Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification."— Presentation transcript:

1 Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification

2 There is an interactive (randomized) proof for any statement in PSpace There is also a zero knowledge proof for any statement which has an interactive proof This is not very useful (practically) because the setting may require the prover to use exponential time

3 An example of an interactive proof for a statement that does not seem to be in NP Graph non-isomorphism Two graphs G, and H, prover claims that they are not isomorphic How would a polytime machine verify that they are indeed not isomorphic?

4 Interactive proof for graph non- isomorphism Prover presents the two graphs: Verifier chooses one of the graphs at random, performs a random permutation and asks the prover which graph was chosen.

5 Interactive proof for graph 3 colorability What ’ s the point? There ’ s a non- interactive proof for graph 3- colorability. So, the point is that we can give a zero knowledge proof of graph 3 colorability

6 Non interactive proof of graph 3 colorability

7 Graph 3 colorability Imagine that the prover performs a random permuation of the colors The verifier can ask to see the colors assigned to two adjacent vertices The prover will now reveal these two colors Repeat

8 Why is this convincing? If the graph is three colorable: then the prover can answer all the queries correctly If the graph is not three colorable, then with prob 1/E, the prover will be caught All the verifier learns is that the two vertices have different colors

9 What does this mean? Informally, we ’ ve shown that every problem in NP has an interactive zero knowledge proof. What would a proof be for Hamiltonian cycle?

10 Identification: Model Alice wishes to prove to Bob her identity in order to access a resource, obtain a service etc. Bob may ask the following: –Who are you? (prove that you ’ re Alice) –Who the **** is Alice? Eve wishes to impersonate Alice: –One time impersonation –Full impersonation (identity theft)

11 Identification Scenarios Local identification –Human authenticator –Device Remote identification –Human authenticator –Corporate environment (e.g. LAN) –E-commerce environment –Cable TV/Satellite: Pay-per-view; subscription verification –Remote login or e-mail from an internet cafe.

12 Initial Authentication The problem: how does Alice initially convince anyone that she ’ s Alice? The solution must often involve a “ real-world ” type of authentication – id card, driver ’ s license etc. Errors due to the human factor are numerous (example – the Microsoft-Verisign fiasco). Even in scenarios where OK for Alice to be whoever she claims she is, may want to at least make sure Alice is human (implemented, e.g. for new users in Yahoo mail ).

13 Closed Environments The initial authentication problem is fully solved by a trusted party, Carol Carol can distribute the identification material in a secure fashion, e.g by hand, or over encrypted and authenticated lines Example – a corporate environment Eve ’ s attack avenue is the Alice-Bob connection We begin by looking at remote authentication

14 Fiat-Shamir Scheme Initialization Set Up Basic Construction Improved Construction Zero Knowledge Removing Interaction

15 Initialization There is a universal N=pq and no one knows its factorization. Alternately, N is chosen by Alice and is part of Alice’s public key. Alice picks R in Z N at random. Alice computes S= R 2 mod N. S is published as Alice’s Public key. She keeps R secret.

16 Set Up Bob knows S. Alice keeps R secret. Who is Alice? Anyone that convinces Bob she can produce square roots mod N of S. A bad way to convince Bob: Send him R. Instead, we seek a method that will give Bob (and Eve) nothing more than being convinced Alice can produce these square roots (zero knowledge).

17 Basic Protocol Let S= R 2 such that Alice holds R. To convince Bob that Alice knows a square root mod N of S, Alice picks at random X in Z N, computes Y= X 2 mod N, and sends Y to Bob. Alice: “I know both a square root mod N of Y (=X) and a square root mod N of Y S (= X R). Make a choice which of the two you want me to reveal.’’ Bob flips a coin, outcome (heads/tails) determines the challenge he poses to Alice.

18 Basic Protocol (cont.) If Alice knows both a square root of Y (=X) and a square root of Y S (=X R) then she knows R (a square root of S). Thus if Alice does not know a square root of S, Bob will catch her cheating with probability 1/2. In the protocol, Alice will produce Y 1,Y 2,…,Y t. Bob will flip m coins b 1,b 2,…,b t as challenges. Bob accept only if Alice succeeds in all t cases.

19 Basic Protocol, repeat t times: S=R 2, Y i =X i 2 b i 1, 0 X i R, X i Bob to Alice (challenge) Alice to Bob (t response) Bob accepts iff all t challenges are met.

20 Reducing the communication, Larger public key, setup: Alice picks m numbers R 1,R 2,…,R m in Z N at random. Alice computes S 1 = R 1 2 mod N, …, S m = R m 2 mod N. Alice publishes a public key S 1,S 2,…,S m. She keeps R 1,R 2,…,R m secret.

21 Reducing the communication, increasing the size of the public key: Y=X 2 b 1,b 2,…,b m 1, 0, …, 0 Z= X times Product of R j with b j =1 Bob to Alice (challenge) Alice to Bob Bob accepts iff Z 2 =Y times product of S j with b j =1

22 Correctness of Protocol (Intuition ONLY) 1.A cheating Eve, without knowledge of R i ’s, will be caught with high probability. 2. Zero Knowledge: By eavesdropping, Eve learns nothing (all she learns she can simulate on her own). Crucial ingredients: 1. Interaction. 2. Randomness.

23 Removing randomization by Verifier Y=X 2 b 1 b 2 …b m = H(Y) 1, 0, …, 0 Bob to Alice (challenge) Alice to Bob Bob accepts iff challenges are met. Let H be a secure hash function Z= X times Product of R j with b j =1

24 What we have is a signature scheme b 1 b 2 …b m = H(M,Y) 1, 1, 0, 1 …, 0 Message M Z= X times Product of R j with b j =1 Alice to Bob Bob accepts iff challenges are met. Let H be secure hash function Y=X 2

25 Correctness of Fiat-Shamir (Intuition ONLY) A cheating Eve, without knowledge of R i ’s, cannot succeed in producing Y that will be hashed to a convenient bit vector b 1 b 2 … b m since m is too long and H behaves like a random function (so the chances of hitting a bit vector favorable to Eve are negligible). FS scheme used in practice.

26 El-Gamal Signature Scheme Pick a prime p of length 1024 bits such that DL in Z p * is hard. Let g be a generator of Z p *. Pick x in [2,p-2] at random. Compute y=g x mod p. Public key: p,g,y. Private key: x. Generation

27 El-Gamal Signature Scheme Hash: Let m=H(M). Pick k in [1,p-2] relatively prime to p-1 at random. Compute r=g k mod p. Compute s=(m-rx)k -1 mod (p-1) (***) Output r and s. Signing M

28 El-Gamal Signature Scheme Compute m=H(M). Accept if 0<r<p and y r r s =g m mod p. else reject. What’s going on? By (***) s=(m-rx)k -1 mod p-1, so sk+rx=m. Now r=g k so r s =g ks, and y=g x so y r =g rx, implying y r r s =g m. Verify M,r,s,PK

29 The Digital Signature Algorithm (DSA) Let p be an L bit prime such that the discrete log problem mod p is intractable Let q be a 160 bit prime that divides p-1 Let α be a q’th root of 1 modulo p. How do we compute α?

30 The Digital Signature Algorithm (DSA) p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p) Signature on message M: –Choose a random 1 ≤ k ≤ p-1, secret!! Part II: (SHA (M) + s (PART I)) / k mod q Part I: ((α k mod p) mod q

31 The Digital Signature Algorithm (DSA) –p – prime, q – prime, p-1 = 0 mod q, α = 1 (1/q) mod p, Private key: random 1 ≤ s ≤ q-1. Public key: (p, q, α, β = α s mod p). Signature on message M: Choose a random 1 ≤ k ≤ p-1, secret!! –Part I: ((α k mod p) mod q –Part II: (SHA (M) + s (PART I)) /k mod q Verification: –e 1 = SHA (M) / (PART II) mod q –e 2 = (PART I) / (PART II) mod q –OK if

32 The Digital Signature Algorithm Homework 2 part II: Prove that if the signature is generated correctly then the verification works correctly. What happens if PART II of the signature is 0?

Download ppt "Introduction to Modern Cryptography, Lecture 9 More about Digital Signatures and Identification."

Similar presentations

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.

1 Chapter 7-2 Signature Schemes. 2 Outline [1] Introduction [2] Security Requirements for Signature Schemes [3] The ElGamal Signature Scheme [4] Variants.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
1 Adapted from Oded Goldreich’s course lecture notes.

1 Adapted from Oded Goldreich’s course lecture notes.
Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.

Zero Knowledge Proofs By Subha Rajagopalan Jaisheela Kandagal.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.

Zero-Knowledge Proofs And Their Applications in Cryptographic Systems Sultan Almuhammadi ICS 454.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.

Introduction to Modern Cryptography, Lecture 7/6/07 Zero Knowledge and Applications.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.

Introduction to Modern Cryptography Lecture 7 1.RSA Public Key CryptoSystem 2.One way Trapdoor Functions.
Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Chapter 9 Cryptographic Protocol Cryptography-Principles and Practice Harbin Institute of Technology School of Computer Science and Technology Zhijun Li.

Similar presentations

Ads by Google