Introduction to Modern Cryptography


Presentation on theme: "Introduction to Modern Cryptography"— Presentation transcript:

1 Introduction to Modern Cryptography
Homework assignments: Pollard's (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors; Pollard's ρ algorithm for discrete log.

2 Pollard's p-1 factoring algorithm
Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

3 Pollard's p-1 factoring algorithm
Thus,

4 Pollard's p-1 factoring algorithm
Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do Compute Return d = gcd(a-1,n)
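The steps on slide 4, as an added example that is not part of the original slides. The per-prime exponent is missing from the transcript, so this sketch assumes it raises a to the largest power of q that is ≤ B, which makes the total exponent the Q defined on slide 2; the function names and sample moduli are constructed for illustration.

```python
from math import gcd

def primes_upto(B):
    """All primes <= B by trial division (B is small here)."""
    return [q for q in range(2, B + 1)
            if all(q % d for d in range(2, int(q ** 0.5) + 1))]

def pollard_p_minus_1(n, B, a=2):
    """Return a nontrivial factor of n, or None if bound B and base a fail.

    Raises a to Q = LCM of all prime powers <= B, one prime at a time,
    so a^Q = 1 (mod p) whenever p - 1 divides Q.
    """
    d = gcd(a, n)
    if d >= 2:
        return d                      # lucky: a already shares a factor with n
    for q in primes_upto(B):
        qe = q
        while qe * q <= B:            # largest power of q that is <= B
            qe *= q
        a = pow(a, qe, n)
    d = gcd(a - 1, n)
    # d == 1: a^Q != 1 modulo every prime factor (B too small).
    # d == n: a^Q == 1 modulo every prime factor (B too large to separate them).
    return d if 1 < d < n else None

if __name__ == "__main__":
    # Constructed input: 2521 - 1 = 2^3 * 3^2 * 5 * 7 is 10-smooth, 1019 - 1 = 2 * 509 is not.
    n = 2521 * 1019
    print(pollard_p_minus_1(n, B=10))    # 2521
    print(pollard_p_minus_1(299, B=11))  # None: 299 = 13 * 23 and both p-1 divide Q
```

The None case for 299 shows why the bound matters in both directions: a modulus is only protected when every prime factor p has a large prime dividing p-1.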

5 Pollard's ρ algorithm for discrete log
Problem with Shanks' baby-step giant-step algorithm: too much memory. Pollard's ρ algorithm for discrete log: takes O(1) memory.

6 Pollard's discrete log ρ algorithm
Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2) Define x0 = 1 Define

7 Pollard's discrete log ρ algorithm

8 Pollard's discrete log ρ algorithm

9 Beyond Homework Assignments
Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

10 Using smoothness for factoring
(Repeating what’s been done in class): Factor n = pq by computing two different square roots modulo n. Compute x^2 mod n. If x^2 mod n is smooth with respect to B, then add a row to a matrix where the jth coordinate is the parity of the power of p_j that divides x^2 mod n. p_1, p_2, …, p_m: all primes ≤ B.

11 Using smoothness for factoring
Solve for the all-zero vector This gives us

12 Using smoothness for discrete log? The Index Calculus Method
We want to compute log_g x mod q. If we knew log_g 2 mod q, log_g 3 mod q, log_g 5 mod q, …, log_g p_m mod q, then we could try to solve for log_g x mod q as follows:

13 The problem: compute log_g 2 mod q, log_g 3 mod q, log_g 5 mod q, …

14 Back To Digital Signatures
Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

15 Handwritten Signatures
Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

16 Digital Signatures: Desired Properties
Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

17 Diffie and Hellman (76) “New Directions in Cryptography”
Let E_A be Alice’s public encryption key, and let D_A be Alice’s private decryption key. To sign the message M, Alice computes the string y=D_A(M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x=E_A(y) and checks x=M. Intuition: Only Alice can compute y=D_A(M), thus forgery should be computationally infeasible.

18 Problems with “Pure” DH Paradigm
Easy to forge signatures of random messages even without holding D_A: Bob picks R arbitrarily, computes S=E_A(R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what”?

19 Problems with “Pure” DH Paradigm
Consider specifically RSA. Being multiplicative, we have (products mod N) D_A(M1M2) = D_A(M1) D_A(M2). If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…

20 Standard Solution: Hash First
Let E_A be Alice’s public encryption key, and let D_A be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=D_A(y), and sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=E_A(z) and checks y=H(M). The function H should be collision resistant, so that one cannot find another M’ with H(M)=H(M’).
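The two forgeries from slides 18 and 19 and the effect of hashing first, as an added example that is not part of the original slides. It assumes textbook RSA for E_A and D_A with a constructed toy key, and SHA-256 reduced mod N as a stand-in for H; all names are illustrative.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # Alice's private exponent

def D_A(m): return pow(m, D, N)            # private operation (Alice only)
def E_A(y): return pow(y, E, N)            # public operation (anyone)

def H(M: bytes) -> int:
    """SHA-256 reduced mod N; the reduction is a toy stand-in for a real encoding."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % N

def verify_pure(M: int, y: int) -> bool:   # slide 17: check E_A(y) = M
    return E_A(y) == M % N

def sign_hashed(M: bytes) -> int:          # slide 20: z = D_A(H(M))
    return D_A(H(M))

def verify_hashed(M: bytes, z: int) -> bool:
    return E_A(z) == H(M)

def demo():
    # Slide 18: pick R, present "message" S = E_A(R) with signature R. No private key involved.
    R = 123456789
    S = E_A(R)
    # Slide 19: the product of two genuine pure signatures signs the product message.
    M1, M2 = 100, 20
    y12 = D_A(M1) * D_A(M2) % N
    # Against hash-first the product matches H(M1)*H(M2) mod N, not H of a chosen message.
    z12 = sign_hashed(b"100") * sign_hashed(b"20") % N
    return {
        "pure_accepts_random_message": verify_pure(S, R),
        "pure_accepts_product": verify_pure(M1 * M2, y12),
        "hashed_accepts_genuine": verify_hashed(b"100", sign_hashed(b"100")),
        "hashed_accepts_product": verify_hashed(b"2000", z12),
        "hashed_accepts_raw_R": verify_hashed(S.to_bytes(16, "big"), R),
    }
```

Both pure-scheme checks come back True and both forged hash-first checks come back False, which is the point of slide 20: the verifier compares against H(M), so algebraic structure in E_A no longer carries over to messages.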

21 General Structure: Signature Schemes
Generation of private and public keys (randomized). Signing (either deterministic or randomized). Verification (accept/reject), usually deterministic.

22 Schemes Used in Practice
RSA. El-Gamal Signature Scheme (85). The DSS (digital signature standard, adopted by NIST in 94) is based on a modification of El-Gamal signature.

23 El-Gamal Signature Scheme
Generation: Pick a prime p of length 1024 bits such that DL in Z_p* is hard. Let g be a generator of Z_p*. Pick x in [2,p-2] at random. Compute y=g^x mod p. Public key: p,g,y. Private key: x.

24 El-Gamal Signature Scheme
Signing M: Hash: let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g^k mod p. Compute s=(m-rx)k^(-1) mod (p-1) (***). Output r and s.

25 El-Gamal Signature Scheme
Verify M,r,s,PK: Compute m=H(M). Accept if 0<r<p and y^r r^s = g^m mod p, else reject. What’s going on? By (***) s=(m-rx)k^(-1) mod p-1, so sk+rx=m. Now r=g^k so r^s=g^(ks), and y=g^x so y^r=g^(rx), implying y^r r^s = g^m.

26 Homework Assignment 2, part I
Implement via Maple the El Gamal Signature Scheme: Key Generation, Message Signature, Message Verification. What happens if you use the same k twice?
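The scheme of slides 23 to 25 and the consequence of signing twice with the same k, as an added example in Python rather than Maple; it is not part of the original slides. The toy group (p = 2579, g = 2), the key, the nonce and the messages are constructed, and H is SHA-256 reduced mod p-1.

```python
import hashlib
from math import gcd

# Constructed toy group: 2 generates Z_2579^*; slide 23 asks for a 1024-bit p.
P, G = 2579, 2

def H(M: bytes) -> int:
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % (P - 1)

def sign(M: bytes, x: int, k: int):
    assert gcd(k, P - 1) == 1
    r = pow(G, k, P)
    s = (H(M) - r * x) * pow(k, -1, P - 1) % (P - 1)      # (***)
    return r, s

def verify(M: bytes, r: int, s: int, y: int) -> bool:
    return 0 < r < P and pow(y, r, P) * pow(r, s, P) % P == pow(G, H(M), P)

def solve_linear(a: int, b: int, n: int):
    """All z in [0, n) with a*z = b (mod n); there are gcd(a, n) of them, or none."""
    a, b = a % n, b % n
    g = gcd(a, n)
    if b % g:
        return []
    n_g = n // g
    z0 = 0 if n_g == 1 else (b // g) * pow(a // g, -1, n_g) % n_g
    return [z0 + i * n_g for i in range(g)]

def recover_x(M1, sig1, M2, sig2, y):
    """Same k means same r. Then (s1 - s2)*k = m1 - m2 and r*x = m1 - s1*k, both mod p-1."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        return None                                        # different nonces: nothing to solve
    for k in solve_linear(s1 - s2, H(M1) - H(M2), P - 1):
        if pow(G, k, P) != r:
            continue                                       # wrong root of the congruence
        for x in solve_linear(r, H(M1) - s1 * k, P - 1):
            if pow(G, x, P) == y:
                return x
    return None

if __name__ == "__main__":
    x, k = 765, 853                                        # constructed private key and reused nonce
    y = pow(G, x, P)
    a, b = sign(b"pay 20", x, k), sign(b"pay 2000", x, k)
    print(verify(b"pay 20", *a, y), recover_x(b"pay 20", a, b"pay 2000", b, y))  # True 765
```

A repeated r across two signatures from the same key is visible to anyone holding both, so checking stored signatures for duplicate r values is a cheap audit for this failure.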

27 The Digital Signature Algorithm (DSA)
Let p be an L bit prime such that the discrete log problem mod p is intractable. Let q be a 160 bit prime that divides p-1. Let α be a q’th root of 1 modulo p. How do we compute α?

28 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1^(1/q) mod p. Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α^s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part I: (α^k mod p) mod q. Part II: (SHA(M) + s (PART I)) / k mod q.

29 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1^(1/q) mod p. Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α^s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part I: (α^k mod p) mod q. Part II: (SHA(M) + s (PART I)) / k mod q. Verification: e1 = SHA(M) / (PART II) mod q; e2 = (PART I) / (PART II) mod q. OK if

30 The Digital Signature Algorithm
Homework 2 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?

31 Signatures vs. MACs
Suppose parties A and B share the secret key K. Then M, MAC_K(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MAC_K(M) was sent by B, since A could generate it herself.

32 Identification: Model
Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc. Bob may ask the following: Who are you? (prove that you’re Alice) Who the **** is Alice? Eve wishes to impersonate Alice: one-time impersonation; full impersonation (identity theft).

33 Identification Scenarios
Local identification: human authenticator; device. Remote identification: corporate environment (e.g. LAN); e-commerce environment; cable TV/satellite (pay-per-view, subscription verification); remote login or from an internet cafe.

34 Initial Authentication
The problem: how does Alice initially convince anyone that she’s Alice? The solution must often involve a “real-world” type of authentication – id card, driver’s license etc. Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco). Even in scenarios where it is OK for Alice to be whoever she claims she is, we may want to at least make sure Alice is human (implemented, e.g., for new users in Yahoo mail).

35 Closed Environments
The initial authentication problem is fully solved by a trusted party, Carol. Carol can distribute the identification material in a secure fashion, e.g. by hand, or over encrypted and authenticated lines. Example: a corporate environment. Eve’s attack avenue is the Alice-Bob connection. We begin by looking at remote authentication.

36 Fiat-Shamir Scheme
Initialization. Set Up. Basic Construction. Improved Construction. Zero Knowledge. Removing Interaction.

37 Initialization
Bob gets from Carol N=pq but not its factorization. Alice picks m numbers R1,R2,…,Rm in Z_N at random. Alice computes S1 = R1^2 mod N, …, Sm = Rm^2 mod N. Alice gives Bob S1,S2,…,Sm. She keeps R1,R2,…,Rm secret.

38 Set Up
Bob holds S1,S2,…,Sm. Alice keeps R1,R2,…,Rm secret. Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S1,S2,…,Sm. A bad way to convince Bob: send him R1,R2,…,Rm. Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge).

39 Basic Protocol
Let S1 = R1^2 such that Alice holds R1. To convince Bob that Alice knows a square root mod N of S1, Alice picks at random X1 in Z_N, computes Y1 = X1^2 mod N, and sends Y1 to Bob. Alice: “I know both a square root mod N of Y1 (=X1) and a square root mod N of Y1 S1 (=X1 R1). Make a choice which of the two you want me to reveal.” Bob flips a coin; the outcome (heads/tails) determines the challenge he poses to Alice.

40 Basic Protocol (cont.)
If Alice knows both a square root of Y1 (=X1) and a square root of Y1 S1 (=X1 R1) then she knows R1 (a square root of S1). Thus if Alice does not know a square root of S1, Bob will catch her cheating with probability 1/2. In the protocol, Alice will produce Y1,Y2,…,Ym. Bob will flip m coins b1,b2,…,bm as challenges. Bob accepts only if Alice succeeds in all m cases.

41 Basic Protocol
Alice to Bob: Y1,Y2,…,Ym. Bob to Alice (challenge): b1,b2,…,bm, e.g. 1, 0, …, 0. Alice to Bob (m responses): X1R1, X2, …, Xm. Bob accepts iff all m challenges are met.

42 Improved (more efficient) Protocol
Alice to Bob: Y1,Y2,…,Ym. Bob to Alice (challenge): b1,b2,…,bm, e.g. 1, 0, …, 0. Alice to Bob (2 responses): product of XiRi with bi=1; product of Xi with bi=0. Bob accepts iff challenges are met.

43 Correctness of Protocol (Intuition ONLY)
1. A cheating Eve, without knowledge of Ri’s, will be caught with high probability. 2. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns she can simulate on her own). Crucial ingredients: 1. Interaction. 2. Randomness.

44 Final Improvement (Fiat Shamir)
Let H be a secure hash function. Alice to Bob: Y1,Y2,…,Ym. Bob to Alice (challenge): b1b2…bm = H(Y1,Y2,…,Ym), e.g. 1, 0, …, 0. Alice to Bob (2 responses): product of XiRi with bi=1; product of Xi with bi=0. Bob accepts iff challenges are met.

45 Final Improvement: Remove Interaction
Let H be a secure hash function. Alice to Bob: Y1,Y2,…,Ym. Bob to Alice (challenge): b1b2…bm = H(Y1,Y2,…,Ym), e.g. 1, 0, …, 0. Alice to Bob (2 responses): product of XiRi with bi=1; product of Xi with bi=0. Bob accepts iff challenges are met.

46 Correctness of Fiat-Shamir (Intuition ONLY)
A cheating Eve, without knowledge of Ri’s, cannot succeed in producing Y1,Y2,…,Ym that will be hashed to a convenient bit vector b1b2…bm since m is too long and H behaves like a random function (so the chances of hitting a bit vector favourable to Eve are negligible). FS scheme used in practice.
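The non-interactive protocol of slides 37 to 45 with the two-product response, as an added example that is not part of the original slides. The toy modulus, the choice m = 32, the use of the first m bits of SHA-256 as H, and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

N = (2**31 - 1) * (2**61 - 1)   # constructed toy modulus; Carol would issue a large N = pq
M_BITS = 32                     # m: number of secrets and challenge bits

def keygen():
    """Alice's secrets R1..Rm and the public squares S1..Sm held by Bob."""
    R = [secrets.randbelow(N - 2) + 2 for _ in range(M_BITS)]
    return R, [r * r % N for r in R]

def challenge(Y):
    """b1..bm = H(Y1,...,Ym): first m bits of SHA-256 over the commitments."""
    h = hashlib.sha256(b"".join(y.to_bytes(16, "big") for y in Y)).digest()
    return [(h[i // 8] >> (7 - i % 8)) & 1 for i in range(M_BITS)]

def prod(vals):
    out = 1
    for v in vals:
        out = out * v % N
    return out

def prove(R):
    X = [secrets.randbelow(N - 2) + 2 for _ in range(M_BITS)]
    Y = [x * x % N for x in X]
    b = challenge(Y)
    resp1 = prod(x * r for x, r, bi in zip(X, R, b) if bi)       # product of XiRi, bi = 1
    resp0 = prod(x for x, bi in zip(X, b) if not bi)             # product of Xi, bi = 0
    return Y, resp1, resp0

def verify(S, proof):
    Y, resp1, resp0 = proof
    b = challenge(Y)                                             # Bob recomputes the challenge
    ok1 = resp1 * resp1 % N == prod(y * s for y, s, bi in zip(Y, S, b) if bi)
    ok0 = resp0 * resp0 % N == prod(y for y, bi in zip(Y, b) if not bi)
    return ok1 and ok0
```

Bob never sends anything: he squares the two responses and compares them with products of the Yi and Si selected by the recomputed bits, so a prover who lacks the Ri fails unless the hash happens to land on a bit vector chosen in advance.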

