This preview shows page 1. Sign up to view the full content.
Unformatted text preview: issue will take time to resolve; at the time of this writing it isn’t even resolved in the United States. In June 1993 NIST proposed to give PKP an exclusive patent license to DSA [541]. The agreement fell through after public outcry and the standard was issued without any deal. NIST said [542]: ...NIST has addressed the possible patent infringement claims, and has concluded that there are no valid claims. So the standard is official, lawsuits are threatened, and no one knows what to do. NIST has said that it would help defend people sued for patent infringement, if they were using DSA to satisfy a government contract. Everyone else, it seems, is on their own. ANSI has a draft banking standard that uses DSA [60]. NIST is working to standardize DSA within the government. Shell Oil has made DSA their international standard. I know of no other proposed DSA standards. 20.2 DSA Variants
This variant makes computation easier on the signer by not forcing him to compute k1 [1135]. All the parameters are as in DSA. To sign a message, m, Alice generates two random numbers, k and d, both less than q. The signature is r = (gk mod p) mod q s = (H(m) + xr) * d mod q t = kd mod q Bob verifies the signature by computing w = t/s mod q u1 = (H(m) * w) mod q u2 = (rw) mod q If r = ((gu1 * yu2) mod p) mod q, then the signature is verified. This next variant makes computation easier on the verifier [1040,1629]. All the parameters are as in DSA. To sign a message, m, Alice generates a random number, k, less than q. The signature is r = (gk mod p) mod q s = k * (H(m) + xr)1 mod q Bob verifies the signature by computing u1 = (H(m) * s) mod q u2 = (sr) mod q If r = ((gu1 * yu2) mod p) mod q, then the signature is verified. Another DSA variant allows for batch verification; Bob can verify signatures in batches [1135]. If they are all valid, he is done. If one isn’t valid, then he still has to find it. Unfortunately, it is not secure; either the signer or the verifier can easily create a set of bogus signatures that satisfy the batch criteria [974]. There is also a variant for D...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details