Cryptology Design Fundamentals Grundlagen des kryptographischen Systementwurfs Module ID: ET-IDA-048 17.12.2018, v26 Prof. W. Adi Tutorial-12 Cryptographic Identification

Problem 11-1: Set up Fiat Shamir Proof of Identity Protocol over Z33. User A has the secret key a=7. User A generated 3 random numbers 22,27,32 Which one of these numbers is a unit.. Use it as r for user‘s A first challenge and compute S 2. How many possible units can be selected in this system setup? 3. The verifier responded with the challenge b=1. Compute user A‘s response t . 4. Excute the verifier computations to check the response of A. 5. If the user A used the same random number again and the verifier challenged this time with b=0. How can you attack user‘s A identity. Solution: 1. As gcd (33,22) = 11, 22 is not invertible. gcd (33,27) = 3, 27 is not invertible, gcd (33,32) = 1, 32 is invertible or it is a unit. 2. The number of units is (33) = (11-1)(3-1)=20 And 4. See the protocol sketch below For b=0 and having the same random r the new response is t2 = r, as the first response t1 = r Xa solving for Xa from the above two equations yields Xa = t1 / t2 = t1 x 2 -1 = 26 x 32 = 7.

Solution 11.1 : Fiat-Shamir Proof-of-Identity Protocol (1986) A Zero-Knowledge proof protocol ! m = p1 p2 = 33 p1 p2 are secrets which no body should know Security relies on the Factoring Problem ! public directory m= 33 is RSA type modulus xa = secret key of A=7 ya = xa2 = 16 in Z33 (mod m) Prover A Verifier A chooses a unit r = 32 in Z33 and computes S = r 2 = ..2 = 1 ( I am user A, S ) randomly choose b b = 1 or 0 b=1 xa S ya If t2 = S . yab = 262 = 1 X 161 16 = 16 then A is authentic (A knows xa ) t1 =26 for b=1 t2 =32 for b=0 t = r. xab = 32 X 7b = -7=26 Prob. of a successful attack after k trials = 2-k

Problem 11-2: Set up Omura Proof of Identity Protocol over GF(24) . User the generator polynomial P(x) = x4 + x3+ x2 + x + 1. Compute all powers of x up to 10. Select a primitive element  from the following list 0010, 0011 and compute the order of the selected one. How many primitive elements do we have over GF(24)? State three other primitive elements If the verifier selects K= 6, compute the verifier‘s challenge R. Compute user‘s A response if the secret key of A is 7 Verify user‘s A response. Solution 11-2: P(x) = x4 + x3+ x2 + x + 1=0, x4 = x3+ x2 + x + 1. The powers of x are: x=x x2= x2 x3= x3 x4= x3+ x2 + x + 1 x5= x4+ x3 + x2 + x = x3+ x2 + x + 1 + x3 + x2 + x = 1 order of x=5 x6= x, x7= x2, x8= x3, x9= x4, x10= x0=1 The orders of elements are the divisors of 24-1= 15, that is 1,3,5,15 Order of 0010 = x = 5 the element is not primitive. Order of 0011 = 1+x : (1+x)3 = (1+x2)(1+x) = 1 + x2 + x + x3 1 (1+x)5 = (1+x)3 (1+x)2 = (1 + x2 + x + x3 )(1+x2 ) = 1 + x2 + x + x3 + x2 + x4 + x3 + x5 = 1 + x2 + x3 1 thus order of (1+x) is 15 and it is primitive. Ord(0010= x) = 5 => x ist not a primitive element x4= x3+ x2 + x + 1

Omura Proof-of-Identity Protocol Solution Cont. : 2. The number of primitive elements is (15) = (3-1)(5-1)=8 3. As (1+x) is primitive, then (1+x)i is also primitive iff gcd(15,i)=1 therefore (1+x)2 , (1+x)4 , (1+x)7 are all primitive elements. 4. See the sketch below: 6 = (1+x)6 = (1+x)5 (1+x) = (1 + x2 + x3 ) (1+ x) = 1 + x2 + x3 + x + x3 +x4 = 1+ x+x2 + 1 +x+ x2 + x3 = x3 Omura Proof-of-Identity Protocol public directory ya =αXa = (1+x)7 = (1+x)5 (1+x)2 = (1 + x2 + x3 ) (1+ x2) = 1 + x2 + x3 + x2 + x4 +x5 ya = x3 + 1 +x+ x2 + x3 = 1 +x+ x2 = ya = (1 +x) is a primitive element in GF( 24 ) P(x) = x4 + x3+ x2 + x + 1 ya = 0111= public key of A Verifier Prover A xa Randomly choose k=6 compute R =  6 =1000 =x3 Who are you?, R= x3 R=1000= x3 I am user A, RXa = x R Xa = (x3 )7 mod 5 = x check R Xa = yak x = (1+x+x2)6 x= x => User is authentic (1 + x + x2 )6 = (1 + x + x2 )4 (1 + x + x2 )2 = (1 + x4 + x8 ) (1 + x2 + x4 ) = 1 + x4 + x8 + x2 + x6 + x10 + x4 + x8 + x12 = = 1 + x2 + x + x0 + x2 = x