Efficient Signature Gen-eration by Smart Cards

20103112 Suk Ki Kim20103114 Sunyeong Kim

1. Introduction 2. What is the problem in RSA 3. ESG Feature 4. Key Authentication Center 5. Introduce existing Chaum 6. Minimizing the Number of Communication Bits 7. Comparison Chaum and ESG 8. Signature Generation / Verification 9. Efficiency 10. Hash Function h 11. Performance Analyze 12. Preprocessing

Contents

Writer : C.P.Schnorr (Universitat Frankfurt) This paper presents an efficient algorithm

for generating public-key signatures which is particularly suited for interactions be-tween smart cards and terminals.

This paper presents a new public-key sig-nature scheme and a corresponding au-thentication scheme that are based on dis-crete logarithms.

1. Introduction

2. What is the problem in RSA

nCM

nMC

MnM

d

e

ed

mod

mod

mod

1. Computation amount is message de-pendent!

2. Require many modular multiplications

1. minimizes the message-dependent amount of computation.

2. signature generation can be done during the idle time of the processor.

3. The length of signatures is about 212 bits, it is less than half of the length of RSA signatures.

3. ESG Feature

Key Authentication Center(KAC) Chooses• Primes p and q such that, • with order q,• A one-way hash function h:• Its own private and public key• The KAC publishes p,q, , h and its

public key.

4. Key Authentication Cen-ter

512140 2,2 pq

pZ 1),(mod1 pq

}12,...,0{ tp ZZ

4. Key Authentication Cen-ter

KAC

User

Name,Address,ID number,EtcRegister re-quest

KAC verifies its identityGenerates an identification number Iand generates a Signatures S for the pair (I,v) consisting of I and the user’s public key v.

A user generates by himself a private key s which is a random number in {1,2,…,q}.The corresponding public key v is the number

)(mod pv s

5. Introduce existing chaum

A picks a random number }1,...,1{ qr

)(mod: px rand computes

I,v,S,xVerifies the signa-tures S and sends a random number }12,...,0{ tee

y := r + se(mod q)

y)(mod pvx ey

Prover A

Verifier B

The Authentication protocol

A fraudulent A’ can cheat by guess-ing the correct e

The probability of success for this attack is

5. Introduce existing chaum

rypvx er :),(mod: t2

6. Minimizing the Number of Communica-tion Bits

A picks a random number }1,...,1{ qr

)(mod: px rand computes

I,v,S

Verifies the signa-tures S and sends a random number }12,...,0{ tee

y := r + se(mod q)

y)(mod pvx ey

Prover A

Verifier B

The Authentication protocol

h(x)

Check that h(x) = xh

7. Comparison Chaum and ESG

I,v,S,x

e

y

I,v,S

ey

h(x)

px r mod: 5122p,

}12,...,0{ tp ZZA one-way hash function h:

284),,(724),,(

140),,(140512),,(

SvIQSvIQ

ttSvIQtSvIQ

8. Signature Generation / Verification

I, v, (S)

e : t bits, y : 140 bits

I, s, v, (S)

Pick random r

Check I, v, (S)

)(mod: pvx ey

),( mxhe

)(mod: px r

),(: mxhe

)(mod: qsery Check that

α, q, p, hMessage m

Signature Genera-tion

Signature Verifica-tion

9. Efficiency

Signature Generation• Preprocessing• Compute se (mod q) (from e = r + se (moe q))

Signature Verification• )log(25.05.1 2 qltl

10. Hash Function h

Possible Attack I

• Given a Message m find a signature for m• collision-free for x•Uniform with respect to x•

• Uniformly distributed : 2t step for attack-

ing

)}12,...,0{( tet

x emxhob 2]),([Pr

10. Hash Function h (cont’d)

Possible Attack II

• Chosen message attack. Sign an un-signed message m of your choice.• One-way in the argument m• If not, the probability of attack success =

1

• depend on 140 bits of x

10. Hash Function h (cont’d)

About Message m• Not necessary collision-free• H(x,m) = h(x, m’)• Signature for m’ = x’• Can’t use to sign m

11. Performance Analyze

New Scheme

t=27

Fiat-Shamir

k=9, t=8RSA GQ

Signature generation(without preprocess-ing)

0 44 750 180

Preprocessing 210 0 0 0

Signature verification 228 44 >2 180

Number of multiplica-tions

12. Preprocessing

During idle time An exponentiation of a

random number (xi,ri) • Initialize by KAC• Use random combination pair

)(mod pr r

},...,1{ qr

12. Preprocessing Algo-rithm

Each smart cards have own algorithm Example algorithm

Initiation. Load ri,xi for i = 1, … ,k, ν := 1

1. pick a random permutation a of {1,…,k}2. r := rν+2rν -1 (mod q), x := x ν xν -1

2 (mod p), u := r, z := x3. for i = k,…,1 do {u := ra(i) + 2u (mod q), z := xa(i)z2

(mod p)4. rν := u, xν := z, ν := ν+1 (mod k), go to 1 for the nest round

Finally, , )(mod2:r

2

1

1)( qr

k

i

iia

)(mod:2

1

2)(

1

pxxk

iia

i

(Quasi-independent form the old pairs.)

Chaum, D.,Evertse, J.H. and van de Graaf, J, “An Im-proved Protocol For Demonstrating Possession of Dis-crete Logarithms and Some Generalizations”, Ad-vanced in Cryptology, EUROCRYPT’ 87. Lecture Notes in Computer Science 304 (1988). Pp. 127-141

Kevin S.M., “The Discrete Logarithm Problem”, Pro-ceedings of Symposia in Applied Mathematics Vol-ume 42, 1990

H. Cohen, “A Course in Computational Algebraic Number Theory”, Springer, 1996.

Reference

Q & A