Introduction to Modern Cryptography
• Homework assignments
• Pollard's (p-1) method for factoring integers with prime factors p such that p-1 has small prime factors
• Pollard's ρ algorithm for discrete log
Pollard's p-1 factoring algorithm
• Let B be a smoothness bound
• Let Q be the LCM of all prime powers ≤ B
• If (p-1) is B-smooth then, for any a with gcd(a,p)=1,
• How many bits in Q?
Pollard's p-1 factoring algorithm
• Select a bound B
• Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n); if d ≥ 2 then return(d)
• For each prime q ≤ B do
  • Compute
• Return d = gcd(a-1,n)
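As an added example (not from the slides), the two slides above in Python: Q is built as the LCM of the prime powers ≤ B, and the exponentiation is done prime by prime as in the loop above. The modulus 1009·1019 is constructed so that 1009-1 = 2^4·3^2·7 is 20-smooth while 1019-1 = 2·509 is not.

```python
from math import gcd, isqrt

def primes_up_to(B):
    """Primes <= B by a simple sieve."""
    flags = bytearray([1]) * (B + 1)
    flags[0] = flags[1] = 0
    for i in range(2, isqrt(B) + 1):
        if flags[i]:
            for j in range(i * i, B + 1, i):
                flags[j] = 0
    return [i for i in range(2, B + 1) if flags[i]]

def smoothness_exponent(B):
    """Q = lcm of all prime powers <= B: the product over primes q <= B of the
    largest power q^e with q^e <= B (this is what makes (p-1) | Q for B-smooth p-1)."""
    Q = 1
    for q in primes_up_to(B):
        e = 1
        while q ** (e + 1) <= B:
            e += 1
        Q *= q ** e
    return Q

def pollard_p_minus_1(n, B, a=2):
    """Non-trivial factor of n, or None if B was too small (or too large: d == n).
    If some prime p | n has p-1 B-smooth then (p-1) | Q, so a^Q = 1 (mod p) by
    Fermat and p divides gcd(a^Q - 1, n)."""
    d = gcd(a, n)
    if d >= 2:
        return d                       # a itself already shares a factor with n
    for q in primes_up_to(B):          # a <- a^(q^e) mod n, prime by prime: a^Q overall
        e = 1
        while q ** (e + 1) <= B:
            e += 1
        a = pow(a, q ** e, n)
    d = gcd(a - 1, n)
    return d if 1 < d < n else None    # d == n: every factor's p-1 divided Q; retry with smaller B
```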
Pollard's ρ algorithm for discrete log
• Problem with Shanks' Baby-step Giant-step algorithm: too much memory
• Pollard's ρ algorithm for discrete log: takes O(1) memory
Pollard's discrete log ρ algorithm
• Define sets S1, S2, S3 (e.g., by divisibility by 3, with 1 not in S2)
• Define x0 = 1
• Define
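The iteration itself is not spelled out on the slide; the added Python below (not from the slides) uses the standard Pollard ρ step with S1, S2, S3 chosen by x mod 3 so that x0 = 1 is not in the squaring class, tracks the exponents of α and β, and uses Floyd's cycle finding so only two triples are ever held in memory. The parameters p = 383, α = 2 of order 191 and β = 228 are a constructed example.

```python
from math import gcd

def rho_step(x, a, b, alpha, beta, p, n):
    """One step of the iteration, with S1/S2/S3 chosen by x mod 3. S2 is the
    squaring class and 1 is not in it, so x0 = 1 does not get stuck.
    (a, b) track the representation x = alpha^a * beta^b (mod p), exponents mod n."""
    if x % 3 == 1:                                  # S1: multiply by beta
        return x * beta % p, a, (b + 1) % n
    if x % 3 == 0:                                  # S2: square
        return x * x % p, 2 * a % n, 2 * b % n
    return x * alpha % p, (a + 1) % n, b            # S3: multiply by alpha

def pollard_rho_dlog(alpha, beta, p, n, max_iter=10**6):
    """Return k with alpha^k = beta (mod p), alpha of order n, in O(1) memory:
    Floyd's tortoise/hare from x0 = 1 (a0 = b0 = 0) until x_i = x_2i."""
    x, a, b = 1, 0, 0
    X, A, B = 1, 0, 0
    for _ in range(max_iter):
        x, a, b = rho_step(x, a, b, alpha, beta, p, n)
        X, A, B = rho_step(X, A, B, alpha, beta, p, n)
        X, A, B = rho_step(X, A, B, alpha, beta, p, n)
        if x != X:
            continue
        # alpha^a beta^b = alpha^A beta^B, so (a - A) = k * (B - b) (mod n)
        u, v = (a - A) % n, (B - b) % n
        d = gcd(v, n)
        if v == 0 or u % d:
            return None                             # useless collision; restart from a random point in practice
        k0 = (u // d) * pow(v // d, -1, n // d) % (n // d)
        for i in range(d):                          # d candidates when gcd(v, n) > 1; test each
            k = k0 + i * (n // d)
            if pow(alpha, k, p) == beta:
                return k
        return None
    return None
```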
Beyond Homework Assignments
• Recap of the Quadratic Sieve factoring algorithm
• Index calculus methods for the discrete log problem
Using smoothness for factoring (repeating what's been done in class):
• Factor n = pq by computing two different square roots modulo n
• Compute x^2 mod n
• If x^2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x^2 mod n
• p1, p2, …, pm are all the primes ≤ B
Using smoothness for factoring
Solve for the all-zero vector.
This gives us
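As an added illustration (not part of the slides), the recap above in Python in its simplest form, Dixon-style with trial division instead of a sieve: smooth x^2 mod n values become parity rows, Gaussian elimination over GF(2) finds rows that sum to the all-zero vector, and the two resulting square roots give gcd(X - Y, n). The modulus n = 1009·1019 and the factor base of primes ≤ 47 are constructed.

```python
from math import gcd, isqrt

def smooth_exponents(v, factor_base):
    """Exponent vector of v over p1..pm, or None if v is not B-smooth."""
    if v <= 0:
        return None
    exps = []
    for p in factor_base:
        e = 0
        while v % p == 0:
            v //= p
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def factor_with_smooth_squares(n, factor_base, extra=10):
    """Two different square roots mod n: collect x with x^2 mod n smooth, find
    rows whose parity vectors XOR to zero, set X = prod x_i and Y = sqrt of
    prod (x_i^2 mod n) from the (now even) exponents, and try gcd(X -/+ Y, n)."""
    m = len(factor_base)
    rels, x = [], isqrt(n) + 1
    while len(rels) < m + extra:                # > m rows forces a dependency
        exps = smooth_exponents(x * x % n, factor_base)
        if exps is not None:
            rels.append((x, exps))
        x += 1
    pivots = {}                                 # column -> (row bits, origin set)
    for i, (_, exps) in enumerate(rels):
        row = sum((e & 1) << j for j, e in enumerate(exps))   # parity bitmask
        hist = 1 << i                           # which relations were XORed in
        while row and (row.bit_length() - 1) in pivots:       # GF(2) elimination
            prow, phist = pivots[row.bit_length() - 1]
            row, hist = row ^ prow, hist ^ phist
        if row:
            pivots[row.bit_length() - 1] = (row, hist)
            continue
        subset = [rels[j] for j in range(len(rels)) if hist >> j & 1]  # all-zero sum
        X, total = 1, [0] * m
        for xi, ei in subset:
            X = X * xi % n
            total = [t + e for t, e in zip(total, ei)]
        Y = 1
        for p, t in zip(factor_base, total):    # every t is even here
            Y = Y * pow(p, t // 2, n) % n
        for d in (gcd(X - Y, n), gcd(X + Y, n)):
            if 1 < d < n:
                return d                        # X != +-Y (mod n): a factor
    return None                                 # all dependencies trivial
```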
Using smoothness for discrete log? The Index Calculus Method
• We want to compute log_g x mod q
• If we knew log_g 2 mod q, log_g 3 mod q, log_g 5 mod q, …, log_g pm mod q
• Then we could try to solve for log_g x mod q as follows:
The problem: compute log_g 2 mod q, log_g 3 mod q, log_g 5 mod q, …
Back To Digital Signatures
• Summary of discussion in class
• RSA, El Gamal, Fiat-Shamir, DSS
Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
Diffie and Hellman (76), "New Directions in Cryptography"
Let EA be Alice's public encryption key, and let DA be Alice's private decryption key.
• To sign the message M, Alice computes the string y = DA(M) and sends M, y to Bob.
• To verify this is indeed Alice's signature, Bob computes the string x = EA(y) and checks x = M.
Intuition: Only Alice can compute y = DA(M), thus forgery should be computationally infeasible.
Problems with "Pure" DH Paradigm
• Easy to forge signatures of random messages even without holding DA: Bob picks R arbitrarily and computes S = EA(R). Then the pair (S, R) is a valid signature of Alice on the "message" S.
• Therefore the scheme is subject to existential forgery.
• "So what"?
Problems with "Pure" DH Paradigm
• Consider specifically RSA. Being multiplicative, we have (products mod N) DA(M1 M2) = DA(M1) DA(M2).
• If M2 = "I OWE BOB $20" and M1 = "100" then under a certain encoding of letters we could get M1 M2 = "I OWE BOB $2000"…
Standard Solution: Hash First
Let EA be Alice's public encryption key, and let DA be Alice's private decryption key.
• To sign the message M, Alice first computes the strings y = H(M) and z = DA(y), and sends M, z to Bob.
• To verify this is indeed Alice's signature, Bob computes the string y = EA(z) and checks y = H(M).
• The function H should be collision resistant, so that one cannot find another M' with H(M) = H(M').
General Structure: Signature Schemes
• Generation of private and public keys (randomized).
• Signing (either deterministic or randomized).
• Verification (accept/reject), usually deterministic.
Schemes Used in Practice
• RSA
• El-Gamal Signature Scheme (85)
• The DSS (Digital Signature Standard), adopted by NIST in 94, is based on a modification of the El-Gamal signature.
El-Gamal Signature Scheme: Generation
• Pick a prime p of length 1024 bits such that DL in Zp* is hard.
• Let g be a generator of Zp*.
• Pick x in [2, p-2] at random.
• Compute y = g^x mod p.
• Public key: p, g, y.
• Private key: x.
El-Gamal Signature Scheme: Signing M
• Hash: Let m = H(M).
• Pick k in [1, p-2] relatively prime to p-1 at random.
• Compute r = g^k mod p.
• Compute s = (m - rx) k^-1 mod (p-1)   (***)
• Output r and s.
El-Gamal Signature Scheme: Verify M, r, s, PK
• Compute m = H(M).
• Accept if 0 < r < p and y^r r^s = g^m mod p, else reject.
• What's going on? By (***) s = (m - rx) k^-1 mod (p-1), so sk + rx = m mod (p-1). Now r = g^k so r^s = g^ks, and y = g^x so y^r = g^rx, implying y^r r^s = g^m.
Homework Assignment 2, part I
• Implement via Maple the El Gamal Signature Scheme:
  • Key Generation
  • Message Signature
  • Message Verification
• What happens if you use the same k twice?
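As an added example (not the Maple solution asked for above, and not from the slides), the scheme of the previous three slides in Python, with SHA-256 reduced mod p-1 standing in for H and the small constructed parameters p = 467, g = 2 for readability. The last function shows what happens when the same k is used twice: the two signatures share r, and from public data alone k and then the private x can be solved for, which is why k must be fresh and uniformly random for every signature.

```python
import hashlib
import random
from math import gcd

def H(M, p):
    """m = H(M) reduced mod p-1 (SHA-256 stands in for the slides' H)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % (p - 1)

def keygen(p, g, rng=None):
    """Private x in [2, p-2] and public y = g^x mod p; p and a generator g are given."""
    rng = rng or random.SystemRandom()
    x = rng.randrange(2, p - 1)
    return x, pow(g, x, p)

def sign(p, g, x, M, k=None, rng=None):
    rng = rng or random.SystemRandom()
    m = H(M, p)
    while k is None or gcd(k, p - 1) != 1:
        k = rng.randrange(1, p - 1)                   # k in [1, p-2], coprime to p-1
    r = pow(g, k, p)
    s = (m - r * x) * pow(k, -1, p - 1) % (p - 1)     # (***)
    return r, s

def verify(p, g, y, M, r, s):
    m = H(M, p)
    return 0 < r < p and pow(y, r, p) * pow(r, s, p) % p == pow(g, m, p)

def solve_linear(a, b, n):
    """All t in [0, n) with a*t = b (mod n); empty list if there is none."""
    d = gcd(a, n)
    if b % d:
        return []
    nd = n // d
    t0 = (b // d) * pow(a // d, -1, nd) % nd if nd > 1 else 0
    return [t0 + i * nd for i in range(d)]

def recover_from_reused_k(p, g, y, M1, sig1, M2, sig2):
    """Same r in two signatures means the same k. Then s1 - s2 = (m1 - m2) k^-1
    (mod p-1) gives k, and (***) gives x = (m1 - s1 k) r^-1 (mod p-1): the
    private key follows from public data, which is why k must never repeat."""
    (r, s1), (_, s2) = sig1, sig2
    m1, m2 = H(M1, p), H(M2, p)
    for k in solve_linear((s1 - s2) % (p - 1), (m1 - m2) % (p - 1), p - 1):
        if pow(g, k, p) != r:
            continue
        for x in solve_linear(r % (p - 1), (m1 - s1 * k) % (p - 1), p - 1):
            if pow(g, x, p) == y:
                return x
    return None
```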
The Digital Signature Algorithm (DSA)
• Let p be an L-bit prime such that the discrete log problem mod p is intractable
• Let q be a 160-bit prime that divides p-1
• Let α be a q'th root of 1 modulo p. How do we compute α?
The Digital Signature Algorithm (DSA)
• p prime, q prime, p-1 = 0 mod q, α = 1^(1/q) mod p
• Private key: random 1 ≤ s ≤ q-1.
• Public key: (p, q, α, β = α^s mod p)
• Signature on message M:
  • Choose a random 1 ≤ k ≤ p-1, secret!!
  • Part I: (α^k mod p) mod q
  • Part II: (SHA(M) + s·(Part I)) / k mod q
The Digital Signature Algorithm (DSA)
• p prime, q prime, p-1 = 0 mod q, α = 1^(1/q) mod p. Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α^s mod p).
• Signature on message M:
  • Choose a random 1 ≤ k ≤ p-1, secret!!
  • Part I: (α^k mod p) mod q
  • Part II: (SHA(M) + s·(Part I)) / k mod q
• Verification:
  • e1 = SHA(M) / (Part II) mod q
  • e2 = (Part I) / (Part II) mod q
  • OK if
The Digital Signature Algorithm
Homework 2, part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if Part II of the signature is 0?
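As an added example (not from the slides), the DSA of the previous slides in Python with constructed toy parameters p = 10091, q = 1009 (so q | p-1) and SHA-256 reduced mod q in place of SHA. Two choices are assumptions: k is drawn from [1, q-1] rather than [1, p-1] (α has order q, so only k mod q matters), and the final check, which the slide leaves as "OK if", is the standard DSA one, (α^e1 β^e2 mod p) mod q = Part I. Signing redraws k whenever Part II would be 0, and verification rejects a Part II of 0, which has no inverse mod q.

```python
import hashlib
import random

def qth_root_of_unity(p, q, h=2):
    """alpha = h^((p-1)/q) mod p is a q'th root of 1 (alpha^q = h^(p-1) = 1 by
    Fermat) and has order exactly q when it is not 1; try the next h otherwise."""
    assert (p - 1) % q == 0, "q must divide p-1"
    while True:
        alpha = pow(h, (p - 1) // q, p)
        if alpha != 1:
            return alpha
        h += 1

def hash_mod_q(M, q):
    """SHA(M) reduced mod q (SHA-256 here; the slides' SHA had 160-bit output)."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % q

def dsa_keygen(p, q, alpha, rng=None):
    rng = rng or random.SystemRandom()
    s = rng.randrange(1, q)                        # private key 1 <= s <= q-1
    return s, pow(alpha, s, p)                     # (s, beta = alpha^s mod p)

def dsa_sign(p, q, alpha, s, M, rng=None):
    rng = rng or random.SystemRandom()
    while True:
        k = rng.randrange(1, q)                    # secret per-signature k
        part1 = pow(alpha, k, p) % q               # Part I = (alpha^k mod p) mod q
        part2 = pow(k, -1, q) * (hash_mod_q(M, q) + s * part1) % q
        if part1 != 0 and part2 != 0:              # Part II = 0 could never verify
            return part1, part2                    # (no inverse), so redraw k

def dsa_verify(p, q, alpha, beta, M, part1, part2):
    if not (0 < part1 < q and 0 < part2 < q):      # rejects Part II = 0 up front
        return False
    w = pow(part2, -1, q)
    e1 = hash_mod_q(M, q) * w % q                  # e1 = SHA(M) / Part II mod q
    e2 = part1 * w % q                             # e2 = Part I / Part II mod q
    return pow(alpha, e1, p) * pow(beta, e2, p) % p % q == part1
```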
Signatures vs. MACs
Suppose parties A and B share the secret key K. Then M, MACK(M) convinces A that indeed M originated with B. But in case of dispute A cannot convince a judge that M, MACK(M) was sent by B, since A could generate it herself.
Identification: Model
• Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc.
• Bob may ask the following:
  • Who are you? (prove that you're Alice)
  • Who the **** is Alice?
• Eve wishes to impersonate Alice:
  • One-time impersonation
  • Full impersonation (identity theft)
Identification Scenarios
• Local identification
  • Human authenticator
  • Device
• Remote identification
  • Human authenticator
  • Corporate environment (e.g. LAN)
  • E-commerce environment
  • Cable TV/Satellite: pay-per-view; subscription verification
  • Remote login or e-mail from an internet cafe.
Initial Authentication
• The problem: how does Alice initially convince anyone that she's Alice?
• The solution must often involve a "real-world" type of authentication: id card, driver's license etc.
• Errors due to the human factor are numerous (example: the Microsoft-Verisign fiasco).
• Even in scenarios where it is OK for Alice to be whoever she claims she is, we may want to at least make sure Alice is human (implemented, e.g., for new users in Yahoo mail).
Closed Environments
• The initial authentication problem is fully solved by a trusted party, Carol
• Carol can distribute the identification material in a secure fashion, e.g. by hand, or over encrypted and authenticated lines
• Example: a corporate environment
• Eve's attack avenue is the Alice-Bob connection
• We begin by looking at remote authentication
Fiat-Shamir Scheme
• Initialization
• Set Up
• Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction
Initialization
• Bob gets from Carol N = pq but not its factorization.
• Alice picks m numbers R1, R2, …, Rm in ZN at random.
• Alice computes S1 = R1^2 mod N, …, Sm = Rm^2 mod N.
• Alice gives Bob S1, S2, …, Sm.
• She keeps R1, R2, …, Rm secret.
Set Up
• Bob holds S1, S2, …, Sm. Alice keeps R1, R2, …, Rm secret.
• Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S1, S2, …, Sm.
• A bad way to convince Bob: send him R1, R2, …, Rm.
• Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge).
Basic Protocol
• Let S1 = R1^2 such that Alice holds R1.
• To convince Bob that Alice knows a square root mod N of S1, Alice picks at random X1 in ZN, computes Y1 = X1^2 mod N, and sends Y1 to Bob.
• Alice: "I know both a square root mod N of Y1 (= X1) and a square root mod N of Y1 S1 (= X1 R1). Make a choice which of the two you want me to reveal."
• Bob flips a coin; the outcome (heads/tails) determines the challenge he poses to Alice.
Basic Protocol (cont.)
• If Alice knows both a square root of Y1 (= X1) and a square root of Y1 S1 (= X1 R1) then she knows R1 (a square root of S1).
• Thus if Alice does not know a square root of S1, Bob will catch her cheating with probability 1/2.
• In the protocol, Alice will produce Y1, Y2, …, Ym.
• Bob will flip m coins b1, b2, …, bm as challenges.
• Bob accepts only if Alice succeeds in all m cases.
Basic Protocol
Alice to Bob: Y1, Y2, …, Ym
Bob to Alice (challenge): b1, b2, …, bm, e.g. 1, 0, …, 0
Alice to Bob (m responses): X1R1, X2, …, Xm
Bob accepts iff all m challenges are met.
Improved (more efficient) Protocol
Alice to Bob: Y1, Y2, …, Ym
Bob to Alice (challenge): b1, b2, …, bm, e.g. 1, 0, …, 0
Alice to Bob (2 responses): product of XiRi over i with bi = 1; product of Xi over i with bi = 0
Bob accepts iff challenges are met.
Correctness of Protocol (Intuition ONLY)
1. A cheating Eve, without knowledge of the Ri's, will be caught with high probability.
2. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns she can simulate on her own).
Crucial ingredients: 1. Interaction. 2. Randomness.
Final Improvement (Fiat-Shamir): Remove Interaction
Let H be a secure hash function.
Alice to Bob: Y1, Y2, …, Ym
Bob to Alice (challenge): b1 b2 … bm = H(Y1, Y2, …, Ym), e.g. 1, 0, …, 0
Alice to Bob (2 responses): product of XiRi over bi = 1; product of Xi over bi = 0
Bob accepts iff challenges are met.
Correctness of Fiat-Shamir (Intuition ONLY)
A cheating Eve, without knowledge of the Ri's, cannot succeed in producing Y1, Y2, …, Ym that will be hashed to a convenient bit vector b1 b2 … bm, since m is too long and H behaves like a random function (so the chances of hitting a bit vector favourable to Eve are negligible). The FS scheme is used in practice.