DTTF/NB479: Dszquphsbqiz Day 26

Transcription

1 DTTF/NB479: Dszquphsbqiz Day 26 Announceents:. HW6 due now 2. HW7 posted 3. Will pick pres dates Friday Questions? This week: Discrete Logs, Diffie-Hellan, ElGaal Hash Functions, SHA, Birthday attacks

2 ElGaal Bob publishes (α, p, β), where < < p and β=α a Alice chooses secret k, coputes and sends to Bob the pair (r,t) where r=α k (od p) t = β k (od p) Bob finds: tr -a = (od p) Notes:. Show that Bob s decryption works Plug in values for t, r, and β. Nae: 2. Eve would like to know k. Show that knowing k allows decrpytion. Why? =β -k t 3. Why can t Eve copute k fro r or t? Need to calculate a discrete log to do so, which is hard when p is large 4. Challenge: Alice should randoize k each tie. If not, and Eve gets hold of a plaintext / ciphertext (, r, t ), she can decrypt other ciphertexts ( 2, r 2, t 2 ). Show how. Use, t to solve for β k. Then use β -k and t 2 to find 2 5. If Eve says she found fro (r,t), can we verify that she really found it, using only the public key (and not k or a)? Explain. Not easily (see next slide)

3 Known plaintext attack Bob publishes (α, p, β), where < < p and β=α a Alice chooses secret k, coputes and sends to Bob the pair (r,t) where r=α k (od p) t = β k (od p) Bob finds: tr -a = (od p) Why does this work? If Eve got hold of a plaintext/ciphertext (, r, t ), she can decrypt other ciphertexts ( 2, r 2, t 2 ): Answer: r=α k (od p), t = β k (od p), t 2 = β k 2 (od p) So t t2 β k (od p) You can solve for 2, since everything else in the proportion is known. 2 Alice should randoize k each tie.

4 Tying everything together Bob publishes (α, p, β), where < < p and β=α a Alice chooses secret k, coputes and sends to Bob the pair (r,t) where r=α k (od p) t = β k (od p) Bob finds: tr -a = (od p) Why does this work? If Eve says she found fro (r,t), can we verify that she really found it, using just,r,t and the public key? Not easily! Decision D-H Validity of (od p) ElGaal ciphertexts. Coputational D-H Decrypting (od p) ElGaal ciphertexts.

5 Cryptographic hash functions shrink essages into a digest Message (long) Cryptographic hash Function, h Message digest, y (Shorter fixed length) Shrinks data, so 2 essages can have the sae digest:!= 2, but h( ) = h( 2 ) Goal: to provide a unique fingerprint of the essage.

6 Cryptographic hash functions ust satisfy three properties to be useful and secure 2 Message (long) Cryptographic hash Function, h Message digest, y (Shorter fixed length) Shrinks data, so 2 essages can have the sae digest:!= 2, but h( ) = h( 2 ). Fast to copute y fro. 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collision-free: Can t find any pair 2 such that h( )=h( 2 ) easily 4. (Soeties we can settle for weakly collision-free: given, can t find with h() = h( ).

7 Hash functions can be used for digital signatures and error detection 3 3 properties:. Fast to copute 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collisionfree: Can t find 2 such that h( )=h( 2 ) Why do we care about these properties? Use #: Digital signatures If Alice signs h(), what if Bob could find, such that h() = h( )? He could clai Alice signed! Consider two contracts Use #2: Error detection siple exaple: Alice sends (, h()), Bob receives (M, H). Bob checks if H=h(M). If not, there s an error.

8 Hash function exaples 4a-b 3 properties:. Fast to copute 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collision-free: Can t find 2 such that h( )=h( 2 ) Exaples:. h() = (od n) 2. h() = α (od p) for large prie p, which doesn t divide α 3. Discrete log hash Given large prie p, such that q=(p-)/2 is also prie, and EHA (next) priitive roots α and β for p: β h ) α ( where = 0 + q SHA- (toorrow) (od 0 p MD4, MD5 (weaker than SHA; won t discuss) ) For first 2 exaples, please check properties 2-3.

9 Easy Hash Algorith (EHA) isn t very secure! Break into n-bit blocks, append zeros to get a ultiple of n. There are L of the, where L = /n Fast! But not very secure. Does perforing a left shift on the rows first help? Define y as leftshifting by y bits Then = ( i ) i i 2 2 = =... l l 2 22 l 2 n 2n ln [ c c... ] 22 ll c n n 2 l, l+ l, l =h()

10 Easy Hash Algorith (EHA) isn t very secure! 4c 3 properties:. Fast to copute 2. One-way: given y = h(), can t find any satisfying h( ) = y easily. 3. Strongly collisionfree: Can t find 2 such that h( )=h( 2 ) 2 =... l = l 2 [ c c... ] 2 22 l 2 2 n 2n ln c n =h() Exercise:. Show that the basic (unrotated) version doesn t satisfy properties 2 and What about the version that uses rotations?