280 likes | 589 Vues
The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme. 姓名:林文茂 學號: D9521003. Willy Susilo, Rei Safavi-Naini, Marc Gysin and Jennifer Seberry. A New and Efficient Fail-stop Signature Scheme. The COMPUTER JOURNAL, Vol. 43, No. 5, 2000.
E N D
The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme 姓名:林文茂 學號:D9521003 • Willy Susilo, Rei Safavi-Naini, Marc Gysin and Jennifer Seberry. A New and Efficient Fail-stop Signature Scheme. The COMPUTER JOURNAL, Vol. 43, No. 5, 2000. • Katja Schmidt-Samoa. Factorization-based Fail-Stop Signature Revised. Advanced in Cryptology – EOROCRYPT 2004.
Outline • Introduction • Review of fail-stop signatures schemes • Properties of fail-stop signature scheme • The proposed scheme • Cryptanalysis on the scheme • The reparation solution • Future research • Discussion
Introduction • FSS: A polynomially bounded signer can be protected against a forger with unlimited computational power. • The security in an ordinary digital signature schemes remains computational. • An enemy with unlimited computing power can always forge a signature. • In a FSS, in the case of forgery, the presumed signer can provide a proof that a forgery has happened. This is by showing that the underlying computational assumption of the system is broken.
Review of fail-stop signatures schemes • Ordinary signatures schemes: • Key generation: a two-party protocol between the signer and the centre to generate a pair of keys. • Sign: the algorithm used for signature generation. • Test: the algorithm for testing acceptability of a signature.
Review of fail-stop signatures schemes • Fail-stop signatures schemes : • Key generation: • Sign: • Test: • Proof : an algorithm for proving a forgery. • Proof-test: an algorithm for verifying that the proof of forgery is valid.
Properties of fail-stop signature scheme • Properties of an ordinary signature scheme • Correctness: If the signer signs a message, the recipient must be able to verify the signature. • Recipient’s security: A polynomially bounded forger cannot create forged signatures that successfully pass the verification test.
Properties of fail-stop signature scheme • Properties of fail-stop signature scheme • Correctness: • Recipient’s security: • Signer's security:When a forger with an unlimited computational power succeeds in forging a signature that passes the verification test, the presumed signer can construct a proof of forgery and convince a third party that a forgery has occurred. • Non-reputability: A polynomially bounded signer cannot create a signature that he can later prove to be a forgery.
unlimited computational power pass the verification test successfully Question the forgery General concept Signature on message Accept the signature Receiver : R Signer : S verification test Enemy polynomially bounded userproof of forgery
The proposed scheme • Prekey generation: trusted center T • T chooses two large safe primes p and q. • T finds a prime P such that n = pq divides P − 1. • Finally T selects an element α such that the multiplicative order ofαmodulo P is p • α, n and P are sent to the signer via an authenticated channel.
The proposed scheme • Key generation: • S chooses and computes • α1 =αk1 mod P • α2 =αk2 mod P • The private key is ( k1, k2 ) and the public key is (α1,α2).
The proposed scheme • Signing a message m: • To sign a message , S computes • s = k1m + k2 mod n • and publishes s as his signature on m. • Testing a signature: • s passes the test if... • αs = α1mα2 mod P holds.
The proposed scheme • Proof of forgery: • If there is a forged signature s’ which passes the test, the presumed sender can generate his own signature, namely s, on the same message, and the following equation will hold: • Or • Hence, a non-trivial factor of n can be found by computing gcd(s −s’, n ). The probability of s being equal to s’ is 1/q
Enemy Test: Private keys: Signature on m : s = k1m + k2 mod n Public keys: Forge a signature s` Pass the test successfully Signer S creates his own signature s Question signer with s` Receiver Proved : s` is a forgery Break n=pq Trusted center T {n, P, α} {n, P, α}
Cryptanalysis on the scheme • Acceptable signature: A signature that can pass the test by receiver R. • Provable forged signature: An adversary `A` forges an acceptable signature and can be proved as a forgery later by the signer, S. • Unprovable forged signature: An adversary `A` forges an acceptable signature and the signer `S` is unable to prove it as a forgery.
Cryptanalysis on the scheme • How can a forged acceptable signature that can not to be proved as a forgery : • An acceptable signature s* on a message m*≠m is unprovable if s* equals S’s own signature on m*. • Assume the secret key of S equals (k1, k2). • The corresponding public key (α1, α2) is defined as: • α1≡αk1 mod P • α2≡αk2 mod P
Cryptanalysis on the scheme • Let (s, m) be a signature/message pair that S has created using his secret keys (k1, k2), i.e. s ≡k1+mk2 mod n • To construct a computationally unbounded adversary A who is able to compute unprovable forged signatures... For a suitable integer x : m* = m +qx
Cryptanalysis on the scheme • A solves the discrete logarithm problem and obtains k2’ such that α2≡αk2 mod P holds. As the multiplicative order of α equals p therefore : k2’ ≡ k2mod p • In the same manner and with the help of Chinese Remainder Theorem, A constructs k1’ k1’ ≡ k1mod p And k1’ ≡ s--mk2’mod q
Cryptanalysis on the scheme • The key-pair (k1’ , k2’ ) can be used to construct signatures that S cannot prove to be forgeries. • Proof. • Define s* ≡ k1’ +m*k2’mod n • As last slide implies:s ≡k1+mk2 ≡k1’ +mk2’ mod n • So that s* equals S’s signature on m* : s* ≡ k1’ +m*k2’ ≡ k1’ +mk2’ +qxk2’ ≡ k1 +mk2 + qxk2’ ≡ k1 +mk2 +qxk2 ≡ k1 +m*k2mod n ............#
Enemy Test: Private keys: Signature on m : s = k1 + mk2 mod n Public keys: Forge a signature s* on m*=m+qx Pass the test successfully Signer S creates his own signature s Question signer with s* Receiver s* is a successful unprovable forgery S: unable to break n=pq Trusted center T {n, P, α} {n, P, α}
The reparation solution A possible countermeasure is to reduce the message space M to {0,1,2,...,q-1}. In this case, the security provided in the proposed Seberry’s scheme becomes sound.
Future Research • To revise the proposed scheme such that the forgeries are provable by signer for any m. • Further improve the revised scheme such that the receiver will also be protected. • Construct some other approaches for fail-stop signature scheme.