Foundations of Cryptography
Lecture 4: One-time Signatures, UOWHFs
Lecturer: Moni Naor
Recap of last week’s lecture
• Functions that are one-way on their iterates
• The one-time authentication problem
• The hash based protocol
– Strongly Universal Hash functions
• Definition and Constructions
– δ-Universal2 hash functions
• Their application in authentication
• Polynomial Constructions
• Composition and tree
The authentication problem:
computational public-key version
• Alice wants to send a message m ∈ {0,1}^n
to Bob or to Charlie
– The set-up phase is public
• They want to prevent Eve from interfering
– Bob should be sure that the message m’ he receives is
equal to the message m Alice sent
[Figure: Alice sends m to Bob over a channel controlled by Eve]
Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register R ∈ {N} (no message) ∪ {0,1}^n
Eve completely controls the channel
Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere
– Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
– R is either N or m (but not m’ ≠ m)
– If Alice does not want to send a message, R is N
Since this is a generalization of the identification problem, it must use shared
secrets and either probability or complexity
Probabilistic version:
• for any behavior of Eve and any message m ∈ {0,1}^n, the probability that
Bob ends in a state m’ ∉ {m, N} is at most ε
What about the public-key problem?
• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does
not interfere, Bob has value m in register R
– Soundness: If Alice wants to send m and Eve and Charlie do
interfere
• R is either N or m (but not m’ ≠ m)
– A message m’ ≠ m that Bob accepts is an existential forgery
• If Alice does not want to send a message, R is N
• Who chooses which m Alice will want to approve?
– The adversary does. This is a chosen message attack
• When is m’ chosen? It might be after the authentication of m has been seen
• As before: complexity to the rescue
A one-time public-key authentication
Let f: {0,1}^n → {0,1}^n be a one-way function
– The adversary’s running time is bounded by a polynomial
To sign/authenticate a single-bit message
• Setup phase:
– Alice chooses a random pair x0, x1 ∈ {0,1}^n and
– computes y0 = f(x0) and y1 = f(x1)
– gives Bob and Charlie (y0, y1)
• When Alice wants to approve m ∈ {0,1}, she sends (m, xm)
• If Bob gets any symbols on the channel, call them (m, z);
he computes f(z) and compares it to ym
– If equal, he moves to state m
– If not equal, he moves permanently to state N
• Why is it secure?
– To make Bob accept 1−m, Eve must produce z with f(z) = y_{1−m}, i.e. invert f on a random image; seeing (m, xm) does not help with that
• What about n-bit messages?
– Alice prepares a set of n pairs and opens the appropriate ones
• Since this is noninteractive, Bob can convince Charlie that Alice approved message m
– Non-repudiation from Alice
Signing n-bit messages: Lamport’s Scheme
[Figure: the public key is the n pairs (f(x_{1,0}), f(x_{1,1})), (f(x_{2,0}), f(x_{2,1})), …, (f(x_{n,0}), f(x_{n,1})); to sign the message m = m1 … mn, Alice reveals x_{i,mi} for each position i, the 0-preimage where the bit is 0 and the 1-preimage where it is 1]
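Lamport’s scheme for n-bit messages, as an added example that is not part of the lecture notes: SHA-256 stands in for the one-way function f (the lecture only needs f to be one-way), the message length n is a parameter, and forge_from_two shows why the key is one-time only: from Alice’s signatures on two messages anyone can sign a third. The names keygen, sign, verify and forge_from_two are mine.

```python
"""Lamport one-time signature for n-bit messages (added example).

SHA-256 is a stand-in for the one-way function f (assumption); the key
is a list of n pairs of random k-bit preimages and their f-images.
"""
import hashlib
import secrets
from typing import List, Optional, Tuple

K = 32  # bytes per preimage, i.e. k = 256 bits


def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f: {0,1}^k -> {0,1}^k."""
    return hashlib.sha256(x).digest()


def bits(m: int, n: int) -> List[int]:
    """Message bits m_1 ... m_n, most significant first."""
    return [(m >> (n - 1 - i)) & 1 for i in range(n)]


def keygen(n: int) -> Tuple[List[Tuple[bytes, bytes]], List[Tuple[bytes, bytes]]]:
    """Secret key: n random pairs (x_{i,0}, x_{i,1}).
    Public key: their images (f(x_{i,0}), f(x_{i,1})): 2nk bits, 2n evaluations of f."""
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, m: int) -> List[bytes]:
    """Alice opens x_{i, m_i} for every position i."""
    n = len(sk)
    return [sk[i][b] for i, b in enumerate(bits(m, n))]


def verify(pk, m: int, sig: List[bytes]) -> bool:
    """Bob's check: f(z_i) == y_{i, m_i} for all i; otherwise he moves to state N."""
    n = len(pk)
    if len(sig) != n:
        return False
    return all(f(z) == pk[i][b] for i, (z, b) in enumerate(zip(sig, bits(m, n))))


def forge_from_two(n: int, m1: int, sig1: List[bytes],
                   m2: int, sig2: List[bytes]) -> Optional[Tuple[int, List[bytes]]]:
    """Key reuse: from valid signatures on m1 != m2, build a valid signature on a
    third message m3 that Alice never signed. Needs m1 and m2 to differ in at
    least two positions; m3 is m1 with the first differing bit taken from m2."""
    b1, b2 = bits(m1, n), bits(m2, n)
    diff = [i for i in range(n) if b1[i] != b2[i]]
    if len(diff) < 2:
        return None  # with a single differing bit, m3 would equal m2
    j = diff[0]
    sig3 = list(sig1)
    sig3[j] = sig2[j]             # that preimage was opened when m2 was signed
    m3 = m1 ^ (1 << (n - 1 - j))  # flip bit j of m1
    return m3, sig3


if __name__ == "__main__":
    n = 8
    sk, pk = keygen(n)
    m = 0b10110010
    s = sign(sk, m)
    print("valid:", verify(pk, m, s), "tampered:", verify(pk, m ^ 1, s))
    m2 = 0b01001101
    m3, s3 = forge_from_two(n, m, s, m2, sign(sk, m2))
    print("forged", bin(m3), "verifies:", verify(pk, m3, s3))
```

The forgery needs no inversion of f at all, which is exactly why the public key must be regenerated after every signature (the regeneration idea below).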
Security of the Scheme
Theorem: If there is an adversary A that
• chooses a message m ∈ {0,1}^n for Alice to legitimately
authenticate
• forges a message m’ ≠ m
with probability at least ε
Then there is an adversary B that
• can break the function f with probability at least ε/2n
• operates in time roughly the same as A
Proof sketch: B gets y = f(z) to invert, picks a random position i ∈ {1, …, n} and bit b, and plants y as the b-image at position i of the public key, generating the other 2n − 1 pairs honestly. If the message m chosen by A has mi = b, B gives up (it cannot reveal a preimage of y); otherwise it signs m and runs A. A forgery m’ ≠ m differs from m at some position, and if that position is i (so m’i = b) it contains a preimage of y. Since (i, b) is independent of A’s view, B inverts with probability at least ε/2n.
Size of the public key
• The size of the public key
– Let f: {0,1}^k → {0,1}^k be a one-way function
– To be able to sign an n-bit message, 2nk bits of public key are needed
• Preparing a public key takes
– 2n evaluations of the one-way function
and
– 2nk bits of public key
Homework: Suggest a tradeoff with more evaluations but
fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way
on their iterates
Regeneration
• If we could get a smaller public key, we could regenerate: sign a fresh
public key along with each message, and so sign/authenticate an unbounded number of messages
– What if you had three wishes…?
• Idea: use hashing to compress the new public key
• What about universal hashing?
– Problem: in universal hashing both m and m’ are fixed before the hash function is chosen, whereas here m’ is chosen after the function is known
– Must use computational hardness somewhere
Possible definitions
• A function g: {0,1}^{2n} → {0,1}^n where it is hard to
find m’ ≠ m with g(m) = g(m’)
• Problems:
– not good for non-uniform models (a single fixed function has a collision that a non-uniform adversary can have hard-wired)
– hard to connect to other assumptions
• Want a family of functions from which one is
selected
• Use the advantage we have: the target is known
Possible definitions
• A family of functions
G = {g | g: {0,1}^n → {0,1}^{h(n)}}
such that
• It is easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) it is easy to compute g(x)
• h(n) < n
• Hard to find collisions:
Alternative 1 – any collision
– Given n and g ∈ G it is hard to find x, x’ ∈ {0,1}^n where
x ≠ x’ but g(x) = g(x’)
– Sometimes called collision intractable
– hard to connect to other assumptions
Alternative 2 – target collision
– Given (n, g, x) it is hard to find x’ ∈ {0,1}^n where
x ≠ x’ but g(x) = g(x’)
Universal One-Way Hash functions
UOWHFs
When/how is the target x chosen?
Independently of g, but we want it to work for any possible x
– First x is selected by the adversary, then g ∈ G is selected at random
Technical point: let ℓ1, ℓ2: {0,1}* → {0,1}* be functions mapping n to the input and output
sizes. We assume
– ℓ1(n) > ℓ2(n) and
– both are bounded by polynomials in n
Definition: A family of functions G = ⋃_{n=1}^∞ Gn where Gn = {g | g: {0,1}^{ℓ1(n)} → {0,1}^{ℓ2(n)}} is called
(ℓ1, ℓ2)-universal one-way hash if:
• Given n it is easy to sample a random g from Gn, and g ∈ Gn has a description polynomial in n
• Given (n, g, x) it is easy to compute g(x)
• Hard to find target collisions: no polynomial-time adversary that on input n
– generates x ∈ {0,1}^{ℓ1(n)} and then,
– given a random g ∈ Gn, finds x’ ∈ {0,1}^{ℓ1(n)} where
x ≠ x’ but g(x) = g(x’)
succeeds with non-negligible probability for sufficiently large n
Homework
• Show that the existence of UOWHFs implies the existence of
one-way functions
• Show that there are families of UOWHFs which are not
collision intractable
• Show that if the (n, βn)-subset sum assumption holds for
β < 1, then the corresponding subset sum function defines a family
of UOWHFs
– You may use the fact that for m = βn, for most a1, a2, …, an ∈
{0, …, 2^m − 1} the distribution of T = Σ_{i∈S} ai is close to uniform
when S is random.
Composing UOWHFs
Concatenation
Let G be an (ℓ1, ℓ2)-family of UOWHFs
Consider the (2ℓ1, 2ℓ2)-family G’ where each g’ ∈ G’ is defined by a function g ∈ G
and where
g’(x1, x2) = g(x1), g(x2)
Claim: the family above is a (2ℓ1, 2ℓ2)-family of Universal One-way Hash functions
Proof: let the adversary choose (x1, x2) as the target and let (x’1, x’2) be the colliding value
• If x1 ≠ x’1, we have found a collision with x1, i.e. g(x1) = g(x’1)
• If x2 ≠ x’2, we have found a collision with x2, i.e. g(x2) = g(x’2)
• Guess which case b ∈ {0,1} will occur (the guess is made before g is received, since the target must be committed first)
– correct with probability ½ and
– output xb as the target; at least one of the two cases must hold since the same g is applied to both halves
Running time: similar.
Probability of success: at least ½ of the success probability against G’
Composing UOWHFs
Composition
Let
• G1 be an (ℓ1, ℓ2)-family of UOWHFs
• G2 be an (ℓ2, ℓ3)-family of UOWHFs
Consider the family G which is an (ℓ1, ℓ3)-family and where
each g ∈ G is defined by g1 ∈ G1 and g2 ∈ G2
g(x) = g2(g1(x))
Claim: the family above is an (ℓ1, ℓ3)-family of UOWHFs
Proof: the collision must occur either at the first hash function or at
the second hash function…
[Figure: x ∈ {0,1}^ℓ1 → g1 → {0,1}^ℓ2 → g2 → {0,1}^ℓ3]
Proof:
• If a collision in the first phase (g1(x) = g1(x’) with x ≠ x’) occurs more frequently,
we can break G1
– Use the target x given by the adversary as the target
for G1
• If a collision in the second phase (g1(x) ≠ g1(x’) but g2(g1(x)) = g2(g1(x’))) occurs more frequently,
we can break G2
– Take the target x given by the adversary, choose g1 ∈R G1 and set z = g1(x)
as the target for G2
– Given g2 ∈ G2, give the adversary g = (g1, g2)
– Key point: g1 can be chosen in the target phase, before g2 is known
The Tree Construction
[Figure: a binary tree of hash functions applied to the message m; all nodes on level i use the same gi ∈ G, with g1 at the leaves, g2 above it and g3 at the root]
Let G be a (2k, k)-UOWHF
Let n = 2·l·k and t = log(n/k). Each gi is chosen independently from G.
The result is a family of functions {0,1}^n → {0,1}^k which is an (n, k)-UOWHF
Size of representation: t·log|G| where t is the number of levels in the tree
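The tree construction as an added example (not from the lecture): the (2k, k)-family G is instantiated, purely as a readability assumption, by HMAC-SHA256 keyed with the description of g and truncated to k bits. What the code shows is the level structure, the independently chosen per-level g_i and the t·log|G| description size; tree_keygen, tree_hash, level_sizes and description_bits are my names.

```python
"""Tree construction of an (n, k)-UOWHF from a (2k, k)-family G (added example).

g_apply is a stand-in for a member g of G (assumption: HMAC-SHA256 keyed
by g's description, truncated to k bits). The tree has t = log2(n/k)
levels; level i applies the same g_i to every adjacent pair of blocks.
"""
import hashlib
import hmac
import secrets
from typing import List


def g_apply(key: bytes, left: bytes, right: bytes, k_bytes: int) -> bytes:
    """Stand-in for g in G: {0,1}^{2k} -> {0,1}^k, selected by `key` (g's description)."""
    return hmac.new(key, left + right, hashlib.sha256).digest()[:k_bytes]


def num_levels(n_bits: int, k_bits: int) -> int:
    """t = log2(n/k); n = 2*l*k with l a power of two, so n/k is a power of two >= 2."""
    blocks = n_bits // k_bits
    if n_bits % k_bits or blocks < 2 or blocks & (blocks - 1):
        raise ValueError("n must be k times a power of two, at least 2k")
    return blocks.bit_length() - 1


def level_sizes(n_bits: int, k_bits: int) -> List[int]:
    """Bit-length of the intermediate values from the input down to the root: n, n/2, ..., k."""
    return [n_bits >> i for i in range(num_levels(n_bits, k_bits) + 1)]


def tree_keygen(n_bits: int, k_bits: int, key_bytes: int = 16) -> List[bytes]:
    """One independently chosen g_i per level: t keys, t * log|G| bits in total."""
    return [secrets.token_bytes(key_bytes) for _ in range(num_levels(n_bits, k_bits))]


def description_bits(keys: List[bytes]) -> int:
    return 8 * sum(len(key) for key in keys)


def tree_hash(keys: List[bytes], m: bytes, k_bits: int) -> bytes:
    """Hash m in {0,1}^n down to k bits: level i applies g_i to each adjacent pair."""
    kb = k_bits // 8
    if len(m) != kb << len(keys):
        raise ValueError("message must be exactly 2^t blocks of k bits")
    level = [m[i:i + kb] for i in range(0, len(m), kb)]
    for key in keys:  # leaves first: g_1, then g_2, ..., g_t at the root
        level = [g_apply(key, level[j], level[j + 1], kb)
                 for j in range(0, len(level), 2)]
    return level[0]


if __name__ == "__main__":
    n, k = 1024, 128
    keys = tree_keygen(n, k)
    msg = secrets.token_bytes(n // 8)  # constructed sample input
    print("levels:", level_sizes(n, k), "description bits:", description_bits(keys))
    print("digest:", tree_hash(keys, msg, k).hex())
```

Each level is the concatenation construction (one g applied to every pair) and the levels are composed, so the security argument is the two compositions above applied t times; the reduction must guess the level of the collision, which is where the factor t in the loss comes from.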
Constructing (n, n−1)-UOWHFs
• Idea: combine one-way with universal
– Want to match each image of the one-way function with another
random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly
Universal2 family
• Let chop_{n−1}: {0,1}^n → {0,1}^{n−1} be a 2-to-1 function
Consider the (n, n−1)-family G where each g ∈ G is
defined by h ∈ H
g(x) = chop_{n−1}(h(f(x)))
Pair-wise independent permutations
Definition: a family of permutations (1-1 functions)
H = {h | h: {0,1}^n → {0,1}^n}
is called Strongly Universal2 or pair-wise independent if:
– for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and
y1 ≠ y2 we have
Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n · 1/(2^n − 1)
where the probability is over a randomly chosen h ∈ H
The same as for truly random permutations
In particular Prob[h(x2) = y2 | h(x1) = y1] = 1/(2^n − 1)
Construction: let F be a finite field (e.g. GF[2^n])
H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}
New condition: H must be a family of permutations
Constructing (n, n−1)-UOWHFs
• Idea: combine one-way with universal
– Want to match each image of the one-way function with another random
image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of
permutations
• Let chop_{n−1}: {0,1}^n → {0,1}^{n−1} be a 2-to-1 function
– E.g. chopping the last bit of the input
Consider the (n, n−1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n−1}(h(f(x)))
Proof of Security
Want to construct, from an algorithm A that finds target collisions for G,
an inversion algorithm B for f
Algorithm B:
• Input: y = f(z) to invert
• Run algorithm A to get the target x
• Find a random h ∈ H such that
chop_{n−1}(h(y)) = chop_{n−1}(h(f(x)))
and give the corresponding g as the challenge to A
– Why does such an h exist and how to find it?
• If A finds x’ such that g(x’) = g(x) then
chop_{n−1}(h(f(x))) = chop_{n−1}(h(f(x’))) = chop_{n−1}(h(y))
and y = f(x’): since x’ ≠ x and both f and h are 1-1, h(f(x’)) ≠ h(f(x)), so h(f(x’)) is the unique other preimage under chop_{n−1} of chop_{n−1}(h(f(x))), which is h(y)
[Figure: B receives y = f(z), obtains the target x from A, answers with the challenge g, and outputs A’s x’ as a preimage of y]
What is the probability of success of B?
The same as that of the simulated collision-finding algorithm A for G
Claim: the distribution the simulated algorithm A witnesses is the same as for the real A
Why does such an h exist and how to find it?
chop_{n−1}(h(y)) = chop_{n−1}(h(f(x)))
• Choose random w ∈ {0,1}^n
• Let w’ ≠ w be the value with chop_{n−1}(w) = chop_{n−1}(w’)
• Want h(y) = w and h(f(x)) = w’
• Such an h should exist from pair-wise independence (when y ≠ f(x); if y = f(x) then x itself is the preimage B wants)
• Easy to find and unique for
H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}: solve the two linear equations a·y + b = w and a·f(x) + b = w’ for a and b
• Open problem(?): what happens to the security of the
construction if H does not have the property
Distribution of simulated A vs. real A
The difference between the simulated and the real A:
• Real A gets g defined by a random h ∈ H
• Simulated A chooses x and gets g defined by
– choosing random z ∈ {0,1}^n and computing y = f(z)
• y is uniform in {0,1}^n since f is a permutation
– choosing random w ∈ {0,1}^n and finding the random h ∈ H such that
h(y) = w and h(f(x)) = w’
– Since both y and w are uniformly random, the resulting h is a
random h ∈ H (h_{a,b} is determined by the two random points (y, w) and (f(x), w’))
Simulated A and real A witness the same distribution
The probability that B inverts is the same as that of A finding a collision
What about the reverse combination?
Let f: {0,1}^n → {0,1}^n be a one-way permutation
Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of
permutations
Consider the (n, n−1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n−1}(f(h(x)))
Is it a UOWHF?
Not necessarily: if
• h is easy to invert
and
• f does not affect the last bit (e.g. f(u) = (f’(u1 … u_{n−1}), un) for a one-way permutation f’ on n − 1 bits)
– not contradictory to H being pair-wise independent or to f being one-way and a permutation
then it is easy to find collisions: for any x, the x’ = h^{−1}(h(x) with its last bit flipped) collides with x under chop_{n−1}∘h and therefore also under g
From (n, n−1)-UOWHFs to (n, n/2)-UOWHFs
• Idea: composition (compose n/2 functions, each shrinking its input by one bit).
• What happens to the security of the scheme?
– The probability of inverting f given a collision-finding
algorithm for G may be smaller by a factor of 2/n: the reduction has to guess at which of the n/2 stages the collision occurs
Sources
• Chapter on signatures in Goldreich’s
Foundations of Cryptography, volume 2
• www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
– Universal Hashing:
• Carter and Wegman, JCSS 1979; Wegman and Carter, JCSS 1981
– UOWHF: Naor and Yung
• www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html
Homework
• Given ε and n, what is the number of bits needed to
specify an authentication scheme?
• Bonus: Can interaction help?
– Can the number of shared secret bits be smaller than in
a unidirectional scheme?
– Can the number of shared bits depend on ε only?