Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography Homework assignments.

Similar presentations


Presentation on theme: "Introduction to Modern Cryptography Homework assignments."— Presentation transcript:

1 Introduction to Modern Cryptography Homework assignments

2 Pollards p-1 factoring algorithm Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

3 Pollards p-1 factoring algorithm Thus,

4 Pollards p-1 factoring algorithm Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do –Compute Return d = gcd(a-1,n)

5 Pollards ρ algorithm for discrete log Problem with Shank ’ s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory

6 Pollards discrete log ρ algorithm Define sets S 1, S 2, S 3 (e.g., divisible by 3, 1 not in S 2 ) Define x 0 = 1 Define

7 Pollards discrete log ρ algorithm

8

9 Beyond Homework Assignments Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

10 Using smoothness for factoring (Repeating what ’ s been done in class): Factor n = pq by computing two different square roots modolu n Compute x 2 mod n If x 2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of p j that divides x 2 mod n p 1, p 2, …, p m – all primes ≤ B

11 Using smoothness for factoring Solve for the all-zero vector This gives us

12 Using smoothness for discrete log? The Index Calculus Method We want to compute log g x mod q If we knew –log g 2 mod q, –log g 3 mod q, –log g 5 mod q, …, –log g p m mod q Then we could try to solve for log g x mod q as follows:

13 The problem: compute log g 2 mod q, log g 3 mod q, log g 5 mod q, …

14 Back To Digital Signatures Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

15 Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

16 Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

17 Diffie and Hellman (76) “New Directions in Cryptography” Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice computes the string y=D A (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = E A (y) and checks x=M. Intuition: Only Alice can compute y=D A (M), thus forgery should be computationally infeasible.

18 Problems with “Pure” DH Paradigm Easy to forge signatures of random messages even without holding D A : Bob picks R arbitrarily, computes S=E A (R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?

19 Problems with “Pure” DH Paradigm Consider specifically RSA. Being multiplicative, we have (products mod N) D A (M 1 M 2 ) = D A (M 1 ) D A (M 2 ). If M 2 =“I OWE BOB $20” and M 1 =“100” then under certain encoding of letters we could get M 1 M 2 =“I OWE BOB $2000”…

20 Standard Solution: Hash First Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=D A (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=E A (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).

21 General Structure: Signature Schemes Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.

22 Schemes Used in Practice RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.

23 El-Gamal Signature Scheme Pick a prime p of length 1024 bits such that DL in Z p * is hard. Let g be a generator of Z p *. Pick x in [2,p-2] at random. Compute y=g x mod p. Public key: p,g,y. Private key: x. Generation

24 El-Gamal Signature Scheme Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g k mod p. Compute s=(m-rx)k -1 mod (p-1) (***) Output r and s. Signing M

25 El-Gamal Signature Scheme Compute m=H(M). Accept if 0<r<p and y r r s =g m mod p. else reject. What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks, and y=g x so y r =g rx, implying y r r s =g m. Verify M,r,s,PK

26 Homework Assignment 3, part I Implement via Maple the El Gamal Signature Scheme: –Key Generation –Message Signature –Message Verification What happens if you use the same k twice?

27 Comments on Homework assignment Takes too long to find primes Idea: shorten the process by removing clear non- primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.

28 The Digital Signature Algorithm (DSA) Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

29 The Digital Signature Algorithm (DSA) p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p) Signature on message M: –Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((α k mod p) mod q

30 The Digital Signature Algorithm (DSA) –p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! –Part I: ((α k mod p) mod q –Part II: (SHA (M) + s (PART I)) /k mod q Verification: –e 1 = SHA (M) / (PART II) mod q –e 2 = (PART I) / (PART II) mod q –OK if

31 The Digital Signature Algorithm Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?


Download ppt "Introduction to Modern Cryptography Homework assignments."

Similar presentations


Ads by Google