Download presentation

Presentation is loading. Please wait.

Published byGiles Brett Montgomery Modified over 5 years ago

1
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor

2
Recap of last week’s lecture Ultimate or Universal One-way functions The many time identification problem – Specification and solutions Functions that are one-way on their iterates The Rabin function

3
The authentication problem one-time version Alice would want to send a message m {0,1} n to Bob They want to prevent Eve from interfering –Bob should be sure that the message m’ he receives is equal to the message m Alice sent Alice Bob Eve m

4
Specification of the Problem Alice and Bob communicate through a channel N Bob has an external register R N (no message) ⋃ {0,1} n Eve completely controls the channel Requirements: R Completeness : If Alice wants to send m {0,1} n and Eve does not interfere – Bob has value m in R Soundness : If Alice wants to send m and Eve does interfere –RN –R is either N or m (but not m’ ≠ m ) RN –If Alice does not want to send a message R is N Since this is a generalization of the identification problem – must use shared secrets and probability or complexity Probabilistic version: N for any behavior from Eve, for any message m {0,1} n, the probability that Bob is in state m’ ≠ m or N is at most ε

5
Authentication using hash functions Suppose that – H= {h| h: {0,1} n → {0,1} k } is a family of functions – Alice and Bob share a random function h H –To authenticate message m {0,1} n Alice sends (m,h(m)) –When receiving (m’,z) Bob computes h(m’) and compares to z RIf equal, moves register R to m’ R NIf not equal, register R stays in N What properties do we require from H –hard to guess h(m’) - at most ε But clearly not sufficient: one-time pad. –hard to guess h(m’) even after seeing h(m) - at most ε Should be true for any m’ –Short representation for h - must have small log|H| –Easy to compute h(m) given h and m

6
Universal hash functions Given that for h H we have h: {0,1} n → {0,1} k we know that ε≥2 -k A family where this is an equality is called universal 2 Definition : a family of functions H= {h| h: {0,1} n → {0,1} k } is called Strongly Universal 2 or pair-wise independent if: – for all m 1, m 2 {0,1} n and y 1, y 2 {0,1} k we have Prob[h(m 1 ) = y 1 and h(m 2 ) = y 2 ] = 2 -2k Where the probability is over a randomly chosen h H In particular Prob[h(m 2 ) = y 2 | h(m 1 ) = y 1 ] = 2 -k Theorem : when a strongly universal 2 family is used in the protocol, Eve’s probability of cheating is at most 2 -k

7
Constructing universal hash functions The linear polynomial construction: fix a finite field F of size at least the message space 2 n –Could be either GF[2 n ] or GF[P] for some prime P ≥ 2 n The family H of functions h: F → F i s defined as H= {h a,b (m) = a∙m + b | a, b F} Claim : the family above is strongly universal 2 Proof: for every m 1, m 2, y 1, y 2 F there are unique a, b F such that a∙m 1 +b = y 1 a∙m 2 +b = y 2 Size: each h H represented by 2n bits

8
Constructing universal hash functions The inner product construction: fix a finite field F of size at least the target space 2 k –Could be either GF[2 k ] or GF[P] for some prime P ≥ 2 k Let n= l ∙ k Treat each message m {0,1} n as a (l+1) -vector over F where the first entry is 1. Denote by (m 0, m 1, …,m l ) The family H of functions h: F l → F i s defined by all vectors (l+1) -vector H= {h a (m)= ∑ i=0 l a i ∙m i | a 0, a 1, …,a l F} Claim : the family above is strongly universal 2 Proof: for every (m 0, m 1, …,m l ), (m’ 0, m’ 1, …,m’ l ) y 1, y 2 F there are there same number (and non-zero) of solutions to ∑ i=0 l a i ∙m i = y 1 ∑ i=0 l a i ∙m’ i = y 2 Size: each h H represented by n+k bits

9
Lower bound on size of strongly universal hash functions Theorem : let H= {h| h: {0,1} n → {0,1} } be a family of pair-wise independent functions. Then |H| is Ω(2 n ) More precisely, to obtain a d -wise independence family |H| should be Ω(2 n └ d/2 ┘ ) Theorem : see N. Alon and J. Spencer, The Probabilistic Method Chapter 15 on derandomization, proposition 2.3

10
An almost perfect solution By allowing ε to be slightly larger than 2 -k we can get much smaller families Definition : a family of functions H= {h| h: {0,1} n → {0,1} k } is called δ- Universal 2 if for all m 1, m 2 {0,1} n where m 1 ≠ m 2 we have Prob[h(m 1 ) = h(m 2 ) ] ≤ δ Properties: Strongly-universal 2 implies 2 -k - Universal 2 Opposite not true: the function h(x)=x …

11
An almost perfect solution Idea : combine a family of δ- Universal 2 functions H 1 = {h| {0,1} n → {0,1} k } with a Strongly Universal 2 family H 2 = {h| {0,1} k → {0,1} k } Consider the family H where each h H is {0,1} n → {0,1} k and is defined by h 1 H 1 and h 2 H 2 h(x) = h 2 (h 1 (x)) As before Alice sends m, h(m) Claim : probability of cheating is at most δ + 2 -k Proof: when Eve sends m’, y’ we must have m ≠ m ‘ but either –y’ =h(m), which means that Eve succeeds with probability at most δ + 2 -k Collision in h 1 Or in h 2 Or –y’ ≠ h(m) which means that Eve succeeds with probability at most 2 -k Collision in h 2 Size: each h H represented by log |H 1 |+ log |H 2 |

12
Constructing almost universal hash functions The polynomial evaluation construction {0,1} n → {0,1} k : fix a finite field F of size at least the target space 2 k –Could be either GF[2 k ] or GF[P] for some prime P ≥ 2 k Let n= l ∙ k Treat each (non-zero) message m {0,1} n as a degree (l-1) - polynomial over F. Denote by P m The family H of functions h: F l → F is defined by all elements in F : H= {h x (m)= P m (x)| x F} Claim : the family above is δ- Universal 2 for δ= (l-1)/2 k Proof: the maximum number of points where two different degree (l-1) polynomials agree is l-1 Size: each h H represented by k bits m

13
Composing universal hash functions Concatenation Let H where each h H is {0,1} n → {0,1} k be a family of δ- Universal 2 functions Consider the family H’ where each h’ H’ is {0,1} 2n → {0,1} 2k and where h’(x 1,x 2 ) = h(x 1 ), h(x 2 ) for some h H Claim : the family above is δ- Universal 2 Proof: let x 1, x 2 and x’ 1, x’ 2 be a pair of inputs. If x 1 ≠ x’ 1 collision must occur in first part h(x 1 )=h( x’ 1 ) Else, x 2 ≠ x’ 2 and collision must occur in second part h(x 2 )=h( x’ 2 ) In either case the probability is at most δ

14
Composing universal hash functions Composition Let H 1 = {h| h:{0,1} n 1 → {0,1} n 2 } with H 2 = {h| h: {0,1} n 2 → {0,1} n 3 } be families of δ- Universal 2 functions Consider the family H where each h H is {0,1} n 1 → {0,1} n 3 is defined by h 1 H 1 and h 2 H 2 h(x) = h 2 (h 1 (x)) Claim : the family above is 2 δ- Universal 2 Proof: the collision must occur either at the first hash function or the second hash function. Each event happens with probability at most δ and we apply the union bound n2n2 n1n1 n3n3

15
The Tree Construction h1h1 h2h2 h3h3 Let n= l ∙ k and let each h i : {0,1} 2k → {0,1} k be chosen independently from H a δ -Universal family, then result is a family of functions {0,1} n → {0,1} k which is tδ - Universal where t is the number of levels in the tree Size: t log |H| m

16
Homework Given ε,n what is the number of bits needed to specify an authentication scheme? Bonus : Can interaction help? –Can the number of shared secret bits be smaller than in a unidirectional scheme –Can the number of shared bits depend on ε only?

17
What about the public-key problem? Recall: Bob and Charlie share the set-up phase information Is it possible to satisfy the requirements: R – Completeness : If Alice wants to send m {0,1} n and Eve does not interfere – Bob has value m in R – Soundness : If Alice wants to send m and Eve and Charlie do interfere RNR is either N or m (but not m’ ≠ m ) RNIf Alice does not want to send a message R is N Who chooses which m Alice will want to approve? –Adversary does. This is a chosen message attack As before: complexity to the rescue

Similar presentations

© 2020 SlidePlayer.com Inc.

All rights reserved.

To make this website work, we log user data and share it with processors. To use this website, you must agree to our Privacy Policy, including cookie policy.

Ads by Google