Course Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week

Similar documents
Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Cryptography CS 555. Topic 4: Computational Security

Lecture 1: Introduction to Public key cryptography

Introduction to Cryptography. Lecture 8

Lecture 7: ElGamal and Discrete Logarithms

1 Number Theory Basics

Lecture 17: Constructions of Public-Key Encryption

Lecture 11: Key Agreement

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Information Security

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

14 Diffie-Hellman Key Agreement

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

CSC 5930/9010 Modern Cryptography: Number Theory

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture Notes, Week 6

Introduction to Elliptic Curve Cryptography. Anupam Datta

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Public-Key Cryptosystems CHAPTER 4

ASYMMETRIC ENCRYPTION

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Cryptography CS 555. Topic 13: HMACs and Generic Attacks

Lecture 11: Number Theoretic Assumptions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Discrete Logarithm Problem

Public Key Cryptography

Cryptography IV: Asymmetric Ciphers

G Advanced Cryptography April 10th, Lecture 11

Worksheets for GCSE Mathematics. Quadratics. mr-mathematics.com Maths Resources for Teachers. Algebra

One can use elliptic curves to factor integers, although probably not RSA moduli.

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Elliptic Curve Cryptography with Derive

Introduction to Cybersecurity Cryptography (Part 4)

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

CPSC 467b: Cryptography and Computer Security

8 Elliptic Curve Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Introduction to Cybersecurity Cryptography (Part 4)

Cryptography and Security Final Exam

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Classical RSA algorithm

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

CS 355: Topics in Cryptography Spring Problem Set 5.

Authentication. Chapter Message Authentication

Asymmetric Encryption

5.4 ElGamal - definition

CS259C, Final Paper: Discrete Log, CDH, and DDH

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Discrete logarithm and related schemes

Public-key Cryptography and elliptic curves

Cryptography and Security Midterm Exam

Computational Number Theory. Adam O Neill Based on

El Gamal A DDH based encryption scheme. Table of contents

The RSA Cryptosystem: Factoring the public modulus. Debdeep Mukhopadhyay

CPSC 467b: Cryptography and Computer Security

Cryptography: A Comparison of Public Key Systems

Number theory (Chapter 4)

10 Concrete candidates for public key crypto

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Notes for Lecture 17

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Homework 7 Solutions

CPSC 467b: Cryptography and Computer Security

Advanced Topics in Cryptography

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Factoring. there exists some 1 i < j l such that x i x j (mod p). (1) p gcd(x i x j, n).

Other Public-Key Cryptosystems

Public-key Cryptography and elliptic curves

Lecture 10 - MAC s continued, hash & MAC

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Public Key Cryptography

Security II: Cryptography exercises

CPSC 467: Cryptography and Computer Security

9 Knapsack Cryptography

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Discrete Logarithm Problem

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Public Key Algorithms

Topics in Cryptography. Lecture 5: Basic Number Theory

5199/IOC5063 Theory of Cryptology, 2014 Fall

Chapter 11 : Private-Key Encryption

Digital Signatures. Adam O Neill based on

Transcription:

Course Business Homework 3 Due Now Homework 4 Released Professor Blocki is travelling, but will be back next week 1

Cryptography CS 555 Week 11: Discrete Log/DDH Applications of DDH Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters Readings: Katz and Lindell Chapter 8.4 & Chapter 9 Fall 2017 2

Recap: Cyclic Group GG = gg = gg 0, gg 1, gg 2, (g is generator) If mm = GG then for each h GG and each integer xx 0 we have h xx = hxx mmmmmm mm Fact 1: Let p be a prime then Z pp is a cyclic group of order p-1. Fact 2: Number of generators g s.t. of gg = Z pp is Example (generator): p=7, g=5 <2>={1,5,4,6,2,3} φφ pp 1 pp 1 3

Recap: Cyclic Group GG = gg = gg 0, gg 1, gg 2, (g is generator) If mm = GG then for each h GG and each integer xx 0 we have h xx = hxx mmmmmm mm Fact 1: Let p be a prime then Z pp is a cyclic group of order p-1. Fact 2: Number of generators g s.t. of gg = Z pp is Proof: Suppose that gg = Z pp and let h = gg ii then φφ pp 1 h = gg 0, gg ii, gg 2ii mmmmmm (pp 1), gg 3ii mmmmmm (pp 1), Recall: iijj mmmmmm pp 1 : jj 0 = {0,, pp 1} if and only if gcd(i,p-1)=1. pp 1 4

Recap Diffie-Hellman Problems Computational Diffie-Hellman Problem (CDH) Attacker is given h 1 = gg xx 1 GG and h 2 = gg xx 2 GG. Attackers goal is to find gg xx 1xx 2 = h 1 xx 2 = h 2 xx 1 CDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most negl(n). Decisional Diffie-Hellman Problem (DDH) Let z 0 = gg xx 1xx 2 and let z 1 = gg rr, where x 1,x 2 and r are random Attacker is given gg xx 1, gg xx 2 and zz bb (for a random bit b) Attackers goal is to guess b DDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most ½ + negl(n). 5

Can we find a cyclic group where DDH holds? Example 1: Z pp where p is a random n-bit prime. CDH is believed to be hard DDH is *not* hard (You will prove this in homework 4 ) Theorem: LLLLLL p=rq+1 be a random n-bit prime where q is a large λλbit prime then the set of r th residues modulo p is a cyclic subgroup of order q. Then GG rr = [h rr mmmmmm pp] h Z pp is a cyclic subgroup of Z pp of order q. Remark 1: DDH is believed to hold for such a group Remark 2: It is easy to generate uniformly random elements of GG rr Remark 3: Any element (besides 1) is a generator of GG rr 6

Can we find a cyclic group where DDH holds? Theorem: LLLLLL p=rq+1 be a random n-bit prime where q is a large λλ-bit prime then the set of rth residues modulo p is a cyclic subgroup of order q. Then GG rr = [h rr mmmmmm pp] h Z pp is a cyclic subgroup of Z pp of order q. Closure: h rr gg rr = hgg rr Inverse of h rr is h 1 rr GG rr Size h rr xx = h [rrrr mmmmmm rrrr] = h rr xx = h rr[xx mmmmmm qq] = h rr [xx mmmmmm qq] mmmmmm pp Remark: Two known attacks on Discrete Log Problem for GG rr (Section 9.2). First runs in time OO qq = OO 2 λλ/2 Second runs in time 2 OO 3 nn log nn 2/3 7

Can we find a cyclic group where DDH holds? Remark: Two known attacks (Section 9.2). First runs in time OO qq = OO 2 λλ/2 Second runs in time 2 OO 3 nn log nn 2/3, where n is bit length of p Goal: Set λλ and n to balance attacks λλ = OO 3 nn log nn 2/3 How to sample p=rq+1? First sample a random λλ-bit prime q and Repeatedly check if rq+1 is prime for a random n- λλ bit value r 8

More groups where DDH holds? Elliptic Curves Example: Let p be a prime (p > 3) and let A, B be constants. Consider the equation yy 2 = xx 3 + AAAA + BB mmmmmm pp And let EE Z pp = xx, yy Z 2 pp yy 2 = xx 3 + AAAA + BB mmmmmm pp OO Note: OO is defined to be an additive identity xx, yy + OO = xx, yy What is xx 1, yy 1 + xx 2, yy 2? 9

Elliptic Curve Example xx 11, yy 11 xx 22, yy 22 (x 3,y 3 ) The line passing through xx 11, yy 11 and xx 22, yy 22 has the equation yy = mm xx xx 1 + yy 1 mmmmmm PP Where the slope mm = yy 1 yy 2 xx 1 xx 2 mmmmmm pp (x 3,-y 3 )= xx 11, yy 11 + xx 22, yy 22 10

Elliptic Curve Example xx 11, yy 11 xx 22, yy 22 (x 3,y 3 ) Formally, let mm = yy 1 yy 2 xx 1 xx 2 mmmmmm pp (x 3,-y 3 )= xx 11, yy 11 + xx 22, yy 22 xx 3 = [mm 2 xx 1 xx 2 mmmmmm pp] yy 3 = [mm xx 3 xx 1 + yy 1 mmmmmm pp] Be the slope. Then the line passing through xx 11, yy 11 and xx 22, yy 22 has the equation yy = mm xx xx 1 + yy 1 mmmmmm PP mm xx xx 1 + yy 2 1 = xx 3 + AAAA + BB mmmmmm pp 11

12

Elliptic Curve Example No third point R on the line intersects our elliptic curve. Thus, PP + QQ = OO 13

Summary: Elliptic Curves Elliptic Curves Example: Let p be a prime (p > 3) and let A, B be constants. Consider the equation yy 2 = xx 3 + AAAA + BB mmmmmm pp And let EE Z pp = xx, yy Z pp 2 yy 2 = xx 3 + AAAA + BB mmmmmm pp OO Fact: EE Z pp defines an abelian group For appropriate curves the DDH assumption is believed to hold If you make up your own curve there is a good chance it is broken NIST has a list of recommendations 14

Week 11: Topic 1: Discrete Logarithm Applications Diffie-Hellman Key Exchange Collision Resistant Hash Functions Password Authenticated Key Exchange 15

Diffie-Hellman Key Exchange 1. Alice picks xx AA and sends gg xx AA to Bob 2. Bob picks xx BB and sends gg xx BB to Alice 3. Alice and Bob can both compute KK AA,BB = gg xx BB xx AA 16

Key-Exchange Experiment KKKK eeeeee AA,Π nn : Two parties run Π to exchange secret messages (with security parameter 1 n ). Let trans be a transcript which contains all messages sent and let k be the secret key output by each party. Let b be a random bit and let k b = k if b=0; otherwise k b is sampled uniformly at random. Attacker A is given trans and k b (passive attacker). Attacker outputs b (KKKK eeeeee AA,Π nn =1 if and only if b=b ) Security of Π against an eavesdropping attacker: For all PPT A there is a negligible function negl such that Pr KKKK eeeeee AA,Π nn =½ + nnnnnnnn n. 17

Diffie-Hellman Key-Exchange is Secure Theorem: If the decisional Diffie-Hellman problem is hard relative to group generator GG then the Diffie-Hellman key-exchange protocol Π is secure in the presence of a (passive) eavesdropper (*). (*) Assuming keys are chosen uniformly at random from the cyclic group GG Protocol Π 1. Alice picks xx AA and sends gg xx AA to Bob 2. Bob picks xx BB and sends gg xx BB to Alice 3. Alice and Bob can both compute KK AA,BB = gg xx xx BB AA 18

Diffie-Hellman Assumptions Computational Diffie-Hellman Problem (CDH) Attacker is given h 1 = gg xx 1 GG and h 2 = gg xx 2 GG. Attackers goal is to find gg xx 1xx 2 = h 1 xx 2 = h 2 xx 1 CDH Assumption: For all PPT A there is a negligible function negl upper bounding the probability that A succeeds Decisional Diffie-Hellman Problem (DDH) Let z 0 = gg xx 1xx 2 and let z 1 = gg rr, where x 1,x 2 and r are random Attacker is given gg xx 1, gg xx 2 and zz bb (for a random bit b) Attackers goal is to guess b DDH Assumption: For all PPT A there is a negligible function negl such that A succeeds with probability at most ½ + negl(n). 19

Diffie-Hellman Key Exchange 1. Alice picks xx AA and sends gg xx AA to Bob 2. 3. Bob picks xx BB and sends gg xx BB to Alice Alice and Bob can both compute KK AA,BB = gg xx xx BB AA Intuition: Decisional Diffie-Hellman assumption implies that a passive attacker who observes gg xx AA and gg xx BB still cannot distinguish between KK AA,BB = gg xx BB xx AA and a random group element. Remark: Modified protocol sets KK AA,BB = HH gg xx xx BB AA. You will prove that this protocol is secure under the weaker CDH assumption in homework 4. 20

Diffie-Hellman Key-Exchange is Secure Theorem: If the decisional Diffie-Hellman problem is hard relative to group generator GG then the Diffie-Hellman key-exchange protocol Π is secure in the presence of an eavesdropper (*). Proof: Pr KKKK eeeeee AA,Π nn = 1 =½Pr KKKK eeeeee AA,Π nn = 1 bb = 1 + ½Pr KKKK eeeeee AA,Π nn = 1 bb = 0 =½Pr AA GG, gg, qq, gg xx, gg yy, gg xxxx = 1 + ½Pr AA GG, gg, qq, gg xx, gg yy, gg zz = 1 =½+½ Pr AA GG, gg, qq, gg xx, gg yy, gg xxxx = 1 Pr AA GG, gg, qq, gg xx, gg yy, gg zz = 1. ½ + ½negl(n) (by DDH) (*) Assuming keys are chosen uniformly at random from the cyclic group GG 21

Diffie-Hellman Key Exchange 1. Alice picks xx AA and sends gg xx AA to Bob 2. Bob picks xx BB and sends gg xx BB to Alice 3. Alice and Bob can both compute KK AA,BB = gg xx BB xx AA Intuition: Decisional Diffie-Hellman assumption implies that a passive attacker who observes gg xx AA and gg xx BB still cannot distinguish between KK AA,BB = gg xx BB xx AA and a random group element. Remark: The protocol is vulnerable against active attackers who can tamper with messages. 22

Man in the Middle Attack (MITM) 23

Man in the Middle Attack (MITM) 1. Alice picks xx AA and sends gg xx AA to Bob Mallory intercepts gg xx AA, picks xx EE and sends gg xx EE to Bob instead 2. Bob picks xx BB and sends gg xx BB to Alice 1. Mallory intercepts gg xx BB, picks xx EE and sends gg xx EEE to Alice instead 3. Eve computes gg xx EE xx AA and gg xx EE xx BB 1. Alice computes secret key gg xx xx EE AA (shared with Eve not Bob) 2. Bob computes gg xx xx EE BB(shared with Eve not Alice) 4. Mallory forwards messages between Alice and Bob (tampering with the messages if desired) 5. Neither Alice nor Bob can detect the attack 24

Discrete Log Experiment DLog A,G (n) 1. Run GG 1 nn to obtain a cyclic group GG of order q (with qq = nn) and a generator g such that < g >= GG. 2. Select h GG uniformly at random. 3. Attacker A is given GG, q, g, h and outputs integer x. 4. Attacker wins (DLog A,G (n)=1) if and only if g x =h. We say that the discrete log problem is hard relative to generator GG if PPPPPP AA μμ (negligible) s. t Pr DLog A,n = 1 μμ(nn) 25

Collision Resistant Hash Functions (CRHFs) Recall: not known how to build CRHFs from OWFs Can build collision resistant hash functions from Discrete Logarithm Assumption Let GG 1 nn output GG, qq, gg where GG is a cyclic group of order qq and g is a generator of the group. Suppose that discrete log problem is hard relative to generator GG. PPPPPP AA μμ (negligible) s. t Pr DLog A,n = 1 μμ(nn) 26

Collision Resistant Hash Functions Let GG 1 nn output GG, qq, gg where GG is a cyclic group of order qq and g is a generator of the group. Collision Resistant Hash Function (Gen,H): GGGGGG 1 nn 1. GG, qq, gg GG 1 nn 2. Select random h GG 3. Output s = GG, qq, gg, h HH ss xx 1, xx 2 = gg xx 1h xx 2 (where, xx 1, xx 2 Z qq ) Claim: (Gen,H) is collision resistant if the discrete log assumption holds for GG 27

Collision Resistant Hash Functions HH ss xx 1, xx 2 = gg xx 1h xx 2 (where, xx 1, xx 2 Z qq ) Claim: (Gen,H) is collision resistant Proof: Suppose we find a collision HH ss xx 1, xx 2 have gg xx 1h xx 2 = gg yy 1h yy 2 which implies h xx 2 yy 2 = gg yy 1 xx 1 = HH ss yy 1, yy 2 then we Use extended GCD to find xx 2 yy 2 1 mod q then h = h xx 2 yy 2 xx 2 yy 2 1 mmmmmm qq = gg yy 1 xx 1 xx 2 yy 2 1 mmmmmm qq Which means that yy 1 xx 1 xx 2 yy 2 1 mmmmmm qq is the discrete log of h. 28

Password Authenticated Key-Exchange Suppose Alice and Bob share a low-entropy password pwd and wish to communicate securely (without using any trusted party) Assuming an active attacker may try to mount a man-in-the-middle attack Can they do it? Tempting Approach: Alice and Bob both compute K= KDF(pwd)=HH nn (pwd) and communicate with using an authenticated encryption scheme. Practice Midterm Exam: Secure in random oracle model if attacker cannot query random oracle H(.) too many times. 29

Password Authenticated Key-Exchange Tempting Approach: Alice and Bob both compute K= KDF(pwd)=H n (pwd) and communicate with using an authenticated encryption scheme. Midterm Exam: Secure in random oracle model if attacker cannot query random oracle too many time. Problems: In practice the attacker can (and will) query the random oracle many times. In practice people tend to pick very weak passwords Brute-force attack: Attacker enumerates over a dictionary of passwords and attempts to decrypt messages with K pwd =KDF(pwd ) (only succeeds if K pwd =K). An offline attack (brute-force) will almost always succeed 30

Attempt 2 1. Alice picks xx AA and sends gg HH pppppp +xxxx to Bob 2. 3. Bob picks xx BB and sends gg HH pppppp +xx BB to Alice Alice and Bob can both compute KK AA,BB = HH gg xx xx BB AA 4. Alice picks random nonce rr AA and sends EEEEEE KKAA,BB rr AA to Bob 1. Enc is an authentication encryption scheme 5. Bob decrypts and sends rr AA to Alice Advantage: MITM Attacker cannot establish connection without password Disadvantage: Mallory could mount a brute-force attack after attempted MITM attack 31

Attempt 2: MITM Attack 1. Alice picks xx AA and sends gg HH pppppp +xxxx to Bob 2. Bob picks xx BB and sends gg HH pppppp +xx BB to Alice 1. Mallory intercepts gg HH pppppp +xxxx, picks xx EE and sends gg xx EE to Alice instead 3. Bob can both compute KK AA,BB = HH gg xx BB xx AA 1. Allice computes KK AA,BB = HH gg xx EE HH pppppp xx AA instead 4. Alice picks random nonce rr AA and sends c = EEEEEE KK AA,BB rr AA to Bob 1. Mallory intercepts EEEEEE KK AA,BB rr AA and proceeds to mount brute-force attack on password 5. For each password guess y 1. let KK yy = HH gg xx EE HH yy xx AA and 2. if DDDDDD KK AA,BB cc then output y Advantage: MITM Attacker cannot establish connection without password Disadvantage: Mallory could mount a brute-force attack on password after attempted MITM attack 32

Password Authenticated Key-Exchange (PAKE) Better Approach (PAKE): 1. Alice and Bob both compute W = gg pppppp 2. Alice picks xx AA and sends Alice", XX = gg xx AA to Bob 3. Bob picks xx computes r = H 1, AAAAAAAAAA, BBBBBB, XX and YY = message: "BBBBBB, " YY XX WW rr xx BB and sends Alice the following 4. Alice computes K = YY ZZ = gg xx BB where zz = 1 pppppp rr + xx AA mmmmmm pp. Alice sends the message V A = H(2,Alice,Bob,X,Y,K) to Bob. 5. Bob verifies that V A == H(2,Alice,Bob,X,Y,K) where K = gg xx BB. Bob generates V B = H(3,Alice,Bob,X,Y,K) and sends V B to Alice. 6. Alice verifies that V B ==H(3,Alice,Bob,X,Y, YY ZZ ) where zz = 1 pppppp rr + xx AA. 7. If Alice and Bob don t terminate the session key is H(4,Alice,Bob,X,Y, KK) Security: No offline attack (brute-force) is possible. Attacker get s one password guess per instantiation of the protocol. If attacker is incorrect and he tampers with messages then he will cause the Alice & Bob to quit. If Alice and Bob accept the secret key K and the attacker did not know/guess the password then K is just as good as a truly random secret key. See RFC 6628 33

Week 11: Topic 2: Factoring Algorithms, Discrete Log Attacks + NIST Recommendations for Concrete Security Parameters 34

Pollard s p-1 Algorithm (Factoring) Let NN = pppp where (p-1) has only small prime factors. Pollard s p-1 algorithm can factor N. Remark 1: This happens with very small probability if p is a random n bit prime. Remark 2: One convenient/fast way to generate big primes it to multiply many small primes, add 1 and test for primality. Example: 2 3 5 7 + 1 = 211 is prime Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N. 35

Pollard s p-1 Algorithm (Factoring) Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N. Proof: Suppose B=c(p-1) for some integer c and let yy = xx BB 1 mmmmmm NN Applying the Chinese Remainder Theorem we have yy xx BB 1 mod p, xx BB 1 mod q = 0, xx BB 1 mod q This means that p divides y, but q does not divide y (unless xx BB = 1 mod q, which is very unlikely). Thus, GCD(y,N) = p 36

Pollard s p-1 Algorithm (Factoring) Let NN = pppp where (p-1) has only small prime factors. Pollard s p-1 algorithm can factor N. Claim: Suppose we are given an integer B such that (p-1) divides B but (q-1) does not divide B then we can factor N. Goal: Find B such that (p-1) divides B but (q-1) does not divide B. Remark: This is difficult if (p-1) has a large prime factor. kk BB = pp ii nn/ log pp ii ii=1 37

Pollard s p-1 Algorithm (Factoring) Goal: Find B such that (p-1) divides B but (q-1) does not divide B. Remark: This is difficult if (p-1) has a large prime factor. kk Here p 1 =2,p 2 =3, BB = pp ii nn/ log pp ii ii=1 Fact: If (q-1) has prime factor larger than p k then (q-1) does not divide B. Fact: If (p-1) does not have prime factor larger than p k then (p-1) does divide B. 38

Pollard s p-1 Algorithm (Factoring) Option 1: To defeat this attack we can choose strong primes p and q A prime p is strong if (p-1) has a large prime factor Drawback: It takes more time to generate (provably) strong primes Option 2: A random prime is strong with high probability Current Consensus: Just pick a random prime 39

Pollard s Rho Algorithm General Purpose Factoring Algorithm Doesn t assume (p-1) has no large prime factor Goal: factor N=pq (product of two n-bit primes) Running time: OO 4 NN polyyyyyyyy(nn) Naïve Algorithm takes time OO NN polyyyyyyyy(nn) to factor Core idea: find distinct x, x Z NN such that xx = xx mod pp Implies that x-x is a multiple of p and, thus, GCD(x-x,N)=p (whp) 40

Pollard s Rho Algorithm General Purpose Factoring Algorithm Doesn t assume (p-1) has no large prime factor Running time: OO 4 NN polyyyyyyyy(nn) Core idea: find distinct x, x Z NN such that xx = xx mod pp Implies that x-x is a multiple of p and, thus, GCD(x-x,N)=p (whp) Question: If we pick k = O pp random xx (1),, xx (kk) Z NN then what is the probability that we can find distinct ii and jj such that xx (ii) = xx (jj) mod p? 41

Pollard s Rho Algorithm Question: If we pick k = O pp random xx (1),, xx (kk) Z NN then what is the probability that we can find distinct ii and jj such that xx (ii) = xx (jj) mod p? Answer: 1 2 Proof (sketch): Use the Chinese Remainder Theorem + Birthday Bound xx (ii) = xx (ii) mmmmmm pp, xx (ii) mmmmmm qq Note: We will also have xx (ii) xx jj mod q (whp) 42

Pollard s Rho Algorithm Question: If we pick k = O pp random xx (1),, xx (kk) Z NN then what is the probability that we can find distinct ii and jj such that xx (ii) = xx (jj) mod p? Answer: 1 2 Challenge: We do not know p or q so we cannot sort the xx (ii) s using the Chinese Remainder Theorem Representation xx (ii) = xx (ii) mmmmmm pp, xx (ii) mmmmmm qq How can we identify the pair ii and jj such that xx (ii) = xx (jj) mod p? 43

Pollard s Rho Algorithm Pollard s Rho Algorithm is similar the low-space version of the birthday attack Input: N (product of two n bit primes) xx (0) Z NN, x = x = xx (0) For i=1 to 2 nn/2 xx FF(xx) xx FF FF xx p = GCD(x-x,N) if 1< p < N return p Remark 1: F should have the property that if x=x mod p then F(x) = F(x ) mod p. Remark 2: FF xx = xx 2 + 1 mmmmmm NN will work since FF xx = xx 2 + 1 mmmmmm NN xx 2 + 1 mmmmmm pp, xx 2 + 1 mmmmmm qq FF xx mod pp mmmmmm pp, FF xx mod qq mmmmmm qq 44

Pollard s Rho Algorithm Pollard s Rho Algorithm is similar the low-space version of the birthday attack Input: N (product of two n bit primes) xx (0) Z NN, x = x = xx (0) For i=1 to 2 nn/2 xx FF(xx) xx FF FF xx p = GCD(x-x,N) if 1< p < N return p Claim: Let xx (ii+1) = FF xx (ii) and suppose that for some distinct i, j < 2 nn/2 we have xx (ii) = xx (jj) mod p but xx (ii) xx (jj). Then the algorithm will find p. Cycle length: i-j xx (3) mod p 45

Pollard s Rho Algorithm (Summary) General Purpose Factoring Algorithm Doesn t assume (p-1) has no large prime factor Expected Running Time: OO 4 NN polyyyyyyyy(nn) (Birthday Bound) (still exponential in number of bits ~2 nn/4 ) Required Space: OO log(nn) 46

Quadratic Sieve Algorithm Runs in sub-exponential time 2 OO log NN log log NN = 2OO nn log nn Still not polynomial time but 2 nn log nn grows much slower than 2 nn/4. Core Idea: Find x, y Z NN such that xx 2 = yy 2 mod NN and xx ±yy mod NN 47

Quadratic Sieve Algorithm Core Idea: Find x, y Z NN such that xx 2 = yy 2 mod NN (1) and xx ±yy mod NN 2 Claim: gcd(x-y,n) pp, qq N=pq divides xx 2 yy 2 = xx yy xx + yy. (by (1)). xx yy xx + yy 0 (by (2)). N does not divide xx yy (by (2)). N does not divide xx + yy. (by (2)). p is a factor of exactly one of the terms xx yy and xx + yy. (q is a factor of the other term) 48

Quadratic Sieve Algorithm Core Idea: Find x, y Z NN such that and Key Question: How to find such an x, y Z NN? Step 1: j=0; For x = NN + 1, NN + 2,, NN + ii, q xx 2 = yy 2 mod NN xx ±yy mod NN NN + ii 2 mmmmmm NN = 2ii NN + ii 2 mmmmmm NN Check if q is B-smooth (all prime factors of q are in {p 1,,p k } where p k < B). If q is B smooth then factor q, increment j and define kk ee q j qq = pp jj,ii ii, ii=1 49

Quadratic Sieve Algorithm Core Idea: Find x, y Z NN such that xx 2 = yy 2 mod NN and xx ±yy mod NN Key Question: How to find such an x, y Z NN? Step 2: Once we have l > kk equations of the form kk q j qq = pp ii ee jj,ii We can use linear algebra to find S such that for each ii kk we have ee jj,ii jj SS ii=1 = 0 mmmmmm 2., 50

Quadratic Sieve Algorithm Key Question: How to find x, y Z NN such that xx 2 = yy 2 mod NN and xx ±yy mod NN? Step 2: Once we have l > kk equations of the form kk q j qq = pp ii ee jj,ii We can use linear algebra to find a subset S such that for each i k we have Thus, q j jj SS kk ee jj,ii jj SS jj SS ee jj,ii = pp ii ii=1 ii=1 = 0 mmmmmm 2. kk 1 2 = pp jj SS ee jj,ii ii ii=1, 2 = yy 2 51

Quadratic Sieve Algorithm Key Question: How to find x, y Z NN such that xx 2 = yy 2 mod NN and xx ±yy mod NN? Thus, q j kk jj SS ee jj,ii = pp ii kk 1 2 = pp jj SS ee jj,ii ii 2 = yy 2 jj SS ii=1 ii=1 But we also have 2 q j = xx jj 2 = xx jj = xx 2 mmmmmm NN jj SS jj SS jj SS 52

Quadratic Sieve Algorithm (Summary) Appropriate parameter tuning yields sub-exponential time algorithm 2 OO log NN log log NN = 2OO nn log nn Still not polynomial time but 2 nn log nn grows much slower than 2 nn/4. 53

Discrete Log Attacks Pohlig-Hellman Algorithm Given a cyclic group GG of non-prime order q= GG =rp Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). Preference for prime order subgroups in cryptography Baby-step/Giant-Step Algorithm Solve discrete logarithm in time OO qq pppppppppppppp(qq) Pollard s Rho Algorithm Solve discrete logarithm in time OO Bonus: Constant memory! Index Calculus Algorithm Similar to quadratic sieve qq pppppppppppppp(qq) Runs in sub-exponential time 2 OO log qq log log qq Specific to the group Z pp (e.g., attack doesn t work elliptic-curves) 54

Discrete Log Attacks Pohlig-Hellman Algorithm Given a cyclic group GG of non-prime order q= GG =rp Reduce discrete log problem to discrete problem(s) for subgroup(s) of order p (or smaller). Preference for prime order subgroups in cryptography Let GG = gg and h = gg xx GG be given. For simplicity assume that r is prime and r < p. Observe that gg rr generates a subgroup of size p and that h r gg rr. Solve discrete log problem in subgroup gg rr with input h r. Find z such that h rz = gg rrzz. Observe that gg pp generates a subgroup of size p and that h p gg pp. Solve discrete log problem in subgroup gg pp with input h p. Find y such that h yp = gg yyyy. Chinese Remainder Theorem h = gg xx where x zz mod pp, [yy mod rr] 55

Baby-step/Giant-Step Algorithm Input: GG = gg of order q, generator g and h = gg xx GG Set tt = qq For i =0 to qq tt gg ii gg iiii Sort the pairs (i,g i ) by their second component For i =0 to tt h ii hgg ii if h ii = gggg gg 0,, gg tt then return [kt-i mod q] h ii = hgg ii = gg kkkk h = gg kkkk ii 56

Discrete Log Attacks Baby-step/Giant-Step Algorithm Solve discrete logarithm in time OO qq pppppppppppppp(qq) Requires memory OO qq pppppppppppppp(qq) Pollard s Rho Algorithm Solve discrete logarithm in time OO qq pppppppppppppp(qq) Bonus: Constant memory! Key Idea: Low-Space Birthday Attack (*) using our collision resistant hash function HH gg,h xx 1, xx 2 = gg xx 1h xx 2 HH gg,h yy 1, yy 2 = HH gg,h xx 1, xx 2 h yy 2 xx 2 = gg xx 1 yy 1 h = gg xx 1 yy 1 yy 2 xx 1 2 (*) A few small technical details to address 57

Discrete Log Attacks Baby-step/Giant-Step Algorithm Solve discrete logarithm in time OO qq pppppppppppppp(qq) Requires memory OO qq pppppppppppppp(qq) Pollard s Rho Algorithm Solve discrete logarithm in time OO qq pppppppppppppp(qq) Bonus: Constant memory! Key Idea: Low-Space Birthday Attack (*) HH gg,h xx 1, xx 2 = gg xx 1h xx 2 HH gg,h yy 1, yy 2 = HH gg,h xx 1, xx 2 h yy 2 xx 2 = gg xx 1 yy 1 h = gg xx 1 yy 1 (*) A few small technical details to address yy 2 xx 2 1 Remark: We used discrete-log problem to construct collision resistant hash functions. Security Reduction showed that attack on collision resistant hash function yields attack on discrete log. Generic attack on collision resistant hash functions (e.g., low space birthday attack) yields generic attack on discrete log. 58

Discrete Log Attacks Index Calculus Algorithm Similar to quadratic sieve Runs in sub-exponential time 2 OO log qq log log qq Specific to the group Z pp (e.g., attack doesn t work elliptic-curves) As before let {p 1,,p k } be set of prime numbers < B. Step 1.A: Find l > kk distinct values xx 1,, xx kk such that gg jj = gg xx jj mmmmmm pp is B-smooth for each j. That is kk gg jj = pp ii ee ii,jj ii=1. 59

Discrete Log Attacks As before let {p 1,,p k } be set of prime numbers < B. Step 1.A: Find l > kk distinct values xx 1,, xx kk such that gg jj = gg xx jj mmmmmm pp is B-smooth for each j. That is kk ee gg jj = pp ii,jj ii. ii=1 Step 1.B: Use linear algebra to solve the equations kk xx jj = llllll gg pp ii ee ii,jj mod (pp 1). ii=1 (Note: the llllll gg pp ii s are the unknowns) 60

Discrete Log As before let {p 1,,p k } be set of prime numbers < B. Step 1 (precomputation): Obtain y 1,,y k such that p i = gg yy ii mmmmmm pp. Step 2: Given discrete log challenge h=g x mod p. Find y such that gg yy h mod p is B-smooth gg yy h mod p = pp ii ee ii kk kk ii=1 = gg yy ii ee ii ii=1 = gg ii ee iiyy ii 61

Discrete Log As before let {p 1,,p k } be set of prime numbers < B. Step 1 (precomputation): Obtain y 1,,y k such that p i = gg yy ii mmmmmm pp. Step 2: Given discrete log challenge h=g x mod p. Find z such that gg zz h mod p is B-smooth gg zz h mod p = gg ii ee iiyy ii xx = ee ii yy ii ii h = gg ii ee iiyy ii Remark: Precomputation costs can be amortized over many discrete log instances In practice, the same group GG = gg and generator g are used repeatedly. zz zz Reference: https://www.weakdh.org/ 62

NIST Guidelines (Concrete Security) Best known attack against 1024 bit RSA takes time (approximately) 2 80 63

NIST Guidelines (Concrete Security) Diffie-Hellman uses subgroup of Z pp size q q=224 bits q=256 bits q=384 bits q=512 bits 64

65

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback