# OASIS – SAML Security Assertion Markup Language


## A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms

TAHER ELGAMAL

2005.3.28
KANG JEON-IL
INHA Univ.

### Diffie-Hellman key distribution

- $p$: large prime number
- $\alpha$: primitive element mod $p$
- A has a secret $x_A$ and publishes $y_A \equiv \alpha^{x_A} \bmod p$; B has a secret $x_B$ and publishes $y_B \equiv \alpha^{x_B} \bmod p$. A sends $y_A$ to B and B sends $y_B$ to A.
- $K_{AB} \equiv \alpha^{x_A x_B} \equiv y_A^{\,x_B} \equiv y_B^{\,x_A} \bmod p$
- It is not yet proved that breaking the system is equivalent to computing discrete logarithms.
- If $p-1$ has only small prime factors, then computing discrete logarithms is easy.

Since 2003 『 Information Security Research Laboratory 』
The Graduate School of Information Technology & Telecommunication in INHA Univ.

### Public Key System [1]

- A wants to send B a message $m$, where $0 \le m \le p-1$.
- A chooses a number $k$ uniformly between $0$ and $p-1$.
- B has a secret $x_B$ and public key $y_B \equiv \alpha^{x_B} \bmod p$.
- A computes $K \equiv y_B^{\,k} \bmod p$, $c_1 \equiv \alpha^k \bmod p$, $c_2 \equiv Km \bmod p$ and sends $(c_1, c_2)$ to B.
- B computes $K \equiv (\alpha^k)^{x_B} \equiv c_1^{\,x_B} \bmod p$ and recovers $m \equiv c_2 / K \bmod p$.

### Public Key System [2]

- If $k$ is used more than once,

  $c_{1,1} \equiv \alpha^k \bmod p, \quad c_{2,1} \equiv m_1 K \bmod p$
  $c_{1,2} \equiv \alpha^k \bmod p, \quad c_{2,2} \equiv m_2 K \bmod p$

  then $m_1 / m_2 \equiv c_{2,1} / c_{2,2} \bmod p$, and $m_2$ is easily computed if $m_1$ is known.
- Breaking the system is equivalent to breaking the Diffie-Hellman distribution scheme:
  - If $m$ can be computed from $c_1$, $c_2$ and $y$, then $K$ can also be computed from $y$, $c_1$ and $c_2$.
  - (Even if $m$ is known) computing $k$ or $x$ from $c_1$, $c_2$ and $y$ is equivalent to computing discrete logarithms.

### A Digital Signature Scheme

- The Signing Procedure
  1) Choose a random number $k$, uniformly between $0$ and $p-1$, such that $\gcd(k, p-1) = 1$.
  2) $r \equiv \alpha^k \bmod p$
  3) The signature for $m$ is the pair $(r, s)$, $0 \le r, s < p-1$, satisfying

  $\alpha^m \equiv y^r r^s \equiv \alpha^{xr} \alpha^{ks} \bmod p,$

  which can be solved for $s$ by using

  $m \equiv xr + ks \bmod (p-1)$
  $s \equiv (m - xr) / k \bmod (p-1)$
- The Verification Procedure
  - Given $m$, $r$ and $s$, it is easy to verify the authenticity of the signature by computing both sides of $\alpha^m \equiv y^r r^s \bmod p$ and checking that they are equal.

### Attacks on the Signature [1]

- Attack 1 (to recover $x$)
  - Given $\{m_i, (r_i, s_i) : i = 1, 2, \ldots, l\}$, an intruder may try to solve the $l$ equations

  $m_1 \equiv x r_1 + k_1 s_1 \bmod (p-1)$
  $m_2 \equiv x r_2 + k_2 s_2 \bmod (p-1)$
  $\ldots$
  $m_l \equiv x r_l + k_l s_l \bmod (p-1)$

  - But these $l$ equations contain $l+1$ unknowns ($x$ and $k_1, \ldots, k_l$)!
- Attack 2 (to recover $x$)
  - Trying to solve equations of the form $\alpha^m \equiv y^r r^s \equiv \alpha^{xr} r^s \bmod p$.
  - It is always equivalent to computing discrete logarithms over $GF(p)$.

### Attacks on the Signature [2]

- Attack 3 (to recover $x$)
  - An intruder might try to develop some linear dependencies among the unknowns $\{k_i : i = 1, 2, \ldots, l\}$, such as

  $k_i \equiv c\,k_j \bmod (p-1) \;\Rightarrow\; r_i \equiv \alpha^{k_i} \equiv \alpha^{c k_j} \equiv r_j^{\,c} \bmod p$

  - This is also equivalent to computing discrete logarithms.
- Attack 4 (forging a signature)
  - Given a document $m$, a forger may try to find $r$, $s$.
  - If $r \equiv \alpha^j \bmod p$ is fixed for some $j$ chosen at random, then computing $s$ is equivalent to solving a DLP over $GF(p)$.
  - If the forger fixes $s$ first, then $r$ could be computed from the equation $r^s y^r \equiv A \bmod p$.
  - It is not yet proved to be at least as hard as computing DLPs. But it does not seem to be feasible to solve it in polynomial time.

### Attacks on the Signature [3]

- Attack 5 (forging a signature)
  - It seems possible that $\alpha^m \equiv y^r r^s \bmod p$ can be solved for both $r$ and $s$ simultaneously.
- Attack 6 (forging a signature)
  - Select integers $A$ (= 0), $B$ and $C$ arbitrarily such that $(Ar - Cs)$ is relatively prime to $p-1$, and set

  $r' \equiv r^A \alpha^B y^C \bmod p$
  $s' \equiv \dfrac{s\,r'}{Ar - Cs} \bmod (p-1)$
  $m' \equiv \dfrac{r'(Am + Bs)}{Ar - Cs} \bmod (p-1)$

  - Then $(r', s')$ signs $m'$:

  $y^{r'} r'^{\,s'} \equiv y^{r'} \left(r^A \alpha^B y^C\right)^{\frac{s r'}{Ar - Cs}} \bmod p$
  $\equiv \left(y^{\,r'Ar - r'Cs + r'Cs}\; r^{Asr'} \alpha^{Bsr'}\right)^{\frac{1}{Ar - Cs}} \bmod p$
  $\equiv \left(\left(y^r r^s\right)^{Ar'} \alpha^{Bsr'}\right)^{\frac{1}{Ar - Cs}} \bmod p$
  $\equiv \alpha^{\frac{mAr' + Bsr'}{Ar - Cs}} \bmod p$
  $\equiv \alpha^{m'} \bmod p$

### Properties [1]

- The best known algorithm is given by

  $O\!\left(\exp \sqrt{c\,m \ln m}\right)$

  where the best estimate for $c$ is $0.69$.
- These estimates imply that we have to use numbers that are about the size of the numbers used in the RSA system in order to obtain the same level of security. So the size of the public file is larger (exactly twice) than that for the RSA system.

### Properties [2] (public key system)

- Due to the randomization (over $k$) in the enciphering operation, the cipher text for a given message $m$ is not repeated.
  - This prevents attacks like a probable-text attack.
- Due to the structure of the system, there is no obvious relation between the enciphering of $m_1$, $m_2$ and $m_1 m_2$, or any other simple function of $m_1$ and $m_2$.
- For the enciphering operation, two exponentiations are required.
- For the deciphering operation, only one exponentiation (plus one division) is needed.

### Properties [3] (signature scheme)

- The signature is double the size of the document. Then the size of the signature is the same as that needed for the RSA scheme.
- Since the number of signatures is $p^2$ while the number of documents is only $p$, each document $m$ has a lot of signatures, but any signature signs only one document.
- For the signing procedure, one exponentiation (plus a few multiplications) is needed.
- To verify a signature, it seems that three (or 1.875) exponentiations are needed.
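The Diffie-Hellman exchange and the enciphering/deciphering steps from the Public Key System slides, written out as an added Python example (this is not code from the slides or from ElGamal's paper). It uses constructed toy parameters (p = 467, a safe prime, and alpha = 2) so the arithmetic is readable; the parameter check reflects the Diffie-Hellman slide's caveat that a smooth p − 1 makes discrete logarithms easy, and the last function turns the "k used more than once" slide into a regression check that k is never reused.

```python
"""Diffie-Hellman key distribution and ElGamal enciphering over GF(p), written
in the slides' notation (p, alpha, x_A, y_A, K, c_1, c_2). Added example, not
code from the slides; parameters are small constructed values, not usable sizes."""
import math
import secrets

# Constructed toy parameters: 467 = 2*233 + 1 is a safe prime, so p - 1 has a large
# prime factor and the slide's "p - 1 has only small prime factors" weakness does
# not apply; 2 is a primitive element mod 467.
P = 467
ALPHA = 2


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used in this example."""
    if n < 2:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (toy sizes only)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_element(alpha: int, p: int) -> bool:
    """alpha generates GF(p)* iff alpha^((p-1)/q) != 1 for every prime q dividing p-1."""
    return 1 < alpha < p and all(pow(alpha, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))


def check_params(p: int, alpha: int) -> bool:
    """Parameter check motivated by the Diffie-Hellman slide: accept p only if it is
    a safe prime (p and (p-1)/2 both prime, so p-1 is not smooth) and alpha is primitive."""
    return is_prime(p) and is_prime((p - 1) // 2) and is_primitive_element(alpha, p)


def dh_keypair(p: int, alpha: int, x: int = None) -> tuple:
    """Secret exponent x in [1, p-2] and public value y = alpha^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(alpha, x, p)


def dh_shared_key(their_y: int, my_x: int, p: int) -> int:
    """K_AB = y_B^x_A = y_A^x_B = alpha^(x_A x_B) mod p."""
    return pow(their_y, my_x, p)


def elgamal_encrypt(m: int, y_b: int, p: int, alpha: int, k: int = None) -> tuple:
    """A -> B: K = y_B^k, c_1 = alpha^k, c_2 = K*m (mod p). k must be fresh for
    every message; it is drawn from [1, p-2] because k = 0 would send m in clear."""
    if not 0 <= m <= p - 1:
        raise ValueError("message must satisfy 0 <= m <= p-1")
    if k is None:
        k = secrets.randbelow(p - 2) + 1
    K = pow(y_b, k, p)
    return pow(alpha, k, p), (K * m) % p


def elgamal_decrypt(c1: int, c2: int, x_b: int, p: int) -> int:
    """B: K = c_1^x_B mod p, then m = c_2 / K mod p (division as multiplication
    by the modular inverse)."""
    K = pow(c1, x_b, p)
    return (c2 * pow(K, -1, p)) % p


def recover_m2_from_reused_k(c2_1: int, c2_2: int, m1: int, p: int) -> int:
    """Key-reuse check from the Public Key System [2] slide: with the same k both
    ciphertexts share K, so m_1/m_2 = c_{2,1}/c_{2,2} (mod p) and a known m_1 yields
    m_2 without x_B. Use it as a regression test that k is never reused."""
    if c2_1 == 0:
        raise ValueError("c_{2,1} must be nonzero (m_1 != 0)")
    return (m1 * c2_2 * pow(c2_1, -1, p)) % p


if __name__ == "__main__":
    assert check_params(P, ALPHA)
    x_a, y_a = dh_keypair(P, ALPHA)
    x_b, y_b = dh_keypair(P, ALPHA)
    assert dh_shared_key(y_b, x_a, P) == dh_shared_key(y_a, x_b, P)
    c1, c2 = elgamal_encrypt(321, y_b, P, ALPHA)
    print("decrypted:", elgamal_decrypt(c1, c2, x_b, P))
```

`pow(K, -1, p)` (Python 3.8+) performs the "one division" the Properties slide counts for deciphering; the two exponentiations it counts for enciphering are the `pow` calls in `elgamal_encrypt`.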
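The signing and verification procedures from the Digital Signature Scheme slide, followed by a check of the Attack 6 algebra on the last "Attacks on the Signature" slide, as an added Python example (not code from the slides). It reuses the constructed toy parameters p = 467 and alpha = 2; `sign` enforces the slide's gcd(k, p − 1) = 1 condition, `attack6_triple` computes the slide's (r', s', m') only to confirm that the derivation really yields a pair that passes verification, and `sign_document` / `verify_document` show the standard mitigation the slides do not spell out: signing a hash of the document, so the forger's m' corresponds to no chosen document.

```python
"""ElGamal signature scheme over GF(p) in the slides' notation, plus a check of
the Attack 6 algebra and the hash-the-document mitigation. Added example, not
code from the slides; p and alpha are constructed toy values, far too small for use."""
import hashlib
import math
import secrets

P, ALPHA = 467, 2   # constructed toy safe prime and primitive element


def keygen(p: int, alpha: int, x: int = None) -> tuple:
    """Secret x in [1, p-2], public y = alpha^x mod p."""
    if x is None:
        x = secrets.randbelow(p - 2) + 1
    return x, pow(alpha, x, p)


def sign(m: int, x: int, p: int, alpha: int, k: int = None) -> tuple:
    """Signing procedure: pick k with gcd(k, p-1) = 1, r = alpha^k mod p,
    s = (m - x r) / k mod (p-1). A fresh k is required for every signature."""
    if k is None:
        k = secrets.randbelow(p - 2) + 1
        while math.gcd(k, p - 1) != 1:
            k = secrets.randbelow(p - 2) + 1
    elif math.gcd(k, p - 1) != 1:
        raise ValueError("k must be relatively prime to p-1")
    r = pow(alpha, k, p)
    s = ((m - x * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s


def verify(m: int, r: int, s: int, y: int, p: int, alpha: int) -> bool:
    """Verification procedure: compute both sides of alpha^m == y^r r^s (mod p)
    and compare; r (a nonzero residue mod p) and s (reduced mod p-1) are
    range-checked first so out-of-range values are rejected, not reduced."""
    if not (0 < r < p and 0 <= s < p - 1):
        return False
    return pow(alpha, m, p) == (pow(y, r, p) * pow(r, s, p)) % p


def message_digest(document: bytes, p: int) -> int:
    """Mitigation: sign m = H(document) mod (p-1) rather than the raw document.
    A forged m' is then useful only if a document hashing to m' can be found,
    a preimage problem at real parameter sizes (not at this toy size)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % (p - 1)


def sign_document(document: bytes, x: int, p: int, alpha: int) -> tuple:
    return sign(message_digest(document, p), x, p, alpha)


def verify_document(document: bytes, r: int, s: int, y: int, p: int, alpha: int) -> bool:
    return verify(message_digest(document, p), r, s, y, p, alpha)


def attack6_triple(m: int, r: int, s: int, y: int, p: int, alpha: int,
                   A: int, B: int, C: int) -> tuple:
    """Attack 6 from the slides, reproduced only to test the slide's algebra:
      r' = r^A alpha^B y^C mod p
      s' = s r' / (Ar - Cs) mod (p-1)
      m' = r' (Am + Bs) / (Ar - Cs) mod (p-1)
    Requires gcd(Ar - Cs, p-1) = 1. Note m' is an output, not a choice,
    which is why hashing the document (above) removes the practical impact."""
    d = (A * r - C * s) % (p - 1)
    if math.gcd(d, p - 1) != 1:
        raise ValueError("Ar - Cs must be relatively prime to p-1")
    inv = pow(d, -1, p - 1)
    r2 = (pow(r, A, p) * pow(alpha, B, p) * pow(y, C, p)) % p
    s2 = (s * r2 * inv) % (p - 1)
    m2 = (r2 * (A * m + B * s) * inv) % (p - 1)
    return m2, r2, s2


if __name__ == "__main__":
    x, y = keygen(P, ALPHA)
    r, s = sign_document(b"constructed sample document", x, P, ALPHA)
    print("document signature verifies:", verify_document(b"constructed sample document", r, s, y, P, ALPHA))
```

With x = 3, k = 9 and m = 200 the signing equations give r = 45 and s = 59, which is small enough to check by hand against m ≡ xr + ks mod (p − 1): 3·45 + 9·59 = 666 ≡ 200 (mod 466).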