CS800- Public Key Cryptography

Dr. Modi Chirag N

[email protected]
 Module-III
Public key cryptography
digital signatures, attacks
hash functions
authentication schemes
Challenge Response Protocol
Zero Knowledge proofs

03/14/2025 Chirag N. Modi 2

 Introduction
Public-key encryption-Asymmetric encryption.
in public-key encryption systems each entity A has a public key
e and a corresponding private key d.
In secure systems, the task of computing d given e is
computationally infeasible.
The public key defines an encryption transformation Ee, while
the private key defines the associated decryption
transformation Dd.
Any entity B wishing to send a message m to A obtains an
authentic copy of A’s public key e, uses the encryption
transformation to obtain the ciphertext c = Ee(m),
and transmits c to A.

03/14/2025 Chirag N. Modi 3

 Introduction
To decrypt c, A applies the decryption transformation to obtain
the original message m = Dd(c).
The public key need not be kept secret, and, in fact, may be
widely available – only its authenticity is required to guarantee
that A is indeed the only party who knows the corresponding
private key.
A primary advantage of such systems is that providing
authentic public keys is generally easier than distributing secret
keys securely, as required in symmetric key systems.
The main objective of public-key encryption is to provide
privacy or confidentiality.

03/14/2025 Chirag N. Modi 4

 Introduction
Since A’s encryption transformation is public knowledge,
public-key encryption alone does not provide data origin
authentication or data integrity.
Such assurances must be provided through use of additional
techniques, including message authentication codes and digital
signatures.
Public-key encryption schemes are typically substantially
slower than symmetric-key encryption algorithms such as DES.
For this reason, public-key encryption is most commonly used
in practice for the transport of keys subsequently used for bulk
data encryption by symmetric algorithms and other
applications including data integrity and authentication, and for
encrypting small data items such as credit card numbers and
PINs
03/14/2025 Chirag N. Modi 5
 Introduction
Public-key decryption may also provide authentication
guarantees in entity authentication and authenticated key
establishment protocols.
traditional private/secret/single key cryptography uses one
key, shared by both sender and receiver
if this key is disclosed. communications are compromised
also is symmetric, parties are equal
hence does not protect sender from receiver forging a message
and claiming it’s sent by sender (repudiation problem)
PKC- developed to address two key issues:
key distribution – how to have secure communications in general
without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from the
claimed sender
03/14/2025 Chirag N. Modi 6
 Public-Key Cryptography
public-key/two-key/asymmetric cryptography involves the use
of two keys:
a public-key, which may be known by anybody, and can
be used to encrypt messages, and verify signatures
a related private-key, known only to the recipient, used
to decrypt messages, and sign (create) signatures
infeasible to determine private key from public (requires
solving a hard problem)
It is an asymmetric because those who encrypt messages or
verify signatures cannot decrypt messages or create
signatures

03/14/2025 Chirag N. Modi 7

 Public-Key Cryptography- Secrecy

03/14/2025 Chirag N. Modi 8

 Public-Key Cryptography- Authentication-Verification

03/14/2025 Chirag N. Modi 9

 SKC Vs PKC

03/14/2025 Chirag N. Modi 10

 Combining Secrecy and Authentication

03/14/2025 Chirag N. Modi 11

 Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses,
others are specific to one

03/14/2025 Chirag N. Modi 12

 Public-Key Requirements
Public-Key algorithms rely on two keys where:
it is computationally infeasible to find decryption key knowing
only algorithm & encryption key
it is computationally easy to en/decrypt messages when the
relevant (en/decrypt) key is known
either of the two related keys can be used for encryption, with
the other used for decryption (for some algorithms)
these are formidable requirements which only a few algorithms
have satisfied
need a trapdoor one-way function: one-way function has
Y = f(X) easy
X = f–1(Y) infeasible

03/14/2025 Chirag N. Modi 13

 Public-Key Requirements
a trap-door one-way function has
Y = fk(X) easy, if k and X are known
X = fk–1(Y) easy, if k and Y are known
X = fk–1(Y) infeasible, if Y known but k not known
a practical public-key scheme depends on a suitable
trap-door one-way function

03/14/2025 Chirag N. Modi 14

 RSA public-key encryption
The RSA cryptosystem, its inventors R. Rivest, A. Shamir, and L.
Adleman, is the most widely used public-key cryptosystem.
It may be used to provide both secrecy and digital signatures
and its security is based on the intractability of the integer
factorization

03/14/2025 Chirag N. Modi 15

 RSA public-key encryption
Each entity creates an RSA public key and a corresponding
private key.
Each entity A should do the following:
Generate two large random (and distinct) primes p and q,
each roughly the same size.
Compute n = pq and φ = (p − 1)(q − 1).
Select a random integer e, 1 < e < φ, such that gcd(e, φ) = 1.
Use the extended Euclidean algorithm to compute the
unique integer d, 1 < d < φ, such that ed ≡ 1 (mod φ).
A’s public key is (n, e); A’s private key is d.
The integers e and d in RSA key generation are called the
encryption exponent and the decryption exponent, respectively,
while n is called the modulus
03/14/2025 Chirag N. Modi 16
 RSA public-key encryption
B encrypts a message m for A, which A decrypts.
Encryption. B should do the following:
Obtain A’s authentic public key (n, e).
Represent the message as an integer m in the interval [0, n
− 1].
Compute c = me mod n
Send the ciphertext c to A.
Decryption. To recover plaintext m from c, A should do the
following:
Use the private key d to recover m = cd mod n.

03/14/2025 Chirag N. Modi 17

 RSA- Decryption Proof
For all the cases
med ≡ m (mod p)
med ≡ m (mod q)
Finally, since p and q are distinct primes, it follows that
med ≡ m (mod n)
and, hence, cd ≡ (me)d ≡ m (mod n)

03/14/2025 Chirag N. Modi 18

 RSA- Example
Key generation.
Entity A chooses the primes p = 2357, q = 2551, and computes
n =pq = 6012707 and φ = (p−1)(q−1) = 6007800.
A chooses e = 3674911 and, using the extended Euclidean
algorithm, finds d = 422191 such that ed ≡ 1 (mod φ).
A’s public key is the pair (n = 6012707, e = 3674911)
while A’s private key is d = 422191.
Encryption. To encrypt a message m = 5234673,
B uses an algorithm for modular exponentiation to compute
c = me mod n = 52346733674911 mod 6012707 = 3650502,
and sends this to A.
Decryption. To decrypt c, A computes cd mod n =
3650502422191 mod 6012707 = 5234673
03/14/2025 Chirag N. Modi 19
 Security of RSA-Relation to factoring
The task faced by a passive adversary is that of recovering
plaintext m from the corresponding ciphertext c, given the
public information (n, e) of the intended receiver A.
This is called the RSA problem (RSAP)
There is no efficient algorithm known for this problem.
One possible approach which an adversary could employ to
solving the RSA problem is to first factor n, and then compute φ
and d just as A did.
Once d is obtained, the adversary can decrypt any ciphertext
intended for A.

03/14/2025 Chirag N. Modi 20

 Security of RSA-Relation to factoring
Fact: The problem of computing the RSA decryption exponent d
from the public key(n, e), and the problem of factoring n, are
computationally equivalent.

03/14/2025 Chirag N. Modi 21

 Knapsack Algorithms
The first algorithm for generalized public-key encryption was
the knapsack algorithm developed by Ralph Merkle and Martin
Hellman
It could only be used for encryption, although Adi Shamir later
adapted the system for digital signatures
Knapsack algorithms get their security from the knapsack
problem, an NP-complete problem. Although this algorithm
was later found to be insecure, it is worth examining because it
demonstrates how an NP-complete problem can be used for
public-key cryptography.

03/14/2025 Chirag N. Modi 22

 Knapsack Algorithms
The knapsack problem: Given a pile of items, each with
different weights, is it possible to put some of those items into
a knapsack so that the knapsack weighs a given amount?
Given a set of values M1, M2,..., Mn , and a sum S, compute
the values of bi such that
S = b1M1 + b2M2 + ...+ bnMn
The values of bi can be either zero or one. A one indicates that
the item is in the knapsack; a zero indicates that it isn’t.
For example, the items might have weights of 1, 5, 6, 11, 14,
and 20. You could pack a knapsack that weighs 22; use weights
5, 6, and 11. You could not pack a knapsack that weighs 24. In
general, the time required to solve this problem seems to grow
exponentially with the number of items in the pile.

03/14/2025 Chirag N. Modi 23

 Knapsack Algorithms
The idea behind the Merkle-Hellman knapsack algorithm is to
encode a message as a solution to a series of knapsack
problems.
A block of plaintext equal in length to the number of items in
the pile would select the items in the knapsack (plaintext bits
corresponding to the b values), and the ciphertext would be
the resulting sum.
Plaintext: 111001 010110 000000 011000
Knapsack: 1 5 6 11 14 20
Ciphertext: 32 30 0 11

03/14/2025 Chirag N. Modi 24

 Knapsack Algorithms
The trick is that there are actually two different knapsack
problems: one solvable in linear time and the other believed
not to be.
The easy knapsack can be modified to create the hard
knapsack.
The public key is the hard knapsack, which can easily be used
to encrypt but cannot be used to decrypt messages.
The private key is the easy knapsack, which gives an easy way
to decrypt messages.
People who don’t know the private key are forced to try to
solve the hard knapsack problem.

03/14/2025 Chirag N. Modi 25

 Knapsack Algorithms
Superincreasing Knapsacks:
What is the easy knapsack problem?
If the list of weights is a superincreasing sequence, then the
resulting knapsack problem is easy to solve.
A superincreasing sequence is a sequence in which every term
is greater than the sum of all the previous terms.
For example, {1, 3, 6, 13, 27, 52} is a superincreasing sequence,
but {1, 3, 4, 9, 15, 25} is not.

03/14/2025 Chirag N. Modi 26

 Knapsack Algorithms
The solution to a superincreasing knapsack is easy to find.
Take the total weight and compare it with the largest number
in the sequence.
If the total weight is less than the number, then it is not in the
knapsack.
If the total weight is greater than or equal to the number, then
it is in the knapsack.
Reduce the weight of the knapsack by the value and move to
the next largest number in the sequence.
Repeat until finished.
If the total weight has been brought to zero, then there is a
solution.
If the total weight has not, there isn’t.
03/14/2025 Chirag N. Modi 27
 Knapsack Algorithms
For example, consider a total knapsack weight of 70 and a
sequence of weights of {2, 3, 6, 13, 27, 52}.
The largest weight, 52, is less than 70, so 52 is in the knapsack.
Subtracting 52 from 70 leaves 18.
The next weight, 27, is greater than 18, so 27 is not in the
knapsack.
The next weight, 13, is less than 18, so 13 is in the knapsack.
Subtracting 13 from 18 leaves 5.
The next weight, 6, is greater than 5, so 6 is not in the
knapsack.
Continuing this process will show that both 2 and 3 are in the
knapsack and the total weight is brought to 0, which indicates
that a solution has been found.

03/14/2025 Chirag N. Modi 28

 Knapsack Algorithms
Were this a Merkle-Hellman knapsack encryption block, the
plaintext that resulted from a ciphertext value of 70 would be
110101.
Non-superincreasing, or normal, knapsacks are hard problems;
they have no known quick algorithm.
The only known way to determine which items are in the
knapsack is to methodically test possible solutions until you
stumble on the correct one.
The fastest algorithms, taking into account the various
heuristics, grow exponentially with the number of possible
weights in the knapsack.
Add one item to the sequence of weights, and it takes twice as
long to find the solution.

03/14/2025 Chirag N. Modi 29

 Knapsack Algorithms
This is much more difficult than a superincreasing knapsack
where, if you add one more weight to the sequence, it simply
takes another operation to find the solution.
The Merkle-Hellman algorithm is based on this property.
The private key is a sequence of weights for a superincreasing
knapsack problem.
The public key is a sequence of weights for a normal knapsack
problem with the same solution.
Merkle and Hellman developed a technique for converting a
superincreasing knapsack problem into a normal knapsack
problem.
They did this using modular arithmetic.

03/14/2025 Chirag N. Modi 30

 Knapsack Algorithms
Creating the Public Key from the Private Key
To get a normal knapsack sequence, take a superincreasing
knapsack sequence, for example {2, 3, 6, 13, 27, 52}, and
multiply all of the values by a number n, mod m.
The modulus should be a number greater than the sum of all
the numbers in the sequence: for example, 105.
The multiplier should have no factors in common with the
modulus: for example, 31.
The normal knapsack sequence would then be
2 * 31 mod 105 = 62 3 * 31 mod 105 = 93
6 * 31 mod 105 = 81 13 * 31 mod 105 = 88
27 * 31 mod 105 = 102 52 * 31 mod 105 = 37
The knapsack would then be {62, 93, 81, 88, 102, 37}.
03/14/2025 Chirag N. Modi 31
 Knapsack Algorithms
Encryption
To encrypt a binary message, first break it up into blocks equal
to the number of items in the knapsack sequence.
Then, allowing a one to indicate the item is present and a zero
to indicate that the item is absent, compute the total weights
of the knapsacks—one for every message block.
For example, if the message were 011000110101101110 in
binary, encryption using the previous knapsack:
message = 011000 110101 101110
011000 corresponds to 93 + 81 = 174
110101 corresponds to 62 + 93 + 88 + 37 = 280
101110 corresponds to 62 + 81 + 88 + 102 = 333
The ciphertext would be 174,280,333
03/14/2025 Chirag N. Modi 32
 Knapsack Algorithms
Decryption
A legitimate recipient of this message knows the private key:
the original superincreasing knapsack, as well as the values of n
and m used to transform it into a normal knapsack.
To decrypt the message, the recipient must first determine n-1
such that n(n-1 ) 1 (mod m).
Multiply each of the ciphertext values by n-1 mod m, and then
partition with the private knapsack to get the plaintext values.
In our example, the superincreasing knapsack is {2, 3, 6, 13, 27,
52}, m is equal to 105, and n is equal to 31.
The ciphertext message is 174, 280, 333.
In this case n-1 is equal to 61, so the ciphertext values must be
multiplied by 61 mod 105.
03/14/2025 Chirag N. Modi 33
 Knapsack Algorithms
174 * 61 mod 105 = 9 = 3 + 6, which corresponds to 011000
280 * 61 mod 105 = 70 = 2 + 3 + 13 + 52, which corresponds to
110101
333 * 61 mod 105 = 48 = 2 + 6 + 13 + 27, which corresponds to
101110
The recovered plaintext is 011000 110101 101110.

03/14/2025 Chirag N. Modi 34

 Pohlig-Hellman
The Pohlig-Hellman encryption scheme is similar to RSA.
It is not a symmetric algorithm, because different keys are used
for encryption and decryption.
It is not a public-key scheme, because the keys are easily
derivable from each other; both the encryption and decryption
keys must be kept secret.
Like RSA,
C = Pe mod n
P = Cd mod n
Where ed  1 (mod some complicated number)

03/14/2025 Chirag N. Modi 35

 Pohlig-Hellman
Unlike RSA, n is not defined in terms of two large primes, it
must remain part of the secret key.
If someone had e and n, they could calculate d.
Without knowledge of e or d, an adversary would be forced to
calculate
e = logPC mod n
We have already seen that this is a hard problem.

03/14/2025 Chirag N. Modi 36

 Rabin public-key encryption
A desirable property of any encryption scheme is a proof that
breaking it is as difficult as solving a computational problem
that is widely believed to be difficult, such as integer
factorization or the discrete logarithm problem.
While it is widely believed that breaking the RSA encryption
scheme is as difficult as factoring the modulus n, no such
equivalence has been proven.
The Rabin public-key encryption scheme was the first example
of a provably secure public-key encryption scheme – the
problem faced by a passive adversary of recovering plaintext
from some given ciphertext is computationally equivalent to
factoring.

03/14/2025 Chirag N. Modi 37

 Rabin public-key encryption
Breaking a cryptographic scheme is not necessarily equivalent
to solving the underlying mathematically hard problems.
Rabin’s scheme is a counter example of it.
If we know the factorization of N, then we can convert the RSA
function and anybody can not invert it without knowing p and
q,
i.e, RSA problem is polynomially reduced to factoring.
It is conjectured that there is no effective way except
factorization to find the e-th roots modulo N.
Rabin proposed an encryption function that could be proved to
be invertible only by someone who could factor N.

03/14/2025 Chirag N. Modi 38

 Rabin public-key encryption
Each entity creates a public key and a corresponding private
key.
Each entity A should do the following:
1. Generate two large random (and distinct) primes p and q,
each roughly the same size.
2. Compute n = pq.
3. A’s public key is n; A’s private key is (p, q).

03/14/2025 Chirag N. Modi 39

 Rabin public-key encryption
B encrypts a message m for A, which A decrypts.
Encryption. B should do the following:
Obtain A’s authentic public key n.
Represent the message as an integer m in the range {0, 1, . . . , n − 1}.
Compute c = m2 mod n.
Send the ciphertext c to A.
where n = p · q and the squaring map is 4-1.
So, Rabin finds all four square roots of a ciphertext c.
The most important fact about Rabin encryption scheme is that
it is in some sense provably secure in reductionist argument
meaning that if someone breaks the scheme and finds the
plaintext m from ciphertext c, then he is able to factor N.

03/14/2025 Chirag N. Modi 40

 Rabin public-key encryption
Decryption.
To recover plaintext m from c, A should do the following:
(a) Use Algorithm (square roots modulo n given its prime
factors p and q) to find the four square roots m1, m2, m3, and
m4 of c modulo n.
(b) The message sent was either m1, m2, m3, or m4.
A somehow decides which of these is m.

03/14/2025 Chirag N. Modi 41

 Rabin public-key encryption
Decryption.
To recover plaintext m from c, A should do the following:
(a) Use Algorithm (square roots modulo n given its prime
factors p and q) to find the four square roots m1, m2, m3, and
m4 of c modulo n.
(b) The message sent was either m1, m2, m3, or m4.
A somehow decides which of these is m.
Rabin encryption is an extremely fast operation as it only
involves a single modular squaring.
By comparison, RSA encryption with e = 3 takes one modular
multiplication and one modular squaring. Rabin decryption is
slower than encryption, but comparable in speed to RSA
decryption.

03/14/2025 Chirag N. Modi 42

 ElGamal public-key encryption
The ElGamal scheme can be used for both digital signatures
and encryption; it gets its security from the difficulty of
calculating discrete logarithms in a finite field.
To generate a key pair, first choose a prime, p, and two random
numbers, g and x, such that both g and x are less than p.
Then calculate y = gx mod p
The public key is y, g, and p. Both g and p can be shared among
a group of users.
The private key is x.

03/14/2025 Chirag N. Modi 43

 ElGamal public-key encryption
ElGamal Signatures
To sign a message, M, first choose a random number, k, such
that k is relatively prime to p - 1.
Then compute a = gk mod p and use the extended Euclidean
algorithm to solve for b in the following equation:
M = (xa + kb) mod (p - 1)
The signature is the pair: a and b.
The random value, k, must be kept secret.
To verify a signature, confirm that yaab mod p = gM mod p

03/14/2025 Chirag N. Modi 44

 ElGamal public-key encryption
Each ElGamal signature or encryption requires a new value of
k, and that value must be chosen randomly.
If Eve ever recovers a k that Alice used, she can recover Alice’s
private key, x.
If Eve ever gets two messages signed or encrypted using the
same k, even if she doesn’t know what it is, she can recover x.
For example, choose p = 11 and g = 2. Choose private key x = 8.
Calculate y = gx mod p = 28 mod 11 = 3
The public key is y = 3, g = 2, and p = 11.

03/14/2025 Chirag N. Modi 45

 ElGamal public-key encryption
To authenticate M = 5, first choose a random number k = 9.
Confirm that gcd(9, 10) = 1. Compute
a = gk mod p = 29 mod 11 = 6
and use the extended Euclidean algorithm to solve for b:
M = (ax + kb) mod (p - 1)
5 = (8 * 6 + 9 * b) mod 10
The solution is b = 3, and the signature is the pair: a = 6 and b =
3.
To verify a signature, confirm that
yaab mod p = gM mod p
36 63 mod 11 = 25 mod 11

03/14/2025 Chirag N. Modi 46

 ElGamal public-key encryption
ElGamal Encryption
A modification of ElGamal can encrypt messages.
To encrypt message M, first choose a random k, such that k is
relatively prime to p - 1.
Then compute
a = gk mod p
b = ykM mod p
The pair, a and b, is the ciphertext.
Note that the ciphertext is twice the size of the plaintext.
To decrypt a and b, compute
M = b/ax mod p

03/14/2025 Chirag N. Modi 47

 ElGamal public-key encryption
This is really the same as Diffie-Hellman key exchange, except
that y is part of the key, and the encryption is multiplied by yk.

03/14/2025 Chirag N. Modi 48

 Digital Signatures & Attacks
Digital signature of a message: a number dependent on some
secret known only to the signer, and, additionally, on the
content of the message being signed.
Signatures must be verifiable; if a dispute arises as to whether
a party signed a document (caused by either a lying signer
trying to repudiate a signature it did create, or a fraudulent
claimant), an unbiased third party should be able to resolve the
matter equitably, without requiring access to the signer’s
secret information (private key).
Digital signatures have many applications in information
security, including authentication, data integrity, and non-
repudiation.

03/14/2025 Chirag N. Modi 49

 Digital Signatures & Attacks
The first method discovered was the RSA signature scheme,
which remains today one of the most practical and versatile
techniques available.
Subsequent research has resulted in many alternative digital
signature techniques.

03/14/2025 Chirag N. Modi 50

 Digital Signatures & Attacks
A digital signature is a data string which associates a message
(in digital form) with some originating entity.
A digital signature generation algorithm (or signature
generation algorithm) is a method for producing a digital
signature.
A digital signature verification algorithm (or verification
algorithm) is a method for verifying that a digital signature is
authentic (i.e., was indeed created by the specified
entity).
A digital signature scheme (or mechanism) consists of a
signature generation algorithm and an associated verification
algorithm.

03/14/2025 Chirag N. Modi 51

 Digital Signatures & Attacks
A digital signature signing process (or procedure) consists of a
(mathematical) digital signature generation algorithm, along
with a method for formatting data into messages which can be
signed.
A digital signature verification process (or procedure) consists
of a verification algorithm, along with a method for recovering
data from the message

03/14/2025 Chirag N. Modi 52

 Digital Signatures & Attacks

(messages) M is the set of elements to which a signer can affix a digital

signature.
(signing space) MS is the set of elements to which the signature
transformations are applied. The signature transformations are not applied
directly to the set M.
(signature space) S is the set of elements associated to messages in M. These
elements are used to bind the signer to the message.
(indexing set) R is used to identify specific signing transformations.
03/14/2025 Chirag N. Modi 53
 Digital Signatures & Attacks

03/14/2025 Chirag N. Modi 54

 Digital Signatures & Attacks
Appendix requires the original message as input to the
verification algorithm.
Message recovery do not require the original message as input
to the verification algorithm. In this case, the original message
is recovered from the signature itself.
A digital signature scheme (with either message recovery or
appendix) is said to be a randomized digital signature scheme if
|R| > 1; otherwise, the digital signature scheme is said to be
deterministic.
Deterministic digital signature mechanisms can be further
subdivided into one-time signature schemes and multiple-use
schemes

03/14/2025 Chirag N. Modi 55

 Digital signature schemes with appendix
Appendix Examples: DSA, ElGamal , and Schnorr signature
schemes
Message recovery scheme Examples: RSA, Rabin, and Nyberg-
Rueppel public-key signature schemes

03/14/2025 Chirag N. Modi 56

 Attacks
The goal of an adversary is to forge signatures; that is, produce
signatures which will be accepted as those of some other
entity.
total break. An adversary is either able to compute the private
key information of the signer, or finds an efficient signing
algorithm functionally equivalent to the valid signing algorithm.
selective forgery. An adversary is able to create a valid
signature for a particular message or class of messages chosen
a priori. Creating the signature does not directly involve the
legitimate signer.

03/14/2025 Chirag N. Modi 57

 Attacks
existential forgery. An adversary is able to forge a signature for
at least one message. The adversary has little or no control
over the message whose signature is obtained, and the
legitimate signer may be involved in the deception
There are two basic attacks:
key-only attacks. In these attacks, an adversary knows only the
signer’s public key.
Message attacks. Here an adversary is able to examine
signatures corresponding either to known or chosen messages.
Message attacks can be further subdivided into three classes:
(a) known-message attack. An adversary has signatures for a
set of messages which are known to the adversary but not
chosen by him.

03/14/2025 Chirag N. Modi 58

 Attacks
(b) chosen-message attack. An adversary obtains valid
signatures from a chosen list of messages before attempting to
break the signature scheme. This attack is non-adaptive in the
sense that messages are chosen before any signatures are
seen.
(c) adaptive chosen-message attack. An adversary is allowed to
use the signer as an oracle; the adversary may request
signatures of messages which depend on the signer’s public
key and he may request signatures of messages which depend
on previously obtained signatures or messages.

03/14/2025 Chirag N. Modi 59

 DSA
DSA is a variant of the Schnorr and ElGamal signature
algorithms. The algorithm uses the following parameters:
p = a prime number L bits long, when L ranges from 512 to
1024 and is a multiple of 64. (In the original standard, the size
of p was fixed at 512 bits)
q = a prime factor of p – 1.
g = h(p-1)/q mod p, where h is any number less than p – 1 such
that h(p - 1)/q mod p is greater than 1.
x = a number less than q.
y = gx mod p.

03/14/2025 Chirag N. Modi 60

 DSA
The algorithm also makes use of a one-way hash function:
H(m).
The first three parameters, p, q, and g, are public and can be
common across a network of users.
The private key is x; the public key is y.
To sign a message, m:
(1) Alice generates a random number, k, less than q.
(2) Alice generates
r = (gk mod p) mod q
s = (k-1 (H(m) + xr)) mod q
The parameters r and s are her signature; she sends
these to Bob.

03/14/2025 Chirag N. Modi 61

 DSA
(3) Bob verifies the signature by computing
w = s-1 mod q
u1 = (H(m) * w) mod q
u2 = (rw) mod q
v = ((gu1 * yu2) mod p) mod q
If v = r, then the signature is verified.

03/14/2025 Chirag N. Modi 62

 RSA

03/14/2025 Chirag N. Modi 63

 RSA

03/14/2025 Chirag N. Modi 64

 Rabin public-key signature scheme

03/14/2025 Chirag N. Modi 65

 ElGamal signature scheme

03/14/2025 Chirag N. Modi 66

 ElGamal signature scheme

03/14/2025 Chirag N. Modi 67

 Schnorr signature scheme

03/14/2025 Chirag N. Modi 68

 Hash Functions
A hash function takes a variable sized input message and
produces a fixed-sized output.
The output is usually referred to as the hash code or the hash
value or the message digest.
For example, the SHA-512 hash function takes for input
messages of length up to 2128 bits and produces as output a
512-bit message digest (MD).
SHA stands for Secure Hash Algorithm
We can think of the hash code (or the message digest) as a fix
sized fingerprint of a variable-sized message.

03/14/2025 Chirag N. Modi 69

 Hash Functions
Message digests produced by the most commonly used hash
functions range in length from 160 to 512 bits depending on
the algorithm used.
Since a message digest depends on all the bits in the input
message, any alteration of the input message during
transmission would cause its message digest to not match with
its original message digest.
This can be used to check for forgeries, unauthorized
alterations, etc.
To see the change in the hash code produced by an innocuous
(practically invisible) change in a message,

03/14/2025 Chirag N. Modi 70

 Hash Functions

The only difference between the two messages shown above is

the extra space between the words “brown” and “fox” in the
second message.
Notice how completely different the hash codes look.
SHA-1 produces a 160 bit hash code.
It takes 40 hex characters to show the code in hex.

03/14/2025 Chirag N. Modi 71

 Different Ways To Use Hashing For Message
Authentication
There are six different ways in which you can incorporate
message hashing in a communication network.
These constitute different approaches to protect the hash value
of a message.
No authentication at the receiving end could possibly be
achieved if both the message and its hash value are accessible
to an adversary wanting to tamper with the message.

03/14/2025 Chirag N. Modi 72

 Different Ways To Use Hashing For Message
Authentication
In the symmetric-key encryption based scheme, the message
and its hash code are concatenated together to form a
composite message that is then encrypted.
The receiver decrypts the message and separates out its hash
code, which is then compared with the hash code calculated
from the received message.
The hash code provides authentication and the encryption
provides confidentiality.

03/14/2025 Chirag N. Modi 73

 Different Ways To Use Hashing For Message
Authentication
The variation: only the hash code is encrypted.
This scheme is efficient to use when confidentiality is not the
issue but message authentication is critical.
Only the receiver with access to the secret key knows the real
hash code for the message.
So the receiver can verify whether or not the message is
authentic.

03/14/2025 Chirag N. Modi 74

 Different Ways To Use Hashing For Message
Authentication
A public-key encryption version of the scheme
The hash code of the message is encrypted with the sender’s
private key.
The receiver can recover the hash code with the sender’s
public key and authenticate the message as indeed coming
from the alleged sender.
Confidentiality again is not the issue here

03/14/2025 Chirag N. Modi 75

 Different Ways To Use Hashing For Message
Authentication
If we want to add symmetric-key based confidentiality to the,
we can use the scheme shown in Figure.
This is a commonly used approach when both confidentiality
and authentication are needed

03/14/2025 Chirag N. Modi 76

 Different Ways To Use Hashing For Message
Authentication
The sender appends a secret string S, known also to the
receiver, to the message before computing its hash code.
Before checking the hash code of the received message for its
authentication, the receiver appends the same secret string S
to the message.
It would not be possible for anyone to alter such a message,
even when they have access to both the original message and
the overall hash code.

03/14/2025 Chirag N. Modi 77

 Different Ways To Use Hashing For Message
Authentication
Here, symmetric-key based confidentiality is added to the
transmission between the sender and the receiver.

03/14/2025 Chirag N. Modi 78

 When Is A Hash Function Secure?
It is computationally infeasible to find a message that
corresponds to a given hash code.
This is sometimes referred to as the one-way property of a
hash function.
It is computationally infeasible to find two different
messages that hash to the same hash code value.
This is also referred to as the strong collision resistance
property of a hash function.
A weaker form of the strong collision resistance property is that
for a given message, there should not correspond another
message with the same hash code

03/14/2025 Chirag N. Modi 79

 When Is A Hash Function Secure?
Hash functions that are not collision resistant can fall
prey to birthday attack.
If you use n bits to represent the hash code, there are
only 2n distinct hash code values.
Collision resistance refers to the likelihood that
two different messages possessing certain basic
structure so as to be meaningful will result in the
same hash code.

03/14/2025 Chirag N. Modi 80

 Simple Hash Functions
Practically all algorithms for computing the hash code
of a message view the message as a sequence of n-bit
blocks.
The message is processed one block at a time in an
iterative fashion in order to generate its hash code.
Perhaps the simplest hash function consists of starting
with the first n-bit block, XORing it bit-by-bit with the
second n-bit block, XORing the result with the next n-
bit block, and so on.
We will refer to this as the XOR hash algorithm.

03/14/2025 Chirag N. Modi 81

 Simple Hash Functions
With the XOR hash algorithm, every bit of the hash
code represents the parity at that bit position if we
look across all of the b-bit blocks.
For that reason, the hash code produced is also
known as longitudinal parity check.
The hash code generated by the XOR algorithm can be
useful as a data integrity check in the presence of
completely random transmission errors.
But, in the presence of an adversary trying to
deliberately tamper with the message content, the
XOR algorithm is useless for message authentication.

03/14/2025 Chirag N. Modi 82

 Simple Hash Functions
An adversary can modify the main message and add a
suitable bit block before the hash code so that the
final hash code remains unchanged.
let {X1, X2, . . . , Xm} be the bit blocks of a message
M, each block of size n bits. M = (X1||X2|| . . . ||Xm).

The hash code produced by the XOR algorithm can be

expressed as
∆(M) = X1 ⊕ X2 ⊕ · · · ⊕ Xm

03/14/2025 Chirag N. Modi 83

 Simple Hash Functions
An adversary can easily create a forgery of
the message by replacing X1 through Xm−1 with any
desired Y1 through Ym−1 and then replacing Xm with
an Ym that is given by
Ym= Y1 ⊕ Y2 ⊕ · · · ⊕ Ym−1 ⊕ ∆(M)
On account of the properties of the XOR operator, it is
easy to show that the hash code for Mforged = {Y1||Y2||
· · · ||Ym} will be the same as ∆(M).
Therefore, when the forged message is concatenated
with the original ∆(M), the recipient would not
suspect any foul play.

03/14/2025 Chirag N. Modi 84

 Simple Hash Functions
Another problem with the XOR algorithm for hashing is its
somewhat reduced collision resistance for structured
documents.
Ideally, one would hope that, with an n-bit hash code, any
particular message would result in a given hash code value
with a probability of 1/2n.

To increase the space of distinct hash code values available for

the different messages, a variation on the basic XOR algorithm
consists of performing a one-bit circular shift of the partial hash
code obtained after each n-bit block of the message is
processed.
This algorithm is known as the rotated-XOR algorithm (ROXR)

03/14/2025 Chirag N. Modi 85

 Simple Hash Functions
That the collision resistance of ROXR is also poor is obvious
from the fact that
we can take a message M1 along with its hash code value h1;
replace M1 by a message M2 of hash code value h2;
append a block of gibberish at the end M2 to force the hash
code value of the composite to be h1.
So even if M1 was transmitted with an encrypted h1, it does
not do us much good from the standpoint of authentication.

03/14/2025 Chirag N. Modi 86

 Hash Functions-Probability Claim
What does probability theory have to say about a randomly
produced message having A particular hash value?
Assume that we have a random message generator and that
we can calculate the hash code for each message
We are interested in whether any of the messages is going to
have its hash code equal to a particular value h
Let’s consider a pool of k messages produced randomly by the
message generator.
We pose the following question: What is the value of k so that
the pool contains at least one message whose hash code is
equal to h with probability 0.5?

03/14/2025 Chirag N. Modi 87

 Hash Functions-Probability Claim
To find k, we reason as follows:
The hash code can take on N different but equiprobable values.
Pick a message x at random from the pool of messages.
Since all N hash codes are equiprobable, the probability of
message x having its hash code equal to h is 1/N.
Since the hash code of message x either equals h or does not
equal h, the probability of the latter is 1 − 1/N
If we pick, two messages x and y randomly from the
pool, the events that the hash code of neither is equal to
h are probabilistically independent.
That implies that the probability that none of two messages
has its hash code equal to h is (1 − 1/N )2

03/14/2025 Chirag N. Modi 88

 Hash Functions-Probability Claim
Consider entire pool of k messages, it follows that the
probability that none of the messages in a pool of k messages
has its hash codes equal to h is (1 − 1/N)k
Therefore, the probability that at least one of the k messages
has its hash code equal to h is 1 − (1 − 1/N) k
The probability expression shown above can be considerably
simplified by recognizing that as a approaches 0, we can write
(1 + a)n ≈ 1 + an.
Therefore, the probability expression we derived can be
approximated by

03/14/2025 Chirag N. Modi 89

 Hash Functions-Probability Claim
So the given a pool of k randomly produced messages, the
probability there will exist at least one message in this pool
whose hash code equals the given value h is k/N.
The original question: How large should k be so that the pool of
messages contains at least one message whose hash code
equals the given value h with a probability of 0.5?
We obtain the value of k from the equation k/N = 0.5.
That is, k = 0.5N
Consider the case when we use 64 bit hash codes.
So, N = 264.
We will have to construct a pool of 263 messages so that the
pool contains at least one message whose hash code equals h
with a probability of 0.5.
03/14/2025 Chirag N. Modi 90
 Hash Functions-Probability Claim
What Is the Probability That There Exist At Least Two
Messages With the Same Hash Code?

Goal: to estimate the smallest size of a pool of randomly

selected messages so that there exist at least two messages in
the pool with the same hash code with probability 0.5.

03/14/2025 Chirag N. Modi 91

 Hash Functions-Probability Claim
“What is the probability that, in a class of 20 students,
someone else has the same birthday as yours (assuming you
are one of the 20 students)?” is very different from the
question “What is the probability that there exists at least
one pair of students in a class of 20 students with the same
birthday?”
The former question was addressed earlier.
Based on the result derived there, the probability of the
former is approximately 19/365 .
The latter question we will address here.
The probability of the latter is roughly the much larger value
(20× 19)/2/365 = 190 /365.

03/14/2025 Chirag N. Modi 92

 Hash Functions-Probability Claim
This is referred to as the birthday paradox, paradox only in the
sense that it seems counterintuitive
The birthday paradox states that given a group of 23 or more
randomly chosen people, the probability that at least two
of them will have the same birthday is more than 50%.
And if we randomly choose 60 or more people, this probability
is greater than 90%.
Given a pool of k messages, each of which has a hash code
value from N possible such values, the probability that the pool
will contain at least one pair of messages with the same hash
code is given by

03/14/2025 Chirag N. Modi 93

 Hash Functions-Probability Claim
The following reasoning establishes the above result: The
reasoning consists of figuring out :
The total number of ways, M1: we can construct a pool of k
message with no duplicate hash codes
The total number of ways, M2, we can do the same while
allowing for duplicates.
The ratio M1/M2 then gives us the probability of constructing a
pool of k messages with no duplicates.
Subtracting this from 1 yields the probability that the pool of k
messages will have at least one duplicate hash code.
Let’s first find out in how many different ways we can construct
a pool of k messages so that we are guaranteed to have no
duplicate hash codes in the pool

03/14/2025 Chirag N. Modi 94

 Hash Functions-Probability Claim
For the first message in the pool, we can choose any arbitrarily.
Since there exist only N distinct hash codes, and, therefore,
since there can only be N different messages with distinct hash
codes, there are N ways to choose the first entry for the pool.
Stated differently, there is a choice of N different candidates
for the first entry in the pool.
Having used up one hash code, for the second entry in the
pool, we can select a message corresponding to the other N −1
still available hash codes.
Having used up two distinct hash code values, for the third
entry in the pool, we can select a message corresponding to
the other N − 2 still available hash codes; and so on.

03/14/2025 Chirag N. Modi 95

 Hash Functions-Probability Claim
Therefore, the total number of ways, M1, in which we can
construct a pool of k messages with no duplications in hash
code values is

03/14/2025 Chirag N. Modi 96

 Hash Functions-Probability Claim
Let’s now try to figure out the total number of ways, M2, in
which we can construct a pool of k messages without worrying
at all about duplicate hash codes.
Reasoning as before, there are N ways to choose the first
message.
For selecting the second message, we pay no attention to the
hash code value of the first message.
There are still N ways to select the second message; and so on.
Therefore, the total number of ways we can construct a pool of
k messages without worrying about hash code duplication is

03/14/2025 Chirag N. Modi 97

 Hash Functions-Probability Claim
Therefore, if you construct a pool of k purely randomly selected
messages, the probability that this pool has no duplications in
the hash codes is

We can now make the following probabilistic inference: if you

construct a pool of k message as above, the probability that
the pool has at least one duplication in the hash code values
is

03/14/2025 Chirag N. Modi 98

 Hash Functions-Probability Claim
The probability expression can be simplified by rewriting it in
the following form:

Which is same as

03/14/2025 Chirag N. Modi 99

 Hash Functions-Probability Claim
We will now use the approximation that (1 − x) ≤ e−x for all
x ≥ 0 to make the claim that the above probability is lower
bounded by

Since 1 + 2 + 3 + . . . + (k − 1) is equal to k(k−1)/2, we can write

the following expression for the lower bound on the probability

03/14/2025 Chirag N. Modi 100

 Hash Functions-Probability Claim
So the probability that a pool of k messages will have at least
one pair with identical hash codes is always greater than the
value given by the above formula.
When k is small and N large, we can use the approximation
e−x ≈ 1 − x in the above formula and express it as

when we mentioned the birthday paradox at the beginning.

There we had k = 20 and N = 365

03/14/2025 Chirag N. Modi 101

 Hash Functions-Probability Claim
We will now estimate the size k of the pool so that the pool
contains at least one pair of messages with equal hash codes
with a probability of 0.5.
We need to solve

Simplifying, we get

03/14/2025 Chirag N. Modi 102

 Hash Functions-Probability Claim
So our final result is that if the hash code can take on a total N
different values, a pool of √N messages will contain at least one
pair of messages with the same hash code with a probability of
0.5.
So if we use an n-bit hash code, we have N = 2n.
In this case, a pool of 2n/2 randomly generated messages will
contain at least one pair of messages with the same hash code
with a probability of 0.5.
Let’s again consider the case of 64 bit hash codes. Now N = 264.
So a pool of 232 randomly generated messages will have at least
one pair with identical hash codes with a probability of 0.5.

03/14/2025 Chirag N. Modi 103

 The Birthday Attack
This attack applies to the following scenario: Say Mr. BigShot
has a dishonest assistant, Mr. Creepy, preparing contracts for
Mr. BigShot’s digital signature.
Mr. Creepy prepares the legal contract for a transaction.
Mr. Creepy then proceeds to create a large number of
variations of the legal contract without altering the legal
content of the contract and computes the hash code for each.
These variations may be constructed by mostly safe changes
such as the insertion of additional white space between some
of the words, or contraction of the same; insertion or deletion
of some of the punctuation, slight reformatting of the
document, etc.

03/14/2025 Chirag N. Modi 104

 The Birthday Attack
Next, Mr. Creepy prepares a fraudulent version of the contract.
As with the correct version, Mr. Creepy prepares a large
number of variations of this contract, using the same tactics as
with the correct version.
Now the question is: “What is the probability that the two sets
of contracts will have at least one contract each with the same
hash code?”
Let the set of variations on the correct form of the contract be
denoted {c1, c2, . . . , ck} and the set of variations on the
fraudulent contract by {f1, f2, . . . , fk}.
We need to figure out the probability that there exists at least
one pair (ci, fj) so that h(ci) = h(fj)

03/14/2025 Chirag N. Modi 105

 The Birthday Attack
If we assume that all the fraudulent contracts are truly random
vis-a-vis the correct versions of the contract, then the
probability of f1’s hash code being any one of N permissible
values is 1/N .
Therefore, the probability that the hash code h(c1) matches
the hash code h(f1) is 1/N.
Hence the probability that the hash code h(c1) does not match
the hash code h(f1) is 1 − 1/N
Extending the above reasoning to joint events, the probability
that h(c1) does not match h(f1) and h(f2) and . . ., h(fk) is

03/14/2025 Chirag N. Modi 106

 The Birthday Attack
The probability that the same holds conjunctively for all
members of the set {c1, c2, . . . , ck} would therefore be

This is the probability that there will NOT exist any hash code
matches between the two sets of contracts {c1, c2, . . . , ck} and
{f1, f2, . . . , fk}
Therefore the probability that there will exist at least one
match in hash code values between the set of correct contracts
and the set of fraudulent contracts is

03/14/2025 Chirag N. Modi 107

 The Birthday Attack
Since 1 − 1/N is always less than e−1/N ,

Now let’s pose the question: “What is the least value of k so

that the above probability is 0.5?” We obtain this value of k by
solving

03/14/2025 Chirag N. Modi 108

 The Birthday Attack
So if B is willing to generate √N versions of the both the correct
contract and the fraudulent contract, there is better than an
even chance that B will find a fraudulent version to replace the
correct version.
If n bits are used for the hash code, N = 2n.
In this case, k = 2n/2
The birthday attack consists of, as you’d expect, Mr. Creepy
getting Mr. BigShot to digitally sign a correct version of the
contract, meaning getting Mr. BigShot to encrypt the hash code
of the correct version of the contract with his private key, and
then replacing the contract by its fraudulent version that has
the same hash code value.

03/14/2025 Chirag N. Modi 109

 The Birthday Attack
This attack is called the birthday attack because the
combinatorial issues involved are the same as in the birthday
paradox
Also note that for an n-bit hash coding algorithm that has no
security flaws, the approximate value we obtained for k is = 2n/2

03/14/2025 Chirag N. Modi 110

 Cryptographically Secure Hash Functions
Most secure hash functions are based on the structure
proposed by Ralph Merkle in 1979.
This structure forms the basis of MD5, Whirlpool and the SHA
series of hash functions.
The input message is partitioned into L number of bit blocks,
each of size b bits.
If necessary, the final block is padded suitably so that it is of
the same length as others.
The final block also includes the total length of the message
whose hash function is to be computed.
This step enhances the security of the hash function since it
places an additional constraint on the counterfeit messages

03/14/2025 Chirag N. Modi 111

 Merkle’s structure

03/14/2025 Chirag N. Modi 112

 Merkle’s structure
It consists of L stages of processing, each stage processing one
of the b-bit blocks of the input message.
Each stage of the structure takes two inputs, the b bit block of
the input message meant for that stage and the n-bit output of
the previous stage
For the n-bit input, the first stage is supplied with a special n-
bit pattern called the Initialization Vector (IV)
The function f that processes the two inputs, one n bits long
and the other b bits long, to produce an n bit output is usually
called the compression function.
That is because, usually, b > n, so the output of the f function is
shorter than the length of the input message segment

03/14/2025 Chirag N. Modi 113

 Merkle’s structure
The function f itself may involve multiple rounds of processing
of the two inputs to produce an output
The precise nature of f depends on what hash algorithm is
being implemented

03/14/2025 Chirag N. Modi 114

 SHA Family of Hash Functions
SHA (Secure Hash Algorithm) refers to a family of NIST-
approved cryptographic hash functions
The most commonly used hash function from the SHA family is
SHA-1.
Despite the fact that its cryptographic security has been
demonstrated to be less than the theoretical maximum for
such an algorithm, SHA-1 continues to be widely used in many
applications and protocols that require secure and
authenticated communications.

03/14/2025 Chirag N. Modi 115

 SHA Family of Hash Functions

The algorithms SHA-256, SHA-384, and SHA-512 are collectively

referred to as SHA-2

03/14/2025 Chirag N. Modi 116

 SHA Family of Hash Functions
SHA-1 is a successor to MD5 that was a widely
used hash function.
There still exist many legacy applications that use MD5 for
calculating hash codes. E.g. SSL-TLS, IPSec
SHA-1 was cracked in the year 2005 by two different research
groups.
In one of these two demonstrations, Xiaoyun Wang,
Yiqun Lisa Yin, and Hongbo Yu demonstrated that it was
possible to come up with a collision for SHA-1 within a space of
size only 269, which was far fewer than the security level of 280
that is associated with this hash function.

03/14/2025 Chirag N. Modi 117

 Assignments
Submit detailed algorithms with suitable
diagrams for following and compare them:
1. MD5
2. SHA-160
3. SHA-256
4. SHA-384
5. SHA-512

03/14/2025 Chirag N. Modi 118

 SHA-512 Secure Hash Algorithm

03/14/2025 Chirag N. Modi 119

 SHA-512 Secure Hash Algorithm
Append Padding Bits and Length Value: This step makes
the input message an exact multiple of 1024 bits:
The length of the overall message to be hashed must be a
multiple of 1024 bits.
The last 128 bits of what gets hashed are reserved for the
message length value.
This implies that even if the original message were by chance
to be an exact multiple of 1024, you’d still need to append
another 1024-bit block at the end to make room for the 128-
bit message length integer.
Leaving aside the trailing 128 bit positions, the padding consists
of a single 1-bit followed by the required number of 0-bits.

03/14/2025 Chirag N. Modi 120

 SHA-512 Secure Hash Algorithm
The padded message is now an exact multiple of 1024 bit
blocks.
We represent it by the sequence {M1, M2, . . . , MN}, where Mi
is the 1024 bits long ith message block.
Initialize Hash Buffer with Initialization Vector: we need to
initialize the hash buffer with IV, the Initialization Vector:
We represent the hash buffer by eight 64-bit registers
For explaining the working of the algorithm, these registers
are labeled (a, b, c, d, e, f, g, h)

03/14/2025 Chirag N. Modi 121

 SHA-512 Secure Hash Algorithm
6a09e667f3bcc908
bb67ae8584caa73b
3c6ef372fe94f82b
a54ff53a5f1d36f1
510e527fade682d1
9b05688c2b3e6c1f
1f83d9abfb41bd6b
5be0cd19137e2179

Process Each 1024-bit Message Block Mi: Each message

block is taken through 80 rounds of processing.
All of this processing is represented by the module labeled f

03/14/2025 Chirag N. Modi 122

 SHA-512 Secure Hash Algorithm

03/14/2025 Chirag N. Modi 123

 SHA-512 Secure Hash Algorithm
the module f for processing the message block Mi
has two inputs: the current contents of the 512-bit hash buffer
and the 1024-bit message block.
These are fed as inputs to the first of the 80 rounds of
processing
The round based processing requires a message schedule
that consists of 80 64-bit words labeled {W0, W1, . . . , W79}.
The first sixteen of these, W0 through W15, are the sixteen
64-bit words in the 1024-bit message block Mi.
The rest of the words in the message schedule are obtained by

03/14/2025 Chirag N. Modi 124

 SHA-512 Secure Hash Algorithm

03/14/2025 Chirag N. Modi 125

 SHA-512 Secure Hash Algorithm
The ith round is fed the 64-bit message schedule word Wi and
a special constant Ki.
The constants Ki’s represent the first 64 bits of the fractional
parts of the cube roots of the first eighty prime numbers
Basically, these constants are meant to be random bit patterns
to break up any regularities in the message blocks.
How the contents of the hash buffer are processed along with
the inputs Wi and Ki is referred to as implementing the
round function.

03/14/2025 Chirag N. Modi 126

 SHA-512 Secure Hash Algorithm
The round function consists of a sequence of transpositions
and substitutions, all designed to diffuse to the maximum
extent possible the content of the input message block.
The relationship between the contents of the eight registers of
the hash buffer at the input to the ith round and the output
from this round is given by
h=g
g=f
f=e
e = d +64 T1
d=c
c=b
b=a
a = T1 +64 T2
03/14/2025 Chirag N. Modi 127
 SHA-512 Secure Hash Algorithm

03/14/2025 Chirag N. Modi 128

 SHA-512 Secure Hash Algorithm
The output of the 80th round is added to the content of the
hash buffer at the beginning of the round-based processing.
This addition is performed separately on each 64-bit word of
the output of the 80th modulo 264.
In other words, the addition is carried out separately for each
of the eight registers of the hash buffer modulo 264
After all the N message blocks have been processed, the
content of the hash buffer is the message digest

03/14/2025 Chirag N. Modi 129

 Hash Functions For Message Authentication Codes

Hash code is a fixed-size fingerprint of a variable-sized

message, so is a message authentication code (MAC)
MAC: known as a cryptographic checksum and as an
authentication tag
MAC: produced by appending a secret key to the message and
then hashing the composite message.
The resulting hash code is the MAC
More sophisticated ways of producing a MAC may involve an
iterative procedure in which a pattern derived from the key is
added to the message, the composite hashed, another pattern
derived from the key added to the hash code, the new
composite hashed again, and so on.

03/14/2025 Chirag N. Modi 130

 Hash Functions For Message Authentication Codes

Assuming a collision-resistant hash function, the original

message and its MAC can be safely transmitted over a network
without worrying that the integrity of the data may get
compromised.
A recipient with access to the key used for calculating the MAC
can verify the integrity of the message by recomputing its MAC
and comparing it with the value received.
Let’s denote the function that generates the MAC of a message
M using a secret key K by C(K, M).
That is MAC = C(K, M).
Here is a MAC function that is positively not safe

03/14/2025 Chirag N. Modi 131

 Hash Functions For Message Authentication Codes

Let {X1, X2, . . . , } be the 64-bit blocks of a message M.

That is M = (X1||X2|| . . . ||Xm). (The operator ’||’ means
concatenation.)
Let ∆(M) = X1 ⊕ X2 ⊕ · · · ⊕ Xm
We now define C(K, M) = E(K, ∆(M))
where the encryption algorithm, E(), is assumed to be DES
in the electronic codebook mode.
Assume the key length to be 56 bits.
Let’s say that an adversary can observe {M, C(K, M)}

03/14/2025 Chirag N. Modi 132

 Hash Functions For Message Authentication Codes

An adversary can easily create a forgery of the message by

replacing X1 through Xm−1 with any desired Y1 through
Ym−1 and then replacing Xm with Ym that is given by
Ym = Y1 ⊕ Y2 ⊕ · · · ⊕ Ym−1 ⊕ ∆(M)
It is easy to show that when the new message M forged =
{Y1||Y2|| · · · ||Ym} is concatenated with the original C(K,
∆(M)), the recipient would not suspect any foul play.
When the recipient calculates the MAC of the received
message using his/her secret key K, the calculated MAC would
agree with the received MAC.

03/14/2025 Chirag N. Modi 133

 Hash Functions For Message Authentication Codes

The unsafe MAC algorithm is that although a brute-force attack

to figure out the secret key K would be very expensive
(requiring around 256 encryptions of the message), it is
nonetheless ridiculously easy to replace a legitimate message
with a fraudulent one.
A commonly-used and cryptographically-secure approach for
computing MACs is known as HMAC.
It is used in the IPSec protocol (for packet-level security in
computer networks), in SSL (for transport-level security), and a
host of other applications.
The size of the MAC produced by HMAC is the same as the
size of the hash code produced by the underlying hash function
(which is typically SHA-1).

03/14/2025 Chirag N. Modi 134

 HMAC

03/14/2025 Chirag N. Modi 135

 HMAC

The message is segmented into b-bit blocks Y1, Y2, . . ..

K is the secret key to be used for producing the MAC
K+ is the secret key K padded with zeros on the left so
that the result is b bits long.
Recall, b is the length of each message block Yi.
The algorithm constructs two sequences ipad and opad,
Ipad: repeating the 00110110 sequence b/8 times
Opad: repeating 01011100 also b/8 times
The operation of HMAC is described by:

The security of HMAC depends on the security of the

underlying hash function, and, of course, on the size and the
quality of the key.
03/14/2025 Chirag N. Modi 136
 Authentication and Identification Schemes
To allow one party (the verifier) to gain assurances that the
identity of another (the claimant) is as declared, thereby
preventing impersonation.

The general setting for an identification protocol involves a

prover or claimant A and a verifier B.

The verifier is presented with, or presumes beforehand, the

purported identity of the claimant.

The goal is to corroborate that the identity of the claimant is

indeed A, i.e., to provide entity authentication

03/14/2025 Chirag N. Modi 137

 Authentication and Identification Schemes
Entity authentication is the process whereby one party is
assured (through acquisition of corroborative evidence) of the
identity of a second party involved in a protocol, and that the
second has actually participated (i.e., is active at, or
immediately prior to, the time the evidence is acquired)

03/14/2025 Chirag N. Modi 138

 Objectives
In the case of honest parties A and B, A is able to successfully
authenticate itself to B, i.e., B will complete the protocol having
accepted A’s identity.
(transferability) B cannot reuse an identification exchange with
A so as to successfully impersonate A to a third party C.
(impersonation) The probability is negligible that any party C
distinct from A, carrying out the protocol and playing the role
of A, can cause B to complete and accept A’s identity.

03/14/2025 Chirag N. Modi 139

 Basis of identification
something known. Examples include standard passwords
(sometimes used to derive a symmetric key), Personal
Identification Numbers (PINs), and the secret or private
keys.
something have. This is typically a physical accessory,
resembling a passport in function. Examples include magnetic-
striped cards, chipcards (plastic cards the size of credit cards,
containing an embedded microprocessor or integrated circuit;
also called smart cards or IC cards), and hand-held customized
calculators (password generators) which provide time-variant
passwords.
something inherent (to a human individual)

03/14/2025 Chirag N. Modi 140

 Properties of identification protocols
Reciprocity of identification. Either one or both parties may
corroborate their identities to the other, providing,
respectively, unilateral or mutual identification.
Some techniques, such as fixed-password schemes, may be susceptible
to an entity posing as a verifier simply in order to capture a claimant’s
password.
computational efficiency. The number of operations required to
execute a protocol
communication efficiency. This includes the number of passes
(message exchanges) and the bandwidth required (total
number of bits transmitted).
storage of secrets. This includes the location and method used
(e.g., software only, local disks, hardware tokens, etc.) to store
critical keying material
03/14/2025 Chirag N. Modi 141
 Properties of identification protocols
real-time involvement of a third party. Examples of third parties
include an on-line trusted third party to distribute common
symmetric keys to communicating entities for authentication
purposes; and an on-line (untrusted) directory service for
distributing public-key certificates, supported by an off-line
certification authority
nature of trust required in a third party. Examples include
trusting a third party to correctly authenticate and bind an
entity’s name to a public key; and trusting a third party with
knowledge of an entity’s private key.
nature of security guarantees. Examples include provable
security and zero-knowledge properties

03/14/2025 Chirag N. Modi 142

 Passwords (weak authentication)
Conventional password schemes involve time-invariant
passwords, which provide so-called weak authentication.
The basic idea is as follows. A password, associated with each
user (entity), is typically a string of 6 to 10 or more characters
the user is capable of committing to memory.
This serves as a shared secret between the user and system.
To gain access to a system resource, the user enters a (userid,
password) pair, and explicitly or implicitly specifies a resource;
here userid is a claim of identity, and password is the evidence
supporting the claim.
The system checks that the password matches corresponding
data it holds for that userid, and that the stated identity is
authorized to access the resource.

03/14/2025 Chirag N. Modi 143

 Passwords (weak authentication)
Demonstration of knowledge of this secret (by revealing the
password itself) is accepted by the system as corroboration of
the entity’s identity.

03/14/2025 Chirag N. Modi 144

 Fixed password schemes: techniques
Stored password files
“Encrypted” password files
Password rules
Slowing down the password mapping
Salting passwords
Passphrases

03/14/2025 Chirag N. Modi 145

 Stored password files
The most obvious approach is for the system to store user
passwords cleartext in a system password file, which is both
read- and write-protected (e.g., via operating system access
control privileges).
Upon password entry by a user, the system compares the
entered password to the password file entry for the
corresponding userid; employing no secret keys or
cryptographic primitives such as encryption, this is classified as
a non-cryptographic technique.
A drawback of this method is that it provides no protection
against privileged insiders or superusers (special userids which
have full access privileges to system files and resources).
Storage of the password file on backup media is also a security
concern, since the file contains cleartext passwords.
03/14/2025 Chirag N. Modi 146
 “Encrypted” password files
Rather than storing a cleartext user password in a (read- and
write-protected) password file, a one-way function of each user
password is stored in place of the password itself
To verify a user-entered password, the system computes the
one-way function of the entered password, and compares this
to the stored entry for the stated userid.
To preclude earlier attacks, the password file need now only be
write-protected.

03/14/2025 Chirag N. Modi 147

 Password rules
Since dictionary attacks are successful against predictable
passwords, some systems impose “password rules” to
discourage or prevent users from using “weak” passwords.
Typical password rules include a lower bound on the password
length (e.g., 8 or 12 characters); a requirement for each
password to contain at least one character from each
of a set of categories (e.g., uppercase, numeric, non-
alphanumeric); or checks that candidate passwords are not
found in on-line or available dictionaries, and are not
composed of account-related information such as userids or
substrings thereof.

03/14/2025 Chirag N. Modi 148

 Password rules
Knowing which rules are in effect, an adversary may use a
modified dictionary attack strategy taking into account the
rules, and targeting the weakest form of passwords which
nonetheless satisfy the rules.
The objective of password rules is to increase the entropy
(rather than just the length) of user passwords beyond the
reach of dictionary and exhaustive search attacks.
Entropy here refers to the uncertainty in a password ; if all
passwords are equally probable, then the entropy is maximal
and equals the base-2 logarithm of the number of possible
passwords.
Another procedural technique intended to improve password
security is password aging. A time period is defined limiting the
lifetime of each particular password (e.g., 30 or 90 days).
03/14/2025 Chirag N. Modi 149
 Slowing down the password mapping
To slow down attacks which involve testing a large number of
trial passwords, the password verification function (e.g., one-
way function) may be made more computationally intensive,
for example, by iterating a simpler function t > 1 times, with
the output of iteration i used as the input for iteration i + 1.
The total number of iterations must be restricted so as not to
impose a noticeable or unreasonable delay for legitimate users.
Also, the iterated function should be such that the iterated
mapping does not result in a final range space whose entropy is
significantly decimated.

03/14/2025 Chirag N. Modi 150

 Salting passwords
To make dictionary attacks less effective, each password, upon
initial entry, may be augmented with a t-bit random string
called a salt (it alters the “flavor” of the password) before
applying the one-way function.
Both the hashed password and the salt are recorded in the
password file.
When the user subsequently enters a password, the system
looks up the salt, and applies the one-way function to the
entered password, as altered or augmented by the salt.
The difficulty of exhaustive search on any particular user’s
password is unchanged by salting (since the salt is given in
cleartext in the password file);

03/14/2025 Chirag N. Modi 151

 Salting passwords
however, salting increases the complexity of a dictionary attack
against a large set of passwords simultaneously, by requiring
the dictionary to contain 2t variations of each trial password,
implying a larger memory requirement for storing an encrypted
dictionary, and correspondingly more time for its preparation.
Note that with salting, two users who choose the same
password have different entries in the system password file. In
some systems, it may be appropriate to use an entity’s userid
itself as salt.

03/14/2025 Chirag N. Modi 152

 Passphrases
To allow greater entropy without stepping beyond the memory
capacity of human users, passwords may be extended to
passphrases; in this case, the user types in a phrase or
sentence rather than a short “word”.
The passphrase is hashed down to a fixed-size value, which
plays the same role as a password; here, it is important that the
passphrase is not simply truncated by the system, as passwords
are in some systems.
The idea is that users can remember phrases easier than
random character sequences.
If passwords resemble English text, then since each character
contains only about 1.5 bits of entropy, a passphrase provides
greater security through increased entropy than a short
password. One drawback is the additional typing requirement.
03/14/2025 Chirag N. Modi 153
 Assignment

Analyze the working of UNIX passwords- Case study

03/14/2025 Chirag N. Modi 154

 PINs and passkeys
PINs
Two-stage authentication and password-
derived keys

03/14/2025 Chirag N. Modi 155

 PINs
Personal identification numbers (PINs) fall under the category
of fixed (time-invariant) passwords.
They are most often used in conjunction with “something
possessed”, typically a physical token such as a plastic banking
card with a magnetic stripe, or a chipcard.
To prove one’s identity as the authorized user of the token, and
gain access to the privileges associated therewith, entry of the
correct PIN is required when the token is used.
This provides a second level of security if the token is lost or
stolen.
PINs may also serve as the second level of security for entry to
buildings which have an independent first level of security
(e.g., a security guard or video camera).

03/14/2025 Chirag N. Modi 156

 PINs
For user convenience and historical reasons, PINs are typically
short (relative to fixed password schemes) and numeric, e.g., 4
to 8 digits.
To prevent exhaustive search through such a small key space
(e.g., 10 000 values for a 4-digit numeric PIN), additional
procedural constraints are necessary.
For example, some automated cash dispenser machines
accessed by banking cards confiscate a card if three incorrect
PINs are entered successively; for others, incorrect entry of a
number of successive PINs may cause the card to be “locked”
or deactivated, thereafter requiring a longer PIN (e.g., 8 digits)
for reactivation following such suspicious circumstances.

03/14/2025 Chirag N. Modi 157

 Two-stage authentication and password-
derived keys
Human users have difficulty remembering secret keys which
have sufficient entropy to provide adequate security.
Two techniques which address this issue :
When tokens are used with off-line PIN verification, a common
technique is for the PIN to serve to verify the user to the token,
while the token contains additional independent information
allowing the token to authenticate itself to the system (as a
valid token representing a legitimate user).
The user is thereby indirectly authenticated to the system by a
two-stage process.
This requires the user have possession of the token but need
remember only a short PIN, while a longer key (containing
adequate entropy) provides cryptographic security for
authentication over an unsecured link.
03/14/2025 Chirag N. Modi 158
 Two-stage authentication and password-
derived keys
A second technique is for a user password to be mapped by a
one-way hash function into a cryptographic key (e.g., a 56-bit
DES key).
Such password-derived keys are called passkeys.
The passkey is then used to secure a communications link
between the user and a system which also knows the user
password.
It should be ensured that the entropy of the user’s password is
sufficiently large that exhaustive search of the password space
is not more efficient than exhaustive search of the passkey
space (i.e., guessing passwords is not easier than guessing 56-
bit DES keys);

03/14/2025 Chirag N. Modi 159

 Two-stage authentication and password-
derived keys
An alternative to having passkeys remain fixed until the
password is changed is to keep a running sequence number on
the system side along with each user’s password, for use as
a time-variant salt communicated to the user in the clear and
incremented after each use.
A fixed per-user salt could also be used in addition to a running
sequence number.
Passkeys should be viewed as long-term keys, with use
restricted to authentication and key management (e.g., rather
than also for bulk encryption of user data).
A disadvantage of using password-derived keys is that storing
each user’s password within the system requires some
mechanism to protect the confidentiality of the stored
passwords.
03/14/2025 Chirag N. Modi 160
 One-time passwords (towards strong
authentication)
A natural progression from fixed password schemes to
challenge-response identification protocols may be observed
by considering one-time password schemes.
each password is used only once.
Such schemes are safe from passive adversaries who eavesdrop
and later attempt impersonation.
Variations include:
shared lists of one-time passwords. The user and the system
use a sequence or set of t secret passwords, (each valid for a
single authentication), distributed as a pre-shared list.
A drawback is maintenance of the shared list.

03/14/2025 Chirag N. Modi 161

 One-time passwords (towards strong
authentication)
If the list is not used sequentially, the system may check the
entered password against all remaining unused passwords.
A variation involves use of a challenge-response table, whereby
the user and the system share a table of matching challenge-
response pairs, ideally with each pair valid at most once; this
non-cryptographic technique differs from the cryptographic
challenge-response.
sequentially updated one-time passwords. Initially only a single
secret password is shared.
During authentication using password i, the user creates and
transmits to the system a new password (password i + 1)
encrypted under a key derived from password i.
This method becomes difficult if communication failures occur.

03/14/2025 Chirag N. Modi 162

 One-time passwords (towards strong
authentication)
one-time password sequences based on a one-way function.
Lamport’s one-time password scheme: This method is more
efficient (with respect to bandwidth) than sequentially updated
one-time passwords, and may be viewed as a challenge-
response protocol where the challenge is implicitly defined by
the current position within the password sequence.

03/14/2025 Chirag N. Modi 163

 Challenge-response identification (strong
authentication)
The idea of cryptographic challenge-response protocols is that
one entity (the claimant) “proves” its identity to another entity
(the verifier) by demonstrating knowledge of a secret
known to be associated with that entity, without revealing the
secret itself to the verifier during the protocol.
This is done by providing a response to a time-variant
challenge, where the response depends on both the entity’s
secret and the challenge.
The challenge is typically a number chosen by one entity
(randomly and secretly) at the outset of the protocol.

03/14/2025 Chirag N. Modi 164

 Challenge-response by symmetric-key
techniques
Challenge-response mechanisms based on symmetric-key
techniques require the claimant and the verifier to share a
symmetric key.
For closed systems with a small number of users, each pair of
users may share a key a priori; in larger systems employing
symmetric-key techniques, identification protocols often
involve the use of a trusted on-line server with which each
party shares a key.
The on-line server effectively acts like the hub of a spoked
wheel, providing a common session key to two parties each
time one requests authentication with the other.

03/14/2025 Chirag N. Modi 165

 Challenge-response by symmetric-key
techniques
1. unilateral authentication, timestamp-based:

Upon reception and decryption, B verifies that the timestamp

is acceptable, and optionally verifies the received identifier as
its own.
The identifier B here prevents an adversary from re-using the
message immediately on A, in the case that a single
bidirectional key K is used.
2. unilateral authentication, using random numbers:
To avoid reliance on timestamps, the timestamp may be
replaced by a random number, at the cost of an additional
message:

03/14/2025 Chirag N. Modi 166

 Challenge-response by symmetric-key
techniques

B decrypts the received message and checks that the random

number matches that sent in (1). Optionally, B checks that the
identifier in (2) is its own; this prevents a reflection attack in
the case of a bi-directional key K.
To prevent chosen-text attacks on the encryption scheme EK, A
may (as below) embed an additional random number in or,
alternately, the form of the challenges can be restricted; the
critical requirement is that they be non-repeating.

03/14/2025 Chirag N. Modi 167

 Challenge-response by symmetric-key
techniques
3. mutual authentication, using random numbers:

Upon reception of (2), B carries out the checks as above and, in

addition, recovers the decrypted rA for inclusion in (3). Upon
decrypting (3), A checks that both random numbers match
those used earlier.
The second random number rA in (2) serves both
as a challenge and to prevent chosen-text attacks.

03/14/2025 Chirag N. Modi 168

 Challenge-response based on (keyed)
one-way functions
The encryption algorithm in the above mechanisms may be
replaced by a one-way or nonreversible function of the shared
key and challenge, e.g., having properties similar to a MAC
This may be preferable in situations where encryption
algorithms are otherwise unavailable or undesirable
The revised three-pass challenge-response mechanism based
on a MAC hK, with actions as noted above, provides mutual
identification.

03/14/2025 Chirag N. Modi 169

 Implementation using hand-held passcode
generators
Answering a challenge in challenge-response protocols requires
some type of computing device and secure storage for long-
term keying material (e.g., a file on a trusted local disk,
perhaps secured under a local password-derived key).
For additional security, a device such as a chipcard (and
corresponding card reader) may be used for both the key
storage and response computation.
In some cases, a less expensive option is a passcode generator.

03/14/2025 Chirag N. Modi 170

 Implementation using hand-held passcode
generators
Passcode generators are hand-held devices, resembling thin
calculators in both size and display, and which provide time-
variant passwords or passcodes
The generator contains a device-specific secret key.
When a user is presented with a challenge (e.g., by a system
displaying it on a computer terminal), the challenge is keyed
into the generator.
The generator displays a passcode, computed as a function of
the secret key and the challenge; this may be either an
asymmetric function, or a symmetric function (e.g., encryption
or MAC as discussed).

03/14/2025 Chirag N. Modi 171

 Implementation using hand-held passcode
generators
The user returns the response (e.g., keys the passcode in
at his terminal), which the system verifies by comparison to an
independently computed response, using the same
information stored on the system side.
For further protection against misplaced generators, the
response may also depend on a user-entered PIN.
Simpler passcode generators omit the user keypad, and use as
an implicit challenge a time value (with a typical granularity of
one minute) defined by a timeclock loosely synchronized
automatically between the system and the passcode generator.
A more sophisticated device combines implicit synchronization
with explicit challenges, presenting an explicit challenge only
when synchronization is lost.

03/14/2025 Chirag N. Modi 172

 Implementation using hand-held passcode
generators

03/14/2025 Chirag N. Modi 173

 Implementation using hand-held passcode
generators
A drawback of systems using passcode generators is, the
requirement to provide confidentiality for user passwords
stored on the system side.

03/14/2025 Chirag N. Modi 174

 Challenge-response by public-key techniques
Challenge-response based on public-key decryption:
Identification based on PK decryption and witness. Consider the
following protocol:

B chooses a random r, computes the witness x = h(r) (x

demonstrates knowledge of r without disclosing it), and
computes the challenge e = PA(r, B). Here PA denotes the
public-key encryption (e.g., RSA) algorithm of A, and h denotes
a one-way hash function.
B sends (1) to A. A decrypts e to recover r’ and B’, computes x’
= h(r’), and quits if x’ not x (implying r’not r) or if B’ is not equal
to its own identifier B.

03/14/2025 Chirag N. Modi 175

 Challenge-response by public-key techniques
Otherwise, A sends r = r’ to B.
B succeeds with (unilateral) entity authentication of A upon
verifying the received r agrees with that sent earlier.
The use of the witness precludes chosen-text attacks.
Modified Needham-SchroederPK protocol for identification. It
provides key transport of distinct keys k1, k2 from A to B and B
to A, respectively, as well as mutual authentication.
If the key establishment feature is not required, k1 and k2 may
be omitted. With PB denoting the public-key encryption
algorithm for B (e.g., RSA), the messages in the modified
protocol for identification are then as follows:

03/14/2025 Chirag N. Modi 176

 Assignment
Analyze Challenge-response based on digital
signatures

03/14/2025 Chirag N. Modi 177

 zero-knowledge identification protocols
Disadvantage of simple password protocols: when a claimant A
(called a prover in the context of zero-knowledge protocols)
gives the verifier B her password, B can thereafter impersonate
A.
Challenge-response protocols improve on this:
A responds to B’s challenge to demonstrate knowledge of A’s secret in a
time-variant manner, providing information not directly reusable by B.
This might nonetheless reveal some partial information about the
claimant’s secret;
an adversarial verifier might also be able to strategically select
challenges to obtain responses providing such information

03/14/2025 Chirag N. Modi 178

 zero-knowledge identification protocols
Zero-knowledge (ZK) protocols are designed to address these
concerns,
Allows a prover to demonstrate knowledge of a secrete while
revealing no information whatsoever (beyond what the verifier
was able to deduce prior to the protocol run) of use to the
verifier in conveying this demonstration of knowledge to
others.
The point is that only a single bit of information need be
conveyed – namely, that the prover actually does know the
secret.
A zero-knowledge protocol allows a proof of the truth of an
assertion, while conveying no information whatsoever (this
notion can be quantified in a rigorous sense) about the
assertion itself other than its actual truth.
03/14/2025 Chirag N. Modi 179
 Interactive proof systems and zero-knowledge
protocols
The ZK protocols- interactive proof systems, wherein a prover
and verifier exchange multiple messages (challenges and
responses), typically dependent on random numbers which
they may keep secret.
The prover’s objective is to convince (prove to) the verifier the
truth of an assertion, e.g., claimed knowledge of a secret.
The verifier either accepts or rejects the proof.
The traditional mathematical notion of a proof, however, is
altered to an interactive game wherein proofs are probabilistic
rather than absolute; a proof in this context need be correct
only with bounded probability, although possibly arbitrarily
close to 1.
For this reason, an interactive proof is sometimes called a proof
by protocol.
03/14/2025 Chirag N. Modi 180
 Interactive proof systems and zero-knowledge
protocols
Interactive proofs used for identification may be formulated as
proofs of knowledge.
A possesses some secret s, and attempts to convince B it has
knowledge of s by correctly responding to queries (involving
publicly known inputs and agreed upon functions) which
require knowledge of s to answer.
Note that proving knowledge of s differs from proving
that such s exists – for example, proving knowledge of the
prime factors of n differs from proving that n is composite.
An interactive proof is said to be a proof of knowledge if it has
both the properties of completeness and soundness.

03/14/2025 Chirag N. Modi 181

 Interactive proof systems and zero-knowledge
protocols
(completeness property) An interactive proof (protocol) is
complete if, given an honest prover and an honest verifier, the
protocol succeeds with overwhelming probability (i.e., the
verifier accepts the prover’s claim).
The definition of overwhelming depends on the application,
but generally implies that the probability of failure is not of
practical significance.
(soundness property) An interactive proof (protocol) is sound if
there exists an expected polynomial-time algorithm M with the
following property:

03/14/2025 Chirag N. Modi 182

 Interactive proof systems and zero-knowledge
protocols
If a dishonest prover (impersonating A) can with non-negligible
probability successfully execute the protocol with B, then M
can be used to extract from this prover knowledge (essentially
equivalent to A’s secret) which with overwhelming probability
allows successful subsequent protocol executions.
(zero-knowledge property) A protocol which is a proof of
knowledge has the zero-knowledge property if it is simulatable
in the following sense:
There exists an expected polynomial-time algorithm (simulator)
which can produce, upon input of the assertion(s) to be proven
but without interacting with the real prover, transcripts
indistinguishable from those resulting from interaction with the
real prover.

03/14/2025 Chirag N. Modi 183

 Interactive proof systems and zero-knowledge
protocols
The zero-knowledge property implies that a prover executing
the protocol (even when interacting with a malicious verifier)
does not release any information (about its secret knowledge,
other than that the particular assertion itself is true) not
otherwise computable in polynomial time from public
information alone.

Thus, participation does not increase the chances of

subsequent impersonation.

03/14/2025 Chirag N. Modi 184

 Interactive proof systems and zero-knowledge
protocols
Fiat-Shamir identification protocol
GQ (Guillou-Quisquater) identification protocol
Schnorr identification protocol

03/14/2025 Chirag N. Modi 185

 Key-Exchange Algorithms
In next module- From Next Class

03/14/2025 Chirag N. Modi 186