19 citations found.
National Institute of Standards and Technology (NIST). FIPS Publication 186-2: Digital Signature Standard (DSS). 2000.


This paper is cited in the following contexts:
RSA Worldwide > > > ECC RSA Security Home RSA.. - Elliptic Curve..   (Correct)

....cryptosystems are analogs of existing schemes. It is possible to define elliptic curve analogs of the RSA cryptosystem [Dem94, KMOV92] and it is possible to define analogs of public key cryptosystems that are based on the discrete logarithm problem (such as ElGamal encryption [ElG85] and the DSA [NIST94] for instance) The case of analogs to the discrete logarithm problem can be divided into two classes. In the first class the finite field is said to have (typically a large prime number) and in the second class the field is said to have . While at first sight this might be viewed as a somewhat ....

National Institute of Standards and Technology (NIST). May 19, 1994. FIPS Publication 186: Digital Signature Standard,


The Two Faces of Lattices in Cryptology - Nguyen, Stern (2001)   (7 citations)  (Correct)

....variants of the hidden number problem in settings other than prime fields have been studied in [130, 129, 23]. 4.4 Lattice attacks on DSA. Interestingly, the previous solution of the hidden number problem also has a dark side: it leads to a simple attack against the Digital Signature Algorithm [106, 95] (DSA) in special settings (see [73, 110]). Recall that the DSA uses a public element $g \in \mathbb{Z}_p$ of order $q$, a 160-bit prime dividing $p - 1$, where $p$ is a large prime (at least 512 bits). The signer has a secret key $\alpha \in \mathbb{Z}_q$ and a public key $\beta = g^\alpha \bmod p$. The DSA signature of a message $m$ is ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


Distribution Of Modular Sums And The Security Of The Server .. - Nguyen, Shparlinski (2000)   (Correct)

....some cryptographic motivations and applications of our results, in particular in the signature scheme with precomputation [2]. In many discrete logarithm based protocols, one needs to generate pairs of the form $(x, g^x \pmod p)$ where $x$ is random and $g$ is a fixed base. The El Gamal [5] and DSA [13] (Digital Signature Algorithm) signatures as well as the Schnorr [18, 19] and Brickell McCurley [4] identification and signature schemes are examples of such protocols. The generation of these pairs is often the most expensive operation, which makes it tempting to reduce the number of modular ....

....This can be compared with the cost of direct computation of $g^x$ which is about $1.5 \log M$ modular multiplications on average and about $1.5 \log M$ modular multiplications in the worst case. Thus the ratio $k / \log M$ is a natural measure of speed up of the BPV generator. Recall that for the DSA [13] and Schnorr [18, 19] schemes $M$ has 160 bits, while for the El Gamal [5] and Brickell McCurley [4] schemes $M$ has at least 512 bits. Each generation requires $k$ modular multiplications. For $M = p - 1$ where $p$ is a 512-bit prime the authors of [2] suggest to take $n = 512$ and $k = 64$. We now ....

[Article contains additional citation context not shown here]

National Institute of Standards and Technology (NIST), FIPS Publication 186: Digital Signature Standard, May 1994.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  (Correct)

....log q. One can alternately run log q copies of the algorithm in parallel. Theorem 2 is a simple consequence. 5.3 Lattice attacks on DSA. Interestingly, the previous solution of the hidden number problem also has a dark side: it leads to a simple attack against the Digital Signature Algorithm [88, 79] (DSA) in special settings (see [59, 98]). Recall that the DSA uses a public element $g \in \mathbb{Z}_p$ of order $q$, a 160-bit prime dividing $p - 1$, where $p$ is a large prime (at least 512 bits). The signer has a secret key $\alpha \in \mathbb{Z}_q$ and a public key $\beta = g^\alpha \bmod p$. The DSA signature of a message $m$ is ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


The Insecurity of the Elliptic Curve Digital Signature.. - Nguyen, Shparlinski (2000)   (2 citations)  (Correct)

....ECDSA, lattices, LLL, closest vector problem, distribution, discrepancy, exponential sums, elliptic curves. 1. Introduction 1.1. The Digital Signature Algorithm (DSA). Recall the Digital Signature Algorithm (see [19, 29]), or DSA, used in the American federal digital signature standard [21]. Let $p$ and $q \ge 3$ be prime numbers with $q \mid p - 1$. As usual $\mathbb{F}_p$ and $\mathbb{F}_q$ denote fields of $p$ and $q$ elements which we assume to be represented by the elements $\{0, \ldots, p - 1\}$ and $\{0, \ldots, q - 1\}$ respectively. For integers $s$ and $m \ge 1$ we denote by $\lfloor s \rfloor_m$ the remainder of $s$ on ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


Extensions and Revisions to PKCS 7 - Jr, Kingdon (1997)   (Correct)

....issue is the DigestInfo construction during signature generation, which appends an algorithm identifier to a message digest prior to a signature operation with a private key. It presents a difficulty for signature schemes that do not have a comparable step, such as the Digital Signature Standard [7]. Version 2.0 is intended to be more naturally algorithm-independent. More flexible key identification. PKCS #7 version 1.5 follows the key management model of Privacy Enhanced Mail, where a public key is identified by the issuer and serial number of a public key certificate. There are certainly ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard (DSS). May 1994.


Distribution of Modular Sums and the Security of the.. - Nguyen, Shparlinski.. (2000)   (Correct)

....some cryptographic motivations and applications of our results, in particular in the signature scheme with precomputation [2]. In many discrete logarithm based protocols, one needs to generate pairs of the form $(x, g^x \pmod p)$ where $x$ is random and $g$ is a fixed base. The El Gamal [5] and DSA [14] (Digital Signature Algorithm) signatures as well as the Schnorr [19, 20] and Brickell McCurley [4] identification and signature schemes are examples of such protocols. The generation of these pairs is often the most expensive operation, which makes it tempting to reduce the number of modular ....

....This can be compared with the cost of direct computation of $g^x$ which is about $1.5 \log M$ modular multiplications on average and about $2 \log M$ modular multiplications in the worst case. Thus the ratio $k / \log M$ is a natural measure of speed up of the BPV generator. Recall that for the DSA [14] and Schnorr [19, 20] schemes $M$ has 160 bits, while for the El Gamal [5] and Brickell McCurley [4] schemes $M$ has at least 512 bits. Each generation requires $k$ modular multiplications. For $M = p - 1$ where $p$ is a 512-bit prime the authors of [2] ....

[Article contains additional citation context not shown here]

National Institute of Standards and Technology (NIST), FIPS Publication 186: Digital Signature Standard, May 1994.


The Insecurity of the Digital Signature Algorithm with.. - Nguyen, Shparlinski (2000)   (15 citations)  (Correct)

....discrepancy, exponential sums. Submission to a journal in progress. 1. Introduction 1.1. The Digital Signature Algorithm (DSA). Recall the Digital Signature Algorithm (see [16, 28]), or DSA, used in the American federal digital signature standard [18]. Let $p$ and $q \ge 3$ be prime numbers with $q \mid p - 1$. As usual $\mathbb{F}_p$ and $\mathbb{F}_q$ denote fields of $p$ and $q$ elements which we assume to be represented by the elements $\{0, \ldots, p - 1\}$ and $\{0, \ldots, q - 1\}$ respectively. For integers $s$ and $m \ge 1$ we denote by $\lfloor s \rfloor_m$ the remainder of $s$ on ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


The Insecurity of the Digital Signature Algorithm with.. - Nguyen, Shparlinski (2000)   (15 citations)  (Correct)

....discrepancy, exponential sums. Submission to the Journal of Cryptology. 1. Introduction 1.1. The Digital Signature Algorithm (DSA). Recall the Digital Signature Algorithm (see [16, 28]), or DSA, used in the American federal digital signature standard [18]. Let $p$ and $q \ge 3$ be prime numbers with $q \mid p - 1$. As usual $\mathbb{F}_p$ and $\mathbb{F}_q$ denote fields of $p$ and $q$ elements which we assume to be represented by the elements $\{0, \ldots, p - 1\}$ and $\{0, \ldots, q - 1\}$ respectively. For integers $s$ and $m \ge 1$ we denote by $\lfloor s \rfloor_m$ the remainder of $s$ on ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


Lattice Reduction in Cryptology: An Update - Nguyen, Stern (2000)   (12 citations)  (Correct)

....log q. One can alternately run p log q copies of the algorithm in parallel. Theorem 2 is a simple consequence. 5.3 Lattice attacks on DSA. Interestingly, the previous solution of the hidden number problem also has a dark side: it leads to a simple attack against the Digital Signature Algorithm [88, 79] (DSA) in special settings (see [59, 98]). Recall that the DSA uses a public element $g \in \mathbb{Z}_p$ of order $q$, a 160-bit prime dividing $p - 1$, where $p$ is a large prime (at least 512 bits). The signer has a secret key $\alpha \in \mathbb{Z}_q$ and a public key $\beta = g^\alpha \bmod p$. The DSA signature of a message $m$ ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


SET Secure Electronic Transaction Specification - Book Programmer's Guide   (Correct)

.... proved cryptographically strong without assumptions, cryptographically strong pseudorandom number generators have been shown to exist under assumptions such as the difficulty of factoring [BBS86]. Constructions based on hash functions have also been given, which have a heuristic basis for security [NIS94c]; some require a secret key as input in addition to the seed. Note that standard library functions, such as C's rand(), are not cryptographically strong. A sufficiently unpredictable seed can generally be obtained by appropriate sampling of system events which are individually unpredictable; see ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard (DSS). May 1994. Available from http://csrc.ncsl.nist.gov/fips/.


RSA for paranoids - Shamir (1995)   (15 citations)  (Correct)

....to demonstrate vulnerabilities in an early proposal for a simple padding scheme. Also note that while the algebraic properties we exploit appear to have a negative impact on the use of RSA, we should point out that this attack can be used constructively to provide what is called blinding [4] in anonymous payment systems. Desmedt and Odlyzko's Attack and a Variant. The attack of Desmedt and Odlyzko on encryption applies equally to signatures. Perhaps it is more practical when applied to signature forgery rather than ciphertext decryption, since it might be easier to demand and ....

....In J. Pieprzyk and R. Safavi-Naini, editors, Advances in Cryptology - Asiacrypt '94, pages 263-277, Springer-Verlag, 1995. [3] M. Bellare and P. Rogaway. Optimal asymmetric encryption. In A. de Santis, editor, Advances in Cryptology - Eurocrypt '94, pages 92-111, Springer-Verlag, 1995. [4] D. Chaum. Security without identification: transaction systems to make big brother obsolete. Comm. ACM 28:10, October, 1985. [5] D. Coppersmith. Analysis of ISO CCITT Document X.509 Annex D. Internal Memo, IBM T.J. Watson Center, June 11, 1989. [6] W. de Jonge and D. Chaum. Attacks on some RSA ....

[Article contains additional citation context not shown here]

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 19, 1994.


The Hardness of the Hidden Subset Sum Problem and its.. - Nguyen, Stern (1999)   (13 citations)  (Correct)

....The two conditions complement each other quite well, and therefore form a convincing picture of the security level. 1 Introduction. In many discrete log based protocols, one needs to generate pairs of the form $(x, g^x \bmod p)$ where $x$ is random and $g$ is a fixed base. ElGamal [9] and DSS [13] signatures, Schnorr's [18, 19] and Brickell McCurley's [4] schemes for identification and signature are examples of such protocols. The generation of these pairs is often the most expensive operation, which makes it tempting to reduce the number of modular multiplications required per generation, ....

....$g^b \bmod p$. The other generators are just variants of the previous generator, using random walks. We will not discuss those, since the security of the generators relies on the same problem. 2.1 Parameters. The scheme needs to store $n$ elements of $\mathbb{Z}_M$, and $n$ elements of $\mathbb{Z}_p$. Recall that for DSS [13] and Schnorr [18, 19] $M$ has 160 bits, while for ElGamal [9] and Brickell McCurley [4] $M$ has at least 512 bits. Each generation requires modular multiplications. When n=2, we say that the underlying hidden subset sum problem is sparse. The parameters n and must be sufficiently large to ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 1994.


Generating ElGamal signatures without knowing the secret key - Bleichenbacher (1996)   (22 citations)  (Correct)

....1. This condition should always be checked by the verifier. Moreover, an authorized signer will almost always generate a valid signature since it is very unlikely that he randomly generates an $r$ that is divisible by $q$. Such a condition has been included in the digital signature standard (DSS) [12]. Hence the DSS is not susceptible to the attacks presented in this paper. Alternatively trapdoors may be avoided if the authority that is choosing the public parameters $p$ and $\alpha$ is forced to use an algorithm like the one proposed by NIST for the generation of $p$ in DSS. The values produced by ....

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 19, 1994.


"Pseudo-Random" Number Generation within.. - Bellare, Goldwasser, .. (1997)   (Correct)

....1 Introduction. Randomness is a key ingredient for cryptography. Random bits are necessary not only for generating cryptographic keys, but are also often an integral part of steps of cryptographic algorithms. Examples are the DSS signature algorithm [16] which requires the choice of a new random number every time a new signature is generated, and CBC encryption, which requires the generation of a new random IV each time a new message is encrypted. In fact, any secure, stateless encryption scheme must be probabilistic, requiring new randomness ....

....of one such random number compromises the secret key) whereas for other cases they can be made public (as in CBC encryption, where the IV may be sent in the clear) In practice, the random bits will be generated by a pseudo random number generation process. For example, the DSS description [16] explicitly allows either using random or pseudo random numbers. When this is done, the security of the scheme of course depends in a crucial way on the quality of the random bits produced by the generator. Thus, an evaluation of the overall security of a cryptographic algorithm should consider ....

[Article contains additional citation context not shown here]

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 19, 1994.


Efficiency and Security of Cryptosystems based on Number Theory - Bleichenbacher (1996)   (4 citations)  Self-citation (Technology)   (Correct)

No context found.

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard, May 19, 1994.


Tamper-Evident Digital Signatures: - Protecting Certification Authorities   (Correct)

No context found.

National Institute of Standards and Technology (NIST). FIPS Publication 186-2: Digital Signature Standard (DSS). 2000.


Tamper-Evident Digital Signatures: Protecting.. - Choi, Golle, Jakobsson (2005)   (Correct)

No context found.

National Institute of Standards and Technology (NIST). FIPS Publication 186-2: Digital Signature Standard (DSS), 2000.


Internet Engineering Task Force Curtis Villamizar.. - Isi David Meyer   (Correct)

No context found.

National Institute of Standards and Technology (NIST). FIPS Publication 186: Digital Signature Standard (DSS). Technical report, Gaithersburg, MD, May 1994.
