RSA /2002/13(08) , ); , ) RSA RSA : RSA RSA [2] , [1,4]

Transcription

1 /2002/13( Journal of Software Vol13, No8 RSA 1,2 1, 1 (, ; 2 (, E-mal: yfhu@fudaneducn : RSA RSA :, ; RSA,,, RSA,, : ; RSA ; ;RSA; : TP309 : A RSA [1],,,, RSA [2], [3], [1,4] ; :,, RSA, RSA RSA RSA : RSA n r z Z * n, y Z * n, y r =z r : RSA RSA RSA 12 RSA Flexble RSA : RSA n z Z * n, r y, y r =z (r>1,y Z * n : ; : : ( : (1968,,,,, ; (1940,,,,,,

2 1730 Journal of Software 2002,13(8 r : flexble RSA RSA flexble RSA RSA :RSA, r z ; RSA, r z RSA [2], RSA, 13 RSA : (random self-reducton, n r, z Z * n, y=z 1/r, : z * Zn, y = 1 / z r, : z, s Z * n, z =s r z, y= y /s RSA, n z, RSA n z, RSA Flexble RSA, RSA, RSA 14 (adaptve chosen message attack :, ;,,,, ; ;,,, :, 15 (unversal one-way famly of ash functon, UOWFs [3] ( k, : x k, y(y x, k (x= k (y [5,6], k ; 2 l l,l+1<l l=160,l =512, 2 l SA-1 n, QR n n l p q, p=2p +1,q=2q +1,p q n=pq, : h,x QR n ;l+1 : (n,h,x, : (p,q m, l+1 e(e y (y QR n e xh ( x y =, y x ( ( m y = h, n y : (e,y,y m (e,y,y, :

3 : RSA 1731 (1 e l+1 ( m (2 ( e x = y h (x (3 y e x = h 21, e, h h 1, y a, x=h a mod p q, a, h QR n, d=e 1 mod p q, y=h b, b=da+d(x mod p q, y h b [7],, 22 1 RSA, 1, 1 x,y Z * n a,b Z, x a =y b,gcd(a,b=1, x [8] * Zn, x a =y, Eucldean, b k, bb =1+ak x =x b y k 1 1 t, 1 t, m ( m,(e,y,y, x = ( y h (e,y,y m ( m 1 t, ( m ( e x = y h 3 : 1 j t,e=e j,x =x j 1 j t,e=e j,x x j 1 t,e e e, e RSA RSA, [4], RSA,, RSA, n, z Z * n l+1 r, z 1/r 2Π l+1 e 1,,e t, h = z e ; w Z * 2Π n, x = w e ;, =r ( m e m, y QR n, x = ( y h ( x y = xh y x h e, m (e,y,y, 1 j t,e=e j x =x j, : ( y = x h ( m ( y = x h j ( m j, (m (m j, v Z n a0(mod, z 2 Π :v =h a = a e gcd(2a e,=1,=r 1, z r RSA, RSA : n,z Z * n r, z r : j ;

4 1732 Journal of Software 2002,13(8, : 2 Π e j 1 t( j, l+1 e, e j =r l+1, h = z w Z * n, y j = w u Z * n, x j =u 2 ( x j j x = y j h e 2Π je ( m, m j y QR n, x = ( y h x h e, y =j h x j, y j y j, m (e,y,y e=e j,x x j, y e (x = xh, e ( x j y j = xh, z r RSA, felxble RSA n,z Z * n, r(r>1 z r : l+1,e 1,,e t, h a {1,,n 2 }, x=h a e Π e = z 2 QR n p q h QR n, a=bp q +c, 0 c<p q a,c {0,,p q 1}, c,b {0,, n 2 /p q } c b c, x QR n x h, (e,y,y,m=2π e (a+(x y e =xh (x =z m d=gcd(e,m gcd(d,2p q =1 y e/d =z m/d, e³m( e m, 1 z (e/d, e³m r e, r³2π e, r³(a+(x : a=bp q +c( r c,c b r³p q, a+(x 0(mod r 1/r,r³(a+(x 1 z r, RSA 3 ( m m (e,y,y ( e e (x x = y h, y = xh (x, : g 1,g 2 s G (s l+1 m hash, α = ( ( m α, g t g 1 2,,t mod s hash α t g 2 g 1 m α;, m, t l p q, p=2p +1,q=2q +1,p q n=pq, : h,x QR n ; s G, s l+1, G g 1 g 2

5 : RSA 1733 : (n,h,x,g 1,g 2 G ( s : (p,q m, l+1 e t Z s t ( m ( g e g xh 1 2 y =, y :(e,y,t t ( m ( g g m (e,y,t, e l+1, x = y e h RSA G, 1 hash,,, s, m 4 RSA RSA :, ; RSA,,, :, RSA, SA-1 [6] : 1, Vsual C++ 60, Dell P, OptPlex GX1, Mcrosoft Wndows Bts Table 1 The tmes of basc arthmetc operatons (as a baselne Basc operatons 1 ( Modular multplcaton (µs Squarng operaton (µs Exponentaton (ms ,,,, Table 2 The tmes of the algorthms 2 Phase Modulus Key set-up phase (ms Man sgnng phase (ms Sgnature verfcaton (ms , References: [1] Goldwasser, S, Mcal, S, Rvest, RL A dgtal sgnature scheme secure aganst adaptve chosen-message attacks SIAM Journal on Computng, 1988,17(2:281308

6 1734 Journal of Software 2002,13(8 [2] Barc, N, Pftzmann, B Collson-Free accumulators and fal-stop sgnature schemes wthout trees In: Fumy, W, ed Proceedngs of the Conference on Advances n Cryptology (EUROCRYPT 97 Berln, New York: Sprnger-Verlag, [3] Naor, M, Yung, M Unversal one-way hash functons and ther cryptographc applcatons In: Johnson, DS, ed Proceedngs of the 21st Annual ACM Symposum on Theory of Computng (STOC 89 Seattle, WA, New York: ACM Press, [4] Cramer, R, Amgaard, I New generaton of secure and practcal RSA-based sgnatures In: Kobltz, N, ed Proceedngs of the 16th Annual Internatonal Conference on Advances n Cryptology (CRYPTO 96 Santa Barbara, CA, New York: Sprnger-Verlag, [5] Bellare, M, Rogaway, P Collson-resstant hashng: towards makng UOWFs practcal In: Proceedngs of the 17th Annual Internatonal Conference on Advances n Cryptology (CRYPTO 97 Santa Barbara, CA, New York: Sprnger-Verlag, 1997 [6] Shoup, V A composton theorem for unversal one-way hash functons In: Proceedngs of the Workshop on Advances n Cryptology (EUROCRYPT 2000 New York: Sprnger-Verlag, 2000 [7] Lm, C, Lee, PJ More flexble exponentaton wth precomputaton In: Desmedt, YG, ed Proceedngs of the Conference on Advances n Cryptology (CRYPTO 94 Santa Barbara, CA, New York: Sprnger-Verlag, [8] Gullou, LC, Qusquater, JJ A practcal zero-knowledge protocol ftted to securty mcroprocessor mnmzng both transmsson and memory In: Günther, CG ed Proceedngs of the Conference on Advances n Cryptology (EUROCRYPT 88 Davos, Swtzerland, New York: Sprnger-Verlag, A Sgnature Scheme Based on the Strong RSA Assumpton WANG Bao-you 1,2, U Yun-fa 1 1 (Department of Computer Scence and Engneerng, Fudan Unversty, Shangha , Chna; 2 (Chna UnCmm Lmted Shangha Branch, Shangha , Chna E-mal: yfhu@fudaneducn Abstract: For resstng the adaptve chosen message attack and mprovng the sgn generaton effcency, a sgnature scheme based on the strong RSA assumpton s descrbed n ths paper The scheme uses a fxed base rather than by rasng them to a fxed power, whch s dfferent from the RSA algorthm Moreover, one can use pre-computaton technques n order to get a better effcency In addton, a hash functon can be ncorporated nto the scheme n such a way that t offers a trapdoor to the sgn algorthm The merts of ths amendatory scheme are that f one makes a dstncton between the off lne and the on lne cost of sgnng, the sgner can reduce on lne cost sgnfcantly by usng hash trapdoor It s proved that the scheme s secure aganst the adaptve chosen message attack under the strong RSA assumpton The expermental results show that the scheme has hgh effcency Key words: dgtal sgnature; strong RSA assumpton (SRA; hash functon; RSA; securty Receved May 15, 2001; accepted October 23, 2001 Supported by the Natonal Natural Scence Foundaton of Chna under Grant No