Introduction to Modern Cryptography Homework assignments


Transcript of Introduction to Modern Cryptography Homework assignments

Page 1: Introduction to Modern Cryptography        Homework assignments

Introduction to Modern Cryptography

Homework assignments
• Pollard’s (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors
• Pollard’s ρ algorithm for discrete log

Page 2: Introduction to Modern Cryptography        Homework assignments

Pollard’s p-1 factoring algorithm

• Let B be a smoothness bound
• Let Q be the LCM of all prime powers ≤ B:
  $Q = \prod_{q \le B} q^{\lfloor \ln n / \ln q \rfloor}$
• If (p-1) is B-smooth then $(p-1) \mid Q$, and for any a, gcd(a,p)=1,
  $a^Q \equiv 1 \pmod{p}$

How many bits in Q?

Page 3: Introduction to Modern Cryptography        Homework assignments

Pollard’s p-1 factoring algorithm

$Q = \prod_{q \le B} q^{\lfloor \ln n / \ln q \rfloor}$

$a^Q \equiv 1 \pmod{p}$

Thus, $p \mid d$, where $d = \gcd(a^Q - 1, n)$

Page 4: Introduction to Modern Cryptography        Homework assignments

Pollard’s p-1 factoring algorithm

• Select a bound B
• Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d)
• For each prime q ≤ B do
  – Compute $a \leftarrow a^{q^{\lfloor \ln n / \ln q \rfloor}} \pmod{n}$
• Return d = gcd(a-1,n)
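The steps above as an added Python example (not code from the slides). It fixes a = 2 by default instead of drawing a at random so the run is repeatable, returns None when the final gcd is trivial, and uses a constructed sample modulus; the function names are this example's own.

```python
from math import gcd

def primes_upto(B):
    """All primes q <= B by trial division (B is small in this method)."""
    return [q for q in range(2, B + 1)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]

def pollard_p_minus_1(n, B, a=2):
    """Return a nontrivial factor of n, or None if this (B, a) fails.

    The slides pick a at random; a fixed default keeps the run repeatable.
    """
    d = gcd(a, n)
    if d >= 2:
        return d
    for q in primes_upto(B):
        # l = floor(ln n / ln q), found with integers to avoid float rounding
        l = 1
        while q ** (l + 1) <= n:
            l += 1
        a = pow(a, q ** l, n)          # a <- a^(q^l) mod n
    d = gcd(a - 1, n)
    # d == 1: no prime factor p of n has a B-smooth p-1 (raise B).
    # d == n: every prime factor was caught at once (change a or lower B).
    return d if 1 < d < n else None

# Constructed sample: n = 5281 * 3607, where 5281 - 1 = 2^5 * 3 * 5 * 11 is
# 19-smooth while 3607 - 1 = 2 * 3 * 601 is not.
N_SAMPLE = 19048567
print(pollard_p_minus_1(N_SAMPLE, 19))
```

With B = 2 the same call returns None, because neither prime factor has a p-1 that is a power of 2.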

Page 5: Introduction to Modern Cryptography        Homework assignments

Pollard’s ρ algorithm for discrete log

• Problem with Shanks’ baby-step giant-step algorithm: too much memory

• Pollard’s ρ algorithm for discrete log: takes O(1) memory

Page 6: Introduction to Modern Cryptography        Homework assignments

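Pollard’s discrete log ρ algorithm

• Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2)
• Define x0 = 1
• Define

$$x_{i+1} = \begin{cases} \beta x_i \pmod{p} & \text{if } x_i \in S_1 \\ x_i^2 \pmod{p} & \text{if } x_i \in S_2 \\ \alpha x_i \pmod{p} & \text{if } x_i \in S_3 \end{cases}$$

$\log_\alpha \beta \pmod{p}$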

Page 7: Introduction to Modern Cryptography        Homework assignments

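Pollard’s discrete log ρ algorithm

$\log_\alpha \beta \pmod{p}$, $a_0 = 0$, $b_0 = 0$

$$x_{i+1} = \begin{cases} \beta x_i \pmod{p} & \text{if } x_i \in S_1 \\ x_i^2 \pmod{p} & \text{if } x_i \in S_2 \\ \alpha x_i \pmod{p} & \text{if } x_i \in S_3 \end{cases}$$

$$a_{i+1} = \begin{cases} a_i & \text{if } x_i \in S_1 \\ 2a_i \pmod{p-1} & \text{if } x_i \in S_2 \\ a_i + 1 \pmod{p-1} & \text{if } x_i \in S_3 \end{cases}$$

$$b_{i+1} = \begin{cases} b_i + 1 \pmod{p-1} & \text{if } x_i \in S_1 \\ 2b_i \pmod{p-1} & \text{if } x_i \in S_2 \\ b_i & \text{if } x_i \in S_3 \end{cases}$$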

Page 8: Introduction to Modern Cryptography        Homework assignments

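Pollard’s discrete log ρ algorithm

$\log_\alpha \beta \pmod{p}$, $a_0 = 0$, $b_0 = 0$

$$x_{i+1} = \begin{cases} \beta x_i & \text{if } x_i \in S_1 \\ x_i^2 & \text{if } x_i \in S_2 \\ \alpha x_i & \text{if } x_i \in S_3 \end{cases}$$

$$x_{2i} \equiv x_i \pmod{p}$$

$$\alpha^{a_{2i}} \beta^{b_{2i}} \equiv \alpha^{a_i} \beta^{b_i} \pmod{p}$$

$$a_{2i} + b_{2i} \log_\alpha \beta \equiv a_i + b_i \log_\alpha \beta \pmod{p-1}$$

$$\log_\alpha \beta \equiv (a_i - a_{2i}) / (b_{2i} - b_i) \pmod{p-1}$$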
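The iteration and the final division, as an added Python example (not code from the slides). It assumes the partition by x mod 3 (S1: remainder 1, S2: remainder 0, S3: remainder 2), compares x_i with x_2i using Floyd's cycle finding, and goes one step beyond the slide by reducing exponents modulo the order n of α (n = p-1 when α is a generator) and by handling a denominator that is not invertible modulo n. Names and sample parameters are constructed for the example.

```python
from math import gcd

def step(x, a, b, alpha, beta, p, n):
    """One application of the map; keeps x = alpha^a * beta^b mod p."""
    if x % 3 == 1:                                  # S1: multiply by beta
        return beta * x % p, a, (b + 1) % n
    if x % 3 == 0:                                  # S2: square
        return x * x % p, 2 * a % n, 2 * b % n
    return alpha * x % p, (a + 1) % n, b            # S3: multiply by alpha

def rho_dlog(alpha, beta, p, n=None):
    """Return L with alpha^L = beta (mod p), or None if the collision is useless.

    n is the order of alpha; it defaults to p-1 as on the slides.
    """
    n = n or p - 1
    slow = fast = (1, 0, 0)                         # (x0, a0, b0)
    while True:                                     # compare x_i with x_2i
        slow = step(*slow, alpha, beta, p, n)
        fast = step(*step(*fast, alpha, beta, p, n), alpha, beta, p, n)
        if slow[0] == fast[0]:
            break
    (_, a1, b1), (_, a2, b2) = slow, fast
    r, t = (b2 - b1) % n, (a1 - a2) % n             # r * L = t (mod n)
    if r == 0:
        return None                                 # retry with another partition
    g = gcd(r, n)
    if t % g:
        return None
    m = n // g
    base = (t // g) * pow(r // g, -1, m) % m
    for i in range(g):                              # g candidates when gcd > 1
        if pow(alpha, base + i * m, p) == beta:
            return base + i * m
    return None

# Constructed sample: alpha = 2 has order 191 in Z_383^*, beta = 228.
print(rho_dlog(2, 228, 383, 191))
```

Only the two running triples (x, a, b) are stored, which is the O(1) memory claim made earlier.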

Page 9: Introduction to Modern Cryptography        Homework assignments

Beyond Homework Assignments

• Recap of Quadratic sieve factoring algorithm

• Index calculus methods for the discrete log problem

Page 10: Introduction to Modern Cryptography        Homework assignments

Using smoothness for factoring

(Repeating what’s been done in class):
• Factor n = pq by computing two different square roots modulo n
• Compute x^2 mod n
• If x^2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of p_j that divides x^2 mod n
• p_1, p_2, …, p_m – all primes ≤ B

Page 11: Introduction to Modern Cryptography        Homework assignments

Using smoothness for factoring

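$$x_1^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(1)}}$$
$$x_2^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(2)}}$$
$$x_3^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(3)}}$$
$$\vdots$$
$$x_m^2 \bmod n = \prod_{j=1}^{m} p_j^{e_j^{(m)}}$$

$$\begin{array}{c|ccccc}
 & p_1 = 2 & p_2 = 3 & p_3 = 5 & \cdots & p_m \le B \\ \hline
x_1^2 & e_1^{(1)} \bmod 2 & e_2^{(1)} \bmod 2 & e_3^{(1)} \bmod 2 & \cdots & \\
x_2^2 & e_1^{(2)} \bmod 2 & e_2^{(2)} \bmod 2 & \cdots & & \\
x_3^2 & \cdots & & & & \\
\vdots & & & & & \\
x_m^2 & e_1^{(m)} \bmod 2 & e_2^{(m)} \bmod 2 & e_3^{(m)} \bmod 2 & \cdots & e_m^{(m)} \bmod 2
\end{array}$$

Solve for the all-zero vector. This gives us

$$\prod_{i \in S} x_i^2 \equiv \prod_{i=1}^{m} p_i^{2 d_i} \pmod{n}$$

$$\left( \prod_{i \in S} x_i \right)^2 \equiv \left( \prod_{i=1}^{m} p_i^{d_i} \right)^2 \pmod{n}$$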

Page 12: Introduction to Modern Cryptography        Homework assignments

Using smoothness for discrete log? The Index Calculus Method

• We want to compute log_g x mod q
• If we knew
  – log_g 2 mod q,
  – log_g 3 mod q,
  – log_g 5 mod q, …,
  – log_g p_m mod q
• Then we could try to solve for log_g x mod q as follows:

$$x \bmod q = \prod_{j=1}^{m} p_j^{e_j}$$

$$\log_g x = \sum_{j=1}^{m} e_j \log_g p_j$$

Page 13: Introduction to Modern Cryptography        Homework assignments

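The problem: compute log_g 2 mod q, log_g 3 mod q, log_g 5 mod q, …

$$g^{x_1} \pmod{q} = \prod_{j=1}^{m} p_j^{e_j^{(1)}}$$
$$g^{x_2} \pmod{q} = \prod_{j=1}^{m} p_j^{e_j^{(2)}}$$
$$g^{x_3} \pmod{q} = \prod_{j=1}^{m} p_j^{e_j^{(3)}}$$
$$\vdots$$
$$g^{x_m} \pmod{q} = \prod_{j=1}^{m} p_j^{e_j^{(m)}}$$

$$x_1 = \sum_{j=1}^{m} e_j^{(1)} \log_g p_j \bmod (q-1)$$
$$x_2 = \sum_{j=1}^{m} e_j^{(2)} \log_g p_j \bmod (q-1)$$
$$x_3 = \sum_{j=1}^{m} e_j^{(3)} \log_g p_j \bmod (q-1)$$
$$\vdots$$
$$x_m = \sum_{j=1}^{m} e_j^{(m)} \log_g p_j \bmod (q-1)$$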

Page 14: Introduction to Modern Cryptography        Homework assignments

Back To Digital Signatures

• Summary of Discussion in Class
• RSA, El Gamal, Fiat-Shamir, DSS

Page 15: Introduction to Modern Cryptography        Homework assignments

Handwritten Signatures

• Relate an individual, through a handwritten signature, to a document.
• Signature can be verified against a prior authenticated one, signed in person.
• Should be hard to forge.
• Are legally binding (convince a third party, e.g. a judge).

Page 16: Introduction to Modern Cryptography        Homework assignments

Digital Signatures: Desired Properties

• Relate an individual, through a digital string, to a document.
• Signature should be easy to verify.
• Should be hard to forge.
• Are legally binding (convince a third party, e.g. a judge).

Page 17: Introduction to Modern Cryptography        Homework assignments

Diffie and Hellman (76) “New Directions in Cryptography”

Let E_A be Alice’s public encryption key, and let D_A be Alice’s private decryption key.

• To sign the message M, Alice computes the string y=D_A(M) and sends M,y to Bob.
• To verify this is indeed Alice’s signature, Bob computes the string x = E_A(y) and checks x=M.

Intuition: Only Alice can compute y=D_A(M), thus forgery should be computationally infeasible.

Page 18: Introduction to Modern Cryptography        Homework assignments

Problems with “Pure” DH Paradigm

• Easy to forge signatures of random messages even without holding D_A: Bob picks R arbitrarily, computes S=E_A(R). Then the pair (S,R) is a valid signature of Alice on the “message” S.
• Therefore the scheme is subject to existential forgery.
• “So what”?

Page 19: Introduction to Modern Cryptography        Homework assignments

Problems with “Pure” DH Paradigm

• Consider specifically RSA. Being multiplicative, we have (products mod N) D_A(M1M2) = D_A(M1) D_A(M2).
• If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…

Page 20: Introduction to Modern Cryptography        Homework assignments

Standard Solution: Hash First

Let E_A be Alice’s public encryption key, and let D_A be Alice’s private decryption key.

• To sign the message M, Alice first computes the strings y=H(M) and z=D_A(y). Sends M,z to Bob.
• To verify this is indeed Alice’s signature, Bob computes the string y=E_A(z) and checks y=H(M).
• The function H should be collision resistant, so that one cannot find another M’ with H(M)=H(M’).
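The two problems with the “pure” paradigm and the effect of hashing first, as an added Python example (not code from the slides). It assumes textbook RSA for E_A and D_A, a constructed toy key built from two Mersenne primes, SHA-256 reduced mod N as H, and the integers 100 and 20 in place of the encoded strings; all names are this example's own.

```python
import hashlib

# Constructed toy key built from two Mersenne primes; not a real-world key.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(m):
    """Pure paradigm: y = D_A(M)."""
    return pow(m, D, N)

def verify_raw(m, y):
    """Bob checks E_A(y) == M."""
    return pow(y, E, N) == m % N

def H(msg):
    """SHA-256 reduced into Z_N (adequate for this toy modulus only)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg):
    """Hash first: z = D_A(H(M))."""
    return pow(H(msg), D, N)

def verify_hashed(msg, z):
    """Bob checks E_A(z) == H(M)."""
    return pow(z, E, N) == H(msg)

def as_bytes(m):
    """Fixed-width encoding of an integer message for hashing."""
    return m.to_bytes((N.bit_length() + 7) // 8, "big")

# Page 18: a valid (message, signature) pair built from the public key alone.
R = 123456789
S = pow(R, E, N)
print("pair (S, R) verifies without D_A:", verify_raw(S, R))

# Page 19: two genuine signatures multiply into a signature on the product.
M1, M2 = 100, 20
M12, Y12 = M1 * M2 % N, sign_raw(M1) * sign_raw(M2) % N
print("product signature verifies:", verify_raw(M12, Y12))

# Hash first: neither pair is accepted, because S != H(S) and
# H(M1) * H(M2) != H(M1 * M2).
print("hashed check accepts (S, R):", verify_hashed(as_bytes(S), R))
```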

Page 21: Introduction to Modern Cryptography        Homework assignments

General Structure: Signature Schemes

• Generation of private and public keys (randomized).
• Signing (either deterministic or randomized)
• Verification (accept/reject) - usually deterministic.

Page 22: Introduction to Modern Cryptography        Homework assignments

Schemes Used in Practice

• RSA
• El-Gamal Signature Scheme (85)
• The DSS (digital signature standard), adopted by NIST in 94, is based on a modification of El-Gamal signature.

Page 23: Introduction to Modern Cryptography        Homework assignments

El-Gamal Signature Scheme

Generation

• Pick a prime p of length 1024 bits such that DL in Z_p^* is hard.
• Let g be a generator of Z_p^*.
• Pick x in [2,p-2] at random.
• Compute y=g^x mod p.
• Public key: p,g,y.
• Private key: x.

Page 24: Introduction to Modern Cryptography        Homework assignments

El-Gamal Signature Scheme

Signing M

• Hash: Let m=H(M).
• Pick k in [1,p-2] relatively prime to p-1 at random.
• Compute r=g^k mod p.
• Compute s=(m-rx)k^{-1} mod (p-1)   (***)
• Output r and s.

Page 25: Introduction to Modern Cryptography        Homework assignments

El-Gamal Signature Scheme

Verify M,r,s,PK

• Compute m=H(M).
• Accept if 0<r<p and y^r r^s = g^m mod p, else reject.
• What’s going on? By (***) s=(m-rx)k^{-1} mod p-1, so sk+rx=m. Now r=g^k so r^s=g^{ks}, and y=g^x so y^r=g^{rx}, implying y^r r^s=g^m.

Page 26: Introduction to Modern Cryptography        Homework assignments

Homework Assignment 2, part I

• Implement via Maple the El Gamal Signature Scheme:
  – Key Generation
  – Message Signature
  – Message Verification
• What happens if you use the same k twice?
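An added Python example (not the Maple solution the assignment asks for, and not code from the slides) of the signing and verification equations above, showing why k must be fresh for every signature: two signatures that share r give two linear congruences mod p-1 from (***), and those determine k and then x. It assumes constructed toy parameters p = 467, g = 2, passes the digest m = H(M) in directly as an integer, and uses helper names of its own.

```python
from math import gcd

# Constructed toy parameters: 2 generates Z_467^*; real keys use a large p.
P, G = 467, 2
X = 127                      # private key
Y = pow(G, X, P)             # public key

def sign(m, k, x=X):
    """m stands for the digest H(M); k must be secret and coprime to p-1."""
    if gcd(k, P - 1) != 1:
        raise ValueError("k must be relatively prime to p-1")
    r = pow(G, k, P)
    s = (m - r * x) * pow(k, -1, P - 1) % (P - 1)
    return r, s

def verify(m, r, s, y=Y):
    """Accept iff 0 < r < p and y^r * r^s = g^m (mod p)."""
    return 0 < r < P and pow(y, r, P) * pow(r, s, P) % P == pow(G, m, P)

def solve_congruence(a, b, n):
    """All z in [0, n) with a*z = b (mod n); handles gcd(a, n) > 1."""
    g = gcd(a, n)
    if b % g:
        return []
    n1 = n // g
    z0 = (b // g) * pow(a // g, -1, n1) % n1 if n1 > 1 else 0
    return [z0 + i * n1 for i in range(g)]

def recover_from_reused_k(m1, s1, m2, s2, r, y=Y):
    """Two signatures sharing r (same k) determine k and then x.

    From (***): (s1 - s2) * k = m1 - m2 and r * x = m1 - k * s1, both mod p-1.
    """
    n = P - 1
    for k in solve_congruence((s1 - s2) % n, (m1 - m2) % n, n):
        if pow(G, k, P) != r:
            continue
        for x in solve_congruence(r % n, (m1 - k * s1) % n, n):
            if pow(G, x, P) == y:
                return k, x
    return None

r, s1 = sign(100, 213)
_, s2 = sign(200, 213)       # same k reused for a second digest
print(verify(100, r, s1), recover_from_reused_k(100, s1, 200, s2, r))
```

A repeated r across two signatures from the same key is the visible symptom of a reused k.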

Page 27: Introduction to Modern Cryptography        Homework assignments

The Digital Signature Algorithm (DSA)

• Let p be an L bit prime such that the discrete log problem mod p is intractable

• Let q be a 160 bit prime that divides p-1

• Let α be a q’th root of 1 modulo p.

How do we compute α?

Page 28: Introduction to Modern Cryptography        Homework assignments

The Digital Signature Algorithm (DSA)

• p – prime, q – prime, p-1 = 0 mod q, α = 1^{(1/q)} mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = α^s mod p)
• Signature on message M:
  – Choose a random 1 ≤ k ≤ p-1, secret!!
    • Part I: (α^k mod p) mod q
    • Part II: (SHA (M) + s (PART I)) / k mod q

Page 29: Introduction to Modern Cryptography        Homework assignments

The Digital Signature Algorithm (DSA)

– p – prime, q – prime, p-1 = 0 mod q, α = 1^{(1/q)} mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α^s mod p). Signature on message M:
  • Choose a random 1 ≤ k ≤ p-1, secret!!
    – Part I: (α^k mod p) mod q
    – Part II: (SHA (M) + s (PART I)) / k mod q
  • Verification:
    – e1 = SHA (M) / (PART II) mod q
    – e2 = (PART I) / (PART II) mod q
    – OK if $(\alpha^{e_1} \beta^{e_2} \bmod p) \bmod q = $ (PART I)

Page 30: Introduction to Modern Cryptography        Homework assignments

The Digital Signature Algorithm

$$e_1 = \frac{SHA(M)}{\left( SHA(M) + s\,(\alpha^k \bmod p) \bmod q \right) / k \bmod q}$$

$$e_2 = \frac{(\alpha^k \bmod p) \bmod q}{\left( SHA(M) + s\,(\alpha^k \bmod p) \bmod q \right) / k \bmod q}$$

Homework 2 part II:

• Prove that if the signature is generated correctly then the verification works correctly.
• What happens if PART II of the signature is 0?

Page 31: Introduction to Modern Cryptography        Homework assignments

Signatures vs. MACs

Suppose parties A and B share the secret key K. Then M, MAC_K(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MAC_K(M) was sent by B, since A could generate it herself.

Page 32: Introduction to Modern Cryptography        Homework assignments

Identification: Model

• Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc.

• Bob may ask the following:
  – Who are you? (prove that you’re Alice)
  – Who the **** is Alice?
• Eve wishes to impersonate Alice:
  – One time impersonation
  – Full impersonation (identity theft)

Page 33: Introduction to Modern Cryptography        Homework assignments

Identification Scenarios

• Local identification
  – Human authenticator
  – Device
• Remote identification
  – Human authenticator
  – Corporate environment (e.g. LAN)
  – E-commerce environment
  – Cable TV/Satellite: Pay-per-view; subscription verification
  – Remote login or e-mail from an internet cafe.

Page 34: Introduction to Modern Cryptography        Homework assignments

Initial Authentication

• The problem: how does Alice initially convince anyone that she’s Alice?

• The solution must often involve a “real-world” type of authentication – id card, driver’s license etc.

• Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco).
• Even in scenarios where it is OK for Alice to be whoever she claims she is, we may want to at least make sure Alice is human (implemented, e.g., for new users in Yahoo mail).

Page 35: Introduction to Modern Cryptography        Homework assignments

Closed Environments

• The initial authentication problem is fully solved by a trusted party, Carol

• Carol can distribute the identification material in a secure fashion, e.g. by hand, or over encrypted and authenticated lines
• Example – a corporate environment
• Eve’s attack avenue is the Alice-Bob connection
• We begin by looking at remote authentication

Page 36: Introduction to Modern Cryptography        Homework assignments

Fiat-Shamir Scheme

• Initialization
• Set Up
• Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction

Page 37: Introduction to Modern Cryptography        Homework assignments

Initialization

• Bob gets from Carol N=pq but not its factorization.
• Alice picks m numbers R1,R2,…,Rm in Z_N at random.
• Alice computes S1 = R1^2 mod N, …, Sm = Rm^2 mod N.
• Alice gives Bob S1,S2,…,Sm.
• She keeps R1,R2,…,Rm secret.

Page 38: Introduction to Modern Cryptography        Homework assignments

Set Up

• Bob holds S1,S2,…,Sm.
• Alice keeps R1,R2,…,Rm secret.
• Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S1,S2,…,Sm.
• A bad way to convince Bob: Send him R1,R2,…,Rm.
• Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge).

Page 39: Introduction to Modern Cryptography        Homework assignments

Basic Protocol

• Let S1 = R1^2 such that Alice holds R1.
• To convince Bob that Alice knows a square root mod N of S1, Alice picks at random X1 in Z_N, computes Y1 = X1^2 mod N, and sends Y1 to Bob.
• Alice: “I know both a square root mod N of Y1 (=X1) and a square root mod N of Y1 S1 (=X1 R1). Make a choice which of the two you want me to reveal.”
• Bob flips a coin, outcome (heads/tails) determines the challenge he poses to Alice.

Page 40: Introduction to Modern Cryptography        Homework assignments

Basic Protocol (cont.)

• If Alice knows both a square root of Y1 (=X1) and a square root of Y1 S1 (=X1 R1) then she knows R1 (a square root of S1).
• Thus if Alice does not know a square root of S1, Bob will catch her cheating with probability 1/2.
• In the protocol, Alice will produce Y1,Y2,…,Ym.
• Bob will flip m coins b1,b2,…,bm as challenges.
• Bob accepts only if Alice succeeds in all m cases.

Page 41: Introduction to Modern Cryptography        Homework assignments

Basic Protocol

Alice to Bob: Y1,Y2,…,Ym
Bob to Alice (challenge): b1,b2,…,bm   (1, 0, …, 0)
Alice to Bob (m response): X1S1,X2,…,Xm

Bob accepts iff all m challenges are met.

Page 42: Introduction to Modern Cryptography        Homework assignments

Improved (more efficient) Protocol

Alice to Bob: Y1,Y2,…,Ym
Bob to Alice (challenge): b1,b2,…,bm   (1, 0, …, 0)
Alice to Bob (2 response): Product of XiRi with bi=1; Product of Xi with bi=0

Bob accepts iff challenges are met.

Page 43: Introduction to Modern Cryptography        Homework assignments

Correctness of Protocol (Intuition ONLY)

1. A cheating Eve, without knowledge of Ri’s, will be caught with high probability.

2. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns she can simulate on her own).

Crucial ingredients: 1. Interaction. 2. Randomness.

Page 44: Introduction to Modern Cryptography        Homework assignments

Final Improvement (Fiat Shamir)

Let H be a secure hash function

Alice to Bob: Y1,Y2,…,Ym
Bob to Alice (challenge): b1b2…bm=H(Y1,Y2,…,Ym)   (1, 0, …, 0)
Alice to Bob (2 response): Product of XiRi, bi=1; Product of Xi, bi=0

Bob accepts iff challenges are met.

Page 45: Introduction to Modern Cryptography        Homework assignments

Final Improvement: Remove Interaction

Let H be a secure hash function

Alice to Bob: Y1,Y2,…,Ym
Bob to Alice (challenge): b1b2…bm=H(Y1,Y2,…,Ym)   (1, 0, …, 0)
Alice to Bob (2 response): Product of XiRi, bi=1; Product of Xi, bi=0

Bob accepts iff challenges are met.

Page 46: Introduction to Modern Cryptography        Homework assignments

Correctness of Fiat-Shamir (Intuition ONLY)

A cheating Eve, without knowledge of Ri’s, cannot succeed in producing Y1,Y2,…,Ym that will be hashed to a convenient bit vector b1b2…bm since m is too long and H behaves like a random function (so the chances of hitting a bit vector favourable to Eve are negligible).

FS scheme used in practice.
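The non-interactive construction from the last slides, as an added Python example (not code from the slides): Alice commits to Y1..Ym, derives the challenge bits from H(Y1,…,Ym) herself, and sends the two product responses; Bob recomputes the bits and checks both squares. It assumes a constructed toy modulus, SHA-256 as H, m = 64, and function names of its own.

```python
import hashlib
import secrets

# Constructed toy modulus (product of two Mersenne primes); Carol would
# generate a real N and keep its factorization secret.
N = (2**61 - 1) * (2**89 - 1)
M = 64                                   # number of secrets = challenge bits

def keygen(m=M):
    """Alice's secrets R_i and the public S_i = R_i^2 mod N."""
    R = [secrets.randbelow(N - 2) + 2 for _ in range(m)]
    return R, [r * r % N for r in R]

def challenge(Y):
    """b_1..b_m = H(Y_1,...,Y_m), taken from SHA-256 (assumed choice of H)."""
    data = b"".join(y.to_bytes(32, "big") for y in Y)
    bits = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [(bits >> i) & 1 for i in range(len(Y))]

def prove(R):
    """Commitments Y_i plus the two product responses."""
    X = [secrets.randbelow(N - 2) + 2 for _ in R]
    Y = [x * x % N for x in X]
    z1 = z0 = 1
    for x, r, bit in zip(X, R, challenge(Y)):
        if bit:
            z1 = z1 * x * r % N          # product of X_i R_i with b_i = 1
        else:
            z0 = z0 * x % N              # product of X_i with b_i = 0
    return Y, z1, z0

def verify(S, proof):
    """Bob recomputes the challenge and checks both squared products."""
    Y, z1, z0 = proof
    if len(Y) != len(S):
        return False
    e1 = e0 = 1
    for y, s, bit in zip(Y, S, challenge(Y)):
        if bit:
            e1 = e1 * y * s % N          # product of Y_i S_i with b_i = 1
        else:
            e0 = e0 * y % N              # product of Y_i with b_i = 0
    return z1 * z1 % N == e1 and z0 * z0 % N == e0

R_alice, S_alice = keygen()
print("honest proof accepted:", verify(S_alice, prove(R_alice)))
```

A prover holding the wrong R values is rejected unless every challenge bit happens to be 0, which is why m has to be long.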