Cryptanalysis of a digital signature scheme based on factoring and discrete logarithms


Academic year: 2021


Hung-Min Sun (孫宏民)
Department of Computer Science and Information Engineering
National Cheng Kung University
Tainan, Taiwan 70101
Email: [email protected]

ABSTRACT

Recently, He proposed a new digital signature scheme based on the difficulties of simultaneously solving the factoring problem and the discrete logarithms problem. In this paper, we show that He’s digital signature scheme is insecure against forgery if the discrete logarithms problem is solved.

Keywords: Cryptography, Digital Signature, Factoring, Discrete Logarithms

Chinese abstract (translated): Recently, He proposed a new digital signature algorithm based on simultaneously solving the factoring and discrete logarithms problems. In this paper, we prove that He’s digital signature algorithm is insecure if the discrete logarithms problem is solved.

Keywords (translated): Cryptography, Digital Signature, Factoring, Discrete Logarithms

1. Introduction

Since Harn [1] presented the first digital signature scheme based on two hard problems – the factoring problem [2] and the discrete logarithms problem [3], several digital signature schemes, based on the difficulties of simultaneously solving these two hard problems, have been proposed [4,5,8]. All these schemes were designed to provide the advantage that once one hard problem is solved, these schemes are still secure against forgery. Unfortunately, most of them have been shown to be insecure against forgery. For example, Harn’s scheme [1] was shown to be insecure [4] if the discrete logarithms problem is solved; He and Kiesler’s scheme [5] was shown to be insecure [6-7]; and Shao’s schemes [8] were shown to be not sufficiently secure [9-10]. Recently, He [11] proposed a new digital signature scheme based on the difficulties of simultaneously solving the factoring and discrete logarithms problems. In this paper, we show that He’s digital signature scheme is still insecure against forgery if the discrete logarithms problem is solved.

2. Review of He’s digital signature scheme

In this section, we briefly review He’s digital signature scheme as follows:

Initialisation: The trusted center of the system selects a large prime $P$ satisfying $P = 4 p_1 \cdot q_1 + 1$, where $p_1 = 2 p_2 + 1$, $q_1 = 2 q_2 + 1$ and $p_1, p_2, q_1, q_2$ are all primes. Let $R = (P-1)/4 = p_1 \cdot q_1$. The trusted center selects an element $g$ with order $R$ in $Z_P$. The system parameters $P$ and $g$ are made public, while $p_1, p_2, q_1, q_2$ are all discarded. Each user in the system selects a private key $x \in Z_R$ such that $\gcd((x + x^{-1})^2, R) = 1$, where $x \cdot x^{-1} = 1 \pmod{R}$, and the corresponding public key is $y = g^{(x + x^{-1})^2} \pmod{P}$.

Digital signature generation: In order to generate a digital signature on a message $m$, the signer first selects a random integer $t \in Z_R$ such that $\gcd((t + t^{-1})^2, R) = 1$. Then he computes $r_1 = g^{(t + t^{-1})^2} \pmod{P}$ and $r_2 = g^{(t + t^{-1})^{-2}} \pmod{P}$. Finally, he computes $s$ which satisfies the following congruence:

$$x + x^{-1} = s \cdot (t + t^{-1}) + f(r_1, r_2, m) \cdot (t + t^{-1})^{-1} \pmod{R} \qquad \text{Eq.(1)}$$

where $f$ is a one-way hash function. Thus, $(r_1, r_2, s)$ is a valid digital signature on the message $m$.

Digital signature verification: Upon receiving a digital signature $(r_1, r_2, s)$ associated with $m$ with respect to the signer, anyone can verify the validity of the digital signature by checking whether the following congruence holds or not:

$$y = r_1^{s^2} \cdot r_2^{f^2(r_1, r_2, m)} \cdot g^{2 s \cdot f(r_1, r_2, m)} \pmod{P} \qquad \text{Eq.(2)}$$

If this congruence holds, then $(r_1, r_2, s)$ is a valid digital signature on the message $m$. Here we call Eq.(2) the signature verification equation. In the following, we show that Eq.(2) holds if Eq.(1) holds.

Because $x + x^{-1} = s \cdot (t + t^{-1}) + f(r_1, r_2, m) \cdot (t + t^{-1})^{-1} \pmod{R}$, it is obvious that

$$y = g^{(x + x^{-1})^2} \pmod{P}$$
$$= g^{s^2 \cdot (t + t^{-1})^2 + 2 \cdot s \cdot f(r_1, r_2, m) + f^2(r_1, r_2, m) \cdot (t + t^{-1})^{-2}} \pmod{P}$$
$$= [g^{(t + t^{-1})^2}]^{s^2} \cdot g^{2 \cdot s \cdot f(r_1, r_2, m)} \cdot [g^{(t + t^{-1})^{-2}}]^{f^2(r_1, r_2, m)} \pmod{P}$$
$$= r_1^{s^2} \cdot r_2^{f^2(r_1, r_2, m)} \cdot g^{2 s \cdot f(r_1, r_2, m)} \pmod{P}.$$

3. Cryptanalysis of He’s scheme

We assume that an attacker knows a previous valid digital signature $(r_1, r_2, s)$ on a message $m$ with respect to the signer. Assuming that the discrete logarithms problem is solved, the attacker can easily obtain $(t + t^{-1})^{-2} \pmod{R}$ by solving the discrete logarithm $\log_g r_2$ in $Z_P$. Thus, the attacker can forge another valid digital signature $(r_1, r_2, \tilde{s})$ on an arbitrary message $\tilde{m}$ with respect to the signer by assigning

$$\tilde{s} = [f(r_1, r_2, m) - f(r_1, r_2, \tilde{m})] \cdot (t + t^{-1})^{-2} + s \pmod{R}.$$

Theorem 1. The triple $(r_1, r_2, \tilde{s})$ satisfies:

$$y = r_1^{\tilde{s}^2} \cdot r_2^{f^2(r_1, r_2, \tilde{m})} \cdot g^{2 \tilde{s} \cdot f(r_1, r_2, \tilde{m})} \pmod{P}.$$

Proof: Because $(r_1, r_2, s)$ is a valid digital signature, the equation Eq.(1) holds. That is, $x + x^{-1} = s \cdot (t + t^{-1}) + f(r_1, r_2, m) \cdot (t + t^{-1})^{-1} \pmod{R}$. Because $\tilde{s} = (f(r_1, r_2, m) - f(r_1, r_2, \tilde{m})) \cdot (t + t^{-1})^{-2} + s \pmod{R}$, it is clear that

$$\tilde{s} \cdot (t + t^{-1}) + f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} \pmod{R}$$
$$= \{[f(r_1, r_2, m) - f(r_1, r_2, \tilde{m})] \cdot (t + t^{-1})^{-2} + s\} \cdot (t + t^{-1}) + f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} \pmod{R}$$
$$= [f(r_1, r_2, m) - f(r_1, r_2, \tilde{m})] \cdot (t + t^{-1})^{-1} + s \cdot (t + t^{-1}) + f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} \pmod{R}$$
$$= f(r_1, r_2, m) \cdot (t + t^{-1})^{-1} - f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} + s \cdot (t + t^{-1}) + f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} \pmod{R}$$
$$= f(r_1, r_2, m) \cdot (t + t^{-1})^{-1} + s \cdot (t + t^{-1}) \pmod{R}$$
$$= x + x^{-1} \pmod{R}, \text{ by Eq.(1)}.$$

That is, $x + x^{-1} = \tilde{s} \cdot (t + t^{-1}) + f(r_1, r_2, \tilde{m}) \cdot (t + t^{-1})^{-1} \pmod{R}$. Hence, the signature verification equation

$$y = r_1^{\tilde{s}^2} \cdot r_2^{f^2(r_1, r_2, \tilde{m})} \cdot g^{2 \tilde{s} \cdot f(r_1, r_2, \tilde{m})} \pmod{P}$$

holds.

4. Conclusions

In this paper, we have shown that He’s digital signature scheme, based on the factoring and discrete logarithms problems simultaneously, is not secure against forgery if the discrete logarithms problem is solved.

Acknowledgments

This work was supported in part by the National Science Council, Taiwan, under contract NSC-90-2213-E-006-111.
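The scheme of Section 2 and the forgery of Section 3 can be checked numerically with the following added example, which is not code from the paper. The toy parameters P = 461 and R = 115, SHA-256 reduced mod R standing in for the hash f, the fixed choices of x and t, and the exhaustive search standing in for the assumed discrete-logarithm solver are all assumptions made for illustration.

```python
import hashlib
from math import gcd

# Toy parameters (constructed): P = 4*p1*q1 + 1 with p1 = 5 = 2*2+1, q1 = 23 = 2*11+1.
P, R = 461, 115
# g = h^4 has order dividing R; keep the first candidate whose order is exactly R = 5*23.
g = next(c for c in (pow(h, 4, P) for h in range(2, P))
         if pow(c, 5, P) != 1 and pow(c, 23, P) != 1)

def f(r1, r2, m):
    """Assumed stand-in for the one-way hash f(r1, r2, m), reduced mod R."""
    return int.from_bytes(hashlib.sha256(f"{r1}|{r2}|{m}".encode()).digest(), "big") % R

def blind(u):
    """Return u + u^-1 mod R."""
    return (u + pow(u, -1, R)) % R

def pick(start):
    """First u >= start with gcd(u, R) = 1 and gcd((u + u^-1)^2, R) = 1."""
    return next(u for u in range(start, R) if gcd(u, R) == 1 and gcd(blind(u), R) == 1)

def keygen(start=2):
    x = pick(start)          # fixed start for reproducibility; the scheme picks x at random
    return x, pow(g, blind(x) ** 2, P)

def sign(x, m, start=40):
    a = blind(pick(start))   # a = t + t^-1; the scheme picks t at random
    r1, r2 = pow(g, a * a, P), pow(g, pow(a, -2, R), P)
    a_inv = pow(a, -1, R)
    s = (blind(x) - f(r1, r2, m) * a_inv) * a_inv % R    # solve Eq.(1) for s
    return r1, r2, s

def verify(y, m, sig):
    r1, r2, s = sig
    h = f(r1, r2, m)
    return y == pow(r1, s * s, P) * pow(r2, h * h, P) * pow(g, 2 * s * h, P) % P  # Eq.(2)

def forge(m, sig, m_new):
    """Section 3: needs only the public values and one valid signature, never x."""
    r1, r2, s = sig
    k = next(e for e in range(R) if pow(g, e, P) == r2)  # toy DLP: k = (t + t^-1)^-2 mod R
    return r1, r2, ((f(r1, r2, m) - f(r1, r2, m_new)) * k + s) % R

if __name__ == "__main__":
    x, y = keygen()
    sig = sign(x, "message m")
    forged = forge("message m", sig, "message m~")
    print(verify(y, "message m", sig), verify(y, "message m~", forged))
```
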

REFERENCES

[1] HARN, L.: ‘Public-key cryptosystem design based on factoring and discrete logarithms’, IEE Proc. Comput. Digit. Tech., 1994, 141, (3), pp. 193-195
[2] RIVEST, R., SHAMIR, A., and ADLEMAN, L.: ‘A method for obtaining digital signature and public-key cryptosystem’, Commun. ACM, 1978, 21, (2), pp. 120-126
[3] ELGAMAL, T.: ‘A public key cryptosystem and signature scheme based on discrete logarithms’, IEEE Tran. Information Theory, 1985, IT-31, (4), pp. 469-472
[4] LEE, N. Y., and HWANG, T.: ‘Modified Harn signature scheme based on factorizing and discrete logarithms’, IEE Proc. Comput. Digit. Tech., 1996, 143, (3), pp. 196-198
[5] HE, J., and KIESLER, T.: ‘Enhancing the security of ElGamal’s signature scheme’, IEE Proc. Comput. Digit. Tech., 1994, 141, (4), pp. 249-252
[6] HARN, L.: ‘Comment: Enhancing the security of ElGamal’s signature scheme’, IEE Proc. Comput. Digit. Tech., 1995, 142, (5), pp. 376
[7] LEE, N. Y., and HWANG, T.: ‘The security of He and Kiesler’s signature schemes’, IEE Proc. Comput. Digit. Tech., 1995, 142, (5), pp. 370-372
[8] SHAO, Z.: ‘Signature schemes based on factoring and discrete logarithms’, IEE Proc. Comput. Digit. Tech., 1998, 145, (1), pp. 33-36
[9] LI, J., and XIAO, G.: ‘Remarks on new signature scheme based on two hard problems’, Electron. Lett., 1998, 34, (25), pp. 2401
[10] LEE, N. Y.: ‘Security of Shao’s signature schemes based on factoring and discrete logarithms’, IEE Proc. Comput. Digit. Tech., 1999, 146, (2), pp. 119-121
[11] HE, W. H.: ‘Digital signature scheme based on factoring and discrete logarithms’, Electron. Lett., 2001, 37, (4), pp. 220-222
