accidental海贼王644
海贼王644 时间:2021-01-20 阅读:()
Op.
52ConstructingDigitalSignaturesfromaOneWayFunctionLeslieLamportComputerScienceLaboratorySRIInternational18October1979CSL-98333RavenswoodAve.
MenloPark,California94025(415)326-6200Cable:SRIINTLMPKTWX:910-373-124611.
IntroductionAdigitalsignaturecreatedbyasenderPforadocumentmisadataitemOp(m)havingthepropertythatuponreceivingmandap(m),onecandetermine(andifnecessaryproveinacourtoflaw)thatPgeneratedthedocumentm.
Aonewayfunctionisafunctionthatiseasytocompute,butwhoseinverseisdifficulttocompute[1].
Morepreciselyaonewayfunctionisafunctionfromasetofdataobjectstoasetofvalueshavingthefollowingtwoproperties:1.
Givenanyvaluev,itiscomputationallyinfeasibletofindadataobjectdsuchthat(d)=v.
2.
Givenanydataobjectd,itiscomputationallyinfeasibletofindadifferentdataobjectdfsuchthat(d!
d)Ifthesetofdataobjectsislargerthanthesetofvalues,thensuchafunctionissometimescalledaonewayhashingfunction.
Wewilldescribeamethodforconstructingdigitalsignaturesfromsuchaonewayfunction.
OurmethodisanimprovementofamethoddevisedbyRabin[2].
LikeRabin's,itrequiresthesenderPtodepositapieceofdataocinsometrustedpublicrepositoryforeachdocumenthewishestosign.
Thisrepositorymusthavethefollowingproperties:-otcanbereadbyanyonewhowantstoverifyPfssignature.
-ItcanbeproveninacourtoflawthatPwasthecreaterofoc.
Onceochasbeenplacedintherepository,Pcanuseittogenerateasignatureforanysingledocumenthewishestosend.
Rabin'smethodhasthefollowingdrawbacksnotpresentinours.
1.
ThedocumentmmustbesenttoasinglerecipientQ,whothenrequestsadditionalinformationfromPtovalidatethesignature.
Pcannotdivulgeanyadditionalvalidatinginformationwithoutcompromisinginformationthatmustremainprivatetopreventsomeoneelsefromgeneratinganewdocumentmfwithavalidsignatureap(mf).
2.
Foracourtoflawtodetermineifthesignatureisvalid,itisnecessaryforPtogivethecourtadditionalprivateinformation.
Thishasthefollowingimplications.
.
P—oratrustedrepresentativeofP—mustbeavailabletothecourt,-Pmustmaintainprivateinformationwhoseaccidentaldisclosurewouldenablesomeoneelsetoforgehissignatureonadocument.
Withourmethod,Pgeneratesasignaturethatisverifiablebyanyone,withnofurtheractiononPfspart.
Aftergeneratingthesignature,Pcandestroytheprivateinformationthatwouldenablesomeoneelsetoforgehissignature.
TheadvantagesofourmethodoverRabin'sareillustratedbythefollowingconsiderationswhenthesigneddocumentmisacheckfromPpayabletoQ.
1.
ItiseasyforQtoendorsethecheckpayabletoathirdpartyRbysendinghimthesignedmessage"makempayabletoRlf.
However,withRabin'sscheme,RcannotdetermineifthecheckmwasreallysignedbyP,sohemustworryaboutforgerybyQaswellaswhetherornotPcancoverthecheck.
Withourmethod,thereisnowayforQtoforgethecheck,sotheendorsedcheckisasgoodasacheckpayabledirectlytoRsignedbyP.
(However,someadditionalmechanismmustbeintroducedtoprevent0fromcashingtheoriginalcheckafterhehassigneditovertoR.
)2.
IfPdieswithoutleavingtheexecutorsofhisestatetheinformationheusedtogeneratehissignatures,thenRabin'smethodcannotpreventQfromundetectablyalteringthecheckm—forexample,bychangingtheamountofmoneypayable.
Suchposthumousforgeryisimpossiblewithourmethod.
3.
WithRabin'smethod,tobeabletosuccessfullychallengeanyattemptbyQtomodifythecheckbeforecashingit,Pmustmaintaintheprivateinformationheusedtogeneratehissignature.
Ifanyone(notjustQ)stolethatinformation,thatpersoncouldforgeacheckfromPpayabletohim.
OurmethodallowsPtodestroythisprivateinformationaftersigningthecheck.
2.
TheAlgorithmWeassumeasetMofpossibledocuments,asetICofpossiblekeys,1TheelementsofKarenotkeysintheusualcryptographicsense,butarearbitrarydataitems.
WecallthemkeysbecausetheyplaythesameroleasthekeysinRabin'salgorithm.
andasetV^ofpossiblevalues.
Let2denotethesetofallsubsetsof{1,.
.
.
,40}containingexactly20elements.
(Thenumbers40and20arearbitrary,andcouldbereplacedby2nandn.
WeareusingthesenumbersbecausetheywereusedbyRabin,andwewishtomakeiteasyforthereadertocompareourmethodwithhis.
)Weassumethefollowingtwofunctions.
1.
AfunctionF:IC->V_withthefollowingtwoproperties:a.
GivenanyvaluevinVfitiscomputationallyinfeasibletofindakeykinKsuchthatF(k)=v.
b.
Foranysmallsetofvaluesv1f.
.
.
,vffl,itiseasytofindakeyksuchthatF(k)isnotequaltoanyofthevi2.
AfunctionG:M^->2withthepropertythatgivenanydocumentminM,itiscomputationallyinfeasibletofindadocumentm1imsuchthatG(mf)=G(m).
ForthefunctionF,wecanuseanyonewayfunctionwhosedomainisthesetofkeys.
ThesecondpropertyofFfollowseasilyfromthesecondpropertyoftheonewayfunction.
WewilldiscusslaterhowthefunctionGcanbeconstructedfromanordinaryonewayfunction.
Forconvenience,weassumethatPwantstogenerateonlyasinglesigneddocument.
Later,weindicatehowhecansignmanydifferentdocuments.
ThesenderPfirstchooses40keysk^suchthatallthevaluesFCk.
^)aredistinct.
(OursecondassumptionaboutFmakesthiseasytodo.
)Heputsinapublicrepositorythedataitemat=(F(k.
F(kjj0)).
NotethatPdoesnotdivulgethekeys^,whichbyourfirstassumptionaboutFcannotbecomputedfroma.
Togenerateasignatureforadocumentra,PfirstcomputesG(m)toobtainasetli-j,.
.
.
,i2o^°^integers.
Thesignatureconsistsofthe20keysk,L.
Moreprecisely,wehaveap(m)=(k_.
k_.
),i1i2Qri1i20wherethei-aredefinedbythefollowingtworequirements:(i)G(m)=Ult.
.
.
,i20}.
(ii)i1computationallyinfeasible.
)Suchfunctionsaredescribedin[1]and[2].
TheobviouswaytoconstructtherequiredfunctionGistolet$besuchaonewayfunction,anddefineG(m)toequalR((m)),whereR:{0,.
.
.
,2n-1}-2.
ItiseasytoconstructafunctionRhavingtherequiredrangeanddomain.
Forexample,onecancomputeR(s)inductivelyasfollows:1.
Dividesby40toobtainaquotientqandaremainderr2.
Usertochooseanelementxfrom{1,.
.
.
,40}.
(Thisiseasytodo,since0rjtobesurethattheresultingfunctionGhastherequiredproperty.
Wesuspectthatformostonewayfunctions,thismethodwouldwork.
However,wecannotprovethis.
ThereasonconstructingGinthismannermightnotworkisthatthefunctionRfrom{0,.
.
.
,2n}into2isamanytoonemapping,andtheresulting"collapsing11ofthedomainmightdefeattheonewaynatureof.
However,itiseasytoshowthatifthefunctionRisonetoone,thenproperty(ii)ofimpliesthatGhastherequiredproperty.
ToconstructG,weneedonlyfindaneasilycomputableonetoonefunctionRfrom{0,.
.
.
,2n-1}into2,forareasonablylargevalueofn.
WecansimplifyourtaskbyobservingthatthefunctionGneednotbedefinedontheentiresetofdocuments.
Itsufficesthatforanydocumentm,itiseasytomodifyminaharmlesswaytogetanewdocumentthatisinthedomainofG.
Forexample,onemightincludeameaninglessnumberaspartofthedocument,andchoosedifferentvaluesofthatnumberuntilheobtainsadocumentthatisinthedomainofG.
Thisisanacceptableprocedureif(i)itiseasytodeterminewhetheradocumentisinthedomain,and(ii)theexpectednumberofchoicesonemustmakebeforefindingadocumentinthedomainissmall.
Withthisinmind,weletn=MOanddefineR(s)asfollows:ifthebinaryrepresentationofscontainsexactly20ones,thenR(s)={i:theitjibitofsequalsone},otherwiseR(s)isundefined.
Approximately13%ofall40bitnumberscontainexactly20ones.
Hence,iftheonewayfunctionissufficientlyrandomizing,thereisa.
13probabilitythatanygivendocumentwillbeinthedomainofG.
Thismeansthatrandomlychoosingdocuments(ormodificationstoadocument),theexpectednumberofchoicesbeforefindingoneinthedomainofGisapproximately8.
Moreover,after17pchoices,theprobabilityofnothavingfoundadocumentinthedomainofGisabout1/10^.
(Ifweuse60keysinsteadof40,theexpectednumberofchoicestofindadocumentinthedomainbecomesabout10,and22pchoicesareneededtoreducetheprobabilityofnotfindingoneto1/10p.
)Iftheonewayfunctionkiseasytocompute,thenthesenumbersindicatethattheexpectedamountofefforttocomputeGisreasonable.
However,itdoesseemundesirabletohavetotrysomanydocumentsbeforefindingoneinthedomainofG.
WehopethatsomeonecanfindamoreelegantmethodforconstructingthefunctionG,perhapsbyfindingaoneto.
onefunctionRwhichisdefinedonalargersubsetof{0,.
.
.
,2n}.
Note;WehavethusfarinsistedthatG(m)beasubsetof{1,.
.
.
,40}consistingofexactly20elements.
ItisclearthatthegenerationandverificationprocedurecanbeappliedifG(m)isanypropersubset.
AnexaminationofourcorrectnessproofshowsthatifweallowG(m)tohaveanynumberofelementslessthan40,thenourmethodwouldstillhavethesamecorrectnesspropertiesifGsatisfiesthefollowingproperty:-ForanydocumentmfitiscomputationallyinfeasibletofindadifferentdocumentmfsuchthatG(mf)isasubsetofG(m).
BytakingtherangeofGtobethecollectionof20elementsubsets,weinsurethatG(mf)cannotbeapropersubsetofG(m).
However,itmaybepossibletoconstructafunctionGsatisfyingthisrequirementwithoutconstrainingtherangeofGinthisway.
REFERENCES[1]Diffie,W.
andHellman,M.
"NewDirectionsinCryptography".
IEEETrans,^nInformationTheoryIT-22_(November1976),544-654.
[2]Rabin,M.
"DigitalizedSignatures",inFoundationsofSecureComputing,AcademicPress(1978),155-168.
52ConstructingDigitalSignaturesfromaOneWayFunctionLeslieLamportComputerScienceLaboratorySRIInternational18October1979CSL-98333RavenswoodAve.
MenloPark,California94025(415)326-6200Cable:SRIINTLMPKTWX:910-373-124611.
IntroductionAdigitalsignaturecreatedbyasenderPforadocumentmisadataitemOp(m)havingthepropertythatuponreceivingmandap(m),onecandetermine(andifnecessaryproveinacourtoflaw)thatPgeneratedthedocumentm.
Aonewayfunctionisafunctionthatiseasytocompute,butwhoseinverseisdifficulttocompute[1].
Morepreciselyaonewayfunctionisafunctionfromasetofdataobjectstoasetofvalueshavingthefollowingtwoproperties:1.
Givenanyvaluev,itiscomputationallyinfeasibletofindadataobjectdsuchthat(d)=v.
2.
Givenanydataobjectd,itiscomputationallyinfeasibletofindadifferentdataobjectdfsuchthat(d!
d)Ifthesetofdataobjectsislargerthanthesetofvalues,thensuchafunctionissometimescalledaonewayhashingfunction.
Wewilldescribeamethodforconstructingdigitalsignaturesfromsuchaonewayfunction.
OurmethodisanimprovementofamethoddevisedbyRabin[2].
LikeRabin's,itrequiresthesenderPtodepositapieceofdataocinsometrustedpublicrepositoryforeachdocumenthewishestosign.
Thisrepositorymusthavethefollowingproperties:-otcanbereadbyanyonewhowantstoverifyPfssignature.
-ItcanbeproveninacourtoflawthatPwasthecreaterofoc.
Onceochasbeenplacedintherepository,Pcanuseittogenerateasignatureforanysingledocumenthewishestosend.
Rabin'smethodhasthefollowingdrawbacksnotpresentinours.
1.
ThedocumentmmustbesenttoasinglerecipientQ,whothenrequestsadditionalinformationfromPtovalidatethesignature.
Pcannotdivulgeanyadditionalvalidatinginformationwithoutcompromisinginformationthatmustremainprivatetopreventsomeoneelsefromgeneratinganewdocumentmfwithavalidsignatureap(mf).
2.
Foracourtoflawtodetermineifthesignatureisvalid,itisnecessaryforPtogivethecourtadditionalprivateinformation.
Thishasthefollowingimplications.
.
P—oratrustedrepresentativeofP—mustbeavailabletothecourt,-Pmustmaintainprivateinformationwhoseaccidentaldisclosurewouldenablesomeoneelsetoforgehissignatureonadocument.
Withourmethod,Pgeneratesasignaturethatisverifiablebyanyone,withnofurtheractiononPfspart.
Aftergeneratingthesignature,Pcandestroytheprivateinformationthatwouldenablesomeoneelsetoforgehissignature.
TheadvantagesofourmethodoverRabin'sareillustratedbythefollowingconsiderationswhenthesigneddocumentmisacheckfromPpayabletoQ.
1.
ItiseasyforQtoendorsethecheckpayabletoathirdpartyRbysendinghimthesignedmessage"makempayabletoRlf.
However,withRabin'sscheme,RcannotdetermineifthecheckmwasreallysignedbyP,sohemustworryaboutforgerybyQaswellaswhetherornotPcancoverthecheck.
Withourmethod,thereisnowayforQtoforgethecheck,sotheendorsedcheckisasgoodasacheckpayabledirectlytoRsignedbyP.
(However,someadditionalmechanismmustbeintroducedtoprevent0fromcashingtheoriginalcheckafterhehassigneditovertoR.
)2.
IfPdieswithoutleavingtheexecutorsofhisestatetheinformationheusedtogeneratehissignatures,thenRabin'smethodcannotpreventQfromundetectablyalteringthecheckm—forexample,bychangingtheamountofmoneypayable.
Suchposthumousforgeryisimpossiblewithourmethod.
3.
WithRabin'smethod,tobeabletosuccessfullychallengeanyattemptbyQtomodifythecheckbeforecashingit,Pmustmaintaintheprivateinformationheusedtogeneratehissignature.
Ifanyone(notjustQ)stolethatinformation,thatpersoncouldforgeacheckfromPpayabletohim.
OurmethodallowsPtodestroythisprivateinformationaftersigningthecheck.
2.
TheAlgorithmWeassumeasetMofpossibledocuments,asetICofpossiblekeys,1TheelementsofKarenotkeysintheusualcryptographicsense,butarearbitrarydataitems.
WecallthemkeysbecausetheyplaythesameroleasthekeysinRabin'salgorithm.
andasetV^ofpossiblevalues.
Let2denotethesetofallsubsetsof{1,.
.
.
,40}containingexactly20elements.
(Thenumbers40and20arearbitrary,andcouldbereplacedby2nandn.
WeareusingthesenumbersbecausetheywereusedbyRabin,andwewishtomakeiteasyforthereadertocompareourmethodwithhis.
)Weassumethefollowingtwofunctions.
1.
AfunctionF:IC->V_withthefollowingtwoproperties:a.
GivenanyvaluevinVfitiscomputationallyinfeasibletofindakeykinKsuchthatF(k)=v.
b.
Foranysmallsetofvaluesv1f.
.
.
,vffl,itiseasytofindakeyksuchthatF(k)isnotequaltoanyofthevi2.
AfunctionG:M^->2withthepropertythatgivenanydocumentminM,itiscomputationallyinfeasibletofindadocumentm1imsuchthatG(mf)=G(m).
ForthefunctionF,wecanuseanyonewayfunctionwhosedomainisthesetofkeys.
ThesecondpropertyofFfollowseasilyfromthesecondpropertyoftheonewayfunction.
WewilldiscusslaterhowthefunctionGcanbeconstructedfromanordinaryonewayfunction.
Forconvenience,weassumethatPwantstogenerateonlyasinglesigneddocument.
Later,weindicatehowhecansignmanydifferentdocuments.
ThesenderPfirstchooses40keysk^suchthatallthevaluesFCk.
^)aredistinct.
(OursecondassumptionaboutFmakesthiseasytodo.
)Heputsinapublicrepositorythedataitemat=(F(k.
F(kjj0)).
NotethatPdoesnotdivulgethekeys^,whichbyourfirstassumptionaboutFcannotbecomputedfroma.
Togenerateasignatureforadocumentra,PfirstcomputesG(m)toobtainasetli-j,.
.
.
,i2o^°^integers.
Thesignatureconsistsofthe20keysk,L.
Moreprecisely,wehaveap(m)=(k_.
k_.
),i1i2Qri1i20wherethei-aredefinedbythefollowingtworequirements:(i)G(m)=Ult.
.
.
,i20}.
(ii)i1computationallyinfeasible.
)Suchfunctionsaredescribedin[1]and[2].
TheobviouswaytoconstructtherequiredfunctionGistolet$besuchaonewayfunction,anddefineG(m)toequalR((m)),whereR:{0,.
.
.
,2n-1}-2.
ItiseasytoconstructafunctionRhavingtherequiredrangeanddomain.
Forexample,onecancomputeR(s)inductivelyasfollows:1.
Dividesby40toobtainaquotientqandaremainderr2.
Usertochooseanelementxfrom{1,.
.
.
,40}.
(Thisiseasytodo,since0rjtobesurethattheresultingfunctionGhastherequiredproperty.
Wesuspectthatformostonewayfunctions,thismethodwouldwork.
However,wecannotprovethis.
ThereasonconstructingGinthismannermightnotworkisthatthefunctionRfrom{0,.
.
.
,2n}into2isamanytoonemapping,andtheresulting"collapsing11ofthedomainmightdefeattheonewaynatureof.
However,itiseasytoshowthatifthefunctionRisonetoone,thenproperty(ii)ofimpliesthatGhastherequiredproperty.
ToconstructG,weneedonlyfindaneasilycomputableonetoonefunctionRfrom{0,.
.
.
,2n-1}into2,forareasonablylargevalueofn.
WecansimplifyourtaskbyobservingthatthefunctionGneednotbedefinedontheentiresetofdocuments.
Itsufficesthatforanydocumentm,itiseasytomodifyminaharmlesswaytogetanewdocumentthatisinthedomainofG.
Forexample,onemightincludeameaninglessnumberaspartofthedocument,andchoosedifferentvaluesofthatnumberuntilheobtainsadocumentthatisinthedomainofG.
Thisisanacceptableprocedureif(i)itiseasytodeterminewhetheradocumentisinthedomain,and(ii)theexpectednumberofchoicesonemustmakebeforefindingadocumentinthedomainissmall.
Withthisinmind,weletn=MOanddefineR(s)asfollows:ifthebinaryrepresentationofscontainsexactly20ones,thenR(s)={i:theitjibitofsequalsone},otherwiseR(s)isundefined.
Approximately13%ofall40bitnumberscontainexactly20ones.
Hence,iftheonewayfunctionissufficientlyrandomizing,thereisa.
13probabilitythatanygivendocumentwillbeinthedomainofG.
Thismeansthatrandomlychoosingdocuments(ormodificationstoadocument),theexpectednumberofchoicesbeforefindingoneinthedomainofGisapproximately8.
Moreover,after17pchoices,theprobabilityofnothavingfoundadocumentinthedomainofGisabout1/10^.
(Ifweuse60keysinsteadof40,theexpectednumberofchoicestofindadocumentinthedomainbecomesabout10,and22pchoicesareneededtoreducetheprobabilityofnotfindingoneto1/10p.
)Iftheonewayfunctionkiseasytocompute,thenthesenumbersindicatethattheexpectedamountofefforttocomputeGisreasonable.
However,itdoesseemundesirabletohavetotrysomanydocumentsbeforefindingoneinthedomainofG.
WehopethatsomeonecanfindamoreelegantmethodforconstructingthefunctionG,perhapsbyfindingaoneto.
onefunctionRwhichisdefinedonalargersubsetof{0,.
.
.
,2n}.
Note;WehavethusfarinsistedthatG(m)beasubsetof{1,.
.
.
,40}consistingofexactly20elements.
ItisclearthatthegenerationandverificationprocedurecanbeappliedifG(m)isanypropersubset.
AnexaminationofourcorrectnessproofshowsthatifweallowG(m)tohaveanynumberofelementslessthan40,thenourmethodwouldstillhavethesamecorrectnesspropertiesifGsatisfiesthefollowingproperty:-ForanydocumentmfitiscomputationallyinfeasibletofindadifferentdocumentmfsuchthatG(mf)isasubsetofG(m).
BytakingtherangeofGtobethecollectionof20elementsubsets,weinsurethatG(mf)cannotbeapropersubsetofG(m).
However,itmaybepossibletoconstructafunctionGsatisfyingthisrequirementwithoutconstrainingtherangeofGinthisway.
REFERENCES[1]Diffie,W.
andHellman,M.
"NewDirectionsinCryptography".
IEEETrans,^nInformationTheoryIT-22_(November1976),544-654.
[2]Rabin,M.
"DigitalizedSignatures",inFoundationsofSecureComputing,AcademicPress(1978),155-168.
- accidental海贼王644相关文档
- 船舶海贼王644
- "床上用品产品质量监督抽查合格企业名单"
- 第1页共1页贵阳日报/2008
- 《丰富多彩的动画人物》教学反思
- 健身海贼王644
- 教职成〔2016〕310号
易探云:香港物理机服务器仅550元/月起;E3-1230/16G DDR3/SATA 1TB/香港BGP/20Mbps
易探云怎么样?易探云(yitanyun.com)是一家知名云计算品牌,2017年成立,从业4年之久,目前主要从事出售香港VPS、香港独立服务器、香港站群服务器等,在售VPS线路有三网CN2、CN2 GIA,该公司旗下产品均采用KVM虚拟化架构。目前,易探云推出免备案香港物理机服务器性价比很高,E3-1230 8 核*1/16G DDR3/SATA 1TB/香港BGP线路/20Mbps/不限流量,仅...
Raksmart:香港高防服务器/20Mbps带宽(cn2+bgp)/40G-100Gbps防御
RAKsmart怎么样?RAKsmart香港机房新增了付费的DDoS高防保护服务,香港服务器默认接入20Mbps的大陆优化带宽(电信走CN2、联通和移动走BGP)。高防服务器需要在下单页面的IP Addresses Option里面选择购买,分:40Gbps大陆优化高防IP-$461/月、100Gbps国际BGP高防IP-$692/月,有兴趣的可以根据自己的需求来选择!点击进入:RAKsmart官...
御云(RoyalYun):香港CN2 GIA VPS仅7.9元每月起,美国vps仅8.9/月,续费同价,可叠加优惠
御云怎么样?炎炎暑期即将来临,御云(royalyun)香港、美国服务器开启大特惠模式。御云是新成立的云服务提供商,主要提供香港、美国的云服务器,不久将开启虚拟主机业务。我们的香港和美国主机采用CN2 GIA线路。目前,香港cn2 gia vps仅7.9元每月起,美国vps仅8.9/月,续费同价,可叠加优惠,香港云服务器国内延迟一般在50ms左右,是搭建网站的最佳选择,但是请不要用于违法用途。点击进...
海贼王644为你推荐
-
绿色桌面背景图片什么类的桌面背景图好看?浏览器哪个好什么浏览器最好?麒麟820和980哪个好麒麟980跟骁龙855哪个好一点?绝地求生加速器哪个好绝地求生哪个加速器好用一点,求推荐一个苹果手机助手哪个好苹果手机助手哪个好,苹果手机助手推荐?qq空间登录不上qq空间登不进去 怎么办qq空间登录不了为什么我的QQ空间登陆不上?360云盘关闭360云盘已经关闭了 文件怎么下360云u盘怎么删除360云u盘360云盘转存百度云盘360云盘可以转存百度云盘吗