Leksion 9 Public Key Algorithms

of 18/18
8/12/2019 Leksion 9 Public Key Algorithms http://slidepdf.com/reader/full/leksion-9-public-key-algorithms 1/18 1 Public Key Algorithms II MsC, Ing. Ezmerina Kotobelli [email protected]
  • date post

    03-Jun-2018
  • Category

    Documents

  • view

    220
  • download

    0

Embed Size (px)

Transcript of Leksion 9 Public Key Algorithms

  • 8/12/2019 Leksion 9 Public Key Algorithms

    1/18

    1

    Public Key Algorithms II

    MsC, Ing. Ezmerina Kotobelli

    [email protected]

  • 8/12/2019 Leksion 9 Public Key Algorithms

    2/18

    2

    Overview

    Digital Signature Standard - DSS

    Zero-knowledge Proof Systems

  • 8/12/2019 Leksion 9 Public Key Algorithms

    3/18

    3

    Digital SignatureStandard (DSS)

    By NIST, designed by NSAo Proposed in 1991, approved in 1994

    o DSA algorithm

    o DSS standard

    Related to El Gamal

    Speeded up for signer rather than verifier: smart cards

    Controversy RSA vs. DSSo When DSS was proposed a lot of investments were made in

    RSA

    o DSS a royalty free standard

    o DSS key size initially 512 later 1024

    o Designed by NSA

  • 8/12/2019 Leksion 9 Public Key Algorithms

    4/18

    4

    DSS Algorithm

    Generate public:p (512 bit prime) and q (160 bit prime):

    p = kq + 1

    o This is a very expensive operation, but not often

    Generate publicg1:gq

    = 1 modpo Take a random h>1 getg = h(p-1)/q

    o Ifg = 1, chose another h

    Choose long-term public/private key pair , with

    random So T =gSmodp for S < q

  • 8/12/2019 Leksion 9 Public Key Algorithms

    5/18

    5

    DSS Algorithm (Contd)

    Choose a per message public/private key pair

    with random Sm for message m

    o Tm = (gSm modp) mod q

    o Calculate Sm-1

    mod q , so it wont need to be donein real time when signing a message

    Calculate a digest of the message dm = SHS (m)

    SHS a hashing function recommended by NIST for

    use with DSS. SHS hashes to 160 bits

  • 8/12/2019 Leksion 9 Public Key Algorithms

    6/18

    6

    DSS Algorithm (Contd)

    SignatureX = Sm-1 (dm + S Tm) mod q Transmit m, Tm, X

    Public key information T, p, q, andg are known

    beforehand

    Verify:

    o ComputeX-1 mod q

    o Compute dm

    o x = dmX-1

    mod qo y= TmX

    -1 mod q

    o z = (gx Ty modp) mod q

    o ifz = Tm, the signature is verified

  • 8/12/2019 Leksion 9 Public Key Algorithms

    7/18

    7

    Why Is DSS Secure

    No revealing of private key S

    Cant forge a signature without S

    No duplicate messages with matched signature

    Cant be tempered Need a per-message secret number (Sm)!

    o If Sm known, S can be computed

    o Two messages sharing the same Sm can reveal Sm, and

    thus S

  • 8/12/2019 Leksion 9 Public Key Algorithms

    8/18

    8

    Per message SecretNumber

    How is the private key exposed if the secret number

    per message is known? If Sm is known, one can compute:

    o (Xm Sm dm) Tm-1) mod q = S mod q

    How is the private key exposed when two messages

    share the same secret number?o If m and m are signed using the same Smo One can compute:

    (Xm X

    m)-1 ( d

    m- d

    m) mod q = S

    mmod q

    How to generate random numbers?

  • 8/12/2019 Leksion 9 Public Key Algorithms

    9/18

    9

    How Secure are RSAand Diffie-Hellman?

    The security of RSA is based on the difficulty of

    factoring The security of Diffie-Hellman is based on the

    difficulty of resolving discrete log problems

    It has been proved that they are equivalently difficult

    The best known algorithms to resolve them aresubexponencial but superpolynomial

    Thats why a larger key size is required (1024bits)

    compared to secret key (80 bits)

  • 8/12/2019 Leksion 9 Public Key Algorithms

    10/18

    10

    Elliptic CurveCryptography ECC

    No known subexponential algorithms to break ECC

    So it is secure with much smaller key improveperformance

    An elliptic curve is a set of points satisfying an

    equation of the form:

    y2 + ax + by = x3 + dx +eMathematical operation on two points in the set will

    always produce a point in the set

  • 8/12/2019 Leksion 9 Public Key Algorithms

    11/18

    11

    Zero-Knowledge Proofs

    Alice: I know the ingredients in McDonalds secret

    sauce

    Bob: No, you dont

    Alice: Yes, I do

    Bob: Prove it

    Alice: All right. Ill tell you. She whispers in Bobs

    ear

    Bob: Now I know it too. I will post in my web pageAlice: Oops

  • 8/12/2019 Leksion 9 Public Key Algorithms

    12/18

    12

    The Zero-knowledgeCave

  • 8/12/2019 Leksion 9 Public Key Algorithms

    13/18

    13

    The Zero-knowledgeCave

    1. Bob stands at point A

    2. Alice walks all the way into the cave, either to pointC or D

    3. Bob walks to point B

    4. Bob asks Alice to

    Come out of the left passage Come out of the right passage

    5. Alice complies by using the magic word to open the

    door C or D

    6. Bob and Alice repeat steps 1-5 n times.

  • 8/12/2019 Leksion 9 Public Key Algorithms

    14/18

    14

    Zero-knowledge ProofSystems

    Prove knowledge without revealing it

    RSA signatures

    Graph isomorphism: rename verticeso Alice: graphA andB ~A

    o Public key: graphsA,B

    o Private key: mapping between vertices

    o Alice: create Gi and sends to Bob

    o BobAlice: how did A orB Gi?o Zero-knowledge: Bob knows nothing about the mapping

    betweenA andB

    o Fred can generate Gi from eitherA orB, but not both

  • 8/12/2019 Leksion 9 Public Key Algorithms

    15/18

    15

    Zero-knowledgeProofs: Fiat-Shamir

    Alice: public key , n=pq, private keyso Alice selects random numbers, and computes v=s2 mod n

    Alice chooses k random numbers r1, , rkAlice sends ri

    2 mod n

    Bob chooses a random subset 1 of ri2, the rest is

    subseto For subset 1, Alice sendssri mod n, and Bob verifies (sri)

    2

    mod n = vri2 mod n

    o For subset 2, Alice simply sends ri mod n

    Finding square root mod n is hard

  • 8/12/2019 Leksion 9 Public Key Algorithms

    16/18

    16

    Fiat-Shamir (cont.)

    Suppose Fred wants to impersonate Alice

    Fred can computesquares mod n but cannot take

    square roots mod n

    Fred can send random r and compute r

    2

    , so he cangive correct answers for subset 2, but not for subset 1

    So what the purpose of subset 2? Why isnt the

    protocol simply that Alice sends pairs ( ri2, sri)?

  • 8/12/2019 Leksion 9 Public Key Algorithms

    17/18

    17

    Fiat-Shamir (cont.)

    If only (ri2, sri) was used

    o If Fred has overheard Alice providing (ri2, sri), he can

    impersonate Alice.

    But because both subsets are neededo Even if he knows subset 1 + answer and subset 2 +

    answer, the probability of having the new subset 1

    equal to subset 1 is very small

    o For each I the probability is 50%, for the whole subset(30) no chance to impersonate, on in ten billion

  • 8/12/2019 Leksion 9 Public Key Algorithms

    18/18

    18

    Summary

    Digital Signature Standard - DSS

    Zero-knowledge Proof Systems