Cryptology Design Fundamentals


1 Cryptology Design Fundamentals
Fundamentals of Cryptographic System Design
Module ID: ET-IDA-048, v26
Prof. W. Adi
Tutorial-12: Cryptographic Identification

2 Problem 11-1:
Set up the Fiat-Shamir Proof of Identity Protocol over Z33. User A has the secret key a = 7.
- User A generated 3 random numbers: 22, 27, 32. Which one of these numbers is a unit? Use it as r for user A's first challenge and compute S.
- How many possible units can be selected in this system setup?
- The verifier responded with the challenge b = 1. Compute user A's response t.
- Execute the verifier computations to check the response of A.
- If user A used the same random number again and the verifier challenged this time with b = 0, how can you attack user A's identity?

Solution:
1. As gcd(33, 22) = 11, 22 is not invertible. As gcd(33, 27) = 3, 27 is not invertible. As gcd(33, 32) = 1, 32 is invertible, that is, it is a unit.
2. The number of units is $\varphi(33) = (11-1)(3-1) = 20$.
3. and 4. See the protocol sketch below.
5. For b = 0 and the same random r, the new response is $t_2 = r$, whereas the first response was $t_1 = r \cdot x_a$. Solving for $x_a$ from these two equations yields $x_a = t_1 / t_2 = t_1 \cdot t_2^{-1} = 26 \times 32 = 7$.

3 Solution 11.1 : Fiat-Shamir Proof-of-Identity Protocol (1986)
A zero-knowledge proof protocol!
$m = p_1 p_2 = 33$; $p_1$ and $p_2$ are secrets which nobody should know. Security relies on the factoring problem!
Public directory: m is an RSA-type modulus; $x_a$ = secret key of A = 7; $y_a = x_a^2 = 16$ in Z33 (mod m).
Prover A: chooses a unit r = 32 in Z33 and computes $S = r^2 = 32^2 = 1$.
Prover A to Verifier: (I am user A, S)
Verifier: randomly chooses b, b = 1 or 0. Here b = 1.
Prover A to Verifier: $t = r \cdot x_a^b = 32 \times 7^b = -7 = 26$ ($t_1 = 26$ for b = 1, $t_2 = 32$ for b = 0).
Verifier: if $t^2 = S \cdot y_a^b$, that is $26^2 = 1 \times 16^1$, $16 = 16$, then A is authentic (A knows $x_a$).
Probability of a successful attack after k trials = $2^{-k}$.
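The round above and the reason a commitment r must never be answered twice, as an added Python example (not part of the original slides). The function names are chosen for this example; the numbers are the ones from Problem 11-1.

```python
from math import gcd

M = 33                 # public modulus m = p1 * p2 from the slide
XA = 7                 # user A's secret key
YA = XA * XA % M       # public key y_a = x_a^2 mod m

def units(m):
    """All invertible elements of Z_m."""
    return [u for u in range(1, m) if gcd(u, m) == 1]

def commit(r):
    """Prover: S = r^2 mod m; r must be a unit."""
    if gcd(r, M) != 1:
        raise ValueError(f"{r} is not a unit in Z_{M}")
    return r * r % M

def respond(r, b):
    """Prover: t = r * x_a^b mod m for challenge bit b."""
    return r * pow(XA, b, M) % M

def verify(S, b, t):
    """Verifier: accept iff t^2 == S * y_a^b (mod m)."""
    return t * t % M == S * pow(YA, b, M) % M

def recover_secret(t_b1, t_b0):
    """Same r answered for b=1 (r*x_a) and b=0 (r): the quotient is x_a."""
    return t_b1 * pow(t_b0, -1, M) % M

def run_round(r, b):
    """One full round; returns (S, t, accepted)."""
    S = commit(r)
    t = respond(r, b)
    return S, t, verify(S, b, t)

if __name__ == "__main__":
    print("units among 22, 27, 32:", [c for c in (22, 27, 32) if c in units(M)])
    print("number of units:", len(units(M)))
    print("round with r=32, b=1:", run_round(32, 1))
    print("round with r=32, b=0:", run_round(32, 0))
    print("x_a recovered from reused r:", recover_secret(26, 32))
```

A prover implementation should draw a fresh r for every round and discard it once the response is sent.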

4 Problem 11-2:
Set up the Omura Proof of Identity Protocol over GF($2^4$). Use the generator polynomial $P(x) = x^4 + x^3 + x^2 + x + 1$.
- Compute all powers of x up to 10.
- Select a primitive element α from the following list: 0010, 0011, and compute the order of the selected one.
- How many primitive elements do we have over GF($2^4$)?
- State three other primitive elements.
- If the verifier selects K = 6, compute the verifier's challenge R.
- Compute user A's response if the secret key of A is 7.
- Verify user A's response.

Solution 11-2:
$P(x) = x^4 + x^3 + x^2 + x + 1 = 0$, so $x^4 = x^3 + x^2 + x + 1$. The powers of x are:
$x = x$
$x^2 = x^2$
$x^3 = x^3$
$x^4 = x^3 + x^2 + x + 1$
$x^5 = x^4 + x^3 + x^2 + x = (x^3 + x^2 + x + 1) + x^3 + x^2 + x = 1$, so the order of x is 5
$x^6 = x$, $x^7 = x^2$, $x^8 = x^3$, $x^9 = x^4$, $x^{10} = x^0 = 1$

The orders of elements are the divisors of $2^4 - 1 = 15$, that is 1, 3, 5, 15.
Order of 0010 = x is 5, so the element is not primitive.
Order of 0011 = 1 + x:
$(1+x)^3 = (1+x^2)(1+x) = 1 + x^2 + x + x^3 \neq 1$
$(1+x)^5 = (1+x)^3 (1+x)^2 = (1 + x^2 + x + x^3)(1 + x^2) = 1 + x^2 + x + x^3 + x^2 + x^4 + x^3 + x^5 = 1 + x^2 + x^3 \neq 1$
Thus the order of (1+x) is 15 and it is primitive.

5 Omura Proof-of-Identity Protocol
Solution cont.:
2. The number of primitive elements is $\varphi(15) = (3-1)(5-1) = 8$.
3. As (1+x) is primitive, $(1+x)^i$ is also primitive iff gcd(15, i) = 1; therefore $(1+x)^2$, $(1+x)^4$, $(1+x)^7$ are all primitive elements.
4. See the sketch below:
$\alpha^6 = (1+x)^6 = (1+x)^5 (1+x) = (1 + x^2 + x^3)(1 + x) = 1 + x^2 + x^3 + x + x^3 + x^4 = 1 + x + x^2 + 1 + x + x^2 + x^3 = x^3$

Public directory: α = (1 + x) is a primitive element in GF($2^4$), $P(x) = x^4 + x^3 + x^2 + x + 1$, $y_a$ = 0111 = public key of A.
$y_a = \alpha^{x_a} = (1+x)^7 = (1+x)^5 (1+x)^2 = (1 + x^2 + x^3)(1 + x^2) = 1 + x^2 + x^3 + x^2 + x^4 + x^5 = 1 + x^3 + (x^3 + x^2 + x + 1) + 1 = 1 + x + x^2$

Verifier: randomly chooses k = 6 and computes $R = \alpha^6 = 1000 = x^3$.
Verifier to Prover A: "Who are you?", $R = x^3$
Prover A (holds $x_a$): receives $R = 1000 = x^3$ and computes $R^{x_a} = (x^3)^7 = x^{21 \bmod 5} = x$.
Prover A to Verifier: "I am user A", $R^{x_a} = x$
Verifier: checks $R^{x_a} = y_a^k$, that is $x = (1 + x + x^2)^6 = x$ => user is authentic.
$(1 + x + x^2)^6 = (1 + x + x^2)^4 (1 + x + x^2)^2 = (1 + x^4 + x^8)(1 + x^2 + x^4) = 1 + x^4 + x^8 + x^2 + x^6 + x^{10} + x^4 + x^8 + x^{12} = 1 + x^2 + x^6 + x^{10} + x^{12} = 1 + x^2 + x + 1 + x^2 = x$
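The field arithmetic of Solution 11-2 and the Omura exchange, as an added Python example (not part of the original slides). Elements are 4-bit integers in the slides' notation (0010 = x, 0011 = 1 + x); the function names are chosen for this example.

```python
P = 0b11111            # P(x) = x^4 + x^3 + x^2 + x + 1

def gf_mul(a, b):
    """Multiply two elements of GF(2^4) modulo P(x)."""
    result = 0
    while b:
        if b & 1:
            result ^= a          # addition in GF(2) is XOR
        b >>= 1
        a <<= 1                  # multiply a by x
        if a & 0b10000:          # degree 4 reached: reduce with P(x)
            a ^= P
    return result

def gf_pow(a, e):
    """Square-and-multiply exponentiation in GF(2^4)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result

def order(a):
    """Multiplicative order of a nonzero element."""
    n, t = 1, a
    while t != 1:
        t = gf_mul(t, a)
        n += 1
    return n

def primitive_elements():
    """All elements of order 15."""
    return [a for a in range(1, 16) if order(a) == 15]

def omura_round(alpha, xa, k):
    """Returns (y_a, R, response, accepted) for secret xa and verifier nonce k."""
    ya = gf_pow(alpha, xa)           # public key in the directory
    R = gf_pow(alpha, k)             # verifier's challenge
    response = gf_pow(R, xa)         # prover's answer R^xa
    return ya, R, response, response == gf_pow(ya, k)

if __name__ == "__main__":
    print("powers of x:", [format(gf_pow(0b0010, i), "04b") for i in range(1, 11)])
    print("order(0010), order(0011):", order(0b0010), order(0b0011))
    print("primitive elements:", [format(a, "04b") for a in primitive_elements()])
    print("round:", [format(v, "04b") if i < 3 else v
                     for i, v in enumerate(omura_round(0b0011, 7, 6))])
```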

6 Problem 11-3: (Schnorr’s Identification/signature Scheme)
Set up Schnorr's Identification/Signature Scheme over GF(139). User A has the secret key $X_A = 18$.
1. Compute q, the order of the element $\alpha = 2^6$ in GF(139). Is q suitable for Schnorr's Identification/Signature Scheme?
2. Compute the public key of A.
3. Compute r for a random value k = 15.
4. Compute the hash value H(M|r) for a message M = 37 by using the following hash function:
5. Prover A signs a hash value H(M|r) for a message M = 37.
6. The verifier checks A's signature.

7 Schnorr’s Identification/signature Scheme
Open directory (as DH public directory): GF(p); element α has order q such that q is prime and divides p - 1; $Y_A$ is the public key of A, having secret key $x_A < q$.
User A signs a hash value H(M|r) for a message M:
Prover A, verifier
Similarity to ElGamal signature
- A proves that he knows $x_A$
- A good and strong hash function is required

8 Solution 11-3:
1. The possible orders of units in GF(139) are the divisors of φ(139) = 138, that is 1, 2, 3, 6, 23, 46, 69 and 138.
Order of 2: $2^1 = 2 \neq 1$, $2^2 = 4 \neq 1$, $2^3 = 8 \neq 1$, $2^6 = 64 \neq 1$, $2^{23} = 97 \neq 1$, $2^{46} = 96 \neq 1$, $2^{69} = 96 \cdot 97 = 138 \neq 1$ => the order of 2 is 138.
Order of $2^6 = 64$: $\mathrm{ord}(2^k) = \mathrm{ord}(2) / \gcd(k, \mathrm{ord}(2))$, so $\mathrm{ord}(64) = \mathrm{ord}(2^6) = \mathrm{ord}(2) / \gcd(6, \mathrm{ord}(2)) = 138 / \gcd(6, 138) = 138 / 6 = 23$.
2. The public key of A: $Y_A = 64^{18} \bmod 139 = 34$.
3. For k = 15: $r = 64^{15} \bmod 139 = 80$.
4. For M = 37: $H(M|r) = (3780)^3 \bmod 83 = 74$.

9 5. Prover A signs a hash value H(M|r).
Public directory: GF(139), $\alpha = 2^6 = 64$, $Y_A = 34$.
Prover A: $(15 - 18 \times 74) \bmod 23 = 17$
6. The verifier verifies A's signature:
$(64^{17} \times 34^{74}) \bmod 139 = 80$
$(3780)^3 \bmod 83 = 74 = m$
Then A is authentic.
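Solution 11-3 end to end, as an added Python example (not part of the original slides). The hash formula is not shown on the page; `toy_hash` is an assumption inferred from the solution's numbers (decimal concatenation of M and r, cubed mod 83), and the names e and s for the hash value and the signature value are chosen for this example.

```python
P_MOD = 139            # field GF(139)
ALPHA = 2 ** 6         # alpha = 64
Q = 23                 # order of alpha, a prime dividing p - 1 = 138
XA = 18                # A's secret key

def order(g, p):
    """Multiplicative order of g modulo the prime p."""
    n, t = 1, g % p
    while t != 1:
        t = t * g % p
        n += 1
    return n

def toy_hash(m, r):
    """Assumed tutorial hash: (M concatenated with r)^3 mod 83. Not secure."""
    return int(f"{m}{r}") ** 3 % 83

def public_key():
    """Y_A = alpha^XA mod p."""
    return pow(ALPHA, XA, P_MOD)

def sign(m, k):
    """Returns (r, e, s) with r = alpha^k, e = H(M|r), s = (k - XA*e) mod q."""
    r = pow(ALPHA, k, P_MOD)
    e = toy_hash(m, r)
    s = (k - XA * e) % Q
    return r, e, s

def verify(m, e, s, ya):
    """Recompute r' = alpha^s * Y_A^e mod p and accept iff H(M|r') == e."""
    r_check = pow(ALPHA, s, P_MOD) * pow(ya, e, P_MOD) % P_MOD
    return toy_hash(m, r_check) == e

if __name__ == "__main__":
    print("ord(2), ord(64):", order(2, P_MOD), order(ALPHA, P_MOD))
    ya = public_key()
    r, e, s = sign(37, 15)
    print("Y_A, r, e, s:", ya, r, e, s)
    print("signature on M=37 accepted:", verify(37, e, s, ya))
    print("same signature on M=38 accepted:", verify(38, e, s, ya))
```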

