Cryptography Asked by Columbida on January 26, 2021
I am looking at a proprietary signature scheme used in production. It involves a short Weierstrass curve $E_{\mathcal{W}}: y^2 = x^3 + ax + b$ over the prime field $\mathbb{F}_p$. The parameters are set up such that $E_{\mathcal{W}}$ is always expressible as a Montgomery curve $E_{\mathcal{M}}: y^2 = x^3 + x$ (i.e. $a_{\mathcal{W}} = 1$, $b_{\mathcal{W}} = 0$, $A_{\mathcal{M}} = 0$, and $B_{\mathcal{M}} = 1$). As far as I know, the Montgomery form is never used for verification. The curve has highly composite order $n$, with a base point $B$ having prime order $\ell$.
The verification process, given a hash function $H$, a keyed hash function $H_k$ built from $H$ (namely $H$ in HMAC mode), a message $M$, a public key $K$ and a signature consisting of a scalar $s$ and a hash $h$, is performed as follows:
$c_1$ and $c_2$ are static HMAC keys known both to the signer and the verifier. My conjecture is that they act as domain separation strings.
I am trying to determine if there is an efficient way of creating a signature that does not involve taking a square root in $\mathbb{F}_p$. Square roots are not trivially found modulo $p$ because it may be that $p \equiv 1 \pmod{4}$ and $p \equiv 1 \pmod{8}$.
Currently, I reach the following signing process:
Is there a way to create a signature passing the above verification process that does not involve a square root in $\mathbb{F}_p$?
Ignoring the case of $R$ being the point at infinity, I have found a patent that seems to describe the system you outline to a T: US 7,512,232 B2, which also makes me suspect that your "commercial" system ends up being Microsoft's in particular. It specifically notes that taking the square root modulo $\ell$ is a requirement. In other words, no, there is no way to simplify.
Answered by asnfkjsdx on January 26, 2021
Is there a way to create a signature passing the above verification process that does not involve a square root in $\mathbb{F}_p$?
Well, one obvious thing to try is setting $R=0$ (the point at infinity); assuming the code doesn't have any protection against that (and the pseudocode doesn't), you compute $h = H_{c_2}(M || R_x || R_y )$ (where $R_x, R_y$ is whatever representation the point-at-infinity has), set $s=0$, and you're done...
Answered by poncho on January 26, 2021