Lecturer: Moni Naor Foundations of Cryptography Lecture 4: One-time Signatures, UOWHFs.
Lecturer: Moni Naor
Foundations of Cryptography
Lecture 4: One-time Signatures, UOWHFs
Recap of last week’s lecture
• Functions that are one-way on their iterates
• The one-time authentication problem
• The hash based protocol
– Strongly Universal hash functions
• Definition and constructions
– δ-Universal2 hash functions
• Their application in authentication
• Polynomial constructions
• Composition and tree
The authentication problem: computational public-key version
• Alice wants to send a message m ∈ {0,1}^n to Bob or to Charlie
– Set-up phase is public
• They want to prevent Eve from interfering
– Bob should be sure that the message m’ he receives is equal to the message m Alice sent
[Figure: Alice sends m to Bob over a channel controlled by Eve]
Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register R ∈ {N} ⋃ {0,1}^n, where N means "no message"
Eve completely controls the channel
Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
– R is either N or m (but not m’ ≠ m)
– If Alice does not want to send a message, R is N
Since this is a generalization of the identification problem – must use shared secrets and probability or complexity
Probabilistic version:
• for any behavior of Eve and for any message m ∈ {0,1}^n, the probability that Bob is in state m’ ≠ m or N is at most ε
What about the public-key problem?
• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in register R
– Soundness: If Alice wants to send m and Eve and Charlie do interfere
• R is either N or m (but not m’ ≠ m) – otherwise this is an existential forgery
• If Alice does not want to send a message, R is N
• Who chooses which m Alice will want to approve?
– The adversary does. This is a chosen message attack
• When is m’ chosen? – It might be after the authentication of m has been seen
• As before: complexity to the rescue
A one-time public-key authentication
Let f: {0,1}^n → {0,1}^n be a one-way function
– The adversary’s running time is bounded by a polynomial
To sign/authenticate a single-bit message:
• Setup phase:
– Alice chooses a random pair x0, x1 ∈ {0,1}^n and
– computes y0 = f(x0) and y1 = f(x1)
– gives Bob and Charlie (y0, y1)
• When Alice wants to approve m ∈ {0,1} – she sends (m, xm)
• If Bob gets any symbols on the channel – call them (m, z) – he computes f(z) and compares it to ym
– If equal, he moves to state m
– If not equal, he moves permanently to state N
• Why is it secure?
• What about n-bit messages?
– Alice prepares a set of n pairs and opens the appropriate ones
• Since this is noninteractive, Bob can convince Charlie that Alice approved message m
– Non-repudiation from Alice
Signing n-bit messages (Lamport’s Scheme)
[Figure: the public key is the list of 2n images f(x_1^0), f(x_1^1), f(x_2^0), f(x_2^1), …, f(x_n^0), f(x_n^1); for the message bits 1 0 … 1 0 the signature opens, at each position i, the preimage x_i^{m_i} selected by message bit m_i]
Security of the Scheme
Theorem: If there is an adversary A that
• chooses a message m ∈ {0,1}^n for Alice to legitimately authenticate
• forges a message m’ ≠ m with probability at least ε
then there is an adversary B that
• can break the function f with probability at least ε/2n
• operates in time roughly the same as A
Proof:
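The n-bit Lamport scheme from the slides above, as an added worked example (not code from the lecture): SHA-256 is an assumed stand-in for the one-way function f, and the OneTimeKey wrapper is an added guard that enforces the one-time property Bob’s check relies on.

```python
import hashlib
import secrets

K = 32  # bytes per preimage; the slides' k is in bits, so k = 8*K here

def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256 used as a black box)."""
    return hashlib.sha256(x).digest()

def keygen(n: int):
    """Setup: n random pairs (x_i^0, x_i^1); the public key is the 2n images f(x_i^b)."""
    sk = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def public_key_bits(pk) -> int:
    """2nk bits, as counted on the 'Size of the public key' slide."""
    return sum(8 * (len(y0) + len(y1)) for y0, y1 in pk)

def sign(sk, bits):
    """Open x_i^{m_i} for each message bit m_i. Every signature reveals half of sk."""
    if len(bits) != len(sk):
        raise ValueError("message length must equal the number of key pairs")
    return [sk[i][b] for i, b in enumerate(bits)]

def verify(pk, bits, sig) -> bool:
    """Bob's check: f(z_i) == y_i^{m_i} at every position, else he moves to state N."""
    if len(bits) != len(pk) or len(sig) != len(pk):
        return False
    return all(f(z) == pk[i][b] for i, (b, z) in enumerate(zip(bits, sig)))

class OneTimeKey:
    """Holds sk and refuses a second signature: signing two different messages with
    one Lamport key exposes both preimages at every position where they differ."""

    def __init__(self, n: int):
        self.sk, self.pk = keygen(n)
        self.used = False

    def sign(self, bits):
        if self.used:
            raise RuntimeError("one-time key already used")
        self.used = True
        return sign(self.sk, bits)
```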
Size of the public key
• The size of the public key
– Let f: {0,1}^k → {0,1}^k be a one-way function
– To be able to sign an n-bit message we need 2nk bits of public key.
• Preparing a public key takes
– 2n evaluations of the one-way function and
– 2nk bits of public key.
Homework: Suggest a tradeoff with more evaluations but fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way on their iterates
Regeneration
• If we could get a smaller public key, we could regenerate it (sign a fresh, smaller public key with each message) and so sign/authenticate an unbounded number of messages
– What if you had three wishes…?
• Idea: use hashing to compress the new public key
• What about universal hashing?
– Problem: in universal hashing both m and m’ are chosen in advance
– Must use computational hardness somewhere
Possible definitions
• A function g: {0,1}^{2n} → {0,1}^n where it is hard to find m’ ≠ m with g(m) = g(m’)
• Problems:
– not good for non-uniform models
– hard to connect to other assumptions
• Want a family of functions from which one is selected
• Use the advantage we have: the target is known
Possible definitions
• A family of functions G = {g | g: {0,1}^n → {0,1}^{h(n)}} such that
• Easy to sample g from G, and g ∈ G has a succinct description
• Given (n, g, x) easy to compute g(x)
• h(n) < n
• Hard to find collisions:
Alternative 1 – any collision
– Given n and g ∈ G, hard to find x, x’ ∈ {0,1}^n where x ≠ x’ but g(x) = g(x’)
– Sometimes called collision intractable
– Hard to connect to other assumptions
Alternative 2 – target collision
– Given (n, g, x), hard to find x’ ∈ {0,1}^n where x ≠ x’ but g(x) = g(x’)
Universal One-Way Hash functions (UOWHFs)
• When/how is the target x chosen?
• Independently of g, but we want it to work for any possible x
– First x is selected by the adversary, then g ∈ G is selected at random
• Technical point: let ℓ1, ℓ2: {0,1}* → {0,1}* be functions mapping n to the input and output sizes. We assume
– ℓ1(n) > ℓ2(n) and
– both are bounded by polynomials in n
Definition: A family of functions G = ⋃_{n=1}^∞ Gn where Gn = {g | g: {0,1}^{ℓ1(n)} → {0,1}^{ℓ2(n)}} is called (ℓ1, ℓ2)-universal one-way hash if:
• Given n, easy to sample a random g from Gn, and g ∈ Gn has a description polynomial in n
• Given (n, g, x), easy to compute g(x)
• Hard to find target collisions: no polynomial time adversary can, on input n,
– generate x ∈ {0,1}^{ℓ1(n)}
– given a random g ∈ Gn, find x’ ∈ {0,1}^{ℓ1(n)} where x ≠ x’ but g(x) = g(x’)
and succeed with non-negligible probability for sufficiently large n
Homework
• Show that the existence of UOWHFs implies the existence of one-way functions
• Show that there are families of UOWHFs which are not collision intractable
• Show that if the (n, βn)-subset sum assumption holds for β < 1, then the corresponding subset sum function defines a family of UOWHFs
– You may use the fact that for m = βn, for most a1, a2, …, an ∈ {0, …, 2^m − 1} the distribution of T = ∑_{i∈S} ai is close to uniform when S is random.
Composing UOWHFs: Concatenation
Let G be a (ℓ1, ℓ2)-family of UOWHFs
Consider the (2ℓ1, 2ℓ2)-family G’ where each g’ ∈ G’ is defined by a function g ∈ G and where g’(x1, x2) = g(x1), g(x2)
Claim: the family above is a (2ℓ1, 2ℓ2)-family of Universal One-way Hash functions
Proof: let the adversary choose x1, x2 as the target and let x’1, x’2 be the colliding value
• If x1 ≠ x’1, we found a collision with x1, i.e. g(x1) = g(x’1)
• If x2 ≠ x’2, we found a collision with x2, i.e. g(x2) = g(x’2)
• Guess which case b ∈ {0,1} will occur
– correct with probability ½, and
– output xb as the target collision
Running time – similar. Probability of success – at least ½ of that of the adversary against G’
Composing UOWHFs: Composition
Let
• G1 be a (ℓ1, ℓ2)-family of UOWHFs
• G2 be a (ℓ2, ℓ3)-family of UOWHFs
Consider the family G which is a (ℓ1, ℓ3)-family and where each g ∈ G is defined by g1 ∈ G1 and g2 ∈ G2
g(x) = g2(g1(x))
Claim: the family above is a (ℓ1, ℓ3)-family of UOWHFs
Proof: the collision must occur either at the first hash function or the second hash function…
[Figure: ℓ1 bits → g1 → ℓ2 bits → g2 → ℓ3 bits]
Composing UOWHFs
Proof:
• If a collision in the first phase occurs more frequently, we can break G1
– Use the target x given by the adversary as the target for G1
• If a collision in the second phase occurs more frequently, we can break G2
– Take the target x given by the adversary, choose g1 ∈R G1 and set z = g1(x) as the target for G2
– Given g2 ∈ G2, give the adversary g = g1, g2
– Key point: we can choose g1 in the target phase
The Tree Construction
Let G be a (2k,k)-UOWHF
Let n = 2^t ∙ k, so t = log(n/k). Each gi (one per level i = 1, …, t) is chosen independently from G. The result is a family of functions {0,1}^n → {0,1}^k which is an (n,k)-UOWHF.
Size of representation: t log|G|, where t is the number of levels in the tree
[Figure: a binary tree over the n-bit message m; g1 is applied to pairs of k-bit leaves, g2 to pairs of the resulting blocks, g3 to the next level, and so on up to the k-bit root]
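The tree construction, plus the reduction step behind the composition proof on the preceding slides (a root collision yields a collision for one level’s gi), as an added example that is not the lecture’s code. Assumptions: a member of the (2k,k) family G is modelled by keyed, truncated SHA-256 (a stand-in, not a proven UOWHF), and lengths are in bytes rather than bits.

```python
import hashlib
from itertools import count

def g_eval(key: bytes, x: bytes, k: int) -> bytes:
    """One member of the (2k,k) family G, selected by key: {0,1}^{2k} -> {0,1}^k,
    lengths in bytes. Assumption: keyed, truncated SHA-256 stands in for a UOWHF."""
    if len(x) != 2 * k:
        raise ValueError("g expects a 2k-byte input")
    return hashlib.sha256(key + x).digest()[:k]

def _blocks(x: bytes, k: int):
    return [x[i:i + k] for i in range(0, len(x), k)]

def _pairs(blocks):
    return [blocks[i] + blocks[i + 1] for i in range(0, len(blocks), 2)]

def tree_hash(keys, x: bytes, k: int) -> bytes:
    """Hash n = 2^t * k bytes to k bytes; keys[i] selects the g_i used on level i."""
    if len(x) != (2 ** len(keys)) * k:
        raise ValueError("input must be 2^t * k bytes for t levels")
    level = _blocks(x, k)
    for key in keys:                      # one independently chosen g per level
        level = [g_eval(key, p, k) for p in _pairs(level)]
    return level[0]

def locate_collision(keys, x: bytes, x2: bytes, k: int):
    """Given x != x2 with equal roots, return (i, a, b) with a != b and
    g_i(a) == g_i(b): a tree collision yields a collision on one level."""
    lvl, lvl2 = _blocks(x, k), _blocks(x2, k)
    for i, key in enumerate(keys):
        for a, b in zip(_pairs(lvl), _pairs(lvl2)):
            if a != b and g_eval(key, a, k) == g_eval(key, b, k):
                return i, a, b
        lvl = [g_eval(key, p, k) for p in _pairs(lvl)]
        lvl2 = [g_eval(key, p, k) for p in _pairs(lvl2)]
    raise ValueError("inputs do not collide")

def find_tree_collision(keys, k: int):
    """Birthday search for a root collision; feasible only for toy k (e.g. 1 byte)."""
    n, seen = (2 ** len(keys)) * k, {}
    for i in count():
        x = i.to_bytes(n, "big")
        root = tree_hash(keys, x, k)
        if root in seen:
            return seen[root], x
        seen[root] = x
```

With k = 1 byte the search finds a colliding pair in a few hundred evaluations, and locate_collision then exhibits the level at which the two computations merge.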
Constructing (n, n-1)-UOWHFs
• Idea: Combine one-way with universal
– Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n-1}(h(f(x)))
Pair-wise independent permutations
Definition: a family of permutations (1-1 functions) H = {h | h: {0,1}^n → {0,1}^n} is called Strongly Universal2 or pair-wise independent if:
– for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and y1 ≠ y2 we have
Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n ∙ 1/(2^n − 1)
where the probability is over a randomly chosen h ∈ H
The same as in truly random permutations
In particular Prob[h(x2) = y2 | h(x1) = y1] = 1/(2^n − 1)
Construction: let F be a finite field (e.g. GF[2^n])
H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}
New condition
Constructing (n, n-1)-UOWHFs
• Idea: Combine one-way with universal
– Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of permutations
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
– E.g. chopping the last bit of the input
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n-1}(h(f(x)))
Proof of Security
Want to construct, from an algorithm A which finds target collisions for G, an inversion algorithm B for f
Algorithm B:
• Input: y = f(z) to invert
• Run algorithm A to get the target x
• Find a random h ∈ H such that chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))) and give the corresponding g as a challenge to A
– Why does such an h exist and how to find it?
• If A finds x’ such that g(x’) = g(x) then chop_{n-1}(h(f(x))) = chop_{n-1}(h(f(x’))) = chop_{n-1}(h(y)), and y = f(x’) since h is 1-1 (and f(x’) ≠ f(x) because f is a permutation)
What is the probability of success of B?
The same as that of the simulated collision algorithm A for G
Claim: the probability the simulated algorithm A witnesses is the same as for the real A
[Figure: B receives y = f(z); A outputs the target x; B returns g to A; A outputs x’]
Why does such an h exist and how to find it?
Want chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
• Choose a random w ∈ {0,1}^n
• Let w’ ≠ w be such that chop_{n-1}(w) = chop_{n-1}(w’)
• Want h(y) = w and h(f(x)) = w’
• Such an h should exist from pair-wise independence
• Easy to find, and unique, for H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}
• Open problem(?): what happens to the security of the construction if H does not have the property
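B’s step of solving for the unique h_{a,b} with h(y) = w and h(f(x)) = w’, worked in the field H is built over, as an added example (not from the lecture). Assumptions: n = 8 with F = GF(2^8), chop_{n-1} drops the last bit, and f is a fixed permutation of bytes standing in for the one-way permutation (it is not one-way; only its being a permutation matters here).

```python
# Toy parameters (all assumptions): n = 8, F = GF(2^8) with polynomial x^8+x^4+x^3+x+1;
# f is a fixed permutation of bytes standing in for the one-way permutation (NOT one-way).
POLY = 0x11B

def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^8): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse of a != 0 in GF(2^8): a^(2^8 - 2) by square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def h(a: int, b: int, x: int) -> int:
    return gf_mul(a, x) ^ b           # h_{a,b}(x) = a*x + b; a permutation when a != 0

def chop(v: int) -> int:
    return v >> 1                     # chop_{n-1}: drop the last bit (2-to-1)

def f(x: int) -> int:
    return (31 * x + 7) & 0xFF        # stand-in permutation of {0,1}^8 (31 is odd, so bijective)

def g(a: int, b: int, x: int) -> int:
    return chop(h(a, b, f(x)))        # g(x) = chop_{n-1}(h(f(x)))

def find_h(y: int, fx: int, w: int):
    """B's step: the unique (a, b) with h(y) = w and h(f(x)) = w', where w' = w with its
    last bit flipped, so chop(h(y)) == chop(h(f(x))). Two points fix the line, and
    a != 0 exactly when y != f(x) (if y == f(x), B already holds the preimage x)."""
    if y == fx:
        raise ValueError("y == f(x): nothing to simulate, x already inverts y")
    a = gf_inv(y ^ fx)                # a = (w - w') / (y - f(x)), and w - w' = 1 in GF(2^8)
    b = w ^ gf_mul(a, y)              # b = w - a*y
    return a, b
```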
Distribution of simulated A vs. real A
The difference between the simulated and real A:
• Real A gets g defined by a random h ∈ H
• Simulated A chooses x and gets g defined by
– choosing a random z ∈ {0,1}^n and computing y = f(z)
• y is uniform in {0,1}^n since f is a permutation
– choosing a random w ∈ {0,1}^n and finding the random h ∈ H such that h(y) = w and h(f(x)) = w’
– Since both y and w are uniformly random, the result is a random h ∈ H
Simulated A and real A witness the same distribution
The probability that B inverts is the same as that of A finding a collision
What about the reverse combination?
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family of permutations
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n-1}(f(h(x)))
Is it a UOWHF?
Not necessarily: if
• h is easy to invert and
• f does not affect the last bit
– not contradictory to either being one-way or a permutation
then it is easy to find collisions: for any x, the x’ that collides with x under h (after chopping the last bit) will also collide under g
From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
• Idea: composition.
• What happens to the security of the scheme?
– The probability of inverting f given a collision finding algorithm for H may be smaller by a factor of 2/n
Sources
• Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2
• www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
– Universal Hashing: Carter & Wegman, Wegman & Carter, JCSS 1979, 1981
– UOWHF: Naor & Yung
• www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html
Homework
• Given ε, n, what is the number of bits needed to specify an authentication scheme?
• Bonus: Can interaction help?
– Can the number of shared secret bits be smaller than in a unidirectional scheme?
– Can the number of shared bits depend on ε only?