Foundations of Cryptography Lecture 6 - PowerPoint PPT Presentation

1
Foundations of Cryptography, Lecture 6
  • Lecturer: Moni Naor

2
Recap of last week's lecture
  • The one-time signature scheme from a one-way
    function (Lamport)
  • The idea of regeneration
  • Strongly Universal One-Way Hash
  • Definition and Constructions
  • Combining
  • concatenation
  • Composition
  • Tree composition

3
The Tree Construction
[Figure: tree construction applied to the message m, with functions g1, g2, g3]
Let G be a (2k, k)-UOWHF.
Let n = 2^l · k and t = log(n/k). Each gi is
chosen independently from G. The result is a
family of functions {0,1}^n → {0,1}^k which is an
(n, k)-UOWHF.
Size of representation: t · log |G|,
where t is the number of levels in the tree.

4
Pair-wise independent permutations
  • Definition: a family of permutations (1-1
    functions)
  • H = {h | h: {0,1}^n → {0,1}^n}
  • is called Strongly Universal_2 or pair-wise
    independent if
  • for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where
    x1 ≠ x2 and y1 ≠ y2 we have
  • Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n ·
    1/(2^n - 1)
  • where the probability is over a randomly chosen
    h ∈ H
  • The same as in truly random permutations
  • In particular Prob[h(x2) = y2 | h(x1) = y1] =
    1/(2^n - 1)
  • Construction: let F be a finite field (e.g.
    GF[2^n])
  • H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}

5
Constructing (n, n-1)-UOWHFs
  • Idea: combine one-way with universal
  • Want to match each image of the one-way function
    with another random image
  • Let f: {0,1}^n → {0,1}^n be a one-way permutation
  • Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly
    Universal_2 family of permutations
  • Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1
    function
  • E.g. chopping the last bit of the input
  • Consider the (n, n-1)-family G where each g ∈ G
    is defined by h ∈ H
  • g(x) = chop_{n-1}(h(f(x)))

6
Proof of Security
[Figure: algorithm B, on input y = f(z), running algorithm A; labels x, g, x']
  • Want to construct, from an algorithm A which is
    target collision finding for G,
  • an inversion algorithm B for f
  • Algorithm B
  • Input: y = f(z) to invert
  • Run algorithm A to get target x
  • Find random h ∈ H such that
  • chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
  • and give the corresponding g as a challenge to
    A
  • Why does such an h exist and how to find it?
  • If A finds x' such that g(x') = g(x) then
  • chop_{n-1}(h(f(x'))) = chop_{n-1}(h(f(x))) =
    chop_{n-1}(h(y))
  • and y = f(x') since h is 1-1
  • What is the probability of success of B?
  • The same as the simulated collision algorithm A
    for G
  • Claim: the probability the simulated algorithm A
    witnesses is the same as the real A

7
Why does such an h exist and how to find it?
chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
  • Choose random w ∈ {0,1}^n
  • let w' be such that chop_{n-1}(w) = chop_{n-1}(w')
  • Want h(y) = w and h(f(x)) = w'
  • Such an h should exist from pair-wise
    independence
  • Easy to find and unique for
  • H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}
  • Open problem(?): what happens to the security of
    the construction if H does not have the property

8
Distribution of simulated A vs. real A
  • The difference between the simulated and real A
  • Real A gets g defined by random h ∈ H
  • Simulated A chooses x and gets g defined by
  • Choosing random z ∈ {0,1}^n and computing y = f(z)
  • y is uniform in {0,1}^n from f being a permutation
  • Choosing random w ∈ {0,1}^n and finding random h ∈ H
    such that h(y) = w and h(f(x)) = w'
  • Since both y and w are random, the
    result is a random h ∈ H
  • Simulated A and real A witness the same
    distribution
  • The probability that B inverts is the same as A
    finding a collision

9
What about the reverse combination
  • Let f: {0,1}^n → {0,1}^n be a one-way permutation
  • Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly
    Universal_2 family of permutations
  • Consider the (n, n-1)-family G where each g ∈ G
    is defined by h ∈ H
  • g(x) = chop_{n-1}(f(h(x)))
  • Is it a UOWHF?
  • Not necessarily, if
  • h is easy to invert
  • and
  • f does not affect the last bit
  • not contradictory to either being one-way or a
    permutation
  • Then easy to find collisions: any x' that x
    collides with under h will also collide under g
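
The key-finding step of slide 7 and the collision of slide 9, worked through on a toy n = 8 instance. This is an added example, not code from the lecture; the field GF(2^8) with reduction polynomial 0x11B, the toy permutation f (which is not one-way) and all function names are assumptions made for the illustration.

```python
N, POLY = 8, 0x11B  # added example; assumed toy field GF(2^8), x^8+x^4+x^3+x+1

def gf_mul(a, b):
    """Multiply in GF(2^8): shift-and-add with reduction by POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Inverse of a != 0, computed as a^(2^8 - 2)."""
    r = 1
    for _ in range(2**N - 2):
        r = gf_mul(r, a)
    return r

def h(a, b, x):
    return gf_mul(a, x) ^ b      # h_{a,b}(x) = a*x + b, a != 0 (+ is XOR)

def chop(x):
    return x >> 1                # chop_{n-1}: drop the last bit, 2-to-1

def f(x):
    """Toy permutation, NOT one-way; it leaves the last bit untouched."""
    return ((((x >> 1) * 45 + 7) % 128) << 1) | (x & 1)

def g_forward(a, b, x):
    return chop(h(a, b, f(x)))   # slide 5: chop(h(f(x)))

def g_reverse(a, b, x):
    return chop(f(h(a, b, x)))   # slide 9: chop(f(h(x)))

def solve_h(x1, y1, x2, y2):
    """The unique (a, b) with h(x1) = y1 and h(x2) = y2 (x1 != x2, y1 != y2)."""
    a = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    return a, y1 ^ gf_mul(a, x1)

def reduction_key(y, x, w):
    """Slide 7: B's choice of h, with h(y) = w and h(f(x)) = w' = w ^ 1."""
    return solve_h(y, w, f(x), w ^ 1)

def reverse_collision(a, b, x):
    """Slide 9: x' != x with equal g_reverse, found by inverting h alone."""
    return gf_mul(gf_inv(a), h(a, b, x) ^ 1 ^ b)
```

In the forward construction the colliding input for the key from reduction_key is exactly the preimage of y under f, so finding it inverts f; in the reverse construction reverse_collision never evaluates an inverse of f at all.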

10
From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
  • Idea: composition.
  • What happens to the security of the scheme?
  • The probability of inverting f given a collision
    finding algorithm for H may be small by a factor
    of 2/n

11
General construction (n, k)-UOWHFs
  • Use tree composition
  • Description length: k log (n/k) (n,
    n/2)-descriptions of hash function
  • 2k bits in the example

12
Recall Regeneration
  • If we could get a smaller public key, we could
    regenerate smaller and sign/authenticate
    an unbounded number of messages
  • What if you had three wishes?
  • Idea: use G, a family of UOWHFs, to compress the
    message
  • Question: can we use a global one g ∈ G for all
    nodes of the tree?
  • Question: how to assign messages to nodes in the
    tree?
  • What exactly are we after?

13
Signature Scheme
  • Allow Alice to publish a public key pk while
    keeping hidden a secret key sk
  • Key generation Algorithm
  • Input: security parameter n, random bits
  • Output: pk and sk
  • Given a message m Alice can produce a signature s
  • Signing Algorithm
  • Input: pk and sk and message m (plus random
    bits)
  • Possibly also history of previous messages
  • Output: s
  • Anyone who is given pk and (m,s) can verify it
  • Signature Verification Algorithm
  • Input: (pk, m, s)
  • Output: accept or reject
  • Completeness: the output of the Signing Algorithm
    is assigned accept
  • All algorithms should be polynomial time
  • Security: No one who is given only pk and not
    sk can forge a valid (m,s)
  • How to define properly?

14
Rigorous Specification of Security of a Scheme
  • Recall: to define the security of a system one must
    specify
  • The power of the adversary
  • computational
  • access to the system
  • Who chooses the message to be signed
  • What order
  • What constitutes a failure of the system
  • What is a legitimate forgery?

15
Existential unforgeability in signature schemes
  • A signature scheme is existentially unforgeable
    under an adaptive message attack if
  • any polynomial adversary A with
  • Access to the system for q rounds
  • adaptively choose messages mi and receive a valid
    signature si
  • Tries to break the system: find (m,s) so that
  • m ∉ {m1, m2, …, mq}
  • But
  • (m,s) is a valid signature.
  • has probability of success at most ε
  • For any q and 1/ε polynomial in the security
    parameter and for large enough n

[Slide callouts: adaptive message attack; existential forgery]
16
Weaker notions of security
  • How the messages are chosen during the attack
  • E.g. random messages
  • Non adaptively (all messages chosen in advance)
  • How the challenge message is chosen
  • In advance, before the attack
  • randomly
  • Homework: show how to construct from a signature
    scheme
  • that is
  • existentially unforgeable against random message
    attack
  • a signature scheme that is
  • existentially unforgeable against adaptively
    chosen message attacks
  • Hint: use two schemes of the first type

17
Sources
  • Chapter on signatures in Goldreich's Foundations
    of Cryptography, volume 2 (unpublished)
  • www.wisdom.weizmann.ac.il/oded/foc-vol2.html
  • Papers
  • Existential Unforgeability
  • Goldwasser, Micali and Rivest, SIAM J. Computing,
    1988
  • Using UOWHF: Naor and Yung
  • www.wisdom.weizmann.ac.il/naor/PAPERS/uowhf_abs.html