1. Foundations of Cryptography Lecture 8 Lecturer: Moni Naor

2. Recap of lecture 6 (three weeks ago) The one-time signature scheme from one-way function (`Lamport’) The idea of regeneration Signature schemes Notions of security

3. What Is A Signature Scheme Allow Alice to publish a public key pk while keeping hidden a secret key sk – Key generation Algorithm Input: security parameter n,random bits Output: pk and sk Given a message m Alice can produce a signature s – Signing Algorithm Input: pk and sk and message m ( plus random bits) –Possible also history of previous messages Output: s ``Anyone” who is given pk and (m,s) can verify it – Signature Verification Algorithm Input: (pk, m, s) Output: `accept’ or `reject’ –The output of the Signing Algorithm is assigned `accept’ All algorithms should be polynomial time Security: ``No one” who is given only pk and not sk can forge a valid (m,s) How to do define properly?

4. Rigorous Specification of Security of a Scheme Recall: To define security of a system must specify: 1.The power of the adversary –computational –access to the system Who chooses the message to be signed What order 2.What constitute a failure of the system What is a legitimate forgery?

5. Existential unforgeability in signature schemes A signature scheme is existentially unforgeable under an adaptive message attack if any polynomial adversary A with Access to the system: for q rounds –adaptively choose messages m i and receive a valid signature s i Tries to break the system: find ( m,s) so that –m  {m 1, m 2, … m q } But – (m,s) is a valid signature. has probability of success at most ε For any q and 1/ ε polynomial in the security parameter and for large enough n adaptive message attack existentially forgery

6. Weaker notions of security How the messages are chosen during the attack –E.g. random messages –Non adaptively (all messages chosen in advance) How the challenge message is chosen –In advance, before the attack –randomly

7. Recall: Regeneration If we could get a smaller public-key could be able to regenerate smaller and sign/authenticate an unbounded number of messages –What if you had three wishes…? Idea: use G a family of UOWHF to compress the message Question: can we use a global one g  G for all nodes of the tree? Question: how to assign messages to nodes in the tree? What exactly are we after? Answered!

8. Specific proposal Key generation : generate the root –Three keys for a one-time signature scheme –A function g  G from a family of UOWHF Signing algorithm: Traverse the tree in a BFS manner –Generate a new triple (three keys for one-time signatures) –Sign the message using the middle part of node –Pt the generated triple in the next available node in the current level If all nodes in current level are assigned, create a new one. –The signature consists of: The one-time signature on the message The nodes along the path to the root the one-time signatures on the hashed nodes along the path to the root Keep secret the private keys of all triples Signing verification: Verify the one-times signature given.

9. When is using a single hash function sufficient The rule of thump of whether a global hash function g is sufficient or not is: Can the legitimate values hashed be chosen as a function of g In this case the only legitimately hashed values are the triples Chosen independently of g Note : if we want to hash the message itself (to obtain a shorter one-time signature need a separate has function for each node

10. Why is tree regeneration secure Consider the legitimate tree and a forged message There is the first place where the two differ This must occur when either: 1. a forged one-time signature is produced Or 2. a false child is authenticated Can guess the place where this happens and what happens with probability at least 1/p(n) –If 1) happens more often: can break the one-time signature –If 2) happens more often: can break the UOWHF

11. Proof of Security Want to construct from the forging algorithm A which is a target collision finding for G algorithm B Algorithm B : Generate a random triple and output as target x Obtain the challenge g Generate the public key/secret key of the scheme –Using g as the global hash function Run algorithm A that tries to break the signature scheme Guess the node where the forgery occurs –Put the triple x –If a false child is authenticated then found a collision with x under g What is the probability of success of B ? The same as the simulated forging algorithm A for G divided by 2q Claim : the probability the simulated algorithm A witnesses is the same as the real A x g x’ B A

12. Conclusion Theorem : If families of UOWHF exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist Corollary : If one-way permutations exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist. Corollary : If one-time public-key identification is possible (equivalent to existence of one-way functions), then signature schemes existentially unforgeable under adaptive chosen message attacks exist.

13. Several other paradigms for creating secure signature schemes Trapdoor permutations –Protection against random attack and forgery of a random challenge Other forms of tree like schemes –Claw-free –Trapdoor Converting interactive identification schemes –If challenge is random Creating a random instance of a problem –Solvable if you know the trapdoor –Example: RSA Only analysis known: assumes an idealized random function –Black box that behaves as a random function –All users including adversary have black-box access to it but cannot see it inside –Much debate in crypto literature

14. The Encryption problem: Alice would want to send a message m  {0,1} n to Bob –Set-up phase is secret They want to prevent Eve from learning anything about the message Alice Bob Eve m

15. The encryption problem Relevant both in the shared key and in the secret key setting Want to use many times Also add authentication… Other disruptions by Eve

16. What does `learn’ mean? If Eve has some knowledge of m should remain the same –Probability of guessing m Min entropy of m –Probability of guess whether m is m 0 or m 1 –Probability of computing some function f of m Ideally: the message sent is a independent of the message m –Implies all the above Shannon: achievable only if the entropy of the shared secret is at least as large as the message m entropy If no special knowledge about m –then |m| Achievable: one-time pad. –Let r  R {0,1} n –Think of r and m as elements in a group –To encrypt m send r+m –To decrypt z send m=z-r

17. Pseudo-random generators Would like to stretch a short secret (seed) into a long one The resulting long string should be usable in any case where a long string is needed –In particular: as a one-time pad Important notion: Indistinguishability Two probability distributions that cannot be distinguished –Statistical indistinguishability: distances between probability distributions –New notion: computational indistinguishability

18. Pseudo-random generators Definition : a function g:{0,1} * → {0,1}* is said to be a (cryptographic) pseudo- random generator if It is polynomial time computable It stretches the input g(x)|>|x| – denote by ℓ(n) the length of the output on inputs of length n If the input is random the output is indistinguishable from random For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1} ℓ(n) for any polynomial p(n) and sufficiently large n |Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| y  R {0,1} ℓ(n) ] | < 1/p(n) Important issues: Why is the adversary bounded by polynomial time? Why is the indistinguishability not perfect?

19. Construction of pseudo-random generators Idea given a one-way function there is a hard decision problem hidden there If balanced enough: looks random Such a problem is a hardcore predicate Possibilities: –Last bit –First bit –Inner product

20. Homework Assume one-way functions exist Show that the last bit/first bit are not necessarily hardcore predicates Generalization: show that for any fixed function h:{0,1} * → {0,1} there is a one-way function f:{0,1} * → {0,1} * such that h is not a hardcore predicate of f Show a one-way function f such that given y=f(x) each input bit of x can be guessed with probability at least 3/4

21. Sources Goldreich’s Foundations of Cryptography, volume 1