Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes

Similar documents
Katz, Lindell Introduction to Modern Cryptrography

March 19: Zero-Knowledge (cont.) and Signatures

5199/IOC5063 Theory of Cryptology, 2014 Fall

George Danezis Microsoft Research, Cambridge, UK

Schnorr Signature. Schnorr Signature. October 31, 2012

Lecture 14 More on Digital Signatures and Variants. COSC-260 Codes and Ciphers Adam O Neill Adapted from

Digital signature schemes

GQ and Schnorr Identification Schemes: Proofs of Security against Impersonation under Active and Concurrent Attacks

1 Number Theory Basics

Dr George Danezis University College London, UK

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Digital Signatures. p1.

Introduction to Cybersecurity Cryptography (Part 5)

An Identification Scheme Based on KEA1 Assumption

Chapter 8 Public-key Cryptography and Digital Signatures

Lecture 7: ElGamal and Discrete Logarithms

Homework 3 Solutions

Lecture 1: Introduction to Public key cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Question: Total Points: Score:

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Digital Signatures. Adam O Neill based on

Cryptography IV: Asymmetric Ciphers

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Introduction to Cryptography Lecture 13

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Encryption: The RSA Public Key Cipher

Authentication. Chapter Message Authentication

Practical Verifiable Encryption and Decryption of Discrete Logarithms

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

CIS 551 / TCOM 401 Computer and Network Security

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Lecture 10 - MAC s continued, hash & MAC

Entity Authentication

Introduction to Elliptic Curve Cryptography

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Mathematics of Cryptography

Tightly-Secure Signatures From Lossy Identification Schemes

1 Basic Number Theory

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Exam Security January 19, :30 11:30

NUMBER THEORY AND CODES. Álvaro Pelayo WUSTL

Introduction to Modern Cryptography. Benny Chor

Notes on Zero Knowledge

ASYMMETRIC ENCRYPTION

Public Key Algorithms

On the Big Gap Between p and q in DSA

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Applied cryptography

CPSC 467b: Cryptography and Computer Security

basics of security/cryptography

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Introduction to Cybersecurity Cryptography (Part 4)

Public Key Cryptography

Cryptography CS 555. Topic 23: Zero-Knowledge Proof and Cryptographic Commitment. CS555 Topic 23 1

PAPER An Identification Scheme with Tight Reduction

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 16: Public Key Encryption:II

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Transitive Signatures Based on Non-adaptive Standard Signatures

14 Diffie-Hellman Key Agreement

Digital Signature Algorithm

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Lecture 10: Zero-Knowledge Proofs

Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits

Fast Signature Generation with a. Fiat Shamir { Like Scheme. Fachbereich Mathematik / Informatik. Abstract

Introduction to Modern Cryptography. Benny Chor

Montgomery-Suitable Cryptosystems

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

Week : Public Key Cryptosystem and Digital Signatures

Cryptography and Security Final Exam

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Public Key Cryptography

III. Authentication - identification protocols

Lecture 10. Public Key Cryptography: Encryption + Signatures. Identification

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Ti Secured communications

Introduction to Public-Key Cryptosystems:

Discrete Logarithm Problem

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Recent Advances in Identity-based Encryption Pairing-free Constructions

Security II: Cryptography exercises

RSA and Rabin Signatures Signcryption

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Digital Signatures from Challenge-Divided Σ-Protocols

CS483 Design and Analysis of Algorithms

Transcription:

Introduction to cryptology (GBIN8U16) More on discrete-logarithm based schemes Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 03 13 More on DH, Signatures 2018 03 13 1/16

Signatures: what? Objectives of a signature algorithm: Given (sk, pk) a key pair message m + secret key sk signature s = Ssk (m) message m + signature s + public key pk verified message V pk (m, s) Informal security objectives Given pk, it should be hard to find sk Given pk, it should be hard to forge signatures (Variant: given access to a signing oracle O(sk,pk), it should be hard to forge signatures) More on DH, Signatures 2018 03 13 2/16

Related: interactive proof of identity Objective of a proof of ID scheme: Publish public identification data α When challenged, prove knowledge of a secret related to α Example of a one-time scheme: 1 Let H be a preimage-resistant hash function, R a large set 2 The prover draws x $ R, computes and publishes X = H(x) 3 When challenged, reveals x Many-time variant: 1 Draw x $ R, compute and publish X = H N (x) 2 When challenged, reveal H N 1 (x), reset X = H N 1 (x) More on DH, Signatures 2018 03 13 3/16

A discrete-log based PoID scheme From last week s TD ( Schnorr): 1 Let G = g be a group with a hard DLP 2 The prover draws x $ R, computes and publishes X = g x 3 When challenged; draws r, sends R = g r 4 The verifier picks c and sends it 5 The prover computes a = r + cx and sends it 6 The verifier checks that RX c = g a This can be run many times, BUT r s should be random and never repeat! More on DH, Signatures 2018 03 13 4/16

From PoID to signature Differences between PoID and signatures: PoIDs are interactive (in the verification), signatures are not Signatures also involve a message One major observation: If the prover can convince that it doesn t control both R and c, interaction is unnecessary (Otherwise, nothing is proved) Fiat-Shamir transformation: generate c from R with a hash function More on DH, Signatures 2018 03 13 5/16

Schnorr signatures To sign a message m with the key (sk, pk) pair (x, X = g x ) 1 Pick r $ R and compute R = g r 2 Compute c = H(R, m) 3 Compute a = r + cx and output (c, a) as the signature of m To verify a signature: 1 Compute ˆR = g a /X c = g a /g cx 2 Check that c = H( ˆR, m) Important: r must (again) be random and not repeat! (Why?) More on DH, Signatures 2018 03 13 6/16

Remember randomness (always)! Figure: Not good for Schnorr signatures More on DH, Signatures 2018 03 13 7/16

Where are we with dlog? If G = g is a prime-order group where the DLP is hard (on average in the worst case (cf. TD)), then: Can do asymmetric key exchange Can do public-key signatures For signatures we also need Good hash functions Good pseudorandom number generation More on DH, Signatures 2018 03 13 8/16

Some comments on dlog attacks When G F p, the current dlog records are: p 768 bits (Kleinjung et al., 2017), using a Number Field Sieve (NFS) algorithm Took about 5300 core years p 1024 bits for a trapdoored prime (Fried et al., 2017), using a Special NFS (SNFS) algorithm Took about 385 core years Note: it may be hard to decide if a prime is trapdoored One nice (for an attacker) feature of (S)NFS: The largest part of the cost is a precomputation, then computing individual dlogs is very fast More on DH, Signatures 2018 03 13 9/16

Some more comments on dlog: small subgroup attack Consider a semi-static key exchange, Where one of g a or g b (say g b ) is fixed using g F p where F p has many small subgroups Then B must check that ĝ sent by A is in the correct group Otherwise, if ĝ b is in a small group of order N, a malicious A can learn b mod N... Then b mod N, etc. One way to easily prevent this: use p = 2q + 1, q a Sophie Germain prime Only a small subgroup of order 2 to check for in F p More on DH, Signatures 2018 03 13 10/16

What about implementation, though? We need to compute g x, for a large x (e.g. 256 bits) Cannot just do g g g... g 2 256 times! Notice that g g = g 2, g 2 g 2 = g 4, g 4 g 4 = g 16, etc. Also: g g 2 = g 3, g 2 g 16 = g 18, etc. Square & multiply algorithm More on DH, Signatures 2018 03 13 11/16

Square & multiply Square & multiply Input x, g Output g x 1 h = 1 2 While x 0 3 if (x&1) 4 h h g 5 g g g 6 x x 1 7 Return h Only log(x) iterations needed! (Problem here, runtime also depends on wt(x)) More on DH, Signatures 2018 03 13 12/16

Implementation: what else? We also need multiplication, addition in G If G F p modular arithmetic Require big number multiplication, (integer) division, remainders, addition split f as e.g. f0 + 2 64 f 1 + 2 128 f 2 +... Can use dedicated arithmetic for efficient primes More on DH, Signatures 2018 03 13 13/16

Implementation digression Consider p = 2 111 37, then 2 111 37 mod p a 2 111 a 37 mod p a 2 112 a 74 mod p a 2 28 b 2 84 ab 74 mod p a 2 56 b 2 56 ab 74 mod p etc. More on DH, Signatures 2018 03 13 14/16

Multiplication mod 2 111 37 Let f = f 0 + 2 28 f 1 + 2 56 f 2 + 2 84 f 3, g = g 0 + 2 28 g 1 + 2 56 g 2 + 2 84 g 3, set h0 = f 0 g 0 + 74f 1 g 3 + 74f 2 g 2 + 74f 3 g 1 h1 = f 0 g 1 + f 1 g 0 + 74f 2 g 3 + 74f 3 g 2 h2 = f 0 g 2 + f 1 g 1 + f 2 g 0 + 74f 3 g 3 h3 = f 0 g 3 + f 1 g 2 + f 2 g 1 + f 3 g 0 Then fg mod 2 111 37 = h 0 + 2 28 h 1 + 2 56 h 2 + 2 84 h 3 mod 2 111 37 To be complete: Have to reduce the hi s mod 2 28 (2 27 ) Have to ensure that all fi g j can be computed with, say, a 64 64 64 multiplier (in fact, desktop CPUs have 64 64 128 multipliers) Modular multiplication w/o explicit division More on DH, Signatures 2018 03 13 15/16

What next? In two weeks: Inversion in integer rings: extended Euclid algorithm The Chinese Remainder Theorem (CRT) How to do asymmetric key exchange, public key signatures differently: RSA More on DH, Signatures 2018 03 13 16/16

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback