KNAPSACK公開金鑰密碼學 Algorithms FINITE DEFINITENESS INPUT/OUTPUT GENERALITY EFFECTIVENESS
NP-Complete 問題 到目前為止尚未有好的Algorithm, 可在Polynomial time解決。 如 0/1-Knapsack
an
0/1 Knapsack problem (sum of subset) 已知一整數C及一向量A=(a1,a2,…,an) 求一A之子集合,其和為C亦即求一二元之向量 M=(m1,m2,…,mn)使得C=M×AT Example N=5,C=4,及A=(1,10,5,22,3) 則M=(1,1,0,0,1)
Simple Knapsack Problem 為一特例,其問題之解可以在Linear time求得 向量A內之元素呈Supper increasing,即 Example N=5,C=14,及A=(1,3,5,10,22) 則 m5=0----因14<22 m4=1----因14>10 m3=0----因4<5 m2=1----因4>3 m1=1----因1=1 M=(1,1,0,1,0)
Merkle-Hellman Knapsack 將Simple Knapsack 轉成一般的0/1 Knapsack 選一個Simple Knapsack A=(a1, a2, …, an) 選一整數u,使得 u > 選一整數e為加密金鑰,e和u互質 計算解密金鑰d,e × d=1 mod u 轉換A為一般的0/1 Knapsack A A=(e × A) mod u Public Key = A Trapdoor = d 和u (A=dA mod u) 密文C = M× AT
Merkle-Hellman Knapsack方法(續) 解密步驟 轉換密文C為可用Simple Knapsack求解之值C C=d × C mod u =d×MAT mod u =d×M×(e×AT) mod u =MAT 因A為Simple Knapsack,故M可以很快求得。
Example: Merkle-Hellman Knapsack 設A=(1, 3, 5, 10),u=20和e=7, 則d=3 A=(7, 1, 15, 10) 設M=13,以二進位法表示(1,1,0,1) C=M×AT=7+1+10=18 解密 C=3×18 mod 20=14
Merkle-Hellman Knapsack方法的保密性 原先建議n=100,但Knapsack Problem可在T=0 (2n/2) 時間解決,n=100,250=1015 使用一個processor約11574天可完成,1000個處理機 可在12天完成,故為安全起見,取n=200 Merkle-Hellman 建議使用多組e,d來重覆處A=eA。 雖然0/1 Knapsack 是NP-complete,但不意味著由 Simple Knapsack轉換之Problem一定是NP-complete
Graham-Shamir Knapsack 方法 和Merkle-Hellman Knapsack 相似,只有A`之結構稍有改變。 Aj=(Rj, Ij, Sj)以二進位表示之。 Rj, Sj: 為隨機亂數 Ij: 為第j 個bit為1,其他位置為0的單位元素。 Sj:前面的log2n位元值為0,以保證不會有進位產生。 ((In, Sn), (In-1, Sn-1), …, (I1, S1))為一Simple Knapsack 找d, e, u, 和A的方法同Merkle-Hellman Knapsack法 優點:解密時可以由C中直接求得M。
Example: Graham-Shamir Knapsacks j Rj Ij Sj 011010 10000 000101 =a1 001001 01000 000011 =a2 010010 00100 000100 =a3 011000 00010 000111 =a4 000110 00001 000001 =a5 M=(0,1,0,0,1) C`=M×AT=a2+a5 =(R2+R5, I2+I5, S2+S5)=001111 01001 000100 恰為明文
數位簽章 ‧RSA Digital Signature (R. L. Rivest, A. Shamir, and L. M. Adleman, 1978) ‧ElGamal Digital Signature (T. ElGamal, 1985) ‧Schnorr’s Digital Signature (C. P. Schnorr, 1989) ‧Blind Signature (D. Chaum, 1983)
Introduction Three Basic Services of Cryptography 1. Secrecy (provided by cryptosystems) 2. Authenticity (provided by digital signature scheme) 3. Integrity (provided by digital signature scheme) Two Famous Digital Signature Schemes 1. RSA Digital signature scheme (based on the factorization problem) 2. ElGamal digital signature scheme (based on the discrete logarithm)
Introduction Applications: Blind signature (for electronic commerce)
Check Message=?Message Introduction The Model of Digital Signature Signer’s public key Signer’s secret key Verification Function Sign Function Message Signature Message Message Check Message=?Message
RSA Public Key Cryptosystem and Digital Signature Scheme Rivest, Shamir, and Adleman proposed in 1978 RSA Public Key Cryptosystem ◆ Security Basis: Factorization Problem. ◆ Construction: 1. Choose two large prime numbers P and Q, then compute N=P×Q. 2. Select an integer e such that gcd(e, (N))=1. 3. Compute d such that e×d mod (N)=1. 4. Public key = (N, e). 5. Private key = (P, Q, d).
RSA Public Key Cryptosystem and Digital Signature Scheme RSA Digital Signature Scheme Sign Function: Signature S=Md mod N. Verification Function: M=Se mod N. Example P=11,Q=13, N=143, and (143)=120. e=103, then d=7 (for 103×7 mod 120=1 ). Sign for M=3: S=37 mod 143=42. Verification: M= Se mod N = 42103 mod 143=3.
ElGamal Public Key Cryptosystem and Digital Signature Scheme ElGamal proposed in 1985 ElGamal Public Key Cryptosystem ◆ Security Basis: Discrete Logarithm Problem 1. If P is a large prime and g and y are integers, find x such that y=gx mod P. 2. The security restriction on P: P-1 must contain a large prime factor Q. ◆ Construction: 1. Choose a large prime number P and a generator g of GF(P). 2. Private key: a random integer x between 1 and P-1. 3. Public key: y=gx mod P.
ElGamal Public Key Cryptosystem and Digital Signature Scheme ElGamal Digital Signature Scheme Sign Function: Signature (r, s) for message M. 1. Select a random integer k between 1 and P-1 such that gcd(k, P-1)=1. 2. Compute r=gk mod P. 3. Compute s=k-1(M-xr) mod (P-1). Verification Function: Verify by checking whether gM mod P = (rs) ×(yr) mod P. (rs) ×(yr)=g(M-xr) × gxr = g(M-xr)+xr=gM mod P.
ElGamal Public Key Cryptosystem and Digital Signature Scheme Example P=23, g=5. x=3, then y=10 (for 53 mod 23=10 ). Sign for the message M=8. Select k=5 between 1 and 22 (P-1). Compute r = gk mod P = 55 mod 23 = 20. Compute s = k-1(M-xr) mod (P-1) = 5-1(8-3×20) mod 22 = 9×14 mod 22 = 16. Verification: gM= 58 mod 23 =16 (rs)(yr) mod P = 2016 × 1020 mod 23= 13×3 mod 23 = 16.
Schnorr’s Digital Signature Scheme Sign Function: Signature (r, s) for message M. 1. Select a random integer k between 1 and P-1. 2. Compute r = h(M, gk mod P). 3. Compute s = k + x*r mod (P-1). , where the secret key x the public key y= g-x mod P 4. Send (M, r, s) to the receiver. Verification Function: Compute gk mod P=gsyr mod P. Verify by checking whether r = h(M, gk mod P).
Blind Signature D. Chaum proposed in 1983 D. Chaum’s Blind Signature Scheme ◆ It uses the RSA algorithm. Security Basis: Factorization Problem ◆ Construction: Bob has a public key, e, a private key, d, and a public modulus, N. Alice wants Bob to sign message M blindly. 1. Alice chooses a random integer k between 1 and N. Then she blinds M by computing t = Mke mod N. 2. Bob signs t, td=(Mke)d mod N. 3. Alice unblinds td by computing s=td/k mod N = Md mod N. s is the signature of message M.
Blind Signature Property: Untraceable Applications: Blind signature can be used in electronic cash system. signs coins database Bank 1. t=SN×ke mod N SN: Serial # k: random number 2. t 7. Coin 3. td mod N Consumer Merchant 5. Coin 4. s=(td)/k mod N=SNd mod N 6. Verify the signature s Coin: SN+s