Published by Jakobe Hopewell. Modified over 2 years ago.

1
Foundations of Cryptography
Lecture 5
Lecturer: Moni Naor

2
Recap of last week’s lecture
The one-time authentication problem
The hash based protocol
Strongly Universal Hash functions
– Definition and Constructions
δ-Universal$_2$ hash functions
– Their application in authentication
– Polynomial Constructions
– Composition and tree

3
The hardest case of the subset problem
$(n,m)$-subset sum assumption: for any probabilistic polynomial time algorithm, for uniformly chosen $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^m - 1\}$ and $S \subseteq \{1, \ldots, n\}$, given $T = \sum_{i \in S} a_i$ and $a_1, a_2, \ldots, a_n$, the probability of finding $S' \subseteq \{1, \ldots, n\}$ such that $\sum_{i \in S'} a_i = T \bmod 2^m$ is negligible
Show that the hardest case is when $n = m$
– If there is some function $g$ such that for $m = g(n)$ the $(n, g(n))$-subset sum assumption holds, then the $(n,n)$-subset sum assumption holds
Idea: chop the problem to make it square
Important point: for any $T$ the expected number of solutions $S$ to $T = \sum_{i \in S} a_i \bmod 2^n$ is 1
– Expectation is over random $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^n - 1\}$
– Expected number of collisions with $S$ is about 1

4
The authentication problem: computational public-key version
Alice would want to send a message $m \in \{0,1\}^n$ to Bob or to Charlie
– Set-up phase is public
They want to prevent Eve from interfering
– Bob should be sure that the message $m'$ he receives is equal to the message $m$ Alice sent
[Figure: Alice, Bob and Eve, with the message $m$]

5
Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register $R \in N$ (no message) $\cup\ \{0,1\}^n$
Eve completely controls the channel
Requirements:
Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in $R$
Soundness: If Alice wants to send $m$ and Eve does interfere
– $R$ is either $N$ or $m$ (but not $m' \ne m$)
– If Alice does not want to send a message $R$ is $N$
Since this is a generalization of the identification problem – must use shared secrets and probability or complexity
Probabilistic version:
for any behavior from Eve, for any message $m \in \{0,1\}^n$, the probability that Bob is in state $m' \ne m$ or $N$ is at most $\varepsilon$

6
What about the public-key problem?
Recall: Bob and Charlie share the set-up phase information
Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in register $R$
– Soundness: If Alice wants to send $m$ and Eve and Charlie do interfere
  $R$ is either $N$ or $m$ (but not $m' \ne m$)
– Existential forgery
  If Alice does not want to send a message $R$ is $N$
Who chooses which $m$ Alice will want to approve?
– Adversary does. This is a chosen message attack
When is $m'$ chosen – might be after authentication on $m$ seen
As before: complexity to the rescue

7
A one-time public-key authentication problem
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way function
– The adversary's running time is bounded by a polynomial
To sign/authenticate a single bit message
Setup phase:
– Alice chooses a random pair $\{x_0, x_1 \in \{0,1\}^n\}$ and
– Computes $y_0 = f(x_0)$ and $y_1 = f(x_1)$
– Gives Bob and Charlie $(y_0, y_1)$
When Alice wants to approve $m \in \{0,1\}$ – she sends $(m, x_m)$
If Bob gets any symbols on channel – call them $(b,z)$; he computes $f(z)$ and compares it to $y_m$
– If equal, moves to state $m$
– If not equal, moves permanently to state $N$
Why is it secure?
What about $n$-bit messages?
– Alice prepares a set of $n$ pairs and opens the appropriate ones
Since this is noninteractive, Bob can convince Charlie that Alice approved message $m$
– Non repudiation from Alice

8
Signing $n$-bit messages
[Figure: Public key $f(x_1^0), f(x_1^1), f(x_2^0), f(x_2^1), \ldots, f(x_n^0), f(x_n^1)$; Message 1 010]
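The n-bit scheme from the two slides above, written out as an added example (not code from the lecture). It assumes SHA-256 as a stand-in for the one-way function f and 256-bit secret values; the function names are illustrative.

```python
import hashlib
import secrets

N_BYTES = 32  # length of each secret value x (assumption: 256-bit values)


def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def bits_of(message: bytes):
    """Yield the message bits, most significant bit of each byte first."""
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def keygen(n_bits: int):
    """Secret key: n pairs (x_i^0, x_i^1). Public key: their images under f."""
    sk = [(secrets.token_bytes(N_BYTES), secrets.token_bytes(N_BYTES))
          for _ in range(n_bits)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk


def sign(sk, message: bytes):
    """Open x_i^{m_i} for every message bit m_i. Use each key only once:
    a second signature reveals preimages the first one kept hidden."""
    bits = list(bits_of(message))
    if len(bits) != len(sk):
        raise ValueError("message length must equal the key length in bits")
    return [sk[i][b] for i, b in enumerate(bits)]


def verify(pk, message: bytes, signature) -> bool:
    """Bob's check: f(z_i) must equal y_i^{m_i} at every position i."""
    bits = list(bits_of(message))
    if len(bits) != len(pk) or len(signature) != len(pk):
        return False
    ok = True
    for i, b in enumerate(bits):
        ok &= secrets.compare_digest(f(signature[i]), pk[i][b])
    return ok
```

Verification needs only the public key, which is why Bob can hand the pair (message, signature) to Charlie as evidence.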

9
Security of the Scheme
Theorem: If there is an Adversary $A$ that
– chooses a message $m \in \{0,1\}^n$ for Alice to legitimately authenticate
– forges a message $m' \ne m$ with probability at least $\varepsilon$
Then there is an Adversary $B$ that can break the function $f$ with probability at least $\varepsilon/n$
– operates in time roughly the same as $A$
Proof: Homework

10
Size of the public key
The size of the public key – to be able to sign an $n$-bit message need $2n^2$ bits of public key.
Preparing a public key takes
– $n$ evaluations of the one-way functions and
– $2n^2$ bits of public key.
Homework: Suggest a tradeoff with more evaluation but fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way on their iterates

11
Regeneration
If we could get a smaller public-key could be able to regenerate smaller and sign/authenticate an unbounded number of messages
– What if you had three wishes…?
Idea: use hashing to compress the message
What about universal hashing?
– Problem: both $m$ and $m'$ are chosen in advance in universal hashing
– Must use computational hardness somewhere

12
Possible definitions
A function $g: \{0,1\}^{2n} \to \{0,1\}^n$ where it is hard to find $m' \ne m$ but $g(m) = g(m')$
Problems:
– not good for non-uniform models
– hard to connect to other assumptions
Want a family of functions from which one is selected
Use the advantage we have: the target is known

13
Possible definitions
A family of functions $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^{h(n)}\}$
Such that
Easy to sample $g$ from $G$ and $g \in G$ has succinct description
Given $(n, g, x)$ easy to compute $g(x)$
$h(n) < n$
Hard to find collisions:
Alternative 1 – any collision
– Given $n$ and $g \in G$ hard to find $x, x' \in \{0,1\}^n$ where $x \ne x'$ but $g(x) = g(x')$
– Sometimes called collision intractable
– hard to connect to other assumptions
Alternative 2 – target collision
– Given $(n, g, x)$ hard to find $x' \in \{0,1\}^n$ where $x \ne x'$ but $g(x) = g(x')$

14
Universal One-Way Hash functions (UOWHFs)
When/how is the target $x$ chosen?
Independently of $g$ but want to work for any possible $x$
– First $x$ is selected by adversary, then $g \in G$ is selected at random
Technical point: let $\ell_1, \ell_2: \{0,1\}^* \to \{0,1\}^*$ be functions mapping $n$ to input and output sizes. We assume
– $\ell_1(n) < \ell_2(n)$ and
– both are bounded by polynomials in $n$
Definition: A family of functions $G = \bigcup_{n=1}^{\infty} G_n$ where $G_n = \{g \mid g: \{0,1\}^{\ell_1(n)} \to \{0,1\}^{\ell_2(n)}\}$ is called $(\ell_1, \ell_2)$-universal one-way hash if:
Given $n$ easy to sample random $g$ from $G_n$ and $g \in G_n$ has description polynomial in $n$
Given $(n, g, x)$ easy to compute $g(x)$
Hard to find target collisions: no polynomial time adversary can on input $n$
– generate $x \in \{0,1\}^{\ell_1(n)}$
– given a random $g \in G_n$ find $x' \in \{0,1\}^n$ where $x \ne x'$ but $g(x) = g(x')$
succeed with non-negligible probability for sufficiently large $n$

15
Homework
Show that the existence of UOWHFs implies the existence of one-way functions
Show that there are families of UOWHFs which are not collision intractable
Show that if the $(n, \beta n)$-subset sum assumption holds, then the corresponding subset function defines a family of UOWHFs

16
Composing UOWHFs
Concatenation
Let $G$ be a $(\ell_1, \ell_2)$-family of Universal One-way Hash functions
Consider the $(2\ell_1, 2\ell_2)$-family $G'$ where each $g' \in G'$ is defined by a function $g \in G$ and where $g'(x_1, x_2) = g(x_1), g(x_2)$
Claim: the family above is a $(2\ell_1, 2\ell_2)$-family of Universal One-way Hash functions
Proof: let the adversary choose $x_1, x_2$ as the target and let $x'_1, x'_2$ be the colliding value
If $x_1 \ne x'_1$, found a collision with $x_1$: $g(x_1) = g(x'_1)$
If $x_2 \ne x'_2$, found a collision with $x_2$: $g(x_2) = g(x'_2)$
Guess which case $b \in \{0,1\}$ will occur
– correct with probability ½ and
– output $x_b$ as the target collision
Running time – similar. Probability of success at least ½ of that for $G'$

17
Composing UOWHFs
Composition
Let $G_1$ be a $(\ell_1, \ell_2)$-family of UOWHFs
$G_2$ be a $(\ell_2, \ell_3)$-family of UOWHFs
Consider the family $G$ which is a $(\ell_1, \ell_3)$-family and where each $g \in G$ is defined by $g_1 \in G_1$ and $g_2 \in G_2$
$g(x) = g_2(g_1(x))$
Claim: the family above is a $(\ell_1, \ell_3)$-family of UOWHFs
Proof: the collision must occur either at the first hash function or the second hash function…
[Figure: $\ell_1$, $\ell_2$, $\ell_3$]

18
The Tree Construction
[Figure: $g_1$, $g_2$, $g_3$; $m$]
Let $n = l \cdot k$ and let each $g_i$ be chosen independently from $G$, a $(2k,k)$-UOWHF family; then the result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is $(n,k)$-UOWHF
Size: $t \log |G|$ where $t$ is the number of levels in the tree
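An added sketch of the tree construction (not code from the lecture), showing that the sampled description is one independent key per level rather than one per node. It assumes a binary tree over a power-of-two number of k-byte blocks and uses keyed BLAKE2b as a stand-in for a member of the (2k,k) family; all names are illustrative.

```python
import hashlib
import secrets

K = 16  # block size k in bytes (assumption)


def compress(key: bytes, left: bytes, right: bytes) -> bytes:
    """Stand-in for the member of a (2k,k) family G selected by `key`.
    Assumption: keyed BLAKE2b truncated to k bytes plays the role of g."""
    return hashlib.blake2b(left + right, key=key, digest_size=K).digest()


def sample_keys(num_blocks: int):
    """One independent key per tree level: t = log2(l) keys, not one per node."""
    if num_blocks < 1 or num_blocks & (num_blocks - 1):
        raise ValueError("number of blocks must be a power of two")
    return [secrets.token_bytes(K) for _ in range(num_blocks.bit_length() - 1)]


def tree_hash(keys, message: bytes) -> bytes:
    """Hash l*k bytes down to k bytes; every node on level i uses g_i."""
    if len(message) != K << len(keys):
        raise ValueError("message must be exactly 2^t blocks of k bytes")
    layer = [message[i:i + K] for i in range(0, len(message), K)]
    for key in keys:                      # level 1 is next to the leaves
        layer = [compress(key, layer[j], layer[j + 1])
                 for j in range(0, len(layer), 2)]
    return layer[0]


def key_bytes(keys) -> int:
    """Description size of the sampled function: t * log|G| (here t * k bytes)."""
    return sum(len(k) for k in keys)
```

Doubling the message length adds one level and therefore one more key, so the description grows with the depth of the tree and not with the number of nodes.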

19
Constructing $(n, n-1)$-UOWHFs
Idea: Combine one-way with universal
– Want to match each image of the one-way functions with another random image
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family
Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$
$g(x) = \mathrm{chop}_{n-1}(h(f(x)))$
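A toy instance of this construction with n = 8, added here as an example (not code from the lecture), to show where the collision partner of a target x sits. The assumptions are mine: f is discrete exponentiation modulo 257 (a permutation, but trivially invertible at this size), h(y) = a·y + b over GF(2^8), and chop drops the lowest bit.

```python
N = 8                 # toy block size in bits; far too small for any security
P, GEN = 257, 3       # 3 generates the multiplicative group mod the prime 257


def f(x: int) -> int:
    """Toy permutation of {0..255}: discrete exponentiation, shifted by 1."""
    return pow(GEN, x, P) - 1


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def g(a: int, b: int, x: int) -> int:
    """g(x) = chop_{n-1}(h(f(x))) with h(y) = a*y + b over GF(2^8)."""
    return (gf_mul(a, f(x)) ^ b) >> 1      # chop drops the lowest bit


def gf_inv(a: int) -> int:
    """Inverse of a nonzero field element, by exhaustive search."""
    return next(c for c in range(1, 256) if gf_mul(a, c) == 1)


def collision_partner(a: int, x: int) -> int:
    """The unique x' != x with g(x') = g(x), for a != 0 (any b).

    h(y') = h(y) xor 1 forces y' = y xor a^{-1}, so the partner is
    f^{-1}(f(x) xor a^{-1}): finding it means inverting f at a point
    that the random choice of h has randomised.
    """
    target = f(x) ^ gf_inv(a)
    return next(z for z in range(256) if f(z) == target)   # brute-force f^{-1}
```

The brute-force inversion in the last line is the step that a one-way permutation at real parameter sizes is assumed to rule out.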

20
Sources
Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2 (unpublished) www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
Papers:
– Universal Hashing: Carter & Wegman, Wegman and Carter, JCSS 1979, 1981
– UOWHF: Naor & Yung www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html
