A New Digital Signature Algorithm Similar to ELGamal Type

Transcription

1 320 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH 2010 A Nw Dgal Sgnaur Algorhm Smlar o ELGamal Typ Hapng Chn Collg of Compur Scnc and Tchnology, Jln Unvrsy, Changchun, Chna E-mal: chnhp@jluducn Xuanjng Shn and Yngda Lv Collg of Compur Scnc and Tchnology, Jln Unvrsy, Changchun, Chna E-mal: {jshn@jluducn, lvyngda1983@163com} Absrac Applcaon of dgal sgnaur chnology bcoms mor nsv, bu many posd dgal sgnaur algorhms hav ncrasngly rvald som shorcomngs and dfcncs Amng drcly a h frqunly usd dgal sgnaur chnologs, whch ar wak o Subsuon Aack and Homosass Aack, h auhors prform h hash ransformaon on mssags bfor sgnaur Thn, a hash round funcon s consrucd, whch smulanously sasfs h characrs of balanc, hgh nonlnary, src avalanch crron and ralzaon of sofwar Morovr, makng us of h hash round funcon, a nw hash algorhm namd HRFA (Hash Round Funcon Algorhm) s conrvd On hs bass, amng a h dfc ha h sng dgal sgnaur algorhms ar wak o acv aack and mprsonaon aack, usng h hash algorhm namd HRFA and h slf-crfd publc ky sysm, a nw knd of dgal sgnaur algorhm, whch s smlar o ELGamal, namd H-S DSA (Hash Round Funcon and Slf-crfd Publc Ky Sysm Dgal Sgnaur Algorhm) s rasd and ralzd Fnally, h auhors analyz h H-S DSA from wo aspcs of scury and m-comply And, h rsuls show ha h nw dsgnd dgal sgnaur algorhm namd H-S DSA no only has br scury srngh, bu also has lowr mcomply Ind Trms dgal sgnaur, smlar o ELGamal, HRFA, H-S DSA, algorhm analyss I INTRODUCTION Dgal sgnaur chnology s prsnd for h frs m n 1976 by Dff and Hllman n hr famous papr namd "Nw Drcon n Crypography" [1] Subsqunly, has arousd nrs n many rsarchs and was grown by laps and bounds A prsn, hr ar many maur dgal sgnaur Scnfc and chnologcal dvlopmn projc of Jln Provnc ( ); Corrspondng auhor: Xuanjng Shn(1958-), mal, PhD suprvsor, rsarch nrss: Compur Nwork Scury, Dgal Imag Procssng and Parn Rcognon, Inllgn Masurmn Sysm algorhms, among whch, RSA dgal sgnaur algorhm, ELGamal dgal sgnaur algorhm, US dgal sgnaur sandard/algorhm (DSS/DSA) and LUC dgal sgnaur algorhm ar h mos rprsnav ons Howvr, dvlopng o h prsn, hs commonly usd dgal sgnaur algorhms mor or lss s knds of problms RSA schm holds h characrsc of homosass, and s consqunly wak o acv aack and mprsonaon aack [2] Manwhl, ELGamal dgal sgnaur algorhm has svr chnologcal dfc alhough no dald crypanalyss s s mployd [3] I s vry fragl o subsuon aack and forgry aack In addon, DSS, on varaon of ELGamal schm, suffrs h sam aacks as ELGamal Wors sll, h publc modulus and oo shor scr ky lavs a furhr scury rsk o DSS [4] [5] As for LUC soluon, sgnaur could b forgd usng h sgnd nformaon [5] Morovr, LUCELG and LUCDIF ar vry wak o h sub-nd m aackng algorhm [6] N, w wll mak dald analyss of ELGamal dgal sgnaur algorhm Th schm can b brfd as blow: S p s a larg prm numbr, q s a larg prm numbr s facor of P-1, g s a larg prm numbr s facor wh ordr q ovr GF (P), and gcd(g,p)=1 Usr A slcs a random numbr, hr (1, p-1), calculang y=g mod p Th publc kys ar Y, g, p, h scr ky s If usrs wan o sgn for mssag m, h followng sps mus b carrd ou: 1) Slc ngr k randomly, k (l,p-1] and gcd (k,p-1)=1; 2) Calcula: k r = g (mod p) ; 3) Calcula s whch sasfs m=r+ks(mod (p-1)), r 1 ha s, s=(m- )k (mod (p-1)) Thn A's sgnaur on m s (r, s), afr rcvng h sgnaur (r, s) of m from A, B vrfs f (r, s) ms h quaon: s gm=yr (mod p) If ms h abov quaon, h sgnaur wll b accpd; ohrws, h sgnaur wll b rjcd Drawbacks of ELGamal dgal sgnaur algorhm: 1) Afr nroducon of RSA n 1978, gra dal of do:104304/jsw

2 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH nrgy has bn spn o fnd s dfcs whch can b dcphrd Thr s no rsk whn s usd n som scop of h proocol, howvr, ELGamal algorhm s no sd by a dald password s analyss and dcphr, hr ar sll srous chncal dfcs 2) I s consqunly wak o acv aack and mprsonaon aack [7] If h aackr rplacs som lgma usrs publc ky n SA by publc ky corrspondng o h randomly slcd prva ky succssfully, h wll b abl o fak any of hos usrs sgnaurs 3) Suffr subsuon aack [8] Ths aacks nclud usng par of h sgnaur s and only us h publc ky Y Th subsuon aack carrd ou by par of sgnaur s s h mos mporan aack ELGamal sgnaur schm facs 4) Suffr fak aack [3] Th forgry sars from h sgnaur, makng any changs o h mssag o form sgnaur of anohr mssag m, and, hs sgnaur wll m h sam quaon as h orgnal sgnaur 5) Random ky k can no b usd o sgn for dffrn mssags rpadly [3], ohrws, h aackr can asly oban h sgnaur s ky 6) H and Kslr pond ou ha, h sgnr can b fakd o sgn any mssags [9] If hr random kys k ( = 1,2,3) sasfy k 3 = k 1 + k 2, hn r ( = 1,2,3) wll sasfy r3 = r1r2 Thus, h aackr can fnd ky Ths s smlar o homomorphsm aacks RSA sgnaur facs Wha s dffrn s, h homomorphsm of RSA sgnaur s only o fak h sgnaur by aackrs, and can b ovrcom by h us of hash funcon Bu, for h homomorphsm aack ELGamal dgal sgnaur schm facs, hr s sll no ffcv soluon 7) Th ssu of Sublmnal Channl [3] For closng Sublmnal Channl on ELGamal dgal sgnaur schm, so far hr ar no rsuls of any rsarch Concrnng abou hs problms, w propos h H-S DSA (hash round funcon and slf-crfd publc ky sysm dgal sgnaur algorhm) basd on hash round funcon and slf-crfd publc ky sysm afr rlvan sudy W hav also analyzd hs schm wh rspc o scury and m-comply Th rsuls dmonsra ha hs nwly dsgnd algorhm H-S DSA posssss adqua scury and rlavly low m-comply II Dsgn for Hash Round Funcon Algorhm Hash funcon s a knd of funcon namd h, whch comprsss numrc srng dnod by M wh arbrary lngh o an oupu numrc srng dnod by H wh fd lngh, and, H=h(M) s calld as Hash Valu of M, also can b calld as Dgal Fngr Prn of M or Mssag Dgs of M For a hash funcon h, f s asy o calcula H=h(M) usng M, bu h calculaon s no fasbl, whch ylds ' ' a M o mak h(m )=H, ha s o say h s on-way funcon, hn h s calld as on-way hash funcon I s nroducd manly basd on h consdraon of dgal sgnaur or mssag auhncaon Applyng hash funcon o h dgal sgnaur can brng h followng bnfs: [10] 1) Can undrmn som knd of mahmacal srucur of dgal sgnaur schm, such as homomorphsm srucur 2) Can ncras h spd of dgal sgnaur Whn h sgnr would lk o sgn a mssag, h frsly consrucs a mssag dgs z=h() (h s a hash funcon), and hn calculas sgnaur y=sgk (z) 3) Can lak a sgnaur whou dsclosur of h mssag corrspondng o h sgnaur For ampl, y=sgk (z) s a sgnaur for mssag, whr z=h(), can mak (z, y) known o publc, bu kp a scr 4) Can dsngush sgnaur ransformaon and ncrypon ransformaon, allow usng prva ky crypography o achv confdnaly, and usng publc ky crypography o achv dgal sgnaur In h Opn Sysm Inrconncon Rfrnc Modl(OSIRM) of ISO, on of h mrs of hs sparaon s o provd ngry and confdnaly bwn dffrn layrs Boolan Algbra, whch was dscovrd and consrucd by XMZhang and JSbrry al, holds an clln propry of crypography, whch s wdly blvd wch nds o b sasfd as much as possbl whn dsgnng crypographc algorhm lk on-way hash round funcon [11] Thr proprs ar consdrd o b ssnal: 1 Sasfyng 0-1 balanc; 2 Hgh nonlnar; 3 Sasfyng src avalanch crron; Furhrmor, as a funcon s, has h followng characrs: 4 Muual lnar nonquvaln; 5 Muual oupu rrlvan A Consrucon of Boolan algbra on V 2k + 1 Assum k 1, f b Bn funcon on V [12] 2k, and h for non-consan affn funcon on V 2k, so consqunly f() h() wll b also Bn funcon Y gnrally, h valus of f() and f() h() can b consdrd as addng dffrn ms of 1 (W can rplac h() by h() 1 and f() h() by f() h() 1) On V 2k+1, dfn funcon g as: g(y, 1,, 2k) = (1 y)f( 1,, 2k) y(f( 1,, 2k) h( 1,, 2k)) = f(,, ) y(h(,, )) 1 2k 1 2k Th abov funcon g s Bn funcon ha s balancd, hgh non-lnar and sasfs src avalanch crron on V 2k+1 [13] Lmma 1 funcon g dfnd by (1) s a balancd funcon Lmma 2 non-lnary of funcon dfnd by (1), 2k k sasfs N 2 2 g (1)

3 322 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH 2010 Lmma 3 funcon g dfnd by (1) sasfs src avalanch crron Som horms can b summarzd from lmma 1, 2 and 3: Thorm 1 f k 1, funcon g ha s dfnd by (1) s a balancd funcon on V, wh s 2k+1 2k k non-lnary N 2 2 and sasfs src avalanch g crron Accordng o horm 1, o buld a Bn funcon on V ha s balancd, hgh non-lnar and sasfs src 2k+1 avalanch crron, som sps can b followd: 1) Choos an appropra Bn funcon f on V 2k ; 2) Choos h opmum affn funcon h on V 2k+1 (wh rspc o h non-lnary of h fnally bul Bn funcon) and fgur ou h ndd rsul g accordng o (1); 3) Do ssnal lnar ransformaon o g (hs ransformaon won' chang h balanc or non-lnary), so as o m h fnal applanc nd B Consrucng a nw hash round funcon Frsly, choos four Bn funcons on V 4 : f(,,, ) f(,,, ) f(,,,) f(, 3 1 2,, 3 4) Thn choos non-consan affn funcons l,l,land l3 on V 4 Us (1) o calcula: 512 Y q l(,,,) = 1 l(,,, ) = 1 l(,,,) = 1 l(,,,) = g (,,, ) = f(,,, ) l (,,, ),=0,1,2, A B C D A A Tm 0 (ABCDE, Y, K) q 0 B Tm 1 (ABCDE, Y, K) q 1 B Tm 79 (ABCDE, Y, K) q 79 C C D D E E E Four Bn funcons ar fgurd ou ha sasfy balanc, hgh non-lnary and src avalanch crron smulanously g(,,,,) g(,,,,) g(,,,,) g(,,,,) Do lnar ransformaon o hs four Bn funcons afrwards: σ 0( 1, 2, 3, 4, 5) = ( 1, 5, 2, 3, 4) σ 1( 1, 2, 3, 4, 5) = ( 1, 5, 2, 3, 4) σ 2( 1, 2, 3, 4, 5) = ( 1, 5, 2, 3, 4) σ 3( 1, 2, 3, 4, 5) = ( 1, 5, 2, 3, 4) Thn, w g h fnal rsuls: h(,,,,) h(,,,,) h 2( 1, 2, 3, 4, 5) = h(,,,,) Hr, h,h,h and h3 ar h bul hash round funcons w wan, all of whch ar balancd funcons on V 5 ha sasfy h src avalanch crron Th 4 2 non-lnary s all 2 2 = 12, acually h mamum lnary possbl for balancd funcon on V 5 As a funcon s hy ar muually lnar nonquvaln [14] Us (1) drcly on Bn funcon, w hav rcvd four funcons g(= 0,1,2,3), and h four funcons hav alrady bn balancabl, hgh nonlnar and sasfd src avalanch crron, howvr, hs funcons as a funcon s o b oupu ar rlad o ach ohr [12] Th rol of lnar ransformaon s o mak h oupu solad by ransformng h coordnas of h npu Ths ransformaon s jus on of h ransformaons whch m h rqurmns By now, w hav bul up h nw hash round funcons Ths funcons fully sasfy crypography Bn funcon characrs 1~3; and as a funcon s, hy also sasfy boh characr 4 and 5, whch mans a largly rnforcd scury for hash algorhm A B C D E CLS5 f + + CLS30 + W K A B C D E 128MD q+1 + Mod 2 32 Fgur 1 Dalng wh vry 512b group of HRFA Fgur 2 Th basc calculaon block dagram of n HRFA

4 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH W Yq (w w w w ) 1 w 0 w 2 w 8 w 13 XOR w -16 w -14 w -8 w -3 XOR w 63 w 65 w 71 w 79 XOR Tabl 1 Th Valu Rangs of and consan K f(a,b,c,d,e) Calcula ms f (A,B,C,D,E) K 0 19 ABC ACE AB BC AD D 5A AB CD BE E 6ED9EBA ABD AD BD BCC 8F1BBCDC W0 W1 W15 W16 W W79 Fgur 3 Eghy 32b words producd by HRFA afr rang an npu group C Dsgnng for Hash Round Funcon Algorhm Inpu: h lngh of npu mssags should b lss han 264b; Oupu: h oupu lngh s 160b; Vrfcaon: for rcvr, hy calcula h hash valu of h rcvd mssag, and vrfy n complanc wh h rcovrd hash valu from dcrypon I s unfasbl o calcula h hash valu for a forgry mssag and mak h sam as h gvn on, and s also mpossbl o fnd ou wo dffrn mssags sharng h sam hash valu n calculaon Any chang n mssag would lad o a dffrn hash valu wh hgh probably, whch would consqunly rsul n h falur of sgnaur vrfcaon Gvn a mssag, h procdur of buldng a 160b mssag absrac ar as follows: 1 Pad h mssag no an ngral mulpl of 512b Pad a 1 on h rgh sd of, and hn cascad wh nough 0 so as o nd h lngh of modul o 448b A las, cascad wh 64b o rprsn h lngh of (us L o rprsn) Gvn ha M = L 0d L, h paddng valu s 1~512b 2 Us fv 32b varabls (A, B, C, D, E) as h nal valu (hadcmal) A = , B=EFCDAB89, C=98BADCFE, D= , E=C3D22E1F0 3 M = Y0 Y1 K YL, hr Y,Y 0 1 KY L ar all 52b groups, and Yq n ach group has sn 32b words Each m rcvng 512b, sor valus of A, B, C, D, E no anohr fv 32b varabls AA, BB, CC, DD and EE, rspcvly (AA=A, BB=B, CC=C, DD=D, EE=E), hn carry ou four rounds of raon wh 20 compld n ach round(fg 1) dnos ach basc opraon (such as Fg 2) E=D, D=C, C=(B<<30), B=A, A=(A<<5)+f (A, B, C, D, E)+E+W +K hr, h valus of f(a,b,c,d,e) and consan K ar shown n Tab 1 Noc ha f(a,b,c,d,e)s hash round funcon bul n ⅡB Th valus of W ar shown n Fg 3 Afr dalng wh all 512b groups, ha s, complng 80 basc calculaons, A=A+AA, B=B+BB, C=C+CC, D=D+DD, E=E+EE Thn, cascad h valus BD BC AD DE E CA62C1D6 of A, B, C, D and E, and oupu hm as hash valu wh a lngh of 160 bs 4 Valu of W : End h npu 16b words o 80b words whch ar ssnal n ramn (Fg 3) Th scury of hash funcon s quvaln o ha of hash round funcon, so hash round funcon plays a val rol n h dsgn of hash funcon Hr, sarng from four Bn funcons on V 4, h auhors hav consrucd four Boolan funcons sasfyng balanc, hghly nonlnar and src avalanch crra a h sam m, and h four Boolan funcons ar as h hash round funcon of hash algorhm Afrwards, usng hs hash round funcons, HRFA has bn dsgnd, and n h procss of h algorhm s ralzaon, ach sp uss h rsuls from h prvous sp, has a good avalanch ffc Morovr, h hash valu s 160 bs, h rssanc o hausv sarch aack s srongr, and has br scury III Dsgn for H-S DSA Dgal Sgnaur Algorhms basd on Publc ky cryposysm, such as Dff-Hllman RSA and ELGamal, ar all algorhms whch h sgnr uss h prva ky o gnra h mssag's sgnaur, and hn h vrfr uss h sgnr's publc ky o vrfy h sgnaur Gnrally spakng, publc kys ar all kp n h ky drcory manand by h Sysm Admnsraor (SA) Whn vrfyng h dgal sgnaur, h vrfr wll frs oban h publc ky from SA hrough publc communcaon channl Thr s a problm n hs procss, ha s, a fals publc ky s bng subsu for a ru publc ky If h advrsary rplacs som lgma usrs publc kys n ky drcory by publc kys corrspondng o h prva kys h chos, or h rplacs h publc kys n s ransmsson procss, h wll b abl o fak any of hos usrs sgnaur, whch ar h so-calld acv aacks and fak aacks [15] Mos of h sng dgal sgnaur schms hav hs problm In ordr o ovrcom hs shorcomng, s ncssary o vrfy h valdy of publc ky frsly bfor usng h publc ky o vrfy sgnaurs Thr ar hr mhods o vrfy publc ky, howvr, snc Slf-crfd publc ky mhod dos no rqur an addonal crfca, and rlavly spakng, s sorag and compuaon ar graly rducd, h auhors prsn a nw dgal sgnaur algorhm namd H-S DSA(Hash Round Funcon and Slf-Crfd Publc Ky Sysm Dgal

5 324 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH 2010 Sgnaur Algorhm), usng HRFA algorhm and h abov Slf-crfd publc ky mhod Sgnng for mssags of hs dgal sgnaur algorhm s composd of wo pars, and hs algorhm s smlar o ELGamal sgnaur algorhm n form, so h auhors call dgal sgnaur algorhm smlar o ELGamal (H-S DSA) Th scury of hs algorhm ls on h on-way hash round funcon, facorzaon (FAC) and dscr logarhm problm assumpon (DL) N, w frs nroduc h Slf-crfd publc ky sysm A Slf-crfd publc ky sysm Slf-crfd publc ky sysm (SCPKS) was proposd by Graul n 1991 [16], whch was commonly calld RSA-basd SCPKS, bcaus h publc/prva ky par of hs sysm ar basd on RSA crypography I consss of wo sps ncludng sysm naon and usr rgsraon Dald dscrpons ar as follows: 1 Sysm naon Sysm Admnsraon (SA) wll choos wo prm numbr p, q, calcula N=pq, and g h ngral numbr Z g (mamum ponn numbr n ( ZN )) Thn calcula h scr ky accordng o RSA, wh rgards ha (, d)=1( mod ϕ (N) ) b sasfd( ϕ s Eulr s consan) And mak publc N, g, whras p, q, d would b kp confdnal 2 Usr rgsraon Whn usr U wh an dny h sysm, h should frs choos a ky Z * (Z N ) and calcula: Thn snd { } ID wans o accss n - v = g modn (2) ID, v o SA o rgsr Hs publc ky would b hn calculad by SA usng (2) y ( ) d = v- ID modn (3) Concluson from (2) and (3): h publc ky of usr U s acually h sgnaur of hs ky and ID, whch s producd by SA Manwhl, h prva ky of usr s unknown o SA Usr U can hn vrfy h valdy of publc ky y usng (4): - y + ID = g modn (4) Th slf-crfcaon procdur of publc ky s: If usr U wans o vrfy hs dny, hs sps basd on Bh s [17] or Schnorr s [18] auhncaon proocol nd o b cud: 1 Usr Usnds { ID, v } o h vrfr, who would hn calcula usng (5): ( ) v = y +ID modn (5) U chooss a random numbr r 1, and calculas usng (6) and snd o h vrfr 1 r = g modn (6) Z Vrfr would choos a random numbr k n ( ZN ), and snd o U 2 U calculas s usng (7), and snd o h vrfr 3 vrfr vrfs h (8): s = r+ k (7) k g v = modn (8) Thn, f (8) s nabl, vrfr would consdr h dny of U vald, ohrws nvald Basd on h analyss abov, no ra crfcaons ar ndd whn vrfy h dny of U bcaus h publc ky y s slf-crfd Undr FAC and DL, howvr, cp for U, canno b drvd from y or any ohr publc nformaon In h vn ha SA forgs a U, sayng h chooss a prva ky, calculas h corrspondng publc ky y usng (3) and manags o pass h vrfyng quaon of (4), h fac ha on usr U has wo vald publc ky would howvr crfca h dshonsy of SA S scr ky and modulus lngh rang, and na p bs,q bs, bs,d bs,n bs N N Produc random numbr Produc prm numbr p, 3*2(pbs-2)<=p<=2^pbs-1 gcp(p-1,)=1 Produc prm numbr p, 3*2(pbs-2)<=p<=2^pbs-1 gcp(p-1,)=1 Calcula N=p*q, qnv=q^{-1}modp, d=^{-1}mod(p-1)*(q-1),dp= d mod(p-1),dp=d mod (q-1) ma ponn numbr g Mak publc g,n, and HRFA Sysm nas Usr ID accsss sysm and chooss scr ky u calculas V=g^(-)mod N SA calcula U s scr ky Y=(V-ID) d mod N U vrfs:y^+id=g^(-)mod N, and vrfy valdy of y Ina M,u choos ngral numbr w Calcula =g^w mod N Calcula h(m,) usng HRFA Calcula s=w+*h(m,r) Vrfr chcks G * *(Y^+ID)^h(M,r)=r mod N Fgur 4 Th flow-sh dagram of H-S DSA nd Usr rgsraon Sgnng Vrfcaon

6 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH B H-S DSA Slf-crfd publc ky can ffcvly ovrcom acv aacks and fak aacks, so on hs bass, h dgal sgnaur algorhm smlar o ELGamal (H-S DSA) s prsnd H-S DSA consss of four sps: sysm naon, usr rgsraon, sgnaur craon and sgnaur vrfcaon Th frs wo sps ar h sam as ha of Graul s SCPKS Wha s dffrn s ha SA nds o mak publc a on-way hash round funcon h durng sysm naon wh h oupu lngh shorr han ha of N, ha s for any m, w hav h(m) N Th man purpos of h s o condns h comng sgnaur mssag no mssag absrac so as o avod plan aack Th sgnaur craon and crfcaon sps ar dscrbd as: 1 Sgnaur craon M s a mssag ha nds o b sgnd Th sgnr U chooss a random numbr w, and calculas h sgnaur (r,s ) of M, whr w hav: w r = g modn (9) s = w + h( M,r ) (10) Afrwards, U snds M and h sgnaur (r,s ) o h vrfr 2 Sgnaur vrfcaon Afr rcvng M and (r,s ), vrfr wll vrfy (11): g (y + ID ) = rmodn (11) s h(m,r ) If (11) s nabl, h vrfr accps h sgnaur valdy of M, ohrws wll dny Ths mpls ha, publc ky y from scr ky lss of SA nds also o b vrfd by sgnaur crfcaon quaon W ar now provng ha boh h sgnaur of M and publc ky of U can b vrfd, provdd ha hy pass (11) Thorm 2 f (11) s nabl, publc ky of U wll b vrfd a h m h sgnaur M s vrfd To prov: ak on boh sd ponn wh a bas g, and w hav: s w h(m,r ) g g g modn = (12) Accordng o (2), (4) and (9), ransform (11) no (13): -h ( ) ( M,r ) s g r y ID modn = + (13) Ths quaon n fac conans a hddn (11), whch mans (r,s ) would b vrfd a h m publc ky y b vrfd In addon, from (9), (12) and (13), w hav: ( ) ( ) h ( ) ( M,n h M,n - ) y + ID = g modn (14) W can drv (4) from (14), whch confrms ha y s h sgnaur of and ID In ohr words, onc (r,s ) b vrfd, y would b vrfd smulanously In hs schm, h vrfcaon of sgnaur and publc ky compl a h sam m, so no ra m would b spn on vrfyng h publc ky In addon, snc h slf-crfd publc ky nds no o sor ra crfcaon, h sorag and calculaon boh dcras a lo H-S DSA procdur s shown n Fg 4 IV H-S DSA analyss To nsur ha an algorhm ms or cds h dsgnd pcaons, s ssnal o analyz h prformanc of hs algorhm o dc ponal problms, hs procss s calld as Algorhm Prformanc Analyss Spcfc o h H-S DSA, s prformanc analyss ncludng scury analyss and m comply analyss, s o chck whhr h algorhm can work ffcvly A Scury analyss H-S DSA argorhm has usd a on-way hash funcon, and s safy manly ls n h hash round funcon usd n ach round In addon o h on-way hash funcon, h safy of H-S DSA also dpnds on h followng wo wll-known password assumpons: Facs Facorzaon Hypohss (FAH) and Dscr Logarhm Problm (DLP) [19] 1 Facs Facorzaon Hypohss If N s h produc of wo larg prm numbrs, and wo ngrs and d sasfy: d=1(mod ϕ (N)), hn, h hr ms as followng wll no b fasbl n h calculaon (1) Fnd h facors of N; (2) Gv ngrs M and C o fnd d whch d maks C = M(mod N); (3) Gv ngr C o fnd M whch maks M =C(mod N) 2 Dscr Logarhm Problm Gv a larg prm numbr p, and g s h prmv lmn ovr GF(p) Ingr y (1,p-1) s no fasbl n h calculaon of fndng ou o mak y = g mod p N, on h bass of Facs Facorzaon Hypohss and Dscr Logarhm Problm, w analyz h hr possbl aacks o H-S DSA Ths aacks nclud posng a scr paramr, forgng of dgal sgnaur of a gvn nformaon Aack 1: Advrsary dscloss h usr s scr ky va U s publc ky y Scury analyss: advrsary could g from ( ) d ( ) v = y + ID m od N y = v ID mod N, whch mpls ha h may calcula drcly by: = - v g modn

7 326 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH y ID g modn + = or Howvr, n such suaon, FAC and DL assumpon ar nvabl for hm o fac Aack 2: Advrsary dscloss usr s scr ky from U s sgnaur o M, (r,s ) Scury analyss: suppos ha advrsary obans w n advanc, h could hn calcula from (10) vn f only r s known o hm In ohr words, advrsary can calcula w va (9), h sam as ha n aack 1, whch mans sll ha FAC and DL assumpon would b sll nvabl Morovr, (3) could b anohr approach o and w Howvr, h amoun of unknown varabls and w s always largr han ha of quaons n sysm Ths maks h amp mpossbl Aack 3: Wh unknown, advrsary forgs h sgnaur (r,s ) o h randomly chosn mssag M undr h nam U Scury analyss: hr ss wo ways for advrsary o forg vald sgnaur o mssag M, boh of whch nd (4): 1 Fs r frs, hn calculas s ; 2 Fs s frs, hn calculas r from quaon (4) In h frs mhod, advrsary wll hav o fac o brakdown hypohc FAC and h dscr logarhm problm DLP assumpon And wll b mor compl o us mhod (2) bcaus wh r bng undr h procon of on-way hash funcon, an ra obsacl would com o hm From h analyss abov, w can com o h concluson ha undr h on-way hash funcon, FAC and DLP assumpon, H-S DSA can ndur hos aacks and dmonsras a rlavly hgh scury From h abov analyss and dscusson, can b consdrd ha undr h assumpon of on-way hash funcon facorzaon Hypohss(FAH) and Dscr Logarhm Problm(DLP), H-S DSA has br scury srngh I can rss a vary of password aacks ffcvly ncludng lnar analyss and dffrnal aacks, wh br scury B Tm-comply analyss Bcaus of aacks o ELGamal s sgnaur schm, ELGamal has o us hash funcon Sgnaur schm Yn and Lab had mad many ffors o fnd ELGamal s sgnaur schm whou usng hash funcon, bu hy fald fnally [20] Us hash funcon o mak a hash round funcon ransformaon, ffcvly ncrasd h algorhm s scury Th m-comply of H-S DSA sgnaur schm dpnds on on-way funcon hash round funcon Dscr Logarhm Problm and Slf-crfd publc ky sysm Th symbols blow ar usd n prformanc analyss of H-S DSA: h T h T m Lngh of mssag Oupu lngh of hash round funcon h Tm n calculang on-way funcon Mulplcaon m wh no modulus N T mm Mulplcaon m wh modulus N T m Eponn m wh modulus N In cas of hausv sarchng aack, accordng o (3) ha f chosn numbr w and h b rsrcd o 220b and 128b rspcvly, h valu of s would b rsrcd o ϕ, so h lngh of any sgnaur would b (N) r + s, bng rsrcd no 2 N b W us quaon (2) and quaon (3) o calcula h m-comply of crang a dgal sgnaur I coss (Tm+ Tmm+ T m) o cra, whr (3 Tm + Tm + T mm ) s ndd o vrfy h sgnaur ELGamal sgnaur schm s basd on h dffculy of solvng dscr logarhm, w can s from rfrnc [21], f s assumd ha b s h bs of prm modulus p, hn h compuaonal comply of calculang from y, or calculang k from r, or calculang from u s O(p cblnb, whch c (0,1)) Algorhm wh compuaonal comply of O(p cblnb) s calld as sub-nd m algorhm Thrfor, as long as h scal of b s pandd appropraly (For ampl, b achvs 1024 bs), wll bcom vry dffcul for forgrs o dcphr mplc sgnaur schm or ELGamal sgnaur schm smply by solvng dscr logarhm Th comply of mod nd problm s O(n), so sgnrs can asly calcula y, u and r Du o h consrucon faurs of sgnaur, h sgnng spd of H-S DSA s a b slowr compard wh hos of ELGamal sgnng schms, whch s h prncpal waknss of H-S DSA Howvr, snc h calculaon of u has nohng o do wh mssag M, u calculaon can b don o offs h waknss n spd By h way, boh sgnng and vrfyng spd n rcnly proposd rnforcd ELGamal schms ar slowr han ha of h orgnal schms [22] Wh scury nhancd, sgnng and vrfyng spd ar nvabl o b affcd mor or lss Th m-comply of H-S DSA can b rgardd as rlavly smpl V Concluson In hs papr, w analyz and summarz som dgal sgnaur algorhms whch ar rlavly maur and frqunly usd On hs bass, hash round funcon and slf-crfd publc ky sysm ar bng sudd, upon whch a nw dgal sgnaur algorhm smlar o ELGamal(H-S DSA) s dsgnd and ralzd And hs sgnaur algorhm s basd on ransformaon of hash round funcon and slf-crfd publc ky sysm A prformanc valuaon for H-S DSA has bn mad n hs arcl From h scury analyss for h algorhm, w can hnk ha h nw dsgnd algorhm

8 JOURNAL OF SOFTWARE, VOL 5, NO 3, MARCH has suffcn scury srngh, can ffcvly rss all knds of password aacks, ncludng lnar analyss and dffrnal aacks From h m-comply analyss for h algorhm, w can hnk ha h nw dsgnd algorhm has lowr m-comply Th scury of H-S DSA s mprovd compard wh ha of dgal sgnaur algorhm of ELGamal, and h m-comply of H-S DSA s no mor han ha of dgal sgnaur algorhm of ELGamal, so, can b consdrd ha H-S DSA s fasbl Wh h mor nsv applcaon of dgal sgnaurs, nw ssus wll mrg from a vary of dgal sgnaur algorhms, bu popl wll ry hard corrspondngly o mak nw soluons REFERENCES [1] Q Wang, ZF Cao, Formal modl of proy mul-sgnaur and a consrucon, Chns Journal of Compurs vol 29, no 9, pp , 2006 [2] M Mchls, P Horsr, On h rsk of dsrupon n svral mulpary sgnaur schms, Advancs n Crypology-Aslacryp'02 Prngr-Vrlag NwYork, pp , 2002 [3] M Q, G Z Xao, Enhancng h Scury of Gnrlzd ElGamal Typ Sgnaur Schms, Aca Elcronca Snca, vol24, no11, Novmbr 2003 [4] NIST, A proposd fdral nformaon procssng sandard for dgal sgnaur sandard, Fdral Rgsr Vol 56, no 169, pp , 1999 [5] P Smh, LUC publc-ky ncrypon, DrDobb's Journal pp 44-49, 2003 [6] P Smh and L Sknnr, A publc-ky cryposysm and a dgal sgnaur sysm basd on h Lucas funcon analogu o dscr Logarhms, Procdngs of Asacryp'94 Sprngr, pp , 2004 [7] M Graul, Slf-crfd publc kys, Advancs n Crypology-Eurocryp 91,Sprngr-VragBrln,pp , 1991 [8] K Nybrg and RA Ruppl, Nw dgal sgnaur schm basd on dscr logarhm (commn), Elcronc Lrs vol 30, no 5, pp481, 2004 [9] J H and T Kslr, Enhancng h scury of EIGamal's sgnaur schm, IEEE proc Compu DgTch vol 141, no 4, pp , 2004 [10] W F J, X X Wu, S Z Jn, D H Yuan, Nw On-Ln Scr Sharng Schm Usng Hash Funcon, Aca Elcronca Snca vol 31, no 1, pp 45-47, 2003 [11] X M Zhang, J Sbrry, Y Pprzyk, HAVAL-A On-Way Hashng Algorhm wh Varabl Lngh of Oupu, vol 3, no 13, Novmbr 1993, n prss [12] JF Dllon, "A Survy of Bn Funcons", NSA Mahmacal Mng, 2002 [13] J Sbrry, X M Zhang and Y Zhng, "Improvng h Src Avalanch crron Characrscs of Crypographc Funcons ", Informaon Procssng Lrs vol50, 1996 [14] J Sbrry, X M Zhang and Y Zhng, "Nonlnary and Propagaon Characrscs of Balancd Boolan Funcons", Informaon and Compuaon, vol119, no1, 2003 [15] W Al, B Z Chor, O Goldrch, and C P Schorr, "RSA and rabn funcons: cran pars ar as hard as h whol", SIAM Journal on Compung, vol17, no2, pp , Apr1998 [16] M Graul, Sf-crfd publc kys, Advancs n Crypology-Eurocryp'91, Sprngr-Vrlag Brln, pp , 2001 [17] T Bh, A Fa-Shamr-lk auhncaon proocol for h ELGamal schm, Advancs n Crypology-Eurocryp '88, Sprngr-Vrag Brln, pp [18] C P Schnorr, Efcnd nfcaon and sgnaurs for smar cards, Advancs n Crypology-Crypo'89, Sprngr- Vrlag Brln, pp , 1989 [19] X F Yuan, R Y Sun, J Q Sun, Y H Yang, Sgnaur schm wh mssag rcovry basd on dscr logarhm s and facorng, Compur Applcaons vol 27, no 10,pp , 2007 [20] S M Yn, and C S Lah, Nw dgal sgnaur schm basd on dscr logarhm, Elcronc Lrs vol 29, no 12, 1993 [21] S Pohlg and M Hllman, An mprovd algorhm for compung logarhms ovr GF(p) and s crypographc sgnfcanc, IEEE Transacon on Informaon Thory IT-24(1998) [22] L Harn, and Y Xu, Dsgn of gnralzd EIGamal yp dga sgnaur schm basd on dscr logarhm, Elcronc Lrs vol 31, no 6, 2005 Hapng A Chn, mal, was born n Cao Couny, Shandong, Jun, 1978 H rcvd bachlor dgr n 2003 and masr dgr n 2006 boh from Jln Unvrsy Now h s a lcurr and a PhD candda n h collg of compur scnc and chnology, Jln Unvrsy Hs rsarch nrss ar compur nwork scury, dgal mag procssng and parn rcognon Xuanjng B Shn, mal, was born n Hlong Couny, Jln Provnc, Dcmbr, 1958 H rcvd bachlor dgr n 1982, masr dgr n 1984, and PhD dgr n 1990 all from Harbn Insu of Tchnology rspcvly H s a profssor and PhD suprvsor currnly n h collg of compur scnc and chnology, Jln Unvrsy Hs rsarch nrss ar mulmda chnology, compur mag procssng, nllgn masurmn sysm, opcal- lcronc hybrd sysm, and c Yngda C Lv, fmal, was born n Wnan Couny, Hb Provnc, January, 1983 Sh rcvd bachlor dgr n 2007 from Jln Unvrsy Now sh s a Masr candda n h collg of compur scnc and chnology, Jln Unvrsy Hr rsarch nrss ar dgal mag procssng and parn rcognon