accidental海贼王644
海贼王644 时间:2021-01-20 阅读:(
)
Op.
52ConstructingDigitalSignaturesfromaOneWayFunctionLeslieLamportComputerScienceLaboratorySRIInternational18October1979CSL-98333RavenswoodAve.
MenloPark,California94025(415)326-6200Cable:SRIINTLMPKTWX:910-373-124611.
IntroductionAdigitalsignaturecreatedbyasenderPforadocumentmisadataitemOp(m)havingthepropertythatuponreceivingmandap(m),onecandetermine(andifnecessaryproveinacourtoflaw)thatPgeneratedthedocumentm.
Aonewayfunctionisafunctionthatiseasytocompute,butwhoseinverseisdifficulttocompute[1].
Morepreciselyaonewayfunctionisafunctionfromasetofdataobjectstoasetofvalueshavingthefollowingtwoproperties:1.
Givenanyvaluev,itiscomputationallyinfeasibletofindadataobjectdsuchthat(d)=v.
2.
Givenanydataobjectd,itiscomputationallyinfeasibletofindadifferentdataobjectdfsuchthat(d!
d)Ifthesetofdataobjectsislargerthanthesetofvalues,thensuchafunctionissometimescalledaonewayhashingfunction.
Wewilldescribeamethodforconstructingdigitalsignaturesfromsuchaonewayfunction.
OurmethodisanimprovementofamethoddevisedbyRabin[2].
LikeRabin's,itrequiresthesenderPtodepositapieceofdataocinsometrustedpublicrepositoryforeachdocumenthewishestosign.
Thisrepositorymusthavethefollowingproperties:-otcanbereadbyanyonewhowantstoverifyPfssignature.
-ItcanbeproveninacourtoflawthatPwasthecreaterofoc.
Onceochasbeenplacedintherepository,Pcanuseittogenerateasignatureforanysingledocumenthewishestosend.
Rabin'smethodhasthefollowingdrawbacksnotpresentinours.
1.
ThedocumentmmustbesenttoasinglerecipientQ,whothenrequestsadditionalinformationfromPtovalidatethesignature.
Pcannotdivulgeanyadditionalvalidatinginformationwithoutcompromisinginformationthatmustremainprivatetopreventsomeoneelsefromgeneratinganewdocumentmfwithavalidsignatureap(mf).
2.
Foracourtoflawtodetermineifthesignatureisvalid,itisnecessaryforPtogivethecourtadditionalprivateinformation.
Thishasthefollowingimplications.
.
P—oratrustedrepresentativeofP—mustbeavailabletothecourt,-Pmustmaintainprivateinformationwhoseaccidentaldisclosurewouldenablesomeoneelsetoforgehissignatureonadocument.
Withourmethod,Pgeneratesasignaturethatisverifiablebyanyone,withnofurtheractiononPfspart.
Aftergeneratingthesignature,Pcandestroytheprivateinformationthatwouldenablesomeoneelsetoforgehissignature.
TheadvantagesofourmethodoverRabin'sareillustratedbythefollowingconsiderationswhenthesigneddocumentmisacheckfromPpayabletoQ.
1.
ItiseasyforQtoendorsethecheckpayabletoathirdpartyRbysendinghimthesignedmessage"makempayabletoRlf.
However,withRabin'sscheme,RcannotdetermineifthecheckmwasreallysignedbyP,sohemustworryaboutforgerybyQaswellaswhetherornotPcancoverthecheck.
Withourmethod,thereisnowayforQtoforgethecheck,sotheendorsedcheckisasgoodasacheckpayabledirectlytoRsignedbyP.
(However,someadditionalmechanismmustbeintroducedtoprevent0fromcashingtheoriginalcheckafterhehassigneditovertoR.
)2.
IfPdieswithoutleavingtheexecutorsofhisestatetheinformationheusedtogeneratehissignatures,thenRabin'smethodcannotpreventQfromundetectablyalteringthecheckm—forexample,bychangingtheamountofmoneypayable.
Suchposthumousforgeryisimpossiblewithourmethod.
3.
WithRabin'smethod,tobeabletosuccessfullychallengeanyattemptbyQtomodifythecheckbeforecashingit,Pmustmaintaintheprivateinformationheusedtogeneratehissignature.
Ifanyone(notjustQ)stolethatinformation,thatpersoncouldforgeacheckfromPpayabletohim.
OurmethodallowsPtodestroythisprivateinformationaftersigningthecheck.
2.
TheAlgorithmWeassumeasetMofpossibledocuments,asetICofpossiblekeys,1TheelementsofKarenotkeysintheusualcryptographicsense,butarearbitrarydataitems.
WecallthemkeysbecausetheyplaythesameroleasthekeysinRabin'salgorithm.
andasetV^ofpossiblevalues.
Let2denotethesetofallsubsetsof{1,.
.
.
,40}containingexactly20elements.
(Thenumbers40and20arearbitrary,andcouldbereplacedby2nandn.
WeareusingthesenumbersbecausetheywereusedbyRabin,andwewishtomakeiteasyforthereadertocompareourmethodwithhis.
)Weassumethefollowingtwofunctions.
1.
AfunctionF:IC->V_withthefollowingtwoproperties:a.
GivenanyvaluevinVfitiscomputationallyinfeasibletofindakeykinKsuchthatF(k)=v.
b.
Foranysmallsetofvaluesv1f.
.
.
,vffl,itiseasytofindakeyksuchthatF(k)isnotequaltoanyofthevi2.
AfunctionG:M^->2withthepropertythatgivenanydocumentminM,itiscomputationallyinfeasibletofindadocumentm1imsuchthatG(mf)=G(m).
ForthefunctionF,wecanuseanyonewayfunctionwhosedomainisthesetofkeys.
ThesecondpropertyofFfollowseasilyfromthesecondpropertyoftheonewayfunction.
WewilldiscusslaterhowthefunctionGcanbeconstructedfromanordinaryonewayfunction.
Forconvenience,weassumethatPwantstogenerateonlyasinglesigneddocument.
Later,weindicatehowhecansignmanydifferentdocuments.
ThesenderPfirstchooses40keysk^suchthatallthevaluesFCk.
^)aredistinct.
(OursecondassumptionaboutFmakesthiseasytodo.
)Heputsinapublicrepositorythedataitemat=(F(k.
F(kjj0)).
NotethatPdoesnotdivulgethekeys^,whichbyourfirstassumptionaboutFcannotbecomputedfroma.
Togenerateasignatureforadocumentra,PfirstcomputesG(m)toobtainasetli-j,.
.
.
,i2o^°^integers.
Thesignatureconsistsofthe20keysk,L.
Moreprecisely,wehaveap(m)=(k_.
k_.
),i1i2Qri1i20wherethei-aredefinedbythefollowingtworequirements:(i)G(m)=Ult.
.
.
,i20}.
(ii)i1computationallyinfeasible.
)Suchfunctionsaredescribedin[1]and[2].
TheobviouswaytoconstructtherequiredfunctionGistolet$besuchaonewayfunction,anddefineG(m)toequalR((m)),whereR:{0,.
.
.
,2n-1}-2.
ItiseasytoconstructafunctionRhavingtherequiredrangeanddomain.
Forexample,onecancomputeR(s)inductivelyasfollows:1.
Dividesby40toobtainaquotientqandaremainderr2.
Usertochooseanelementxfrom{1,.
.
.
,40}.
(Thisiseasytodo,since0rjtobesurethattheresultingfunctionGhastherequiredproperty.
Wesuspectthatformostonewayfunctions,thismethodwouldwork.
However,wecannotprovethis.
ThereasonconstructingGinthismannermightnotworkisthatthefunctionRfrom{0,.
.
.
,2n}into2isamanytoonemapping,andtheresulting"collapsing11ofthedomainmightdefeattheonewaynatureof.
However,itiseasytoshowthatifthefunctionRisonetoone,thenproperty(ii)ofimpliesthatGhastherequiredproperty.
ToconstructG,weneedonlyfindaneasilycomputableonetoonefunctionRfrom{0,.
.
.
,2n-1}into2,forareasonablylargevalueofn.
WecansimplifyourtaskbyobservingthatthefunctionGneednotbedefinedontheentiresetofdocuments.
Itsufficesthatforanydocumentm,itiseasytomodifyminaharmlesswaytogetanewdocumentthatisinthedomainofG.
Forexample,onemightincludeameaninglessnumberaspartofthedocument,andchoosedifferentvaluesofthatnumberuntilheobtainsadocumentthatisinthedomainofG.
Thisisanacceptableprocedureif(i)itiseasytodeterminewhetheradocumentisinthedomain,and(ii)theexpectednumberofchoicesonemustmakebeforefindingadocumentinthedomainissmall.
Withthisinmind,weletn=MOanddefineR(s)asfollows:ifthebinaryrepresentationofscontainsexactly20ones,thenR(s)={i:theitjibitofsequalsone},otherwiseR(s)isundefined.
Approximately13%ofall40bitnumberscontainexactly20ones.
Hence,iftheonewayfunctionissufficientlyrandomizing,thereisa.
13probabilitythatanygivendocumentwillbeinthedomainofG.
Thismeansthatrandomlychoosingdocuments(ormodificationstoadocument),theexpectednumberofchoicesbeforefindingoneinthedomainofGisapproximately8.
Moreover,after17pchoices,theprobabilityofnothavingfoundadocumentinthedomainofGisabout1/10^.
(Ifweuse60keysinsteadof40,theexpectednumberofchoicestofindadocumentinthedomainbecomesabout10,and22pchoicesareneededtoreducetheprobabilityofnotfindingoneto1/10p.
)Iftheonewayfunctionkiseasytocompute,thenthesenumbersindicatethattheexpectedamountofefforttocomputeGisreasonable.
However,itdoesseemundesirabletohavetotrysomanydocumentsbeforefindingoneinthedomainofG.
WehopethatsomeonecanfindamoreelegantmethodforconstructingthefunctionG,perhapsbyfindingaoneto.
onefunctionRwhichisdefinedonalargersubsetof{0,.
.
.
,2n}.
Note;WehavethusfarinsistedthatG(m)beasubsetof{1,.
.
.
,40}consistingofexactly20elements.
ItisclearthatthegenerationandverificationprocedurecanbeappliedifG(m)isanypropersubset.
AnexaminationofourcorrectnessproofshowsthatifweallowG(m)tohaveanynumberofelementslessthan40,thenourmethodwouldstillhavethesamecorrectnesspropertiesifGsatisfiesthefollowingproperty:-ForanydocumentmfitiscomputationallyinfeasibletofindadifferentdocumentmfsuchthatG(mf)isasubsetofG(m).
BytakingtherangeofGtobethecollectionof20elementsubsets,weinsurethatG(mf)cannotbeapropersubsetofG(m).
However,itmaybepossibletoconstructafunctionGsatisfyingthisrequirementwithoutconstrainingtherangeofGinthisway.
REFERENCES[1]Diffie,W.
andHellman,M.
"NewDirectionsinCryptography".
IEEETrans,^nInformationTheoryIT-22_(November1976),544-654.
[2]Rabin,M.
"DigitalizedSignatures",inFoundationsofSecureComputing,AcademicPress(1978),155-168.
Boomer.Host是一家比较新的国外主机商,虽然LEB自述 we’re now more than 2 year old,商家提供虚拟主机和VPS,其中VPS主机基于OpenVZ架构,数据中心为美国得克萨斯州休斯敦。目前,商家在LET发了两款特别促销套餐,年付最低3.5美元起,特别提醒:低价低配,且必须年付,请务必自行斟酌确定需求再入手。下面列出几款促销套餐的配置信息。CPU:1core内存:...
Digital-vm是一家成立于2019年的国外主机商,商家提供VPS和独立服务器租用业务,其中VPS基于KVM架构,提供1-10Gbps带宽,数据中心可选包括美国洛杉矶、日本、新加坡、挪威、西班牙、丹麦、荷兰、英国等8个地区机房;除了VPS主机外,商家还提供日本、新加坡独立服务器,同样可选1-10Gbps带宽,最低每月仅80美元起。下面列出两款独立服务器配置信息。配置一 $80/月CPU:E3-...
对于Megalayer云服务器提供商在之前也有对于他们家的美国服务器和香港服务器进行过评测和介绍,但是对于大部分网友来说需要独立服务器和站群服务器并不是特别的普及,我们很多网友使用较多的还是云服务器或者VPS主机比较多。在前面也有在"Megalayer新增香港VPS主机 1GB内存 50GB SSD 2M带宽 月59元"文章中有介绍到Megalayer商家有新增香港CN2优化VPS主机。那时候看这...
海贼王644为你推荐
金士顿4g内存条价格金士顿4G内存条多少钱?电脑杀毒软件哪个好电脑杀毒软件哪个好用莫代尔和纯棉哪个好莫代尔和纯棉的区别,莫代尔和纯棉哪个好法兰绒和珊瑚绒哪个好法兰绒和珊瑚绒哪个好被套好游戏加速器哪个好游戏加速器用哪个比较好用游戏盒子哪个好游戏盒子哪个好?电陶炉和电磁炉哪个好电磁炉和电陶炉哪个好? 电磁炉和电陶炉的具体区别红茶和绿茶哪个好红茶和绿茶 那个更好电动牙刷哪个好电动牙刷和普通牙刷哪个好,有何区别?行车记录仪哪个好我想买一个24小时监控行车记录仪,哪款比较好?
网站空间购买 成都虚拟主机 老域名失效请用户记下 备案域名购买 紧急升级请记住新域名 vps是什么意思 免费二级域名申请 主机优惠码 本网站服务器在美国维护 国外永久服务器 国内永久免费云服务器 表单样式 好看的桌面背景图片 建站代码 mysql主机 韩国网名大全 坐公交投2700元 新天域互联 刀片服务器是什么 789电视网 更多