Download Publicly verifiable authenticated encryption

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
Document related concepts
no text concepts found
Transcript 
Publicly verifiable
authenticated encryption
IEEE Electronics Letters,
Vol. 39, No 19, pp. 13821383, 18th Sep. 2003
Authors: Hsiang-An, Chein-Min Lo
and Tzonelih Hwang
Speaker: Pen-Yi Chang, 2004/10/13
Source:
1
Outline
 Introduction
 Review of MA-Chen Scheme
 Verification problem of the TTP in the
Ma-Chen scheme
 Conclusions
2
Introduction
 Ma-Chen have proposed an authenticated
encryption scheme with public verifiability.
 Ma-Chen scheme, which the TTP can verify
the sender’s signature. How- ever we will
point out the verification problem of the
TTP in the Ma-Chen scheme. This problem
causes the TTP to reject a valid signature
with non-negligible probability.
3
Review of MA-Chen Scheme(1/3)
 Notations:
p, q: large prime number with q|(p-1)
g: generator of order q
H: public one way hash function
xa, xb: secret key of Alice and Bob
ya, yb: public key of Alice and Bob
m:message
k: random number
4
Review of MA-Chen Scheme(2/3)
Alice picks a random number k
Alice
Bob
(c, r , s )
v  ( g  yB ) k mod p
e  v mod q
v  ( g  yB ) s  y Ar ( xB 1) mod p
c  m  ( H (v))1 mod p
m  c  H (v) mod p
r  H (e, H (m))
r  H (e, H (m))
s  k  xA  r mod q
5
Review of MA-Chen Scheme(3/3)
For public verification:
rx
k
s
Bob computes K1  ( yB mod p) mod q  ( yB  y A B mod p) mod q
Bob
TTP
( H (m), K1 , r, s)
e '  ( g s  y Ar  K1 mod p) mod q
r  H (e ', H (m))
6
Problem in TTP verification(1/5)
 The reconstructed e’ by the TTP does not
always equal the original e computed in the
signature of the sender
 Lemma 1:
p, q: two prime number such that p  kq  1
a, b: natural numbers.
Let s  b(mod p mod q)
Then the probability that
ab(mod p mod q)  as(mod p mod q)
k 1
is 1 
p
7
Problem in TTP verification(2/5)
 Proof:
Let b  np  r and r  n ' q  s ,so
b  np  n ' q  s and ab  anp  an ' q  as
Let c  an ' q(mod p mod q) . Then
ab(mod p mod q )  anp  an ' q  as (mod p mod q )
 0  c  as(mod p mod q )
 If c  0(mod p mod q) then,
ab(mod p mod q)  as(mod p mod q)
8
Problem in TTP verification(3/5)
If c  0(mod p mod q) then
ab(mod p mod q)  as(mod p mod q)
 The probability that ab  as(mod p mod q) is
equivalent to the probability that an ' q  0
 Without loss of generality, assume that an ' q(mod p)
is uniformly distributed in Zp .Thus, the
probability that an ' q  0(mod p mod q) is
(k+1)/p
Therefore, probability that ab  as(mod p mod q)
=probability that an ' q  0(mod p mod q)
=1-(k+1)/p
9
Problem in TTP verification(4/5)
 TTP
e '  ( g s  y Ar  K1 ) mod p mod q  ( g k  K1 ) mod p mod q
K1  ( yBs  y Ar xB ) mod p mod q  yBk mod p mod q
 Alice
e  ( g k  yBk ) mod p mod q
 By Lemma 1
(ab
g k(mod
 yBk ) mod
p mod
( g k  Kp1mod
) modq)p mod q
p mod
q) qas(mod
k 1
probability is 1 
p
10
Problem in TTP verification(5/5)
 Example
Let p=23, q=11, g=2, k=10
yB  16 mod 23
,
K1  1610  2 mod 23mod11
e  (g∙yB)kmod p mod q
e’  (gk∙K1)mod p mod q
(2∙16)10mod 23 mod 11 7
(210∙2)mod 23 mod 11 1
e  e'
11
Conclusions
 The inequality between computing e in
signing phase and public verification causes
the TTP to reject a valid signature with nonnegligible probability.
 The TTP will reject a valid signature with
probability 1 – (k+1)/p.
12
Related documents