Administrative Details

1
Introduction to Modern Cryptography
Homework assignments
2
Pollards p-1 factoring algorithm

• Let B be a smoothness bound
• Let Q be the LCM of all prime powers B
• If (p-1) is B-smooth then
• and for any a, gcd(a,p)1,

How many bits in Q?
3
Pollards p-1 factoring algorithm
Thus,
4
Pollards p-1 factoring algorithm

• Select a bound B
• Select a random 2 a n-1, and compute d
  gcd(a,n), if d 2 then return(d)
• For each prime q B do
• Compute
• Return d gcd(a-1,n)

5
Pollards ? algorithm for discrete log

• Problem with Shanks Baby step Giant step
  algorithms too much memory
• Pollards ? algorithm for discrete log takes O(1)
  memory

6
Pollards discrete log ? algorithm

• Define sets S1, S2, S3 (e.g., divisible by 3, 1
  not in S2)
• Define x0 1
• Define

7
Pollards discrete log ? algorithm
8
Pollards discrete log ? algorithm
9
Beyond Homework Assignments

• Recap of Quadratic sieve factoring algorithm
• Index calculus methods for the discrete log
  problem

10
Using smoothness for factoring

• (Repeating whats been done in class)
• Factor n pq by computing two different square
  roots modolu n
• Compute x2 mod n
• If x2 mod n is smooth with respect to B then add
  a row to a matrix where the jth coordinate is the
  parity of the power of pj that divides x2 mod n
• p1, p2, , pm all primes B

11
Using smoothness for factoring
Solve for the all-zero vector This gives us
12
Using smoothness for discrete log? The Index
Calculus Method

• We want to compute logg x mod q
• If we knew
• logg 2 mod q,
• logg 3 mod q,
• logg 5 mod q, ,
• logg pm mod q
• Then we could try to solve for logg x mod q as
  follows

13
The problem compute logg 2 mod q, logg 3 mod q,
logg 5 mod q,
14
Back To Digital Signatures

• Summary of Discussion in Class
• RSA, El Gamal, Fiat-Shamir, DSS

15
Handwritten Signatures

• Relate an individual, through a handwritten
  signature, to a document.
• Signature can be verified against a prior
• authenticated one, signed in person.
• Should be hard to forge.
• Are legally binding (convince a third party,
  e.g. a judge).

16
Digital Signatures Desired Properties

• Relate an individual, through a digital string,
  to a document.
• Signature should be easy to verify.
• Should be hard to forge.
• Are legally binding (convince a third party,
  e.g. a judge).

17
Diffie and Hellman (76)New Directions in
Cryptography

• Let EA be Alices public encryption key,
• and let DA be Alices private decryption key.
• To sign the message M, Alice computes
• the string yDA (M) and sends M,y to Bob.
• To verify this is indeed Alices signature, Bob
  computes the string x EA (y) and checks xM.
• Intuition Only Alice can compute yDA (M), thus
  forgery should be computationally infeasible.

18
Problems with Pure DH Paradigm

• Easy to forge signatures of random messages even
  without holding DA
• Bob picks R arbitrarily, computes SEA(R).
• Then the pair (S,R) is a valid signature
• of Alice on the message S.
• Therefore the scheme is subject to existential
  forgery.
• So what ?

19
Problems with Pure DH Paradigm

• Consider specifically RSA. Being multiplicative,
  we have (products mod N)
• DA (M1M2) DA (M1) DA (M2).
• If M2I OWE BOB 20 and M1100
• then under certain encoding of letters we
• could get M1M2 I OWE BOB 2000

20
Standard Solution Hash First

• Let EA be Alices public encryption key,
• and let DA be Alices private decryption key.
• To sign the message M, Alice first computes
• the strings yH(M) and zDA (y). Sends M,z to
  Bob.
• To verify this is indeed Alices signature, Bob
  computes the string yEA (z) and checks yH(M).
• The function H should be collision resistent, so
• that cannot find another M with H(M)H(M).

21
General Structure Signature Schemes

• Generation of private and public keys
• (randomized).
• Signing (either deterministic or randomized)
• Verification (accept/reject) - usually
  deterministic.

22
Schemes Used in Practice

• RSA
• El-Gamal Signature Scheme (85)
• The DSS (digital signature standard,
• adopted by NIST in 94 is based on
• a modification of El-Gamal signature.

23
El-Gamal Signature Scheme
Generation

• Pick a prime p of length 1024 bits such that DL
  in Zp is hard.
• Let g be a generator of Zp.
• Pick x in 2,p-2 at random.
• Compute ygx mod p.
• Public key p,g,y.
• Private key x.

24
El-Gamal Signature Scheme
Signing M

• Hash Let mH(M).
• Pick k in 1,p-2 relatively prime to
• p-1 at random.
• Compute rgk mod p.
• Compute s(m-rx)k-1 mod (p-1) ()
• Output r and s.

25
El-Gamal Signature Scheme
Verify M,r,s,PK

• Compute mH(M).
• Accept if 0ltrltp and yrrsgm mod p.
• else reject.
• Whats going on?
• By () s(m-rx)k-1 mod p-1, so skrxm. Now
  rgk so rsgks, and ygx so yrgrx, implying
  yrrsgm .

26
Homework Assignment 3, part I

• Implement via Maple the El Gamal Signature
  Scheme
• Key Generation
• Message Signature
• Message Verification
• What happens if you use the same k twice?

27
Comments on Homework assignment

• Takes too long to find primes
• Idea shorten the process by removing clear
  non-primes
• To generate a pair p,q, such that q is prime, p
  2q1 is prime, you must have an efficient way of
  removing non-primes
• Use a sieve compute candidate mod 2, mod 3, mod
  5, mod 997, only if all are non-zero then use
  more complex test.

28
The Digital Signature Algorithm (DSA)

• Let p be an L bit prime such that the discrete
  log problem mod p is intractable
• Let q be a 160 bit prime that divides p-1
• Let a be a qth root of 1 modulo p.

How do we compute a?
29
The Digital Signature Algorithm (DSA)

• p prime, q prime, p-1 0 mod q, a 1(1/q)
  mod p
• Private key random 1 s q-1.
• Public key (p, q, a, ß as mod p)
• Signature on message M
• Choose a random 1 k p-1, secret!!
• Part II (SHA (M) s (PART I)) / k mod q
• Part I ((ak mod p) mod q

30
The Digital Signature Algorithm (DSA)

• p prime, q prime, p-1 0 mod q, a 1(1/q)
  mod p, Private key random 1 s q-1. Public
  key (p, q, a, ß as mod p). Signature on
  message M
• Choose a random 1 k p-1, secret!!
• Part I ((ak mod p) mod q
• Part II (SHA (M) s (PART I)) /k mod q
• Verification
• e1 SHA (M) / (PART II) mod q
• e2 (PART I) / (PART II) mod q
• OK if

31
The Digital Signature Algorithm
Homework 3 part II
Prove that if the signature is generated
correctly then the verification works
correctly. What happens if PART II of the
signature is 0?