
My cryptology professor asked us to show that while the following signature scheme is conceptually valid, it is inherently insecure. However, I am not sure how to demonstrate that the associated verification process produces an equality if the signature is valid.

The protocol works as follows given:

  • A publicly shared prime $p$;
  • A primitive root of $p$, $a|a<q$
  • A private key: $x|x<q$; and
  • A public key: $y=a^x\bmod{q}$
  • A cryptographic hash function $H=\texttt{SHA1}$

A signature $s$ can be generated for $m$ as follows: first, compute $h = H(m)$; if $\texttt{gcd}(h, q-1) \neq 1$ append $h$ to $m$ and calculate a new hash, and continue the process until $h$ and $q-1$ are relatively prime.

Then, calculate $z|z\cdot h\equiv x\bmod{q-1}$ and return the signature $s = a^{z}$.

In order to verify $s$, a user verifies that $Y=(a^z)^{h}=a^{x}\bmod{q}$.


For example, in order to sign a message $m$, where:

  • $q=6043$
  • $a=5$
  • $x=1098$
  • $y=485$
  • $h\leftarrow H(m)=612515367434372930600221767499032307523881412051$
  • $z\leftarrow z\cdot h\equiv x\bmod{q-1}=8513$
  • $s\leftarrow a^{z} = 5845$

Given the signature $s$, a user can verify that the signature is correct by verifying that $y=(a^{z})^{h}=a^{x}\bmod{q}$, however, I am not sure how to evaluate

$$(a^{z})^{h}= a^{x}\bmod{q}$$

since $h$ is (relatively) large. I think that I need to evaluate the following expression; however, I am not sure if it's computationally feasible since:

$$(a^{z})^{h}\rightarrow s^{h}\rightarrow 5845^{612515367434372930600221767499032307523881412051}$$

Meaning that in order to verify the signature, I would have to perform the following calculation:

$$(5^{8513})^{612515367434372930600221767499032307523881412051} = 5^{1098}\bmod{6043}$$

Normally, I would use fast modular exponentiation here, but $h$ is absolutely enormous. For a while, I thought that maybe I misunderstood the protocol and $h$ should be reduced modulo $q$, but, again, maybe I just have an embarrassingly flawed understanding of the protocol?

How do you think I should verify the signature?

hodgepodge

1 Answer


Sorry, can't comment yet. So I'm going to be more verbose since it's an answer ;)

I get other values for $z$ and $s$: $$h^{-1} = 2441\mod q-1 $$ and $$z = x \cdot h^{-1} = 3612\mod q-1\\ \Rightarrow s = a^z = 1039\mod q$$

The hash value $h$ can be reduced since we are working modulo $q$. With $q$ prime we have $\phi(q) = q-1$ and we can reduce the exponent modulo $q-1$.

This gives $$y' = s^h = s^{h \bmod (q-1)} \bmod q$$ So with $h \equiv 2297 \pmod{q-1}$ we verify: $$y' = 1039^{2297} \bmod 6043 = 485 = y$$ as desired.

  • Sorry, can't upvote yet. Thanks for your response, I never realized that there was an implicit modulo reduction for $h$ in there. – hodgepodge Feb 23 '16 at 15:57
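The exponent reduction from the answer, worked through in Python with the question's parameters; this is an added example, not code from the original question or answer. The function names are hypothetical, and the re-hash rule (appending the raw 20-byte digest to $m$) is an assumption, since the page does not say how $h$ is appended.

```python
import hashlib
from math import gcd

# Parameters and hash value quoted in the question.
Q, A, X, Y = 6043, 5, 1098, 485
H = 612515367434372930600221767499032307523881412051

def hash_coprime(m: bytes, q: int) -> int:
    """SHA-1 of m, re-hashed until gcd(h, q-1) == 1.
    Assumption: 'append h to m' means appending the raw digest bytes."""
    while True:
        digest = hashlib.sha1(m).digest()
        h = int.from_bytes(digest, "big")
        if gcd(h, q - 1) == 1:
            return h
        m += digest

def sign(h: int, x: int, a: int, q: int):
    """Solve z*h = x (mod q-1) and return (z, s) with s = a^z mod q."""
    # The inverse exists because h was chosen coprime to q-1.
    z = (x * pow(h, -1, q - 1)) % (q - 1)
    return z, pow(a, z, q)

def verify(s: int, h: int, y: int, q: int) -> bool:
    """Check s^h == y (mod q).
    Fermat: s^(q-1) == 1 (mod q) when q is prime and does not divide s,
    so only h mod (q-1) matters as an exponent."""
    return pow(s, h % (q - 1), q) == y

def demo() -> dict:
    z, s = sign(H, X, A, Q)
    return {
        "h_reduced": H % (Q - 1),
        "z": z,
        "s": s,
        # Square-and-multiply handles the full 160-bit exponent as well;
        # both forms give the same residue.
        "full_exponent_agrees": pow(s, H, Q) == pow(s, H % (Q - 1), Q),
        "valid": verify(s, H, Y, Q),
        # A modified signature (s*a mod q) must fail verification.
        "tampered_rejected": not verify((s * A) % Q, H, Y, Q),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Fast modular exponentiation costs roughly one squaring per exponent bit, so even the unreduced 160-bit $h$ needs only a few hundred multiplications modulo $q$.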