
# EE 418: Network Security and Cryptography

Homework 5
Assigned: Wednesday, November 23, 2016, Due: Tuesday, December 6, 2016
Instructor: Tamara Bonaci
Department of Electrical Engineering
University of Washington, Seattle

## Problem 1

Consider the following modification of the Schnorr digital signature scheme. The keys are given by $K = \{(q, \alpha, a, \beta) : \beta \equiv \alpha^a \pmod p\}$, where $(q, \alpha, \beta)$ comprise the public key and $a$ is the private key. Given a message $x$, we compute the signature of $x$ to be

$$
\begin{aligned}
\gamma &= x \times \alpha^k \pmod q \\
\delta &= k + a\gamma \pmod q
\end{aligned}
\tag{1}
$$

where $k$ is a randomly chosen number. In other words, we start with the standard Schnorr scheme and then use multiplication rather than a hash for $\gamma$. How is verification done using this revised scheme?

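Solution: To verify a signature generated using this Modified Schnorr Signature scheme, we compute $\alpha^\delta$ and check whether the obtained result is equal to $\gamma \cdot \beta^\gamma \cdot x^{-1}$:

$$\alpha^\delta = \gamma \cdot \beta^\gamma \cdot x^{-1} \tag{2}$$

Let's analyze $\alpha^\delta$ to show that the proposed verification scheme is indeed valid:

$$\alpha^\delta = \alpha^{k + a\gamma} = \alpha^k \cdot \alpha^{a\gamma} = \alpha^k \cdot (\alpha^a)^\gamma = \alpha^k \cdot \beta^\gamma = \gamma \cdot \beta^\gamma \cdot x^{-1} \tag{3}$$

The expression $\alpha^k = \gamma \cdot x^{-1}$ comes from equation (1), and is valid because $q$ is a prime number.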

## Problem 2

Consider the following digital signature scheme. The public key is given by $(q, \alpha, \beta)$, where $q$ is a prime number, $\alpha$ is a primitive root of $q$, and $\beta$ is an integer satisfying $\beta < q$. The private key is equal to $a$, for some positive integer $a < q$ satisfying $\beta \equiv \alpha^a \pmod q$.

To sign a message $m$, compute $y = h(m)$, the hash of the message. Assume that $\gcd(y, q-1) = 1$ (if this is not the case, append a random string to $m$ and recompute the hash. Repeat the process until a message $m$ is found satisfying $\gcd(y, q-1) = 1$). Then calculate $z$ such that $yz \equiv a \pmod{q-1}$. The signature of the message is $\alpha^z$. To verify the signature, a user verifies that $\beta = (\alpha^z)^y \pmod q$.

(a) Show that this scheme works. That is, show that the verification process produces an equality if the signature is valid.

(b) Show that the scheme is unacceptable by describing a simple technique for forging a user's signature on an arbitrary message.

Solution:

(a) In order to show that the verification process in the proposed scheme produces an equality if the signature is valid, let's analyze the expression $(\alpha^z)^y$:

$$(\alpha^z)^y \pmod q = \alpha^{yz} \pmod q = \alpha^{a + \lambda(q-1)} \pmod q = \alpha^a \cdot \alpha^{\lambda(q-1)} \pmod q \tag{4}$$

$$= \alpha^a \cdot \left(\alpha^{q-1}\right)^{\lambda} \pmod q = \alpha^a \pmod q = \beta \tag{5}$$

Equation (4) comes from using the remainder theorem to express the fact that $yz \equiv a \pmod{q-1}$ (with $\lambda$ an integer), and equation (5) from using Fermat's Little theorem, which states that $x^{\phi(p)} \equiv 1 \pmod p$, where $p$ is a prime number.

(b) To show that the proposed signature scheme is not valid, we need to show that an attacker can forge a signature for some arbitrary message $\hat m$.

After choosing a message $\hat m$, an attacker first computes the hash of such a message, $\hat y = h(\hat m)$. His next step is to compute the multiplicative inverse of the obtained hash, $\hat y^{-1} \pmod q$. Due to the fact that $q$ is a prime number, such an inverse will always exist. An attacker then outputs $(\hat m, \beta^{\hat y^{-1}})$ as his message-signature pair. The obtained signature will pass the verification test, since:

$$\left(\beta^{\hat y^{-1}}\right)^{\hat y} \pmod q = \beta^{\hat y^{-1}\hat y} \pmod q = \beta \pmod q \tag{6}$$

Equation (6) proves that an attacker is able to forge a valid signature for an arbitrary message. Therefore, the proposed signature scheme is not valid.

## Problem 3 (Stinson 7.2)

Suppose I implement the ElGamal Signature Scheme with $p = 31847$, $\alpha = 5$ and $\beta = 26379$. Write a computer program which does the following:

(a) Verify the signature $(20679, 11082)$ on the message $x = 20543$.

(b) Determine my private key, $a$, by solving an instance of the Discrete Logarithm problem.

(c) Then determine the random value $k$ used in signing the message $x$, without solving an instance of the Discrete Logarithm problem.

Solution:

(a) A Matlab function that verifies the signature of some message $x$, signed using the ElGamal Signature Scheme, is called `ElGamal_signatureVerification`, and its code is given below. Using the provided Matlab function, we verify the signature $(\gamma, \delta) = (20679, 11082)$ of the message $x = 20543$, signed with the ElGamal Signature Scheme with public keys given as $p = 31847$, $\alpha = 5$, $\beta = 26379$. We obtain $\alpha^x = 20688$, $\beta^\gamma = 12575$, $\gamma^\delta = 21455$ and finally $\beta^\gamma \cdot \gamma^\delta = 20688$. Therefore we conclude that the given signature is valid for the message $x$.

(b) The Matlab function that computes a private key $a$, given a public key $(p, \alpha, \beta)$, is called `shanks`, and its code is given below. The provided function solves an instance of the discrete logarithm problem $a = \log_\alpha \beta$ using the Shanks algorithm. For the public key $(p = 31847, \alpha = 5, \beta = 26379)$, we obtain $a = 7973$.

(c) The function that finds a random number $k$, $1 \le k \le p-1$, used in generating an ElGamal signature of a message $m$ without solving an instance of a discrete logarithm problem is called `ElGamal_findRandomK`, and its code is given below as well. Using the provided function on message $x = 20543$, whose signature is given as $(\gamma, \delta) = (20679, 11082)$, with parameters of the ElGamal Signature Scheme $p = 31847$, $\alpha = 5$, $\beta = 26379$ and private key $a = 7973$, we obtain $k = 19387$.

```matlab
function [verified] = ElGamal_signatureVerification(p, alpha, beta, message, gamma, delta)
%ElGamal_signatureVerification verifies the signature of the message,
%signed using ElGamal Signature Scheme
%INPUTS:
%1. (p, alpha, beta) - public key in the ElGamal public key scheme
%2. message
%3. (gamma, delta) - signature of the message
%OUTPUTS:
%1. verified - returns 'Verified' if the signature is valid, 'Invalid
%signature' otherwise
%
%square_and_multiply(base, exponent, modulus) is a modular exponentiation
%helper that is not listed in this solution.

verified = 'Invalid signature';

%%Verification
alpha_x = square_and_multiply(alpha, message, p);
beta_gamma = square_and_multiply(beta, gamma, p);
gamma_delta = square_and_multiply(gamma, delta, p);

ver_aux = mod(beta_gamma * gamma_delta, p);

if (ver_aux == alpha_x)
    verified = 'Verified';
end
```

```matlab
function [a] = shanks(alpha, beta, n)
%Shanks solves a discrete logarithm a = log_alpha(beta) (mod n) problem
%using shanks algorithm.
%INPUTS:
%1. alpha - basis
%2. beta - element whose logarithm is computed
%3. n = phi(p) = (p-1), where p is a prime number
%OUTPUT:
%1. a - solution of the discrete logarithm problem
%
%extendedEuclidean(x, n) is a helper that is not listed in this solution;
%as used here, its second output is the inverse of x modulo n.

%%Initialization
a = 0;
m = ceil(sqrt(n));

%Auxiliary calculation: alpha^m (mod p), with p = n + 1
x = square_and_multiply(alpha, (m), (n + 1));

%First list: (j, alpha^(m*(j-1)) mod p)
for j = 1:m
    L1_unsorted(j, :) = [j, square_and_multiply(x, j-1, (n + 1))];
end

L1 = sortrows(L1_unsorted, 2);

%Second list: (j, beta * alpha^(-(j-1)) mod p)
for j = 1:m
    L2_aux = square_and_multiply(alpha, j-1, (n + 1));
    [r, inverse, t] = extendedEuclidean(L2_aux, (n + 1));
    L2_unsorted(j, :) = [j, mod(beta * inverse, (n + 1))];
end

L2 = sortrows(L2_unsorted, 2);

%%Finding the pair with identical second coordinate
for j = 1:m
    for i = 1:m
        if (L1(j, 2) == L2(i, 2))
            a = mod((m*(L1(j, 1)-1) + (L2(i, 1)-1)), n);
            break;
        end
    end
end
```

```matlab
function [k] = ElGamal_findRandomK(p, alpha, beta, a, message, gamma, delta)
%ElGamal_findRandomK given private key, function finds random parameter k,
%used in signing message x using ElGamal Signature Scheme without solving
%an instance of Discrete Logarithm problem
%INPUTS:
%1. (p, alpha, beta) - public key
%2. a - private key
%3. message - signed message
%4. (gamma, delta) - signature of message
%OUTPUT:
%1. k - random parameter k

% m = a*gamma + k*delta (mod (p-1)) -> k = (m - a*gamma) * delta^(-1) (mod (p-1))

k = 0;
aux = mod((message - a*gamma), (p-1));

% Check gcd(delta, (p-1))
if (gcd(delta, (p-1)) == 1)
    [r, inverse_delta, t] = extendedEuclidean(delta, (p-1));
    k = mod((aux * inverse_delta), (p-1));
else
    d = gcd(delta, (p-1));
    delta_prime = delta/d;
    p_prime = (p-1)/d;
    m_prime = aux/d;

    [r, inverse, t] = extendedEuclidean(delta_prime, p_prime);
    k_prime = mod((m_prime * inverse), p_prime);

    % Try each of the d candidates until alpha^k reproduces gamma
    for i = 1:d
        k = k_prime + i * p_prime;
        beta_aux = square_and_multiply(alpha, k, p);
        if (beta_aux == gamma)
            break;
        end
    end
end
```

## Problem 4 (Stinson, Problem 7.3)

Suppose that Alice is using the ElGamal Signature Scheme. In order to save time in generating the random numbers $k$ that are used in signing messages, Alice chooses an initial random value $k_0$ and then signs the $i$-th message using the value $k_i = k_0 + 2i \pmod{p-1}$ (therefore $k_i = k_{i-1} + 2 \pmod{p-1}$ for all $i \ge 1$).

(a) Suppose that Bob observes two consecutive signed messages, say $(x_i, \mathrm{sig}(x_i, k_i))$ and $(x_{i+1}, \mathrm{sig}(x_{i+1}, k_{i+1}))$. Describe how Bob can easily compute Alice's secret key, $a$, given this information, without solving an instance of the Discrete Logarithm problem. (Note that the value of $i$ does not have to be known for the attack to succeed.)

(b) Suppose that the parameters of the scheme are $p = 28703$, $\alpha = 5$ and $\beta = 11339$ and two messages observed by Bob are:

$$x_i = 12000, \quad \mathrm{sig}(x_i, k_i) = (26530, 19862)$$

$$x_{i+1} = 24567, \quad \mathrm{sig}(x_{i+1}, k_{i+1}) = (3081, 7604)$$

Find the value of $a$ using the attack described in part (a).

Solution:

(a) To show how Bob can easily compute Alice's private key $a$, let's recall the ElGamal Signature Scheme:

$$
\begin{aligned}
\gamma &= \alpha^k \pmod p \\
\delta &= (m - a\gamma)k^{-1} \pmod{p-1}
\end{aligned}
\tag{7}
$$

Since $k_2 = k_1 + 2 \pmod{p-1}$, using the remainder theorem, we can write:

$$k_2 = k_1 + 2 + \lambda(p-1), \quad \lambda \in \mathbb{Z} \tag{8}$$

After receiving two consecutive message-signature pairs from Alice, Bob can therefore write:

$$
\begin{aligned}
\gamma_1 &= \alpha^{k_1} \pmod p \\
\delta_1 &= (m_1 - a\gamma_1)k_1^{-1} \pmod{p-1}
\end{aligned}
\tag{9}
$$

$$
\begin{aligned}
\gamma_2 &= \alpha^{k_2} \pmod p = \alpha^{k_1 + 2 + \lambda(p-1)} \pmod p = \alpha^2 \cdot \alpha^{k_1} \cdot \left(\alpha^{p-1}\right)^{\lambda} \pmod p = \alpha^2 \cdot \alpha^{k_1} \pmod p \\
\delta_2 &= (m_2 - a\gamma_2)k_2^{-1} \pmod{p-1}
\end{aligned}
\tag{10}
$$

From equation (9), after multiplication with $k_1$, it follows that $a\gamma_1 = m_1 - \delta_1 k_1$. Using the obtained expression for $a\gamma_1$, equation (10) can be rewritten as:

$$
\begin{aligned}
\delta_2 k_2 &= (m_2 - a\gamma_2) \pmod{p-1} \\
\delta_2 (k_1 + 2) &= (m_2 - a\alpha^2\gamma_1) \pmod{p-1} \\
\delta_2 (k_1 + 2) &= (m_2 - \alpha^2 [m_1 - k_1\delta_1]) \pmod{p-1} \\
k_1(\delta_2 - \alpha^2\delta_1) &= (m_2 - \alpha^2 m_1 - 2\delta_2) \pmod{p-1}
\end{aligned}
\tag{11}
$$

From equation (11), Bob obtains the value of $k_1$ in the following way: he first checks whether $\gcd((\delta_2 - \alpha^2\delta_1), (p-1)) = 1$. If that is the case, then the multiplicative inverse of $(\delta_2 - \alpha^2\delta_1) \pmod{p-1}$ exists, and Bob finds $k_1$ simply by multiplying equation (11) with the multiplicative inverse of $(\delta_2 - \alpha^2\delta_1) \pmod{p-1}$.

Otherwise, Bob divides $(p-1)$, $(\delta_2 - \alpha^2\delta_1)$ and $(m_2 - \alpha^2 m_1 - 2\delta_2)$ by $\gcd((\delta_2 - \alpha^2\delta_1), (p-1)) = d$, $d > 1$, and obtains the following equation:

$$k_1 \frac{(\delta_2 - \alpha^2\delta_1)}{d} = \frac{(m_2 - \alpha^2 m_1 - 2\delta_2)}{d} \pmod{\frac{p-1}{d}} \tag{12}$$

which he then solves for $k_1'$ by multiplying it with the multiplicative inverse of $\frac{(\delta_2 - \alpha^2\delta_1)}{d} \pmod{\frac{p-1}{d}}$. Random parameter $k_1$ is therefore found as:

$$k_1 = k_1' + i\left(\frac{p-1}{d}\right) \pmod p, \quad 0 \le i \le d \tag{13}$$

Bob next finds a unique value of $k_1$ by finding $i$ for which $\gamma_1 = \alpha^{k_1}$.

Once Bob has obtained $k_1$, he finds Alice's private key from equation:

$$a\gamma_1 = (m_1 - \delta_1 k_1) \pmod{p-1} \tag{14}$$

Similar to the case of $k_1$, Bob again checks whether $d = \gcd(\gamma_1, (p-1)) = 1$. If $d = 1$, he finds Alice's private key by multiplying equation (14) with the multiplicative inverse of $\gamma_1 \pmod{p-1}$.


If $d > 1$, Bob divides $\gamma_1$, $(p-1)$ and $(m_1 - \delta_1 k_1)$ with $d$ and obtains the following equation:

$$a\,\frac{\gamma_1}{d} = \frac{(m_1 - \delta_1 k_1)}{d} \pmod{\frac{p-1}{d}} \tag{15}$$

He then obtains $a'$ by multiplying equation (15) with the multiplicative inverse of $\frac{\gamma_1}{d} \pmod{\frac{p-1}{d}}$. Finally, he obtains Alice's private key $a$ as follows:

$$a = a' + i\,\frac{p-1}{d}, \quad 0 \le i \le d \tag{16}$$

A unique solution for $a$ is obtained by finding $i$ such that $\beta = \alpha^a$.

(b) A Matlab function that finds Alice's private key, after obtaining two consecutive message-signature pairs from Alice, is called `ElGamal_findingPrivateKey`, and its code is given below.

```matlab
function [a, k] = ElGamal_findingPrivateKey(p, alpha, beta, m1, m2, gamma1, delta1, gamma2, delta2)
%ElGamal_findingPrivateKey function finds a private key used to sign
%two different messages m1 and m2, signed using ElGamal Signature Scheme,
%where secret random parameter k is generated by the following equation:
% k(i+1) = k(i) + 2 (mod (p-1))
%INPUTS:
%1. (p, alpha, beta) - public key
%2. m1, m2 - messages
%3. (gamma1, delta1) - signature of the first message
%4. (gamma2, delta2) - signature of the second message
%OUTPUTS:
%1. a - private key
%2. k - private (random) number k

%IDEA:
%k_i [delta_(i+1) - delta_i*alpha^2] = x_(i+1) - x_i*alpha^2 - 2*delta_(i+1)

%% Init
a = 0;
k = 0;

delta = mod((delta2 - alpha*alpha*delta1), (p-1));
m = mod((m2 - alpha*alpha*m1 - 2*delta2), (p-1));

d = gcd(delta, (p-1));

%Check gcd((delta_(i+1) - delta_i*alpha^2), p-1)
if (d == 1)
    [r, inverse, t] = extendedEuclidean(delta, (p-1));
    k = mod(m*inverse, (p-1));
else
    p_prime = (p-1)/d;
    delta_prime = delta/d;
    m_prime = m/d;

    % Inverse is taken modulo the reduced modulus (p-1)/d
    [r, inverse, t] = extendedEuclidean(delta_prime, p_prime);

    k_prime = mod((m_prime * inverse), p_prime);

    for i = 0:d
        k = k_prime + i * p_prime;
        gamma1_aux = square_and_multiply(alpha, k, p);
        if (gamma1_aux == gamma1)
            break;
        end
    end
end

%Finding secret key
%IDEA: a * gamma_i = x_i - k_i*delta_i

%Check gcd(gamma_i, p-1)
d = gcd(gamma1, p-1);
if (d == 1)
    [r, inverse, t] = extendedEuclidean(gamma1, (p-1));
    a = mod((inverse * (m1 - k*delta1)), (p-1));
else
    p_prime = (p-1)/d;
    x_prime = mod((m1 - k*delta1), (p-1))/d;
    gamma_prime = gamma1/d;

    [r, inverse, t] = extendedEuclidean(gamma_prime, p_prime);

    a_prime = mod((x_prime * inverse), p_prime);

    for i = 0:d
        a = a_prime + i * p_prime;
        beta_aux = square_and_multiply(alpha, a, p);
        if (beta_aux == beta)
            break;
        end
    end
end
```
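Added example (not part of the original solution set): a Python run over the Problem 4(b) numbers that first applies the public check $\gamma_2 = \alpha^2\gamma_1 \pmod p$, which lets anyone auditing signatures spot nonces that differ by 2, and then recovers $k_1$ and $a$. It eliminates $a$ by multiplying the first signing equation by $\gamma_2$ and the second by $\gamma_1$, so every step is a congruence modulo $p-1$; `solve_congruence`, `nonces_differ_by` and `recover_key` are names chosen here.

```python
from math import gcd

# Problem 4(b) values from the page: public key and the two observed signatures.
P, ALPHA, BETA = 28703, 5, 11339
M1, SIG1 = 12000, (26530, 19862)
M2, SIG2 = 24567, (3081, 7604)

def solve_congruence(c, r, n):
    """Return every x in [0, n) with c*x = r (mod n), or [] if there is none."""
    c, r = c % n, r % n
    d = gcd(c, n)
    if r % d:
        return []
    n_d = n // d
    x0 = (r // d) * pow(c // d, -1, n_d) % n_d
    return [x0 + i * n_d for i in range(d)]

def nonces_differ_by(p, alpha, sig1, sig2, step=2):
    """Public check: k2 = k1 + step forces gamma2 = alpha^step * gamma1 (mod p)."""
    return sig2[0] == pow(alpha, step, p) * sig1[0] % p

def recover_key(p, alpha, beta, m1, sig1, m2, sig2, step=2):
    """Return (k1, a) for signatures made with k2 = k1 + step, else None."""
    (g1, d1), (g2, d2) = sig1, sig2
    n = p - 1
    # Signing equations modulo n = p - 1:
    #   a*g1 = m1 - k1*d1        and        a*g2 = m2 - (k1 + step)*d2
    # Multiply the first by g2 and the second by g1; a*g1*g2 cancels.
    coeff = g1 * d2 - g2 * d1
    rhs = g1 * m2 - g2 * m1 - step * g1 * d2
    for k1 in solve_congruence(coeff, rhs, n):
        if pow(alpha, k1, p) != g1:          # keep the root with gamma1 = alpha^k1
            continue
        for a in solve_congruence(g1, m1 - k1 * d1, n):
            if pow(alpha, a, p) == beta:     # keep the root with beta = alpha^a
                return k1, a
    return None

if __name__ == "__main__":
    print("nonces differ by 2:", nonces_differ_by(P, ALPHA, SIG1, SIG2))
    print("(k1, a) =", recover_key(P, ALPHA, BETA, M1, SIG1, M2, SIG2))
```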

## Problem 5 (Stinson, Problem 7.5)

(a) A signature in the ElGamal Signature Scheme or the DSA is not allowed to have $\delta = 0$. Show that if a message were signed with a "signature" in which $\delta = 0$, it would be easy for an adversary to compute the secret key, $a$.

(b) A signature in the DSA is not allowed to have $\gamma = 0$. Show that if a "signature" in which $\gamma = 0$ is known, then the value of $k$ used in that "signature" can be determined. Given that value of $k$, show that it is now possible to forge a signature for any desired message (i.e. selective forgery can be carried out.)

Solution:

(a) ElGamal Signature Scheme

In the ElGamal Signature Scheme, a signature of a message $x$ is defined by the following set of equations:

$$
\begin{aligned}
\gamma &= \alpha^k \pmod p \\
\delta &= (x - a\gamma)k^{-1} \pmod{p-1} \\
\mathrm{sign}_K(x, k) &= (\gamma, \delta)
\end{aligned}
\tag{17}
$$

If, for a message $x$, we obtain signature $(\gamma, 0)$, then it follows:

$$\delta = (x - a\gamma)k^{-1} \pmod q \equiv 0 \pmod{p-1} \tag{18}$$

Equation (18) is satisfied when:

$$(p-1) \mid k^{-1} \quad \text{or} \quad (p-1) \mid (x - a\gamma) \tag{19}$$

If the first condition is satisfied, i.e. $(p-1) \mid k^{-1}$, then $k^{-1}$ would not be a valid multiplicative inverse of $k \pmod{p-1}$, since there does not exist an integer $k \in \mathbb{Z}_{p-1}$ such that $k \cdot 0 = 1 \pmod{p-1}$. We therefore only consider the second condition, when $(p-1) \mid (x - a\gamma)$.

In order to find the private key $a$, we use the remainder theorem to rewrite the given condition as follows:

$$x - a\gamma = \mu(p-1), \quad \mu \in \mathbb{Z} \tag{20}$$

Equation (20) can be rewritten as follows:

$$a = (x - \mu(p-1))\gamma^{-1}, \quad \mu \in \mathbb{Z} \tag{21}$$

From equation (21), a unique private key $a$ is found by finding $\mu$ such that $\alpha^a = \beta$.

DSA

In DSA, a signature of a message $x$ is defined by the following set of equations:

$$
\begin{aligned}
\gamma &= (\alpha^k \pmod p) \pmod q \\
\delta &= (\text{SHA-1}(x) + a\gamma)k^{-1} \pmod q \\
\mathrm{sign}_K(x, k) &= (\gamma, \delta)
\end{aligned}
\tag{22}
$$

If, for a message $x$, we obtain the signature $(\gamma, 0)$, then it follows:

$$(\text{SHA-1}(x) + a\gamma)k^{-1} \equiv 0 \pmod q \tag{23}$$

Equation (23) is satisfied when:

$$q \mid k^{-1} \quad \text{or} \quad q \mid (\text{SHA-1}(x) + a\gamma) \tag{24}$$

Similarly to the case of the ElGamal Signature Scheme, if $q \mid k^{-1}$, then $k^{-1}$ would not be a valid multiplicative inverse of $k \pmod q$, since there does not exist an integer $k \in \mathbb{Z}_q$ such that $k \cdot 0 = 1 \pmod q$. We therefore only consider the second condition, when $q \mid (\text{SHA-1}(x) + a\gamma)$. Again, using the remainder theorem, the given condition can be rewritten as:

$$(\text{SHA-1}(x) + a\gamma) = \mu q \tag{25}$$

$$a = (\mu q - \text{SHA-1}(x))\gamma^{-1} \tag{26}$$

A unique private key $a$ is found from equation (26) by finding $\mu$ such that $\alpha^a = \beta$.

(b) If a signature of the message $x$, signed using DSA, is equal to $(0, \delta)$, then it follows:

$$
\begin{aligned}
0 \equiv \gamma &= (\alpha^k \pmod p) \pmod q \\
\delta &= \text{SHA-1}(x)\,k^{-1} \pmod q
\end{aligned}
\tag{27}
$$

Knowing that $q$ is a prime number, from equation (28), we obtain $k$ as follows:

$$k = \delta^{-1}\,(\text{SHA-1}(x)) \pmod q \tag{29}$$

Now, choosing an arbitrary message $y \ne x$, an attacker can calculate $\text{SHA-1}(y)$, and use the calculated hash to find a valid signature for the forged message:

$$\delta = \text{SHA-1}(y)\,k^{-1} \pmod q \tag{30}$$

The new forged signature is equal to $(0, \delta)$, with $\delta$ defined by equation (30). A pair $(y, (0, \delta))$ represents a valid message-signature pair and proves that an attacker is able to forge a signature for any message of his choice.

## Problem 6 (Stinson, Problem 7.8)

We showed that using the same value k to sign two messages in the ElGamal Signature Scheme allows the
scheme to be broken (i.e. an adversary can determine the secret key without solving an instance of the
Discrete Logarithm problem). Show how similar attacks can be carried out for the Schnorr Signature
Scheme and the DSA scheme.

Solution:
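The Schnorr Signature Scheme

If a sender decides to use the same value of $k$ to sign two messages $x_1$ and $x_2$:

$$
\begin{aligned}
x_1: \quad \gamma_1 &= h(x_1 \,\|\, \alpha^k) \pmod p \\
\delta_1 &= k + a\gamma_1 \pmod q
\end{aligned}
\tag{31}
$$

$$
\begin{aligned}
x_2: \quad \gamma_2 &= h(x_2 \,\|\, \alpha^k) \pmod p \\
\delta_2 &= k + a\gamma_2 \pmod q
\end{aligned}
\tag{32}
$$

by combining the equations (31) and (32), we can write:

$$\delta_1 - \delta_2 = a(\gamma_1 - \gamma_2) \pmod q \tag{33}$$

In order to determine the private key $a$, we first calculate $\gcd((\gamma_1 - \gamma_2), q)$. If $\gcd((\gamma_1 - \gamma_2), q) = 1$, we then find the private key using the following equation:

$$a = (\delta_1 - \delta_2)(\gamma_1 - \gamma_2)^{-1} \pmod q \tag{34}$$

$$\gamma' = \frac{\gamma_1 - \gamma_2}{d}, \qquad \delta' = \frac{\delta_1 - \delta_2}{d}, \qquad q' = \frac{q}{d} \tag{35}$$

and define a new equation:

$$a'\gamma' = \delta' \pmod{q'} \tag{36}$$

Parameter $a'$ is now found as:

$$a' = \delta'\,\gamma'^{-1} \pmod{q'} \tag{37}$$

From equation (37), the private key is found as follows:

A unique solution of $a$ is found by finding $i$, such that $\beta = \alpha^a$.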

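DSA

If a sender decides to sign two messages $x_1$ and $x_2$ using the same value of the random parameter $k$:

$$
\begin{aligned}
x_1: \quad \gamma &= (\alpha^k \pmod p) \pmod q \\
\delta_1 &= (\text{SHA-1}(x_1) + a\gamma)k^{-1} \pmod q
\end{aligned}
\tag{39}
$$

$$
\begin{aligned}
x_2: \quad \gamma &= (\alpha^k \pmod p) \pmod q \\
\delta_2 &= (\text{SHA-1}(x_2) + a\gamma)k^{-1} \pmod q
\end{aligned}
\tag{40}
$$

$$(\delta_1 - \delta_2)k = \text{SHA-1}(x_1) - \text{SHA-1}(x_2) \pmod q \tag{41}$$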

In order to find the private key $a$, we first compute $\gcd((\delta_1 - \delta_2), q)$. If $\gcd((\delta_1 - \delta_2), q) = 1$, then we find the value of the random parameter $k$ as follows:

$$k = [\text{SHA-1}(x_1) - \text{SHA-1}(x_2)](\delta_1 - \delta_2)^{-1} \pmod q \tag{42}$$

If $\gcd((\delta_1 - \delta_2), q) = d$, $d > 1$, we define the following parameters:

$$\delta' = \frac{\delta_1 - \delta_2}{d}, \qquad x' = \frac{[\text{SHA-1}(x_1) - \text{SHA-1}(x_2)]}{d}, \qquad q' = \frac{q}{d} \tag{43}$$

and define a new equation:

$$k'\delta' = x' \pmod{q'} \tag{44}$$

Using parameters (43), we find the solution of $k'$ as follows:

$$k' = \delta'^{-1} x' \pmod{q'} \tag{45}$$

From equation (45) we find the value of the random parameter $k$ as follows:

$$k = \delta'^{-1} x' + iq' \pmod q, \quad 0 \le i \le (d-1) \tag{46}$$

Since $q$ is a prime number, from equation (46), we compute $a$ as:

1
a=( 1 k) · 1 (mod q) (48)
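
Added example (not part of the original solution set): the repeated-$k$ recoveries for DSA and Schnorr from this problem, together with the verifier-side range check behind Problem 5, in Python. The group parameters, the reduction of SHA-1 modulo $q$ for both schemes, and all function names are assumptions made for this demonstration.

```python
import hashlib
from itertools import count
from math import isqrt

# Constructed demo group (assumption, not from the page): Q = 2^31 - 1 is prime,
# P is the first prime of the form 2*j*Q + 1, and ALPHA has order Q modulo P.
Q = 2**31 - 1

def _is_prime(n):
    return n > 1 and all(n % f for f in range(2, isqrt(n) + 1))

P = next(2 * j * Q + 1 for j in count(1) if _is_prime(2 * j * Q + 1))
ALPHA = next(g for g in (pow(b, (P - 1) // Q, P) for b in count(2)) if g != 1)

def H(data: bytes) -> int:
    """SHA-1 reduced modulo Q (stands in for SHA-1(x) and h(.) in the equations)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big") % Q

def dsa_sign(a, k, msg):
    """Signer that takes k from the caller, so a repeated k can be modelled."""
    gamma = pow(ALPHA, k, P) % Q
    return gamma, (H(msg) + a * gamma) * pow(k, -1, Q) % Q

def dsa_verify(beta, msg, sig):
    gamma, delta = sig
    if not (0 < gamma < Q and 0 < delta < Q):  # gamma = 0 or delta = 0 is rejected
        return False
    w = pow(delta, -1, Q)
    v = pow(ALPHA, H(msg) * w % Q, P) * pow(beta, gamma * w % Q, P) % P % Q
    return v == gamma

def schnorr_sign(a, k, msg):
    gamma = H(msg + pow(ALPHA, k, P).to_bytes(8, "big"))
    return gamma, (k + a * gamma) % Q

def dsa_recover(msg1, sig1, msg2, sig2):
    """Equation (42) for k, then delta1*k = SHA-1(x1) + a*gamma solved for a."""
    (g1, d1), (g2, d2) = sig1, sig2
    if g1 != g2:  # equal gamma under one key is the visible sign of a shared k
        raise ValueError("gamma differs: the two signatures do not share k")
    k = (H(msg1) - H(msg2)) * pow((d1 - d2) % Q, -1, Q) % Q
    return k, (d1 * k - H(msg1)) * pow(g1, -1, Q) % Q

def schnorr_recover(sig1, sig2):
    """Equation (34) for a, then delta1 = k + a*gamma1 solved for k."""
    (g1, d1), (g2, d2) = sig1, sig2
    a = (d1 - d2) * pow((g1 - g2) % Q, -1, Q) % Q
    return (d1 - a * g1) % Q, a
```

Both recovery functions return the pair `(k, a)`; because the demo modulus is prime, the $d > 1$ branch of the derivation never arises here.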
