|
|
| (One intermediate revision by one other user not shown) |
| Line 1: |
Line 1: |
| In [[cryptography]] the '''Rabin Signature Scheme''' is a method of [[Digital signature]] originally proposed by [[Michael O. Rabin]] in 1979. The Rabin Signature Scheme was one of the first digital signature schemes proposed, and it was the first to relate the hardness of forgery directly to the problem of integer factorization. Because of its simplicity and prominent role in early public key cryptography, the Rabin Signature Scheme is covered in most introductory courses on cryptography. The Rabin Signature Scheme is [[Existential forgery|existentially unforgeable]] in the [[random oracle]] model assuming the [[integer factorization]] problem is intractable. The Rabin Signature Scheme is also closely related to the [[Rabin cryptosystem]].
| | The writer is known by the name of Figures Lint. To perform baseball is the hobby he will never stop performing. I am a meter reader. North Dakota is her beginning place but she will have to move 1 working day or another.<br><br>Feel free to visit my homepage; [http://www.sex-porn-tube.ch/blog/36870 www.sex-porn-tube.ch] |
| | |
| ==Original Algorithm==
| |
| The algorithm relies on a collision-resistant hash function <math>H : \{0,1\}^* \rightarrow \{0,1\}^k</math>
| |
| | |
| *'''Key Generation'''
| |
| **The signer ''S'' chooses primes ''p'',''q'' each of size approximately ''k/2'' bits, and computes the product <math>n = pq</math>
| |
| **''S'' then chooses a random ''b'' in <math>\{1,\ldots,n\}</math>.
| |
| **The public key is ''(n,b)''
| |
| **The private key is ''(p,q)''
| |
| | |
| *'''Signing'''
| |
| **To sign a message ''m'' the signer ''S'' picks random padding ''U'' and calculates ''H(mU)''
| |
| **''S'' then solves <math>x(x+b) = H(mU) \mod n</math>
| |
| **If there is no solution ''S'' picks a new pad ''U'' and tries again. If ''H'' is truly random the expected number of tries is 4.
| |
| **The signature on ''m'' is the pair ''(U,x)''
| |
| | |
| *'''Verification'''
| |
| **Given a message ''m'' and a signature ''(U,x)'' the verifier ''V'' calculates ''x(x+b)'' and ''H(mU)'' and verifies that they are equal
| |
| | |
| ==Modern Terminology==
| |
| In modern presentations, the algorithm is often simplified as follows
| |
| | |
| The hash function ''H'' is assumed to be a [[random oracle]] and the algorithm works as follows
| |
| | |
| *'''Key Generation'''
| |
| **The signer ''S'' chooses primes ''p'',''q'' each of size approximately ''k/2'' bits, and computes the product <math>n = pq</math>
| |
| **The public key is ''n''
| |
| **The private key is ''(p,q)''
| |
| | |
| *'''Signing'''
| |
| **To sign a message ''m'' the signer ''S'' picks random padding ''U'' and calculates ''H(mU)''
| |
| **If ''H(mU)'' is not a square modulo ''n'', ''S'' picks a new pad ''U''
| |
| **''S'' solves the equation <math>x^2 = H(mU) \mod n</math>
| |
| **The signature on ''m'' is the pair ''(U,x)''
| |
| | |
| *'''Verification'''
| |
| **Given a message ''m'' and a signature ''(U,x)'' the verifier ''V'' calculates ''x''<sup>2</sup> and ''H(mU)'' and verifies that they are equal
| |
| | |
| In some treatments, the random pad ''U'' is eliminated and instead we add two numbers ''a'' and ''b'' to the public key with <math>(\tfrac{a}{p}) = -(\tfrac{a}{q}) = 1</math> and <math>(\tfrac{b}{q}) = -(\tfrac{b}{p}) = 1</math> where <math>(\cdot)</math> denotes the [[legendre symbol]]. Then for any ''r'' modulo ''n'' exactly one of the four numbers <math>r,ar,br,abr</math> will be a square, and the signer chooses that one for his signature.
| |
| | |
| ==Security==
| |
| If ''H'' is a random oracle, i.e. its output is truly random in <math>\mathbb{Z}/n\mathbb{Z}</math> then, forging a signature on any message ''m'' is as hard as
| |
| calculating the square root of a random element in <math>\mathbb{Z}/n\mathbb{Z}</math>. To see that taking a random square root is as hard as factoring, we first note that any square modulo ''n'' has four square roots since ''n'' has two square roots modulo ''p'' and two square roots modulo ''q'', and each pair gives a unique square root modulo ''n'' by the [[chinese remainder theorem]]. Now, if we have two different square roots, ''x'',''y'' such that <math>x^2 = y^2 \mod n</math> but <math>x \ne \pm y \mod n</math>, then this immediately leads to a factorization of ''n'' since ''n'' divides <math>x^2 - y^2 = (x-y)(x+y)</math> but it does not divide either factor. Thus taking <math>gcd(x\pm y,n)</math> will lead to a nontrivial factorization of ''n''. Now, there exists an algorithm to take square roots, we pick a random ''r'' modulo ''n'' and square it <math>r^2 = R \mod n</math>, then, using the algorithm to take the square root of ''R'' modulo ''n'', we will get a new square root <math>r^\prime</math>, and with probability half <math>r \ne \pm r^\prime \mod n</math>.
| |
| | |
| ==References==
| |
| *[http://publications.csail.mit.edu/lcs/pubs/pdf/MIT-LCS-TR-212.pdf Original Paper]
| |
| | |
| [[Category:Digital signature schemes]]
| |
The writer is known by the name of Figures Lint. To perform baseball is the hobby he will never stop performing. I am a meter reader. North Dakota is her beginning place but she will have to move 1 working day or another.
Feel free to visit my homepage; www.sex-porn-tube.ch