Information Technology Reference
In-Depth Information
setup the protocol off-line, interactive and in secure-way then the actual serving
works on-line.
Initialization
Server
A
i
Coordinator
1. Chooses the secret key
x ∈
Z
p
3. Repeatedly selects a random
and computes the public key
value
α
i
∈ Z
q
until the value
y
=
g
x
(mod
p
). The key
y
t
i
=
g
α
i
u
i
(mod
p
) belongs to
Z
q
,
then he sends
t
i
to the coordinator.
is the identifier of the group.
≤ i ≤ n
,
5. Computes
x
i
=
v
i
+
α
i
(mod
q
)
2. chooses, for each 1
a random value
z
i
∈ Z
q
,
and checks the equality
computes
u
i
=
g
z
i
(mod
p
) and
g
x
i
=
y
t
i
t
i
(mod
p
).
sends
u
i
to the
i
-th server.
If the equality holds, he accepts
x
i
4. Computes
v
i
=
t
i
x
+
z
i
(mod
q
) and
as its secret key.
sends this value to the
i
-th server.
Actual serving
Signing a message
M
Verification of
(
M, s, r, t
i
)
Server
A
i
Client
1. Computes
m
=
H
(
M
).
1. Fetches the key
y
from the registry.
2. Chooses a random
k
.
2. Computes
h
=
H
(
M
).
3. Computes
r
=
mg
−k
(mod
p
).
3. Computes
l
=
g
s
(
y
t
i
t
i
)
r
r
(mod
p
)
.
4. Computes
s
=
k − rx
i
(mod
q
).
4. Accepts the signature if
h
=
l
.
5. Sends (
M, s, r, t
i
) to the client.
5 Security and Computational Analysis
Since our anycast scheme is an applicatiom of a signature delegation scheme, it
basically inherits the security properties of the original signature scheme ([7])
and of the signature delegation scheme ([9],[6]):
-
Identifiability.
The group coordinator can determine the identity of an any-
cast server
A
i
from the value
t
i
being a part of the server's signature.
-
Nonrepudiability.
The server
A
i
cannot deny that either he (or someone to
whom he revealed his secret) is the author of the signature, since the value
s
is based on the value
x
i
known only to
A
i
.
Everyone (in particular, the
client) can verify his authorship using his public key. The cooperation of
the coordinator is necessary to identify the signature author, based on the
value
t
i
. To create a valid signature
s
which is verifiable using the value
t
i
,
knowledge of
x
i
is necessary.
-
Anycast server's deviation
. Only the group coordinator can authorize a new
anycast server. An existing anycast server cannot do the same, since knowl-
edge of the secret key
x
is necessary to create a secret key for a new server.
Finding a suitable value of
t
i
to be used in the above verification algorithm
is as dicult as finding the value of
x
, and basically requires solving the
discrete logarithm problem.