exchange. For simplicity, we assume that A and B want to share four secrets.
(i) A generates two random short-term secret keys, $k_{A1}$ and $k_{A2}$, and two corresponding public keys, $r_{A1}$ and $r_{A2}$, with $r_{A1} < r_{A2}$. Then, A computes the signature $s_A$ for $\{r_{A1}, r_{A2}\}$ based on any signature variant as listed in Table 1. For example, A obtains $s_A$ by solving the following equation
$$x_A = r_{A1} k_{A1} + r_{A2} k_{A2} + s_A \bmod (p-1)$$
A sends $\{r_{A1}, r_{A2}, s_A, cert(y_A)\}$ to B, where $cert(y_A)$ is the public-key certificate of $y_A$ signed by a trusted party.
(ii) Similarly, B generates $k_{B1}$, $k_{B2}$, $r_{B1}$, $r_{B2}$, $s_B$ and sends $\{r_{B1}, r_{B2}, s_B, cert(y_B)\}$ to A.
(iii) A verifies $\{r_{B1}, r_{B2}\}$ based on the signature $s_B$ and B's public key $y_B$ by checking
Then A computes the shared secret keys as
$$K_1 = r_{B1}^{k_{A1}} \bmod p,\quad K_2 = r_{B1}^{k_{A2}} \bmod p,\quad K_3 = r_{B2}^{k_{A1}} \bmod p,\quad K_4 = r_{B2}^{k_{A2}} \bmod p$$
(iv) Similarly, B first computes the corresponding verification value mod $p$ and verifies $\{r_{A1}, r_{A2}\}$. Then, B computes the shared secret keys as
$$K_1 = r_{A1}^{k_{B1}} \bmod p,\quad K_2 = r_{A2}^{k_{B1}} \bmod p,\quad K_3 = r_{A1}^{k_{B2}} \bmod p,\quad K_4 = r_{A2}^{k_{B2}} \bmod p$$
Discussion: We point out here that we have modified the original protocol [8] in the signature signing and verification equations. Two recent attacks [10, 11] on the original protocol cannot work successfully against this modified protocol. The modification does not increase the computational load, and the key agreement protocol does not involve any additional one-way hash function.
The signatures $s_A$ and $s_B$ satisfy the following equations:
$$x_A = r_{A1} k_{A1} + r_{A2} k_{A2} + s_A \bmod (p-1)$$
$$x_B = r_{B1} k_{B1} + r_{B2} k_{B2} + s_B \bmod (p-1)$$
By multiplying these two equations together, we obtain
$$\begin{aligned} x_A x_B = {} & r_{A1} r_{B1} k_{A1} k_{B1} + r_{A1} r_{B2} k_{A1} k_{B2} + r_{A1} s_B k_{A1} \\ & + r_{A2} r_{B1} k_{A2} k_{B1} + r_{A2} r_{B2} k_{A2} k_{B2} + r_{A2} s_B k_{A2} \\ & + s_A r_{B1} k_{B1} + s_A r_{B2} k_{B2} + s_A s_B \bmod (p-1) \end{aligned}$$
In other words, we have
If the adversary knows four consecutive shared secret keys, he can solve for the long-term shared secret $K_{AB}$. Thus, to achieve perfect forward secrecy, we should limit ourselves to using only three out of the four shared secret keys. The protocol can be generalised to enable A and B to share $n^2 - 1$ secrets if each user computes and sends $n$ Diffie-Hellman public keys in each pass. Since each user only needs to generate (verify) one signature for $n$ different Diffie-Hellman public keys to establish $n^2 - 1$ shared secret keys, this new protocol is very efficient.
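As an added worked example (not code from the Letter), the two-pass exchange of steps (i) to (iv) and the Discussion's observation that the four shared keys together determine $g^{x_A x_B}$, run over constructed toy parameters ($p = 1019$, $g = 2$, a fixed seed). The verification check used here is derived from the signing equation, since the Letter's own verification equation is not reproduced on this page, and is an assumption.

```python
import random

P, G = 1019, 2             # constructed toy parameters: p = 1019 is prime and 2 generates Z_p^*
RNG = random.Random(2001)  # fixed seed so the run is repeatable

def keygen():
    """Long-term key pair: secret x and the certified public key y = g^x mod p."""
    x = RNG.randrange(2, P - 1)
    return x, pow(G, x, P)

def pass_message(x):
    """One pass: two short-term keys, their DH public values ordered r1 < r2, and the
    signature s solved from x = r1*k1 + r2*k2 + s mod (p-1)."""
    while True:
        k1, k2 = RNG.randrange(1, P - 1), RNG.randrange(1, P - 1)
        r1, r2 = pow(G, k1, P), pow(G, k2, P)
        if r1 != r2:
            break
    if r1 > r2:
        k1, k2, r1, r2 = k2, k1, r2, r1
    s = (x - r1 * k1 - r2 * k2) % (P - 1)
    return (k1, k2), (r1, r2, s)

def verify(y, msg):
    """Assumed check, derived from the signing equation (the Letter's own verification
    equation is not reproduced on this page): g^x = r1^r1 * r2^r2 * g^s mod p."""
    r1, r2, s = msg
    return y == pow(r1, r1, P) * pow(r2, r2, P) * pow(G, s, P) % P

def keys_for_A(kA, msgB):
    """Step (iii): K1 = g^(kA1 kB1), K2 = g^(kA2 kB1), K3 = g^(kA1 kB2), K4 = g^(kA2 kB2)."""
    rB1, rB2, _ = msgB
    return [pow(rB1, kA[0], P), pow(rB1, kA[1], P), pow(rB2, kA[0], P), pow(rB2, kA[1], P)]

def keys_for_B(kB, msgA):
    """Step (iv): the same four keys computed from A's public values."""
    rA1, rA2, _ = msgA
    return [pow(rA1, kB[0], P), pow(rA2, kB[0], P), pow(rA1, kB[1], P), pow(rA2, kB[1], P)]

def long_term_from_four_keys(K, msgA, msgB):
    """The Discussion's point: in the expansion of x_A*x_B every factor other than K1..K4
    is public, so all four keys together give g^(x_A x_B) = y_B^x_A; hence only three of
    the four keys should be used if forward secrecy is wanted."""
    rA1, rA2, sA = msgA
    rB1, rB2, sB = msgB
    K1, K2, K3, K4 = K
    v = pow(K1, rA1 * rB1, P) * pow(K3, rA1 * rB2, P) * pow(rA1, rA1 * sB, P)
    v *= pow(K2, rA2 * rB1, P) * pow(K4, rA2 * rB2, P) * pow(rA2, rA2 * sB, P)
    v *= pow(rB1, sA * rB1, P) * pow(rB2, sA * rB2, P) * pow(G, sA * sB, P)
    return v % P
```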
Conclusion: We have proposed an authenticated key agreement protocol that utilises a digital signature to authenticate Diffie-Hellman public keys. We summarise the features of this new protocol as follows:
(i) Since we integrate the Diffie-Hellman public key in the signature scheme, this approach reduces overall computation.
(ii) Since the protocol does not use any one-way hash function, the security assumption relies solely on solving the discrete logarithm problem.
(iii) This protocol allows two communicating parties to share multiple secret keys in a two-pass interaction.
(iv) The computation for the shared secret keys is simpler than in the MQV protocol.
© IEE 2001
Electronics Letters Online No: 20010441 DOI: 10.1049/el:20010441
L. Harn (Department of Computer Networking, University of Missouri, Kansas City, MO 64110, USA)
H.-Y. Lin (Computer Science Department, California State University, San Marcos, CA 92096-0001, USA)
14 March 2001
References
1 DIFFIE, W., and HELLMAN, M.E.: 'New directions in cryptography', IEEE Trans. Inf. Theory, 1976, IT-22, (6), pp. 644-654
2 ARAZI, A.: 'Integrating a key cryptosystem into the digital signature standard', Electron. Lett., 1993, 29, (11), pp. 966-967
3 NYBERG, K., and RUEPPEL, R.A.: 'Message recovery for signature scheme based on the discrete logarithm problem'. Proc. Eurocrypt '94, May 1994, pp. 175-190
4 ELGAMAL, T.: 'A public-key cryptosystem and a signature scheme based on discrete logarithms', IEEE Trans. Inf. Theory, 1985, IT-31, pp. 469-472
5 DOBBERTIN, H.: 'The status of MD5 after a recent attack', CryptoBytes, 1996, 2, (2), pp. 1-6
6 MENEZES, A.J., QU, M., and VANSTONE, S.A.: 'Some key agreement protocols providing implicit authentication'. 2nd Workshop Selected Areas in Cryptography, 1995
7 IEEE P1363/Editorial Contribution (Draft). In http://stdsbbs.ieee.org/groups/1363/edcont.html
8 HARN, L., and LIN, H.Y.: 'An authenticated key agreement protocol without using one-way function'. Proc. 8th Nat. Conf. Information Security, Kaohsiung, Taiwan, May 1998, pp. 155-160
9 HARN, L.: 'Digital signatures for Diffie-Hellman public keys without using one-way function', Electron. Lett., 1997, 33, (2), pp. 125-126
10 YEN, S.M., and JOYE, M.: 'Improved authenticated multiple-key agreement protocol', Electron. Lett., 1998, 34, (18), pp. 1738-1739
11 WU, T.S., HE, W.H., and HSU, C.L.: 'Security of authenticated multiple-key agreement protocols', Electron. Lett., 1999, 35, (5), pp. 391-392
12 LIM, C.H., and LEE, P.J.: 'Security of interactive DSA batch verification', Electron. Lett., 1994, 30, (19), pp. 1592-1593
Cryptanalysis on improved user efficient blind signatures
C.-I. Fan and C.-L. Lei
Shao proposed a blind signature scheme based on the Fan-Lei scheme. It is shown here that Shao's scheme is not secure. Also, Shao claimed that the Fan-Lei scheme is not really blind; however, this claim is demonstrated as not being true.
Introduction: In 1996, Fan and Lei proposed a blind signature scheme based on quadratic residues (QRs) [1], and they also presented an enhanced version of the scheme to reduce the computation for requesters or users [2]. In [3], Shao proposed a blind signature scheme based on the Fan-Lei scheme [2]. However, we find that Shao's scheme cannot withstand Pollard-Schnorr attacks [4]. Besides, Shao claimed that the Fan-Lei blind signature scheme [2] is not really blind. In this Letter, we also show that Shao's claim is not true.
Attacks on Shao's blind signature scheme: Shao proposed a blind signature scheme based on the Fan-Lei scheme in [3]. We show that Pollard-Schnorr attacks [4] are valid on Shao's scheme as follows. In the scheme of [3], the tuple $(c, s)$ is a signature of $m$, and it can be verified by checking if
$$H(m)\, s^2 (c^2 + 1) = 1 \bmod n \qquad (1)$$
An attacker can choose a message $m$ and then derive $(w, y)$ in polynomial time such that
$$w^2 + y^2 = H(m)^{-1} \bmod n$$
through the method introduced by [4] without knowing the factorisation of $n$. Thus, the attacker has that $H(m)\, y^2 ((y^{-1} w)^2 + 1) = 1 \bmod n$. Let $s = y \bmod n$ and $c = y^{-1} w \bmod n$. The attacker can form a valid signature $(c, s)$ of $m$ such that eqn. 1 is satisfied without knowing $p$ or $q$. Hence, Shao's scheme cannot withstand Pollard-Schnorr attacks [4].
630 ELECTRONICS LETTERS 10th May 2001 Vol. 37 No. 10
Shao's claim: In [3], Shao claimed that the Fan-Lei blind signature scheme [2] is not really blind. We show below that Shao's claim is not true. In the Fan-Lei blind signature scheme [2], the signer can keep a set of records $\{(\alpha_i, \beta_i, x_i, t_i) \mid \text{for every instance } i \text{ of the protocol}\}$, where
$$\alpha_i = H(m_i)(u_i^2 + v_i^2) \bmod n$$
$$\beta_i = b_i^2 (u_i x_i + v_i) \bmod n$$
Assume that the signature $(H(m), c, s)$ of a message $m$ is revealed by the requester or user, where
$$c = b^2 (u - vx)\beta^{-1} \bmod n = (u - vx)/(ux + v) \bmod n$$
$$s = bt \bmod n$$
$$s^4 = H(m)(c^2 + 1) \bmod n$$
and $u$, $v$, $b$ are secret parameters selected by the requester or user. Given $(H(m), c, s)$, the signer can derive a triple $(u_i', v_i', b_i')$ for each stored record $(\alpha_i, \beta_i, x_i, t_i)$ through the following:
$$b_i' = s\, t_i^{-1} \bmod n$$
$$u_i' x_i + v_i' = \beta_i (b_i')^{-2} = \beta_i t_i^2 s^{-2} \bmod n$$
$$u_i' - v_i' x_i = c\,(u_i' x_i + v_i') = c\, \beta_i t_i^2 s^{-2} \bmod n$$
From the above equations, the signer can evaluate
$$u_i' = \beta_i t_i^2 s^{-2} (x_i + c)(x_i^2 + 1)^{-1} \bmod n$$
$$v_i' = \beta_i t_i^2 s^{-2} \left(1 - x_i (x_i + c)(x_i^2 + 1)^{-1}\right) \bmod n$$
Thus, we have that
$$\begin{aligned}
H(m)\left((u_i')^2 + (v_i')^2\right)
&= H(m)\beta_i^2 t_i^4 s^{-4}\left((x_i + c)^2 (x_i^2+1)^{-2} + \left(1 - x_i(x_i + c)(x_i^2+1)^{-1}\right)^2\right) \\
&= H(m)\beta_i^2 t_i^4 s^{-4}\left((x_i + c)^2 (x_i^2+1)^{-2} + 1 - 2x_i(x_i + c)(x_i^2+1)^{-1} + x_i^2 (x_i + c)^2 (x_i^2+1)^{-2}\right) \\
&= H(m)\beta_i^2 t_i^4 s^{-4}\left((x_i + c)^2 (x_i^2+1)^{-1} + 1 - 2x_i(x_i + c)(x_i^2+1)^{-1}\right) \\
&= H(m)\beta_i^2 t_i^4 s^{-4}\left((x_i + c)(x_i^2+1)^{-1}(c - x_i) + 1\right) \\
&= H(m)\beta_i^2 t_i^4 s^{-4}(x_i^2+1)^{-1}\left((x_i + c)(c - x_i) + (x_i^2 + 1)\right) \\
&= H(m)\beta_i^2 t_i^4 s^{-4}(x_i^2+1)^{-1}(c^2 + 1) \\
&= H(m)\beta_i^2\, \alpha_i (x_i^2+1)\beta_i^{-2}\, s^{-4}(x_i^2+1)^{-1}(c^2 + 1) \\
&= H(m)\alpha_i s^{-4}(c^2 + 1) \\
&= H(m)\alpha_i \left(H(m)(c^2+1)\right)^{-1}(c^2 + 1) \\
&= \alpha_i \bmod n
\end{aligned}$$
Hence, given $(H(m), c, s)$, the signer can derive $(u_i', v_i', b_i')$ for each stored record $(\alpha_i, \beta_i, x_i, t_i)$, and the checking equation
$$\alpha_i = H(m)\left((u_i')^2 + (v_i')^2\right) \bmod n$$
is always satisfied. This is the blindness property in the Fan-Lei blind signature scheme [2]. Besides, Shao claimed that a quadratic residue (QR) in $Z_n^*$ possibly does not have a fourth root in $Z_n^*$. The claim is not true. Since $n = pq$ is a Blum integer, i.e. $p$ and $q$ are two distinct primes and $(p \bmod 4) = (q \bmod 4) = 3$, any QR in $Z_n^*$ has a fourth root in $Z_n^*$ [5]. In the Fan-Lei blind signature scheme [2], no modular exponentiation and inverse computations are performed by requesters or users. Moreover, only several modular additions and multiplications are required for a requester or user to obtain and verify a signature in the scheme. However, the scheme of [2] does not decrease the computation load for the signer. In almost all of the applications based on blind signatures, the signer, such as the bank of an electronic cash system or the tally centre of an electronic voting system, usually possesses much more computation capacity than a requester or user, while the computation capacities of the requesters or users are limited in some situations, such as mobile clients and smart-card users. Therefore, it is more urgent to reduce the computation load for the requesters or users than that for the signer.
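As an added worked example (not code from the Letter or from Fan and Lei), the blindness argument above run on a constructed toy Blum integer: one instance of the scheme is reconstructed from the equations for $\alpha$, $\beta$, $c$, $s$ and $s^4$ as given, then the signer's derivation of $(u', v', b')$ is applied to a revealed signature against both its own record and an unrelated one, and the fourth-root routine shows the Blum-integer fact used against Shao's second claim. The primes, the seed and the resampling step are assumptions, and $c$ is computed directly from $(u - vx)/(ux + v)$ rather than by the requester's inverse-free procedure.

```python
import random
from math import gcd

P, Q = 999983, 1000003     # constructed toy primes, both 3 mod 4, so n = pq is a Blum integer
N = P * Q
RNG = random.Random(2001)  # fixed seed so the run is repeatable

def inv(a, n):
    return pow(a, -1, n)

def is_qr(a, p, q):
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1

def fourth_root(a, p, q):
    """Fourth root of a QR modulo the Blum integer pq: for p = 3 (mod 4), a -> a^((p+1)/4) maps a QR
    to its QR square root, so applying it twice gives a fourth root mod p; roots mod p, q are joined by CRT."""
    assert is_qr(a, p, q), "not a quadratic residue mod n"
    rp = pow(a, ((p + 1) // 4) ** 2, p)
    rq = pow(a, ((q + 1) // 4) ** 2, q)
    return (rp * q * inv(q, p) + rq * p * inv(p, q)) % (p * q)

def sign(hm, p, q):
    """One instance: returns the signature (H(m), c, s) the requester obtains and the record
    (alpha, beta, x, t) the signer keeps. Resampling until alpha*(x^2+1) is a QR is a demo simplification."""
    n = p * q
    while True:
        x, u, v, b = (RNG.randrange(2, n) for _ in range(4))
        alpha = hm * (u * u + v * v) % n
        if gcd((u * x + v) * b * (x * x + 1), n) == 1 and is_qr(alpha * (x * x + 1) % n, p, q):
            break
    beta = b * b * (u * x + v) % n                                          # blinded value seen by the signer
    t = fourth_root(alpha * (x * x + 1) * inv(beta * beta, n) % n, p, q)   # t^4 = alpha (x^2+1) beta^-2
    c = (u - v * x) * inv(u * x + v, n) % n                                 # = b^2 (u - vx) beta^-1
    s = b * t % n
    return (hm, c, s), (alpha, beta, x, t)

def verify(sig, n):
    hm, c, s = sig
    return pow(s, 4, n) == hm * (c * c + 1) % n

def link(sig, record, n):
    """Signer's derivation for one stored record: (u', v', b') and whether alpha_i = H(m)((u')^2 + (v')^2)
    holds. It holds for every record, matching or not, which is the blindness property."""
    hm, c, s = sig
    alpha, beta, x, t = record
    b2 = s * inv(t, n) % n
    d = beta * t * t * inv(s * s, n) % n                                    # beta t^2 s^-2 = u'x + v'
    u2 = d * (x + c) * inv(x * x + 1, n) % n
    v2 = d * (1 - x * (x + c) * inv(x * x + 1, n)) % n
    return u2, v2, b2, hm * (u2 * u2 + v2 * v2) % n == alpha
```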
© IEE 2001
Electronics Letters Online No: 20010422 DOI: 10.1049/el:20010422
C.-I. Fan (Telecommunication Laboratories, Chunghwa Telecom Co. Ltd, PO Box 8-210, Shin-Juang, Taiwan 242, Republic of China)
E-mail: [email protected]
C.-L. Lei (Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan 107, Republic of China)
13 February 2001
References
1 FAN, C.I., and LEI, C.L.: 'A multi-recastable ticket scheme for electronic elections'. Advances in Cryptology - ASIACRYPT'96, 1996, Springer-Verlag, LNCS 1163, pp. 116-124
2 FAN, C.I., and LEI, C.L.: 'User efficient blind signatures', Electron. Lett., 1998, 34, (6), pp. 544-546
3 SHAO, Z.: 'Improved user efficient blind signatures', Electron. Lett., 2000, 36, (16), pp. 1372-1374
4 POLLARD, J.M., and SCHNORR, C.P.: 'An efficient solution of the congruence $x^2 + ky^2 = m \pmod n$', IEEE Trans. Inf. Theory, 1987, 33, (5), pp. 702-709
5 MENEZES, A., VAN OORSCHOT, P., and VANSTONE, S.: 'Handbook of applied cryptography' (CRC Press LLC, 1997)
Family size of orthogonal Oppermann sequences
Guozhen Zang and Cong Ling
A supplement is provided for Oppermann's orthogonal sequences with a wide range of correlation properties. It is shown that there exist identical sequences within the sequence set under many circumstances. The number of distinct orthogonal sequences in the sequence set is presented.
Introduction: Oppermann and Vucetic [1] proposed a new family of complex-valued spreading sequences for code division multiple access (CDMA) systems, the wide range of correlation properties of which offers a great variety of trade-offs between auto-correlation and cross-correlation functions. This family includes some specific sequence families, such as the Frank-Zadoff-Chu (FZC) sequences [2, 3]. A subsequent paper by Oppermann [4] proved that there exists an orthogonal subfamily of the new sequences. In this Letter, it is shown that there possibly exist identical sequences in the orthogonal set. The size of the orthogonal set, or the number of distinct sequences, is presented.
Orthogonal Oppermann sequences: Let $N$ be the sequence length. Let $M$ take integer values that are relatively prime to $N$ such that $1 \le M < N$. The set of sequences is defined by $U_{m,p,n}(N) = \{u_M : 1 \le M < N\}$ [1], while the $i$th element of a given sequence $u_M$ is defined by
where $j^2 = -1$ and $m$, $p$, and $n$ are real numbers. The triple $\{m, p, n\}$ specifies the sequence set and determines the characteristics of the sequences. If $p = 1$, each sequence in the set will have the same auto-correlation function magnitude [1]. It was stated in [1] that the maximum number of sequences is determined by Euler's