# A Fail-stop Signature Scheme

In [1]:
def check_prime(N):
    c=0
    for i in range(N):
        i+=1
        if N%i ==0:
            c+=1
            #print(i)
    return c

In [2]:
check_prime(127)

2

## Parameters

* $p$: 11
* $q$: 13
* $P=859$
* $n=pq$

In [3]:
p=11
q=13
n=p*q
print(n)

143


In [4]:
for i in range(20):
    i+=1
    P=n*i+1
    if check_prime(P) ==2:
        print(P)

859
2003
2861


In [5]:
P=859

## Define a power function in $Z_N$

Compute $a^{b}\equiv c$ mod $N$.

In [6]:
def power_zn(a,b,N):
    c=1
    for i in range(b):
        c=c*a
        c=c%N
    return c

In [7]:
def power_zn_2(a,b,N):
    x=a
    t=1
    while (b>0):
        if (b%2 ==1):
            t=(t*x)%N
            b-=1
        x= (x*x) % N
        b=b/2
    return t

In [10]:
power_zn(35,17,13)

3

In [11]:
power_zn_2(35,17,13)

3

## Find Primative root

In [7]:
for i in range(P):
    i+=1
    if power_zn(i,p,P)==1:
        print(i)

1
13
61
88
169
205
214
269
285
479
793


We choose $\alpha=61.$

In [8]:
alpha=61

In [9]:
for i in range(11):
    i+=1
    print(power_zn(61,i,P))

61
285
205
479
13
793
269
88
214
169
1


Check the primative root:

In [10]:
power_zn(61,11,859)

1

## Choose secret keys

We choose $(sk_1,sk_2)=(30,91)\in Z_{143}\times Z_{143}$

In [11]:
sk_1=37
sk_2=91
pk_1=power_zn(alpha,sk_1,P)
pk_2=power_zn(alpha,sk_2,P)
print(pk_1)
print(pk_2)

479
205


$(pk_1,pk_2)=(479,205)$

## Signature/message

The message $m=71.$

$s\equiv sk_1+msk_2$ mod $n.$

In [12]:
m=71
s=(sk_1+m*sk_2)%n
print(s)

63


## Testing a Signature

$\alpha ^s \equiv (pk_1)(pk_2)^m$ mod $P$

In [13]:
power_zn(alpha,s,P)

88

In [14]:
(power_zn(pk_2,m,P)*pk_1) % P

88

In [15]:
alpha

61

In [16]:
print(pk_1)
print(pk_2)
print(sk_1)
print(sk_2)

479
205
37
91


## Assume the Discrete Logarithm Problem being solved

Find $sk_2^{\prime}$ such that $pk_2 \equiv \alpha^{sk_2^\prime}$ mod $P$.

In [17]:
for sk2 in range(n):
    sk2 +=1
    if pk_2==power_zn(alpha,sk2,P):
        print(sk2)

3
14
25
36
47
58
69
80
91
102
113
124
135


We can choose $sk_2^{\prime}=69.$

In [18]:
sk_2p=69

Then, we want to find $sk_1^{\prime}$ such that $pk_1 = \alpha^{sk_1^\prime}$ mod $P$,

and

$sk_1^{\prime} \equiv s-msk_2^{\prime}$ mod $q.$

In [19]:
for sk1 in range(n):
    sk1 +=1
    if pk_1==power_zn(alpha,sk1,P):
        if (sk1%q)==(s-m*sk_2p)%q :
            print(sk1)

26


In [20]:
sk_1p=26

## Unprovable forgery on $m^{*}$

$m^{*}$ is another message with $q\mid (m-m^{*})$.

We select $m^{*}=m-2q.$

In [21]:
m_star=m-2*q; print(m_star)

45


In [22]:
m

71

$s^{*}=sk_1^{\prime}+m^{*}sk_2^{\prime}$ mod $n$.

In [23]:
s_star=(sk_1p+m_star*sk_2p)%n; print(s_star)

128


Alice's signature on $m^{*}$.

In [24]:
print((sk_1+m_star*sk_2)%n)

128
