
Foundations of Cryptography
Lecture 6
Lecturer: Moni Naor
Recap of last week’s lecture
• The one-time signature scheme from a one-way function (`Lamport')
• The idea of regeneration
• Strongly Universal One-Way Hash
– Definition and Constructions
• Combining
– concatenation
– Composition
– Tree composition
The Tree Construction
[Figure: a binary tree over the message m, with the functions g1, g2, g3 applied at successive levels]
Let G be a (2k,k)-UOWHF.
Let n = 2·l·k and t = log(n/k). Each g_i is chosen independently from G.
The result is a family of functions {0,1}^n → {0,1}^k which is an (n,k)-UOWHF.
Size of representation: t·log|G|, where t is the number of levels in the tree.
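The tree composition above at toy scale, as an added example in Python (not code from the lecture): the input is split into k-byte leaves, level i applies one function g_i to every adjacent pair of blocks, and the t independently chosen per-level descriptions together make up the description of the resulting (n, k) function. It assumes a keyed, truncated SHA-256 as a stand-in for each g_i; the key plays the role of g_i's description, and the names (make_level_function, tree_hash, K = 4 bytes) are this example's choices rather than the lecture's.

```python
import hashlib
import math
import os

K = 4  # k in bytes: each level function g_i maps 2k bytes to k bytes (constructed toy size)


def make_level_function(description):
    """g_i : {0,1}^{2k} -> {0,1}^k selected by its description (stand-in for a UOWHF member)."""
    def g(left, right):
        assert len(left) == K and len(right) == K
        return hashlib.sha256(description + left + right).digest()[:K]
    return g


def num_levels(n_bytes):
    """t = log(n/k): number of tree levels for an n-byte input split into k-byte leaves."""
    leaves = n_bytes // K
    assert leaves * K == n_bytes and leaves & (leaves - 1) == 0, "n must be k * 2^t"
    return int(math.log2(leaves))


def choose_descriptions(n_bytes, rng=os.urandom):
    """Pick t independent descriptions, one per level: the (n, k) function's description."""
    return [rng(16) for _ in range(num_levels(n_bytes))]


def tree_hash(message, descriptions):
    """Apply g_1 to each adjacent pair of leaves, g_2 to the results, ... until one k-byte block remains."""
    assert len(descriptions) == num_levels(len(message))
    blocks = [message[i:i + K] for i in range(0, len(message), K)]
    for desc in descriptions:
        g = make_level_function(desc)
        blocks = [g(blocks[i], blocks[i + 1]) for i in range(0, len(blocks), 2)]
    return blocks[0]


def description_size(descriptions):
    """Representation size: t times the size of one g_i description (t * log|G| in the lecture)."""
    return sum(len(d) for d in descriptions)
```

With a 32-byte message and K = 4 there are 8 leaves, so t = 3 levels and three descriptions are needed; reusing one description at every level would be the "global g" question raised later in the lecture.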
Pair-wise independent permutations
Definition: a family of permutations (1-1 functions)
H = {h | h: {0,1}^n → {0,1}^n}
is called Strongly Universal_2 or pair-wise independent if:
– for all x1, x2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^n where x1 ≠ x2 and y1 ≠ y2 we have
Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n · 1/(2^n - 1)
where the probability is over a randomly chosen h ∈ H.
This is the same as for a truly random permutation.
In particular Prob[h(x2) = y2 | h(x1) = y1] = 1/(2^n - 1).
Construction: let F be a finite field (e.g. GF[2^n]) and let
H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}
Constructing (n, n-1)-UOWHFs
• Idea: combine one-way with universal
– Want to match each image of the one-way function with another random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
– E.g. chopping the last bit of the input
Consider the (n, n-1)-family G where each g ∈ G is defined by an h ∈ H:
g(x) = chop_{n-1}(h(f(x)))
Proof of Security
Want to construct, from an algorithm A which is target-collision finding for G, an inversion algorithm B for f.
Algorithm B:
• Input: y = f(z) to invert
• Run algorithm A to get the target x
• Find a random h ∈ H such that
chop_{n-1}(h(y)) = chop_{n-1}(h(f(x)))
and give the corresponding g as the challenge to A
– Why does such an h exist and how to find it?
[Figure: B receives y = f(z); B runs A, which commits to the target x; B hands A the function g; A answers with x']
If A finds x' such that g(x') = g(x) then
chop_{n-1}(h(f(x))) = chop_{n-1}(h(f(x'))) = chop_{n-1}(h(y))
and y = f(x'), since h is 1-1: h(f(x')) is one of the two preimages of chop_{n-1}(h(y)) under chop_{n-1}, namely h(f(x)) or h(y), and it cannot be h(f(x)) because x' ≠ x and both f and h are 1-1.
What is the probability of success of B?
• The same as that of the simulated collision-finding algorithm A for G
Claim: the distribution that the simulated algorithm A witnesses is the same as the one the real A sees
Why does such an h exist and how to find it?
We need chop_{n-1}(h(y)) = chop_{n-1}(h(f(x))):
• Choose a random w ∈ {0,1}^n
• Let w' ≠ w be such that chop_{n-1}(w) = chop_{n-1}(w')
• Want h(y) = w and h(f(x)) = w'
• Such an h should exist from pair-wise independence
• Easy to find and unique for
H = {h_{a,b}(x) = a·x + b | a, b ∈ F, a ≠ 0}
• Open problem(?): what happens to the security of the construction if H does not have this property
Distribution of simulated A vs. real A
The difference between the simulated and the real A:
• Real A gets g defined by a random h ∈ H
• Simulated A chooses x and gets g defined by
– Choosing a random z ∈ {0,1}^n and computing y = f(z)
• y is uniform in {0,1}^n since f is a permutation
– Choosing a random w ∈ {0,1}^n and finding the random h ∈ H such that
h(y) = w and h(f(x)) = w'
– Since y and w are both uniformly random, the resulting h is a random h ∈ H
Simulated A and real A witness the same distribution.
The probability that B inverts is the same as the probability that A finds a collision.
What about the reverse combination?
Let f: {0,1}^n → {0,1}^n be a one-way permutation
Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal_2 family of permutations
Consider the (n, n-1)-family G where each g ∈ G is defined by an h ∈ H:
g(x) = chop_{n-1}(f(h(x)))
Is it a UOWHF?
Not necessarily: if
• h is easy to invert
and
• f does not affect the last bit
– not contradictory to either being one-way or a permutation
then it is easy to find collisions: for any x, an x' that collides with x under chop_{n-1}∘h (found by inverting h) also collides under g.
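The three preceding slides at toy scale, as an added example in Python (not code from the lecture): the Strongly Universal_2 family h_{a,b}(x) = a·x + b over GF[2^n] with an exhaustive check of the pair-wise independence probability, the unique solution for (a, b) given two input/output pairs that the reduction needs, the reduction B that turns a target-collision finder A for g(x) = chop_{n-1}(h(f(x))) into an inverter for f, and the counterexample for the reverse order chop_{n-1}(f(h(x))). It assumes n = 3 (constructed toy size), GF(2^3) with modulus x^3 + x + 1, cubing as a stand-in "one-way" permutation f (a permutation since gcd(3, 2^3 - 1) = 1, and obviously not one-way at this size), a brute-force A, and a last-bit-preserving permutation f_keeps_last_bit for the counterexample; all names are this example's.

```python
import itertools
import random

N = 3                # n: the field is GF(2^n) (constructed toy size)
MOD = 0b1011         # x^3 + x + 1, irreducible over GF(2)
SIZE = 1 << N        # |GF(2^n)| = 2^n

def gf_mul(a, b):
    """Multiply two GF(2^N) elements given as N-bit integers (carry-less, reduced mod MOD)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & SIZE:
            a ^= MOD
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^N), by exhaustive search (the field is tiny)."""
    return next(c for c in range(1, SIZE) if gf_mul(a, c) == 1)

def h(a, b, x):
    """h_{a,b}(x) = a*x + b over GF(2^n), a != 0: a member of the Strongly Universal_2 family H."""
    return gf_mul(a, x) ^ b

def h_inv(a, b, v):
    """Inverse of h_{a,b}: x = (v - b)/a. H is easy to invert, which the reverse-order counterexample uses."""
    return gf_mul(v ^ b, gf_inv(a))

def f(x):
    """Stand-in one-way permutation: cubing in GF(2^3) (a permutation since gcd(3, 2^3 - 1) = 1)."""
    return gf_mul(x, gf_mul(x, x))

def chop(v):
    """chop_{n-1}: drop the last bit; 2-to-1 from {0,1}^n onto {0,1}^{n-1}."""
    return v >> 1

def g(a, b, x):
    """A member of the (n, n-1)-family G: g(x) = chop_{n-1}(h(f(x)))."""
    return chop(h(a, b, f(x)))

def solve_h(x1, y1, x2, y2):
    """The unique (a, b) with h_{a,b}(x1) = y1 and h_{a,b}(x2) = y2 (needs x1 != x2, y1 != y2).
    Subtracting a*x1 + b = y1 from a*x2 + b = y2 gives a = (y1 - y2)/(x1 - x2) and
    b = y1 - a*x1; in characteristic 2 subtraction is XOR."""
    a = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    return a, y1 ^ gf_mul(a, x1)

def check_pairwise_independence():
    """Exhaustively confirm Prob[h(x1) = y1 and h(x2) = y2] = 1/2^n * 1/(2^n - 1) for all
    x1 != x2, y1 != y2: exactly one of the 2^n * (2^n - 1) members of H hits each pair."""
    family = [(a, b) for a in range(1, SIZE) for b in range(SIZE)]
    pairs = list(itertools.permutations(range(SIZE), 2))
    for (x1, x2), (y1, y2) in itertools.product(pairs, pairs):
        hits = sum(1 for a, b in family if h(a, b, x1) == y1 and h(a, b, x2) == y2)
        if hits != 1:
            return False
    return True

def collision_finder_A(target_x, a, b):
    """Target-collision adversary against G, simulated by brute force: it has committed to
    target_x, receives g (as a, b) and returns x' != target_x with g(x') = g(target_x)."""
    return next(xp for xp in range(SIZE) if xp != target_x and g(a, b, xp) == g(a, b, target_x))

def inverter_B(y, seed=None):
    """Algorithm B from the lecture: invert y = f(z) using A as a black box."""
    rng = random.Random(seed)
    x = rng.randrange(SIZE)             # A's committed target (chosen at random here)
    if f(x) == y:                       # A happened to commit to z itself
        return x
    w = rng.randrange(SIZE)             # random w; w' = w with its last bit flipped
    a, b = solve_h(y, w, f(x), w ^ 1)   # h(y) = w, h(f(x)) = w': chop(h(y)) = chop(h(f(x)))
    xp = collision_finder_A(x, a, b)
    # g(x') = g(x) forces h(f(x')) into {w, w'}; it is not w' = h(f(x)) since f(x') != f(x),
    # so h(f(x')) = w = h(y) and, h being 1-1, f(x') = y.
    assert f(xp) == y
    return xp

def f_keeps_last_bit(u):
    """A permutation of {0,1}^3 that leaves the last bit alone (it rotates the top two bits)."""
    return ((((u >> 1) + 1) % 4) << 1) | (u & 1)

def g_reversed(a, b, x):
    """The reverse combination g(x) = chop_{n-1}(f(h(x))) with this last-bit-preserving f."""
    return chop(f_keeps_last_bit(h(a, b, x)))

def collide_reversed(a, b, x):
    """Collision for g_reversed with no work at all: flip the last bit of h(x) and invert h."""
    return h_inv(a, b, h(a, b, x) ^ 1)
```

Because the lecture's argument for B only needs the two-point solvability of H, inverter_B succeeds on every y in this toy field; g_reversed shows the order of composition matters, since collisions there come from inverting h alone and never touch the one-way permutation.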
From (n, n-1)-UOWHFs to (n, n/2)-UOWHFs
• Idea: composition.
• What happens to the security of the scheme?
– The probability of inverting f given a collision-finding algorithm for the composed family may be smaller by a factor of 2/n
General construction of (n, k)-UOWHFs
• Use tree composition
• Description length: k·log(n/k), i.e. log(n/k) descriptions of (n, n/2) hash functions
– 2k bits in the example
Recall: Regeneration
• If we could get a smaller public key, we would be able to regenerate a (smaller) key and sign/authenticate an unbounded number of messages
• What if you had three wishes…?
• Idea: use G, a family of UOWHFs, to compress the message
• Question: can we use a global one g ∈ G for all nodes of the tree?
• Question: how to assign messages to nodes in the tree?
What exactly are we after?
Signature Scheme
• Allow Alice to publish a public key pk while keeping hidden a secret key sk
– Key generation algorithm
• Input: security parameter n, random bits
• Output: pk and sk
• Given a message m, Alice can produce a signature s
– Signing algorithm
• Input: pk and sk and message m (plus random bits)
– Possible: also the history of previous messages
• Output: s
• "Anyone" who is given pk and (m,s) can verify it
– Signature verification algorithm
• Input: (pk, m, s)
• Output: 'accept' or 'reject'
– Completeness: the output of the signing algorithm is assigned 'accept'
All algorithms should be polynomial time
Security: "No one" who is given only pk and not sk can forge a valid (m,s)
How to define this properly?
Rigorous Specification of Security of a Scheme
Recall: to define the security of a system one must specify:
1. The power of the adversary
– computational
– access to the system
• who chooses the messages to be signed
• in what order
2. What constitutes a failure of the system
• What is a legitimate forgery?
Existential unforgeability in signature schemes
A signature scheme is existentially unforgeable under an adaptive message attack if any polynomial adversary A which
• has access to the system for q rounds (adaptive message attack):
– adaptively chooses messages m_i and receives a valid signature s_i
• tries to break the system: find (m,s) so that
– m ∉ {m1, m2, …, mq}
but
– (m,s) is a valid signature (existential forgery)
has probability of success at most ε,
for any q and 1/ε polynomial in the security parameter and for large enough n.
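The definition above written out as a game, as an added example in Python (not code from the lecture): forgery_game hands the adversary pk and a signing oracle limited to q adaptively chosen messages, and counts the output (m, s) as a win only if m was never queried and verification accepts. The scheme it is run against is the Lamport one-time signature from the recap, with SHA-256 as a stand-in for the one-way function and 8-bit messages (constructed toy size); the two sample adversaries show what the definition does not count as a forgery. All names here are this example's.

```python
import hashlib
import os

MSG_BITS = 8  # message length in bits (constructed toy size)


def owf(x):
    """Stand-in one-way function."""
    return hashlib.sha256(x).digest()


def keygen():
    """Lamport: sk holds two random preimages per message bit, pk their images under owf."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(MSG_BITS)]
    pk = [[owf(s0), owf(s1)] for s0, s1 in sk]
    return pk, sk


def bits(m):
    return [(m >> i) & 1 for i in range(MSG_BITS)]


def sign(sk, m):
    """Reveal, for each message bit, the preimage that matches the bit."""
    return [sk[i][b] for i, b in enumerate(bits(m))]


def verify(pk, m, s):
    """Accept iff every revealed preimage maps to the public image selected by the message bit."""
    return len(s) == MSG_BITS and all(owf(s[i]) == pk[i][b] for i, b in enumerate(bits(m)))


def forgery_game(adversary, q):
    """Existential forgery under adaptive chosen-message attack.
    The adversary receives pk and an oracle it may query adaptively at most q times,
    then outputs (m, s); it wins iff m is not among the queried messages and verify accepts."""
    pk, sk = keygen()
    queried = []

    def oracle(m):
        if len(queried) >= q:
            raise RuntimeError("query budget of %d exhausted" % q)
        queried.append(m)
        return sign(sk, m)

    m, s = adversary(pk, oracle)
    return m not in queried and verify(pk, m, s)


def replaying_adversary(pk, oracle):
    """Asks for a signature and hands it straight back: not a forgery, m was queried."""
    m = 0x5A
    return m, oracle(m)


def bit_flipping_adversary(pk, oracle):
    """Reuses a signature on a different message: rejected, the preimage revealed for the
    flipped bit belongs to the other half of that key pair."""
    m = 0x5A
    s = oracle(m)
    return m ^ 1, s
```

Note that the game itself says nothing about the scheme being one-time; the choice of q is part of the adversary model, which is exactly the "power of the adversary" the previous slide asks to be specified.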
Weaker notions of security
• How the messages are chosen during the attack
– E.g. random messages
– Non-adaptively (all messages chosen in advance)
• How the challenge message is chosen
– In advance, before the attack
– Randomly
Homework: show how to construct, from a signature scheme that is existentially unforgeable against random message attack, a signature scheme that is existentially unforgeable against adaptively chosen message attacks
Hint: use two schemes of the first type
Sources
• Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2 (unpublished)
• www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
– Existential unforgeability: Goldwasser, Micali and Rivest, SIAM J. Computing, 1988
– Using UOWHFs: Naor & Yung
• www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html