Introduction to Modern Cryptography Homework assignments

craig

Presentation Transcript


  1. Introduction to Modern Cryptography Homework assignments

  2. Pollard's p-1 factoring algorithm
     • Let B be a smoothness bound
     • Let Q be the LCM of all prime powers ≤ B
     • If (p-1) is B-smooth then and for any a, gcd(a,p)=1,
     How many bits in Q?

  3. Pollard's p-1 factoring algorithm
     Thus,

  4. Pollard's p-1 factoring algorithm
     • Select a bound B
     • Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n); if d ≥ 2 then return(d)
     • For each prime q ≤ B do
       • Compute
     • Return d = gcd(a-1,n)
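
The procedure on slides 2 to 4, as an added Python example that is not part of the original slides. The slide's "Compute" step is blank, so raising a to the exponent Q from slide 2 is an assumption of this example; the function names and the test modulus are constructed for illustration.

```python
import math
import random

def primes_up_to(bound):
    """Sieve of Eratosthenes: all primes <= bound (bound >= 2)."""
    flags = bytearray([1]) * (bound + 1)
    flags[0] = flags[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if flags[i]:
            for j in range(i * i, bound + 1, i):
                flags[j] = 0
    return [i for i, f in enumerate(flags) if f]

def smooth_exponent(B):
    """Q = LCM of all prime powers <= B, as defined on slide 2."""
    Q = 1
    for q in primes_up_to(B):
        e = q
        while e * q <= B:          # largest power of q not exceeding B
            e *= q
        Q *= e
    return Q

def pollard_p_minus_1(n, B, a=None):
    """Return a nontrivial factor of n, or None if this choice of (B, a) fails."""
    if a is None:
        a = random.randrange(2, n)             # 2 <= a <= n-1
    d = math.gcd(a, n)
    if d >= 2:
        return d                               # a already shares a factor with n
    a = pow(a, smooth_exponent(B), n)          # a^Q mod n
    d = math.gcd(a - 1, n)
    return d if 1 < d < n else None            # d == 1: raise B; d == n: change a

# Constructed input: n = 5281 * 3607, where 5281 - 1 = 2^5 * 3 * 5 * 11 and
# 3607 - 1 = 2 * 3 * 601, so only the first factor has p - 1 dividing Q for B = 32.
if __name__ == "__main__":
    print(pollard_p_minus_1(19048567, 32, a=3))
    print(smooth_exponent(32).bit_length(), "bits in Q for B = 32")
```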

  5. Pollard's ρ algorithm for discrete log
     • Problem with Shanks' baby-step giant-step algorithm: too much memory
     • Pollard's ρ algorithm for discrete log: takes O(1) memory

  6. Pollard's discrete log ρ algorithm
     • Define sets $S_1$, $S_2$, $S_3$ (e.g., divisible by 3, 1 not in $S_2$)
     • Define $x_0 = 1$
     • Define

  7. Pollard's discrete log ρ algorithm

  8. Pollard's discrete log ρ algorithm

  9. Beyond Homework Assignments
     • Recap of Quadratic sieve factoring algorithm
     • Index calculus methods for the discrete log problem

  10. Using smoothness for factoring (repeating what’s been done in class):
      • Factor n = pq by computing two different square roots modulo n
      • Compute $x^2 \bmod n$
      • If $x^2 \bmod n$ is smooth with respect to B then add a row to a matrix where the j-th coordinate is the parity of the power of $p_j$ that divides $x^2 \bmod n$
      • $p_1, p_2, \ldots, p_m$: all primes ≤ B

  11. Using smoothness for factoring
      Solve for the all-zero vector
      This gives us

  12. Using smoothness for discrete log? The Index Calculus Method
      • We want to compute $\log_g x \bmod q$
      • If we knew
        • $\log_g 2 \bmod q$,
        • $\log_g 3 \bmod q$,
        • $\log_g 5 \bmod q$, …,
        • $\log_g p_m \bmod q$
      • Then we could try to solve for $\log_g x \bmod q$ as follows:

  13. The problem: compute $\log_g 2 \bmod q$, $\log_g 3 \bmod q$, $\log_g 5 \bmod q$, …

  14. Back To Digital Signatures
      • Summary of Discussion in Class
      • RSA, El Gamal, Fiat-Shamir, DSS

  15. Handwritten Signatures
      Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

  16. Digital Signatures: Desired Properties
      Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

  17. Diffie and Hellman (76), “New Directions in Cryptography”
      Let $E_A$ be Alice’s public encryption key, and let $D_A$ be Alice’s private decryption key.
      • To sign the message M, Alice computes the string $y = D_A(M)$ and sends M, y to Bob.
      • To verify this is indeed Alice’s signature, Bob computes the string $x = E_A(y)$ and checks x = M.
      Intuition: Only Alice can compute $y = D_A(M)$, thus forgery should be computationally infeasible.

  18. Problems with “Pure” DH Paradigm
      • Easy to forge signatures of random messages even without holding $D_A$: Bob picks R arbitrarily, computes $S = E_A(R)$. Then the pair (S, R) is a valid signature of Alice on the “message” S.
      • Therefore the scheme is subject to existential forgery.
      • “So what”?

  19. Problems with “Pure” DH Paradigm
      • Consider specifically RSA. Being multiplicative, we have (products mod N) $D_A(M_1 M_2) = D_A(M_1)\,D_A(M_2)$.
      • If $M_2$ = “I OWE BOB $20” and $M_1$ = “100” then under certain encoding of letters we could get $M_1 M_2$ = “I OWE BOB $2000”…

  20. Standard Solution: Hash First
      Let $E_A$ be Alice’s public encryption key, and let $D_A$ be Alice’s private decryption key.
      • To sign the message M, Alice first computes the strings $y = H(M)$ and $z = D_A(y)$. Sends M, z to Bob.
      • To verify this is indeed Alice’s signature, Bob computes the string $y = E_A(z)$ and checks y = H(M).
      • The function H should be collision resistant, so that one cannot find another M’ with H(M) = H(M’).
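
The two forgeries from slides 18 and 19 and the hash-first fix from slide 20, as an added Python example that is not part of the original slides. The toy RSA key built from two Mersenne primes, SHA-256 as H, and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy key from two Mersenne primes (150-bit modulus, insecure).
P1, P2 = 2**61 - 1, 2**89 - 1
N, E = P1 * P2, 65537
D = pow(E, -1, (P1 - 1) * (P2 - 1))       # Alice's private exponent

def sign_raw(m):                           # "pure" paradigm: y = D_A(M)
    return pow(m, D, N)

def verify_raw(m, y):                      # accept if E_A(y) == M
    return pow(y, E, N) == m

def H(msg):
    # SHA-256 reduced mod N (assumed stand-in for the slides' H)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg):                      # hash first: z = D_A(H(M))
    return pow(H(msg), D, N)

def verify_hashed(msg, z):                 # accept if E_A(z) == H(M)
    return pow(z, E, N) == H(msg)

def existential_forgery(r):
    """Slide 18: pick R, set S = E_A(R); (S, R) verifies without D_A."""
    return pow(r, E, N), r                 # (message S, signature R)

def multiplicative_forgery(m1, y1, m2, y2):
    """Slide 19: D_A(M1*M2) = D_A(M1)*D_A(M2) mod N."""
    return (m1 * m2) % N, (y1 * y2) % N

if __name__ == "__main__":
    m, y = multiplicative_forgery(20, sign_raw(20), 100, sign_raw(100))
    print("raw RSA accepts product message", m, ":", verify_raw(m, y))
    z = sign_hashed(b"20") * sign_hashed(b"100") % N
    print("hash-first accepts product signature:", verify_hashed(b"2000", z))
```

With hashing, the product of two signatures is a signature on H(M1)·H(M2) mod N, and the forger would need a message whose hash equals that value.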

  21. General Structure: Signature Schemes
      • Generation of private and public keys (randomized).
      • Signing (either deterministic or randomized)
      • Verification (accept/reject) - usually deterministic.

  22. Schemes Used in Practice
      • RSA
      • El-Gamal Signature Scheme (85)
      • The DSS (Digital Signature Standard, adopted by NIST in 94) is based on a modification of the El-Gamal signature.

  23. El-Gamal Signature Scheme Generation
      • Pick a prime p of length 1024 bits such that DL in $Z_p^*$ is hard.
      • Let g be a generator of $Z_p^*$.
      • Pick x in [2, p-2] at random.
      • Compute $y = g^x \bmod p$.
      • Public key: p, g, y.
      • Private key: x.

  24. El-Gamal Signature Scheme Signing M
      • Hash: Let m = H(M).
      • Pick k in [1, p-2] relatively prime to p-1 at random.
      • Compute $r = g^k \bmod p$.
      • Compute $s = (m - rx)k^{-1} \bmod (p-1)$ (***)
      • Output r and s.

  25. El-Gamal Signature Scheme Verify M, r, s, PK
      • Compute m = H(M).
      • Accept if 0 < r < p and $y^r r^s = g^m \bmod p$, else reject.
      • What’s going on? By (***) $s = (m - rx)k^{-1} \bmod (p-1)$, so sk + rx = m. Now $r = g^k$ so $r^s = g^{ks}$, and $y = g^x$ so $y^r = g^{rx}$, implying $y^r r^s = g^m$.

  26. Homework Assignment 3, part I
      • Implement via Maple the El Gamal Signature Scheme:
        • Key Generation
        • Message Signature
        • Message Verification
      • What happens if you use the same k twice?
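
Slides 23 to 25 and the repeated-k question on slide 26, as an added Python example; it is not the Maple solution the homework asks for and not code from the course. The 31-bit prime p = 2^31 − 1 with generator 7, SHA-256 as H, and all function names are assumptions chosen so the block runs instantly; the last function shows why k must be fresh for every signature.

```python
import hashlib, math, secrets

# Constructed toy parameters (31 bits, insecure): p = 2^31 - 1, generator g = 7.
P, G = 2**31 - 1, 7

def H(msg):
    # SHA-256 reduced mod p-1 (assumed stand-in for the slides' H)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % (P - 1)

def keygen():
    x = 2 + secrets.randbelow(P - 3)              # private x in [2, p-2]
    return x, pow(G, x, P)                        # public y = g^x mod p

def sign(msg, x, k=None):
    while k is None or math.gcd(k, P - 1) != 1:   # k in [1, p-2], coprime to p-1
        k = 1 + secrets.randbelow(P - 2)
    r = pow(G, k, P)
    s = (H(msg) - r * x) * pow(k, -1, P - 1) % (P - 1)   # equation (***)
    return r, s

def verify(msg, r, s, y):
    if not 0 < r < P:                             # range check from slide 25
        return False
    return pow(y, r, P) * pow(r, s, P) % P == pow(G, H(msg), P)

def solve_linear(a, b, n):
    """All z in [0, n) with a*z = b (mod n); a may share factors with n."""
    d = math.gcd(a, n)
    if b % d:
        return []
    z0 = (b // d) * pow(a // d, -1, n // d) % (n // d)
    return [z0 + i * (n // d) for i in range(d)]

def recover_x_from_reused_k(m1, sig1, m2, sig2, y):
    """Same k gives the same r; then (s1 - s2) k = m1 - m2 and r x = m1 - s1 k."""
    (r, s1), (_, s2) = sig1, sig2
    n = P - 1
    for k in solve_linear((s1 - s2) % n, (H(m1) - H(m2)) % n, n):
        if pow(G, k, P) != r:
            continue
        for x in solve_linear(r % n, (H(m1) - s1 * k) % n, n):
            if pow(G, x, P) == y:
                return x
    return None
```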

  27. Comments on Homework assignment
      • Takes too long to find primes
      • Idea: shorten the process by removing clear non-primes
      • To generate a pair p, q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes
      • Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.
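
The sieve idea from slide 27, as an added Python example that is not part of the original slides. Miller-Rabin is assumed here as the "more complex test"; the function names, the round count, and the bit size in the demo are choices of this example.

```python
import random

# Primes 2..997, the trial divisors named on the slide.
SMALL_PRIMES = [n for n in range(2, 998)
                if all(n % d for d in range(2, int(n ** 0.5) + 1))]

def passes_sieve(q):
    """Cheap filter: neither q nor p = 2q + 1 is divisible by a prime <= 997."""
    p = 2 * q + 1
    return all(q % sp and p % sp for sp in SMALL_PRIMES)

def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin; intended for odd n > 997 that already passed the sieve."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                  # a witness proved n composite
    return True

def gen_safe_prime(bits, rng):
    """Return (p, q, tested): q and p = 2q + 1 prime, p of `bits` bits.
    `tested` counts the candidates that survived the sieve."""
    tested = 0
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if not passes_sieve(q):
            continue                      # rejected by cheap mod operations only
        tested += 1
        if is_probable_prime(q, rng) and is_probable_prime(2 * q + 1, rng):
            return 2 * q + 1, q, tested

if __name__ == "__main__":
    # random.Random keeps the demo reproducible; use random.SystemRandom() for keys.
    print(gen_safe_prime(64, random.Random(1)))
```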

  28. The Digital Signature Algorithm (DSA)
      • Let p be an L bit prime such that the discrete log problem mod p is intractable
      • Let q be a 160 bit prime that divides p-1
      • Let α be a q’th root of 1 modulo p.
      How do we compute α?

  29. The Digital Signature Algorithm (DSA)
      • p – prime, q – prime, p-1 = 0 mod q, $\alpha = 1^{(1/q)} \bmod p$
      • Private key: random 1 ≤ s ≤ q-1.
      • Public key: (p, q, α, $\beta = \alpha^s \bmod p$)
      • Signature on message M:
      • Choose a random 1 ≤ k ≤ p-1, secret!!
      • Part II: (SHA(M) + s (PART I)) / k mod q
      • Part I: $(\alpha^k \bmod p) \bmod q$

  30. The Digital Signature Algorithm (DSA)
      • p – prime, q – prime, p-1 = 0 mod q, $\alpha = 1^{(1/q)} \bmod p$. Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, $\beta = \alpha^s \bmod p$). Signature on message M:
      • Choose a random 1 ≤ k ≤ p-1, secret!!
      • Part I: $(\alpha^k \bmod p) \bmod q$
      • Part II: (SHA(M) + s (PART I)) / k mod q
      • Verification:
      • $e_1$ = SHA(M) / (PART II) mod q
      • $e_2$ = (PART I) / (PART II) mod q
      • OK if

  31. The Digital Signature Algorithm
      Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly.
      What happens if PART II of the signature is 0?
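
The DSA slides 28 to 31, as an added Python example that is not part of the original slides. Assumptions of this example: the toy primes p = 2^2281 − 1 and q = 2^19 − 1, SHA-256 as SHA, k drawn from [1, q−1] so that 1/k mod q always exists, the standard DSA acceptance test (α^e1 · β^e2 mod p) mod q = Part I where the slide's "OK if" is blank, and all function names.

```python
import hashlib, secrets

# Constructed toy parameters: p = 2^2281 - 1 (a Mersenne prime), q = 2^19 - 1
# (prime). q divides p - 1 because 19 divides 2280. q is far too small for real use.
P, Q = 2**2281 - 1, 2**19 - 1

def find_alpha():
    """alpha = h^((p-1)/q) mod p satisfies alpha^q = 1; skip any h that yields 1."""
    for h in range(2, P - 1):
        alpha = pow(h, (P - 1) // Q, P)
        if alpha != 1:
            return alpha

ALPHA = find_alpha()

def sha(msg):
    # SHA-256 reduced mod q (assumed stand-in for the slides' SHA)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign_with_k(msg, s, k):
    part1 = pow(ALPHA, k, P) % Q
    part2 = (sha(msg) + s * part1) * pow(k, -1, Q) % Q
    return part1, part2

def sign(msg, s):
    while True:
        k = 1 + secrets.randbelow(Q - 1)       # secret, fresh, invertible mod q
        part1, part2 = sign_with_k(msg, s, k)
        if part1 and part2:                    # a zero part is discarded, new k
            return part1, part2

def verify(msg, part1, part2, beta):
    if not (0 < part1 < Q and 0 < part2 < Q):  # Part II = 0 has no inverse mod q
        return False
    w = pow(part2, -1, Q)
    e1, e2 = sha(msg) * w % Q, part1 * w % Q
    return pow(ALPHA, e1, P) * pow(beta, e2, P) % P % Q == part1
```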
