Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography

Similar presentations


Presentation on theme: "Introduction to Modern Cryptography"— Presentation transcript:

1 Introduction to Modern Cryptography
Homework assignments

2 Pollards p-1 factoring algorithm
Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

3 Pollards p-1 factoring algorithm
Thus,

4 Pollards p-1 factoring algorithm
Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do Compute Return d = gcd(a-1,n)

5 Pollards ρ algorithm for discrete log
Problem with Shank’s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory

6 Pollards discrete log ρ algorithm
Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2) Define x0 = 1 Define

7 Pollards discrete log ρ algorithm

8 Pollards discrete log ρ algorithm

9 Beyond Homework Assignments
Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

10 Using smoothness for factoring
(Repeating what’s been done in class): Factor n = pq by computing two different square roots modolu n Compute x2 mod n If x2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x2 mod n p1, p2, …, pm – all primes ≤ B

11 Using smoothness for factoring
Solve for the all-zero vector This gives us

12 Using smoothness for discrete log? The Index Calculus Method
We want to compute logg x mod q If we knew logg 2 mod q, logg 3 mod q, logg 5 mod q, …, logg pm mod q Then we could try to solve for logg x mod q as follows:

13 The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, …

14 Back To Digital Signatures
Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

15 Handwritten Signatures
Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

16 Digital Signatures: Desired Properties
Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

17 Diffie and Hellman (76) “New Directions in Cryptography”
Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. To sign the message M, Alice computes the string y=DA (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = EA (y) and checks x=M. Intuition: Only Alice can compute y=DA (M), thus forgery should be computationally infeasible.

18 Problems with “Pure” DH Paradigm
Easy to forge signatures of random messages even without holding DA: Bob picks R arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?

19 Problems with “Pure” DH Paradigm
Consider specifically RSA. Being multiplicative, we have (products mod N) DA (M1M2) = DA (M1) DA (M2). If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…

20 Standard Solution: Hash First
Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=DA (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=EA (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).

21 General Structure: Signature Schemes
Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.

22 Schemes Used in Practice
RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.

23 El-Gamal Signature Scheme
Generation Pick a prime p of length 1024 bits such that DL in Zp* is hard. Let g be a generator of Zp*. Pick x in [2,p-2] at random. Compute y=gx mod p. Public key: p,g,y. Private key: x.

24 El-Gamal Signature Scheme
Signing M Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=gk mod p. Compute s=(m-rx)k-1 mod (p-1) (***) Output r and s.

25 El-Gamal Signature Scheme
Verify M,r,s,PK Compute m=H(M). Accept if 0<r<p and yrrs=gm mod p. else reject. What’s going on? By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .

26 Homework Assignment 3, part I
Implement via Maple the El Gamal Signature Scheme: Key Generation Message Signature Message Verification What happens if you use the same k twice?

27 Comments on Homework assignment
Takes too long to find primes Idea: shorten the process by removing clear non-primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.

28 The Digital Signature Algorithm (DSA)
Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

29 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p) Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((αk mod p) mod q

30 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part I: ((αk mod p) mod q Part II: (SHA (M) + s (PART I)) /k mod q Verification: e1 = SHA (M) / (PART II) mod q e2 = (PART I) / (PART II) mod q OK if

31 The Digital Signature Algorithm
Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?


Download ppt "Introduction to Modern Cryptography"

Similar presentations


Ads by Google