Security of Nyberg-Rueppel digital signatures without message recovery

Size: px

Start display at page:

Download "Security of Nyberg-Rueppel digital signatures without message recovery"

Annice Ramsey
5 years ago
Views:

1 BULLETIN OF THE POLISH ACADEMY OF SCIENCES TECHNICAL SCIENCES, Vol. 62, No. 4, 2014 DOI: /bpsts Security of Nyberg-Rueppel igitl sigtures without messge recovery T. ADAMSKI 1 W. NOWAKOWSKI 2 1 Istitute of Electroic Systems, Wrsw Uiversity of Techology, 15/19 Nowowiejsk St., Wrsw, Pol 2 Istitute of Mthemticl Mchies, 34 Krzywickiego St., Wrsw, Pol Abstrct. The pper els with Nyberg-Rueppel igitl sigtures without messge recovery. Probbility of sigture forgery is lyze ssesse. Some simple methos to miimize probbility of sigture forgery re propose. Key wors: cryptogrphy, igitl sigtures, Nyberg-Rueppel sigtures, probbility of sigture forgery. List of Symbols N set of turl umbers, Z set of itegers, Z rig of itegers moulo, Z multiplictive group of the rig Z, <, m > set of iteger greter eve to less eve to m, R + set of oegtive rel umbers, ϕ Euler s fuctio, CDm, ) gretest commo ivisor of two itegers m, #A umber of elemets i the fiite set A, # orer of the fiite group, EX) verge of the rom vrible X, D 2 X) vrice of the rom vrible X, itio moulo, multiplictio moulo, subtrctio moulo, BX, Y ) set of ll bijectios f : X Y, BX) σ-fiel of ll Borel sets of topologicl spce X, 2 X set of ll subsets of the set X, ceilig fuctio. 1. Itrouctio I cotemporry electroics, t like softwre, mesuremet t, trsmitte t lso structure of electroic circuits) c be chge i mlicious, frequetly gerous wy. Digitl sigtures re methos prevetig these mlicious ttcks. Every igitl sigture scheme like commo h writte sigture uer ocumet hs three mi properties: 1. the sigture of perso A c be crete oly by the perso A, 2. the sigture shoul be uforgeble, 3. the sigture shoul be verifible. Every sigture scheme is compose of two lgorithms: lgorithm of sigig use by ocumet Siger) lgorithm of verifictio use by sigture Verifier). There re my ifferet sigture schemes. I geerl sigture schemes re ivie ito two ctegories: oe-time sigture schemes [1, 2] multi-use sigture schemes [1, 2]. There re lso two kis of sigture schemes: sigture with messge recovery sigture schemes with ppeix i.e. without messge recovery). There re lso specil sigtures with itiol fuctiolity like bli sigtures clle lso i blco sigtures), ueible sigture schemes fil-stop sigtures. For exmple, oe-time sigture schemes re the followig lgorithms: oe-time Rbi sigtures, oe-time Lmport sigtures oe time Mtys-Meyer sigtures. Wiely pplie i prctice multi use schemes re the followig: RSA, Elml, DSA Digitl Sigture Algorithm), ECDSA Elliptic Curve DSA), Rbi, Shore sigtures, filly Nyberg-Rueppel clss of sigtures. Some of them re itrouce to the public key cryptogrphy str IEEE P1363. Nyberg-Rueppel sigture schemes re wie clss of igitl sigtures with very iterestig properties. All Nyberg- Rueppel sigtures re probbilistic i the sese tht the sigture epes o sige ocumet rom vrible. Security of ll Nyberg-Rueppel sigtures is bse o DLP Discrete Logrithm Problem). We cosier i the pper simple prticulr cse of Nyberg- Rueppel scheme: so clle Nyberg-Rueppel scheme without messge recovery i.e. sigture scheme with ppeix). I the sequel we lyze ssess probbility of forgery i this sigture scheme propose simple methos to cotrol probbility of forgery. e-mil: t.mski@ise.pw.eu.pl 817

2 T. Amski W. Nowkowski 2. Nyberg-Rueppel igitl sigture scheme without messge recovery Nyberg-Rueppel igitl sigture i the cosiere i the pper versio) is the sigture scheme with ppeix i.e. without pli text messge recovery. eerl ssumptios re the followig. Assume is fiite group of the orer i.e. f #. Aitiolly we ssume 3 to voi trivility. The plitext messge m the messge which is sige) is ietifie with elemet of the group the m. Assume itiolly tht f : Z is rbitrry but fixe bijectio of the group o the rig Z of itegers moulo. Assume lso tht g, g 1 is geertor of the group or elemet of the sufficietly lrge orer. We ssume for security resos tht the group the elemet g re chose i this wy tht the iscrete logrithm problem DLP) with the bsis g is prcticlly usolvble i the group. Siger chooses t rom umber x Z so, tht CDx, ) 1 x 1. The umber x is privte key is secret. Now, Siger computes g x publishes y f g x s public key. Siger publishes lso the orer of the group i.e., bijectio f : Z elemet g. If # 2 the Z 2 {1} oly possible choice of x Z 2 is x 1. Becuse y g1 g everyoe kows immeitely the Siger s privte key. Hece the orer of the group is ssume i the sequel 3. I prctice the orer of the group is lrge umber becuse DLP hve to be usolvble. Algorithm of sigig ocumet plitext messge m) i.e. sigture geertio is show i Fig. 1. The sige ocumet m is rbitrry elemet of the group. The sigture is orere pir, b) Z. The ocumet is sige i similr wy like i Elml sigture scheme. The sige ocumet is orere pir m,, b)). Nyberg-Rueppel sigture verifictio lgorithm is show i Fig. 2. Fig. 1. Nyberg-Rueppel sigture geertio lgorithm Fig. 2. Nyberg-Rueppel sigture verifictio lgorithm 818 Bull. Pol. Ac.: Tech. 624) 2014

3 Security of Nyberg-Rueppel igitl sigtures without messge recovery 3. Solutio of lier cogruecies Theorem 3.1. Assume, x, y Z, m N, m 2. If CD, m) 1 the x ymom) if oly if x ymom). If f CD, m) > 1 the x ymom) if oly if x ymom/). Proof. 1. If CD, m) 1 the iverse 1 of umber mo m) i the rig Z m exists. Hece, multiplyig both sies of the cogruece x ymom) by 1, we hve 1 x 1 ymom). Becuse 1 mom) 1 the x ymom). If x ymom) the multiplyig both sies of the cogruece by we obti x ymom). 2. Directly from cogruece efiitio we hve, tht x ymo m) if oly if x y mo m ). But itegers m re reltively prime becuse NWD, m). Applyig the the first prt of the theorem we obti x y mo m ) if oly if x ymom/) filly we hve x ymom) if oly if x ymom/). Corollry. Cogruecies c be ivie sie by sie if ivisio i Z is possible) by iteger which is reltively prime with the moulus m N, m 2. More precisely, if, x, y Z, m N, m 2, CD, m) 1 x ymom) the x ymom). Exmple. Becuse ) mo 6) CD5, 6) 1, the we hve lso 2 4)mo6). Theorem 3.2. o solutios of the lier cogruece x bmom) for CD, m) 1). Assume, b Z, m N, m 2. If CD, m) 1 the the cogruece x bmom) hs solutio x Z give by the formul x b 1 mom), where 1 is iverse of the umber mom) i the rig Z m. Aitiolly every umber x Z is the cogruece solutio if oly if x xmom). Proof. 1. We c esily verify tht the iteger x b 1 mo m) where 1 is iverse of the iteger mom) i the rig Z m ) is solutio of the cogruece x bmom). Iee b 1 mom))mom) 1 )mom)b)mom) bmom) i.e. x bmom) for x b 1 mom). If x is such iteger, tht x bmom) the x bmom) if oly if x xmom). From the prove bove Theorem 3.1 o ivisio sie by sie we obti ow, tht x xmom). O the other h if x xmom) the of course x is solutio of the cogruece x bmom). Theorem 3.3. Assume, b Z, m N, m 2 eote by CD, f m). 1. If b the the cogruece x bmom) hs solutio give by the formul ) ) 1 b x mo m ), ) 1 where is iverse of the iteger mo ) m ) i the rig of itegers moulo m iteger x is solutio of the cogruece x bmom) if oly if x xmom/). Aitiolly i the set Z m we hve exctly solutios of the cogruece x bmom). 2. If b is ot ivisible by the the cogruece x bmom) hs o solutio. Proof. A 1. Assume b CD, m)). If x bmom) the there is k Z tht x b + k m we hve x b + k m. It mes tht x b mo m ). If we hve x b mo m ) the of course x bmom) filly we obti x bmom) if oly if, x b mo m ). Becuse the itegers m re reltively prime the we hve from the previous Theorem 3.2 o lier cogruece solutio), tht the cogruece x b mo m ) hs the solutio, x mo m ) ) ) 1 b ) 1, where is iverse of the umber mo ) m ) i the rig of itegers moulo m ) iteger x is solutio of the cogruece x b mo m ) if oly if, x x mo m ). The the cogruece x bmom) hs the solutio ) ) 1 b x mo m ) the iteger x is solutio of the cogruece x bmom) if oly if, x x mo m ). The lst cogruece is fulfille for exctly umbers x from the set Z x x+k m for k 0, 1,..., 1). The i the set Z m we hve exctly solutios of the cogruece x bmom). A. 2. Assume iversely, tht there is solutio x of the cogruece x bmom). The there is k Z tht x b + k m x k m b. The left sie of the lst equlity is ivisible by where CD, m)) but the right sie is ot, which is impossible. Hece the ssumptio tht the cogruece x bmom) hs solutio les to cotrictio. Bull. Pol. Ac.: Tech. 624)

4 T. Amski W. Nowkowski 4. Some bsic theorems The followig simple fct from commuttive rig theory is very useful i the sequel. Fct 4.1 Assume Z is rig of itegers moulo Z. A elemet Z is ivertible i the rig Z if oly if CD, ) 1. Proof. see [3 5]. Theorem 4.2. Assume is fiite group of the orer 3, m is sige pli text messge, x Z is privte key, g, g 1 is rbitrry fixe elemet of the group, y f g x is public key f : Z is bijectio. If the Nyberg-Rueppel sigture is correctly compute i.e. g k m, 1) b k 1 1 f) x), 2) where k Z is rbitrry elemet chose from Z the verifictio formul y f) b m b g 1 is fulfille. Proof. From properties of risig to power i groups we hve: y f) b g xf) g k m) b g xf) g k b m b g xf) k b m b. It follows from the Lgrge theorem tht for every elemet we hve # 1 i.e. 1. The for rbitrry r Z we hve r r mo ). 3) From 2) we obti tht the followig equlity is fulfille 1 f) x k b. The from 3) we hve: g xf) k b g xf) k b) mo ) g 1 filly we obti: y f) b g xf) k b m b g 1 m b. Theorem 4.3. If f : Z is bijectio x Z is fixe elemet of the multiplictive group Z the for every c Z the fuctio β : g) c f) x) Z is bijectio, i prticulr the fuctio h : h) 1 p f) x) Z is bijectio. Proof. If x Z the from the Theorem 3.2 we obti irectly tht the fuctio γ 1 : γ 1 ) f) x Z is bijectio. The fuctio γ 2 : Z z γ 2 ) c z Z is lso bijectio the β γ 2 γ 1 ) s superpositio of two bijectios is bijectio. Corollry 4.4. Uer ssumptios of the theorem 4.3 the umber of elemets for which CD1 f) x, ) 1 is exctly eve to ϕ), where ϕ : N N is the Euler s fuctio. Proof. A umber of ivertible elemets i the rig Z is equl to ϕ). The fuctio h: g)1 p f) x) Z from the Theorem 4.3 is bijectio the the umber of elemets for which CD1 f) x, ) 1 is exctly eve to ϕ). Theorem 4.5. Assume is fiite group of the orer 3, m is sige pli text messge, x Z is Siger s privte key, g, g 1 rbitrry fixe elemet of the group, y f g x f : Z is bijectio the: 1. If b is the seco coorite of the Nyberg-Rueppel sigture, b) of the pli text messge m more strictly b is compute s b k 1 1 p f) x) for chose t rom k Z, the fixe privte key x Z g k m) the b Z if oly if CD1 f) x, ) For every, b) Z, if CD1 f) x, )1 or equivletly b Z ) the we c fi oly oe orere pir m, k) Z tht g k m, 4) b k 1 1 f) x). 5) I other wors there is oly oe pli text messge m oe rom vlue k Z tht the Nyberg-Rueppel sigture compute for m k Z for the fixe Siger s privte key x Z) gives, b) Z. The there is o pli text messge m, m m, for which the Siger s sigture is equl to, b). As result the sigture forgery is impossible. 3. If g is geertor of the group the for every, b) Z : if CD1 f) x, ) > 1 the there re t lest two ifferet pli text messges m, m, m m hvig the sme sigture, b). Proof. A. 1. If we hve k Z 1 f) x Z the from 5) we obti b Z. If we hve b Z, k Z the from 5) we obti tht 1 p f) x is ivertible. Hece CD1 f) x, )1. A. 2. If CD1 f) x, ) 1 the we c solve i uique wy i Z Eq. 5) with ukow k. see the Theorem 3.2). Hvig k Z, we compute from Eq. 4) the uique vlue m. A. 3. From the Theorem 3.3 we obti tht Eq. 5) with ukow k) hs ifferet solutios i Z from Eq. 4) we obti ifferet pli text messges which fulfill the Eq. 4). Two possible situtios forgery impossible, forgery possible) s metioe i the Theorem 4.5 re show i Fig Bull. Pol. Ac.: Tech. 624) 2014

5 Security of Nyberg-Rueppel igitl sigtures without messge recovery Fig. 3. Two possible situtios ) b) for ) forgery is impossible for b) forgery is possible, ifferet messges c hve the sme sigture, the fuctio h : Z is give for with the formul h) 1 pf) x Z Theorem 4.6. Assume is group of the orer 3, g, g 1, m, k Z, f : Z is bijectio, y is public key y g f x, for privte key x Z ), b Z b Z or equivletly CD1 f) x, ) 1). Assume itiolly tht m is uique pli text messge which gives the sigture, b) Z for the privte key x Z, existece uiqueess of m for every, b) Z see the Theorem 4.5). If m eotes the messge obtie by Verifier for verifictio i.e m,, b))) the the verifictio formul c be i equivlet wy writte s m m 6) y f) b m b g 1. 7) I other wors: the problem if, b) Z is sigture writte by perso with privte key x) uer the pli text messge m is equivlet to fulfillmet of the formul 7). Proof. 1. From the Theorem 4.5 we obti tht for the give orere pir, b) Z there is uique orere pir m, k) Z for which we hve g k m, 8) b k 1 1 f) x). 9) We ssume tht CD1 f) x, ) 1 the 1 f) x Z. A prouct of two ivertible umbers from Z is ivertible the b is ivertible i.e. b Z. From 9) we hve k b 1 1 f) x). 10) O the other h we hve from 8) usig 10) we obti m g k m g b 1 1 f) x). 11) 2. Verifictio of the sigture m,, b)) is simply verifictio if m m. Usig 11) we c write ow equivletly equtio m m s g b 1 1 f) x) m. If we rise both sies of this equtio to the power b Z the we equivletly hve It c be writte s b g b b 1 1 f) x) m b. b g 1 f) x m b. Becuse g 1 the equivletly we hve b g g f)x m b. The bove equtio c be equivletly writte s g x ) f) b g 1 m b. But the public key y g x the filly we hve y f) b g 1 m b. I short, verifictio if m m is equivlet to verifictio if y f) b g 1 m b. It is importt tht i the verifictio formul 7) we hve o secret privte key x. 5. Probbility of forgery From the Theorem 4.5 we obti irectly the followig corollry. Corollry 5.1. If is fiite cyclic group of the orer 3, g 1, g is geertor of the group, x Z is fixe privte key of Siger f : Z fixe rbitrry bijectio the for every : Nyberg-Rueppel sigture, b) is uforgeble if oly if CD1 f) x, ) 1. I other wors if elemet 1 f) x is ivertible or equivletly CD1 f) x, ) 1) the the sigture, b) is uforgeble. The elemet 1 f) x Z is ivertible if oly if b Z the seco coorite of sigture) is ivertible. The rom elemet k Z hs o ifluece o ivertibility of the elemet 1 f) x. We hve oly ϕ) elemets of the group for which the elemet 1 f) x Z is ivertible. Deote A{ f ; CD1 f) x, ) 1}, of course #A ϕ). For every A forgery is ot possible. Assume tht ssumptios o the Corollry 5.1 re fulfille we hve efie two rom vribles X 1 X 2 see Bull. Pol. Ac.: Tech. 624)

6 T. Amski W. Nowkowski the Appeix A). The rom vrible X 1 escribes choosig t rom vlue k Z the rom vrible X 2 escribes choosig pli text messge m. From the Theorem A4 from the Appeix A) it follows tht if oe of these rom vribles hs uiform probbility istributio X 1, X 2 re iepeet the the rom vrible g X1 X 2 which escribes computtio of the first coorite of the Nyberg-Rueppel sigture) hs uiform probbility istributio o. Hece probbility, tht the first coorite g X1 X 2 of the Nyberg-Rueppel sigture belogs to \A, is eve to 1 ϕ)/ i.e. Pg X1 X 2 \A) 1 ϕ), I other wors, probbility of forgery is exctly eve to 1 ϕ)/. Becuse the vlue 1 ϕ)/ escribes probbility of forgery it is importt to choose the pproprite so tht 1 ϕ)/ woul be smll. Theorem 5.2. If r N is fixe turl umber p k1 1 p k p kr r, where p 1, p 2,..., p r re primes p 1 < p 2 <... < p r k 1, k 2,..., k r N the ϕ) lim p 1,p 2,...,p r + 1. Proof. It is irect coclusio from bsic properties of the Euler s fuctio ϕ. ϕ) ϕpk1 1 pk pkr p k1 1 pk pkr r r ) ϕpk1 1 ) ϕpk2 2 )... ϕpkr p k1 1 pk pkr r r ) p 1 1)p k1 1 1 p 2 1)p k p r 1)pr kr 1 p k1 p k2... pkr r 1 1p1 ) 1 1p2 )... 2 r 1 1pr ). The ϕ) lim p 1,p 2,...,p r + ) ) lim 1 )1 1p1 1p pr 1. p 1,p 2,...,p r + But i geerl the followig well kow property hols. Theorem 5.3. If ϕ is the Euler fuctio the lim if ϕ) Proof. see [3, 4, 6]. 0 limsup ϕ) 1. Theorem 5.4. Assume B, Z ) is the set of ll bijectios f : Z from the group of the orer 3, to the rig Z B, Z ), 2 B,Z), P) is probbilistic spce. If the probbility istributio P is uiform o B, Z ) the for every fixe every fixe x Z we hve: P{f B, Z ); CD1 f) x, ) 1}) ϕ), where ϕ is the Euler fuctio. Proof. 1. The fuctio h : Z Z efie with the formul hz) 1 z x is bijectio. Deote B h 1 Z ), of course #B ϕ). 2. Assume we hve fixe x Z the: bijectio f : Z fulfills the coitio CD1 f) x, ) 1 if oly if f) B. 3. It follows from the p. 2 tht the umber of ll bijectios f B, Z ) fulfillig the coitio CD1 f) x, ) 1 is equl to ϕ) 1)! o the other h #B, Z )! the: P{f B, Z ); CD1 f) x, ) 1}) ϕ) 1)!! ϕ). 6. Simple methos to improve the Nyberg-Rueppel sigture scheme cotrol probbility of forgery We propose i the sequel two methos to cotrol probbility of forgery i the Nyberg-Rueppel sigture schemes. The first is bse o the Theorem 5.4 Beroulli process, the seco is bse o the Theorem 6.1 formulte below. The first metho which llows to cotrol probbility of forgery. Assume B, Z ), 2 B,Z), P) probbilistic spce with the uiform probbility istributio P o B, Z ). If is fixe elemet of the group x Z is fixe elemet of Z the usig the Theorem 5.4 we c efie sequece of iepeet rom vribles: X 1, X 2,..., X s,... with vlues i the set {0, 1} i the followig wy. Assume we o series of iepeet experimets. I every experimet we choose t rom bijectio f from the set B, Z )with the uiform istributio). For every i N: X i 1 if oly if i the i-th experimet we hve chose bijectio f : Z so tht CD1 f) x, ) 1. From the Theorem 5.4 it follows tht the sequece of iepeet rom vribles X i ) is Beroulli stochstic process efie o the probbilistic spce B, Z ), 2 B,Z), P) with probbility of success equl to ϕ) it mes tht for every i N we hve PX i 1) ϕ) PX i 0) 1 ϕ). Itrouce ow, the rom vrible Y efie o the probbilistic spce B, Z ), 2 B,Z), P),with vlues i the set N {+ } i the followig wy. We hve efie bove Beroulli process X i ) of iepeet experimets. For every s N {+ }, Y s if oly if the coitio CD1 f) x, ) 1 is true the first time i the s-th experimet, Y + if oly if the coitio CD1 f) x, ) > 1 is true i every experimet. 822 Bull. Pol. Ac.: Tech. 624) 2014

7 Security of Nyberg-Rueppel igitl sigtures without messge recovery Equivletly Y s if oly if X 1 0, X 2 0,..., X s 1 0, X s 1 Y + if oly if for every i N, X i 0. The rom vrible Y is time till the first success i the Beroulli process the it hs geometricl istributio we hve see [3]): for every s N PY s) D 2 Y ) 1 ϕ) EY ) ϕ) 1 ϕ) ) s 1 ϕ), 12) ) 2 13) ϕ)) 2. Propose metho is bse o rom choosig bijectio f : Z from the set B, Z ) with the uiform probbility istributio o B, Z )) ext verifyig if CD1 f) x, ) 1. If CD1 f) x, ) 1 the we hve fou the pproprite bijectio. If CD1 f) x, ) > 1 the we repet the rom choosig. I short, we try t rom some ifferet iepeet bijectios sequece of bijectios) till the first success. From the formuls 13) we hve tht the verge time till the first success i.e. the first bijectio f i : Z tht CD1 f i ) x, ) 1) is equl to ϕ). The seco metho which llows to cotrol probbility of forgery The seco etermiistic) metho which llows to cotrol probbility of forgery is bse o the followig theorem. Theorem 6.1. Assume is fiite group of the orer, 3 x Z is fixe elemet of the multiplictive group Z. For every N there is fiite sequece of r bijectios f 1, f 2,..., f r, where for every i < 1, r >, f i : Z with the followig property: for every there is i < 1, r > tht CD1 f i ) x, ) 1. The smllest r from the bove theorem is equl to 2. ϕ) Proof. 1. It is possible to write ow the set s sum of r subsets A 1, A 2,..., A r r A i, where r for every i < 1, r > we hve ϕ) #A i ϕ) itiolly for every i, j < 1, r 1 >, i j we hve A i A j. It mes tht A 1, A 2,..., A r 1 re isjoit i pirs. As the the lst subset A r we c tke every set which fulfils two coitios: #A i ϕ) \ r 1 A i A r. 2. Now, we c efie r bijectios h 1, h 2,..., h r, where for every i < 1, r >, h i : Z h i A i ) Z. 3. For every bijectio h i : Z we c choose bijectio f i : Z i this wy tht for every, we hve h i ) 1 f i ) x. It is possible becuse we c tke for every, f i ) h f i ) 1) x 1, where x 1 is iverse i the multiplictive group Z. The fuctio f i : Z is bijectio s superpositio of 3 bijectios. 4. From the poit 1, we obti ow tht for every there is i < 1, r > tht h i ) Z or equivletly 1 f i ) x Z. The filly we hve fou fiite sequece of r bijectios f 1, f 2,..., f r, tht for every there is i < 1, r > tht CD1 f i ) x, ) It is obvious tht if h 1, h 2,..., h s is rbitrry fiite sequece of s bijectios h i : Z the the smllest umber s for which the followig coitio 14) s h 1 i Z ) 14) is fulfille is equl to of course 2). ϕ) ϕ) Equivletly the coitio 14) c be writte i the followig wy i <1,s> hi ) Z. 15) If we ssume tht for every we hve h i ) h) 1 f i ) x the the coitio 15) we c write i the form i.e. i <1,s> i <1,s> 1 f i ) x Z 16) CD1 f i ) x) 1. 17) The i short: for the give fiite sequece f 1, f 2,..., f s of s bijectios f i : Z the smllest umber s for which the coitio 16) is fulfille is equl to. ϕ) Tht is esy to verify tht for the group of the orer 2 the thesis of the bove theorem is lso fulfille, but i the pper we ssume for uiformity reso tht 3. Of course we hve i <1,r> CD1 f i ) x, ) 1, A i where A 1, A 2,..., A r re subsets of efie i the proof of the Theorem 6.2 or equivletly i <1,r> 1 f i ) x Z. A i The lgorithm of the propose metho repets the ie of the Theorem 6.1 proof. Bull. Pol. Ac.: Tech. 624)

8 T. Amski W. Nowkowski 1. Like i poit 1 of the proof, we choose i rbitrry wy sequece of r subsets A 1, A 2,..., A r r A i, where r for every i < 1, r > we hve ϕ) #A i ϕ) itiolly for every i, j < 1, r 1 >, i j we hve A i A j. It mes tht A 1, A 2,..., A r 1 re isjoit i pirs. As the the lst subset A r we c tke every set which fulfils two coitios: #A i ϕ) \ r 1 A i A r. 2. Usig A 1, A 2,..., A r we fi fiite sequece of r bijectios f 1, f 2,..., f r, with the property, tht for every there is i < 1, r > tht CD1 f i ) x, ) The we pply sequetilly bijectios f 1, f 2,..., f r verifyig for i 1, 2,..., r if CD1 f i ) x, ) 1. The first i < 1, r > for which CD1 f i ) x, ) 1 gives bijectio f i use to sig ocumet m. 7. Coclusios 1. We c esily ssess probbility of possible forgery i Nyberg-Rueppel sigture schemes. 2. Security of the Nyberg-Rueppel sigture scheme epes o the orer of the group. The the orer of the group hve to be crefully chose. 3. I the pper two simple methos of fully relible Nyberg- Rueppel like sigture schemes were propose. The first, probbilistic is bse o the Beroulli stochstic process is relible from probbilistic poit of view. The seco metho is etermiistic works lwys correctly. The essece of the presete two methos is tht we re chgig the bijectio f so tht forgery woul be impossible. As result the bijectio f is ot uiversl prmeter for the sigture scheme like i clssicl Nyberg-Rueppel methos the the chose bijectio f hve to be e s thir coorite to the sigture. The sige pli text messge hs the shpe m,, b, f)). Appeix Rom vribles with vlues i groups Defiitio A.1 topologicl group) Assume, ) is group, T) is topologicl spce, where T 2 is topology. The group is clle topologicl group iff the followig two coitios re fulfille: 1. the prouct : is cotiuous mppig of oto, 2. the iversio x x 1 is cotiuous mppig of oto. A topologicl group is lso i turl wy mesurble spce, B)), where B) is σ fiel of Borel subsets of. Hece we c efie rom vribles with vlues i. I the pper we re itereste i fiite groups for which we mit tht T 2 B) 2. The every fiite group c be trete s topologicl group mesurble spce. Defiitio A.2 covolutio of two fiite mesures) Assume is Abeli topologicl group µ 1 µ 2 re two fiite mesures o the mesurble spce, B)), B) B), µ 1 µ 2 ) is prouct of two spces with mesure:, B), µ 1 ), B), µ 2 ). Assume itiolly tht µ is iuce mesure by the cotiuous mppig f : x, y) x y i.e. for every A B) we hve µa) µ 1 µ 2 f 1 A)). The mesure µ is clle covolutio of two mesures: µ 1 µ 2 is eote by µ 1 µ 2 i.e. µ µ 1 µ 2. Theorem A1. Assume is Abeli topologicl group µ 1 µ 2 re two fiite mesures o the mesurble spce, B)). If µ µ 1 µ 2 the 1. The fuctio f : x µ 1 A x 1 ) R + is µ 2 itegrble the fuctio g : x µ 2 A x 1 ) R + is µ 1 itegrble 2. for every A B) we hve µa) µ 1 µ 2 A) µ 1 A x 1 )µ 2 x) Proof. See [7]. µ 2 A x 1 )µ 1 x). Theorem A2. Assume X 1 X 2 re iepeet rom vribles efie o probbilistic spce Ω, M, P) with vlues i Abeli topologicl group. If P Xi eotes probbility istributio of the rom vrible X i for i 1, 2 the 1. Y f X 1 X 2 is rom vrible 2. the probbility istributio P Y of the rom vrible Y is give by the followig formul Proof. See [8]. P Y P X1 P X2. Defiitio A.3 uiform probbility istributio o group ). Assume X is rom vribles efie o probbilistic spce Ω, M, P) with vlues i Abeli topologicl group. We sy tht the rom vrible X hs uiform probbility istributio iff for every A B) every x we hve P X A) P X A x), where P X eotes probbility istributio of the rom vrible X. Theorem A3. Assume X 1 X 2 re iepeet rom vribles efie o probbilistic spce Ω, M, P) with vlues 824 Bull. Pol. Ac.: Tech. 624) 2014

9 Security of Nyberg-Rueppel igitl sigtures without messge recovery i Abeli topologicl group. If P Xi eotes probbility istributio of the rom vrible X i for i 1, 2 oe of the probbility istributios P X1,P X2 is uiform the rom vrible Y f X 1 X 2 hs the uiform istributio. Proof. Assume P X1 is the uiform probbility istributio the from theorems A1 A2 we obti for every A B) P Y A) P X1 P X2 A) P X1 A x 1 )P X2 x) P X1 A)P X2 x) P X1 A) 1P X2 x) P X1 A). The the rom vrible Y f X 1 X 2 hs the uiform istributio. The bove theorem is frequetly use i cryptogrphy i the cse whe the Abeli group is fiite. For the fiite cyclic group, the followig simple fct is true. If g is geertor of the fiite cyclic group, the orer of is equl to X is rom vrible with uiform probbility istributio o the rig Z the rom vrible g X hs uiform probbility istributio o. Theorem A4. Assume we hve two iepeet rom vribles X 1 X 2 efie o probbilistic spce Ω, M, P). Assume itiolly tht g is geertor of the fiite cyclic group, orer of is equl to 2, X 1 is rom vrible ito the rig Z X 2 is rom vrible with vlues i the group. If oe of the rom vribles X 1, X 2 hs uiform probbility istributio X 1 o Z or X 2 o ) the rom vrible g X1 X 2 hs uiform probbility istributio o. Proof. A fiite cyclic group is Abeli s i the Theorem A3. Hece if the rom vrible X 2 hs uiform probbility istributio o the from theorem A3 we obti tht the probbility istributio of the rom vrible g X1 X 2 is uiform. If the rom vrible X 1 hs the uiform probbility istributio o Z the the rom vrible g X1 hs the uiform istributio o from Theorem A3 we hve tht the probbility istributio of the rom vrible g X1 X 2 hs uiform probbility istributio o. REFERENCES [1] A. Meezes, P. Oorschot, S. Vstoe, Hbook of Applie Cryptogrphy, CRC Press Ic., 1997, [2] J. Pieprzyk, T. Hrjoo, J. Seberry, Fumetls of Computer Security, Spriger, Berli, [3] V. Shoup, A Computtiol Itrouctio to Number Theory Algebr, Cmbrige Uiversity Press, Cmbrige, [4] S. Y, Number Theory for Computig, Spriger, Berli- Heielberg, [5] N. Koblitz, A Course i Number Theory Cryptogrphy, Spriger, New York, [6] W. Nrkiewicz, Number Theory, PWN, Wrszw, 1990, i Polish). [7] K. Muri, Alysis, PWN, Wrszw, 1991, i Polish). [8] J. Jkubowski R. Sztecel, Itrouctio to Probbility Theory, Script, Wrszw, 2004, i Polish). [9] C.C. Li C.S. Lih, Cryptlysis of Nyberg-Ruppel s messge recovery scheme, IEEE Commuictios Letters 4 7), ), DOI: / [10]. Ateiese B. Meeiros, A provbly secure Nyberg- Rueppel sigture vrit with pplictios, Cryptology eprit Archive, Report 2004/93, ). [11] IEEE Str Specifictios for Public-Key Cryptogrphy DOI: /IEEESTD [12] I. Blke,. Seroussi, N. Smrt, Elliptic Curves i Cryptogrphy, Uiversity of Cmbrige, Cmbrige, Bull. Pol. Ac.: Tech. 624)

M3P14 EXAMPLE SHEET 1 SOLUTIONS

M3P14 EXAMPLE SHEET 1 SOLUTIONS 1. Show tht for, b, d itegers, we hve (d, db) = d(, b). Sice (, b) divides both d b, d(, b) divides both d d db, d hece divides (d, db). O the other hd, there exist m d