# Leksion 9 Public Key Algorithms

date post

03-Jun-2018Category

## Documents

view

220download

0

Embed Size (px)

### Transcript of Leksion 9 Public Key Algorithms

8/12/2019 Leksion 9 Public Key Algorithms

1/18

1

Public Key Algorithms II

MsC, Ing. Ezmerina Kotobelli

8/12/2019 Leksion 9 Public Key Algorithms

2/18

2

Overview

Digital Signature Standard - DSS

Zero-knowledge Proof Systems

8/12/2019 Leksion 9 Public Key Algorithms

3/18

3

Digital SignatureStandard (DSS)

By NIST, designed by NSAo Proposed in 1991, approved in 1994

o DSA algorithm

o DSS standard

Related to El Gamal

Speeded up for signer rather than verifier: smart cards

Controversy RSA vs. DSSo When DSS was proposed a lot of investments were made in

RSA

o DSS a royalty free standard

o DSS key size initially 512 later 1024

o Designed by NSA

8/12/2019 Leksion 9 Public Key Algorithms

4/18

4

DSS Algorithm

Generate public:p (512 bit prime) and q (160 bit prime):

p = kq + 1

o This is a very expensive operation, but not often

Generate publicg1:gq

= 1 modpo Take a random h>1 getg = h(p-1)/q

o Ifg = 1, chose another h

Choose long-term public/private key pair , with

random So T =gSmodp for S < q

8/12/2019 Leksion 9 Public Key Algorithms

5/18

5

DSS Algorithm (Contd)

Choose a per message public/private key pair

with random Sm for message m

o Tm = (gSm modp) mod q

o Calculate Sm-1

mod q , so it wont need to be donein real time when signing a message

Calculate a digest of the message dm = SHS (m)

SHS a hashing function recommended by NIST for

use with DSS. SHS hashes to 160 bits

8/12/2019 Leksion 9 Public Key Algorithms

6/18

6

DSS Algorithm (Contd)

SignatureX = Sm-1 (dm + S Tm) mod q Transmit m, Tm, X

Public key information T, p, q, andg are known

beforehand

Verify:

o ComputeX-1 mod q

o Compute dm

o x = dmX-1

mod qo y= TmX

-1 mod q

o z = (gx Ty modp) mod q

o ifz = Tm, the signature is verified

8/12/2019 Leksion 9 Public Key Algorithms

7/18

7

Why Is DSS Secure

No revealing of private key S

Cant forge a signature without S

No duplicate messages with matched signature

Cant be tempered Need a per-message secret number (Sm)!

o If Sm known, S can be computed

o Two messages sharing the same Sm can reveal Sm, and

thus S

8/12/2019 Leksion 9 Public Key Algorithms

8/18

8

Per message SecretNumber

How is the private key exposed if the secret number

per message is known? If Sm is known, one can compute:

o (Xm Sm dm) Tm-1) mod q = S mod q

How is the private key exposed when two messages

share the same secret number?o If m and m are signed using the same Smo One can compute:

(Xm X

m)-1 ( d

m- d

m) mod q = S

mmod q

How to generate random numbers?

8/12/2019 Leksion 9 Public Key Algorithms

9/18

9

How Secure are RSAand Diffie-Hellman?

The security of RSA is based on the difficulty of

factoring The security of Diffie-Hellman is based on the

difficulty of resolving discrete log problems

It has been proved that they are equivalently difficult

The best known algorithms to resolve them aresubexponencial but superpolynomial

Thats why a larger key size is required (1024bits)

compared to secret key (80 bits)

8/12/2019 Leksion 9 Public Key Algorithms

10/18

10

Elliptic CurveCryptography ECC

No known subexponential algorithms to break ECC

So it is secure with much smaller key improveperformance

An elliptic curve is a set of points satisfying an

equation of the form:

y2 + ax + by = x3 + dx +eMathematical operation on two points in the set will

always produce a point in the set

8/12/2019 Leksion 9 Public Key Algorithms

11/18

11

Zero-Knowledge Proofs

Alice: I know the ingredients in McDonalds secret

sauce

Bob: No, you dont

Alice: Yes, I do

Bob: Prove it

Alice: All right. Ill tell you. She whispers in Bobs

ear

Bob: Now I know it too. I will post in my web pageAlice: Oops

8/12/2019 Leksion 9 Public Key Algorithms

12/18

12

The Zero-knowledgeCave

8/12/2019 Leksion 9 Public Key Algorithms

13/18

13

The Zero-knowledgeCave

1. Bob stands at point A

2. Alice walks all the way into the cave, either to pointC or D

3. Bob walks to point B

4. Bob asks Alice to

Come out of the left passage Come out of the right passage

5. Alice complies by using the magic word to open the

door C or D

6. Bob and Alice repeat steps 1-5 n times.

8/12/2019 Leksion 9 Public Key Algorithms

14/18

14

Zero-knowledge ProofSystems

Prove knowledge without revealing it

RSA signatures

Graph isomorphism: rename verticeso Alice: graphA andB ~A

o Public key: graphsA,B

o Private key: mapping between vertices

o Alice: create Gi and sends to Bob

o BobAlice: how did A orB Gi?o Zero-knowledge: Bob knows nothing about the mapping

betweenA andB

o Fred can generate Gi from eitherA orB, but not both

8/12/2019 Leksion 9 Public Key Algorithms

15/18

15

Zero-knowledgeProofs: Fiat-Shamir

Alice: public key , n=pq, private keyso Alice selects random numbers, and computes v=s2 mod n

Alice chooses k random numbers r1, , rkAlice sends ri

2 mod n

Bob chooses a random subset 1 of ri2, the rest is

subseto For subset 1, Alice sendssri mod n, and Bob verifies (sri)

2

mod n = vri2 mod n

o For subset 2, Alice simply sends ri mod n

Finding square root mod n is hard

8/12/2019 Leksion 9 Public Key Algorithms

16/18

16

Fiat-Shamir (cont.)

Suppose Fred wants to impersonate Alice

Fred can computesquares mod n but cannot take

square roots mod n

Fred can send random r and compute r

2

, so he cangive correct answers for subset 2, but not for subset 1

So what the purpose of subset 2? Why isnt the

protocol simply that Alice sends pairs ( ri2, sri)?

8/12/2019 Leksion 9 Public Key Algorithms

17/18

17

Fiat-Shamir (cont.)

If only (ri2, sri) was used

o If Fred has overheard Alice providing (ri2, sri), he can

impersonate Alice.

But because both subsets are neededo Even if he knows subset 1 + answer and subset 2 +

answer, the probability of having the new subset 1

equal to subset 1 is very small

o For each I the probability is 50%, for the whole subset(30) no chance to impersonate, on in ten billion

8/12/2019 Leksion 9 Public Key Algorithms

18/18

18

Summary

Digital Signature Standard - DSS

Zero-knowledge Proof Systems