1 / 19

Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol

Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol. Source:Information Processing Letters , Volume 87 ,  Issue 3  , August 2003, pp.169-171 Author:Olivier Markowitch and Shahrokh Saeednia Speaker:Kuo-Wei Weng Date:. Outline. Introduction

angelarodriguez
Télécharger la présentation

Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cryptanalysis of the Wu–Varadhrajan Fair Exchange Protocol Source:Information Processing Letters , Volume 87 ,  Issue 3  , August 2003, pp.169-171 Author:Olivier Markowitch and Shahrokh Saeednia Speaker:Kuo-Wei Weng Date:

  2. Outline • Introduction • The Wu–Varadhrajan Fair Exchange Protocol • Attack • Conclusion

  3. Introduction • A fair exchange protocol consists of two entities • that wish to exchange digital signatures in such a way • At the end of the protocol either both signatures • are correctly exchanged or none of them is indeed • received

  4. Introduction Cont’ • TTP (Trusted Third Party) • acts as a judge when possible disputes occur • stays off-line • is needed only when there is a dispute

  5. The Wu–Varadhrajan Fair Exchange Protocol • The protocol is based on the DSS signature • scheme • DSS(Digital Signature Standard) is based on • discrete logarithm problem

  6. The Wu–Varadhrajan Fair Exchange Protocol Cont’ 1. The DSS TTP: chooses two large public primes p and q q is a large factor of p−1 a public generator g for the subgroup of Z∗pof order q Signer: chooses randomly an integer x ∈ Zqas private key computes y = gxmod p as public key

  7. The Wu–Varadhrajan Fair Exchange Protocol Cont’ Signature Generation: h is a public hash function The signer randomly chooses: k ∈ Z∗q, computes r = (gkmod p) mod q s =k−1(h(m) + xr) mod q The signature is the pair (r, s)

  8. The Wu–Varadhrajan Fair Exchange Protocol Cont’ Signature Verification: The verifier computes: u1= h(m)s−1 mod q u2= rs−1 mod q The signature is accepted as valid if r ≡ (gu1yu2 mod p) mod q

  9. The Wu–Varadhrajan Fair Exchange Protocol Cont’ Because r ≡ (gu1yu2 mod p) mod q and r = (gk mod p) mod q Proof:gu1yu2= gk gu1yu2 =gh(m)s-1* yrs-1(y = gx) =gh(m)s-1+xrs-1 =gs-1(h(m)+xr) (s =k−1(h(m) + xr)) =gk

  10. The Wu–Varadhrajan Fair Exchange Protocol Cont’ 2. Committed Signature Each user and the TTP agree on two random secrets v and w ∈ Zq The user is also given the following public information issued by the TTP: γ = gvmod p γ’= gv−1 mod p λ = γ’wγmod p

  11. The Wu–Varadhrajan Fair Exchange Protocol Cont’ Committed Signature Generation: Signer: computes r and s as a DSS signature u1= h(m)s−1 mod q u2= rs−1 mod q Then computes v’= v−1(h(m) + wγ) mod q α= gu1 mod p β = yu2 mod p δ = yv’mod p

  12. The Wu–Varadhrajan Fair Exchange Protocol Cont’ r = (αβ mod p) mod q c = r−1h(m) mod q e = h(α,β, δ, c) z = (v’+ eu1) mod q The committed signature is (α,β, δ, z)

  13. The Wu–Varadhrajan Fair Exchange Protocol Cont’ Committed Signature Verification: The verifier computes: r = (αβ mod p) mod q c = r−1h(m) mod q e = h(α,β, δ, c) The committed signature is accepted if gz≡ γ’h(m)λαe (mod p) and yz≡ δβce (mod p)

  14. The Wu–Varadhrajan Fair Exchange Protocol Cont’ • 3. Final signature • After the exchange of the committed signatures and • successful verification by the entities, they exchange • their final digital signature consisting of their respective • DSS signatures • The final signatures can also be provided by the TTP, thanks to its knowledge of v and w. Knowing the committed signature (α,β, δ, z) of one entity communicated by the other entity, the TTP can • compute

  15. Attack During an instance of the protocol, the committed signature on a message m is (α,β, δ, z). The recipient of such a committed signature can compute:r,c,e when this committed signature is converted into the corresponding final signature, the recipient knows the related u1 and is able to compute v’= z −eu1

  16. Attack Cont’ If the protocol is executed again for another message m2, the recipient will be able to compute v2’= z2− e2u21 In the same way,the recipient can compute: a = v’v2’ −1 mod q and a = (h(m) + wγ)(h(m2)+ wγ)−1 mod q

  17. Attack Cont’ Then: h(m2)a + waγ = h(m)+ wγ mod q w(aγ − γ ) = h(m) −h(m2)a mod q w = h(m)− h(m2)a(aγ − γ )−1 mod q Since γ is public, the recipient can compute wand subsequently vas v = v’−1(h(m) +wγ) mod q

  18. Attack Cont’ • After two complete executions of the • Wu–Varadhrajan protocol, the recipient knows vand • w(modulo q) of the signer • With this information, the recipient of a committed signature is able to convert it into a final signature, exactly in the same way as the TTP does

  19. Conclusion • The authors show that the Wu–Varadhrajan protocol is not secure . After two executions of the protocol, • a dishonest participant is able to obtain the secret • information of the other participant

More Related