Cryptology Design Fundamentals Grundlagen des kryptographischen Systementwurfs Module ID: ET-IDA-048 17.12.2018, v26 Prof. W. Adi Tutorial-12 Cryptographic Identification

Problem 11-1: Set up Fiat Shamir Proof of Identity Protocol over Z33. User A has the secret key a=7. User A generated 3 random numbers 22,27,32 Which one of these numbers is a unit.. Use it as r for user‘s A first challenge and compute S 2. How many possible units can be selected in this system setup? 3. The verifier responded with the challenge b=1. Compute user A‘s response t . 4. Excute the verifier computations to check the response of A. 5. If the user A used the same random number again and the verifier challenged this time with b=0. How can you attack user‘s A identity. Solution: 1. As gcd (33,22) = 11, 22 is not invertible. gcd (33,27) = 3, 27 is not invertible, gcd (33,32) = 1, 32 is invertible or it is a unit. 2. The number of units is (33) = (11-1)(3-1)=20 And 4. See the protocol sketch below For b=0 and having the same random r the new response is t2 = r, as the first response t1 = r Xa solving for Xa from the above two equations yields Xa = t1 / t2 = t1 x 2 -1 = 26 x 32 = 7.

Solution 11.1 : Fiat-Shamir Proof-of-Identity Protocol (1986) A Zero-Knowledge proof protocol ! m = p1 p2 = 33 p1 p2 are secrets which no body should know Security relies on the Factoring Problem ! public directory m= 33 is RSA type modulus xa = secret key of A=7 ya = xa2 = 16 in Z33 (mod m) Prover A Verifier A chooses a unit r = 32 in Z33 and computes S = r 2 = ..2 = 1 ( I am user A, S ) randomly choose b b = 1 or 0 b=1 xa S ya If t2 = S . yab = 262 = 1 X 161 16 = 16 then A is authentic (A knows xa ) t1 =26 for b=1 t2 =32 for b=0 t = r. xab = 32 X 7b = -7=26 Prob. of a successful attack after k trials = 2-k

Problem 11-2: Solution 11-2: x4= x3+ x2 + x + 1 Set up Omura Proof of Identity Protocol over GF(24) . User the generator polynomial P(x) = x4 + x3+ x2 + x + 1. Compute all powers of x up to 10. Select a primitive element  from the following list 0010, 0011 and compute the order of the selected one. How many primitive elements do we have over GF(24)? State three other primitive elements If the verifier selects K= 6, compute the verifier‘s challenge R. Compute user‘s A response if the secret key of A is 7 Verify user‘s A response. Solution 11-2: P(x) = x4 + x3+ x2 + x + 1=0, x4 = x3+ x2 + x + 1. The powers of x are: x=x x2= x2 x3= x3 x4= x3+ x2 + x + 1 x5= x4+ x3 + x2 + x = x3+ x2 + x + 1 + x3 + x2 + x = 1 order of x=5 x6= x, x7= x2, x8= x3, x9= x4, x10= x0=1 The orders of elements are the divisors of 24-1= 15, that is 1,3,5,15 Order of 0010 = x = 5 the element is not primitive. Order of 0011 = 1+x : (1+x)3 = (1+x2)(1+x) = 1 + x2 + x + x3 1 (1+x)5 = (1+x)3 (1+x)2 = (1 + x2 + x + x3 )(1+x2 ) = 1 + x2 + x + x3 + x2 + x4 + x3 + x5 = 1 + x2 + x3 1 thus order of (1+x) is 15 and it is primitive. Ord(0010= x) = 5 => x ist not a primitive element x4= x3+ x2 + x + 1

Omura Proof-of-Identity Protocol Solution Cont. : 2. The number of primitive elements is (15) = (3-1)(5-1)=8 3. As (1+x) is primitive, then (1+x)i is also primitive iff gcd(15,i)=1 therefore (1+x)2 , (1+x)4 , (1+x)7 are all primitive elements. 4. See the sketch below: 6 = (1+x)6 = (1+x)5 (1+x) = (1 + x2 + x3 ) (1+ x) = 1 + x2 + x3 + x + x3 +x4 = 1+ x+x2 + 1 +x+ x2 + x3 = x3 Omura Proof-of-Identity Protocol public directory ya =αXa = (1+x)7 = (1+x)5 (1+x)2 = (1 + x2 + x3 ) (1+ x2) = 1 + x2 + x3 + x2 + x4 +x5 ya = x3 + 1 +x+ x2 + x3 = 1 +x+ x2 = ya = (1 +x) is a primitive element in GF( 24 ) P(x) = x4 + x3+ x2 + x + 1 ya = 0111= public key of A Verifier Prover A xa Randomly choose k=6 compute R =  6 =1000 =x3 Who are you?, R= x3 R=1000= x3 I am user A, RXa = x R Xa = (x3 )7 mod 5 = x check R Xa = yak x = (1+x+x2)6 x= x => User is authentic (1 + x + x2 )6 = (1 + x + x2 )4 (1 + x + x2 )2 = (1 + x4 + x8 ) (1 + x2 + x4 ) = 1 + x4 + x8 + x2 + x6 + x10 + x4 + x8 + x12 = = 1 + x2 + x + x0 + x2 = x

Problem 11-3: (Schnorr’s Identification/signature Scheme) Set up Schnorr’s Identification/signature Scheme over GF(139). User A has the secret key XA=18. 1. Compute q the order of the element α=26 in GF(139). Is q suitable for Schnorr’s Identification/signature Scheme.? 2. Compute the public key of A: 3. Compute , for a random value k=15. 4. Compute the hash value H(M|r) for a message message M =37 by using the following hash function: 5. Prover A sings a hash value H(M|r) for a message message M=37. 6. The verifier checks the A‘signature.

Schnorr’s Identification/signature Scheme Open Directory (as DH public directory) GF(p), Element α has order q such that q is prime which divides p-1 is the public key of A having secret key xA< q User A sings a hash value H(M|r) for a message message M: Similarity to ElGamal Signature Prover A verifier - A proves that he knows xA - A good ans strong hash function is required

Solution 11-3: 1. The possible units orders in GF(139) are the divisors of φ(139) = 138 => the divisors of 138 are 1, 2, 3, 6, 23, 46,69, and 138 Order of 2: 21 = 2 1, 22 = 4 1, 23 = 8 1, 26 = 64 1, , 223 = 97 1 , 246 = 96 1, 269 = 96 138, => order of 2 is 138 Order of 26=64: ord(2k)= ord(2)/gcd(k,ord(2)) Ord(64)=ord(26)= ord(2)/gcd(6,ord(2))=138/gcd(6,138)=138/6=23 2. The public key of A: = 6418 mod 139 = 34 3. For k=15; =6415mod 139=80 4. For M=37; =(3780)3mod 83=74

verifier Prover A 5. Prover A sings a hash value H(M|r). public directory Prover A GF(139), α=26 =64 YA= 34 =(15- 18x 74)mod 23=17 verifier 6. verify A‘signature. =(6417 x 3474)mod 139= 80 (3780)3mod 83=74=m Then, A is authentic