
Foundations of Cryptography

Lecture 4 Lecturer: Moni Naor

Recap of last week’s lecture

• Ultimate or Universal One-way functions
• The many time identification problem
  – Specification and solutions
• Functions that are one-way on their iterates
• The Rabin function

The authentication problem one-time version

• Alice would want to send a message m ∈ {0,1}^n to Bob
• They want to prevent Eve from interfering
  – Bob should be sure that the message m’ he receives is equal to the message m Alice sent

[Figure: Alice, Bob, Eve]

Specification of the Problem

Alice and Bob communicate through a channel
Bob has an external register R ∈ N (no message) ⋃ {0,1}^n
Eve completely controls the channel

Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
  – R is either N or m (but not m’ ≠ m)
  – If Alice does not want to send a message R is N
• Since this is a generalization of the identification problem – must use shared secrets and probability or complexity

Probabilistic version: for any behavior from Eve, for any message m ∈ {0,1}^n, the probability that Bob is in state m’ ≠ m or N is at most ε

Authentication using hash functions

• Suppose that
  – H = {h | h: {0,1}^n → {0,1}^k} is a family of functions
  – Alice and Bob share a random function h ∈ H
  – To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
  – When receiving (m’, z) Bob computes h(m’) and compares to z
    • If equal, moves register R to m’
    • If not equal, register R stays in N
• What properties do we require from H
  – hard to guess h(m’) - at most ε
    • But clearly not sufficient: one-time pad.
  – hard to guess h(m’) even after seeing h(m) - at most ε
    • Should be true for any m’
  – Short representation for h - must have small log|H|
  – Easy to compute h(m) given h and m

Universal hash functions

• Given that for h ∈ H we have h: {0,1}^n → {0,1}^k we know that ε ≥ 2^{-k}
• A family where this is an equality is called universal_2

Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called Strongly Universal_2 or pair-wise independent if:
for all m_1, m_2 ∈ {0,1}^n and y_1, y_2 ∈ {0,1}^k we have

  Prob[h(m_1) = y_1 and h(m_2) = y_2] = 2^{-2k}

Where the probability is over a randomly chosen h ∈ H

In particular

  Prob[h(m_2) = y_2 | h(m_1) = y_1] = 2^{-k}

Theorem: when a strongly universal_2 family is used in the protocol, Eve’s probability of cheating is at most 2^{-k}

Constructing universal hash functions

The linear polynomial construction:
• fix a finite field F of size at least the message space 2^n
  – Could be either GF[2^n] or GF[P] for some prime P ≥ 2^n
• The family H of functions h: F → F is defined as

  H = {h_{a,b}(m) = a∙m + b | a, b ∈ F}

Claim: the family above is strongly universal_2

Proof: for every m_1, m_2, y_1, y_2 ∈ F there are unique a, b ∈ F such that

  a∙m_1 + b = y_1
  a∙m_2 + b = y_2

Size: each h ∈ H represented by 2n bits
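The linear construction above, checked exhaustively over a small prime field and then used as the (m, h(m)) protocol; this is an added example, not part of the lecture slides. The toy prime 7, the Mersenne prime 2^127 - 1 and all function names are assumptions made for the illustration.

```python
import secrets
from fractions import Fraction
from itertools import product

P_SMALL = 7            # assumed toy prime, small enough to enumerate every key
P_BIG = 2**127 - 1     # assumed Mersenne prime for a realistic message space

def h(key, m, p):
    """h_{a,b}(m) = a*m + b over GF(p); key = (a, b)."""
    a, b = key
    return (a * m + b) % p

def keys_mapping(m1, y1, m2, y2, p=P_SMALL):
    """Every key (a, b) with h(m1) = y1 and h(m2) = y2."""
    return [k for k in product(range(p), repeat=2)
            if h(k, m1, p) == y1 and h(k, m2, p) == y2]

def is_strongly_universal(p=P_SMALL):
    """Distinct m1, m2 and any y1, y2 are hit by exactly one of the p^2 keys,
    so Prob[h(m1) = y1 and h(m2) = y2] = p^-2."""
    return all(len(keys_mapping(m1, y1, m2, y2, p)) == 1
               for m1, m2, y1, y2 in product(range(p), repeat=4) if m1 != m2)

def conditional_probability(m1, y1, m2, y2, p=P_SMALL):
    """Prob[h(m2) = y2 | h(m1) = y1]: what Eve faces after seeing (m1, y1)."""
    seen = sum(h(k, m1, p) == y1 for k in product(range(p), repeat=2))
    return Fraction(len(keys_mapping(m1, y1, m2, y2, p)), seen)

def keygen(p=P_BIG):
    """Alice and Bob's shared secret: uniform a, b (2*log p bits)."""
    return secrets.randbelow(p), secrets.randbelow(p)

def authenticate(key, m, p=P_BIG):
    """Alice sends (m, h(m)). This is the one-time version: one message per key."""
    return m, h(key, m, p)

def receive(key, m, z, p=P_BIG):
    """Bob's register R: the message if the tag matches, else None (state N)."""
    return m if h(key, m, p) == z else None
```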

Constructing universal hash functions

The inner product construction:

• fix a finite field F of size at least the target space 2^k
  – Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
• Let n = l∙k
• Treat each message m ∈ {0,1}^n as a (l+1)-vector over F where the first entry is 1. Denote by (m_0, m_1, …, m_l)
• The family H of functions h: F^l → F is defined by all (l+1)-vectors

  H = {h_a(m) = ∑_{i=0}^{l} a_i∙m_i | a_0, a_1, …, a_l ∈ F}

Claim: the family above is strongly universal_2

Proof: for every (m_0, m_1, …, m_l), (m’_0, m’_1, …, m’_l), y_1, y_2 ∈ F there are there

  ∑_{i=0}^{l} a_i∙m_i = y_1
  ∑_{i=0}^{l} a_i∙m’_i = y_2

Size: each h ∈ H represented by n+k bits

Lower bound on size of strongly universal hash functions

Theorem: let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then |H| is Ω(2^n)

More precisely, to obtain a d-wise independence family |H| should be Ω(2^{n⌊d/2⌋})

Theorem: see N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 on derandomization, proposition 2.3

An almost perfect solution

By allowing ε to be slightly larger than 2^{-k} we can get much smaller families

Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called δ-Universal_2 if for all m_1, m_2 ∈ {0,1}^n where m_1 ≠ m_2 we have

  Prob[h(m_1) = h(m_2)] ≤ δ

Properties: Strongly-universal_2 implies 2^{-k}-Universal_2
• Opposite not true: the function h(x)=x …

An almost perfect solution

Idea: combine
• a family of δ-Universal_2 functions H_1 = {h | {0,1}^n → {0,1}^k} with
• a Strongly Universal_2 family H_2 = {h | {0,1}^k → {0,1}^k}

Consider the family H where each h ∈ H is {0,1}^n → {0,1}^k and is defined by h_1 ∈ H_1 and h_2 ∈ H_2

  h(x) = h_2(h_1(x))

As before Alice sends m, h(m)

Claim: probability of cheating is at most δ + 2^{-k}

Proof: when Eve sends m’, y’ we must have m ≠ m’ but either
  – y’ = h(m), which means that Eve succeeds with probability at most δ + 2^{-k}
    • Collision in h_1 Or in h_2
Or
  – y’ ≠ h(m) which means that Eve succeeds with probability at most 2^{-k}
    • Collision in h_2

Size: each h ∈ H represented by log|H_1| + log|H_2|

Constructing almost universal hash functions

The polynomial evaluation construction {0,1}^n → {0,1}^k:
• fix a finite field F of size at least the target space 2^k
  – Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
• Let n = l∙k
• Treat each (non-zero) message m ∈ {0,1}^n as a degree (l-1)-polynomial over F. Denote by P_m
• The family H of functions h: F^l → F is defined by all elements in F:

  H = {h_x(m) = P_m(x) | x ∈ F}

Claim: the family above is δ-Universal_2 for δ = (l-1)/2^k

Proof: the maximum number of points where two different degree (l-1) polynomials agree is l-1

Size: each h ∈ H represented by k bits
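The polynomial evaluation family, and its composition with a strongly universal h_2 from the "almost perfect solution" slide, measured by brute force over a toy field; this is an added example, not part of the lecture slides. The field GF(5), l = 3, h_2(y) = a∙y + b and all function names are assumptions made for the illustration.

```python
from fractions import Fraction
from itertools import product

P = 5   # assumed toy field GF(P); over GF(P) the bound reads delta = (l-1)/P
L = 3   # a message is L field elements: the coefficients of P_m

def poly_hash(x, m, p=P):
    """h_x(m) = P_m(x) by Horner's rule; m[0] is the leading coefficient."""
    acc = 0
    for c in m:
        acc = (acc * x + c) % p
    return acc

def worst_collision_probability(p=P, l=L):
    """max over m != m' of Prob_x[h_x(m) = h_x(m')] with x uniform in GF(p)."""
    msgs = list(product(range(p), repeat=l))
    worst = Fraction(0)
    for i, m1 in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            hits = sum(poly_hash(x, m1, p) == poly_hash(x, m2, p)
                       for x in range(p))
            worst = max(worst, Fraction(hits, p))
    return worst

def best_forgery(m, p=P, l=L):
    """Composed MAC h(m) = a*h_x(m) + b with key (x, a, b): Eve's best chance
    that Bob accepts (m2, t2), m2 != m, after she has seen (m, tag)."""
    keys = list(product(range(p), repeat=3))

    def mac(k, msg):
        return (k[1] * poly_hash(k[0], msg, p) + k[2]) % p

    best = Fraction(0)
    for tag in range(p):
        consistent = [k for k in keys if mac(k, m) == tag]
        for m2 in product(range(p), repeat=l):
            if m2 == tuple(m):
                continue
            for t2 in range(p):
                hits = sum(mac(k, m2) == t2 for k in consistent)
                best = max(best, Fraction(hits, len(consistent)))
    return best
```

With these toy parameters the collision bound (l-1)/P = 2/5 is met exactly, and the best forgery probability 13/25 stays below δ + 1/P = 3/5.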

Composing universal hash functions

Concatenation

Let H be a family of δ-Universal_2 functions where each h ∈ H is {0,1}^n → {0,1}^k

Consider the family H’ where each h’ ∈ H’ is {0,1}^{2n} → {0,1}^{2k} and where

  h’(x_1, x_2) = h(x_1), h(x_2) for some h ∈ H

Claim: the family above is δ-Universal_2

Proof: let x_1, x_2 and x’_1, x’_2 be a pair of inputs.
• If x_1 ≠ x’_1 collision must occur in first part h(x_1) = h(x’_1)
• Else, x_2 ≠ x’_2 and collision must occur in second part h(x_2) = h(x’_2)

In either case the probability is at most δ

Composing universal hash functions

Composition

Let
• H_1 = {h | h: {0,1}^{n_1} → {0,1}^{n_2}} with
• H_2 = {h | h: {0,1}^{n_2} → {0,1}^{n_3}}
be families of δ-Universal_2 functions

Consider the family H where each h ∈ H is {0,1}^{n_1} → {0,1}^{n_3} and is defined by h_1 ∈ H_1 and h_2 ∈ H_2

  h(x) = h_2(h_1(x))

[Figure: n_1, n_2, n_3]

Claim: the family above is 2δ-Universal_2

Proof: the collision must occur either at the first hash function or the second hash function. Each event happens with probability at most δ and we apply the union bound

The Tree Construction

Let n = l∙k and let each h_i: {0,1}^{2k} → {0,1}^k be chosen independently from H, a δ-Universal family, then result is a family of functions {0,1}^n → {0,1}^k which is tδ-Universal, where t is the number of levels in the tree

Size: t log|H|

[Figure: tree of hash functions h_1, h_2, h_3 applied to the message m]

Homework

• Given ε, n what is the number of bits needed to specify an authentication scheme?

Bonus: Can interaction help?
  – Can the number of shared secret bits be smaller than in a unidirectional scheme?
  – Can the number of shared bits depend on ε only?

What about the public-key problem?

• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
  – Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
  – Soundness: If Alice wants to send m and Eve and Charlie do interfere
    • R is either N or m (but not m’ ≠ m)
    • If Alice does not want to send a message R is N
• Who chooses which m Alice will want to approve?
  – Adversary does. This is a chosen message attack
• As before: complexity to the rescue