1. Foundations of Cryptography Lecture 5: Signatures and pseudo-random generators
Lecturer: Moni Naor

2. Recap of last week’s lecture
One-time signatures
UOWHFs
Definition
Compositions
Construction from one-way permutations
Known: construction from one-way functions

3. General construction (n, k)-UOWHFs
Use tree composition
Description length: k log (n/k) (n, n/2)-descriptions of hash function
2k bits in the example

4. Recall: Regeneration
If we could get a smaller public-key could be able to regenerate smaller and sign/authenticate an unbounded number of messages
What if you had three wishes…?
Idea: use G a family of UOWHF to compress the message
Question: can we use a global g  G for all nodes of the tree?
Question: how to assign messages to nodes in the tree?
What exactly are we after?

5. Components of a Signature Scheme
Allow Alice to publish a public key pk while keeping hidden a secret key sk
Key generation Algorithm
Input: security parameter n, random bits
Output: pk and sk
Given a message m Alice can produce a signature s
Signing Algorithm
Input: pk and sk and message m (plus random bits)
Possible: also history of previous messages
Output: s
``Anyone” who is given pk and (m,s) can verify it
Signature Verification Algorithm
Input: (pk, m, s)
Output: `accept’ or `reject’
Completeness: the output of the Signing Algorithm is assigned `accept’
All algorithms should be polynomial time
Security: ``No one” who is given only pk and not sk can forge a valid (m,s)
How to do define properly?
KGA pk sk

6. Rigorous Specification of Security of a Scheme
Recall: To define security of a system must specify:
The power of the adversary
computational
access to the system
Who chooses the message to be signed
What order
What constitutes a failure of the system
What is a legitimate forgery?

7. Existential unforgeability in signature schemes
A signature scheme is
existentially unforgeable
under an
adaptive chosen message attack if
any polynomial adversary A with
Access to the system: for q rounds
adaptively choose messages mi and receive a valid signature si
Tries to break the system: find pair (m, s) so that
m {m1, m2, … mq}
But
(m,s) is a valid signature.
has probability of success at most ε
For any q and 1/ε polynomial in the security parameter and for large enough n
adaptive message attack
existential forgery

8. Weaker notions of security
How the messages are chosen during the attack
E.g. random messages
Non adaptively (all messages chosen in advance)
How the challenge message is chosen
In advance, before the attack
randomly
Homework: show how to construct from a signature scheme
that is
existentially unforgeable against random message attack
a signature scheme that is
existentiallly unforgeable against adaptively chosen message attacks
Hint: use two schemes of the first type

9. Specific proposal Key generation: generate the root Signing algorithm:
Three sets of keys for a one-time signature scheme
A function g  G from a family of UOWHF
Signing algorithm:
Traverse the tree in a BFS manner
Generate a new triple
Sign the message using the middle part of node
Put the generated triple in the next available node in the current level
If all nodes in current level are assigned, create a new one.
The signature consists of:
The one-time signature on the message
The nodes along the path to the root
the one-time signatures on the hashed nodes along the path to the root
Keep secret the private keys of all triples
Verification of signature:
Verify the one-times signature given.
triple
Size of signature:
Depth of tree ¢ triple size

10. When is using a single hash function sufficient?
The rule of thump of whether a global hash function g is sufficient or not is:
Can the legitimate values hashed be chosen as a function of g
In this case the only legitimately hashed values are the triples
Chosen independently of g by the signer
Note: if we want to hash the message itself (to obtain a shorter one-time signature:
need a separate has function for each node

11. Why is tree regeneration secure
Consider the legitimate tree and a forged message
There is the first place where the two differ
This must occur when either:
a forged one-time signature is produced Or
a false child is authenticated
Can guess the place where this happens and what happens with probability at least 1/p(n)
If 1) happens more often: can break the one-time signature
If 2) happens more often: can break the UOWHF

12. Proof of Security
Want to construct from the forging algorithm A which is a target collision finding for G
algorithm B
Algorithm B:
Generate a random triple and output it as target x
Obtain the challenge g
Generate the public key/secret key of the scheme
Using g as the global hash function
Run algorithm A that tries to break the signature scheme
Guess the node where the forgery occurs
Put the triple x
If a false child is authenticated there: found a collision with x under g !
What is the probability of success of B?
The same as the simulated forging algorithm A for G divided by 2q
Claim: the probability the simulated algorithm A witnesses is the same as the real A x B g A x’ x’

13. Conclusion
Theorem: If families of UOWHF exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist
Corollary: If one-way permutations exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist.
Corollary: If one-time public-key identification is possible (equivalent to existence of one-way functions), then signature schemes existentially unforgeable under adaptive chosen message attacks exist.

14. Several other paradigms for creating secure signature schemes
Trapdoor permutations
Protection against random attack and forgery of a random challenge
Other forms of tree like schemes
Claw-free
Trapdoor
Converting interactive identification schemes
If challenge is random
Creating a random instance of a problem
Solvable if you know the trapdoor
Example: RSA
Only analysis known: assumes an idealized random function
Black box that behaves as a random function
All users including adversary have black-box access to it but cannot see it inside
Much debate in crypto literature

15. Trapdoor One-way Permutations
A collection functions with three probabilistic polynomial time algorithms
Key generation: on input n, the security parameter, and random bits, generates two keys
KP (Public) and KS (secret) and domain size D (could be 0,1n)
Forward computation: each KP defines a permutation f(KP,,¢) on D.
Given KP and x easy to compute f(KP,,x)
Hard to invert: for any PPT A given y=f(KP,,x) for a random KP (generated as above) and x 2R D, probability that A finds x is negligible
Backward computation: given Ks easy to invert f(KP,,¢)
there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x

16. The RSA Permutation
Public key: N=P∙Q and public exponent e s.t. e is relatively prime to (N)=(P-1)(Q-1)
Secret key: d s.t. d¢e = 1 mod (N)
Equivalently: factorization of N
The permutation: RSAN,e(x) = xe mod N
The domain DN = ZN*
Inverting the permutation RSAN,e(-1)(y) = yd mod N
Euler's totient
The RSA Assumption: for random N (and e) for random y 2 ZN* hard to invert y

17. Trapdoors and Signatures
Using trapdoors `naively’:
A signature scheme secure against random message attack for forging a random message
Exercise: do the tree signature with trapdoors instead of UOWHFs

18. The Encryption problem:
Alice would want to send a message m{0,1}n to Bob
Set-up phase is secret
They want to prevent Eve from learning anything about the message m m
Alice
Bob
Eve

19. The encryption problem
Relevant both in the shared key and in the public key setting
Want to use many times
Also add authentication…
Other disruptions by Eve

20. What does `learn’ mean? ©
If Eve has some knowledge of m, it should remain the same
Probability of guessing m
Min entropy of m
Probability of guessing whether m is m0 or m1
Probability of computing some function f of m
Ideally: the ciphertext sent is independent of the message m
Implies all the above
Shannon: achievable only if the entropy of the shared secret is at least as large as the message m entropy
If no special knowledge about m: then need |m| bits
Achievable: one-time pad.
Let rR {0,1}n
Think of r and m as elements in a group
To encrypt m send r+m
To decrypt z send m=z-r m r c

21. Pseudo-random generators
Would like to stretch a short secret (seed) into a long one
The resulting long string should be usable in any case where a long string is needed
In particular: as a one-time pad
Important notion: Indistinguishability
Two probability distributions that cannot be distinguished
Statistical indistinguishability: distances between probability distributions
New notion: computational indistinguishability

22. Statistical Difference
Statistical difference between two distributions X and Y on domain D is:
(X,Y) = ½  2 D |Pr[X=] – Pr[Y=]|
Equivalently
(X,Y) = maxA µ D |Pr[X 2 A] – Pr[Y 2 A]|
Two probability sequences {Xn}nN and {Yn}nN are statistically indistinguishable if: for all polynomials p(.) and for all sufficiently large n
(X,Y) · 1/p(n)
Statistical test

23. Computational Indistinguishability
Make the test A into a polynomial time computable one

24. Computational Indistinguishability
Definition: two sequences of distributions {Dn} and {D’n} on {0,1}n are computationally indistinguishable if
for every polynomial p(n) for every probabilistic polynomial time adversary A for sufficiently large n
If A receives input y  {0,1}n and tries to decide whether y was generated by Dn or D’n then
|Prob[A=‘0’ | Dn ] - Prob[A=‘0’ | D’n ] | · 1/p(n)
Without restriction on probabilistic polynomial tests: equivalent to variation distance being negligible
∑β  {0,1}n |Prob[ Dn = β] - Prob[ D’n = β]| < 1/p(n)
advantage

25. Pseudo-random generators
Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if
It is polynomial time computable
It stretches the input |g(x)|>|x|
Let ℓ(n) be the length of the output on inputs of length n
If the input (seed) is random, then the output is indistinguishable from random
For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n) for any polynomial p(n) and sufficiently large n
|Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | · 1/p(n) x
seed g
ℓ(n)
Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin J. von Neumann

26. Pseudo-random generators
Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if
It is polynomial time computable
It stretches the input (seed): g(x)|>|x|
denote by ℓ(n) the length of the output on inputs of length n
If the seed is random the output is indistinguishable from random
For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n) for any polynomial p(n) and sufficiently large n
|Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | · 1/p(n)
Important issues:
Why is the adversary bounded by polynomial time?
Why is the indistinguishability not perfect?

27. Construction of pseudo-random generators
Idea given a one-way function there is a hard decision problem hidden there
If balanced enough: looks random
Such a problem is a hardcore predicate
Possibilities:
Last bit
First bit
Inner product

28. |Prob[A(y)=h(x)] - 1/2| < 1/p(n)
Hardcore Predicate
Definition: for f:{0,1}* → {0,1}* we say that h:{0,1}* → {0,1} is a hardcore predicate for f if:
h is polynomial time computable
For any probabilistic polynomial time adversary A that receives input y=f(x) and tries to compute h(x) for any polynomial p(n) and sufficiently large n
|Prob[A(y)=h(x)] - 1/2| < 1/p(n)
where the probability is over the choice x and the random coins of A
Sources of hardcoreness:
not enough information about x
not of interest for generating pseudo-randomness
enough information about x but hard to compute it

29. Homework Assume one-way functions exist
Show that the last bit/first bit are not necessarily hardcore predicates
Generalization: show that for any fixed function h:{0,1}* → {0,1} there is a one-way function f:{0,1}* → {0,1}* such that h is not a hardcore predicate of f
Show a one-way function f such that given y=f(x) each input bit of x can be guessed with probability at least 3/4

30. Single bit expansion Let f:{0,1}n → {0,1}n be a one-way permutation
Let h:{0,1}n → {0,1} be a hardcore predicate for f
Consider g:{0,1}n → {0,1}n+1 where
g(x)=(f(x), h(x))
Claim: g is a pseudo-random generator
Proof: can use a distinguisher for g to guess h(x)
f(x), h(x))
f(x), 1-h(x))

31. Hardcore Predicate With Public Information
Definition: let f:{0,1}* → {0,1}* be a function. We say that h:{0,1}* x {0,1}* → {0,1} is a hardcore predicate for f if
h(x,r) is polynomial time computable
For any probabilistic polynomial time adversary A that receives input y=f(x) and public randomness r and tries to compute h(x,r) for any polynomial p(n) and sufficiently large n
|Prob[A(y,r)=h(x,r)] -1/2| < 1/p(n)
where the probability is over the choice y of r and the random coins of A
Alternative view: can think of the public randomness as modifying the one-way function f: f’(x,r)=f(x),r.

32. From single bit expansion to many bit expansion
Internal Configuration
Input
Output r x
f(x)
h(x,r)
h(f(x),r)
f(2)(x)
f(3)(x)
h(f (2)(x),r)
f(m)(x)
h(f (m-1)(x),r)
Can make r and f(m)(x) public
But not any other internal state
Can make m as large as needed

33. Two important techniques for showing pseudo-randomness
Hybrid argument
Next-bit prediction and pseudo-randomness

34. Hybrid argument
To prove that two distributions D and D’ are indistinguishable:
suggest a collection of distributions
D= D0, D1,… Dk =D’
If D and D’ can be distinguished, then there is a pair Di and Di+1 that can be distinguished.
Advantage ε in distinguishing between D and D’ means advantage ε/k between some Di and Di+1
Use a distinguisher for the pair Di and Di+1 to derive a contradiction

35. |Prob[A(yi,y2,…, yi) = yi+1] – 1/2 | < 1/p(n)
Next-bit Test
Definition: a function g:{0,1}* → {0,1}* is said to pass the next bit test if:
It is polynomial time computable
It stretches the input |g(x)|>|x|
denote by ℓ(n) the length of the output on inputs of length n
If the input (seed) is random, then the output passes the next-bit test
For any prefix 0≤ i< ℓ(n), for any probabilistic polynomial time adversary A that is a predictor: receives the first i bits of y= g(x) and tries to guess the next bit, for any polynomial p(n) and sufficiently large n
|Prob[A(yi,y2,…, yi) = yi+1] – 1/2 | < 1/p(n)
Theorem: a function g:{0,1}* → {0,1}* passes the next bit test if
and only if it is a pseudo-random generator

36. Sources Goldreich’s Foundations of Cryptography, volumes 1 and 2
Goldwasser, Micali and Rivest, A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM J. on Computing, 1988.

37. Homework
Show that the existence of UOWHFs implies the existence of one-way functions
Show that there are family of UOWHFs of which are not collision intractable
Show that if the (n, βn)-subset sum assumption holds for β<1, then the corresponding subset function defines a family of UOWHFs
You may use the fact that for m=βn for most a1, a2 ,…, an {0,…2m -1} the distribution of T=∑ i S ai is close to uniform, when S is random.