# A Fail-stop Signature Scheme

## Parameters

* $p$: 11
* $q$: 3
* $P=67$
* $n=pq$

In [1]:
p=11
q=3
P=67
n=p*q

## Define a power function in $Z_N$

Computer $a^{b}\equiv c$ mod $N$.

In [2]:
def power_zn(a,b,N):
    c=1
    for i in range(b):
        c=c*a
        c=c%N
    return c

## Find Primative root

In [3]:
for i in range(P):
    i+=1
    if power_zn(i,p,P)==1:
        print(i)

1
9
14
15
22
24
25
40
59
62
64


We choose $\alpha=22.$

In [4]:
for i in range(11):
    i+=1
    print(power_zn(22,i,P))

22
15
62
24
59
25
14
40
9
64
1


Check the primative root:

In [5]:
power_zn(22,11,67)

1

In [6]:
power_zn(59,11,67)

1

## Choose secret keys

We choose $(sk_1,sk_2)=(7,24)\in Z_{33}\times Z_{33}$

In [7]:
P=67
alpha=22
sk_1=7
sk_2=24
pk_1=power_zn(alpha,sk_1,P)
pk_2=power_zn(alpha,sk_2,P)
print(pk_1)
print(pk_2)

14
15


$(pk_1,pk_2)=(14,15)$

## Signature/message

The message $m=31.$

$s\equiv sk_1+msk_2$ mod $n.$

In [8]:
m=31
s=(sk_1+m*sk_2)%n

In [9]:
s

25

## Testing a Signature

$\alpha ^s \equiv (pk_1)(pk_2)^m$ mod $P$

In [10]:
power_zn(alpha,s,P)

62

In [11]:
(power_zn(pk_2,m,P)*pk_1) % P

62

In [12]:
print(pk_1)
print(pk_2)
print(sk_1)
print(sk_2)

14
15
7
24


## Assume the Discrete Logarithm Problem being solved

Find $sk_1^{\prime}$ such that $pk_1 \equiv \alpha^{sk_1^\prime}$ mod $P$.

In [13]:
for sk1 in range(n):
    sk1 +=1
    if pk_1==power_zn(alpha,sk1,P):
        print(sk1)

7
18
29


We can choose $sk_1^{\prime}=29.$

Then, we want to find $sk_2^{\prime}$ such that $pk_2 = \alpha^{sk_2^\prime}$ mod $P$.

In [14]:
for sk2 in range(n):
    sk2 +=1
    if pk_2==power_zn(alpha,sk2,P):
        print(sk2)

2
13
24


We can choose $sk_2^{\prime}=13.$

Now, we have $(sk_1^{\prime},sk_2^{\prime})=(29,13).$ Note that $(sk_1,sk_2)=(7,24).$

## Check ...

Check $sk_1^{\prime} \equiv s-msk_2^{\prime}$ mod $q.$

In [15]:
s

25

In [16]:
m

31

In [17]:
sk_1p=29
sk_2p=13

In [18]:
sk_1p%p

7

In [19]:
(s-m*sk_2p)%p

7

Not correct! The correct one should be $sk_1^{\prime}\equiv s-msk_2^{\prime}$ mod $p$. 

In [20]:
alpha

22

In [21]:
n

33

## Proof of forgery

Signing...

$s^{*}\equiv sk_1^{\prime}+msk_2^{\prime}$ mod $n$

In [22]:
s_star=(sk_1p+m*sk_2p)%n; print(s_star)

3


Testing...

$\alpha ^{s^{*}} \equiv (pk_1)(pk_2)^m$ mod $P$

In [23]:
print(power_zn(alpha,s_star,P))

62


In [24]:
print((pk_1)*(power_zn(pk_2,m,P))%P)

62


$\alpha ^{s}\equiv \alpha^{s^{*}}$ mod $P$

In [25]:
power_zn(alpha,s,P)

62

In [26]:
s

25

In [27]:
s_star

3

In [28]:
p

11

In [29]:
n

33

${\rm gcd}(25-3,33)=11$

In [30]:
m

31

## Unprovable forgery on $m^{*}$ (Wrong!!)

$m^{*}$ is another message with $q\mid (m-m^{*})$.

We select $m^{*}=m-4q.$

In [31]:
m_star=m-4*q; print(m_star)

19


$s^{*}=sk_1^{\prime}+m^{*}sk_2^{\prime}$ mod $n$.

In [32]:
s_star=(sk_1p+m_star*sk_2p)%n; print(s_star)

12


Alice's signature on $m^{*}$.

In [33]:
print((sk_1+m_star*sk_2)%n)

1


## Check Lemma 1.

Check $s=sk_1+msk_2=sk_1^{\prime}+msk_2^{\prime}$ mod $n.$

In [34]:
s

25

In [35]:
n

33

$s$ mod $n.$

In [36]:
s%n

25

$sk_1+msk_2$ mod $n.$

In [37]:
(sk_1+m*sk_2)%n

25

$sk_1^{\prime}+msk_2^{\prime}$ mod $n.$

In [38]:
(sk_1p+m*sk_2p)%n

3