question 1 Problem 1 You have a software for a signature scheme SS = (K,S,V) tha

Question

question 1 Problem 1 You have a software for a signature scheme SS = (K,S,V) that is known to be UF-CMA secure under some reasonable assumptions. But the message space for this scheme is only the set messages up to 1 MB but less than 2 MB minus 2 bits. So you decide to use the existing software from now on in the following way. To sign a message M, break it into equal part M1,m2 (for simplicity let?s assume that all messages have even length) and let the signature be computed as Here|| denotes concatenation. The verification algorithm verifies both s1, s2 halves of the signature as b1 V p k and return 1 if neither verification rejected (b1 and b2 are both 1), and return 0 otherwise . Let?s call the modified scheme Prove that SS is not UF-CMA secure.

Explanation / Answer

UF-CMA: (unforgeable under chosen message attacks).

Generally, Advantage of this signature method is ...it has negligible probability of forging a MAC.

But in your case..message divided into two parts..and individually signature calculated and concatenated.

But , firstly we have to learn how the signature is calculated. IT will use identity key and sign..to store calculated signature.

So, if we split message to two lengths then it must use same identity key ( id ). So attacker / forger can guess and win game by identifying these two signatures and by comparing he canable to forger the identity key. So Straight away it is not a secure. But solution for this is....calculated signatures separetly with different identity keys and dont concatenate. Instead of concatnate send them seperately using twoo different identity keys.

Related Questions

Navigate

• Browse (All)
• Browse Q
• Subjects

---

---

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.