DSS: Digital Signature Standard
DSA
- Signature process:
graph TD;
id2 -.Signature.-> id12
subgraph Signature Generation;
id0(Message/Data)-.-> id1(Hash Function)
id1 -.Message Digest.-> id2(Signature Generation)
id3(Private Key) -.-> id2
end
subgraph Signature Verification;
id10(Message/Data)-.-> id11(Hash Function)
id11 -.Message Digest.-> id12(Signature Verification)
id13(Public Key) -.-> id12
id12 -.-> id14(Valid/Invalid)
end
- Initial setup:
- Obtain Domain Parameter;
- Obtain Assurance of Domain Parameter Validity;
- Obtain DS Key Pair;
- Obtain Assurance of Public Key Validity;
- Obtain Assurance of Possession of the DS Private Key;
- Register the Public Key and Identity with a TTP (Optional);
- Digital signature generation:
- Generate a Message Digest;
- Obtain Additional Information for the Digital Signature Process;
- Generate a Digital Signature;
- Verify the Digital Signature (Optional);
- Digital signature verification and validation:
graph LR;
subgraph Actions;
id1(Get the Claimed Signatory's Identifiers) -.-> id2(Obtain the Domain Parameters and Public Key)
id2 -.-> id3(Generate a Message Digest)
id3 -.-> id4(Verify the Digital Signature)
end
subgraph Assurance;
aid1(Obtain assurance of the Claimed Signatory's Identity)
aid2(Obtain Assurance of Domain Parameter Validity) -.-> aid3(Obtain Assurance of the Validity of the Owner's Public Key)
aid2 -.-> aid4(Obtain Assurance that the Owner Possesses the Private Key)
end
subgraph ValidationComplete;
vid1(Digital Signature Validation Complete)
end
aid1 -.-> vid1
aid3 -.-> vid1
aid4 -.-> vid1
id4 -.-> vid1
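DSA parameters
- Public key \(y=g^x\mod p\);
- Private key \(x\in [1,q-1]\);
- A prime \(p\) of bit length \(L\), \(p\in (2^{L-1}, 2^L)\);
- A prime \(q\) coprime to \(p-1\), of bit length \(N\), \(q\in (2^{N-1}, 2^N)\);
- A generator \(g\) of the subgroup of order \(q\) in the multiplicative group of \(GF(p)\), \(g \in (1,p)\);
- A pseudorandom integer \(k\), \(k\in [1,q-1]\);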
DSA domain parameters
- \(p, q, g\);
- Optional domain_parameter_seed/counter, used to generate \(p,q\);
DSA parameter selection
- (L,N) length choices specified by the standard:
- L = 1024, N = 160;
- L = 2048, N = 224;
- L = 2048, N = 256;
- L = 3072, N = 256;
- The hash function must be chosen so that its security strength is greater than \(min(L,N)\);
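DSA signature generation
- Let \(outlen\) denote the bit length of the hash function's output bit string;
- Let truncate_l(bit_str, len) denote the leftmost len bits of the bit string bit_str;
- \(k^{-1}\) denotes the inverse of the random number \(k\) modulo \(q\), i.e. \((k^{-1}\cdot k)\mod q = 1\);
- The signature \((r,s)\) is computed as follows: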
\[\begin{aligned} & r = (g^k \mod p) \mod q \\ & z = truncate_l(Hash(M), min(N, outlen)) \\ & s = (k^{-1}(z+x\cdot r))\mod q; \end{aligned} \]
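DSA signature verification and validation
- Assume the verifier has already confirmed the domain parameters and the public key;
- Suppose the recipient has received the message \(M'\) and the signature \((r', s')\); the signature is then verified as follows:
- The signature must satisfy \(0\lt r' \lt q\), \(0 \lt s' \lt q\);
- \(r'\) must satisfy \(r'=v\):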
- \(w = (s')^{-1}\mod q\);
- \(z = truncate_l(Hash(M'), min(N, outlen))\);
- \(u1 = (z\cdot w)\mod q\);
- \(u2 = (r' \cdot w)\mod q\);
- \(v = ((g^{u1}\cdot y^{u2})\mod p) \mod q\);
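The signature generation and verification steps above, carried through in Python as an added example (not code from these notes or from FIPS 186-4). Assumptions: the toy domain parameters are constructed for illustration, with q dividing p-1 as FIPS 186-4 requires, and are far too small for real use; SHA-256 is the assumed hash; the function names keygen, sign, verify and digest_to_z are hypothetical.

```python
import hashlib
import secrets

# Constructed toy domain parameters, far too small for real use:
# p = 607 and q = 101 are prime, q divides p - 1, and g = 2^((p-1)/q) mod p.
P, Q, G = 607, 101, 64
N = Q.bit_length()                          # bit length of q (7 here)

def truncate_l(bit_str: bytes, length: int) -> int:
    """Leftmost `length` bits of bit_str, returned as an integer."""
    return int.from_bytes(bit_str, "big") >> (len(bit_str) * 8 - length)

def digest_to_z(message: bytes) -> int:
    digest = hashlib.sha256(message).digest()   # assumed hash function
    outlen = len(digest) * 8
    return truncate_l(digest, min(N, outlen))

def keygen():
    x = secrets.randbelow(Q - 1) + 1        # private key x in [1, q-1]
    return x, pow(G, x, P)                  # public key y = g^x mod p

def sign(message: bytes, x: int):
    z = digest_to_z(message)
    while True:
        k = secrets.randbelow(Q - 1) + 1    # fresh secret k in [1, q-1] per signature
        r = pow(G, k, P) % Q
        s = (pow(k, -1, Q) * (z + x * r)) % Q
        if r != 0 and s != 0:               # FIPS 186-4: pick a new k if r or s is 0
            return r, s

def verify(message: bytes, sig, y: int) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):       # range check before any arithmetic
        return False
    w = pow(s, -1, Q)
    z = digest_to_z(message)
    u1 = (z * w) % Q
    u2 = (r * w) % Q
    v = (pow(G, u1, P) * pow(y, u2, P)) % P % Q
    return v == r

if __name__ == "__main__":
    x, y = keygen()
    msg = b"constructed sample message"
    r, s = sign(msg, x)
    print(verify(msg, (r, s), y))           # signature produced by sign()
    print(verify(msg, (r, s + Q), y))       # same s modulo q, outside the allowed range
```

The range check is what rejects (r, s + q): s' is only ever used modulo q, so without the check that pair would verify exactly like (r, s).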
RSA digital signature algorithm
- Public key \((n, e)\);
- Private key \((n, d)\);
Related standards:
- ANS X9.31;
- PKCS1;
ECDSA digital signature algorithm
Related standards:
Other content to be added;
References
- FIPS 186-4;
- FIPS 186-5-draft;