Foundations of Cryptography Lecture 6 Lecturer: Moni Naor.


1 Foundations of Cryptography Lecture 6 Lecturer: Moni Naor

2 Recap of last week’s lecture
The one-time signature scheme from one-way function (`Lamport’)
The idea of regeneration
Strongly Universal One-Way Hash
–Definition and Constructions
Combining
–concatenation
–Composition
–Tree composition

3 The Tree Construction
Let G be a (2k,k)-UOWHF
Let $n = 2 \cdot l \cdot k$ and $t = \log(n/k)$.
Each $g_i$ is chosen independently from G.
The result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is an (n,k)-UOWHF
Size of representation: $t \log |G|$ where t is the number of levels in the tree
[Figure: tree diagram with labels $g_1$, $g_2$, $g_3$ and m]

4 Pair-wise independent permutations
Definition: a family of permutations (1-1 functions) $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ is called Strongly Universal$_2$ or pair-wise independent if:
– for all $x_1, x_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^n$ where $x_1 \neq x_2$ and $y_1 \neq y_2$ we have
$\mathrm{Prob}[h(x_1) = y_1 \text{ and } h(x_2) = y_2] = \frac{1}{2^n} \cdot \frac{1}{2^n - 1}$
where the probability is over a randomly chosen $h \in H$
The same as in truly random permutations
In particular $\mathrm{Prob}[h(x_2) = y_2 \mid h(x_1) = y_1] = \frac{1}{2^n - 1}$
Construction: let F be a finite field (e.g. $GF[2^n]$)
$H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F, a \neq 0\}$

5 Constructing (n, n-1)-UOWHFs
Idea: Combine one-way with universal
–Want to match each image of the one-way functions with another random image
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations
Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
–E.g. chopping last bit of input
Consider the (n, n-1)-family G where each $g \in G$ is defined by $h \in H$
$g(x) = \mathrm{chop}_{n-1}(h(f(x)))$

6 Proof of Security
Want to construct from algorithm A which is target collision finding for G an inversion algorithm B for f
Algorithm B:
Input: y=f(z) to invert
Run algorithm A to get target x
Find random $h \in H$ such that $\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$ and give corresponding g as a challenge to A
– Why does such an h exist and how to find it?
If A finds x’ such that g(x’)=g(x) then $\mathrm{chop}_{n-1}(h(f(x))) = \mathrm{chop}_{n-1}(h(f(x'))) = \mathrm{chop}_{n-1}(h(y))$ and y=f(x’) since h is 1-1
What is the probability of success of B? The same as the simulated collision algorithm A for G
Claim: the probability the simulated algorithm A witnesses is the same as the real A
[Figure: interaction between B and A, labelled y=f(z), x, g, x’]

7 Why does such an h exist and how to find it?
$\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$
Choose random $w \in \{0,1\}^n$, let w’ be such that $\mathrm{chop}_{n-1}(w) = \mathrm{chop}_{n-1}(w')$
Want h(y)=w and h(f(x))=w’
Such an h should exist from pair-wise independence
Easy to find and unique for $H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F, a \neq 0\}$
Open problem(?): what happens to the security of the construction if H does not have the property

8 Distribution of simulated A vs. real A
The difference between the simulated and real A:
Real A gets g defined by random $h \in H$
Simulated A chooses x and gets g defined by
–Choosing random $z \in \{0,1\}^n$ and computing y=f(z)
y is uniform in $\{0,1\}^n$ from f being a permutation
–Choosing random $w \in \{0,1\}^n$ and finding random $h \in H$ such that h(y)=w and h(f(x))=w’
– Since both y and w are random, the result is a random $h \in H$
Simulated A and real A witness the same distribution
The probability that B inverts is the same as A finding a collision

9 What about the reverse combination
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations
Consider the (n, n-1)-family G where each $g \in G$ is defined by $h \in H$
$g(x) = \mathrm{chop}_{n-1}(f(h(x)))$
Is it a UOWHF?
Not necessarily: if h is easy to invert and f does not affect the last bit
–not contradictory to either being one-way or a permutation
Then easy to find collisions: any x’ that collides with x under h will also collide under g
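Added example, not part of the lecture slides: a toy n = 8 instance over GF(2^8) of the reduction B from slides 6 and 7 (solve for the unique h_{a,b} with h(y) = w and h(f(x)) = w’, then read the preimage of y off A’s collision) and of the slide 9 collision for the reverse combination. The permutation f, the 7-bit map inside f_keeps_last_bit, the exhaustive stand-in for A and all function names are assumptions chosen for illustration; neither permutation is one-way.

```python
N, POLY = 8, 0x11B    # added toy instance: n = 8, GF(2^8) mod x^8+x^4+x^3+x+1

def gf_mul(a, b):                   # field product; field addition is XOR
    r = 0
    for _ in range(N):
        r ^= a * (b & 1)            # add a when the current bit of b is set
        a = (a << 1) ^ (POLY * (a >> (N - 1)))   # multiply a by x, reduce
        b >>= 1
    return r

def gf_inv(a):                      # a^(2^8 - 2) = 1/a for a != 0; maps 0 to 0
    r = 1
    for _ in range(N - 1):          # a^2 * a^4 * ... * a^128 = a^254
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def h(a, b, x):                     # h_{a,b}(x) = a*x + b with a != 0
    return gf_mul(a, x) ^ b

def chop(v):                        # drop the last bit: a 2-to-1 map
    return v >> 1

def f(x):                           # stand-in permutation (assumed), NOT one-way
    return gf_inv(x) ^ 0x63

def solve_h(p1, w1, p2, w2):        # the unique (a, b): h(p1)=w1, h(p2)=w2
    a = gf_mul(w1 ^ w2, gf_inv(p1 ^ p2))
    return a, w1 ^ gf_mul(a, p1)

def reduction_B(y, x, w, find_collision):    # slides 6-7: invert f at y
    if f(x) == y:                   # A's target is already the preimage
        return x
    a, b = solve_h(y, w, f(x), w ^ 1)        # w' = w ^ 1: chop(w) == chop(w')
    return find_collision(lambda u: chop(h(a, b, f(u))), x)

def brute_A(g, x):                  # exhaustive stand-in for the adversary A
    return next(u for u in range(2**N) if u != x and g(u) == g(x))

def f_keeps_last_bit(u):            # toy permutation that ignores the last bit
    return ((((u >> 1) * 5 + 3) % 128) << 1) | (u & 1)

def g_reverse(a, b, x):             # slide 9: g(x) = chop(f(h(x)))
    return chop(f_keeps_last_bit(h(a, b, x)))

def reverse_collision(a, b, x):     # x' = h^-1(h(x) with its last bit flipped)
    return gf_mul(gf_inv(a), h(a, b, x) ^ 1 ^ b)
```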

10 From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
Idea: composition.
What happens to the security of the scheme?
–The probability of inverting f given a collision finding algorithm for H may be smaller by a factor of 2/n

11 General construction (n, k)-UOWHFs
Use tree composition
Description length: $k \log(n/k)$ (n, n/2)-descriptions of hash function
–2k bits in the example

12 Recall: Regeneration
If we could get a smaller public-key, we could regenerate smaller and sign/authenticate an unbounded number of messages
–What if you had three wishes…?
Idea: use G, a family of UOWHFs, to compress the message
Question: can we use a global one $g \in G$ for all nodes of the tree?
Question: how to assign messages to nodes in the tree?
What exactly are we after?

13 Signature Scheme
Allow Alice to publish a public key pk while keeping hidden a secret key sk
– Key generation Algorithm
Input: security parameter n, random bits
Output: pk and sk
Given a message m Alice can produce a signature s
– Signing Algorithm
Input: pk and sk and message m (plus random bits)
–Possible: also history of previous messages
Output: s
``Anyone” who is given pk and (m,s) can verify it
– Signature Verification Algorithm
Input: (pk, m, s)
Output: `accept’ or `reject’
–Completeness: the output of the Signing Algorithm is assigned `accept’
All algorithms should be polynomial time
Security: ``No one” who is given only pk and not sk can forge a valid (m,s)
How to define properly?

14 Rigorous Specification of Security of a Scheme
Recall: To define security of a system must specify:
1. The power of the adversary
–computational
–access to the system
Who chooses the message to be signed
What order
2. What constitutes a failure of the system
What is a legitimate forgery?

15 Existential unforgeability in signature schemes
A signature scheme is existentially unforgeable under an adaptive message attack if any polynomial adversary A with
Access to the system: for q rounds
–adaptively choose messages $m_i$ and receive a valid signature $s_i$
Tries to break the system: find (m,s) so that
–$m \notin \{m_1, m_2, \ldots, m_q\}$
But
–(m,s) is a valid signature.
has probability of success at most ε
For any q and 1/ε polynomial in the security parameter and for large enough n
[Slide callouts: adaptive message attack; existential forgery]

16 Weaker notions of security
How the messages are chosen during the attack
–E.g. random messages
–Non adaptively (all messages chosen in advance)
How the challenge message is chosen
–In advance, before the attack
–randomly
Homework: show how to construct from a signature scheme that is existentially unforgeable against random message attack a signature scheme that is existentially unforgeable against adaptively chosen message attacks
Hint: use two schemes of the first type

17 Sources
Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2 (unpublished) www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
Papers:
–Existential Unforgeability: Goldwasser, Micali and Rivest, SIAM J. Computing, 1988
–Using UOWHF: Naor & Yung www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html

