Introduction to Modern Cryptography Homework assignments

Pollards p-1 factoring algorithm Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

Pollards p-1 factoring algorithm Thus,

Pollards p-1 factoring algorithm Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do –Compute Return d = gcd(a-1,n)

Pollards ρ algorithm for discrete log Problem with Shank ’ s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory

Pollards discrete log ρ algorithm Define sets S 1, S 2, S 3 (e.g., divisible by 3, 1 not in S 2 ) Define x 0 = 1 Define

Pollards discrete log ρ algorithm

Beyond Homework Assignments Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

Using smoothness for factoring (Repeating what ’ s been done in class): Factor n = pq by computing two different square roots modolu n Compute x 2 mod n If x 2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of p j that divides x 2 mod n p 1, p 2, …, p m – all primes ≤ B

Using smoothness for factoring Solve for the all-zero vector This gives us

Using smoothness for discrete log? The Index Calculus Method We want to compute log g x mod q If we knew –log g 2 mod q, –log g 3 mod q, –log g 5 mod q, …, –log g p m mod q Then we could try to solve for log g x mod q as follows:

The problem: compute log g 2 mod q, log g 3 mod q, log g 5 mod q, …

Back To Digital Signatures Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

Diffie and Hellman (76) “New Directions in Cryptography” Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice computes the string y=D A (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = E A (y) and checks x=M. Intuition: Only Alice can compute y=D A (M), thus forgery should be computationally infeasible.

Problems with “Pure” DH Paradigm Easy to forge signatures of random messages even without holding D A : Bob picks R arbitrarily, computes S=E A (R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?

Problems with “Pure” DH Paradigm Consider specifically RSA. Being multiplicative, we have (products mod N) D A (M 1 M 2 ) = D A (M 1 ) D A (M 2 ). If M 2 =“I OWE BOB $20” and M 1 =“100” then under certain encoding of letters we could get M 1 M 2 =“I OWE BOB $2000”…

Standard Solution: Hash First Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=D A (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=E A (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).

General Structure: Signature Schemes Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.

Schemes Used in Practice RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.

El-Gamal Signature Scheme Pick a prime p of length 1024 bits such that DL in Z p * is hard. Let g be a generator of Z p *. Pick x in [2,p-2] at random. Compute y=g x mod p. Public key: p,g,y. Private key: x. Generation

El-Gamal Signature Scheme Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g k mod p. Compute s=(m-rx)k -1 mod (p-1) (***) Output r and s. Signing M

El-Gamal Signature Scheme Compute m=H(M). Accept if 0<r<p and y r r s =g m mod p. else reject. What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks, and y=g x so y r =g rx, implying y r r s =g m. Verify M,r,s,PK

Homework Assignment 3, part I Implement via Maple the El Gamal Signature Scheme: –Key Generation –Message Signature –Message Verification What happens if you use the same k twice?

Comments on Homework assignment Takes too long to find primes Idea: shorten the process by removing clear non- primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.

The Digital Signature Algorithm (DSA) Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

The Digital Signature Algorithm (DSA) p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p) Signature on message M: –Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((α k mod p) mod q

The Digital Signature Algorithm (DSA) –p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! –Part I: ((α k mod p) mod q –Part II: (SHA (M) + s (PART I)) /k mod q Verification: –e 1 = SHA (M) / (PART II) mod q –e 2 = (PART I) / (PART II) mod q –OK if

The Digital Signature Algorithm Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?