Cryptography Reference
In-Depth Information
A user might be motivated to do this if the user later could claim that, because the
prime was weak, the resulting RSA modulus could easily be factored. The user could
thereby attempt to repudiate a previously verified signature.
36
Standardization committees repeatedly argued over whether key genera-
tion algorithms for RSA signature schemes should test for strong primes.
37
The arguments attempted to evaluate how the generation of weak primes
might provide the basis for repudiating signatures:
On the one hand, it was argued that a user would have a difficult time convincing
a judge that the supposed weakness was the result of chance. Since it is unlikely
that a random prime would be weak against the
P - 1
method, the claim would be
suspicious, particularly as to why an opponent would choose this one RSA modulus
to factor with the
P - 1
method without knowing in advance where the effort would
succeed (although the user could know in advance whether a modulus could
be factored by the
P - 1
method, there is no way for an outsider to determine
this without actually trying to factor it). On the other hand, it was pointed out that
the mere possibility that such a ruse might succeed was sufficient justification to
prevent it.
38
What is perhaps most interesting about these arguments is cryptogra-
phers' vision of the court process as one in which judges appreciate the
evidential value of the signatures based on their mathematical properties.
The design of cryptographic systems actively involved a priori imagination
of how the evidence they produced might hold up in court. These debates
add additional layers of complexity to cryptography's project of construct-
ing evidence usable in court: “A general consensus was emerging by the
late 1990s that is was important to consider not only security against
outside opponents, but security against insiders—the users—when con-
structing requirements for key generation.”
39
Although digital signature
users must obviously exert control over their keys if they are to claim them
as signing instruments, they must simultaneously be prevented from
having
too much
control over them.
Mutations
The preceding sections highlighted some of the work necessary to bridge
the gap between digital signatures and their handwritten counterparts. As
communicated by Rivest, Shamir, and Adleman's initial bracketing of “sig-
nature,” “proof,” and “judge” within the protected space of quotes, cryp-
tographic algorithms are not transparently assimilable to the writing of
