 # Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.


### Recap of last week's lecture

- Ultimate or universal one-way functions
- The many-time identification problem: specification and solutions
- Functions that are one-way on their iterates
- The Rabin function

### The authentication problem: one-time version

- Alice wants to send a message $m \in \{0,1\}^n$ to Bob.
- They want to prevent Eve from interfering:
  - Bob should be sure that the message $m'$ he receives is equal to the message $m$ Alice sent.

[Figure: Alice, Bob, Eve; message $m$]

### Specification of the problem

- Alice and Bob communicate through a channel.
- Bob has an external register $R \in N \cup \{0,1\}^n$, where $N$ means "no message".
- Eve completely controls the channel.

Requirements:

- Completeness: if Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere, Bob has value $m$ in $R$.
- Soundness: if Alice wants to send $m$ and Eve does interfere:
  - $R$ is either $N$ or $m$ (but not $m' \neq m$).
  - If Alice does not want to send a message, $R$ is $N$.

Since this is a generalization of the identification problem, it must use shared secrets and probability or complexity.

Probabilistic version: for any behavior from Eve, for any message $m \in \{0,1\}^n$, the probability that Bob is in state $m' \neq m$ or $N$ is at most $\varepsilon$.

### Authentication using hash functions

Suppose that:

- $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is a family of functions.
- Alice and Bob share a random function $h \in H$.
- To authenticate a message $m \in \{0,1\}^n$, Alice sends $(m, h(m))$.
- When receiving $(m', z)$, Bob computes $h(m')$ and compares it to $z$:
  - If equal, he moves register $R$ to $m'$.
  - If not equal, register $R$ stays in $N$.

What properties do we require from $H$?

- Hard to guess $h(m')$: probability at most $\varepsilon$. But this is clearly not sufficient: one-time pad.
- Hard to guess $h(m')$ even after seeing $h(m)$: probability at most $\varepsilon$. This should be true for any $m'$.
- Short representation for $h$: $\log|H|$ must be small.
- Easy to compute $h(m)$ given $h$ and $m$.

### Universal hash functions

Given that for $h \in H$ we have $h: \{0,1\}^n \to \{0,1\}^k$, we know that $\varepsilon \geq 2^{-k}$. A family where this is an equality is called universal$_2$.

Definition: a family of functions $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called strongly universal$_2$, or pair-wise independent, if for all $m_1, m_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^k$ we have

$$\text{Prob}[h(m_1) = y_1 \text{ and } h(m_2) = y_2] = 2^{-2k}$$

where the probability is over a randomly chosen $h \in H$. In particular,

$$\text{Prob}[h(m_2) = y_2 \mid h(m_1) = y_1] = 2^{-k}$$

Theorem: when a strongly universal$_2$ family is used in the protocol, Eve's probability of cheating is at most $2^{-k}$.

### Constructing universal hash functions: the linear polynomial construction

Fix a finite field $F$ of size at least the message space $2^n$.

- Could be either $GF[2^n]$ or $GF[P]$ for some prime $P \geq 2^n$.

The family $H$ of functions $h: F \to F$ is defined as

$$H = \{h_{a,b}(m) = a \cdot m + b \mid a, b \in F\}$$

Claim: the family above is strongly universal$_2$.

Proof: for every $m_1, m_2, y_1, y_2 \in F$ there are unique $a, b \in F$ such that

$$a \cdot m_1 + b = y_1$$
$$a \cdot m_2 + b = y_2$$

Size: each $h \in H$ is represented by $2n$ bits.
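The claim for $h_{a,b}(m) = a \cdot m + b$ can be checked by enumerating every key over a small field, which also shows why the scheme is one-time. This is an added example, not part of the original slides; the field size 7, the sample key (2, 3) and all function names are assumptions chosen for illustration, and the check is over distinct $m_1 \neq m_2$.

```python
from fractions import Fraction
from itertools import product

P = 7  # toy prime field GF(P); small so every key can be enumerated (assumption)

def h(a, b, m):
    """h_{a,b}(m) = a*m + b over GF(P)."""
    return (a * m + b) % P

def is_strongly_universal():
    """For all m1 != m2, each target pair (y1, y2) is hit by exactly one key (a, b)."""
    for m1, m2 in product(range(P), repeat=2):
        if m1 == m2:
            continue
        hits = {}
        for a, b in product(range(P), repeat=2):
            pair = (h(a, b, m1), h(a, b, m2))
            hits[pair] = hits.get(pair, 0) + 1
        if len(hits) != P * P or set(hits.values()) != {1}:
            return False
    return True

def consistent_keys(observed):
    """Keys (a, b) that agree with every (message, tag) pair Eve has seen."""
    return [(a, b) for a, b in product(range(P), repeat=2)
            if all(h(a, b, m) == t for m, t in observed)]

def best_forgery_probability(observed):
    """Eve's best chance that Bob accepts (m', z) for a message m' she has not seen."""
    keys = consistent_keys(observed)
    seen = {m for m, _ in observed}
    best = Fraction(0)
    for m2, z in product(range(P), repeat=2):
        if m2 in seen:
            continue
        accepted = sum(1 for a, b in keys if h(a, b, m2) == z)
        best = max(best, Fraction(accepted, len(keys)))
    return best

# Constructed sample: tags produced under the key (a, b) = (2, 3).
ONE_TAG = [(1, h(2, 3, 1))]
TWO_TAGS = ONE_TAG + [(4, h(2, 3, 4))]

if __name__ == "__main__":
    print(is_strongly_universal())             # pairwise independence holds
    print(best_forgery_probability(ONE_TAG))   # one tag seen: Eve is limited to 1/P
    print(best_forgery_probability(TWO_TAGS))  # key reused: the key is determined
```

With one observed tag, seven keys remain consistent and every forgery is accepted with probability 1/7; after a second tag under the same key only one key remains, so the key must not be reused.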

### Constructing universal hash functions: the inner product construction

Fix a finite field $F$ of size at least the target space $2^k$.

- Could be either $GF[2^k]$ or $GF[P]$ for some prime $P \geq 2^k$.

Let $n = l \cdot k$. Treat each message $m \in \{0,1\}^n$ as an $(l+1)$-vector over $F$ where the first entry is 1. Denote it by $(m_0, m_1, \ldots, m_l)$.

The family $H$ of functions $h: F^l \to F$ is defined by all $(l+1)$-vectors:

$$H = \{h_a(m) = \sum_{i=0}^{l} a_i \cdot m_i \mid a_0, a_1, \ldots, a_l \in F\}$$

Claim: the family above is strongly universal$_2$.

Proof: for every $(m_0, m_1, \ldots, m_l)$, $(m'_0, m'_1, \ldots, m'_l)$ and $y_1, y_2 \in F$ there is the same (non-zero) number of solutions to

$$\sum_{i=0}^{l} a_i \cdot m_i = y_1$$
$$\sum_{i=0}^{l} a_i \cdot m'_i = y_2$$

Size: each $h \in H$ is represented by $n + k$ bits.

### Lower bound on size of strongly universal hash functions

Theorem: let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}\}$ be a family of pair-wise independent functions. Then $|H|$ is $\Omega(2^n)$.

More precisely, to obtain a $d$-wise independent family, $|H|$ should be $\Omega(2^{n \lfloor d/2 \rfloor})$.

Theorem: see N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 on derandomization, proposition 2.3.

### An almost perfect solution

By allowing $\varepsilon$ to be slightly larger than $2^{-k}$ we can get much smaller families.

Definition: a family of functions $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^k\}$ is called $\delta$-universal$_2$ if for all $m_1, m_2 \in \{0,1\}^n$ where $m_1 \neq m_2$ we have

$$\text{Prob}[h(m_1) = h(m_2)] \leq \delta$$

Properties:

- Strongly universal$_2$ implies $2^{-k}$-universal$_2$.
- The opposite is not true: the function $h(x) = x$ …

### An almost perfect solution

Idea: combine a family of $\delta$-universal$_2$ functions $H_1 = \{h \mid \{0,1\}^n \to \{0,1\}^k\}$ with a strongly universal$_2$ family $H_2 = \{h \mid \{0,1\}^k \to \{0,1\}^k\}$.

Consider the family $H$ where each $h \in H$ is $\{0,1\}^n \to \{0,1\}^k$ and is defined by $h_1 \in H_1$ and $h_2 \in H_2$:

$$h(x) = h_2(h_1(x))$$

As before, Alice sends $m, h(m)$.

Claim: the probability of cheating is at most $\delta + 2^{-k}$.

Proof: when Eve sends $m', y'$ we must have $m \neq m'$, but either

- $y' = h(m)$, which means that Eve succeeds with probability at most $\delta + 2^{-k}$ (collision in $h_1$ or in $h_2$), or
- $y' \neq h(m)$, which means that Eve succeeds with probability at most $2^{-k}$ (collision in $h_2$).

Size: each $h \in H$ is represented by $\log|H_1| + \log|H_2|$.

### Constructing almost universal hash functions

The polynomial evaluation construction $\{0,1\}^n \to \{0,1\}^k$: fix a finite field $F$ of size at least the target space $2^k$.

- Could be either $GF[2^k]$ or $GF[P]$ for some prime $P \geq 2^k$.

Let $n = l \cdot k$. Treat each (non-zero) message $m \in \{0,1\}^n$ as a degree $(l-1)$ polynomial over $F$. Denote it by $P_m$.

The family $H$ of functions $h: F^l \to F$ is defined by all elements in $F$:

$$H = \{h_x(m) = P_m(x) \mid x \in F\}$$

Claim: the family above is $\delta$-universal$_2$ for $\delta = (l-1)/2^k$.

Proof: the maximum number of points where two different degree $(l-1)$ polynomials agree is $l-1$.

Size: each $h \in H$ is represented by $k$ bits.
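The polynomial evaluation family and its composition with a strongly universal family ($h(x) = h_2(h_1(x))$, the "almost perfect solution" above) can both be measured exhaustively on a toy field. This is an added example, not part of the original slides; it assumes the prime field GF(7) in place of $GF[2^k]$ (so $2^{-k}$ becomes 1/7), messages of $l = 3$ field elements, $h_2(y) = a \cdot y + b$, and function names chosen for illustration.

```python
from fractions import Fraction
from itertools import combinations, product

P = 7  # toy field GF(P) standing in for GF[2^k]; 1/P plays the role of 2^-k (assumption)
L = 3  # a message is L field elements: the coefficients of a polynomial of degree <= L-1

def poly_hash(x, msg):
    """h_x(m) = P_m(x) = sum_i m_i * x^i over GF(P), evaluated by Horner's rule."""
    acc = 0
    for coeff in reversed(msg):
        acc = (acc * x + coeff) % P
    return acc

def max_collision_probability():
    """Largest Pr_x[h_x(m) = h_x(m')] over all pairs of distinct messages."""
    table = {m: [poly_hash(x, m) for x in range(P)]
             for m in product(range(P), repeat=L)}
    worst = 0
    for m1, m2 in combinations(table, 2):
        agree = sum(1 for u, v in zip(table[m1], table[m2]) if u == v)
        worst = max(worst, agree)
    return Fraction(worst, P)

def tag(key, msg):
    """Composed hash h2(h1(m)): h1 = h_x (delta-universal), h2(y) = a*y + b."""
    x, a, b = key
    return (a * poly_hash(x, msg) + b) % P

def best_forgery_probability(msg):
    """Eve sees (msg, tag); her best acceptance chance for any (m', z) with m' != msg."""
    keys = list(product(range(P), repeat=3))
    best = Fraction(0)
    for seen_tag in range(P):
        consistent = [k for k in keys if tag(k, msg) == seen_tag]
        for m2 in product(range(P), repeat=L):
            if m2 == msg:
                continue
            counts = [0] * P
            for k in consistent:
                counts[tag(k, m2)] += 1
            best = max(best, Fraction(max(counts), len(consistent)))
    return best

if __name__ == "__main__":
    print(max_collision_probability())          # equals delta = (L-1)/P
    print(best_forgery_probability((1, 2, 3)))  # stays below delta + 1/P
```

On this toy field the collision probability meets the bound $(l-1)/|F| = 2/7$ exactly, while Eve's best forgery chance is 19/49, inside the claimed $\delta + 1/7 = 21/49$.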

### Composing universal hash functions: concatenation

Let $H$, where each $h \in H$ is $\{0,1\}^n \to \{0,1\}^k$, be a family of $\delta$-universal$_2$ functions.

Consider the family $H'$ where each $h' \in H'$ is $\{0,1\}^{2n} \to \{0,1\}^{2k}$ and where $h'(x_1, x_2) = h(x_1), h(x_2)$ for some $h \in H$.

Claim: the family above is $\delta$-universal$_2$.

Proof: let $x_1, x_2$ and $x'_1, x'_2$ be a pair of inputs.

- If $x_1 \neq x'_1$, a collision must occur in the first part: $h(x_1) = h(x'_1)$.
- Else, $x_2 \neq x'_2$ and a collision must occur in the second part: $h(x_2) = h(x'_2)$.

In either case the probability is at most $\delta$.

### Composing universal hash functions: composition

Let $H_1 = \{h \mid h: \{0,1\}^{n_1} \to \{0,1\}^{n_2}\}$ with $H_2 = \{h \mid h: \{0,1\}^{n_2} \to \{0,1\}^{n_3}\}$ be families of $\delta$-universal$_2$ functions.

Consider the family $H$ where each $h \in H$ is $\{0,1\}^{n_1} \to \{0,1\}^{n_3}$ and is defined by $h_1 \in H_1$ and $h_2 \in H_2$:

$$h(x) = h_2(h_1(x))$$

Claim: the family above is $2\delta$-universal$_2$.

Proof: the collision must occur either at the first hash function or the second hash function. Each event happens with probability at most $\delta$ and we apply the union bound.

[Figure: $n_1$, $n_2$, $n_3$]

### The tree construction

[Figure: tree labelled $h_1$, $h_2$, $h_3$ and $m$]

Let $n = l \cdot k$ and let each $h_i: \{0,1\}^{2k} \to \{0,1\}^k$ be chosen independently from $H$, a $\delta$-universal family. Then the result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is $t\delta$-universal, where $t$ is the number of levels in the tree.

Size: $t \log|H|$.

### Homework

Given $\varepsilon, n$, what is the number of bits needed to specify an authentication scheme?

Bonus: can interaction help?

- Can the number of shared secret bits be smaller than in a unidirectional scheme?
- Can the number of shared bits depend on $\varepsilon$ only?

### What about the public-key problem?

Recall: Bob and Charlie share the set-up phase information.

Is it possible to satisfy the requirements:

- Completeness: if Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere, Bob has value $m$ in $R$.
- Soundness: if Alice wants to send $m$ and Eve and Charlie do interfere:
  - $R$ is either $N$ or $m$ (but not $m' \neq m$).
  - If Alice does not want to send a message, $R$ is $N$.

Who chooses which $m$ Alice will want to approve?

- The adversary does. This is a chosen message attack.

As before: complexity to the rescue.