Homework 5
Assigned: Wednesday, November 23, 2016, Due: Tuesday, December 6, 2016
Instructor: Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle
Problem 1
Consider the following modification of the Schnorr digital signature scheme. The keys are given by $K = \{(q, \alpha, a, \beta) : \beta \equiv \alpha^a \pmod{p}\}$, where $(q, \alpha, \beta)$ comprise the public key and $a$ is the private key. Given a message $x$, we compute the signature of $x$ to be
$$\gamma = x \times \alpha^k \pmod{q}$$
$$\delta = k + a\gamma \pmod{q} \qquad (1)$$
where $k$ is a randomly chosen number. In other words, we start with the standard Schnorr scheme and then use multiplication rather than a hash for $\gamma$. How is verification done using this revised scheme?
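Solution: To verify a signature generated using this Modified Schnorr Signature scheme, we compute $\alpha^\delta$ and check whether the obtained result is equal to $\beta^\gamma \cdot \gamma \cdot x^{-1}$:
$$\alpha^\delta = \beta^\gamma \cdot \gamma \cdot x^{-1} \qquad (2)$$
Let's analyze $\alpha^\delta$ to show that the proposed verification scheme is indeed valid:
$$\alpha^\delta = \alpha^{k + a\gamma} = \alpha^k \cdot \alpha^{a\gamma} = \alpha^k \cdot (\alpha^a)^\gamma = \alpha^k \cdot \beta^\gamma = \beta^\gamma \cdot \gamma \cdot x^{-1} \qquad (3)$$
The expression $\alpha^k = \gamma \cdot x^{-1}$ comes from equation (1), and is valid because $q$ is a prime number.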
Problem 2
Consider the following digital signature scheme. The public key is given by $(q, \alpha, \beta)$, where $q$ is a prime number, $\alpha$ is a primitive root of $q$, and $\beta$ is an integer satisfying $\beta < q$. The private key is equal to $a$, for some positive integer $a < q$ satisfying $\beta \equiv \alpha^a \pmod{q}$.
To sign a message $m$, compute $y = h(m)$, the hash of the message. Assume that $\gcd(y, q-1) = 1$ (if this is not the case, append a random string to $m$ and recompute the hash; repeat the process until a message $m$ is found satisfying $\gcd(y, q-1) = 1$). Then calculate $z$ such that $yz \equiv a \pmod{q-1}$. The signature of the message is $\alpha^z$. To verify the signature, a user verifies that $\beta = (\alpha^z)^y \pmod{q}$.
(a) Show that this scheme works. That is, show that the verification process produces an equality if the signature is valid.
(b) Show that the scheme is unacceptable by describing a simple technique for forging a user's signature on an arbitrary message.
Solution:
(a) In order to show that the verification process in the proposed scheme produces an equality if the signature is valid, let's analyze the expression $(\alpha^z)^y$:
y
(↵z ) (mod q) = ↵yz (mod q)
a+ (q 1)
= ↵ (mod q) = ↵a · ↵ (q 1)
(mod q) (4)
= ↵a · ↵q 1
(mod q)
a
= ↵ (mod q) = (5)
Equation (4) comes from using the remainder theorem to express the fact that $yz \equiv a \pmod{q-1}$, and equation (5) from using Fermat's Little Theorem, which states that $x^{\phi(p)} \equiv 1 \pmod{p}$, where $p$ is a prime number.
(b) To show that the proposed signature scheme is not valid, we need to show that an attacker can forge a signature for some arbitrary message $\hat{m}$.
After choosing a message $\hat{m}$, an attacker first computes the hash of the message, $\hat{y} = h(\hat{m})$. His next step is to compute the multiplicative inverse of the obtained hash, $\hat{y}^{-1} \pmod{q}$. Because $q$ is a prime number, such an inverse will always exist. The attacker then outputs $(\hat{m}, \beta^{\hat{y}^{-1}})$ as his message-signature pair. The obtained signature will pass the verification test, since:
$$\left(\beta^{\hat{y}^{-1}}\right)^{\hat{y}} \pmod{q} = \beta^{\hat{y}^{-1}\hat{y}} \pmod{q} = \beta \pmod{q} \qquad (6)$$
Equation (6) proves that an attacker is able to forge a valid signature for an arbitrary message. Therefore, the proposed signature scheme is not valid.
Solution:
(a) A Matlab function that verifies the signature of some message $x$, signed using the ElGamal Signature Scheme, is called ElGamal_signatureVerification, and its code is given below. Using the provided Matlab function, we verify the signature $(\gamma, \delta) = (20679, 11082)$ of the message $x = 20543$, signed with the ElGamal Signature Scheme with public keys given as $p = 31847$, $\alpha = 5$, $\beta = 26379$. We obtain $\alpha^x = 20688$, $\beta^\gamma = 12575$, $\gamma^\delta = 21455$ and finally $\beta^\gamma \cdot \gamma^\delta = 20688$. Therefore we conclude that the given signature is valid for the message $x$.
(b) The Matlab function that computes a private key $a$, given a public key $(p, \alpha, \beta)$, is called shanks, and its code is given below. The provided function solves an instance of the discrete logarithm problem $a = \log_\alpha \beta$ using the Shanks algorithm. For the public key $(p = 31847, \alpha = 5, \beta = 26379)$, we obtain $a = 7973$.
(c) The function that finds a random number $k$, $1 \le k \le p - 1$, used in generating an ElGamal signature of a message $m$ without solving an instance of a discrete logarithm problem is called ElGamal_findRandom, and its code is given below as well. Using the provided function on message $x = 20543$, whose signature is given as $(\gamma, \delta) = (20679, 11082)$, with parameters of the ElGamal Signature Scheme $p = 31847$, $\alpha = 5$, $\beta = 26379$ and private key $a = 7973$, we obtain $k = 19387$.
%% Verification
alpha_x = square_and_multiply(alpha, message, p);
beta_gamma = square_and_multiply(beta, gamma, p);
gamma_delta = square_and_multiply(gamma, delta, p);

function [a] = shanks(alpha, beta, n)
% Shanks solves a discrete logarithm a = log_alpha(beta) (mod n) problem
% using shanks algorithm.
% INPUTS:
% 1. alpha - base of the logarithm
% 2. beta - element whose logarithm is computed
% 3. n = phi(p) = (p - 1), where p is a prime number
% OUTPUT:
% 1. a - solution of the discrete logarithm problem

%% Initialization
a = 0;
m = ceil(sqrt(n));

% Auxiliary calculation: alpha^m (mod n + 1)
x = square_and_multiply(alpha, (m), (n + 1));

% First list
for j = 1:m
    L1_unsorted(j, :) = [j, square_and_multiply(x, j - 1, (n + 1))];
end
L1 = sortrows(L1_unsorted, 2);

for j = 1:m
    L2_aux = square_and_multiply(alpha, j - 1, (n + 1));
    [r, inverse, t] = extendedEuclidean(L2_aux, (n + 1));
    L2_unsorted(j, :) = [j, square_and_multiply(beta * inverse, 1, (n + 1))];
end

L2 = sortrows(L2_unsorted, 2);

%% Finding the pair with identical second coordinate
for j = 1:m
    for i = 1:m
        if (L1(j, 2) == L2(i, 2))
            a = mod((m * (L1(j, 1) - 1) + (L2(i, 1) - 1)), n);
            break;
        end
    end
end

% m = a*gamma + k*delta (mod (p - 1)) -> k = (m - a*gamma) * delta^(-1) (mod (p - 1))
k = 0;
aux = mod((message - a * gamma), (p - 1));

% Check gcd(delta, (p - 1))
if (gcd(delta, (p - 1)) == 1)
    [r, inverse_delta, t] = extendedEuclidean(delta, (p - 1));
    k = mod((aux * inverse_delta), (p - 1))
else
    d = gcd(delta, (p - 1));
    delta_prime = delta / d;
    p_prime = (p - 1) / d;
    m_prime = aux / d;

    [r, inverse, t] = extendedEuclidean(delta_prime, p_prime);
    k_prime = mod((m_prime * inverse), p_prime);
    for i = 1:d
        k = k_prime + i * p_prime;
        beta_aux = square_and_multiply(alpha, k, p)
        if (beta_aux == gamma)
            break;
        end
    end
end
Solution:
(a) To show how Bob can easily compute Alice's private key $a$, let's recall the ElGamal Signature Scheme:
$$\gamma = \alpha^k \pmod{p}$$
$$\delta = (m - a\gamma)k^{-1} \pmod{p-1} \qquad (7)$$
k2 = k1 + 2 + (p 1) (8)
After receiving two consecutive message-signature pairs from Alice, Bob can therefore write:
$$\gamma_1 = \alpha^{k_1} \pmod{p}$$
$$\delta_1 = (m_1 - a\gamma_1)k_1^{-1} \pmod{p-1} \qquad (9)$$
⇣ ⌘
2 = ↵ k2 (mod p) = ↵k1 +2+ (p 1)
(mod p) = ↵2 · ↵k1 · ↵(p 1)
(mod p) = ↵2 · ↵k1 (mod p)
From equation (9), after multiplication with $k_1$, it follows that $a\gamma_1 = m_1 - \delta_1 k_1$. Using the obtained expression for $a\gamma_1$, equation (10) can be rewritten as:
From equation (11), Bob obtains the value of $k_1$ in the following way: he first checks whether $\gcd((\delta_2 - \alpha^2\delta_1), (p-1)) = 1$. If that is the case, then the multiplicative inverse of $(\delta_2 - \alpha^2\delta_1) \pmod{p-1}$ exists, and Bob finds $k_1$ simply by multiplying equation (11) with the multiplicative inverse of $(\delta_2 - \alpha^2\delta_1) \pmod{p-1}$.
Otherwise, Bob divides $(p-1)$, $(\delta_2 - \alpha^2\delta_1)$ and $(m_2 - \alpha^2 m_1 - 2\delta_2)$ by $\gcd((\delta_2 - \alpha^2\delta_1), (p-1)) = d$, $d > 1$, and obtains the following equation:
$$\frac{(\delta_2 - \alpha^2\delta_1)}{d}\, k_1 = \frac{(m_2 - \alpha^2 m_1 - 2\delta_2)}{d} \pmod{\frac{p-1}{d}} \qquad (12)$$
which he then solves for $k_1'$ by multiplying it with the multiplicative inverse of $\frac{(\delta_2 - \alpha^2\delta_1)}{d} \pmod{\frac{p-1}{d}}$.
The random parameter $k_1$ is therefore found as:
$$k_1 = k_1' + i\left(\frac{p-1}{d}\right) \pmod{p}, \quad 0 \le i \le d \qquad (13)$$
Bob next finds a unique value of $k_1$ by finding $i$ for which $\gamma_1 = \alpha^{k_1}$.
Once Bob has obtained $k_1$, he finds Alice's private key from equation:
Similar to the case of $k_1$, Bob again checks whether $d = \gcd(\gamma_1, (p-1)) = 1$. If $d = 1$, he finds Alice's private key by multiplying equation (14) with the multiplicative inverse of $\gamma_1 \pmod{p-1}$.
If $d > 1$, Bob divides $\gamma_1$, $(p-1)$ and $(m_1 - \delta_1 k_1)$ by $d$ and obtains the following equation:
$$\frac{\gamma_1}{d}\, a = \frac{(m_1 - \delta_1 k_1)}{d} \pmod{\frac{p-1}{d}} \qquad (15)$$
He then obtains $a'$ by multiplying equation (15) with the multiplicative inverse of $\frac{\gamma_1}{d} \pmod{\frac{p-1}{d}}$.
Finally, he obtains Alice's private key $a$ as follows:
$$a = a' + i\,\frac{p-1}{d}, \quad 0 \le i \le d \qquad (16)$$
A unique solution for $a$ is obtained by finding $i$ such that $\beta = \alpha^a$.
(b) A Matlab function that finds Alice's private key, after obtaining two consecutive message-signature pairs from Alice, is called ElGamal_findingPrivateKey, and its code is given below.
% IDEA:
% k_i [delta_(i+1) - delta_i * alpha^2] = x_(i+1) - x_i * alpha^2 - 2 * delta_(i+1)
a = 0;
k = 0;

%% Init
a = 0;
k = 0;
delta = mod((delta2 - alpha * alpha * delta1), (p - 1));
m = mod((m2 - alpha * alpha * m1 - 2 * delta2), (p - 1));
d = gcd(delta, (p - 1));
[r, inverse, t] = extendedEuclidean(delta_prime, (p - 1));

k_prime = mod((m_prime * inverse), p_prime);
for i = 0:d
    k = k_prime + i * p_prime;
    gamma1_aux = square_and_multiply(alpha, k, p);
    if (gamma1_aux == gamma1)
        break;
    end
end
end
% Finding secret key
% IDEA: a * gamma_i = x_i - k_i * delta_i
[r, inverse, t] = extendedEuclidean(gamma_prime, p_prime);
a_prime = mod((x_prime * inverse), p_prime);
for i = 0:d
    a = a_prime + i * p_prime;
    beta_aux = square_and_multiply(alpha, a, p)
    if (beta_aux == beta)
        break;
    end
end
end
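The congruence solving of equations (12)-(13) and (15)-(16), as an added Python example that is not the course's Matlab code; it reproduces $k$ from Problem 3(c) and recovers the key from two signatures with $k_2 = k_1 + 2$. The function names, messages and nonces are this example's own constructions, and $a$ is eliminated by cross-multiplying the two signing equations with $\gamma_2$ and $\gamma_1$, because each signing equation uses its own $\gamma$ reduced mod $p$ while the exponents are taken mod $p - 1$.

```python
from math import gcd

# p, alpha, beta, a and the Problem 3 signature are the page's values;
# the messages and nonces in demo() are constructed for illustration.
P, ALPHA, BETA, A = 31847, 5, 26379, 7973

def solve_congruence(c, r, n):
    """All x in [0, n) with c*x = r (mod n); d = gcd(c, n) solutions, as in (12)-(13)."""
    c, r = c % n, r % n
    d = gcd(c, n)
    if r % d:
        return []
    n_d = n // d
    x0 = (r // d) * pow(c // d, -1, n_d) % n_d
    return [x0 + i * n_d for i in range(d)]

def sign(m, k, a=A):
    """ElGamal signature from equation (7); k must be invertible mod p - 1."""
    gamma = pow(ALPHA, k, P)
    delta = (m - a * gamma) * pow(k, -1, P - 1) % (P - 1)
    return m, gamma, delta

def recover_nonce(a, m, gamma, delta):
    """Problem 3(c): solve delta*k = m - a*gamma (mod p-1), keep the k with alpha^k = gamma."""
    for k in solve_congruence(delta, m - a * gamma, P - 1):
        if pow(ALPHA, k, P) == gamma:
            return k
    return None

def recover_key(sig1, sig2, step=2):
    """Problem 4: recover (a, k1) when the nonces satisfy k2 = k1 + step."""
    (m1, g1, d1), (m2, g2, d2) = sig1, sig2
    n = P - 1
    # a*g1 = m1 - d1*k1 and a*g2 = m2 - d2*(k1 + step) (mod n); eliminate a.
    coeff = g1 * d2 - g2 * d1
    rhs = g1 * m2 - g2 * m1 - step * g1 * d2
    for k1 in solve_congruence(coeff, rhs, n):
        if pow(ALPHA, k1, P) != g1:
            continue
        for a in solve_congruence(g1, m1 - d1 * k1, n):
            if pow(ALPHA, a, P) == BETA:
                return a, k1
    return None

def demo():
    k1 = 1235  # constructed nonce; k1 and k1 + 2 are both coprime to p - 1
    return recover_key(sign(1200, k1), sign(4522, k1 + 2))
```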
Solution:
$$\gamma = \alpha^k \pmod{p}$$
$$\delta = (x - a\gamma)k^{-1} \pmod{p-1}$$
$$\mathrm{sig}_K(x, k) = (\gamma, \delta) \qquad (17)$$
If the first condition is satisfied, i.e. $(p-1) \mid k^{-1}$, then $k^{-1}$ would not be a valid multiplicative inverse of $k \pmod{p-1}$, since there does not exist an integer $k \in \mathbb{Z}_{p-1}$ such that $k \cdot 0 = 1 \pmod{p-1}$. We therefore only consider the second condition, when $(p-1) \mid (x - a\gamma)$.
In order to find the private key $a$, we use the remainder theorem to rewrite the given condition as follows:
$$x - a\gamma = \mu(p-1), \quad \mu \in \mathbb{Z} \qquad (20)$$
Equation (20) can be rewritten as follows:
$$a = (x - \mu(p-1))\gamma^{-1}, \quad \mu \in \mathbb{Z} \qquad (21)$$
From equation (21), a unique private key $a$ is found by finding $\mu$ such that $\alpha^a = \beta$.
DSA
In DSA, a signature of a message x is defined by the following set of equations:
Similarly to the case of the ElGamal Signature Scheme, if $q \mid k^{-1}$, then $k^{-1}$ would not be a valid multiplicative inverse of $k \pmod{q}$, since there does not exist an integer $k \in \mathbb{Z}_q$ such that $k \cdot 0 = 1 \pmod{q}$. We therefore only consider the second condition, when $q \mid (\text{SHA-1}(x) + a\gamma)$. Again, using the remainder theorem, the given condition can be rewritten as:
$$(\text{SHA-1}(x) + a\gamma) = \mu q \qquad (25)$$
(b) If a signature of the message $x$, signed using DSA, is equal to $(0, \delta)$, then it follows:
Now, choosing an arbitrary message $y \ne x$, an attacker can calculate $\text{SHA-1}(y)$, and use the calculated hash to find a valid signature for the forged message:
1
= SHA-1(y)k (mod q) (30)
New forged signature is equal to (0, ), with defined by equation (30). A pair (y, (0, )) represents a
valid message-signature pair and proves that an attacker is able to forge a signature for any message
of his choice.
Solution:
The Schnorr Signature Scheme
If a sender decides to use the same value of k to sign two messages x1 and x2 :
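$$\delta_1 - \delta_2 = a(\gamma_1 - \gamma_2) \pmod{q} \qquad (33)$$
In order to determine the private key $a$, we first calculate $\gcd((\gamma_1 - \gamma_2), q)$. If $\gcd((\gamma_1 - \gamma_2), q) = 1$, we then find the private key using the following equation:
$$a = (\delta_1 - \delta_2)(\gamma_1 - \gamma_2)^{-1} \pmod{q} \qquad (34)$$
$$\gamma' = \frac{\gamma_1 - \gamma_2}{d}, \quad \delta' = \frac{\delta_1 - \delta_2}{d}, \quad q' = \frac{q}{d} \qquad (35)$$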
DSA
If a sender decides to sign two messages x1 and x2 using the same value of the random parameter k:
In order to find the private key $a$, we first compute $\gcd((\delta_1 - \delta_2), q)$. If $\gcd((\delta_1 - \delta_2), q) = 1$, we then find the value of the random parameter $k$ as follows:
$$k = [\text{SHA-1}(x_1) - \text{SHA-1}(x_2)](\delta_1 - \delta_2)^{-1} \pmod{q} \qquad (42)$$
$$\delta' = \frac{\delta_1 - \delta_2}{d}, \quad x' = \frac{[\text{SHA-1}(x_1) - \text{SHA-1}(x_2)]}{d}, \quad q' = \frac{q}{d} \qquad (43)$$
and define a new equation:
$$k'\delta' = x' \pmod{q'} \qquad (44)$$
Using parameters (43), we find the solution of $k'$ as follows:
$$k' = (\delta')^{-1} x' \pmod{q'} \qquad (45)$$
From equation (45) we find the value of the random parameter $k$ as follows:
$$k = (\delta')^{-1} x' + iq' \pmod{q}, \quad 0 \le i \le (d-1) \qquad (46)$$
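The recovery of equation (42) for a repeated $k$ in DSA, followed by the private key, as an added Python example that is not part of the original solutions. The parameters $p = 7879$, $q = 101$, the generator and all function names are assumed toy values, and the messages and key are constructed; a repeated $k$ is visible to any observer as two signatures that share the same $\gamma$.

```python
import hashlib

# Assumed toy DSA parameters (not from the page, far too small for real use):
# Q divides P - 1 and G generates the subgroup of order Q.
P, Q = 7879, 101
G = pow(3, (P - 1) // Q, P)

def h(msg):
    """SHA-1(x) reduced mod q, as it enters the signing equation."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q

def sign(a, msg, k):
    """DSA: gamma = (G^k mod p) mod q, delta = (SHA-1(x) + a*gamma) * k^-1 mod q."""
    gamma = pow(G, k, P) % Q
    delta = (h(msg) + a * gamma) * pow(k, -1, Q) % Q
    return gamma, delta

def verify(beta, msg, sig):
    gamma, delta = sig
    if not (0 < gamma < Q and 0 < delta < Q):
        return False  # zero components are rejected outright
    w = pow(delta, -1, Q)
    v = pow(G, h(msg) * w % Q, P) * pow(beta, gamma * w % Q, P) % P % Q
    return v == gamma

def recover_from_reuse(msg1, sig1, msg2, sig2):
    """Return (a, k) if both signatures used the same k, else None."""
    (g1, d1), (g2, d2) = sig1, sig2
    if g1 != g2 or g1 == 0 or (d1 - d2) % Q == 0:
        return None  # no shared gamma, or delta1 = delta2 (no inverse mod prime q)
    # Equation (42): k = [SHA-1(x1) - SHA-1(x2)] * (delta1 - delta2)^-1 mod q
    k = (h(msg1) - h(msg2)) * pow(d1 - d2, -1, Q) % Q
    # Signing equation rearranged: a*gamma = delta1*k - SHA-1(x1) mod q
    a = (d1 * k - h(msg1)) * pow(g1, -1, Q) % Q
    return a, k
```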