This preview shows page 1. Sign up to view the full content.
Unformatted text preview: inal ciphertext message is the triple: (C, c1, c2) To decrypt C, the receiver computes M" using Ck a ±M" (mod N) The proper sign of M" is given by c2. Finally, M = (Sc1 * (-1)c1 * M") mod N Williams refined this scheme further in [1603, 1604, 1605]. Instead of squaring the plaintext message, cube it. The large primes must be congruent to 1 mod 3; otherwise the public and private keys are the same. Even better, there is only one unique decryption for each encryption. Both Rabin and Williams have an advantage over RSA in that they are provably as secure as factoring. However, they are completely insecure against a chosen-ciphertext attack. If you are going to use these schemes in instances where an attacker can mount this attack (for example, as a digital signature algorithm where an attacker can choose messages to be signed), be sure to use a one-way hash function before signing. Rabin suggested another way of defeating this attack: Append a different random string to each message before hashing and signing. Unfortunately, once you add a one-way hash function to the system it is no longer provably as secure as factoring , although adding hashing cannot weaken the system in any practical sense. Other Rabin variants are [972, 909, 696, 697, 1439, 989]. A two-dimensional variant is in [866, 889]. 19.6 ElGamal
The ElGamal scheme [518,519] can be used for both digital signatures and encryption; it gets its security from the difficulty of calculating discrete logarithms in a finite field. To generate a key pair, first choose a prime, p, and two random numbers, g and x, such that both g and x are less than p. Then calculate y = gx mod p The public key is y, g, and p. Both g and p can be shared among a group of users. The private key is x. ElGamal Signatures
To sign a message, M, first choose a random number, k, such that k is relatively prime to p - 1. Then compute a = gk mod p and use the extended Euclidean algorithm to solve for b in the following equation: M = (xa + kb) mod (p - 1) The signature is the pair: a and b. The random value, k, must be kept secret. To verify a signature, con...
View Full Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
- Fall '10