1 / 16

Announcements: Presentations start Friday Cem Kaner presenting O167 10 th block today.

DTTF/NB479: Dszquphsbqiz Day 33. Announcements: Presentations start Friday Cem Kaner presenting O167 10 th block today. Questions? This week: DSA, Digital Cash. Birthday attacks on signatures. Mallory generates 2 groups of documents:

harrisa
Download Presentation

Announcements: Presentations start Friday Cem Kaner presenting O167 10 th block today.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. DTTF/NB479: Dszquphsbqiz Day 33 • Announcements: • Presentations start Friday • Cem Kaner presenting O167 10th block today. • Questions? • This week: • DSA, Digital Cash

  2. Birthday attacks on signatures • Mallory generates 2 groups of documents: • Want a match (m1, m2) between them such that h(m1) = h(m2) • Mallory sends (m1, h(m1)) to Alice, who returns signed copy: (m1, sig(h(m1)). • Mallory replaces m1 with m2 and uses sig(h(m1) as the signature. • The pair (m2, sig(h(m1)) looks like Alice’s valid signature! • Alice’s defense? What can she do to defend herself? r “fraudulent docs” r “good docs”

  3. Alice’s defense • She changes a random bit herself! • Note this changes her signature: (m1’, sig(h(m1’)) • Mallory is forced to generate another message with the same hash as this new document. • Good luck! • Lessons: • Birthday attacks essentially halve the number of bits of security. • So SHA-1 is still secure against them • Make a minor change to the document you sign!

  4. DSA: Digital Signature Algorithm • 1994 • Similar to ElGamal • Assume m is already hashed using SHA: so signing 160-bit message, m.

  5. DSA: Digital Signature Algorithm • Alice’s Setup: • m: 160-bit message • q: 160-bit prime • p: 512-bit prime, such that q is a factor of (p-1) • g: a primitive root of p. • a=g(p-1)/q (mod p) • Then aq = 1 (mod p). (Why?) • b = aa. Secret a, 0 < a < q-1 • Publishes: (p,q,a,b) • Sig = (r,s) • random k, 0 < k < q-1 • r = ak (mod p) • s = k-1(m + ar) (mod q) • Verify: • Compute u1 = s-1m, u2 = s-1r • Does (au1bu2 (mod p))(mod q) = r? q=17 p=103 g=2 a=?

  6. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq = 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? Verify that verification works Advantages over ElGamal? In ElGamal, if you could solve r = ak (mod p) by Pollig-Hellman, you’d have k. In DSA, (p-1) has a large factor, q. If you could solve the non-q factors, there would still be q possibilities for k. How many ints (mod p) give a specific int (mod q)? How hard is it to search for a 512-bit prime p = kq + 1 for some even number k? DSA: Digital Signature Algorithm

  7. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq = 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? Verify that verification works DSA: Digital Signature Algorithm

  8. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq = 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? Advantages over ElGamal? In ElGamal, if you could solve r = ak (mod p) by Pollig-Hellman, you’d have k. In DSA, (p-1) has a large factor, q. If you could solve the non-q factors, there would still be q possibilities for k. How many ints (mod p) give a specific int (mod q)? DSA: Digital Signature Algorithm q=17 p=103 g=2 a=64

  9. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq = 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? How hard is it to search for a 512-bit prime p = kq + 1 for some even number k? How do we search for primes? 1/115 of odd 100-digit numbers are prime. What fraction of odd 512-bit integers are prime? Recall our discussion of the density of primes DSA: Digital Signature Algorithm

  10. (Day 21) Using within a primality testing scheme n • Finding large probable primes • #primes < x = Density of primes: ~1/ln(x) For 100-digit numbers, ~1/230. So ~1/115 of odd 100-digit numbers are prime Can start with a random large odd number and iterate, applying M-R to remove composites. We’ll soon find one that is a likely prime. Odd? no div by other small primes? no Pass M-R? yes Prime by Factoring/advanced techn.? yes prime

  11. Alice’s Setup: m: 160-bit message q: 160-bit prime p: 512-bit prime, such that q is a factor of (p-1) g: a primitive root of p. a=g(p-1)/q (mod p) Then aq = 1 (mod p). (Why?) b = aa. Secret a, 0 < a < q-1 Publishes: (p,q,a,b) Sig = (r,s) random k, 0 < k < q-1 r = ak (mod p) s = k-1(m + ar) (mod q) Verify: Compute u1 = s-1m, u2 = s-1r Does (au1bu2 (mod p))(mod q) = r? Show that order of ops matters: Show for p=11, q=5, a=3, k=3, that (ak(mod p))(mod q) != (ak (mod q))(mod p) DSA: Digital Signature Algorithm

  12. Show me the money!

  13. Digital cash (chapter 11) • Want it to be electronic, like a credit card. • But what’s so attractive about cash (vs. a credit card)?

  14. Digital Cash: goals • Electronic: want speed and security • Can’t be counterfeited • Can a central bank just track electronic notes? • Then not anonymous! • Neither could transactions be done offline

  15. Digital Cash: goals • Electronic: want speed and security • Can’t be counterfeited • Anonymous: spender’s ID not disclosed to merchant • Payment done offline • Transferable • Divisible (can make change) Okimoto and Ohta: Universal electronic cash, In Proc. Advances in Computing – CRYPTO, 1991

More Related