Lecturer: Moni Naor Foundations of Cryptography Lecture 3: One-way on its iterates, Authentication

Recap of last week’s lecture One-way functions are essential to the two guard identification problem. –Important idea: simulation Examples of one-way functions –Subset sum, discrete log, factoring Weak one-way functions –Constructing strong one-way functions from weak one-way functions –Important ideas: hardness amplification; reduction Universal/Ultimate one-way function –Robust combiners

Identification - many times Alice would want to send an `approve’ message to Bob many times. They want to prevent Eve from interfering –Bob should be sure that Alice indeed approved each time. How to specify? Alice Bob Eve

Specification of the Problem Alice and Bob communicate through a channel C Bob has an external counter C (# of times Alice approved) Eve completely controls the channel Requirements: CIf Alice wants to approve and Eve does not interfere – Bob increases the counter C CThe number of times Alice approves is a bound the value of counter C CIf Alice wants to approve and Eve does interfere - no requirements from the counter C until there is a quiescent period – A time that Alice wants to approve and Eve does not interfere Not the only possible specification! Can mandate that an approval was sent since the last time counter increased

Solution to the many time identification problem Let k be an upper bound on the number of identifications If Alice and Bob share in the setup phase k passwords Each time Alice want to identify she sends the next unused password. Bob compare with the next password on the list Can they do it with sharing less than k passwords?

Solution to the identification problem Assume that – f is a one-way function –Let k be an upper bound on the number of identifications Setup phase: Alice chooses x  {0,1} n, computes y=f (k) (x) and gives Bob y –Denote y i =f (k-i) (x) When Alice wants to approve the i th time – she sends special symbol $ followed by i and y i =f (k-i) (x) Bob stores x If Bob gets a $ followed by symbols on channel –denote them (j,z) ; C –Compare j to C +1 reject if not equal –Check whether z=f (k-j) (x) CIf equal moves counter C to state j+1

Is it secure? Need care in choosing f Should be difficult to invert any one of the iterated instances of f

One-way on its iterates A function f: {0,1} n → {0,1} n is called one-way on its iterates, if f is a polynomial-time computable function for every probabilistic polynomial-time algorithm A, every polynomial p( ¢ ), and all sufficiently large n ’s: for all k ≤ p(n) Prob[A[f (k) (x)]  f -1 (f (k) (x)) ] ≤ 1/p(n) Where x is chosen uniformly in {0,1} n and the probability is also over the internal coin flips of A From homework: not all one-way functions are one-way on their iterates Every one-way permutation is one-way on its iterates Subset sum function one-way on its iterates –If it one-way then it is one-way of its iterates If you start at a random point and iterate – still random

Example: the squaring function (Rabin) f(x,N)= (x 2 mod N,N) Quadratic residue mod a prime: If s and r satisfy s=r 2 mod P then s is called a quadratic residue modulo P If P is a prime then: – s=r 2 mod P has exactly two solutions mod P if 0<s<P. Can denote +/-r – quadratic residues: multiplicative subgroup with (P-1)/2 elements. –If P=1 mod 4 then -1 is a quadratic residue mod P. Both square-roots are either quadratic residues or non residues –If P=3 mod 4 then -1 is a non-quadratic residue mod P. one square-roots is a quadratic residue, the other not. Squaring mod P is a permutation on the quadratic residues! Computing square-roots: if r=s (p+1)/4 mod P square, then r 2 =s (p+1)/2 =s∙s (p-1)/2 = +/- s mod P If N=P∙Q then s is a quadratic residue modulo N if and only it is a quadratic residue for both P and Q If N=P∙Q where P,Q = 3 mod 4 - called Blum Integers –Each quadratic residue has 4 square-roots –Exactly one of which is quadratic residue in itself –Squaring mod N is a permutation on the quadratic residues!

Finding Square-roots and factoring are equivalent If know the factorization of N=P∙Q, then can compute square-roots If there is a procedure that computes square-roots correctly for non-negligible fraction – can boost it –Random self reducibility If we know (r,t) such that – s=r 2 =t 2 mod N –r =t mod P –r ≠ t mod Q Then we can factor by computing GCD(t-r,N) Homework: show how to use a square-root computing routine to factor while preserving the probability of success.

A one-way on its iterates function To fully specify the function – need a starting procedure for generating – N=P∙Q where P,Q=3 mod 4 –Easy to specify given deterministic primality testing (even probabilistic is sufficient) density of primes –A quadratic residue mod N Easy by generating a random square Resulting function – one-way on its iterates

Security of scheme If scheme can be broken: There is the first time where Eve sent a false value z as y i By the specification of the protocol: –If Eve substitutes a true value y i with her own z – she is caught Hence first false z is also an attempt to forge: Alice approved only i-1 times but Eve convinced Bob to accepts i times If probability of breaking is at least 1/p(n) There is a j ≤ k where Eve does this with probability at least 1/kp(n) Important idea: Existence of a large step Two possible evil actions: Substitute a correct value Invent a value, forge

…Security of scheme For this j can break the (k-j) th iterate of f with probability at least 1/kp(n) – Given y j =f (k-j) (x) compute y=f (j) (y j ) and simulate the adversary for j rounds –Adversary sees exactly the same distribution as in real life Forging at step j must be done by inverting y j Hence probability adversary succeeds in forgery at step j is at least 1/kp(n)

Problems with the scheme Need to know an upper bound k on the number of identifications Need to perform work proportional to k before first identification (what if it flops) Total work (in all k sessions) by Alice: O(k 2 ) –For Bob, if stores last value: O(k) –If Alice stores all k values y j : total work (in all k sessions) only O(k) – Homework : how can Alice store O(log k) values and perform amortized O(log k) work More problems: –need to maintain state, both Alice and Bob (in addition to the counter) –What happens when there are two verifiers

Possible Pitfalls If Bob does not check from scratch compute z=f (k-j) (x) then: Eve might substitute y j with a value z which she can invert in subsequent sessions. –If possible to find “ easy siblings ” could be dangerous –Homework: show that there is a function f that is One-way on its iterates Given x it is easy to find x' such that f(x)=f(x’) and it is easy to invert f on x’

Question Is it possible to have a protocol based on a function that it one-way on its iterates without bob maintaining a state?

Want a scheme with unlimited use If we have a function that only Alice can compute but both Bob and Charlie can verify Alice can compute for session number i the value f(i) Problem: interleaving of verifiers – can replay Solution: challenge response –Verifier chooses a random nonce r and asks to see f(r) To be continued!

The authentication problem one-time version Alice would want to send a message m  {0,1} n to Bob They want to prevent Eve from interfering –Bob should be sure that the message m’ he receives is equal to the message m Alice sent Alice Bob Eve m

Specification of the Problem Alice and Bob communicate through a channel N Bob has an external register R  N (no message) ⋃ {0,1} n Eve completely controls the channel Requirements: R Completeness : If Alice wants to send m  {0,1} n and Eve does not interfere – Bob has value m in R Soundness : If Alice wants to send m and Eve does interfere –RN –R is either N or m (but not m’ ≠ m ) RN –If Alice does not want to send a message R is N Since this is a generalization of the identification problem – must use shared secrets and probability or complexity Probabilistic version: N for any behavior from Eve, for any message m  {0,1} n, the probability that Bob is in state m’ ≠ m or N is at most ε

Authentication using hash functions Suppose that – H= {h| h: {0,1} n → {0,1} k } is a family of functions – Alice and Bob share a random function h  H –To authenticate message m  {0,1} n Alice sends (m,h(m)) –When receiving (m’,z) Bob computes h(m’) and compares to z RIf equal, moves register R to m’ R NIf not equal, register R stays in N What properties do we require from H –hard to guess h(m’) - at most ε But clearly not sufficient: one-time pad. –hard to guess h(m’) even after seeing h(m) - at most ε Should be true for any m’ –Short representation for h - must have small log|H| –Easy to compute h(m) given h and m

Universal hash functions Given that for h  H we have h: {0,1} n → {0,1} k we know that ε≥2 -k A family where this is an equality is called universal 2 Definition : a family of functions H= {h| h: {0,1} n → {0,1} k } is called Strongly Universal 2 or pair-wise independent if: – for all m 1, m 2  {0,1} n and y 1, y 2  {0,1} k we have Prob[h(m 1 ) = y 1 and h(m 2 ) = y 2 ] = 2 -2k Where the probability is over a randomly chosen h  H In particular Prob[h(m 2 ) = y 2 | h(m 1 ) = y 1 ] = 2 -k Theorem : when a strongly universal 2 family is used in the protocol, Eve’s probability of cheating is at most 2 -k

Constructing universal hash functions The linear polynomial construction: fix a finite field F of size at least the message space 2 n –Could be either GF[2 n ] or GF[P] for some prime P ≥ 2 n The family H of functions h: F → F i s defined as H= {h a,b (m) = a∙m + b | a, b  F} Claim : the family above is strongly universal 2 Proof: for every m 1 ≠m 2, y 1, y 2  F there are unique a, b  F such that a∙m 1 +b = y 1 a∙m 2 +b = y 2 Size: each h  H represented by 2n bits

Constructing universal hash functions The inner product construction: fix a finite field F of size at least the target space 2 k –Could be either GF[2 k ] or GF[P] for some prime P ≥ 2 k Let n= ℓ ∙ k Treat each message m  {0,1} n as an (ℓ +1) -vector over F where the first entry is 1. Denote by (m 0, m 1, …,m ℓ ) The family H of functions h: F ℓ → F defined by all (ℓ+1) -vectors a=(a 0, a 1, …,a ℓ ) H= {h a (m)= ∑ i=0 ℓ a i ∙m i | a 0, a 1, …,a ℓ  F} Claim : the family above is strongly universal 2 Proof: for every (m 0, m 1, …,m l ), (m’ 0, m’ 1, …,m’ l ) y 1, y 2  F there are the same number of solutions to ∑ i=0 ℓ a i ∙m i = y 1 ∑ i=0 ℓ a i ∙m’ i = y 2 Size: each h  H represented by n+k bits

Lower bound on size of strongly universal hash functions Theorem : let H= {h| h: {0,1} n → {0,1} } be a family of pair-wise independent functions. Then |H| is Ω(2 n ) More precisely, to obtain a d -wise independence family |H| should be Ω(2 n └ d/2 ┘ ) Theorem : see N. Alon and J. Spencer, The Probabilistic Method Chapter 15 on derandomization, proposition 2.3

An almost perfect solution By allowing ε to be slightly larger than 2 -k we can get much smaller families Definition : a family of functions H= {h| h: {0,1} n → {0,1} k } is called δ- Universal 2 if for all m 1, m 2  {0,1} n where m 1 ≠ m 2 we have Prob[h(m 1 ) = h(m 2 ) ] ≤ δ Properties: Strongly-universal 2 implies 2 -k - Universal 2 Opposite not true: the function h(x)=x …

An almost perfect solution Idea : combine a family of δ- Universal 2 functions H 1 = {h| {0,1} n → {0,1} k } with a Strongly Universal 2 family H 2 = {h| {0,1} k → {0,1} k } Consider the family H where each h  H is {0,1} n → {0,1} k and is defined by h 1  H 1 and h 2  H 2 h(x) = h 2 (h 1 (x)) As before Alice sends m, h(m) Claim : probability of cheating is at most δ + 2 -k Proof: when Eve sends m’, y’ we must have m ≠ m ‘ but either –y’ = h(m), which means that Eve succeeds with probability at most δ + 2 -k Collision in h 1 Or in h 2 Or –y’ ≠ h(m) which means that Eve succeeds with probability at most 2 -k Collision in h 2 Size: each h  H represented by log |H 1 |+ log |H 2 |

Constructing almost universal hash functions The polynomial evaluation construction {0,1} n → {0,1} k : fix a finite field F of size at least the target space 2 k –Could be either GF[2 k ] or GF[P] for some prime P ≥ 2 k Let n= ℓ∙ k Treat each (non-zero) message m  {0,1} n as a degree (l-1) - polynomial over F. Denote by P m The family H of functions h: F ℓ → F is defined by all elements in F : H= {h x (m)= P m (x)| x  F} Claim : the family above is δ- Universal 2 for δ= (ℓ-1)/2 k Proof: the maximum number of points where two different degree (ℓ-1) polynomials agree is ℓ-1 Size: each h  H represented by k bits m

Composing universal hash functions Concatenation Let H where each h  H is {0,1} n → {0,1} k be a family of δ- Universal 2 functions Consider the family H’ where each h’  H’ is {0,1} 2n → {0,1} 2k and where h’(x 1,x 2 ) = h(x 1 ), h(x 2 ) for some h  H Claim : the family above is δ- Universal 2 Proof: let x 1, x 2 and x’ 1, x’ 2 be a pair of inputs. If x 1 ≠ x’ 1 collision must occur in first part h(x 1 )=h( x’ 1 ) Else, x 2 ≠ x’ 2 and collision must occur in second part h(x 2 )=h( x’ 2 ) In either case the probability is at most δ

Composing universal hash functions Composition Let H 1 = {h| h:{0,1} n 1 → {0,1} n 2 } with H 2 = {h| h: {0,1} n 2 → {0,1} n 3 } be families of δ- Universal 2 functions Consider the family H where each h  H is {0,1} n 1 → {0,1} n 3 is defined by h 1  H 1 and h 2  H 2 h(x) = h 2 (h 1 (x)) Claim : the family above is 2 δ- Universal 2 Proof: the collision must occur either at the first hash function or the second hash function. Each event happens with probability at most δ and we apply the union bound n2n2 n1n1 n3n3

The Tree Construction h1h1 h2h2 h3h3 Set n= ℓ ∙k. E ach h i :{0,1} 2k → {0,1} k is chosen independently from a δ - Universal family H. The result is a family of functions {0,1} n → {0,1} k which is tδ - Universal t is the number of levels in the tree Size: t log |H| m Can construct functions from huge domains

Homework Given ε,n what is the number of bits needed to specify an authentication scheme? Bonus : Can interaction help? –Can the number of shared secret bits be smaller than in a unidirectional scheme –Can the number of shared bits depend on ε only?

What about the public-key problem? Recall: Bob and Charlie share the set-up phase information Is it possible to satisfy the requirements: R – Completeness : If Alice wants to send m  {0,1} n and Eve does not interfere – Bob has value m in R – Soundness : If Alice wants to send m and Eve and Charlie do interfere RNR is either N or m (but not m’ ≠ m ) RNIf Alice does not want to send a message R is N Who chooses which m Alice will want to approve? –Adversary does. This is a chosen message attack As before: complexity to the rescue