gzz-commits

[Gzz-commits] manuscripts/Sigs article.rst


From: Tuomas J. Lukka
Subject: [Gzz-commits] manuscripts/Sigs article.rst
Date: Sat, 17 May 2003 15:04:02 -0400

CVSROOT:        /cvsroot/gzz
Module name:    manuscripts
Changes by:     Tuomas J. Lukka <address@hidden>        03/05/17 15:04:02

Modified files:
        Sigs           : article.rst 

Log message:
        abs

CVSWeb URLs:
http://savannah.gnu.org/cgi-bin/viewcvs/gzz/manuscripts/Sigs/article.rst.diff?tr1=1.48&tr2=1.49&r1=text&r2=text

Patches:
Index: manuscripts/Sigs/article.rst
diff -u manuscripts/Sigs/article.rst:1.48 manuscripts/Sigs/article.rst:1.49
--- manuscripts/Sigs/article.rst:1.48   Sat May 17 14:52:53 2003
+++ manuscripts/Sigs/article.rst        Sat May 17 15:04:02 2003
@@ -7,12 +7,14 @@
 
 We propose an unlimited-time digital signature scheme based
 on a one-time signature scheme and a random oracle.
-The random oracle is used to map a private key to a 
+The random oracle is used to map a private key deterministically
+to a 
 set of new private keys. 
-The original private key is used to sign the new 
+The original private key is used (through a hash tree)
+to sign the new 
 private keys.
 For each message, one of the new keys is chosen,
-and this process is repeated recursively for a number
+and this process is iterated for a number
 of times to obtain the final private key used to sign
 the actual message. The signature consists of
 the chain of signatures from the original public key
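Review bot: the new parenthetical on the line `+The original private key is used (through a hash tree)` leaves unstated what the tree commits to; since the body's argument is that each one-time key signs only the public keys of its children, the abstract should say so in one clause, e.g. "used to sign (via a hash tree) the public keys of the new private keys". The added word "deterministically" is the right fix, because it is exactly what lets a one-time key be reused safely: the set of children never changes, so the same value is signed every time.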
@@ -20,20 +22,12 @@
 
 The detailed characteristics of the algorithm are determined
 by the one-time signature scheme used,
-the number of recursion levels,
+the number of iterations,
 and the algorithm for choosing which private key to use.
 
-A one-time signature algorithm can be used as the primitive
-because
-each private key is only used to sign the public keys
-corresponding to a constant number of 
-new private keys that only depend on the private key,
-not the message.
-
-Additionally, rejecting invalid signatures can be 
-significantly faster than in RSA-like systems.
-On the other hand, signing is comparatively slow
-and signatures can be large.
+On a theoretical level, our scheme allows the construction
+of a feasible algorithm with the full digital signature feature
+set without using a trapdoor function.
 
 Our scheme has applications in long-term digital publishing.
 Unlike signature schemes like RSA and DSA, it does not
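Review bot: dropping the paragraph starting `-A one-time signature algorithm can be used as the primitive` removes the only security argument in the abstract, namely that each private key signs a constant number of child public keys that depend on the private key alone and never on the message, which is why the one-time primitive is never asked to sign two different values. The replacement sentence asserts "the full digital signature feature set without using a trapdoor function" but says neither what that feature set is (unlimited number of signatures? key size? verification cost?) nor why key reuse is safe; suggest keeping one sentence of the deleted justification next to the new theoretical claim, and replacing "feasible" with what is actually meant (polynomial time, or a concrete cost).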
@@ -45,6 +39,11 @@
 isn't broken, an exhaustive
 key search is the only way to break the scheme.
 
+..  Additionally, rejecting invalid signatures can be 
+    significantly faster than in RSA-like systems.
+    On the other hand, signing is comparatively slow
+    and signatures can be large.
+
 
 Introduction
 ============
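Review bot: the performance remark is moved into a reStructuredText comment (`..` followed by an indented block) rather than deleted, so it no longer renders; that is fine, but if it is meant to return, "significantly faster than in RSA-like systems" needs a basis: state which operation is cheaper (a failed hash comparison versus a modular exponentiation) and back it with a measurement, because an unsupported speed claim in a security paper invites the reader to doubt the rest of it.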
@@ -287,6 +286,9 @@
 
 - can't copy key or restore from backup!
 
+- any scheme mapping the *action* of signing uniquely to a number between 0 
and `$q$`
+  will work.
+
 Probabilistic limited
 ---------------------
 
@@ -309,8 +311,15 @@
     - birthday paradox again: must not allow the attacker to have
       2**30 messages being signed
 
+- however, collisions *only* invalidate one leaf of the key tree, so 
+  it *is* possible to 
+  revoke only that leaf, not the whole key.
+
 Applicability to Digital Publishing
 ===================================
+
+In long-term digital publishing, the time limits on normal digital signatures
+are 
 
 foo
 
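Review bot: the added claim that a collision "*only* invalidate[s] one leaf" and that the leaf can be revoked needs a stated revocation mechanism: a verifier who already holds a signature from that leaf cannot learn of the revocation unless it is published somewhere verifiers check, and a leaf whose one-time key has signed two messages must be treated as compromised (which is what "invalidate" here implies), so the bullet should say where revocations are published and that all signatures from that leaf are untrusted thereafter. The new sentence `+In long-term digital publishing, the time limits on normal digital signatures` / `+are ` stops mid-sentence before the `foo` placeholder; finish it before the next commit or mark it as a TODO.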