签名过程:

graph TD; id2 -.Signature.-> id12 subgraph Signature Generation; id0(Message/Data)-.-> id1(Hash Function) id1 -.Message Digest.-> id2(Sinature Generation) id3(Private Key) -.-> id2 end subgraph Signature Verification; id10(Message/Data)-.-> id11(Hash Function) id11 -.Message Digest.-> id12(Sinature Verification) id13(Public Key) -.-> id12 id12 -.-> id14(Valid/Invalid) end

初始化设置:
- Obtain Domain Parameter;
- Obtain Assurance of Domain Parameter Validity;
- Obtain DS Key Pair;
- Obtain Assurance of Public Key Validity;
- Obtain Assurance of Possession of the DS Private Key;
- Register the Public Key and Identify with a TTP(Optional);
数字签名生成:
- Generate a Message Digest;
- Obtain Additional Information for the Digital Signature Process;
- Generate a Digital Signature;
- Verify the Digital Signature(Optional);
数字签名的验证和确认:

graph LR; subgraph Actions; id1(Get the Claimed Signatory's Identifiers) -.-> id2(Obtain the Domain Parameters and Public Key) id2 -.-> id3(Generate a Message Digest) id3 -.-> id4(Verify the Digital Signature) end subgraph Assurance; aid1(Obtain assurance of the Claimed Signatory's Identity) aid2(Obtain Assurance of Domain Parameter Validity) -.-> aid3(Obtain Assurance of the Validity of the Owner's Public Key) aid2 -.-> aid4(Obtain Assurance that the Owner Possesses the Private Key) end subgraph ValidationComplete; vid1(Digital Signature Validation Complete) end aid1 -.-> vid1 aid3 -.-> vid1 aid4 -.-> vid1 id4 -.-> vid1

DSA参数

公钥\(y=g^x\mod p\);
私钥\(x\in [1,q-1]\);
素数\(p\), 位长度为\(L\), \(p\in (2^{L-1}, 2^L)\);
和\(p-1\)互质的素数\(q\), 位长度记为\(N\), \(q\in (2^{N-1}, 2^N)\);
乘法群\(GF(p)\)中阶为\(q\)的子群的生成子\(g\), \(g \in (1,p)\);
伪随机整数\(k\), \(k\in [1,q-1]\);

DSA域参数

\(p, q, g\);
可选的domain_parameter_seed/counter, 用于\(p,q\)的生成;

DSA参数选择

规范指定的(L,N)长度选择:
- L = 1024, N = 160;
- L = 2048, N = 224;
- L = 2048, N = 256;
- L = 3072, N = 256;
哈希函数的选择要满足其安全强度大于\(min(L,N)\);

DSA签名生成

记Hash函数的输出位字符串的位长度为\(outlen\);
记truncate_l(bit_str, len)表示取位字符串bit_str的最左边的len位;
\(k^{-1}\)表示关于随机数\(k\)的模\(q\)的逆, 即\((k^{-1}\cdot k)\mod q = 1\);
签名\((r,s)\)的计算如下:

\[\begin{aligned} & r = (g^k \mod p) \mod q \\ & z = truncate_l(Hash(M), min(N, outlen)) \\ & s = (k^{-1}(z+x\cdot r))\mod q; \end{aligned} \]

DSA签名的验证和确认

假设认证者已经确认了域参数和公钥;
记接受者收到了消息\(M'\), 和签名\((r', s')\), 则签名验证如下;
- 签名需满足\(0\lt r' \lt q\), \(0 \lt s' \lt q\);
- \(r'\)需满足\(r'=v\):
  - \(w = (s')^{-1}\mod q\);
  - \(z = truncate_l(Hash(M'), min(N, outlen))\);
  - \(u1 = (z\cdot w)\mod q\);
  - \(u2 = (r' \cdot w)\mod q\);
  - \(v = ((g^{u1}\cdot y^{u2})\mod p) \mod q\);