1 / 22

The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme

The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme. 姓名:林文茂 學號: D9521003. Willy Susilo, Rei Safavi-Naini, Marc Gysin and Jennifer Seberry. A New and Efficient Fail-stop Signature Scheme. The COMPUTER JOURNAL, Vol. 43, No. 5, 2000.

diem
Télécharger la présentation

The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. The Cryptanalysis on A New and Efficient Fail-stop Signature Scheme 姓名:林文茂 學號:D9521003 • Willy Susilo, Rei Safavi-Naini, Marc Gysin and Jennifer Seberry. A New and Efficient Fail-stop Signature Scheme. The COMPUTER JOURNAL, Vol. 43, No. 5, 2000. • Katja Schmidt-Samoa. Factorization-based Fail-Stop Signature Revised. Advanced in Cryptology – EOROCRYPT 2004.

  2. Outline • Introduction • Review of fail-stop signatures schemes • Properties of fail-stop signature scheme • The proposed scheme • Cryptanalysis on the scheme • The reparation solution • Future research • Discussion

  3. Introduction • FSS: A polynomially bounded signer can be protected against a forger with unlimited computational power. • The security in an ordinary digital signature schemes remains computational. • An enemy with unlimited computing power can always forge a signature. • In a FSS, in the case of forgery, the presumed signer can provide a proof that a forgery has happened. This is by showing that the underlying computational assumption of the system is broken.

  4. Review of fail-stop signatures schemes • Ordinary signatures schemes: • Key generation: a two-party protocol between the signer and the centre to generate a pair of keys. • Sign: the algorithm used for signature generation. • Test: the algorithm for testing acceptability of a signature.

  5. Review of fail-stop signatures schemes • Fail-stop signatures schemes : • Key generation: • Sign: • Test: • Proof : an algorithm for proving a forgery. • Proof-test: an algorithm for verifying that the proof of forgery is valid.

  6. Properties of fail-stop signature scheme • Properties of an ordinary signature scheme • Correctness: If the signer signs a message, the recipient must be able to verify the signature. • Recipient’s security: A polynomially bounded forger cannot create forged signatures that successfully pass the verification test.

  7. Properties of fail-stop signature scheme • Properties of fail-stop signature scheme • Correctness: • Recipient’s security: • Signer's security:When a forger with an unlimited computational power succeeds in forging a signature that passes the verification test, the presumed signer can construct a proof of forgery and convince a third party that a forgery has occurred. • Non-reputability: A polynomially bounded signer cannot create a signature that he can later prove to be a forgery.

  8. unlimited computational power pass the verification test successfully Question the forgery General concept Signature on message Accept the signature Receiver : R Signer : S verification test Enemy polynomially bounded userproof of forgery

  9. The proposed scheme • Prekey generation: trusted center T • T chooses two large safe primes p and q. • T finds a prime P such that n = pq divides P − 1. • Finally T selects an element α such that the multiplicative order ofαmodulo P is p • α, n and P are sent to the signer via an authenticated channel.

  10. The proposed scheme • Key generation: • S chooses and computes • α1 =αk1 mod P • α2 =αk2 mod P • The private key is ( k1, k2 ) and the public key is (α1,α2).

  11. The proposed scheme • Signing a message m: • To sign a message , S computes • s = k1m + k2 mod n • and publishes s as his signature on m. • Testing a signature: • s passes the test if... • αs = α1mα2 mod P holds.

  12. The proposed scheme • Proof of forgery: • If there is a forged signature s’ which passes the test, the presumed sender can generate his own signature, namely s, on the same message, and the following equation will hold: • Or • Hence, a non-trivial factor of n can be found by computing gcd(s −s’, n ). The probability of s being equal to s’ is 1/q

  13. Enemy Test: Private keys: Signature on m : s = k1m + k2 mod n Public keys: Forge a signature s` Pass the test successfully Signer S creates his own signature s Question signer with s` Receiver Proved : s` is a forgery Break n=pq Trusted center T {n, P, α} {n, P, α}

  14. Cryptanalysis on the scheme • Acceptable signature: A signature that can pass the test by receiver R. • Provable forged signature: An adversary `A` forges an acceptable signature and can be proved as a forgery later by the signer, S. • Unprovable forged signature: An adversary `A` forges an acceptable signature and the signer `S` is unable to prove it as a forgery.

  15. Cryptanalysis on the scheme • How can a forged acceptable signature that can not to be proved as a forgery : • An acceptable signature s* on a message m*≠m is unprovable if s* equals S’s own signature on m*. • Assume the secret key of S equals (k1, k2). • The corresponding public key (α1, α2) is defined as: • α1≡αk1 mod P • α2≡αk2 mod P

  16. Cryptanalysis on the scheme • Let (s, m) be a signature/message pair that S has created using his secret keys (k1, k2), i.e. s ≡k1+mk2 mod n • To construct a computationally unbounded adversary A who is able to compute unprovable forged signatures... For a suitable integer x : m* = m +qx

  17. Cryptanalysis on the scheme • A solves the discrete logarithm problem and obtains k2’ such that α2≡αk2 mod P holds. As the multiplicative order of α equals p therefore : k2’ ≡ k2mod p • In the same manner and with the help of Chinese Remainder Theorem, A constructs k1’ k1’ ≡ k1mod p And k1’ ≡ s--mk2’mod q

  18. Cryptanalysis on the scheme • The key-pair (k1’ , k2’ ) can be used to construct signatures that S cannot prove to be forgeries. • Proof. • Define s* ≡ k1’ +m*k2’mod n • As last slide implies:s ≡k1+mk2 ≡k1’ +mk2’ mod n • So that s* equals S’s signature on m* : s* ≡ k1’ +m*k2’ ≡ k1’ +mk2’ +qxk2’ ≡ k1 +mk2 + qxk2’ ≡ k1 +mk2 +qxk2 ≡ k1 +m*k2mod n ............#

  19. Enemy Test: Private keys: Signature on m : s = k1 + mk2 mod n Public keys: Forge a signature s* on m*=m+qx Pass the test successfully Signer S creates his own signature s Question signer with s* Receiver s* is a successful unprovable forgery S: unable to break n=pq Trusted center T {n, P, α} {n, P, α}

  20. The reparation solution A possible countermeasure is to reduce the message space M to {0,1,2,...,q-1}. In this case, the security provided in the proposed Seberry’s scheme becomes sound.

  21. Future Research • To revise the proposed scheme such that the forgeries are provable by signer for any m. • Further improve the revised scheme such that the receiver will also be protected. • Construct some other approaches for fail-stop signature scheme.

  22. Discussion

More Related