8/3/2019 K-DSA

1/4

A P P E N D I XP E N D I X KP r o o f o f t h e D i g i t a l S i g n a t u r er o o f o f t h e D i g i t a l S i g n a t u r eA l g o r i t h ml g o r i t h m

William Stallings

Copyright 2010

Supplement to

Cryptography and Network Security, Fifth Edition

William Stallings

Prentice Hall 2010

ISBN-10: 0136097049http://williamstallings.com/Crypto/Crypto5e.html

8/3/2019 K-DSA

2/4

K-2

The purpose of this appendix is to provide a proof that in the DSA signature verification we have

v = r if the signature is valid. The following proof is based on that which appears in the FIPS

standard, but it includes additional details to make the derivation clearer.

LEMMA 1. For any integer t, if g = h(p1)/q modp

then gt modp = gt mod q modp

Proof: By Fermat's theorem (Chapter 8), because h is relatively prime top, we have

Hp1 modp = 1. Hence, for any nonnegative integer n,

gnq modp = h p1( ) q mod p nqmod p = h((p1)/q)nq modp by the rules of modular arithmetic

= h(p1)n modp

= hp1( )

mod p n

mod p by the rules of modular arithmetic

= 1n modp = 1

So, for nonnegative integers n andz, we have

gnq+z modp = (gnq gz) modp

= gnqmod p( ) gz mod p( ) mod p

= gz modp

Any nonnegative integer tcan be represented uniquely as t= nq +z, where n andz arenonnegative integers and 0

8/3/2019 K-DSA

3/4

K-3

Proof: By Lemma 1, we have

g(a mod q + b mod q) modp = g(a mod q + b mod q) mod q modp

= g(a + b) mod q modp

QED.

LEMMA 3.y(rw) mod q modp = g(xrw) mod q modp

Proof: By definition (Figure 13.2),y = gx modp. Then:

y(rw) mod q modp = (gx modp)(rw) mod q mod p

= gx((rw) mod q) modp by the rules of modular

arithmetic

= g(x((rw) mod q)) mod q modp by Lemma 1

= g(xrw) mod q modp

QED.

LEMMA 4. ((H(M) +xr)w) mod q = k

Proof: By definition (Figure 13.2), s = k1 H M( )+ xr( )( )mod q . Also, because q is prime, anynonnegative integer less than q has a multiplicative inverse (Chapter 8). So (k k1) mod q = 1.

Then:

ks( ) mod q = k k1 H M( )+ xr( )( )mod q( )mod q

= k k1 H M( )+ xr( )( )( )

mod q

= kk1( )mod q( ) H M( )+ xr( )mod q( )mod

q

= H M( ) + xr( )( )mod q

8/3/2019 K-DSA

4/4

K-4

By definition, w = s1 mod q and therefore (ws) mod q = 1. Therefore,

((H(M) +xr)w) mod q = (((H(M) +xr) mod q) (w mod q)) mod q

= (((ks) mod q) (w mod q)) mod q

= (kws) mod q

= ((kmod q) ((ws) mod q)) mod q

= kmod q

Because 0 < k< q, we have kmod q = k. QED.

THEOREM: Using the definitions of Figure 13.2, v = r.

v = gu1yu2( )mod p( )mod q by definition

= gH M( )w( ) modq

yrw( )mod q

mod p mod q = g

H M( )w( ) modqgxrw( )mod q

mod p mod q by Lemma 3= g

H M( )w( ) modq+ xrw( ) modq

mod p

mod q

= gH M( )w+xrw( ) mod q

mod p

mod q by Lemma 2

= gH M( )+xr( )w( ) mod q

mod p

mod q

= gkmod p( ) mod q by Lemma 4

= r by definition

QED.