Public Key Cryptography PKC january Melbourne - Australia. The Composite Discrete Logarithm and Secure Authentication

Transcription

1 Public K Cptoaph PKC janua Mlboun - Austalia Th Composit Disct Loaithm and Scu Authntication Dépatmnt d Infomatiqu ENS - CNRS Daid.Pointchal@ns.f Oiw Intoduction Zo-Knowld s. Witnss-Hidin Th Disct Loaithm Poblm Th GPS Idntification Schm Th Nw Schms Conclusion Th Composit Disct Loaithm and Scu Authntication - PKC 000 -

2 Intoduction Authntication Potocols: Idntification (Zo-Knowld Poofs) Sinatus (Non-Intacti Poofs) Blind Sinatus (Anonmit) Th Composit Disct Loaithm and Scu Authntication - PKC Pious Wo Fiat-Shami (SQRT), On-Schno ( -th oots) Guillou-Quisquat (RSA), Schno (DL(p)) -th oots and disct loaithm hih computational load PKP, SD, CLE, PPP combinatoial poblms hih communication load Th Composit Disct Loaithm and Scu Authntication - PKC 000-4

3 Tools: ZK s. WI Zo-Knowld: (GMR 85) no infomation lad about th sct Witnss Hidin/Indistinuishabilit: (FS 90) no usful infomation lad about th witnss (sct ) Th Composit Disct Loaithm and Scu Authntication - PKC Zo Knowld Adantas: no infomation lad about th sct pfct poof of nowld (pfct authntication) non-intacti sion sinatu schms Dawbacs: simulation man itations (FS86 - PS96) la computations/communications On of th bst: Schno s potocols Th Composit Disct Loaithm and Scu Authntication - PKC 000-6

4 Witnss Indistinuishabilit Adantas: no usful infomation lad about th witnss (sct) th ood popt fo authntication non-intacti sion sinatu schms no simulation onl on itation la computations/communications Candidats: Oamoto schms (Cpto 9) but lss fficint than Schno s Th Composit Disct Loaithm and Scu Authntication - PKC Th Disct Loaithm Poblm Sttin: n and m la numbs such that m ϕ(n) in n* of od m Sct: in m * Public: = Usuall DL(p): n=p and m=q p-1 a both la pim ints Th Composit Disct Loaithm and Scu Authntication - PKC 000-8

5 Th Composit Disct Loaithm Composit Modulus: DL(n) n had to facto (.. n=pq) DL(n) had than FACT(n) and DL(p) wh p is th atst pim facto of n DL(n) combins th two stonst poblms Factoization: FACT(n) cd( -, n) 1 Th Composit Disct Loaithm and Scu Authntication - PKC Nw Sttin: α-ston modulus α-ston pim p: p=+1 and fo an m α, cd(m,)=1 α-ston RSA modulus n: n=pq and both p and q a α-ston pims asmmtic basis n* : diids Od p () but not Od q () Thom: a collision of poids th factoization of n Th Composit Disct Loaithm and Scu Authntication - PKC

6 Th Schno s Idntification Common Data: p and q la pims such that q p-1 in p * of od q Ks: s in q and =-s mod p q and = + s mod q mod p = mod p Th Composit Disct Loaithm and Scu Authntication - PKC Th Schno s Idntification q and = = + s mod q mod p mod p Efficinc: (, = ) pcomputd just +s mod q to do on-lin Could w do btt Th Composit Disct Loaithm and Scu Authntication - PKC 000-1

7 Th GPS Schm Giault (EC 91) - Poupad-Stn (EC 98) n=pq la RSA modulus in n * of la od (unnown) Ks: s in S and = -s s - scuit ll s lo S - siz of th sct s lo R - siz of th andom R and = = + s Th Composit Disct Loaithm and Scu Authntication - PKC Th GPS Schm R and = = + s Poupad-Stn: no adsa can succd but with nliibl pobabilit o and. Othwis sh can ba DL(n) it is statisticall zo-nowld if S > Od() and S. /R nliibl Th Composit Disct Loaithm and Scu Authntication - PKC

8 Th GPS Schm Adantas: hih scuit ll: DL(n) just +s to do on-lin no mo modula duction Dawbacs: zo-nowld: sal itations S > Od() (fo an ): S > λ(n) and R >> S. la paamts (S and R) and la sct (s) Th Composit Disct Loaithm and Scu Authntication - PKC Nw Schm (Nw Sttin) n=pq la -ston RSA modulus asmmtic basis in n * of la od Ks: s in S and = -s s - scuit ll s lo S - siz of th sct s lo R - siz of th andom R and = = + s Th Composit Disct Loaithm and Scu Authntication - PKC

9 Poptis R and = = + s Statmnt: this potocol is a poof of nowld of s ( = -lo ) lati to FACT(n) statisticall witnss-indistinuishabl if S > Od() and S. /R nliibl Th Composit Disct Loaithm and Scu Authntication - PKC Efficinc Dawbacs: low scuit ll: FACT(n) but isn t that nouh Adantas: still just +s to do on-lin (no modula duction) witnss-indistinuishabl: onl on itation with la still S > Od() and R >> S. but Od() can b small (160 bits) small sct and numbs Th Composit Disct Loaithm and Scu Authntication - PKC

10 Mo Conct Efficinc Pactical sizs: scuit paamt: =4 n a 104-bit -ston RSA modulus of 160-bit lon od th sct s is lss than S= 168 infomation laa: = R/.S = 64 Computations: Mult(4,168) and Add(56,19) Communications: onl 360 bits (45 bts) Th Composit Disct Loaithm and Scu Authntication - PKC Sinatu Data: n=pq la -ston RSA modulus asmmtic basis in n * of la od Ks: s in S and = -s Sinatu: R and = H(m,) = + s sinatu of m = (,) Vification: = H(m, ) Th Composit Disct Loaithm and Scu Authntication - PKC 000-0

11 Scuit Poptis Statmnt: if S > Od(), thn an istntial fo und an adaptil chosn-mssa attac in th andom oacl modl is had than factoization Th Composit Disct Loaithm and Scu Authntication - PKC Blind Sinatu = n=pq la -ston RSA modulus asmmtic basis in n * of la od Ks: s in S and = -s R and = + s β M β h = γ {,..., } γ α = h ε = H( m, α) = ε γ until Th Composit Disct Loaithm and Scu Authntication - PKC 000 -

12 Scuit Poptis Poptis: this potocol is a statisticall blind sinatu if R/M is nliibl statisticall witnss-indistinuishabl if S > Od() and S. /R is nliibl (two witnsss factoization of n) a on-mo fo und a paalll attac in th andom oacl modl is had than th factoization of n Th Composit Disct Loaithm and Scu Authntication - PKC Paamts Schm GPS Nw ID Nw Sin. Modulus n=pq =104 bits with p = q =51 Od() 10 bits 160 bits Scuit () Infomation 64 laa ( ) S 1030 bits 168 bits 168 bits R 1118 bits 56 bits 360 bits Siz 1 bits 360 bits 488 bits Scuit = DL(n) >Fact(n) >Fact(n) Th Composit Disct Loaithm and Scu Authntication - PKC 000-4

13 Conclusion Nw sttin fo GPS schms: fficint idntification (pcomputation) fficint sinatu ( on th fl ) small sct (lss than 00 bits) scuit lati to factoization (at last) (and thn scuit of Schno s schms) Nw blind sinatu schm fficint fo th sin with scuit lati to factoization Th Composit Disct Loaithm and Scu Authntication - PKC 000-5