\documentclass[a4paper,12pt]{article}

\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}

\title{Applied Cryptography -- Assignment 3}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{May 11, 2022}

\begin{document}

\maketitle

\section*{Exercise 1}

\begin{enumerate}[label=(\alph*)]

\item We know that $C_2$ is uniformly distributed because the algorithm works in the multiplicative group $\mathbb{Z}^{*}_p$ of order $p - 1$. If $k$ is chosen uniformly at random with $k < p-1$, then $y^k = g^{kx}$ is uniformly distributed in $\mathbb{Z}^{*}_p$. Multiplying by $M$ preserves the uniform distribution, because $M$ is also an element of the group.

\item Decryption in this cryptosystem works as follows:
\[ M\leftarrow g^{kx}\cdot g^{-kx}\cdot M \]
To invert a ciphertext, an attacker must therefore be able to compute the value $g^{kx}$. Since $g$, $g^k$ and $g^x$ are known to the attacker and $g^{kx}$ is unknown, this is an instance of the CDH problem. Assuming that CDH is hard, the probability that an attacker can invert the cryptosystem is negligible. The cryptosystem is thus \textsf{OW-CPA} secure.

\item From the slides, we know that $C = M^e_1 \cdot M^e_2$. For this algorithm we can write $C = g^{xk} \cdot M$. We perform the meet-in-the-middle attack: compute
\[ c = C/i^e \quad\text{for } i \in \{1,2,\dots,2^{l/2}\}. \]
If $c$ is not in the group generated by $g$, we have found $M$.

\item Malice knows $C_1$ and $C_2$ after she has intercepted the ciphertext pair. She then chooses a random $R\xleftarrow{\$}\mathbb{Z}^*_N$ and computes $C'\leftarrow C_2\cdot R$. She now sends $(C_1,C')$ to Alice, who decrypts it and obtains $MR$. Because Malice chose $R$ herself, she can recover the original plaintext $M$ from $MR$.

\end{enumerate}
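The following is an added example, not part of the assignment: textbook ElGamal in a constructed toy group ($p = 23$, $g = 5$, both chosen here for readability) implementing the decryption from (b) and the ciphertext manipulation from (d). Decrypting $(C_1, C_2 \cdot R)$ yields $MR$, and since the manipulating party knows $R$ it divides it out again; this homomorphic behaviour is exactly why textbook ElGamal is not CCA-secure and is used with an integrity mechanism in practice.

```python
# Added example (not part of the assignment): textbook ElGamal encryption in
# Z_p^* with a tiny constructed prime, showing (d): multiplying C_2 by a chosen
# R changes the decrypted plaintext to M*R, which the manipulating party undoes.
import secrets

# Constructed toy parameters: p = 23 is prime and g = 5 generates Z_23^*.
P = 23
G = 5


def keygen(x=None):
    """Return (x, y): secret exponent x and public key y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(P - 2) + 1   # 1 <= x <= p-2
    return x, pow(G, x, P)


def encrypt(y, m, k=None):
    """Encrypt m in Z_p^* as (C1, C2) = (g^k, m * y^k) mod p."""
    if k is None:
        k = secrets.randbelow(P - 2) + 1
    return pow(G, k, P), (m * pow(y, k, P)) % P


def decrypt(x, ct):
    """Recover m = C2 * (C1^x)^-1 mod p, i.e. m = g^{kx} * g^{-kx} * m."""
    c1, c2 = ct
    return (c2 * pow(pow(c1, x, P), -1, P)) % P


def rerandomize_plaintext(ct, r):
    """The malleability from (d): (C1, C2 * R) decrypts to M * R."""
    c1, c2 = ct
    return c1, (c2 * r) % P


def undo_factor(mr, r):
    """Given M * R and the chosen R, recover M."""
    return (mr * pow(r, -1, P)) % P


if __name__ == "__main__":
    x, y = keygen(x=6)                  # y = 5^6 mod 23 = 8
    ct = encrypt(y, 10, k=3)            # ct == (10, 14) for these constants
    print(decrypt(x, ct))               # 10
    tampered = rerandomize_plaintext(ct, 7)
    mr = decrypt(x, tampered)           # Alice obtains M*R = 70 mod 23 = 1
    print(mr, undo_factor(mr, 7))       # 1 10
```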

\section*{Exercise 2}

\begin{enumerate}[label=(\alph*)]

\item The steps to compute the signature pair $(r,s)$ are as follows:
\begin{enumerate}[label=\arabic*.]
\item Choose a random $k\xleftarrow{\$}\mathbb{Z}_{p-1}$.
\item Compute $r\leftarrow g^k\mod p$.
\item Compute $s\leftarrow (M-xr)k^{-1}\mod (p-1)$.
\item If $s = 0$, go to 1.
\end{enumerate}

\item An existential forgery can be made as follows:
\begin{enumerate}[label=\arabic*.]
\item Choose a random $k\xleftarrow{\$}\mathbb{Z}_{p-1}$.
\item Compute $r\leftarrow g^k y\mod p$.
\item Compute $s\leftarrow -r\mod (p-1)$.
\item The tuple $(r,s)$ is a valid forgery for the message $M = ks\mod (p-1)$.
\end{enumerate}

\end{enumerate}
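As an added example (not part of the assignment), the signing procedure from (a), the verification equation $g^M \stackrel{?}{=} y^r r^s \pmod p$, and a check that the tuple constructed in (b) indeed passes verification for $M = ks \bmod (p-1)$. The group parameters $p = 23$, $g = 5$ are constructed toy values; $k$ is additionally required to be invertible modulo $p-1$, which the exercise text leaves implicit.

```python
# Added example (not part of the assignment): textbook ElGamal signatures over
# Z_p^* with constructed toy parameters, the verification equation
# g^M == y^r * r^s (mod p), and a check that the forgery from (b) verifies.
from math import gcd
import secrets

P = 23          # constructed toy prime
G = 5           # generator of Z_23^*
ORDER = P - 1   # exponents live in Z_{p-1}


def keygen(x=None):
    """Return (x, y) with y = g^x mod p."""
    if x is None:
        x = secrets.randbelow(ORDER - 1) + 1
    return x, pow(G, x, P)


def sign(x, m, k=None):
    """Return (r, s) with r = g^k mod p and s = (m - x r) k^-1 mod (p-1)."""
    while True:
        kk = k if k is not None else secrets.randbelow(ORDER - 1) + 1
        k = None                          # any retry uses a fresh random k
        if gcd(kk, ORDER) != 1:           # k^-1 mod (p-1) must exist
            continue
        r = pow(G, kk, P)
        s = ((m - x * r) * pow(kk, -1, ORDER)) % ORDER
        if s != 0:                        # step 4: retry when s == 0
            return r, s


def verify(y, m, sig):
    """Accept iff 0 < r < p and g^m == y^r * r^s (mod p)."""
    r, s = sig
    if not 0 < r < P:
        return False
    return pow(G, m, P) == (pow(y, r, P) * pow(r, s, P)) % P


def existential_forgery(y, k):
    """The construction from (b): r = g^k y, s = -r mod (p-1), m = k s mod (p-1).
    Returns the message m together with a signature that verifies for it."""
    r = (pow(G, k, P) * y) % P
    s = (-r) % ORDER
    m = (k * s) % ORDER
    return m, (r, s)
```

The forgery works because the unhashed message enters the exponent directly: $y^r r^s = y^r (g^k y)^{-r} = g^{-kr} = g^{ks}$. Signing $H(M)$ instead of $M$ removes the attack, since the forger would then need a message whose hash equals $ks$.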

\section*{Exercise 3}

The modified Pedersen bit commitment scheme is computationally binding and perfectly hiding. The proof of the binding property is by contradiction. Suppose the commitment is not binding, i.e., the same commitment can also be opened to the other bit $1-B$:
\[ \mathsf{Comm}(pk,B,R_0) = \mathsf{Comm}(pk,1-B,R_1) = g^{R_0}\cdot h^{B+R_0} = g^{R_1}\cdot h^{1-B+R_1} \]
Then
\[ \log_g h = \frac{R_0-R_1}{R_0+R_1+1}, \]
which contradicts the assumption that $\log_g h$ is unknown to the parties and implies that the discrete logarithm problem is not hard. Therefore, the modified Pedersen bit commitment scheme is computationally binding.
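As an added example (not part of the assignment), the commitment $\mathsf{Comm}(pk,B,R) = g^R h^{B+R}$ in a constructed prime-order subgroup ($p = 23$, $q = 11$, $g = 2$) together with the extractor that the binding argument relies on: from two openings of one commitment to different bits it solves $g^{R_0-R_1} = h^{(1-B+R_1)-(B+R_0)}$ for $\log_g h$ in $\mathbb{Z}_q$. The colliding openings are produced with the trapdoor $t = \log_g h$, which a real committer does not have; that is precisely why the scheme is only computationally binding.

```python
# Added example (not part of the assignment): the modified Pedersen bit
# commitment Comm(pk, B, R) = g^R * h^(B+R) in a constructed prime-order
# subgroup, and the extractor behind the binding argument: two openings of one
# commitment to different bits yield log_g h.

P = 23          # constructed toy prime; Z_23^* has a subgroup of prime order 11
Q = 11
G = 2           # 2 has order 11 mod 23
T = 7           # trapdoor log_g h; used here ONLY to construct a collision
H = pow(G, T, P)


def commit(b, r):
    """Comm(pk, B, R) = g^R * h^(B+R) mod p with B in {0, 1}."""
    assert b in (0, 1)
    return (pow(G, r, P) * pow(H, (b + r) % Q, P)) % P


def open_ok(com, b, r):
    """Receiver's check when the committer reveals (B, R)."""
    return com == commit(b, r)


def extract_log(b0, r0, b1, r1):
    """Given openings (b0, r0) and (b1, r1) of the same commitment with b0 != b1,
    solve g^(r0 - r1) = h^((b1 + r1) - (b0 + r0)) for log_g h in Z_q."""
    assert b0 != b1 and commit(b0, r0) == commit(b1, r1)
    exp_g = (r0 - r1) % Q
    exp_h = ((b1 + r1) - (b0 + r0)) % Q   # nonzero whenever b0 != b1
    return (exp_g * pow(exp_h, -1, Q)) % Q


def forge_openings_with_trapdoor(t, r1):
    """With the trapdoor t = log_g h, find r0 such that Comm(0, r0) == Comm(1, r1).
    Equating exponents of g: r0 (1 + t) = r1 (1 + t) + t  (mod q)."""
    r0 = (r1 + t * pow(1 + t, -1, Q)) % Q
    return r0, r1
```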

The commitment scheme is (perfectly?) hiding because ...

\section*{Exercise 4}

A $\Sigma$-protocol is a three-move protocol that satisfies completeness, special soundness and special honest-verifier zero-knowledge. The protocol described in this exercise is a three-move protocol. To see whether it is complete, we rewrite the verifier's check $g^{z_1}_1 g^{z_2}_2 \stackrel{?}{=} ah^{\text{ch}}$:
\begin{align*}
g^{z_1}_1 g^{z_2}_2 &= ah^{\text{ch}} \pmod p \\
g^{z_1}_1 g^{z_2}_2 &= g^{r_1}_1 g^{r_2}_2 \cdot (g^{w_1}_1 g^{w_2}_2)^{\text{ch}} \pmod p \\
g^{z_1}_1 g^{z_2}_2 &= g^{r_1}_1 g^{r_2}_2 \cdot g^{\text{ch}w_1}_1 g^{\text{ch}w_2}_2 \pmod p \\
g^{z_1}_1 g^{z_2}_2 &= g^{r_1+\text{ch}w_1}_1 g^{r_2+\text{ch}w_2}_2 \pmod p
\end{align*}
From this we can see that $g^{z_1}_1 = g^{r_1+\text{ch}w_1}_1 \rightarrow z_1 = r_1 + \text{ch}w_1$ and $g^{z_2}_2 = g^{r_2+\text{ch}w_2}_2 \rightarrow z_2 = r_2 + \text{ch}w_2$. Since the prover and verifier can execute the computation and the protocol correctly, it is complete.

To prove that it has special soundness, we check whether there is a way to retrieve the secret key $(w_1, w_2)$ with non-negligible probability from two transcripts with the same commitment and different challenges:
\begin{align*}
z_1 - z_1' &= r_1 + \text{ch}w_1 - r_1 + \text{ch}'w_1 \\
z_1 - z_1' &= \text{ch}w_1 + \text{ch}'w_1 \\
z_1 - z_1' &= w_1(\text{ch} + \text{ch}') \\
\frac{z_1 - z_1'}{\text{ch} + \text{ch}'} &= w_1 \quad\text{and respectively}\quad \frac{z_2 - z_2'}{\text{ch} + \text{ch}'} = w_2
\end{align*}
$w_1$ and $w_2$ can be extracted with probability 1.

For special honest-verifier zero-knowledge (special HVZK), the distributions of the real transcripts and the simulated transcripts are the same. A valid transcript occurs with probability $1/2q$ for this protocol because two values are calculated. From this, we can say that this is a $\Sigma$-protocol.
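As an added example (not part of the assignment), the protocol run as an exchange between the two parties in a constructed prime-order subgroup ($p = 23$, $q = 11$, $g_1 = 2$, $g_2 = 4$), with the three moves $a$, $\text{ch}$, $(z_1, z_2)$ and the verifier's check, followed by the two algorithms the definition asks for: the special-soundness extractor that takes two accepting transcripts with the same $a$ and different challenges, and the special HVZK simulator that fixes $\text{ch}$ and $(z_1, z_2)$ first and solves for $a$. All parameter values are constructed for the example.

```python
# Added example (not part of the assignment): the Sigma-protocol for knowledge
# of (w1, w2) with h = g1^w1 * g2^w2, run as an exchange between prover and
# verifier, plus the special-soundness extractor and the SHVZK simulator.
# Parameters are constructed: prime p = 23 with a subgroup of prime order 11.
import secrets

P, Q = 23, 11
G1, G2 = 2, 4          # both have order 11 in Z_23^*


def keygen(w1=None, w2=None):
    """Secret (w1, w2) and public h = g1^w1 * g2^w2 mod p."""
    w1 = secrets.randbelow(Q) if w1 is None else w1
    w2 = secrets.randbelow(Q) if w2 is None else w2
    h = (pow(G1, w1, P) * pow(G2, w2, P)) % P
    return (w1, w2), h


def prover_commit(r1=None, r2=None):
    """Move 1: a = g1^r1 * g2^r2. Returns prover state (r1, r2) and message a."""
    r1 = secrets.randbelow(Q) if r1 is None else r1
    r2 = secrets.randbelow(Q) if r2 is None else r2
    return (r1, r2), (pow(G1, r1, P) * pow(G2, r2, P)) % P


def verifier_challenge():
    """Move 2: a uniformly random challenge ch in Z_q."""
    return secrets.randbelow(Q)


def prover_respond(sk, state, ch):
    """Move 3: z_i = r_i + ch * w_i (mod q)."""
    (w1, w2), (r1, r2) = sk, state
    return (r1 + ch * w1) % Q, (r2 + ch * w2) % Q


def verify(h, a, ch, z):
    """Accept iff g1^z1 * g2^z2 == a * h^ch (mod p)."""
    z1, z2 = z
    lhs = (pow(G1, z1, P) * pow(G2, z2, P)) % P
    return lhs == (a * pow(h, ch, P)) % P


def run_protocol(sk, h, r=(None, None), ch=None):
    """One honest execution; returns the transcript (a, ch, z)."""
    state, a = prover_commit(*r)
    ch = verifier_challenge() if ch is None else ch
    z = prover_respond(sk, state, ch)
    assert verify(h, a, ch, z)          # completeness
    return a, ch, z


def extract(t1, t2):
    """Special soundness: two accepting transcripts with the same a and
    different challenges give w_i = (z_i - z_i') / (ch - ch') mod q."""
    (a, ch, (z1, z2)), (a2, ch2, (z1b, z2b)) = t1, t2
    assert a == a2 and ch != ch2
    inv = pow((ch - ch2) % Q, -1, Q)
    return ((z1 - z1b) * inv) % Q, ((z2 - z2b) * inv) % Q


def simulate(h, ch=None, z=None):
    """Special HVZK: choose ch and z first, then a = g1^z1 * g2^z2 * h^(-ch),
    which yields an accepting transcript without knowing (w1, w2)."""
    ch = secrets.randbelow(Q) if ch is None else ch
    z = (secrets.randbelow(Q), secrets.randbelow(Q)) if z is None else z
    a = (pow(G1, z[0], P) * pow(G2, z[1], P) * pow(h, (-ch) % Q, P)) % P
    return a, ch, z
```

The extractor is the concrete content of the special-soundness claim: any prover that answers two different challenges on the same $a$ has effectively handed over $(w_1, w_2)$, so a cheating prover can succeed on at most one challenge per commitment.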

\section*{Exercise 5}

\begin{enumerate}[label=(\alph*)]

\item The two secrets $R$ and $R'$ are the same because $R = [a]Q = [a][b]G$ and $R' = [b]P = [b][a]G$. Since scalar multiplication is commutative, it does not matter whether the point $G$ is first added to itself $a$ times and then $b$ times or first $b$ times and then $a$ times, that is, $[a][b]G = [b][a]G$.

\item
\begin{enumerate}[label=\roman*.]
\item The command \texttt{E.cardinality()} shows the cardinality of $E(\mathbb{F}_p)$ to be 19.
\item The command \texttt{G.order()} gives 19. This is a good generator because the order of the point equals the curve's cardinality.
\item Alice's public key is obtained with the command \texttt{P = 6*G}, giving $P = (16,13)$.
\item The shared secret is $R = (10,11)$.
\item Bob's secret key is $b = 9$ because $[9](16,13) = (10,11)$, which is again the shared secret $R = (10,11)$.
\end{enumerate}

\item
\begin{enumerate}[label=\roman*.]
\item The value $n/q = 8$ is the cofactor. This factor should ideally be 1, but 4 and 8 are also generally accepted. It implies that the generator can only generate an eighth of the curve's points, but this is sufficient because the prime order is large enough.
\item Our public key is \scriptsize
\begin{align*}
P_x &= 37048414743519733025193263783831109212639304451100804104094977507780325771837 \\
P_y &= 7948348303373633531074340512410840174332123202786516445812187645996223942543
\end{align*}
\normalsize
\item The shared secret is \scriptsize
\begin{align*}
R_x &= 12694057863029409910518855127562537703457904794426889564008604777220378465981 \\
R_y &= 13554456243083127232280450417120767460444645552951962238781744328587077080733
\end{align*}
\normalsize
\end{enumerate}

\end{enumerate}

\section*{Exercise 6}

\begin{enumerate}[label=(\alph*)]

\item Taking step c) from the verification process:
\begin{align*}
X &= u_1G + u_2Q \\
X &= u_1G + u_2dG \\
X &= G(u_1+u_2d) \\
X &= G(hs^{-1} + rs^{-1}d) \\
X &= Gs^{-1}(h+rd) \\
X &= G((h+rd)k^{-1})^{-1}(h+rd) \\
X &= G(h+rd)^{-1}k(h+rd) \\
X &= kG
\end{align*}
The end result corresponds to verification step e), where the first coordinate of $X$ is compared to the first coordinate of $kG$ computed in step a) of the signing process. Therefore, ECDSA is correct for valid signatures.

\item The missing value $s$ for the signature $(r,s)$ can be computed as $s = (h+ar)\cdot k^{-1}$, where $h$ is the hash of the message, $a$ is Alice's secret, $r$ is the previously computed value and $k$ is a random element of the field. The \texttt{int(k)} is necessary because \texttt{Fq.random\_element()} returns a ring element in Sage, and multiplying it with the elliptic curve point $G$ is not defined. We thus get for the signature: \footnotesize
\begin{align*}
r &= 5080577922972882666513496014001877803493172471854768672263945088855495166288 \\
s &= 2637073733489748487924358892773309827435174182541522647977484900993507962816
\end{align*}
\normalsize

\item \footnotesize
\begin{align*}
r &= 1937039209107375661240824524720359737526758893291527738179502027465721858973 \\
s &= 2378717659329096634003140914832681825704082798955072152387029183634726006141 \\
u_1 &= 2911255932974061329969560309874680588580402019356170911152661181249118748824 \\
u_2 &= 2007528059246574562394093177126027656604930319942217580674640487635635869328 \\
x_1 &= 16411050363771900089187197650806348219240991612051342950183403904036630360951 \\
y_1 &= 20675209945797904937674417570524604472445689810721811044409633748696176799258
\end{align*}
\normalsize
It is the case that $x_1 \bmod q = r$, and the signature is therefore valid.

\item If we know that both signatures were created with the same $k$, the relation between $s_1$ and $s_2$ is that their difference equals the difference between the two message hashes divided by $k$:
\begin{align*}
s_1 &= \frac{h_1+dR}{k}\quad\text{with } r_1=r_2=R \\
s_2 &= \frac{h_2+dR}{k} \\
k &= \frac{h_1+dR}{s_1} = \frac{h_2+dR}{s_2} \\
k &= \frac{h_1-h_2}{s_1-s_2} \\
s_1-s_2 &= \frac{h_1-h_2}{k}
\end{align*}

\item The security of the signature is compromised once we know that the signer used the same $k$ for multiple signatures. Knowing this, we can solve the equation from (d) for $d$ (the private key), and since all the other inputs are known, the private key is easily computed:
\begin{align*}
k &= \frac{h_1+dR}{s_1} = \frac{h_2+dR}{s_2}\quad\text{with } r_1=r_2=R \\
\frac{h_1+dR}{s_1} &= \frac{h_2+dR}{s_2} \\
s_2h_1 + s_2dR &= s_1h_2 + s_1dR \\
s_2h_1 - s_1h_2 &= dR(s_1-s_2) \\
d &= (s_2h_1-s_1h_2)\cdot (R(s_1-s_2))^{-1}
\end{align*}

\item We take the same values for $r$, $s$, $u_1$ and $u_2$ from c). We then compute $X = \mathsf{int}(u_1)\cdot G + \mathsf{int}(u_2)\cdot Q_{\text{oh no}}$ and obtain $X = (x_1,y_1)$: \footnotesize
\begin{align*}
x_1 &= 16411050363771900089187197650806348219240991612051342950183403904036630360951 \\
y_1 &= 20675209945797904937674417570524604472445689810721811044409633748696176799258
\end{align*}
\normalsize
Here we can already see that $x_1$ is the same as in c), so $x_1 \bmod q$ is again equal to $r$ and the signature is valid.

\item The point $T$ is special because it has a very low order of 8. Multiplying $T$ by 8 thus yields the identity element. If the normal point $Q_b$ and the special point $T$ are added and the sum is multiplied by 8, the result is the same as multiplying the normal point $Q_b$ by 8 alone; the point $T$ does not contribute to the end result.

The point $Q_{\text{oh no}}$ works as a public key because it is simply the next point in the subgroup generated by the generator $G$; the secret is just one step larger.

\item Monero uses key images of spent outputs to determine whether an output has already been spent. The point $Q_b$ is used to create a key image for an unspent output and the transaction is submitted to the chain. The signature verifies correctly and the transaction is accepted. An attacker can use the second point $Q_{\text{oh no}}$ to construct a different key image for the same (seemingly) unspent output. Since this key image is also valid and verifies correctly, the transaction is again accepted, allowing the adversary to double spend.

\item

\end{enumerate}
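As an added example (not part of the assignment, and not the Sage code the exercises were solved with), a small elliptic-curve implementation over $\mathbb{F}_p$ serving both Exercise 5 and Exercise 6: the ECDH exchange of 5(a)/(b) together with a point-order computation, and ECDSA signing, verification and the nonce-reuse recovery of $k$ and $d$ from 6(d)/(e). The curve is an assumption, since its parameters are not given above: the example uses the textbook curve $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with $G = (5,1)$, which has 19 points and reproduces the values quoted in Exercise 5 ($6G = (16,13)$, $R = (10,11)$, $b = 9$). Digest values fed to the signer are constructed small integers standing in for $H(m) \bmod q$.

```python
# Added example (not part of the assignment): toy curve over F_p with affine
# arithmetic, ECDH (Exercise 5) and ECDSA with nonce-reuse recovery (Exercise 6).
# ASSUMED curve: y^2 = x^3 + 2x + 2 over F_17, G = (5, 1), 19 points; the
# assignment's curve is not stated on the page, this one matches its values.
import secrets

P, A, B = 17, 2, 2          # constructed toy curve parameters
G = (5, 1)
INF = None                  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition, covering doubling, inverses and infinity."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)
    lam %= P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def mul(k, pt):
    """Scalar multiplication [k]pt by double-and-add."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def order(pt):
    """Smallest n > 0 with [n]pt = O (brute force; fine on a toy curve)."""
    n, cur = 1, pt
    while cur is not INF:
        cur = add(cur, pt)
        n += 1
    return n


Q = order(G)                # 19 here: prime group order, modulus for ECDSA scalars


def ecdh(a, b):
    """Alice P=[a]G, Bob Q=[b]G; both reach [a][b]G = [b][a]G (Exercise 5(a))."""
    pa, pb = mul(a, G), mul(b, G)
    r_alice, r_bob = mul(a, pb), mul(b, pa)
    assert r_alice == r_bob
    return pa, pb, r_alice


def ecdsa_sign(d, h, k=None):
    """(r, s) with r = x([k]G) mod q and s = (h + d r) k^-1 mod q; h is H(m) mod q."""
    while True:
        kk = k if k is not None else 1 + secrets.randbelow(Q - 1)
        k = None                          # retries always use a fresh random k
        pt = mul(kk, G)
        if pt is INF or pt[0] % Q == 0:
            continue
        r = pt[0] % Q
        s = ((h + d * r) * pow(kk, -1, Q)) % Q
        if s != 0:
            return r, s


def ecdsa_verify(pub, h, sig):
    """Steps c)/e) of verification: X = u1 G + u2 Q, accept iff x(X) mod q == r."""
    r, s = sig
    if pub is INF or not on_curve(pub) or not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    x = add(mul((h * w) % Q, G), mul((r * w) % Q, pub))
    return x is not INF and x[0] % Q == r


def recover_from_nonce_reuse(h1, sig1, h2, sig2):
    """Exercise 6 (d),(e): two signatures sharing k (so r1 == r2) give
    k = (h1 - h2)/(s1 - s2) and d = (s2 h1 - s1 h2)/(r (s1 - s2)) mod q."""
    (r, s1), (r2, s2) = sig1, sig2
    assert r == r2 and s1 != s2
    k = ((h1 - h2) * pow((s1 - s2) % Q, -1, Q)) % Q
    d = ((s2 * h1 - s1 * h2) * pow((r * (s1 - s2)) % Q, -1, Q)) % Q
    return k, d
```

The recovery function is why production signers derive $k$ deterministically from the key and the message (RFC 6979) or use a vetted CSPRNG: a single repeated nonce across two signatures exposes the private key with nothing more than the two public signatures and hashes.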

\end{document}