applied cryptography - protocols, algorithms, and source code in c

# Alice decrypts all bi with carols private key giving

This preview shows page 1. Sign up to view the full content.

This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: emes can be combined with secret-sharing schemes to create distributed convertible undeniable signatures [1235]. Someone can sign a message, then distribute the ability to confirm that the signature is valid. He might, for example, require three out of five people to participate in the protocol in order to convince Bob that the signature is valid. Improvements on this notion deleted the requirement for a trusted dealer [700,1369]. 23.5 Designated Confirmer Signatures Here’s how Alice can sign a message and Bob can verify it, such that Carol can verify Alice’s signature at some later time to Dave (see Section 4.4) [333]. First, a large prime, p, and a primitive element, g, are made public and used by a group of users. The product of two primes, n, is also public. Carol has a private key, z, and a public key is h =gx mod p. In this protocol Alice can sign m such that Bob is convinced that the signature is valid,but cannot convince a third party. (1) Alice chooses a random x and computes a = gx mod p b = hx mod p She computes the hash of m, H(m), and the hash of a and b concatenated, H(a,b). She then computes j = (H(m) • H(a, b))1/3 mod n and sends a, b, and j to Bob. (2) Bob chooses two random numbers, s and t, both less than p, and sends Alice c = gsht mod p (3) Alice chooses a random q less than p, and sends Bob d = gq mod p e = (cd)x mod p (4) Bob sends Alice s and t. (5) Alice confirms that gsht a c (mod p) Then she sends Bob q. (6) Bob confirms d a gq (mod p) e/aq a asbt (mod p) H(m) • H(a, b) a j1/3 mod n If they all check out, he accepts the signature as genuine. Bob cannot use a transcript of this proof to convince Dave that the signature is genuine, but Dave can conduct a protocol with Alice’s designated confirmer, Carol. Here’s how Carol convinces Dave that a and bconstitute a valid signature. (1) Dave chooses a random u and v, both less than p, and sends Carol k = guav mod p (2) Carol chooses a random w, less than p, and sends Dave l = gw mod p y = (kl)z mod p (3) Dave sends Carol u and v. (4) Carol confirm...
View Full Document

## This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.

Ask a homework question - tutors are online