
11.1 . . . . . 1
11.2 . . . . . 2
11.3 RSA . . . . . 10
11.4 Fiat-Shamir . . . . . 27
11.5 DSA . . . . . 32
11.6 . . . . . 46
11.7 . . . . . 57
11.8 . . . . . 61
11.9 . . . . . 69

11.1

.
, , .

( ,
),
, (
).
, ,
. .
(TTP) , ,
.

.
RSA,
.
A. Menezes, P. Van Oorschot, S. Vanstone.

1
: ..

. .
, .


11.2

. . 11.3
RSA, . RSA
. 11.4
10. ,
(DSA Digital Signature Algorithm), 11.5.
,
, 11.6. 11.7 ESIGN.
, , - (fail-stop)
11.8. , (.. , ,
) 11.9.

11.2
1.6 1.8.3 .
.

RSA (11.3) ElGamal (11.5)
. .
11.1.

11.2.1
1.
( ) .
2. ( ) .



3. ( )
(. ).
4. ( ) .
5. ( ) () , .
6. ( )
, .1
, , .
.
, ISO/IEC 9796 PKCS #1,
11.3.5 11.3.6, . 11.1 . 11.1 .

Table 11.1: Notation for digital signature mechanisms.

  M       set of elements to which a signer can affix a digital signature (the message space)
  M_S     set of elements to which the signature transformations are applied (the signing space)
  S       set of elements associated with messages (the signature space)
  R       a 1-1 mapping from M to M_S (the redundancy function)
  M_R     the image of R (i.e., M_R = Im(R))
  R^{-1}  the inverse of R (i.e., R^{-1}: M_R -> M)
  h       a one-way hash function with domain M
  M_h     the image of h (i.e., h: M -> M_h); M_h is a subset of M_S

11.1 ( 11.1)
(i) () M .
(ii) ( ) MS
( 11.2.2
11.2.3). M.

.


(iii) ( ) S M. .
(iv) ( ) R .


11.2.2 11.2.3 :
1.

2. . .
|R|
= 1, 11.2.
11.2

( ),
|R| > 1 ,
.
11.1 .

(11.6) .

11.1: .

11.2.2
, ,
.
(11.2.4).
11.3




DSA (11.5.1), ElGamal (11.5.2) Schnorr (11.5.3). 11.1.
11.4


:

.
1.
S = {SA,k : k R}. SA,k 11 Mh
S .
2. S VA Mh S {, }

VA m , s

, S A,k ( m ) = s
=
,

m Mh , s S , m = h ( m ) m M. VA -

.
3. VA S.
11.5 (
)

: s S m M,
.
1. . :
(i) k R.
(ii) m = h ( m ) s = S A,k ( m ) .
(iii) m s*. m s*
.
2. . :
(i) VA .

(ii) m = h ( m ) u = VA m , s .

(iii) , u = .
11.2
. :

(i) k R, SA,k
(ii) VA


(iii)

m M s* S , VA m , s = , m = h ( m ) .

11.2: .

11.6. ( )
(11.2.3) ,
.
h 11.5 (. 9.3). ()
. , .

11.2.3
.
, (. 11.3.3(viii)).
11.7
.


RSA (11.3.1), Rabin (11.3.4) NybergRueppel (11.5.4).


11.8

:
.
1. S = {SA,k: k
R}. SA,k 11 MS S

.
2. S VA VA SA,k MS k R. VA
,
.
3. VA S.
11.9

: s S m M,
. m
s.
1. . :
(i) k R.
(ii) m = R ( m ) s = S A,k ( m ) . (R . 11.1 11.10.)
(iii) s*
m .
2. . :
(i) VA .

( )

(ii) m = VA s .
(iii) m MR . ( m MR , .)
(iv) m m R 1 ( m ) .

11.3: .


11.3
.
:
(i) k R, SA,k
(ii) VA
(iii)

( )

s* S , VA s MR .
11.10 ( ) R R1
. R . , MR = MS. R SA,k

11 M MR MS S, .

( )

M S . s* S, VA s MR
m s*
( 11.9, 2) :
1. k R s* S.

( )

2. m = VA s .
3. m = R 1 ( m ) .
s* m
S .
11.11 ( ) M = {m : m {0, 1}n}

n MS = {t : t {0, 1}2n}. R : M MS R(m) =


m||m, || , MR = {m||m : m M} MS.
n, | MR | | MS | = (1 2 ) . n

s*
VA(s*) MR.
11.12 ( ) R
R1 , R

S. 11.21 -

.
11.3.5.
, RSA
(11.3.1) Rabin (11.3.4).
11.13 ( ) 1.8.3



. RSA (8.2) Rabin (8.3).


11.3.1 11.3.4, .
11.14 ( )

. .
11.3 11.4. R
11 Mh MS.

11.4: .

11.2.4
. .
1. . , . ( , .
11.3.2(i).)
2. .

. . (. 11.21.)
3. . .
,
( , . 11.66(iii)).

.
1. . ,
.



2. . . :
(i) .
.
(ii) .

. (non-adaptive)
.

(. 1.13.1).
(iii) .

.
11.15 ( ) ,
.
, ()
.
,
,
.
11.16 ( )
. ,
,
. ,
.
11.17 ( )
h ( ),
h , h .

11.3 RSA
RSA .


(. 3.2).
. (. 11.14).

11.3.1 The RSA signature scheme
The message space and ciphertext space for the RSA public-key encryption scheme are both $\mathbb{Z}_n = \{0, 1, 2, \ldots, n-1\}$, where n = pq is the product of two randomly chosen distinct prime numbers. Since the encryption transformation is a bijection, digital signatures can be created by reversing the roles of encryption and decryption. The RSA signature scheme is a deterministic digital signature scheme which provides message recovery (see Definition 11.7 and Table 11.1 for notation). The signing space $M_S$ and signature space S are both $\mathbb{Z}_n$. A redundancy function $R: M \to \mathbb{Z}_n$ is chosen and is public knowledge.
11.18 Algorithm  Key generation for the RSA signature scheme

SUMMARY: each entity creates an RSA public key and a corresponding private key.
Each entity A should do the following:
1. Generate two large distinct random primes p and q (see §11.3.2).
2. Compute $n = pq$ and $\phi = (p-1)(q-1)$.
3. Select a random integer e, $1 < e < \phi$, such that $\gcd(e, \phi) = 1$.
4. Use the extended Euclidean algorithm (Algorithm 2.107) to compute the unique integer d, $1 < d < \phi$, such that $ed \equiv 1 \pmod{\phi}$.
5. A's public key is (n, e); A's private key is d.
11.19 Algorithm  RSA signature generation and verification

SUMMARY: entity A signs a message $m \in M$. Any entity B can verify A's signature and recover the message m from the signature.
1. Signature generation. Entity A should do the following:
   (i) Compute $\tilde m = R(m)$, an integer in the range $[0, n-1]$.
   (ii) Compute $s = \tilde m^{\,d} \bmod n$.
   (iii) A's signature for m is s.
2. Verification. To verify A's signature s and recover the message m, B should do the following:
   (i) Obtain A's authentic public key (n, e).
   (ii) Compute $\tilde m = s^{e} \bmod n$.
   (iii) Verify that $\tilde m \in M_R$; if not, reject the signature.
   (iv) Recover $m = R^{-1}(\tilde m)$.

Proof that signature verification works. If s is a signature for a message m, then $s \equiv \tilde m^{\,d} \pmod n$ where $\tilde m = R(m)$. Since $ed \equiv 1 \pmod{\phi}$, $s^{e} \equiv \tilde m^{\,ed} \equiv \tilde m \pmod n$. Finally, $R^{-1}(\tilde m) = R^{-1}(R(m)) = m$.

11.20 Example (RSA signature generation with artificially small parameters)
Key generation. Entity A selects primes p = 7927, q = 6997, and computes n = pq = 55465219 and $\phi = 7926 \cdot 6996 = 55450296$. A chooses e = 5 and solves $ed = 5d \equiv 1 \pmod{55450296}$, yielding d = 44360237. A's public key is (n = 55465219, e = 5); A's private key is d = 44360237.
Signature generation. For the sake of simplicity (but see §11.3.3(ii)), assume that $M = \mathbb{Z}_n$ and that the redundancy function $R: M \to \mathbb{Z}_n$ is the identity map R(m) = m for all $m \in M$. To sign the message m = 31229978, A computes $\tilde m = R(m) = 31229978$ and $s = \tilde m^{\,d} \bmod n = 31229978^{44360237} \bmod 55465219 = 30729435$.
Signature verification. B computes $\tilde m = s^{e} \bmod n = 30729435^{5} \bmod 55465219 = 31229978$. Since $\tilde m \in M_R$ (trivially, since R is the identity on $\mathbb{Z}_n$), B accepts the signature and recovers $m = R^{-1}(\tilde m) = 31229978$.

11.3.2 RSA
(i)
modulus n
, ,
, d e ed 1 (mod ). . p q n . , 8.2.2(i) 8.8.
(ii) Multiplicative property of RSA
The RSA signature scheme (as well as the encryption method, cf. §8.2.2(v)) has the following multiplicative property, sometimes referred to as the homomorphic property. If $s_1 = m_1^{\,d} \bmod n$ and $s_2 = m_2^{\,d} \bmod n$ are signatures on messages $m_1$ and $m_2$, respectively (or more properly on messages with redundancy added), then $s = s_1 s_2 \bmod n$ has the property that $s = (m_1 m_2)^{d} \bmod n$. If $m = m_1 m_2$ has the proper redundancy (i.e., $m \in M_R$), then s will be a valid signature for it. Hence, it is important that the redundancy function R is not multiplicative, i.e., for essentially all pairs $a, b \in M$, $R(a \cdot b) \ne R(a)R(b)$. As Example 11.21 shows, this condition on R is necessary but not sufficient for security.
11.21 Example (insufficiency of a non-multiplicative redundancy function)  Let n be an RSA modulus and d the private key. Let $k = \lfloor \lg n \rfloor + 1$ be the bitlength of n, and let t be a fixed positive integer such that $t < k/2$. Let $w = 2^{t}$ and let messages be integers m in the interval $[1, n2^{-t} - 1]$. The redundancy function R is taken to be $R(m) = m2^{t}$ (the least significant t bits of the binary representation of R(m) are 0's). For most choices of n, R will not have the multiplicative property. The general existential forgery attack described in §11.3.2(ii) would have a probability of success of $(1/2)^{t}$. But for this redundancy function, a selective forgery attack (which is more serious) is possible, as is now explained.

Suppose that an adversary wants to forge a signature on a message m. The adversary knows n but not d. The adversary can mount the following chosen-message attack to obtain the signature on m. Apply the extended Euclidean algorithm (Algorithm 2.107) to n and $\tilde m = R(m) = m2^{t} = mw$. At each stage of the extended Euclidean algorithm, integers x, y, and r are computed such that $xn + y\tilde m = r$. It can be shown that at some stage there exists a y and r such that $|y| < n/w$ and $r < n/w$, provided $w \le \sqrt{n}$. If y > 0, form integers $\tilde m_2 = rw$ and $\tilde m_3 = yw$. If y < 0, form integers $\tilde m_2 = rw$ and $\tilde m_3 = -yw$. In either case, $\tilde m_2$ and $\tilde m_3$ have the required redundancy. If signatures $s_2 = \tilde m_2^{\,d} \bmod n$ and $s_3 = \tilde m_3^{\,d} \bmod n$ are obtained from the legitimate signer, then the adversary can compute a signature for $\tilde m$ as follows:
- if y > 0, compute
$$\frac{s_2}{s_3} = \frac{\tilde m_2^{\,d}}{\tilde m_3^{\,d}} = \left(\frac{rw}{yw}\right)^{d} = \left(\frac{r}{y}\right)^{d} = \tilde m^{\,d} \bmod n;$$
- if y < 0, compute
$$\frac{s_2}{-s_3} = \frac{\tilde m_2^{\,d}}{(-\tilde m_3)^{d}} = \left(\frac{rw}{yw}\right)^{d} = \left(\frac{r}{y}\right)^{d} = \tilde m^{\,d} \bmod n.$$
In either case, the adversary has a signed message of its choice with the appropriate redundancy. This attack is an example of a chosen-message attack providing selective forgery. It emphasizes the requirement for judicious choice of the redundancy function R.

11.3.3 RSA
(i)
RSA .
moduli .
.
(nA, eA) (nB, eB), . nA > n,
,
11.22.
11.22 Example (reblocking problem)  Suppose A's keys are $n_A = 8387 \cdot 7499 = 62894113$, $e_A = 5$, $d_A = 37726937$, and B's keys are $n_B = 55465219$, $e_B = 5$, $d_B = 44360237$; thus $n_A > n_B$. Let m = 1368797 be the message to be signed and encrypted. A follows the sign-then-encrypt procedure:
1. A computes $s = m^{d_A} \bmod n_A = 1368797^{37726937} \bmod 62894113 = 59847900$.
2. A computes $c = s^{e_B} \bmod n_B = 59847900^{5} \bmod 55465219 = 38842235$.
To recover the message and verify the signature, B does the following:
1. B computes $\hat s = c^{d_B} \bmod n_B = 38842235^{44360237} \bmod 55465219 = 4382681$.
2. B computes $\hat m = \hat s^{\,e_A} \bmod n_A = 4382681^{5} \bmod 62894113 = 54383568$.
Hence $\hat m \ne m$. The reason is that s is larger than the modulus $n_B$. Here, the probability of this problem occurring is $(n_A - n_B)/n_A \approx 0.12$.
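The RSA operations of Algorithms 11.18 and 11.19, the chosen-message attack of Example 11.21 against the redundancy function $R(m) = m2^{t}$, and the reblocking problem of Example 11.22, as an added Python example (this is not code from the Handbook). The primes and keys are the chapter's own toy values; the function names (`ext_euclid_until`, `forge_via_euclid`, `reblocking_demo`) and the parameter t = 8 are choices made here. The signing oracle in the attack is modelled by handing the attacker's chosen values to `rsa_sign`; the attacker never uses d itself. Python 3.8 or later is needed for `pow(x, -1, n)`.

```python
"""RSA signatures with a redundancy function, the selective-forgery attack of
Example 11.21, and the reblocking problem of Example 11.22 (added example).
Keys are the chapter's toy values; in practice p and q are 1024+ bits."""
from math import gcd


def rsa_keygen(p, q, e):
    """Algorithm 11.18 with fixed primes: returns public (n, e) and private d."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)          # d = e^{-1} mod phi (Python 3.8+)


def rsa_sign(d, n, mt):
    """Algorithm 11.19 step 1: s = m~^d mod n, where m~ = R(m) is already applied."""
    assert 0 <= mt < n
    return pow(mt, d, n)


def rsa_recover(pub, s):
    """Algorithm 11.19 step 2(ii): m~ = s^e mod n (the caller then checks m~ in M_R)."""
    n, e = pub
    return pow(s, e, n)


def redundancy_shift(m, t):
    """R(m) = m * 2^t of Example 11.21: t trailing zero bits."""
    return m << t


def in_mr_shift(mt, n, t):
    """Membership test for M_R = {m * 2^t : 0 < m * 2^t < n}."""
    return 0 < mt < n and mt % (1 << t) == 0


def ext_euclid_until(n, mt, bound):
    """Run the extended Euclidean algorithm on (n, m~) and stop at the first
    remainder r < bound.  Returns (r, y) with y*m~ ≡ r (mod n)."""
    r0, r1, y0, y1 = n, mt, 0, 1            # invariant: r_i = x_i*n + y_i*m~
    while r1 >= bound:
        q = r0 // r1
        r0, r1, y0, y1 = r1, r0 - q * r1, y1, y0 - q * y1
    return r1, y1


def forge_via_euclid(pub, d, m, t):
    """Example 11.21: forge A's signature on m with two chosen-message queries.
    `d` only models the signing oracle A; the attacker never sees it."""
    n, _ = pub
    w = 1 << t
    mt = redundancy_shift(m, t)
    r, y = ext_euclid_until(n, mt, n // w)
    mt2, mt3 = r * w, abs(y) * w            # both carry the required redundancy
    assert in_mr_shift(mt2, n, t) and in_mr_shift(mt3, n, t)
    s2, s3 = rsa_sign(d, n, mt2), rsa_sign(d, n, mt3)   # the two oracle queries
    s = s2 * pow(s3, -1, n) % n             # (r/y)^d = m~^d when y > 0 ...
    if y < 0:                               # ... and -(r/|y|)^d when y < 0 (d is odd)
        s = (n - s) % n
    return mt, s


def reblocking_demo(key_a, key_b, m):
    """Example 11.22: sign with A's key, then encrypt for B.  With n_A > n_B the
    signature s may exceed n_B, and B then recovers m_hat != m."""
    (n_a, e_a), d_a = key_a
    (n_b, e_b), d_b = key_b
    s = pow(m, d_a, n_a)                    # A signs (no redundancy, as in the example)
    c = pow(s, e_b, n_b)                    # A encrypts s for B: s is reduced mod n_B
    s_hat = pow(c, d_b, n_b)                # B decrypts
    m_hat = pow(s_hat, e_a, n_a)            # B "verifies"
    return s, c, s_hat, m_hat
```

With the Example 11.20 key, `forge_via_euclid(pub, d, m, 8)` returns an s with `rsa_recover(pub, s) == R(m)` although A only ever signed the two attacker-chosen values; a redundancy map without this multiplicative structure (ISO/IEC 9796, §11.3.5) is what closes the attack.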

.
1. . modulus.
, nA > n, A
B A. , , ,

. ,
.
.
2. moduli . moduli
. modulus moduli , .
moduli (t + 1) bit moduli t
bit.
3. modulus. p
q modulus n : bit
1 k bit 0. modulus n t bit
. n , 2t1 n
2t1 + 2t k1. p t 2 bit q 2t 1 p ( 2t 1 + 2t k 1 ) p n = pq
modulus (. 11.23). modulus
n ,
.
nA modulus s = m d A mod n A m. s 1 k + 1
bit, . s, nA,
0 bit modulus . s
1 k + 1 bit, , (1 2 ) , k k

100.


11.23 ( modulus)
modulus n 12 bit , bit 1
k = 3 bit 0. 6 bit, p = 37. -

q 211

= 56 ( 2

11

+2

= 62. -

q 59 61. q = 61, n = 37 61 = 2257, 100011010001.

(ii)
(. 11.2.4) RSA, R. 11.3.5 .
(.
11.3.2(ii)).
(iii) RSA
11.14 . , MD5 ( 9.5) 128,
11.9
. n modulus RSA k bit,
R 128 bit k
bit. 11.3.6 ,
.
(iv)
n = pq modulus RSA 2k bit, p q k bit .
, s = md mod n, m O(k3) bit ( , . 14.3
, . 14.6). p
q, s1 = m d mod p, s2 = m d mod q, s (. 14.75). O(k3),
.
. ,
O(k2) bit. e, , 3 216 + 12 , p
q , gcd(e, (p 1)(q 1)) = 1.
RSA, , . ,
A,

(. 13.4.2).


e = 216 + 1 e m e mod n
16 (. 14.6.1).
2



(v)
1996, moduli RSA 768 bit.
modulus 1024 bit
.
.
RSA e 216 + 1.
d (. 8.2.2(iv)).
(vi)
(bandwidth efficiency) ( 2)
MS ( 2) MR,

. ,
R. RSA ( Rabin, 11.3.4) ISO/IEC 9796 (11.3.5) k bit
2k bit MS
2k bit. .
, modulus 1024 bit, 512 bit.
(vii)
modulus RSA modulus (system-wide) (. 8.2.2(vi)).
e , (. 8.9(ii)).
(viii)
n modulus RSA 2k bit
11.19 k bit (. ). m k
bit. m k bit , m =
m1||m2||||mt ( 11.6
).
2kt bit. , A m l k . kt + 2k, kt m.
kt + 2k 2kt t 2, RSA . k
bit RSA .

11.3.4 Rabin



Rabin RSA (
11.19), e.3 ,
e = 2. MS Qn (
modulo n . 2.134)
. R M MS .
11.25
Rabin. ( ) 11.30.
11.24 Algorithm  Key generation for the Rabin public-key signature scheme

SUMMARY: each entity creates a public key and corresponding private key.
Each entity A should do the following:
1. Generate two large distinct random primes p and q.
2. Compute $n = pq$.
3. A's public key is n; A's private key is (p, q).

11.25 Algorithm  Rabin signature generation and verification

SUMMARY: entity A signs a message $m \in M$. Any entity B can verify A's signature and recover the message m from the signature.
1. Signature generation. Entity A should do the following:
   (i) Compute $\tilde m = R(m)$.
   (ii) Compute a square root s of $\tilde m \bmod n$ (using Algorithm 3.44).
   (iii) A's signature for m is s.
2. Verification. To verify A's signature s and recover the message m, B should do the following:
   (i) Obtain A's authentic public key n.
   (ii) Compute $\tilde m = s^{2} \bmod n$.
   (iii) Verify that $\tilde m \in M_R$; if not, reject the signature.
   (iv) Recover $m = R^{-1}(\tilde m)$.

11.26 Example (Rabin signature generation with artificially small parameters)
Key generation. Entity A chooses primes p = 7, q = 11, and computes n = 77. A's public key is n = 77; A's private key is (p = 7, q = 11). The signing space is $M_S = Q_{77} = \{1, 4, 9, 15, 16, 23, 25, 36, 37, 53, 58, 60, 64, 67, 71\}$. For the sake of simplicity (but see Note 11.27), take M = M_S and R to be the identity map (i.e., $\tilde m = R(m) = m$).
Signature generation. To sign a message m = 23, A computes $R(m) = \tilde m = 23$, and then finds a square root of $\tilde m$ modulo 77. If s denotes such a square root, then $s \equiv \pm 3 \pmod 7$ and $s \equiv \pm 1 \pmod{11}$, implying s = 10, 32, 45, or 67. The signature for m is (randomly) chosen to be s = 45.
Signature verification. B computes $\tilde m = s^{2} \bmod 77 = 23$. Since $\tilde m = 23 \in M_R$, B accepts the signature and recovers $m = R^{-1}(\tilde m) = 23$.

Footnote 3: recall that for an RSA modulus, e must satisfy $\gcd(e, \phi) = 1$ with $\phi = (p-1)(q-1)$; since $\phi$ is even, e = 2 is not a valid RSA exponent, which is why the Rabin scheme is treated separately.

11.27 ()
i) RSA ( 11.21),
R Rabin. , M = MS = Qn R(m) = m

m M. s ]n m = s 2 mod n, s m
. (,
.) , .
ii) , M . Rabin, R. , m , R

. , , modulo n
. m
bit R R(m) Qn.
, , .

Rabin
11.27(ii),
Rabin.
ISO/IEC 9796 (11.3.5).
MS, , (

) . 11.3.5.
11.28 Fact  Let p and q be distinct primes each congruent to 3 modulo 4, and let n = pq.
(i) If $\gcd(x, n) = 1$, then $x^{(p-1)(q-1)/2} \equiv 1 \pmod n$.
(ii) If $x \in Q_n$, then $x^{(n-p-q+5)/8} \bmod n$ is a square root of x modulo n.
(iii) Let x be an integer having Jacobi symbol $\left(\frac{x}{n}\right) = 1$, and let $d = (n - p - q + 5)/8$. Then
$$x^{2d} \bmod n = \begin{cases} x, & \text{if } x \in Q_n,\\ n - x, & \text{if } x \notin Q_n.\end{cases}$$
(iv) If $p \not\equiv q \pmod 8$, then $\left(\frac{2}{n}\right) = -1$. Hence, multiplication of any integer x by 2 or $2^{-1} \bmod n$ reverses the Jacobi symbol of x. (Integers of the form n = pq where $p \equiv q \equiv 3 \pmod 4$ and $p \not\equiv q \pmod 8$ are sometimes called Williams integers.)
Algorithm 11.30 is a modification of the Rabin signature scheme in which the signing space is $M_S = \{m \in \mathbb{Z}_n : m \equiv 6 \pmod{16}\}$; the other sets involved are given in Table 11.2. The redundancy function R used there is simple; for practical use the redundancy of §11.3.5 is recommended.

  M      $\{m \in \mathbb{Z}_n : m \le (n-6)/16\}$
  M_S    $\{m \in \mathbb{Z}_n : m \equiv 6 \pmod{16}\}$
  S      $\{s \in \mathbb{Z}_n : (s^{2} \bmod n) \in M_S\}$
  R      $R(m) = 16m + 6$ for all $m \in M$
  M_R    $\{m \in \mathbb{Z}_n : m \equiv 6 \pmod{16}\}$

Table 11.2: Definition of sets and functions for Algorithm 11.30.

11.29 Algorithm  Key generation for the modified-Rabin signature scheme

SUMMARY: each entity creates a public key and corresponding private key.
Each entity A should do the following:
1. Select random primes $p \equiv 3 \pmod 8$, $q \equiv 7 \pmod 8$, and compute $n = pq$.
2. A's public key is n; A's private key is $d = (n - p - q + 5)/8$.

11.30 Algorithm  Modified-Rabin public-key signature generation and verification

SUMMARY: entity A signs a message $m \in M$. Any entity B can verify A's signature and recover the message m from the signature.
1. Signature generation. Entity A should do the following:
   (i) Compute $\tilde m = R(m) = 16m + 6$.
   (ii) Compute the Jacobi symbol $J = \left(\frac{\tilde m}{n}\right)$ (using Algorithm 2.149).
   (iii) If J = 1, compute $s = \tilde m^{\,d} \bmod n$.
   (iv) If J = −1, compute $s = (\tilde m/2)^{d} \bmod n$. (Footnote 4: here $\tilde m/2$ denotes $\tilde m \cdot 2^{-1} \bmod n$; since $\tilde m$ is even, this is the integer $\tilde m/2$.)
   (v) A's signature for m is s.
2. Verification. To verify A's signature s and recover the message m, B should do the following:
   (i) Obtain A's authentic public key n.
   (ii) Compute $m' = s^{2} \bmod n$. (Note the original message m itself is not required.)
   (iii) If $m' \equiv 6 \pmod 8$, take $\tilde m = m'$.
   (iv) If $m' \equiv 3 \pmod 8$, take $\tilde m = 2m'$.
   (v) If $m' \equiv 7 \pmod 8$, take $\tilde m = n - m'$.
   (vi) If $m' \equiv 2 \pmod 8$, take $\tilde m = 2(n - m')$.
   (vii) Verify that $\tilde m \in M_R$ (see Table 11.2); if not, reject the signature.
   (viii) Recover $m = R^{-1}(\tilde m) = (\tilde m - 6)/16$.

Proof that signature verification works. Either $\tilde m$ or $\tilde m/2$ has Jacobi symbol 1, by Fact 11.28(iv), and the signer takes the one that does. Since $\tilde m \equiv 6 \pmod{16}$, one has $\tilde m \equiv 6 \pmod 8$ and $\tilde m/2 \equiv 3 \pmod 8$. By Fact 11.28(iii), $s^{2} \bmod n$ equals $\tilde m$, $n - \tilde m$, $\tilde m/2$, or $n - \tilde m/2$, according as the value signed is or is not in $Q_n$. Since $n \equiv 5 \pmod 8$, these four cases are congruent to 6, 7, 3, and 2 modulo 8 respectively, so the verifier can distinguish them and recover $\tilde m$.

11.31 Example (modified-Rabin signature scheme with artificially small parameters)
Key generation. A chooses p = 19, q = 31, and computes n = pq = 589 and $d = (n - p - q + 5)/8 = 68$. A's public key is n = 589, while A's private key is d = 68. The signing space $M_S$ is given in the following table, along with the Jacobi symbol of each element; elements with $J = 0$ (those with $\gcd(\tilde m, n) \ne 1$) are excluded, and A must never sign such a value since it would reveal a factor of n.
(The table of $M_S$ with Jacobi symbols is not reproduced in this extraction.)
Signature generation. To sign a message m = 12, A computes $\tilde m = R(12) = 198$, the Jacobi symbol
$$J = \left(\frac{\tilde m}{n}\right) = \left(\frac{198}{589}\right) = 1,$$
and $s = \tilde m^{\,d} \bmod n = 198^{68} \bmod 589 = 102$. A's signature for m = 12 is s = 102.
Signature verification. B computes $m' = s^{2} \bmod n = 102^{2} \bmod 589 = 391$. Since $m' \equiv 7 \pmod 8$, B takes $\tilde m = n - m' = 589 - 391 = 198$. Finally, B computes $m = R^{-1}(\tilde m) = (198 - 6)/16 = 12$ and accepts the signature.
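Algorithms 11.29 and 11.30 (modified-Rabin signatures with the Jacobi-symbol decision) as an added Python example; this is not the Handbook's code. The parameters are those of Example 11.31, and the function names are chosen here. The last part reproduces the existential forgery of Note 11.32(ii): because $M_R = \{\tilde m \equiv 6 \pmod{16}\}$ is a large, unstructured subset of $\mathbb{Z}_n$, a random s frequently "verifies" as a signature on some message, which is why the redundancy of §11.3.5 is needed in practice.

```python
"""Modified-Rabin signatures (Algorithms 11.29 and 11.30), added example."""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (Algorithm 2.149)."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def rabin_keygen(p, q):
    """Algorithm 11.29: p ≡ 3, q ≡ 7 (mod 8); private d = (n - p - q + 5)/8."""
    assert p % 8 == 3 and q % 8 == 7
    n = p * q
    return n, (n - p - q + 5) // 8


def rabin_sign(n, d, m):
    """Algorithm 11.30 step 1.  R(m) = 16m + 6; the Jacobi symbol decides whether
    the root of m~ or of m~/2 is taken.  Returns None if gcd(m~, n) != 1, since
    signing such a value would hand out a factor of n."""
    mt = 16 * m + 6
    assert mt < n
    J = jacobi(mt, n)
    if J == 1:
        return pow(mt, d, n)
    if J == -1:
        return pow(mt * pow(2, -1, n) % n, d, n)   # (m~/2)^d mod n
    return None


def rabin_verify(n, s):
    """Algorithm 11.30 step 2: m' = s^2 mod n, undo the sign/halving by m' mod 8,
    check m~ in M_R, and return m = (m~ - 6)/16 (None on rejection)."""
    mp = pow(s, 2, n)
    r = mp % 8
    if r == 6:
        mt = mp
    elif r == 3:
        mt = 2 * mp
    elif r == 7:
        mt = n - mp
    elif r == 2:
        mt = 2 * (n - mp)
    else:
        return None
    if not (mt < n and mt % 16 == 6):               # m~ must lie in M_R
        return None
    return (mt - 6) // 16


def rabin_existential_forgery(n, s):
    """Note 11.32(ii): any s whose s^2 (after the mod-8 fix-up) lands in M_R is a
    valid signature on the message it recovers to; the forger does not choose m."""
    return rabin_verify(n, s)
```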

11.32 ( Rabin)

i) 11.30
Jacobi 1, n.
, y = 2d = s2 Jacobi 1
y2 (2)2d 2 (mod n) 11.28(iii). , ( y) ( + y)

0 (mod n). y Jacobi, y (mod n) gcd( y, n) = p q.


ii)
Rabin Rabin (. 11.27(i)). s, 1 s n 1, , s2 n s2 2s2
2(n s2) mod n 6 modulo 16. , s m = s2 mod n.
11.33 ( Rabin) 11.25
M MS = Qn,

Jacobi ( 2.149).
Jacobi (. 11.27)
modulo n.
modulo n (. 3.44). Jacobi ,
RSA
modulus. H e = 2
.

(. 14.18).
RSA RSA e = 3. Rabin ( 11.30) . Jacobi
.
11.34 ( ) Rabin
RSA (. 11.3.3(vi)).

11.3.5 ISO/IEC 9796


To ISO/IEC 9796 1991 (International Standards Organization ISO) .


.
ISO/IEC 9796 : (i) (ii)
k bit k bit (iii) (iv)
(. 11.14) (v) (padding) ,
. RSA ( 11.19) Rabin ( 11.30).
, (truncation)
ISO/IEC 9796 . 11.3
.

  k    the bitlength of the signature.
  d    the bitlength of the message to be signed; it is required that $d \le 8\lfloor (k+3)/16 \rfloor$.
  z    the number of bytes in the padded message: $z = \lceil d/8 \rceil$.
  r    one more than the number of padding bits: $r = 8z - d + 1$.
  t    the least integer such that a string of 2t bytes includes at least k − 1 bits: $t = \lceil (k-1)/16 \rceil$.

Table 11.3: ISO/IEC 9796 notation.

11.35 Example (ISO/IEC 9796 parameters)  Consider a 150-bit message to be signed with a 1024-bit modulus. The parameters of Table 11.3 take the following values (r follows from the formula $r = 8z - d + 1$):

  k (bits)   d (bits)   z (bytes)   r (bits)   t (bytes)
  1024       150        19          3          64

(i) ISO/IEC 9796


5 , 11.5().



11.5: ISO/IEC 9796.

1. . m ,
MP = 0r1||m, 1 r 8, bit MP 8. byte MP z: MP = mz||mz1||m2||m1,
mi byte.
2. . , ME, MP
MP t
byte : ME = MEt||MEt1||||ME2||ME1 ( MEi byte).
t z, byte
byte MP, byte byte
MP . , MEi+1 = m(i mod z)+1 0 i t 1.
3. . ME
byte MR = MR2t||MR2t1||||MR2||MR1 . MR (interleaving) t byte ME t byte byte MR2z . , MR2i1 = MEi
MR2i = S(MEi) 1 i t, S(u) byte u . u = u2||u1, u1 u2 4,
S(u) = (u2)|| (u1),

( , 4 .) , MR MR2z r MR2z. 5
4. forcing. IR k bit MR
:
) k 1 bit MR bit 1
) byte u2||u1 , u1||0110. ( IR 6 (mod 16).)
5. . k bit k bit ( ).
IR s
.
11.36 (RSA, Rabin) To ISO/IEC 9796
RSA ( 11.19)6 Rabin ( 11.19)7.
, . e RSA Rabin, n modulus d
. RR : (i) IR
e , e Jacobi IR ( 5

MR2z
d . d = 8z r + 1, z r. MR.
6
1 4 R, m
1i 11.19 IR.
7
To m IR, 1 11.25.


) modulus n 1 (ii) IR / 2 e Jacobi


IR n 1. m s = (RR)d mod n. ISO/IEC 9796 s (RR)d mod n n ((RR)d mod n).
(ii) ISO/IEC 9796
ISO/IEC 9796
, 11.5().
1. . s . .
() s IR.
() IR k bit
bit 1, 4
bit 0110.
2. . MR 2t byte IR
.
() X k 1 bit IR.
() u4||u3||u2||0110 4 bit
X, byte X 1(u4)||u2.
() MR X () 0 15 bit
2t byte.
z r .
() 2t byte MR t

MR2 i S ( MR2 i 1 ) ,1 i t.
0, .
() z i MR2 i S ( MR2 i 1 ) 0.
() r 4 bit (). r
1 8.
MR, z byte MP :
() MP2i = MR2 i 1 , 1 i z.

3.

() r 1 bit MP
0.
() 8z r + 1 bit MP.
. s .
() MR
,
,
() , k 1 bit
MR k 1 bit MR.

11.3.6 PKCS #1
(PKCS public-key cryptography standards)
RSA (. 15.3.6).
PKCS #1 ( RSA).


PKCS #1
RSA. (MD2 MD5 9.51) , ,
. 11.4 . .
X Xi i .

k
n
p, q
e
d
M
MD
MD

n (k 11)
modulus, 28(k1) n < 28k
n

EB
ED

ab
BT
PS
S
||X||

11.4: PKCS #1.

(i) PKCS #1 data encoding
The data is a byte string D, where ||D|| ≤ k − 11. BT is a single byte whose hexadecimal representation is either 00 or 01. PS is a byte string with ||PS|| = k − 3 − ||D||; if BT = 00, each byte of PS is 00, and if BT = 01, each byte of PS is ff. The formatted data block (called the encryption block) is
EB = 00||BT||PS||00||D.

11.37 Note (data encoding rationale)
(i) The leading 00 block ensures that the byte string EB, when interpreted as an integer, is less than the modulus n.
(ii) If the block type is BT = 00, then either D must begin with a non-zero byte or its length must be known, in order to permit unambiguous parsing of EB.
(iii) If BT = 01, then unambiguous parsing is always possible.
(iv) For the reasons given in (iii), and to ensure that PS has at least 8 bytes (reflecting the k − 11 restriction on D), block type BT = 01 is recommended.

11.38 Example (PKCS #1 data encoding with artificially small parameters)  Suppose that n is a 1024-bit modulus (so k = 128). If ||D|| = 20 bytes, then ||PS|| = 105 bytes and ||EB|| = 128 bytes.
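The encoding block of §11.3.6(i) and the parsing checks a verifier must apply (§11.3.6(iii), steps 3 and 4), as an added Python example that is not the Handbook's code. The function names are chosen here; the byte layout, the k − 11 bound and the "at least 8 bytes of PS" rule are from the text. The decoder rejects on any deviation rather than tolerating malformed blocks, which is the property a verifier needs.

```python
"""PKCS #1 block encoding EB = 00 || BT || PS || 00 || D and strict parsing (added example)."""


def pkcs1_encode(data, k, block_type=0x01):
    """Build EB for a k-byte modulus.  BT 01 pads with ff bytes; BT 00 pads with
    00 bytes and then needs D to start with a non-zero byte (Note 11.37(ii))."""
    if block_type not in (0x00, 0x01):
        raise ValueError("block type must be 00 or 01")
    if len(data) > k - 11:
        raise ValueError("data too long: ||D|| must be at most k - 11")
    if block_type == 0x00 and (not data or data[0] == 0):
        raise ValueError("with BT = 00, D must begin with a non-zero byte")
    fill = 0xff if block_type == 0x01 else 0x00
    ps = bytes([fill]) * (k - 3 - len(data))     # at least 8 bytes by construction
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + data


def pkcs1_decode(eb, k):
    """Parse EB as a verifier must: exact length, leading 00, known BT, PS of at
    least 8 bytes, and the 00 separator.  Returns D, or None on any deviation."""
    if len(eb) != k or eb[0] != 0x00 or eb[1] not in (0x00, 0x01):
        return None
    block_type = eb[1]
    fill = 0xff if block_type == 0x01 else 0x00
    i = 2
    while i < k and eb[i] == fill:                # skip PS (and, for BT 00, the separator)
        i += 1
    if i >= k:                                    # no data at all
        return None
    if block_type == 0x01:
        if eb[i] != 0x00:                         # PS must be followed by the 00 separator
            return None
        ps_len, data = i - 2, eb[i + 1:]
    else:
        ps_len, data = i - 3, eb[i:]              # last 00 of the zero run is the separator
    if ps_len < 8:
        return None
    return data


def eb_to_int(eb):
    """Step 4 of signing: EB as the integer sum 2^{8(k-i)} EB_i; m < n since EB_1 = 00."""
    return int.from_bytes(eb, "big")
```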

(ii) PKCS #1
11.6().
, d
modulus n .
1. . - MD.



2. . MD ASN.1 (abstract syntax notation ) BER- (basic encoding rules


) D.
3. . D, 11.3.6(i) EB.
4. . EB
j i EB1||EB2||||EBk. EB
EBi ( bit ).
k
ji. 8
EB m = 28( k i ) EB
i =1

5. RSA. s = md mod n.
6. . s ED = ED1||ED2||||EDk, EDi
k
j i . S = ED.
s = 28( k i ) ED
i =1

11.6: PKCS #1.


8

1 = 00 n 28(k1), 0 m < n.



(iii) PKCS #1
11.6(). , S, e
modulus n.
1. .
() S, S 8.
() S s 4 .
() s > n.
2. RSA. m = se mod n.
3. . m k 6 .
4. (parsing). ,
PS D.
() .
() 00 01.
() PS < 8 .
5. .
() BER- D MD .
() MD2 MD5.
6. .
() -
MD.
() S , MD = MD.

11.4 Fiat-Shamir
10.30, - (witness-challenge response) . . Fiat-Shamir ( 10.24).

11.4.1 Feige-Fiat-Shamir
Feige-Fiat-Shamir Fiat Shamir, h : {0, 1} {0, 1}k k. {0, 1}k
k {0, 1} ( ).



o .
11.39 Algorithm  Key generation for the Feige-Fiat-Shamir signature scheme

SUMMARY: each entity creates a public key and corresponding private key.
Each entity A should do the following:
1. Generate random distinct secret primes p, q and form n = pq.
2. Select a positive integer k and distinct random integers $s_1, s_2, \ldots, s_k \in \mathbb{Z}_n^{*}$.
3. Compute $v_j = s_j^{-2} \bmod n$, $1 \le j \le k$.
4. A's public key is the k-tuple $(v_1, v_2, \ldots, v_k)$ and the modulus n; A's private key is the k-tuple $(s_1, s_2, \ldots, s_k)$.

11.40 Algorithm  Feige-Fiat-Shamir signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Select a random integer r, $1 \le r \le n-1$.
   (ii) Compute $u = r^{2} \bmod n$.
   (iii) Compute $e = (e_1, e_2, \ldots, e_k) = h(m \| u)$; each $e_i \in \{0, 1\}$.
   (iv) Compute $s = r \cdot \prod_{j=1}^{k} s_j^{\,e_j} \bmod n$.
   (v) A's signature for m is (e, s).
2. Verification. To verify A's signature (e, s) on m, B should do the following:
   (i) Obtain A's authentic public key $(v_1, v_2, \ldots, v_k)$ and n.
   (ii) Compute $w = s^{2} \cdot \prod_{j=1}^{k} v_j^{\,e_j} \bmod n$.
   (iii) Compute $e' = h(m \| w)$.
   (iv) Accept the signature if and only if $e = e'$.

Proof that signature verification works.
$$w \equiv s^{2} \prod_{j=1}^{k} v_j^{\,e_j} \equiv r^{2} \prod_{j=1}^{k} s_j^{\,2e_j} \prod_{j=1}^{k} v_j^{\,e_j} \equiv r^{2} \prod_{j=1}^{k} (s_j^{2} v_j)^{e_j} \equiv r^{2} \equiv u \pmod n.$$
Hence, w = u and therefore e = e'.

11.41 Example (Feige-Fiat-Shamir signature generation with artificially small parameters)
Key generation. Entity A generates primes p = 3571, q = 4523, and computes n = pq = 16151633. A selects k = 5 secret values $s_j$ (A's private key) and computes $v_j = s_j^{-2} \bmod n$ (A's public key); the values used below are $s_1 = 42$, $s_3 = 85$, $s_4 = 101$ with $v_1 = 503594$, $v_3 = 7104483$, $v_4 = 1409171$. (The full table of $s_j$, $s_j^{-1}$ and $v_j$ is not reproduced in this extraction.)
Signature generation. Suppose $h: \{0,1\}^{*} \to \{0,1\}^{5}$ is a hash function. A selects a random integer r = 23181 and computes $u = r^{2} \bmod n = 4354872$. To sign message m, A evaluates e = h(m||u) = 10110 (the hash value has been contrived for this example). A forms $s = r s_1 s_3 s_4 \bmod n = (23181)(42)(85)(101) \bmod n = 7978909$; the signature for m is (e = 10110, s = 7978909).
Signature verification. B computes $s^{2} \bmod n = 2926875$ and $v_1 v_3 v_4 \bmod n = (503594)(7104483)(1409171) \bmod n = 15668174$. B then computes $w = s^{2} v_1 v_3 v_4 \bmod n = 4354872$. Since w = u, it follows that e' = h(m||w) = h(m||u) = e and, hence, that the signature is valid.
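Algorithms 11.39 and 11.40 as an added Python example (not the Handbook's code). The modulus, r, and the three known secrets of Example 11.41 are used; the two secrets the example does not print are filled in with arbitrary values here (they do not enter the example's signature because $e_2 = e_5 = 0$). The hash $h: \{0,1\}^{*} \to \{0,1\}^{k}$ is an assumption (SHA-256 truncated to k bits), so the challenge differs from the contrived e = 10110 of the example; `ffs_response` and `ffs_recompute` are names chosen here so the example's arithmetic can be checked directly.

```python
"""Feige-Fiat-Shamir signatures (Algorithms 11.39 and 11.40), added example."""
import hashlib
from math import gcd


def ffs_keygen(p, q, secrets):
    """Algorithm 11.39 with the secret s_j given: public v_j = s_j^{-2} mod n."""
    n = p * q
    assert all(gcd(s, n) == 1 for s in secrets)
    return n, [pow(pow(s, 2, n), -1, n) for s in secrets]


def ffs_challenge(msg, x, k):
    """Stand-in for h: {0,1}* -> {0,1}^k (assumption: SHA-256 truncated to k bits)."""
    digest = hashlib.sha256(msg + str(x).encode()).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(k)]


def ffs_response(n, secrets, r, e):
    """Step 1(iv): s = r * prod s_j^{e_j} mod n."""
    s = r
    for e_j, s_j in zip(e, secrets):
        if e_j:
            s = s * s_j % n
    return s


def ffs_recompute(n, pub, e, s):
    """Step 2(ii): w = s^2 * prod v_j^{e_j} mod n, which equals u for a genuine signature."""
    w = pow(s, 2, n)
    for e_j, v_j in zip(e, pub):
        if e_j:
            w = w * v_j % n
    return w


def ffs_sign(n, secrets, msg, r):
    """Algorithm 11.40 step 1, with the random r supplied by the caller."""
    assert 1 <= r <= n - 1
    u = pow(r, 2, n)
    e = ffs_challenge(msg, u, len(secrets))
    return e, ffs_response(n, secrets, r, e)


def ffs_verify(n, pub, msg, sig):
    """Algorithm 11.40 step 2: the recomputed commitment must hash back to e."""
    e, s = sig
    if len(e) != len(pub) or not 1 <= s <= n - 1:
        return False
    return e == ffs_challenge(msg, ffs_recompute(n, pub, e, s), len(pub))
```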

11.42 ( Feige-Fiat-Shamir)
(i) RSA ( 11.19), modulus n (. 8.2.2(vi)). ,
(TTP) p q
.
(ii) Feige-Fiat-Shamir modulo n (. 3.5.2).
,
, h ,
si .
11.43 ( ) n
t bit, 11.39 kt bit. sj, 1 j k,
t < t o t, ,
sj. (k + 1) bit. , t = 768 k = 128, 98304 bit
99072 bit.
11.44 ( Feige-Fiat-Shamir )
TTP p q modulus n modulus
. 11.39
. . TTP j = f (IA||j), 1 j k,
f {0, 1} Qn j -

, sj j 1 modulo
n, 1 j k. ,
( TTP ) k- (s1,
s2, , sk). h, f modulus n .
11.39 ,


. TTP modulus n ,
.
11.45 ( Feige-Fiat-Shamir)

. 11.44, modulus nA k
1, 2, , k Qn ( 2 byte ).

sj j 1 modulo n, j, 1 j
k . nA 1, 2, , k. .
11.46 ( Feige-Fiat-Shamir) RSA
modulus t = 768, , , 1152 (, 768
384 ). FeigeFiat-Shamir ( 11.40) , , k/2 . , modulus
t = 768 k = 128 , , 64 , 6% RSA.

RSA e = 3, 64 , , Feige-Fiat-Shamir. , Feige-Fiat-Shamir ( DSA . 11.5)
RSA.

11.4.2 GQ
Guillou-Quisquater (GQ) (10.4.3)
( 11.48)
. h : {0, 1} ]n ,
n .
11.47 Algorithm  Key generation for the GQ signature scheme

SUMMARY: each entity creates a public key $(n, e, J_A)$ and corresponding private key a.
Entity A should do the following:
1. Select random distinct secret primes p, q and form n = pq.
2. Select an integer $e \in \{1, 2, \ldots, n-1\}$ such that $\gcd(e, (p-1)(q-1)) = 1$. (See Note 11.50 for guidance on selecting e.)
3. Select an integer $J_A$, $1 < J_A < n$, which serves as an identifier for A and such that $\gcd(J_A, n) = 1$. (The binary representation of $J_A$ could be used to convey information about A such as name, address, driver's license number, etc.)
4. Determine an integer $a \in \mathbb{Z}_n$ such that $J_A a^{e} \equiv 1 \pmod n$ as follows:
   4.1 Compute $J_A^{-1} \bmod n$.
   4.2 Compute $d_1 = e^{-1} \bmod (p-1)$ and $d_2 = e^{-1} \bmod (q-1)$.
   4.3 Compute $a_1 = (J_A^{-1})^{d_1} \bmod p$ and $a_2 = (J_A^{-1})^{d_2} \bmod q$.
   4.4 Find a solution a to the simultaneous congruences $a \equiv a_1 \pmod p$, $a \equiv a_2 \pmod q$.
5. A's public key is $(n, e, J_A)$; A's private key is a.

11.48 Algorithm  GQ signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Select a random integer k and compute $r = k^{e} \bmod n$.
   (ii) Compute $l = h(m \| r)$.
   (iii) Compute $s = k a^{l} \bmod n$.
   (iv) A's signature for m is the pair (s, l).
2. Verification. To verify A's signature (s, l) on m, B should do the following:
   (i) Obtain A's authentic public key $(n, e, J_A)$.
   (ii) Compute $u = s^{e} J_A^{\,l} \bmod n$ and $l' = h(m \| u)$.
   (iii) Accept the signature if and only if $l = l'$.

Proof that signature verification works. Note that $u \equiv s^{e} J_A^{\,l} \equiv (ka^{l})^{e} J_A^{\,l} \equiv k^{e}(a^{e}J_A)^{l} \equiv k^{e} \equiv r \pmod n$. Hence, u = r and therefore l = l'.

11.49 Example (GQ signature generation with artificially small parameters)
Key generation. Entity A chooses primes p = 20849, q = 27457, and computes n = pq = 572450993. A selects an integer e = 47, an identifier $J_A = 1091522$, and solves the congruence $J_A a^{e} \equiv 1 \pmod n$ to get a = 214611724. A's public key is (n = 572450993, e = 47, $J_A$ = 1091522), while A's private key is a = 214611724.
Signature generation. To sign the message m = 1101110001, A selects a random integer k = 42134 and computes $r = k^{e} \bmod n = 297543350$. A then computes l = h(m||r) = 2713833 (the hash value has been contrived for this example) and $s = ka^{l} \bmod n = (42134)(214611724)^{2713833} \bmod n = 252000854$. A's signature for m is the pair (s = 252000854, l = 2713833).
Signature verification. B computes $s^{e} \bmod n = 252000854^{47} \bmod n = 398641962$, $J_A^{\,l} \bmod n = 1091522^{2713833} \bmod n = 110523867$, and finally $u = s^{e} J_A^{\,l} \bmod n = 297543350$. Since u = r, l' = h(m||u) = h(m||r) = l, and so B accepts the signature.
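Algorithms 11.47 and 11.48, together with the forgery of Note 11.50 that a small e permits, as an added Python example (not the Handbook's code). Parameters are those of Example 11.49; the hash $h: \{0,1\}^{*} \to \mathbb{Z}_n$ is an assumption (SHA-256 reduced modulo n), and step 4 of key generation is carried out directly with $d = e^{-1} \bmod (p-1)(q-1)$ instead of the CRT split, which gives the same a. The function names are chosen here. With e = 47 the forgery needs only about e hash evaluations, which is the point of the note: e must be large (Note 11.51 suggests 128 bits).

```python
"""GQ signatures (Algorithms 11.47/11.48) and the small-e forgery of Note 11.50 (added example)."""
import hashlib
from math import gcd


def gq_keygen(p, q, e, j_a):
    """Algorithm 11.47: public (n, e, J_A), private a with J_A a^e ≡ 1 (mod n)."""
    n = p * q
    assert gcd(e, (p - 1) * (q - 1)) == 1 and 1 < j_a < n and gcd(j_a, n) == 1
    d = pow(e, -1, (p - 1) * (q - 1))           # same a as the CRT steps 4.1-4.4
    a = pow(pow(j_a, -1, n), d, n)
    assert j_a * pow(a, e, n) % n == 1
    return (n, e, j_a), a


def gq_hash(msg, x, n):
    """Stand-in for h: {0,1}* -> Z_n (assumption: SHA-256 of m || x reduced mod n)."""
    return int.from_bytes(hashlib.sha256(msg + str(x).encode()).digest(), "big") % n


def gq_sign(pub, a, msg, k):
    """Algorithm 11.48 step 1 with the random k supplied by the caller."""
    n, e, _ = pub
    r = pow(k, e, n)
    l = gq_hash(msg, r, n)
    return k * pow(a, l, n) % n, l


def gq_verify(pub, msg, sig):
    """Algorithm 11.48 step 2: u = s^e J_A^l mod n must hash back to l."""
    n, e, j_a = pub
    s, l = sig
    u = pow(s, e, n) * pow(j_a, l, n) % n
    return l == gq_hash(msg, u, n)


def gq_forge_small_e(pub, msg, max_tries):
    """Note 11.50: try t = n, n+1, ... until l = h(m || J_A^t) satisfies l ≡ t (mod e);
    with t = xe + l, s = J_A^x passes verification since s^e J_A^l = J_A^t.
    Each try succeeds with probability about 1/e.  Returns ((s, l), tries) or None."""
    n, e, j_a = pub
    for i in range(max_tries):
        t = n + i                                   # t >= n > l keeps x non-negative
        l = gq_hash(msg, pow(j_a, t, n), n)
        if (t - l) % e == 0:
            x = (t - l) // e
            return (pow(j_a, x, n), l), i + 1
    return None
```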



11.50 Note (security of GQ signature scheme)  In Algorithm 11.47, e must be sufficiently large to exclude the possibility of forgery based on the following idea (cf. §2.1.5). The adversary selects a message m and computes $l = h(m \| J_A^{\,t})$ for values of t until $l \equiv t \pmod e$. Having determined such a pair (l, t), the adversary determines an integer x such that t = xe + l and computes $s = J_A^{\,x} \bmod n$. Observe that
$$s^{e} J_A^{\,l} \equiv (J_A^{\,x})^{e} J_A^{\,l} \equiv J_A^{\,xe+l} \equiv J_A^{\,t} \pmod n,$$
which implies that $h(m \| J_A^{\,t}) = l$. Thus, (s, l) is a valid (forged) signature for message m.
11.51 ( ) ( 1996)
modulus n 768 bit. H 11.50
e 128 bit.
128 160 bit. modulus 768 bit
e 128 bit, GQ 896 + u bit, u
bit JA. a 768 bit.
11.52 ( GQ)
GQ ( 11.48) . modulus n 768 bit, e 128 bit
l 128 bit, ( ) 384
(128 64
e l). .
RSA ( 1152 )
Feige-Fiat-Shamir (64 )
(. 11.46). GQ Feige-FiatShamir (.
11.51).
11.53 ( GQ) 11.48
.

MS = ]n, m MS. , k , gcd(k, n) = 1 r =ke mod n l = mr


mod n. s = kal mod n. seJAl keaelJAl ke r (mod n).
m lr 1 mod n.
, R
.

11.5 DSA
(DSA Digital
Signature Algorithm) .
]p ,



ElGamal 11.5.2. (.
11.2).
(. 11.14).

]p . , ,
,
.

11.5.1 (DSA)
1991 (NIST National
Institute of Standards and Technology) (DSA). DSA
(FIPS 186 Federal Information Processing Standard), (DSS Digital Signature Standard )
. ElGamal (. 11.5.2) .
h: {0, 1}* ]q
q. DSS (SHA-1
Secure Hash Algorithm), 9.53.
11.54 Algorithm  Key generation for the DSA

SUMMARY: each entity creates a public key and corresponding private key.
Each entity A should do the following:
1. Select a prime number q such that $2^{159} < q < 2^{160}$.
2. Choose t so that $0 \le t \le 8$, and select a prime number p where $2^{511+64t} < p < 2^{512+64t}$, with the property that q divides (p − 1).
3. (Select a generator α of the unique cyclic group of order q in $\mathbb{Z}_p^{*}$.)
   3.1 Select an element $g \in \mathbb{Z}_p^{*}$ and compute $\alpha = g^{(p-1)/q} \bmod p$.
   3.2 If α = 1 then go to step 3.1.
4. Select a random integer a such that $1 \le a \le q-1$.
5. Compute $y = \alpha^{a} \bmod p$.
6. A's public key is (p, q, α, y); A's private key is a.
11.55 Note (generating DSA primes p and q)  In Algorithm 11.54, one must select the prime q first and then try to find a prime p such that q divides (p − 1). The algorithm recommended by the DSS for accomplishing this is Algorithm 4.56.


11.56 Algorithm  DSA signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Select a random secret integer k, 0 < k < q.
   (ii) Compute $r = (\alpha^{k} \bmod p) \bmod q$ (e.g., using Algorithm 2.143).
   (iii) Compute $k^{-1} \bmod q$ (e.g., using Algorithm 2.142).
   (iv) Compute $s = k^{-1}\{h(m) + ar\} \bmod q$.
   (v) A's signature for m is the pair (r, s).
2. Verification. To verify A's signature (r, s) on m, B should do the following:
   (i) Obtain A's authentic public key (p, q, α, y).
   (ii) Verify that 0 < r < q and 0 < s < q; if not, then reject the signature.
   (iii) Compute $w = s^{-1} \bmod q$ and h(m).
   (iv) Compute $u_1 = w \cdot h(m) \bmod q$ and $u_2 = rw \bmod q$.
   (v) Compute $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q$.
   (vi) Accept the signature if and only if v = r.

Proof that signature verification works. If (r, s) is a legitimate signature of entity A on message m, then $h(m) \equiv -ar + ks \pmod q$ must hold. Multiplying both sides of this congruence by w and rearranging gives $w \cdot h(m) + arw \equiv k \pmod q$. But this is simply $u_1 + au_2 \equiv k \pmod q$. Raising α to both sides of this equation yields $(\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (\alpha^{k} \bmod p) \bmod q$. Hence, v = r, as required.

11.57 Example (DSA signature generation with artificially small parameters)
Key generation. A selects primes p = 124540019 and q = 17389 such that q divides (p − 1); here, (p − 1)/q = 7162. A selects a random element g = 110217528 $\in \mathbb{Z}_p^{*}$ and computes $\alpha = g^{7162} \bmod p = 10083255$. Since α ≠ 1, α is a generator for the unique cyclic subgroup of order q in $\mathbb{Z}_p^{*}$. A next selects a random integer a = 12496 satisfying $1 \le a \le q-1$, and computes $y = \alpha^{a} \bmod p = 10083255^{12496} \bmod 124540019 = 119946265$. A's public key is (p = 124540019, q = 17389, α = 10083255, y = 119946265), while A's private key is a = 12496.
Signature generation. To sign m, A selects a random integer k = 9557, and computes $r = (\alpha^{k} \bmod p) \bmod q = (10083255^{9557} \bmod 124540019) \bmod 17389 = 27039929 \bmod 17389 = 34$. A then computes $k^{-1} \bmod q = 7631$, h(m) = 5246 (the hash value has been contrived for this example), and finally $s = (7631)\{5246 + (12496)(34)\} \bmod q = 13049$. The signature for m is the pair (r = 34, s = 13049).
Signature verification. B computes $w = s^{-1} \bmod q = 1799$, $u_1 = w \cdot h(m) \bmod q = (5246)(1799) \bmod 17389 = 12716$, and $u_2 = rw \bmod q = (34)(1799) \bmod 17389 = 8999$. B then computes $v = (\alpha^{u_1} y^{u_2} \bmod p) \bmod q = (10083255^{12716} \cdot 119946265^{8999} \bmod 124540019) \bmod 17389 = 27039929 \bmod 17389 = 34$. Since v = r, B accepts the signature as valid.
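Algorithms 11.54 and 11.56 as an added Python example (not the Handbook's code), using the parameters of Example 11.57 and the contrived hash value h(m) = 5246. The function names are chosen here. The last function shows what the warning at the end of Note 11.58 means in practice: two signatures made with the same k (recognizable by an equal r) give away the private key with the same arithmetic as Note 11.66(ii) for ElGamal, and since q is prime no gcd cases arise.

```python
"""DSA (Algorithms 11.54 and 11.56) and the consequence of a reused k (added example)."""


def dsa_keygen(p, q, g, a):
    """Algorithm 11.54 steps 3-6 with p, q, g and the private a supplied."""
    assert (p - 1) % q == 0 and 1 <= a <= q - 1
    alpha = pow(g, (p - 1) // q, p)
    assert alpha != 1                           # step 3.2: g was not a suitable choice
    return (p, q, alpha, pow(alpha, a, p)), a


def dsa_sign(pub, a, hm, k):
    """Algorithm 11.56 step 1 with the per-message secret k supplied.
    Returns None when r = 0 or s = 0 (Note 11.62): the caller picks a new k."""
    p, q, alpha, _ = pub
    assert 0 < k < q
    r = pow(alpha, k, p) % q
    s = pow(k, -1, q) * (hm + a * r) % q
    return None if r == 0 or s == 0 else (r, s)


def dsa_verify(pub, hm, sig):
    """Algorithm 11.56 step 2, including the range check of step 2(ii)."""
    p, q, alpha, y = pub
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = w * hm % q, r * w % q
    v = pow(alpha, u1, p) * pow(y, u2, p) % p % q
    return v == r


def dsa_key_from_reused_k(q, hm1, sig1, hm2, sig2):
    """Two signatures sharing k (same r) leak the key: (s1 - s2) k ≡ h1 - h2 (mod q)
    gives k, then a = (s1 k - h1) r^{-1} (mod q)."""
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2 and (s1 - s2) % q != 0
    k = (hm1 - hm2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - hm1) * pow(r, -1, q) % q
```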

11.58 ( DSA) DSA


.
]p (index calculus)

q, .
3.6.6. DSA ElGamal (11.5.2)
s,
( 11.66).
11.59 ( ) q
11.54 ( FIPS 186) 160 bit, p
64 512 1024 bit, . p 512 bit . 1996, modulus 768 bit . FIPS
186 p 1024 bit.
11.60 ( DSA) ,
p 768 bit.
, ( ) 240 ,
modulus 160 bit,
160 bit . 160 bit . DSA
-
. , -
RSA.
modulo p, 160 bit. ,
240 480 .
(. 14.91) , , 280 .



11.61 ( )

p q. DSS p, q . .
11.62 Note (the cases s = 0 and r = 0)  Algorithm 11.56 requires $s^{-1} \bmod q$ to exist, which fails if s = 0. Since s is essentially a random element of $\mathbb{Z}_q$, the probability that s = 0 is about $(1/2)^{160}$, so the case is handled simply by choosing another k. The same holds for r = 0, which the check 0 < r < q in step 2(ii) would reject. If either r = 0 or s = 0 occurs during signing, a new value of k should be generated.

11.5.2 ElGamal
ElGamal .

h: {0, 1}* ]p, p .
DSA (11.5.1) ElGamal.
11.63 Algorithm  Key generation for the ElGamal signature scheme

SUMMARY: each entity creates a public key and corresponding private key.
Each entity A should do the following:
1. Generate a large random prime p and a generator α of the multiplicative group $\mathbb{Z}_p^{*}$ (using Algorithm 4.84).
2. Select a random integer a, $1 \le a \le p-2$.
3. Compute $y = \alpha^{a} \bmod p$ (e.g., using Algorithm 2.143).
4. A's public key is (p, α, y); A's private key is a.

11.64 Algorithm  ElGamal signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Select a random secret integer k, $1 \le k \le p-2$, with gcd(k, p − 1) = 1.
   (ii) Compute $r = \alpha^{k} \bmod p$ (e.g., using Algorithm 2.143).
   (iii) Compute $k^{-1} \bmod (p-1)$ (e.g., using Algorithm 2.142).
   (iv) Compute $s = k^{-1}\{h(m) - ar\} \bmod (p-1)$.
   (v) A's signature for m is the pair (r, s).
2. Verification. To verify A's signature (r, s) on m, B should do the following:
   (i) Obtain A's authentic public key (p, α, y).
   (ii) Verify that $1 \le r \le p-1$; if not, then reject the signature.
   (iii) Compute $v_1 = y^{r} r^{s} \bmod p$.
   (iv) Compute h(m) and $v_2 = \alpha^{h(m)} \bmod p$.
   (v) Accept the signature if and only if $v_1 = v_2$.

Proof that signature verification works. If the signature was generated by A, then $s \equiv k^{-1}\{h(m) - ar\} \pmod{p-1}$. Multiplying both sides by k gives $ks \equiv h(m) - ar \pmod{p-1}$, and rearranging yields $h(m) \equiv ar + ks \pmod{p-1}$. This implies $\alpha^{h(m)} \equiv \alpha^{ar+ks} \equiv (\alpha^{a})^{r} r^{s} \pmod p$. Thus, $v_1 = v_2$, as required.

11.65 Example (ElGamal signature generation with artificially small parameters)
Key generation. A selects the prime p = 2357 and a generator α = 2 of $\mathbb{Z}_{2357}^{*}$. A chooses the private key a = 1751 and computes $y = \alpha^{a} \bmod p = 2^{1751} \bmod 2357 = 1185$. A's public key is (p = 2357, α = 2, y = 1185).
Signature generation. For simplicity, messages will be integers from $\mathbb{Z}_p$ and h(m) = m for all messages (i.e., h is the identity function). To sign the message m = 1463, A selects a random integer k = 1529, computes $r = \alpha^{k} \bmod p = 2^{1529} \bmod 2357 = 1490$, and $k^{-1} \bmod (p-1) = 245$. Finally, A computes $s = 245\{1463 - 1751(1490)\} \bmod 2356 = 1777$. A's signature for m = 1463 is the pair (r = 1490, s = 1777).
Signature verification. B computes $v_1 = 1185^{1490} \cdot 1490^{1777} \bmod 2357 = 1072$, h(m) = 1463, and $v_2 = 2^{1463} \bmod 2357 = 1072$. B accepts the signature since $v_1 = v_2$.

11.66 Note (security of ElGamal signatures)
(i) An adversary might attempt to forge A's signature (per Algorithm 11.64) on m by selecting a random integer k and computing $r = \alpha^{k} \bmod p$. The adversary must then determine $s = k^{-1}\{h(m) - ar\} \bmod (p-1)$. If the discrete logarithm problem is computationally infeasible, the adversary can do no better than to choose an s at random; the success probability is only 1/p, which is negligible for large p.
(ii) A different k must be selected for each message signed; otherwise, the private key can be determined with high probability. Suppose $s_1 = k^{-1}\{h(m_1) - ar\} \bmod (p-1)$ and $s_2 = k^{-1}\{h(m_2) - ar\} \bmod (p-1)$. Then $(s_1 - s_2)k \equiv (h(m_1) - h(m_2)) \pmod{p-1}$. If $s_1 - s_2 \not\equiv 0 \pmod{p-1}$, then $k = (s_1 - s_2)^{-1}(h(m_1) - h(m_2)) \bmod (p-1)$. Once k is known, a is easily found.
(iii) If no hash function h is used, the signing equation is $s = k^{-1}\{m - ar\} \bmod (p-1)$. It is then easy for an adversary to mount an existential forgery attack as follows. Select any pair of integers (u, v) with gcd(v, p − 1) = 1. Compute $r = \alpha^{u} y^{v} \bmod p = \alpha^{u+av} \bmod p$ and $s = -rv^{-1} \bmod (p-1)$. The pair (r, s) is a valid signature for the message $m = su \bmod (p-1)$, since
$$\left(\alpha^{m} \alpha^{-ar}\right)^{s^{-1}} = \alpha^{u} y^{v} = r.$$
(iv) Step 2(ii) in Algorithm 11.64 requires that 0 < r < p. If this check is not done, then an adversary can sign messages of its choice provided it has one valid signature created by entity A, as follows. Suppose that (r, s) is a signature for message m produced by A. The adversary selects a message m' of its choice and computes h(m') and $u = h(m') \cdot [h(m)]^{-1} \bmod (p-1)$ (assuming $[h(m)]^{-1} \bmod (p-1)$ exists). It then computes $s' = su \bmod (p-1)$ and r' such that $r' \equiv ru \pmod{p-1}$ and $r' \equiv r \pmod p$. The latter is always possible by the Chinese remainder theorem (Fact 2.120). The pair (r', s') is a signature for message m' which would be accepted by the verification algorithm (Algorithm 11.64) if step 2(ii) were ignored.
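Algorithms 11.63 and 11.64 with the parameters of Example 11.65, plus the two attacks of Note 11.66 that can be carried out without any discrete-logarithm computation, as an added Python example (not the Handbook's code). The function names are chosen here. Key recovery from a reused k is written for the general case: because p − 1 is composite, the linear congruences for k and a can have several solutions, so the candidates are filtered against the public values r and y.

```python
"""ElGamal signatures (Algorithms 11.63/11.64) and the attacks of Note 11.66 (added example)."""
from math import gcd


def elgamal_keygen(p, alpha, a):
    """Algorithm 11.63 with p, the generator alpha and the private a supplied."""
    assert 1 <= a <= p - 2
    return (p, alpha, pow(alpha, a, p)), a


def elgamal_sign(pub, a, hm, k):
    """Algorithm 11.64 step 1 with the per-message secret k supplied."""
    p, alpha, _ = pub
    assert 1 <= k <= p - 2 and gcd(k, p - 1) == 1
    r = pow(alpha, k, p)
    s = pow(k, -1, p - 1) * (hm - a * r) % (p - 1)
    return r, s


def elgamal_verify(pub, hm, sig):
    """Algorithm 11.64 step 2; the range check on r is step 2(ii) (see Note 11.66(iv))."""
    p, alpha, y = pub
    r, s = sig
    if not 1 <= r <= p - 1:
        return False
    return pow(y, r, p) * pow(r, s, p) % p == pow(alpha, hm, p)


def elgamal_forge_no_hash(pub, u, v):
    """Note 11.66(iii): with h(m) = m, any (u, v) with gcd(v, p-1) = 1 yields a valid
    signature on the (uncontrolled) message m = s*u mod (p-1), without the private key."""
    p, alpha, y = pub
    assert gcd(v, p - 1) == 1
    r = pow(alpha, u, p) * pow(y, v, p) % p
    s = (-r * pow(v, -1, p - 1)) % (p - 1)
    return s * u % (p - 1), (r, s)


def solve_linear(c, b, m):
    """All x in Z_m with c*x ≡ b (mod m); empty if gcd(c, m) does not divide b."""
    g = gcd(c, m)
    if b % g:
        return []
    x0 = (b // g) * pow(c // g, -1, m // g) % (m // g)
    return [x0 + i * (m // g) for i in range(g)]


def elgamal_key_from_reused_k(pub, hm1, sig1, hm2, sig2):
    """Note 11.66(ii): the same k in two signatures (same r) leaks k, then a.
    Returns (k, a) or None."""
    p, alpha, y = pub
    r, s1 = sig1
    r2, s2 = sig2
    assert r == r2
    for k in solve_linear((s1 - s2) % (p - 1), (hm1 - hm2) % (p - 1), p - 1):
        if pow(alpha, k, p) != r:
            continue
        for a in solve_linear(r % (p - 1), (hm1 - k * s1) % (p - 1), p - 1):
            if pow(alpha, a, p) == y:
                return k, a
    return None
```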
11.67 ( )
(i) ( ) p (3.6.5).
(ii) ( Pohlig-Hellman) O p 1 q Pohlig-Hellman
(3.6.4).

(iii) ( ) p 1 (mod 4) :
() (p 1)
() S ]p ( , S Pohlig-Hellman (3.6.4)).
( )
( 2 11.64). , p 1 = q.
m :
() t (p 3)/2 r = q.
() z , qz yq (mod p), y
. ( q yq S q

S.)
() s = t {h(m) qz} mod (p 1).
() (r, s) m 2
11.64.



rsyr h(m) (mod


p). , q 1 (mod p), q1 (mod p)

q(p1)/2 1 (mod p). (


]p q 1 (mod p).)
qt = q(p1)/2q1 q1 (mod p). , rsyr = (qt)[h(m)qz]yq h(m)qzyq h(m)yqyq =
h(m) (mod p). , = 2 ,

(iii) .

]p , ]p .

11.68 ( ElGamal)
(i) 11.64 ,

(k mod p),
( k 1 mod (p 1)) . ( .) off-line, ( -)
(on-line) .
(ii) , .
( )

3
2

lg p -

, ,
9
2

lg p . -

. 1 = h(m)yrrs mod p , 1 = 1. , 1
(
14.91)

15
8

lg p -

, 2.5 .
(iii) modulo p, modulo (p 1).
11.69 ( )

]p (3.6), modulus p 512 bit


. 1996,
modulus p 768 bit . moduli 1024 bit .


11.70 ( )

p , p (. 11.61).
(i) ElGamal
ElGamal ( 11.64).
( 1iv 11.64).
u = a + kw mod (p 1),
u = h(m), = r w = s (., h(m) = ar + ks mod (p 1)).
u, w s, r h(m) . 11.5 6 .

11.5: ElGamal.
modulo (p 1) modulo p.

11.71 ( ElGamal)
(i) 11.5
ElGamal 11.64.
, (3) (4) 11.5 s. (2) (3)
a 1 mod (p 1), .
(ii) (2) (4) rr.
xx c (mod p)
c. p, .
(ii) ElGamal
ElGamal, -

]p ,
G. 8.4.2
. 11.73 h: {0, 1}* ]n, n



G. r G
h(r).9
11.72 ElGamal

: G G
.
:
1. G n, . (
G .)
2. a, 1 a n 1.
y = a.
3. (, y), G a.
11.73 ElGamal

: m .
B
.
1. . H :
i) k, 1 k n 1, gcd(k, n) = 1.
ii) r = k.
iii) k 1 mod n.
iv) h(m) h(r).
v) s = k 1{h ( m ) ah ( r )} mod n.
vi) m (r, s).
2. . (r, s) m,
:
i) (, y) .
ii) h(m) h(r).
iii) 1 = yh(r) rs.
iv) 2 = h(m).
v) , 1 = 2.
11.74 ( ElGamal )
. F25

f (x) = x5 + x2 + 1 F2 . ( 2.231
F24 . ) 31 5- 11.6, 00000. =
9

, f : G {0, 1}* h(f (r)) h(r).



(00010) G = F25 , . G n = 31. h: {0, 1}* ]31 . a = 19 y = a = (00010)19 =


(00110). To ( = (00010), y = (00110)).
. m = 10110101,

k = 24 r = 24 = (11110) k 1 mod 31 = 22. , h(m) = 16 h(r) = 7 ( )


s = 22 {16 (19)(7)} mod 31 = 30. m (r = (11110), s
= 30).
. , h(m) = 16, h(r) = 7, 1 = yh(r)rs = (00110)7(11110)30 =
(11011) 2 = h(m) = 2 = 16 = (11011). 1 = 2.

11.6: F25 .

11.75

( ElGamal)
11.73
G (. 3.6). 11.66
ElGamal.

11.76 ( )

G (., r = k) ]n. H G.
11.77 ( ElGamal )
11.73 G

Fq.

. q
G = Fq .

11.5.3 Schnorr


ElGamal Schnorr.
DSA ( 11.56), ]p ,
q, p . h: {0, 1}* ]q. Schnorr
DSA ( 11.54),
p q.
11.78 Algorithm  Schnorr signature generation and verification

SUMMARY: entity A signs a binary message m of arbitrary length. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Select a random secret integer k, $1 \le k \le q-1$.
   (ii) Compute $r = \alpha^{k} \bmod p$, $e = h(m \| r)$, and $s = ae + k \bmod q$.
   (iii) A's signature for m is the pair (s, e).
2. Verification. To verify A's signature (s, e) on m, B should do the following:
   (i) Obtain A's authentic public key (p, q, α, y).
   (ii) Compute $v = \alpha^{s} y^{-e} \bmod p$ and $e' = h(m \| v)$.
   (iii) Accept the signature if and only if e' = e.

Proof that signature verification works. If the signature was created by A, then $v \equiv \alpha^{s} y^{-e} \equiv \alpha^{s} \alpha^{-ae} \equiv \alpha^{k} \equiv r \pmod p$. Hence, h(m||v) = h(m||r) and e' = e.

11.79 Example (Schnorr signature generation with artificially small parameters)
Key generation. A selects primes p = 129841 and q = 541; here, (p − 1)/q = 240. A then selects a random integer g = 26346 and computes $\alpha = 26346^{240} \bmod p = 26$. Since α ≠ 1, α generates the unique cyclic subgroup of order 541 in $\mathbb{Z}_p^{*}$. A then selects the private key a = 423 and computes $y = 26^{423} \bmod p = 115917$. A's public key is (p = 129841, q = 541, α = 26, y = 115917).
Signature generation. To sign the message m = 11101101, A selects a random number k = 327 such that $1 \le k \le 540$, and computes $r = 26^{327} \bmod p = 49375$ and e = h(m||r) = 155 (the hash value has been contrived for this example). Finally, A computes $s = 423 \cdot 155 + 327 \bmod 541 = 431$. The signature for m is (s = 431, e = 155).
Signature verification. B computes $v = 26^{431} \cdot 115917^{-155} \bmod p = 49375$ and e' = h(m||v) = 155. B accepts the signature since e = e'.
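Algorithm 11.78 with the parameters of Example 11.79, as an added Python example (not the Handbook's code). The hash $h: \{0,1\}^{*} \to \mathbb{Z}_q$ is an assumption (SHA-256 of m||r reduced modulo q) and is passed in as a parameter so the example's contrived e = 155 can be reproduced; the function names are chosen here. The split into `schnorr_precompute` and `schnorr_sign_online` is the off-line/on-line point of Note 11.80: the only modular exponentiation, $\alpha^{k} \bmod p$, does not depend on the message.

```python
"""Schnorr signatures (Algorithm 11.78) with the off-line precomputation of Note 11.80 (added example)."""
import hashlib


def schnorr_keygen(p, q, g, a):
    """Algorithm 11.54 (shared with DSA) with p, q, g, a supplied: alpha = g^((p-1)/q)."""
    assert (p - 1) % q == 0 and 1 <= a <= q - 1
    alpha = pow(g, (p - 1) // q, p)
    assert alpha != 1
    return (p, q, alpha, pow(alpha, a, p)), a


def schnorr_hash(msg, r, q):
    """Stand-in for h: {0,1}* -> Z_q (assumption: SHA-256 of m || r reduced mod q)."""
    return int.from_bytes(hashlib.sha256(msg + str(r).encode()).digest(), "big") % q


def schnorr_precompute(pub, k):
    """Note 11.80: alpha^k mod p is message-independent and can be done off-line."""
    p, q, alpha, _ = pub
    assert 1 <= k <= q - 1
    return k, pow(alpha, k, p)


def schnorr_sign_online(pub, a, msg, pre, h=schnorr_hash):
    """On-line part of step 1 with a precomputed (k, r): one hash and one mod-q multiply."""
    _, q, _, _ = pub
    k, r = pre
    e = h(msg, r, q)
    return (a * e + k) % q, e


def schnorr_sign(pub, a, msg, k, h=schnorr_hash):
    """Algorithm 11.78 step 1 in one go; h may be replaced by a contrived hash."""
    return schnorr_sign_online(pub, a, msg, schnorr_precompute(pub, k), h)


def schnorr_verify(pub, msg, sig, h=schnorr_hash):
    """Algorithm 11.78 step 2: v = alpha^s y^{-e} mod p must hash back to e."""
    p, q, alpha, y = pub
    s, e = sig
    if not (0 <= s < q and 0 <= e < q):
        return False
    v = pow(alpha, s, p) * pow(y, -e, p) % p
    return h(msg, v, q) == e
```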

11.80 ( Schnorr)
11.78 modulo p modulo


q. modulo p off-line.
, h(m||r)
. modulo p.
14.88 1.17 . q ElGamal 11.64, ( ) ElGamal.

11.5.4 ElGamal
ElGamal (11.5.2) (. ). ,
11.81
. , ElGamal
.
, MS = ]p , p , S = ] p ] q , q , q (p 1). R M MS.
11.81 DSA, p q.
11.81 Algorithm  Nyberg-Rueppel signature generation and verification

SUMMARY: entity A signs a message $m \in M$. Any entity B can verify A's signature and recover the message m from the signature.
1. Signature generation. Entity A should do the following:
   (i) Compute $\tilde m = R(m)$.
   (ii) Select a random secret integer k, $1 \le k \le q-1$, and compute $r = \alpha^{-k} \bmod p$.
   (iii) Compute $e = \tilde m r \bmod p$.
   (iv) Compute $s = ae + k \bmod q$.
   (v) A's signature for m is the pair (e, s).
2. Verification. To verify A's signature (e, s) on m, B should do the following:
   (i) Obtain A's authentic public key (p, q, α, y).
   (ii) Verify that 0 < e < p; if not, reject the signature.
   (iii) Verify that $0 \le s < q$; if not, reject the signature.
   (iv) Compute $v = \alpha^{s} y^{-e} \bmod p$ and $\tilde m = ve \bmod p$.
   (v) Verify that $\tilde m \in M_R$; if $\tilde m \notin M_R$ then reject the signature.
   (vi) Recover $m = R^{-1}(\tilde m)$.

Proof that signature verification works. If A created the signature, then $v \equiv \alpha^{s} y^{-e} \equiv \alpha^{s-ae} \equiv \alpha^{k} \pmod p$. Thus $ve \equiv \alpha^{k} \tilde m \alpha^{-k} \equiv \tilde m \pmod p$, as required.

11.82 Example (Nyberg-Rueppel signature generation with artificially small parameters)
Key generation. Entity A selects primes p = 1256993 and q = 3571, where q divides (p − 1); here, (p − 1)/q = 352. A then selects a random number g = 4207 and computes $\alpha = 4207^{352} \bmod p = 441238$. Since α ≠ 1, α generates the unique cyclic subgroup of order 3571 in $\mathbb{Z}_p^{*}$. Finally, A selects a random integer a = 2774 and computes $y = \alpha^{a} \bmod p = 1013657$. A's public key is (p = 1256993, q = 3571, α = 441238, y = 1013657), while A's private key is a = 2774.
Signature generation. To sign a message m, A computes $\tilde m = R(m) = 1147892$ (the value R(m) has been contrived for this example). A then randomly selects k = 1001, computes $r = \alpha^{-k} \bmod p = 441238^{-1001} \bmod p = 1188935$, $e = \tilde m r \bmod p = 138207$, and $s = (2774)(138207) + 1001 \bmod q = 1088$. The signature for m is (e = 138207, s = 1088).
Signature verification. B computes $v = 441238^{1088} \cdot 1013657^{-138207} \bmod 1256993 = 504308$ and $\tilde m = ve \bmod 1256993 = 1147892$. B verifies that $\tilde m \in M_R$ and recovers $m = R^{-1}(\tilde m)$.

11.83 Note (security of the Nyberg-Rueppel signature scheme)
(i) Since Algorithm 11.81 is a variant of the basic ElGamal scheme (Algorithm 11.64), the security considerations of Note 11.66 apply. Like DSA (Algorithm 11.56), this ElGamal scheme with message recovery relies on the difficulty of two related but distinct discrete logarithm problems (see Note 11.58).
(ii) Since Algorithm 11.81 provides message recovery, a suitable redundancy function R is required (see Note 11.10) to guard against existential forgery. As is the case with RSA, the multiplicative nature of this signature scheme must be carefully considered when choosing a redundancy function R. The following possible attack should be kept in mind. Suppose $m \in M$, $\tilde m = R(m)$, and (e, s) is a signature for m. Then $e = \tilde m \alpha^{-k} \bmod p$ for some integer k and $s = ae + k \bmod q$. Let $\tilde m^{*} = \tilde m \alpha^{l} \bmod p$ for some integer l. If $s^{*} = s + l \bmod q$ and $\tilde m^{*} \in M_R$, then $(e, s^{*})$ is a valid signature for $m^{*} = R^{-1}(\tilde m^{*})$. To see this, consider the verification algorithm (step 2 of Algorithm 11.81):
$$v \equiv \alpha^{s^{*}} y^{-e} \equiv \alpha^{s+l} \alpha^{-ae} \equiv \alpha^{k+l} \pmod p, \qquad ve \equiv \alpha^{k+l} \tilde m \alpha^{-k} \equiv \tilde m \alpha^{l} \equiv \tilde m^{*} \pmod p.$$
Since $\tilde m^{*} \in M_R$, $(e, s^{*})$ is a valid signature for $m^{*}$.
(iii) Verification condition 0 < e < p in step 2(ii) of Algorithm 11.81 is necessary. Suppose (e, s) is A's signature for the message m. Then $e = \tilde m r \bmod p$ and $s = ae + k \bmod q$. An adversary can use this signature to compute a signature on a message m' of its choice: determine an e' such that $e' \equiv \tilde m' r \pmod p$ and $e' \equiv e \pmod q$. (This is possible by the Chinese remainder theorem, Fact 2.120.) The pair (e', s) will pass the verification algorithm provided that 0 < e' < p is not checked.


11.84 ( ElGamal ) e
 mod p 1iii 11.81 = mr

m r
. E = {Er : r ]p}
, Er r ]p MS = ]p ]p . m M,
k, 1 k q 1, r = k mod p, s = ae + k mod q.
(e, s) m. H s = ae + k mod q
m

.

11.6



, , .
.
.
, ( 11.6.3
).
, ,
.
, .

11.6.1 Rabin
Rabin
. .
. , . , -



. 11.7.

0
0(i)
K

0l = l .
0le||be1b1b0, be1b1b0 i.
l bit.


K.

Et

E t K. Et -

h
n

l bit l bit.
{0, 1} {0, 1}l.
.
11.7: Rabin.

11.85 Rabin

: E,
2n .
A :
1. E (.., DES).
2. 2n k1, k2, , k2n K,
l .
3. yi = Eki ( M 0 (i )), 1 i 2n.

4. (y1, y2, , y2n) (k1, k2, ,


k2n).
11.86 Rabin

: m . .
1. . :
i) h(m).
ii) si = Eki (h(m)),1 i 2n.
iii) m (s1, s2, , s2n).
2. . (s1, s2, , s2n) m,
:
i) (y1, y2, , y2n) .
ii) h(m).
iii) n rj, 1 rj 2n, 1 j n.
iv) krj ,1 j n.
v) ,
z j = Ekr ( M 0 (rj )) z j = yrj , 1 j n.
j



vi) srj = Ekr (h(m)),1 j n.


j

11.87 ( Rabin) t l bit (.


11.7), 11.86 2nl bit. n = 80 l = 64, 1289 bit .
11.88 ( )
11.86, :
1. (TTP) m (s1, s2,
, s2n).
2. TTP k1, k2, , k2n .
3. TTP
zi = Eki ( M 0 (i )) yi = zi, 1 i 2n. -

, TTP (., ).
4. TTP ui = Eki (h(m)),1 i 2n. ui = si n i, 1
i 2n, TTP ( ). n + 1 i ui = si, TTP
.
11.89 ( )
Rabin, 11.88, . A
m, o B k
n + 1 i ui = si, m ,
h(m) = h(m). . , ui = si n
i n 2iii -

2n
, 1 .
n
11.90 ( 11.86)
Rabin , ( ) n + 1
( ) (.
11.89). ( ) n 2n .

11.6.2 Merkle
Merkle ( 11.92) Rabin ( 11.86)
. TTP


11.91.
11.91 Algorithm  Key generation for the Merkle one-time signature scheme

SUMMARY: to sign n-bit messages, A generates $t = n + \lfloor \lg n \rfloor + 1$ validation parameters.
Each entity A should do the following:
1. Select $t = n + \lfloor \lg n \rfloor + 1$ random secret strings $k_1, k_2, \ldots, k_t$, each of bitlength l.
2. Compute $v_i = h(k_i)$, $1 \le i \le t$. Here, h is a preimage-resistant hash function $h: \{0,1\}^{*} \to \{0,1\}^{l}$ (see §9.2.2).
3. A's public key is $(v_1, v_2, \ldots, v_t)$; A's private key is $(k_1, k_2, \ldots, k_t)$.
To sign an n-bit message m, a bitstring $w = m \| c$ is formed where c is the binary representation for the number of 0's in m. c is assumed to be a bitstring of bitlength $\lfloor \lg n \rfloor + 1$ with high-order bits padded with 0's, if necessary. Hence, w is a bitstring of bitlength $t = n + \lfloor \lg n \rfloor + 1$.

11.92 Algorithm  Merkle one-time signature generation and verification

SUMMARY: entity A signs a binary message m of bitlength n. Any entity B can verify this signature by using A's public key.
1. Signature generation. Entity A should do the following:
   (i) Compute c, the binary representation for the number of 0's in m.
   (ii) Form $w = m \| c = (a_1 a_2 \cdots a_t)$.
   (iii) Determine the coordinate positions $i_1 < i_2 < \cdots < i_u$ in w such that $a_{i_j} = 1$, $1 \le j \le u$.
   (iv) Let $s_j = k_{i_j}$, $1 \le j \le u$.
   (v) A's signature for m is $(s_1, s_2, \ldots, s_u)$.
2. Verification. To verify A's signature $(s_1, s_2, \ldots, s_u)$ on m, B should do the following:
   (i) Obtain A's authentic public key $(v_1, v_2, \ldots, v_t)$.
   (ii) Compute c, the binary representation for the number of 0's in m.
   (iii) Form $w = m \| c = (a_1 a_2 \cdots a_t)$.
   (iv) Determine the coordinate positions $i_1 < i_2 < \cdots < i_u$ in w such that $a_{i_j} = 1$, $1 \le j \le u$.
   (v) Accept the signature if and only if $v_{i_j} = h(s_j)$ for all $1 \le j \le u$.
11.93 Note (security of Merkle's one-time signature scheme)  To forge a signature on a new message m', an adversary must determine the private strings $k_{i_j}$ for every position where $w' = m' \| c'$ has a 1 and where the corresponding string was not revealed in the signature $(s_1, s_2, \ldots, s_u)$ on m. Since h is preimage-resistant, this is infeasible. The checksum c is what prevents the adversary from reusing a signature on m to sign a message m' obtained from m by changing some 1's to 0's (so that the 1-positions of m' are a subset of those of m): since m' has more 0's, $c' > c$, and incrementing c turns at least one 0 bit of c into a 1 bit of c' whose private string has not been revealed. Changing a 0 of m into a 1 directly requires an unrevealed string. Hence any modification of m needs a string the adversary does not have.
11.94 ( 11.92)
(i) m n bit k l
(n + lg n + 1) bit (
) l (n + lg n + 1) bit . l (k + k)
bit , k n
k. , n = 128, l = 64 k = 72, 8704 bit (1088 byte) . 4800 bit (600
byte).
(ii) ki
(seed). , k*
l, ki = h(k*||i), 1 i t. k*
, .
(iii) , .
n + lg n + 1 .
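Algorithms 11.91 and 11.92 with the checksum argument of Note 11.93 and the seed-derived keys of Note 11.94(ii), as an added Python example (not the Handbook's code). The hash h is an assumption (SHA-256, so l = 256), and the function names are chosen here. `forge_from_signature` is the adversary of Note 11.93: it tries to assemble a signature on a modified message from the strings revealed in a genuine one, and fails whenever a needed string was never revealed, which the checksum guarantees.

```python
"""Merkle one-time signatures (Algorithms 11.91/11.92) and the checksum of Note 11.93 (added example)."""
import hashlib


def h(x):
    """Preimage-resistant hash h: {0,1}* -> {0,1}^l with l = 256 (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def merkle_ots_keygen(n, seed):
    """Algorithm 11.91 with t = n + floor(lg n) + 1 strings derived from a seed
    (Note 11.94(ii)): k_i = h(seed || i).  Returns (private strings, public v_i)."""
    t = n + (n.bit_length() - 1) + 1
    keys = [h(seed + i.to_bytes(4, "big")) for i in range(1, t + 1)]
    return keys, [h(k) for k in keys]


def checksummed_bits(m_bits, n):
    """w = m || c, where c is the number of 0's in m on floor(lg n) + 1 bits."""
    assert len(m_bits) == n and set(m_bits) <= {0, 1}
    width = (n.bit_length() - 1) + 1
    zeros = n - sum(m_bits)
    return list(m_bits) + [(zeros >> (width - 1 - i)) & 1 for i in range(width)]


def merkle_ots_sign(keys, m_bits):
    """Algorithm 11.92 step 1: reveal k_i for every position i where w_i = 1.
    The signature is a list of (position, string) pairs, positions 1-based as in the text."""
    w = checksummed_bits(m_bits, len(m_bits))
    return [(i + 1, keys[i]) for i, bit in enumerate(w) if bit]


def merkle_ots_verify(pub, m_bits, sig):
    """Algorithm 11.92 step 2: the revealed strings must cover exactly the 1-positions
    of w and hash to the matching public values."""
    w = checksummed_bits(m_bits, len(m_bits))
    ones = [i + 1 for i, bit in enumerate(w) if bit]
    if [pos for pos, _ in sig] != ones:
        return False
    return all(h(key) == pub[pos - 1] for pos, key in sig)


def forge_from_signature(sig, m_bits_new):
    """Note 11.93: try to sign m' using only strings revealed in a signature on m.
    Returns a candidate signature, or None if some required string was never revealed."""
    revealed = dict(sig)
    w = checksummed_bits(m_bits_new, len(m_bits_new))
    try:
        return [(i + 1, revealed[i + 1]) for i, bit in enumerate(w) if bit]
    except KeyError:
        return None
```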
11.95 ( Merkle)
11.92 l (n + lg n + 1) bit ( ). bit .
bit . kt bit. m = m1||m2||mt, mi k 0 2k 1 -

. U = i =1 (2k mi ) t 2k . U lg U lg
t

t + 1 + k bit. r = ( lg t + 1 + k ) k , U U
= u1||u2||||ur, ui k. w
= m1||m2||mt||u1||u2||||ur. t + r k1, k2, , kt+r

i = h 2

(ki ),1 i t + r. -

(k1, k2, , kt+r) (1 ,2 ,...,t + r ). m


( s1 , s2 ,..., st + r ), si = h mi (ki ),1 i t , si = hui (kt +i ), 1 i r. , hc c- h . (

11.92), bit (checksum) (. 11.93) . si = ha(kj), ha + (kj) 0 2k a, ha , > 0, h . ,


, ,
kr bit.
11.96 ( bit )
Merkle 11.95. m =
m1||m2||m3||m4, m1 = 1011, m2 = 0111, m3 = 1010 m4 = 1101. m1, m2, m3, m4
11, 7, 10 13, . U = (16 m1) + (16
m2) + (16 m3) + (16 m4) = 5 + 9 + 6 +3 = 23. , U = 10111. w = m||00010111. (s1, s2, s3, s4, s5, s6), s1 = h11(k1), s2 =
h7(k2), s3 = h10(k3), s4 = h13(k4), s5 = h1(k5) s6 = h7(k6). , h si. (. mi ) ,

t 2d mi .
h1 . , h
-, h1 .

11.6.3
13.4.1
, , .
.
.
11.97 ( Merkle)
11.92 -

n bit. h : {0, 1}* {0, 1}l - t = n +lg n + 1. H 11.7 5 ,


m0, m1,
m2, m3, m4.

11.7:
Merkle.


.
mi Xi = (x1i, x2i, , xti), Ui = (u1i, u2i, , uti)
W = (w1i, w2i, , wti), 0 i 4, .
, Yi = (h(xji): 1 j t), Vi = (h(uji): 1 j t) i = (h(wji): 1
j t). h(Yi) = h(h(x1i)||h(x2i)||||h(xti)) 0 i 4, h(Vi)
h(i) . Merkle mi
Xi SA(mi, Xi), 0 i 4. Yi
SA(mi, Xi). , Ri = h(h(Yi)||h(Vi)||h(Zi)), 0 i 4.
11.8 Ri. Ui Wi
Ri.
R0 (TTP).




Ri

mi
Xi, Ui, Wi
Yi, Vi, Zi
h(Yi), h(Vi), h(Zi)
h(h(Yi)||h(Vi)||h(Zi))
SA(mi, Xi)
Yi

11.8: Ri (. 11.7).

11.9
.

m0
m1
m2
m3
m4

R0
R1
R2
R3
R4

TTP
SA(R1, U0)
SA(R2, W0)
SA(R3, U1)
SA(R4, W1)

V0, h(Y0), h(Z0)


Z0, h(Y0), h(V0)
V1, h(Y1), h(Z1)
Z1, h(Y1), h(V1)

11.9: (.
11.7).

,
m4 SA(m4, X4). Y4. Merkle 2 11.92.
Y4
. , :
1. h(V4), h(Z4) h(Y4) R4 = h(h(Y4)||h(V4)||h(Z4)).
2. SA(R4, W1) Z1 R4 11.92.
3. h(Y1), h(V1) h(Z1) R1 = h(h(Y1)||h(V1)||h(Z1)).


4. SA(R1, U0) V0
11.92.
5. h(Y0), h(Z0) h(V0) R0 = h(h(Y0)||h(V0)||h(Z0)).
6. TTP R0
TTP.
5 ( 11.7)
.
( , )

.

11.6.4 GMR
Godwasser, Micali Rivest (GMR) ( 11.102)
- (claw-free)
(. 11.98). .
GMR .
GMR ,
.
11.98 Definition  Let $g_i: X \to X$, i = 0, 1, be two permutations defined on a finite set X. $g_0$ and $g_1$ are said to be a claw-free pair of permutations if it is computationally infeasible to find $x, y \in X$ such that $g_0(x) = g_1(y)$. A triple (x, y, z) of elements from X with $g_0(x) = g_1(y) = z$ is called a claw. If both $g_i$, i = 0, 1, have the property that given additional information it is computationally feasible to determine $g_0^{-1}$, $g_1^{-1}$, respectively, the permutations are called a trapdoor claw-free pair of permutations.

In order for $g_0, g_1$ to be a claw-free pair, computing $g_i^{-1}(x)$, for both i = 0 and 1, must be computationally infeasible for essentially all $x \in X$. For, if $g_1^{-1}$ (and similarly for $g_0^{-1}$) could be efficiently computed, one could select an $x \in X$, compute $g_0(x) = z$ and $g_1^{-1}(z) = y$, to obtain a claw (x, y, z).
11.99 Example (trapdoor claw-free permutation pair)  Let n = pq where $p \equiv 3 \pmod 8$ and $q \equiv 7 \pmod 8$. For this choice of p and q, $\left(\frac{-1}{n}\right) = 1$ but $-1 \notin Q_n$, and $\left(\frac{2}{n}\right) = -1$. Here, $\left(\frac{\cdot}{n}\right)$ denotes the Jacobi symbol (Definition 2.147). Define $D_n = \{x : \left(\frac{x}{n}\right) = 1 \text{ and } 0 < x < \frac{n}{2}\}$. Define $g_0: D_n \to D_n$ and $g_1: D_n \to D_n$ by
$$g_0(x) = \begin{cases} x^{2} \bmod n, & \text{if } x^{2} \bmod n < \frac{n}{2},\\ -x^{2} \bmod n, & \text{if } x^{2} \bmod n > \frac{n}{2},\end{cases}
\qquad
g_1(x) = \begin{cases} 4x^{2} \bmod n, & \text{if } 4x^{2} \bmod n < \frac{n}{2},\\ -4x^{2} \bmod n, & \text{if } 4x^{2} \bmod n > \frac{n}{2}.\end{cases}$$
If factoring n is intractable, then $g_0, g_1$ form a trapdoor claw-free pair of permutations; this can be seen as follows.
(i) ($g_0$ and $g_1$ are permutations on $D_n$) If $g_0(x) = g_0(y)$, then $x^{2} \equiv y^{2} \pmod n$ ($x^{2} \equiv -y^{2} \pmod n$ is not possible since $-1 \notin Q_n$), whence $x \equiv \pm y \pmod n$. Since 0 < x, y < n/2, then x = y, and hence $g_0$ is a permutation on $D_n$. A similar argument shows that $g_1$ is a permutation on $D_n$.
(ii) ($g_0$ and $g_1$ are claw-free) Suppose that there is an efficient method for finding $x, y \in D_n$ such that $g_0(x) = g_1(y)$. Then $x^{2} \equiv 4y^{2} \pmod n$ ($x^{2} \equiv -4y^{2} \pmod n$ is impossible since $-1 \notin Q_n$), whence $(x - 2y)(x + 2y) \equiv 0 \pmod n$. Since $\left(\frac{x}{n}\right) = 1$ and $\left(\frac{2y}{n}\right) = -1$, $x \not\equiv \pm 2y \pmod n$ and, hence, $\gcd(x - 2y, n)$ yields a non-trivial factor of n. This contradicts the assumption that factoring n is intractable.
(iii) ($g_0, g_1$ is a trapdoor claw-free pair) Knowing the factorization of n permits one to compute $g_0^{-1}$ and $g_1^{-1}$. Hence, $g_0, g_1$ is a trapdoor claw-free permutation pair.
The following example illustrates the preceding ideas.
11.100 (claw-free pair) p = 11, q = 7 n = pq = 77. $D_{77} = \{x : \left(\frac{x}{77}\right) = 1,\ 0 < x < 38\}$ = {1, 4, 6, 9, 10, 13, 15, 16, 17, 19, 23, 24, 25, 36, 37}. g0 g1.

    x       1   4   6   9  10  13  15  16  17  19  23  24  25  36  37
    g0(x)   1  16  36   4  23  15   6  25  19  24  10  37   9  13  17
    g1(x)   4  13  10  16  15  17  24  23   1  19  37   6  36  25   9

g0 g1 D77.

11.101 GMR

: -
.
:


1. -
. (
g 01 g11. )

2. r X. ( r .)
3. (g0, g1, r) ( g01 , g11 ).
, g0, g1
g0 g1, (. 1.33) g0g1. , (g0g1)(r)
g0g1(r). MS

- (. 11.103).
11.102 GMR

: m = m1m2...mt. B .
1. . :
(a) $S_r(m) = \prod_{i=0}^{t-1} g^{-1}_{m_{t-i}}(r) = g^{-1}_{m_t} \circ g^{-1}_{m_{t-1}} \circ \cdots \circ g^{-1}_{m_1}(r)$.
(b) m Sr(m).
2. . Sr(m) m, :
(a) (g0, g1, r) .
(b) $r' = \prod_{i=1}^{t} g_{m_i}(S_r(m)) = g_{m_1} \circ g_{m_2} \circ \cdots \circ g_{m_t}(S_r(m))$.
(c) , r' = r.
.
$$r' = \prod_{i=1}^{t} g_{m_i}(S_r(m)) = \prod_{i=1}^{t} g_{m_i}\Big(\prod_{j=0}^{t-1} g^{-1}_{m_{t-j}}(r)\Big) = g_{m_1} \circ g_{m_2} \circ \cdots \circ g_{m_t} \circ g^{-1}_{m_t} \circ g^{-1}_{m_{t-1}} \circ \cdots \circ g^{-1}_{m_1}(r) = r.$$
, r' = r, .
11.103 ( ) 11.102 prefix-free. ( , 101 10111 101 10111.) b1b2...bl b1b1b2b2...blbl01. prefix-free , m = m1m2...mt $S_r(m) = \prod_{i=0}^{t-1} g^{-1}_{m_{t-i}}(r)$. m' = m1m2...mu, u < t, m' Sr(m')
$$S_r(m') = \prod_{j=u+1}^{t} g_{m_j}(S_r(m)) = \prod_{i=0}^{u-1} g^{-1}_{m_{u-i}}(r).$$

11.104 ( 11.102) GMR , claw-free m = m1m2...mt m' = n1n2...nu prefix-free r.
$$S_r(m) = \prod_{i=0}^{t-1} g^{-1}_{m_{t-i}}(r), \qquad S_r(m') = \prod_{i=0}^{u-1} g^{-1}_{n_{u-i}}(r).$$
$\prod_{i=1}^{t} g_{m_i}(S_r(m)) = r = \prod_{i=1}^{u} g_{n_i}(S_r(m'))$. prefix-free , h ≥ 1 $m_h \ne n_h$. gj ,
$$\prod_{i=h}^{t} g_{m_i}(S_r(m)) = \prod_{i=h}^{u} g_{n_i}(S_r(m')), \qquad g_{m_h}\Big(\prod_{i=h+1}^{t} g_{m_i}(S_r(m))\Big) = g_{n_h}\Big(\prod_{i=h+1}^{u} g_{n_i}(S_r(m'))\Big).$$
$x = \prod_{i=h+1}^{t} g_{m_i}(S_r(m))$ $y = \prod_{i=h+1}^{u} g_{n_i}(S_r(m'))$, $(x, y, g_{m_h}(x))$ . . .
11.99, modulus n (. .)
11.105 ( GMR .)
. n, p, q, g0, g1 11.100. r = 15 ∈ D77.
. m = 1011000011 .
$$S_r(m) = g_1^{-1} \circ g_1^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_0^{-1} \circ g_1^{-1} \circ g_1^{-1} \circ g_0^{-1} \circ g_1^{-1}(15) = 23.$$
m 23.
. ,
$$r' = g_1 \circ g_0 \circ g_1 \circ g_1 \circ g_0 \circ g_0 \circ g_0 \circ g_0 \circ g_1 \circ g_1(23) = 15.$$
r' = r, B .
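The claw-free pair of Examples 11.99 and 11.100 and the signature of Example 11.105, as an added worked example (not code from the Handbook): n = 77, r = 15 and m = 1011000011 are the text's values, and the inverses g_i^{-1} are computed from the trapdoor (p, q) by square roots modulo p and q instead of being read off the table.

```python
# Added example, not from the Handbook: the claw-free pair of Example 11.99
# on n = 77 = 11 * 7 (Example 11.100) and the GMR signature of Example 11.105.
# g_i^{-1} is computed from the factorisation (square roots mod p and q),
# which is exactly the trapdoor the signer holds and the verifier lacks.
P, Q = 11, 7                         # p = 3 (mod 8), q = 7 (mod 8)
N = P * Q

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0."""
    a, res = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                res = -res
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            res = -res
        a %= n
    return res if n == 1 else 0

def in_D(x):
    """D_n = {x : (x/n) = 1, 0 < x < n/2}."""
    return 0 < x < N / 2 and jacobi(x, N) == 1

def g(i, x):
    """g_0(x) = +-x^2 mod n, g_1(x) = +-4x^2 mod n; sign chosen so the value is < n/2."""
    v = 4 ** i * x * x % N
    return v if v < N / 2 else N - v

def g_inv(i, z):
    """The unique x in D_n with g_i(x) = z, found via the trapdoor (p, q)."""
    t = z if jacobi(z, P) == 1 else N - z          # the one of z, -z that is a QR
    c = t * pow(4 ** i, -1, N) % N                 # we need x^2 = c (mod n)
    rp, rq = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)   # p, q = 3 (mod 4)
    for sp in (rp, P - rp):                        # CRT over the four square roots
        for sq in (rq, Q - rq):
            x = (sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N
            if in_D(x) and g(i, x) == z:
                return x
    raise ValueError("z has no preimage in D_n")

def gmr_sign(bits, r):
    """S_r(m) = g^{-1}_{m_t} o ... o g^{-1}_{m_1}(r): g^{-1}_{m_1} is applied first."""
    for b in bits:
        r = g_inv(b, r)
    return r

def gmr_verify(bits, sig, r):
    """r' = g_{m_1} o ... o g_{m_t}(S_r(m)): g_{m_t} is applied first; accept iff r' = r."""
    for b in reversed(bits):
        sig = g(b, sig)
    return sig == r

MSG = [int(c) for c in "1011000011"]             # m of Example 11.105; r = 15 gives 23
```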

GMR
GMR ( 11.102), (.
13.4.1). 11.6.3,
. , .
11.106 k $2^{k+1} - 1$ $2^k$ . k .
k . Y1, Y2, ..., Yn, n = $2^k$.
* R (. ). R TTP .
* Yi Yi. Yi r GMR.
* .
* . r rL rR t bit. rL||rR GMR r. r, rL, rR $S_r(r_L \| r_R)$. , b0L, b1L, b0R b1R t bit. rL, b0L, b1L, $S_{r_L}(b_{0L} \| b_{1L})$ rR, b0R, b1R, $S_{r_R}(b_{0R} \| b_{1R})$. b0L, b1L, b0R b1R , . , * .
11.8.

11.8: 2 GMR.

*
m. - g0, g1. m
x , m
Sx(m) .

11.7



11.3 (RSA ), 11.4
( Fiat-Shamir), 11.5 (DSA ),
11.6 ( ).

11.7.1
11.107
(TTP)
.

11.109 $E = \{E_k : k \in K\}$, K . Ek l bit $h: \{0,1\}^* \to \{0,1\}^l$ . TTP $k_T$ ∈ K . , TTP .
11.108

: TTP. A :
1. $k_A$ ∈ K.
2. , $k_A$ TTP.
11.109

: Ek A . TTP.
1. . m, :
(a) H = h(m).
(b) H $u = E_{k_A}(H)$.
(c) u TTP.
(d) TTP $E^{-1}_{k_A}(u)$.
(e) TTP $s = E_{k_T}(H \| I_A)$ s .
(f) m s.
2. . s m :
(a) $v = E_{k_B}(s)$.
(b) v $I_B$ TTP.
(c) TTP $E^{-1}_{k_B}(v)$ s.
(d) TTP $E^{-1}_{k_T}(s)$ $H \| I_A$.
(e) TTP $w = E_{k_B}(H \| I_A)$ w .
(f) $E^{-1}_{k_B}(w)$ $H \| I_A$.
(g) H' = h(m) m.
(h) , H' = H.
11.110 ( )
11.109


.
13.3 .
11.111 ( )
, 11.109 () . TTP,
TTP
TTP.

11.7.2 ESIGN
To ESIGN ( Efficient digital SIGNature )
.
h: {0,1}* Zn.
11.112 ESIGN

: .
:
1. p q , p q p, q
.
2. n = pq.
3. k 4.
4. (n, k) (p, q).
11.113 ESIGN

: s , $s^k \bmod n$ . $s^k \bmod n$ .
1. . m, , :
(a) h(m).
(b) x, 0 ≤ x < pq.
(c) $w = \left\lceil \dfrac{(h(m) - x^k) \bmod n}{pq} \right\rceil$ $y = w \cdot (k x^{k-1})^{-1} \bmod p$.
(d) $s = x + ypq \bmod n$.
(e) m s.
2. . s m, :
(a) (n, k) .
(b) $u = s^k \bmod n$ z = h(m).
(c) $z \le u \le z + 2^{\lceil \frac{2}{3} \lg n \rceil}$, .

. $s^k = (x + ypq)^k = \sum_{i=0}^{k} \binom{k}{i} x^{k-i} (ypq)^i \equiv x^k + k y pq\, x^{k-1} \pmod n$. $k x^{k-1} y \equiv w \pmod p$, , $k x^{k-1} y = w + lp$ l ∈ Z. ,
$$s^k \equiv x^k + pq(w + lp) \equiv x^k + pqw \equiv x^k + pq \left\lceil \frac{(h(m) - x^k) \bmod n}{pq} \right\rceil \equiv x^k + pq \cdot \frac{h(m) - x^k + jn + \epsilon}{pq} \pmod n,$$
$\epsilon = (x^k - h(m)) \bmod pq$. pq , $s^k \equiv x^k + h(m) - x^k + \epsilon \equiv h(m) + \epsilon \pmod n$. $0 \le \epsilon < pq$, $h(m) \le s^k \bmod n \le h(m) + 2^{\lceil \frac{2}{3} \lg n \rceil}$, .

11.114 (ESIGN ) 11.113 m, 0 ≤ m < n h h(m) = m.
. p = 17389 q = 15401, k = 4, $n = p^2 q$ = 4656913120721. A (n = 4656913120721, k = 4) (p = 17389, q = 15401).
. m = 3111527988477, h(m) = 3111527988477 x = 14222 , 0 ≤ x < pq. ,
$$w = \left\lceil \frac{(h(m) - x^k) \bmod n}{pq} \right\rceil = \left\lceil \frac{2848181921806}{267807989} \right\rceil = \lceil 10635.16414 \rceil = 10636,$$
$$y = w (k x^{k-1})^{-1} \bmod p = 10636 \cdot (4 \cdot 14222^3)^{-1} \bmod 17389 = 9567.$$
, $s = x + ypq \bmod n$ = 2562119044985.
. (n = 4656913120721, k = 4) $u = s^k \bmod n$ = 3111751837675. , $3111527988477 \le 3111751837675 \le 3111527988477 + 2^{29}$ ( , $\lceil \tfrac{2}{3} \lg n \rceil$ = 29).
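Algorithm 11.113 run on the parameters of Example 11.114, as an added worked example (not code from the Handbook): p, q, k, m and x are the text's values, h is the identity on [0, n) as the example assumes, and x is passed in as a parameter only so that the printed values reproduce (a real signer draws x at random in [0, pq)).

```python
# Added example, not from the Handbook: ESIGN (Algorithm 11.113) on the exact
# parameters of Example 11.114, where h is the identity on [0, n).
import math

def esign_keygen(p, q, k):
    """Public key (n = p^2 q, k), private key (p, q)."""
    return (p * p * q, k), (p, q)

def esign_sign(m, pub, priv, x):
    """Sign m with the auxiliary value x (0 <= x < pq), chosen at random in
    practice; it is a parameter here so the worked values of 11.114 reproduce."""
    n, k = pub
    p, q = priv
    pq = p * q
    if not 0 <= x < pq:
        raise ValueError("x must satisfy 0 <= x < pq")
    v = m % n                                  # h(m) = m in Example 11.114
    t = (v - pow(x, k, n)) % n
    w = -(-t // pq)                            # ceil(((h(m) - x^k) mod n) / pq)
    y = w * pow(k * pow(x, k - 1, p), -1, p) % p   # w * (k x^{k-1})^{-1} mod p
    return (x + y * pq) % n

def esign_bound(n):
    """2^ceil((2/3) lg n): the slack allowed between h(m) and s^k mod n."""
    return 1 << math.ceil(2 * math.log2(n) / 3)

def esign_verify(m, s, pub):
    """Accept iff h(m) <= s^k mod n <= h(m) + 2^ceil(2 lg n / 3); also return u."""
    n, k = pub
    u = pow(s, k, n)
    z = m % n
    return z <= u <= z + esign_bound(n), u

if __name__ == "__main__":
    pub, priv = esign_keygen(17389, 15401, 4)
    s = esign_sign(3111527988477, pub, priv, 14222)
    print(s, esign_verify(3111527988477, s, pub))   # 2562119044985 (True, 3111751837675)
```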

11.115 ( ESIGN)
(i) modulus $n = p^2 q$ 11.113 modulus RSA p. moduli .
(ii) m, m h(m) , $2^{\lceil \frac{2}{3} \lg n \rceil}$ ( $u = s^k \bmod n$). m' , $h(m') \le u \le h(m') + 2^{\lceil \frac{2}{3} \lg n \rceil}$ s . h(m) h(m') $\lceil (\lg n)/3 \rceil$ bit. h , $2^{(\lg n)/3}$ m' .
(iii) m m' , h(m) h(m') $\lceil (\lg n)/3 \rceil$ bit. ( 2.27(ii)), $O(2^{(\lg n)/6})$ . m , m'.
(iv) n n , (ii) (iii) .
11.116

( ESIGN)
11.113 . k (. k = 4),
1. ,
modulus p. k = 4 modulus n 768 bit,
ESIGN (10 100 ) RSA modulus. RSA
.

11.8



. (., RSA)

.

11.8.1
, 11.2,
(blind signature schemes) . .
.
, a priori m
. m
.
.
11.117 ( )
( ) (
( ) a posteriori m SB(m) .
m

. m SB(m) , .

.

:
1. . SB(x)
x.
2. f g ( ) , g(SB(f (m))) =
SB(m). f (blinding function), g (unblinding function) f(m) .
2 SB g.
11.118 ( RSA) n = pq . SB B RSA ( 11.19) (n, e) d. k gcd(n, k) = 1. $f: \mathbb{Z}_n \to \mathbb{Z}_n$ $f(m) = m k^e \bmod n$ $g: \mathbb{Z}_n \to \mathbb{Z}_n$ $g(m) = k^{-1} m \bmod n$. f, g SB, $g(S_B(f(m))) = g(S_B(m k^e \bmod n)) = g(m^d k \bmod n) = m^d \bmod n = S_B(m)$, 2.


11.119 f g 11.118.
11.119 Chaum

: . m a priori , 0 ≤ m ≤ n − 1. m m.
1. . RSA B (n, e) d, . k 0 ≤ k ≤ n − 1 gcd(n, k) = 1.
2. .
i) () A , $m^* = m k^e \bmod n$ .
ii) () , $s^* = (m^*)^d \bmod n$, .
iii) () , $s = k^{-1} s^* \bmod n$, m.
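Protocol 11.119 with the blinding function f and unblinding function g of Example 11.118, as an added example (not code from the Handbook): the three protocol steps are separate functions so that B's view (m*, s*) and A's result (s) can be compared; the RSA key n = 3233 = 61 · 53, e = 17 and the fixed k used in the demonstration are constructed toy values.

```python
# Added example, not from the Handbook: Chaum's blind signature protocol
# (Protocol 11.119) using the RSA blinding function f and unblinding function g
# of Example 11.118. The key is a constructed toy key (n = 3233); real use needs
# a large modulus and a fresh random k from a CSPRNG for every message.
import secrets
from math import gcd

def rsa_keygen(p, q, e):
    """B's RSA key: public (n, e), private d = e^{-1} mod (p-1)(q-1)."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def blind(m, pub, k=None):
    """A: choose k with gcd(n, k) = 1, send m* = f(m) = m k^e mod n to B."""
    n, e = pub
    while k is None or gcd(k, n) != 1:
        k = secrets.randbelow(n - 1) + 1
    return m * pow(k, e, n) % n, k

def sign_blinded(m_star, pub, d):
    """B: ordinary RSA signature s* = (m*)^d mod n, without learning m."""
    return pow(m_star, d, pub[0])

def unblind(s_star, k, pub):
    """A: s = g(s*) = k^{-1} s* mod n, which is B's RSA signature on m."""
    n = pub[0]
    return pow(k, -1, n) * s_star % n

def rsa_verify(m, s, pub):
    """Anyone: s^e mod n == m."""
    n, e = pub
    return pow(s, e, n) == m % n

def blind_signature_roundtrip(m, pub, d, k=None):
    """Run steps i)-iii); return (s, m*) so that s can be compared with B's
    plain signature m^d mod n while m* (what B saw) differs from m."""
    m_star, k = blind(m, pub, k)
    s = unblind(sign_blinded(m_star, pub, d), k, pub)
    return s, m_star

if __name__ == "__main__":
    pub, d = rsa_keygen(61, 53, 17)            # constructed toy key, n = 3233
    s, m_star = blind_signature_roundtrip(65, pub, d, k=7)
    print(m_star, s, rsa_verify(65, s, pub))
```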

11.8.2
(undeniable signature schemes)
, 11.2,
. .
11.120 ( )

i) ( )
( ). , ,
.
. , (
)
.
ii) .
.
. ,

. .

11.121 11.122

: .
:
1. p = 2q + 1, q .
2. ( α q $\mathbb{Z}_p^*$.)
2.1 β ∈ $\mathbb{Z}_p^*$ α = $\beta^{(p-1)/q} \bmod p$.
2.2 α = 1 2.1.
3. a ∈ {1, 2, ..., q − 1} y = $\alpha^a \bmod p$.
4. (p, α, y). a.
11.122 Chaum-van Antwerpen

: m q $\mathbb{Z}_p^*$ . .
1. . :
i) $s = m^a \bmod p$.
ii) m s.
2. . s m, :
i) B (p, α, y) .
ii) B x1, x2 ∈ {1, 2, ..., q − 1}.
iii) B $z = s^{x_1} y^{x_2} \bmod p$ z .
iv) $w = z^{a^{-1}} \bmod p$ ($a a^{-1} \equiv 1 \pmod q$) w .
v) $w' = m^{x_1} \alpha^{x_2} \bmod p$ , w = w'.
.
$$w \equiv z^{a^{-1}} \equiv (s^{x_1} y^{x_2})^{a^{-1}} \equiv (m^{a x_1} \alpha^{a x_2})^{a^{-1}} \equiv m^{x_1} \alpha^{x_2} \equiv w' \pmod p,$$
.
11.123 , ,

11.123

( ) s m, . $s \ne m^a \bmod p$. 11.122 1/q .

11.124

( )
() 11.122
:
(i) 11.122
(ii)
(iii) .
(i) () . (ii) (iii) ( 11.125).

11.125 11.122 .
11.125 Chaum-van Antwerpen

: s 11.122, .
1. (p, α, y).
2. B x1, x2 ∈ {1, 2, ..., q − 1} , $z = s^{x_1} y^{x_2} \bmod p$ z .
3. , $w = z^{a^{-1}} \bmod p$ ($a a^{-1} \equiv 1 \pmod q$) w .
4. $w = m^{x_1} \alpha^{x_2} \bmod p$, s .
5. $x_1', x_2'$ ∈ {1, 2, ..., q − 1} , $z' = s^{x_1'} y^{x_2'} \bmod p$ z' .
6. , $w' = (z')^{a^{-1}} \bmod p$ w' .
7. $w' = m^{x_1'} \alpha^{x_2'} \bmod p$, s .
8. , $c = (w \alpha^{-x_2})^{x_1'} \bmod p$ $c' = (w' \alpha^{-x_2'})^{x_1} \bmod p$ . c = c', c , s.
11.126 11.125 .
11.126 m s ( ) m.
(i) s , . $s \ne m^a \bmod p$ 11.125 , w = w ( , s ).
(ii) s m, . $s = m^a \bmod p$. 11.126 , . w = w ( A ) 1/q.
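Algorithm 11.122 and the disavowal protocol 11.125 side by side, as an added example (not code from the Handbook): the parameters p = 23 = 2q + 1, q = 11, α = 4 and a = 3 are constructed toy values, the verifier's challenges are passed in explicitly so the runs are reproducible, and the `honest` flag models the two cases of Note 11.126 (a forged s versus a signer trying to disavow a genuine one).

```python
# Added example, not from the Handbook: Chaum-van Antwerpen undeniable signatures
# (Algorithm 11.122) and the disavowal protocol (Algorithm 11.125) on constructed
# toy parameters p = 23 = 2q + 1, q = 11, alpha = 4 (order q), a = 3.
P, Q = 23, 11
ALPHA = 4                       # 2^((p-1)/q) mod p, a generator of order q
A_PRIV = 3                      # B's private key
Y = pow(ALPHA, A_PRIV, P)       # B's public y = alpha^a mod p = 18
A_INV = pow(A_PRIV, -1, Q)      # a^{-1} mod q

def sign(m):
    """B: s = m^a mod p (m must lie in the order-q subgroup generated by alpha)."""
    return pow(m, A_PRIV, P)

def challenge(s, x1, x2):
    """A: z = s^x1 y^x2 mod p for secret random x1, x2 in [1, q-1]."""
    return pow(s, x1, P) * pow(Y, x2, P) % P

def respond(z, honest=True):
    """B: w = z^(a^-1) mod p. A cheating B (trying to disavow a valid
    signature) returns a wrong value instead."""
    w = pow(z, A_INV, P)
    return w if honest else w * ALPHA % P

def check(m, w, x1, x2):
    """A: accept iff w = m^x1 alpha^x2 mod p."""
    return w == pow(m, x1, P) * pow(ALPHA, x2, P) % P

def disavowal(m, s, chal1, chal2, honest=True):
    """Algorithm 11.125 with A's two challenge pairs (x1, x2) and (x1', x2').
    Returns 'valid' if either check passes, 'forgery' if c == c', else
    'cheating' (B is trying to disavow a signature that is actually his)."""
    (x1, x2), (x1p, x2p) = chal1, chal2
    w = respond(challenge(s, x1, x2), honest)
    if check(m, w, x1, x2):
        return "valid"
    wp = respond(challenge(s, x1p, x2p), honest)
    if check(m, wp, x1p, x2p):
        return "valid"
    c = pow(w * pow(ALPHA, -x2, P), x1p, P)     # (w alpha^-x2)^x1'
    cp = pow(wp * pow(ALPHA, -x2p, P), x1, P)   # (w' alpha^-x2')^x1
    return "forgery" if c == cp else "cheating"

if __name__ == "__main__":
    m = pow(ALPHA, 5, P)                        # 12, a message in the subgroup
    s = sign(m)                                 # 3
    print(disavowal(m, s, (2, 5), (7, 3)), disavowal(m, 9, (2, 5), (7, 3)),
          disavowal(m, s, (2, 5), (7, 3), honest=False))
```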
11.127

( )
(i) 11.122 -

q ]p (. 3.6.6).
(ii) B
2 11.122 x1, x2 . C
B s.
, 2 11.122
. m, x1, x2 l [1, q 1] 1

s = ((m x1 x2 )l y x2 ) x1 mod p.
z = s x1 y x2 mod p w = z l mod p. 11.122 s m.
.

11.8.3 - (fail-stop)
- , (
) , . . ,
.

-
,
. , --. - :
1. , .
2. .
3.
, , .
4. .
11.130 -. , ,
(. 11.6.3). --
11.134.
11.128 11.130

: (TTP).
1. TTP :
(a) p q , q | (p − 1) Zq .
(b) ( G, q, $\mathbb{Z}_p^*$ .)
(i) g ∈ $\mathbb{Z}_p^*$ α = $g^{(p-1)/q} \bmod p$.
(ii) α = 1 (i).
(c) a, 1 ≤ a ≤ q − 1, β = $\alpha^a \bmod p$. a TTP.
(d) (p, q, α, β) .
2. :
(a) x1, x2, y1, y2 ∈ [0, q − 1].
(b) $\beta_1 = \alpha^{x_1} \beta^{x_2} \bmod p$ $\beta_2 = \alpha^{y_1} \beta^{y_2} \bmod p$.
(c) (β1, β2, p, q, α, β) x = (x1, x2, y1, y2).


11.129

( TTP)

q Zp
11.128, a,
, TTP.
11.130 fail-stop (van Heijst-Pedersen)

: q $\mathbb{Z}_p^*$ .
1. . m ∈ [0, q − 1], :
(a) $s_{1,m} = x_1 + m y_1 \bmod q$ $s_{2,m} = x_2 + m y_2 \bmod q$.
(b) m $(s_{1,m}, s_{2,m})$.
2. . $(s_{1,m}, s_{2,m})$ m, :
(a) (β1, β2, p, q, α, β) .
(b) $v_1 = \beta_1 \beta_2^m \bmod p$ $v_2 = \alpha^{s_{1,m}} \beta^{s_{2,m}} \bmod p$.
(c) , $v_1 = v_2$.
.
$$v_1 \equiv \beta_1 \beta_2^m \equiv (\alpha^{x_1} \beta^{x_2})(\alpha^{y_1} \beta^{y_2})^m \equiv \alpha^{x_1 + m y_1} \beta^{x_2 + m y_2} \equiv \alpha^{s_{1,m}} \beta^{s_{2,m}} \equiv v_2 \pmod p.$$

11.130 x x' . ( 11.134) . 11.131 11.132.
11.131 ( ) 11.130 (β1, β2, p, q, α, β) x = (x1, x2, y1, y2).
(i) $q^2$ x' = (x1', x2', y1', y2') x1', x2', y1', y2' ∈ $\mathbb{Z}_q$ (β1, β2) .
(ii) $q^2$ (β1, β2). q $\mathbb{Z}_q$, q $(s_{1,m}, s_{2,m})$ m ( 11.130). , $q^2$ q m.
(iii) m ∈ $\mathbb{Z}_q$ m' ≠ m. $q^2$ , $(s_{1,m}, s_{2,m})$ m, q m'.
11.132 ( 11.131) p = 29 q = 7. α = 16 q $\mathbb{Z}_p^*$ . β = $\alpha^5 \bmod 29$ = 23. x = (2, 3, 5, 2) $\beta_1 = \alpha^2 \beta^3 \bmod 29 = 7$, $\beta_2 = \alpha^5 \beta^2 \bmod 29 = 16$. $q^2$ = 49 .
49 m = 1, q = 7 $(s_{1,m}, s_{2,m})$. .
, m ∈ $\mathbb{Z}_7$, 7 (0, 5) m = 1.

11.133

( 11.30)
( )
m. .

(i) (.,
).
11.131(ii) m q/q2 = 1/q .
(ii) m (s1,m, s2,m) . 11.131(iii),
m 1/q ,
.

11.130.

. ,
,
a. a TTP ( 11.129), .
11.134 proof-of-forgery 11.130

: $s' = (s_{1,m}', s_{2,m}')$ m , $a = \log_\alpha \beta$ .
( ) :
1. $s = (s_{1,m}, s_{2,m})$ m x (. 11.128).
2. s' = s 1.
3. $a = (s_{1,m} - s_{1,m}')(s_{2,m}' - s_{2,m})^{-1} \bmod q$.
11.134 . 11.131(iii), s' = s 11.134 1/q. (s' 11.130),
$$\alpha^{s_{1,m}} \beta^{s_{2,m}} \equiv \alpha^{s_{1,m}'} \beta^{s_{2,m}'} \pmod p, \qquad \alpha^{s_{1,m} - s_{1,m}'} \equiv \beta^{s_{2,m}' - s_{2,m}} \equiv \alpha^{a (s_{2,m}' - s_{2,m})} \pmod p,$$
$s_{1,m} - s_{1,m}' \equiv a (s_{2,m}' - s_{2,m}) \pmod q$. , $a = (s_{1,m} - s_{1,m}')(s_{2,m}' - s_{2,m})^{-1} \bmod q$.
11.135 ( )
11.134, .
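The van Heijst-Pedersen scheme on the exact values of Example 11.132, as an added example (not code from the Handbook): Algorithms 11.128 and 11.130 are run with p = 29, q = 7, α = 16, a = 5, x = (2, 3, 5, 2), Fact 11.131 is checked by exhausting the q^2 = 49 consistent keys, and Algorithm 11.134 recovers a from a forgery; the second consistent key (3, 0, 1, 0) used to produce that forgery is constructed.

```python
# Added example, not from the Handbook: the van Heijst-Pedersen fail-stop
# scheme (Algorithms 11.128, 11.130, 11.134) on the parameters of Example 11.132:
# p = 29, q = 7, alpha = 16 (order 7), TTP secret a = 5, beta = alpha^a = 23,
# signer's private key x = (2, 3, 5, 2).
P, Q, ALPHA = 29, 7, 16
A_TTP = 5                             # known only to the TTP
BETA = pow(ALPHA, A_TTP, P)           # 23

def keygen(x):
    """Public key (beta1, beta2) = (alpha^x1 beta^x2, alpha^y1 beta^y2) mod p."""
    x1, x2, y1, y2 = x
    return (pow(ALPHA, x1, P) * pow(BETA, x2, P) % P,
            pow(ALPHA, y1, P) * pow(BETA, y2, P) % P)

def sign(m, x):
    """(s1, s2) = (x1 + m y1 mod q, x2 + m y2 mod q)."""
    x1, x2, y1, y2 = x
    return ((x1 + m * y1) % Q, (x2 + m * y2) % Q)

def verify(m, sig, pub):
    """Accept iff beta1 beta2^m == alpha^s1 beta^s2 (mod p)."""
    b1, b2 = pub
    s1, s2 = sig
    return b1 * pow(b2, m, P) % P == pow(ALPHA, s1, P) * pow(BETA, s2, P) % P

def consistent_keys(pub):
    """Every x' in Z_q^4 with the same public key (Fact 11.131(i): q^2 of them).
    Brute force is fine for q = 7; this is the set an unbounded forger 'knows'."""
    return [(x1, x2, y1, y2)
            for x1 in range(Q) for x2 in range(Q)
            for y1 in range(Q) for y2 in range(Q)
            if keygen((x1, x2, y1, y2)) == pub]

def proof_of_forgery(sig, forged):
    """Algorithm 11.134: from the signer's own (s1, s2) and a verifying forgery
    (s1', s2') != (s1, s2) on the same m, recover a = log_alpha(beta) mod q."""
    s1, s2 = sig
    f1, f2 = forged
    if forged == sig:
        raise ValueError("the forgery coincides with the legitimate signature")
    return (s1 - f1) * pow(f2 - s2, -1, Q) % Q

if __name__ == "__main__":
    x = (2, 3, 5, 2)
    pub = keygen(x)                                   # (7, 16)
    forged = sign(1, (3, 0, 1, 0))                    # another key with the same pub
    print(pub, sign(1, x), len(consistent_keys(pub)),
          verify(1, forged, pub), proof_of_forgery(sign(1, x), forged))
```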

11.9

11.1
1976 Diffie Hellman
[344, 345]. ,
Rivest, Shamir Adleman


[1060]. Merkle
[849, 850] 1978. Merkle 11.6.2. Lamport [738], Rabin
[1022, 1023] Matyas [801].
Mitchell,
Piper Wild [882]. Stinson [1178].
Meyer Matyas [859], Goldwasser, Micali Rivest [484], Rivest
[1054], Schneier [1094].
11.2
Diffie Hellman [344]
.
( )
Merkle Hellman [553]. Davies Price [308],
Denning [326]

. Mitchell, Piper Wild [882], Stinson [1178] 11.2.

Goldwasser, Micali Rivest [484], Rivest [1054].

.
.
Merkle-Hellman Merkle Hellman [857], Shamir [1114]
Shamir [1109]
Odlyzko [939] Ong-Schnorr-Shamir (OSS) [958]
Pollard (. Pollard Schnorr [988]) .
Naccache [914] Ong-Schnorr-Shamir
.
11.3
RSA ( 11.19), Rivest,
Shamir Adleman [1060],
.
RSA (11.3.2(ii)) Davida
[302]. Denning [327] Davida
Moore . Gordon [515] RSA
()
. RSA
( 11.21) de Jonge Chaum [313].


Evertse van Heijst [38] RSA
.
(11.3.3(i)) Davies Price [308],
modulus Guillou.
() modulus t bit n = pq 1 k . $u = 2^t + w 2^{t/2}$ w (t/2 − k) bit. p (t/2) bit u p q r (., u = pq + r). q , n = pq RSA modulus . , t = 14 k = 3, $u = 2^{14} + w 2^7$, w = 11. p = 89, q = 199 n = pq = 17711. n 100010100101111.
Rabin ( 11.25) Rabin
[1023]. Rabin
(. 11.33).
Beller Yacobi [101]
(. 12.5.3).
Rabin ( 11.30) RSA Williams [1246] (. 8.3).
. ISO/IEC 9796
(11.3.5). To e = 2. gcd(e, (p 1)(q 1)/4) = 1,
e Qn.
To ISO/IEC 9796 [596] 1991. RSA
Rabin.
t bit t/2
bit, RSA Rabin.
. Guillou et al. [525]. ISO/IEC
9796 , . Koyama et al. [708].
To ISO/IEC 9796 . Quisquater [1015]
ISO/IEC 9796 . , . h,
k bit. ISO/IEC 9796 t
bit m bit, n > t, m mc ms, mc (n t k) bit. o d = h(m)
m = ms||d m t.
m ISO/IEC 9796 J. H m

mc||J. ,
.
11.3.6 PKCS#1 [1072]. To
,
.
ISO/IEC 9796.
, ,
. e = 3 e
= 216 + 1. PKCS#1 ( ) Boer Bosselaers [324], Desmedt Odlyzko
[341].
11.4
Feige-Fiat-Shamir ( 11.40),
Feige, Fiat Shamir [383], Fiat-Shamir [395],
. Fiat Shamir [395]
h . Feige, Fiat Shamir [383] .
11.44 Fiat Shamir [395]. 11.45
Micali Shamir [868], modulus nA
1, 2, , k .
moduli, j Qn, 1 j k,
n. , Micali Shamir
k
modulus,
.
GQ ( 11.48) Guillou Quisquater [524].
11.5
DSA ( 11.56) Kravitz [711] (Federal Information Processing Standard FIPS)
1991 ...
(Digital Signature Standard DSS)
1994, FIPS 186 [406]. Smid Branstad [1157]
DSA : , , ..,
,
. DSA RSA FIPS.
Naccache et al. [916] DSA. , $k^{-1} \bmod q$ 1(iii) 11.56 b, $u = bk \bmod q$ $s = b\{h(m) + ar\} \bmod q$. (r, s, u).
$u^{-1} \bmod q$ $u^{-1} s \bmod q = s'$. $(r, s')$ , , 11.56. . Naccache et al. $r = (\alpha^k \bmod p) \bmod q$.
DSA, .
. ( ), DSA .
Béguin Quisquater [82] DSA. . ,
DSA. O Arazi [54]
DSA.
ElGamal ( 11.64) 1984
ElGamal [368]. ElGamal [368], Mitchell, Piper Wild [882], Stinson [1178]
.
11.66(iv) Bleichenbacher [153], 11.67(iii),
.
p , Zp y
ElGamal. p
1 = bq b Zp . , = cq c, 0 < c < b, t , t (mod p). m, (r, s) r =
s = t{h(m) cqz} mod (p 1), z qz yq (mod p), m 11.64. Bleichenbacher ElGamal p .
ElGamal 11.5.2 ElGamal [366], Agnew, Mullin Vanstone [19], Kravitz [711],
Schnorr [1098] Yen Laih [1259]. Nyberg Rueppel [938] , ,
Horster Petersen [564],
.
ElGamal
Koblitz [695], Miller [878], 1985. DSA

ECDSA
10 IEEE.
Schnorr ( 11.78), Schnorr [1098],
(.
10.4.4). Schnorr - 11.78. k k mod p , - ki ki mod p , 1 i t, . De Rooij [315] t .
Brickell McCurley [207] Schnorr.
p , p
1, q p, q Zp .
s = ae + k mod (p 1) s = ae + k mod q Schnorr.
Schnorr, : (i) q Zp p
1. ,
Zp .
Okamoto [949] Schnorr
, Zp
- ( - ).
Schnorr , .
Nyberg-Rueppel ( 11.181) Nyberg Rueppel [936].
, , . Nyberg Rueppel [938]. RSA,
S ,
V, S V , V(S(m)) = m m ∈ $\mathbb{Z}_p^*$, S(V(m)) m m ∈ $\mathbb{Z}_p^*$. (
m , ), DSA .

10

1996 (..)


.
(subliminal)
.
Simmons [1139, 1140, 1147, 1149]. O Simmons [1139]
l1 bit l2 bit ,
l1 l2 bit . l1 l2 bit
, ,
. bit,
, .
Simmons ElGamal . , $s = k^{-1}\{h(m) - ar\} \bmod (p - 1)$, a , k .
, . Simmons [1147] DSA.
11.6
Rabin [1022] ( 11.86)
1978. Lamport [738] , Diffie
Hellman [345], . Diffie
. ,
Diffie-Lamport. Lamport [738]
, Bos
Chaum [172]. Bos Chaum
, RSA .
Merkle ( 11.92) Merkle
[853] 15.2.3(vi). 11.95
Merkle [853] Winternitz. Bleichenbacher Maurer [155] Lamport, Merkle Winternitz .
Merkle [850, 852, 853]
. ,

. Merkle [853]

. ,

, ,
. Merkle [853] .
GMR ( 11.102) Goldwasser, Micali Rivest [484],
-
- ( 11.99) .

Goldwasser, Micali Rivest
. , (., ). O Goldreich [465]
, ( 11.99), ,
, . Bellare Micali
[92] GMR -
( ). Naor Yung [920]
. Rompel
[1068], , . (
),
RSA
, , ,
.
on-line/off-line (. 15.2.3(ix))
Even, Goldreich Micali [377, 378]

(.., ).
(..,
RSA, Rabin, DSA). off-line
Merkle ( 11.92),
.
, off-line. off-line
. on-line
off-line
. , ,
.

11.7
11.109
Davies Price [308], Needham Schroeder [923].
To ESIGN ( 11.113 . 15.2.2(i)), Okamoto
Shiraishi [953], OSS, Ong, Schnorr Shamir [958]. OSS
Pollard . Ong, Schnorr Shamir [958] Estes et al.
[374]. To ESIGN
. [953]
k = 2 . Brickell DeLaurentis [202] . k = 3 . Brickell Odlyzko [209, . 516]. Okamoto [948] k 4.
k. Fujioka, Okamoto Miyaguchi [428] ESIGN
RSA .
11.8
(11.8.1) Chaum [242],
, .
( 11.119) Chaum
[243]. Chaum Pedersen [251]
ElGamal (11.5.2),
Schnorr (11.5.3), .
.
Chaum [245] . Camenisch, Piveteau Stadler [228]
DSA ( 11.56) Nyberg-Rueppel ( 11.81). Horster, Petersen Michels [563]
. Stadler, Piveteau Camenisch [1166]


.
Chaum, Fiat Naor [250] ,
() .
, on-line
. , . , ,
(-),
. Okamoto [951] .
()

, .
(11.8.2) Chaum van Antwerpen [252], ( 11.125). Chaum [246]

( 2 11.122) .

. Chaum [247]
. , .
. Chaum [247] RSA. O Okamoto [950] .
, Boyar et al.
[181], (11.8.2)
, () .
., - . . , . . -
. , .
. Boyar et al. [181]

ElGamal (11.5.2) ( )
- .
Chaum, van Heijst Pfitzmann [254] .
- (fail-stop) Waidner Pfitzmann [1227] Pfitzmann Waidner [971]. - - ( 11.98) (. Pfitzmann
Waidner [972]). van Heijst

Petersen [1201], 11.130


. van Heijst, Petersen Pfitzmann [1202]
van Heijst Petersen - .
Damgård [298]
.
Chaum van Heijst [253] (group signature). : (i)
(ii)
, ( ) .
Chen Pedersen [255]
.

: .
.

