## GMR – signature system

### GMR – signature system (1)

Consequence: "variation of m" (active attack) now also means a "variation of R", a randomly chosen reference that is unknown to the attacker when he chooses m.

Problems:

1. securing the originality of the randomly chosen reference
2. construction of the collision-resistant permutations (which are invertible only using the secret) which depend on the messages

Solution of problem 2

Idea: choose 2 collision-resistant permutations $f_0$, $f_1$ (which are invertible only using the secret) and compose $F_{n,m}$ from $f_0$, $f_1$. (For simplicity, we will write $f_0$ instead of $f_{n,0}$ and $f_1$ instead of $f_{n,1}$.)

Def.: Two permutations $f_0$, $f_1$ are called collision-resistant iff it is difficult to find any $x, y, z$ with $f_0(x) = f_1(y) = z$.

Note. Proposition: collision-resistant $\Rightarrow$ one-way.

Proof (indirect): if $f_i$ isn't one-way:

1. choose $x$;
2. $f_{1-i}(x) = z$;
3. $f_i^{-1}(z) = y$.

Then $f_{1-i}(x) = f_i(y) = z$, so $x, y, z$ form a collision.

[Figure: the collision $f_0(x) = f_1(y) = z$, with the three proof steps drawn on it.]

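### GMR – signature system (2)

Construction: for $m = b_0 b_1 \ldots b_k$ ($b_0, \ldots, b_k \in \{0,1\}$) let

$$F_{n,m} := f_{b_0} \circ f_{b_1} \circ \ldots \circ f_{b_k}$$

$$F_{n,m}^{-1} := f_{b_k}^{-1} \circ \ldots \circ f_{b_1}^{-1} \circ f_{b_0}^{-1}$$

Signing:

$$R \;\to\; f_{b_0}^{-1}(R) \;\to\; \ldots \;\to\; f_{b_k}^{-1}(\ldots(f_{b_0}^{-1}(R))\ldots) =: \mathrm{Sig}_R^m$$

Testing:

$$\mathrm{Sig}_R^m \;\to\; f_{b_k}(\mathrm{Sig}_R^m) \;\to\; \ldots \;\to\; f_{b_0}(\ldots(f_{b_k}(\mathrm{Sig}_R^m))\ldots) \stackrel{?}{=} R$$

Example ($m = 1110$):

$$\mathrm{Sig}_R^{1110} \xrightarrow{f_0} \cdot \xrightarrow{f_1} \cdot \xrightarrow{f_1} \cdot \xrightarrow{f_1} R$$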
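The signing and testing chains above, run end to end as an added example that is not part of the original slides. The slides leave $f_0$, $f_1$ abstract; the squaring-based pair used here ($f_0(x) = \pm x^2 \bmod N$, $f_1(x) = \pm 4x^2 \bmod N$ with $N = P \cdot Q$, $P \equiv 3 \bmod 8$, $Q \equiv 7 \bmod 8$), the toy primes and the reference $R = 25$ are assumptions of the example.

```python
# Added example: toy signing/testing with a squaring-based permutation pair.
# Assumption: f0(x) = +-x^2 mod N and f1(x) = +-4x^2 mod N act on
# D = {x : 0 < x < N/2, Jacobi(x/N) = +1}; the slides keep f0, f1 abstract.
P, Q = 19, 23            # secret primes (toy size): P % 8 == 3, Q % 8 == 7
N = P * Q                # public modulus
INV4 = pow(4, -1, N)

def f(bit, x):
    """Public direction: f_bit(x), folded into (0, N/2)."""
    y = (4 if bit else 1) * x * x % N
    return min(y, N - y)

def _is_qr(w):
    """Uses the secret: is w a square modulo both primes?"""
    return pow(w, (P - 1) // 2, P) == 1 and pow(w, (Q - 1) // 2, Q) == 1

def f_inv(bit, z):
    """Secret direction: f_bit^{-1}(z); needs the factors P and Q."""
    w = z if _is_qr(z) else N - z          # exactly one of z, -z is a square
    if bit:
        w = w * INV4 % N                   # undo the factor 4 of f1
    rp = pow(w, (P + 1) // 4, P)           # square root mod P (P % 4 == 3)
    rq = pow(w, (Q + 1) // 4, Q)           # square root mod Q (Q % 4 == 3)
    r = (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N   # CRT
    return min(r, N - r)                   # representative in (0, N/2)

def sign(m, R):
    """Sig = f_bk^{-1}(...(f_b0^{-1}(R))...), i.e. F_{n,m}^{-1}(R)."""
    s = R
    for b in m:                            # b0 is inverted first
        s = f_inv(int(b), s)
    return s

def verify(m, R, sig):
    """Test f_b0(...(f_bk(Sig))...) == R, i.e. F_{n,m}(Sig) == R."""
    x = sig
    for b in reversed(m):                  # bk is applied first
        x = f(int(b), x)
    return x == R

if __name__ == "__main__":
    R = 25                                 # constructed reference: 5^2 lies in D
    sig = sign("1110", R)
    print(sig, verify("1110", R, sig), verify("1111", R, sig))
```

Only `f_inv` touches `P` and `Q`; `verify` needs nothing but the public modulus, which is the asymmetry the construction relies on.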

