Scribd
Upload
61 views4 pages

K Dsa PDF

This appendix provides a proof that v = r in DSA signature verification. It presents 4 lemmas: 1) Powers of g modulo p are equal modulo q and p. 2) Combining modular terms preserves equality modulo p. 3) y(rw) modulo q and p equals g(xrw) modulo q and p. 4) ((H(M)+xr)w) modulo q equals k. Using these lemmas, it proves that v equals r when calculating the DSA signature.

Uploaded by

sushma
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
61 views4 pages

K Dsa PDF

This appendix provides a proof that v = r in DSA signature verification. It presents 4 lemmas: 1) Powers of g modulo p are equal modulo q and p. 2) Combining modular terms preserves equality modulo p. 3) y(rw) modulo q and p equals g(xrw) modulo q and p. 4) ((H(M)+xr)w) modulo q equals k. Using these lemmas, it proves that v equals r when calculating the DSA signature.

Uploaded by

sushma
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

A PPENDIX K

Proof of the Digital Signature


Algorithm

William Stallings
Copyright 2010

Supplement to
Cryptography and Network Security, Fifth Edition
William Stallings
Prentice Hall 2010
ISBN-10: 0136097049
http://williamstallings.com/Crypto/Crypto5e.html
The purpose of this appendix is to provide a proof that in the DSA signature verification we have
v = r if the signature is valid. The following proof is based on that which appears in the FIPS
standard, but it includes additional details to make the derivation clearer.

LEMMA 1. For any integer t, if g = h(p–1)/q mod p


then gt mod p = gt mod q mod p

Proof: By Fermat's theorem (Chapter 8), because h is relatively prime to p, we have


Hp–1 mod p = 1. Hence, for any nonnegative integer n,

nq
=  h( ) mod p mod p
p −1 q
gnq mod p
 
= h((p–1)/q)nq mod p by the rules of modular arithmetic
= h(p–1)n mod p
 p −1 n
=   h( ) mod p  mod p by the rules of modular arithmetic
  

= 1n mod p = 1

So, for nonnegative integers n and z, we have

gnq+z mod p = (gnq gz) mod p

= (( gnq
)( ))
mod p g z mod p mod p

= gz mod p

Any nonnegative integer t can be represented uniquely as t = nq + z, where n and z are


nonnegative integers and 0 < z < q. So z = t mod q. The result follows. QED.

LEMMA 2. For nonnegative integers a and b: g(a mod q + b mod q) mod p = g(a+b) mod q mod p

K-2
Proof: By Lemma 1, we have

g(a mod q + b mod q) mod p = g(a mod q + b mod q) mod q mod p


= g(a + b) mod q mod p
QED.

LEMMA 3. y(rw) mod q mod p = g(xrw) mod q mod p

Proof: By definition (Figure 13.2), y = gx mod p. Then:

y(rw) mod q mod p = (gx mod p)(rw) mod q mod p


= gx ((rw) mod q) mod p by the rules of modular
arithmetic
= g(x ((rw) mod q)) mod q mod p by Lemma 1
= g(xrw) mod q mod p
QED.

LEMMA 4. ((H(M) + xr)w) mod q = k

( )
Proof: By definition (Figure 13.2), s = k −1 (H( M) + xr) mod q . Also, because q is prime, any

nonnegative integer less than q has a multiplicative inverse (Chapter 8). So (k k–1) mod q = 1.
Then:

(ks) mod q =  k (( k −1
(H(M ) + xr)) mod q) mod q

(( ))
=  k k −1 (H(M ) + xr)  mod q

=  ((kk ) mod q )(( H(M ) + xr ) mod q ) mod q


−1

= ((H( M ) + xr)) mod q

K-3
By definition, w = s–1 mod q and therefore (ws) mod q = 1. Therefore,

((H(M) + xr)w) mod q = (((H(M) + xr) mod q) (w mod q)) mod q


= (((ks) mod q) (w mod q)) mod q
= (kws) mod q
= ((k mod q) ((ws) mod q)) mod q
= k mod q

Because 0 < k < q, we have k mod q = k. QED.

THEOREM: Using the definitions of Figure 13.2, v = r.

v = (( gu1 u2
y ) mod p) mod q by definition

  (H ( M )w ) mod q ( rw ) mod q  
= g y mod p mod q
   
  (H ( M )w ) mod q ( xrw ) mod q  
= g g mod p mod q by Lemma 3
  
  (H ( M )w ) mod q +( xrw ) mod q  
g  mod p mod q
=

  (H ( M )w+xrw) mod q  
g  mod p mod q
= by Lemma 2

  (( H( M ) +xr )w ) mod q  
= g  mod p mod q
  
= ( gk mod p) mod q by Lemma 4
= r by definition
QED.

K-4

You might also like