190 likes | 196 Vues
Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol. Source:Information Processing Letters , Volume 87 , Issue 3 , August 2003, pp.169-171 Author:Olivier Markowitch and Shahrokh Saeednia Speaker:Kuo-Wei Weng Date:. Outline. Introduction
E N D
Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol Source:Information Processing Letters , Volume 87 , Issue 3 , August 2003, pp.169-171 Author:Olivier Markowitch and Shahrokh Saeednia Speaker:Kuo-Wei Weng Date:
Outline • Introduction • The Wu–Varadhrajan Fair Exchange Protocol • Attack • Conclusion
Introduction • A fair exchange protocol consists of two entities • that wish to exchange digital signatures in such a way • At the end of the protocol either both signatures • are correctly exchanged or none of them is indeed • received
Introduction Cont’ • TTP (Trusted Third Party) • acts as a judge when possible disputes occur • stays off-line • is needed only when there is a dispute
The Wu–Varadhrajan Fair Exchange Protocol • The protocol is based on the DSS signature • scheme • DSS(Digital Signature Standard) is based on • discrete logarithm problem
The Wu–Varadhrajan Fair Exchange Protocol Cont’ 1. The DSS TTP: chooses two large public primes p and q q is a large factor of p−1 a public generator g for the subgroup of Z∗pof order q Signer: chooses randomly an integer x ∈ Zqas private key computes y = gxmod p as public key
The Wu–Varadhrajan Fair Exchange Protocol Cont’ Signature Generation: h is a public hash function The signer randomly chooses: k ∈ Z∗q, computes r = (gkmod p) mod q s =k−1(h(m) + xr) mod q The signature is the pair (r, s)
The Wu–Varadhrajan Fair Exchange Protocol Cont’ Signature Verification: The verifier computes: u1= h(m)s−1 mod q u2= rs−1 mod q The signature is accepted as valid if r ≡ (gu1yu2 mod p) mod q
The Wu–Varadhrajan Fair Exchange Protocol Cont’ Because r ≡ (gu1yu2 mod p) mod q and r = (gk mod p) mod q Proof:gu1yu2= gk gu1yu2 =gh(m)s-1* yrs-1(y = gx) =gh(m)s-1+xrs-1 =gs-1(h(m)+xr) (s =k−1(h(m) + xr)) =gk
The Wu–Varadhrajan Fair Exchange Protocol Cont’ 2. Committed Signature Each user and the TTP agree on two random secrets v and w ∈ Zq The user is also given the following public information issued by the TTP: γ = gvmod p γ’= gv−1 mod p λ = γ’wγmod p
The Wu–Varadhrajan Fair Exchange Protocol Cont’ Committed Signature Generation: Signer: computes r and s as a DSS signature u1= h(m)s−1 mod q u2= rs−1 mod q Then computes v’= v−1(h(m) + wγ) mod q α= gu1 mod p β = yu2 mod p δ = yv’mod p
The Wu–Varadhrajan Fair Exchange Protocol Cont’ r = (αβ mod p) mod q c = r−1h(m) mod q e = h(α,β, δ, c) z = (v’+ eu1) mod q The committed signature is (α,β, δ, z)
The Wu–Varadhrajan Fair Exchange Protocol Cont’ Committed Signature Verification: The verifier computes: r = (αβ mod p) mod q c = r−1h(m) mod q e = h(α,β, δ, c) The committed signature is accepted if gz≡ γ’h(m)λαe (mod p) and yz≡ δβce (mod p)
The Wu–Varadhrajan Fair Exchange Protocol Cont’ • 3. Final signature • After the exchange of the committed signatures and • successful verification by the entities, they exchange • their final digital signature consisting of their respective • DSS signatures • The final signatures can also be provided by the TTP, thanks to its knowledge of v and w. Knowing the committed signature (α,β, δ, z) of one entity communicated by the other entity, the TTP can • compute
Attack During an instance of the protocol, the committed signature on a message m is (α,β, δ, z). The recipient of such a committed signature can compute:r,c,e when this committed signature is converted into the corresponding final signature, the recipient knows the related u1 and is able to compute v’= z −eu1
Attack Cont’ If the protocol is executed again for another message m2, the recipient will be able to compute v2’= z2− e2u21 In the same way,the recipient can compute: a = v’v2’ −1 mod q and a = (h(m) + wγ)(h(m2)+ wγ)−1 mod q
Attack Cont’ Then: h(m2)a + waγ = h(m)+ wγ mod q w(aγ − γ ) = h(m) −h(m2)a mod q w = h(m)− h(m2)a(aγ − γ )−1 mod q Since γ is public, the recipient can compute wand subsequently vas v = v’−1(h(m) +wγ) mod q
Attack Cont’ • After two complete executions of the • Wu–Varadhrajan protocol, the recipient knows vand • w(modulo q) of the signer • With this information, the recipient of a committed signature is able to convert it into a final signature, exactly in the same way as the TTP does
Conclusion • The authors show that the Wu–Varadhrajan protocol is not secure . After two executions of the protocol, • a dishonest participant is able to obtain the secret • information of the other participant