Foundations of Cryptography Lecture 6 Lecturer: Moni Naor

Recap of last week’s lecture

• The one-time signature scheme from one-way function ('Lamport')
• The idea of regeneration
• Strongly Universal One-Way Hash
  – Definition and Constructions
• Combining
  – Concatenation
  – Composition
  – Tree composition

The Tree Construction

Let $G$ be a $(2k,k)$-UOWHF.

[Figure: hash tree over the message $m$, with levels labelled $g_1$, $g_2$, $g_3$]

Let $n = 2 \cdot l \cdot k$ and $t = \log n/k$. Each $g_i$ is chosen independently from $G$. The result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is an $(n,k)$-UOWHF.

Size of representation: $t \log |G|$, where $t$ is the number of levels in the tree.

Pair-wise independent permutations

Definition: a family of permutations (1-1 functions)

$H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ is called Strongly Universal$_2$ or pair-wise independent if:

– for all $x_1, x_2 \in \{0,1\}^n$ and $y_1, y_2 \in \{0,1\}^n$ where $x_1 \ne x_2$ and $y_1 \ne y_2$ we have

$\Pr[h(x_1) = y_1 \text{ and } h(x_2) = y_2] = \frac{1}{2^n} \cdot \frac{1}{2^n - 1}$

where the probability is over a randomly chosen $h \in H$.

The same as in truly random permutations.

In particular $\Pr[h(x_2) = y_2 \mid h(x_1) = y_1] = \frac{1}{2^n - 1}$.

Construction: let $F$ be a finite field (e.g. $GF[2^n]$)

$H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F,\ a \ne 0\}$

Constructing (n, n-1)-UOWHFs

• Idea: Combine one-way with universal
  – Want to match each image of the one-way function with another random image
• Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
• Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations
• Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
  – E.g. chopping the last bit of the input

Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$:

$g(x) = \mathrm{chop}_{n-1}(h(f(x)))$

Proof of Security

Want to construct, from an algorithm A which is target collision finding for $G$, an inversion algorithm B for $f$.

Algorithm B:
• Input: $y = f(z)$ to invert
• Run algorithm A to get target $x$
• Find random $h \in H$ such that $\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$ and give the corresponding $g$ as a challenge to A
  – Why does such an $h$ exist and how to find it?
• If A finds $x'$ such that $g(x') = g(x)$ then $\mathrm{chop}_{n-1}(h(f(x))) = \mathrm{chop}_{n-1}(h(f(x'))) = \mathrm{chop}_{n-1}(h(y))$ and $y = f(x')$ since $h$ is 1-1

What is the probability of success of B?

The same as the simulated collision algorithm A for $G$.

Claim: the probability the simulated algorithm A witnesses is the same as the real A.

[Figure: interaction between B and A; labels: $y = f(z)$, $x$, $g$, $x'$]

Why does such an h exist and how to find it?

$\mathrm{chop}_{n-1}(h(y)) = \mathrm{chop}_{n-1}(h(f(x)))$

• Choose random $w \in \{0,1\}^n$
• Let $w'$ be such that $\mathrm{chop}_{n-1}(w) = \mathrm{chop}_{n-1}(w')$
• Want $h(y) = w$ and $h(f(x)) = w'$
• Such an $h$ should exist from pair-wise independence
• Easy to find and unique for $H = \{h_{a,b}(x) = a \cdot x + b \mid a, b \in F,\ a \ne 0\}$
• Open problem(?): what happens to the security of the construction if $H$ does not have the property
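The reduction B and the step of solving for $h_{a,b}$, carried out at toy size as an added example (not part of the original slides). Assumptions: the field is GF(2^8) with reduction polynomial 0x11B, f(x) = x^7 is a stand-in permutation that is not one-way, and a brute-force search stands in for the collision finder A.

```python
import secrets

N = 8                 # toy block size; the field is GF(2^8)
POLY = 0x11B          # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply in GF(2^N): carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def gf_pow(a, e):
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def f(x):
    """Toy permutation x -> x^7 (gcd(7, 255) = 1). NOT one-way; stand-in only."""
    return gf_pow(x, 7)

def chop(v):
    return v >> 1     # drop the last bit: a 2-to-1 map

def solve_h(p1, w1, p2, w2):
    """The unique (a, b) with a*p1 + b = w1 and a*p2 + b = w2 (needs p1 != p2)."""
    a = gf_mul(w1 ^ w2, gf_pow(p1 ^ p2, 2**N - 2))   # v^(2^N - 2) = v^-1
    return a, w1 ^ gf_mul(a, p1)                     # addition in GF(2^N) is XOR

def g(a, b, x):
    return chop(gf_mul(a, f(x)) ^ b)                 # g = chop(h_{a,b}(f(x)))

def invert_via_collision(y, x):
    """Algorithm B: plant y in g, then turn a collision with x into f^-1(y)."""
    if f(x) == y:
        return x      # the target already is the preimage
    w = secrets.randbelow(2**N)
    a, b = solve_h(y, w, f(x), w ^ 1)   # h(y) = w, h(f(x)) = w', chop(w) = chop(w')
    # Brute-force stand-in for the collision finder A (feasible only at toy size).
    return next(c for c in range(2**N) if c != x and g(a, b, c) == g(a, b, x))
```

Because $w \ne w'$ forces $a \ne 0$, $h \circ f$ is a permutation, so the only other input mapped into the pair $\{w, w'\}$ is the preimage of $y$.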

Distribution of simulated A vs. real A

The difference between the simulated and real A:
• Real A gets $g$ defined by random $h \in H$
• Simulated A chooses $x$ and gets $g$ defined by
  – Choosing random $z \in \{0,1\}^n$ and computing $y = f(z)$
    • $y$ is uniform in $\{0,1\}^n$ from $f$ being a permutation
  – Choosing random $w \in \{0,1\}^n$ and finding random $h \in H$ such that $h(y) = w$ and $h(f(x)) = w'$
  – Since both $y$ and $w$ are random the result is a random $h \in H$

Simulated A and real A witness the same distribution.

The probability that B inverts is the same as A finding a collision.

What about the reverse combination

• Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
• Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family of permutations

Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$:

$g(x) = \mathrm{chop}_{n-1}(f(h(x)))$

Is it a UOWHF?

Not necessarily: if
• $h$ is easy to invert and
• $f$ does not affect the last bit
  – not contradictory to either being one-way or a permutation

Then easy to find collisions: for any $x$, the $x'$ that collides with it under $h$ will also collide under $g$.

From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs

• Idea: composition.
• What happens to the security of the scheme?
  – The probability of inverting $f$ given a collision finding algorithm for $H$ may be small by a factor of $2/n$

General construction (n, k)-UOWHFs

• Use tree composition
• Description length: $k \log (n/k)$ $(n, n/2)$-descriptions of hash function
  – $2k$ bits in the example

Recall: Regeneration

• If we could get a smaller public key, we would be able to regenerate smaller and sign/authenticate an unbounded number of messages
  – What if you had three wishes…?
• Idea: use $G$, a family of UOWHFs, to compress the message
• Question: can we use a global one $g \in G$ for all nodes of the tree?
• Question: how to assign messages to nodes in the tree?
• What exactly are we after?

Signature Scheme

• Allow Alice to publish a public key pk while keeping hidden a secret key sk
  – Key generation Algorithm
    • Input: security parameter n, random bits
    • Output: pk and sk
• Given a message m Alice can produce a signature s
  – Signing Algorithm
    • Input: pk and sk and message m (plus random bits)
      – Possible: also history of previous messages
    • Output: s
• "Anyone" who is given pk and (m,s) can verify it
  – Signature Verification Algorithm
    • Input: (pk, m, s)
    • Output: 'accept' or 'reject'
  – Completeness: the output of the Signing Algorithm is assigned 'accept'

All algorithms should be polynomial time.

Security: "No one" who is given only pk and not sk can forge a valid (m,s). How to define properly?

Rigorous Specification of Security of a Scheme

Recall: To define security of a system must specify:
1. The power of the adversary
  – computational
  – access to the system
    • Who chooses the message to be signed
    • What order
2. What constitutes a failure of the system
  • What is a legitimate forgery?

Existential unforgeability in signature schemes

A signature scheme is
• existentially unforgeable under an
• adaptive message attack
if any polynomial adversary A with
• Access to the system: for $q$ rounds
  – adaptively choose messages $m_i$ and receive a valid signature $s_i$
• Tries to break the system: find $(m,s)$ so that
  – $m \notin \{m_1, m_2, \ldots, m_q\}$ but
  – $(m,s)$ is a valid signature
has probability of success at most $\varepsilon$, for any $q$ and $1/\varepsilon$ polynomial in the security parameter and for large enough $n$.

(Slide callouts: adaptive message attack; existential forgery)

Weaker notions of security

• How the messages are chosen during the attack
  – E.g. random messages
  – Non adaptively (all messages chosen in advance)
• How the challenge message is chosen
  – In advance, before the attack
  – Randomly

Homework: show how to construct from a signature scheme that is existentially unforgeable against random message attack a signature scheme that is existentially unforgeable against adaptively chosen message attacks.

Hint: use two schemes of the first type

Sources

• Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2 (unpublished)
  – www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
  – Existential Unforgeability
    • Goldwasser, Micali and Rivest, SIAM J. Computing, 1988
  – Using UOWHF: Naor & Yung
    • www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html