Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography

Published byKurt Andresen Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Modern Cryptography"— Presentation transcript:

1 Introduction to Modern Cryptography
Homework assignments

2 Pollards p-1 factoring algorithm
Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

3 Pollards p-1 factoring algorithm
Thus,

4 Pollards p-1 factoring algorithm
Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do Compute Return d = gcd(a-1,n)

5 Pollards ρ algorithm for discrete log
Problem with Shank’s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory

6 Pollards discrete log ρ algorithm
Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2) Define x0 = 1 Define

7 Pollards discrete log ρ algorithm

8 Pollards discrete log ρ algorithm

9 Beyond Homework Assignments
Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

10 Using smoothness for factoring
(Repeating what’s been done in class): Factor n = pq by computing two different square roots modolu n Compute x2 mod n If x2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x2 mod n p1, p2, …, pm – all primes ≤ B

11 Using smoothness for factoring
Solve for the all-zero vector This gives us

12 Using smoothness for discrete log? The Index Calculus Method
We want to compute logg x mod q If we knew logg 2 mod q, logg 3 mod q, logg 5 mod q, …, logg pm mod q Then we could try to solve for logg x mod q as follows:

13 The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, …

14 Back To Digital Signatures
Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

15 Handwritten Signatures
Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

16 Digital Signatures: Desired Properties
Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

17 Diffie and Hellman (76) “New Directions in Cryptography”
Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. To sign the message M, Alice computes the string y=DA (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = EA (y) and checks x=M. Intuition: Only Alice can compute y=DA (M), thus forgery should be computationally infeasible.

18 Problems with “Pure” DH Paradigm
Easy to forge signatures of random messages even without holding DA: Bob picks R arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?

19 Problems with “Pure” DH Paradigm
Consider specifically RSA. Being multiplicative, we have (products mod N) DA (M1M2) = DA (M1) DA (M2). If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…

20 Standard Solution: Hash First
Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=DA (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=EA (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).

21 General Structure: Signature Schemes
Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.

22 Schemes Used in Practice
RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.

23 El-Gamal Signature Scheme
Generation Pick a prime p of length 1024 bits such that DL in Zp* is hard. Let g be a generator of Zp*. Pick x in [2,p-2] at random. Compute y=gx mod p. Public key: p,g,y. Private key: x.

24 El-Gamal Signature Scheme
Signing M Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=gk mod p. Compute s=(m-rx)k-1 mod (p-1) (***) Output r and s.

25 El-Gamal Signature Scheme
Verify M,r,s,PK Compute m=H(M). Accept if 0<r<p and yrrs=gm mod p. else reject. What’s going on? By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm .

26 Homework Assignment 3, part I
Implement via Maple the El Gamal Signature Scheme: Key Generation Message Signature Message Verification What happens if you use the same k twice?

27 Comments on Homework assignment
Takes too long to find primes Idea: shorten the process by removing clear non-primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.

28 The Digital Signature Algorithm (DSA)
Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

29 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p) Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((αk mod p) mod q

30 The Digital Signature Algorithm (DSA)
p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! Part I: ((αk mod p) mod q Part II: (SHA (M) + s (PART I)) /k mod q Verification: e1 = SHA (M) / (PART II) mod q e2 = (PART I) / (PART II) mod q OK if

31 The Digital Signature Algorithm
Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?

Download ppt "Introduction to Modern Cryptography"

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,

Public Key Cryptography RSA Diffie Hellman Key Management Based on slides by Dr. Lawrie Brown of the Australian Defence Force Academy, University College,
Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.

Computer Science CSC 474Dr. Peng Ning1 CSC 474 Information Systems Security Topic 2.5 Public Key Algorithms.
CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.

CSE 597E Fall 2001 PennState University1 Digital Signature Schemes Presented By: Munaiza Matin.
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13

Similar presentations

Ads by Google