Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs.

Post on 20-Dec-2015



Lecturer: Moni Naor

Foundations of Cryptography

Lecture 4: One-time Signatures, UOWHFs

Recap of last week's lecture
• Functions that are one-way on their iterates
• The one-time authentication problem
• The hash based protocol
  – Strongly Universal2 hash functions: definition and constructions
  – δ-Universal2 hash functions: their application in authentication, polynomial constructions, composition and tree

The authentication problem: computational public-key version
• Alice wants to send a message m ∈ {0,1}^n to Bob or to Charlie
  – The set-up phase is public
• They want to prevent Eve from interfering
  – Bob should be sure that the message m' he receives is equal to the message m Alice sent
[Figure: Alice sends m to Bob over a channel controlled by Eve]

Specification of the Problem (old)
Alice and Bob communicate through a channel. Bob has an external register R ∈ {N} ∪ {0,1}^n, where N stands for "no message". Eve completely controls the channel.
Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
  – R is either N or m (but not m' ≠ m)
  – If Alice does not want to send a message, R is N
Since this is a generalization of the identification problem, one must use shared secrets together with either probability or complexity.
Probabilistic version: for any behavior of Eve and any message m ∈ {0,1}^n, the probability that Bob ends in a state m' with m' ≠ m and m' ≠ N is at most ε

What about the public-key problem?
• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
  – Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in register R
  – Soundness: If Alice wants to send m and Eve and Charlie do interfere
    • R is either N or m (but not m' ≠ m); a state m' ≠ m is an existential forgery
    • If Alice does not want to send a message, R is N
• Who chooses which m Alice will want to approve?
  – The adversary does. This is a chosen message attack
  – When is m' chosen? Possibly after the authentication of m has been seen
• As before: complexity to the rescue

A one-time public-key authentication
Let f: {0,1}^n → {0,1}^n be a one-way function
  – The adversary's running time is bounded by a polynomial
To sign/authenticate a single-bit message:
• Setup phase:
  – Alice chooses a random pair x0, x1 ∈ {0,1}^n
  – Computes y0 = f(x0) and y1 = f(x1)
  – Gives Bob and Charlie (y0, y1)
• When Alice wants to approve m ∈ {0,1}, she sends (m, xm)
• If Bob gets any symbols on the channel, call them (m, z): he computes f(z) and compares it to ym
  – If equal, he moves to state m
  – If not equal, he moves permanently to state N
• Why is it secure?
• What about n-bit messages?
  – Alice prepares a set of n pairs and opens the appropriate ones
• Since this is non-interactive, Bob can convince Charlie that Alice approved message m
  – Non-repudiation from Alice

Signing n-bit messages (Lamport's Scheme)
Public key: the n pairs (f(x_1^0), f(x_1^1)), (f(x_2^0), f(x_2^1)), …, (f(x_n^0), f(x_n^1))
Message: m = m_1 m_2 … m_n; the signature opens x_i^{m_i} for every position i
[Figure: for message bits 1 0 1 0 … the opened preimages are x_1^1, x_2^0, x_3^1, x_4^0, …]

Security of the Scheme
Theorem: If there is an adversary A that
• chooses a message m ∈ {0,1}^n for Alice to legitimately authenticate, and
• forges a signature on a message m' ≠ m with probability at least ε,
then there is an adversary B that
• can break (invert) the function f with probability at least ε/2n, and
• operates in time roughly the same as A.
Proof (sketch): B receives y = f(x) for a random x and must output a preimage of y. It picks a random index i ∈ {1, …, n} and bit b ∈ {0,1}, generates the other 2n − 1 entries of the public key honestly, and plants y as y_i^b. Since y is the image of a random input, it is distributed exactly like every other entry, so A's view is that of a real public key. When A asks for a signature on m, B can answer unless m_i = b (then it gives up). If A forges (m', signature) with m' ≠ m, there is some index j with m'_j ≠ m_j, and the forged signature contains a preimage of y_j^{m'_j}. B succeeds whenever (i, b) = (j, m'_j): in that case m_i ≠ b, so B never had to give up, and the forgery inverts y. Because (i, b) is independent of the execution A sees, this happens with probability at least 1/2n, for a total of at least ε/2n.
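Lamport's scheme as runnable code, added here as an illustration and not part of the lecture. It assumes SHA-256 as the one-way function f (the lecture keeps f abstract), fixes n = 256, and, because the security argument above only covers one signed message, also shows concretely what goes wrong on key reuse: after two signatures the attacker holds both preimages at every differing position and can sign a third message.

```python
import hashlib
import secrets

N = 256  # message length in bits: one (x_i^0, x_i^1) pair per message bit

def f(x: bytes) -> bytes:
    """The one-way function. Assumption: SHA-256 stands in for the lecture's abstract f."""
    return hashlib.sha256(x).digest()

def keygen(n: int = N):
    """Private key: n random pairs; public key: their images under f (2n evaluations)."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def bits(msg: bytes, n: int):
    """Message bits m_1 ... m_n, most significant first."""
    v = int.from_bytes(msg, "big")
    return [(v >> (n - 1 - i)) & 1 for i in range(n)]

def sign(sk, msg: bytes):
    """Open x_i^{m_i} for every i. The key must never sign a second message."""
    n = len(sk)
    assert len(msg) * 8 == n, "message length must match the key"
    return [sk[i][b] for i, b in enumerate(bits(msg, n))]

def verify(pk, msg: bytes, sig) -> bool:
    """Bob's check: f(z_i) == y_i^{m_i} at every position; any mismatch rejects."""
    n = len(pk)
    if len(msg) * 8 != n or len(sig) != n:
        return False
    return all(f(sig[i]) == pk[i][b] for i, b in enumerate(bits(msg, n)))

def forge_from_two_signatures(m1: bytes, s1, m2: bytes, s2):
    """Why the scheme is one-time: after signatures on m1 and m2 the attacker
    knows, at every position where they differ, both x_i^0 and x_i^1, so it can
    sign any message that agrees with m1 or m2 bit by bit. This forgery takes
    the bit of m1 at even positions and the bit of m2 at odd positions."""
    n = len(s1)
    known = [{} for _ in range(n)]                 # known[i][b] = x_i^b
    b1, b2 = bits(m1, n), bits(m2, n)
    for mb, s in ((b1, s1), (b2, s2)):
        for i, b in enumerate(mb):
            known[i][b] = s[i]
    fb = [b1[i] if i % 2 == 0 else b2[i] for i in range(n)]
    forged = int("".join(map(str, fb)), 2).to_bytes(n // 8, "big")
    return forged, [known[i][fb[i]] for i in range(n)]

if __name__ == "__main__":
    sk, pk = keygen()
    m1, m2 = bytes(32), b"\xff" * 32               # constructed sample messages
    s1 = sign(sk, m1)
    assert verify(pk, m1, s1) and not verify(pk, m2, s1)
    s2 = sign(sk, m2)                              # the mistake: reusing the key
    m3, s3 = forge_from_two_signatures(m1, s1, m2, s2)
    assert m3 not in (m1, m2) and verify(pk, m3, s3)
    print("forged a valid signature on a third message after key reuse")
```

The forgery needs no inversion of f at all, which is the practical reading of the theorem: the reduction only charges the forger for positions it never saw opened, so a deployment must enforce the one-time property (delete or mark the private key after its single use).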

Size of the public key
• Let f: {0,1}^k → {0,1}^k be a one-way function
  – To be able to sign an n-bit message one needs 2nk bits of public key
• Preparing a public key takes
  – 2n evaluations of the one-way function, and
  – 2nk bits of public key
Homework: Suggest a tradeoff with more evaluations but fewer bits in the public key.
  – Hint: you may assume that you have functions that are one-way on their iterates

Regeneration
• If we could get a smaller public key, we could regenerate a fresh one with each message (signing the new public key together with the message) and so sign/authenticate an unbounded number of messages
  – What if you had three wishes…?
• Idea: use hashing to compress the new public key
• What about universal hashing?
  – Problem: universal hashing only guarantees anything when both m and m' are fixed before the function is chosen, whereas here the adversary picks m' after seeing the hash function
  – Must use computational hardness somewhere

Possible definitions
• A single function g: {0,1}^{2n} → {0,1}^n for which it is hard to find m' ≠ m with g(m) = g(m')
• Problems:
  – not good for non-uniform models (a fixed collision can be hard-wired into the adversary)
  – hard to connect to other assumptions
• Want a family of functions from which one is selected
• Use the advantage we have: the target is known

Possible definitions
• A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
  – it is easy to sample g from G, and g ∈ G has a succinct description
  – given (n, g, x) it is easy to compute g(x)
  – h(n) < n
• Hard to find collisions:
  – Alternative 1, any collision: given n and g ∈ G it is hard to find x, x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x'). Sometimes called collision intractable; hard to connect to other assumptions
  – Alternative 2, target collision: given (n, g, x) it is hard to find x' ∈ {0,1}^n where x ≠ x' but g(x) = g(x')

Universal One-Way Hash functions (UOWHFs)
• When/how is the target x chosen?
  – Independently of g, but we want security for any possible x
  – First x is selected by the adversary, then g ∈ G is selected at random
• Technical point: let ℓ1, ℓ2: {0,1}* → {0,1}* be functions mapping n to the input and output sizes. We assume
  – ℓ1(n) > ℓ2(n), and
  – both are bounded by polynomials in n
Definition: A family of functions G = ⋃_{n=1}^∞ G_n, where G_n = {g | g: {0,1}^{ℓ1(n)} → {0,1}^{ℓ2(n)}}, is called (ℓ1, ℓ2)-universal one-way hash if:
• Given n it is easy to sample a random g from G_n, and g ∈ G_n has a description polynomial in n
• Given (n, g, x) it is easy to compute g(x)
• Hard to find target collisions: no polynomial time adversary that, on input n,
  – generates x ∈ {0,1}^{ℓ1(n)}, and then,
  – given a random g ∈ G_n, finds x' ∈ {0,1}^{ℓ1(n)} where x ≠ x' but g(x) = g(x'),
  succeeds with non-negligible probability for sufficiently large n

Homework
• Show that the existence of UOWHFs implies the existence of one-way functions
• Show that there are families of UOWHFs which are not collision intractable
• Show that if the (n, βn)-subset sum assumption holds for β < 1, then the corresponding subset sum function defines a family of UOWHFs
  – You may use the fact that for m = βn and most a_1, a_2, …, a_n ∈ {0, …, 2^m − 1}, the distribution of T = Σ_{i∈S} a_i is close to uniform when S ⊆ {1, …, n} is random

Composing UOWHFs: Concatenation
Let G be an (ℓ1, ℓ2)-family of UOWHFs. Consider the (2ℓ1, 2ℓ2)-family G' where each g' ∈ G' is defined by a function g ∈ G and
  g'(x1, x2) = g(x1), g(x2)
Claim: the family above is a (2ℓ1, 2ℓ2)-family of universal one-way hash functions
Proof: let the adversary A' choose (x1, x2) as the target and let (x'1, x'2) be the colliding value it returns for g'. Since (x'1, x'2) ≠ (x1, x2), at least one of the following holds:
• If x1 ≠ x'1 we found a collision with x1, i.e. g(x1) = g(x'1)
• If x2 ≠ x'2 we found a collision with x2, i.e. g(x2) = g(x'2)
The adversary B against G guesses in advance which case b ∈ {1, 2} will occur, outputs x_b as its target, receives a random g, hands A' the g' defined by g, and outputs x'_b
  – the guess is correct with probability at least ½
Running time: similar to A'. Probability of success: at least ½ of the success probability of A' against G'

Composing UOWHFs: Composition
Let
• G1 be an (ℓ1, ℓ2)-family of UOWHFs
• G2 be an (ℓ2, ℓ3)-family of UOWHFs
Consider the family G, which is an (ℓ1, ℓ3)-family, where each g ∈ G is defined by g1 ∈ G1 and g2 ∈ G2:
  g(x) = g2(g1(x))
Claim: the family above is an (ℓ1, ℓ3)-family of UOWHFs
Proof: the collision must occur either at the first hash function or at the second hash function…
[Figure: x ∈ {0,1}^{ℓ1} is mapped by g1 to {0,1}^{ℓ2} and then by g2 to {0,1}^{ℓ3}]
Proof (continued):
• If a collision in the first phase (x ≠ x' but g1(x) = g1(x')) occurs more frequently, we can break G1
  – Use the target x given by the adversary as the target for G1; on receiving g1, choose g2 ∈R G2 yourself and give the adversary g = (g1, g2)
• If a collision in the second phase (g1(x) ≠ g1(x') but g2(g1(x)) = g2(g1(x'))) occurs more frequently, we can break G2
  – Take the target x given by the adversary, choose g1 ∈R G1 and set z = g1(x) as the target for G2
  – Given g2 ∈ G2, give the adversary g = (g1, g2)
  – Key point: we may choose g1 during the target phase, so the target z for G2 can depend on it while g2 is still chosen at random afterwards

The Tree Construction
Let G be a (2k, k)-UOWHF. Let n = 2^t · k, so that t = log(n/k) is the number of levels in the tree. The n-bit input m is split into 2^t blocks of k bits at the leaves; at level i every node applies the same g_i ∈ G to its two k-bit children, and each g_i is chosen independently from G.
[Figure: a binary tree over the blocks of m, with g1 applied at the lowest level, g2 above it, …, g_t at the root]
The result is a family of functions {0,1}^n → {0,1}^k which is an (n, k)-UOWHF.
Size of representation: t · log|G|, where t is the number of levels in the tree.
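The tree construction in code, added as an illustration of the slide's structure and of the first step of its security argument; it is not code from the lecture. It assumes a keyed compression function g_key(block) = SHA-256(key || block) truncated to k = 128 bits as a stand-in for a member of a (2k, k)-UOWHF (the assumption is only that it has the right shape, not that it is one), keeps one key per level as the slide prescribes, and includes a locator that, given two inputs with the same root, walks down the tree to the node where they form a target collision for a single g_i, which is what the composition proofs above rely on. A deliberately weak variant of g is included only so that the locator can be exercised on a real collision.

```python
import hashlib
import secrets

K = 16  # k = 128 bits: the base family maps 2k bits (32 bytes) to k bits (16 bytes)

def g(key: bytes, block: bytes) -> bytes:
    """A member g_key of a (2k, k) family. Assumption: SHA-256 of key||block,
    truncated to k, is only a stand-in for a UOWHF; it gives the right shape,
    not a proof that this function is one."""
    assert len(block) == 2 * K
    return hashlib.sha256(key + block).digest()[:K]

def weak_g(key: bytes, block: bytes) -> bytes:
    """Deliberately collision-prone variant (ignores the block's last byte),
    used only to exercise the collision locator below."""
    assert len(block) == 2 * K
    return hashlib.sha256(key + block[:-1]).digest()[:K]

def tree_keygen(num_leaves: int):
    """One independent key per level: t = log2(n/k) keys, not one per node,
    so the description of the tree function is t * log|G| bits."""
    assert num_leaves > 0 and num_leaves & (num_leaves - 1) == 0, "n must be 2^t * k"
    t = num_leaves.bit_length() - 1
    return [secrets.token_bytes(K) for _ in range(t)]

def tree_levels(keys, x: bytes, base=g):
    """All levels of the tree: the k-bit blocks of x first, the root last."""
    assert len(x) == (1 << len(keys)) * K, "input must be exactly 2^t blocks of k bits"
    out = [[x[i:i + K] for i in range(0, len(x), K)]]
    for key in keys:               # level i applies g_i to every pair of siblings
        prev = out[-1]
        out.append([base(key, prev[i] + prev[i + 1]) for i in range(0, len(prev), 2)])
    return out

def tree_hash(keys, x: bytes, base=g) -> bytes:
    """The (n, k)-UOWHF candidate: the root of the tree."""
    return tree_levels(keys, x, base)[-1][0]

def locate_base_collision(keys, x: bytes, x2: bytes, base=g):
    """First step of the security reduction: given x != x2 with equal roots,
    return (level, block, block2) with block != block2 and
    base(keys[level], block) == base(keys[level], block2), i.e. the node at
    which the tree collision is a target collision for one g_i."""
    lv, lv2 = tree_levels(keys, x, base), tree_levels(keys, x2, base)
    assert x != x2 and lv[-1] == lv2[-1], "not a tree collision"
    for j in range(len(keys), 0, -1):          # from the root down; level j is produced by keys[j-1]
        for i, (u, u2) in enumerate(zip(lv[j], lv2[j])):
            kids, kids2 = lv[j - 1][2 * i:2 * i + 2], lv2[j - 1][2 * i:2 * i + 2]
            if u == u2 and kids != kids2:
                return j - 1, b"".join(kids), b"".join(kids2)
    raise AssertionError("unreachable: equal roots and distinct inputs imply a node collision")

if __name__ == "__main__":
    keys = tree_keygen(8)                      # n = 8 * 128 bits, t = 3 levels
    x = bytes(range(128))                      # constructed sample input
    x2 = x[:31] + b"\x00" + x[32:]             # differs from x in the last byte of leaf 1
    assert tree_hash(keys, x) != tree_hash(keys, x2)          # with the real g
    level, b1, b2 = locate_base_collision(keys, x, x2, base=weak_g)
    print("weak base function collides at level", level)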

Constructing (n, n-1)-UOWHFs
• Idea: combine one-way with universal
  – Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
  g(x) = chop_{n-1}(h(f(x)))

Pair-wise independent permutations
Definition: a family of permutations (1-1 functions) H = {h | h: {0,1}^n → {0,1}^n} is called Strongly Universal2 or pair-wise independent if:
  – for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and y1 ≠ y2 we have
    Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n · 1/(2^n − 1),
  where the probability is over a randomly chosen h ∈ H. This is the same as for truly random permutations.
In particular Prob[h(x2) = y2 | h(x1) = y1] = 1/(2^n − 1)
Construction: let F be a finite field (e.g. GF[2^n]) and
  H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}
New condition: H must be a family of permutations, not merely a Strongly Universal2 family of functions

Constructing (n, n-1)-UOWHFs (with the new condition)
• Idea: combine one-way with universal
  – Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of permutations
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
  – E.g. chopping the last bit of the input
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
  g(x) = chop_{n-1}(h(f(x)))

Proof of Security
Want to construct, from an algorithm A that finds target collisions for G, an inversion algorithm B for f.
Algorithm B:
• Input: y = f(z) to invert
• Run algorithm A to get the target x
• Find a random h ∈ H such that chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))) and give the corresponding g as the challenge to A
  – Why does such an h exist and how do we find it?
• If A finds x' such that g(x') = g(x), then chop_{n-1}(h(f(x'))) = chop_{n-1}(h(f(x))) = chop_{n-1}(h(y)). Since chop_{n-1} identifies only the pair {h(y), h(f(x))} and h is 1-1, f(x') ∈ {y, f(x)}; as f is a permutation and x' ≠ x, f(x') ≠ f(x), so y = f(x') and B outputs x'
What is the probability of success of B? The same as that of the simulated collision algorithm A for G.
Claim: the distribution that the simulated A witnesses is the same as that of the real A
[Figure: B receives y = f(z), obtains the target x from A, sends g to A, receives x' and outputs x']

Why does such an h exist and how to find it? We need chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
• Choose a random w ∈ {0,1}^n
• Let w' ≠ w be such that chop_{n-1}(w) = chop_{n-1}(w') (the other preimage of chop_{n-1}(w))
• Want h(y) = w and h(f(x)) = w'
• Such an h should exist from pair-wise independence (this needs y ≠ f(x); if y = f(x) then x itself is the preimage of y)
• Easy to find, and unique, for H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}: solve the two linear equations a·y + b = w and a·f(x) + b = w' for (a, b)
• Open problem(?): what happens to the security of the construction if H does not have the property

Distribution of simulated A vs. real A
The difference between the simulated and the real A:
• The real A gets g defined by a random h ∈ H
• The simulated A chooses x and gets g defined by
  – choosing a random z ∈ {0,1}^n and computing y = f(z); y is uniform in {0,1}^n since f is a permutation
  – choosing a random w ∈ {0,1}^n and finding the (unique) h ∈ H such that h(y) = w and h(f(x)) = w'
  – since both y and w are uniformly random, the result is a random h ∈ H
Simulated A and real A witness the same distribution.
The probability that B inverts is the same as the probability that A finds a collision.
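The reduction above, carried out in code as an added example (not from the lecture). It assumes n = 128 with F = GF(2^128) under the polynomial x^128 + x^7 + x^2 + x + 1, the family h_{a,b}(u) = a·u + b from the slide, chop_{n-1} = drop the last bit, and a toy "one-way permutation" f built as a 4-round Feistel network with SHA-256 round functions. That f is a permutation but trivially invertible, so the toy adversary A simply computes the unique collision partner with f^{-1}; the point is to show B's planting step (solving for the unique (a, b) given y and f(x)) and that the collision A returns really is a preimage of y.

```python
import hashlib
import secrets

N = 128                       # n: f, h and g all work on 128-bit strings
POLY = (1 << N) | 0x87        # GF(2^128) with x^128 + x^7 + x^2 + x + 1 (the GCM field)

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128); field addition is XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r

def gf_inv(a: int) -> int:
    """a^(2^128 - 2) = a^(-1) for a != 0."""
    assert a != 0
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# Toy one-way permutation f. Assumption: a 4-round Feistel network with SHA-256
# round functions; it is a permutation, but it is easily invertible (f_inv),
# so it only plays the role of f in the mechanics of the reduction.
def _round(i: int, half: int) -> int:
    return int.from_bytes(hashlib.sha256(bytes([i]) + half.to_bytes(8, "big")).digest()[:8], "big")

def f(x: int) -> int:
    l, r = x >> 64, x & ((1 << 64) - 1)
    for i in range(4):
        l, r = r, l ^ _round(i, r)
    return (l << 64) | r

def f_inv(y: int) -> int:
    l, r = y >> 64, y & ((1 << 64) - 1)
    for i in reversed(range(4)):
        l, r = r ^ _round(i, l), l
    return (l << 64) | r

# The pair-wise independent permutations h_{a,b}(u) = a*u + b over GF(2^128), a != 0.
def h(a: int, b: int, u: int) -> int:
    return gf_mul(a, u) ^ b

def h_inv(a: int, b: int, v: int) -> int:
    return gf_mul(gf_inv(a), v ^ b)

def chop(u: int) -> int:
    """chop_{n-1}: drop the last bit; u and u ^ 1 are the only pair it identifies."""
    return u >> 1

def g(a: int, b: int, x: int) -> int:
    """The (n, n-1)-UOWHF candidate g(x) = chop_{n-1}(h(f(x)))."""
    return chop(h(a, b, f(x)))

def plant_challenge(y: int, x: int):
    """B's key step: pick w at random, let w' = w ^ 1 be its chop-sibling, and
    solve a*y + b = w, a*f(x) + b = w' for the unique (a, b) with a != 0.
    Needs y != f(x); otherwise x already inverts y and no challenge is needed."""
    t = f(x)
    if t == y:
        return None
    w = secrets.randbits(N)
    a = gf_mul(w ^ (w ^ 1), gf_inv(y ^ t))   # (w - w') / (y - f(x)) = 1 / (y + f(x))
    b = w ^ gf_mul(a, y)
    return a, b

def toy_collision_finder(a: int, b: int, x: int) -> int:
    """Stands in for A. For this g the only x' != x with g(x') == g(x) is
    f^-1(h^-1(w')), w' the sibling of h(f(x)); a real A would have to find it
    without f_inv, the toy just computes it to show where the reduction sends it."""
    return f_inv(h_inv(a, b, h(a, b, f(x)) ^ 1))

def invert_with_collision_finder(y: int, x: int) -> int:
    """Algorithm B: given y = f(z) and A's target x, output z."""
    key = plant_challenge(y, x)
    if key is None:
        return x
    a, b = key
    assert chop(h(a, b, y)) == chop(h(a, b, f(x)))   # the planted relation
    x_prime = toy_collision_finder(a, b, x)
    assert x_prime != x and g(a, b, x_prime) == g(a, b, x)
    return x_prime                                   # f(x_prime) == y

if __name__ == "__main__":
    z, x = secrets.randbits(N), secrets.randbits(N)  # constructed: z to hide, A's target x
    assert f(invert_with_collision_finder(f(z), x)) == f(z)
    print("B inverted y using A's single target collision")
```

Note that a = 1/(y + f(x)) and b = w + a·y are determined by (y, w); with y uniform (f is a permutation applied to a random z) and w uniform, (a, b) is a uniformly random member of H with a ≠ 0, which is the distribution claim of the slide.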

What about the reverse combination?
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of permutations
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H:
  g(x) = chop_{n-1}(f(h(x)))
Is it a UOWHF?
Not necessarily: if
• h is easy to invert, and
• f does not affect the last bit
  – neither condition contradicts H being pair-wise independent or f being a one-way permutation
then it is easy to find collisions: for any x, take the x' whose image h(x') differs from h(x) only in the last bit; f preserves that difference, chop_{n-1} removes it, so x' collides with x under g, and x' = h^{-1}(h(x) ⊕ 0…01) is easy to compute

From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
• Idea: composition (n/2 stages, each shrinking the input by one bit)
• What happens to the security of the scheme?
  – The probability of inverting f given a collision-finding algorithm for G may be smaller by a factor of 2/n, since the reduction must guess which of the n/2 stages the collision occurs in

Sources
• Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2
  – www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
  – Universal Hashing: Carter & Wegman, Wegman & Carter, JCSS 1979, 1981
  – UOWHF: Naor & Yung, www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html

Homework
• Given ε, n, what is the number of bits needed to specify an authentication scheme?
• Bonus: Can interaction help?
  – Can the number of shared secret bits be smaller than in a unidirectional scheme?
  – Can the number of shared bits depend on ε only?
