Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography Homework assignments.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Modern Cryptography Homework assignments."— Presentation transcript:

1 Introduction to Modern Cryptography Homework assignments

2 Pollards p-1 factoring algorithm Let B be a smoothness bound Let Q be the LCM of all prime powers ≤ B If (p-1) is B-smooth then and for any a, gcd(a,p)=1, How many bits in Q?

3 Pollards p-1 factoring algorithm Thus,

4 Pollards p-1 factoring algorithm Select a bound B Select a random 2 ≤ a ≤ n-1, and compute d = gcd(a,n), if d ≥ 2 then return(d) For each prime q ≤ B do –Compute Return d = gcd(a-1,n)

5 Pollards ρ algorithm for discrete log Problem with Shank ’ s Baby step Giant step algorithms: too much memory Pollards ρ algorithm for discrete log: takes O(1) memory

6 Pollards discrete log ρ algorithm Define sets S 1, S 2, S 3 (e.g., divisible by 3, 1 not in S 2 ) Define x 0 = 1 Define

7 Pollards discrete log ρ algorithm

8

9 Beyond Homework Assignments Recap of Quadratic sieve factoring algorithm Index calculus methods for the discrete log problem

10 Using smoothness for factoring (Repeating what ’ s been done in class): Factor n = pq by computing two different square roots modolu n Compute x 2 mod n If x 2 mod n is smooth with respect to B then add a row to a matrix where the jth coordinate is the parity of the power of p j that divides x 2 mod n p 1, p 2, …, p m – all primes ≤ B

11 Using smoothness for factoring Solve for the all-zero vector This gives us

12 Using smoothness for discrete log? The Index Calculus Method We want to compute log g x mod q If we knew –log g 2 mod q, –log g 3 mod q, –log g 5 mod q, …, –log g p m mod q Then we could try to solve for log g x mod q as follows:

13 The problem: compute log g 2 mod q, log g 3 mod q, log g 5 mod q, …

14 Back To Digital Signatures Summary of Discussion in Class RSA, El Gamal, Fiat-Shamir, DSS

15 Handwritten Signatures Relate an individual, through a handwritten signature, to a document. Signature can be verified against a prior authenticated one, signed in person. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

16 Digital Signatures: Desired Properties Relate an individual, through a digital string, to a document. Signature should be easy to verify. Should be hard to forge. Are legally binding (convince a third party, e.g. a judge).

17 Diffie and Hellman (76) “New Directions in Cryptography” Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice computes the string y=D A (M) and sends M,y to Bob. To verify this is indeed Alice’s signature, Bob computes the string x = E A (y) and checks x=M. Intuition: Only Alice can compute y=D A (M), thus forgery should be computationally infeasible.

18 Problems with “Pure” DH Paradigm Easy to forge signatures of random messages even without holding D A : Bob picks R arbitrarily, computes S=E A (R). Then the pair (S,R) is a valid signature of Alice on the “message” S. Therefore the scheme is subject to existential forgery. “So what” ?

19 Problems with “Pure” DH Paradigm Consider specifically RSA. Being multiplicative, we have (products mod N) D A (M 1 M 2 ) = D A (M 1 ) D A (M 2 ). If M 2 =“I OWE BOB $20” and M 1 =“100” then under certain encoding of letters we could get M 1 M 2 =“I OWE BOB $2000”…

20 Standard Solution: Hash First Let E A be Alice’s public encryption key, and let D A be Alice’s private decryption key. To sign the message M, Alice first computes the strings y=H(M) and z=D A (y). Sends M,z to Bob. To verify this is indeed Alice’s signature, Bob computes the string y=E A (z) and checks y=H(M). The function H should be collision resistent, so that cannot find another M’ with H(M)=H(M’).

21 General Structure: Signature Schemes Generation of private and public keys (randomized). Signing (either deterministic or randomized) Verification (accept/reject) - usually deterministic.

22 Schemes Used in Practice RSA El-Gamal Signature Scheme (85) The DSS (digital signature standard, adopted by NIST in 94 is based on a modification of El-Gamal signature.

23 El-Gamal Signature Scheme Pick a prime p of length 1024 bits such that DL in Z p * is hard. Let g be a generator of Z p *. Pick x in [2,p-2] at random. Compute y=g x mod p. Public key: p,g,y. Private key: x. Generation

24 El-Gamal Signature Scheme Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g k mod p. Compute s=(m-rx)k -1 mod (p-1) (***) Output r and s. Signing M

25 El-Gamal Signature Scheme Compute m=H(M). Accept if 0<r<p and y r r s =g m mod p. else reject. What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks, and y=g x so y r =g rx, implying y r r s =g m. Verify M,r,s,PK

26 Homework Assignment 3, part I Implement via Maple the El Gamal Signature Scheme: –Key Generation –Message Signature –Message Verification What happens if you use the same k twice?

27 Comments on Homework assignment Takes too long to find primes Idea: shorten the process by removing clear non- primes To generate a pair p,q, such that q is prime, p = 2q+1 is prime, you must have an efficient way of removing non-primes Use a sieve: compute candidate mod 2, mod 3, mod 5, … mod 997, only if all are non-zero then use more complex test.

28 The Digital Signature Algorithm (DSA) Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

29 The Digital Signature Algorithm (DSA) p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p) Signature on message M: –Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((α k mod p) mod q

30 The Digital Signature Algorithm (DSA) –p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! –Part I: ((α k mod p) mod q –Part II: (SHA (M) + s (PART I)) /k mod q Verification: –e 1 = SHA (M) / (PART II) mod q –e 2 = (PART I) / (PART II) mod q –OK if

31 The Digital Signature Algorithm Homework 3 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?

Download ppt "Introduction to Modern Cryptography Homework assignments."

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Cryptography and Network Security

Cryptography and Network Security
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.

HW6 due tomorrow Teams T will get to pick their presentation day in the order Teams T will get to pick their presentation day in the orderQuestions? Review.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.

Public Key Crytography1 From: Introduction to Algorithms Cormen, Leiserson and Rivest.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’

1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.

Theory I Algorithm Design and Analysis (9 – Randomized algorithms) Prof. Dr. Th. Ottmann.
WS 2006-07 Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.

WS Algorithmentheorie 03 – Randomized Algorithms (Public Key Cryptosystems) Prof. Dr. Th. Ottmann.
Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Similar presentations

Ads by Google