13.2 DSA specifies that if the signature generation process results in a value of s = 0, a new value of k should be generated and the signature should be recalculated. Why?(DSA 指定,如果签名生成过程导致值 s = 0,
应生成新的 k 值,并重新计算签名。为什么?)
答:
生成签名(r,s)的过程如下:
r = (g^k mod p) mod q
s = (k-1(H(M) + xr) ) mod q
当s=0的时候,必有(k-1(H(M) + xr) )整除q,会使得H(M)+xr很容易被找到并且被攻破,且检验的时候,有:w = s-1 mod q,此时s没有逆元,所以当s=0的时候需要重新选择。
13.3 What happens if a k value used in creating a DSA signature is compromised?(如果用于创建 DSA 签名的 k 值被泄露,会发生什么情况?)
k已知的情况下,签名r,s直接可以计算出,使得所有的签名变成“公开”,这样会使得签名变得无效。且攻击者可以随意伪造任何签名。
13.6 Consider the problem of creating domain parameters for DSA. Suppose we have already found primes p and q such that q|(p - 1). Now we need to find g ∈ Zp with g of order q mod p. Consider the following two algorithms: (考虑为 DSA 创建域参数的问题。假设我们已经找到了素数 p 和 q,使得 q|(p - 1)。现在我们需要找到 g ∈ Zp,其中 g 的阶数为 q mod p。请考虑以下两种算法:)
Algorithm 1 Algorithm 2
repeat repeat
select g ∈ Zp select h ∈ Zp
h ←g^q mod p g←h^((p-1)/q) mod p
until (h = 1 and g ≠ 1) until (g ≠ 1)
return g return g
- What happens in Algorithm 1 if ord(q) = q is chosen? (如果选择 ord(q) = q,算法 1 中会发生什么情况?)
- What happens in Algorithm 2 if ord(q) = q is chosen?(如果选择 ord(q) = q,算法 2 中会发生什么?)
- Suppose p = 64891 and q = 421. How many loop iterations do you expect Algorithm 1 to make before it finds a generator? (假设 p = 64891 且 q = 421。您期望算法 1 在找到生成器之前进行多少次循环迭代?)
- If p is 512 bits and q is 128 bits, would you recommend using Algorithm 1 to find g? Explain. (如果 p 是 512 位,q 是 128 位,你会建议使用算法 1 来查找 g 吗?解释)
- Suppose p = 64891 and q = 421. What is the probability that Algorithm 2 computes a generator in its very first loop iteration? (If it is helpful, you may use the fact that ∑(d|n)φ(d) = n when answering this question.(假设 p = 64891 且 q = 421。算法 2 在其第一次循环迭代中计算生成器的概率是多少?(如果有帮助,您可以在回答此问题时使用 ∑(d|n)φ(d) = n 的事实。)