blank by shuifanglj

VIEWS: 22 PAGES: 46

									Introduction to Modern
Cryptography

    Homework assignments

• Pollards (p-1) method for
  factoring integers with prime
  factors p such that p-1 has small
  prime factors
• Pollards ρ algorithm for discrete
  log
Pollards p-1 factoring algorithm
 • Let B be a smoothness bound
 • Let Q be the LCM of all prime powers
   ≤B    Q     ln n / ln q 
                q
             q B
                              
                           How many bits in Q?

 • If (p-1) is B-smooth then ( p  1)
                                      Q
 and for any a, gcd(a,p)=1,

               a  1 (mod p)
                    Q
Pollards p-1 factoring algorithm
     Q  q         ln n / ln q 
                                
                                     a  1 (mod p)
                                      Q
             q B

     Thus,



    d  gcd(a 1, n)  p d   Q
Pollards p-1 factoring algorithm
 • Select a bound B
 • Select a random 2 ≤ a ≤ n-1, and
   compute d = gcd(a,n), if d ≥ 2 then
   return(d)
 • For each prime q ≤ B do
   – Compute     ln n / ln q 
                              
               a  a (mod n)
                    q


 • Return d = gcd(a-1,n)
Pollards ρ algorithm for discrete
                log
• Problem with Shank’s Baby step Giant
  step algorithms: too much memory
• Pollards ρ algorithm for discrete log:
  takes O(1) memory
Pollards discrete log ρ algorithm
             log   (mod p)
• Define sets S1, S2, S3 (e.g., divisible
  by 3, 1 not in S2)
• Define x0 = 1
• Define
                xi (mod p ) if xi  S1
               2
      xi 1   xi (mod p ) if xi  S 2
               x (mod p ) if x  S
               i                 i    3
    Pollards discrete log ρ algorithm
           log   (mod p), a0  0, b0  0

                                                     ai         if xi  S1
          xi (mod p ) if xi  S1             2
                                      ai 1   2ai (mod p  1) if xi  S 2
         2
xi 1   xi (mod p ) if xi  S 2             a  1 (mod p  1) if x  S
                                               i                    i    3
         x (mod p ) if x  S
         i                  i    3
                                              bi  1 (mod p ) if xi  S1
                                               2
                                      bi 1   2bi (mod p ) if xi  S 2
                                                              if xi  S3
                                                     bi
   Pollards discrete log ρ algorithm
                   log   (mod p), a0  0, b0  0
          xi if xi  S1
         2
xi 1   xi if xi  S 2
         x if x  S
         i        i     3

  xi  x2i (mod p ) 
       (mod p) 
     ai   bi     a2 i   b2 i


  ai log    bi  a2i log    b2i (mod p  1) 
  log    (b2i  bi ) /( a2i  ai ) (mod p  1)
Beyond Homework Assignments
 • Recap of Quadratic sieve factoring
   algorithm
 • Index calculus methods for the
   discrete log problem
Using smoothness for factoring
 (Repeating what’s been done in class):
   • Factor n = pq by computing two different
     square roots modolu n
   • Compute x2 mod n
   • If x2 mod n is smooth with respect to B
     then add a row to a matrix where the jth
     coordinate is the parity of the power of
     pj that divides x2 mod n
   • p1, p2, …, pm – all primes ≤ B
Using smoothness for factoring
                                   p1  2           p2  3   p3  5     pm  B
          m
                           x12  e1(1) mod 2 e2 mod 2                 em mod 2 
 x mod n   p
                                               (1)                      (1)
  2              e(1)
                   j
                             2  (1)          (2)                              
  1              j         x2  e2 mod 2 e2 mod 2                              
          j 1
                           x3 
                             2
                                                                               
          m                                                                   
 x mod n   p
  2              e(j 2 )                                                      
                             2  (m)
  2              j
                                              (       (
                           xm  e1 mod 2 e2m ) mod 2 e3m ) mod 2      em mod 2 
                                                                       ( m)
                                                                               
          j 1

                           Solve for the all-zero vector
          m
 x mod n   p
  2              e(j3)

                           This gives us
  3              j
          j 1
                                                m

          m                  x   pi2 di mod n 
                                      2
                                      i

 x mod n   p
 2               e(j m )     iS                i 1
 m               j                          2                  2
                                         di 
                                                        m

                              xi     pi  mod n
          j 1

                             iS   i 1     
Using smoothness for discrete log?
    The Index Calculus Method
 • We want to compute
   logg x mod q
 • If we knew                                m
                            g x mod q   p 
                                                  ej
    –   logg 2 mod q,                              j
    –   logg 3 mod q,                       j 1
    –   logg 5 mod q, …,                   m
    –   logg pm mod q         log g x   e j log g p j
 • Then we could try to                    i 1
   solve for logg x mod q
   as follows:
The problem: compute logg 2 mod
 q, logg 3 mod q, logg 5 mod q, …
                      m
  g ( mod q )   p                        
                             e(1)                   m
                                              x1   e(1) log g p j mod (q  1)
      x1                       j


                      j 1
                             j
                                                       j

                      m
                                                  j 1


           ( mod q )   p
                             e(j 2 )               m
                                             x2   e(2) log g p j mod (q  1)
      x2
  g
                      j 1
                             j
                                                       j
                                           
                                           
                                                   j 1

                                       
                      m
           ( mod q)   p
                             e(j3)                 m
                                             x3   e(3) log g p j mod (q  1)
      x3
  g
                      j 1
                             j
                                                       j
                                                   j 1
                                           
                                           
                      m                    
           ( mod q )   p
                                                    m
                                            xm   e(jm ) log g p j mod (q  1)
      xm                     e(j m )
 g                           j
                      j 1                 
                                                  j 1
 Back To Digital Signatures
• Summary of Discussion in Class
• RSA, El Gamal, Fiat-Shamir, DSS
      Handwritten Signatures

• Relate an individual, through a handwritten
signature, to a document.
• Signature can be verified against a prior
authenticated one, signed in person.
• Should be hard to forge.
• Are legally binding (convince a third party,
e.g. a judge).
    Digital Signatures: Desired
             Properties
• Relate an individual, through a digital
string, to a document.
• Signature should be easy to verify.
• Should be hard to forge.
• Are legally binding (convince a third party,
e.g. a judge).
      Diffie and Hellman (76)
  “New Directions in Cryptography”
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.

• To sign the message M, Alice computes
  the string y=DA (M) and sends M,y to Bob.
• To verify this is indeed Alice’s signature, Bob
  computes the string x = EA (y) and checks x=M.

Intuition: Only Alice can compute y=DA (M), thus
  forgery should be computationally infeasible.
     Problems with “Pure” DH
            Paradigm
• Easy to forge signatures of random
  messages even without holding DA:
 Bob picks R arbitrarily, computes S=EA(R).
 Then the pair (S,R) is a valid signature
 of Alice on the “message” S.
• Therefore the scheme is subject to
  existential forgery.
• “So what” ?
     Problems with “Pure” DH
            Paradigm
• Consider specifically RSA. Being
  multiplicative, we have (products mod N)
 DA (M1M2) = DA (M1) DA (M2).

• If M2=“I OWE BOB $20” and M1=“100”
 then under certain encoding of letters we
 could get M1M2 =“I OWE BOB $2000”…
  Standard Solution: Hash First
Let EA be Alice’s public encryption key,
and let DA be Alice’s private decryption key.

• To sign the message M, Alice first computes
  the strings y=H(M) and z=DA (y). Sends M,z to
  Bob.
• To verify this is indeed Alice’s signature, Bob
  computes the string y=EA (z) and checks y=H(M).

• The function H should be collision resistent, so
  that cannot find another M’ with H(M)=H(M’).
  General Structure: Signature
           Schemes
• Generation of private and public keys
 (randomized).
• Signing (either deterministic or
  randomized)
• Verification (accept/reject) - usually
  deterministic.
  Schemes Used in Practice
• RSA
• El-Gamal Signature Scheme (85)
• The DSS (digital signature standard,
adopted by NIST in 94 is based on
a modification of El-Gamal signature.
   El-Gamal Signature Scheme
Generation
• Pick a prime p of length 1024 bits
  such that DL in Zp* is hard.
• Let g be a generator of Zp*.
• Pick x in [2,p-2] at random.
• Compute y=gx mod p.
• Public key: p,g,y.
• Private key: x.
   El-Gamal Signature Scheme
Signing M
• Hash: Let m=H(M).
• Pick k in [1,p-2] relatively prime to
p-1 at random.
• Compute r=gk mod p.
• Compute s=(m-rx)k-1 mod (p-1) (***)
• Output r and s.
   El-Gamal Signature Scheme
Verify M,r,s,PK
• Compute m=H(M).
• Accept if 0<r<p and y rrs=gm mod p.

  else reject.
• What’s going on?
By (***) s=(m-rx)k-1 mod p-1, so
  sk+rx=m. Now r=gk so rs=gks, and y=gx
  so yr=grx, implying yrrs=gm .
Homework Assignment 2, part I
 • Implement via Maple the El Gamal
   Signature Scheme:
   – Key Generation
   – Message Signature
   – Message Verification
 • What happens if you use the same k
   twice?
The Digital Signature Algorithm
             (DSA)
• Let p be an L bit prime such that the
  discrete log problem mod p is
  intractable
• Let q be a 160 bit prime that divides
  p-1
• Let α be a q’th root of 1 modulo p.
                How do we compute α?
  The Digital Signature Algorithm
               (DSA)
• p – prime, q – prime, p-1 = 0 mod q, α =
  1(1/q) mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = αs mod p)
• Signature on message M:
  – Choose a random 1 ≤ k ≤ p-1, secret!!
     • Part II: (SHA (M) + s (PART I)) / k mod q
     • Part I: ((αk mod p) mod q
The Digital Signature Algorithm
             (DSA)
  – p – prime, q – prime, p-1 = 0 mod q, α = 1(1/q) mod
    p, Private key: random 1 ≤ s ≤ q-1. Public key: (p,
    q, α, β = αs mod p). Signature on message M:
     • Choose a random 1 ≤ k ≤ p-1, secret!!
         – Part I: ((αk mod p) mod q
         – Part II: (SHA (M) + s (PART I)) /k mod q

• Verification:
  – e1 = SHA (M) / (PART II) mod q
  – e2 = (PART I) / (PART II) mod q
  – OK if
             (  mod p) mod q  (PART I)
                e1   e2
The Digital Signature Algorithm

 
 e1                                                
        SHA ( M ) / SHA ( M )  s ( k mod p ) mod q / k mod q


                                                                                
             
 e2            e2            ( k mod p ) mod q / SHA ( M )  s ( k mod p ) mod q / k mod q
          s              s




      Homework 2 part II:

              Prove that if the signature is generated correctly then the
              verification works correctly.
              What happens if PART II of the signature is 0?
         Signatures vs. MACs
Suppose parties A and B share the secret
key K. Then M, MACK(M) convinces A that
indeed M originated with B. But in case of
dispute A cannot convince a judge that
M, MACK (M) was sent by B, since A could
generate it herself.
     Identification: Model
• Alice wishes to prove to Bob her
  identity in order to access a
  resource, obtain a service etc.
• Bob may ask the following:
  – Who are you? (prove that you’re Alice)
  – Who the **** is Alice?
• Eve wishes to impersonate Alice:
  – One time impersonation
  – Full impersonation (identity theft)
   Identification Scenarios
• Local identification
  – Human authenticator
  – Device
• Remote identification
  – Human authenticator
  – Corporate environment (e.g. LAN)
  – E-commerce environment
  – Cable TV/Satellite: Pay-per-view;
     subscription verification
  – Remote login or e-mail from an internet
    cafe.
       Initial Authentication
• The problem: how does Alice initially
  convince anyone that she’s Alice?
• The solution must often involve a “real-
  world” type of authentication – id card,
  driver’s license etc.
• Errors due to the human factor are
  numerous
  (example – the Microsoft-Verisign fiasco).
• Even in scenarios where OK for Alice to be
  whoever she claims she is, may want to at
  least make sure Alice is human
         Closed Environments
• The initial authentication problem is fully
  solved by a trusted party, Carol
• Carol can distribute the identification
  material in a secure fashion, e.g by hand, or
  over encrypted and authenticated lines
• Example – a corporate environment
• Eve’s attack avenue is the Alice-Bob
  connection
• We begin by looking at remote authentication
     Fiat-Shamir Scheme
• Initialization
• Set Up
• Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction
                Initialization
• Bob gets from Carol N=pq but not its factorization.
• Alice picks m numbers R1,R2,…,Rm in ZN at random.
• Alice computes S1= R12 mod N , …, Sm= Rm2 mod N .
• Alice gives Bob S1,S2,…,Sm .
• She keeps R1,R2,…,Rm secret .
                     Set Up
• Bob holds S1,S2,…,Sm .
• She keeps R1,R2,…,Rm secret .

• Who is Alice? Anyone that convinces Bob she can
  produce square roots mod N of S1,S2,…,Sm .

• A bad way to convince Bob: Send him R1,R2,…,Rm .
• Instead, we seek a method that will give Bob (and
  Eve) nothing more than being convinced Alice can
  produce these square roots (zero knowledge).
               Basic Protocol
• Let S1= R12 such that Alice holds R1 .
• To convince Bob that Alice knows a square root
   mod N of S1 , Alice picks at random X1 in ZN ,
  computes Y1= X12 mod N, and sends Y1 to Bob.
• Alice: “I know both a square root mod N of Y1 (=X1)
          and a square root mod N of Y1 S1 (=X1 R1).
          Make a choice which of the two you want
          me to reveal.’’
• Bob flips a coin, outcome (heads/tails) determines
  the challenge he poses to Alice.
          Basic Protocol (cont.)
• If Alice knows both a square root of Y1 (=X1)
  and a square root of Y1 S1 (=X1 R1) then she knows
  R1 (a square root of S1 ).
• Thus if Alice does not know a square root of S1 ,
  Bob will catch her cheating with probability 1/2.

• In the protocol, Alice will produce Y1,Y2,…,Ym .
• Bob will flip m coins b1,b2,…,bm as challenges.
• Bob accept only if Alice succeeds in all m cases.
   Basic Protocol

Alice to Bob

               Y1,Y2,…,Ym

               b1,b2,…,bm         Bob to Alice
                                  (challenge)
               1, 0, …, 0
Alice to Bob
(m response) X S ,X , …,X
              1 1 2       m


   Bob accepts iff all m challenges are met.
   Improved (more efficient) Protocol

Alice to Bob

               Y1,Y2,…,Ym

               b1,b2,…,bm           Bob to Alice
                                    (challenge)
               1, 0, …, 0
Alice to Bob
(2 response)     Product of XiRi with bi=1
                 Product of Xi   with bi=0

   Bob accepts iff challenges are met.
   Correctness of Protocol (Intuition ONLY)

1. A cheating Eve, without knowledge of Ri’s,
will be caught with high probability.

2. Zero Knowledge:
By eavesdropping, Eve learns nothing
(all she learns she can simulate on her own).

Crucial ingredients:
     1. Interaction.
     2. Randomness.
   Final Improvement (Fiat Shamir)

Alice to Bob                    Let H be a secure
                                hash function
               Y1,Y2,…,Ym

               b1b2…bm=                 Bob to Alice
               H(Y1,Y2 ,…,Ym)           (challenge)
Alice to Bob   1, 0, …, 0
(2 response)
                Product of XiRi, bi=1
                 Product of Xi, bi=0
   Bob accepts iff challenges are met.
   Final Improvement: Remove Interaction

Alice to Bob                     Let H be secure
                                 hash function
                Y1,Y2,…,Ym

               b1b2…bm=                  Bob to Alice
               H(Y1,Y2 ,…,Ym)            (challenge)
                1, 0, …, 0
Alice to Bob
(2 response)
                 Product of XiRi, bi=1
                  Product of Xi, bi=0
   Bob accepts iff challenges are met.
Correctness of Fiat-Shamir (Intuition ONLY)

A cheating Eve, without knowledge of Ri’s,
cannot succeed in producing Y1,Y2,…,Ym
that will be hashed to a convenient bit vector
b1b2…bm since m is too long and H behaves
like a random function (so the chances of
hitting a bit vector favourable to Eve are
negligible).

FS scheme used in practice.

								
To top