Introduction to Modern Cryptography, Lecture 9

1
Introduction to Modern Cryptography, Lecture 9

• More about Digital Signatures and Identification

2
Comments on Homework assignment

• Takes too long to find primes
• Idea shorten the process by removing clear
  non-primes
• To generate a pair p,q, such that q is prime, p
  2q1 is prime, you must have an efficient way of
  removing non-primes
• Use a sieve compute candidate mod 2, mod 3, mod
  5, mod 997, only if all are non-zero then use
  more complex test.

3
There is an interactive (randomized) proof for
any statement in PSpace

• There is also a zero knowledge proof for any
  statement which has an interactive proof
• This is not very useful (practically) because the
  setting may require the prover to use exponential
  time

4
An example of an interactive proof for a
statement that does not seem to be in NP

• Graph non-isomorphism
• Two graphs G, and H, prover claims that they are
  not isomorphic
• How would a polytime machine verify that they are
  indeed not isomorphic?

5
Interactive proof for graph non-isomorphism

• Prover presents the two graphs

Verifier chooses one of the graphs at random,
performs a random permutation and asks the
prover which graph was chosen.
6
Interactive proof for graph 3 colorability

• Whats the point? Theres a non-interactive proof
  for graph 3-colorability.
• So, the point is that we can give a zero
  knowledge proof of graph 3 colorability

7
Non interactive proof of graph 3 colorability
8
Graph 3 colorability

• Imagine that the prover performs a random
  permuation of the colors
• The verifier can ask to see the colors assigned
  to two adjacent vertices
• The prover will now reveal these two colors
• Repeat

9
Why is this convincing?

• If the graph is three colorable then the prover
  can answer all the queries correctly
• If the graph is not three colorable, then with
  prob 1/E, the prover will be caught
• All the verifier learns is that the two vertices
  have different colors

10
What does this mean?

• Informally, weve shown that every problem in NP
  has an interactive zero knowledge proof.
• What would a proof be for Hamiltonian cycle?

11
Signatures vs. MACs

• Suppose parties A and B share the secret
• key K. Then M, MACK(M) convinces A that
• indeed M originated with B. But in case of
• dispute A cannot convince a judge that
• M, MACK (M) was sent by B, since A could
• generate it herself.

12
Identification Model

• Alice wishes to prove to Bob her identity in
  order to access a resource, obtain a service etc.
• Bob may ask the following
• Who are you? (prove that youre Alice)
• Who the is Alice?
• Eve wishes to impersonate Alice
• One time impersonation
• Full impersonation (identity theft)

13
Identification Scenarios

• Local identification
• Human authenticator
• Device
• Remote identification
• Human authenticator
• Corporate environment (e.g. LAN)
• E-commerce environment
• Cable TV/Satellite Pay-per-view
• subscription verification
• Remote login or e-mail from an internet cafe.

14
Initial Authentication

• The problem how does Alice initially convince
  anyone that shes Alice?
• The solution must often involve a real-world
  type of authentication id card, drivers
  license etc.
• Errors due to the human factor are numerous
• (example the Microsoft-Verisign fiasco).
• Even in scenarios where OK for Alice to be
  whoever she claims she is, may want to at least
  make sure Alice is human (implemented, e.g. for
  new users in Yahoo mail ).

15
Closed Environments

• The initial authentication problem is fully
  solved by a trusted party, Carol
• Carol can distribute the identification material
  in a secure fashion, e.g by hand, or over
  encrypted and authenticated lines
• Example a corporate environment
• Eves attack avenue is the Alice-Bob connection
• We begin by looking at remote authentication

16
Fiat-Shamir Scheme

• Initialization
• Set Up
• Basic Construction
• Improved Construction
• Zero Knowledge
• Removing Interaction

17
Initialization

• Bob gets from Carol Npq but not its
  factorization.
• Alice picks m numbers R1,R2,,Rm in ZN at
  random.
• Alice computes S1 R12 mod N , , Sm Rm2 mod N
  .
• Alice gives Bob S1,S2,,Sm .
• She keeps R1,R2,,Rm secret .

18
Set Up

• Bob holds S1,S2,,Sm .
• Alice keeps R1,R2,,Rm secret .
• Who is Alice? Anyone that convinces Bob she can
  
• produce square roots mod N of S1,S2,,Sm .
• A bad way to convince Bob Send him R1,R2,,Rm .
• Instead, we seek a method that will give Bob
  (and
• Eve) nothing more than being convinced Alice
  can
• produce these square roots (zero knowledge).

19
Basic Protocol

• Let S1 R12 such that Alice holds R1 .
• To convince Bob that Alice knows a square root
• mod N of S1 , Alice picks at random X1 in ZN ,
• computes Y1 X12 mod N, and sends Y1 to Bob.
• Alice I know both a square root mod N of Y1
  (X1)
• and a square root mod N of Y1 S1
  (X1 R1).
• Make a choice which of the two you
  want
• me to reveal.
• Bob flips a coin, outcome (heads/tails)
  determines
• the challenge he poses to Alice.

20
Basic Protocol (cont.)

• If Alice knows both a square root of Y1 (X1)
• and a square root of Y1 S1 (X1 R1) then she
  knows
• R1 (a square root of S1 ).
• Thus if Alice does not know a square root of S1
  ,
• Bob will catch her cheating with probability
  1/2.
• In the protocol, Alice will produce Y1,Y2,,Ym .
• Bob will flip m coins b1,b2,,bm as challenges.
• Bob accept only if Alice succeeds in all m cases.

21
Basic Protocol
Alice to Bob
Y1,Y2,,Ym
Bob to Alice (challenge)
b1,b2,,bm 1, 0, , 0
Alice to Bob (m response)
X1S1,X2, ,Xm
Bob accepts iff all m challenges are met.
22
Improved (more efficient) Protocol
Alice to Bob
Y1,Y2,,Ym
Bob to Alice (challenge)
b1,b2,,bm 1, 0, , 0
Alice to Bob (2 response)
Product of XiRi with bi1 Product of Xi
with bi0
Bob accepts iff challenges are met.
23
Correctness of Protocol (Intuition ONLY)

• A cheating Eve, without knowledge of Ris,
• will be caught with high probability.
• 2. Zero Knowledge
• By eavesdropping, Eve learns nothing
• (all she learns she can simulate on her own).
• Crucial ingredients
• 1. Interaction.
• 2. Randomness.

24
Removing randomization by Verifier
Alice to Bob
Let H be a secure hash function
Y1,Y2,,Ym
Bob to Alice (challenge)
b1b2bm H(Y1,Y2 ,,Ym) 1, 0, , 0
Alice to Bob (2 response)
Product of XiRi, bi1 Product of Xi, bi0
Bob accepts iff challenges are met.
25
What we have is a signature scheme
Alice to Bob
Let H be secure hash function
Y1,Y2,,Ym
b1b2bm H(M,Y1,Y2 ,,Ym) 1, 0, , 0
Alice to Bob
Message M Product of XiRi, bi1 Product of Xi,
bi0
Bob accepts iff challenges are met.
26
Final Improvement Remove Interaction
Alice to Bob
Let H be secure hash function
Y1,Y2,,Ym
Bob to Alice (challenge)
b1b2bm H(Y1,Y2 ,,Ym) 1, 0, , 0
Alice to Bob (2 response)
Product of XiRi, bi1 Product of Xi, bi0
Bob accepts iff challenges are met.
27
Correctness of Fiat-Shamir (Intuition ONLY)

• A cheating Eve, without knowledge of Ris,
• cannot succeed in producing Y1,Y2,,Ym
• that will be hashed to a convenient bit vector
• b1b2bm since m is too long and H behaves
• like a random function (so the chances of
• hitting a bit vector favourable to Eve are
• negligible).
• FS scheme used in practice.

28
El-Gamal Signature Scheme
Generation

• Pick a prime p of length 1024 bits such that DL
  in Zp is hard.
• Let g be a generator of Zp.
• Pick x in 2,p-2 at random.
• Compute ygx mod p.
• Public key p,g,y.
• Private key x.

29
El-Gamal Signature Scheme
Signing M

• Hash Let mH(M).
• Pick k in 1,p-2 relatively prime to
• p-1 at random.
• Compute rgk mod p.
• Compute s(m-rx)k-1 mod (p-1) ()
• Output r and s.

30
El-Gamal Signature Scheme
Verify M,r,s,PK

• Compute mH(M).
• Accept if 0ltrltp and yrrsgm mod p.
• else reject.
• Whats going on?
• By () s(m-rx)k-1 mod p-1, so skrxm. Now
  rgk so rsgks, and ygx so yrgrx, implying
  yrrsgm .

31
The Digital Signature Algorithm (DSA)

• Let p be an L bit prime such that the discrete
  log problem mod p is intractable
• Let q be a 160 bit prime that divides p-1
• Let a be a qth root of 1 modulo p.

How do we compute a?
32
The Digital Signature Algorithm (DSA)

• p prime, q prime, p-1 0 mod q, a 1(1/q)
  mod p
• Private key random 1 s q-1.
• Public key (p, q, a, ß as mod p)
• Signature on message M
• Choose a random 1 k p-1, secret!!
• Part II (SHA (M) s (PART I)) / k mod q
• Part I ((ak mod p) mod q

33
The Digital Signature Algorithm (DSA)

• p prime, q prime, p-1 0 mod q, a 1(1/q)
  mod p, Private key random 1 s q-1. Public
  key (p, q, a, ß as mod p). Signature on
  message M
• Choose a random 1 k p-1, secret!!
• Part I ((ak mod p) mod q
• Part II (SHA (M) s (PART I)) /k mod q
• Verification
• e1 SHA (M) / (PART II) mod q
• e2 (PART I) / (PART II) mod q
• OK if

34
The Digital Signature Algorithm
Homework 2 part II
Prove that if the signature is generated
correctly then the verification works
correctly. What happens if PART II of the
signature is 0?