EE 418: Network Security and Cryptography Homework 5 Assigned: Wednesday, November 23, 2016, Due: Tuesday, December 6, 2016 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle
Problem 1 Consider the following modification of the Schnorr digital signature scheme. The keys are given by K = (q, ↵, a, �):� ↵a (mod p) where (q, ↵,�) comprise the public key and a is the private key. Given a message{ x, we compute⌘ the signature} of x to be
� = x ↵k (mod q) ⇥ � = k + a� (mod q) (1)
where k is a randomly chosen number. In other words, we start with the standard Schnorr scheme and then use multiplication rather than a hash for �. How is verification done using this revised scheme?
Solution: To verify a signature generated using this Modified Schnorr Signature scheme, we exponentiate � � 1 ↵ , and check whether the obtained result is equal to � � x� ,: · · � � 1 ↵ = � � x� (2) · · Let’s analyze ↵�, to show that the proposed verification scheme is indeed valid:
� k+↵� k a� k a � k � 1 � ↵ = ↵ = ↵ ↵ = ↵ (↵ ) = ↵ � = � x� � (3) · · · · k 1 Expression ↵ = � x� comes from equation (1), and is valid because q is a prime number. ·
Problem 2 Consider the following digital signature scheme. The public key is given by (q, ↵,�), where q is a prime number, ↵ is a primitive root of q, and � is an integer satisfying � 1 Solution: (a) In order to show that the verification process in the proposed scheme produces an equality if the signature is valid, let’s analyze the expression (↵z)y: (↵z)y (mod q)=↵yz (mod q) a+�(q 1) a �(q 1) = ↵ � (mod q)=↵ ↵ � (mod q) (4) · a q 1 � = ↵ ↵ � (mod q) a · = ↵ �(mod�q)=� (5) Equation (4) comes from using the remainder theorem to express the fact that yz a (mod q 1) and equation (5) from using the Fermat’s Little theorem, which states that x�(p) 1(mod⌘ p), where� p is a prime number. ⌘ (b) To show that the proposed signature scheme is not valid, we need to show that an attacker can forge a signature for some arbitrary messagem ˆ . After choosing a messagem ˆ , an attacker first computes the hash of such a messagey ˆ = h(ˆm). His 1 next step is to compute the multiplicative inverse of the obtained hashy ˆ� (mod q). Due to the fact 1 that q is a prime number, such an inverse will always exist. An attacker then outputs (m, ˆ �yˆ� ) as his message-signature pair. Obtained signature will pass the verification test, since: 1 yˆ 1 �yˆ� (mod q)=�yˆ� yˆ (mod q)=� (mod q) (6) ⇣ ⌘ Equation (6) proves that an attacker is able to forge a valid signature for an arbitrary message. Therefore, the proposed signature scheme is not valid. Problem 3 (Stinson 7.2) Suppose I implement the ElGamal Signature Scheme with p = 31847, ↵ = 5 and � = 26379. Write a computer program which does the following: (a) Verify the signature (20679, 11082) on the message x = 20543. (b) Determine my private key, a, by solving an instance of the Discrete Logarithm problem. (c) Then determine the random value k used in signing the message x, without solving an instance of the DiscreteLogarithm problem. 2 Solution: (a) A Matlab function that verifies the signature of some message x, signed using ElGamal Signature Scheme is called ElGamal signatureVerification, and its code is given below. Using the provided Matlab function, we verify the signature (�,�) = (20679, 11082) of the message x = 20543, signed with the ElGamal Signature Scheme with public keys given as p = 31847,↵ =5,� = 26379. We obtain ↵x = 20688, �� = 12575, �� = 21455 and finally �� �� = 20688. Therefore we conclude that a given signature is valid for the message x. · (b) Matlab function that computes a private key a, given a public key (p, ↵,�) is called shanks, and its code is given below. The provided function solves an instance of the discrete logarithm problem a = log↵ = � using the Shanks algorithm. For the public key (p = 31847,↵=5,� = 26379), we obtain a = 7973. (c) Function that finds a random number k, 1 k p 1, used in generating an ElGamal signa- ture of a message m without solving an instance of a� discrete logarithm problem is called ElGa- mal findRandom, and its code given below as well. Using the provided function on message x = 20543, whose signature is given as (�,�) = (20679, 11082), with parameters of the ElGamal Signature Scheme p = 31847, ↵ = 5, � = 26379 and private key a = 7973, we obtain k = 19387. 1 function [verified] = ElGamal signatureVerification(p, alpha , beta ,message, gamma ,delta) %ElGamal signatureVerification verifies the signature of the message , %signed using ElGamal Signature �Scheme %INPUTS : 6 %1. (p , alpha , beta) public key in the ElGama public key scheme %2. message � %3. (gamma , delta) signature of the message %OUTPUTS : � %1. verified returns ’ verified ’ if the signature is valid , ’ invalid � 11 %signature ’ otherwise verified = ’ Invalid signature ’ ; %%Verification 16 alpha x=squareand multiply(alpha , message , p) ; beta gamma = square and multiply(beta , gamma ,p); gamma delta = square and multiply(gamma ,delta,p); ver aux = mod(beta gamma gamma delta , p) ; ⇤ 21 if(ver aux == alpha x) verified = ’ Verified ’ ; end 1 function [a] = shanks(alpha, beta ,n) %Shanks solves a discrete logarithm a = log alpha( beta) (mod n ) problem %using shanks� algorithm . %INPUTS : %1. alpha basis � 6 %2. beta exponent %3. n = phi� ( p ) = (p 1) , where p is a prime number %OUTPUT : � %1. a solution of the discrete logarithm problem � 11 %%Initialization a=0; m= ceil( sqrt(n)) ; 16 %Auxiliary calculation : alphaˆm (mod n ) x=squareand multiply(alpha , (m), (n + 1)) ; 3 %First list for j=1:m 21 L1 unsorted(j , :) = [ j , square and multiply(x, j 1, (n + 1) ) ] ; end � L1 = sortrows ( L1 unsorted , 2) ; 26 for j=1:m L2 aux = square and multiply(alpha , j 1, (n + 1)) ; [r, inverse , t] = extendedEuclidean(L2� aux , (n + 1) ) ; L2 unsorted(j , :) = [ j , square and multiply(beta inverse , 1, (n + 1)) ]; end ⇤ 31 L2 = sortrows ( L2 unsorted , 2) ; %%Finding the pair with identical second coordinate for j=1:m 36 for i=1:m if(L1(j , 2) == L2(i , 2)) a=mod((m(L1(j , 1) 1) + (L2( i , 1) 1)) , n) ; break ; ⇤ � � end 41 end end function [k] = ElGamal findRandomK(p , alpha , beta ,a,message,gamma ,delta) %ElGamal findRandomK given private key , function finds random parameter k , used in signing � 3 %message x using ElGamal Signature Scheme without solving an instance of %Discrete Logarithm problem %INPTUS : %1. (p , alpha , beta) public key %2. a private key � � 8 %3. message signed message %4. (gamma , �delta) signature of message %OUTPUT : � %1. k random parameter k � 13 % m = a gamma k delta (mod (p 1)) > k = (m a gamma) deltaˆ( 1)(mod (p 1)⇤) � ⇤ � �� � ⇤ ⇤ � � k=0; aux = mod(( message a gamma), (p 1)) ; � ⇤ � 18 % Check gcd ( delta , (p 1)) if ( gcd(delta , (p 1)) ==� 1) [r, inverse delta� , t] = extendedEuclidean(delta , (p 1)) ; k=mod((aux inverse delta) , (p 1)) � ⇤ � 23 else d=gcd(delta , (p 1)) ; delta prime = delta/d;� p prime = (p 1)/d ; m prime = aux/d;� 28 [r, inverse , t] = extendedEuclidean(delta prime , p prime) ; k prime = mod((m prime inverse) , p prime) ; ⇤ for i=1:d 33 k=kprime + i p prime ; beta aux = square⇤ and multiply(alpha , k, p) if(beta aux == gamma) break ; end 38 end 4 end Problem 4 (Stinson, Problem 7.3) Suppose that Alice is using the ElGamal Signature Scheme. In order to save time in generating the random numbers k that are used in signing messages, Alice chooses an initial random value k0 and then signs the i-th message using the value ki = k0 +2i (mod (p 1)) (therefore ki = ki 1 +2 (mod(p 1)) for all i 1). � � � � (a) Suppose that Bob observes two consecutive signed messages, say (xi, sig(xi,ki)) and xi+1,sig(xi+1,ki+1). Describe how Bob can easily compute Alice’s secret key, a, given this information, without solving an instance of the Discrete Logarithm problem. (Note that the value of i does not have to be known for the attack to succeed.) (b) Suppose that the parameters of the scheme are p = 28703, ↵ = 5 and � = 11339 and two messages observed by Bob are: xi = 12000, sig(xi,ki) = (26530, 19862) xi+1 = 24567, sig(xi+1,ki+1) = (3081, 7604) Find the value of a using the attack described in part (a). 5 Solution: (a) (a) To show how Bob can easily compute Alice’s private key a, let’s recall the ElGamal Signature Scheme: � = ↵k (mod p) 1 � =(m a�)k� (mod (p 1)) (7) � � Since k = k +2 (mod(p 1)), using the remainder theorem, we can write: 2 1 � k = k +2+�(p 1) (8) 2 1 � After receiving two consecutive pairs message-signature from Alice, Bob can therefore write: k1 �1 = ↵ (mod p) 1 � =(m a� )k� (mod (p 1)) (9) 1 1 � 1 1 � � k k +2+�(p 1) 2 k (p 1) 2 k � = ↵ 2 (mod p)=↵ 1 � (mod p)=↵ ↵ 1 ↵ � (mod p)=↵ ↵ 1 (mod p) 2 · · · 1 � =(m a� )k� (mod (p 1)) ⇣ ⌘ (10) 2 2 � 2 2 � From equation (9), after multiplication with k , it follows that a� = m � k . Using obtained 1 1 1 � 1 1 expression for a�1, equation (10) can be rewritten as: � k =(m a� )(mod(p 1)) 2 2 2 � 2 � � (k + 2) = (m a↵2� )(mod(p 1)) 2 1 2 � 1 � � (k + 2) = (m ↵2[m k � ]) (mod (p 1)) 2 1 2 � 1 � 1 1 � k (� ↵2� )=(m ↵2m 2� )(mod(p 1)) (11) 1 2 � 1 2 � 1 � 2 � From equation (11), Bob obtains the value of k1 in the following way: he first checks whether gcd((�2 2 2 � ↵ �1), (p 1)) = 1. If that is the case, then the multiplicative inverse of (�2 ↵ �1)(mod(p 1)) exists, � � � 2 and Bob finds k1 simply by multiplying equation (11) with the multiplicative inverse of (�2 ↵ �1) (mod (p 1)). � � 2 2 2 Otherwise, Bob divides (p 1), (�2 ↵ �1) and (m2 ↵ m1 2�2) by gcd((�2 ↵ �1), (p 1)) = d, d > 1, and obtains the following� equation:� � � � � (� ↵2� ) (m ↵2m 2� ) (p 1) k 2 � 1 = 2 � 1 � 2 (mod � ) (12) 1 d d d 2 (�2 ↵ �1) p 1 which he then solves for k10 by multiplying it with the multiplicative inverse of �d (mod �d ). Random parameter k1 is therefore found as: p 1 k = k0 + i( � )(modp), 0 i d (13) 1 1 d k1 Bob next finds a unique value of k1 by finding i for which �1 = ↵ . Once Bob has obtained k1, he finds Alice’s private key from equation: a� =(m � k )(mod(p 1)) (14) 1 1 � 1 1 � Similar to the case of k1, Bob again checks whether d = gcd(�1, (p 1)) = 1. If d = 1, he finds Alice’s private key by multiplying equation (14) with the multiplicative inverse� of � (mod (p 1)). 1 � 6 Solution: If d>1, Bob divides � , (p 1) and (m � k )withd and obtains the following equation: 1 � 1 � 1 1 � (m � k ) (p 1) a 1 = 1 � 1 1 (mod � ) (15) d d d �1 p 1 He then obtains a by multiplying equation (15) with the multiplicative inverse of d (mod �d ). Finally, he obtains Alice’s private key a as follows: p 1 a = a0 + i � , 0 i d (16) d A unique solution for a is obtained by finding i such that � = ↵a. (b) A Matlab function that finds Alice’s private key, after obtaining two consecutive message-signature pairs from Alice is called ElGamal findingPrivateKey, and its code is given below. 1 function [a, k] = ElGamal findingPrivateKey(p, alpha , beta ,m1,m2,gamma1,delta1,gamma2, delta2) %ElGamal findingPrivate Key function finds a private key used to sign %two different messages m1 and� m2 , signed using ElGamal Signature Scheme , %where secret random parameter k is generated by the following equation : % k ( i +1) = k ( i ) + 2 (mod (p 1)) � 6 %INPUTS : %1. (p , alpha , beta) public key %2. m1 , m2 messages� %3. (gamma1�, delta1) signature of the first message %4. (gamma2 , delta2) � signature of the second message � 11 %OUTPUTS : %1. a private key %2. k � private ( random) number k � 16 %IDEA : %k i [ delta ( i +1) delta i alpha ˆ2] = x ( i +1) x i alphaˆ2 2 delta ( i +1) � ⇤ ⇤ � ⇤ a=0; k=0; 21 %% Init a=0; k=0; 26 delta = mod(( delta2 alpha alpha delta1) , (p 1)) ; m=mod((m2 alpha �alpha m1⇤ 2 ⇤delta2) , (p �1)) ; � ⇤ ⇤ � ⇤ � d=gcd(delta , (p 1)) ; � 31 %Check gcd (( delta ( i +1) delta i alphaˆ2) , p 1) if(d == 1) � ⇤ � [r, inverse , t] = extendedEuclidean(delta, (p 1)) ; k=mod(minverse , (p 1)) ; � else ⇤ � 36 p prime = (p 1)/d ; delta prime =� delta/d; m prime = m/d; [r, inverse , t] = extendedEuclidean(delta prime , (p 1)) ; � 41 k prime = mod((m prime inverse) , p prime) ; ⇤ for i=0:d k=kprime + i p prime ; ⇤ 46 gamma1 aux = square and multiply(alpha , k, p) ; 7 if(gamma1 aux == gamma1) break ; end end 51 end %Finding secret key %IDEA : a gamma i = x i k i delta i ⇤ � ⇤ 56 %Check gcd( gamma i , p 1) d=gcd(gamma1, p 1) ; � if(d == 1) � [r, inverse , t] = extendedEucliedan(gamma1, (p 1)) ; a=mod((inverse (m1 k delta1)) , (p 1)) ; � ⇤ � ⇤ � 61 else p prime = (p 1)/d ; x prime = (m1� k delta1)/d; gamma prime =� gamma1/d⇤ ; 66 [r, inverse , t] = extendedEuclidean(gamma prime , p prime) ; a prime = mod(( x prime inverse) , p prime) ; ⇤ for i=0:d 71 a=aprime + i p prime ; beta aux = square⇤ and multiply(alpha , a, p) if(beta aux == beta) break ; end 76 end end Problem 5 (Stinson, Problem 7.5) (a) A signature in the ElGamal Signature Scheme or the DSA is not allowed to have � = 0. Show that if a messages were signed with a “signature” in which � = 0, it would be easy for an adversary to compute the secret key, a. (b) A signature in the DSA is not allowed ti have � =0. Show that if a “signature” in which � =0isknown, then the value of k used in that “signature” can be determined. Given that value of k, show that it is now possible to forge a signature for any desired message (i.e. selective forgery can be carried out.) 8 Solution: (a) ElGamal Signature Scheme In the ElGamal Signature Scheme, a signature of a message x is defined by the following set of equations: � = ↵k (mod p) 1 � =(x a�)k� (mod (p 1)) � � signK (x, k)=(�,�) (17) If, for a message x, we obtain signature (�,0), then it follows: 1 � =(x a�)k� (mod q) 0(mod(p 1)) (18) � ⌘ � Equation (18) is satisfied when: 1 (p 1) k� or � | (p 1) (x a�) (19) � | � 1 1 If the first condition is satisfied, i.e. (p 1) k� ,thenk� would not be a valid multiplicative inverse � | of k (mod (p 1)), since there does not exist an integer k Zp 1 such that k 0=1(mod(p 1)). We therefore only� consider the second condition, when (p 21) (x� a�). · � � | � In order to find the private key a, we use the reminder theorem to rewrite the given condition as follows: x a� = µ(p 1),µ Z (20) � � 2 Equation (20) can be rewritten as follows: 1 a =(x µ(p 1))�� ,µ Z (21) � � 2 From equation (21), a unique private key a is found by finding µ such that ↵a = �. DSA In DSA, a signature of a message x is defined by the following set of equations: � =(↵k (mod p)) (mod q) 1 � = (SHA-1(x)+a�)k� (mod q) signK (x, k)=(�,�) (22) If, for a message x, we obtain the signature (�,0), then it follows: 1 (SHA-1(x)+a�)k� 0(modq) (23) ⌘ Equation (23) is satisfied when: 1 q k� or | q (SHA-1(x)+a�) (24) | 1 1 Similarly to the case of the ElGamal Signature Scheme, if q k� ,thenk� would not be a valid | multiplicative inverse of k (mod q), since there does not exist an integer k Zq such that k 0=1 (mod q). We therefore only consider the second condition, when q (SHA-1(x)+2 a�). Again, using· the remainder theorem, given condition can be rewritten as: | (SHA-1(x)+a�)=µq (25) Equation (25) can be rewritten as: 1 a =(µq SHA-1(x))�� (26) 9 � A unique private key a is found from equation (26) by finding µ such that ↵a = �. Solution: (b) If a signature of the message x, signed using DSA, is equal to (0,�), then it follows: 0 � =(↵k (mod p)) (mod q) ⌘ 1 � = SHA-1(x)k� (mod q) (27) Equation (27) can be rewritten as: �k = SHA-1(x)(modq) (28) Knowing that q is a prime number, from equation (28), we obtain k as follows: 1 k = �� (SHA-1(x)) (mod q) (29) Now, choosing an arbitrary message y = x, an attacker can calculate SHA-1(y), and use the calculated hash to find a valid signature for the forged6 message: 1 � = SHA-1(y)k� (mod q) (30) New forged signature is equal to (0,�), with � defined by equation (30). A pair (y, (0,�)) represents a valid message-signature pair and proves that an attacker is able to forge a signature for any message of his choice. Problem 6 (Stinson, Problem 7.8) We showed that using the same value k to sign two messages in the ElGamal Signature Scheme allows the scheme to be broken (i.e. an adversary can determine the secret key without solving an instance of the Discrete Logarithm problem). Show how similar attacks can be carried out for the Schnorr Signature Scheme and the DSA scheme. 10 Solution: The Schnorr Signature Scheme If a sender decides to use the same value of k to sign two messages x1 and x2: x : � = h(x ↵k)(modp) 1 1 1|| �1 = k + a�1 (mod q) (31) x : � = h(x ↵k)(modp) 2 2 2|| �2 = k + a�2 (mod q) (32) by combining the equations (31) and (32), we can write: � � = a(� � )(modq) (33) 1 � 2 1 � 2 In order to determine the private key a, we first calculate gcd ((�1 �2),q). If gcd ((�1 �2),q) = 1, and then find the private key using the following equation: � � 1 a =(� � )(� � )� (mod q) (34) 1 � 2 1 � 2 If gcd ((� � ),q)=d, d > 1, we define the following parameters: 1 � 2 �1 �2 �0 = � d �1 �2 �0 = � d q q0 = d (35) and define a new equation: a0�0 = �0 (mod q0) (36) Parameter a0 is now found as: 1 a0 = �0�0� (mod q0) (37) From equation (37), the private key is found as follows: a = a0 + iq0 (mod q), 0 i d 1 (38) � A unique solution of a is found by finding i, such that � = ↵a. DSA If a sender decides to sign two messages x1 and x2 using the same value of the random parameter k: k x1 : � =(↵ (mod p)) (mod q) 1 �1 = (SHA-1(x1)+a�)k� (mod q) (39) k x2 : � =(↵ (mod p)) (mod q) 1 �2 = (SHA-1(x2)+a�)k� (mod q) (40) Combining equations (39) and (40), we can write: (� � )k = SHA-1(x ) SHA-1(x )(modq) (41) 1 � 2 1 � 2 11 Solution: In order to find the private key a, we first compute gcd ((�1 �2),q). If gcd ((�1 �2),q) = 1, and then we find the value of the random parameter k as follows: � � 1 k = [SHA-1(x ) SHA-1(x )](� � )� (mod q) (42) 1 � 2 1 � 2 If gcd ((� � ),q)=d, d > 1, we define the following parameters: 1 � 2 �1 �2 �0 = � d [SHA-1(x1) SHA-1(x2)] x0 = � d q q0 = (43) d and define a new equation: k0�0 = x0 (mod q0) (44) Using parameters (43), we find the solution of k0 as follows: 1 k0 = �0� x0 (mod q0) (45) From equation (45) we find the value of the random parameter k as follows: 1 k = �0� x0 + iq0 (mod q), 0 i (d 1) (46) � We find the private key a using the following equation: �1 = k + a�1 (mod q) (47) Since q is a prime number, from equation (46), we compute a as: 1 a =(� k) �� (mod q) (48) 1 � · 1 12