Task 1- Digital Signature Algorithm - DSA

The digital signature algorithm (DSA) was adopted in 1994 as a signature standard by the U.S. Government. Its security is based on the difficulty of the discrete logarithm problem in a large subgroup of the multiplicative group Z^∗_p.

1. To generate keys, each user does the following:

• pick a prime p such that p - 1 has a prime factor q.
• select a random integer h, 1 < h < p - 1, and such that h^(p-1/q) mod p > 1; let g = h^(p-1/q) mod p;
• select a random integer x, 0 < x < q, and compute y = g^x mod p;
• the user's public key is (p, q, g, y); the user's private key is x.

2. The following steps make up a digital signature algorithm where A signs a message that is to be sent to B:

• signature generation: to sign a message m, A does the following:

- choose a random integer k, 0 < k < q;

- compute k^-1 mod q;

- compute r = (g^k mod p) mod q;

- compute s = k^-1(m + xr) (mod q);

//for simplicity we consider m ∈ Z_q

- send the signature (r, s) along with message m to B.

3. signature verification:  B does the following:

• look up A's public key (p, q, g, y);
• compute w = s^-1 mod q;
• compute u₁ = mw mod q and u₂ = rw mod q;
• compute v = ((g^u1 y^u2) mod p) mod q;
• accept the signature only if v = r.

In this assignment, you are to implement a GP program (which should be called 'dsa.gp' which performs Digital Signature Algorithm as described above. The program must have the following functions:

• Keygen(x, y): a function to produce the DSA parameters: (p, q, g, y, x) as described above. The output of this function is (p, q, g, y, x).
• Sign(m): a function to sign a message m using the secret key x.
• Verify(m, r, s): a function to verify a message m with the signature (r, s). A signature is acceptable if the v = r as described above.

Task 2 - PARTIAL COLLISION OF SHA1

SHA-1 is a commonly used cryptographic hash function. It produces 20-byte (160-bit) hash value. We learnt in the lecture that a good hash function should be collision-resistant, meaning that it is difficult to find two different messages m and mt such that H(m) = H(m').

SHA-1 has been widely used in many standardized digital signature schemes, such as the Digital Signature Algorithm (DSA). If the hash function is not collision-resistant, then it will directly affect the security of the digital signature scheme.

In this task, we assume a simplified version of SHA-1, named SSHA-1, is used for hashing. SSHA- 1 only outputs the first 4 bytes (32 bits) of SHA-1 when hashing a message, and you are asked to find two different messages which produce the same 32 bits hash output. It is required that both messages MUST contain your UOW login ID. An online SHA1 generator: https://www.sha1-online.com/ would allow you to check your answer easily.

Write a C/C++ or JAVA program to accomplish the task. Your program should output the two messages and their hash values (should be the same). In this task, you are allowed to use any existing free source code for SHA1 (but make sure the code produces the correct output). If you are using JAVA, you are also allowed to directly invoke the SHA1 function in the JAVA library.

Task 3 - Protocol Design

In this section, you are to design a cryptographic protocol which is secure to help Alice, Bob and Charlie.  Alice, Bob and Charlie have the following problem. They want to know the sum of all of their ages, but they do not want to reveal their age to each other. Note that collusion attack is assumed not to happen here (e.g., Alice is trying to collude with Bob to cheat Charlie).  Devise a secure protocol to allow them to conduct what they would like to do.

Task 4 - Cryptanalysis

Let Enc be an encryption algorithm based on a one-way function F , and r a shared secret key between the sender and the receiver. Enc works as follows:

1. Compute K = F (r)||F (2r)||F (3r)||F (4r)|| · · ·;

2. For a message M, the ciphertext is computed as M ⊕ K (i.e., one-time pad). Assume that each block F (ir)(i = 1, 2, ...) has the same length, and an eavesdropper knows the function F but not the secret key r.

(a) Suppose F is defined as F (x) = g^x mod p where p is a 1024-bit prime (i.e. each block F (ir) has 1024 bits) and g is a generator of Z^∗_p. Assume that the discrete logarithm problem is hard in the group Z^∗_p, and the secret key r is chosen randomly from Zp-1. Show that the eavesdropper can decrypt the whole message once after obtaining the public parameters (g, p) and the first 1024 bits of a plaintext-ciphertext pair.

(b) Suppose F is the RSA function, that is F (x) = x^e mod n where n is 1024-bit long. Assume the RSA problem is hard in the group Z^∗_p, and r is chosen randomly from Z^∗_n. Show that the eavesdropper can decrypt the whole message once after obtaining (n, e) and the first 1024 bits of a plaintext-ciphertext pair.