EE 418: Network Security and Cryptography

Transcription

1 Problem 1 EE 418: Network Security an Cryptography Homework 5 Assigne: Wenesay, November 23, 2016, Due: Tuesay, December 6, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle Consier the following moification of the Schnorr igital signature scheme. The keys are given by K = {(q,, a, ): a (mo p)} where (q,, ) comprise the public key an a is the private key. Given a message x, we compute the signature of x to be = x k (mo q) = k + a (mo q) (1) where k is a ranomly chosen number. In other wors, we start with the stanar Schnorr scheme an then use multiplication rather than a hash for. How is verification one using this revise scheme? Solution: To verify a signature generate using this Moifie Schnorr Signature scheme, we exponentiate, an check whether the obtaine result is equal to x 1,: = x 1 (2) Let s analyze, to show that the propose verification scheme is inee vali: = k+ = k a = k ( a ) = k = x 1 (3) Expression k = x 1 comes from equation (1), an is vali because q is a prime number. Problem 2 Consier the following igital signature scheme. The public key is given by (q,, ), where q is a prime number, is a primitive root of q, an is an integer satisfying <q. The private key is equal to a, for some positive integer a<qsatisfying a (mo q). To sign a message m, compute y = h(m), the hash of the message. Assume that gc(y, q 1) = 1 (if this is not the case, appen a ranom string to m an recompute the hash. Repeat the process until a message m is foun satisfying gc(y, q 1) = 1). Then calculate z such that yz a (mo (q 1)). The signature of the message is z. To verify the signature, a user verifies that =( z ) y (mo q). (a) Show that this scheme works. That is, show that the verification process prouces an equality if the signature is vali. (b) Show that the scheme is unacceptable by escribing a simple technique for forging a users signature on an arbitrary message. 1

2 (a) In orer to show that the verification process in the propose scheme prouces an equality if the signature is vali, let s analyze the expression ( z ) y : ( z ) y (mo q) = yz (mo q) = a+ (q 1) (mo q) = a (q 1) (mo q) (4) = a q 1 (mo q) = a (mo q) = (5) Equation (4) comes from using the remainer theorem to express the fact that yz a (mo q 1) an equation (5) from using the Fermat s Little theorem, which states that x (p) 1(mop), where p is a prime number. (b) To show that the propose signature scheme is not vali, we nee to show that an attacker can forge a signature for some arbitrary message ˆm. After choosing a message ˆm, an attacker first computes the hash of such a message ŷ = h(ˆm). His next step is to compute the multiplicative inverse of the obtaine hash ŷ 1 (mo q). Due to the fact that q is a prime number, such an inverse will always exist. An attacker then outputs ( ˆm, ŷ 1 ) as his message-signature pair. Obtaine signature will pass the verification test, since: ŷ 1 ŷ (mo q) = ŷ 1 ŷ (mo q) = (mo q) (6) Equation (6) proves that an attacker is able to forge a vali signature for an arbitrary message. Therefore, the propose signature scheme is not vali. Problem 3 (Stinson 7.2) Suppose I implement the ElGamal Signature Scheme with p = 31847, = 5 an = Write a computer program which oes the following: (a) Verify the signature (20679, 11082) on the message x = (b) Determine my private key, a, by solving an instance of the Discrete Logarithm problem. (c) Then etermine the ranom value k use in signing the message x, without solving an instance of the DiscreteLogarithm problem. 2

3 (a) A Matlab function that verifies the signature of some message x, signe using ElGamal Signature Scheme is calle ElGamal signatureverification, an its coe is given below. Using the provie Matlab function, we verify the signature (, ) = (20679, 11082) of the message x = 20543, signe with the ElGamal Signature Scheme with public keys given as p = 31847, = 5, = We obtain x = 20688, = 12575, = an finally = Therefore we conclue that a given signature is vali for the message x. (b) Matlab function that computes a private key a, given a public key (p,, ) is calle shanks, an its coe is given below. The provie function solves an instance of the iscrete logarithm problem a = log = using the Shanks algorithm. For the public key (p = 31847, =5, = 26379), we obtain a = (c) Function that fins a ranom number k, 1 apple k apple p 1, use in generating an ElGamal signature of a message m without solving an instance of a iscrete logarithm problem is calle ElGamal finranom, an its coe given below as well. Using the provie function on message x = 20543, whose signature is given as (, ) = (20679, 11082), with parameters of the ElGamal Signature Scheme p = 31847, = 5, = an private key a = 7973, we obtain k = function [verifie] = ElGamal signatureverification(p, alpha, beta, message, gamma, elta ) %ElGamal signatureverification verifies the signature of the message, %signe using ElGamal Signature Scheme %INPUTS : 6 %1. ( p, alpha, beta) public key in the ElGama public key scheme %2. message %3. (gamma, elta) signature of the message %OUTPUTS: %1. verifie returns verifie if the signature is vali, invali 11 %signature otherwise verifie = Invali signature ; %%Verification 16 alpha x = square an multiply(alpha, message, p) ; beta gamma = square an multiply(beta, gamma, p) ; gamma elta = square an multiply(gamma, elta, p) ; 21 ver aux = mo(beta gamma gamma elta, p) ; if(ver aux == alpha x) verifie = Verifie ; en 1 function [a] = shanks(alpha, beta, n) %Shanks solves a iscrete logarithm a = log alpha( beta) (mo n ) problem %using shanks algorithm. %INPUTS : %1. alpha basis 6 %2. beta exponent %3. n = phi( p ) = ( p 1), where p is a prime number %OUTPUT: %1. a solution of the iscrete logarithm problem 11 %%Initialization a = 0; m= ceil( sqrt(n)) ; 16 %Auxiliary calculation : alphaˆm (mo n ) x = square an multiply(alpha, (m), (n + 1)) ; 3

4 %First list for j = 1:m 21 L1 unsorte(j, :) = [ j, square an multiply(x, j 1, (n + 1) ) ] ; en L1 = sortrows ( L1 unsorte, 2) ; 26 for j = 1:m L2 aux = square an multiply(alpha, j 1, (n + 1)) ; [r, inverse, t] = exteneeucliean(l2 aux, (n + 1) ) ; L2 unsorte(j, :) = [ j, square an multiply(beta inverse, 1, (n + 1)) ]; en 31 L2 = sortrows ( L2 unsorte, 2) ; %%Fining the pair with ientical secon coorinate for j = 1:m 36 for i = 1:m if(l1(j, 2) == L2(i, 2)) a = mo((m (L1(j, 1) 1) + (L2( i, 1) 1)), n) ; break ; en 41 en en function [k] = ElGamal finranomk(p, alpha, beta, a, message, gamma, elta ) %ElGamal finranomk given private key, function fins ranom parameter k, use in signing 3 %message x using ElGamal Signature Scheme without solving an instance of %Discrete Logarithm problem %INPTUS : %1. ( p, alpha, beta) public key %2. a private key 8 %3. message signe message %4. (gamma, elta) signature of message %OUTPUT: %1. k ranom parameter k 13 % m = a gamma k elta (mo ( p 1)) > k = (m a gamma) eltaˆ( 1)(mo ( p 1)) 18 k = 0; aux = mo(( message a gamma), (p 1)) ; % Check gc ( elta, ( p 1)) if ( gc(elta, (p 1)) == 1) [r, inverse elta, t] = exteneeucliean(elta, (p 1)) ; k = mo((aux inverse elta), (p 1)) 23 else = gc(elta, (p 1)) ; elta prime = elta/; p prime = (p 1)/ ; m prime = aux/ ; 28 [r, inverse, t] = exteneeucliean(elta prime, p prime) ; k prime = mo((m prime inverse), p prime) ; for i=1: 33 k = k prime + i p prime ; beta aux = square an multiply(alpha, k, p) if(beta aux == gamma) break ; en 38 en 4

5 en Problem 4 (Stinson, Problem 7.3) Suppose that Alice is using the ElGamal Signature Scheme. In orer to save time in generating the ranom numbers k that are use in signing messages, Alice chooses an initial ranom value k 0 an then signs the i-th message using the value k i = k 0 +2i (mo (p 1)) (therefore k i = k i 1 +2 (mo (p 1)) for all i 1). (a) Suppose that Bob observes two consecutive signe messages, say (x i, sig(x i,k i )) an x i+1,sig(x i+1,k i+1 ). Describe how Bob can easily compute Alice s secret key, a, given this information, without solving an instance of the Discrete Logarithm problem. (Note that the value of i oes not have to be known for the attack to succee.) (b) Suppose that the parameters of the scheme are p = 28703, = 5 an observe by Bob are: x i = 12000, sig(x i,k i ) = (26530, 19862) x i+1 = 24567, sig(x i+1,k i+1 ) = (3081, 7604) = an two messages Fin the value of a using the attack escribe in part (a). 5

6 (a) (a) To show how Bob can easily compute Alice s private key a, let s recall the ElGamal Signature Scheme: = k (mo p) = (m a )k 1 (mo (p 1)) (7) Since k 2 = k 1 +2 (mo(p 1)), using the remainer theorem, we can write: k 2 = k (p 1) (8) After receiving two consecutive pairs message-signature from Alice, Bob can therefore write: 1 = k1 (mo p) 1 = (m 1 a 1 )k1 1 (mo (p 1)) (9) 2 = k2 (mo p) = k1+2+ (p 1) (mo p) = 2 k1 (p 1) (mo p) = 2 k1 (mo p) 2 = (m 2 a 2 )k 1 2 (mo (p 1)) (10) From equation (9), after multiplication with k 1, it follows that a 1 = m 1 1 k 1. Using obtaine expression for a 1, equation (10) can be rewritten as: 2k 2 = (m 2 a 2 ) (mo (p 1)) 2(k 1 + 2) = (m 2 a 2 1) (mo (p 1)) 2(k 1 + 2) = (m 2 2 [m 1 k 1 1 ]) (mo (p 1)) k 1 ( 2 2 1) = (m 2 2 m ) (mo (p 1)) (11) From equation (11), Bob obtains the value of k 1 in the following way: he first checks whether gc(( 2 2 1), (p 1)) = 1. If that is the case, then the multiplicative inverse of ( 2 2 1)(mo(p 1)) exists, an Bob fins k 1 simply by multiplying equation (11) with the multiplicative inverse of ( 2 2 1) (mo (p 1)). Otherwise, Bob ivies (p 1), ( 2 2 1) an (m 2 2 m ) by gc(( 2 2 1), (p 1)) =, > 1, an obtains the following equation: k 1 ( 2 2 1) = (m 2 2 m ) (mo (p 1) ) (12) which he then solves for k1 0 by multiplying it with the multiplicative inverse of ( 2 2 1) (mo p 1 ). Ranom parameter k 1 is therefore foun as: k 1 = k1 0 + i( p 1 ) (mo p), 0 apple i apple (13) Bob next fins a unique value of k 1 by fining i for which 1 = k1. Once Bob has obtaine k 1, he fins Alice s private key from equation: a 1 =(m 1 1 k 1 ) (mo (p 1)) (14) Similar to the case of k 1, Bob again checks whether = gc( 1, (p 1)) = 1. If = 1, he fins Alice s private key by multiplying equation (14) with the multiplicative inverse of 1 (mo (p 1)). 6

7 If >1, Bob ivies 1, (p 1) an (m 1 1 k 1 )with an obtains the following equation: a 1 = (m 1 1k 1 ) (mo (p 1) ) (15) 1 He then obtains a by multiplying equation (15) with the multiplicative inverse of (mo p 1 ). Finally, he obtains Alice s private key a as follows: A unique solution for a is obtaine by fining i such that = a. a = a 0 + i p 1, 0 apple i apple (16) (b) A Matlab function that fins Alice s private key, after obtaining two consecutive message-signature pairs from Alice is calle ElGamal finingprivatekey, an its coe is given below. 1 function [a, k] = ElGamal finingprivatekey(p, alpha, beta, m1, m2, gamma1, elta1, gamma2, elta2) %ElGamal finingprivate Key function fins a private key use to sign %two ifferent messages m1 an m2, signe using ElGamal Signature Scheme, %where secret ranom parameter k is generate by the following equation : % k ( i +1) = k ( i ) + 2 (mo ( p 1)) 6 %INPUTS : %1. ( p, alpha, beta) public key %2. m1, m2 messages %3. (gamma1, elta1) signature of the first message %4. (gamma2, elta2) signature of the secon message 11 %OUTPUTS: %1. a private key %2. k private ( ranom) number k 16 %IDEA : %k i [ elta ( i +1) elta i alpha ˆ2] = x ( i +1) x i alphaˆ2 2 elta ( i +1) 21 a = 0; k = 0; %% Init a = 0; k = 0; 26 elta = mo(( elta2 alpha alpha elta1), (p 1)) ; m=mo((m2 alpha alpha m1 2 elta2), (p 1)) ; = gc(elta, (p 1)) ; 31 %Check gc (( elta ( i +1) elta i alphaˆ2), p 1) if( == 1) [r, inverse, t] = exteneeucliean(elta, (p 1)) ; k = mo(m inverse, (p 1)) ; else 36 p prime = (p 1)/ ; elta prime = elta/; m prime = m/ ; 41 [r, inverse, t] = exteneeucliean(elta prime, (p 1)) ; k prime = mo((m prime inverse), p prime) ; for i=0: k = k prime + i p prime ; 46 gamma1 aux = square an multiply(alpha, k, p) ; 7

8 51 en en if(gamma1 aux == gamma1) break ; en %Fining secret key %IDEA : a gamma i = x i k i e l t a i 56 %Check gc( gamma i, p 1) = gc(gamma1, p 1) ; if( == 1) [r, inverse, t] = exteneeucliean(gamma1, (p 1)) ; a = mo(( inverse (m1 k elta1)), (p 1)) ; 61 else p prime = (p 1)/ ; x prime = (m1 k elta1)/; gamma prime = gamma1/ ; 66 [r, inverse, t] = exteneeucliean(gamma prime, p prime) ; a prime = mo(( x prime inverse), p prime) ; for i=0: 71 a = a prime + i p prime ; beta aux = square an multiply(alpha, a, p) if(beta aux == beta) break ; en 76 en en Problem 5 (Stinson, Problem 7.5) (a) A signature in the ElGamal Signature Scheme or the DSA is not allowe to have = 0. Show that if a messages were signe with a signature in which = 0, it woul be easy for an aversary to compute the secret key, a. (b) A signature in the DSA is not allowe ti have =0. Show that if a signature in which =0isknown, then the value of k use in that signature can be etermine. Given that value of k, show that it is now possible to forge a signature for any esire message (i.e. selective forgery can be carrie out.) 8

9 (a) ElGamal Signature Scheme In theelgamal Signature Scheme, a signature of a message x is efine by the following set of equations: = k (mo p) = (x a )k 1 (mo (p 1)) sign K (x, k) = (, ) (17) If, for a message x, we obtain signature (,0), then it follows: Equation (18) is satisfie when: =(x a )k 1 (mo q) 0 (mo (p 1)) (18) (p 1) k 1 or (p 1) (x a ) (19) If the first conition is satisfie, i.e. (p 1) k 1,thenk 1 woul not be a vali multiplicative inverse of k (mo (p 1)), since there oes not exist an integer k 2 Z p 1 such that k 0=1 (mo(p 1)). We therefore only consier the secon conition, when (p 1) (x a ). In orer to fin the private key a, we use the reminer theorem to rewrite the given conition as follows: x a = µ(p 1),µ2 Z (20) Equation (20) can be rewritten as follows: a =(x µ(p 1)) 1,µ2 Z (21) From equation (21), a unique private key a is foun by fining µ such that a =. DSA In DSA, a signature of a message x is efine by the following set of equations: = ( k (mo p)) (mo q) = (SHA-1(x)+a )k 1 (mo q) sign K (x, k) = (, ) (22) If, for a message x, we obtain the signature (,0), then it follows: Equation (23) is satisfie when: (SHA-1(x)+a )k 1 0 (mo q) (23) q k 1 or q (SHA-1(x)+a ) (24) Similarly to the case of the ElGamal Signature Scheme, if q k 1, then k 1 woul not be a vali multiplicative inverse of k (mo q), since there oes not exist an integer k 2 Z q such that k 0=1 (mo q). We therefore only consier the secon conition, when q (SHA-1(x) + a ). Again, using the remainer theorem, given conition can be rewritten as: Equation (25) can be rewritten as: (SHA-1(x)+a )=µq (25) a =(µq SHA-1(x)) 9 A unique private key a is foun from equation (26) by fining µ such that a =. 1 (26)

10 (b) If a signature of the message x, signe using DSA, is equal to (0, ), then it follows: Equation (27) can be rewritten as: 0 = ( k (mo p)) (mo q) = SHA-1(x)k 1 (mo q) (27) k = SHA-1(x) (mo q) (28) Knowing that q is a prime number, from equation (28), we obtain k as follows: k = 1 (SHA-1(x)) (mo q) (29) Now, choosing an arbitrary message y 6= x, an attacker can calculate SHA-1(y), an use the calculate hash to fin a vali signature for the forge message: = SHA-1(y)k 1 (mo q) (30) New forge signature is equal to (0, ), with efine by equation (30). A pair (y, (0, )) represents a vali message-signature pair an proves that an attacker is able to forge a signature for any message of his choice. Problem 6 (Stinson, Problem 7.8) We showe that using the same value k to sign two messages in the ElGamal Signature Scheme allows the scheme to be broken (i.e. an aversary can etermine the secret key without solving an instance of the Discrete Logarithm problem). Show how similar attacks can be carrie out for the Schnorr Signature Scheme an the DSA scheme. 10

11 The Schnorr Signature Scheme If a sener ecies to use the same value of k to sign two messages x 1 an x 2 : x 1 : 1 = h(x 1 k ) (mo p) 1 = k + a 1 (mo q) (31) x 2 : 2 = h(x 2 k ) (mo p) 2 = k + a 2 (mo q) (32) by combining the equations (31) an (32), we can write: 1 2 = a( 1 2 ) (mo q) (33) In orer to etermine the private key a, we first calculate gc (( 1 2 ),q). If gc (( 1 2 ),q) = 1, an then fin the private key using the following equation: a =( 1 2 )( 1 2 ) 1 (mo q) (34) If gc (( 1 2 ),q)=, > 1, we efine the following parameters: 0 0 = = q 0 = q an efine a new equation: Parameter a 0 is now foun as: From equation (37), the private key is foun as follows: A unique solution of a is foun by fining i, such that = a. (35) a 0 0 = 0 (mo q 0 ) (36) a 0 = (mo q 0 ) (37) a = a 0 + iq 0 (mo q), 0 apple i apple 1 (38) DSA If a sener ecies to sign two messages x 1 an x 2 using the same value of the ranom parameter k: x 1 : = ( k (mo p)) (mo q) 1 = (SHA-1(x 1 )+a )k 1 (mo q) (39) x 2 : = ( k (mo p)) (mo q) 2 = (SHA-1(x 2 )+a )k 1 (mo q) (40) Combining equations (39) an (40), we can write: ( 1 2 )k = SHA-1(x 1 ) SHA-1(x 2 ) (mo q) (41) 11

12 In orer to fin the private key a, we first compute gc (( 1 2 ),q). If gc (( 1 2 ),q) = 1, an then we fin the value of the ranom parameter k as follows: k = [SHA-1(x 1 ) SHA-1(x 2 )]( 1 2 ) 1 (mo q) (42) If gc (( 1 2 ),q)=, > 1, we efine the following parameters: 0 = 1 2 x 0 = [SHA-1(x 1) SHA-1(x 2 )] q 0 = q (43) an efine a new equation: k 0 0 = x 0 (mo q 0 ) (44) Using parameters (43), we fin the solution of k 0 as follows: k 0 = 0 1 x 0 (mo q 0 ) (45) From equation (45) we fin the value of the ranom parameter k as follows: k = 0 1 x 0 + iq 0 (mo q), 0 apple i apple ( 1) (46) We fin the private key a using the following equation: 1 = k + a 1 (mo q) (47) Since q is a prime number, from equation (46), we compute a as: a =( 1 k) 1 1 (mo q) (48) 12