applied cryptography - protocols, algorithms, and source code in c

This assumes the existence of a symmetric cipher that


ature.

21.3 Schnorr

Claus Schnorr’s authentication and signature scheme [1396,1397] gets its security from the difficulty of calculating discrete logarithms.

To generate a key pair, first choose two primes, p and q, such that q is a prime factor of p - 1. Then, choose an a not equal to 1, such that $a^q \equiv 1 \pmod{p}$. All these numbers can be common to a group of users and can be freely published.

To generate a particular public-key/private-key key pair, choose a random number less than q. This is the private key, s. Then calculate $v = a^{-s} \bmod p$. This is the public key.

Authentication Protocol

(1) Peggy picks a random number, r, less than q, and computes $x = a^r \bmod p$. This is the preprocessing stage and can be done long before Victor is present.
(2) Peggy sends x to Victor.
(3) Victor sends Peggy a random number, e, between 0 and $2^t - 1$. (I’ll discuss t in a moment.)
(4) Peggy computes $y = (r + se) \bmod q$ and sends y to Victor.
(5) Victor verifies that $x = a^y v^e \bmod p$.

The security is based on the parameter t. The difficulty of breaking the algorithm is about $2^t$. Schnorr recommended that p be about 512 bits, q be about 140 bits, and t be 72.

Digital Signature Protocol

Schnorr can also be used as a digital signature protocol on a message, M. The public-key/private-key key pair is the same, but we’re now adding a one-way hash function, H(M).

(1) Alice picks a random number, r, less than q, and computes $x = a^r \bmod p$. This computation is the preprocessing stage.
(2) Alice concatenates M and x, and hashes the result: $e = H(M,x)$
(3) Alice computes $y = (r + se) \bmod q$. The signature is e and y; she sends these to Bob.
(4) Bob computes $x' = a^y v^e \bmod p$. He then confirms that the concatenation of M and x' hashes to e: $e = H(M,x')$

If it does, he accepts the signature as valid.
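The authentication and signature steps above, as an added Python example that is not code from the book. Assumptions: the parameters are constructed toy values (a 61-bit q, t = 60), SHA-256 truncated to t bits stands in for H, and all function names are hypothetical.

```python
import hashlib, secrets

# Constructed toy parameters, far too small for real use: q is the Mersenne
# prime 2^61 - 1, p is the first k*q + 1 that passes a Fermat test, t = 60.
Q = 2**61 - 1
T = 60

def find_p(q):
    k = 2
    while not all(pow(b, k * q, k * q + 1) == 1 for b in (2, 3, 5, 7)):
        k += 2
    return k * q + 1

P = find_p(Q)
A = pow(2, (P - 1) // Q, P)                   # a != 1 with a^q = 1 (mod p)
assert A != 1 and pow(A, Q, P) == 1

def keygen():
    s = secrets.randbelow(Q - 1) + 1          # private key s, less than q
    return s, pow(A, Q - s, P)                # public key v = a^(-s) mod p

def H(message, x):
    # Assumption: SHA-256 over M || x, truncated to t bits, plays H(M, x).
    d = hashlib.sha256(message + x.to_bytes((P.bit_length() + 7) // 8, "big"))
    return int.from_bytes(d.digest(), "big") % 2**T

def commit():
    r = secrets.randbelow(Q - 1) + 1          # fresh random r for every run
    return r, pow(A, r, P)                    # x = a^r mod p (preprocessing)

def respond(r, s, e):
    return (r + s * e) % Q                    # y = (r + s*e) mod q

def check(x, y, e, v):
    return x == pow(A, y, P) * pow(v, e, P) % P   # Victor: x = a^y v^e mod p

def sign(message, s):
    r, x = commit()
    e = H(message, x)
    return e, respond(r, s, e)                # signature is (e, y)

def verify(message, sig, v):
    e, y = sig
    if not (0 <= e < 2**T and 0 <= y < Q):    # reject out-of-range values
        return False
    x2 = pow(A, y, P) * pow(v, e, P) % P      # x' = a^y v^e mod p
    return H(message, x2) == e
```

Verification works because $a^y v^e = a^{r+se} a^{-se} = a^r$ when a has order q, which is why the response is reduced mod q rather than mod p.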
In his paper, Schnorr cites these novel features of his algorithm: Most of the computation for signature generation can be completed in a preprocessing stage, independent of the message being signed. Hence, it can be done during idle time and not affect the signature speed. An attack...

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
