Cryptography Reference
In-Depth Information
a counterfeiting problem arises consisting in the possibility of mixing up the order
of the blocks and the signatures belonging to the blocks, there are two further
compelling reasons to employ, instead of construction of blocks, the function
µ that we named the redundancy function in the paragraph above in which we
discussed calculating a digital signature.
The first is that a redundancy function µ : M Z n maps arbitrary messages
M from a message space M into the residue class ring
Z n , whereby messages
typically are reduced by the application of hash functions (cf. page 398) to values
z 2 160 , which then are linked with predefined sequences of characters. Since
the image of M under µ is signed in a single RSA step and hash functions can be
calculated quickly by design, the use of such a procedure represents great savings
in time over the number of RSA steps required for the individual blocks of M .
The second reason is that the RSA algorithm has an undesirable property for
creating signatures: For two messages M 1 and M 2 the multiplicative relation
( M 1 M 2 ) d mod n = M 1 M 2 mod n
(17.4)
holds, which supports the counterfeiting of signatures if no measures are taken
against it.
On account of this property, called homomorphism , of the RSA function
it would be possible without the inclusion of redundancy R to have messages
digitally signed with a “hidden” signature. To do this one could select a secret
message M and a harmless message M 1 , from which a further message
M 2 := MM 1 mod n A is formed. If one succeeded in getting a person or
authority A to digitally sign the messages M 1 and M 2 , then one would obtain
the signatures S 1 = M d A
1
mod n A and S 2 = M d A
2 mod n A , from which one can
create the signature to M by calculating S 2 S 1 mod n A , which was probably
not what A had in mind, though nonetheless A may not have noticed this when
generating the signatures S 1 and S 2 : The message M would in this case be said
to have a hidden signature.
To be sure, one could counter that with high probability M 2 does not
represent a meaningful text and that anyway, A would not be well advised to
sign M 1 or M 2 at a stranger's request and without examining the contents with
care. Yet one should not rely on such assumptions of reasonableness when it
comes to human behavior in order to justify the weaknesses of a cryptographic
protocol, especially when such weaknesses can be eliminated, such as in this case
by including redundancy. In order to achieve this redundancy, the redundancy
function µ must satisfy the property
µ ( M 1 M 2 ) = µ ( M 1 ) µ ( M 2 )
(17.5)
for all M 1 ,M 2 M and thus ensure that the signature function itself does not
possess the undesirable homomorphism property.
Supplementary to the signature procedures with appendix there are
additional methods known that make it possible to extract the signed message
 
Search WWH ::




Custom Search