EE 418: Network Security and Cryptography
|
|
- Silvester Gardner
- 6 years ago
- Views:
Transcription
1 Problem 1 EE 418: Network Security an Cryptography Homework 5 Assigne: Wenesay, November 23, 2016, Due: Tuesay, December 6, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Consier the following moification of the Schnorr igital signature scheme. The keys are given by K = {(q,, a, ): a (mo p)} where (q,, ) comprise the public key an a is the private key. Given a message x, we compute the signature of x to be = x k (mo q) = k + a (mo q) (1) where k is a ranomly chosen number. In other wors, we start with the stanar Schnorr scheme an then use multiplication rather than a hash for. How is verification one using this revise scheme? Solution: To verify a signature generate using this Moifie Schnorr Signature scheme, we exponentiate, an check whether the obtaine result is equal to x 1,: = x 1 (2) Let s analyze, to show that the propose verification scheme is inee vali: = k+ = k a = k ( a ) = k = x 1 (3) Expression k = x 1 comes from equation (1), an is vali because q is a prime number. Problem 2 Consier the following igital signature scheme. The public key is given by (q,, ), where q is a prime number, is a primitive root of q, an is an integer satisfying <q. The private key is equal to a, for some positive integer a<qsatisfying a (mo q). To sign a message m, compute y = h(m), the hash of the message. Assume that gc(y, q 1) = 1 (if this is not the case, appen a ranom string to m an recompute the hash. Repeat the process until a message m is foun satisfying gc(y, q 1) = 1). Then calculate z such that yz a (mo (q 1)). The signature of the message is z. To verify the signature, a user verifies that =( z ) y (mo q). (a) Show that this scheme works. That is, show that the verification process prouces an equality if the signature is vali. (b) Show that the scheme is unacceptable by escribing a simple technique for forging a users signature on an arbitrary message. 1
2 (a) In orer to show that the verification process in the propose scheme prouces an equality if the signature is vali, let s analyze the expression ( z ) y : ( z ) y (mo q) = yz (mo q) = a+ (q 1) (mo q) = a (q 1) (mo q) (4) = a q 1 (mo q) = a (mo q) = (5) Equation (4) comes from using the remainer theorem to express the fact that yz a (mo q 1) an equation (5) from using the Fermat s Little theorem, which states that x (p) 1(mop), where p is a prime number. (b) To show that the propose signature scheme is not vali, we nee to show that an attacker can forge a signature for some arbitrary message ˆm. After choosing a message ˆm, an attacker first computes the hash of such a message ŷ = h(ˆm). His next step is to compute the multiplicative inverse of the obtaine hash ŷ 1 (mo q). Due to the fact that q is a prime number, such an inverse will always exist. An attacker then outputs ( ˆm, ŷ 1 ) as his message-signature pair. Obtaine signature will pass the verification test, since: ŷ 1 ŷ (mo q) = ŷ 1 ŷ (mo q) = (mo q) (6) Equation (6) proves that an attacker is able to forge a vali signature for an arbitrary message. Therefore, the propose signature scheme is not vali. Problem 3 (Stinson 7.2) Suppose I implement the ElGamal Signature Scheme with p = 31847, = 5 an = Write a computer program which oes the following: (a) Verify the signature (20679, 11082) on the message x = (b) Determine my private key, a, by solving an instance of the Discrete Logarithm problem. (c) Then etermine the ranom value k use in signing the message x, without solving an instance of the DiscreteLogarithm problem. 2
3 (a) A Matlab function that verifies the signature of some message x, signe using ElGamal Signature Scheme is calle ElGamal signatureverification, an its coe is given below. Using the provie Matlab function, we verify the signature (, ) = (20679, 11082) of the message x = 20543, signe with the ElGamal Signature Scheme with public keys given as p = 31847, = 5, = We obtain x = 20688, = 12575, = an finally = Therefore we conclue that a given signature is vali for the message x. (b) Matlab function that computes a private key a, given a public key (p,, ) is calle shanks, an its coe is given below. The provie function solves an instance of the iscrete logarithm problem a = log = using the Shanks algorithm. For the public key (p = 31847, =5, = 26379), we obtain a = (c) Function that fins a ranom number k, 1 apple k apple p 1, use in generating an ElGamal signature of a message m without solving an instance of a iscrete logarithm problem is calle ElGamal finranom, an its coe given below as well. Using the provie function on message x = 20543, whose signature is given as (, ) = (20679, 11082), with parameters of the ElGamal Signature Scheme p = 31847, = 5, = an private key a = 7973, we obtain k = function [verifie] = ElGamal signatureverification(p, alpha, beta, message, gamma, elta ) %ElGamal signatureverification verifies the signature of the message, %signe using ElGamal Signature Scheme %INPUTS : 6 %1. ( p, alpha, beta) public key in the ElGama public key scheme %2. message %3. (gamma, elta) signature of the message %OUTPUTS: %1. verifie returns verifie if the signature is vali, invali 11 %signature otherwise verifie = Invali signature ; %%Verification 16 alpha x = square an multiply(alpha, message, p) ; beta gamma = square an multiply(beta, gamma, p) ; gamma elta = square an multiply(gamma, elta, p) ; 21 ver aux = mo(beta gamma gamma elta, p) ; if(ver aux == alpha x) verifie = Verifie ; en 1 function [a] = shanks(alpha, beta, n) %Shanks solves a iscrete logarithm a = log alpha( beta) (mo n ) problem %using shanks algorithm. %INPUTS : %1. alpha basis 6 %2. beta exponent %3. n = phi( p ) = ( p 1), where p is a prime number %OUTPUT: %1. a solution of the iscrete logarithm problem 11 %%Initialization a = 0; m= ceil( sqrt(n)) ; 16 %Auxiliary calculation : alphaˆm (mo n ) x = square an multiply(alpha, (m), (n + 1)) ; 3
4 %First list for j = 1:m 21 L1 unsorte(j, :) = [ j, square an multiply(x, j 1, (n + 1) ) ] ; en L1 = sortrows ( L1 unsorte, 2) ; 26 for j = 1:m L2 aux = square an multiply(alpha, j 1, (n + 1)) ; [r, inverse, t] = exteneeucliean(l2 aux, (n + 1) ) ; L2 unsorte(j, :) = [ j, square an multiply(beta inverse, 1, (n + 1)) ]; en 31 L2 = sortrows ( L2 unsorte, 2) ; %%Fining the pair with ientical secon coorinate for j = 1:m 36 for i = 1:m if(l1(j, 2) == L2(i, 2)) a = mo((m (L1(j, 1) 1) + (L2( i, 1) 1)), n) ; break ; en 41 en en function [k] = ElGamal finranomk(p, alpha, beta, a, message, gamma, elta ) %ElGamal finranomk given private key, function fins ranom parameter k, use in signing 3 %message x using ElGamal Signature Scheme without solving an instance of %Discrete Logarithm problem %INPTUS : %1. ( p, alpha, beta) public key %2. a private key 8 %3. message signe message %4. (gamma, elta) signature of message %OUTPUT: %1. k ranom parameter k 13 % m = a gamma k elta (mo ( p 1)) > k = (m a gamma) eltaˆ( 1)(mo ( p 1)) 18 k = 0; aux = mo(( message a gamma), (p 1)) ; % Check gc ( elta, ( p 1)) if ( gc(elta, (p 1)) == 1) [r, inverse elta, t] = exteneeucliean(elta, (p 1)) ; k = mo((aux inverse elta), (p 1)) 23 else = gc(elta, (p 1)) ; elta prime = elta/; p prime = (p 1)/ ; m prime = aux/ ; 28 [r, inverse, t] = exteneeucliean(elta prime, p prime) ; k prime = mo((m prime inverse), p prime) ; for i=1: 33 k = k prime + i p prime ; beta aux = square an multiply(alpha, k, p) if(beta aux == gamma) break ; en 38 en 4
5 en Problem 4 (Stinson, Problem 7.3) Suppose that Alice is using the ElGamal Signature Scheme. In orer to save time in generating the ranom numbers k that are use in signing messages, Alice chooses an initial ranom value k 0 an then signs the i-th message using the value k i = k 0 +2i (mo (p 1)) (therefore k i = k i 1 +2 (mo (p 1)) for all i 1). (a) Suppose that Bob observes two consecutive signe messages, say (x i, sig(x i,k i )) an x i+1,sig(x i+1,k i+1 ). Describe how Bob can easily compute Alice s secret key, a, given this information, without solving an instance of the Discrete Logarithm problem. (Note that the value of i oes not have to be known for the attack to succee.) (b) Suppose that the parameters of the scheme are p = 28703, = 5 an observe by Bob are: x i = 12000, sig(x i,k i ) = (26530, 19862) x i+1 = 24567, sig(x i+1,k i+1 ) = (3081, 7604) = an two messages Fin the value of a using the attack escribe in part (a). 5
6 (a) (a) To show how Bob can easily compute Alice s private key a, let s recall the ElGamal Signature Scheme: = k (mo p) = (m a )k 1 (mo (p 1)) (7) Since k 2 = k 1 +2 (mo(p 1)), using the remainer theorem, we can write: k 2 = k (p 1) (8) After receiving two consecutive pairs message-signature from Alice, Bob can therefore write: 1 = k1 (mo p) 1 = (m 1 a 1 )k1 1 (mo (p 1)) (9) 2 = k2 (mo p) = k1+2+ (p 1) (mo p) = 2 k1 (p 1) (mo p) = 2 k1 (mo p) 2 = (m 2 a 2 )k 1 2 (mo (p 1)) (10) From equation (9), after multiplication with k 1, it follows that a 1 = m 1 1 k 1. Using obtaine expression for a 1, equation (10) can be rewritten as: 2k 2 = (m 2 a 2 ) (mo (p 1)) 2(k 1 + 2) = (m 2 a 2 1) (mo (p 1)) 2(k 1 + 2) = (m 2 2 [m 1 k 1 1 ]) (mo (p 1)) k 1 ( 2 2 1) = (m 2 2 m ) (mo (p 1)) (11) From equation (11), Bob obtains the value of k 1 in the following way: he first checks whether gc(( 2 2 1), (p 1)) = 1. If that is the case, then the multiplicative inverse of ( 2 2 1)(mo(p 1)) exists, an Bob fins k 1 simply by multiplying equation (11) with the multiplicative inverse of ( 2 2 1) (mo (p 1)). Otherwise, Bob ivies (p 1), ( 2 2 1) an (m 2 2 m ) by gc(( 2 2 1), (p 1)) =, > 1, an obtains the following equation: k 1 ( 2 2 1) = (m 2 2 m ) (mo (p 1) ) (12) which he then solves for k1 0 by multiplying it with the multiplicative inverse of ( 2 2 1) (mo p 1 ). Ranom parameter k 1 is therefore foun as: k 1 = k1 0 + i( p 1 ) (mo p), 0 apple i apple (13) Bob next fins a unique value of k 1 by fining i for which 1 = k1. Once Bob has obtaine k 1, he fins Alice s private key from equation: a 1 =(m 1 1 k 1 ) (mo (p 1)) (14) Similar to the case of k 1, Bob again checks whether = gc( 1, (p 1)) = 1. If = 1, he fins Alice s private key by multiplying equation (14) with the multiplicative inverse of 1 (mo (p 1)). 6
7 If >1, Bob ivies 1, (p 1) an (m 1 1 k 1 )with an obtains the following equation: a 1 = (m 1 1k 1 ) (mo (p 1) ) (15) 1 He then obtains a by multiplying equation (15) with the multiplicative inverse of (mo p 1 ). Finally, he obtains Alice s private key a as follows: A unique solution for a is obtaine by fining i such that = a. a = a 0 + i p 1, 0 apple i apple (16) (b) A Matlab function that fins Alice s private key, after obtaining two consecutive message-signature pairs from Alice is calle ElGamal finingprivatekey, an its coe is given below. 1 function [a, k] = ElGamal finingprivatekey(p, alpha, beta, m1, m2, gamma1, elta1, gamma2, elta2) %ElGamal finingprivate Key function fins a private key use to sign %two ifferent messages m1 an m2, signe using ElGamal Signature Scheme, %where secret ranom parameter k is generate by the following equation : % k ( i +1) = k ( i ) + 2 (mo ( p 1)) 6 %INPUTS : %1. ( p, alpha, beta) public key %2. m1, m2 messages %3. (gamma1, elta1) signature of the first message %4. (gamma2, elta2) signature of the secon message 11 %OUTPUTS: %1. a private key %2. k private ( ranom) number k 16 %IDEA : %k i [ elta ( i +1) elta i alpha ˆ2] = x ( i +1) x i alphaˆ2 2 elta ( i +1) 21 a = 0; k = 0; %% Init a = 0; k = 0; 26 elta = mo(( elta2 alpha alpha elta1), (p 1)) ; m=mo((m2 alpha alpha m1 2 elta2), (p 1)) ; = gc(elta, (p 1)) ; 31 %Check gc (( elta ( i +1) elta i alphaˆ2), p 1) if( == 1) [r, inverse, t] = exteneeucliean(elta, (p 1)) ; k = mo(m inverse, (p 1)) ; else 36 p prime = (p 1)/ ; elta prime = elta/; m prime = m/ ; 41 [r, inverse, t] = exteneeucliean(elta prime, (p 1)) ; k prime = mo((m prime inverse), p prime) ; for i=0: k = k prime + i p prime ; 46 gamma1 aux = square an multiply(alpha, k, p) ; 7
8 51 en en if(gamma1 aux == gamma1) break ; en %Fining secret key %IDEA : a gamma i = x i k i e l t a i 56 %Check gc( gamma i, p 1) = gc(gamma1, p 1) ; if( == 1) [r, inverse, t] = exteneeucliean(gamma1, (p 1)) ; a = mo(( inverse (m1 k elta1)), (p 1)) ; 61 else p prime = (p 1)/ ; x prime = (m1 k elta1)/; gamma prime = gamma1/ ; 66 [r, inverse, t] = exteneeucliean(gamma prime, p prime) ; a prime = mo(( x prime inverse), p prime) ; for i=0: 71 a = a prime + i p prime ; beta aux = square an multiply(alpha, a, p) if(beta aux == beta) break ; en 76 en en Problem 5 (Stinson, Problem 7.5) (a) A signature in the ElGamal Signature Scheme or the DSA is not allowe to have = 0. Show that if a messages were signe with a signature in which = 0, it woul be easy for an aversary to compute the secret key, a. (b) A signature in the DSA is not allowe ti have =0. Show that if a signature in which =0isknown, then the value of k use in that signature can be etermine. Given that value of k, show that it is now possible to forge a signature for any esire message (i.e. selective forgery can be carrie out.) 8
9 (a) ElGamal Signature Scheme In theelgamal Signature Scheme, a signature of a message x is efine by the following set of equations: = k (mo p) = (x a )k 1 (mo (p 1)) sign K (x, k) = (, ) (17) If, for a message x, we obtain signature (,0), then it follows: Equation (18) is satisfie when: =(x a )k 1 (mo q) 0 (mo (p 1)) (18) (p 1) k 1 or (p 1) (x a ) (19) If the first conition is satisfie, i.e. (p 1) k 1,thenk 1 woul not be a vali multiplicative inverse of k (mo (p 1)), since there oes not exist an integer k 2 Z p 1 such that k 0=1 (mo(p 1)). We therefore only consier the secon conition, when (p 1) (x a ). In orer to fin the private key a, we use the reminer theorem to rewrite the given conition as follows: x a = µ(p 1),µ2 Z (20) Equation (20) can be rewritten as follows: a =(x µ(p 1)) 1,µ2 Z (21) From equation (21), a unique private key a is foun by fining µ such that a =. DSA In DSA, a signature of a message x is efine by the following set of equations: = ( k (mo p)) (mo q) = (SHA-1(x)+a )k 1 (mo q) sign K (x, k) = (, ) (22) If, for a message x, we obtain the signature (,0), then it follows: Equation (23) is satisfie when: (SHA-1(x)+a )k 1 0 (mo q) (23) q k 1 or q (SHA-1(x)+a ) (24) Similarly to the case of the ElGamal Signature Scheme, if q k 1, then k 1 woul not be a vali multiplicative inverse of k (mo q), since there oes not exist an integer k 2 Z q such that k 0=1 (mo q). We therefore only consier the secon conition, when q (SHA-1(x) + a ). Again, using the remainer theorem, given conition can be rewritten as: Equation (25) can be rewritten as: (SHA-1(x)+a )=µq (25) a =(µq SHA-1(x)) 9 A unique private key a is foun from equation (26) by fining µ such that a =. 1 (26)
10 (b) If a signature of the message x, signe using DSA, is equal to (0, ), then it follows: Equation (27) can be rewritten as: 0 = ( k (mo p)) (mo q) = SHA-1(x)k 1 (mo q) (27) k = SHA-1(x) (mo q) (28) Knowing that q is a prime number, from equation (28), we obtain k as follows: k = 1 (SHA-1(x)) (mo q) (29) Now, choosing an arbitrary message y 6= x, an attacker can calculate SHA-1(y), an use the calculate hash to fin a vali signature for the forge message: = SHA-1(y)k 1 (mo q) (30) New forge signature is equal to (0, ), with efine by equation (30). A pair (y, (0, )) represents a vali message-signature pair an proves that an attacker is able to forge a signature for any message of his choice. Problem 6 (Stinson, Problem 7.8) We showe that using the same value k to sign two messages in the ElGamal Signature Scheme allows the scheme to be broken (i.e. an aversary can etermine the secret key without solving an instance of the Discrete Logarithm problem). Show how similar attacks can be carrie out for the Schnorr Signature Scheme an the DSA scheme. 10
11 The Schnorr Signature Scheme If a sener ecies to use the same value of k to sign two messages x 1 an x 2 : x 1 : 1 = h(x 1 k ) (mo p) 1 = k + a 1 (mo q) (31) x 2 : 2 = h(x 2 k ) (mo p) 2 = k + a 2 (mo q) (32) by combining the equations (31) an (32), we can write: 1 2 = a( 1 2 ) (mo q) (33) In orer to etermine the private key a, we first calculate gc (( 1 2 ),q). If gc (( 1 2 ),q) = 1, an then fin the private key using the following equation: a =( 1 2 )( 1 2 ) 1 (mo q) (34) If gc (( 1 2 ),q)=, > 1, we efine the following parameters: 0 0 = = q 0 = q an efine a new equation: Parameter a 0 is now foun as: From equation (37), the private key is foun as follows: A unique solution of a is foun by fining i, such that = a. (35) a 0 0 = 0 (mo q 0 ) (36) a 0 = (mo q 0 ) (37) a = a 0 + iq 0 (mo q), 0 apple i apple 1 (38) DSA If a sener ecies to sign two messages x 1 an x 2 using the same value of the ranom parameter k: x 1 : = ( k (mo p)) (mo q) 1 = (SHA-1(x 1 )+a )k 1 (mo q) (39) x 2 : = ( k (mo p)) (mo q) 2 = (SHA-1(x 2 )+a )k 1 (mo q) (40) Combining equations (39) an (40), we can write: ( 1 2 )k = SHA-1(x 1 ) SHA-1(x 2 ) (mo q) (41) 11
12 In orer to fin the private key a, we first compute gc (( 1 2 ),q). If gc (( 1 2 ),q) = 1, an then we fin the value of the ranom parameter k as follows: k = [SHA-1(x 1 ) SHA-1(x 2 )]( 1 2 ) 1 (mo q) (42) If gc (( 1 2 ),q)=, > 1, we efine the following parameters: 0 = 1 2 x 0 = [SHA-1(x 1) SHA-1(x 2 )] q 0 = q (43) an efine a new equation: k 0 0 = x 0 (mo q 0 ) (44) Using parameters (43), we fin the solution of k 0 as follows: k 0 = 0 1 x 0 (mo q 0 ) (45) From equation (45) we fin the value of the ranom parameter k as follows: k = 0 1 x 0 + iq 0 (mo q), 0 apple i apple ( 1) (46) We fin the private key a using the following equation: 1 = k + a 1 (mo q) (47) Since q is a prime number, from equation (46), we compute a as: a =( 1 k) 1 1 (mo q) (48) 12
EE 595 (PMP) Introduction to Security and Privacy Homework 4
EE 595 (PMP) Introuction to Security an Privacy Homework 4 Assigne: Monay, February 12, 2017, Due: Sunay, March 5, 2017 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington,
More informationDigital Signature Algorithm
Çetin Kaya Koç koc@cs.ucsb.edu Çetin Kaya Koç http://koclab.org Winter 2017 1 / 11 DSA: The is a US standard, proposed in 1991 by the NIST Along with the DSA, the hash function SHA-1 was also specified
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationLINEAR DIFFERENTIAL EQUATIONS OF ORDER 1. where a(x) and b(x) are functions. Observe that this class of equations includes equations of the form
LINEAR DIFFERENTIAL EQUATIONS OF ORDER 1 We consier ifferential equations of the form y + a()y = b(), (1) y( 0 ) = y 0, where a() an b() are functions. Observe that this class of equations inclues equations
More informationSIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography
SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 8 of Trappe and Washington DIGITAL SIGNATURES message sig 1. How do we bind
More informationLinear First-Order Equations
5 Linear First-Orer Equations Linear first-orer ifferential equations make up another important class of ifferential equations that commonly arise in applications an are relatively easy to solve (in theory)
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationUnit #6 - Families of Functions, Taylor Polynomials, l Hopital s Rule
Unit # - Families of Functions, Taylor Polynomials, l Hopital s Rule Some problems an solutions selecte or aapte from Hughes-Hallett Calculus. Critical Points. Consier the function f) = 54 +. b) a) Fin
More informationand from it produce the action integral whose variation we set to zero:
Lagrange Multipliers Monay, 6 September 01 Sometimes it is convenient to use reunant coorinates, an to effect the variation of the action consistent with the constraints via the metho of Lagrange unetermine
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationNew Variant of ElGamal Signature Scheme
Int. J. Contemp. Math. Sciences, Vol. 5, 2010, no. 34, 1653-1662 New Variant of ElGamal Signature Scheme Omar Khadir Department of Mathematics Faculty of Science and Technology University of Hassan II-Mohammedia,
More informationSeparation of Variables
Physics 342 Lecture 1 Separation of Variables Lecture 1 Physics 342 Quantum Mechanics I Monay, January 25th, 2010 There are three basic mathematical tools we nee, an then we can begin working on the physical
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More informationLecture V : Public Key Cryptography
Lecture V : Public Key Cryptography Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Amir Rezapoor Computer Science Department, National Chiao Tung University 2 Outline Functional
More informationOn the Big Gap Between p and q in DSA
On the Big Gap Between p and in DSA Zhengjun Cao Department of Mathematics, Shanghai University, Shanghai, China, 200444. caozhj@shu.edu.cn Abstract We introduce a message attack against DSA and show that
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationImplicit Differentiation
Implicit Differentiation Thus far, the functions we have been concerne with have been efine explicitly. A function is efine explicitly if the output is given irectly in terms of the input. For instance,
More informationDigital Signatures. p1.
Digital Signatures p1. Digital Signatures Digital signature is the same as MAC except that the tag (signature) is produced using the secret key of a public-key cryptosystem. Message m MAC k (m) Message
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationG j dq i + G j. q i. = a jt. and
Lagrange Multipliers Wenesay, 8 September 011 Sometimes it is convenient to use reunant coorinates, an to effect the variation of the action consistent with the constraints via the metho of Lagrange unetermine
More informationChapter 7: Signature Schemes. COMP Lih-Yuan Deng
Chapter 7: Signature Schemes COMP 7120-8120 Lih-Yuan Deng lihdeng@memphis.edu Overview Introduction Security requirements for signature schemes ElGamal signature scheme Variants of ElGamal signature scheme
More informationMathematics 116 HWK 25a Solutions 8.6 p610
Mathematics 6 HWK 5a Solutions 8.6 p6 Problem, 8.6, p6 Fin a power series representation for the function f() = etermine the interval of convergence. an Solution. Begin with the geometric series = + +
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationA secure approach for embedding message text on an elliptic curve defined over prime fields, and building 'EC-RSA-ELGamal' Cryptographic System
International Journal of Comuter Science an Information Security (IJCSIS), Vol. 5, No. 6, June 7 A secure aroach for embeing message tet on an ellitic curve efine over rime fiels, an builing 'EC-RSA-ELGamal'
More informationMATH UN Midterm 2 November 10, 2016 (75 minutes)
Name: UNI: Instructor: Shrenik Shah MATH UN3025 - Midterm 2 November 10, 2016 (75 minutes) This examination booklet contains 6 problems. There are 10 sheets of paper including the front cover. This is
More informationSolving the Schrödinger Equation for the 1 Electron Atom (Hydrogen-Like)
Stockton Univeristy Chemistry Program, School of Natural Sciences an Mathematics 101 Vera King Farris Dr, Galloway, NJ CHEM 340: Physical Chemistry II Solving the Schröinger Equation for the 1 Electron
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationConstructing Provably-Secure Identity-Based Signature Schemes
Constructing Provably-Secure Identity-Based Signature Schemes Chethan Kamath Indian Institute of Science, Bangalore November 23, 2013 Overview Table of contents Background Formal Definitions Schnorr Signature
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationDigital Signatures. Adam O Neill based on
Digital Signatures Adam O Neill based on http://cseweb.ucsd.edu/~mihir/cse207/ Signing by hand COSMO ALICE ALICE Pay Bob $100 Cosmo Alice Alice Bank =? no Don t yes pay Bob Signing electronically SIGFILE
More informationinflow outflow Part I. Regular tasks for MAE598/494 Task 1
MAE 494/598, Fall 2016 Project #1 (Regular tasks = 20 points) Har copy of report is ue at the start of class on the ue ate. The rules on collaboration will be release separately. Please always follow the
More informationDiagonalization of Matrices Dr. E. Jacobs
Diagonalization of Matrices Dr. E. Jacobs One of the very interesting lessons in this course is how certain algebraic techniques can be use to solve ifferential equations. The purpose of these notes is
More informationChapter 5. Factorization of Integers
Chapter 5 Factorization of Integers 51 Definition: For a, b Z we say that a ivies b (or that a is a factor of b, or that b is a multiple of a, an we write a b, when b = ak for some k Z 52 Theorem: (Basic
More information5-4 Electrostatic Boundary Value Problems
11/8/4 Section 54 Electrostatic Bounary Value Problems blank 1/ 5-4 Electrostatic Bounary Value Problems Reaing Assignment: pp. 149-157 Q: A: We must solve ifferential equations, an apply bounary conitions
More informationLectures - Week 10 Introduction to Ordinary Differential Equations (ODES) First Order Linear ODEs
Lectures - Week 10 Introuction to Orinary Differential Equations (ODES) First Orer Linear ODEs When stuying ODEs we are consiering functions of one inepenent variable, e.g., f(x), where x is the inepenent
More informationTwo formulas for the Euler ϕ-function
Two formulas for the Euler ϕ-function Robert Frieman A multiplication formula for ϕ(n) The first formula we want to prove is the following: Theorem 1. If n 1 an n 2 are relatively prime positive integers,
More informationMath 342 Partial Differential Equations «Viktor Grigoryan
Math 342 Partial Differential Equations «Viktor Grigoryan 6 Wave equation: solution In this lecture we will solve the wave equation on the entire real line x R. This correspons to a string of infinite
More informationLecture 2 Lagrangian formulation of classical mechanics Mechanics
Lecture Lagrangian formulation of classical mechanics 70.00 Mechanics Principle of stationary action MATH-GA To specify a motion uniquely in classical mechanics, it suffices to give, at some time t 0,
More informationSchnorr Signature. Schnorr Signature. October 31, 2012
. October 31, 2012 Table of contents Salient Features Preliminaries Security Proofs Random Oracle Heuristic PKS and its Security Models Hardness Assumption The Construction Oracle Replay Attack Security
More informationOn the enumeration of partitions with summands in arithmetic progression
AUSTRALASIAN JOURNAL OF COMBINATORICS Volume 8 (003), Pages 149 159 On the enumeration of partitions with summans in arithmetic progression M. A. Nyblom C. Evans Department of Mathematics an Statistics
More informationOutcomes. Unit 14. Review of State Machines STATE MACHINES OVERVIEW. State Machine Design
4. Outcomes 4.2 Unit 4 tate Machine Design I can create a state iagram to solve a sequential problem I can implement a working state machine given a state iagram 4.3 Review of tate Machines 4.4 TATE MACHINE
More informationf(x + h) f(x) f (x) = lim
Introuction 4.3 Some Very Basic Differentiation Formulas If a ifferentiable function f is quite simple, ten it is possible to fin f by using te efinition of erivative irectly: f () 0 f( + ) f() However,
More informationELEC3114 Control Systems 1
ELEC34 Control Systems Linear Systems - Moelling - Some Issues Session 2, 2007 Introuction Linear systems may be represente in a number of ifferent ways. Figure shows the relationship between various representations.
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationb = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.
INTRODUCTION TO CRYPTOGRAPHY 5. Discrete Logarithms Recall the classical logarithm for real numbers: If we write b = 10 a, then a = log 10 b is the logarithm of b to the base 10. Changing the base to e
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information1 Lecture 20: Implicit differentiation
Lecture 20: Implicit ifferentiation. Outline The technique of implicit ifferentiation Tangent lines to a circle Derivatives of inverse functions by implicit ifferentiation Examples.2 Implicit ifferentiation
More informationSYNCHRONOUS SEQUENTIAL CIRCUITS
CHAPTER SYNCHRONOUS SEUENTIAL CIRCUITS Registers an counters, two very common synchronous sequential circuits, are introuce in this chapter. Register is a igital circuit for storing information. Contents
More informationDiophantine Approximations: Examining the Farey Process and its Method on Producing Best Approximations
Diophantine Approximations: Examining the Farey Process an its Metho on Proucing Best Approximations Kelly Bowen Introuction When a person hears the phrase irrational number, one oes not think of anything
More informationMath 1271 Solutions for Fall 2005 Final Exam
Math 7 Solutions for Fall 5 Final Eam ) Since the equation + y = e y cannot be rearrange algebraically in orer to write y as an eplicit function of, we must instea ifferentiate this relation implicitly
More informationIterated Point-Line Configurations Grow Doubly-Exponentially
Iterate Point-Line Configurations Grow Doubly-Exponentially Joshua Cooper an Mark Walters July 9, 008 Abstract Begin with a set of four points in the real plane in general position. A to this collection
More informationThis module is part of the. Memobust Handbook. on Methodology of Modern Business Statistics
This moule is part of the Memobust Hanbook on Methoology of Moern Business Statistics 26 March 2014 Metho: Balance Sampling for Multi-Way Stratification Contents General section... 3 1. Summary... 3 2.
More informationSchrödinger s equation.
Physics 342 Lecture 5 Schröinger s Equation Lecture 5 Physics 342 Quantum Mechanics I Wenesay, February 3r, 2010 Toay we iscuss Schröinger s equation an show that it supports the basic interpretation of
More informationQF101: Quantitative Finance September 5, Week 3: Derivatives. Facilitator: Christopher Ting AY 2017/2018. f ( x + ) f(x) f(x) = lim
QF101: Quantitative Finance September 5, 2017 Week 3: Derivatives Facilitator: Christopher Ting AY 2017/2018 I recoil with ismay an horror at this lamentable plague of functions which o not have erivatives.
More information19 Eigenvalues, Eigenvectors, Ordinary Differential Equations, and Control
19 Eigenvalues, Eigenvectors, Orinary Differential Equations, an Control This section introuces eigenvalues an eigenvectors of a matrix, an iscusses the role of the eigenvalues in etermining the behavior
More informationA Weak First Digit Law for a Class of Sequences
International Mathematical Forum, Vol. 11, 2016, no. 15, 67-702 HIKARI Lt, www.m-hikari.com http://x.oi.org/10.1288/imf.2016.6562 A Weak First Digit Law for a Class of Sequences M. A. Nyblom School of
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationCPSC 467b: Cryptography and Computer Security
Outline Quadratic residues Useful tests Digital Signatures CPSC 467b: Cryptography and Computer Security Lecture 14 Michael J. Fischer Department of Computer Science Yale University March 1, 2010 Michael
More informationPseudo-Free Families of Finite Computational Elementary Abelian p-groups
Pseuo-Free Families of Finite Computational Elementary Abelian p-groups Mikhail Anokhin Information Security Institute, Lomonosov University, Moscow, Russia anokhin@mccme.ru Abstract We initiate the stuy
More informationWinter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2
0368.3049.01 Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod Assignment #2 Published Sunday, February 17, 2008 and very slightly revised Feb. 18. Due Tues., March 4, in Rani Hod
More informationCode_Aster. Detection of the singularities and calculation of a map of size of elements
Titre : Détection es singularités et calcul une carte [...] Date : 0/0/0 Page : /6 Responsable : DLMAS Josselin Clé : R4.0.04 Révision : Detection of the singularities an calculation of a map of size of
More informationDigital signature schemes
Digital signature schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction digital signature scheme security of digital
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More information1 dx. where is a large constant, i.e., 1, (7.6) and Px is of the order of unity. Indeed, if px is given by (7.5), the inequality (7.
Lectures Nine an Ten The WKB Approximation The WKB metho is a powerful tool to obtain solutions for many physical problems It is generally applicable to problems of wave propagation in which the frequency
More informationPDE Notes, Lecture #11
PDE Notes, Lecture # from Professor Jalal Shatah s Lectures Febuary 9th, 2009 Sobolev Spaces Recall that for u L loc we can efine the weak erivative Du by Du, φ := udφ φ C0 If v L loc such that Du, φ =
More informationSYDE 112, LECTURE 1: Review & Antidifferentiation
SYDE 112, LECTURE 1: Review & Antiifferentiation 1 Course Information For a etaile breakown of the course content an available resources, see the Course Outline. Other relevant information for this section
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationAuthentication. Chapter Message Authentication
Chapter 5 Authentication 5.1 Message Authentication Suppose Bob receives a message addressed from Alice. How does Bob ensure that the message received is the same as the message sent by Alice? For example,
More informationHomework 2 EM, Mixture Models, PCA, Dualitys
Homework 2 EM, Mixture Moels, PCA, Dualitys CMU 10-715: Machine Learning (Fall 2015) http://www.cs.cmu.eu/~bapoczos/classes/ml10715_2015fall/ OUT: Oct 5, 2015 DUE: Oct 19, 2015, 10:20 AM Guielines The
More informationAttacking Unbalanced RSA-CRT Using SPA
Attacking Unbalance RSA-CRT Using SPA Pierre-Alain Fouque, Gwenaëlle Martinet, an Guillaume Poupar DCSSI Crypto Lab 51, Boulevar e Latour-Maubourg 75700 Paris 07 SP, France Pierre-Alain.Fouque@ens.fr Gwenaelle.Martinet@worlonline.fr
More informationA. Incorrect! The letter t does not appear in the expression of the given integral
AP Physics C - Problem Drill 1: The Funamental Theorem of Calculus Question No. 1 of 1 Instruction: (1) Rea the problem statement an answer choices carefully () Work the problems on paper as neee (3) Question
More informationHomework 2 Solutions EM, Mixture Models, PCA, Dualitys
Homewor Solutions EM, Mixture Moels, PCA, Dualitys CMU 0-75: Machine Learning Fall 05 http://www.cs.cmu.eu/~bapoczos/classes/ml075_05fall/ OUT: Oct 5, 05 DUE: Oct 9, 05, 0:0 AM An EM algorithm for a Mixture
More informationThe Exact Form and General Integrating Factors
7 The Exact Form an General Integrating Factors In the previous chapters, we ve seen how separable an linear ifferential equations can be solve using methos for converting them to forms that can be easily
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationMath Notes on differentials, the Chain Rule, gradients, directional derivative, and normal vectors
Math 18.02 Notes on ifferentials, the Chain Rule, graients, irectional erivative, an normal vectors Tangent plane an linear approximation We efine the partial erivatives of f( xy, ) as follows: f f( x+
More informationTopic 7: Convergence of Random Variables
Topic 7: Convergence of Ranom Variables Course 003, 2016 Page 0 The Inference Problem So far, our starting point has been a given probability space (S, F, P). We now look at how to generate information
More informationCode_Aster. Detection of the singularities and computation of a card of size of elements
Titre : Détection es singularités et calcul une carte [...] Date : 0/0/0 Page : /6 Responsable : Josselin DLMAS Clé : R4.0.04 Révision : 9755 Detection of the singularities an computation of a car of size
More informationd dx [xn ] = nx n 1. (1) dy dx = 4x4 1 = 4x 3. Theorem 1.3 (Derivative of a constant function). If f(x) = k and k is a constant, then f (x) = 0.
Calculus refresher Disclaimer: I claim no original content on this ocument, which is mostly a summary-rewrite of what any stanar college calculus book offers. (Here I ve use Calculus by Dennis Zill.) I
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationGenerating EIGamal Signatures Without Knowing the Secret Key
Generating EIGamal Signatures Without Knowing the Secret Key Daniel Bleichenbacher ETH Zurich Institute for Theoretical Computer Science CH-8092 Zurich, Switzerlan email: bleichenminf.ethz. ch Abstract.
More informationPure Further Mathematics 1. Revision Notes
Pure Further Mathematics Revision Notes June 20 2 FP JUNE 20 SDB Further Pure Complex Numbers... 3 Definitions an arithmetical operations... 3 Complex conjugate... 3 Properties... 3 Complex number plane,
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationLower bounds on Locality Sensitive Hashing
Lower bouns on Locality Sensitive Hashing Rajeev Motwani Assaf Naor Rina Panigrahy Abstract Given a metric space (X, X ), c 1, r > 0, an p, q [0, 1], a istribution over mappings H : X N is calle a (r,
More informationCONTROL CHARTS FOR VARIABLES
UNIT CONTOL CHATS FO VAIABLES Structure.1 Introuction Objectives. Control Chart Technique.3 Control Charts for Variables.4 Control Chart for Mean(-Chart).5 ange Chart (-Chart).6 Stanar Deviation Chart
More informationQuestion: Total Points: Score:
University of California, Irvine COMPSCI 134: Elements of Cryptography and Computer and Network Security Midterm Exam (Fall 2016) Duration: 90 minutes November 2, 2016, 7pm-8:30pm Name (First, Last): Please
More informationParameter estimation: A new approach to weighting a priori information
Parameter estimation: A new approach to weighting a priori information J.L. Mea Department of Mathematics, Boise State University, Boise, ID 83725-555 E-mail: jmea@boisestate.eu Abstract. We propose a
More informationLenny Jones Department of Mathematics, Shippensburg University, Shippensburg, Pennsylvania Daniel White
#A10 INTEGERS 1A (01): John Selfrige Memorial Issue SIERPIŃSKI NUMBERS IN IMAGINARY QUADRATIC FIELDS Lenny Jones Deartment of Mathematics, Shiensburg University, Shiensburg, Pennsylvania lkjone@shi.eu
More informationGCD of Random Linear Combinations
JOACHIM VON ZUR GATHEN & IGOR E. SHPARLINSKI (2006). GCD of Ranom Linear Combinations. Algorithmica 46(1), 137 148. ISSN 0178-4617 (Print), 1432-0541 (Online). URL https://x.oi.org/10.1007/s00453-006-0072-1.
More informationA Simulative Comparison of BB84 Protocol with its Improved Version
JCS&T Vol. 7 No. 3 October 007 A Simulative Comparison of BB84 Protocol with its Improve Version Mohsen Sharifi an Hooshang Azizi Computer Engineering Department Iran University of Science an Technology,
More informationarxiv: v4 [quant-ph] 4 Jan 2019
Device inepenent witness of arbitrary imensional quantum systems employing binary outcome measurements Mikołaj Czechlewski, 1, Debashis Saha, 2, 3, Armin Tavakoli, 4, an Marcin Pawłowski 2, 1 Institute
More informationImplicit Differentiation. Lecture 16.
Implicit Differentiation. Lecture 16. We are use to working only with functions that are efine explicitly. That is, ones like f(x) = 5x 3 + 7x x 2 + 1 or s(t) = e t5 3, in which the function is escribe
More informationCODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.
CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES A selection of the following questions will be chosen by the lecturer to form the Cryptology Assignment. The Cryptology Assignment is due by 5pm Sunday 1
More informationComputing Exact Confidence Coefficients of Simultaneous Confidence Intervals for Multinomial Proportions and their Functions
Working Paper 2013:5 Department of Statistics Computing Exact Confience Coefficients of Simultaneous Confience Intervals for Multinomial Proportions an their Functions Shaobo Jin Working Paper 2013:5
More informationAssignment 1. g i (x 1,..., x n ) dx i = 0. i=1
Assignment 1 Golstein 1.4 The equations of motion for the rolling isk are special cases of general linear ifferential equations of constraint of the form g i (x 1,..., x n x i = 0. i=1 A constraint conition
More informationLecture XII. where Φ is called the potential function. Let us introduce spherical coordinates defined through the relations
Lecture XII Abstract We introuce the Laplace equation in spherical coorinates an apply the metho of separation of variables to solve it. This will generate three linear orinary secon orer ifferential equations:
More information6 Wave equation in spherical polar coordinates
6 Wave equation in spherical polar coorinates We now look at solving problems involving the Laplacian in spherical polar coorinates. The angular epenence of the solutions will be escribe by spherical harmonics.
More informationMake graph of g by adding c to the y-values. on the graph of f by c. multiplying the y-values. even-degree polynomial. graph goes up on both sides
Reference 1: Transformations of Graphs an En Behavior of Polynomial Graphs Transformations of graphs aitive constant constant on the outsie g(x) = + c Make graph of g by aing c to the y-values on the graph
More informationLATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION
The Annals of Statistics 1997, Vol. 25, No. 6, 2313 2327 LATTICE-BASED D-OPTIMUM DESIGN FOR FOURIER REGRESSION By Eva Riccomagno, 1 Rainer Schwabe 2 an Henry P. Wynn 1 University of Warwick, Technische
More information