Analysis
First we show why, in step 4 of the verification stage, the criterion actually
verifies Alice's signature. It does so since, first of all,
$$\sigma^{-1}h(m) + e\sigma^{-1}\gamma \equiv \sigma^{-1}\bigl(h(m) + e\gamma\bigr) \equiv \delta_1 + e\delta_2 \equiv r \pmod q,$$
then, since $\beta \equiv \alpha^{e} \pmod p$,
$$\bigl(\alpha^{\sigma^{-1}h(m) + e\sigma^{-1}\gamma} \pmod p\bigr) \equiv \bigl(\alpha^{r} \pmod p\bigr) \equiv \bigl(\alpha^{\delta_1}\beta^{\delta_2} \pmod p\bigr) \equiv \gamma \equiv \delta \pmod q.$$
Of course, the key e must be kept private or the scheme can be broken, since
anyone in possession of e can sign any data and thereby impersonate Alice.
Moreover, if r is used more than once, e can be recovered by a cryptanalyst
(easily verified, given our many previous related discussions on such matters).
In order to see why the DSA depends upon the DLP for its security, we look
at step 2 of the setup stage. Since the Silver-Pohlig-Hellman attack (discussed
on page 530) is useless against large prime factors of $p - 1$, this is sufficient
to thwart such attacks, and computing r from knowledge of the public γ is
deemed to be computationally infeasible. This is the DLP. Moreover, the reader
may wonder why we did not just choose a primitive root a modulo p rather
than $\alpha \equiv a^{(p-1)/q} \pmod p$. The reason is that it is a generally held opinion
that many pieces of information about divisors of $p - 1$ can collectively add
up to something useful, so DSA avoids this potential problem by keeping all
congruences as modulo q data in the signing and verification stages.
An advantage of DSA is that in a precomputation stage, the exponentiation
of α can be done offline and need not be part of the signature generation.
Another positive feature is that DSA has relatively short signatures of 320 bits
so the signing can be done efficiently. Some disadvantages of DSA include the
fact that it cannot be used for key exchange. Moreover, the modulus at a
mere 512 bits can be a drawback for security, so the prime p should actually
be chosen such that $2^{1023} < p < 2^{1024}$ for long-term security. There is another
potential problem that one would not imagine and is difficult to detect, namely,
the building of a subliminal channel into DSA. This is a method of signing
an innocuous message with subliminal bits hidden in it. This could be as little
as one bit per message or as much as two bytes per message. For the reader
interested in how this is done in detail see [287, pages 300 and 301].
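As an added worked example (not from the book), the following Python carries the analysis above through in the text's own notation: the step-2 parameter check ($q \mid p-1$, α of order q), the offline precomputation of $\alpha^{r}$, signing, the step-4 verification $\delta = \gamma$, and the algebra behind the remark that a reused r gives up the private key e. The toy primes p = 283, q = 47, the key and nonce values, and the function names are constructed for this example and are nowhere near real-world sizes.

```python
# Added example: DSA in the notation of the text, on constructed toy parameters.
# Names (setup, keygen, sign, verify, ...) and all numbers are assumptions of this
# example, not the book's; p = 283 and q = 47 are far too small for real use.
import hashlib

P, Q, A = 283, 47, 2        # constructed: q is prime and q | p - 1 (282 = 6 * 47)


def check_parameters(p, q, alpha):
    """Step 2 of the setup stage: q | p - 1 and alpha generates the order-q subgroup."""
    return (p - 1) % q == 0 and alpha != 1 and pow(alpha, q, p) == 1


def setup(p=P, q=Q, a=A):
    """alpha = a^((p-1)/q) mod p; any a with alpha != 1 gives an element of order q."""
    alpha = pow(a, (p - 1) // q, p)
    if not check_parameters(p, q, alpha):
        raise ValueError("bad parameters: choose another a or a prime pair with q | p - 1")
    return p, q, alpha


def keygen(params, e):
    """Private key e with 1 <= e < q; public key beta = alpha^e mod p."""
    p, q, alpha = params
    if not 1 <= e < q:
        raise ValueError("e must satisfy 1 <= e < q")
    return pow(alpha, e, p)


def h(m, q):
    """h(m): SHA-256 of the message reduced mod q (the reduction is only because q is tiny)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % q


def precompute(params, r):
    """Offline stage: the exponentiation alpha^r mod p does not depend on the message."""
    p, q, alpha = params
    if not 1 <= r < q:
        raise ValueError("r must satisfy 1 <= r < q")
    gamma = pow(alpha, r, p) % q
    if gamma == 0:
        raise ValueError("gamma == 0: pick a fresh r")
    return r, gamma


def sign(params, e, hm, pre):
    """Signature (gamma, sigma) with sigma = r^-1 (h(m) + e*gamma) mod q."""
    p, q, alpha = params
    r, gamma = pre
    sigma = (pow(r, -1, q) * (hm + e * gamma)) % q
    if sigma == 0:
        raise ValueError("sigma == 0: pick a fresh r")
    return gamma, sigma


def verify(params, beta, hm, sig):
    """Step 4: accept iff delta = (alpha^delta1 * beta^delta2 mod p) mod q equals gamma."""
    p, q, alpha = params
    gamma, sigma = sig
    if not (0 < gamma < q and 0 < sigma < q):
        return False
    w = pow(sigma, -1, q)
    delta1 = (w * hm) % q
    delta2 = (w * gamma) % q
    delta = (pow(alpha, delta1, p) * pow(beta, delta2, p) % p) % q
    return delta == gamma


def recover_e_from_reused_r(params, hm1, sig1, hm2, sig2):
    """Why r must never repeat: the same r gives the same gamma, and
    sigma1 - sigma2 = r^-1 (h1 - h2) mod q, so r and then e follow directly."""
    p, q, alpha = params
    gamma1, sigma1 = sig1
    gamma2, sigma2 = sig2
    if gamma1 != gamma2 or (sigma1 - sigma2) % q == 0:
        raise ValueError("need two signatures with the same r and distinct digests")
    r = ((hm1 - hm2) * pow(sigma1 - sigma2, -1, q)) % q
    return ((sigma1 * r - hm1) * pow(gamma1, -1, q)) % q


if __name__ == "__main__":
    params = setup()
    e = 13                                  # constructed private key
    beta = keygen(params, e)
    hm = 10                                 # stands in for h(m) mod q; h() above produces such values
    sig = sign(params, e, hm, precompute(params, 5))
    print("signature (gamma, sigma):", sig)
    print("valid:", verify(params, beta, hm, sig))
```

The verifier rejects γ or σ outside 1..q-1 before doing any arithmetic, which is the check that keeps degenerate signatures out; the recovery function only exists to make the "r must be fresh" caveat concrete, which is why signing raises and asks for a new r whenever γ or σ would be zero.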
DSA evolved into the new Digital Signature Standard in FIPS 186-1 announced
by NIST on December 15, 1998, and this included the RSA DSS.
On February 15, 2000, NIST announced the approval of FIPS 186-2, and this
included the upgraded DSS, the RSA DSS, and the Elliptic Curve Digital
Signature Algorithm (ECDSA), about which we will learn later in the text.
The governmental plans for DSA are akin to that of the role played by
DES. They include applications such as cash transactions, data exchange, data
storage, electronic mail, and software distribution, to mention a few.
In the next section, we learn about the DSS upon which the DSA was based.