310 likes | 323 Views
Introduction to Modern Cryptography Homework assignments. Pollards p -1 factoring algorithm. Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If ( p -1) is B -smooth then and for any a , gcd( a , p )=1,. How many bits in Q?.
E N D
Introduction to Modern Cryptography Homework assignments
Pollards p-1 factoring algorithm • Let B be a smoothness bound • Let Q be the LCM of all prime powers ≤ B • If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?
Pollards p-1 factoring algorithm • Select a bound B • Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) • For each prime q ≤ B do • Compute • Return d = gcd(a-1,n)
Pollards ρ algorithm for discrete log • Problem with Shank’s Baby step Giant step algorithms: too much memory • Pollards ρ algorithm for discrete log: takes O(1) memory
Pollards discrete logρ algorithm • Define sets S1, S2, S3 (e.g., divisible by 3, 1 not in S2) • Define x0 = 1 • Define
Beyond Homework Assignments • Recap of Quadratic sieve factoring algorithm • Index calculus methods for the discrete log problem
Using smoothness for factoring (Repeating what’s been done in class): • Factor n = pq by computing two different square roots modolu n • Compute x2 mod n • If x2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of pj that divides x2 mod n • p1, p2, …, pm–all primes ≤ B
Using smoothness for factoring Solve for the all-zero vector This gives us
Using smoothness for discrete log? The Index Calculus Method • We want to compute loggx mod q • If we knew • logg 2 mod q, • logg 3 mod q, • logg 5 mod q, …, • loggpm mod q • Then we could try to solve for loggx mod q as follows:
The problem: compute logg 2 mod q, logg 3 mod q, logg 5 mod q, …
Back To Digital Signatures • Summary of Discussion in Class • RSA, El Gamal, Fiat-Shamir, DSS
Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).
Diffie and Hellman (76)“New Directions in Cryptography” Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. • To sign the message M, Alice computes the string y=DA (M) and sends M,y to Bob. • To verify this is indeed Alice’s signature, Bob computes the string x = EA (y) and checks x=M. Intuition: Only Alice can compute y=DA (M), thus forgery should becomputationally infeasible.
Problems with “Pure” DH Paradigm • Easy to forge signatures of random messages even without holding DA: Bob picksR arbitrarily, computes S=EA(R). Then the pair (S,R) is a valid signature of Alice on the “message”S. • Therefore the scheme is subject to existential forgery. • “So what” ?
Problems with “Pure” DH Paradigm • Consider specifically RSA. Being multiplicative, we have (products mod N) DA (M1M2) = DA (M1) DA (M2). • If M2=“I OWE BOB $20” and M1=“100” then under certain encoding of letters we could get M1M2 =“I OWE BOB $2000”…
Standard Solution: Hash First Let EA be Alice’s public encryption key, and let DA be Alice’s private decryption key. • To sign the message M, Alice first computes the strings y=H(M)and z=DA (y). Sends M,z to Bob. • To verify this is indeed Alice’s signature, Bob computes the string y=EA (z)and checks y=H(M). • The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).
General Structure: Signature Schemes • Generation of private and public keys (randomized). • Signing (either deterministic or randomized) • Verification (accept/reject) - usually deterministic.
Schemes Used in Practice • RSA • El-GamalSignature Scheme (85) • The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.
El-Gamal Signature Scheme Generation • Pick a prime p of length 1024 bits such that DL in Zp* is hard. • Let g be a generator of Zp*. • Pickxin[2,p-2]at random. • Compute y=gx mod p. • Public key: p,g,y. • Private key: x.
El-Gamal Signature Scheme Signing M • Hash: Let m=H(M). • Pick k in[1,p-2]relatively prime to p-1 at random. • Compute r=gk mod p. • Compute s=(m-rx)k-1 mod (p-1) (***) • Output r and s.
El-Gamal Signature Scheme Verify M,r,s,PK • Compute m=H(M). • Accept if 0<r<p and yrrs=gmmod p. elsereject. • What’s going on? By (***) s=(m-rx)k-1 mod p-1, so sk+rx=m. Now r=gkso rs=gks, and y=gx so yr=grx,implying yrrs=gm .
Homework Assignment 3, part I • Implement via Maple the El Gamal Signature Scheme: • Key Generation • Message Signature • Message Verification • What happens if you use the same k twice?
Comments on Homework assignment • Takes too long to find primes • Idea: shorten the process by removing clear non-primes • To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes • Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.
The Digital Signature Algorithm (DSA) • Let p be an L bit prime such that the discrete log problem mod p is intractable • Let q be a 160 bit prime that divides p-1 • Let α be a q’th root of 1 modulo p. How do we compute α?
The Digital Signature Algorithm (DSA) • p– prime, q– prime, p-1 = 0 mod q, α = 1(1/q) mod p • Private key: random 1 ≤ s ≤ q-1. • Public key: (p, q, α, β = αs mod p) • Signature on message M: • Choose a random 1 ≤ k ≤ p-1, secret!! • Part II: (SHA(M) + s (PART I)) / k mod q • Part I: ((αk mod p) mod q
The Digital Signature Algorithm (DSA) • p– prime, q– prime, p-1 = 0 mod q, α = 1(1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = αs mod p). Signature on message M: • Choose a random 1 ≤ k ≤ p-1, secret!! • Part I: ((αk mod p) mod q • Part II: (SHA(M) + s (PART I)) /k mod q • Verification: • e1 = SHA(M) / (PART II) mod q • e2 = (PART I) / (PART II) mod q • OK if
The Digital Signature Algorithm Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?