DOCSLIB.ORG

Progress on Cryptography

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Progress on Cryptography PROGRESS ON CRYPTOGRAPHY 25 Years of Cryptography in China THE KLUWER INTERNATIONAL SERIES IN ENGINEERING AND COMPUTER SCIENCE PROGRESS ON CRYPTOGRAPHY 25 Years of Cryptography in China edited by Kefei Chen Shanghai Jiaotong University China KLUWER ACADEMIC PUBLISHERS NEW YORK, BOSTON, DORDRECHT, LONDON, MOSCOW eBook ISBN: 1-4020-7987-7 Print ISBN: 1-4020-7986-9 ©2004 Kluwer Academic Publishers New York, Boston, Dordrecht, London, Moscow Print ©2004 Kluwer Academic Publishers Boston All rights reserved No part of this eBook may be reproduced or transmitted in any form or by any means, electronic, mechanical, recording, or otherwise, without written consent from the Publisher Created in the United States of America Visit Kluwer Online at: http://kluweronline.com and Kluwer's eBookstore at: http://ebooks.kluweronline.com International Workshop on Progress on Cryptography Organized by Department of Computer Science and Engineering, SJTU In cooeration with National Natural Science Foundation of China (NSFC) Aerospace Information Co., Ltd. Workshop Co-Chairs Kefei Chen (Shanghai Jiaotong University, China) Dake He (Southwest Jiaotong University, China) Program committee Kefei Chen (Chair, Shanghai Jiaotong University, China) Lidong Chen (Motorola Inc., USA) Cunsheng Ding (HKUST, Hong Kong, China) Dengguo Feng (Chinese Academy of Sciences, China) Guang Gong (University of Waterloo, Canada) Dake He (Southwest Jiaotong University, China) Xuejia Lai (S.W.I.S. GROUP, Switzerland) Bazhong Shen, (Broadcom Corp., USA) Huafei Zhu (Institute for Infocomm Research, Singapore) Organizing committee Kefei Chen (Shanghai Jiaotong University, China) Dawu Gu (Shanghai Jiaotong University, China) Baoan Guo (Chair, Tsinghua University, China) Liangsheng He (Chinese Academy of Sciences, China) Shengli Liu (Shanghai Jiaotong University, China) Weidong Qiu (Shanghai Jiaotong University, China) Dong Zheng (Shanghai Jiaotong University, China) This page intentionally left blank Contents Foreword xi Preface xiii Randomness and Discrepancy Transforms 1 Guang Gong Legendre Sequences and Modified Jacobi Sequences 9 Enjian Bai, Bin Zhang Resilient Functions with Good Cryptographic Properties 17 WEN Qiao-yan, ZHANG Jie Differential Factoring for Integers 25 Chuan-Kun Wu Simple and Efficient Systematic A-codes from Error Correcting Codes 33 Cunsheng Ding, Xiaojian Tian, Xuesong Wang On Coefficients of Binary Expression of Integer Sums 45 Bao Li, Zongduo Dai A new publicly verifiable proxy signcryption scheme 53 Zhang Zhang, Qingkuan Dong, Mian Cai Some New Proxy Signature Schemes from Pairings 59 Fangguo Zhang, Reihaneh Safavi-Naini, Chih-Yin Lin Construction of Digital Signature Schemes Based on DLP 67 Wei-Zhang Du , Kefei Chen DLP-based blind signatures and their application in E-Cash systems 73 Weidong Qiu A Group of Threshold Group-Signature Schemes with Privilege Subsets 81 Chen Weidong, Feng Dengguo viii PROGRESS ON CRYPTOGRAPHY A New Group Signature Scheme with Unlimited Group Size 89 FU Xiaotong, XU Chunxiang Identity Based Signature Scheme Based on Quadratic Residues 97 Weidong Qiu, Kefei Chen New Signature Scheme Based on Factoring and Discrete Logarithms 107 Shimin Wei New Transitive Signature Scheme based on Discreted Logarithm Problem 113 Zichen Li, Juanmei Zhang, Dong Zheng Blind signature schemes based on GOST signature 123 Zhenjie Huang, Yumin Wang One-off Blind Public Key 129 Zhang Qiupu, Guo Baoan Analysis on the two classes of Robust Threshold Key Escrow Schemes 137 Feng Dengguo, Chen Weidong Privacy-Preserving Approximately Equation Solving over Reals 145 Zhi Gan, Qiang Li, Kefei Chen An Authenticated Key Agreement Protocol Resistant to DoS attack 151 Lu Haining, Gu Dawu A comment on a multi-signature scheme 157 ZHENG Dong, CHEN Kefei, HE Liangsheng Cryptanalysis of LKK Proxy Signature 161 ZHENG Dong, LIU Shengli, CHEN Kefei Attack on Identity-Based Broadcasting Encryption Schemes 165 Shengli Liu, Zheng Dong, Kefei Chen Differential-Linear Cryptanalysis of Camellia 173 Wenling WU, Dengguo FENG Security Analysis of EV-DO System 181 Zhu, Hong Ru A Remedy of Zhu-Lee-Deng’s Public Key Cryptosystem 187 Huafei Zhu, Yongjian Liao Quantum cryptographic algorithm for classical binary information 195 Nanrun Zhou, Guihua Zeng Practical Quantum Key Distribution Network 201 Contents ix Jie Zhu, Guihua Zeng A Survey of P2P Network Security Issues based on Protocol Stack 209 ZHANG Dehua, ZHANG Yuqing DDoS Scouter: A simple IP traceback scheme 217 Chen Kai, Hu Xiaoxin, Hao Ruibing A Method of Digital Data Transformation–Base91 229 He Dake, He Wei An approach to the formal analysis of TMN protocol 235 ZHANG Yu-Qing, LIU Xiu-Ying This page intentionally left blank Foreword Teacher Xiao will turn 70 this year. As his students, we learnt from him not only scientific knowledge, but also the ethics in the life; not only through the lectures in the serious classroom, but also through the conversations outside the campus over the world, politics, economics, life. We all enjoyed the time of listening your lectures and we are proud to be your students. Since a quarter of century, teacher Xiao has educated hundreds of us in the fields of mathematics, information theory, communication, cryptology, etc. Today, the “old-classmates” have grown up into the society; many of them are taking the key positions all over the world. Especially, when we talk about the “Xidian branch schools” are spreading the seeds in many places like Beijing, Shanghai, ... I think he would be proud of the intellect, energy and enthusiasm that he gave us during our campus life and would be especially proud of his achievements and the achievements that his students have made since our Xidian life. Best wishes to Teacher Xiao’s seventieth birthday! XUEJIA LAI, ZURICH, SWITZERLAND This page intentionally left blank Preface This workshop entitled “Progress on Cryptography: 25 Year of Cryptography in China” is being held during the celebration of Professor Guozhen Xiao’s 70th birthday. This proceeding is a birthday gift from all of his current and former graduate students, who have had the pleasure of being supervised by Professor Xiao during the last 25 years. Cryptography, in Chinese, consists of two characters meaning “secret cod- ing”. Thanks to Ch’in Chiu-Shao and his successors, the Chinese Remainder Theorem became a cornerstone of public key cryptography. Today, as we observe the constant usage of high-speed computers interconnected via the In- ternet, we realize that cryptography and its related applications have developed far beyond “secret coding”. China, which is rapidly developing in all areas of technology, is also writing a new page of history in cryptography. As more and more Chinese become recognized as leading researchers in a variety of topics in cryptography, it is not surprising that many of them are professor Xiao’s former students. We will never forget a moment in the late 1970’s, during the time when China was just opening its door to the world, when Professor Xiao explained the idea of public key cryptography at a lecture. We were so fascinated that many of us have since devoted our careers to cryptography research and applications. Professor Xiao had started a weekly cryptography seminar, where we discussed newly published cryptography research papers from all over the world. We greatly benefited by the method he taught us, which was to catch the main ideas of each piece of research work. He also influenced us deeply by his method of approaching a creative breakthrough. As he said, “only when you can stand on the top of the existing results, just as you stand on the highest peak to look at all the mountains, can you figure out where to go next.” With this advice, we took our first step in research by thoroughly understanding other people’s work. As a result, many of us generated our first few pieces of work through the seminars. “Professor Xiao’s graduate students” as a group, has been attracting the attention of the academic cryptography community since the first ChinaCrypt in 1984, at which his first few graduate students presented some very impressive xiv PROGRESS ON CRYPTOGRAPHY work. After 20 years, the research interests of the group have extended to a variety of areas in cryptography. This proceeding includes 32 papers. These papers cover a range of topics, from mathematical results of cryptography to practical applications. This proceeding includes a sample of research conducted by Professor Xiao’s former and current graduate students. In China, we use the term “peaches and plums” to refer to “pupils and disci- ples”. Now Professor Xiao’s peaches and plums have spread all over the world. We are recognized as a special group in the cryptography community with not only our distinguished achievements but also our outstanding spirit. Many peo- ple have asked about the underlying motivation behind this quarter-century leg- end in cryptography research, made by professor Xiao and his students. Among all possibilities, I would consider independent thinking and honest attitude as the most crucial aspects. Professor Xiao guided us not only to a fascinating scientific field where many of us made our life-long careers but also to a realm of thought which made us as who we are today. Please join me in wishing Professor Xiao a Happy 70th Birthday. LIDONG CHEN, PALATINE, IL, USA This proceedings is dedicated to Professor Guozheng XIAO on his 70th birthday This page intentionally left blank RANDOMNESS AND DISCREPANCY TRANSFORMS Guang Gong Department of Electrical and Computer
Load more

Recommended publications
  • One-Time and Interactive Aggregate Signatures from Lattices
    One-Time and Interactive Aggregate Signatures from Lattices Dan Boneh Sam Kim Stanford University Stanford University [email protected] [email protected] Abstract An aggregate signature scheme enables one to aggregate multiple signatures generated by different people on different messages into a short aggregate signature. We construct two signature aggregation schemes whose security is based on the standard SIS problem on lattices in the random oracle model. Our first scheme supports public aggregation of signatures, but for a one-time signature scheme. Our second scheme supports aggregation of signatures in a many-time signature scheme, but the aggregation process requires interaction among the signers. In both schemes, the size of the aggregate signature is at most logarithmic in the number of signatures being aggregated. 1 Introduction A signature scheme is a tuple of three algorithms: KeyGen generates a key pair (sk; pk), Sign(sk; m) ! σ signs a message m, and Verify(pk; m; σ) ! 0=1 verifies a signature σ on message m. A one-time signature is a signature scheme that is existentially unforgeable against an adversary that is given the public key and the signature on a single message of its choice. One-time signatures (OTS) have found many applications in cryptography. They are used to transform any existentially unforgeable signature into a strongly unforgeable signature [BS08], in several chosen-ciphertext secure public-key encryption constructions [DDN03, CHK04], in offline/online signatures [EGM96], and for authenticating streaming data [GR01]. The classic OTS scheme of Lamport [Lam79] and its Winternitz variant [BDE+13] shows that one-time signature schemes can be constructed from any one-way function.
    [Show full text]
  • Hash Functions from Sigma Protocols and Improvements to VSH
    Hash Functions from Sigma Protocols and Improvements to VSH Mihir Bellare and Todor Ristov Department of Computer Science and Engineering, University of California San Diego, 9500 Gilman Drive, La Jolla, CA 92093-0404, USA. URL: www-cse.ucsd.edu/users/mihir, www-cse.ucsd.edu/users/tristov Abstract. We present a general way to get a provably collision-resistant hash function from any (suitable) Σ-protocol. This enables us to both get new designs and to unify and improve previous work. In the first category, we obtain, via a modified version of the Fiat-Shamir proto- col, the fastest known hash function that is provably collision-resistant based on the standard factoring assumption. In the second category, we provide a modified version VSH* of VSH which is faster when hash- ing short messages. (Most Internet packets are short.) We also show that Σ-hash functions are chameleon, thereby obtaining several new and efficient chameleon hash functions with applications to on-line/off-line signing, chameleon signatures and designated-verifier signatures. 1 Introduction The failure of popular hash functions MD5 and SHA-1 [42, 43] lends an impetus to the search for new ones. The contention of our paper is that there will be a \niche" market for proven-secure even if not-so-fast hash functions. Towards this we provide a general paradigm that yields hash functions provably secure under number-theoretic assumptions, and also unifies, clarifies and improves previous constructs. Our hash functions have extra features such as being chameleon [25]. Let us now look at all this in more detail.
    [Show full text]
  • Final Exam 2005
    COMP-547A page 1 of 4 Faculty of Science Final Examination Computer Science COMP-547A Cryptography and Data Security Examiner: Prof. Claude Crépeau Date: Dec 7th, 2005 Associate Examiner: Prof. David Avis Time: 14:00 – 17:00 Room: PetH 206 INSTRUCTION: • This examination is worth 50% of your final grade. • The total of all questions is 109 points. • Each question is assigned a value found in parenthesis next to it. • This is an open book examination. All documentation is permitted. • Faculty standard calculator permitted only. • This examination consists of 6 questions on 4 pages, including title page. Suggestion: read all the questions and their values before you start. COMP-547A page 2 of 4 Question 1. Easy bits (12 points) Let p be an odd prime and g be a primitive element mod p. x • Show that given p, g, g mod p, the predicate lsbp(x) is easy to compute. • Show that given p, g, ga mod p, gb mod p there is a predicate of gab mod p that is easy to compute. Question 2. Second Preimage (12 points) Question 3. Blum-Goldwasser à la RSA (25 points) Let n=pq be the product of two large primes such that p ≡ q ≡ 2 (mod 3). • Provide all the details of a variant of the Blum-Goldwasser cryptosystem where we use i i RSA with public exponent 3 (z =lsb(s 3 mod n)) instead of BBS (z =lsb(s 2 mod n)) as in i 0 i 0 the original system. Rewrite the entire description of the Blum-Goldwasser cryptosystem as given in cryptosystem 8.2 (see next page).
    [Show full text]
  • Modern Cryptography: Lecture 13 Digital Signatures
    Modern Cryptography: Lecture 13 Digital Signatures Daniel Slamanig Organizational ● Where to find the slides and homework? – https://danielslamanig.info/ModernCrypto18.html ● ow to conta!t me? – [email protected] ● #utor: Karen Klein – [email protected] ● Offi!ial page at #', )o!ation et!. – https://tiss.tuwien.ac.at/!ourse/!o$rseDetails.+html?dswid=86-2&dsrid,6/0. !ourseNr,102262&semester,2018W ● #utorial, #U site – https://tiss.tuwien.ac.at/!ourse/!o$rseAnnouncement.+html?dswid=4200.dsr id,-51.!ourseNum6er,10206-.!ourseSemester,2018W ● 8+am for the se!ond part: Thursday 31.21.2210 15:00-1/:00 (Tutorial slot; 2/26 Overview Digital Signatures message m / :m( σ; secret key skA Inse!$re !hannel p$bli! key pkA p$bli! key pkA σ σ :, 7igskA:m; 6 :, =rfypkA:m( ; 3: pkA -/26 Digital Signatures: Intuitive Properties Can 6e seen as the p$6li!9key analog$e of M3Cs with p$6li! >erifiability ● Integrity protection: 3ny modifi!ation of a signed message !an 6e detected ● 7o$r!e a$thenti!ity: The sender of a signed message !an be identified ● Non9rep$diation: The signer !annot deny ha>ing signed :sent) a message 7e!$rity :intuition;: sho$ld 6e hard to !ome $p with a signat$re for a message that has not 6een signed by the holder of the pri>ate key 5/26 Digital Signatures: pplications *igital signat$res ha>e many applications and are at the heart of implementing p$6lic9key !ryptography in practice ● <ss$ing !ertifi!ates 6y CAs (?$6lic %ey <nfrastr$!t$res;: 6inding of identities to p$6lic keys ● @$ilding authenticated !hannels: a$thenti!ate parties :ser>ers; in sec$rity proto!ols :e.g.( TL7; or se!$re messaging :Whats3pp( 7ignal, ...; ● Code signing: a$thenti!ate software/firmware :$pdates; ● 7ign do!$ments :e.g.( !ontra!ts;: )egal reg$lations define when digital signat$res are eq$ivalent to handwritten signat$res ● 7ign transa!tions: $sed in the !rypto!$rren!y realm ● et!.
    [Show full text]
  • Jeffrey Hoffstein Jill Pipher Joseph H. Silverman
    Undergraduate Texts in Mathematics Je rey Ho stein Jill Pipher Joseph H. Silverman An Introduction to Mathematical Cryptography Second Edition Undergraduate Texts in Mathematics Undergraduate Texts in Mathematics Series Editors: Sheldon Axler San Francisco State University, San Francisco, CA, USA Kenneth Ribet University of California, Berkeley, CA, USA Advisory Board: Colin Adams, Williams College, Williamstown, MA, USA Alejandro Adem, University of British Columbia, Vancouver, BC, Canada Ruth Charney, Brandeis University, Waltham, MA, USA Irene M. Gamba, The University of Texas at Austin, Austin, TX, USA Roger E. Howe, Yale University, New Haven, CT, USA David Jerison, Massachusetts Institute of Technology, Cambridge, MA, USA Jeffrey C. Lagarias, University of Michigan, Ann Arbor, MI, USA Jill Pipher, Brown University, Providence, RI, USA Fadil Santosa, University of Minnesota, Minneapolis, MN, USA Amie Wilkinson, University of Chicago, Chicago, IL, USA Undergraduate Texts in Mathematics are generally aimed at third- and fourth- year undergraduate mathematics students at North American universities. These texts strive to provide students and teachers with new perspectives and novel approaches. The books include motivation that guides the reader to an appreciation of interre- lations among different aspects of the subject. They feature examples that illustrate key concepts as well as exercises that strengthen understanding. More information about this series at http://www.springer.com/series/666 Jeffrey Hoffstein • Jill Pipher Joseph
    [Show full text]
  • Blind Schnorr Signatures in the Algebraic Group Model
    An extended abstract of this work appears in EUROCRYPT’20. This is the full version. Blind Schnorr Signatures and Signed ElGamal Encryption in the Algebraic Group Model Georg Fuchsbauer1, Antoine Plouviez2, and Yannick Seurin3 1 TU Wien, Austria 2 Inria, ENS, CNRS, PSL, Paris, France 3 ANSSI, Paris, France first.last@{tuwien.ac.at,ens.fr,m4x.org} January 16, 2021 Abstract. The Schnorr blind signing protocol allows blind issuing of Schnorr signatures, one of the most widely used signatures. Despite its practical relevance, its security analysis is unsatisfactory. The only known security proof is rather informal and in the combination of the generic group model (GGM) and the random oracle model (ROM) assuming that the “ROS problem” is hard. The situation is similar for (Schnorr-)signed ElGamal encryption, a simple CCA2-secure variant of ElGamal. We analyze the security of these schemes in the algebraic group model (AGM), an idealized model closer to the standard model than the GGM. We first prove tight security of Schnorr signatures from the discrete logarithm assumption (DL) in the AGM+ROM. We then give a rigorous proof for blind Schnorr signatures in the AGM+ROM assuming hardness of the one-more discrete logarithm problem and ROS. As ROS can be solved in sub-exponential time using Wagner’s algorithm, we propose a simple modification of the signing protocol, which leaves the signatures unchanged. It is therefore compatible with systems that already use Schnorr signatures, such as blockchain protocols. We show that the security of our modified scheme relies on the hardness of a problem related to ROS that appears much harder.
    [Show full text]
  • A Survey on the Provable Security Using Indistinguishability Notion on Cryptographic Encryption Schemes
    A SURVEY ON THE PROVABLE SECURITY USING INDISTINGUISHABILITY NOTION ON CRYPTOGRAPHIC ENCRYPTION SCHEMES A THESIS SUBMITTED TO THE GRADUATE SCHOOL OF APPLIED MATHEMATICS OF MIDDLE EAST TECHNICAL UNIVERSITY BY EMRE AYAR IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE IN CRYPTOGRAPHY FEBRUARY 2018 Approval of the thesis: A SURVEY ON THE PROVABLE SECURITY USING INDISTINGUISHABILITY NOTION ON CRYPTOGRAPHIC ENCRYPTION SCHEMES submitted by EMRE AYAR in partial fulfillment of the requirements for the degree of Master of Science in Department of Cryptography, Middle East Technical University by, Prof. Dr. Om¨ ur¨ Ugur˘ Director, Graduate School of Applied Mathematics Prof. Dr. Ferruh Ozbudak¨ Head of Department, Cryptography Assoc. Prof. Dr. Ali Doganaksoy˘ Supervisor, Cryptography, METU Dr. Onur Koc¸ak Co-supervisor, TUB¨ ITAK˙ - UEKAE, Istanbul˙ Examining Committee Members: Assoc. Prof. Dr. Murat Cenk Cryptography, METU Assoc. Prof. Dr. Ali Doganaksoy˘ Department of Mathematics, METU Assist. Prof. Dr. Fatih Sulak Department of Mathematics, Atılım University Date: I hereby declare that all information in this document has been obtained and presented in accordance with academic rules and ethical conduct. I also declare that, as required by these rules and conduct, I have fully cited and referenced all material and results that are not original to this work. Name, Last Name: EMRE AYAR Signature : v vi ABSTRACT A SURVEY ON THE PROVABLE SECURITY USING INDISTINGUISHABILITY NOTION ON CRYPTOGRAPHIC ENCRYPTION SCHEMES Ayar, Emre M.S., Department of Cryptography Supervisor : Assoc. Prof. Dr. Ali Doganaksoy˘ Co-Supervisor : Dr. Onur Koc¸ak February 2018, 44 pages For an encryption scheme, instead of Shannon’s perfect security definition, Goldwasser and Micali defined a realistic provable security called semantic security.
    [Show full text]
  • Implementation and Performance Evaluation of XTR Over Wireless Network
    Implementation and Performance Evaluation of XTR over Wireless Network By Basem Shihada [email protected] Dept. of Computer Science 200 University Avenue West Waterloo, Ontario, Canada (519) 888-4567 ext. 6238 CS 887 Final Project 19th of April 2002 Implementation and Performance Evaluation of XTR over Wireless Network 1. Abstract Wireless systems require reliable data transmission, large bandwidth and maximum data security. Most current implementations of wireless security algorithms perform lots of operations on the wireless device. This result in a large number of computation overhead, thus reducing the device performance. Furthermore, many current implementations do not provide a fast level of security measures such as client authentication, authorization, data validation and data encryption. XTR is an abbreviation of Efficient and Compact Subgroup Trace Representation (ECSTR). Developed by Arjen Lenstra & Eric Verheul and considered a new public key cryptographic security system that merges high level of security GF(p6) with less number of computation GF(p2). The claim here is that XTR has less communication requirements, and significant computation advantages, which indicate that XTR is suitable for the small computing devices such as, wireless devices, wireless internet, and general wireless applications. The hoping result is a more flexible and powerful secure wireless network that can be easily used for application deployment. This project presents an implementation and performance evaluation to XTR public key cryptographic system over wireless network. The goal of this project is to develop an efficient and portable secure wireless network, which perform a variety of wireless applications in a secure manner. The project literately surveys XTR mathematical and theoretical background as well as system implementation and deployment over wireless network.
    [Show full text]
  • Implementation and Evaluation of Secure Industrial Ethernet Communication
    Implementation and Evaluation of Secure Industrial Ethernet Communication Master of Science Thesis, Communication Engineering KAN YU Department of Signals and Systems CHALMERS UNIVERSITY OF TECHNOLOGY Göteborg, Sweden, August 2010 Page 2/88 Abstract Automation network security becomes increasingly important due to the introduction of Ethernet- based fieldbus protocols and cryptographic algorithms play a vital important role in these protocols. Choosing the most suitable cryptographic algorithms under consideration of security and performance according to different application cases is essential. In this thesis, we first present a comprehensive survey of most commonly used cryptographic algorithms which can be applied in automation networks and then identify our candidates based on existing literature and related works for further evaluation in ARM platform for industrial purpose. Finally, according to our evaluation results, we choose suitable algorithms for different applications: for symmetric algorithms, Twofish is recommended for best performance and eXtended Tiny Encryption Algorithm (XTEA) and Corrected Block Tiny Encryption Algorithm (XXTEA) are recommended for the least footprint; for Message Authentication Code (MAC) algorithms, UMAC is strongly recommended for excellent speed; for asymmetric algorithms, Elliptic Curve Cryptography (ECC) has much better performance than RSA at the same security level in our platform. Page 3/88 TABLE OF CONTENTS 1 INTRODUCTION ..................................................................................................................................
    [Show full text]
  • 11 Digital Signatures
    This is a Chapter from the Handbook of Applied Cryptography, by A. Menezes, P. van Oorschot, and S. Vanstone, CRC Press, 1996. For further information, see www.cacr.math.uwaterloo.ca/hac CRC Press has granted the following specific permissions for the electronic version of this book: Permission is granted to retrieve, print and store a single copy of this chapter for personal use. This permission does not extend to binding multiple chapters of the book, photocopying or producing copies for other than personal use of the person creating the copy, or making electronic copies available for retrieval by others without prior permission in writing from CRC Press. Except where over-ridden by the specific permission above, the standard copyright notice from CRC Press applies to this electronic version: Neither this book nor any part may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, microfilming, and recording, or by any information storage or retrieval system, without prior permission in writing from the publisher. The consent of CRC Press does not extend to copying for general distribution, for promotion, for creating new works, or for resale. Specific permission must be obtained in writing from CRC Press for such copying. c 1997 by CRC Press, Inc. Chapter 11 Digital Signatures Contents in Brief 11.1 Introduction :::::::::::::::::::::::::::::425 11.2 A framework for digital signature mechanisms ::::::::::426 11.3 RSA and related signature schemes :::::::::::::::::433 11.4 Fiat-Shamir signature schemes :::::::::::::::::::447 11.5 The DSA and related signature schemes ::::::::::::::451 11.6 One-time digital signatures :::::::::::::::::::::462 11.7 Other signature schemes ::::::::::::::::::::::471 11.8 Signatures with additional functionality ::::::::::::::474 11.9 Notes and further references ::::::::::::::::::::481 11.1 Introduction This chapter considers techniques designed to provide the digital counterpart to a handwrit- ten signature.
    [Show full text]
  • Proactive Two-Party Signatures for User Authentication
    Proactive Two-Party Signatures for User Authentication Antonio Nicolosi, Maxwell Krohn, Yevgeniy Dodis, and David Mazieres` NYU Department of Computer Science {nicolosi,max,dodis,dm}@cs.nyu.edu Abstract may have the right to initiate signatures of arbitrary mes- We study proactive two-party signature schemes in the con- sages, while a server’s role is simply to approve and log text of user authentication. A proactive two-party signa- what has been signed. In such settings, an attacker may gain ture scheme (P2SS) allows two parties—the client and the fruitful advantage from the use of even a single key share, server—jointly to produce signatures and periodically to re- unless some separate mechanism is used for mutual authen- fresh their sharing of the secret key. The signature genera- tication of the two parties. Finally, ordinary two-party sig- tion remains secure as long as both parties are not compro- natures offer no way to transfer ownership of a key share mised between successive refreshes. We construct the first from one party to another—as the old owner could neglect such proactive scheme based on the discrete log assump- to erase the share it should no longer be storing. tion by efficiently transforming Schnorr’s popular signature Proactive digital signatures allow private key shares to be scheme into a P2SS. We also extend our technique to the updated or “refreshed” in such a way that old key shares signature scheme of Guillou and Quisquater (GQ), provid- cannot be combined with new shares to sign messages or ing two practical and efficient P2SSs that can be proven recover the private key.
    [Show full text]
  • Introduction to Cryptography Lecture 8
    Reminder: RSA Public Key Cryptosystem * * • The multiplicative group ZN =Zpq . The size of the group is φ(n) = φ(pq) = (p-1) (q-1) Introduction to Cryptography • Public key : Lecture 8 – N=pq the product of two primes – e such that gcd (e, φ(N))=1 (are these hard to find?) • Private key: Rabin’s encryption system, – d such that de ≡1 mod φ(N) Digital signatures ∈ • Encryption of M ZN* e – C=E(M)=M mod N Benny Pinkas ∈ • Decryption of C ZN* d – M=D(C)=C mod N (why does it work?) December 18, 2005 Introduction to Cryptography, Benny Pinkas page 1 December 18, 2005 Introduction to Cryptography, Benny Pinkas page 2 Reminders Rabin’s encryption systems • The Chinese Remainder Theorem (CRT): • Key generation: – Let N=pq with gcd( p,q)=1. – Private key: random primes p,q (e.g. 512 bits long). ∈ × – Then for every pair (y,z) Zp Zq there exists a unique – Public key: N=pq . ∈ x Zn, s.t. • x=y mod p • Encryption: • x=z mod q ∈ * – Plaintext m ZN . – Ciphertext: c = m 2 mod N. (very efficient) • Quadratic Residues: ∈ * ∈ * 2 1/2 – The square root of x Zp is y Zp s.t. y =x mod p. • Decryption: Compute c mod N. ∈ * – x Zp has either 2 or 0 square roots, and is denoted as a Quadratic Residue (QR) or Non Quadratic Residue (NQR), respectively. ∈ * (p-1)/2 – Euler’s theorem: x Zp is a QR iff x = 1 mod p. December 18, 2005 Introduction to Cryptography, Benny Pinkas page 3 December 18, 2005 Introduction to Cryptography, Benny Pinkas page 4 1 Square roots modulo N Square roots modulo N • ⇒⇒⇒ Let x be a quadratic residue (QR) modulo N=pq, t hen • N= pq .
    [Show full text]