ks. First compute

$r = g^k \bmod p$

The generalized signature equation now becomes

$ak = b + cx \bmod q$

The coefficients a, b, and c can be any of a variety of things. Each line in Table 20.4 gives six possibilities.

To verify the signature, the receiver must confirm that

$r^a = g^b y^c \bmod p$

This is called the verification equation. Table 20.5 lists the signature and verifications possible from just the first line of potential values for a, b, and c, ignoring the effects of the ±.

Table 20.4 Possible Permutations of a, b, and c (r’ = r mod q)

±r’     ±s      m
±r’m    ±s      1
±r’m    ±ms     1
±mr’    ±r’s    1
±ms     ±r’s    1

That’s six different signature schemes. Adding the negative signs brings the total to 24. Using the other possible values listed for a, b, and c brings the total to 120.

ElGamal [518,519] and DSA [1154] are essentially based on equation (4). Other schemes are based on equation (2) [24,1629]. Schnorr [1396,1397] is closely related to equation (5), as is another scheme [1183]. And equation (1) can be modified to yield the scheme proposed in [1630]. The rest of the equations are new.

There’s more. You can make any of these schemes more DSA-like by defining r as

$r = (g^k \bmod p) \bmod q$

Keep the same signature equation and make the verification equation

$u_1 = a^{-1} b \bmod q$
$u_2 = a^{-1} c \bmod q$
$r = (g^{u_1} y^{u_2} \bmod p) \bmod q$

There are two other possibilities along these lines [740,741]; you can do this with each of the 120 schemes, bringing the total to 480 discrete-logarithm-based digital signature schemes.

But wait—there’s more. Additional generalizations and variations can generate more than 13,000 variants (not all of them terribly efficient) [740,741].

One of the nice things about using RSA for digital signatures is a feature called message recovery. When you verify an RSA signature you compute m. Then you compare the computed m with the message and see if the signature is valid for that message. With the previous schemes, you can’t recover m when you compute the signature; you need a candidate m that you use in a verification equation. Well, as it turns out it is possible to construct a message recovery variant for all the above signature schemes. Table 2...
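The generalized signature equation and its verification equation can be exercised over every (a, b, c) choice counted above, which goes beyond the first line of Table 20.4 to all 120 schemes. This is an added example, not code from the book or the course notes. The toy parameters p = 607, q = 101, g = 64, the key relation y = g^x mod p (x private, y public), and all function names are assumptions of the example.

```python
import secrets
from itertools import permutations, product
from math import prod

# Toy parameters constructed for this example (far too small for real use):
# q is prime, q divides p - 1, and g has order q modulo p.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)

# The five lines of Table 20.4. Each entry is a product of the named values
# ("r" is r', "" is 1); the first two entries of a line take a +/- sign.
ROWS = [("r", "s", "m"), ("rm", "s", ""), ("rm", "ms", ""),
        ("mr", "rs", ""), ("ms", "rs", "")]

def schemes():
    """All (a, b, c) choices: 5 lines x 4 sign patterns x 6 orderings = 120."""
    for row, (s1, s2) in product(ROWS, product((1, -1), repeat=2)):
        yield from permutations(zip(row, (s1, s2, 1)))

def coeffs(scheme, r, s, m):
    vals = {"r": r % Q, "s": s, "m": m % Q}
    return [sg * prod(vals[n] for n in term) % Q for term, sg in scheme]

def residual(scheme, k, x, r, s, m):
    """a*k - b - c*x mod q, which is zero when the signature equation holds."""
    a, b, c = coeffs(scheme, r, s, m)
    return (a * k - b - c * x) % Q

def sign(scheme, x, m):
    while True:
        k = 1 + secrets.randbelow(Q - 1)          # fresh per-signature secret
        r = pow(G, k, P)
        e0 = residual(scheme, k, x, r, 0, m)      # residual is affine in s, so
        slope = (residual(scheme, k, x, r, 1, m) - e0) % Q  # solve e0 + slope*s = 0
        if r % Q and slope and (s := -e0 * pow(slope, -1, Q) % Q):
            return r, s                           # retry on r' = 0 or s = 0

def verify(scheme, y, m, r, s):
    if not (0 < r < P and 0 < s < Q):
        return False
    a, b, c = coeffs(scheme, r, s, m)
    return pow(r, a, P) == pow(G, b, P) * pow(y, c, P) % P  # r^a = g^b y^c mod p

def check_all(m=42, altered_m=43):
    """Sign m under every scheme; return (accepts m, accepts altered_m) pairs."""
    x = 1 + secrets.randbelow(Q - 1)              # private key
    y = pow(G, x, P)                              # public key y = g^x mod p
    sigs = [(sc, sign(sc, x, m)) for sc in schemes()]
    return [(verify(sc, y, m, *sg), verify(sc, y, altered_m, *sg)) for sc, sg in sigs]
```

Calling `check_all()` signs one message under each scheme and checks it against both the original and an altered message; solving for s works uniformly because every table entry contains s to at most the first power.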
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.