9 January 1998

See related: Batch RSA and
Batch RSA for Stego Data

Date: Fri, 9 Jan 1998 20:35:11 +0100 (MET) From: Anonymous <nobody@replay.com> Subject: Batch DSA To: cypherpunks@cyberpass.net, coderpunks@toad.com Batch DSA Amos Fiat invented a way to do multiple RSA signatures using only one full-sized exponentiation [J Cryptology v10 n2 p75]. The trick is to sign each one with a different RSA key, where the keys all share the same modulus n but differ in their public exponents e. A similar technique allows DSA signatures to be batched. As with Batch RSA, each message ends up being signed with a different DSA key, where the keys share the same p, q, and g values, but differ in their public y values, where y = g^x mod p for a secret x. These techniques may be useful for situations where heavily loaded servers need to digitally sign many responses. A DSA signature on a message M (where M is the hash of the actual data) is done as follows: Choose a random value k. k must be different for every signature. Calculate R = g^k mod p mod q. Calculate S from S*k = M + R*x mod q. Then (R, S) is the signature. The time consuming part of this is the calculation of g^k. This is the only exponentiation which must be done. All the other calculations can be very fast. We can't re-use a k value because it allows x to be discovered very easily. If two signatures (R, S_1) and (R, S_2) use the same k value, we have (mod q): S_1*k = M_1 + R*x S_2*k = M_2 + R*x The capitalized values are known, the lower case k and x are the unknowns. We have two equations in two unknowns, which allows us to recover k and x. If different x values are used for each signature, then it should be safe to re-use k. This is how Batch DSA would work. The signer would publish his public key as p, q, and g as usual, but now he would publish multiple y_i = g^x_i values. The convention is that any message is considered signed by the key if it is signed by any of the y_i. To sign a batch of messages, one k value is used for all of them. The same calculation as above is used: R = g^k mod p mod q (same for all) S_i * k = M_i + R * x_i mod q The signature is (R, S_i, i), where the index i is included to tell the verifier which y_i to use. This is not vulnerable to the problem above of re-using k. The multiple signatures have the relationships: S_1*k = M_1 + R*x_1 S_2*k = M_2 + R*x_2 S_3*k = M_3 + R*x_3 ... We always have more unknowns than there are equations, which hides the values of k and x_i. This same technique can be applied to most other discrete log signatures, which generally have the same structure although they differ in the details of how x and k are used to construct R and S. With Batch RSA, there is a tradeoff between batch size and efficiency. The calculations become inefficient for batch sizes larger than tens of messages when keys are about 1K bits. Batch DSA can efficiently handle larger batches, but it has a tradeoff between batch size and key size. Each key variant requires specifying a full-sized y value, while with Batch RSA the variants just required listing a small e value (and possibly not even that, if the exponents are the small primes). This will limit Batch DSA in most circumstances to similar batch sizes of on the order of tens of messages, otherwise the keys become unreasonably large.