Introduction to Modern Cryptography Homework assignments

Posted on 08-Jan-2016


Description (PowerPoint PPT presentation): Introduction to Modern Cryptography, homework assignments. Pollard's (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors; Pollard's ρ algorithm for discrete log.


Introduction to Modern Cryptography

Homework assignments

• Pollard's (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors
• Pollard's ρ algorithm for discrete log

Pollard's p-1 factoring algorithm

• Let B be a smoothness bound.
• Let Q be the LCM of all prime powers ≤ B:

  $Q = \prod_{q \le B,\ q \text{ prime}} q^{\lfloor \ln n / \ln q \rfloor}$

• If (p-1) is B-smooth then $(p-1) \mid Q$, and for any a with gcd(a,p)=1,

  $a^{Q} \equiv 1 \pmod{p}$

• How many bits in Q?

Pollard's p-1 factoring algorithm

  $Q = \prod_{q \le B,\ q \text{ prime}} q^{\lfloor \ln n / \ln q \rfloor}$, and $a^{Q} \equiv 1 \pmod{p}$ when (p-1) is B-smooth.

Thus, with $d = \gcd(a^{Q} - 1,\ n)$, we get $p \mid d$.

Pollard's p-1 factoring algorithm

• Select a bound B.
• Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n); if d ≥ 2 then return(d).
• For each prime q ≤ B do
  – Compute $a \leftarrow a^{\,q^{\lfloor \ln n / \ln q \rfloor}} \pmod{n}$
• Return d = gcd(a-1,n).
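The algorithm above, as an added example (not code from the slides): the exponent floor(ln n / ln q) is computed exactly rather than with floating point, and the three constructed inputs show the success case, the "B too large" failure (gcd = n) and the effect of lowering B.

```python
from math import gcd

def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes q <= bound."""
    flags = [True] * (bound + 1)
    primes = []
    for q in range(2, bound + 1):
        if flags[q]:
            primes.append(q)
            for multiple in range(q * q, bound + 1, q):
                flags[multiple] = False
    return primes

def largest_exponent(q, n):
    """floor(ln n / ln q) computed exactly: the largest e with q^e <= n."""
    e = 0
    while q ** (e + 1) <= n:
        e += 1
    return e

def pollard_p_minus_1(n, B, a=2):
    """Pollard's p-1 as on the slides: gcd(a^Q - 1, n) with Q = prod q^floor(ln n/ln q).

    A proper factor comes out when exactly one prime p | n has p-1 B-smooth;
    n itself means every p-1 was smooth (B too large), 1 means none was (B too small).
    """
    d = gcd(a, n)
    if d >= 2:
        return d                                     # a already shares a factor with n
    for q in primes_up_to(B):
        a = pow(a, q ** largest_exponent(q, n), n)   # a <- a^(q^e) mod n
    return gcd(a - 1, n)                             # a is now a0^Q mod n

def bits_in_Q(n, B):
    """How many bits in Q? About pi(B) * log2(n), since every q^e is close to n."""
    Q = 1
    for q in primes_up_to(B):
        Q *= q ** largest_exponent(q, n)
    return Q.bit_length()

if __name__ == "__main__":
    # constructed inputs: 1403 = 23 * 61 (60 is 5-smooth, 22 = 2 * 11 is not)
    print(pollard_p_minus_1(1403, 5))     # 61
    # 5917 = 61 * 97: with B = 5 both 60 and 96 are smooth, so the gcd is n (failure)
    print(pollard_p_minus_1(5917, 5))     # 5917
    print(pollard_p_minus_1(5917, 3))     # 97 (96 = 2^5 * 3 is 3-smooth, 60 is not)
    print(bits_in_Q(1403, 5))
```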

Pollard's ρ algorithm for discrete log

• Problem with Shanks' baby-step giant-step algorithm: too much memory.
• Pollard's ρ algorithm for discrete log: takes O(1) memory.

Pollard's discrete log ρ algorithm

• Goal: $\log_{\alpha} \beta \pmod{p}$, where α denotes the generator and β the element whose logarithm is sought.
• Define sets S1, S2, S3 partitioning Zp* (e.g., by divisibility by 3; 1 must not be in S2).
• Define x0 = 1.
• Define

  $x_{i+1} = \begin{cases} \beta x_i \pmod{p} & \text{if } x_i \in S_1 \\ x_i \cdot x_i \pmod{p} & \text{if } x_i \in S_2 \\ \alpha x_i \pmod{p} & \text{if } x_i \in S_3 \end{cases}$

Pollard's discrete log ρ algorithm

Goal: $\log_{\alpha} \beta \pmod{p}$; start with $a_0 = 0$, $b_0 = 0$ (so that $x_i = \alpha^{a_i} \beta^{b_i}$ for all i).

  $a_{i+1} = \begin{cases} a_i & \text{if } x_i \in S_1 \\ 2a_i \pmod{p-1} & \text{if } x_i \in S_2 \\ a_i + 1 \pmod{p-1} & \text{if } x_i \in S_3 \end{cases}$

  $x_{i+1} = \begin{cases} \beta x_i \pmod{p} & \text{if } x_i \in S_1 \\ x_i \cdot x_i \pmod{p} & \text{if } x_i \in S_2 \\ \alpha x_i \pmod{p} & \text{if } x_i \in S_3 \end{cases}$

  $b_{i+1} = \begin{cases} b_i + 1 \pmod{p-1} & \text{if } x_i \in S_1 \\ 2b_i \pmod{p-1} & \text{if } x_i \in S_2 \\ b_i & \text{if } x_i \in S_3 \end{cases}$

Pollard's discrete log ρ algorithm

Goal: $\log_{\alpha} \beta \pmod{p}$; $a_0 = 0$, $b_0 = 0$, and $x_{i+1}$ is $\beta x_i$, $x_i \cdot x_i$, or $\alpha x_i$ (mod p) according to whether $x_i \in S_1$, $S_2$, or $S_3$.

Iterate until a collision $x_i = x_{2i}$ is found. Then

  $\alpha^{a_i} \beta^{b_i} \equiv x_i = x_{2i} \equiv \alpha^{a_{2i}} \beta^{b_{2i}} \pmod{p}$

  $a_i + b_i \log_{\alpha} \beta \equiv a_{2i} + b_{2i} \log_{\alpha} \beta \pmod{p-1}$

  $\log_{\alpha} \beta \equiv (a_{2i} - a_i) / (b_i - b_{2i}) \pmod{p-1}$

(the last step needs $b_i - b_{2i}$ to be invertible mod p-1; otherwise there are $\gcd(b_i - b_{2i},\ p-1)$ candidates to test).
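The ρ method of the three slides above as an added example (not the course's code), with Floyd's cycle finding for the $x_i = x_{2i}$ collision and the non-invertible $b_i - b_{2i}$ case handled by testing the gcd-many candidates; the partition, the toy prime and the generator are constructed.

```python
from math import gcd

def pollard_rho_dlog(alpha, beta, p, order):
    """Return log_alpha(beta) modulo 'order' (the order of alpha in Z_p^*; p-1 for a generator)."""
    def step(x, a, b):
        # S1 = {x = 1 mod 3}, S2 = {x = 0 mod 3} (so 1 is not in S2), S3 = {x = 2 mod 3}
        if x % 3 == 1:                                   # S1: x <- beta * x
            return (beta * x) % p, a, (b + 1) % order
        if x % 3 == 0:                                   # S2: x <- x * x
            return (x * x) % p, (2 * a) % order, (2 * b) % order
        return (alpha * x) % p, (a + 1) % order, b       # S3: x <- alpha * x

    x, a, b = 1, 0, 0            # x_0 = 1 = alpha^0 beta^0
    X, A, B = x, a, b            # the x_{2i} sequence, advanced two steps per iteration
    while True:
        x, a, b = step(x, a, b)
        X, A, B = step(*step(X, A, B))
        if x == X:               # collision x_i == x_{2i}
            break
    # alpha^a beta^b = alpha^A beta^B  =>  (a - A) = (B - b) * log  (mod order)
    num, den = (a - A) % order, (B - b) % order
    g = gcd(den, order)
    if num % g:                  # would contradict the invariant x_i = alpha^a_i beta^b_i
        return None
    m = order // g               # solve modulo order/g, then try the g lifts
    base = (num // g) * pow(den // g, -1, m) % m if m > 1 else 0
    for k in range(g):
        cand = base + k * m
        if pow(alpha, cand, p) == beta:
            return cand
    return None

if __name__ == "__main__":
    p, alpha = 1019, 2                 # constructed: 2 generates Z_1019^*, which has order 1018
    beta = pow(alpha, 123, p)
    print(pollard_rho_dlog(alpha, beta, p, p - 1))   # 123
```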

Beyond Homework Assignments

• Recap of Quadratic sieve factoring algorithm

• Index calculus methods for the discrete log problem

Using smoothness for factoring

(Repeating what's been done in class):
• Factor n = pq by computing two different square roots modulo n.
• Compute x² mod n.
• If x² mod n is smooth with respect to B, then add a row to a matrix where the j-th coordinate is the parity of the power of pj that divides x² mod n.
• p1, p2, …, pm – all primes ≤ B.

Using smoothness for factoring

  $x_1^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(1)}}$

  $x_2^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(2)}}$

  $x_3^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(3)}}$

  ⋮

  $x_t^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(t)}}$

Matrix of exponent parities, one row per smooth $x_i^2 \bmod n$ and one column per prime of the factor base $p_1 = 2,\ p_2 = 3,\ p_3 = 5,\ \ldots,\ p_m \le B$:

  $\begin{array}{c|ccccc} & 2 & 3 & 5 & \cdots & p_m \\ \hline x_1^2 & e_1^{(1)} \bmod 2 & e_2^{(1)} \bmod 2 & e_3^{(1)} \bmod 2 & \cdots & e_m^{(1)} \bmod 2 \\ x_2^2 & e_1^{(2)} \bmod 2 & e_2^{(2)} \bmod 2 & e_3^{(2)} \bmod 2 & \cdots & e_m^{(2)} \bmod 2 \\ \vdots & & & & & \\ x_t^2 & e_1^{(t)} \bmod 2 & e_2^{(t)} \bmod 2 & e_3^{(t)} \bmod 2 & \cdots & e_m^{(t)} \bmod 2 \end{array}$

Solve for the all-zero vector (a set S of rows summing to 0 mod 2). This gives us

  $\prod_{i \in S} x_i^2 \equiv \prod_{j=1}^{m} p_j^{2 d_j} \pmod{n}$, i.e. $\Big(\prod_{i \in S} x_i\Big)^2 \equiv \Big(\prod_{j=1}^{m} p_j^{d_j}\Big)^2 \pmod{n}$
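The relation-and-parity-matrix idea above as an added Dixon-style example (not from the slides): trial division stands in for sieving, the GF(2) elimination records which relations it summed so that a zero row yields the set S, and n, the factor base and the candidate x values are constructed.

```python
from math import gcd

def smooth_exponents(value, primes):
    """Trial-divide value over the factor base; return the exponent list or None if not B-smooth."""
    if value == 0:
        return None
    exps = []
    for p in primes:
        e = 0
        while value % p == 0:
            value //= p
            e += 1
        exps.append(e)
    return exps if value == 1 else None

def dixon_factor(n, primes, candidates):
    """Factor n from relations x^2 mod n = prod p_j^e_j over the factor base.

    Smooth x give rows of exponent parities; a set S of rows summing to zero mod 2
    yields (prod x_i)^2 = (prod p_j^d_j)^2 (mod n), and gcd(X -+ Y, n) is tried.
    """
    relations = [(x, e) for x in candidates
                 if (e := smooth_exponents(x * x % n, primes)) is not None]
    pivots = {}                              # GF(2) elimination: leading bit -> (row, relations summed)
    for idx, (_, exps) in enumerate(relations):
        row = sum((e & 1) << j for j, e in enumerate(exps))
        hist = 1 << idx
        while row:
            lead = row.bit_length() - 1
            if lead not in pivots:
                pivots[lead] = (row, hist)
                break
            prow, phist = pivots[lead]
            row, hist = row ^ prow, hist ^ phist
        if row == 0:                         # the relations in 'hist' sum to the all-zero vector
            subset = [rel for i, rel in enumerate(relations) if hist >> i & 1]
            X = 1
            for x, _ in subset:
                X = X * x % n
            Y = 1
            for j, p in enumerate(primes):   # d_j = (sum over S of e_j) / 2, even by construction
                Y = Y * pow(p, sum(e[j] for _, e in subset) // 2, n) % n
            for d in (gcd(X - Y, n), gcd(X + Y, n)):
                if 1 < d < n:
                    return d
    return None                              # every dependency gave X = +-Y (mod n)

if __name__ == "__main__":
    # constructed: n = 84923 = 163 * 521, factor base {2,3,5,7}; among these candidates only
    # 513^2 mod n = 8400 = 2^4 3 5^2 7 and 537^2 mod n = 33600 = 2^6 3 5^2 7 are smooth
    print(dixon_factor(84923, [2, 3, 5, 7], [292, 293, 300, 513, 537]))   # 163
```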

Using smoothness for discrete log? The Index Calculus Method

• We want to compute logg x mod q.
• If we knew
  – logg 2 mod q,
  – logg 3 mod q,
  – logg 5 mod q, …,
  – logg pm mod q
• Then we could try to solve for logg x mod q as follows: if x is B-smooth,

  $x \equiv \prod_{j=1}^{m} p_j^{e_j} \pmod{q}$

  then

  $\log_g x \equiv \sum_{j=1}^{m} e_j \log_g p_j \pmod{q-1}$

The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, …

Collect exponents x1, x2, x3, …, xm for which $g^{x_i} \bmod q$ is B-smooth:

  $g^{x_1} \equiv \prod_{j=1}^{m} p_j^{e_j^{(1)}} \pmod{q}$

  $g^{x_2} \equiv \prod_{j=1}^{m} p_j^{e_j^{(2)}} \pmod{q}$

  $g^{x_3} \equiv \prod_{j=1}^{m} p_j^{e_j^{(3)}} \pmod{q}$

  ⋮

  $g^{x_m} \equiv \prod_{j=1}^{m} p_j^{e_j^{(m)}} \pmod{q}$

Taking logarithms gives linear equations in the unknowns logg pj:

  $x_1 \equiv \sum_{j=1}^{m} e_j^{(1)} \log_g p_j \pmod{q-1}$

  $x_2 \equiv \sum_{j=1}^{m} e_j^{(2)} \log_g p_j \pmod{q-1}$

  $x_3 \equiv \sum_{j=1}^{m} e_j^{(3)} \log_g p_j \pmod{q-1}$

  ⋮

  $x_m \equiv \sum_{j=1}^{m} e_j^{(m)} \log_g p_j \pmod{q-1}$

Back To Digital Signatures

• Summary of discussion in class
• RSA, El Gamal, Fiat-Shamir, DSS

Handwritten Signatures

• Relate an individual, through a handwritten signature, to a document.
• Signature can be verified against a prior authenticated one, signed in person.
• Should be hard to forge.
• Are legally binding (convince a third party, e.g. a judge).

Digital Signatures: Desired Properties

• Relate an individual, through a digital string, to a document.
• Signature should be easy to verify.
• Should be hard to forge.
• Are legally binding (convince a third party, e.g. a judge).

Diffie and Hellman (76), "New Directions in Cryptography"

Let EA be Alice's public encryption key, and let DA be Alice's private decryption key.
• To sign the message M, Alice computes the string y=DA(M) and sends M,y to Bob.
• To verify this is indeed Alice's signature, Bob computes the string x=EA(y) and checks x=M.

Intuition: Only Alice can compute y=DA(M), thus forgery should be computationally infeasible.

Problems with "Pure" DH Paradigm

• Easy to forge signatures of random messages even without holding DA: Bob picks R arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature of Alice on the "message" S.
• Therefore the scheme is subject to existential forgery.
• "So what"?

Problems with "Pure" DH Paradigm

• Consider specifically RSA. Being multiplicative, we have (products mod N)

  DA(M1·M2) = DA(M1)·DA(M2).

• If M2 = "I OWE BOB $20" and M1 = "100", then under a certain encoding of letters we could get M1·M2 = "I OWE BOB $2000"…

Standard Solution: Hash First

Let EA be Alice's public encryption key, and let DA be Alice's private decryption key.
• To sign the message M, Alice first computes the strings y=H(M) and z=DA(y), and sends M,z to Bob.
• To verify this is indeed Alice's signature, Bob computes the string y=EA(z) and checks y=H(M).
• The function H should be collision resistant, so that one cannot find another M' with H(M)=H(M').

General Structure: Signature Schemes

• Generation of private and public keys (randomized).
• Signing (either deterministic or randomized).
• Verification (accept/reject) - usually deterministic.

Schemes Used in Practice

• RSA
• El-Gamal Signature Scheme (85)
• The DSS (digital signature standard, adopted by NIST in 94) is based on a modification of the El-Gamal signature.

El-Gamal Signature Scheme: Generation

• Pick a prime p of length 1024 bits such that DL in Zp* is hard.
• Let g be a generator of Zp*.
• Pick x in [2,p-2] at random.
• Compute y = g^x mod p.
• Public key: p,g,y.
• Private key: x.

El-Gamal Signature Scheme: Signing M

• Hash: let m=H(M).
• Pick k in [1,p-2] relatively prime to p-1 at random.
• Compute r = g^k mod p.
• Compute s = (m-rx)·k^{-1} mod (p-1).   (***)
• Output r and s.

El-Gamal Signature Scheme: Verify M,r,s,PK

• Compute m=H(M).
• Accept if 0<r<p and y^r·r^s = g^m mod p, else reject.
• What's going on? By (***), s = (m-rx)·k^{-1} mod (p-1), so sk+rx = m. Now r = g^k so r^s = g^{ks}, and y = g^x so y^r = g^{rx}, implying y^r·r^s = g^{ks+rx} = g^m.

Homework Assignment 2, part I

• Implement via Maple the El Gamal Signature Scheme:
  – Key Generation
  – Message Signature
  – Message Verification
• What happens if you use the same k twice?
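The three parts of the assignment (key generation, signing, verification) as an added Python example rather than the Maple implementation the course asks for; SHA-256 stands in for the unspecified H, and the toy prime p = 1019 with generator g = 2 is constructed.

```python
import hashlib
import secrets
from math import gcd

def hash_to_exponent(message: bytes, p: int) -> int:
    """m = H(M); SHA-256 stands in for the course's H, reduced mod p-1 (the order of g)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % (p - 1)

def keygen(p: int, g: int):
    """Private x in [2, p-2], public y = g^x mod p.  Assumes p prime and g a generator of Zp*."""
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)

def sign(p: int, g: int, x: int, message: bytes):
    m = hash_to_exponent(message, p)
    while True:                                   # a fresh, secret k for every signature
        k = secrets.randbelow(p - 2) + 1          # k in [1, p-2] ...
        if gcd(k, p - 1) == 1:                    # ... relatively prime to p-1, so k^-1 exists
            break
    r = pow(g, k, p)
    s = (m - r * x) * pow(k, -1, p - 1) % (p - 1)   # (***)
    return r, s

def verify(p: int, g: int, y: int, message: bytes, signature) -> bool:
    r, s = signature
    if not 0 < r < p:
        return False
    m = hash_to_exponent(message, p)
    return pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)   # y^r r^s = g^m mod p

if __name__ == "__main__":
    p, g = 1019, 2          # constructed toy parameters: 1019 is prime and 2 generates Z_1019^*
    x, y = keygen(p, g)
    sig = sign(p, g, x, b"I OWE BOB $20")
    print(verify(p, g, y, b"I OWE BOB $20", sig))                                  # True
    print(verify(p, g, y, b"I OWE BOB $20", (sig[0], (sig[1] + 1) % (p - 1))))    # False
```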

The Digital Signature Algorithm (DSA)

• Let p be an L-bit prime such that the discrete log problem mod p is intractable.
• Let q be a 160-bit prime that divides p-1.
• Let α be a q-th root of 1 modulo p. How do we compute α?

The Digital Signature Algorithm (DSA)

• p – prime, q – prime, p-1 = 0 mod q, α = 1^(1/q) mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = α^s mod p)
• Signature on message M:
  – Choose a random 1 ≤ k ≤ p-1, secret!!
  – Part I: (α^k mod p) mod q
  – Part II: (SHA(M) + s·(PART I)) / k mod q

The Digital Signature Algorithm (DSA)

• p – prime, q – prime, p-1 = 0 mod q, α = 1^(1/q) mod p. Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α^s mod p). Signature on message M:
  – Choose a random 1 ≤ k ≤ p-1, secret!!
  – Part I: (α^k mod p) mod q
  – Part II: (SHA(M) + s·(PART I)) / k mod q
• Verification:
  – e1 = SHA(M) / (PART II) mod q
  – e2 = (PART I) / (PART II) mod q
  – OK if $(\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = \text{PART I}$

The Digital Signature Algorithm

Substituting PART I = $(\alpha^k \bmod p) \bmod q$ and PART II = $(\text{SHA}(M) + s \cdot \text{PART I}) / k \bmod q$ into the verification:

  $e_1 = \dfrac{\text{SHA}(M)}{\text{PART II}} = \dfrac{\text{SHA}(M)}{\big(\text{SHA}(M) + s\,((\alpha^k \bmod p) \bmod q)\big)/k} \bmod q$

  $e_2 = \dfrac{\text{PART I}}{\text{PART II}} = \dfrac{(\alpha^k \bmod p) \bmod q}{\big(\text{SHA}(M) + s\,((\alpha^k \bmod p) \bmod q)\big)/k} \bmod q$

Homework 2 part II:

• Prove that if the signature is generated correctly then the verification works correctly.
• What happens if PART II of the signature is 0?
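The DSA slides above as an added example (not the course's code): α is obtained as h^((p-1)/q) mod p, which is one way to get a q-th root of 1, and the signer refuses to output a signature whose PART II is 0, since the verifier has to invert it. The toy parameters p = 23, q = 11 are constructed, and SHA-1 is used for SHA(M).

```python
import hashlib
import secrets

def toy_params():
    """Constructed toy DSA parameters: q = 11 divides p-1 = 22, alpha = h^((p-1)/q) mod p."""
    p, q, h = 23, 11, 2
    alpha = pow(h, (p - 1) // q, p)          # 4; alpha != 1, so its order is exactly q
    return p, q, alpha

def sha_mod_q(message: bytes, q: int) -> int:
    """SHA(M) as an integer, reduced mod q (SHA-1, as in the original DSS)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def keygen(p, q, alpha):
    s = secrets.randbelow(q - 1) + 1         # private key 1 <= s <= q-1
    return s, pow(alpha, s, p)               # public beta = alpha^s mod p

def sign(p, q, alpha, s, message: bytes):
    while True:
        k = secrets.randbelow(q - 1) + 1     # secret per-signature k; only k mod q matters (alpha has order q)
        part1 = pow(alpha, k, p) % q         # PART I  = (alpha^k mod p) mod q
        part2 = (sha_mod_q(message, q) + s * part1) * pow(k, -1, q) % q   # PART II = (SHA(M) + s*PART I)/k
        if part1 != 0 and part2 != 0:        # PART II = 0 cannot be inverted by the verifier: pick a new k
            return part1, part2

def verify(p, q, alpha, beta, message: bytes, signature) -> bool:
    part1, part2 = signature
    if not (0 < part1 < q and 0 < part2 < q):
        return False
    w = pow(part2, -1, q)
    e1 = sha_mod_q(message, q) * w % q       # e1 = SHA(M) / PART II mod q
    e2 = part1 * w % q                       # e2 = PART I  / PART II mod q
    return (pow(alpha, e1, p) * pow(beta, e2, p) % p) % q == part1

if __name__ == "__main__":
    p, q, alpha = toy_params()
    s, beta = keygen(p, q, alpha)
    sig = sign(p, q, alpha, s, b"pay 20 to Bob")
    print(sig, verify(p, q, alpha, beta, b"pay 20 to Bob", sig))   # (PART I, PART II) True
```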

Signatures vs. MACs

Suppose parties A and B share the secret key K. Then M, MAC_K(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MAC_K(M) was sent by B, since A could generate it herself.

Identification: Model

• Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc.
• Bob may ask the following:
  – Who are you? (prove that you're Alice)
  – Who the **** is Alice?
• Eve wishes to impersonate Alice:
  – One-time impersonation
  – Full impersonation (identity theft)

Identification Scenarios

• Local identification
  – Human authenticator
  – Device
• Remote identification
  – Human authenticator
  – Corporate environment (e.g. LAN)
  – E-commerce environment
  – Cable TV/Satellite: pay-per-view; subscription verification
  – Remote login or e-mail from an internet cafe.

Initial Authentication

• The problem: how does Alice initially convince anyone that she's Alice?
• The solution must often involve a "real-world" type of authentication – id card, driver's license etc.
• Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco).
• Even in scenarios where it is OK for Alice to be whoever she claims she is, we may want to at least make sure Alice is human (implemented, e.g., for new users in Yahoo mail).

Closed Environments

• The initial authentication problem is fully solved by a trusted party, Carol.
• Carol can distribute the identification material in a secure fashion, e.g. by hand, or over encrypted and authenticated lines.
• Example – a corporate environment.
• Eve's attack avenue is the Alice-Bob connection.
• We begin by looking at remote authentication.

Fiat-Shamir Scheme

• Initialization
• Set Up
•Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction

Initialization

• Bob gets from Carol N=pq but not its factorization.
• Alice picks m numbers R1,R2,…,Rm in ZN at random.
• Alice computes S1 = R1² mod N, …, Sm = Rm² mod N.
• Alice gives Bob S1,S2,…,Sm.
• She keeps R1,R2,…,Rm secret.

Set Up

• Bob holds S1,S2,…,Sm.
• Alice keeps R1,R2,…,Rm secret.
• Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S1,S2,…,Sm.
• A bad way to convince Bob: send him R1,R2,…,Rm.
• Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge).

Basic Protocol

• Let S1 = R1² such that Alice holds R1.
• To convince Bob that Alice knows a square root mod N of S1, Alice picks at random X1 in ZN, computes Y1 = X1² mod N, and sends Y1 to Bob.
• Alice: "I know both a square root mod N of Y1 (=X1) and a square root mod N of Y1·S1 (=X1·R1). Make a choice which of the two you want me to reveal."
• Bob flips a coin; the outcome (heads/tails) determines the challenge he poses to Alice.

Basic Protocol (cont.)

• If Alice knows both a square root of Y1 (=X1) and a square root of Y1·S1 (=X1·R1) then she knows R1 (a square root of S1).
• Thus if Alice does not know a square root of S1, Bob will catch her cheating with probability 1/2.
• In the protocol, Alice will produce Y1,Y2,…,Ym.
• Bob will flip m coins b1,b2,…,bm as challenges.
• Bob accepts only if Alice succeeds in all m cases.

Basic Protocol (message flow)

1. Alice to Bob: Y1,Y2,…,Ym
2. Bob to Alice (challenge): b1,b2,…,bm, e.g. 1,0,…,0
3. Alice to Bob (m responses): X1R1, X2, …, Xm (XiRi where bi=1, Xi where bi=0)

Bob accepts iff all m challenges are met.

Improved (more efficient) Protocol

1. Alice to Bob: Y1,Y2,…,Ym
2. Bob to Alice (challenge): b1,b2,…,bm, e.g. 1,0,…,0
3. Alice to Bob (2 responses): the product of XiRi over all i with bi=1, and the product of Xi over all i with bi=0

Bob accepts iff the challenges are met.

Correctness of Protocol (Intuition ONLY)

1. A cheating Eve, without knowledge of Ri’s, will be caught with high probability.

2. Zero Knowledge:By eavesdropping, Eve learns nothing(all she learns she can simulate on her own).

Crucial ingredients: 1. Interaction. 2. Randomness.

Final Improvement (Fiat-Shamir): Remove Interaction

Let H be a secure hash function.

1. Alice to Bob: Y1,Y2,…,Ym
2. Challenge: b1b2…bm = H(Y1,Y2,…,Ym), e.g. 1,0,…,0 (derived from Alice's own message, so Bob no longer has to send it)
3. Alice to Bob (2 responses): the product of XiRi over i with bi=1, and the product of Xi over i with bi=0

Bob accepts iff the challenges are met.


Correctness of Fiat-Shamir (Intuition ONLY)

A cheating Eve, without knowledge of the Ri's, cannot succeed in producing Y1,Y2,…,Ym that will be hashed to a convenient bit vector b1b2…bm, since m is too long and H behaves like a random function (so the chances of hitting a bit vector favourable to Eve are negligible).

The FS scheme is used in practice.
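The improved protocol with the hash-derived challenge, as an added example (not from the slides): Alice's commitment, the challenge bits both sides compute from H(Y1,…,Ym), the two product responses and Bob's check that each response squares to the matching product of Yi (and Si). The toy modulus N = 101·103 and m = 16 are constructed, and Ri, Xi are drawn coprime to N so every value involved is invertible.

```python
import hashlib
import secrets
from math import gcd

N = 101 * 103     # constructed toy modulus N = pq; Bob knows N, not its factorization
M = 16            # number of secrets, and of challenge bits

def random_unit(n):
    while True:                          # random element of Z_N coprime to N
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            return r

def setup(n=N, m=M):
    """Initialization: Alice keeps R_1..R_m and publishes S_i = R_i^2 mod n."""
    R = [random_unit(n) for _ in range(m)]
    return R, [r * r % n for r in R]

def commit(n=N, m=M):
    """Alice picks X_i at random and sends Y_i = X_i^2 mod n."""
    X = [random_unit(n) for _ in range(m)]
    return X, [x * x % n for x in X]

def challenge_bits(Y, m=M):
    """Remove interaction: b_1..b_m = H(Y_1,...,Y_m), which Bob recomputes himself."""
    digest = hashlib.sha256(",".join(map(str, Y)).encode()).digest()
    return [(digest[i // 8] >> (i % 8)) & 1 for i in range(m)]

def respond(X, R, b, n=N):
    """Improved protocol, 2 responses: prod X_i R_i over b_i = 1 and prod X_i over b_i = 0."""
    z1 = z0 = 1
    for x, r, bit in zip(X, R, b):
        z1, z0 = (z1 * x * r % n, z0) if bit else (z1, z0 * x % n)
    return z1, z0

def verify(S, Y, b, z1, z0, n=N):
    """Bob: z1^2 = prod Y_i S_i over b_i = 1 and z0^2 = prod Y_i over b_i = 0 (mod n)."""
    t1 = t0 = 1
    for y, s, bit in zip(Y, S, b):
        t1, t0 = (t1 * y * s % n, t0) if bit else (t1, t0 * y % n)
    return z1 * z1 % n == t1 and z0 * z0 % n == t0

def run():
    R, S = setup()                 # one-time: S_1..S_m reach Bob via Carol
    X, Y = commit()                # Alice -> Bob: Y_1..Y_m
    b = challenge_bits(Y)          # both sides derive the challenge from H
    z1, z0 = respond(X, R, b)      # Alice -> Bob: the two responses
    return verify(S, Y, b, z1, z0)
```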