Title: Foundations of Cryptography Lecture 6
1. Foundations of Cryptography, Lecture 6
2. Recap of last week's lecture
- The one-time signature scheme from a one-way function (Lamport)
- The idea of regeneration
- Strongly Universal One-Way Hash Functions
  - Definition and constructions
  - Combining
    - Concatenation
    - Composition
    - Tree composition
3. The Tree Construction
[Figure: a tree of hash functions applied to the message m, with g1, g2, g3 at successive levels]
Let G be a (2k, k)-UOWHF. Let n = 2^l · k and t = log(n/k). Each g_i is chosen independently from G. The result is a family of functions {0,1}^n → {0,1}^k which is an (n, k)-UOWHF. Size of representation: t · log|G|, where t is the number of levels in the tree.
4. Pair-wise independent permutations
- Definition: a family of permutations (1-1 functions) H = {h | h: {0,1}^n → {0,1}^n}
  is called Strongly Universal_2 or pair-wise independent if
  - for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and y1 ≠ y2 we have
    Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n · 1/(2^n - 1)
  - where the probability is over a randomly chosen h ∈ H
  - the same as for truly random permutations
- In particular Prob[h(x2) = y2 | h(x1) = y1] = 1/(2^n - 1)
- Construction: let F be a finite field (e.g. GF[2^n]); H = {h_{a,b}(x) = ax + b | a, b ∈ F, a ≠ 0}
5. Constructing (n, n-1)-UOWHFs
- Idea: combine one-way with universal
  - Want to match each image of the one-way function with another random image
- Let f: {0,1}^n → {0,1}^n be a one-way permutation
- Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
- Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function, e.g. chopping the last bit of the input
- Consider the (n, n-1)-family G where each g ∈ G is defined by an h ∈ H:
  g(x) = chop_{n-1}(h(f(x)))
6. Proof of Security
- Want to construct, from an algorithm A that is target-collision finding for G, an inversion algorithm B for f
- Algorithm B
  - Input: y = f(z) to invert
  - Run algorithm A to get the target x
  - Find a random h ∈ H such that chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
  - and give the corresponding g as the challenge to A
- Why does such an h exist and how to find it?
- If A finds x' such that g(x') = g(x) then
  - chop_{n-1}(h(f(x'))) = chop_{n-1}(h(f(x))) = chop_{n-1}(h(y))
  - and y = f(x'), since h is 1-1 (h(f(x')) ≠ h(f(x)) because x' ≠ x, so h(f(x')) must be the other preimage of that chopped value, namely h(y))
- What is the probability of success of B?
  - The same as that of the simulated collision algorithm A for G
  - Claim: the distribution the simulated algorithm A witnesses is the same as the one the real A witnesses
[Figure: B receives y = f(z), runs A to obtain the target x, hands A the challenge g, and A answers with x']
7. Why does such an h exist and how to find it?
Want chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
- Choose random w ∈ {0,1}^n
- Let w' be the other element with chop_{n-1}(w') = chop_{n-1}(w)
- Want h(y) = w and h(f(x)) = w'
- Such an h should exist from pair-wise independence
- Easy to find and unique for H = {h_{a,b}(x) = ax + b | a, b ∈ F, a ≠ 0}
- Open problem(?): what happens to the security of the construction if H does not have the property
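As an added worked example (not part of the lecture), the field-based family H = {h_{a,b}(x) = ax + b} from slide 4 at toy size n = 8, together with the step from slides 6 and 7: solving for the unique h with h(y) = w and h(f(x)) = w', and checking that any collision with x under g forces f(x') = y. The polynomial, field size and function names are my choices, and nothing here is one-way at this size.

```python
import random
N = 8          # toy field size; the lecture's n is the security parameter
POLY = 0x11B   # x^8+x^4+x^3+x+1, irreducible over GF(2), so F = GF(2^8)

def gf_mul(a, b):
    # multiply in F: shift-and-add, reducing modulo POLY
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:
            a ^= POLY
    return r

def gf_inv(a):
    # a^(-1) = a^(2^N - 2) for a != 0, by square-and-multiply
    r, e = 1, (1 << N) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def h(a, b, x):
    return gf_mul(a, x) ^ b           # h_{a,b}(x) = ax + b, in H when a != 0

def h_inv(a, b, v):
    return gf_mul(gf_inv(a), v ^ b)   # h is 1-1: x = a^(-1)(v + b)

def chop(x):
    return x >> 1                     # chop_{n-1}: drop the last bit (2-to-1)

def solve_h(x1, y1, x2, y2):
    # the unique (a, b) with h(x1) = y1, h(x2) = y2 for x1 != x2, y1 != y2:
    # adding the equations gives a(x1 + x2) = y1 + y2, then b = y1 + a*x1
    a = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    return a, y1 ^ gf_mul(a, x1)

def challenge_for_b(y, fx, rng=random):
    # slide 7: y = f(z) is to be inverted, fx = f(x) is A's target; pick random
    # w, let w' flip its last bit, return h with h(y) = w, h(f(x)) = w'
    w = rng.randrange(1 << N)
    return solve_h(y, w, fx, w ^ 1)

def forced_partner(a, b, fx):
    # slide 6: a collision x' != x under g forces h(f(x')) onto the other
    # preimage of chop(h(f(x))) (chop 2-to-1, h and f 1-1); that is h(y) = w
    return h_inv(a, b, h(a, b, fx) ^ 1)
```

Running `challenge_for_b` for a fresh y and target f(x) always yields an (a, b) with chop(h(y)) = chop(h(f(x))), and `forced_partner` recovers y from it, which is the inversion B needs.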
8. Distribution of simulated A vs. real A
- The difference between the simulated and the real A:
  - Real A gets g defined by a random h ∈ H
  - Simulated A chooses x and gets g defined by
    - choosing random z ∈ {0,1}^n and computing y = f(z)
      - y is uniform in {0,1}^n since f is a permutation
    - choosing random w ∈ {0,1}^n and finding a random h ∈ H such that h(y) = w and h(f(x)) = w'
- Since both y and w are random, the result is a random h ∈ H
- Simulated A and real A witness the same distribution
- The probability that B inverts is the same as that of A finding a collision
9. What about the reverse combination?
- Let f: {0,1}^n → {0,1}^n be a one-way permutation
- Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
- Consider the (n, n-1)-family G where each g ∈ G is defined by an h ∈ H:
  g(x) = chop_{n-1}(f(h(x)))
- Is it a UOWHF?
- Not necessarily: if
  - h is easy to invert, and
  - f does not affect the last bit
  (not contradictory to f being either one-way or a permutation)
- then it is easy to find collisions: any x' that collides with x under chop_{n-1}(h(·)) will also collide under g
10. From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
- Idea: composition
- What happens to the security of the scheme?
  - The probability of inverting f given a collision-finding algorithm for H may be smaller by a factor of 2/n
11. General construction of (n, k)-UOWHFs
- Use tree composition
- Description length: k · log(n/k) (n, n/2)-descriptions of hash functions (2k bits in the example)
12. Recall Regeneration
- If we could get a smaller public key, we could regenerate smaller ones and sign/authenticate an unbounded number of messages
- What if you had three wishes?
- Idea: use G, a family of UOWHFs, to compress the message
- Question: can we use a global g ∈ G for all nodes of the tree?
- Question: how to assign messages to nodes in the tree?
- What exactly are we after?
13. Signature Scheme
- Allow Alice to publish a public key pk while keeping hidden a secret key sk
  - Key generation algorithm
    - Input: security parameter n, random bits
    - Output: pk and sk
- Given a message m, Alice can produce a signature s
  - Signing algorithm
    - Input: pk and sk and message m (plus random bits); possibly also the history of previous messages
    - Output: s
- Anyone who is given pk and (m, s) can verify it
  - Signature verification algorithm
    - Input: (pk, m, s)
    - Output: accept or reject
- Completeness: the output of the signing algorithm is assigned accept
- All algorithms should be polynomial time
- Security: no one who is given only pk and not sk can forge a valid (m, s)
  - How to define this properly?
14. Rigorous Specification of Security of a Scheme
- Recall: to define security of a system we must specify
  - The power of the adversary
    - computational
    - access to the system
      - Who chooses the messages to be signed
      - In what order
  - What constitutes a failure of the system
    - What is a legitimate forgery?
15. Existential unforgeability in signature schemes
- A signature scheme is existentially unforgeable under an adaptive message attack if
  - any polynomial adversary A with access to the system for q rounds, which
    - adaptively chooses messages m_i and receives a valid signature s_i,
    - and tries to break the system: find (m, s) so that m ∉ {m1, m2, ..., mq} but (m, s) is a valid signature,
  - has probability of success at most ε
- for any q and 1/ε polynomial in the security parameter and for large enough n
16. Weaker notions of security
- How the messages are chosen during the attack
  - E.g. random messages
  - Non-adaptively (all messages chosen in advance)
- How the challenge message is chosen
  - In advance, before the attack
  - Randomly
- Homework: show how to construct, from a signature scheme that is existentially unforgeable against a random message attack, a signature scheme that is existentially unforgeable against adaptively chosen message attacks
  - Hint: use two schemes of the first type
17. Sources
- Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2 (unpublished): www.wisdom.weizmann.ac.il/oded/foc-vol2.html
- Papers
  - Existential unforgeability: Goldwasser, Micali and Rivest, SIAM J. Computing, 1988
  - Using UOWHFs: Naor and Yung, www.wisdom.weizmann.ac.il/naor/PAPERS/uowhf_abs.html