1. Introduction to Modern Cryptography
Homework assignments
Pollards (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors
Pollards ρ algorithm for discrete log

2. Pollards p-1 factoring algorithm
Let B be a smoothness bound
Let Q be the LCM of all prime powers ≤ B
If (p-1) is B-smooth then
and for any a, gcd(a,p)=1,
How many bits in Q?

3. Pollards p-1 factoring algorithm
Thus,

4. Pollards p-1 factoring algorithm
Select a bound B
Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d)
For each prime q ≤ B do
Compute
Return d = gcd(a-1,n)

5. Pollards ρ algorithm for discrete log
Problem with Shank’s Baby step Giant step algorithms: too much memory
Pollards ρ algorithm for discrete log: takes O(1) memory

6. Pollards discrete log ρ algorithm
Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2)
Define x0 = 1
Define

7. Pollards discrete log ρ algorithm

8. Pollards discrete log ρ algorithm

9. Beyond Homework Assignments
Recap of Quadratic sieve factoring algorithm
Index calculus methods for the discrete log problem

10. Using smoothness for factoring
(Repeating what’s been done in class):
Factor n = pq by computing two different square roots modolu n
Compute x2 mod n
If x2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x2 mod n
p1, p2, …, pm – all primes ≤ B

11. Using smoothness for factoring
Solve for the all-zero vector
This gives us

12. Using smoothness for discrete log? The Index Calculus Method
We want to compute logg x mod q
If we knew
logg 2 mod q,
logg 3 mod q,
logg 5 mod q, …,
logg pm mod q
Then we could try to solve for logg x mod q as follows:

13. The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, …

14. Back To Digital Signatures
Summary of Discussion in Class
RSA, El Gamal, Fiat-Shamir, DSS

15. Handwritten Signatures
Relate an individual, through a handwritten signature, to a document.
Signature can be verified against a prior
authenticated one, signed in person.
Should be hard to forge.
Are legally binding (convince a third party, e.g. a judge).

16. Digital Signatures: Desired Properties
Relate an individual, through a digital string, to a document.
Signature should be easy to verify.
Should be hard to forge.
Are legally binding (convince a third party, e.g. a judge).

17. Diffie and Hellman (76) “New Directions in Cryptography”
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.
To sign the message M, Alice computes
the string y=DA (M) and sends M,y to Bob.
To verify this is indeed Alice’s signature, Bob computes the string x = EA (y) and checks x=M.
Intuition: Only Alice can compute y=DA (M), thus forgery should be computationally infeasible.

18. Problems with “Pure” DH Paradigm
Easy to forge signatures of random messages even without holding DA:
Bob picks R arbitrarily, computes S=EA(R).
Then the pair (S,R) is a valid signature
of Alice on the “message” S.
Therefore the scheme is subject to existential forgery.
“So what” ?

19. Problems with “Pure” DH Paradigm
Consider specifically RSA. Being multiplicative, we have (products mod N)
DA (M1M2) = DA (M1) DA (M2).
If M2=“I OWE BOB $20” and M1=“100”
then under certain encoding of letters we
could get M1M2 =“I OWE BOB $2000”…

20. Standard Solution: Hash First
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.
To sign the message M, Alice first computes
the strings y=H(M) and z=DA (y). Sends M,z to Bob.
To verify this is indeed Alice’s signature, Bob computes the string y=EA (z) and checks y=H(M).
The function H should be collision resistent, so
that cannot find another M’ with H(M)=H(M’).

21. General Structure: Signature Schemes
Generation of private and public keys
(randomized).
Signing (either deterministic or randomized)
Verification (accept/reject) - usually deterministic.

22. Schemes Used in Practice
RSA
El-Gamal Signature Scheme (85)
The DSS (digital signature standard,
adopted by NIST in 94 is based on
a modification of El-Gamal signature.

23. El-Gamal Signature Scheme
Generation
Pick a prime p of length 1024 bits such that DL in Zp* is hard.
Let g be a generator of Zp*.
Pick x in [2,p-2] at random.
Compute y=gx mod p.
Public key: p,g,y.
Private key: x.

24. El-Gamal Signature Scheme
Signing M
Hash: Let m=H(M).
Pick k in [1,p-2] relatively prime to
p-1 at random.
Compute r=gk mod p.
Compute s=(m-rx)k-1 mod (p-1) (***)
Output r and s.

25. El-Gamal Signature Scheme
Verify M,r,s,PK
Compute m=H(M).
Accept if 0<r<p and yrrs=gm mod p.
else reject.
What’s going on?
By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .

26. Homework Assignment 2, part I
Implement via Maple the El Gamal Signature Scheme:
Key Generation
Message Signature
Message Verification
What happens if you use the same k twice?

27. The Digital Signature Algorithm (DSA)
Let p be an L bit prime such that the discrete log problem mod p is intractable
Let q be a 160 bit prime that divides p-1
Let α be a q’th root of 1 modulo p.
How do we compute α?

28. The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p
Private key: random 1 ≤ s ≤ q-1.
Public key: (p, q, α, β = αs mod p)
Signature on message M:
Choose a random 1 ≤ k ≤ p-1, secret!!
Part II: (SHA (M) + s (PART I)) / k mod q
Part I: ((αk mod p) mod q

29. The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M:
Choose a random 1 ≤ k ≤ p-1, secret!!
Part I: ((αk mod p) mod q
Part II: (SHA (M) + s (PART I)) /k mod q
Verification:
e1 = SHA (M) / (PART II) mod q
e2 = (PART I) / (PART II) mod q
OK if

30. The Digital Signature Algorithm
Homework 2 part II:
Prove that if the signature is generated correctly then the
verification works correctly.
What happens if PART II of the signature is 0?

31. Signatures vs. MACs Suppose parties A and B share the secret
key K. Then M, MACK(M) convinces A that
indeed M originated with B. But in case of
dispute A cannot convince a judge that
M, MACK (M) was sent by B, since A could
generate it herself.

32. Identification: Model
Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc.
Bob may ask the following:
Who are you? (prove that you’re Alice)
Who the **** is Alice?
Eve wishes to impersonate Alice:
One time impersonation
Full impersonation (identity theft)

33. Identification Scenarios
Local identification
Human authenticator
Device
Remote identification
Corporate environment (e.g. LAN)
E-commerce environment
Cable TV/Satellite: Pay-per-view;
subscription verification
Remote login or from an internet cafe.

34. Initial Authentication
The problem: how does Alice initially convince anyone that she’s Alice?
The solution must often involve a “real-world” type of authentication – id card, driver’s license etc.
Errors due to the human factor are numerous
(example – the Microsoft-Verisign fiasco).
Even in scenarios where OK for Alice to be whoever she claims she is, may want to at least make sure Alice is human (implemented, e.g. for new users in Yahoo mail ).

35. Closed Environments
The initial authentication problem is fully solved by a trusted party, Carol
Carol can distribute the identification material in a secure fashion, e.g by hand, or over encrypted and authenticated lines
Example – a corporate environment
Eve’s attack avenue is the Alice-Bob connection
We begin by looking at remote authentication

36. Fiat-Shamir Scheme Initialization Set Up Basic Construction
Improved Construction
Zero Knowledge
Removing Interaction

37. Initialization Bob gets from Carol N=pq but not its factorization.
Alice picks m numbers R1,R2,…,Rm in ZN at random.
Alice computes S1= R12 mod N , …, Sm= Rm2 mod N .
Alice gives Bob S1,S2,…,Sm .
She keeps R1,R2,…,Rm secret .

38. Set Up Bob holds S1,S2,…,Sm . She keeps R1,R2,…,Rm secret .
Who is Alice? Anyone that convinces Bob she can
produce square roots mod N of S1,S2,…,Sm .
A bad way to convince Bob: Send him R1,R2,…,Rm .
Instead, we seek a method that will give Bob (and
Eve) nothing more than being convinced Alice can
produce these square roots (zero knowledge).

39. Basic Protocol Let S1= R12 such that Alice holds R1 .
To convince Bob that Alice knows a square root
mod N of S1 , Alice picks at random X1 in ZN ,
computes Y1= X12 mod N, and sends Y1 to Bob.
Alice: “I know both a square root mod N of Y1 (=X1)
and a square root mod N of Y1 S1 (=X1 R1).
Make a choice which of the two you want
me to reveal.’’
Bob flips a coin, outcome (heads/tails) determines
the challenge he poses to Alice.

40. Basic Protocol (cont.) If Alice knows both a square root of Y1 (=X1)
and a square root of Y1 S1 (=X1 R1) then she knows
R1 (a square root of S1 ).
Thus if Alice does not know a square root of S1 ,
Bob will catch her cheating with probability 1/2.
In the protocol, Alice will produce Y1,Y2,…,Ym .
Bob will flip m coins b1,b2,…,bm as challenges.
Bob accept only if Alice succeeds in all m cases.

41. Bob accepts iff all m challenges are met.
Basic Protocol
Alice to Bob
Y1,Y2,…,Ym
Bob to Alice
(challenge)
b1,b2,…,bm
1, 0, …, 0
Alice to Bob
(m response)
X1S1,X2, …,Xm
Bob accepts iff all m challenges are met.

42. Product of XiRi with bi=1
Improved (more efficient) Protocol
Alice to Bob
Y1,Y2,…,Ym
Bob to Alice
(challenge)
b1,b2,…,bm
1, 0, …, 0
Alice to Bob
(2 response)
Product of XiRi with bi=1
Product of Xi with bi=0
Bob accepts iff challenges are met.

43. Correctness of Protocol (Intuition ONLY)
A cheating Eve, without knowledge of Ri’s,
will be caught with high probability.
2. Zero Knowledge:
By eavesdropping, Eve learns nothing
(all she learns she can simulate on her own).
Crucial ingredients:
1. Interaction.
2. Randomness.

44. Final Improvement (Fiat Shamir)
Alice to Bob
Let H be a secure
hash function
Y1,Y2,…,Ym
b1b2…bm=
H(Y1,Y2 ,…,Ym)
1, 0, …, 0
Bob to Alice
(challenge)
Alice to Bob
(2 response)
Product of XiRi, bi=1
Product of Xi, bi=0
Bob accepts iff challenges are met.

45. Final Improvement: Remove Interaction
Alice to Bob
Let H be secure
hash function
Y1,Y2,…,Ym
b1b2…bm=
H(Y1,Y2 ,…,Ym)
1, 0, …, 0
Bob to Alice
(challenge)
Alice to Bob
(2 response)
Product of XiRi, bi=1
Product of Xi, bi=0
Bob accepts iff challenges are met.

46. Correctness of Fiat-Shamir (Intuition ONLY)
A cheating Eve, without knowledge of Ri’s,
cannot succeed in producing Y1,Y2,…,Ym
that will be hashed to a convenient bit vector
b1b2…bm since m is too long and H behaves
like a random function (so the chances of
hitting a bit vector favourable to Eve are
negligible).
FS scheme used in practice.