Cryptography Reference
In-Depth Information
Example 4.6 If Alice generates n = pq = 3023
3359 = 10154257 , e =7 ,
d = 7248483 , then φ ( n ) = 10147876 .If she wishes to send
·
m = 1111101 to
1111101 d
Bob, she computes sig k ( m )
5134234 (mod n ) and sends ( m, c )=
(1111101 , 5134234) to Bob.After getting Alice's public data ( e, ver k ) , he com-
putes ver k ( m, c )=1 since c e
5134234 7
m (mod 10154257) .
1111101
A real-world analogue of the above RSA DSS is Alice's signing a postcard
and sending it to Bob. Alternatively, Alice could write a letter on paper, sign
it, and put it in an envelope, which gets sent to Bob. There is a variant of the
RSA DSS given above, which has this as its analogue, namely, to digitally sign
the message, then encrypt it. This variant of the RSA DSS is an example of the
second kind of DSS, namely, one with an appendix.
Thus, after the above signing stage, she would add an encryption stage , where
she enciphers with Bob's public exponent e B ,so( m, c ) e B is sent. Then Bob uses
his private RSA exponent d B to calculate (( m, c ) e B ) d B
( m, c ) (mod n ), and
he uses Alice's public RSA exponent to compute c e
m (mod n ). This further
encryption of the entire message with Bob's public key ensures confidentiality,
as does the analogue of sending a sealed letter, rather than a postcard. This
variant of the RSA signature scheme can be applied to any DSS with message
recovery, namely, by hashing the message and signing the hash, thereby turning
it into a DSS with an appendix.
Analysis
As with the RSA cipher itself, we must ensure that the above DSSs are
properly set up and the private data is kept secure. We assume this has been
done.
The first thing that we observe in the RSA DSS with message recovery is that
anyone can verify Alice's signature since e is made public, but only Alice can
sign the message since sig k = d is private. This also ensures that Alice cannot
deny later that she sent the message, since nobody else could have computed
m d . This is an example of nonrepudiation (see page 162). Another safeguard
is to ensure that a digital signature is not reused, which can be ensured by
appending a timestamp . For instance, instead of just sending the message m ,
Alice would have a message with a timestamp t , so the original message would
be M =( m, t ).
If we choose a small public exponent (see page 178) the verification is con-
siderably faster than the signing. Thus, the RSA DSS is well suited to circum-
stances where signature verification is the primary operation used. In order to
make it even more e 8 cient, we must introduce another in our cast of crypto-
graphic characters, Trent , the trusted third party (TTP). If we enlist Trent to
create a certificate of identification for Alice, which he has to do only once, then
verification may take place numerous times by Bob and other entities with whom
Alice has communication. It can be shown that for messages no longer than half
the RSA modulus, the RSA DSS with message recovery is most e8cient, whereas
if message blocking is required, then the most bandwidth-e8cient 4.5 method is
4.5 Bandwidth is the width of the range of frequencies that an electronic signal occupies on
Search WWH ::




Custom Search