Finding Malleability in NTRUSign


SungJun Min, Go Yamamoto, and Kwangjo Kim

Auto-ID Labs White Paper WP-HARDWARE-33

Sungjun Min, Senior Researcher, National Computerization Agency
Go Yamamoto, Senior Researcher, Information Sharing Platform Laboratories, NTT
Kwangjo Kim, Professor, Information and Communication University

Contact: sjmin@nca.or.kr
National Computerization Agency (NCA), e-Government Promotion Division, NCA Bldg, 77, Mugyo-Dong, Jung-Gu, Seoul, Korea
Internet: www.nca.or.kr

Abstract

A new type of signature scheme, called NTRUSign, based on solving the approximately closest vector problem in an NTRU lattice was proposed at CT-RSA'03. However, no security proof against chosen message attack has been made for this scheme. In this paper, we show that the NTRUSign signature scheme contains the weakness of malleability. From this, one can derive new valid signatures from any previous message-signature pair, which means that NTRUSign is not secure against strongly existential forgery. Finally, we propose a simple technique to avoid this flaw in the NTRUSign scheme.

Keywords: NTRUSign, Digital Signature Scheme, Strong Existential Forgery, Malleability, Centered Norm

1 Introduction

Recently, Hoffstein et al. introduced a new type of authentication and digital signature scheme called NTRUSign [7] at CT-RSA'03. While the traditional signature schemes are based on well-known hard problems such as factorization or the discrete log problem, the hard problem underlying NTRUSign is to find the approximately shortest (or closest) vectors in a certain lattice, called the NTRU lattice. In this scheme, the signer uses secret knowledge to find a point in the NTRU lattice close to the given point. He/She then exploits this approximate solution to the closest vector problem as his signature. One of the significant advantages is the fast operation: NTRU-based algorithms, as one of the lightweight cryptographic primitives, for example, execute hundreds of times faster than RSA under the same security. Due to the size and working speed of the NTRU-based algorithms, they attract public attention in various applications such as RFID or contactless smart cards, which can be used in supply chain management instead of the bar code system, and they are also expected to become a key technology in the ubiquitous environment. However, it seems to be somewhat unreasonable to employ the NTRU-based algorithms in real application fields up to now.

In this paper, we actually claim that the NTRUSign signature scheme does not have one of the important cryptographic properties that a signature scheme should guarantee: non-malleability. We first give a deterministic attack showing how an attacker can generate new valid signatures from a previously signed message. Next, we propose a simple technique to avoid this attack.

1.1 History of NTRUSign scheme

Since the advent of the NTRU encryption scheme, based on the hard mathematical problem of finding short vectors in certain lattices, in 1996, several related signature schemes such as NSS [10] and R-NSS [6] have been proposed. A fast authentication and digital signature scheme called NSS, based on the same underlying hard problem and using keys of the same form, was presented at Eurocrypt 2001 [10]. However, this scheme was broken by Mironov and Gentry et al., see [3, 12]. In their Eurocrypt presentation, the authors of NSS sketched a revised version of NSS (called R-NSS) and published it in the preliminary cryptographic standard document EESS [18]. Although it seemed that R-NSS was significantly stronger than the previous version (NSS), it was proved that a key recovery attack could be mounted by Gentry and Szydlo [4]. The source of these weaknesses of NSS and R-NSS was an incomplete linking of the NSS method with the approximate closest vector problem in the NTRU lattice. In other words, the weaknesses of NSS and R-NSS arose from the fact that the signer did not possess a complete basis of short vectors for the NTRU lattice $L_h^{NT}$.

Later on, Hoffstein et al. proposed a new NTRU based signature scheme called NTRUSign. Unlike previous signature schemes, the link in NTRUSign between the signature and the underlying approximate closest vector problem is clear and direct: the signer must solve an "approximate CVP problem" in the lattice $L_h^{NT}$, i.e., produce a lattice point that is sufficiently close to a message digest point. This paper, however, describes a weakness in NTRUSign: from any given message-signature pair, one can derive many different signatures of the same message, thus it is malleable.

1.2 Impact of malleability

If a signature scheme is malleable, we can derive another signature of the message from any message-signature pair. In this case, we cannot distinguish it from the original one generated by the one who knows the secret key, which can in practice be regarded as a forgery. Although such a weakness does not allow the attacker to change the message string, this forgery shows that the signature scheme cannot be used for all kinds of applications. For example, if one would like to apply it to electronic cash, finding a second valid signature for a bill should be impossible. Also, if an entity receives the message-signature pairs $(m, s)$ and $(m, s')$ with $s \neq s'$ at the same time, neither $s$ nor $s'$ will be accepted by it as a valid signature for the message $m$. If a legitimate signer wants to assert $s$ as his/her own signature for the message $m$, then he/she should exhibit his/her private key, which is a negative property.

1.3 Our Contributions

In this paper, we show how a passive adversary who observes only a valid message-signature pair can generate another signature on the same message. The main idea of this forgery is to use specific polynomials whose norm value is zero. Although this weakness might be overlooked for some applications, NTRUSign is not secure in the non-malleability sense against known message attack. The notion of this security is well described in [16]. Finally, we propose a simple technique to avoid our proposed attack.

1.4 Organization

The rest of this paper is organized as follows: In Section 2, we briefly describe the NTRUSign signature scheme. We do not give all the technical and theoretical details for the functions used in the scheme. Only the general construction is described here. In Section 3 we show how an attacker can forge an additional signature for a previously signed message by using some specific polynomials, and then in Section 4, we introduce a simple method to avoid this weakness. Finally, we make concluding remarks in Section 5.

2 Description of NTRUSign Algorithm

In this section, we briefly describe the NTRUSign digital signature scheme. As in the NTRU encryption scheme, basic operations take place in the quotient polynomial ring $R = \mathbb{Z}[x]/(x^N - 1)$, where $N$ is the security parameter. A polynomial $a(x) \in R$ (shortly, $a$) can be presented by a vector $a$ of its coefficients as follows:

$$a = \sum_{i=0}^{N-1} a_i x^i = (a_0, a_1, \ldots, a_{N-1}).$$

For the sake of simplicity, we will use the same notation for the polynomial $a(x)$ and the vector $a$. The product of two polynomials $a$ and $b$ in $R$ is simply calculated by $a * b = c$, where the $k$-th coefficient $c_k$ is

$$c_k = \sum_{i=0}^{k} a_i b_{k-i} + \sum_{i=k+1}^{N-1} a_i b_{N+k-i} = \sum_{i+j \equiv k \ (\mathrm{mod}\ N)} a_i b_j.$$

In some steps, NTRUSign uses the quotient ring $R_q = \mathbb{Z}_q[x]/(x^N - 1)$, where the coefficients are reduced modulo $q$, and $q$ is typically a power of 2, for example 128. The multiplicative group of units in $R_q$ is denoted by $R_q^*$. The inverse polynomial of $a \in R_q^*$ is denoted by $a^{-1}$. If a polynomial $a$ has all coefficients chosen from the set $\{0, 1\}$, we call this a binary polynomial.

The security of the NTRUSign scheme is based on the approximately closest vector problem in a certain lattice, called the NTRU lattice. In this scheme, the signer can sign a message by demonstrating the ability to solve the approximately closest vector problem reasonably well for the point generated from a hashed message in a given space. The basic idea is as follows: The signer's private key is a short basis for an NTRU lattice and his public key is a much longer basis for the same lattice. The signature on a digital document is a vector in the lattice with two properties:

- The signature is attached to the document being signed.
- The signature demonstrates an ability to solve a general closest vector problem in the lattice.

The NTRUSign digital signature scheme works as follows:

System Parameters

1. $N$: a (prime) dimension
2. $q$: a modulus
3. $d_f, d_g$: key size parameters
4. NormBound: a bound parameter of verification

Key Generation

A signer creates his public key $h$ and the corresponding private key $\{(f, g), (F, G)\}$ as follows:

1. Choose binary polynomials $f$ and $g$ with $d_f$ 1's and $d_g$ 1's, respectively.
2. Compute the public key $h \equiv f^{-1} * g \pmod{q}$.
3. Compute small polynomials $(F, G)$ satisfying $f * G - g * F = q$.

Signing Step

A signer generates his signature $s$ on the digital document $D$ as follows:

1. Obtain the polynomials $(m_1, m_2)$ mod $q$ for the document $D$ by using the public hash function.
2. Write
   $$G * m_1 - F * m_2 = A + q * B, \qquad -g * m_1 + f * m_2 = a + q * b,$$
   where $A$ and $a$ have coefficients between $-q/2$ and $q/2$.
3. Compute polynomials $s$ and $t$ as
   $$s \equiv f * B + F * b \pmod{q}, \qquad t \equiv g * B + G * b \pmod{q}.$$
   Here, the vector $(s, t) \in L_h^{NT}$ is very close to $m = (m_1, m_2)$.
4. The polynomial $s$ is the signature on the digital document $D$ for the public key $h$.

Verification Step

For a given signature $s$ and document $D$, a verifier should do the following:

1. Hash the document $D$ to recreate $(m_1, m_2)$ mod $q$.
2. Using the signature $s$ and public key $h$, compute the corresponding polynomial $t \equiv s * h \pmod{q}$, which becomes exactly the same as the polynomial $g * B + G * b \pmod{q}$. (Note that $(s, t)$ is a point in the NTRU lattice $L_h^{NT}$.)
3. Compute the distance from $(s, t)$ to $(m_1, m_2)$ and verify that this value is smaller than the NormBound parameter. In other words, check that
   $$\|s - m_1\|^2 + \|t - m_2\|^2 \le \mathrm{NormBound}^2,$$
   where the norm $\|\cdot\|$ is a centered norm.

The NTRUSign algorithm uses the centered norm concept instead of the Euclidean norm in the verification step to measure the size of an element $a \in R$.

Definition 1. Let $a(x)$ be a polynomial in the ring $R = \mathbb{Z}[x]/(x^N - 1)$. Then the centered norm of $a(x)$ is defined by

$$\|a(x)\|^2 = \sum_{i=0}^{N-1} (a_i - \mu_a)^2 = \sum_{i=0}^{N-1} a_i^2 - \frac{1}{N}\Big(\sum_{i=0}^{N-1} a_i\Big)^2,$$

where $\mu_a = \frac{1}{N}\sum_{i=0}^{N-1} a_i$ is the average of the coefficients of $a(x)$. The centered norm of an $n$-tuple $(a_1, a_2, \ldots, a_n)$ with $a_1, a_2, \ldots, a_n \in R$ can be defined by the formula

$$\|(a_1, a_2, \ldots, a_n)\|^2 = \|a_1\|^2 + \|a_2\|^2 + \cdots + \|a_n\|^2.$$

Note that the signature on $D$ is a vector $(s, t)$ in the NTRU lattice $L_h^{NT}$, which is very close to $m$. To solve an approximately closest vector problem in the lattice, a signer uses a "short basis" defined as below:

Definition 2. A basis $\{(f, g), (F, G)\}$ is called a short basis in $L_h^{NT}$ if $\|f\|, \|g\| = O(\sqrt{N})$ and $\|F\|, \|G\| = O(N)$.

The signing process of NTRUSign may be explained by the following matrix equation, which shows that the role of a signer is to find an approximate solution to the closest vector problem by using his short basis $\{(f, g), (F, G)\}$:

A valid signature demonstrates that the signer knows a lattice point that is within NormBound of the message digest vector $m$. Clearly, the smaller NormBound is set, the more difficult it will be for an attacker, without knowledge of the private key, to solve this problem. The designers recommend that the suggested parameters $(N, q, d_f, d_g, \mathrm{NormBound}) = (251, 128, 73, 71, 300)$ offer security at least as strong as 1,024 bit RSA [8].

3 Weakness in NTRUSign

In this section we describe that NTRUSign is strongly existentially forgeable; this notion is sometimes called malleable. Strong existential forgeability for a given signature scheme means that one can create a message-signature pair that has never been observed by the signer [16]. A different signature for a once legitimately signed message can be regarded as a forgery. In practice, this forgery shows that the NTRUSign scheme cannot be used for all kinds of applications. For example, in an electronic cash system, finding another valid signature for a bill should be impossible. Thus the application area of this scheme is limited, because a digital signature scheme is selected according to both its security level and the context of use.

Now we will describe how we can generate a valid signature different from a previous valid signature for a given message. Recall that the NTRUSign signature scheme uses the centered norm concept in the verification step. The centered norm has the quasi-multiplicative property, that is,

$$\|a(x) * b(x)\| \approx \|a(x)\| \cdot \|b(x)\|$$

for random polynomials $a(x)$ and $b(x)$ in $R$, which was well discussed in [9]. The properties of the centered norm will be employed to induce a new signature from a given signature without knowing the private key. The following lemma describes the centered norm properties:

Lemma 1. Let $R$ be the quotient polynomial ring $R = \mathbb{Z}[x]/(x^N - 1)$. Then

(i) In $R_q = \mathbb{Z}_q[x]/(x^N - 1)$, there exist exactly $q$ polynomials $\alpha(x)$ such that $\|\alpha(x)\| = 0$.
(ii) If $\|\alpha(x)\| = 0$, then $\|\alpha(x) * \beta(x)\| = 0$ for every polynomial $\beta(x) \in R_q$.

Proof. (i) It is obvious that $\alpha_0 = \alpha_1 = \cdots = \alpha_{N-1}$ for $\alpha_i \in (-q/2, q/2]$ if and only if $\sum_{i=0}^{N-1} (\alpha_i - \mu_\alpha)^2 = 0$, where $\mu_\alpha = \frac{1}{N}\sum_{i=0}^{N-1} \alpha_i$, namely $\|\alpha(x)\| = 0$.

(ii) From the result of (i) we know that all coefficients of $\alpha$ are the same, say $\alpha = (\alpha, \alpha, \ldots, \alpha)$. Then, clearly the $k$-th coefficient of $\alpha * \beta$ is

$$\sum_{i=0}^{k} \alpha \beta_{k-i} + \sum_{i=k+1}^{N-1} \alpha \beta_{N+k-i} = \alpha(\beta_0 + \beta_1 + \cdots + \beta_{N-1}),$$

and so the other coefficients of $\alpha * \beta$ are the same. Again by applying (i), we complete the proof of this lemma.

We call the polynomials satisfying $\|\alpha(x)\| = 0$ annihilating polynomials. These annihilating polynomials make the NTRUSign algorithm malleable.

Hoffstein et al. argued that forgery of a signature in NTRUSign is equivalent to solving an approximately closest vector problem in high dimension for the class of NTRU lattices. It seems to be true if we do not consider the stronger attack model. Historically, Goldwasser, Micali and Rivest [5] introduced the notion of existential forgery against chosen-message attack for public key signature schemes. This notion has become the de facto security definition for digital signature algorithms, against which all new signature algorithms are measured. In this scenario, an adversary with access to the public key of the scheme and to a signing oracle should not be able to forge a valid signature for some new message or for a message of his choice (existential forgery and selective forgery, respectively). An even stronger requirement, called non-malleability or strong unforgeability, also forbids an adversary to forge an additional signature for a message which might already have been signed by the oracle [16]. More detailed security notions for digital signature schemes and the relations between them can be found in [5, 14].

Now we will show that one can easily generate a message-signature pair that has never been observed by the signer. To create additional valid signatures we use the following observations. Note that all coefficients of polynomials are reduced modulo $q$.

Remark 1. Let $\alpha$ be an annihilating polynomial. Then $\|r + \alpha\| \approx \|r\|$ for a randomly chosen polynomial $r \in R_q$.

If both the "reduced form" and the "not reduced form" of the polynomial $r + \alpha$ are equal, then the centered norm values of $r$ and $r + \alpha$ are exactly the same. The differences between $\|r + \alpha\|$ and $\|r\|$ are caused only by the gap failure. The concepts of gapping and wrapping failure are presented in [15].

We have implemented the above remark with the suggested parameters 1, times for each $\alpha$ using Mathematica 4. It is clear that as the coefficient of the annihilating polynomial gets smaller, the probability of having the same norm gets higher. When the coefficient of $\alpha$ is $\pm 1$ or $\pm 2$, our experiment shows that the probability that the two centered norm values are exactly the same becomes 15 and 15 approximately, respectively. Figure 1 describes the distribution of distances between $r + \alpha$ and $r$ for a random polynomial $r \in R_q$, where the x-axis denotes the integer coefficient $\alpha$ of an annihilating polynomial and the y-axis denotes the average distance between $r + \alpha$ and $r$ for a random polynomial $r$.

We will see some results induced from the properties of an annihilating polynomial. For any polynomial $f = (f_0, f_1, \ldots, f_{N-1}) \in R_q$, $\nu(f)$ denotes the sum of all coefficients of $f$ modulo $q$, that is,

$$\nu(f) = f(1) = \sum_{i=0}^{N-1} f_i \pmod{q} \in \mathbb{Z}_q. \qquad (1)$$

For any $f \in R_q$, the product $f * \alpha$ can be presented by $\nu(f)\alpha$, where $\alpha$ is an annihilating polynomial (see the proof of Lemma 1). From (1) it is trivial that $\nu$ has the following properties:

Lemma 2. Let $f$ and $g$ be two polynomials in $R_q$.

(i) $\nu(f)\nu(g) \equiv \nu(f * g) \pmod{q}$.
(ii) $\nu(f^{-1}) \equiv \nu(f)^{-1} \pmod{q}$ if $f$ has an inverse in $R_q$.

Proof. For an arbitrary annihilating polynomial $\alpha$, we know that $f * \alpha \equiv \nu(f)\alpha \pmod{q}$. From this property, we can obtain the following equation:

$$\nu(f * g)\alpha \equiv (f * g) * \alpha = f * (g * \alpha) \equiv f * (\nu(g)\alpha) = \nu(g) f * \alpha \equiv \nu(f)\nu(g)\alpha \pmod{q}.$$

Therefore we have $\nu(f)\nu(g) \equiv \nu(f * g) \pmod{q}$. Obviously $\nu(f)\nu(f^{-1}) \equiv \nu(f * f^{-1}) \equiv \nu(1) \equiv 1 \pmod{q}$, hence $\nu(f^{-1}) \equiv \nu(f)^{-1} \pmod{q}$.

Assume that one chooses a polynomial pair $(f, g)$, where $f$ has an inverse in $R_q$. If there exists somewhat small integer $\alpha \in (-q/2, q/2]$ satisfying $\alpha \sum_{i=0}^{N-1} x^i = (\alpha, \alpha, \ldots, \alpha)$ and $(f^{-1} * g) * \alpha$ are annihilating polynomials with somewhat small coefficients from Lemma 2.

Fig. 1. Distance between $r + \alpha$ and $r$

Remark 2. In the suggested parameters $(d_f, d_g) = (73, 71)$ given in [8], one has $\nu(f^{-1}) = 55$ and $\nu(g) = 57$. In this case one can choose $\alpha = 8\sum_{i=0}^{N-1} x^i$ so that

$$h * \alpha \pmod{q} = \nu(h)\alpha = \nu(f^{-1} * g) * \alpha = \nu(f^{-1})\nu(g) * \alpha = -8\sum_{i=0}^{N-1} x^i.$$

For a given signature $(s, t) \in L_h^{NT}$ generated under the suggested parameters, we take $s' = s + \alpha \pmod{q}$, where $\alpha = 8\sum_{i=0}^{N-1} x^i$. Then the corresponding signature pair $t'$ is

$$t' = s' * h \pmod{q} = s * h + \alpha * h \pmod{q} = t - 8\sum_{i=0}^{N-1} x^i \pmod{q}.$$

At this time, we can expect that both $s - m_1$ and $t - m_2$ are small. Moreover, it is plausible that only a small number of their coefficients are out of the range $(-64+8, 64-8]$. For these reasons, the new lattice point $(s', t') = (s + 8\sum_{i=0}^{N-1} x^i,\ t - 8\sum_{i=0}^{N-1} x^i)$ will be another valid signature with high probability. Simply speaking, if one has $s - m_1$ without any coefficients greater than 56 and $t - m_2$ without any coefficients less than -55, then one can have the following equation exactly:

$$\|s' - m_1\|^2 + \|t' - m_2\|^2 = \|s - m_1\|^2 + \|t - m_2\|^2 \le \mathrm{NormBound}^2,$$

which means that $(s', t')$ is always another valid signature.

A numerical experimental result shows that one has much more chance to succeed in the proposed attack: we examine a set $P$ that consists of 18, 51 elements from $\mathbb{Z}_{128}[x]/(x^N - 1)$ generated in such a way that all coefficients are randomly chosen from a normal distribution with uniformly chosen means $\mu \in (-64, 64]$ and a fixed standard deviation $\sigma$ = NormBound / 18 9. For the two sets $P' = \{ s \in P : \|s\| < 300 \}$ and $P'' = \{ s \in P' : \|s + 8\sum_{i=0}^{N-1} x^i\| < 300 \}$ we obtained the result that the set $P'$ consists of ,65 distinct elements and that $P'$ and $P''$ coincide exactly.

We implemented the full NTRUSign signature scheme as described in [8] and [17] with the suggested parameters using GNU MP version 41. Our experiment illustrates that the proposed forgery almost always succeeds for a given message document $D$ and a valid signature $s$. Table 1 depicts the approximate probability that the new pair $(s', t') = (s + \alpha, t + h * \alpha) \pmod{q}$ would be another signature for a given valid signature $(s, t)$. In Table 1, note that $\alpha$ denotes the coefficient of an annihilating polynomial $\alpha$ and the two sets $A$ and $B$ are as follows:

$A = \{(s, t) \in L_h^{NT} \mid (s, t)$ is a valid signature for the given message $m\}$ and
$B = \{(s', t') \in L_h^{NT} \mid (s', t')$ is a valid forged signature for the given message $m\}$, respectively.

Remark 3. The EESS#1 standard introduces the centering method in the computation of the centered norm [17, 18]. This centering method means that if the center of $t$ not reduced modulo $q$ is near to or , then the coefficients of $t$ are properly shifted before being reduced modulo $q$. Because this centering method removes any effect of wrapping, if we use this method, then our analysis is always correct. One example of this forgery is described in the Appendix.

Table 1. Approximate forgery probability when $N = 251$, $q = 128$ (columns: $\alpha$, Success Prob($B \mid A$))

4 Repairing NTRUSign

In this section we present a simple way to avoid the weakness in the NTRUSign signature scheme. The strategy for repairing NTRUSign is to make the signing transformation a one-to-one correspondence for a given secret key. It can be achieved by adding an annihilating polynomial in the signing step. Our idea is to make the most significant coefficient (i.e., the coefficient of $x^{N-1}$) of the signature $s$ obtained from the original NTRUSign zero. If the distance between the new signature $s'$ computed by this process and the given point is not as close as the expected distance (i.e., NormBound), then we simply add the annihilating polynomial $\sum_{i=0}^{N-1} x^i$ to the signature $s'$ until it becomes a valid signature. The repaired version of the NTRUSign scheme is as follows:

Signing

The signer generates his signature $s'$ on the digital document $D$.

INPUT: private key $\{(f, g), (F, G)\}$ and hashed message $(m_1, m_2)$
OUTPUT: valid signature $s'$

1. Obtain the signature $s$ from the original NTRUSign.
2. Set $s' \leftarrow s - s_{N-1}\sum_{i=0}^{N-1} x^i \pmod{q}$.
3. While $\|s' - m_1\|^2 + \|t' - m_2\|^2 > \mathrm{NormBound}^2$ do the following:
   3.1 Set $s' \leftarrow s' + \sum_{i=0}^{N-1} x^i \pmod{q}$.
4. Return ($s'$).

Verifying

The receiver verifies the signature $s'$.

INPUT: signature $s'$ and sender's public key $h$
OUTPUT: Accept or Reject

1. Compute $t' = s' * h \pmod{q}$.
2. If $\|s' - m_1\|^2 + \|t' - m_2\|^2 > \mathrm{NormBound}^2$, then return (Reject).
3. While $s'_{N-1} \neq 0$:
   3.1 Set $s' \leftarrow s' - \sum_{i=0}^{N-1} x^i \pmod{q}$.
   3.2 If $\|s' - m_1\|^2 + \|t' - m_2\|^2 \le \mathrm{NormBound}^2$, then return (Reject).
4. Return (Accept).

It is obvious that our modification does not degrade the security of the original NTRUSign scheme. Actually, the two problems based on the original NTRUSign and the repaired NTRUSign are computationally equivalent. Although our proposed attack cannot be applied to the repaired NTRUSign anymore, we do not know yet whether the repaired version of NTRUSign is non-malleable. It is an open problem to prove that the repaired NTRUSign is a non-malleable signature scheme.

5 Concluding Remarks

In this paper we described a weakness of the NTRUSign digital signature scheme that can cause significant problems in some real applications if one is not aware of it. We showed that the NTRUSign signature scheme is strongly existentially forgeable, thus it is malleable. This notion allows an adversary to find new signatures for a message of his choice, given a signature for this message. This forgery requires a specific polynomial with small coefficients whose norm value equals zero. Even if this forgery does not allow an adversary to change the message, the NTRUSign scheme cannot be used for all applications. We also proposed a simple technique to repair the scheme.
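The annihilating-polynomial properties of Section 3 (Lemma 1, Lemma 2, Remark 2) and the canonical-representative check of Section 4 can be exercised together; the following is an added example, not code from the paper. It assumes toy parameters (N = 11, a toy NORM_BOUND) and constructed vectors H, S, E1, E2; no key generation is performed, the digest (M1, M2) is simply built to lie close to the lattice point (S, S*H).

```python
from fractions import Fraction

N, Q = 11, 128        # toy ring Z_Q[x]/(x^N - 1); the paper uses N = 251, q = 128
NORM_BOUND = 12       # toy bound (assumption), not the paper's NormBound
ONES = [1] * N        # annihilating polynomial 1 + x + ... + x^(N-1)

def center(v):
    """Reduce every coefficient into (-Q/2, Q/2]."""
    return [((c + Q // 2 - 1) % Q) - (Q // 2 - 1) for c in v]

def add(a, b, k=1):
    """a + k*b, reduced into (-Q/2, Q/2]."""
    return center([x + k * y for x, y in zip(a, b)])

def conv(a, b):
    """Product a * b in Z_Q[x]/(x^N - 1), i.e. cyclic convolution."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return center(c)

def cnorm2(a):
    """Squared centered norm: sum(a_i^2) - (sum a_i)^2 / N, kept exact."""
    return sum(x * x for x in a) - Fraction(sum(a) ** 2, N)

def nu(f):
    """nu(f) = f(1) mod Q, the coefficient sum used in Lemma 2."""
    return sum(f) % Q

def dist2(s, h, m1, m2):
    """Squared distance from the lattice point (s, s*h) to the digest (m1, m2)."""
    return cnorm2(add(s, m1, -1)) + cnorm2(add(conv(s, h), m2, -1))

def verify(s, h, m1, m2):
    """Original verification: accept any s whose lattice point is close enough."""
    return dist2(s, h, m1, m2) <= NORM_BOUND ** 2

def canonical_sign(s, h, m1, m2):
    """Section 4 signing, steps 2-3: zero the top coefficient, then add ONES until valid."""
    s = add(s, ONES, -s[N - 1])
    for _ in range(Q):
        if verify(s, h, m1, m2):
            return s
        s = add(s, ONES)
    raise ValueError("no valid representative of s exists")

def verify_repaired(s, h, m1, m2):
    """Section 4 verification: s must be valid and no earlier representative may be."""
    s = center(s)
    if not verify(s, h, m1, m2):
        return False
    while s[N - 1] != 0:
        s = add(s, ONES, -1)
        if verify(s, h, m1, m2):
            return False          # a valid representative precedes s: not canonical
    return True

# Constructed sample data. nu(H) = 63, so H * (8*ONES) = -8*ONES as in Remark 2.
H = [5, -12, 30, 7, -3, 21, 9, -8, 14, -6, 6]
S = [17, -40, 5, 22, -9, 31, -14, 8, -27, 12, 3]    # stands in for a signer's s
E1 = [3, -2, 0, 4, -1, 2, -3, 1, 0, -4, 2]          # small offset s - m1
E2 = [-1, 2, 4, -3, 0, 1, -2, 3, -4, 2, 0]          # small offset t - m2
M1 = add(S, E1, -1)
M2 = add(conv(S, H), E2, -1)

if __name__ == "__main__":
    shifted = add(S, ONES, 8)                       # s' = s + alpha, alpha = 8*ONES
    canon = canonical_sign(S, H, M1, M2)
    print("original check, s / s+alpha :", verify(S, H, M1, M2), verify(shifted, H, M1, M2))
    print("distance unchanged          :", dist2(S, H, M1, M2) == dist2(shifted, H, M1, M2))
    print("repaired check, canonical   :", verify_repaired(canon, H, M1, M2))
    print("repaired check, s+alpha     :", verify_repaired(shifted, H, M1, M2))
```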

References

1. H. Cohen, A course in computational algebraic number theory, GTM 138, Springer-Verlag, 1993.
2. L. Granboulan, "How to repair ESIGN", SCN'02, LNCS, Vol. 576, Springer-Verlag, pp. 34-4, 3.
3. C. Gentry, J. Jonsson, J. Stern, and M. Szydlo, "Cryptanalysis of the NTRU Signature Scheme (NSS) from Eurocrypt '01", Advances in Cryptology-Asiacrypt '01, LNCS, Vol. 48, Springer-Verlag, pp. 13-131, 1.
4. C. Gentry and M. Szydlo, "Cryptanalysis of the Revised NTRU Signature Scheme", Advances in Cryptology-Eurocrypt '02, LNCS, Vol. 33, pp. 99-3, Springer-Verlag.
5. S. Goldwasser, S. Micali, and R. Rivest, "A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks", SIAM Journal of Computing, pp. 81-38.
6. J. Hoffstein, J. Pipher, and J. Silverman, "Enhanced Encoding and Verification Methods for the NTRU Signature Scheme", NTRU Technical Note #17, 1. Available from
7. J. Hoffstein, N. Graham, J. Pipher, J. Silverman, and W. Whyte, "NTRUSign: Digital Signatures Using the NTRU Lattice Preliminary Draft". Available from
8. J. Hoffstein, N. Graham, J. Pipher, J. Silverman, and W. Whyte, "NTRUSign: Digital Signatures Using the NTRU Lattice", CT-RSA'03, LNCS, Vol. 61, Springer-Verlag, pp. 1-14, 3.
9. J. Hoffstein, J. Pipher, and J. Silverman, "NTRU: A Ring-Based Public Key Cryptosystem", in Algorithmic Number Theory (ANTS III), LNCS, Vol. 143, Springer-Verlag, pp. 67-88.
10. J. Hoffstein, J. Pipher, and J. Silverman, "NSS: An NTRU Lattice-Based Signature Scheme", Advances in Cryptology-Eurocrypt '01, LNCS, Vol. 45, Springer-Verlag, pp. 13-137, 1.
11. A. Joux and G. Martinet, "Some Weaknesses in Quartz Signature Scheme", NESSIE public reports, NES/DOC/ENS/WP5/6/1, 3.
12. I. Mironov, "A Note on Cryptanalysis of the Preliminary Version of the NTRU Signature Scheme", IACR preprint server. Available from
13. T. Okamoto, E. Fujisaki, and H. Morita, "TSH-ESIGN: Efficient Digital Signature Scheme Using Trisection Size Hash (Submission to P1363a)".
14. D. Pointcheval and J. Stern, "Security Proofs for Signature Schemes", Advances in Cryptology-Proceedings of Eurocrypt '96, LNCS, Vol. 17, Springer-Verlag.
15. J. Silverman, "Wraps, Gaps and Lattice Constants", NTRU Technical Report #11, 1. Available from
16. J. Stern, D. Pointcheval, J. Lee, and N. Smart, "Flaws in Applying Proof Methodologies to Signature Schemes", Advances in Cryptology-Crypto '02, LNCS, Vol. 44, Springer-Verlag, pp. 93-11.
17. Consortium for Efficient Embedded Security, Efficient Embedded Security Standard (EESS)#1: Implementation Aspects of NTRUEncrypt and NTRUSign. Available from www.ceesstandards.org
18. Consortium for Efficient Embedded Security, Efficient Embedded Security Standard (EESS)#1: Draft. Previously on ceesstandards.org

15 Appendx An Example of Sgnature Forgery Here we gve an example of how to generate another sgnature from a gven messagesgnature par Let parameters be as defned n Effcent Embedded Securty Standards (EESS) [17]; = 51, = 18, d f = 73, d g = 71, and ormbound = 3 The bnary prvate key f, g and complementary prvate key F, G satsfyng f * G g * F = are as followng: f ( d f = 73), 1,, 1,, 1, 1, 1,,, 1,, 1, 1,,,,, 1,,,,, 1, 1,, 1, 1,,,,,,,,,,,, 1,,,,,,,,,,, 1, 1,,,,,,,, 1, 1,,, 1,,,, 1,, 1, 1, 1,,, 1, 1, 1,,, 1, 1,, 1,,,,,,, 1,, 1,, 1,, 1,,,,,,,, 1,,, 1, 1,, 1, 1, 1,,,,, 1,,,, 1,,,, 1, 1, 1,, 1,,, 1,, 1,,,,,,,, 1,,,, 1,, 1,,,, 1,,,, 1,, 1, 1,, 1,,, 1,,,,,,,,,,, 1,,,, 1,,,,,, 1, 1,,, 1,, 1,,, 1,,,,,, 1,,,,, 1,,, 1,,,,,,, 1,,,,, 1,, 1,, 1,,, 1,,,,,,,,,,,,,,,,,,,, 1,, 1,,, g ( d g = 71) 1,, 1,, 1,,,,,,,,,,,, 1,,,,,, 1, 1, 1,,,, 1,, 1,, 1,, 1, 1, 1,, 1, 1,,, 1, 1, 1,, 1,,,,,,,,,,,,, 1, 1, 1, 1,, 1, 1,,, 1, 1,, 1, 1,,,, 1,,,,,,,,, 1,,,,,, 1, 1,,,, 1,,,,, 1,,, 1, 1, 1, 1,,,, 1,, 1, 1,,, 1, 1,,,,, 1,,,, 1,, 1, 1,,,,,,, 1,,,,, 1,,,,,,,, 1, 1,,,,,, 1,, 1, 1,,,,,, 1,,, 1,,,,,,,,,, 1,,,,,, 1,, 1,,,,,,,,,,,, 1,,,,,,, 1,, 1,,,,,,,,,,,, 1,,,,,,,,, 1,,,,,,, 1, 1,,, 1, 1,, 1,, 1,,,,,, F -1, 4, -1, 1, -1,, -1, 1, -4, 5, -3, 3, 1, 1,, -1,, 3, 5,,,, -3, 1, -1,, 3, -,, -,,,, 3, 1, -, 5,, 1, 1, 4,, -3,, 1,,,, 1, -1,,, 3,, -1, 1, 1, 3,,, -1, 1, -3, 1, 1,, -5,,, -4,, -1,, -, 1,, 5, 1,, 4,, 1, -1, 1,, 3,, 5, 4, -1, 3, -1, 1,, 1,,,, -1,, -1, 3,, -, -, -1,,,,, 3, 1, 5, -3, 1, 3, 3,, -,, -,, -3, -3, -1,, 1,,, 7,, -1, 3, -4, 3, -1, 4, -3, 3, 4, 3, 3, 1, -1, 1, -,, -,,, 15

16 G, 3, 3, 3, 3,, 1,, 1, 3, -3,, -7,,, -,,, 1,,, 3, -1, 3, 1, -3, 3, 1,,, 1, -1, 4, -3, 1,, -1, -, 5,, 3, 1,, 4, 3,,,, 4, 1, 1, -1, 1,, 1, -3,, 3, 3,, 3,, -,, -1,, -1, -, 3, -3, 1, -3, 3, -1, -1, -1, 1, -1, 1,, -1,, -1, 5, 1, 3, -1,, 6, 5,, -, 1,, 3,,, 1, 1, 1,, 1, -, -3,, 1,,, -3, 1,, -1, -1,, 4, -3,,, -1,, 1,, -1, -1, 1, -,, -,, 1,, 4,,, 1, -1, 1,, 7, 3, -1, 3, -3,,, -, 1, 1, 4, -,, 3, -1, 3,,,, -4, -, 1, -1,, 1,, -1, -, 1, 4, 3,, -1, -, -, 1, 4, -1, 1,, 3, -1,, 1,, 4, 1, 3,,, 1,, -1, -3, 4, 4, 3, -, -, -, 1, -,, 1, 1, -3, -3,, 1, 1, 4, -1,, 1, 3, 1, 1,,, -3, 1,, 3,, 3,, 5,,, 3, 3, -,, 1,,, 1, -3,,,, -, -1, -1, 4, 1, 3, -, 4, 1,,,,, 4,, 5, 1,, 1, -1, -1, -1,, 1, 3,,,,,, 3, 5, 1,, -1, 3,, 5,,, 1,,, -1, 1, 1, -1, -3, -4, 3,,, -1, 4,, 3, -1, 1, -1, -1, -,,,, 4,,,, 1, 3, -3, -1,,, 4, -1,, 1, -1, 1,,, 4, -,, -4,,,, -1, 4,,, -3, 1,, 1,, 3, -3,,,,, 3, -1, 4, 4, 1,, 5,,, The correspondent publc key h = f * g (mod ) s h f * g (mod ) -3, 36, -5, -8, -4, -17, 14, -16, -4, -4, 4, -39, 1, 14, -55, 8, -6, -4, -1, 6, -49, 64, -63, 9, 35, 18, -44, -14, -, -17, 5, -4, -7, -3, 49, 7,6, -8, 46, -15, -16, 41, 4, -53, -, -4, -9, 15, -4, 37, -5, 39, -3,56, 43, 53, -, 5, 37, -51, 6, -31, 5, -16, -34, -5, 37, -61, -5, -5, -3, 61, 4, -4, 5, -57,, -45, -1, 36, -6, 6, 17, 54, 3, -55, 5, 16, 1, -49, -3,, -3, -6, -34, -7, 15, 5,, -37, 31, 64, 49, 56, -1, -15,1, -43, 18, -63, -16, -9, 6, -4, 11, 34, -61, -47,, 15, 47, 14, -18, 6, -36, 43, 6, 34, -39, 19, 5, -6, 8, -16, -1, 39, -35, 38, -43,, 8, 4, -18, 1,, 6, -16, 3, 15, -7, 3, -38, -8, 41, 45, 8,, 57, 9, 1, 6, 3, -18, 4, 48, 38, -36, 17, -33, 6, 3, 43, -38, -56, 38, -33, -4, 3, 58, -1, 56, -37, 4, -17, 6, 3, 57, -5, 5, 19, 64, -41, 34, 45, -3, 1, 55, -9, -7, 49, 19, 9, -41, -14, 1, -46, 57, -49, 17, -, -31, -5, 36, -1, -9, 1, -31, 58, -, 13, 55, 5, 47, -36, 44, -61, -5, 11, -1, -6, 8, -61, -45, 48, -5, 1, 5, 3, -1, -, -59, -, 48, -58, -6, -5, -, 1, -49, 19, 9, Let the message m 1 and m to be sgned be m 1 6, 8, 3, -48, 64, -1, 3, 41, -41, 
14, 51, -31, 6, 19, 4, -14, 49, -1, -59, -4, 7, -47, -37,, -61, -9, -48, 17, 41, 64,,, 8, -3, 18, 7,, -43, -16, 46, 36, -9, -5, 33, 54, 54, -46, 39, -, -4, -5, 5, -, -, 8, -18, 16

17 13, 4, 63, -1, 4, 1, 56, -33, 33, 1, 39, -1, 3, -4, -8, 4, -7, -14, -8, -17, -4, -9, -4, 19, 16, -7, 5, 58, 15, -51, -5, -36, 37, -6, 18, -3, 4, 1, 8, 8, -44,, 63, 53, 5, -9, -8, -46, 1, 8, 1, 6, -45, 4, 17, 36, 61, -43, 3, 1, -9, -6, 4, -57, -1, -6, 4, -45, -61, -3, 7, -4, 35, 6, -5, -5, 61, 4, 13, 18, -3, -5, 16, -1, 38, -31, -41, 34, -9, 53, -19, 6, 58, -43, 33, -7, 15, -7, -8, 19, 5, -45, 43, -5, 46, 55, 35, 4, -5, -17, -4, 7, -3, -5, -5, -3, -19, -6, -6, 36, -38, -15, -3, -44, 7, -35, -7, -43, 3, 5, 4, -56, -6, 19, -17, 5, 9, -47, 8, -61, 1, -41, 31, 6, -8, 45, -3, 17, -45, -8, -1, -19,, 49,, -36, -5, 59, -14, 18, 45, -39, 6, 49, 44, -56, 35, -11, -38, -, -7, 8,, -41, 6, 58, -6, 58, 1, -41, -34, 63, 5, 53, 47, -58, -47, 6, -63, 3, 15, 46, 9, -4, 31, m 9, -15, 1, 63, 1, 64, -9, -5, 1, 15, -64, 15,, 59, -4, 43, -4, -41, -16, -51, -58, -9, -34, -61, -7, 34, 19, -6, -1, 6, -59, -57, -, 6, -59, 56, 5, -3, -33, -38, -53, -33, 41, 31, -39, -63, 1, -14, -4, 59,, -34, -15, 3, -3, 4,, 53, -48, 63, 48, -43, -58, -36, 8, -53, -45, -3, 9, -13, -6, 1, 18, -9, -1, 44, -8, 63, -35, -4, 57, 9, 7, -, -5, 61, -44, 6, 5, -8, 58, 33, -6, 64, 6, -43, -53, -48, -1, 1, 4, 49, -3, -43, -45, 9, -64, -9, 7, -34, 5,, 6, 14, 63, -9, 1, -46, -14, -5, -9, -, -36, 49, -1, -39, -58, -9, -, -3, -53, 46, -19, -11, -61, 1, -46, -6, 56, 45, -3, 44, 1, -34, -7, -1, 1, -61, 17, -58, -1, -56, -14, 8, 57, 3, 53, 64, -43, -33, -4, -31, -51, 4,, -48, -, 4, -44, -3, 1, -9, -51, -43, 1, 6, 1, -3, 1, -6, -16, -56, -18, 35, 36, -5,, 5, -6, 1, 56, 35, 55, -59, 1, 1, -43, 54, -1, -, -4, -56, 33, -7, -34, -1, 44, 51, 3, -11, -39, -49, -3, 7, 5, -31, 46, -14, 58, -45, -57, 5, 55, 6, 55,, 9, -5, -8, 61, -1, 16, -59, -41, 54, -9, 13, 33, -4, -, -43, -17, -4, 19, 55, -18, 5, 36, 3, 45, 56, We now observe a vald sgnature (s, t) whch s made by a legtmate sgner s 6, 6, 4, -43, -5,, 16, 38, -37, 9, 47, -9, -41, 43, -56, 4, -6, -1, -51, -1, 1, -4, -34, 45, -43, -16, -9, 8, 53, -51, 8,, 3, -1, 4, 1, 33, -44, -4, 59, 
5, -5, -51, 36, 58, 57, -33, 9, -13, -5, -4, -59,,, 18, -16, 8, 3, -5, -4, 36, -4, 58, -, 55, 39, 41, 8, 46, -37, -4, 6, 14, 6, -, 3, -17, -1, -19,, 37, -19, 11, -53, 36, -5, -36, -7, 45, -17, 44, -3, 61, 8, 3, 14, -4, 14, -6, 61, 16, -34, 1, -41, 4, 36, -11, -54, -34, 3, 49, 37, -59, -48, 55, 9, -11, -45, 5, -41, -16, 9, 1, -46, -37, -48, 46, -34, 47, 56, -34, -9, -3, 3, 39,, -9, -36, 7, 5, 33, -4, -33, 4,, 41, -6, 3, -6, -45, 7, -15, 31, -1, 11, 3, 15, -5, 3, -6, 43, -55, 3, 4, 17, -1, 15, 34, 1, -44, -38, -1,, -9, -61, 54, -6, -9, 6, -33, 14, -6, -3, -9, 35, 53, 6, 63, -4, -5, -5, -63, 16, -6, 8, -43,, -, 47, -5, -33, 56, -3, 18, -36, -, 7, -9, 48, 55, 17, -14, -7, -3, -14, 9, 49, -6, 36, 53, 53, -38, 5, 6, -18,, 17

t = s * h (mod q)

Obviously, the above signature (s, t) is valid and its norm value is m 1 + t m = 483 t m = 9, where s m 1 = 5335 and 863, respectively. We can now generate the second signature (s', t') from the previous signature (s, t) by adding the annihilating polynomial α = 8* 1 x to s:

s' = s + α (mod q)

t' = s' * h = t + α * h = t α (mod q)

In this example, we have the following equation exactly: 1 = s ' m + t' m = s m1 + t m where s ' m 1 = 5335 and t' m 863, respectively.
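The effect behind this numerical example can be reproduced at toy scale. The Python sketch below is an added illustration, not code from the paper. It assumes that α is a constant multiple of 1 + x + ... + x^(N-1) (the reading taken here of the garbled α above), that the verifier measures distance with the centered norm after lifting coefficients mod q into the best window, and that h, m1, m2 and s are constructed values rather than a real key or signature.

```python
import random

# Toy ring Z_Q[x]/(x^N - 1). These sizes are assumptions for illustration;
# real NTRUSign parameters are far larger.
N, Q = 11, 32


def conv(a, b):
    """Cyclic convolution a * b in Z_Q[x]/(x^N - 1)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] = (out[(i + j) % N] + ai * bj) % Q
    return out


def centered_norm_sq_scaled(r):
    """N times the squared centered norm: N*sum(r_i^2) - (sum r_i)^2.

    Kept in integers so that equality checks are exact.
    """
    return N * sum(x * x for x in r) - sum(r) ** 2


def centered_norm_mod_q(r):
    """Smallest centered norm over every lift of r mod Q into a window [a, a+Q)."""
    return min(
        centered_norm_sq_scaled([((x - a) % Q) + a for x in r])
        for a in range(Q)
    )


def distance(s, m1, m2, h):
    """Verifier's distance between (s, t = s*h mod Q) and the message point (m1, m2)."""
    t = conv(s, h)
    d1 = [(x - y) % Q for x, y in zip(s, m1)]
    d2 = [(x - y) % Q for x, y in zip(t, m2)]
    return centered_norm_mod_q(d1) + centered_norm_mod_q(d2)


def shift(s, k):
    """s' = s + alpha (mod Q) with alpha = k * (1 + x + ... + x^(N-1))."""
    return [(x + k) % Q for x in s]


def demo(seed=2024):
    """Compare the verifier's distance for s and for every shifted s'.

    Returns (base_distance, [(k, s_differs, distance_unchanged), ...]).
    All inputs are constructed; s is not a real signature. The point is that
    the distance function cannot tell s from s + alpha, so any norm bound
    that accepts s accepts every s' as well.
    """
    rng = random.Random(seed)
    h = [rng.randrange(Q) for _ in range(N)]    # constructed public key
    m1 = [rng.randrange(Q) for _ in range(N)]   # constructed message point
    m2 = [rng.randrange(Q) for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N)]    # constructed "signature"
    base = distance(s, m1, m2, h)
    results = []
    for k in range(1, Q):
        s2 = shift(s, k)
        results.append((k, s2 != s, distance(s2, m1, m2, h) == base))
    return base, results


if __name__ == "__main__":
    base, results = demo()
    unchanged = sum(1 for _, differs, same in results if differs and same)
    print(f"scaled distance for s: {base}")
    print(f"distinct s' with identical distance: {unchanged} of {Q - 1}")
```

Because α * h is again a constant polynomial (every coefficient equals the multiplier times h(1) mod Q), both halves of the pair shift uniformly. The centered norm discards that shift, which is why the equality holds exactly, as the example above states.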


CHAPTER III Neural Networks as Associative Memory CHAPTER III Neural Networs as Assocatve Memory Introducton One of the prmary functons of the bran s assocatve memory. We assocate the faces wth names, letters wth sounds, or we can recognze the people

More information

Report on Image warping

Report on Image warping Report on Image warpng Xuan Ne, Dec. 20, 2004 Ths document summarzed the algorthms of our mage warpng soluton for further study, and there s a detaled descrpton about the mplementaton of these algorthms.

More information

REGULAR POSITIVE TERNARY QUADRATIC FORMS. 1. Introduction

REGULAR POSITIVE TERNARY QUADRATIC FORMS. 1. Introduction REGULAR POSITIVE TERNARY QUADRATIC FORMS BYEONG-KWEON OH Abstract. A postve defnte quadratc form f s sad to be regular f t globally represents all ntegers that are represented by the genus of f. In 997

More information

Chapter 13: Multiple Regression

Chapter 13: Multiple Regression Chapter 13: Multple Regresson 13.1 Developng the multple-regresson Model The general model can be descrbed as: It smplfes for two ndependent varables: The sample ft parameter b 0, b 1, and b are used to

More information

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method

Comparison of the Population Variance Estimators. of 2-Parameter Exponential Distribution Based on. Multiple Criteria Decision Making Method Appled Mathematcal Scences, Vol. 7, 0, no. 47, 07-0 HIARI Ltd, www.m-hkar.com Comparson of the Populaton Varance Estmators of -Parameter Exponental Dstrbuton Based on Multple Crtera Decson Makng Method

More information

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM

PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM PRIME NUMBER GENERATION BASED ON POCKLINGTON S THEOREM Alexandros Papankolaou and Song Y. Yan Department of Computer Scence, Aston Unversty, Brmngham B4 7ET, UK 24 October 2000, Receved 26 June 2001 Abstract

More information

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b

A New Refinement of Jacobi Method for Solution of Linear System Equations AX=b Int J Contemp Math Scences, Vol 3, 28, no 17, 819-827 A New Refnement of Jacob Method for Soluton of Lnear System Equatons AX=b F Naem Dafchah Department of Mathematcs, Faculty of Scences Unversty of Gulan,

More information