EE 595 (PMP) Introduction to Security and Privacy Homework 4 Assigned: Monday, February 12, 2017, Due: Sunday, March 5, 2017 Instructor: Tamara Bonaci Department of Electrical Engineering University of Washington, Seattle

Problem 1 Consider the following digital signature scheme. The public key is given by (q, α, β), where q is a prime number, α is a primitive root of q, and β is an integer satisfying β < q. The private key is equal to a, for some positive integer a < q satisfying β ≡ αa (mod q). To sign a message m, compute y = h(m), the hash of the message. Assume that gcd(y, q − 1) = 1 (if this is not the case, append a random string to m and recompute the hash. Repeat the process until a message m is found satisfying gcd(y, q − 1) = 1). Then calculate z such that yz ≡ a (mod (q − 1)). The signature of the message is αz. To verify the signature, a user verifies that β = (αz)y (mod q). Show that the scheme is unacceptable by describing a simple technique for forging a user’s signature on an arbitrary message.

Solution: To show that the proposed signature scheme is not valid, we need to show that an attacker can forge a signature for some arbitrary messagem ˆ . After choosing a messagem ˆ , an attacker first computes the hash of such a messagey ˆ = h(m ˆ ). His next step is to compute the multiplicative inverse of the obtained hashy ˆ−1 (mod q). Due to the fact that q is a prime −1 number, such an inverse will always exist. An attacker then outputs (m, ˆ βyˆ ) as his message-signature pair. Obtained signature will pass the verification test, since:

 −1 yˆ −1 βyˆ (mod q) = βyˆ yˆ (mod q) = β (mod q) (1)

Equation (1) proves that an attacker is able to forge a valid signature for an arbitrary message. Therefore, the proposed signature scheme is not valid.

Problem 2 Suppose that Alice is using the ElGamal Signature Scheme. In order to save time in generating the random numbers k that are used in signing messages, Alice chooses an initial random value k0 and then signs the i-th message using the value ki = k0 + 2i (mod (p − 1)) (therefore ki = ki−1 + 2 (mod (p − 1)) for all i ≥ 1).

(a) Suppose that Bob observes two consecutive signed messages, say (xi, sig(xi, ki)) and xi+1, sig(xi+1, ki+1). Describe how Bob can easily compute Alice’s secret key, a, given this information, without solving an instance of the Discrete Logarithm problem. (Note that the value of i does not have to be known for the attack to succeed.) (b) Suppose that the parameters of the scheme are p = 28703, α = 5 and β = 11339 and two messages observed by Bob are:

xi = 12000, sig(xi, ki) = (26530, 19862)

xi+1 = 24567, sig(xi+1, ki+1) = (3081, 7604)

Find the value of a using the attack described in part (a).

1 Solution:

(a) To show how Bob can easily compute Alice’s private key a, let’s recall the ElGamal Signature Scheme:

γ = αk (mod p) δ = (m − aγ)k−1 (mod (p − 1)) (2)

Since k2 = k1 + 2 (mod (p − 1)), using the remainder theorem, we can write:

k2 = k1 + 2 + λ(p − 1) (3)

After receiving two consecutive pairs message-signature from Alice, Bob can therefore write:

k1 γ1 = α (mod p) −1 δ1 = (m1 − aγ1)k1 (mod (p − 1)) (4)  λ k2 k1+2+λ(p−1) 2 k1 (p−1) 2 k1 γ2 = α (mod p) = α (mod p) = α · α · α (mod p) = α · α (mod p) −1 δ2 = (m2 − aγ2)k2 (mod (p − 1)) (5)

From equation (4), after multiplication with k1, it follows that aγ1 = m1 − δ1k1. Using the obtained expression for aγ1, equation (5) can be rewritten as:

δ2k2 = (m2 − aγ2) (mod (p − 1)) 2 δ2(k1 + 2) = (m2 − aα γ1) (mod (p − 1)) 2 δ2(k1 + 2) = (m2 − α [m1 − k1δ1]) (mod (p − 1)) 2 2 k1(δ2 − α δ1) = (m2 − α m1 − 2δ2) (mod (p − 1)) (6)

From equation (6), Bob obtains the value of k1 in the following way: he first checks whether gcd((δ2 − 2 2 α δ1), (p − 1)) = 1. If that is the case, then the multiplicative inverse of (δ2 − α δ1) (mod (p − 1)) 2 exists, and Bob finds k1 simply by multiplying equation (6) with the multiplicative inverse of (δ2 −α δ1) (mod (p − 1)). 2 2 2 Otherwise, Bob divides (p−1), (δ2 −α δ1) and (m2 −α m1 −2δ2) by gcd((δ2 −α δ1), (p−1)) = d, d > 1, and obtains the following equation:

(δ − α2δ ) (m − α2m − 2δ ) (p − 1) k 2 1 = 2 1 2 (mod ) (7) 1 d d d

2 0 (δ2−α δ1) p−1 which he then solves for k1 by multiplying it with the multiplicative inverse of d (mod d ). Random parameter k1 is therefore found as: p − 1 k = k0 + i( ) (mod p), 0 ≤ i ≤ d (8) 1 1 d

k1 Bob next finds a unique value of k1 by finding i for which γ1 = α .

Once Bob has obtained k1, he finds Alice’s private key from equation:

aγ1 = (m1 − δ1k1) (mod (p − 1)) (9)

Similar to the case of k1, Bob again checks whether d = gcd(γ1, (p − 1)) = 1. If d = 1, he finds Alice’s private key by multiplying equation (9) with the multiplicative inverse of γ1 (mod (p − 1)).

2 Solution:

If d > 1, Bob divides γ1, (p − 1) and (m1 − δ1k1) with d and obtains the following equation:

γ (m − δ k ) (p − 1) a 1 = 1 1 1 (mod ) (10) d d d

γ1 p−1 He then obtains a by multiplying equation (10) with the multiplicative inverse of d (mod d ). Finally, he obtains Alice’s private key a as follows: p − 1 a = a0 + i , 0 ≤ i ≤ d (11) d A unique solution for a is obtained by finding i such that β = αa. (b) A Matlab function that finds Alice’s private key, after obtaining two consecutive message-signature pairs from Alice is called ElGamal findingPrivateKey, and its code is given below.

function [a, k] = ElGamal findingPrivateKey(p, alpha, beta, m1, m2, gamma1, delta1, gamma2, delta2) %ElGamal findingPrivate Key − function findsa private key used to sign %two different messages m1 and m2, signed using ElGamal Signature Scheme, %where secret random parameterk is generated by the following equation: %k (i+1)=k (i)+2(mod(p −1)) %INPUTS: %1.(p, alpha, beta) − public key %2. m1, m2 − messages %3.(gamma1, delta1) − signature of the first message %4.(gamma2, delta2) − signature of the second message %OUTPUTS: %1.a − private key %2.k − private(random) numberk

%IDEA: %k i[delta (i+1) − delta i*alphaˆ2]=x (i+1) x i*alphaˆ2 −2*delta (i+1)

a = 0; k = 0;

%% Init a = 0; k = 0;

delta = mod((delta2 − alpha*alpha*delta1), (p−1)); m = mod((m2 − alpha*alpha*m1 − 2*delta2), (p−1));

d = gcd(delta, (p−1));

%Check gcd((delta (i+1)−delta i*alphaˆ2),p −1) if(d == 1) [r, inverse, t] = extendedEuclidean(delta, (p−1)); k = mod(m*inverse, (p−1)); else p prime = (p−1)/d; delta prime = delta/d; m prime = m/d;

[r, inverse, t] = extendedEuclidean(delta prime, (p−1));

k prime = mod((m prime*inverse), p prime);

for i=0:d k = k prime + i*p prime; gamma1 aux = square and multiply(alpha, k, p);

3 if(gamma1 aux == gamma1) break; end end end

%Finding secret key %IDEA:a *gamma i=x i − k i*delta i

%Check gcd(gamma i,p −1) d = gcd(gamma1, p−1); if(d == 1) [r, inverse, t] = extendedEucliedan(gamma1, (p−1)); a = mod((inverse*(m1 − k*delta1)), (p−1)); else p prime = (p−1)/d; x prime = (m1 − k*delta1)/d; gamma prime = gamma1/d;

[r, inverse, t] = extendedEuclidean(gamma prime, p prime);

a prime = mod((x prime*inverse), p prime);

for i=0:d a = a prime + i*p prime; beta aux = square and multiply(alpha, a, p) if(beta aux == beta) break; end end end

Problem 3 Valentine’s day is approaching, so Edward is writing a love letter to Bella. He would like to make sure that Bella knows with certainty that the beautiful words that she will be reading are from him, and that nobody has altered them en route to Bella. Bella proposes that they use digital signatures to ensure that. More specifically, she proposes that they use one of the possible modifications of the ElGamal digital signature, referred to as the Twilight ElGamal Digital Signatures. The Twilight ElGamal Digital Signatures has the same key generation as the original ElGamal Digital Signature, which means that Bella generates the public key PKA and private key SKA as follows: 1. Bella generates a large prime p and an integer α satisfying 1 ≤ α < (p − 1). Number α must be a primitive element.

2. Bella then generates an integer a with 1 ≤ a < (p − 1), and computes β = αa mod p.

3. Bella’s public key i PKA = (p, α, β), an her private key is SKA = a. Bella publishes PKA, and keeps SKA as a secret.

Edward generates his (public key, private key) pair, (PKE,SKE) in a similar fashion. The Twilight ElGamal Digital Signature differs, however, in the signing and the verification phases.

(a) Assume that Edward generates a random number k such that 1 ≤ k ≤ (p − 2) and gcd (k, p − 1) = 1, and then computes:

r = αk (mod p) s = am + kr (mod p − 1)

4 Show that the verification: αs = (αa)mrr (mod p) is a valid verification procedure. (b) Assume again that Edward generates a random number k such that 1 ≤ k ≤ (p−2) and gcd (k, p − 1) = 1, and then computes:

r = αk (mod p) s = a−1(m − kr) (mod p − 1)

Show that the verification: αm = (αa)srr (mod p) is a valid verification procedure.

Solution: (a) To show that for the proposed Twilight ElGamal Digital Signature verification, given as:

αs = (αa)mrr (mod p) (12)

is a valid verification scheme, let’s start from the definition of r component:

r = αk (mod p) (13)

Combining equations (12) and (13), we can write:

αs = (αa)m(αk)r (mod p) = αamαkr (mod p) = αam+kr (mod p) = αs (mod p) (14)

(b) Again, to show that the proposed Twilight ElGamal Digital Signature verification, given as:

αs = (αa)mrr (mod p) (15)

is a valid verification, let’s recall the definition of components s:

s = a−1(m − kr) (mod p − 1) (16)

Combining equations (15) and (16), we can write:

−1 −1 αm = (αa)a (m−kr)rr (mod p) = (αa·a (m−kr))rr (mod p) = (α(m−kr))rr (mod p) (17)

To make the right-hand side of equation (17) equal to its left-hand side, we next recall the definition of r component: r = αk (mod p) (18) Combining equations (17) and (18), we can now write:

αm = (α(m−kr))(αk)r (mod p) = (α(m−kr))αkr (mod p) = αm−kr+kr (mod p) = αm (mod p) (19)

Problem 4 Bob, Ted, Carol and Alice want to agree on a common key (cryptographic key, that is). They publicly choose a large prime p and a primitive root α. They privately choose numbers b, t, c, a, respectively. Describe a

5 protocol that allows them to securely compute (in doing so, please ignore the man-in-the-middle attack):

K := αbtca (mod p)

Solution: The given problem is the modification of the Diffie-Hellman key exchange problem, in which two communicating parties, Alice and Bob, agree upon a shared secret key, KAB, by doing the following:

• Choose a large prime p and its corresponding primitive root, α,

a • Alice chooses secret integer a and computes a message βa = α (mod p),

b • Similarly, Bob chooses secret integer b and computes a message βb = α (mod p)

• Alice and Bob exchange message βa and βb, and

b a • Upon receiving the corresponding message, both parties can compute the shared secret key as βa = βb , using the secret integer available to them.

When four parties are communicating, messages used to establish the shared secret key Kbcta, are exchanged between the communicating parties in three iterations. In each iteration, the communicating parties are something new getting a step closer to establishing a shared secret key, Kbtca, by obtaining the component α needed so that in the last step each person can raise the received αsomething new to the secret component that they posses in order to get the whole key. The modified protocol proceeds as follows:

• Bob, Ted, Carol and Alice choose a large prime p and its corresponding primitive root, α. • Bob chooses a secret number b, Ted a secret number t, Carol a secret number c, and Alice a secret number a.

• The First Iteration: – Bob sends message αb (mod p) to Ted. – Ted sends message αt (mod p) to Carol. – Carol sends message αc (mod p) to Alice. – Alice sends message αa (mod p) to Bob.

• The Second Iteration: – Bob sends message αba (mod p) to Ted. – Ted sends message αtb (mod p) to Carol. – Carol sends message αct (mod p) to Alice. – Alice sends message αac (mod p) to Bob.

• The Third Iteration: – Bob sends message αbac (mod p) to Ted. – Ted sends message αtba (mod p) to Carol. – Carol sends message αctb (mod p) to Alice. – Alice sends message αact (mod p) to Bob.

• After the third iteration of message, each person obtains the shared secret key by raising the last received message to their own secret number.

6