DTTF/NB479: Dszquphsbqiz Day 30


Announcements:
- Questions?

This week:
- Digital signatures, DSA
- Coin flipping over the phone

RSA signatures allow you to recover the message from the signature; ElGamal signatures don't.

Sig = f(user, message)

RSA
- Alice chooses: p, q, n = pq; e with $\gcd(e, (p-1)(q-1)) = 1$; d with $ed \equiv 1 \pmod{(p-1)(q-1)}$
- Publishes n, e
- Alice's signature: $y \equiv m^d \pmod{n}$. Delivers (m, y)
- Bob's verification: Does $m \equiv y^e \pmod{n}$?

ElGamal
- Alice chooses: p, primitive root α, secret a, and $\beta \equiv \alpha^a \pmod{p}$
- Publishes (p, α, β), keeps a secret
- Alice's signature: chooses k random with $\gcd(k, p-1) = 1$. Sends m, (r, s), where:
  $r \equiv \alpha^k \pmod{p}$
  $s \equiv k^{-1}(m - ar) \pmod{p-1}$
- Bob's verification: Does $\beta^r r^s \equiv \alpha^m \pmod{p}$?

It's quicker to sign a short digest than to sign a long message
- Note that we need to choose n > m in RSA, p > m in ElGamal
- Problem: m could be long!
- But h(m) is short! So Alice sends (m, sig(h(m)))
- Eve intercepts this, wants to sign m' with Alice's signature, so needs sig(h(m')) = sig(h(m)), and thus h(m) = h(m')
- Why can't she do this?

Birthday attacks can be successful on signatures that are too short
- Slightly different paradigm: two rooms with r people each. What's the probability that someone in this room has the same birthday as someone in the other room?
- Approximation: $1 - e^{-r^2/N}$
- Note that we divide by N, not 2N.
- But setting the probability = 0.5 and solving for r, we get $r = c\sqrt{N}$ again (where $c = \sqrt{\ln 2} \approx .83$)
- Consider a 50-bit hash. Only need 2^25 documents
- These are relatively easy to generate, actually.

Birthday attacks on signatures that are too short
- Mallory generates 2 groups of documents: r good docs, r fraudulent docs
- Want a match (m1, m2) between them such that h(m1) = h(m2)
- Mallory sends (m1, h(m1)) to Alice, who returns signed copy: (m1, sig(h(m1))).
- Mallory replaces m1 with m2 and uses sig(h(m1)) as the signature.
- The pair (m2, sig(h(m1))) looks like Alice's valid signature!
- Alice's defense? What can she do to defend herself?

Alice's defense
- She changes a random bit herself!
- Note this changes her signature: (m1', sig(h(m1')))
- Mallory is forced to generate another message with the same hash as this new document. Good luck!

Lessons:
- Birthday attacks essentially halve the number of bits of security. So SHA-1 is still secure against them
- Make a minor change to the document you sign!
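Why digest length matters and why Alice's change works, as an added example that is not part of the original slides. It assumes a toy 20-bit hash built by truncating SHA-256 (the slide's example is 50 bits), constructed document texts, and a trailing space as Alice's "minor change" in place of a random bit flip.

```python
import hashlib
import math

BITS = 20  # toy digest length (assumption); real digests are far longer

def h(msg, bits=BITS):
    """SHA-256 truncated to its top `bits` bits, standing in for a too-short hash."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") >> (256 - bits)

def variants(text, r):
    """r constructed documents that differ only in a trailing revision counter."""
    return [f"{text} (rev {i})".encode() for i in range(r)]

def cross_match(good, fraudulent, bits=BITS):
    """Return (m1, m2) with h(m1) == h(m2), m1 good and m2 fraudulent, else None."""
    by_digest = {h(m, bits): m for m in good}
    for m2 in fraudulent:
        m1 = by_digest.get(h(m2, bits))
        if m1 is not None:
            return m1, m2
    return None

def two_room_probability(r, bits):
    """The slide's approximation 1 - e^(-r^2/N) with N = 2^bits."""
    return 1 - math.exp(-r * r / 2 ** bits)

def alice_changes_document(m1):
    """Alice's defence: she alters the document herself before signing it."""
    return m1 + b" "

def demo(r=8192):
    good = variants("Pay Mallory $10", r)             # constructed sample text
    fraudulent = variants("Pay Mallory $10,000", r)   # constructed sample text
    m1, m2 = cross_match(good, fraudulent)            # r^2/N = 64, a match is near certain
    m1_signed = alice_changes_document(m1)
    # (digests collide before Alice's change, digests collide after it)
    return h(m1) == h(m2), h(m1_signed) == h(m2)
```

A signature over `h(m1_signed)` no longer transfers to `m2`, and the precomputed match is wasted.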

Code-talkers? http://xkcd.com/c257.html
As far as I can tell, Navajo doesn't have a word for zero. Do-neh-lini means neutral.

DSA: Digital Signature Algorithm
- 1994
- Similar to ElGamal signature with appendix
- But verification is faster
- And it's guaranteed to be more secure
- Assume m is already hashed using SHA: so we are signing a 160-bit message, m.

1-3 DSA: Digital Signature Algorithm
q=17, p=103, g=2, α=?

Alice's setup:
- m: 160-bit message
- q: 160-bit prime
- p: 512-bit prime, such that q is a factor of (p-1)
- g: a primitive root of p
- $\alpha \equiv g^{(p-1)/q} \pmod{p}$. Then $\alpha^q \equiv 1 \pmod{p}$. (Why?)
- $\beta \equiv \alpha^a$. Secret a, 0 < a < q-1
- Publishes: (p, q, α, β)

Sig = (r, s):
- random k, 0 < k < q-1
- $r \equiv \alpha^k \pmod{q}$
- $s = k^{-1}(m + ar) \pmod{q}$

Verify:
- Compute $u_1 \equiv s^{-1} m \pmod{q}$, $u_2 \equiv s^{-1} r \pmod{q}$
- Does $(\alpha^{u_1} \beta^{u_2} \pmod{p}) \pmod{q} = r$?

4 DSA: Digital Signature Algorithm
q=17, p=103, g=2, α=64

Advantages over ElGamal?
- In ElGamal, if you could solve $r = \alpha^k \pmod{p}$ by Pohlig-Hellman, you'd have k.
- In DSA, (p-1) has a large factor, q. If you could solve the non-q factors, there would still be q possibilities for k.
- How many ints (mod p) give a specific int (mod q)?

DSA: Digital Signature Algorithm
q=17, p=103, g=2, α=64
- How hard is it to search for a 512-bit prime p = kq + 1 for some even number k?
- How do we search for primes?
- 1/115 of odd 100-digit numbers are prime. What fraction of odd 512-bit integers are prime?
- Recall our discussion of the density of primes

(Day 21) Using within a primality testing scheme

Finding large probable primes
- $\#\text{primes} < x = \pi(x) \approx \dfrac{x}{\ln(x)}$
- Density of primes: ~1/ln(x)
- For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime
- Can start with a random large odd number and iterate, applying M-R to remove composites. We'll soon find one that is a likely prime.

[Flowchart: n; Odd?; no div by other small primes?; Pass M-R?; Prime by factoring/advanced techn.?; prime (branches labelled yes/no)]
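The search for a 160-bit prime q and a 512-bit prime p = kq + 1 with k even, following the flowchart's order (small-prime division, then M-R), as an added example that is not part of the original slides. The function names and the fixed seed are assumptions; the seeded `random.Random` is only there to make the run repeatable and is not a cryptographic generator.

```python
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n, rounds=20, rng=random):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:                      # write n-1 = d * 2^s with d odd
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                   # this base proves n composite
    return True

def random_prime(bits, rng):
    while True:
        n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length and odd
        if is_probable_prime(n, rng=rng):
            return n

def dsa_primes(qbits=160, pbits=512, seed=479):
    """Return (p, q, tried): q prime, p = k*q + 1 prime with k even."""
    rng = random.Random(seed)              # repeatable, NOT secure; real keys need a CSPRNG
    q = random_prime(qbits, rng)
    tried = 0
    while True:
        k = (rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() != pbits:
            continue
        tried += 1                         # candidates of the right size actually tested
        if is_probable_prime(p, rng=rng):
            return p, q, tried
```

The `tried` count is typically in the low hundreds, in line with a density of about 1/ln(2^512) ≈ 1/355 among all 512-bit integers, doubled because every candidate is odd.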

5 DSA: Digital Signature Algorithm

Alice's setup:
- m: 160-bit message
- q: 160-bit prime
- p: 512-bit prime, such that q is a factor of (p-1)
- g: a primitive root of p
- $\alpha = g^{(p-1)/q} \pmod{p}$. Then $\alpha^q = 1 \pmod{p}$. (Why?)
- $\beta = \alpha^a$. Secret a, 0 < a < q-1
- Publishes: (p, q, α, β)

Sig = (r, s):
- random k, 0 < k < q-1
- $r = \alpha^k \pmod{p}$
- $s = k^{-1}(m + ar) \pmod{q}$

Verify:
- Compute $u_1 = s^{-1} m$, $u_2 = s^{-1} r$
- Does $(\alpha^{u_1} \beta^{u_2} \pmod{p}) \pmod{q} = r$?

Show that order of ops matters:
- $(\alpha^k \pmod{p}) \pmod{q} \ne (\alpha^k \pmod{q}) \pmod{p}$
- Easier: find $(a \pmod{p}) \pmod{q} \ne (a \pmod{q}) \pmod{p}$

Latest versions
Recommended:
- SHA-224/256/384/512 as the hash function
- q of size 224 and 256 bits
- p of size 2048 and 3072