Foundations of Cryptography
Lecture 6
Lecturer: Moni Naor
Recap of last week's lecture
• The one-time signature scheme from a one-way function (Lamport)
• The idea of regeneration
• Strongly Universal One-Way Hash Functions (UOWHFs)
– Definition and constructions
• Combining UOWHFs
– Concatenation
– Composition
– Tree composition
The Tree Construction
Let G be a (2k,k)-UOWHF. Let n = 2 ∙ l ∙ k and t = log(n/k).
[Figure: a complete binary tree over the n-bit message m; the functions g_1, g_2, g_3, ... label the levels of the tree, one function per level, from the leaves up to the root.]
Each g_i is chosen independently from G. The result is a family of functions {0,1}^n → {0,1}^k which is an (n,k)-UOWHF.
Size of representation: t log |G|, where t is the number of levels in the tree.
Pair-wise independent permutations
Definition: a family of permutations (1-1 functions) H = {h | h: {0,1}^n → {0,1}^n} is called Strongly Universal_2 or pair-wise independent if
– for all x_1, x_2 ∈ {0,1}^n and y_1, y_2 ∈ {0,1}^n where x_1 ≠ x_2 and y_1 ≠ y_2 we have
Prob[h(x_1) = y_1 and h(x_2) = y_2] = 1/2^n ∙ 1/(2^n − 1)
where the probability is over a randomly chosen h ∈ H.
This is the same as for a truly random permutation.
In particular Prob[h(x_2) = y_2 | h(x_1) = y_1] = 1/(2^n − 1).
Construction: let F be a finite field (e.g. GF[2^n]) and
H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}
Constructing (n, n-1)-UOWHFs
• Idea: combine one-way with universal
– Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
– E.g. chopping the last bit of the input
Consider the (n, n-1)-family G where each g ∈ G is defined by some h ∈ H:
g(x) = chop_{n-1}(h(f(x)))
Proof of Security
Want to construct, from an algorithm A which is target-collision finding for G, an inversion algorithm B for f.
Algorithm B:
• Input: y = f(z) to invert
• Run algorithm A to get its target x (if f(x) = y, B is already done)
• Find a random h ∈ H such that chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))) and give the corresponding g as the challenge to A
– Why does such an h exist and how to find it?
• If A finds x' ≠ x such that g(x') = g(x) then chop_{n-1}(h(f(x'))) = chop_{n-1}(h(f(x))) = chop_{n-1}(h(y)). Since chop_{n-1} is 2-to-1, h(f(x')) ∈ {h(f(x)), h(y)}; h(f(x')) = h(f(x)) would give x' = x because h and f are 1-1, so h(f(x')) = h(y) and hence y = f(x'). B outputs x'.
What is the probability of success of B? The same as that of the simulated collision algorithm A for G.
Claim: the distribution the simulated A witnesses is the same as the one the real A witnesses.
[Figure: B receives y = f(z), obtains the target x from A, hands A the challenge g, and A returns x'.]

Why does such an h exist and how to find it? We need chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))).
• Choose a random w ∈ {0,1}^n
• Let w' ≠ w be such that chop_{n-1}(w) = chop_{n-1}(w') (flip the last bit of w)
• Want h(y) = w and h(f(x)) = w'
• Such an h should exist by pair-wise independence
• Easy to find, and unique, for H = {h_{a,b}(x) = a∙x + b | a, b ∈ F, a ≠ 0}: the two equations a∙y + b = w and a∙f(x) + b = w' are linear in a and b, and y ≠ f(x), w ≠ w' guarantee a ≠ 0
• Open problem(?): what happens to the security of the construction if H does not have the property

Distribution of simulated A vs. real A
The difference between the simulated and real A:
• Real A gets g defined by a random h ∈ H
• Simulated A chooses x and gets g defined by
– choosing a random z ∈ {0,1}^n and computing y = f(z); y is uniform in {0,1}^n since f is a permutation
– choosing a random w ∈ {0,1}^n and finding the h ∈ H such that h(y) = w and h(f(x)) = w'
– since both y and w are uniformly random, the result is a random h ∈ H
Simulated A and real A witness the same distribution, so the probability that B inverts is the same as the probability that A finds a collision.
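The construction g(x) = chop_{n-1}(h(f(x))) and the reduction B above, carried out on a toy instance. This is an added example and not part of the lecture: the field is GF(2^8) with the AES reduction polynomial, H is the family h_{a,b}(x) = a∙x + b from the slides, and the "one-way permutation" f is a fixed random permutation of {0,1}^8 (an assumption: it is a stand-in that is not one-way at all, chosen so that B can be run end to end and checked). The brute-force collision finder A, the helpers find_h, count_matching_h and demo are hypothetical names introduced here. count_matching_h shows the uniqueness claim: exactly one member of H sends a given pair (x_1, x_2) to a given pair (y_1, y_2).

```python
"""Toy g(x) = chop(h(f(x))) over GF(2^8) and the inversion algorithm B."""
import random
from typing import Optional, Tuple

N = 8                      # bit length n
MOD = 0x11B                # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo MOD (schoolbook shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MOD
    return r

def gf_inv(a: int) -> int:
    """Inverse via a^(2^n - 2); a must be nonzero."""
    assert a != 0
    r, base, e = 1, a, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def h(a: int, b: int, x: int) -> int:
    """h_{a,b}(x) = a*x + b over GF(2^n); a permutation whenever a != 0."""
    return gf_mul(a, x) ^ b

def chop(v: int) -> int:
    """chop_{n-1}: drop the last (low) bit; exactly 2-to-1."""
    return v >> 1

# Stand-in for the one-way permutation f (assumption: a fixed random
# permutation of {0,1}^8, NOT one-way; only the mechanics of B matter).
_rng = random.Random(1)
_F = list(range(1 << N))
_rng.shuffle(_F)

def f(x: int) -> int:
    return _F[x]

def g(a: int, b: int, x: int) -> int:
    """The (n, n-1)-family member of G defined by h_{a,b}."""
    return chop(h(a, b, f(x)))

def find_h(y: int, fx: int, w: int, w2: int) -> Tuple[int, int]:
    """The unique (a, b), a != 0, with h(y) = w and h(fx) = w2.
    Subtracting a*y + b = w and a*fx + b = w2 gives a*(y - fx) = w - w2."""
    assert y != fx and w != w2
    a = gf_mul(w ^ w2, gf_inv(y ^ fx))
    b = w ^ gf_mul(a, y)
    return a, b

def count_matching_h(x1: int, x2: int, y1: int, y2: int) -> int:
    """How many h in H map x1 -> y1 and x2 -> y2 (pairwise independence
    over a permutation family: exactly one of the 2^n (2^n - 1) members)."""
    return sum(1 for a in range(1, 1 << N) for b in range(1 << N)
               if h(a, b, x1) == y1 and h(a, b, x2) == y2)

class BruteForceA:
    """Toy target-collision finder for G: commits to a target x first,
    then, given the challenge (a, b), searches x' != x with g(x') = g(x)."""
    def __init__(self, rng: random.Random):
        self.rng = rng
    def target(self) -> int:
        self.x = self.rng.randrange(1 << N)
        return self.x
    def collide(self, a: int, b: int) -> Optional[int]:
        gx = g(a, b, self.x)
        return next((x2 for x2 in range(1 << N)
                     if x2 != self.x and g(a, b, x2) == gx), None)

def invert_with_A(y: int, A: BruteForceA, rng: random.Random) -> Optional[int]:
    """Algorithm B: invert y = f(z) using a collision finder A for G."""
    x = A.target()
    if f(x) == y:            # A's target already is the preimage
        return x
    w = rng.randrange(1 << N)
    w2 = w ^ 1               # chop(w) == chop(w2) and w != w2
    a, b = find_h(y, f(x), w, w2)
    x2 = A.collide(a, b)
    # chop is 2-to-1, so h(f(x2)) is w or w2; w2 would force x2 == x,
    # hence h(f(x2)) == w == h(y) and f(x2) == y.
    return x2 if x2 is not None and f(x2) == y else None

def demo(seed: int = 7, z: int = 77) -> Optional[int]:
    """Run B on y = f(z) and return the recovered preimage."""
    rng = random.Random(seed)
    return invert_with_A(f(z), BruteForceA(rng), rng)
```

Because h∘f is a permutation and chop is exactly 2-to-1, every g ∈ G is 2-to-1 on this toy domain, so the brute-force A always finds the unique partner x' and B always recovers z, matching the claim that B succeeds exactly when A does.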
What about the reverse combination?
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
Consider the (n, n-1)-family G where each g ∈ G is defined by some h ∈ H:
g(x) = chop_{n-1}(f(h(x)))
Is it a UOWHF?
Not necessarily: if
• h is easy to invert (as it is for h_{a,b}(x) = a∙x + b) and
• f does not affect the last bit, i.e. it leaves the last bit in place and does not depend on it (e.g. f(u‖c) = f'(u)‖c for a one-way permutation f' on n−1 bits)
– neither condition contradicts h being a permutation or f being a one-way permutation
then it is easy to find collisions: for any target x let x' = h^{-1}(h(x) with its last bit flipped). Then h(x) and h(x') differ only in the last bit, so f(h(x)) and f(h(x')) differ only in the last bit, which chop_{n-1} removes: g(x') = g(x).
From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
• Idea: composition (apply n/2 independently chosen functions, each shrinking the output by one bit)
• What happens to the security of the scheme?
– The probability of inverting f, given a collision-finding algorithm for the composed family, may be smaller by a factor of 2/n: the reduction has to guess at which of the n/2 stages the collision first occurs.
General construction of (n, k)-UOWHFs
• Use tree composition
• Description length: k log(n/k) descriptions of the basic one-bit-shrinking hash functions
– the tree has log(n/k) levels, each using a (2k,k)-UOWHF, which is itself a composition of k one-bit-shrinking functions on 2k-bit inputs
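The tree composition from the construction above, as an added example that is not part of the lecture. The (2k,k) building block g_i is a stand-in (assumption): the first k bits of SHA-256(key ‖ left ‖ right), keyed with a fresh random value per tree level to model the independent choice of each g_i from G. Only the tree structure, the level count t = log(n/k) and the resulting description length t log|G| are the point; the names tree_hash, levels, keygen, description_bits and demo are introduced here.

```python
"""Tree composition of a (2k,k)-UOWHF into an (n,k)-UOWHF with n = 2^t * k."""
import hashlib
import os
from typing import List

K_BYTES = 16   # k = 128 bits: each g_i maps 2k bits to k bits

def g(key: bytes, left: bytes, right: bytes) -> bytes:
    """Stand-in for g_i in G (assumption): keyed (2k,k) compression."""
    assert len(left) == K_BYTES and len(right) == K_BYTES
    return hashlib.sha256(key + left + right).digest()[:K_BYTES]

def levels(n_bits: int, k_bits: int) -> int:
    """t = log(n/k); the construction assumes n/k is a power of two."""
    ratio, rem = divmod(n_bits, k_bits)
    if rem or ratio == 0 or ratio & (ratio - 1):
        raise ValueError("n/k must be a power of two")
    return ratio.bit_length() - 1

def keygen(n_bits: int, k_bits: int = 8 * K_BYTES, rng=os.urandom) -> List[bytes]:
    """One independent g_i per level: t keys, i.e. t log|G| description bits."""
    return [rng(K_BYTES) for _ in range(levels(n_bits, k_bits))]

def description_bits(keys: List[bytes]) -> int:
    return 8 * sum(len(k) for k in keys)

def tree_hash(keys: List[bytes], msg: bytes) -> bytes:
    """Evaluate the (n,k) tree function: split msg into 2^t k-bit blocks,
    then at level i combine adjacent pairs with g under keys[i]."""
    if len(keys) != levels(8 * len(msg), 8 * K_BYTES):
        raise ValueError("key count does not match message length")
    nodes = [msg[i:i + K_BYTES] for i in range(0, len(msg), K_BYTES)]
    for key in keys:                     # leaves -> root, one key per level
        nodes = [g(key, nodes[j], nodes[j + 1])
                 for j in range(0, len(nodes), 2)]
    assert len(nodes) == 1
    return nodes[0]

def demo() -> dict:
    """2048-bit message, k = 128 bits: t = 4 levels, 4 keys, 512 bits of description."""
    msg = bytes(range(256))              # constructed sample input, n = 2048 bits
    keys = keygen(8 * len(msg))
    return {"levels": len(keys),
            "description_bits": description_bits(keys),
            "digest_len": len(tree_hash(keys, msg)),
            "deterministic": tree_hash(keys, msg) == tree_hash(keys, msg)}
```

With n = k there are no levels and tree_hash returns the single block unchanged; a message whose block count is not a power of two is rejected rather than padded, since the slides do not specify a padding rule.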
Recall: Regeneration
• If we could make the public key smaller, we could regenerate it (use the one-time key to sign a fresh public key together with the message) and sign/authenticate an unbounded number of messages
– What if you had three wishes...?
• Idea: use G, a family of UOWHFs, to compress the message
• Question: can we use one global g ∈ G for all nodes of the tree?
• Question: how to assign messages to nodes in the tree?
• What exactly are we after?
Signature Scheme
• Allow Alice to publish a public key pk while keeping hidden a secret key sk
– Key generation algorithm
• Input: security parameter n, random bits
• Output: pk and sk
• Given a message m Alice can produce a signature s
– Signing algorithm
• Input: pk and sk and message m (plus random bits)
– Possible: also the history of previous messages
• Output: s
• "Anyone" who is given pk and (m,s) can verify it
– Signature verification algorithm
• Input: (pk, m, s)
• Output: 'accept' or 'reject'
– Completeness: the output of the signing algorithm is assigned 'accept'
All algorithms should be polynomial time.
Security: "no one" who is given only pk and not sk can forge a valid (m,s). How to define this properly?
Rigorous Specification of Security of a Scheme
Recall: to define the security of a system one must specify:
1. The power of the adversary
– computational
– access to the system
• Who chooses the messages to be signed
• In what order
2. What constitutes a failure of the system
• What is a legitimate forgery?

Existential unforgeability in signature schemes
A signature scheme is existentially unforgeable under an adaptive chosen message attack if any polynomial-time adversary A that
• has access to the system for q rounds (the adaptive message attack):
– adaptively chooses messages m_i and receives a valid signature s_i
• and tries to break the system by finding (m,s) such that
– m ∉ {m_1, m_2, ..., m_q} but
– (m,s) is a valid signature (an existential forgery)
has probability of success at most ε, for any q and 1/ε polynomial in the security parameter and for large enough n.
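The security experiment defined above, written out as code against the Lamport one-time scheme recalled from last week. This is an added example, not from the lecture: SHA-256 stands in for the one-way function (an assumption, heuristic only), messages are 8-bit values to keep the keys small, and euf_cma_experiment, two_query_adversary and replay_adversary are names introduced here. The harness enforces the two things the definition fixes: the adversary's access (q adaptive signing queries) and what counts as a failure (a valid (m,s) with m not among the queried messages). The two adversaries show both sides: mixing two Lamport signatures is a legitimate existential forgery, while replaying a queried message is not.

```python
"""EUF-CMA experiment run against the Lamport one-time signature scheme."""
import hashlib
import os
from typing import Callable, List, Tuple

K = 8   # messages are K-bit integers (toy size; Lamport signs k-bit messages)

def owf(x: bytes) -> bytes:
    """SHA-256 as the one-way function (assumption: heuristically one-way)."""
    return hashlib.sha256(x).digest()

def keygen(rng: Callable[[int], bytes] = os.urandom):
    """sk: 2K random preimages; pk: their images under owf."""
    sk = [[rng(32), rng(32)] for _ in range(K)]
    pk = [[owf(s0), owf(s1)] for s0, s1 in sk]
    return pk, sk

def sign(sk, m: int) -> List[bytes]:
    """Reveal, for each bit i of m, the preimage sk[i][bit_i]."""
    return [sk[i][(m >> i) & 1] for i in range(K)]

def verify(pk, m: int, sig: List[bytes]) -> bool:
    return len(sig) == K and all(owf(sig[i]) == pk[i][(m >> i) & 1] for i in range(K))

class QueryBudgetExceeded(Exception):
    pass

def euf_cma_experiment(adversary, q: int) -> bool:
    """Existential unforgeability under an adaptive chosen message attack:
    the adversary gets pk and q adaptive signing queries; it wins iff it
    outputs a valid (m, s) with m not among the queried messages."""
    pk, sk = keygen()
    queried: List[int] = []

    def sign_oracle(m: int) -> List[bytes]:
        if len(queried) >= q:
            raise QueryBudgetExceeded
        queried.append(m)
        return sign(sk, m)

    try:
        m, s = adversary(pk, sign_oracle)
    except QueryBudgetExceeded:
        return False
    return m not in queried and verify(pk, m, s)

def two_query_adversary(pk, oracle) -> Tuple[int, List[bytes]]:
    """Lamport is only one-time: with signatures on 0x00 and 0xFF every
    preimage is revealed, so any other message can be assembled bit by bit."""
    s0 = oracle(0x00)
    s1 = oracle(0xFF)
    m = 0x0F
    return m, [s1[i] if (m >> i) & 1 else s0[i] for i in range(K)]

def replay_adversary(pk, oracle) -> Tuple[int, List[bytes]]:
    """Outputs a valid signature, but on a queried message: not a forgery."""
    return 0x2A, oracle(0x2A)
```

Running the experiment with q = 2 against two_query_adversary returns True, i.e. the one-time scheme fails the adaptive definition as soon as two messages are signed, which is exactly why the regeneration idea is needed; with q = 1 the same adversary exceeds its access and loses.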
Weaker notions of security
• How the messages are chosen during the attack
– E.g. random messages
– Non-adaptively (all messages chosen in advance)
• How the challenge message is chosen
– In advance, before the attack
– Randomly
Homework: show how to construct, from a signature scheme that is existentially unforgeable against a random message attack, a signature scheme that is existentially unforgeable against adaptively chosen message attacks.
Hint: use two schemes of the first type.
Sources
• Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2 (unpublished)
• www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
– Existential unforgeability: Goldwasser, Micali and Rivest, SIAM J. Computing, 1988
– Using UOWHFs: Naor & Yung, www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html