Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

13.6 Exercises

Show that if someone discovers the value of $k$ $k$ used in the ElGamal signature scheme, then $a$ $a$ can also be determined if $gcd (r, p - 1)$ $gcd (r, p - 1)$ is small.
Alice signs the hash of a message. Suppose her hash function satisfies $h (x) \equiv 2^{x} (m o d 101)$ $h (x) \equiv 2^{x} (m o d 101)$ and $1 \leq h (x) \leq 100$ $1 \leq h (x) \leq 100$ for all $x$ $x$ . Suppose $m$ $m$ is a valid signed message from Alice. Give another message $m_{1}$ $m_{1}$ for which the same signature is also valid.
Alice says that she is willing to sign a petition to save koala bears. Alice’s signing algorithm uses a hash function that has an output of 60 bits (and she signs the hash of the document). Describe how Eve can trick Alice into signing a statement allowing Eve unlimited withdrawals from Alice’s bank account.
Alice uses RSA signatures (without a hash function).
1. Eve wants to produce Alice’s signature on the document $m = 123456789$ $m = 123456789$ . Why is this difficult? Explain this by saying what difficult cryptographic problem must be solved. (Do not say that it’s because Eve does not know the decryption exponent $d$ $d$ . Why isn’t there another way to produce the signature?)
2. Since part (a) is too hard for Eve, she decides to produce Alice’s valid RSA signature on a document so that the signature is $s = 112090305$ $s = 112090305$ (= Alice, when $A = 01$ $A = 01$ , $L = 12$ $L = 12$ , etc.). How does Eve find an appropriate message?
Nelson thinks he has a new version of the signature scheme. He chooses RSA parameters $n$ $n$ , $e$ $e$ , and $d$ $d$ . He signs by computing $s \equiv m^{d} (m o d n)$ $s \equiv m^{d} (m o d n)$ . The verification equation is $(s - m) (s + m) \overset{?}{=} s^{2} - m^{2}$ $(s - m) (s + m) \overset{?}{=} s^{2} - m^{2}$ .
1. Show that if Nelson correctly follows the signing procedure, or if he doesn’t, then the signature is declared valid.
2. Show that Eve can forge Nelson’s signature on any document $m$ $m$ , even though she does not know $d$ $d$ .
(The point of this exercise is that the verification equation is important. All Eve needs to do is satisfy the verification equation. She does not need to follow the prescribed procedure for producing the signature.)
Alice has a long message $m$ $m$ . She breaks $m$ $m$ into blocks of 256 bits: $m = m_{1} | | m_{2} | | \dots | | m_{N}$ $m = m_{1} | | m_{2} | | \dots | | m_{N}$ . She regards each block as a number between 0 and $2^{256} - 1$ $2^{256} - 1$ , and she signs the sum $t = m_{1} + m_{2} + \dots + m_{N}$ $t = m_{1} + m_{2} + \dots + m_{N}$ . This means her signed message is $(m, sig (t))$ $(m, sig (t))$ , where sig is the signing function. Is this a good idea? Why or why not?
Suppose that $(m, r, s)$ $(m, r, s)$ is a message signed with the ElGamal signature scheme. Choose $h$ $h$ with $gcd (h, p - 1) = 1$ $gcd (h, p - 1) = 1$ and let $r_{1} \equiv r^{h} (m o d p)$ $r_{1} \equiv r^{h} (m o d p)$ . Let $s_{1} \equiv s r_{1} h^{- 1} r^{- 1} (m o d p - 1)$ $s_{1} \equiv s r_{1} h^{- 1} r^{- 1} (m o d p - 1)$ .
1. Find a message $m_{1}$ $m_{1}$ for which $(m_{1}, r_{1}, s_{1})$ $(m_{1}, r_{1}, s_{1})$ is a valid signature.
2. This method allows Eve to forge a signature on the message $m_{1}$ $m_{1}$ . Why is it unlikely that this causes problems?
Let $p = 11$ $p = 11$ , $q = 5$ $q = 5$ , $α = 3$ $α = 3$ , and $k = 3$ $k = 3$ . Show that $(α^{k} (m o d p)) (m o d q) \neq (α^{k} (m o d q)) (m o d p)$ $(α^{k} (m o d p)) (m o d q) \neq (α^{k} (m o d q)) (m o d p)$ . This shows that the order of operations in the DSA is important.
There are many variations to the ElGamal digital signature scheme that can be obtained by altering the signing equation $s \equiv k^{- 1} (m - a r) (m o d p - 1)$ $s \equiv k^{- 1} (m - a r) (m o d p - 1)$ . Here are some variations.
1. Consider the signing equation $s \equiv a^{- 1} (m - k r) (m o d p - 1)$ $s \equiv a^{- 1} (m - k r) (m o d p - 1)$ . Show that the verification $α^{m} \equiv (α^{a})^{s} r^{r} (m o d p)$ $α^{m} \equiv (α^{a})^{s} r^{r} (m o d p)$ is a valid verification procedure.
2. Consider the signing equation $s \equiv a m + k r (m o d p - 1)$ $s \equiv a m + k r (m o d p - 1)$ . Show that the verification $α^{s} \equiv (α^{a})^{m} r^{r} (m o d p)$ $α^{s} \equiv (α^{a})^{m} r^{r} (m o d p)$ is a valid verification procedure.
3. Consider the signing equation $s \equiv a r + k m (m o d p - 1)$ $s \equiv a r + k m (m o d p - 1)$ . Show that the verification $α^{s} = (α^{a})^{r} r^{m} (m o d p)$ $α^{s} = (α^{a})^{r} r^{m} (m o d p)$ is a valid verification procedure.
Consider the following variant of the ElGamal Signature Scheme: Alice chooses a large prime $p$ $p$ , a primitive root $α$ $α$ , and a secret integer $a$ $a$ . She computes $h \equiv α^{a} (m o d p)$ $h \equiv α^{a} (m o d p)$ . The numbers $p, α, h$ $p, α, h$ are made public and $a$ $a$ is kept secret. If $m < p - 1$ $m < p - 1$ , Alice signs $m$ $m$ as follows: She chooses a random integer $k$ $k$ and computes $r \equiv α^{k} (m o d p)$ $r \equiv α^{k} (m o d p)$ , with $0 < r < p - 1$ $0 < r < p - 1$ , and $s \equiv a m - k r (m o d p - 1)$ $s \equiv a m - k r (m o d p - 1)$ . The signed message is $(m, r, s)$ $(m, r, s)$ . Bob verifies the signature by checking that $α^{s} r^{r} \equiv h^{m} (m o d p)$ $α^{s} r^{r} \equiv h^{m} (m o d p)$ . If $m \geq p - 1$ $m \geq p - 1$ , she breaks $m$ $m$ into blocks and signs each block.
1. Show that if Alice signs correctly then the verification congruence is satisfied.
2. Suppose Eve has a document $m_{1}$ $m_{1}$ and she wants to forge Alice’s signature on $m_{1}$ $m_{1}$ . That is, she wants to find $r_{1}$ $r_{1}$ and $s_{1}$ $s_{1}$ such that $(m_{1}, r_{1}, s_{1})$ $(m_{1}, r_{1}, s_{1})$ is valid. Eve chooses $r_{1} = 2015$ $r_{1} = 2015$ and tries to find a suitable $s_{1}$ $s_{1}$ . Why will it probably be hard to find $s_{1}$ $s_{1}$ ?
3. Suppose Alice has a very long message $m$ $m$ and wants to decrease the size of the signature. How can she use a hash function to do this? Explicitly give the modifications of the above equations that must be done to accomplish this.
The ElGamal signature scheme presented is weak to a type of attack known as existential forgery. Here is the basic existential forgery attack. Choose $u, v$ $u, v$ such that $gcd (v, p - 1) = 1$ $gcd (v, p - 1) = 1$ . Compute $r \equiv β^{v} α^{u} (m o d p)$ $r \equiv β^{v} α^{u} (m o d p)$ and $s \equiv - r v^{- 1} (m o d p - 1)$ $s \equiv - r v^{- 1} (m o d p - 1)$ .
1. Prove the claim that the pair $(r, s)$ $(r, s)$ is a valid signature for the message $m = s u (m o d p - 1)$ $m = s u (m o d p - 1)$ (of course, it is likely that $m$ $m$ is not a meaningful message).
2. Suppose a hash function $h$ $h$ is used and the signature must be valid for $h (m)$ $h (m)$ instead of for $m$ $m$ (so we need to have $h (m) = s u$ $h (m) = s u$ ). Explain how this scheme protects against existential forgery. That is, explain why it is hard to produce a forged, signed message by this procedure.
Alice’s RSA public key is $(n, e)$ $(n, e)$ and her private key is $d$ $d$ . Recall that a document with an RSA signature $(m, s)$ $(m, s)$ is valid if $m \equiv s^{e} (m o d n)$ $m \equiv s^{e} (m o d n)$ . Bob wants Alice to sign a document $m$ $m$ but he does not want Alice to read the document. Assume $m < n$ $m < n$ . They do the following:
1. Bob chooses a random integer $k$ $k$ with $gcd (k, n) = 1$ $gcd (k, n) = 1$ . He computes $m_{1} \equiv k^{e} m (m o d n)$ $m_{1} \equiv k^{e} m (m o d n)$ .
2. Alice signs $m_{1}$ $m_{1}$ by computing $s_{1} \equiv m_{1}^{d} (m o d n)$ $s_{1} \equiv m_{1}^{d} (m o d n)$ .
3. Bob divides $s_{1}$ $s_{1}$ by $k$ $k$ mod $n$ $n$ to obtain $s \equiv k^{- 1} s_{1} (m o d n)$ $s \equiv k^{- 1} s_{1} (m o d n)$ .
1. Show that $(m, s)$ $(m, s)$ is valid.
2. Why is it assumed that $gcd (k, n) = 1$ $gcd (k, n) = 1$ ?
Alice wants to sign a document using the ElGamal signature scheme. Suppose her random number generator is broken, so she uses $k = a$ $k = a$ in the signature scheme. How will Eve notice this and how can Eve determine the values of $k$ $k$ and $a$ $a$ (and thus break the system)?
Suppose Alice signs contracts using a 30-bit hash function $h$ $h$ (and $h$ $h$ is known to everyone). If $m$ $m$ is the contract, then $(m, s i g (h (m)))$ $(m, s i g (h (m)))$ is the signed contract (where sig is some public signature function). Eve has a file of $2^{20}$ $2^{20}$ fraudulent contracts. She finds a file with $2^{20}$ $2^{20}$ contracts with valid signatures (by Alice) on them. Describe how Eve can accomplish her goal of putting Alice’s signature on at least one fraudulent document.
1. In several cryptographic protocols, one needs to choose a prime $p$ $p$ such that $q = (p - 1) / 2$ $q = (p - 1) / 2$ is also prime. One way to do this is to choose a prime $q$ $q$ at random and then test $2 q + 1$ $2 q + 1$ for primality. Suppose $q$ $q$ is chosen to have approximately 300 decimal digits. Assume $2 q + 1$ $2 q + 1$ is a random odd integer of 300 digits. (This is not quite accurate, since $2 q + 1$ $2 q + 1$ cannot be congruent to 1 mod 3, for example. But the assumption is good enough for a rough estimate.) Show that the probability that $2 q + 1$ $2 q + 1$ is prime is approximately $1 / 345$ $1 / 345$ (use the prime number theorem, as in Section 9.3). This means that with approximately 345 random choices for the prime $q$ $q$ , you should be able to find a suitable prime $p$ $p$ .
2. In a version of the Digital Signature Algorithm, Alice needs a 256-bit prime $q$ $q$ and a 2048-bit prime $p$ $p$ such that $q | p - 1$ $q | p - 1$ . Suppose Alice chooses a random 256-bit prime $q$ $q$ and a random 1792-bit even number $k$ $k$ such that $q k + 1$ $q k + 1$ has 2048 bits. Show that the probability that $q k + 1$ $q k + 1$ is prime is approximately 1/710. This means that Alice can find a suitable $q$ $q$ and $p$ $p$ fairly quickly.
Consider the following variation of the ElGamal signature scheme. Alice chooses a large prime $p$ $p$ and a primitive root $α$ $α$ . She also chooses a function $f (x)$ $f (x)$ that, given an integer $x$ $x$ with $0 \leq x < p$ $0 \leq x < p$ , returns an integer $f (x)$ $f (x)$ with $0 \leq f (x) < p - 1$ $0 \leq f (x) < p - 1$ . (For example, $f (x) = x^{7} - 3 x + 2 (m o d p - 1)$ $f (x) = x^{7} - 3 x + 2 (m o d p - 1)$ for $0 \leq x < p$ $0 \leq x < p$ is one such function.) She chooses a secret integer $a$ $a$ and computes $β \equiv α^{a} (m o d p)$ $β \equiv α^{a} (m o d p)$ . The numbers $p, α, β$ $p, α, β$ and the function $f (x)$ $f (x)$ are made public.

Alice wants to sign a message $m$ $m$ :
1. Alice chooses a random integer $k$ $k$ with $gcd (k, p - 1) = 1$ $gcd (k, p - 1) = 1$ .
2. She computes $r \equiv α^{k} (m o d p)$ $r \equiv α^{k} (m o d p)$ .
3. She computes $s \equiv k^{- 1} (m - f (r) a) (m o d p - 1)$ $s \equiv k^{- 1} (m - f (r) a) (m o d p - 1)$ .
The signed message is $(m, r, s)$ $(m, r, s)$ .

Bob verifies the signature as follows:
1. He computes $v_{1} \equiv β^{f (r)} r^{s} (m o d p)$ $v_{1} \equiv β^{f (r)} r^{s} (m o d p)$ .
2. He computes $v_{2} \equiv α^{m} (m o d p)$ $v_{2} \equiv α^{m} (m o d p)$ .
3. If $v_{1} \equiv v_{2} (m o d p)$ $v_{1} \equiv v_{2} (m o d p)$ , he declares the signature to be valid.
1. Show that if all procedures are followed correctly, then the verification equation is true.
2. Suppose Alice is lazy and chooses the constant function satisfying $f (x) = 0$ $f (x) = 0$ for all $x$ $x$ . Show that Eve can forge a valid signature on every message $m_{1}$ $m_{1}$ (for example, give a value of $k$ $k$ and of $r$ $r$ and $s$ $s$ that will give a valid signature for the message $m_{1}$ $m_{1}$ ).
Alice wants to sign a long message $m = m_{1} | | m_{2} | | \dots | | m_{L}$ $m = m_{1} | | m_{2} | | \dots | | m_{L}$ that she has broken into blocks $m_{1}, \dots, m_{L}$ $m_{1}, \dots, m_{L}$ . She knows that signing each block $m_{i}$ $m_{i}$ individually is wasteful, so she computes $g (m) = m_{1} \oplus m_{2} \oplus \dots \oplus m_{L}$ $g (m) = m_{1} \oplus m_{2} \oplus \dots \oplus m_{L}$ and signs $g (m)$ $g (m)$ . Her signed message is $(m, s i g_{A} (g (m)))$ $(m, s i g_{A} (g (m)))$ . Suppose Eve has a message that Alice signed. How can Eve put Alice’s signature on fraudulent messages?
In some scenarios, it is necessary to have a digital document signed by multiple participants. For example, a contract issued by a company might need to be signed by both the Issuer and the Supervisor before it is valid. To accomplish this, a trusted entity chooses $n = p q$ $n = p q$ to be the product of two large, distinct primes and chooses integers $k_{1}, k_{2}, k_{3} > 1$ $k_{1}, k_{2}, k_{3} > 1$ with $k_{1} k_{2} k_{3} \equiv 1 (m o d (p - 1) (q - 1))$ $k_{1} k_{2} k_{3} \equiv 1 (m o d (p - 1) (q - 1))$ . The pair $(n, k_{1})$ $(n, k_{1})$ is given to the Issuer, the pair $(n, k_{2})$ $(n, k_{2})$ is given to the Supervisor, and the pair $(n, k_{3})$ $(n, k_{3})$ is made public.
1. Under the assumption that RSA is hard to decrypt, why should it be difficult for someone who knows at most one of $k_{1}, k_{2}$ $k_{1}, k_{2}$ to produce $s$ $s$ such that $s^{k_{3}} \equiv m (m o d n)$ $s^{k_{3}} \equiv m (m o d n)$ ?
2. Devise a procedure where the Issuer signs the contract first and gives the signed contract to the Supervisor, who then signs it in such a way that anyone can verify that the document was signed by both the Issuer and the Supervisor. Use part (a) to show why the verification convinces someone that both parties signed the contract.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for 13.6 Exercises

Create new playlist

Sign In

Sign Up

Table of Contents for
13.6 Exercises