Introduction to Modern Cryptography Homework assignments • Pollards (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors • Pollards ρ algorithm for discrete log Pollards p-1 factoring algorithm • Let B be a smoothness bound • Let Q be the LCM of all prime powers ≤B Q ln n / ln q q q B How many bits in Q? • If (p-1) is B-smooth then ( p 1) Q and for any a, gcd(a,p)=1, a 1 (mod p) Q Pollards p-1 factoring algorithm Q q ln n / ln q a 1 (mod p) Q q B Thus, d gcd(a 1, n) p d Q Pollards p-1 factoring algorithm • Select a bound B • Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) • For each prime q ≤ B do – Compute ln n / ln q a a (mod n) q • Return d = gcd(a-1,n) Pollards ρ algorithm for discrete log • Problem with Shank’s Baby step Giant step algorithms: too much memory • Pollards ρ algorithm for discrete log: takes O(1) memory Pollards discrete log ρ algorithm log (mod p) • Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2) • Define x0 = 1 • Define xi (mod p ) if xi S1 2 xi 1 xi (mod p ) if xi S 2 x (mod p ) if x S i i 3 Pollards discrete log ρ algorithm log (mod p), a0 0, b0 0 ai if xi S1 xi (mod p ) if xi S1 2 ai 1 2ai (mod p 1) if xi S 2 2 xi 1 xi (mod p ) if xi S 2 a 1 (mod p 1) if x S i i 3 x (mod p ) if x S i i 3 bi 1 (mod p ) if xi S1 2 bi 1 2bi (mod p ) if xi S 2 if xi S3 bi Pollards discrete log ρ algorithm log (mod p), a0 0, b0 0 xi if xi S1 2 xi 1 xi if xi S 2 x if x S i i 3 xi x2i (mod p ) (mod p) ai bi a2 i b2 i ai log bi a2i log b2i (mod p 1) log (b2i bi ) /( a2i ai ) (mod p 1) Beyond Homework Assignments • Recap of Quadratic sieve factoring algorithm • Index calculus methods for the discrete log problem Using smoothness for factoring (Repeating what’s been done in class): • Factor n = pq by computing two different square roots modolu n • Compute x2 mod n • If x2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x2 mod n • p1, p2, …, pm – all primes ≤ B Using smoothness for factoring p1 2 p2 3 p3 5 pm B m x12 e1(1) mod 2 e2 mod 2 em mod 2 x mod n p (1) (1) 2 e(1) j 2 (1) (2) 1 j x2 e2 mod 2 e2 mod 2 j 1 x3 2 m x mod n p 2 e(j 2 ) 2 (m) 2 j ( ( xm e1 mod 2 e2m ) mod 2 e3m ) mod 2 em mod 2 ( m) j 1 Solve for the all-zero vector m x mod n p 2 e(j3) This gives us 3 j j 1 m m x pi2 di mod n 2 i x mod n p 2 e(j m ) iS i 1 m j 2 2 di m xi pi mod n j 1 iS i 1 Using smoothness for discrete log? The Index Calculus Method • We want to compute logg x mod q • If we knew m g x mod q p ej – logg 2 mod q, j – logg 3 mod q, j 1 – logg 5 mod q, …, m – logg pm mod q log g x e j log g p j • Then we could try to i 1 solve for logg x mod q as follows: The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, … m g ( mod q ) p e(1) m x1 e(1) log g p j mod (q 1) x1 j j 1 j j m j 1 ( mod q ) p e(j 2 ) m x2 e(2) log g p j mod (q 1) x2 g j 1 j j j 1 m ( mod q) p e(j3) m x3 e(3) log g p j mod (q 1) x3 g j 1 j j j 1 m ( mod q ) p m xm e(jm ) log g p j mod (q 1) xm e(j m ) g j j 1 j 1 Back To Digital Signatures • Summary of Discussion in Class • RSA, El Gamal, Fiat-Shamir, DSS Handwritten Signatures • Relate an individual, through a handwritten signature, to a document. • Signature can be verified against a prior authenticated one, signed in person. • Should be hard to forge. • Are legally binding (convince a third party, e.g. a judge). Digital Signatures: Desired Properties • Relate an individual, through a digital string, to a document. • Signature should be easy to verify. • Should be hard to forge. • Are legally binding (convince a third party, e.g. a judge). Diffie and Hellman (76) “New Directions in Cryptography” Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. • To sign the message M, Alice computes the string y=DA (M) and sends M,y to Bob. • To verify this is indeed Alice’s signature, Bob computes the string x = EA (y) and checks x=M. Intuition: Only Alice can compute y=DA (M), thus forgery should be computationally infeasible. Problems with “Pure” DH Paradigm • Easy to forge signatures of random messages even without holding DA: Bob picks R arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature of Alice on the “message” S. • Therefore the scheme is subject to existential forgery. • “So what” ? Problems with “Pure” DH Paradigm • Consider specifically RSA. Being multiplicative, we have (products mod N) DA (M1M2) = DA (M1) DA (M2). • If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”… Standard Solution: Hash First Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. • To sign the message M, Alice first computes the strings y=H(M) and z=DA (y). Sends M,z to Bob. • To verify this is indeed Alice’s signature, Bob computes the string y=EA (z) and checks y=H(M). • The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’). General Structure: Signature Schemes • Generation of private and public keys (randomized). • Signing (either deterministic or randomized) • Verification (accept/reject) - usually deterministic. Schemes Used in Practice • RSA • El-Gamal Signature Scheme (85) • The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature. El-Gamal Signature Scheme Generation • Pick a prime p of length 1024 bits such that DL in Zp* is hard. • Let g be a generator of Zp*. • Pick x in [2,p-2] at random. • Compute y=gx mod p. • Public key: p,g,y. • Private key: x. El-Gamal Signature Scheme Signing M • Hash: Let m=H(M). • Pick k in [1,p-2] relatively prime to p-1 at random. • Compute r=gk mod p. • Compute s=(m-rx)k-1 mod (p-1) (***) • Output r and s. El-Gamal Signature Scheme Verify M,r,s,PK • Compute m=H(M). • Accept if 0<r<p and y rrs=gm mod p. else reject. • What’s going on? By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gk so rs=gks, and y=gx so yr=grx, implying yrrs=gm . Homework Assignment 2, part I • Implement via Maple the El Gamal Signature Scheme: – Key Generation – Message Signature – Message Verification • What happens if you use the same k twice? The Digital Signature Algorithm (DSA) • Let p be an L bit prime such that the discrete log problem mod p is intractable • Let q be a 160 bit prime that divides p-1 • Let α be a q’th root of 1 modulo p. How do we compute α? The Digital Signature Algorithm (DSA) • p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p • Private key: random 1 ≤ s ≤ q-1. • Public key: (p, q, α, β = αs mod p) • Signature on message M: – Choose a random 1 ≤ k ≤ p-1, secret!! • Part II: (SHA (M) + s (PART I)) / k mod q • Part I: ((αk mod p) mod q The Digital Signature Algorithm (DSA) – p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M: • Choose a random 1 ≤ k ≤ p-1, secret!! – Part I: ((αk mod p) mod q – Part II: (SHA (M) + s (PART I)) /k mod q • Verification: – e1 = SHA (M) / (PART II) mod q – e2 = (PART I) / (PART II) mod q – OK if ( mod p) mod q (PART I) e1 e2 The Digital Signature Algorithm e1 SHA ( M ) / SHA ( M ) s ( k mod p ) mod q / k mod q e2 e2 ( k mod p ) mod q / SHA ( M ) s ( k mod p ) mod q / k mod q s s Homework 2 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0? Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MACK(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MACK (M) was sent by B, since A could generate it herself. Identification: Model • Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc. • Bob may ask the following: – Who are you? (prove that you’re Alice) – Who the **** is Alice? • Eve wishes to impersonate Alice: – One time impersonation – Full impersonation (identity theft) Identification Scenarios • Local identification – Human authenticator – Device • Remote identification – Human authenticator – Corporate environment (e.g. LAN) – E-commerce environment – Cable TV/Satellite: Pay-per-view; subscription verification – Remote login or e-mail from an internet cafe. Initial Authentication • The problem: how does Alice initially convince anyone that she’s Alice? • The solution must often involve a “real- world” type of authentication – id card, driver’s license etc. • Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco). • Even in scenarios where OK for Alice to be whoever she claims she is, may want to at least make sure Alice is human Closed Environments • The initial authentication problem is fully solved by a trusted party, Carol • Carol can distribute the identification material in a secure fashion, e.g by hand, or over encrypted and authenticated lines • Example – a corporate environment • Eve’s attack avenue is the Alice-Bob connection • We begin by looking at remote authentication Fiat-Shamir Scheme • Initialization • Set Up • Basic Construction • Improved Construction • Zero Knowledge • Removing Interaction Initialization • Bob gets from Carol N=pq but not its factorization. • Alice picks m numbers R1,R2,…,Rm in ZN at random. • Alice computes S1= R12 mod N , …, Sm= Rm2 mod N . • Alice gives Bob S1,S2,…,Sm . • She keeps R1,R2,…,Rm secret . Set Up • Bob holds S1,S2,…,Sm . • She keeps R1,R2,…,Rm secret . • Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S1,S2,…,Sm . • A bad way to convince Bob: Send him R1,R2,…,Rm . • Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge). Basic Protocol • Let S1= R12 such that Alice holds R1 . • To convince Bob that Alice knows a square root mod N of S1 , Alice picks at random X1 in ZN , computes Y1= X12 mod N, and sends Y1 to Bob. • Alice: “I know both a square root mod N of Y1 (=X1) and a square root mod N of Y1 S1 (=X1 R1). Make a choice which of the two you want me to reveal.’’ • Bob flips a coin, outcome (heads/tails) determines the challenge he poses to Alice. Basic Protocol (cont.) • If Alice knows both a square root of Y1 (=X1) and a square root of Y1 S1 (=X1 R1) then she knows R1 (a square root of S1 ). • Thus if Alice does not know a square root of S1 , Bob will catch her cheating with probability 1/2. • In the protocol, Alice will produce Y1,Y2,…,Ym . • Bob will flip m coins b1,b2,…,bm as challenges. • Bob accept only if Alice succeeds in all m cases. Basic Protocol Alice to Bob Y1,Y2,…,Ym b1,b2,…,bm Bob to Alice (challenge) 1, 0, …, 0 Alice to Bob (m response) X S ,X , …,X 1 1 2 m Bob accepts iff all m challenges are met. Improved (more efficient) Protocol Alice to Bob Y1,Y2,…,Ym b1,b2,…,bm Bob to Alice (challenge) 1, 0, …, 0 Alice to Bob (2 response) Product of XiRi with bi=1 Product of Xi with bi=0 Bob accepts iff challenges are met. Correctness of Protocol (Intuition ONLY) 1. A cheating Eve, without knowledge of Ri’s, will be caught with high probability. 2. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns she can simulate on her own). Crucial ingredients: 1. Interaction. 2. Randomness. Final Improvement (Fiat Shamir) Alice to Bob Let H be a secure hash function Y1,Y2,…,Ym b1b2…bm= Bob to Alice H(Y1,Y2 ,…,Ym) (challenge) Alice to Bob 1, 0, …, 0 (2 response) Product of XiRi, bi=1 Product of Xi, bi=0 Bob accepts iff challenges are met. Final Improvement: Remove Interaction Alice to Bob Let H be secure hash function Y1,Y2,…,Ym b1b2…bm= Bob to Alice H(Y1,Y2 ,…,Ym) (challenge) 1, 0, …, 0 Alice to Bob (2 response) Product of XiRi, bi=1 Product of Xi, bi=0 Bob accepts iff challenges are met. Correctness of Fiat-Shamir (Intuition ONLY) A cheating Eve, without knowledge of Ri’s, cannot succeed in producing Y1,Y2,…,Ym that will be hashed to a convenient bit vector b1b2…bm since m is too long and H behaves like a random function (so the chances of hitting a bit vector favourable to Eve are negligible). FS scheme used in practice.