Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction - PowerPoint PPT Presentation

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal Signature Scheme, Cryptography in Practice: Random Number Odds and Ends on Public Key Crypto 2 Generation, Key Management Cryptography in Real Life 3 Random Number Generation Renate Scheidler 4 Where are we at? Department of Mathematics & Statistics 5 Department of Computer Science University of Calgary Key Management 6 Key Distribution Centres Week 11 Public-Key Infrastructures ID-Based Cryptography Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 1 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 2 / 53 ElGamal Signature Scheme ElGamal Signature Scheme The El Gamal Signature Scheme Signing and Verifying A signs a message M ∈ { 0 , 1 } ∗ as follows: The El Gamal signature scheme is a variation of the El Gamal PKC (same 1985 paper). Security considerations are the same. 1 Selects a random integer k ∈ Z ∗ p − 1 . 2 Computes r ≡ g k (mod p ), 0 ≤ r < p . A produces her public and private keys as follows: 3 Solves ks ≡ H ( M � r ) − xr (mod p − 1) for s ∈ Z ∗ 1 Selects a large prime p and a primitive root g of p . p − 1 4 A’s signature is the pair ( r , s ) . 2 Randomly selects x such that 0 < x < p − 1 and computes y ≡ g x (mod p ) . B verifies A’s signature ( r , s ) as follows: 1 Obtains A’s authentic public key ( p , g , y ) . Public key: ( p , g , y ) Private key: { x } 2 Computes v 1 ≡ y r r s (mod p ) and v 2 ≡ g H ( M � r ) (mod p ) . 3 Accepts the signature if and only if r < p and v 1 = v 2 . A also fixes a public cryptographic hash function H : { 0 , 1 } ∗ �→ Z p − 1 . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 3 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 4 / 53

ElGamal Signature Scheme ElGamal Signature Scheme Proof of Correctness Solving General Linear Congruences For signature generation step 3, we need to solve the congruence (mod p − 1) for s ∈ Z ∗ ks ≡ H ( M � r ) − xr p − 1 . Proof of correctness. Note that ks + rx ≡ H ( M , r ) (mod p − 1). If the signature ( r , s ) to More generally, we want to solve a linear congruence of the form message M is valid, then aX ≡ b (mod m ) v 1 ≡ y r r s for X ∈ Z ∗ m , with m ∈ N , a ∈ Z ∗ m and b ∈ Z m . ≡ ( g x ) r ( g k ) s ≡ g xr + ks We already saw how to do this for b = 1; that’s just finding modular inverses. = g H ( M � r ) ≡ v 2 (mod p ) . To solve aX ≡ b (mod m ) for X , first solve aZ ≡ 1 (mod m ) for Z using the Extended Euclidean Algorithm. Then X ≡ bZ (mod m ) as aX ≡ a ( bZ ) ≡ ( aZ ) b ≡ 1 · b ≡ b (mod m ) . Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 5 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 6 / 53 ElGamal Signature Scheme ElGamal Signature Scheme ElGamal Example: Set-Up ElGamal Example: Signature Generation Suppose Alice wishes to sign the message M = “Hi there” . She selects k = 213; note that gcd(213 , 466) = 1. Binary exponentiation yields r ≡ 2 213 ≡ 29 (mod 467). Let p = 467, and set g = 2 which is a primitive root modulo 467. Choose the secret key x = 127. Suppose our hash function yields H (“Hi there” � 29) = 100. Using binary exponentiation, one obtains y ≡ 2 127 ≡ 132 (mod 467). Alice needs to solve So consider an ElGamal user Alice with 213 s ≡ 100 − 127 · 29 ≡ 145 (mod 466) . public key (467 , 2 , 132) private key { 127 } . First solve 213 z ≡ 1 (mod 466) for z using the Extended Euclidean Algorithm, obtaining z ≡ 431 (mod 466). Then s ≡ 145 · 431 ≡ 51 (mod 466). The signature to “Hi there” is ( r , s ) = (29 , 51). Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 7 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 8 / 53

ElGamal Signature Scheme ElGamal Signature Scheme ElGamal Example: Signature Verification Security of ElGamal Signatures ElGamal is GMR-secure in the ROM assuming that H takes on random values and computing discrete logarithms modulo p is hard. Formally, one shows that the DLP reduces to existential forgery, i.e. that an algorithm for producing existential forgeries can be used To verify this signature, first note that r = 29 < 467. Then compute to solve the DLP. v 1 ≡ 132 29 · 29 51 ≡ 189 (mod 467) If H ( M � r ) is replaced by H ( M ) in step 3 of the signature generation, then a universal forgery attack is possible. and v 2 ≡ 2 100 ≡ 189 (mod 467). So v 1 = v 2 = 189. More exactly, if an attacker intercepts a signature ( r , s ) to a message m , he can forge a signature ( R , S ) to an arbitrary message M . The resulting R satisfies 0 ≤ R ≤ p ( p − 1). This attack can be foiled by verifying that r < p and rejecting signatures where r exceeds p . Better to include r in the hash though. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 9 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 10 / 53 ElGamal Signature Scheme ElGamal Signature Scheme Security of ElGamal Signatures, cont. Other DLP Based Signature Schemes Digital Signature Algorithm (DSA) — variation of ElGamal with short signatures, standardized by NIST in 1994 under the name Digital The public parameter g must be chosen verifiably at random (eg. publish Signature Standard (FIPS 186) PRNG, seed, and algorithm used) in order to ensure that g is a primitive Feige-Fiat-Shamir — security based on computing square roots root of p modulo pq Guillou-Quisquater — security based on the RSA problem of If the same value of k is used to sign two messages, k and the private key computing e -th roots modulo pq x can be computed with high probability. A description of DSA can be found on the “handouts” page and in Section 8.4.2 of Stinson-Paterson. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 11 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 12 / 53

Odds and Ends on Public Key Crypto Odds and Ends on Public Key Crypto Elliptic Curve Cryptography Quantum Resistant Cryptography AKA post-quantum cryptography Proposed in 1985 independently by N. Koblitz and V. Miller We have elliptic curve versions of Diffie-Hellman, El Gamal All PKCs currently in use can be broken on a quantum computer: encryption, El Gamal signatures/DSA and others (no RSA though) Shor’s algorithm (1997) is an efficient quantum algorithm for integer Very strong setting for public key cryptography: factorization; also extracts discrete logs and elliptic curve discrete logs Fast arithmetic (addition of points) Very secure: DLP seems to be much harder than the DLP in Z ∗ NIST is currently running a post-quantum crypto competition for public p Very small keys (e.g. compared to RSA) key encryption, key agreement and signature schemes; see http://csrc.nist.gov/groups/ST/post-quantum-crypto NIST’s Recommendations for security level bit sizes (SP 800-57 part 1): Five main underlying mathematical frameworks: Security level (block cipher) 80 112 128 192 256 Lattices (also used in homomorphic encryption , e.g. cloud computing) Hash function size 160 224 256 384 512 Codes Elliptic curve group size 160 224 256 384 512 Hash functions RSA modulus 1024 2048 3072 8192 15360 Isogenies on supersingular elliptic curves Binary multivariate equations (“Oil & Vinegar”) Gray security levels now obsolete, considered too small. Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 13 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 14 / 53 Odds and Ends on Public Key Crypto Cryptography in Real Life Quantum Cryptography Crypto — From Drawing Board to Real Life Quantum cryptography designs and analyzes cryptographic schemes whose security resides in the laws of quantum mechanics (e.g. Heisenberg’s End User uncertainty principle), rather than some computationally difficult math Administration problem Implementation Can do information theoretically secure cryptographic key agreement (Bennett & Brassard 1984) – current distance records around 400 km Cryptographic Protocol Difficult to implement (signal degradation) and susceptible to physical Cryptographic Primitive attacks Unknown how to do authentication Most real-life problems happen at the top three levels. Stay tuned for more on quantum computing (Shor’s algorithm) and quantum crypto in Janet’s lecture on Wednesday April 15. We need to start thinking about practical cryptography ! Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 15 / 53 Renate Scheidler (University of Calgary) CPSC 418/MATH 318 Week 11 16 / 53