Open AccessGenerating standard DSA signatures without long inversion
Author(s) -
Arjen K. Lenstra
Publication year - 1996
Publication title -
lecture notes in computer science
Language(s) - English
Resource type - Book series
SCImago Journal Rank - 0.249
H-Index - 400
eISSN - 1611-3349
pISSN - 0302-9743
ISBN - 3-540-61872-4
DOI - 10.1007/bfb0034835
Subject(s) - modulo , computer science , algorithm , integer (computer science) , digital signature algorithm , inversion (geology) , discrete mathematics , modular design , timing attack , cryptography , digital signature , arithmetic , theoretical computer science , mathematics , hash function , programming language , paleontology , side channel attack , structural basin , biology
We show how the generation of a random integer k modulo q and the subsequent computation of k–1 mod q during the signature phase of the NIST digital signature algorithm (DSA) can be replaced by the simultaneous generation of a pair (k, k–1 mod q). The k generated by our method behaves as an unpredictable integer modulo q that cannot, as far as we know, be efficiently distinguished from a truly randomly generated one. Our approach is useful for memory-bound implementations of DSA, because it avoids modular inversion of large integers. It is different from the inversion-free but non-standard method from [10], thus avoiding possible patent issues and incompatibility with standard DSA signature verification implementations. Another application of our method is in the blinding operation that was proposed by Ron Rivest to foil Paul Kocher's timing attack on RSA, or in any other situation where one needs a random number and its modular inverse.
Accelerating Research
Robert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom
Address
John Eccles HouseRobert Robinson Avenue,
Oxford Science Park, Oxford
OX4 4GP, United Kingdom