
Zuhua Shao, Applied Mathematics and Computation, Vol. 159, Issue 2, pp. 391-399, Dec. 2004



Presentation Transcript


  1. Improvement of digital signature with message recovery using self-certified public keys and its variants
     Zuhua Shao, Applied Mathematics and Computation, Vol. 159, Issue 2, pp. 391-399, Dec. 2004
     Speaker: Chi-Yu Liu

  2. Introduction
     • In the paper, the author shows that Tseng et al.'s scheme is vulnerable to several attacks.
     • The author combines the concepts of self-certified public keys and signatures with message recovery.
     • The proposed scheme has two properties when a signature is verified:
       • the signer's public key is authenticated at the same time;
       • the receiver obtains the message.

  3. Notations
     • p, q: p = 2p' + 1, q = 2q' + 1, where p' and q' are primes known only to the trusted authority (TA).
     • N: N = p·q.
     • g: a base element of order p'·q'.
     • h(): a one-way function.
     • ID_i: the identity of user i.
     • (X_i, Y_i): the key pair of user i, where Y_i = (PK_i − ID_i)^{h(ID_i)^{-1}} mod N.
     • (e_i, d_i): a key pair used in RSA.

  4. Self-Certified Public Key
     • The notion of self-certified public keys was first introduced by Girault in 1991.
     User i:
       1. Select a random secret key X_i.
       2. Compute PK_i = g^{X_i} mod N.
       3. Send PK_i, ID_i to the TA.
     TA:
       4. Compute and publish user i's public key Y_i = (PK_i − ID_i)^{h(ID_i)^{-1}} mod N.
     Anyone can then reconstruct Y_i^{h(ID_i)} + ID_i = g^{X_i} mod N.

  5. Message Recovery based on RSA
     • Message recovery for an RSA signature works as follows.
     User i:
       1. Compute the signature and the ciphertext: S = M^{d_A} mod N_A, C = S^{e_B} mod N_B.
       2. Send C to user j.
     User j:
       3. Recover and verify the message: M = (C^{d_B} mod N_B)^{e_A} mod N_A.

  6. Message Recovery based on Discrete Logarithm (DL)
     • The original DL-based signature could not provide message recovery.
     • In 1993, Nyberg and Rueppel first proposed a message recovery scheme based on DL.

  7. Nyberg and Rueppel's Message Recovery Scheme
     • An authenticated encryption scheme is one application.
     User i:
       1. Select random c, k.
       2. Compute the signature: R_1 = g^c mod p, R_2 = M·g^{-k} mod p, R_3 = Y_j^c·R_2 mod p, S = k − X_i·R_2 mod p.
       3. Send R_1, R_3, S to user j.
     User j:
       4. Compute R_2 = R_3·R_1^{-X_j} mod p.
       5. Verify and recover the message: M = g^S·Y_i^{R_2}·R_2 mod q.

  8. Tseng et al.'s Signature Scheme (Applied Mathematics and Computation, Vol. 136, No. 2-3, 2003)
     • Signature scheme with message recovery
     User i:
       1. Select a random k.
       2. Compute the signature (R, S): R = M·g^{-k} mod N, S = k − X_i·h(R).
       3. Send R, S to user j.
     User j:
       4. Recover the message: M = R·g^S·(Y_i^{h(ID_i)} + ID_i)^{h(R)} mod N.
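The key issuance of slide 4 and the message-recovery signature of slide 8, worked through in Python as an added illustration (not code from the paper or the presentation). It uses constructed toy parameters p' = 11, q' = 23, g = 4 and a stand-in hash h built on SHA-256, and also exercises the property from slide 2: recovering with a key the TA certified for a different identity, or with a tampered S, does not yield M.

```python
"""Toy model of slides 4 and 8: self-certified public keys and Tseng et al.'s
signature with message recovery.  Added illustration, not the paper's code;
all parameters are tiny constructed values and are not secure."""
import hashlib

# Constructed toy parameters: p = 2p'+1 = 23, q = 2q'+1 = 47, N = 1081.
P_PRIME, Q_PRIME = 11, 23
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)
ORD = P_PRIME * Q_PRIME        # 253, the order of g; exponents live mod ORD
LAM = 2 * ORD                  # lcm(p-1, q-1), computable only by the TA
G = 4                          # order 11 mod 23 and 23 mod 47, so order 253 mod N
assert pow(G, ORD, N) == 1 and pow(G, P_PRIME, N) != 1 and pow(G, Q_PRIME, N) != 1

def h(*parts: int) -> int:
    """Toy one-way function: SHA-256 folded into the unit group mod LAM so the
    TA's inverse h(ID)^-1 always exists (a real system uses a full-size hash
    and rejects identities whose h(ID) is not invertible)."""
    digest = hashlib.sha256(",".join(map(str, parts)).encode()).digest()
    u = pow(5, int.from_bytes(digest, "big"), ORD)   # 5 is a unit mod ORD
    return u if u % 2 else u + ORD                   # odd => unit mod LAM

def ta_certify(pk: int, ident: int) -> int:
    """Slide 4, step 4: Y = (PK - ID)^(h(ID)^-1) mod N."""
    return pow((pk - ident) % N, pow(h(ident), -1, LAM), N)

def reconstruct_pk(y: int, ident: int) -> int:
    """Anyone: Y^h(ID) + ID mod N equals g^X only for the key the TA certified."""
    return (pow(y, h(ident), N) + ident) % N

def sign(x: int, m: int, k: int) -> tuple:
    """Slide 8, signer: R = M g^-k mod N, S = k - X h(R) (reduced mod ORD)."""
    r = m * pow(G, (-k) % ORD, N) % N
    return r, (k - x * h(r)) % ORD

def recover(r: int, s: int, y: int, ident: int) -> int:
    """Slide 8, receiver: M = R g^S (Y^h(ID) + ID)^h(R) mod N."""
    return r * pow(G, s, N) * pow(reconstruct_pk(y, ident), h(r), N) % N

def demo() -> dict:
    # Constructed users: (X_i, ID_i) = (3, 5) signs; (X_j, ID_j) = (7, 9) is another user.
    y_i = ta_certify(pow(G, 3, N), 5)
    y_j = ta_certify(pow(G, 7, N), 9)
    m = 777                                     # message; must be below N here
    r, s = sign(3, m, k=42)
    return {"pk_ok": reconstruct_pk(y_i, 5) == pow(G, 3, N),
            "recovered": recover(r, s, y_i, 5),            # 777
            "other_key": recover(r, s, y_j, 9),            # M g^{(X_j-X_i) h(R)} != 777
            "bad_sig": recover(r, (s + 1) % ORD, y_i, 5)}  # 777 * g mod N = 946

if __name__ == "__main__":
    print(demo())
```

In a real deployment the receiver rejects the recovered value unless it carries the agreed redundancy, which is what turns "other_key" and "bad_sig" into verification failures.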

  9. Tseng et al.'s Signature Scheme (Applied Mathematics and Computation, Vol. 136, No. 2-3, 2003)
     • Authenticated encryption scheme
     User i:
       1. Select a random k.
       2. Compute the signature (R, S): R = M·(Y_j^{h(ID_j)} + ID_j)^{-k} mod N, S = k − X_i·h(R).
       3. Send R, S to user j.
     User j:
       4. Recover the message: M = R·(g^S·(Y_i^{h(ID_i)} + ID_i)^{h(R)})^{X_j} mod N.

  10. Tseng et al.'s Signature Scheme (Applied Mathematics and Computation, Vol. 136, No. 2-3, 2003)
     • Authenticated encryption scheme with message linkages
     User i:
       1. Divide the message into blocks M = {M_1, M_2, …, M_n}.
       2. Compute the signature set: r_0 = 0; choose a random k; t = (Y_j^{h(ID_j)} + ID_j)^k mod N; r_i = M_i·h(r_{i−1} ⊕ t) mod N; R = h(r_1 ∥ r_2 ∥ … ∥ r_n); S = k − X_i·R.
       3. Send R, S, r_1, r_2, …, r_n to user j.
     User j:
       4. Compute R' = h(r_1 ∥ r_2 ∥ … ∥ r_n) and check R' ?= R.
       5. Compute g^k = g^S·(Y_i^{h(ID_i)} + ID_i)^R mod N and t = (g^k)^{X_j}.
       6. Recover and verify each block: M_i = r_i·h(r_{i−1} ⊕ t)^{-1} mod N.

  11. Receiver Insider Forgery Attack on Tseng et al.'s Authenticated Encryption Scheme
     • The TA and the receiver conspire.
       1. Let M' be any message. Compute d = M'/M, R' = d·R mod N, S' = S·h(R')·h(R)^{-1} mod p'q'.
       2. Choose X_j'. Compute PK_j' = g^{X_j'} mod N.
       3. Send PK_j', ID_j' to the TA.
       4. The TA publishes the public key Y_j' = (PK_j' − ID_j')^{h(ID_j')^{-1}} mod N.
     They can then claim that {R', S'} is the signature of the message M'.

  12. Forward Security of Tseng et al.'s Authenticated Encryption Scheme
       1. Assume that a third party has learned the message M.
       2. M = R·(g^S·(Y_i^{h(ID_i)} + ID_i)^{h(R)})^{X_j} mod N = R·(g^{X_i X_j})^{h(R)}·(Y_j^{h(ID_j)} + ID_j)^S mod N.
       3. The third party can derive the value g^{X_i X_j}, and henceforth can use it to recover all messages.

  13. TA Arbitration (Authenticated encryption scheme with message linkages)
     • When there is a dispute over the signed message, the signer and the receiver should reveal the value t.
       1. Signer: t_i = (Y_j^{h(ID_j)} + ID_j)^k mod N.
       2. Receiver: g^k = g^S·(Y_i^{h(ID_i)} + ID_i)^R mod N, t_j = (g^k)^{X_j}. Both send t_i and t_j to the TA.
          Since t = (g^{X_i X_j})^R·(Y_j^{h(ID_j)} + ID_j)^S mod N, the TA can derive (g^{X_i X_j})^R.
       3. Verify with r_i = M_i·h(r_{i−1} ⊕ t) mod N and R = h(r_1 ∥ r_2 ∥ … ∥ r_n).

  14. Improvement of the Signature Scheme
     User i:
       1. Divide the message into blocks M = {M_1, M_2, …, M_n}.
       2. Compute the signature set: r_0 = 0; choose a random k; t = (Y_j^{h(ID_j)} + ID_j)^k mod N; e = g^k mod N; r_i = M_i·h(r_{i−1} ⊕ t) mod N; R = h(M, e); S = k − X_i·R.
       3. Send R, S, r_1, r_2, …, r_n to user j.
     User j:
       4. Compute g^k = g^S·(Y_i^{h(ID_i)} + ID_i)^R mod N and t = (g^k)^{X_j}.
       5. Recover each block: M_i = r_i·h(r_{i−1} ⊕ t)^{-1} mod N.
       6. Verify the signature: R ?= h(M, g^S·(Y_i^{h(ID_i)} + ID_i)^R mod N).

  15. Conclusion
     • The author points out that Tseng et al.'s authenticated encryption scheme suffers from insider attacks and has a forward security weakness.
     • When there is a dispute over the signed message, the third party obtains knowledge of g^{X_i X_j}.
     • The author addresses these weaknesses and proposes an improved scheme.

  16. Comment – Based on FAC and DL
     • The system parameters are chosen by a trusted authority (TA):
       • P = 4·p_1·q_1 + 1
       • p_1 = 2·p_2 + 1
       • q_1 = 2·q_2 + 1
       • N = p_1·q_1
       • g is an element of order p_1·p_2 in Z_P
       • The TA chooses p_1, p_2, q_1, q_2 and P all to be primes.
     • Each user selects a private key X in Z_N such that gcd(X^2, N) = 1; the public key is y = g^{X^2} mod P.

  17. Comment – Based on FAC and DL
     • Signature scheme with message recovery
     User i:
       1. Select a random T in Z_N such that gcd(T^2, N) = 1.
       2. Compute the signature (R, S): R = M·g^{-T^2} mod P, S = T^2 − X_i^2·H(R) mod N.
       3. Send R, S to user j.
     User j:
       4. Recover the message: M = R·g^S·Y_i^{H(R)} mod P.

  18. Authenticated encryption scheme
     User i:
       1. Select a random T in Z_N such that gcd(T^2, N) = 1.
       2. Compute the signature (R, S): R = M·Y_j^{-T^2} mod P, S = T^2 − X_i·H(R) mod N.
       3. Send R, S to user j.
     User j:
       4. Recover the message: M = R·(g^S·Y_i^{H(R)})^{X_j} mod P.

  19. Authenticated encryption scheme with message linkages
     User i:
       1. Divide the message into blocks M = {M_1, M_2, …, M_n}.
       2. Compute the signature set: r_0 = 0; choose a random T in Z_N such that gcd(T^2, N) = 1; t = Y_j^{T^2} mod P; r_i = M_i·H(r_{i−1} ⊕ t) mod P; R = h(r_1 ∥ r_2 ∥ … ∥ r_n); S = T^2 − X_i^2·R mod N.
       3. Send R, S, r_1, r_2, …, r_n to user j.
     User j:
       4. Compute R' = h(r_1 ∥ r_2 ∥ … ∥ r_n) and check R' ?= R.
       5. Compute g^{T^2} = g^S·Y_i^R and t = (g^{T^2})^{X_j} mod P.
       6. Recover and verify each block: M_i = r_i·H(r_{i−1} ⊕ t)^{-1} mod P.
