Unformatted text preview: ed with K3 and K5 can be decrypted with K1 , K2 , and K4: C = MK3*K5 mod n M = CK1*K2*K4 mod n One use for this is multisignatures. Imagine a situation where both Alice and Bob have to sign a document for it to be valid. Use three keys: K1, K2 , and K3. The first two are issued one each to Alice and Bob,and the third is made public. (1) First Alice signs M and sends it to Bob. M' = MK1 mod n (2) Bob can recover M from M'. M = M'K2*K3 mod n (3) He can also add his signature. M" = M'K2 mod n (4) Anyone can verify the signature with K3 , the public key. M = M"K3 mod n Note that a trusted party is needed to set this system up and distribute the keys to Alice and Bob. Another scheme with the same problem is [484]. Yet a third scheme is [695,830,700], but the effort in verification is proportional to the number of signers. Newer schemes [220,1200] based on zeroknowledge identification schemes solve both shortcomings of the previous systems. 23.2 SecretSharing Algorithms
Back in Section 3.7 I discussed the idea behind secretsharing schemes. The four different algorithms that follow are all particular cases of a general theoretical framework [883]. LaGrange Interpolating Polynomial Scheme
Adi Shamir uses polynomial equations in a finite field to construct a threshold scheme [1414]. Choose a prime, p, which is both larger than the number of possible shadows and larger than the largest possible secret. To share a secret, generate an arbitrary polynomial of degree m 1. For example, if you want to create a (3,n)threshold scheme (three shadows are necessary to reconstruct M),generate a quadratic polynomial (ax2 + bx + M) mod p where p is a random prime larger than any of the coefficients. The coefficients a and b are chosen randomly; they are kept secret and discarded after the shadows are handed out. M is the message. The prime must be made public. The shadows are obtained by evaluating the polynomial at n different points: ki = F(xi) In other words, the first shadow could be the polynomial evaluated at x = 1, the second shadow could be the polynomial evaluated at x = 2, and so forth. Since...
View
Full
Document
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
 Fall '10
 ALIULGER
 Cryptography

Click to edit the document details