Modern Cryptography: Theory and Practice, Wenbo Mao, part 9

Explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It shows the general unfitness of "textbook crypto" for the real world by

signatures of messages of the forger's choice. This is done via simulation of a signing oracle. In order for the forger to release its full capacity for signature forgery, the simulated signing oracle must behave indistinguishably from a true signer. Since the forger is polynomially bounded, it suffices for us to use the polynomial-time indistinguishability notion, which follows Definition 4.15 in §4.7. In the rest of this chapter we name a forger Malice, who is an active attacker.

16.3 Strong and Provable Security for ElGamal-family Signatures

For a long period of time (1985-1996) after the birth of the ElGamal signature scheme (§10.4.6) and the family of such signatures (e.g., Schnorr §10.4.8.1 and DSS §10.4.8.2), it was widely believed that the difficulty of forging such a signature should somehow be related to solving the discrete logarithm in a large subgroup of a finite field. However, no formal evidence (formal proof) was ever established until 1996. Pointcheval and Stern succeeded in demonstrating affirmative evidence for relating the difficulty of signature forgery under a signature scheme in the ElGamal-family signatures to that of computing discrete logarithm [235]. They do so by making use of a powerful tool: the random oracle model (ROM) for proof of security [22]. The reader may review §15.2.1 to refresh the general idea of using ROM for security proof (there, ROM-based proofs are for public-key encryption schemes). The ROM-based technique of Pointcheval and Stern is an insightful instantiation of the general ROM-based security proof technique to proving security for the ElGamal-family signatures.
16.3.1 Triplet ElGamal-family Signatures

Let us now introduce a typical version of the ElGamal-family signature schemes which can be provably unforgeable under ROM. A scheme in this version takes as input a signing key sk, a public key pk and a message M which is a bit string, and outputs a signature of M as a triplet (r, e, s). Here r is called a commitment; it commits an ephemeral integer .
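
The triplet form and the simulated signing oracle discussed above can be seen side by side in the following added example, which is not code from the book. It assumes the standard Schnorr instantiation (r = g^k, e = H(M, r), s = k + x·e mod q), models H as a lazily sampled random oracle, and uses a constructed toy group; the names `RandomOracle`, `sign`, `simulate_sign` and the symbol k for the ephemeral integer are choices made here.

```python
import secrets

# Constructed toy Schnorr group (Q divides P-1, G has order Q); far too small for real use.
P, Q, G = 2267, 103, 354

class RandomOracle:
    """Lazily sampled random function H(M, r) -> Z_Q, as in the ROM."""
    def __init__(self):
        self.table = {}

    def query(self, msg, r):
        return self.table.setdefault((msg, r), secrets.randbelow(Q))

    def program(self, msg, r, e):
        # An answer can be fixed only at a point that has not been queried yet.
        if (msg, r) in self.table:
            return False
        self.table[(msg, r)] = e
        return True

def keygen():
    x = 1 + secrets.randbelow(Q - 1)          # signing key sk
    return x, pow(G, x, P)                    # (sk, pk)

def sign(oracle, x, msg):
    """True signer: commitment r, e = H(M, r), s = k + x*e mod Q."""
    k = 1 + secrets.randbelow(Q - 1)          # ephemeral integer committed by r
    r = pow(G, k, P)
    e = oracle.query(msg, r)
    return r, e, (k + x * e) % Q

def simulate_sign(oracle, y, msg):
    """Simulated signing oracle: uses only pk and control of H."""
    while True:
        s, e = secrets.randbelow(Q), secrets.randbelow(Q)
        r = (pow(G, s, P) * pow(y, (-e) % Q, P)) % P   # r = g^s * y^(-e)
        if r != 1 and oracle.program(msg, r, e):       # retry on collision
            return r, e, s

def verify(oracle, y, msg, sig):
    r, e, s = sig
    return e == oracle.query(msg, r) and pow(G, s, P) == (r * pow(y, e, P)) % P
```

The simulator works only because the proof controls the answers of H; with a fixed public hash function there is no `program` step, which is why the simulation is a proof device and not a signing shortcut.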