KCDSA (Korean Certificate-based Digital Signature Algorithm) is a digital signature algorithm created by a team led by the Korea Internet & Security Agency (KISA). It is an ElGamal variant, similar to the Digital Signature Algorithm and GOST R 34.10-94. The standard algorithm is implemented over
GF(p)
KCDSA requires a collision-resistant cryptographic hash function that can produce a variable-sized output (from 128 to 256 bits, in 32-bit increments). HAS-160, another Korean standard, is the suggested choice.
p
|p|=512+256i
i=0,1,...,6
q
p-1
|q|=128+32j
j=0,1,...,4
g
q
\operatorname{GF}(p)
The revised version of the spec additional requires either that
(p-1)/(2q)
q
x
0<x<q
y
y=g\bar{x}\pmod{p},
\bar{x}=x-1\pmod{q}
z
z=h(CertData)
The 1998 spec is unclear about the exact format of the "Cert Data". In the revised spec, z is defined as being the bottom B bits of the public key y, where B is the block size of the hash function in bits (typically 512 or 1024). The effect is that the first input block corresponds to y mod 2^B.
z
h
To sign a message
m
0<k<q
w=gk\mod{p}
r=h(w)
s=x(k-r ⊕ h(z\parallelm))\pmod{q}
s=0
(r,s)
The specification is vague about how the integer
w
r=h(I2OSP(w,|q|/8))
To verify a signature
(r,s)
m
0\ler<2|q|
0<s<q
e=r ⊕ h(z\parallelm)
r=h(ys ⋅ ge\mod{p})
EC-KCDSA is essentially the same algorithm using Elliptic-curve cryptography instead of discrete log cryptography.
The domain parameters are:
E
G
E
q
q
n
The user parameters and algorithms are essentially the same as for discrete log KCDSA except that modular exponentiation is replaced by point multiplication. The specific differences are:
Y=\bar{x}G
r=h(Wx||Wy)
W=kG
r=h(sY+eG)