Foundations of Cryptography Lecture 2

Foundations of Cryptography
Lecture 5
Lecturer: Moni Naor
Recap of last week’s lecture
• The one-time authentication problem
• The hash based protocol
• Strongly Universal Hash functions
– Definition and Constructions
• δ-Universal2 hash functions
– Their application in authentication
– Polynomial Constructions
– Composition and tree
The hardest case of the subset problem
• (n,m)-subset sum assumption: for any probabilistic polynomial time algorithm
• for uniformly chosen $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^m - 1\}$ and $S \subseteq \{1, \ldots, n\}$
• given $T = \sum_{i \in S} a_i$ and $a_1, a_2, \ldots, a_n$, the probability of finding $S' \subseteq \{1, \ldots, n\}$ such that
$$\sum_{i \in S'} a_i = T \bmod 2^m$$
is negligible
• Show that the hardest case is when n=m
– If there is some function g such that for m=g(n) the (n,g(n))- subset sum
assumption holds, then the (n,n)- subset sum assumption holds
• Idea: chop the problem to make it square
• Important point: for any T the expected number of solutions S to $T = \sum_{i \in S} a_i \bmod 2^n$ is 1
– Expectation is over random $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^n - 1\}$
– Expected number of collisions with S is about 1
The authentication problem:
computational public-key version
• Alice wants to send a message m ∈ {0,1}^n to Bob or to Charlie
– Set-up phase is public
• They want to prevent Eve from interfering
– Bob should be sure that the message m’ he receives is
equal to the message m Alice sent
[Figure: Alice sends m to Bob over a channel controlled by Eve]
Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register R ∈ N (no message) ∪ {0,1}^n
Eve completely controls the channel
Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere
– Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
– R is either N or m (but not m’ ≠m )
– If Alice does not want to send a message R is N
Since this is a generalization of the identification problem – must use shared
secrets and probability or complexity
Probabilistic version:
• for any behavior of Eve and for any message m ∈ {0,1}^n, the probability that
Bob is in state m’ ≠m or N is at most ε
What about the public-key problem?
• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does
not interfere – Bob has value m in register R
– Soundness: If Alice wants to send m and Eve and Charlie do
interfere
• R is either N or m (but not m’ ≠m )
– Existential forgery
• If Alice does not want to send a message R is N
• Who chooses which m Alice will want to approve?
– Adversary does. This is a chosen message attack
• When is m’ chosen? It might be after the authentication of m has been seen
• As before: complexity to the rescue
A one-time public-key authentication problem
Let f: {0,1}^n → {0,1}^n be a one-way function
– Adversaries’ running time is bounded by a polynomial
To sign/authenticate a single bit message
• Setup phase:
– Alice chooses a random pair x_0, x_1 ∈ {0,1}^n and
– Computes y0 = f(x0) and y1 = f(x1)
– Gives Bob and Charlie (y0 ,y1 )
When Alice wants to approve m ∈ {0,1} – she sends (m, x_m)
If Bob gets any symbols on the channel – call them (b,z) – he computes f(z) and compares it to y_b
– If equal, he moves to state b
– If not equal, he moves permanently to state N
Why is it secure?
What about n–bit messages?
– Alice prepares a set of n pairs and opens the appropriate ones
Since this is non-interactive, Bob can convince Charlie that Alice approved message m
– Non-repudiation from Alice
Signing n–bit messages
Public key
[Figure: the public key is the table of pairs f(x_1^0) f(x_1^1), f(x_2^0) f(x_2^1), …, f(x_n^0) f(x_n^1); each message bit (1, 0, …, 1) selects which preimage of its pair is opened]
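As an added illustration (not part of the lecture slides), the n-bit scheme above in runnable Python. SHA-256 is assumed as a stand-in for the abstract one-way function f; key generation, signing and verification follow the slide's table of pairs, and the last function shows why the key must be used only once:

```python
import hashlib
import secrets

# Added example (not from the slides): Lamport-style one-time signature for
# n-bit messages. SHA-256 stands in for the abstract one-way function f.
N_BITS = 8   # message length n (toy size; nothing below depends on it)

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def bits(m: int, n: int):
    """Message bits m_1..m_n, most significant first."""
    return [(m >> (n - 1 - i)) & 1 for i in range(n)]

def keygen(n=N_BITS):
    """Alice draws n random pairs (x_i^0, x_i^1); the public key is the table of their images."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def sign(sk, m: int):
    """Open one preimage per pair, selected by the message bit: x_1^{m_1}, ..., x_n^{m_n}."""
    return [sk[i][b] for i, b in enumerate(bits(m, len(sk)))]

def verify(pk, m: int, sig) -> bool:
    """Bob's check: for every i, f(z_i) must equal the published image y_i^{m_i}."""
    if len(sig) != len(pk):
        return False
    return all(f(z) == pk[i][b] for i, (b, z) in enumerate(zip(bits(m, len(pk)), sig)))

def exposed_after(sk, msgs):
    """Why the key is one-time: pairs for which BOTH preimages have been revealed after
    signing msgs. Any such position can be set either way by someone holding the signatures,
    which is exactly what the security theorem rules out for a single message."""
    n = len(sk)
    seen = [set() for _ in range(n)]
    for m in msgs:
        for i, b in enumerate(bits(m, n)):
            seen[i].add(b)
    return [i for i in range(n) if len(seen[i]) == 2]

if __name__ == "__main__":
    sk, pk = keygen()
    sig = sign(sk, 0b10110010)
    print(verify(pk, 0b10110010, sig), verify(pk, 0b10110011, sig))   # True False
    print(exposed_after(sk, [0b10110010, 0b01001101]))                 # all 8 positions
```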
Security of the Scheme
Theorem: If there is an Adversary A that
• chooses a message m ∈ {0,1}^n for Alice to legitimately
authenticate
• forges a message m’ ≠ m
with probability at least ε
Then there is an Adversary B that
• can break the function f with probability at least ε/n
• operates in time roughly the same as A
Proof: Homework
Size of the public key
• The size of the public key – to be able to sign an n-bit
message need 2n^2 bits of public key.
• Preparing a public key takes
– n evaluations of the one-way functions
and
– 2n^2 bits of public key.
Homework: Suggest a tradeoff with more evaluation but
fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way
on their iterates
Regeneration
• If we could get a smaller public key, we could regenerate a smaller one and
sign/authenticate an unbounded number of messages
– What if you had three wishes…?
• Idea: use hashing to compress the message
• What about universal hashing ?
– Problem: both m and m’ are chosen in advance in universal hashing
– Must use computational hardness somewhere
Possible definitions
• A function g: {0,1}^{2n} → {0,1}^n where it is hard to
find m’ ≠ m with g(m)=g(m’)
• Problems:
– not good for non-uniform models
– hard to connect to other assumptions
• Want a family of functions from which one is
selected
• Use the advantage we have: the target is known
Possible definitions
• A family of functions
G = {g | g: {0,1}^n → {0,1}^{h(n)}}
Such that
• Easy to sample g from G and g ∈ G has a succinct description
• Given (n, g, x) easy to compute g(x)
• h(n) < n
• Hard to find collisions:
Alternative 1 – any collision
– Given n and g ∈ G hard to find x, x’ ∈ {0,1}^n where
x ≠ x’ but g(x)=g(x’)
– Sometimes called collision intractable
– hard to connect to other assumptions
Alternative 2 – target collision
– Given (n,g,x) hard to find x’ ∈ {0,1}^n where
x ≠ x’ but g(x)=g(x’)
Universal One-Way Hash functions
UOWHFs
When/how is the target x chosen?
Independently of g but want to work for any possible x
– First x is selected by the adversary, then g ∈ G is selected at random
Technical point: let ℓ1, ℓ2 : {0,1}* → {0,1}* be functions mapping n to the input and output sizes. We assume
– ℓ1(n) < ℓ2(n) and
– both are bounded by polynomials in n
Definition: A family of functions $G = \bigcup_{n=1}^{\infty} G_n$ where $G_n = \{g \mid g: \{0,1\}^{\ell_1(n)} \to \{0,1\}^{\ell_2(n)}\}$ is called (ℓ1, ℓ2)-universal one-way hash if:
• Given n it is easy to sample a random g from Gn, and g ∈ Gn has a description polynomial in n
• Given (n, g, x) it is easy to compute g(x)
• Hard to find target collisions: no polynomial time adversary that on input n
– generates x ∈ {0,1}^{ℓ1(n)}
– and, given a random g ∈ Gn, finds x’ ∈ {0,1}^n where x ≠ x’ but g(x)=g(x’)
succeeds with non-negligible probability for sufficiently large n
Homework
• Show that the existence of UOWHFs implies the
existence of one-way functions
• Show that there are families of UOWHFs which are
not collision intractable
• Show that if the (n, βn)-subset sum assumption
holds, then the corresponding subset function
defines a family of UOWHFs
Composing UOWHFs
Concatenation
Let G be a (ℓ1, ℓ2)-family of Universal One-way Hash functions
Consider the (2ℓ1, 2ℓ2)-family G’ where each g’ ∈ G’ is defined by a function g ∈ G and where
g’(x1, x2) = (g(x1), g(x2))
Claim: the family above is a (2ℓ1, 2ℓ2)-family of Universal One-way Hash functions
Proof: let the adversary choose (x1, x2) as the target and let (x’1, x’2) be the colliding value
• If x1 ≠ x’1 we found a collision with x1: g(x1)=g(x’1)
• If x2 ≠ x’2 we found a collision with x2: g(x2)=g(x’2)
• Guess which case b ∈ {0,1} will occur
– correct with probability ½ and
– output x_b as the target
Running time – similar.
Probability of success: at least ½ of that against G’
Composing UOWHFs
Composition
[Figure: ℓ1 → ℓ2 → ℓ3]
Let
• G1 be a (ℓ1, ℓ2)-family of UOWHFs
• G2 be a (ℓ2, ℓ3)-family of UOWHFs
Consider the family G which is a (ℓ1, ℓ3)-family and where
each g ∈ G is defined by g1 ∈ G1 and g2 ∈ G2
g(x) = g2(g1(x))
Claim: the family above is a (ℓ1, ℓ3)-family of UOWHFs
Proof: the collision must occur either at the first hash function or
the second hash function…
The Tree Construction
[Figure: a tree over the message m, with g1 applied at the leaf level, g2 at the next level and g3 at the root]
Let n = l·k and let each gi be chosen independently from G, a (2k,k)-UOWHF
family; then the result is a family of functions {0,1}^n → {0,1}^k which is an (n,k)-UOWHF
Size: t log |G| where t is the number of levels in the tree
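An added worked example, not from the slides, covering both the tree construction and the homework's subset-sum family: the (2k,k) family is assumed to be instantiated as the subset-sum hash g_a(x) = Σ_{i: x_i = 1} a_i mod 2^k, one g_i is drawn per level, and the key size t·log|G| is computed alongside the hash (k = 8 is far too small for the assumption to mean anything and only makes the structure visible):

```python
import secrets

# Added example (not from the slides): the tree construction over a toy (2k, k)
# family. The family is the subset-sum hash from the homework, g_a(x) = sum of
# a_i over the set bits of x, mod 2^k, with a_1..a_{2k} drawn from {0..2^k - 1}.
# Its UOWHF property rests on the subset-sum assumption; k = 8 is far too small
# for that and is used only to make the structure visible.
K = 8

def sample_g(k=K):
    """Draw g from G: 2k random k-bit coefficients, so log|G| = 2k*k bits."""
    return [secrets.randbelow(2 ** k) for _ in range(2 * k)]

def apply_g(a, x: int, k=K) -> int:
    """g_a on a 2k-bit input x: add a_i for every set bit of x (MSB first), mod 2^k."""
    assert 0 <= x < 2 ** (2 * k)
    total = 0
    for i in range(2 * k):
        if (x >> (2 * k - 1 - i)) & 1:
            total += a[i]
    return total % 2 ** k

def levels_for(n: int, k=K) -> int:
    """Number of tree levels t for n = l*k: l leaves, l a power of two, halved at each level."""
    l, rest = divmod(n, k)
    assert rest == 0 and l >= 2 and l & (l - 1) == 0
    return l.bit_length() - 1

def sample_tree_key(n: int, k=K):
    """One independently chosen g_i per level; the key is t * log|G| = t * 2k * k bits."""
    return [sample_g(k) for _ in range(levels_for(n, k))]

def key_bits(gs, k=K) -> int:
    return len(gs) * 2 * k * k

def tree_hash(gs, m: int, n: int, k=K) -> int:
    """Compress an n-bit m to k bits: cut it into k-bit leaves, then hash adjacent pairs
    with g_i at level i until a single k-bit root remains."""
    blocks = [(m >> (n - k * (j + 1))) & (2 ** k - 1) for j in range(n // k)]
    for g in gs:
        blocks = [apply_g(g, (blocks[j] << k) | blocks[j + 1], k)
                  for j in range(0, len(blocks), 2)]
    assert len(blocks) == 1
    return blocks[0]

if __name__ == "__main__":
    gs = sample_tree_key(64)
    print(key_bits(gs), hex(tree_hash(gs, secrets.randbits(64), 64)))
```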
Constructing (n, n-1)-UOWHFs
• Idea: Combine one-way with universal
– Want to match each image of the one-way functions with another
random image
• Let f: {0,1}^n → {0,1}^n be a one-way permutation
• Let H = {h | h: {0,1}^n → {0,1}^n} be a Strongly Universal2 family
• Let chop_{n-1}: {0,1}^n → {0,1}^{n-1} be a 2-to-1 function
Consider the (n, n-1)-family G where each g ∈ G is defined by h ∈ H
g(x) = chop_{n-1}(h(f(x)))
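An added example, not from the slides, that instantiates this family for n = 8 and carries through the reduction the slide's "combine one-way with universal" idea rests on. Assumptions: a fixed random permutation table stands in for f (not one-way at this size), H is the affine family h_{a,b}(y) = a·y + b over GF(2^8), and chop_{n-1} drops the low bit; the point shown is that a target collision x’ under a suitably chosen h is a preimage of a challenge image under f:

```python
import random

# Added example (not from the slides): the (n, n-1) construction g(x) = chop_{n-1}(h(f(x)))
# for n = 8, and the reduction from a target-collision finder to an inverter of f.
# Assumptions: f is a fixed random permutation table (a stand-in, not one-way at this size);
# H is the strongly universal_2 affine family h_{a,b}(y) = a*y + b over GF(2^8); chop drops the low bit.
N = 8
POLY = 0x11B                              # GF(2^8) modulus x^8 + x^4 + x^3 + x + 1

def gf_mul(p, q):
    r = 0
    while q:
        if q & 1:
            r ^= p
        p <<= 1
        if p & 0x100:
            p ^= POLY
        q >>= 1
    return r

def gf_inv(p):                            # p^(2^8 - 2) = p^-1 for p != 0
    r = 1
    for _ in range(254):
        r = gf_mul(r, p)
    return r

F = list(range(2 ** N))
random.Random(1).shuffle(F)               # f(x) = F[x]

def h(a, b, y):                           # h_{a,b}(y) = a*y + b in GF(2^8)
    return gf_mul(a, y) ^ b
def g(a, b, x):                           # g(x) = chop_{n-1}(h(f(x)))
    return h(a, b, F[x]) >> 1

def h_through(y1, r1, y2, r2):
    """The unique h in H with h(y1) = r1 and h(y2) = r2 (needs y1 != y2):
    pairwise independence lets the reduction fix h at two points."""
    a = gf_mul(r1 ^ r2, gf_inv(y1 ^ y2))
    return a, r1 ^ gf_mul(a, y1)

def invert_via_collision(x, y_star, rnd=random):
    """Reduction: given the adversary's target x and a challenge image y*, pick h with
    h(y*) in the chop-class of h(f(x)). As f and h (a != 0) are bijections, any x' != x
    with g(x') = g(x) has f(x') = y*, so the returned collision is a preimage of y*."""
    if F[x] == y_star:
        return x
    r = rnd.randrange(2 ** N)             # h(f(x)) is uniform, as under an honest random h
    a, b = h_through(F[x], r, y_star, r ^ 1)
    # the collision finder stands in for the UOWHF adversary; brute force is fine for n = 8
    return next(z for z in range(2 ** N) if z != x and g(a, b, z) == g(a, b, x))
```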
Sources
• Chapter on signatures in Goldreich’s Foundations
of Cryptography, volume 2 (unpublished)
• www.wisdom.weizmann.ac.il/~oded/foc-vol2.html
• Papers:
– Universal Hashing:
• Carter & Wegman, Wegman and Carter, JCSS 1979, 1981
– UOWHF: Naor & Yung
• www.wisdom.weizmann.ac.il/~naor/PAPERS/uowhf_abs.html