Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs.


1 Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs

2 Recap of last week’s lecture
Functions that are one-way on their iterates
The one-time authentication problem
The hash based protocol
– Strongly Universal Hash functions
Definition and Constructions
– δ-Universal$_2$ hash functions
Their application in authentication
Polynomial Constructions
Composition and tree

3 The authentication problem: computational public-key version
Alice would want to send a message $m \in \{0,1\}^n$ to Bob or to Charlie
– Set-up phase is public
They want to prevent Eve from interfering
– Bob should be sure that the message $m'$ he receives is equal to the message $m$ Alice sent
[Figure: Alice, Eve, Bob; message $m$]

4 Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register $R \in N$ (no message) $\cup\ \{0,1\}^n$
Eve completely controls the channel
Requirements:
Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in $R$
Soundness: If Alice wants to send $m$ and Eve does interfere
– $R$ is either $N$ or $m$ (but not $m' \neq m$)
– If Alice does not want to send a message $R$ is $N$
Since this is a generalization of the identification problem – must use shared secrets and probability or complexity
Probabilistic version: for any behavior from Eve, for any message $m \in \{0,1\}^n$, the probability that Bob is in state $m' \neq m$ or $N$ is at most $\varepsilon$

5 What about the public-key problem?
Recall: Bob and Charlie share the set-up phase information
Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in register $R$
– Soundness: If Alice wants to send $m$ and Eve and Charlie do interfere, $R$ is either $N$ or $m$ (but not $m' \neq m$)
– Existential forgery
– If Alice does not want to send a message, $R$ is $N$
Who chooses which $m$ Alice will want to approve?
– Adversary does. This is a chosen message attack
When is $m'$ chosen – might be after authentication on $m$ seen
As before: complexity to the rescue

6 A one-time public-key authentication
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way function
– Adversaries' run time is bounded by polynomial time
To sign/authenticate a single bit message
Setup phase:
– Alice chooses a random pair $x_0, x_1 \in \{0,1\}^n$ and
– Computes $y_0 = f(x_0)$ and $y_1 = f(x_1)$
– Gives Bob and Charlie $(y_0, y_1)$
When Alice wants to approve $m \in \{0,1\}$ – she sends $(m, x_m)$
If Bob gets any symbols on channel – call them $(m, z)$; computes $f(z)$ and compares to $y_m$
– If equal moves to state $m$
– If not equal, moves permanently to state $N$
Why is it secure?
What about $n$-bit messages?
– Alice prepares a set of $n$ pairs and opens the appropriate ones
Since this is noninteractive, Bob can convince Charlie that Alice approved message $m$
– Non repudiation from Alice

7 Signing $n$-bit messages
Lamport’s Scheme
Public key: $f(x_1^0), f(x_1^1), f(x_2^0), f(x_2^1), \ldots, f(x_n^0), f(x_n^1)$
[Figure: public key entries and an example message 1 0 1 0]
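The setup, signing and verification steps of slides 6 and 7, as an added example that is not part of the lecture. SHA-256 stands in for the one-way function $f$; the class name, the 256-bit secret length and the integer encoding of the message are assumptions of the example.

```python
import hashlib
import hmac
import secrets

K = 32  # bytes per secret x_i^b, so k = 256 bits (assumed parameter)

def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()

def bits(m: int, n: int) -> list[int]:
    """The n-bit message m as a list of bits, most significant first."""
    return [(m >> (n - 1 - i)) & 1 for i in range(n)]

class LamportSigner:
    """Alice: holds n secret pairs and opens one element per message bit."""

    def __init__(self, n: int):
        self.n = n
        self._sk = [(secrets.token_bytes(K), secrets.token_bytes(K))
                    for _ in range(n)]
        # Public key handed to Bob and Charlie: 2n images, 2nk bits in total.
        self.public_key = [(f(x0), f(x1)) for x0, x1 in self._sk]
        self._used = False

    def sign(self, m: int) -> list[bytes]:
        if not 0 <= m < 2 ** self.n:
            raise ValueError("message does not fit in n bits")
        if self._used:
            # A second signature would open more preimages than one message
            # needs, so the key pair is retired after a single use.
            raise RuntimeError("one-time key already used")
        self._used = True
        return [self._sk[i][b] for i, b in enumerate(bits(m, self.n))]

def verify(public_key, m: int, sig: list[bytes]) -> bool:
    """Bob: accept (m, sig) iff f(z_i) equals y_i^{m_i} at every position i."""
    n = len(public_key)
    if len(sig) != n or not 0 <= m < 2 ** n:
        return False
    return all(hmac.compare_digest(f(z), public_key[i][b])
               for i, (z, b) in enumerate(zip(sig, bits(m, n))))
```

Verification needs only the public key, which is why Bob can hand `(m, sig)` to Charlie as evidence that Alice approved $m$.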

8 Security of the Scheme
Theorem: If there is an Adversary $A$ that
– chooses a message $m \in \{0,1\}^n$ for Alice to legitimately authenticate
– forges a message $m' \neq m$ with probability at least $\varepsilon$
Then there is an Adversary $B$ that
– can break the function $f$ with probability at least $\varepsilon/2n$
– operates in time roughly the same as $A$
Proof:

9 Size of the public key
The size of the public key
– Let $f: \{0,1\}^k \to \{0,1\}^k$ be a one-way function
– to be able to sign an $n$-bit message need $2nk$ bits of public key.
Preparing a public key takes
– $2n$ evaluations of the one-way function and
– $2nk$ bits of public key.
Homework: Suggest a tradeoff with more evaluations but fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way on their iterates

10 Regeneration
If we could get a smaller public-key could be able to regenerate smaller and sign/authenticate an unbounded number of messages
– What if you had three wishes…?
Idea: use hashing to compress the new public-key
What about universal hashing?
– Problem: both $m$ and $m'$ are chosen in advance in universal hashing
– Must use computational hardness somewhere

11 Possible definitions
A function $g: \{0,1\}^{2n} \to \{0,1\}^n$ where it is hard to find $m' \neq m$ but $g(m) = g(m')$
Problems:
– not good for non-uniform models
– hard to connect to other assumptions
Want a family of functions from which one is selected
Use the advantage we have: the target is known

12 Possible definitions
A family of functions $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^{h(n)}\}$ such that
Easy to sample $g$ from $G$ and $g \in G$ has succinct description
Given $(n, g, x)$ easy to compute $g(x)$
$h(n) < n$
Hard to find collisions:
Alternative 1 – any collision
– Given $n$ and $g \in G$ hard to find $x, x' \in \{0,1\}^n$ where $x \neq x'$ but $g(x) = g(x')$
– Sometimes called collision intractable
– hard to connect to other assumptions
Alternative 2 – target collision
– Given $(n, g, x)$ hard to find $x' \in \{0,1\}^n$ where $x \neq x'$ but $g(x) = g(x')$

13 Universal One-Way Hash functions UOWHFs
When/how is the target $x$ chosen?
Independently of $g$ but want to work for any possible $x$
– First $x$ is selected by adversary, then $g \in G$ is selected at random
Technical point: let $\ell_1, \ell_2: \{0,1\}^* \to \{0,1\}^*$ be functions mapping $n$ to input and output sizes. We assume
– $\ell_1(n) > \ell_2(n)$ and
– both are bounded by polynomials in $n$
Definition: A family of functions $G = \bigcup_{n=1}^{\infty} G_n$ where $G_n = \{g \mid g: \{0,1\}^{\ell_1(n)} \to \{0,1\}^{\ell_2(n)}\}$ is called $(\ell_1, \ell_2)$-universal one-way hash if:
Given $n$ easy to sample random $g$ from $G_n$ and $g \in G_n$ has description polynomial in $n$
Given $(n, g, x)$ easy to compute $g(x)$
Hard to find target collisions: no polynomial time adversary can on input $n$
– generate $x \in \{0,1\}^{\ell_1(n)}$
– given a random $g \in G_n$ find $x' \in \{0,1\}^{\ell_1(n)}$ where $x \neq x'$ but $g(x) = g(x')$
succeed with non-negligible probability for sufficiently large $n$

14 Homework
Show that the existence of UOWHFs implies the existence of one-way functions
Show that there are families of UOWHFs which are not collision intractable
Show that if the $(n, \beta n)$-subset sum assumption holds for $\beta < 1$, then the corresponding subset function defines a family of UOWHFs
– You may use the fact that for $m = \beta n$, for most $a_1, a_2, \ldots, a_n \in \{0, \ldots, 2^m - 1\}$ the distribution of $T = \sum_{i \in S} a_i$ is close to uniform, when $S$ is random.

15 Composing UOWHFs
Concatenation
Let $G$ be a $(\ell_1, \ell_2)$-family of UOWHFs
Consider the $(2\ell_1, 2\ell_2)$-family $G'$ where each $g' \in G'$ is defined by a function $g \in G$ and where $g'(x_1, x_2) = g(x_1), g(x_2)$
Claim: the family above is a $(2\ell_1, 2\ell_2)$-family of Universal One-way Hash functions
Proof: let the adversary choose $x_1, x_2$ as the target and let $x'_1, x'_2$ be the colliding value
If $x_1 \neq x'_1$ found a collision with $x_1$, i.e. $g(x_1) = g(x'_1)$
If $x_2 \neq x'_2$ found a collision with $x_2$, i.e. $g(x_2) = g(x'_2)$
Guess which case $b \in \{0,1\}$ will occur
– correct with probability ½ and
– output $x_b$ as the target collision
Running time – similar. Probability of success at least ½ of $G'$

16 Composing UOWHFs
Composition
Let
$G_1$ be a $(\ell_1, \ell_2)$-family of UOWHFs
$G_2$ be a $(\ell_2, \ell_3)$-family of UOWHFs
Consider the family $G$ which is a $(\ell_1, \ell_3)$-family and where each $g \in G$ is defined by $g_1 \in G_1$ and $g_2 \in G_2$: $g(x) = g_2(g_1(x))$
Claim: the family above is a $(\ell_1, \ell_3)$-family of UOWHFs
Proof: the collision must occur either at the first hash function or the second hash function…
[Figure: labels $\ell_1$, $\ell_2$, $\ell_3$]

17 Composing UOWHFs
Proof:
If collision in first phase occurs more frequently: can break $G_1$
– Use target $x$ given by adversary as target for $G_1$
If collision in second phase occurs more frequently: can break $G_2$
– Take target $x$ given by adversary, choose $g_1 \in_R G_1$ and set $z = g_1(x)$ as target for $G_2$
– Given $g_2 \in G_2$ give adversary $g = g_1, g_2$
– Key point: can choose the $g_1$ in the target phase
[Figure: labels $\ell_1$, $\ell_2$, $\ell_3$]

18 The Tree Construction
Let $G$ be a $(2k, k)$-UOWHF
Let $n = 2 \cdot l \cdot k$ and $t = \log n/k$.
Each $g_i$ is chosen independently from $G$.
The result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is $(n, k)$-UOWHF
Size of representation: $t \log |G|$ where $t$ is the number of levels in the tree
[Figure: tree with labels $g_1$, $g_2$, $g_3$ and input $m$]

19 Constructing $(n, n-1)$-UOWHFs
Idea: Combine one-way with universal
– Want to match each image of the one-way functions with another random image
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family
Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$: $g(x) = \mathrm{chop}_{n-1}(h(f(x)))$

20 Pair-wise independent permutations
Definition: a family of permutations (1-1 functions) $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ is called Strongly Universal$_2$ or pair-wise independent if:
– for all $x_1, x_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^n$ where $x_1 \neq x_2$ and $y_1 \neq y_2$ we have
$\mathrm{Prob}[h(x_1) = y_1 \text{ and } h(x_2) = y_2] = \frac{1}{2^n} \cdot \frac{1}{2^n - 1}$
where the probability is over a randomly chosen $h \in H$
The same as in truly random permutations
In particular $\mathrm{Prob}[h(x_2) = y_2 \mid h(x_1) = y_1] = \frac{1}{2^n - 1}$
Construction: let $F$ be a finite field (e.g. $GF[2^n]$)
$H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F,\ a \neq 0\}$
[Callout: New condition]

21 Constructing $(n, n-1)$-UOWHFs
Idea: Combine one-way with universal
– Want to match each image of the one-way functions with another random image
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations
Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
– E.g. chopping last bit of input
Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$: $g(x) = \mathrm{chop}_{n-1}(h(f(x)))$

22 Proof of Security
Want to construct from algorithm $A$ which is target collision finding for $G$ an inversion algorithm $B$ for $f$
Algorithm $B$:
Input: $y = f(z)$ to invert
Run algorithm $A$ to get target $x$
Find random $h \in H$ such that $\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$ and give corresponding $g$ as a challenge to $A$
– Why does such an $h$ exist and how to find it?
If $A$ finds $x'$ such that $g(x') = g(x)$ then $\mathrm{chop}_{n-1}(h(f(x))) = \mathrm{chop}_{n-1}(h(f(x'))) = \mathrm{chop}_{n-1}(h(y))$ and $y = f(x')$ since $h$ is 1-1
What is the probability of success of $B$?
The same as the simulated collision algorithm $A$ for $G$
Claim: the probability the simulated algorithm $A$ witnesses is the same as the real $A$
[Figure: $B$ wrapping $A$; labels $y = f(z)$, $x$, $g$, $x'$]

23 Why does such an $h$ exist and how to find it?
$\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$
Choose random $w \in \{0,1\}^n$, let $w'$ be such that $\mathrm{chop}_{n-1}(w) = \mathrm{chop}_{n-1}(w')$
Want $h(y) = w$ and $h(f(x)) = w'$
Such an $h$ should exist from pair-wise independence
Easy to find and unique for $H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F,\ a \neq 0\}$
Open problem(?): what happens to the security of the construction if $H$ does not have the property

24 Distribution of simulated $A$ vs. real $A$
The difference between the simulated and real $A$:
Real $A$ gets $g$ defined by random $h \in H$
Simulated $A$ chooses $x$ and gets $g$ defined by
– Choosing random $z \in \{0,1\}^n$ and computing $y = f(z)$
$y$ is uniform in $\{0,1\}^n$ from $f$ being a permutation
– Choosing random $w \in \{0,1\}^n$ and finding random $h \in H$ such that $h(y) = w$ and $h(f(x)) = w'$
– Since both random $y$ and random $w$ are random the result is a random $h \in H$
Simulated $A$ and real $A$ witness the same distribution
The probability that $B$ inverts is the same as $A$ finding a collision

25 What about the reverse combination
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations
Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$: $g(x) = \mathrm{chop}_{n-1}(f(h(x)))$
Is it a UOWHF?
Not necessarily: if $h$ is easy to invert and $f$ does not affect the last bit
– not contradictory to either being one-way or a permutation
Then easy to find collisions: any $x$, $x'$ that collide under $h$ will also collide under $g$
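An added example (not from the lecture) for slides 23 and 25, worked in the toy field $GF(2^8)$: `program_h` solves for the unique $h_{a,b}$ with $h(y) = w$ and $h(f(x)) = w'$, and `reverse_collision` shows why $\mathrm{chop}_{n-1}(f(h(x)))$ fails when $f$ leaves the last bit untouched. The field size, the reduction polynomial, the toy permutation and all function names are assumptions, and nothing is one-way at this size.

```python
N, POLY = 8, 0x11B  # toy field GF(2^8); size and polynomial are assumptions

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^N): carry-less product reduced by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse of a != 0, computed as a^(2^N - 2)."""
    r = 1
    for _ in range(2 ** N - 2):
        r = gf_mul(r, a)
    return r

def h(a: int, b: int, x: int) -> int:
    """h_{a,b}(x) = a*x + b over the field, with a != 0."""
    return gf_mul(a, x) ^ b

def chop(v: int) -> int:
    """chop_{n-1}: drop the last bit, a 2-to-1 map."""
    return v >> 1

def program_h(y: int, fx: int, w: int) -> tuple[int, int]:
    """Slide 23: the unique (a, b) with h(y) = w and h(f(x)) = w' = w xor 1."""
    if y == fx:
        raise ValueError("y = f(x): x already inverts y, nothing to program")
    a = gf_inv(y ^ fx)  # a = (w + w') / (y + f(x)), and w + w' = 1
    return a, w ^ gf_mul(a, y)

def f_keeps_last_bit(v: int) -> int:
    """Slide 25's bad case: a toy permutation (not one-way) that copies bit 0."""
    return (((v >> 1) * 37 + 11) % 128) << 1 | (v & 1)

def g_reverse(a: int, b: int, x: int) -> int:
    """The reverse combination g(x) = chop(f(h(x)))."""
    return chop(f_keeps_last_bit(h(a, b, x)))

def reverse_collision(a: int, b: int, x: int) -> int:
    """x' = h^{-1}(h(x) xor 1), which collides with x under g_reverse."""
    return gf_mul(gf_inv(a), h(a, b, x) ^ 1 ^ b)
```

In the order $h \circ f$ the same trick yields only $f(x')$, so finding $x'$ still requires inverting $f$; in the reverse order the collision is computed from $h$ alone.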

26 From $(n, n-1)$-UOWHFs to $(n, n/2)$-UOWHFs
Idea: composition.
What happens to the security of the scheme?
– The probability of inverting $f$ given a collision finding algorithm for $H$ may be small by a factor of $2/n$

27 Sources
Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2: www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
Papers:
– Universal Hashing: Carter & Wegman, Wegman and Carter, JCSS 1979, 1981
– UOWHF: Naor & Yung, www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html

28 Homework
Given $\varepsilon, n$ what is the number of bits needed to specify an authentication scheme?
Bonus: Can interaction help?
– Can the number of shared secret bits be smaller than in a unidirectional scheme
– Can the number of shared bits depend on $\varepsilon$ only?

29 What about the public-key problem?
Recall: Bob and Charlie share the set-up phase information
Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in $R$
– Soundness: If Alice wants to send $m$ and Eve and Charlie do interfere, $R$ is either $N$ or $m$ (but not $m' \neq m$)
– If Alice does not want to send a message, $R$ is $N$
Who chooses which $m$ Alice will want to approve?
– Adversary does. This is a chosen message attack
As before: complexity to the rescue

