Unformatted text preview: added to ESIGN [1460] (see Section 20.6). In ESIGN, the secret key is a pair of large prime numbers, p and q, and the public key is n =p2q . With a subliminal channel, the private key is three primes, p, q, and r, and the public key is n, such that n = p2qr The variable, r, is the extra piece of information that Bob needs to read the subliminal message. To sign a normal message, Alice first picks a random number, x, such that x is less than pqr and computes: w, the least integer that is larger than (H(m)  xk mod n)/pqr) s = x + ((w/kxk1) mod p)pqr H(m) is the hash of the message; k is a security parameter. The value s is the signature. To verify the signature, Bob computes sk mod n. He also computes a, which is the least integer larger than the number of bits of n divided by 3. If H(m) is less than or equal to sk mod n, and if sk mod n is less than H(m) +2a , then the signature is considered valid. To send a subliminal message, M, using the innocuous message, M', Alice calculates s using M in place of H(m). This means that the message must be smaller than p2qr. She then chooses a random value, u, and calculates x' = M' + ur Then, use this x' value as the “random number” x to sign M'. This second s value is sent as a signature. Walter can verify that s (the second s) is a valid signature of M'. Bob can also authenticate the message in the same way. But, since he also knows r, he can calculate s = x' + ypqr = M + ur + ypqr a M (mod r) This implementation of a subliminal channel is far better than the previous two. In the OngSchnorrShamir and ElGamal implementations, Bob has Alice’s private key. Besides being able to read subliminal messages from Alice, Bob can impersonate Alice and sign normal documents. Alice can do nothing about this; she must trust Bob to set up this subliminal channel. The ESIGN scheme doesn’t suffer from this problem. Alice’s private key is the set of three primes: p, q, and r. Bob’s secret key is just r. He knows n =p2qr, but to recover p and q he has to factor that number. If the primes are large enough, Bob has just...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details