# blank by shuifanglj

VIEWS: 22 PAGES: 46

• pg 1
```									Introduction to Modern
Cryptography

Homework assignments

• Pollards (p-1) method for
factoring integers with prime
factors p such that p-1 has small
prime factors
• Pollards ρ algorithm for discrete
log
Pollards p-1 factoring algorithm
• Let B be a smoothness bound
• Let Q be the LCM of all prime powers
≤B    Q     ln n / ln q 
q
q B

How many bits in Q?

• If (p-1) is B-smooth then ( p  1)
Q
and for any a, gcd(a,p)=1,

a  1 (mod p)
Q
Pollards p-1 factoring algorithm
Q  q         ln n / ln q 
            
a  1 (mod p)
Q
q B

Thus,

d  gcd(a 1, n)  p d   Q
Pollards p-1 factoring algorithm
• Select a bound B
• Select a random 2 ≤ a ≤ n-1, and
compute d = gcd(a,n), if d ≥ 2 then
return(d)
• For each prime q ≤ B do
– Compute     ln n / ln q 
            
a  a (mod n)
q

• Return d = gcd(a-1,n)
Pollards ρ algorithm for discrete
log
• Problem with Shank’s Baby step Giant
step algorithms: too much memory
• Pollards ρ algorithm for discrete log:
takes O(1) memory
Pollards discrete log ρ algorithm
log   (mod p)
• Define sets S1, S2, S3 (e.g., divisible
by 3, 1 not in S2)
• Define x0 = 1
• Define
  xi (mod p ) if xi  S1
 2
xi 1   xi (mod p ) if xi  S 2
 x (mod p ) if x  S
 i                 i    3
Pollards discrete log ρ algorithm
log   (mod p), a0  0, b0  0

       ai         if xi  S1
  xi (mod p ) if xi  S1             2
ai 1   2ai (mod p  1) if xi  S 2
 2
xi 1   xi (mod p ) if xi  S 2             a  1 (mod p  1) if x  S
 i                    i    3
 x (mod p ) if x  S
 i                  i    3
bi  1 (mod p ) if xi  S1
 2
bi 1   2bi (mod p ) if xi  S 2
                if xi  S3
       bi
Pollards discrete log ρ algorithm
log   (mod p), a0  0, b0  0
  xi if xi  S1
 2
xi 1   xi if xi  S 2
 x if x  S
 i        i     3

xi  x2i (mod p ) 
     (mod p) 
ai   bi     a2 i   b2 i

ai log    bi  a2i log    b2i (mod p  1) 
log    (b2i  bi ) /( a2i  ai ) (mod p  1)
Beyond Homework Assignments
• Recap of Quadratic sieve factoring
algorithm
• Index calculus methods for the
discrete log problem
Using smoothness for factoring
(Repeating what’s been done in class):
• Factor n = pq by computing two different
square roots modolu n
• Compute x2 mod n
• If x2 mod n is smooth with respect to B
then add a row to a matrix where the jth
coordinate is the parity of the power of
pj that divides x2 mod n
• p1, p2, …, pm – all primes ≤ B
Using smoothness for factoring
p1  2           p2  3   p3  5     pm  B
m
x12  e1(1) mod 2 e2 mod 2                 em mod 2 
x mod n   p
(1)                      (1)
2              e(1)
j
2  (1)          (2)                              
1              j         x2  e2 mod 2 e2 mod 2                              
j 1
x3 
2

m                                                                   
x mod n   p
2              e(j 2 )                                                      
2  (m)
2              j
(       (
xm  e1 mod 2 e2m ) mod 2 e3m ) mod 2      em mod 2 
( m)

j 1

Solve for the all-zero vector
m
x mod n   p
2              e(j3)

This gives us
3              j
j 1
m

m                  x   pi2 di mod n 
2
i

x mod n   p
2               e(j m )     iS                i 1
m               j                          2                  2
             di 
m

  xi     pi  mod n
j 1

 iS   i 1     
Using smoothness for discrete log?
The Index Calculus Method
• We want to compute
logg x mod q
• If we knew                                m
g x mod q   p 
                    ej
–   logg 2 mod q,                              j
–   logg 3 mod q,                       j 1
–   logg 5 mod q, …,                   m
–   logg pm mod q         log g x   e j log g p j
• Then we could try to                    i 1
solve for logg x mod q
as follows:
The problem: compute logg 2 mod
q, logg 3 mod q, logg 5 mod q, …
m
g ( mod q )   p                        
e(1)                   m
x1   e(1) log g p j mod (q  1)
x1                       j

j 1
j
            j

m
       j 1

( mod q )   p
e(j 2 )               m
x2   e(2) log g p j mod (q  1)
x2
g
j 1
j
            j


j 1


m
( mod q)   p
e(j3)                 m
x3   e(3) log g p j mod (q  1)
x3
g
j 1
j
            j
j 1


m                    
( mod q )   p
m
 xm   e(jm ) log g p j mod (q  1)
xm                     e(j m )
g                           j
j 1                 
       j 1
Back To Digital Signatures
• Summary of Discussion in Class
• RSA, El Gamal, Fiat-Shamir, DSS
Handwritten Signatures

• Relate an individual, through a handwritten
signature, to a document.
• Signature can be verified against a prior
authenticated one, signed in person.
• Should be hard to forge.
• Are legally binding (convince a third party,
e.g. a judge).
Digital Signatures: Desired
Properties
• Relate an individual, through a digital
string, to a document.
• Signature should be easy to verify.
• Should be hard to forge.
• Are legally binding (convince a third party,
e.g. a judge).
Diffie and Hellman (76)
“New Directions in Cryptography”
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.

• To sign the message M, Alice computes
the string y=DA (M) and sends M,y to Bob.
• To verify this is indeed Alice’s signature, Bob
computes the string x = EA (y) and checks x=M.

Intuition: Only Alice can compute y=DA (M), thus
forgery should be computationally infeasible.
Problems with “Pure” DH
• Easy to forge signatures of random
messages even without holding DA:
Bob picks R arbitrarily, computes S=EA(R).
Then the pair (S,R) is a valid signature
of Alice on the “message” S.
• Therefore the scheme is subject to
existential forgery.
• “So what” ?
Problems with “Pure” DH
• Consider specifically RSA. Being
multiplicative, we have (products mod N)
DA (M1M2) = DA (M1) DA (M2).

• If M2=“I OWE BOB \$20” and M1=“100”
then under certain encoding of letters we
could get M1M2 =“I OWE BOB \$2000”…
Standard Solution: Hash First
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.

• To sign the message M, Alice first computes
the strings y=H(M) and z=DA (y). Sends M,z to
Bob.
• To verify this is indeed Alice’s signature, Bob
computes the string y=EA (z) and checks y=H(M).

• The function H should be collision resistent, so
that cannot find another M’ with H(M)=H(M’).
General Structure: Signature
Schemes
• Generation of private and public keys
(randomized).
• Signing (either deterministic or
randomized)
• Verification (accept/reject) - usually
deterministic.
Schemes Used in Practice
• RSA
• El-Gamal Signature Scheme (85)
• The DSS (digital signature standard,
adopted by NIST in 94 is based on
a modification of El-Gamal signature.
El-Gamal Signature Scheme
Generation
• Pick a prime p of length 1024 bits
such that DL in Zp* is hard.
• Let g be a generator of Zp*.
• Pick x in [2,p-2] at random.
• Compute y=gx mod p.
• Public key: p,g,y.
• Private key: x.
El-Gamal Signature Scheme
Signing M
• Hash: Let m=H(M).
• Pick k in [1,p-2] relatively prime to
p-1 at random.
• Compute r=gk mod p.
• Compute s=(m-rx)k-1 mod (p-1) (***)
• Output r and s.
El-Gamal Signature Scheme
Verify M,r,s,PK
• Compute m=H(M).
• Accept if 0<r<p and y rrs=gm mod p.

else reject.
• What’s going on?
By (***) s=(m-rx)k-1 mod p-1, so
sk+rx=m. Now r=gk so rs=gks, and y=gx
so yr=grx, implying yrrs=gm .
Homework Assignment 2, part I
• Implement via Maple the El Gamal
Signature Scheme:
– Key Generation
– Message Signature
– Message Verification
• What happens if you use the same k
twice?
The Digital Signature Algorithm
(DSA)
• Let p be an L bit prime such that the
discrete log problem mod p is
intractable
• Let q be a 160 bit prime that divides
p-1
• Let α be a q’th root of 1 modulo p.
How do we compute α?
The Digital Signature Algorithm
(DSA)
• p – prime, q – prime, p-1 = 0 mod q, α =
1(1/q) mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = αs mod p)
• Signature on message M:
– Choose a random 1 ≤ k ≤ p-1, secret!!
• Part II: (SHA (M) + s (PART I)) / k mod q
• Part I: ((αk mod p) mod q
The Digital Signature Algorithm
(DSA)
– p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod
p, Private key: random 1 ≤ s ≤ q-1. Public key: (p,
q, α, β = αs mod p). Signature on message M:
• Choose a random 1 ≤ k ≤ p-1, secret!!
– Part I: ((αk mod p) mod q
– Part II: (SHA (M) + s (PART I)) /k mod q

• Verification:
– e1 = SHA (M) / (PART II) mod q
– e2 = (PART I) / (PART II) mod q
– OK if
(  mod p) mod q  (PART I)
e1   e2
The Digital Signature Algorithm

 
e1                                                
SHA ( M ) / SHA ( M )  s ( k mod p ) mod q / k mod q

                                
             
e2            e2            ( k mod p ) mod q / SHA ( M )  s ( k mod p ) mod q / k mod q
s              s

Homework 2 part II:

Prove that if the signature is generated correctly then the
verification works correctly.
What happens if PART II of the signature is 0?
Signatures vs. MACs
Suppose parties A and B share the secret
key K. Then M, MACK(M) convinces A that
indeed M originated with B. But in case of
dispute A cannot convince a judge that
M, MACK (M) was sent by B, since A could
generate it herself.
Identification: Model
• Alice wishes to prove to Bob her
identity in order to access a
resource, obtain a service etc.
• Bob may ask the following:
– Who are you? (prove that you’re Alice)
– Who the **** is Alice?
• Eve wishes to impersonate Alice:
– One time impersonation
– Full impersonation (identity theft)
Identification Scenarios
• Local identification
– Human authenticator
– Device
• Remote identification
– Human authenticator
– Corporate environment (e.g. LAN)
– E-commerce environment
– Cable TV/Satellite: Pay-per-view;
subscription verification
– Remote login or e-mail from an internet
cafe.
Initial Authentication
• The problem: how does Alice initially
convince anyone that she’s Alice?
• The solution must often involve a “real-
world” type of authentication – id card,
• Errors due to the human factor are
numerous
(example – the Microsoft-Verisign fiasco).
• Even in scenarios where OK for Alice to be
whoever she claims she is, may want to at
least make sure Alice is human
Closed Environments
• The initial authentication problem is fully
solved by a trusted party, Carol
• Carol can distribute the identification
material in a secure fashion, e.g by hand, or
over encrypted and authenticated lines
• Example – a corporate environment
• Eve’s attack avenue is the Alice-Bob
connection
• We begin by looking at remote authentication
Fiat-Shamir Scheme
• Initialization
• Set Up
• Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction
Initialization
• Bob gets from Carol N=pq but not its factorization.
• Alice picks m numbers R1,R2,…,Rm in ZN at random.
• Alice computes S1= R12 mod N , …, Sm= Rm2 mod N .
• Alice gives Bob S1,S2,…,Sm .
• She keeps R1,R2,…,Rm secret .
Set Up
• Bob holds S1,S2,…,Sm .
• She keeps R1,R2,…,Rm secret .

• Who is Alice? Anyone that convinces Bob she can
produce square roots mod N of S1,S2,…,Sm .

• A bad way to convince Bob: Send him R1,R2,…,Rm .
• Instead, we seek a method that will give Bob (and
Eve) nothing more than being convinced Alice can
produce these square roots (zero knowledge).
Basic Protocol
• Let S1= R12 such that Alice holds R1 .
• To convince Bob that Alice knows a square root
mod N of S1 , Alice picks at random X1 in ZN ,
computes Y1= X12 mod N, and sends Y1 to Bob.
• Alice: “I know both a square root mod N of Y1 (=X1)
and a square root mod N of Y1 S1 (=X1 R1).
Make a choice which of the two you want
me to reveal.’’
• Bob flips a coin, outcome (heads/tails) determines
the challenge he poses to Alice.
Basic Protocol (cont.)
• If Alice knows both a square root of Y1 (=X1)
and a square root of Y1 S1 (=X1 R1) then she knows
R1 (a square root of S1 ).
• Thus if Alice does not know a square root of S1 ,
Bob will catch her cheating with probability 1/2.

• In the protocol, Alice will produce Y1,Y2,…,Ym .
• Bob will flip m coins b1,b2,…,bm as challenges.
• Bob accept only if Alice succeeds in all m cases.
Basic Protocol

Alice to Bob

Y1,Y2,…,Ym

b1,b2,…,bm         Bob to Alice
(challenge)
1, 0, …, 0
Alice to Bob
(m response) X S ,X , …,X
1 1 2       m

Bob accepts iff all m challenges are met.
Improved (more efficient) Protocol

Alice to Bob

Y1,Y2,…,Ym

b1,b2,…,bm           Bob to Alice
(challenge)
1, 0, …, 0
Alice to Bob
(2 response)     Product of XiRi with bi=1
Product of Xi   with bi=0

Bob accepts iff challenges are met.
Correctness of Protocol (Intuition ONLY)

1. A cheating Eve, without knowledge of Ri’s,
will be caught with high probability.

2. Zero Knowledge:
By eavesdropping, Eve learns nothing
(all she learns she can simulate on her own).

Crucial ingredients:
1. Interaction.
2. Randomness.
Final Improvement (Fiat Shamir)

Alice to Bob                    Let H be a secure
hash function
Y1,Y2,…,Ym

b1b2…bm=                 Bob to Alice
H(Y1,Y2 ,…,Ym)           (challenge)
Alice to Bob   1, 0, …, 0
(2 response)
Product of XiRi, bi=1
Product of Xi, bi=0
Bob accepts iff challenges are met.
Final Improvement: Remove Interaction

Alice to Bob                     Let H be secure
hash function
Y1,Y2,…,Ym

b1b2…bm=                  Bob to Alice
H(Y1,Y2 ,…,Ym)            (challenge)
1, 0, …, 0
Alice to Bob
(2 response)
Product of XiRi, bi=1
Product of Xi, bi=0
Bob accepts iff challenges are met.
Correctness of Fiat-Shamir (Intuition ONLY)

A cheating Eve, without knowledge of Ri’s,
cannot succeed in producing Y1,Y2,…,Ym
that will be hashed to a convenient bit vector
b1b2…bm since m is too long and H behaves
like a random function (so the chances of
hitting a bit vector favourable to Eve are
negligible).

FS scheme used in practice.

```
To top