SignatureSchemes.pptVIP

Signature Schemes;Outline;[4] Variants of the ElGamal Signature Scheme; Let p be a prime such that the DL problem in Zp* is intractable, and let q be a prime that divides p-1. Let α be a qth root of 1 modulo p. Define K={ (p,q,α,a,β):β=αa mod p } p,q,α,β are the public key, a is private; For a (secret) random number k, define sig(x,k)=(γ,δ), where γ=hash(x||αk ) andδ=k+aγ mod q For a message (x,(γ,δ)), verification is done by performing the following computations: ver(x,(γ,δ))=true iff. hash(x||αδβ-γ)=γ ; If the signature was construct correctly, the verification will succeed since αδβ-γ=αk+aγα-aγ=αk;(Schnorr Signature Scheme Example) We take q=101, p=78q+1=7879, α=170, a=75, then β=17075 mod 7879=4567 To sign the message m=15, Alice selects k=50; Then γ=hash(15||17050), δ=5+75*γ mod 101 (15,(γ,δ)) is the signed message ;(2) Digital Signature Algorithm; For a (secret) random number k, define sig (x,k)=(γ,δ), where γ=(αk mod p) mod q and δ=(SHA-1(x)+aγ)k-1 mod q For a message (x,(γ,δ)), verification is done by performing the following computations: e1=SHA-1(x)*δ-1 mod q e2=γ*δ-1 mod q ver(x,(γ,δ))=true iff. (αe1βe2 mod p) mod q=γ ; Notice that the verification requires to compute: e1=SHA-1(x)*δ-1 mod q e2=γ*δ-1 mod q when δ=0 (it is possible!), Alice should re-construct a new signature with a new k; Take q=101, p=78q+1=7879, α=170, a=75; then β=4567 To sign the message SHA-1(x)=22, Alice selects k=50; Then γ=(17050 mod 7879) mod 101=94, δ=(22+75*94)50-1 mod 101=97 (x, (94,97)) is the signed message; The signature (94,97) on the message digest 22 can be verify by the following computations: δ-1=97-1 mod 101=25 e1=22*25 mod 101=45 e2=94*25 mod 101=27 (17045*456727 mod 7879) mod 101 = 94 =γ;(3) Elliptic Curve DSA; For a (secret) random number k, define sig (x,k)=(r,s), where kA=(u,v), r=u mod q and s=k-1(SHA-1(x)+mr) mod q For a message (x,(r,s)), verification is done by performing the following computations: i=