Download presentation
Presentation is loading. Please wait.
1
Introduction to Modern Cryptography Homework assignments
2
Pollards p-1 factoring algorithm Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?
3
Pollards p-1 factoring algorithm Thus,
4
Pollards p-1 factoring algorithm Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do –Compute Return d = gcd(a-1,n)
5
Pollards ρ algorithm for discrete log Problem with Shank ’ s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory
6
Pollards discrete log ρ algorithm Define sets S 1, S 2, S 3 (e.g., divisible by 3, 1 not in S 2 ) Define x 0 = 1 Define
7
Pollards discrete log ρ algorithm
9
Beyond Homework Assignments Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem
10
Using smoothness for factoring (Repeating what ’ s been done in class): Factor n = pq by computing two different square roots modolu n Compute x 2 mod n If x 2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of p j that divides x 2 mod n p 1, p 2, …, p m – all primes ≤ B
11
Using smoothness for factoring Solve for the all-zero vector This gives us
12
Using smoothness for discrete log? The Index Calculus Method We want to compute log g x mod q If we knew –log g 2 mod q, –log g 3 mod q, –log g 5 mod q, …, –log g p m mod q Then we could try to solve for log g x mod q as follows:
13
The problem: compute log g 2 mod q, log g 3 mod q, log g 5 mod q, …
14
Back To Digital Signatures Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS
15
Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
16
Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
17
Diffie and Hellman (76) “New Directions in Cryptography” Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice computes the string y=D A (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = E A (y) and checks x=M. Intuition: Only Alice can compute y=D A (M), thus forgery should be computationally infeasible.
18
Problems with “Pure” DH Paradigm Easy to forge signatures of random messages even without holding D A : Bob picks R arbitrarily, computes S=E A (R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?
19
Problems with “Pure” DH Paradigm Consider specifically RSA. Being multiplicative, we have (products mod N) D A (M 1 M 2 ) = D A (M 1 ) D A (M 2 ). If M 2 =“I OWE BOB $20” and M 1 =“100” then under certain encoding of letters we could get M 1 M 2 =“I OWE BOB $2000”…
20
Standard Solution: Hash First Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=D A (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=E A (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).
21
General Structure: Signature Schemes Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.
22
Schemes Used in Practice RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.
23
El-Gamal Signature Scheme Pick a prime p of length 1024 bits such that DL in Z p * is hard. Let g be a generator of Z p *. Pick x in [2,p-2] at random. Compute y=g x mod p. Public key: p,g,y. Private key: x. Generation
24
El-Gamal Signature Scheme Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g k mod p. Compute s=(m-rx)k -1 mod (p-1) (***) Output r and s. Signing M
25
El-Gamal Signature Scheme Compute m=H(M). Accept if 0<r<p and y r r s =g m mod p. else reject. What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks, and y=g x so y r =g rx, implying y r r s =g m. Verify M,r,s,PK
26
Homework Assignment 3, part I Implement via Maple the El Gamal Signature Scheme: –Key Generation –Message Signature –Message Verification What happens if you use the same k twice?
27
Comments on Homework assignment Takes too long to find primes Idea: shorten the process by removing clear non- primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.
28
The Digital Signature Algorithm (DSA) Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?
29
The Digital Signature Algorithm (DSA) p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p) Signature on message M: –Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((α k mod p) mod q
30
The Digital Signature Algorithm (DSA) –p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! –Part I: ((α k mod p) mod q –Part II: (SHA (M) + s (PART I)) /k mod q Verification: –e 1 = SHA (M) / (PART II) mod q –e 2 = (PART I) / (PART II) mod q –OK if
31
The Digital Signature Algorithm Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.