Cryptanalysis of Shieh-Lin-Yang-Sun Signature Scheme
Vol. 7, No. 4, April 2003, pp. 195-196
Authors: Shin-Jia Hwang and En-Ti Li
Speaker: Hao-Wen Huang
Date: 2004/10/

- Brief review of Shieh et al.’s scheme
- Forgery attack
- Conclusions

Brief review of Shieh et al.’s scheme (1)
p: a large prime (public parameter).
: a primitive element in GF(p) (public parameter).
Xi: Ui’s private key, chosen uniformly between 0 and p-1 such that gcd(Xi, p-1) = 1.
Yi: Ui’s public key, Yi = ()^Xi mod p.

Brief review of Shieh et al.’s scheme (2)
Signature = {ti, ri, S}
1) Compute S = (Yi)^m mod p, for a message m in Zp.
2) Select a random number ki between 1 and p-1.
Compute ri = [m * ()^(-ki)] mod p
3) Solve ti from the following congruence equation:
(S + ti) = (Xi)^(-1) (ki - ri) mod (p-1)

Brief review of Shieh et al.’s scheme (3)
The Signature Verification and Recovery
Step 1) Evaluate the following formula to recover m:
(Yi)^(S+ti) ∙ ri ∙ ()^ri = m mod p
Step 2) Check S ?= (Yi)^m mod p
if the above statement holds, the
authenticity of the initial signature is

Brief review of Shieh et al.’s scheme (4)
The Parallel Multisignature Scheme
The message m is first signed by an initiator
U1, and is then sent separately to all signers.
Finally, U1 is responsible for combining these
individual signatures into a multisignature.

Brief review of Shieh et al.’s scheme (5)
The Serial Multisignature Scheme
In the serial multisignature scheme, the
trusted center can play the role of the public
notary (PN). The responsibility of PN is to
endorse the signatures and manage users’
public keys.

Forgery attack on Shieh et al.’s scheme (1)
One major characteristic of these schemes
is to avoid using one-way hash functions
and message redundancy schemes.
However, this causes a security flaw.

Forgery attack on Shieh et al.’s scheme (2)
The following six steps forge the signature (ti’, ri’, S’):
1) Select a random integer β in {1, 2, ..., p-1} and suppose β = ti’ + S’ mod (p-1).
2) Choose a value of ri’ in GF(p) randomly.
3) Compute the value of ()^ki’ by ()^ki’ = (Yi)^β x ()^ri’ mod p, without knowing the value of ki’.
4) Obtain the message M = ri’ x ()^ki’ mod p.
5) Compute S’ = (Yi)^M mod p.
6) Compute ti’ = β - S’ mod (p-1).

Forgery attack on Shieh et al.’s scheme (3)
(Yi)^(ti’+S’) x ri’ x ()^ri’ mod p
= { (Yi)^(ti’+S’) x M x [()^ki’]^(-1) x ()^ri’ } mod p
= { (Yi)^β x M x [()^ki’]^(-1) x ()^ri’ } mod p
= { ()^ki’ x [()^ri’]^(-1) x M x [()^ki’]^(-1) x ()^ri’ } mod p
= M mod p
Then the message M will pass the verification
S’ = (Yi)^M mod p

To overcome this problem, the
straightforward way is to adopt
message redundancy schemes.
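
The forgery and the suggested remedy, as an added example that is not part of the original slides or the paper: a toy Python model of the signing, recovery and forgery steps above, with an optional redundancy check in the verifier. The prime 2^31 - 1, the name G for the primitive element (its symbol did not survive on this page) and the "15-bit value written twice" redundancy format are assumptions made for illustration.

```python
import secrets
from math import gcd

# Toy public parameters constructed for this example; far too small for real use.
P = 2**31 - 1  # prime p
G = 7          # primitive element of GF(p); "G" is this example's name for it

def keygen():
    """Private X with gcd(X, p-1) = 1 and public Y = G^X mod p."""
    while True:
        x = secrets.randbelow(P - 1)
        if gcd(x, P - 1) == 1:
            return x, pow(G, x, P)

def sign(m, x, y):
    """Signature (t, r, S) on m, following the review slides."""
    s = pow(y, m, P)
    k = 1 + secrets.randbelow(P - 1)
    r = m * pow(G, -k, P) % P
    t = (pow(x, -1, P - 1) * (k - r) - s) % (P - 1)
    return t, r, s

def encode(d):
    """Assumed redundancy format: a 15-bit value written twice."""
    return (d << 15) | d

def has_redundancy(m):
    return m < 2**30 and (m >> 15) == (m & 0x7FFF)

def recover(sig, y, require_redundancy=False):
    """Return the recovered message, or None if the signature is rejected."""
    t, r, s = sig
    m = pow(y, s + t, P) * r * pow(G, r, P) % P
    ok = s == pow(y, m, P) and (not require_redundancy or has_redundancy(m))
    return m if ok else None

def forge(y, beta, r):
    """The six forgery steps: only the public key y is used."""
    gk = pow(y, beta, P) * pow(G, r, P) % P  # G^k' without knowing k'
    m = r * gk % P                           # message the forger ends up with
    s = pow(y, m, P)
    return m, ((beta - s) % (P - 1), r, s)

def count_accepted(y, trials=100):
    """(forgeries accepted as-is, forgeries accepted with the redundancy check)."""
    results = [forge(y, beta=1000 + i, r=i) for i in range(1, trials + 1)]
    plain = sum(recover(sig, y) == m for m, sig in results)
    strict = sum(recover(sig, y, True) is not None for _, sig in results)
    return plain, strict
```

Every forged tuple passes the original recovery and the S check, because the forger never needs to pick M in advance. With the redundancy check enabled, a forged M is accepted only if it happens to match the format, which for this 15-bit format is about one chance in 2^16.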