
Foundations of Cryptography Lecture 3 Lecturer: Moni Naor.


1 Foundations of Cryptography Lecture 3 Lecturer: Moni Naor

2 Recap of last week's lecture
– One-way functions are essential to the two-guard identification problem.
  – Important idea: simulation
– Examples of one-way functions
  – Subset sum, discrete log, factoring
– Weak one-way functions
  – Constructing strong one-way functions from weak one-way functions
  – Important idea: reduction
  – Finish the two-repetition case from lecture 2

3 Is there an ultimate one-way function?
If f_1: {0,1}* → {0,1}* and f_2: {0,1}* → {0,1}* are guaranteed to
– be polynomial-time computable, and
– at least one of them is one-way,
then we can construct a function g: {0,1}* → {0,1}* which is one-way:
  g(x_1, x_2) = (f_1(x_1), f_2(x_2))
If a 5n^2-time one-way function is guaranteed to exist, we can construct an O(n^2 log n)-time one-way function g:
– Idea: enumerate Turing machines and make sure each runs 5n^2 steps
  g(x_1, x_2, …, x_log(n)) = M_1(x_1), M_2(x_2), …, M_log n(x_log(n))
If a one-way function is guaranteed to exist, then there exists a 5n^2-time one-way function:
– Idea: concentrate on the prefix 1/p(n)

4 Conclusions
Be careful what you wish for.
Problems with the resulting one-way function:
– Cannot learn about behavior on large inputs from small inputs
– The whole rationale for considering asymptotics is eroded
– The construction does not work for non-uniform one-way functions

5 Homework
Show that if probabilistic one-way functions exist then so do deterministic ones.

6 Identification - many times
Alice would want to send an "approve" message to Bob many times. They want to prevent Eve from interfering:
– Bob should be sure that Alice indeed approved each time.
How to specify?
(Figure: Alice, Bob, Eve)

7 Specification of the problem
– Alice and Bob communicate through a channel
– Bob has an external counter C (number of times Alice approved)
– Eve completely controls the channel
Requirements:
– If Alice wants to approve and Eve does not interfere, Bob increases the counter C
– The number of times Alice approves is a bound on the value of counter C
– If Alice wants to approve and Eve does interfere, there are no requirements on the counter C until there is a quiescent period: a time when Alice wants to approve and Eve does not interfere
Not the only possible specification! Can mandate that an approval was sent since the last time the counter increased.

8 Solution to the password problem
Assume that
– f: {0,1}^n → {0,1}^n is a (t,ε) one-way function
– the adversary's running time is bounded by t
– k is an upper bound on the number of identifications
Setup phase: Alice chooses x ∈ {0,1}^n, computes y = f^(k)(x) and gives y to Bob and Charlie.
When Alice wants to approve the i-th time:
– she sends the special symbol $ followed by i and y_i = f^(k-i)(x)
If Bob gets a $ followed by any symbols on the channel, call them (j,z); compute f^(j)(z) and compare it to y:
– if equal, move counter C to state j
– if not equal, do nothing to counter C
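The hash-chain scheme of slide 8, as an added example that is not part of the lecture: SHA-256 (truncated) stands in for the abstract (t,ε) one-way function f, the seed and k = 8 are constructed sample values, and Bob additionally rejects j > k so a bogus message cannot make him iterate f an unbounded number of times.

```python
import hashlib

K = 8                               # upper bound k on the number of identifications
SEED = b"constructed secret seed"   # Alice's secret x (constructed sample value)

def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f of the lecture: SHA-256 truncated to 16 bytes."""
    return hashlib.sha256(x).digest()[:16]

def iterate(x: bytes, times: int) -> bytes:
    """f^(times)(x): apply f 'times' times."""
    for _ in range(times):
        x = f(x)
    return x

class Alice:
    def __init__(self, k: int, x: bytes):
        self.k, self.x, self.i = k, x, 0

    def setup(self) -> bytes:
        """Setup phase: y = f^(k)(x), handed to Bob (and Charlie)."""
        return iterate(self.x, self.k)

    def approve(self):
        """i-th approval: '$' followed by i and y_i = f^(k-i)(x)."""
        assert self.i < self.k, "bound k on identifications exhausted"
        self.i += 1
        return ("$", self.i, iterate(self.x, self.k - self.i))

class Bob:
    def __init__(self, y: bytes, k: int):
        self.y, self.k, self.counter = y, k, 0

    def receive(self, msg) -> bool:
        """On ($, j, z): accept iff f^(j)(z) == y, then move the counter to state j."""
        tag, j, z = msg
        if tag != "$" or not (1 <= j <= self.k) or iterate(z, j) != self.y:
            return False          # forgery, replay with a wrong round, or garbage: counter untouched
        self.counter = j
        return True
```

Replaying a seen value y_j while claiming a later round fails because f^(j+1)(y_j) = f^(k+1)(x) ≠ y; forging round j+1 would require inverting f on y_j.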

9 Is it secure?
Need care in choosing f: it should be difficult to invert any one of the iterated instances of f.

10 One-way on its iterates
A function f: {0,1}^n → {0,1}^n is called one-way on its iterates if
– f is a polynomial-time computable function
– for every probabilistic polynomial-time algorithm A, every polynomial p(·), all sufficiently large n and all k ≤ p(n):
    Prob[A[f^(k)(x)] ∈ f^(-1)(f^(k)(x))] ≤ 1/p(n)
  where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A.
From homework: not all one-way functions are one-way on their iterates.
– Every one-way permutation is one-way on its iterates.
– Subset sum function one-way on its iterates

11 Example: the squaring function (Rabin)
f(x,N) = (x^2 mod N, N)
Quadratic residue mod a prime: if s and r satisfy s = r^2 mod P then s is called a quadratic residue modulo P.
If P is a prime then:
– s = r^2 mod P has exactly two solutions mod P if 0 < s < P; we can denote them ±r
– the quadratic residues form a multiplicative subgroup with (P-1)/2 elements
– if P ≡ 1 mod 4 then -1 is a quadratic residue mod P; both square roots are either quadratic residues or non-residues
– if P ≡ 3 mod 4 then -1 is a quadratic non-residue mod P; one square root is a quadratic residue, the other is not
Squaring mod P is a permutation on the quadratic residues!
Computing square roots: if r = s^((P+1)/4) mod P, then squaring gives r^2 = s^((P+1)/2) = s·s^((P-1)/2) = ±s mod P
If N = PQ then s is a quadratic residue modulo N if and only if it is a quadratic residue for both P and Q.
If N = PQ where P, Q ≡ 3 mod 4, N is called a Blum integer:
– each quadratic residue has 4 square roots
– exactly one of which is itself a quadratic residue
– squaring mod N is a permutation on the quadratic residues!

12 Finding square roots and factoring are equivalent
– If we know the factorization of N = PQ, then we can compute square roots
– If there is a procedure that computes square roots correctly for a non-negligible fraction of inputs, we can boost it
  – Random self-reducibility
– If we know (r,t) such that
  – s = r^2 = t^2 mod N
  – r = t mod P
  – r ≠ t mod Q
  then we can factor by computing GCD(t-r, N)
Homework: show how to use a square-root computing routine to factor while preserving the probability of success.

13 A one-way on its iterates function
To fully specify the function, we need a starting procedure for generating
– N = PQ where P, Q ≡ 3 mod 4
  – easy to specify given deterministic primality testing (even probabilistic is sufficient) and the density of primes
– a quadratic residue mod N
  – easy, by generating a random square
Resulting function: one-way on its iterates.
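The Blum-integer facts of slides 11 to 13 worked through in code, as an added example that is not from the lecture: a constructed toy modulus N = 7·11 (both primes are 3 mod 4, far too small for any real use) is enough to show the four square roots of a residue, the single root that is itself a residue, inverting the squaring permutation with the trapdoor (P, Q), and recovering a factor of N from two non-trivially different roots via GCD(t - r, N).

```python
from math import gcd

# Constructed toy Blum integer: P = 7, Q = 11 (both 3 mod 4), N = 77.
P, Q = 7, 11
N = P * Q

def is_qr(s: int, p: int) -> bool:
    """Euler's criterion: s is a quadratic residue mod the prime p iff s^((p-1)/2) = 1 mod p."""
    return pow(s, (p - 1) // 2, p) == 1

def sqrt_mod_prime(s: int, p: int) -> int:
    """For p = 3 mod 4 and s a QR mod p, s^((p+1)/4) mod p is a square root of s (slide 11)."""
    assert p % 4 == 3
    r = pow(s, (p + 1) // 4, p)
    assert r * r % p == s % p, "s is not a quadratic residue mod p"
    return r

def crt(a: int, p: int, b: int, q: int) -> int:
    """The x mod pq with x = a mod p and x = b mod q (Garner's form of the CRT)."""
    h = (b - a) * pow(p, -1, q) % q
    return (a + p * h) % (p * q)

def square_roots(s: int, p: int, q: int):
    """All four square roots of a QR s modulo the Blum integer pq: one choice of sign per prime."""
    rp, rq = sqrt_mod_prime(s % p, p), sqrt_mod_prime(s % q, q)
    return sorted({crt(a, p, b, q) for a in (rp, p - rp) for b in (rq, q - rq)})

def principal_root(s: int, p: int, q: int) -> int:
    """The unique square root that is itself a QR mod pq, i.e. a QR mod both p and q."""
    roots = [r for r in square_roots(s, p, q) if is_qr(r, p) and is_qr(r, q)]
    assert len(roots) == 1
    return roots[0]

def rabin(s: int, n: int) -> int:
    """The squaring function f(s) = s^2 mod N, a permutation on the QRs mod N."""
    return s * s % n

def invert_iterate(y: int, k: int, p: int, q: int) -> int:
    """Undo k squarings on the QRs using the trapdoor (p, q); without it this is the hard direction."""
    for _ in range(k):
        y = principal_root(y, p, q)
    return y

def factor_from_roots(r: int, t: int, n: int) -> int:
    """Slide 12: given r^2 = t^2 mod n with r = t mod one prime and r != t mod the other, gcd(t - r, n) is a proper factor."""
    d = gcd(t - r, n)
    assert 1 < d < n, "roots differ only by sign; no factor obtained"
    return d
```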

14 Security of the scheme
If the scheme can be broken, then there is a j ≤ k where, when Alice approved only j-1 times, Eve convinced Bob to accept j times with probability at least 1/(k·p(n)).
For this j we can break the (k-j)-th iterate of f with probability at least 1/(k·p(n)):
– given y_j = f^(k-j)(x), compute y = f^(j)(y_j) and simulate the adversary for j rounds
– the adversary sees exactly the same distribution as in real life
Hence the probability that the adversary succeeds in forgery at step j (i.e. inverts y_j) is at least 1/(k·p(n)).

15 Problems with the scheme
– Need to know an upper bound k on the number of identifications
– Need to perform work proportional to k before the first identification (what if it flops?)
– Total work (over all k sessions) by Alice: O(k^2)
  – For Bob, if he stores the last value: O(k)
  – If Alice stores all k values y_j: total work (over all k sessions) only O(k)
  – Homework: how can Alice store O(log k) values and perform amortized O(log k) work?
More problems:
– need to maintain state
– synchronization if both Bob and Charlie interleave as verifiers and the sum of their counters should be the number of times Alice identified

16 Want a scheme with unlimited use
If we have a function that only Alice can compute but both Bob and Charlie can verify, Alice can compute for session number i the value f(i).
Problem: interleaving of verifiers; Eve can replay.
Solution: challenge-response
– the verifier chooses a random nonce r and asks to see f(r)

