Cryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC

Transcription

1 Cryptography and Security Protocols Paulo Mateus MMA MEIC Previously on CSP Symmetric Cryptosystems. Asymmetric Cryptosystem. Basics on Complexity theory : Diffie-Hellman key agreement. Algorithmic complexity. One-way function. NP problem. P NP. Asymmetric Cryptosystem: RSA, Soundness, Setup, Efficiency of encryption. Attacks to RSA: knowing decryption exponent, knowing the parity, Shor s algorithm, Wiener s attack. ElGamal, Discrete Logarithm Problem, PH Theorem. Attacks to ElGamal. Partial knowledge attacks. Signature schemes: Asymmetric crypto to Signature, DSA, ElGamal signature scheme. Today Signatures schemes: Attacks to ElGamal. General ElGamal: Galois Fields and Elliptic curve. El Gamal (and DSS) signature scheme Let p be a prime number such that the discrete log is hard and α a primitive element X = Z p S= Z p Z p-1 K = {(a, β) : β = α a mod p) u(a,β)=β // public key is β, and private is the discrete log of β sig a (x)=(γ,δ) where -γ = α k mod p -δ = (x - aγ) k -1 mod (p - 1) for some random k Z p-1 (so gcd(k,p-1)=1)

2 2 Lecture16cps.nb ver β (x, γ, δ) = 1 iff β γ γ δ = α x mod p Consider the following example: p = Prime[103] 563 PrimeQ[(p - 1) / 2] True α = 5; Length[Union[Table[PowerMod[α, i, p], {i, 0, p - 2}]]] p - 1 False sig = Function[{x, a}, Module[{k, γ, δ, ik}, k = Random[Integer, {0, (p - 1) / 2-1}]; (* Sony forgot this step *) k = 2 k + 1; (* only odd k's are coprime with p-1 *) While[GCD[k, p - 1] 1, k = Random[Integer, {0, (p - 1) / 2-1}]; k = 2 k + 1;]; γ = PowerMod[α, k, p]; ik = PowerMod[k, -1, p - 1]; δ = Mod[(x - a γ) ik, p - 1]; {γ, δ} ]]; ver = Function[{x, s, β}, Module[{γ, δ}, γ = s[[1]]; δ = s[[2]]; PowerMod[α, x, p] Mod[PowerMod[β, γ, p] * PowerMod[γ, δ, p], p] ]]; a = 100; β = PowerMod[α, a, p]; x = 89; ver[x, sig[x, a], β] True Exercise: Show that if k is revealed then one can get a in PT (knowing k can be reduced to finding the seed of the PRG). δ = (x - aγ) k -1, so if one know k, kδ=(x-aγ) and so -kδ+x=aγ mod p-1 and then (-kδ + x) γ -1 =a mod p-1 if γ is invertible, otherwise d=gcd(γ, p-1) and so p-1=e d γ=λ d (and so e and λ are co-prime) (notice d=1,2,q) p-1=2q and so -kδ+x=aλ mod e and now λ is invertible mod e since d=gcd(γ, p-1) which means that a = (-kδ + x) λ -1 mod e and therefore a=i e + (-kδ + x) λ -1 mod p-1 with 0 i<d (assuming d =1,2)

3 Lecture16cps.nb 3 i<d (assuming d =1,2) Theorem[PS3 hack] If k is used twice, then k is revealed with high probability (and so by the previous exercise one gets a). Proof Assume two message x 1 and x 2 are signed with the same k, then sig(x 1 ) = (γ, δ 1 ) and sig(x 2 ) = (γ, δ 2 ) (se how easy it is to check this...) (1) β γ γ δ 1 = α x 1 mod p β γ γ δ 2 = α x 2 mod p (2) β -γ γ -δ 2 = α -x 2 mod p and so we have α k (δ 1-δ 2 ) =γ δ 1-δ 2 = α x 1-x 2 mod p iff k(δ 1 - δ 2 ) = x 1 - x 2 mod p-1 (note that p-1=2q) so either gcd(δ 1 - δ 2, p - 1) = 1 and so we are done k = (x 1 - x 2 ) (δ 1 - δ 2 ) -1 mod p-1 gcd(δ 1 - δ 2, p - 1) = d > 1 (which can be d = 2 or d = q if (p - 1) = 2 q, note that if p - 1 is non - smooth then d has high probability of being low) let λ=(δ 1 - δ 2 ) d, note that gcd(λ,(p-1)/d)=1 k λ = x 1 - x 2 mod (p-1)/d and so k = (x 1 - x 2 ) λ -1 mod (p-1)/d and so k = i(p - 1)/d + (x 1 - x 2 ) λ -1 mod p-1 for 0 i<d (since d is small, we can get k and then a and so, the private key) Other discrete log cases One can generalize ElGamal as follows. Let (G, ) be a commutative group such that H is a cyclic subgroup with order n ( H =n)and generator α. X=G (plaintext space) Y=H G (ciphertext space) K={ (a,β) : α a = β } Z n H (key space) u:k H where u(a,β)=β (publication map) e β (x) = (y 1, y 2 ) with (encryption random map) -y 1 =α k, -y 2 = xβ k - and k randomly chosen in Z n d (a,β) (y 1, y 2 ) = y 2 (y 1 a ) -1 (decryption map)

4 4 Lecture16cps.nb Definition[Ring of polynomials mod p]: Let p be prime, then Z p [x], +, x denotes the ring of all polynomials with coefficients in Z p. Note that multiplication and summation are defined as usual but mod p. Clear[x] (x^2 + 3) (x^3 + 3 x + 5) Expand 3 + x x + x x + 5 x x 3 + x 5 PolynomialMod[(x^2) (x^3 + 2), 3] 2 x 2 + x 5 Note that if p is a prime, it is always possible to divide a polynomial D(x) by another polynomial d(x) such that D(x)=d(x)q(x)+r(x) (for integer D=d q+r) and the degree of r(x) < degree of d(x). x 2 +1 =2x*2x+1 this means that x x=2x=q(x) with remainder r(x)= 1 mod 3 x x we cannot define this division mod 4 (Why do we need p to be prime?) x 2 2x mod 4 PolynomialQuotient[x^2, 2 x, x, Modulus 5] 3 x PolynomialRemainder[x^3 + x^2, 2 x^2 + 2, x, Modulus 5] Now we can also reduce a polynomial modulo another polynomial Definition[Ring of polynomials mod q(x) and p]: Let p be prime and q(x) a polynomial in Z p [x], then Z p [x] q[x], +, x denotes the ring of all polynomials with coefficients in Z p modulo q(x). Note that multiplication and summation are defined as usual but mod q(x). PolynomialRemainder[(x^3 + x^2) * (2 x^3 + 1), 2 x^4 + 2, x, Modulus 5] 3 x + 4 x 2 + x 3 Expand[(x^3 + x^2) * (2 x^3 + 1)] x 2 + x x x 6 PolynomialRemainder[x^3 + x^2, 2 x^3 + 2, x, Modulus 5] x so, d(x) q(x) iff q(x)=0 mod d(x) and so we can also define GCD between polynomials q(x) and t(x)! q(x)=r(x) mod d(x) iff q(x)-r(x)=0 mod d(x)

5 Lecture16cps.nb 5 PolynomialGCD[x^3 + 3 x^2, 2 x^2 + 2, Modulus 5] 3 + x Factor[x^3 + 3 x^2, Modulus 5] x 2 (3 + x) Factor[2 x^2 + 2, Modulus 5] 2 (2 + x) (3 + x) Note that we can represent the elements of Z p [x] q[x] as a list of coefficients in Z p with length degree of q(x). PolynomialGCD x 2 + x + 1, 1 + x 2 + x 3 + x 4 + x 5 + x 8 + x 10 + x 11 + x 12, Modulus = p (x) x 2 + x q (x) 1 + x 2 + x 3 + x 4 + x 5 + x 8 + x 10 + x 11 + x 12 Factor 1 + x 2 + x 3 + x 4 + x 5 + x 8 + x 10 + x 11 + x 12, Modulus x 2 + x 3 + x 4 + x 5 + x 8 + x 10 + x 11 + x 12 This representation is particularly relevant when p=2, as in this case this list can be represented as a bit string! If a polynomial cannot be factored, then it is said to be irreducible Definition: An element q(x) with degree d in Z p [x] is said to be irreducible if there is no polynomial d(x) with degree between [1,d-1] such that d(x) t(x) mod p. In other words, t(x) cannot be factored properly in polynomials with smaller degree. Which elements in Z p [x] q(x) are invertible? Similarly to the case of Z n, we have Theorem: An element t(x) in Z p [x] q(x) is invertible iff gcd(q(x),t(x))=1 mod p. Moreover, if q(x) is irreducible all elements in Z p [x] q(x) are invertible with exception of 0 (and therefore form a field). For each prime p and k, there is always an irreducible polynomial of degree k. Impressively, Galois [22 years old] showed the following result: Theorem[Galois]: If (F,+, ) is a finite field, then F =p k for some prime p and positive integer k and moreover F is isomorphic to Z p [x] q(x) for an irreducible polynomial q(x) of degree k. As corollary one can use (F, ) as the group for the ElGamal elements; GF p k in computer science and crypto GF 2 k Exercise: Implement the ElGamal for the multiplicative group of a Galois Field. Let (G, ) be a commutative group such that H is a cyclic subgroup with order n ( H =n)and genera-

6 6 Lecture16cps.nb Let (G, ) be a commutative group such that H is a cyclic subgroup with order n ( H =n)and generator α. X=G (plaintext space) Y=H G (ciphertext space) K={ (a,β) : α a = β } Z n H (key space) u:k H where u(a,β)=β (publication map) e β (x) = (y 1, y 2 ) with (encryption random map) -y 1 =α k, -y 2 = xβ k - and k randomly chosen in Z n d (a,β) (y 1, y 2 ) = y 2 (y 1 a ) -1 (decryption map) << FiniteFields` GF[2, 8] GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}] GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}] * GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}] {1, 0, 0, 0, 1, 1, 0, 0} 2 Length[ Union[Table[GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}]^i, {i, 0, 255}]]] H = Table[GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}]^i, {i, 0, 51}]; α = GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}] a = 13; {1, 1, 0, 0, 1, 1, 0, 0} 2 β = GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}]^13 GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 0, 1, 1}]^ - 1 (* EuclideExtended Algorithm *) El Gamal generalized encryption scheme enc[x_, k_] := α k, x * β k dec[y_, a_] := y[[2]] * (y[[1]]^a) -1 dec[enc[gf[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 0, 0, 1, 0, 1, 0, 1}], 8], a] {1, 0, 0, 1, 0, 1, 0, 1} 2 GF[2, {1, 0, 1, 1, 0, 0, 1, 0, 1}][{1, 1, 0, 1, 1, 0, 0, 1}] {1, 1, 0, 1, 1, 0, 0, 1} 2 NIST standards for discrete log G = Z p G = GF 2 k and some α

7 Lecture16cps.nb 7 G = EC Z p (where bitcoin and most of the cryptocurrencies are signed) 5