Introduction to Cryptology (NS chapter 2) - PowerPoint PPT Presentation
Computer and Network Security, CMSC414


2/6/2009 shankar

Slide 1: Computer and Network Security, CMSC414
CRYPTO
Udaya Shankar
shankar@cs.umd.edu

Slide 2: Introduction to Cryptology (NS chapter 2)
  • Encryption: plaintext + key → ciphertext
  • Decryption: plaintext ← ciphertext + same/related key
  • Key is secret. Encryption/decryption algorithms are not secret.
  • Given plaintext and ciphertext, it must be computationally hard to get the key.
  • Attacks depend on what is available:
    ▪ Ciphertext available: search key/plaintext space, replay, …
    ▪ Plaintext-ciphertext pairs available: …
    ▪ Chosen plaintext-ciphertext pairs available: …
  • Types of cryptographic functions:
    ▪ Secret key (symmetric key): DES, AES, …
    ▪ Public key (asymmetric): RSA, DH (Diffie-Hellman), …
    ▪ Hash functions (of cryptographic kind): MD5, SHA-1, … (both now broken for collision resistance; SHA-2/SHA-3 are used today)

Slide 3: Secret-key (symmetric) crypto
  • Single key: used in encryption and in decryption.
  • Ciphertext about the same length as plaintext.
  • Provides confidentiality over insecure channel/storage:
    ▪ A and B share secret key K
    ▪ A sends K(plaintext).
    ▪ B receives and decrypts using K.
  • Provides authentication over insecure channel:
    ▪ A and B share secret key K
    ▪ A sends random number rA to B, and expects K(rA) back
    ▪ B sends random number rB to A, and expects K(rB) back
    ▪ This particular one is flawed: an attacker who opens a second connection to A can send rA back as its own challenge, get K(rA) from A, and use it to impersonate B (reflection attack).
  • Provides integrity over insecure channel:
    ▪ A and B share secret key K
    ▪ A sends plaintext and part of K(plaintext) to B, e.g., last 128 bits
    ▪ Called MAC (message authentication code) or MIC (message integrity code)
    ▪ B receives plaintext, computes its MAC and checks against received MAC
    ▪ This particular protocol provides attacker with plaintext-ciphertext pairs

Slide 4: Hashing (of cryptographic kind)
  • Hash function H(.) transforms plaintext msg of arbitrary length to fixed-length hash H(msg)
  • Easy to compute H(msg) from msg
  • Not easy to find msg1 and msg2 such that H(msg1) = H(msg2)
  • Keyed hashing: hash msg along with a shared secret S, e.g., H(msg|S)
  • Keyed hashing provides all the capabilities of secret-key crypto.
  • Integrity: send msg and H(msg|S) as MAC.
  • Confidentiality: generate sequence C0, C1, C2, …, where C0 is random and C(i+1) = H(Ci|S); to encrypt an arbitrary-length message, XOR it with the sequence.
  • So to send message = [M1, M2, …], send [C0, M1⊕C1, M2⊕C2, …]
Slide 5: Public key (asymmetric) crypto
  • Each principal has two related keys:
    ▪ private key (not shared)
    ▪ public key (shared with world).
  • Plaintext encrypted with one can only be decrypted with the other.
  • Confidentiality:
    ▪ B transmits pubkeyA(plaintext). A decrypts using privkeyA.
  • Integrity and digital signature (non-repudiation):
    ▪ A transmits privkeyA(plaintext)
    ▪ Anyone with pubkeyA can decrypt it and be assured that it could only have been sent by A.
  • But public-key crypto is orders of magnitude slower than secret-key crypto/hashing, so it is used in conjunction with the latter.
  • To sign a message: sign the hash of the message.
  • To encrypt or integrity-protect a message:
    ▪ First use public-key crypto to establish a per-session secret; e.g., B creates per-session key K and sends pubkeyA(K) to A
    ▪ Then use secret-key crypto or keyed hashing.

Slide 6: Secret Key Crypto (NS chapter 3)
  • Consider message of k bits here. Variable-length message addressed later.
  • Fixed-length message and fixed-length key → message-length output
  • DES: 64-bit message, 56-bit key
  • If key length j is too small, insecure. If j is too large, expensive.
  • Want function S mapping k-bit msg to k-bit output such that:
    ▪ For decryption, S must be a 1-1 mapping from the 2^k inputs to the 2^k outputs (a permutation of the k-bit strings).
    ▪ For security, S must be "random": even if msg1 and msg2 differ in just one bit, S(msg1) and S(msg2) differ in many bits (approx k/2 bits).
  • So S cannot be a "simple" function; so the following are no good:
    ▪ S(msg) = msg ⊕ key
    ▪ S(msg) = msg bits in reverse order

Slide 7: Secret Key Crypto (contd.)
  • "Substitution" table: random permutation of all k-bit strings.
    ▪ S(i) is the ith row of the table
    ▪ Table obtained with physical-world randomness (e.g., coin toss).
    ▪ Pro: S is perfectly random
    ▪ Con: need to store a table of size k·2^k bits. Impractical for k = 64
  • Deterministic algorithm that produces "random looking" output. Want each output bit to be "influenced" by all input bits.
  • Approach: mix permutations and substitutions
    (1) Divide k-bit block into p-bit blocks for reasonably small p (e.g., p = 8).
    (2) Use p-bit-to-p-bit substitution tables (2^p entries each) to "garble" the p-bit blocks.
    (3) Concatenate the p-bit output blocks to get a k-bit block and permute to get the garbled k-bit output block.
    ▪ Repeat (1), (2), (3) for n rounds, where n is large enough to get good scrambling.
  • Decryption, i.e., reversing, is no more expensive. Often can be done with the same algorithm/hardware.

Slide 8: DES
  • 64-bit input → initial permutation → 64-bit intermediate
  • Generate 16 48-bit keys K1, K2, ..., K16 from the 56-bit key
  • Round n, n = 0, 1, ..., 15, uses K(n+1) and the 64-bit output of the previous round
  • Swap left and right halves
  • Final permutation (inverse of initial permutation) → 64-bit output
  • The final permutation is the inverse of the initial permutation. Not of security value (why? what does this mean?)

Slide 9: DES: Generation of K1, K2, ..., K16
  • Permute the 56-bit key, split to form two 28-bit parts C0 and D0.
  • Rotate each part left by 1 bit in rounds 1, 2, 9, 16 and by 2 bits in the other rounds, giving Ci, Di.
  • Each part: permute, drop some bits to form a 24-bit chunk. Join the two chunks to form one 48-bit key Ki.
  • Repeat 16 times to get Ci, Di, Ki for i = 1, …, 16.

Slide 10: DES encryption round
  • 64-bit input L(n) | R(n), round key K(n+1), n = 0, …, 15
  • L(n+1) = R(n)
  • R(n+1) = L(n) ⊕ Mangler(R(n), K(n+1))
  • 64-bit output L(n+1) | R(n+1)
  • DES decryption round: given R(n+1) | L(n+1) → R(n) | L(n): same as encryption with arrows reversed except for the mangler function, which is computed in the forward direction both times (so it need not be invertible).

Slide 11: DES: decryption = encryption with Ki's in reverse order
  Encryption (key order K1, ..., K16):
    a1: L0 | R0 ← iperm(dblk);
    a2: for n = 0, …, 15 do
    a3:   L(n+1) ← R(n);
    a4:   R(n+1) ← Mangler(R(n), K(n+1)) ⊕ L(n);
        // Yields L16 | R16
    a5: L17 | R17 ← R16 | L16;                       // swap halves
    a6: cblk ← ipermInv(R16 | L16);
  Decryption (key order K16, …, K1):
    b1: R16 | L16 ← iperm(cblk);                     // a6 backward
    b2: for n = 15, …, 0 do                          // a2 backward
    b3:   R(n) ← L(n+1);                             // a3 backward
    b4:   L(n) ← Mangler(R(n), K(n+1)) ⊕ R(n+1);     // a4 backward: sets L(n) to X such that R(n+1) = Mangler(R(n), K(n+1)) ⊕ X
        // Yields R0 | L0
    b5: L0 | R0 ← swap(R0 | L0);                     // a5 backward
    b6: dblk ← ipermInv(L0 | R0);                    // a1 backward
Slide 12: DES: Mangler function
  • Input: 32-bit R and 48-bit round key K → expansion → ⊕ → S-boxes → permutation → 32-bit output
  • 32-bit R is expanded into 8 6-bit chunks (duplicating some bits), i.e., 48 bits
  • 48-bit K is split up into 8 6-bit chunks
  • chunk i of R ⊕ chunk i of K
  • Put the 6-bit result into S-box i (a different table for each of the 8 chunks; the same eight tables are used in every round)
  • Output of each S-box is a 4-bit chunk
  • All chunks concatenated and permuted to get the 32-bit output

Slide 13: DES: Weak and semi-weak keys
  • Weak keys: generate C0 = D0 = all ones or all zeros (four such keys).
  • Semi-weak keys: generate C0 and D0 of alternating 0 and 1 (twelve such keys, forming six pairs).
  • Theorem: if x is a weak key, then Ex(Ex(b)) = b for every block b.
  • Proof:
    A weak DES key has each of C0 and D0 all ones or all zeroes.
    Since each Ci is a rotation of C0, each Ci is the same as C0.
    Since each Di is a rotation of D0, each Di is the same as D0.
    Each per-round key Ki depends only on Ci and Di.
    So the per-round keys K1, ..., K16 are all equal to each other.
    So the key sequence K1, ..., K16 (used in encryption) is the same as the key sequence K16, ..., K1 (used in decryption).
    So encryption and decryption are the same, i.e., Ex(b) = Dx(b).
    So Ex(Ex(b)) = b.

Slide 14: DES: Weak and semi-weak keys (contd.)
  • Theorem: if x is a semi-weak key, then there is another semi-weak key y such that Ex(b) = Dy(b) for every block b.
  • Proof:
    Let <K1(x), ..., K16(x)> be the per-round keys obtained from x.
    Show that there is another semi-weak key y such that <K1(x), ..., K16(x)> = <K16(y), ..., K1(y)>.
    Hence for any block b: Ex(b) = Dy(b).

Slide 15: Multiple Encryption DES (EDE or 3DES)
  • Makes DES more secure
  • Encryption: encrypt key1 → decrypt key2 → encrypt key1
  • Decryption: decrypt key1 → encrypt key2 → decrypt key1
  • EE (encrypting twice) with the same key is not effective: the key is still 56 bits, so exhaustive search costs the same (each trial just does two DES operations). (DES is not a group, so double encryption is in general not a single-DES encryption under some other key; the point is only that the key space is not enlarged.)
  • EE with key1 and key2 is not so good either:
    ▪ Given <m1,c1>, <m2,c2>, ..., there is a meet-in-the-middle attack that requires about 2^56 storage and about 2^57 DES operations, not 2^112.
    ▪ Table A with 2^56 entries <key Ki, E(Ki, m1)>, sorted by column 2.
    ▪ Table B with 2^56 entries <key Ki, D(Ki, c1)>, sorted by column 2.
    ▪ Do a join of Table A and Table B on column 2.
    ▪ Each match provides a candidate <KA, KB> for <key1, key2>.
    ▪ Use <m2,c2>, etc. to weed out false candidates.
  • Beyond DES, later ciphers offer:
    ▪ different sizes of keys (64, 128, …)
    ▪ different data block sizes (…, 64, 128, …)
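Added example, not code from the slides, covering two points from slides 11 and 15: a toy 4-round Feistel cipher (16-bit block, 10-bit key, a deliberately non-invertible mangler) whose decryption is the same network run with the round keys in reverse order, and the meet-in-the-middle attack that recovers both keys of double encryption with two tables of 2^10 entries instead of a 2^20 search. The S-box, key schedule, keys, plaintexts and function names are all constructed for this example.

```python
"""Toy Feistel cipher (16-bit block, 10-bit key, 4 rounds) used to show
(1) decryption = encryption with the round keys in reverse order, and
(2) the meet-in-the-middle attack on double encryption."""
from collections import defaultdict

ROUNDS = 4
KEY_BITS = 10                                  # tiny key so the attack runs instantly
KEY_SPACE = range(1 << KEY_BITS)

# Deliberately non-invertible "S-box": x -> 3x^2 + 7x + 1 mod 256.
SBOX = [(3 * x * x + 7 * x + 1) & 0xFF for x in range(256)]


def round_keys(key):
    """Toy key schedule: round key i is the 10-bit key rotated left by i."""
    mask = (1 << KEY_BITS) - 1
    return [((key << i) | (key >> (KEY_BITS - i))) & mask for i in range(ROUNDS)]


def mangler(r, k):
    """Round function F(R, K). It is never inverted, so it need not be 1-1."""
    return (SBOX[(r + (k & 0xFF)) & 0xFF] ^ (k >> 2)) & 0xFF


def feistel(block, keys):
    """L(n+1) = R(n); R(n+1) = L(n) xor F(R(n), K(n+1)); halves swapped at the end."""
    left, right = block >> 8, block & 0xFF
    for k in keys:
        left, right = right, left ^ mangler(right, k)
    return (right << 8) | left


def encrypt(key, block):
    return feistel(block, round_keys(key))


def decrypt(key, block):
    # Same network, keys reversed: each round undoes the matching encryption round.
    return feistel(block, round_keys(key)[::-1])


def double_encrypt(k1, k2, block):
    """EE: encrypt under k1, then under k2 (nominally a 20-bit key)."""
    return encrypt(k2, encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Recover candidate (k1, k2) from known <m, c> pairs with about 2 * 2^KEY_BITS
    cipher operations and a 2^KEY_BITS-entry table instead of 2^(2*KEY_BITS) trials."""
    m1, c1 = pairs[0]
    table = defaultdict(list)                  # Table A: E(k, m1) -> keys k
    for k in KEY_SPACE:
        table[encrypt(k, m1)].append(k)
    candidates = [(k1, k2) for k2 in KEY_SPACE            # Table B joined with A
                  for k1 in table.get(decrypt(k2, c1), ())]
    # Weed out false candidates with the remaining pairs.
    return [(k1, k2) for k1, k2 in candidates
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:])]


# Constructed demo: an attacker who captured three plaintext/ciphertext pairs.
TRUE_K1, TRUE_K2 = 0x2B7, 0x19C
PAIRS = [(m, double_encrypt(TRUE_K1, TRUE_K2, m)) for m in (0x1234, 0xBEEF, 0x0042)]

if __name__ == "__main__":
    print("roundtrip ok:", decrypt(TRUE_K1, encrypt(TRUE_K1, 0xABCD)) == 0xABCD)
    print("recovered:", [(hex(a), hex(b)) for a, b in meet_in_the_middle(PAIRS)])
```

With a 16-bit block and two 10-bit keys, the join on the first pair leaves roughly 2^20 / 2^16 = 16 candidates; the second and third pairs weed out the false ones. The same arithmetic with DES (2^112 / 2^64 = 2^48 survivors after one pair, 2^48 / 2^64 after two) is why the slide uses several pairs.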

Slide 16: RC4 encryption algorithm
  • Stream cipher (one-time-pad style), can use a variable-length key.
  • Keystream independent of plaintext
  • State: S-box S[0..255], a key-dependent permutation of 0..255, plus two byte counters i and j
  Key setup:
    byte S[0..255] ← 0..255;              // S[i] = i
    byte K[0..255] ← key | key | …;       // key repeated to fill 256 bytes
    j ← 0;
    for i = 0 to 255 do
      j ← (j + S[i] + K[i]) mod 256;
      swap S[i] and S[j];
    i ← 0; j ← 0;                         // counters reset before generating keystream
  Keystream generation (one byte per call):
    i ← (i + 1) mod 256;
    j ← (j + S[i]) mod 256;
    swap S[i] and S[j];
    return S[(S[i] + S[j]) mod 256];
  • Each keystream byte is ⊕'d with plaintext/ciphertext for encrypt/decrypt
  • (RC4 is deprecated today: its keystream has measurable biases, and RFC 7465 prohibits it in TLS.)
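RC4 as in the pseudocode above, plus the consequence of the "one-time pad" remark: with a single known plaintext/ciphertext pair an attacker recovers the keystream and can then encrypt a message of its own under the same key, and two messages under the same keystream leak their XOR. Added example, not code from the slides; the expected ciphertexts are the published RC4 test vectors (key "Key"/plaintext "Plaintext", key "Wiki"/plaintext "pedia"); function names are this example's own.

```python
"""RC4 (KSA + PRGA) and the keystream-reuse problem of any one-time-pad-style
stream cipher. Added example; the KSA/PRGA follow the slide's pseudocode."""


def rc4_keystream(key):
    """Generator yielding RC4 keystream bytes for `key` (1..256 bytes)."""
    S = list(range(256))                      # S[i] = i
    j = 0
    for i in range(256):                      # key scheduling: key-driven swaps
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0                                 # counters reset before generation
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key, data):
    """Encrypt or decrypt: XOR data with the keystream (same operation both ways)."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def recover_keystream(plaintext, ciphertext):
    """Known-plaintext attack: pad = plaintext xor ciphertext."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def forge(known_plaintext, ciphertext, new_plaintext):
    """With one <plaintext, ciphertext> pair under a key, an attacker can encrypt
    any message up to that length without knowing the key."""
    pad = recover_keystream(known_plaintext, ciphertext)
    assert len(new_plaintext) <= len(pad), "only as many bytes as were observed"
    return bytes(p ^ k for p, k in zip(new_plaintext, pad))


def xor_of_plaintexts(c1, c2):
    """Two messages under the same keystream leak p1 xor p2 (the key cancels)."""
    return bytes(a ^ b for a, b in zip(c1, c2))


if __name__ == "__main__":
    key = b"Key"                                     # published test-vector key
    ct = rc4(key, b"Plaintext")
    print(ct.hex())                                  # bbf316e8d940af0ad3
    print(rc4(key, ct))                              # b'Plaintext'
    forged = forge(b"Plaintext", ct, b"Attack!!!")   # attacker never saw the key
    print(rc4(key, forged))                          # b'Attack!!!'
```

The forgery works against any stream cipher used without a MAC, which is the "Attacker with <plaintext, ciphertext> can obtain Bi's" point made for OFB on slide 19; an RC4 key (or an OFB IV) must therefore never be reused across messages, and integrity needs a separate MAC.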

Slide 17: Encrypting Large Messages (NS chapter 4)
  • Approach:
    ▪ Pad the message to a multiple number of blocks: M1, M2, …, Mn
    ▪ Use block encryption repeatedly to get ciphertext C1, C2, …, Cn
  • Desired properties:
    ▪ Same Mi's get encrypted to different Ci's
    ▪ Repeated encryptions of the same msg result in different ciphertexts.
    ▪ Ciphertext cannot be changed to cause a predictable change to the decrypted plaintext.
  • Modes: ECB, CBC, CFB, OFB, CTR, others

Electronic Code Book (ECB)
  • Obvious approach: encrypt/decrypt each block independently
  • Encryption: Ci = EK(Mi)
  • Decryption: Mi = DK(Ci)
  • Not good: repeated blocks get the same cipher block

Slide 18: Cipher Block Chaining (CBC)
  • Ci = EK(Mi ⊕ C(i-1)), where C0 is a random IV (initialization vector)
  • Transmit IV and C1, ..., Cn
  • Decryption: reverse the arrows and change EK to DK: Mi = DK(Ci) ⊕ C(i-1), where C0 is IV
  • Intuition: each Mi is ⊕'d with a "random" Ri obtained from C(i-1) before encryption, so equal plaintext blocks give different cipher blocks
  • Threat: modify Ci: garbles Mi unpredictably and changes M(i+1) predictably (the bits flipped in Ci are flipped in M(i+1)); other Mj's unchanged. Can use a CRC to overcome this.
  • Threat: exchanging cipher blocks can counteract a CRC to some extent
  (Diagram: M1 ⊕ IV → EK → C1; M2 ⊕ C1 → EK → C2; …; Mn ⊕ C(n-1) → EK → Cn)

Slide 19: Output Feedback Mode (OFB)
  64-bit OFB:
  • Generate stream cipher B0, B1, ..., where B0 is IV and Bi = EK(B(i-1))
  • Then Ci = Bi ⊕ Mi
  • So a one-time pad that can be generated in advance.
  • One-time pad caveat:
    ▪ Attacker with <plaintext, ciphertext> can obtain the Bi's
    ▪ and so generate ciphertext for any plaintext (under the same key and IV)
  k-bit OFB:
  • Generate the stream cipher in k-bit chunks, rather than 64-bit chunks.
  • Let Xi = EK(B(i-1)), where B0 is the 64-bit IV
  • Let Yi be the k leftmost bits of Xi
  • Ci = Yi ⊕ Mi
  • Bi is the rightmost 64 bits of B(i-1) | Yi

Slide 20: Cipher Feedback Mode (CFB)
  64-bit CFB:
  • Like OFB except that the ciphertext C(i-1) is used instead of B(i-1)
  • Ci = Mi ⊕ EK(C(i-1)) where C0 is IV
  • Cannot generate the one-time pad in advance.
  k-bit CFB:
  • Generate ciphertext in k-bit chunks, rather than 64-bit chunks.
  • Let Xi = EK(B(i-1)), where B0 is the 64-bit IV (pad with zeros on the left if needed).
  • Let Yi be the k leftmost bits of Xi
  • Ci = Yi ⊕ Mi
  • Bi is the rightmost 64 bits of B(i-1) | Ci

Slide 21: Counter Mode (CTR)
  • See text
  3DES on Large Messages
  • 3DES is used with CBC on the "outside", not the "inside".
  • Using 3DES with CBC on the inside eliminates self-synchronization of received ciphertext (i.e., if some ciphertext is garbled, everything is lost)
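The modes of slides 17 to 20 run end to end, together with the CBC bit-flipping threat of slide 18, as an added example that is not from the slides. The "block cipher" is a 16-bit affine permutation: it is not secure in any sense, but it is invertible, so the chaining is exactly as in the diagrams. Key, IV, messages and function names are constructed for the demo; `pow(a, -1, m)` assumes Python 3.8 or later.

```python
"""Block-cipher modes (ECB, CBC, OFB, CFB) over a toy 16-bit block cipher, and
the CBC bit-flipping property. Added example; the cipher is only an affine
permutation of 16-bit blocks, chosen so the modes can be shown end to end."""

BLOCK_BYTES = 2
A = 0x9E37                                   # odd => invertible mod 2^16
A_INV = pow(A, -1, 1 << 16)                  # Python 3.8+


def E(key, block):
    """Toy block cipher (a permutation of 16-bit values). NOT secure."""
    return (block * A + key) & 0xFFFF


def D(key, block):
    return ((block - key) * A_INV) & 0xFFFF


def blocks(data):
    """Split into 16-bit blocks; zero-pad the last block (demo padding only)."""
    data += b"\x00" * (-len(data) % BLOCK_BYTES)
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]


def join(bs):
    return b"".join(b.to_bytes(2, "big") for b in bs)


def ecb_encrypt(key, msg):
    return join(E(key, m) for m in blocks(msg))           # C_i = E_K(M_i)


def cbc_encrypt(key, iv, msg):
    out, prev = [], iv                       # C_i = E_K(M_i xor C_(i-1)), C_0 = IV
    for m in blocks(msg):
        prev = E(key, m ^ prev)
        out.append(prev)
    return join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv                       # M_i = D_K(C_i) xor C_(i-1)
    for c in blocks(ct):
        out.append(D(key, c) ^ prev)
        prev = c
    return join(out)


def ofb_encrypt(key, iv, msg):
    out, b = [], iv                          # B_i = E_K(B_(i-1)); C_i = B_i xor M_i
    for m in blocks(msg):
        b = E(key, b)
        out.append(b ^ m)
    return join(out)                         # decryption is the same call


def cfb_encrypt(key, iv, msg):
    out, prev = [], iv                       # C_i = M_i xor E_K(C_(i-1))
    for m in blocks(msg):
        prev = E(key, prev) ^ m
        out.append(prev)
    return join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(E(key, prev) ^ c)
        prev = c
    return join(out)


def cbc_bitflip(ct, block_index, mask):
    """Flip bits `mask` in C_i: M_(i+1) gets the same bits flipped (predictable),
    M_i is garbled, every other block is untouched."""
    cs = blocks(ct)
    cs[block_index] ^= mask
    return join(cs)


KEY, IV = 0x4D2C, 0x1234                     # constructed demo key and IV


def demo():
    """Return (ecb_leaks_repeats, tampered_plaintext) for the slide's two threats."""
    ecb = ecb_encrypt(KEY, b"AAAAAAAA")      # four identical plaintext blocks
    ecb_leaks = len(set(blocks(ecb))) == 1   # ... give four identical cipher blocks
    ct = cbc_encrypt(KEY, IV, b"pay=0010")   # blocks: 'pa' 'y=' '00' '10'
    # Flip bit 0x0100 of C_2 (index 1): turns '0' (0x30) into '1' (0x31) in the
    # first byte of M_3 while garbling M_2. M_1 and M_4 are untouched.
    tampered = cbc_decrypt(KEY, IV, cbc_bitflip(ct, 1, 0x0100))
    return ecb_leaks, tampered
```

In the demo the decrypted message still starts with `pa` and ends with `1010`: the amount field was changed from `0010` to `1010` by flipping one bit of the preceding cipher block, without knowing the key. A CRC inside the plaintext does not prevent this in general, which is why slide 23 ends up requiring a keyed cryptographic checksum.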

Slide 22: MACs from encryption/decryption (NS chapter 4)
  • Problem:
    ▪ CBC, CFB, OFB, … do not protect against "undetectable" modifications by an attacker knowing the plaintext
    ▪ Of course, a human may find something fishy. So can a computer that checks for structure in the plaintext.
  • Need a cryptographic checksum.
  • Standard way: send the CBC residue (last block in CBC encryption) along with the plaintext message and IV.

Slide 23: Ensuring confidentiality and integrity of a large message
  • Not ok: send the CBC-encrypted message and the CBC residue. Just repeats the last cipher block.
  • Not ok: CBC_Encrypt[plaintext, CBC_residue[plaintext]]. Last block is the encryption of zero (⊕ of the last cipher block with itself).
  • Not ok: Encrypt[plaintext, non-cryptographic checksum (e.g., CRC)]. Almost works. Subtle attacks are known.
  • Ok: Encrypt_Key2[plaintext, CBC_residue_Key1[plaintext]]. But twice the work. Key2 can be related to Key1 (e.g., key1 = key2 ⊕ C), but still the same work.
  • Probably ok: CBC_encrypt[plaintext, weak cryptographic checksum(plaintext)]
  • Probably ok: CBC_encrypt[plaintext, hash[plaintext]]

Slide 24: Hashes and Message Digests (NS chapter 5)
  • msg → fixed-length hash H(msg)
  • Not 1-1 since the msg space is much larger than the hash space
  • Secure one-way function: computationally hard to find two msgs m1 and m2 s.t. H(m1) = H(m2)
  Birthday attack:
  • Consider a hash space of size K (i.e., hash of log2(K) bits)
  • Consider N randomly chosen messages, m1, m2, …, mN
  • Pr[there is a pair of distinct msgs <mi,mj>: H(mi) = H(mj)]
    = Pr[H(m1) = H(m2) or H(m1) = H(m3) or … or H(m(N-1)) = H(mN)]
    ≈ Sum{over distinct <mi,mj> pairs} (1/K)
    = [N(N-1)/2] [1/K]
  • So if N ≈ √K then Pr is about 1/2
  • K should be large enough so that searching through √K is hard.
  • So K = 2^128 is ok (assuming search through 2^64 is hard). (2^64 is no longer considered out of reach, which is why 256-bit hashes are used today.)
Slide 25: Keyed Hash: Hash with secret key
  • Provides: confidentiality, authentication, integrity
  • Authentication with keyed hash:
    ▪ A and B share secret key KAB
    ▪ A sends random number rA to B.
    ▪ B computes H(KAB|rA) and sends it back.
    ▪ A computes H(KAB|rA) (an eavesdropper cannot invert it) and checks if the received value equals it. A match authenticates B to A.
    ▪ Similarly, B sends random number rB to A and expects H(KAB|rB) back.

Slide 26: MAC (message integrity checksum) with keyed hash
  • Message m1, m2, …, mn; shared key KAB
  • Obvious approach: MAC = H(KAB|msg)
  • Not ok because H(m1, m2, …, mn) is usually H(H(m1, m2, …, m(n-1)), mn) (iterated, Merkle-Damgård style construction)
  • So an attacker can append any m(n+1) and get its MAC as H(old MAC, m(n+1)) (length-extension attack; the attacker only needs to know the length of KAB to reproduce the padding)
  • Possible fixes:
    ▪ MAC = H(msg|KAB)
    ▪ MAC = half the bits of H(KAB|msg)
    ▪ MAC = H(KAB|msg|KAB)
    ▪ HMAC (de facto standard): MAC = H(KAB|H(KAB|msg)) (almost)

Slide 27: Encryption / encryption+integrity with keyed hash
  • Message m1, …, mn; shared key KAB
  • OFB-style: generate (can be precomputed) one-time pad:
    ▪ bi = H(KAB|b(i-1)) where b0 is IV
    ▪ ci = bi ⊕ mi
    ▪ transmit IV and c1, c2, ..., cn
    ▪ Decryption identical
  • CFB-style: encryption with plaintext mixed into the one-time pad:
    ▪ bi = H(KAB|c(i-1)) where c0 is IV
    ▪ ci = bi ⊕ mi
    ▪ Decryption straightforward (homework)

Slide 28: Hash from secret-key encryption/decryption
  Hash of a single block:
  • Hash(block) = Encrypt a constant (e.g., 0) using block as the key
  UNIX password hashing (an application):
  • When user sets password:
    ▪ Concatenate 7-bit ASCII of first eight chars to get a 56-bit secret key
    ▪ Generate a 12-bit random number (called the salt)
    ▪ Encrypt the number 0 using the key and a salt-modified DES: the salt changes which bits are duplicated when the 32-bit R is expanded to the 48-bit mangler input; this defends against off-the-shelf DES-cracking hardware
    ▪ Store salt and ciphertext
  • When user enters password, compare the stored ciphertext with that computed from the password

Slide 29: Hash of a large message
  • Obvious extension of the above approach:
    ▪ Divide the large message into k-bit chunks m1, m2, ...
    ▪ Ci = encryption of C(i-1) with mi as key, where C0 is a constant
    ▪ Let the last Ci be the hash of the message
  • Not ok: Ci is usually too small to be a good hash (e.g., 64 bits in DES)
  • Sufficient fix is to ⊕ each stage's input with the previous stage's output:
    ▪ C1 = encryption of a constant C0 with M1 as key
    ▪ For i > 1: Ci = encryption of (C(i-2) ⊕ C(i-1)) with Mi as key
    ▪ Let the last Ci be the hash of the message
  • One way to generate 128 bits of hash with DES:
    ▪ Generate a 64-bit hash as above.
    ▪ Generate another 64-bit hash with the message blocks in reverse order
    ▪ This approach has a flaw (homework)
  • Better way to generate 128 bits of hash with DES:
    ▪ Generate two 64-bit hashes as above but with different constants.

Slide 30: MD4: 32-bit-word-oriented hash function
  • Message of arbitrary length → 128-bit digest
  • Step 1: pad to a multiple of 512 bits:
    msg ← msg | one 1 | p 0's | (64-bit encoding of the length of msg);
    where length(msg) + 1 + p + 64 is a multiple of 512 (so p is in 0..511)
  • Step 2: process in 512-bit chunks to obtain the 128-bit hash
    ▪ 128-bit digest treated as 4 words: d0, d1, d2, d3;
    ▪ 512-bit chunk treated as 16 words: m0, m1, …, m15;
    Initialize <d0…d3> to <01|23|45|67 | 89|ab|cd|ef | fe|dc|ba|98 | 76|54|32|10> (hex bytes);
    For each 512-bit chunk c of msg:
      e0…e3 ← d0…d3;                                    // store current md for use later
      // Pass 1: mangle d0…d3 using m0…m15, mangler H1, permutation J
      For i = 0, ..., 15: dJ(i) ← H1(i, d0, d1, d2, d3, mi);
      // Pass 2: mangle d0…d3 using m0…m15, mangler H2, permutation J
      For i = 0, ..., 15: dJ(i) ← H2(i, d0, d1, d2, d3, mi);
      // Pass 3: mangle d0…d3 using m0…m15, mangler H3, permutation J
      For i = 0, ..., 15: dJ(i) ← H3(i, d0, d1, d2, d3, mi);
      d0…d3 ← d0…d3 + e0…e3 (word-wise addition mod 2^32);
    md ← d0…d3;

Slide 31: More Hash Functions
  • MD2:
    ▪ Message of an arbitrary number of octets → 128-bit digest
    ▪ Like MD4 except: Step 1: pad to a multiple of 16 octets; Step 2: append a 16-octet checksum (not cryptographic); Step 3: do 18 passes over msg in 16-octet chunks
  • MD5:
    ▪ Message of an arbitrary number of bits → 128-bit digest
    ▪ Like MD4 except four passes and different mangler functions (collisions are now practical)
  • SHA-1:
    ▪ Message of an arbitrary number of bits up to 2^64 bits → 160-bit digest
    ▪ Like MD5 except five passes, different mangler functions, and at the start of each stage the 512-bit msg chunk is expanded to 5 × 512 bits using rotated versions of the msg chunk (collisions were demonstrated in 2017)

Slide 32: HMAC: de facto MAC standard
  • Can use any hash function H (e.g., MD2, MD4, SHA-1)
  • Variable-sized message and variable-length key → fixed-size MAC of the same size as the output of H
  • Pad the key with 0's to 512 bits (the block size of H); if the key is larger than 512 bits, first hash the key and then pad
  • Inner hash: H((key ⊕ [string of 0x36 octets]) | msg)
  • HMAC = H((key ⊕ [string of 0x5C octets]) | inner hash)
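The length-extension attack on MAC = H(KAB|msg) from slide 26, and the HMAC construction of slide 32, as an added example that is not the slides' code. SHA-1 is implemented from scratch so that its compression function can be resumed from a published digest, which is exactly what the attack needs; the from-scratch code is cross-checked against the standard library. The key and messages are constructed, the attacker is assumed to know only the key's length, and all function names are this example's own.

```python
"""From-scratch SHA-1 with a resumable compression function, used to show the
length-extension attack on MAC = H(key | msg) and why HMAC's nested construction
does not have the problem. Added example, not code from the slides."""
import hashlib
import hmac as stdlib_hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _compress(state, chunk):
    """One SHA-1 compression: 64-byte chunk + 5-word state -> 5-word state."""
    w = list(struct.unpack(">16I", chunk))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def md_padding(total_len):
    """Merkle-Damgard padding for total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha1(data, state=SHA1_IV, prior_len=0):
    """SHA-1 of data. `state`/`prior_len` let the caller resume after prior_len
    already-absorbed bytes; that hook is exactly what length extension abuses."""
    buf = data + md_padding(prior_len + len(data))
    for off in range(0, len(buf), 64):
        state = _compress(state, buf[off:off + 64])
    return struct.pack(">5I", *state)


def naive_mac(key, msg):
    """The slide's 'obvious approach': H(K | msg)."""
    return sha1(key + msg)


def naive_verify(key, msg, mac):
    return stdlib_hmac.compare_digest(naive_mac(key, msg), mac)


def length_extend(mac, msg, key_len, ext):
    """Without the key: from MAC = H(K|msg) and len(K), produce a valid MAC for
    msg | glue | ext, where glue is the padding H appended after K|msg."""
    glue = md_padding(key_len + len(msg))
    state = struct.unpack(">5I", mac)                     # resume from the digest
    forged_mac = sha1(ext, state, key_len + len(msg) + len(glue))
    return msg + glue + ext, forged_mac


def hmac_sha1(key, msg):
    """HMAC (RFC 2104): H((K ^ opad) | H((K ^ ipad) | msg)), K zero-padded to the
    64-byte block (hashed first if longer). The outer keyed hash hides the inner
    state, so resuming from the published MAC no longer helps."""
    if len(key) > 64:
        key = sha1(key)
    key = key.ljust(64, b"\x00")
    inner = sha1(bytes(b ^ 0x36 for b in key) + msg)
    return sha1(bytes(b ^ 0x5C for b in key) + inner)


KEY = b"s3cret-key"                       # constructed secret; attacker knows only len(KEY)
MSG = b"amount=100&to=alice"              # constructed message
EXT = b"&to=mallory"                      # constructed extension


def self_check():
    """Cross-check the from-scratch primitives against the standard library."""
    return (all(sha1(m) == hashlib.sha1(m).digest()
                for m in (b"", b"abc", b"x" * 55, b"y" * 56, b"z" * 200))
            and hmac_sha1(KEY, MSG) == stdlib_hmac.new(KEY, MSG, hashlib.sha1).digest())


def forgery_accepted():
    """True if the extended message/MAC pair passes naive verification."""
    forged_msg, forged_mac = length_extend(naive_mac(KEY, MSG), MSG, len(KEY), EXT)
    return naive_verify(KEY, forged_msg, forged_mac) and forged_msg.endswith(EXT)


def same_trick_on_hmac_fails():
    forged_msg, forged_mac = length_extend(hmac_sha1(KEY, MSG), MSG, len(KEY), EXT)
    return hmac_sha1(KEY, forged_msg) != forged_mac


if __name__ == "__main__":
    print("self-check:", self_check())
    print("naive H(K|m) forgery accepted:", forgery_accepted())
    print("same trick against HMAC fails:", same_trick_on_hmac_fails())
```

The forged message contains the glue padding bytes in the middle; whether a parser tolerates them is application-specific, but `&to=mallory` arriving last is enough for a last-value-wins parameter parser. `hmac.compare_digest` is used for the comparison so that verification time does not leak how many MAC bytes matched.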
Slide 33: A Bit of Number Theory (NS chapter 7)
  • Topics:
    ▪ Modular addition, multiplication, exponentiation over Zn = {0, 1, ..., n−1}
    ▪ Euclid's algorithm: gcd and multiplicative inverse
    ▪ Chinese remainder theorem: (x mod pq) <=> (x mod p) and (x mod q)
    ▪ Zn* = {j in Zn : j > 0 and relatively prime to n}
    ▪ Euler's totient function φ(n) = |Zn*|
    ▪ Euler's theorem
  • Conventions:
    ▪ All variables are integers (positive, zero, negative) unless otherwise stated
    ▪ n is a positive integer

Slide 34: Modulo-n arithmetic
  • For any x: (x mod n) equals the y in Zn s.t. x = y + k·n for some integer k.
  • Nonnegative remainder of x/n:
    3 mod 10 = 3 (3 = 3 + 0·10)
    23 mod 10 = 3 (23 = 3 + 2·10)
    −27 mod 10 = 3 (−27 = 3 + (−3)·10) (unlike in most programming languages: in C, −27 % 10 is −7)
  • Integers u and v are said to be congruent mod n if (u mod n) = (v mod n)
  • Math books say "equivalent mod-n", denoted u ≡ v (mod n)
  Modulo-n addition
  • Mod-n addition is ordinary addition followed by the mod-n operation
    (3 + 7) mod 10 = 10 mod 10 = 0
    (3 − 7) mod 10 = −4 mod 10 = 6
  • Note: (u + v) mod n = ((u mod n) + (v mod n)) mod n
  • Additive inverse of x is the y s.t. (x + y) mod n = 0
    ▪ denoted −x mod n
    ▪ exists for any x and n
    ▪ easy to compute: e.g., for x in Zn, the additive inverse is n − x (and 0 for x = 0)

Slide 35: Modulo-n multiplication
  • Mod-n multiplication is ordinary multiplication followed by the mod-n operation
    (3·7) mod 10 = 21 mod 10 = 1
    (8·(−7)) mod 10 = −56 mod 10 = 4
  • Note: (u·v) mod n = ((u mod n)·(v mod n)) mod n
  • Multiplicative inverse of integer x is the y s.t. (x·y) mod n = 1
    ▪ denoted x^−1 mod n
    ▪ 3^−1 mod 10 is 7 (3·7 = 21 = 1 mod 10).
    ▪ x^−1 exists and is unique iff x and n are relatively prime, i.e., gcd(x, n) = 1
  • Euclid's algorithm: efficiently computes gcd(x, n) and x^−1 (if it exists)

Slide 36: Modulo-n exponentiation
  • Modulo-n exponentiation is ordinary exponentiation followed by the mod-n operation
    3^2 mod 10 = 9
    3^3 mod 10 = 27 mod 10 = 7
    (−3)^3 mod 10 = −27 mod 10 = 3
  • Note: (u^v) mod n ≠ (u^(v mod n)) mod n in general
  • Exponentiative inverse of integer x is a y s.t. (x^y mod n) = 1
    ▪ 3^4 = 81 = 1 mod 10, so 4 is an exponentiative inverse mod-10 of 3
    ▪ Exists iff x and n are relatively prime (it is not unique: any multiple of the smallest such y also works)
    ▪ Easy to compute if n has certain structure.
  Primes
  • Positive integer p is prime iff it is exactly divisible only by itself and 1
  • Infinitely many primes, but they thin out as numbers get larger
    ▪ 25 primes less than 100
    ▪ Pr[random 10-digit number is a prime] ≈ 1/23
    ▪ Pr[random 100-digit number is a prime] ≈ 1/230
    ▪ Pr[random k-digit number is a prime] ≈ 1/(k·ln 10) ≈ 1/(2.3·k) (prime number theorem)
SLIDE 10

2/6/2009shankar

  • cryptoslide37

Euclid’salgorithmforgcd(x,y)

  • [x,y]hassamedivisors/gcdas[x−y,y],as[x−k⋅y,y],as[xmod7y,y],
  • as[y,xmod7y],as[y,remainder(x/y)]
  • repeat[x,y][y,remainder(x/y)]untilfirstentryis0;

secondentryisgcd

  • storeintermediateremaindersinarrayr

r=[r72r71r0

  • r1
  • r2
  • ...]
  • xyremainder(x/y)remainder(y/r0)remainder(r0/r1)...]
  • /-0)
  • arrayr=[r72r71r0r1r2...]
  • r72x;r71y;
  • integern0;
  • whilern71≠0do
  • rnremainder(rn72/rn71);
  • nn+1;

rn72; //gcd(x,y)

  • Togetmultiplicativeinverse,needtokeeptrackofquotients,differences

2/6/2009shankar

  • cryptoslide38
  • +/-0

arraysr,q,u,v; r72x;r71y; u721;v720; u710;v711; integern:=0; whilern71≠0do//invariantrn=un⋅x+vn⋅y rnremainder(rn72/rn71); qnquotient(rn72/rn71); unun72−qnZun71; vnvn72−qnZvn71; nn+1; //Termination:gcd(x,y)=rn72=un72Zx+vn72Zy rn72,un72,vn72;

  • Ifgcd(x,y)=1then

multiplicativeinversemod7yofx=un72

  • multiplicativeinversemod7xofy=vn72

elsemultiplicativeinversesdonotexist r= [r72 r71r0r1r2...] (remainders) q=[

  • q0q1q2...] (quotients)

u=[u72u71u0u1u2...] (differences) v= [v72v71v0v1v2...] (differences)

2/6/2009shankar

  • cryptoslide39

Chineseremaindertheorem

  • Fork=2,(xmodz1⋅z2)=[x2⋅a⋅z1+x1⋅b⋅z2]modz1⋅z2,where1=a⋅z1+b⋅z2
  • z1=3,z2=4(relativelyprime)

Z3⋅4 1 2 3 4 5 6 7 8 9 10 11 Z3×Z4〈0,0〉 〈1,1〉〈2,2〉 〈0,3〉 〈1,0〉 〈2,1〉 〈0,2〉 〈1,3〉 〈2,0〉 〈0,1〉 〈1,2〉 〈2,3〉

  • z1=2,z2=4(notrelativelyprime)

Z2⋅4

1 2 3 4 5

6 7 Z2×Z4 〈0,0〉 〈1,1〉 〈0,2〉 〈1,3〉 〈0,0〉 〈1,1〉 〈0,2〉 〈1,3〉

  • Ifz1,z2relativelyprime,nonumberin[1..z1⋅z2]ismultipleofz1andz2

Letz1,z2,...,zkberelativelyprime. ThenthemappingZz1,z2,...,zkZz1×Zz2×...×Zzkwhere x<xmodz1,xmodz2,...,xmodzk>is1−1onto(soinvertible). Sofor<x1,x2,...,xk>:exactlyonexinZz1,z2,...,zks.t.(xmodzi)=xi

  • 2/6/2009shankar
  • cryptoslide40

A1#

  • NoteZz1Zz2andZz1×Zz2havethesamenumberofelements(namelyz1⋅z2)
  • Willshowmappingis171andobtaininverse.
  • Foranyintegerx,let
  • (xmodz1)=x1and
  • (xmodz2)=x2
  • ByEuclid:thereexistaandbsuchthat1=a⋅z1+b⋅z2
  • Multiplyingbothsidesbyxandtakingmodz1⋅z2

(xmodz1⋅z2)=[x⋅a⋅z1+x⋅b⋅z2]modz1⋅z2 =[(x2+k.z2)⋅a⋅z1+(x1+j.z1)⋅b⋅z2)]modz1⋅z2 =[x2⋅a⋅z1+x1⋅b⋅z2]modz1⋅z2 LHSdependsonlyonx1,x2,a,b. Soforany<x1,x2>,exactlyonexs.t.(xmodz1)=x1and(xmodz1)=x2

  • Soxandyarethesamemodz1⋅z2

AB#$

  • Ifz1,z2,...,zk,zk+1rel.prime,then(z1⋅z2⋅⋅⋅zk)andzk+1arerel.prime
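Extended Euclid and the CRT of slides 38 to 40, as an added example that is not from the slides: the loop maintains the slide's invariant r(n) = u(n)·x + v(n)·y (checked at every step), the multiplicative inverse is read off u(n−2), and the CRT folds the k = 2 formula x = x2·a·z1 + x1·b·z2 repeatedly, which is the "extension to k moduli" argument made in code. Function names are this example's own.

```python
"""Extended Euclid (with the invariant r_n = u_n*x + v_n*y from the slide) and
the Chinese remainder theorem for any number of pairwise coprime moduli.
Added example; the functions' names are this example's own."""


def extended_euclid(x, y):
    """Return (g, u, v) with g = gcd(x, y) = u*x + v*y, by the slide's iteration."""
    r_prev, r = x, y                  # r(-2), r(-1)
    u_prev, u = 1, 0                  # u(-2), u(-1)
    v_prev, v = 0, 1                  # v(-2), v(-1)
    while r != 0:
        q, rem = divmod(r_prev, r)    # quotient and remainder of r(n-2)/r(n-1)
        r_prev, r = r, rem
        u_prev, u = u, u_prev - q * u
        v_prev, v = v, v_prev - q * v
        assert r_prev == u_prev * x + v_prev * y    # the slide's loop invariant
    return r_prev, u_prev, v_prev      # r(n-2), u(n-2), v(n-2)


def mod_inverse(x, n):
    """x^-1 mod n (the u coefficient reduced mod n), or None if gcd(x, n) != 1."""
    g, u, _ = extended_euclid(x, n)
    return u % n if g == 1 else None


def crt(residues, moduli):
    """The unique x in [0, z1*z2*...*zk) with x = residues[i] (mod moduli[i]).
    Folds the k = 2 formula x = x2*a*z1 + x1*b*z2 (with 1 = a*z1 + b*z2) left to right:
    after each step z is the product so far, which is coprime to the next modulus."""
    x, z = residues[0] % moduli[0], moduli[0]
    for x2, z2 in zip(residues[1:], moduli[1:]):
        g, a, b = extended_euclid(z, z2)            # 1 = a*z + b*z2
        if g != 1:
            raise ValueError("moduli must be pairwise relatively prime")
        x = (x2 * a * z + x * b * z2) % (z * z2)
        z *= z2
    return x


def crt_table(z1, z2):
    """The slide's table: x -> <x mod z1, x mod z2> for x in Z(z1*z2)."""
    return [(x % z1, x % z2) for x in range(z1 * z2)]


if __name__ == "__main__":
    print(extended_euclid(240, 46))          # (2, -9, 47): 2 = -9*240 + 47*46
    print(mod_inverse(3, 10))                # 7
    print(crt([2, 3], [3, 4]))               # 11, the x mapped to <2,3> in the table
    print(crt_table(3, 4))
    print(len(set(crt_table(2, 4))))         # 4 distinct pairs out of 8: not 1-1
```

For the slide's example z1 = 3, z2 = 4 extended Euclid gives 1 = (−1)·3 + 1·4, so a = −1, b = 1 and the pair <2,3> maps back to (3·(−1)·3 + 2·1·4) mod 12 = 11, matching the table.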
Slide 41: Zn*
  • Zn* = {x : x is a mod-n integer relatively prime to n}
  • Z10* = {1, 3, 7, 9} whereas Z10 = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
  • 0 is not an element of Zn* (for n > 1) because gcd(0, n) = n for any n
  • Theorem: Zn* is closed under multiplication mod-n: for x, y in Zn*, x·y mod-n is in Zn*. Also, multiplying the elements of Zn* by any x in Zn* is a permutation of Zn*.
  • Proof:
    Let a and b be in Zn*. By definition gcd(a, n) = gcd(b, n) = 1.
    So there exist ua, va, ub, vb s.t. ua·a + va·n = 1 and ub·b + vb·n = 1.
    Multiply the two equations:
      ua·ub·(a·b) + n·(ua·a·vb + va·ub·b + va·vb·n) = 1
    Hence, by Euclid's algorithm, a·b is relatively prime to n, and so a·b is in Zn*.
    To show that x·Zn* is a permutation of Zn*, show that the mapping is 1−1. (Work out the details: if x·a = x·b mod-n, multiplying by x^−1 gives a = b.)

Slide 42: Euler's Totient Function
  • φ(n): number of elements in Zn*
  • For n prime: φ(n) = n − 1. Obvious.
  • For n = p^a where p is prime and a > 0: φ(n) = (p − 1)·p^(a−1)
    Zn = {0, 1, 2, …, p, …, 2·p, …, 3·p, …, (p^(a−1) − 1)·p, …, p^a − 1}.
    Only the multiples of p share a factor with n. Apart from 0, there are p^(a−1) − 1 of them in Zn.
    Removing them from the set {1, 2, ..., n − 1} yields Zn*.
    So φ(n) = (n − 1) − (p^(a−1) − 1) = (p^a − 1) − (p^(a−1) − 1) = p^a − p^(a−1) = (p − 1)·p^(a−1)
  • For n = p·q where p and q are relatively prime: φ(n) = φ(p)·φ(q)
  • For n = p1^a1 · p2^a2 ··· pk^ak where p1, ..., pk are distinct primes: φ(n) = φ(p1^a1)·φ(p2^a2)···φ(pk^ak)

Slide 43: Proof that φ(p·q) = φ(p)·φ(q) for p, q relatively prime
  Let mp = m mod p and mq = m mod q. Abbreviate "relatively prime to" as rpt.
  First show that m rpt p·q iff mp rpt p and mq rpt q.
  • Assume m rpt p·q. Then there exist u and v such that u·m + v·p·q = 1.
    Substituting m = mp + k·p, we get u·mp + p·(u·k + v·q) = 1, so mp rpt p.
    Similarly, mq rpt q.
  • Assume mp rpt p and mq rpt q. Then there exist up, vp, uq, vq such that
    up·mp + vp·p = 1 and uq·mq + vq·q = 1.
    So up·(m − k·p) + vp·p = 1 for some k, or up·m + (vp − up·k)·p = 1.
    Similarly, for some j, uq·m + (vq − uq·j)·q = 1.
    Multiplying the two, we get
    [up·uq·m + up·(vq − uq·j)·q + uq·(vp − up·k)·p]·m + (vp − up·k)·(vq − uq·j)·p·q = 1
    So m rpt n.
  • So (by the CRT) there is a 1−1 correspondence between the numbers in Z(p·q)* and Zp* × Zq*. So φ(n) = φ(p)·φ(q).
  • The general formula for n = p1^a1 · p2^a2 ··· pk^ak follows by applying this repeatedly (homework).

Slide 44: Euler's Theorem
  • Euler's theorem: for all a in Zn*: a^φ(n) = 1 mod-n
  • Proof:
    Let x be the product of all the elements of Zn*.
    Because Zn* is closed under multiplication, x is in Zn* and x^−1 exists.
    Let b1, b2, ···, bφ(n) be the elements of Zn* listed in some order.
    Let y = (a·b1)·(a·b2)···(a·bφ(n)). So y = a^φ(n)·x mod-n.
    But a·b1, a·b2, ···, a·bφ(n) is also Zn* permuted. So y = x mod-n.
    Thus a^φ(n)·x = x mod-n. Multiplying both sides by x^−1 yields a^φ(n) = 1 mod-n.
  • Variant: for all a in Zn* and any non-negative integer k: a^(k·φ(n)+1) = a mod-n
  • Proof: a^(k·φ(n)+1) = a^(k·φ(n))·a = [a^φ(n)]^k·a = 1^k·a = a
  • Question: does a^φ(n) = 1 mod-n hold for all a in Zn (not just Zn*)? (No: a = 0 already fails for n > 1.)

Slide 45: Generalization of Euler's Theorem to all of Zn when n = p·q (p, q distinct primes)
  • Claim: if n = p·q where p and q are distinct primes, then a^(k·φ(n)+1) = a mod-n for all a in Zn and any non-negative integer k.
  • Proof: Assume a is not in Zn* (otherwise it follows from Euler's Theorem Variant).
    Also assume a is not 0 (otherwise the result holds trivially).
    So a is a multiple of p or q but not both. Suppose a is a multiple of q.
    Decompose (a^(k·φ(n)+1) mod-n) into mod-p and mod-q, and use the CRT.
    a^(k·φ(n)+1) mod-p
      = a^(k·φ(n))·a mod-p
      = a^(k·φ(p)·φ(q))·a mod-p          (because φ(n) = φ(p)·φ(q))
      = (a^φ(p))^(k·φ(q))·a mod-p
      = 1^(k·φ(q))·a mod-p               (a rpt p, so a^φ(p) = 1 mod-p by Euler's theorem)
      = a mod-p
    Similarly a^(k·φ(n)+1) mod-q = 0 = a mod-q (a is a multiple of q).
    So by the CRT a^(k·φ(n)+1) mod-n = a mod-n.
  • Note: the above is true for any n that is a product of distinct primes.

Slide 46: Public Key Algorithms (NS chapter 6)
  • Public key algorithm: a principal has a public key and a private key
  • Examples:
    ▪ RSA and ECC: encryption and digital signatures.
    ▪ ElGamal and DSS: digital signatures.
    ▪ Diffie-Hellman: establishment of a shared secret
    ▪ Zero-knowledge proof systems: authentication
  • Most public key algorithms are based on modulo-n arithmetic.

Slide 47: Recall some modulo-n arithmetic
  • Modulo-n addition: (a + b) mod-n
    ▪ Any x has a unique additive inverse mod-n. Easily computed.
  • Modulo-n multiplication: (a·b) mod-n
    ▪ Any x has a unique multiplicative inverse mod-n iff gcd(x, n) = 1
    ▪ Existence and value easily computed (Euclid's algorithm)
  • Zn = {0, 1, ..., n−1}
  • Zn* = {numbers in Zn that are relatively prime to n}
  • φ(n) = number of elements in Zn*; easy to get given the prime factorization
  • Modulo-n exponentiation: (a^b) mod-n
    ▪ Any x has an exponentiative inverse mod-n iff gcd(x, n) = 1. Easy to compute? (Yes if φ(n) is known: φ(n) itself is one, by Euler's theorem.)
    ▪ For all x in Zn*: x^φ(n) = 1 mod-n. (Euler's Theorem)
    ▪ For all x in Zn* and non-negative k: x^(k·φ(n)+1) = x mod-n. (Variant)
    ▪ For all x in Zn and non-negative integer k: x^(k·φ(n)+1) = x mod-n if n = p·q where p and q are distinct primes. (Generalization)

Slide 48: RSA (Rivest, Shamir, Adleman)
  • Key size variable (longer for better security; 512 bits, about 155 decimal digits, was common when these notes were written; 512-bit RSA moduli have since been factored and 2048 bits or more is used today).
  • Plaintext block size variable but smaller than the key length.
  • Ciphertext block of key length.
  • RSA is much slower to compute than secret key algorithms (e.g., DES), so it is not used for bulk data encryption
SLIDE 13

2/6/2009shankar

  • cryptoslide49

RSAAlgorithm

  • Generationofpublickeyandcorrespondingprivatekey
  • Choosetwolargeprimes,pandq(pandqremainsecret).
  • Letn=p⋅q.
  • Chooseanumbererelativelyprimetoφ(n)(=(p−1)⋅(q−1))
  • Publickey=<e,n>
  • Findmultiplicativeinversedofemod7φ(n)[i.e.,e⋅d=1mod7φ(n)]
  • Privatekey=<d,n>
  • Encryption/decryption
  • Toencryptmessagemusingpublickey:

ciphertextc=memod7n

  • Todecryptciphertextcusingprivatekey:

plaintextm=cdmod7n

  • Signing/Verifyingsignature
  • Tosignamessagemusingprivatekey:

signatures=mdmod7n

  • Toverifysignaturecusingpublickey:

plaintextm=semod7n

2/6/2009shankar

  • cryptoslide50

G)--)⋅

⋅ ⋅ ⋅1

me⋅d =m1mod7φ(n)[becausee⋅d=1mod7φ(n)] =m1+k⋅φ(n) [definitionofmod] =m

  • [Euler’stheoremgeneralization,applicablebecause
  • 7minZn(inRSA)
  • 7nisproductofdistinctprimespandq]
  • G%+
  • Onlyknownwaytoobtainmfrommeisbyme⋅dwhered=e−1mod7φ(n)
  • Onlyknownwaytoobtainφ(n)iswithpandq
  • Factoringalargenumberishard,sohardtoobtainpandqgivenn
Slide 51: Efficient modulo exponentiation
  • Need to get m^e mod-n for 512-bit (about 155-digit) numbers m, e, n
  • Consider a small example: 123^54 mod 678
  • Naive approach 1: multiply m with itself e times and then take mod-n.
    ▪ e multiplications of increasingly larger numbers (m^2, m^3, …). Too expensive.
    ▪ 123^54 is approx 113 digits (54·log10(123) ≈ 112.9)
  • Approach 2: multiply m with itself and take mod-n; repeat e times.
    ▪ e multiplications of large (155-digit) numbers, and e divisions. Still expensive.
  • Square-and-multiply: exploit m^(2x) = m^x·m^x and m^(2x+1) = m^(2x)·m.
    ▪ About log2(e) squarings plus at most log2(e) multiplications.

Slide 52: Square-and-multiply (left to right)
    Let (x0, x1, ···, xk) be e in binary, most significant bit first;   // x0 = 1
    initially y ← m; j ← 0;                                              // y = m^(x0)
    while j < k do
      // loop invariant: y = m^(x0, ···, xj) mod-n
      y ← y·y mod-n;                                                     // y = m^(x0, ···, xj, 0) mod-n
      if x(j+1) = 1 then y ← y·m mod-n;                                  // y = m^(x0, ···, xj, 1) mod-n
      j ← j + 1;                                                         // y = m^(x0, ···, xj) mod-n
    // y = m^e mod-n
  • Example: 123^54 mod 678. 54 = (110110)2
    123^(1) mod-678 = 123
    123^(10) mod-678 = 123·123 mod-678 = 15129 mod-678 = 213
    123^(11) mod-678 = 213·123 mod-678 = 26199 mod-678 = 435
    123^(110) mod-678 = 435·435 mod-678 = 189225 mod-678 = 63
    123^(1100) mod-678 = 63·63 mod-678 = 3969 mod-678 = 579
    123^(1101) mod-678 = 579·123 mod-678 = 71217 mod-678 = 27
    123^(11010) mod-678 = 27·27 mod-678 = 729 mod-678 = 51
    123^(11011) mod-678 = 51·123 mod-678 = 6273 mod-678 = 171
    123^(110110) mod-678 = 171·171 mod-678 = 29241 mod-678 = 87
    So 123^54 mod 678 = 87.
Slide 53: RSA key generation
  • Need to: find big primes p and q; find e relatively prime to φ(n) (= (p − 1)·(q − 1)); compute d = e^−1 mod-φ(n)
  Finding big primes (p and q):
  • Choose a random n and test it for primality. If not prime, retry.
    (recall that Pr(100-digit number is prime) ≈ 1/230; trying only odd candidates doubles the rate)
  • Testing n for primality:
    ▪ No practical deterministic way for numbers of this size (e.g., dividing n by every j ≤ √n)
    ▪ Practical probabilistic ways (i.e., n is prime with high probability)
  • Probabilistic test 1 (Fermat test):
    Generate random n and a in 1..n−1;
    Treat n as prime if a^(n−1) = 1 mod-n;
    Prob[test fails] is low (about 10^−13 for 100-digit n).
    Note: the converse holds by Fermat's/Euler's theorem (if n is prime, a^(n−1) = 1 mod-n for all a in 1..n−1).
    Can make the test stronger by trying several different a.
    But: the Carmichael numbers 561, 1105, 1729, 2465, 2821, 6601, ... pass the test for every a relatively prime to n.
  • Probabilistic test 2 (Miller-Rabin): works even for Carmichael numbers.
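Square-and-multiply with the slide's trace (slide 52), the Fermat and Miller-Rabin tests of slide 53, and the RSA key generation of slide 49 built on them, as an added example that is not from the slides. `pow(e, -1, phi)` for the private exponent assumes Python 3.8 or later; the demo key size is shrunk so the pure-Python primality testing runs quickly; function names are this example's own.

```python
"""Square-and-multiply (left to right, as in the slide), the Fermat and
Miller-Rabin primality tests, and textbook RSA key generation built on them.
Added example, not code from the slides; uses the slide's 123^54 mod 678."""
import math
import random


def mod_exp(m, e, n, trace=None):
    """m^e mod n, scanning e's bits msb first: square, then multiply if the bit is 1.
    If `trace` is a list, (bits-so-far, y) is appended after each step."""
    if e == 0:
        return 1 % n
    bits = bin(e)[2:]                           # x0 x1 ... xk with x0 = 1
    y = m % n                                   # y = m^(x0) mod n
    if trace is not None:
        trace.append((bits[:1], y))
    for j in range(1, len(bits)):
        y = (y * y) % n                         # y = m^(x0..x(j-1) 0) mod n
        if trace is not None:
            trace.append((bits[:j] + "0", y))
        if bits[j] == "1":
            y = (y * m) % n                     # y = m^(x0..x(j-1) 1) mod n
            if trace is not None:
                trace.append((bits[:j + 1], y))
    return y


def mod_exp_trace(m, e, n):
    """The slide's worked table as a list of intermediate values."""
    trace = []
    mod_exp(m, e, n, trace)
    return [y for _, y in trace]


def fermat_passes(n, a):
    """Slide's test 1 for one base: a^(n-1) = 1 mod n. Every prime passes;
    Carmichael numbers (561, 1105, ...) pass for every a coprime to n."""
    return mod_exp(a, n - 1, n) == 1


def miller_rabin(n, bases=None, rounds=20, rng=random):
    """Slide's test 2. With n-1 = 2^s * d, a composite n (Carmichael or not) is
    exposed when a^d, a^(2d), ... reaches 1 without passing through n-1."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    s, d = 0, n - 1
    while d % 2 == 0:
        s, d = s + 1, d // 2
    if bases is None:
        bases = [rng.randrange(2, n - 1) for _ in range(rounds)]
    for a in bases:
        x = mod_exp(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = (x * x) % n
            if x == n - 1:
                break
        else:
            return False                        # definitely composite
    return True                                 # prime with error <= 4^-len(bases)


def random_prime(bits, rng=random):
    """Slide 53's loop: random odd candidate of the right size, retry until prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(cand, rng=rng):
            return cand


def rsa_keygen(bits=512, e=65537, rng=random):
    """Return ((e, n), (d, n)) with n = p*q and d = e^-1 mod phi(n)."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)   # pow(x, -1, m): Python 3.8+


def rsa_apply(key, x):
    """Encrypt/verify with the public key, decrypt/sign with the private key."""
    k, n = key
    return mod_exp(x, k, n)


def rsa_roundtrip_ok(bits=256, seed=7):
    """Decrypt(Encrypt(m)) = m and Verify(Sign(m)) = m for a seeded toy key pair."""
    pub, priv = rsa_keygen(bits, rng=random.Random(seed))
    m = 0x5265616C6C792073656372657421                  # constructed message, m < n
    return (rsa_apply(priv, rsa_apply(pub, m)) == m
            and rsa_apply(pub, rsa_apply(priv, m)) == m)


if __name__ == "__main__":
    print(mod_exp_trace(123, 54, 678))          # [123, 213, 435, 63, 579, 27, 51, 171, 87]
    print("561 fools Fermat with a=2:", fermat_passes(561, 2))
    print("561 passes Miller-Rabin:", miller_rabin(561, bases=[2]))
    print("RSA roundtrip:", rsa_roundtrip_ok())
```

The module's `random` is fine for a demo but not for real key generation, where the primes must come from a cryptographically secure source (`secrets` in Python). The roundtrip check relies on m < n, which the textbook scheme requires; the padding issues of slides 54 and 55 are separate.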

Slide 54: Choosing e
  Random e:
  • Choose p and q as described above
  • Choose e at random until it is relatively prime to φ(n)
  Fixed small e (e = 3):
  • Fix e such that m^e is easy to compute (i.e., few 1's in binary)
  • Choose primes p and q such that e is relatively prime to (p − 1)·(q − 1)
  • e = 3 = (11)2 [so m^e needs 2 multiplications]
  • Need to pad small m: if m < n^(1/3) then m^e mod-n = m^3 (no wrap-around), so an attacker can get m as (m^e)^(1/3)
  • Need to use different pads if m is sent to 3 principals with public keys (3, n1), (3, n2), (3, n3):
    Attacker has m^3 mod-n1, m^3 mod-n2, m^3 mod-n3
    CRT yields m^3 mod-n1·n2·n3
    Because m < n1, m < n2, m < n3, the attacker has m^3 < n1·n2·n3, and so (m^3 mod-n1·n2·n3)^(1/3) yields m.
  Fixed e = 2^16 + 1 = 65537 [so m^e requires 17 multiplications]
  • No need for a pad on this account, since it is unlikely that m^65537 < n.
  • No need for a random pad on this account when m is sent more than once, since it is unlikely that m would be sent to 65537 different recipients.
  • (Randomized padding, e.g., the PKCS encoding on the next slide, is still required for other reasons: without it encryption is deterministic, so an attacker can confirm a guessed m by encrypting it.)
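The two e = 3 attacks above, as an added example that is not from the slides. The moduli are products of Mersenne primes, which makes them pairwise coprime without needing a primality test; they are not valid RSA moduli for e = 3 (3 divides p − 1 for these primes), which the attack does not care about, since it uses only the three ciphertexts and the three public moduli. The message is constructed; `pow(a, -1, m)` assumes Python 3.8 or later; function names are this example's own.

```python
"""Two low-exponent (e = 3) attacks on unpadded RSA from the slide: recovering a
small m from a single ciphertext, and the broadcast attack recovering m from
three ciphertexts under three different moduli via the CRT. Added example; the
moduli are toy values chosen so it runs instantly."""


def integer_cube_root(x):
    """Exact floor of the cube root by binary search (no floating point)."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def small_message_attack(c, e=3):
    """If m < n^(1/3) then c = m^3 with no modular wrap, so m = cuberoot(c).
    Returns None when c is not a perfect cube (m was large enough to wrap)."""
    m = integer_cube_root(c)
    return m if m ** e == c else None


def crt(residues, moduli):
    """x with x = r_i (mod n_i) for pairwise coprime n_i, in the direct form
    x = sum r_i * N_i * (N_i^-1 mod n_i) mod N, where N_i = N / n_i."""
    N = 1
    for n in moduli:
        N *= n
    x = 0
    for r, n in zip(residues, moduli):
        Ni = N // n
        x += r * Ni * pow(Ni, -1, n)            # pow(a, -1, n): Python 3.8+
    return x % N


def broadcast_attack(ciphertexts, moduli, e=3):
    """Same m sent to e recipients with exponent e and no randomised padding:
    the CRT gives m^e mod n1*n2*n3, which equals m^e itself because m^e < n1*n2*n3."""
    cube = crt(ciphertexts, moduli)
    m = integer_cube_root(cube)
    return m if m ** e == cube else None


def mersenne(k):
    return (1 << k) - 1                          # prime for k in 13, 19, 31, 61, 89, 107


# Constructed toy moduli: products of distinct Mersenne primes, ~2^92 .. 2^120.
MODULI = [mersenne(31) * mersenne(61), mersenne(89) * mersenne(19), mersenne(107) * mersenne(13)]
SECRET_M = int.from_bytes(b"session-key", "big")      # constructed 88-bit message, m < every n_i


def demo():
    """Three recipients each get c_i = m^3 mod n_i; the attacker recovers m."""
    ciphertexts = [pow(SECRET_M, 3, n) for n in MODULI]
    return broadcast_attack(ciphertexts, MODULI)


if __name__ == "__main__":
    print(demo().to_bytes(11, "big"))            # b'session-key'
    print(small_message_attack(pow(0x1234, 3, MODULI[0])))   # 4660 (= 0x1234)
```

The condition that makes the broadcast attack work is m^3 < n1·n2·n3, guaranteed because m < n_i for each i; with e = 65537 the same CRT trick would need 65537 recipients, which is the slide's point. Randomized padding that differs per recipient defeats it for any e.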

Slide 55: Public Key Cryptography Standard (PKCS)
  • Standard encoding of information to be signed/encrypted with RSA
  • Takes care of:
    ▪ encrypting guessable messages
    ▪ signing smooth numbers
    ▪ multiple encryptions of the same message with e = 3
  • Encryption block (fields are octets), msb to lsb:
    2 | at least eight random non-zero octets | 0 | data
  • Note that the data is usually small (DES/3DES/AES key, hash, etc.)
  • Signature block (fields are octets), msb to lsb:
    1 | at least eight octets of FF(16) | 0 | ASN.1-encoded digest type and digest
  • (This is the PKCS#1 v1.5 encoding. Its encryption block is vulnerable to padding-oracle attacks (Bleichenbacher, 1998) when a decryptor reveals whether the padding was well-formed; OAEP is preferred today.)

Slide 56: Diffie-Hellman (Basic)
  • Allows any two principals that do not already have a shared secret to establish a shared secret over an open channel.
  • Initially A and B share: a (large) prime p and g < p (publicly known).
    A chooses a random 512-bit number SA, sends TA = g^SA mod-p to B.
    B chooses a random 512-bit number SB, sends TB = g^SB mod-p to A.
    A computes TB^SA mod-p [= g^(SB·SA) mod-p = g^(SA·SB) mod-p].
    B computes TA^SB mod-p [= g^(SA·SB) mod-p].
    A and B now share g^(SA·SB) mod-p, which can serve as a key.
    An attacker knowing TA and TB and p and g cannot obtain g^(SA·SB) mod-p, because the discrete logarithm modulo-p is hard (for suitable p and g).
  • Does not provide authentication: A does not know whether it is talking to B or C.
    A sends [sender id A, g^SA mod-p]
    C sends [sender id B, g^SC mod-p]
    A and C share secret g^(SA·SC) mod-p, but A thinks it is talking to B

Slide 57: Diffie-Hellman with Published Numbers
  • Assume a PKI (public key infrastructure) that publishes for every principal X: (X, g, p, g^SX mod-p)
  • Then A can encrypt info with (g^(SA·SB) mod-p) and only B can decrypt it.
  • Note that the initial handshake is not needed either.

Slide 58: Authenticated Diffie-Hellman
  • If A and B know a secret (e.g., shared secret key, public key), there are various ways for A and B to authenticate each other:
    ▪ Encrypt the Diffie-Hellman exchange with the pre-shared secret.
    ▪ Encrypt the Diffie-Hellman exchange with the other's public key.
    ▪ Sign the Diffie-Hellman value with your private key.
    ▪ Following the Diffie-Hellman exchange, transmit a hash of the shared Diffie-Hellman value, sender name, and pre-shared secret.
    ▪ Following the Diffie-Hellman exchange, transmit a hash of the initially transmitted Diffie-Hellman value and pre-shared secret.
  • But if A and B have a pre-shared secret, why resort to Diffie-Hellman? Perfect forward secrecy.

Slide 59: Man-in-the-middle attack on a flawed password-authenticated Diffie-Hellman
  Let pwAB be A's password to B, and pwBA be B's password to A (below g^X mod-p is abbreviated to g^X)
    A                            C (attacker)                                  B
    send [A, g^SA] to B    →     alter msg to [A, g^SC]                  →
                           ←     alter msg to [B, g^SC]                  ←     send [B, g^SB] to A
    <--- A and C share g^(SC·SA) --->      <--- C and B share g^(SC·SB) --->
    send g^(SC·SA){pwAB}   →     decrypt with g^(SC·SA),
                                 alter to g^(SC·SB){pwAB}                →     decrypt using g^(SC·SB)
                                                                               A authenticated (error)
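The exchange of slide 56, the man-in-the-middle against the unauthenticated version (slides 56 and 59), and the published-numbers variant of slide 57, as an added example that is not from the slides. p = 2^127 − 1 and g = 3 are toy parameters chosen only so the code runs self-contained (real deployments use standardized groups of at least 2048 bits); the algebra shown does not depend on that choice. Names are this example's own.

```python
"""Diffie-Hellman as described on the slides: the honest exchange, the
man-in-the-middle against the unauthenticated version, and the published
numbers (static) variant. Added example; toy parameters, not for real use."""
import random

P = (1 << 127) - 1                  # prime p (toy; real use: a standardized >= 2048-bit group)
G = 3                               # g < p (assumption: any g works for the algebra shown)


class Principal:
    def __init__(self, name, rng=random):
        self.name = name
        self.secret = rng.randrange(2, P - 1)          # S_X, never sent
        self.public = pow(G, self.secret, P)           # T_X = g^S_X mod p

    def shared_key(self, other_public):
        """g^(S_other * S_self) mod p = (T_other)^S_self mod p."""
        return pow(other_public, self.secret, P)


def honest_exchange(a, b):
    """A sends T_A, B sends T_B; each raises the other's value to its own secret."""
    return a.shared_key(b.public), b.shared_key(a.public)


def man_in_the_middle(a, b, c):
    """C replaces both public values with its own: A and C share g^(S_A S_C),
    C and B share g^(S_C S_B), and A still believes its peer is B."""
    msg_a_to_b = (a.name, a.public)                    # [sender id A, g^S_A]
    msg_b_to_a = (b.name, b.public)                    # [sender id B, g^S_B]
    altered_to_b = (msg_a_to_b[0], c.public)           # C keeps the id, swaps the value
    altered_to_a = (msg_b_to_a[0], c.public)
    return {
        "A": a.shared_key(altered_to_a[1]),
        "B": b.shared_key(altered_to_b[1]),
        "C_with_A": c.shared_key(msg_a_to_b[1]),
        "C_with_B": c.shared_key(msg_b_to_a[1]),
        "A_thinks_peer_is": altered_to_a[0],
    }


def published_numbers_key(a, b_public_from_pki):
    """Slide 57: with (X, g, p, g^S_X mod p) published, A derives the key with B
    without any handshake; B derives the same key from A's published value."""
    return a.shared_key(b_public_from_pki)


def demo(seed=2009):
    """Run all three scenarios with seeded secrets; every value should be True."""
    rng = random.Random(seed)
    a, b, c = Principal("A", rng), Principal("B", rng), Principal("C", rng)
    ka, kb = honest_exchange(a, b)
    mitm = man_in_the_middle(a, b, c)
    return {
        "honest_agree": ka == kb,
        "mitm_a_matches_c": mitm["A"] == mitm["C_with_A"],
        "mitm_b_matches_c": mitm["B"] == mitm["C_with_B"],
        "a_and_b_disagree": mitm["A"] != mitm["B"],
        "a_fooled": mitm["A_thinks_peer_is"] == "B",
        "static_dh_agree": published_numbers_key(a, b.public) == published_numbers_key(b, a.public),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The man-in-the-middle function never touches a secret: it only rewrites the two public values in transit, which is all the unauthenticated protocol lets it do and all it needs. Any of the slide 58 fixes works by binding the transmitted g^S value to an identity the attacker cannot forge.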

Slide 60: Zero-knowledge proof systems
  • Allows you to prove that you know a secret without revealing it.
  • RSA is an example (the secret is the private key)
  Graph isomorphism example:
  • "Key" generation:
    ▪ A chooses a large graph (e.g., 500 vertices) GA1.
    ▪ A renames the vertices to produce an isomorphic graph GA2.
    ▪ Graphs GA1 and GA2 are A's "public key".
    ▪ The vertex renaming transforming GA1 to GA2 is A's "private key".
  • A authenticates to B as follows:
    ▪ A sends B a new set of graphs {G1, ···, Gk}, each isomorphic to GA1 (via a fresh random renaming).
    ▪ B randomly divides the graphs into subset 1 and subset 2.
    ▪ B challenges A to provide vertex renamings establishing that every graph in subset 1 is isomorphic to GA1 and every graph in subset 2 is isomorphic to GA2
    ▪ A supplies the vertex renamings, thereby authenticating itself.

Slide 61: Why does it work?
  • Graph isomorphism is (assumed to be) a hard problem: knowing a renaming to GA1 does not help obtain a renaming to GA2.
  • So the renamings could only have been generated by A originally.
  • Unlikely that they were generated by C (having eavesdropped on many previous authentications of A), because the choice of the subsets 1 and 2 is random.

Slide 62: Fiat-Shamir variant
  • Key generation:
    ▪ A's private key: a large random number s
    ▪ A's public key: (n, v), where n is the product of two large primes (as in RSA) and v is s^2 mod-n (so only A knows a square root mod-n of v)
  • Authentication:
    ▪ A chooses k random numbers, r1, ···, rk
    ▪ A sends r1^2 mod-n, ···, rk^2 mod-n to B
    ▪ B randomly splits these into subset 1 and subset 2, and informs A
    ▪ A sends s·ri mod-n for each ri^2 mod-n in subset 1, and ri mod-n for each ri^2 mod-n in subset 2
    ▪ B checks whether
        for each entry in subset 1: (reply_i)^2 = v·ri^2 mod-n
        for each entry in subset 2: (reply_i)^2 = ri^2 mod-n
      If so, A is authenticated

Slide 63: Why does it work?
  • Finding square roots mod-n is at least as hard as factoring n.
  • Knowing s·ri mod-n does not help obtain ri mod-n, and vice versa (but knowing both for the same i would reveal s, which is why each ri is used for only one of the two reply types).
  • So the replies could only have been generated by A originally.
  • Unlikely that they were generated by C (having eavesdropped on many previous authentications of A), because the choice of the subsets 1 and 2 is random.

Slide 64: Zero-knowledge signatures
  • A zero-knowledge system can be transformed to a public key signature, but performance is poor.
  • Note that authentication is interactive but a signature is not.
  • Trick: use a hash to provide a "random" choice of subset 1 and subset 2.
    ▪ Suppose the hash function chosen provides a k-bit hash (e.g., k = 128).
    ▪ A chooses k random numbers, r1, ···, rk
    ▪ A forms msg = [data to be signed | r1^2 mod-n, ···, rk^2 mod-n]
    ▪ A obtains the hash of msg, and provides a reply vector in which the 1's in the hash correspond to subset 1 and the 0's correspond to subset 2:
        if hash bit i is 1 then the reply vector has s·ri mod-n in position i
        if hash bit i is 0 then the reply vector has ri mod-n in position i
  • Why does it work? Forging a signature on a message requires having both possible replies for all the ri's.