4

I've struggled with this for a while. Here's my scenario. I am trying to generate 25-character software product keys (like Microsoft style FFFFF-EEEEE-DDDDD-BBBBB-77777). I have succesfully generated by nonce (raw product key) - according to this article, my final product key (before encoding in base 24 format) should be exactly 15 bytes (4 bytes for my nonce and 11 bytes for my digital signature).

Now the problem is how do I generate an 11-byte signature? I've tried using the currently shortest signature cryptography (ECC - using a secp128r2 curve - which gives me a 128-bit private key). After signing, the size of my signature is 80 bytes (as printed by the Java statement 

System.out.println("length: "+signedProductKeyBytes.length);

My questions are:

  1. What exactly is the relationship between an EC key size (in bits) and the length of the resulting EC signature (in bytes)?

  2. For instance an EC key of 128-bits is supposed to produce a signature size of how many bytes?

  3. How do I generate an 11-byte signature (by the way, I'm sure there was no EC keys in the days of Windows XP - so MS wasnt using EC - is there a better way? Say use an RSA 32-bit key or something?)?

  4. Also does the size of the string (in my case it's a stringof just 9 chars e.g "123456789" being signed play a part in the final length of signature?

Have struggled with this for a while, searched everywhere online - answers with a lot of technical talks - but nothing specific to answering my questions (the nearest I got was this article for RSA keys)

I hope I get some quick response - my project is late by weeks already. Thanks guys!

Community
  • 1
  • 1
DeepCoder
  • 61
  • 1
  • 6
  • Why not just grab the first 11 bytes of your existing 80 bytes? As long as it is unique, do you care about the other properties...? – Rory Alsop Feb 19 '13 at 09:41
  • Rory, thanks very much for the quick response! (1)How would I verify the signature? Would thecode still work if I use public key to verify only first 11 bytes? (2) Isn't there just a possibility that the first 11 bytes of 2 or more signatures may match (not be unique), because of the truncation? Thanks – DeepCoder Feb 19 '13 at 10:00

1 Answers1

8

I know of no secure signature scheme that generates that small signatures.

  • A raw ECC signature(ECDSA etc.) is four time the security level. If you want an 80 bit security level (using a 160 bit curve), you get 40 byte signatures. You can shave off a few bytes, sacrificing a bit of security, but it becomes trivial to break it somewhere between 20 and 30 bytes.

    A 128 bit curve (64 bit security, can be broken, but it's probably too expensive to be worthwhile) will produce a 32 byte signature.

  • Finite field signatures(DSA etc.) have the same size as signatures with ECC at the same security level.

  • RSA signatures have the same size as the modulus. With a rather small 768 bit key you get 96 byte signatures.

  • BLS signatures come pretty close. The signature size is only twice the security level. 20 bytes at an 80-bit level. 16 bytes at a 64-bit level. You should be able to shave off another two bytes or so by truncation, in exchange for higher signature verification times.

CodesInChaos
  • 106,488
  • 23
  • 218
  • 262
  • Thanks for the valued explanation. So what is the best approach to solving this problem? Also as you mentioned - araw ECC signature (ECDSA) is 4times security level. So why am I getting a signature with byte arraysize of 34 (as printed by Java byte[] signedBytes = ecdsa.sign(); signedBytes.length displays 80) instead of (128/8 = 32 bytes), and I am using secp128r2? Also are you saying it would be insecure to use secp128r2 curves because it givesless than 20 bytes andwould be easy to break? – DeepCoder Feb 19 '13 at 10:46
  • What's your signature size? 34 or 80? 34 can be explained by some ASN.1/BER related overhead. It's possible but expensive to break a 128 bit elliptic curve. – CodesInChaos Feb 19 '13 at 10:56
  • @CodesInChaos correct, java outputs X9.62 compatible signatures (SEQUENCE with two signed INTEGER values) – Maarten Bodewes Feb 19 '13 at 11:15
  • My signature size is 34. So what woul be the safest and quickest way to solve this problem? – DeepCoder Feb 19 '13 at 11:55
  • Hey guys, Any further help on this please? – DeepCoder Feb 19 '13 at 17:50
  • Your solution space is empty. I'm rather surprised at the size of the signature you are getting. Could you post the hexadecimals? Does it start with a byte valued `30` in hexadecimals (`48` decimal)? – Maarten Bodewes Feb 19 '13 at 22:41
  • @owlstead I am getting a signature size of 34 (not 80, above signedBytes.length was a typo, correct thing is "signedBytes.length displays 34"). Problem is how do I generate lower-sized signatures (even if it's not exactly 11-byte signatures)...The first 10 hex characters of my generated signature is 3020020e25, as you requested. Thanks! – DeepCoder Feb 20 '13 at 00:34
  • Ok, so the signature format has got the format I specified, so you can bring back the signature size to 32 bytes quite easily (strip off the BER encoding and encode the integers as using two times key size). Note that the output of your function may differ; normally you would expect 38 bytes, you got 34 because by (small) chance both encoded values of the signature were 14 bytes instead of 16. – Maarten Bodewes Feb 20 '13 at 01:16
  • @owlstead Thanks for your valued advice. But 32 bytes is way too long for what I need.By the time I encode to Base24 - I'll have a 40-character product key - and that's obviously not acceptable. What I need is a way to reduce the signatures to 11 bytes (or something similar perhaps 15 or 16 byes). This stuff is just soooo urgent. Just wish someone would point me in the right direction. – DeepCoder Feb 20 '13 at 15:47
  • Negative answers are also answers, DeepCoder, I don't see a solution to your problem. 11 characters is just to small for a verifiable asymmetric signature... – Maarten Bodewes Feb 20 '13 at 15:59
  • So how did Microsoft produce 11-byte signatures way back in 2002 for Windows XP product keys, without using ECDSA - and none of the private key used for signing their product keys remains unbroken till now? – DeepCoder Feb 20 '13 at 16:07