Applied Cryptography - Protocols, Algorithms, and Source Code in C

While we have designed technical modifications to the


(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Proofs for the mathematical relationships are found in [1154]. Table 20.1 provides a summary.

Speed Precomputations

Table 20.2 gives sample software speeds of DSA [918]. Real-world implementations of DSA can often be speeded up through precomputations. Notice that the value r does not depend on the message. You can create a string of random k values, and then precompute r values for each of them. You can also precompute $k^{-1}$ for each of those k values. Then, when a message comes along, you can compute s for a given r and $k^{-1}$.

This precomputation speeds up DSA considerably. Table 20.3 is a comparison of DSA and RSA computation times for a particular smart card implementation [1479].

Table 20.1 DSA Signatures

Public Key:
  p    512-bit to 1024-bit prime (can be shared among a group of users)
  q    160-bit prime factor of p – 1 (can be shared among a group of users)
  g    $= h^{(p-1)/q} \bmod p$, where h is less than p – 1 and $h^{(p-1)/q} \bmod p > 1$ (can be shared among a group of users)
  y    $= g^x \bmod p$ (a p-bit number)

Private Key:
  x    $< q$ (a 160-bit number)

Signing:
  k    choose at random, less than q
  r    (signature) $= (g^k \bmod p) \bmod q$
  s    (signature) $= (k^{-1}(H(m) + xr)) \bmod q$

Verifying:
  w    $= s^{-1} \bmod q$
  u1   $= (H(m) \cdot w) \bmod q$
  u2   $= (rw) \bmod q$
  v    $= ((g^{u_1} \cdot y^{u_2}) \bmod p) \bmod q$

If v = r, then the signature is verified.

DSA Prime Generation

Lenstra and Haber pointed out that certain moduli are much easier to crack than others [950]. If someone forced a network to use one of these “cooked” moduli, then their signatures would be easier to forge. This isn’t a problem for two reasons: These moduli are easy to detect and they are so rare that the chances of using one when choosing a modulus randomly are almost negligible—smaller, in fact, than the chances of accidentally generating a composite number using a probabilistic prime generation routine. In [1154] NIST recommended a specific...
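The precomputation described under "Speed Precomputations", written out with the signing and verifying equations of Table 20.1, as an added example that is not code from the book. The parameters P, Q and G are toy values constructed here (far too small for real use), and the function names keygen, precompute, sign and verify are this example's own.

```python
import hashlib
import secrets

# Toy parameters constructed for this example (far too small for real use):
# q is prime, q divides p - 1, and g = h^((p-1)/q) mod p with h = 2.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)              # 64, an element of order q

def H(message: bytes) -> int:
    """SHA-1 digest of the message as an integer (H(m) in Table 20.1)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def keygen():
    x = secrets.randbelow(Q - 1) + 1     # private key, 0 < x < q
    return x, pow(G, x, P)               # (x, y = g^x mod p)

def precompute(count):
    """Offline phase: message-independent (k^-1, r) pairs."""
    pool = []
    while len(pool) < count:
        k = secrets.randbelow(Q - 1) + 1 # fresh secret k, 0 < k < q
        r = pow(G, k, P) % Q             # r = (g^k mod p) mod q
        if r:                            # r = 0 is unusable; draw another k
            pool.append((pow(k, -1, Q), r))
    return pool

def sign(message, x, pool):
    """Online phase: s = k^-1 (H(m) + x r) mod q, one pair per signature."""
    while pool:
        k_inv, r = pool.pop()            # pop: a pair is never used twice
        s = k_inv * (H(message) + x * r) % Q
        if s:                            # s = 0 has no inverse; discard pair
            return r, s
    raise RuntimeError("precomputed pool exhausted")

def verify(message, sig, y):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):    # reject out-of-range values
        return False
    w = pow(s, -1, Q)
    u1, u2 = H(message) * w % Q, r * w % Q
    return pow(G, u1, P) * pow(y, u2, P) % P % Q == r   # v == r
```

Each stored $k^{-1}$ needs the same protection as x: anyone who learns the k behind a signature, or sees one k used for two messages, can solve the signing equation for the private key.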

This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.
