Upload
sade-beachem
View
216
Download
0
Tags:
Embed Size (px)
Citation preview
Efficient Signature Gen-eration by Smart Cards
20103112 Suk Ki Kim20103114 Sunyeong Kim
1. Introduction 2. What is the problem in RSA 3. ESG Feature 4. Key Authentication Center 5. Introduce existing Chaum 6. Minimizing the Number of Communication Bits 7. Comparison Chaum and ESG 8. Signature Generation / Verification 9. Efficiency 10. Hash Function h 11. Performance Analyze 12. Preprocessing
Contents
Writer : C.P.Schnorr (Universitat Frankfurt) This paper presents an efficient algorithm
for generating public-key signatures which is particularly suited for interactions be-tween smart cards and terminals.
This paper presents a new public-key sig-nature scheme and a corresponding au-thentication scheme that are based on dis-crete logarithms.
1. Introduction
2. What is the problem in RSA
nCM
nMC
MnM
d
e
ed
mod
mod
mod
1. Computation amount is message de-pendent!
2. Require many modular multiplications
1. minimizes the message-dependent amount of computation.
2. signature generation can be done during the idle time of the processor.
3. The length of signatures is about 212 bits, it is less than half of the length of RSA signatures.
3. ESG Feature
Key Authentication Center(KAC) Chooses• Primes p and q such that, • with order q,• A one-way hash function h:• Its own private and public key• The KAC publishes p,q, , h and its
public key.
4. Key Authentication Cen-ter
512140 2,2 pq
pZ 1),(mod1 pq
}12,...,0{ tp ZZ
4. Key Authentication Cen-ter
KAC
User
Name,Address,ID number,EtcRegister re-quest
KAC verifies its identityGenerates an identification number Iand generates a Signatures S for the pair (I,v) consisting of I and the user’s public key v.
A user generates by himself a private key s which is a random number in {1,2,…,q}.The corresponding public key v is the number
)(mod pv s
5. Introduce existing chaum
A picks a random number }1,...,1{ qr
)(mod: px rand computes
I,v,S,xVerifies the signa-tures S and sends a random number }12,...,0{ tee
y := r + se(mod q)
y)(mod pvx ey
Prover A
Verifier B
The Authentication protocol
A fraudulent A’ can cheat by guess-ing the correct e
The probability of success for this attack is
5. Introduce existing chaum
rypvx er :),(mod: t2
6. Minimizing the Number of Communica-tion Bits
A picks a random number }1,...,1{ qr
)(mod: px rand computes
I,v,S
Verifies the signa-tures S and sends a random number }12,...,0{ tee
y := r + se(mod q)
y)(mod pvx ey
Prover A
Verifier B
The Authentication protocol
h(x)
Check that h(x) = xh
7. Comparison Chaum and ESG
I,v,S,x
e
y
I,v,S
ey
h(x)
px r mod: 5122p,
}12,...,0{ tp ZZA one-way hash function h:
284),,(724),,(
140),,(140512),,(
SvIQSvIQ
ttSvIQtSvIQ
8. Signature Generation / Verification
I, v, (S)
e : t bits, y : 140 bits
I, s, v, (S)
Pick random r
Check I, v, (S)
)(mod: pvx ey
),( mxhe
)(mod: px r
),(: mxhe
)(mod: qsery Check that
α, q, p, hMessage m
Signature Genera-tion
Signature Verifica-tion
9. Efficiency
Signature Generation• Preprocessing• Compute se (mod q) (from e = r + se (moe q))
Signature Verification• )log(25.05.1 2 qltl
10. Hash Function h
Possible Attack I
• Given a Message m find a signature for m• collision-free for x•Uniform with respect to x•
• Uniformly distributed : 2t step for attack-
ing
)}12,...,0{( tet
x emxhob 2]),([Pr
10. Hash Function h (cont’d)
Possible Attack II
• Chosen message attack. Sign an un-signed message m of your choice.• One-way in the argument m• If not, the probability of attack success =
1
• depend on 140 bits of x
10. Hash Function h (cont’d)
About Message m• Not necessary collision-free• H(x,m) = h(x, m’)• Signature for m’ = x’• Can’t use to sign m
11. Performance Analyze
New Scheme
t=27
Fiat-Shamir
k=9, t=8RSA GQ
Signature generation(without preprocess-ing)
0 44 750 180
Preprocessing 210 0 0 0
Signature verification 228 44 >2 180
Number of multiplica-tions
12. Preprocessing
During idle time An exponentiation of a
random number (xi,ri) • Initialize by KAC• Use random combination pair
)(mod pr r
},...,1{ qr
12. Preprocessing Algo-rithm
Each smart cards have own algorithm Example algorithm
Initiation. Load ri,xi for i = 1, … ,k, ν := 1
1. pick a random permutation a of {1,…,k}2. r := rν+2rν -1 (mod q), x := x ν xν -1
2 (mod p), u := r, z := x3. for i = k,…,1 do {u := ra(i) + 2u (mod q), z := xa(i)z2
(mod p)4. rν := u, xν := z, ν := ν+1 (mod k), go to 1 for the nest round
Finally, , )(mod2:r
2
1
1)( qr
k
i
iia
)(mod:2
1
2)(
1
pxxk
iia
i
(Quasi-independent form the old pairs.)
Chaum, D.,Evertse, J.H. and van de Graaf, J, “An Im-proved Protocol For Demonstrating Possession of Dis-crete Logarithms and Some Generalizations”, Ad-vanced in Cryptology, EUROCRYPT’ 87. Lecture Notes in Computer Science 304 (1988). Pp. 127-141
Kevin S.M., “The Discrete Logarithm Problem”, Pro-ceedings of Symposia in Applied Mathematics Vol-ume 42, 1990
H. Cohen, “A Course in Computational Algebraic Number Theory”, Springer, 1996.
Reference
Q & A