1996-02-01 - Re: Revisitting Blum-Macali “digital signatures”
Header Data
From: Wei Dai <weidai@eskimo.com>
To: “Paul E. Campbell” <pecampbe@mtu.edu>
Message Hash: af88c79344621e0beaf3ebbefd95fd30128b4207241efc82496256da4803d88b
Message ID: <Pine.SUN.3.91.960129173214.24777B-100000@eskimo.com>
Reply To: <199601291842.NAA27974@metlab1.my.mtu.edu>
UTC Datetime: 1996-02-01 14:02:32 UTC
Raw Date: Thu, 1 Feb 1996 22:02:32 +0800
Raw message
From: Wei Dai <weidai@eskimo.com>
Date: Thu, 1 Feb 1996 22:02:32 +0800
To: "Paul E. Campbell" <pecampbe@mtu.edu>
Subject: Re: Revisitting Blum-Macali "digital signatures"
In-Reply-To: <199601291842.NAA27974@metlab1.my.mtu.edu>
Message-ID: <Pine.SUN.3.91.960129173214.24777B-100000@eskimo.com>
MIME-Version: 1.0
Content-Type: text/plain
On Mon, 29 Jan 1996, Paul E. Campbell wrote:
> There was some discussion on Usenet a while back about doing "digital
> signatures" with the Blum-Macali public key method.
>
> Briefly, Blum-Macali relies on the BBS generator to generate a "one-time pad".
> And the pad can be reversed by taking repeated square roots on the random
> number seed (assuming you know the factorization) to get back to the starting
> seed.
>
> So, the author suggested that one calculate a digest of the message, call it
> D.
>
> Then the author suggested that one calculate D^(1/2), as per the Blum-Micali
> method.
>
> Then he goes on to do the signature check by checking whether or not
>
> D^2 == X^4
>
> where X is the "signature".
>
> I understand that there is some sign ambiguity involved in calculating square
> roots mod B where B is a Blum integer (that causes 4 possible roots). And
> that's the source of ambiguity problems in Rabin digital signatures, but if
> the Blum-Micali public key method works, then this sign ambiguity shouldn't
> exist (because they define a SPECIFIC root to use), and the method can be
> simplified to simply calculating D^(1/2) and the check is simply D==X^2.
>
> What am I missing here?
Let me see if I understand you correctly. The scheme you describe says
to calculate X=(D^2)^(1/4) as the signature and check D^2==X^4 for
verification. You are wondering why you can't just calculate Y=D^(1/2)
as the signature and check D==Y^2 for verification.
The problem here is that some D's don't have square roots. For a Blum
integer n, only 1/4 of the numbers between 1 and n-1 have square roots
mod n (they are called quadratic residues mod n). For a D that is a
quadratic residue, the X and Y above are equal. But for a D that is not a
quadratic residue, Y can't be calculated. X can still be calculated in
this case, but X^2 != D.
Wei Dai
Thread
- Return to January 1996
Return to February 1996
- Return to ““Paul E. Campbell” <pecampbe@mtu.edu>”
Return to “Wei Dai <weidai@eskimo.com>”
- 1996-01-29 (Tue, 30 Jan 1996 03:22:32 +0800) - Revisitting Blum-Macali “digital signatures” - “Paul E. Campbell” <pecampbe@mtu.edu>
- 1996-02-01 (Thu, 1 Feb 1996 22:02:32 +0800) - Re: Revisitting Blum-Macali “digital signatures” - Wei Dai <weidai@eskimo.com>