introduction to modern cryptography benny chorbchor/crypto07/crypto8.pdf · introduction to modern...
TRANSCRIPT
![Page 1: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/1.jpg)
Introduction to Modern Cryptography
Benny Chor
RSA: Review and PropertiesFactoring Algorithms
Trapdoor One Way FunctionsPKC Based on Discrete Logs (Elgamal)
Signature Schemes
Lecture 8
Tel-Aviv University
4 March 2008 (slightly revised 22 March)
![Page 2: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/2.jpg)
Square Roots of 1 Z∗pq (reminder)
• in Z∗p , 1 has two square roots: 1 and p− 1.
• in Z∗q , 1 has two square roots: 1 and q − 1.
• What about the square roots of 1 in Z∗pq?
• y2 = 1 (mod pq) iff y2 = 1 (mod p) and y2 = 1 (mod q).
• So y = ±1 (mod p) and y = ±1 (mod q).
• This gives rise to four systems of modular equations
1. y = 1 (mod p) and y = 1 (mod q).2. y = −1 (mod p) and y = −1 (mod q).3. y = 1 (mod p) and y = −1 (mod q).4. y = −1 (mod p) and y = 1 (mod q).
• The solution to (1) is y1 = 1.
• The solution to (2) is y2 = pq − 1 = −1 (mod p).
• The solutions to (3) and (4) are obtained using the Chinese remainder
theorem. Denote them by y3 and y4 = pq − y3 = −y3 (mod p).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 3: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/3.jpg)
General Square Roots in Z∗pq
In general, the square roots of z2 are any of the four square roots of 1(mod pq), multiplied by z. Specifically, the four square roots of z2 inZ∗pq are
1. z1 = z,
2. z2 = −z = pq − z,
3. z3 = y3 ·z mod pq,
4. z4 = y4 ·z = −z3 mod pq.
• It is not hard to see that more than four square roots of any ofz2 in Z∗pq imply more than two square roots in Z∗p or in Z∗q , acontradiction.
• Thus every square in Z∗pq has exactly four square roots.
• The mapping x→ x2 mod pq is a four to one mapping.
• So the number of quadratic residues in Z∗pq is (p− 1)(q − 1)/4.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 4: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/4.jpg)
The RSA Public Key Cryptosystem (reminder)
• Bob’s private information: two large primes p, q.
• Public information: Their product, m = p·q. An integer e that isrelatively prime to φ(m) = (p− 1)·(q − 1).
• More private information: An integer d that is relatively prime toφ(m) = (p− 1)·(q − 1) and satisfies d·e = 1 mod φ(m).
• Messages P are elements in Zm, namely numbers in[1, . . . ,m− 1]. Almost surely they are relatively prime to m.
• To encrypt P , compute C = P e (mod m), and send C to Bob.
• To decrypt C, Bob computes Cd = P d·e = P (mod m).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 5: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/5.jpg)
RSA and Factoring
• If Eve could factor pq, she obtains all private information of Bob.
• Hence breaking RSA cannot be harder than factoring.
• How hard is it to compute the secret key, d, from the publicinformation m, e?
• Recall d·e = 1 (mod φ(m)), so d·e− 1 = C ·(p− 1)(q − 1) forsome unknown, positive integer C.
• If Eve can find d, then she can easily computeh = ed− 1 = C(p− 1)(q − 1).
• Note that computing (p− 1)(q − 1) from h = C(p− 1)(q − 1)seems to require factoring.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 6: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/6.jpg)
RSA and Factoring (2)
• Eve holds h = C(p− 1)(q − 1), but not C or (p− 1)(q − 1).
• Miller has shown that under ERH, such multiple C(p− 1)(q − 1)enables factoring m.
• If we are willing to use randomization (a la Rabin), we can dowithout the ERH.
• This may sound mysterious, but in fact you already know this(even though you do not know that you know, etc.).
• Let h = 2k ·r, with r odd.
• Since h is a multiple of (p− 1)(q − 1), for any b ∈ Z∗pq we have
bh = 1 (mod pq).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 7: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/7.jpg)
RSA and Factoring (3)
• Let h = 2k ·r, with r odd.
• Since h is a multiple of (p− 1)(q − 1), for any b ∈ Z∗pq we have
bh = 1 (mod pq).
• We compute the k+ 1 powers of b, bh/2k, bh/2k−1
, . . . , bh, in Z∗pq.
• If for some i, bh/2i 6= ±1 but bh/2i−1= 1, then bh/2i
is a squareroot of 1 that is not ±1.
• In this case gcd(bh/2i ± 1, pq) gives either p or q.
• Such small b can be found under ERH.
• Alternatively, there are many such b’s, so can find one if pickingat random.
• Note that this does not imply that “breaking” RSA is equivalentto factoring – just that recovering d is equivalent to factoring.
• See a small example in Maple (next slide).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 8: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/8.jpg)
RSA and Factoring – Maple example
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 9: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/9.jpg)
Properties (and Weaknesses) of “Textbook RSA”
• Deterministic encryption, thus easy to identify repetitions (likeECB mode encryption).
• RSA is multiplicative: E(P1 ·P2) = E(P1)·E(P2).
• Thus RSA encryption is not a pseudo random function on Zpq.
• It also implies volnurability to chosen ciphertext attacks(whether or not this is a real threat can be debated).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 10: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/10.jpg)
Random Padding (aka ”Salting”) of RSA
• Padding the message by a block of random bits: Suppose thelength of pq is n bits. Use ` bits for the message P , concatenatewith n− ` random bits string, r: E(r ◦P ) = (r ◦P )e (mod pq).
• Padding reduces the information rate, but increases security. Itcan be shown that if n− ` is very large, then padded RSA isresistant to chosen plaintext attack.
• Of course for security to hold, pad must be random. Choosingr = hello world, or any other fixed text, is not a good practice.
• For protection against chosen ciphertext attack, a combinationof fixed and random padding was proposed by RSA labs: Let Pbe a ` bit long message. Pad and encrypt by(00000000 ◦ 00000010 ◦ r ◦ 00000000 ◦ P )e (mod pq).
• Fixed parts of pad intended to foil multiplication attacks.
• Unfortunately, some chosen ciphertext attacks were later found.Still, scheme is being used.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 11: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/11.jpg)
Real World Usage of RSA
(1) Key exchange.
(2) Digital signatures.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 12: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/12.jpg)
RSA as a One Way Trapdor Function
Easy: x −→ xe = y (mod pq) (e is known).
Hard: y −→ yd = x (mod pq) (d is unknown).
Easy with trapdoor information: y −→ yd = x (mod pq)(when d is known).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 13: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/13.jpg)
Trapdor One Way Functions
• Informal Definition: f : D → R is a trap-door one way functionif there is a trap-door s such that:
I Without knowledge of s, the function f is a one way function.I Given s, inverting the function f is easy.
• Example: the function fg,p(x) = gx (mod p) is not a trap-doorone way function.
• Example: RSA is a trap-door one way function.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 14: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/14.jpg)
General Remark on Public Key Cryptosystems
• PKCs are order of magnitude slower than private key systems.Hence used mainly to exchange keys or signing.
• Under suitable complexity assumptions, PKC are secure,provided we can trust the association of keys with users.
• If I were tricked to send a message using what I think is thepublic key of Esau, but Jacob (a well known trickster) is the onethat can decipher it, then I may be in trouble.
Isaac rejecting Esau, by Giotto di Bondone,
13-14th centuries, Assissi, Italy.
• To achieve secure communication without prior physical contact,have to establish (and trust) centers for distributing certificates.
• Will be discussed (soon) under “public key infrastructure”.Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 15: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/15.jpg)
Factoring Algorithms
What is the running time (worst case) of factoring algorithms? Let mbe an n bits composite. Hardest numbers to factor are the product oftwo distinct prime numbers m = pq, where both p− 1 and q− 1 havea large prime factor.A (very partial) list of algorithms:
• Trial division: O(2n/2).
• J.M. Pollard’s rho method: O(2n/4).
• Quadratic sieve algorithm: O(e(n log n)1/2).
• General number sieve algorithm: O(e(7n)1/3·log2 n).
• GNS was introduced by J.M. Pollard in 1988, and later refinedby many well-known players of the computational number theorycommunity.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 16: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/16.jpg)
Factoring Algorithms
• The general number sieve algorithm is considered the fastest ofall published, “general purpose” factoring algorithms. It wasemployed to factor RSA-200, a 663-bit number (200 decimaldigits), on May 2005. The algorithm was implemented on acluster of 80 2.2 GHz Opterons. Execution took three months.
• RSA-200 =
2799783391122132787082946763872260162107044678695542853756000992932612840010760934567105295
5360856061822351910951365788637105954482006576775098580557613579098734950144178863
178946295187237869221823983
Factors =
3532461934402770121272604978198464368671197400197625023649303468776121253679423200058547956528088349
and
7925869954478333033347085841480059687737975857364219960734330341455767872818152135381409304740185467
• We will embark upon a much more modest task: ExplainPollard’s rho method (on the board), implement it on a 2.2 GHzCore 2 Duo MacBook, using Maple, and run it to factor an85-bit number (in approximately two minutes).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 17: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/17.jpg)
Elgamal Public Key Cryptosystem
• We are now going to describe a second PKC, designed by TaherElgamal in 1985 (when he was with Netscape).
• Elgammal PKC is based on the difficulty of finding discrete logsin finite fields, and more specifically on the Diffie and Hellmankey exchange assumption.
• We will start by reviewing Diffie-Hallman, then move to Elgamal.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 18: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/18.jpg)
Diffie and Hellman Key Exchange (reminder)
• Public parameters: A large prime p (1024 bits, say) and aprimitive element g in Z∗p .
• Alice chooses at random an integer a from the interval [0..p− 2].She sends x = ga (mod p) to Bob (over the insecure channel).
• Bob chooses at random an integer b from the interval [0..p− 2].He sends y = gb (mod p) to Alice (over the insecure channel).
• Alice, holding a, computes ya = (gb)a = gba.
• Bob, holding b, computes xb = (ga)b = gba.
• Now both have the shared secret, gba.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 19: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/19.jpg)
Elgamal PKC (note resemblance to DH)• Public information: A large prime p, where p− 1 has a known
factorization and a large prime factor. Recommended to takep = 2q + 1, where q is also a prime, and p is 756 or 1024 bitslong.
I A multiplicative generator g of Z∗pI Bob publishes p, g.I Bob picks a ∈ [0..p− 2] at random.I Bob computes and publishes β = ga (mod p).
• Bob’s private information: a.• Encryption: of the message m:
I Alice picks k ∈ [0..p− 2] at random.I Alice computes gk (mod p), mβk (mod p).I Alice sends E(m) = (gk,m·βk) to Bob.
(βk “masks” m; k obviously is not made public).
• Decryption of (gk,m·βk) = (c1, c2):I Bob computes ca1 = (gk)a = (ga)k = βk (mod p).I This enables Bob to compute the multiplicative inverse of βk
mod p, β−k (even though he does not know k).I Bob now computes β−k ·c2 = m. ♠
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 20: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/20.jpg)
Properties of Elgamal Public Key Cryptosystem
• Encryption is randomized: m→ (gk,mβk).
• Alice should use a new, independent k for every encryption.
• Even if same m is sent twice, different k must be used.
• Encryption takes two modular exponentiations.
• Decryption takes one modular exponentiation.
• Ciphertext, (gk,mβk), is twice as long as plaintext m.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 21: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/21.jpg)
Properties of Elgamal Public Key Cryptosystem (2)
• Cryptosystem is vulnerable to chosen ciphertext attacks.
• Given E(m) = (c1, c2) = (gk,mβk),
• Attacker chooses a random s, computes (c1, s·c2) = (gk, s·mβk)• Attacker asks for decryption of (c1, s·c2), which equals s·m,
from which m is easily recovered.
• Cryptosystem is multiplicative. GivenE(m) = (c1, c2) = (gk,mβk), E(m′) = (c′1, c
′2) = (gk′ ,m′βk′),
can easily obtain E(m·m′) = (c1c′1, c2c′2) = (gk+k′ ,m·m′βk+k′)
(without knowing any secret information).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 22: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/22.jpg)
Does DH Key Exchange Hide All Partial Information?(reminder)
• From ga and gb, Eve could easily deduce if a and b are even orodd. The exponent arithmetic is done modulo p− 1, which iseven.
• If both a and b are odd, then ab (mod p− 1) is odd too, andgba is not a QR. If a, b, or both are even, then ab (mod p− 1)is even, so gba is a QR.
• Thus in (this original version) of DH key exchange, does leaksome partial information – specifically the QR bit of the key gba.
• Same type of partial information is leaked in Elgammalencryption.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 23: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/23.jpg)
Does Elgamal Encryption Hides All Partial Information?(reminder)
• From β = ga, Eve could easily deduce if a is even or odd.
• From gk, Eve could easily deduce if k is even or odd.
• If both a and k are odd, then ak (mod p− 1) is odd too, andβk = gak is not a QR. If a, b, or both are even, then ab(mod p− 1) is even, so gak is a QR.
• Thus from mβk = mgak, Eve can deduce if m is a QR or not aQR.
• So this type of partial information is leaked in Elgammalencryption as well. ♠
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 24: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/24.jpg)
Restricting the Message Space
• Standard fix for DH key exchange to this partial informationleakage problem: p is chosen to be of the form p = 2q + 1,where q is a prime.
• Instead of working in Z∗p , work with QR, the quadratic residuesof Z∗p .
• QR is a cyclic group with exactly q elements.
• Instead of working with a multiplicative generator g of Z∗p , workwith a multiplicative generator h of QR, the quadratic residuesof Z∗p .
• An identical fix is applicable to Elgamal PKC.
• Alice should now encode messages as quadratic residues.
• Encoding messages as QR elements is easiest if −1 is not a QRin Z∗p . We omit the details.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 25: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/25.jpg)
Signatures
http://lacourphoto.net/uploaded images/signatures1-770492.jpg
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 26: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/26.jpg)
Hand Written Signatures
• Relate an individual, through a handwritten signature, to adocument.
• Signature can be verified against a prior authenticated one,which was signed in person in a bank, in the presence of a publicnotary public, etc.
• Should be hard to forge.
• Are legally binding (convince a third party, e.g. a judge).
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes
![Page 27: Introduction to Modern Cryptography Benny Chorbchor/crypto07/Crypto8.pdf · Introduction to Modern Cryptography Benny Chor RSA: Review and Properties Factoring Algorithms Trapdoor](https://reader030.vdocument.in/reader030/viewer/2022040816/5e5fa217454b097ef233f695/html5/thumbnails/27.jpg)
Digital Signature Schemes
• Would like to achieve all features of hand written signatures,plus more.
• For example, should be able to base difficulty of forgery on somehard computational problem, not just on ineptitude of forger.
• Diffie and Hellman were first to propose such framework.
• To be continued.
Introduction to Modern Cryptography Benny ChorRSA: Review and Properties Factoring Algorithms Trapdoor One Way Functions PKC Based on Discrete Logs (Elgamal) Signature Schemes