
Foundations of Cryptography Lecture 3: One-way on its iterates, Authentication

Foundations of Cryptography, Lecture 3: One-way on its iterates, Authentication. Lecturer: Moni Naor. Recap of last week's lecture: one-way functions are essential to the two-guard identification problem; important idea: simulation; examples of one-way functions.


Presentation Transcript


  1. Foundations of Cryptography. Lecture 3: One-way on its iterates, Authentication. Lecturer: Moni Naor

  2. Recap of last week's lecture
  • One-way functions are essential to the two-guard identification problem.
  • Important idea: simulation
  • Examples of one-way functions: subset sum, discrete log, factoring
  • Weak one-way functions
  • Constructing strong one-way functions from weak one-way functions
    • Important ideas: hardness amplification; reduction
  • Universal/ultimate one-way function
  • Robust combiners

  3. Identification - many times
  • Alice wants to send an `approve' message to Bob many times.
  • They want to prevent Eve from interfering.
  • Bob should be sure that Alice indeed approved each time.
  How to specify? (Figure: Alice and Bob communicate over a channel controlled by Eve)

  4. Specification of the Problem
  Alice and Bob communicate through a channel. Bob has an external counter C (the number of times Alice approved). Eve completely controls the channel.
  Requirements:
  • If Alice wants to approve and Eve does not interfere, Bob increases the counter C.
  • The number of times Alice approves is a bound on the value of the counter C.
  • If Alice wants to approve and Eve does interfere, there are no requirements on the counter C until there is a quiescent period: a time when Alice wants to approve and Eve does not interfere.
  Not the only possible specification! One can instead mandate that an approval was sent since the last time the counter increased.

  5. Solution to the many-time identification problem
  Let k be an upper bound on the number of identifications.
  • Alice and Bob share k passwords in the setup phase.
  • Each time Alice wants to identify, she sends the next unused password.
  • Bob compares it with the next password on the list.
  Can they do it while sharing fewer than k passwords?

  6. Solution to the identification problem
  • Assume that f is a one-way function, and let k be an upper bound on the number of identifications.
  • Setup phase: Alice chooses x ∈ {0,1}^n, computes y = f^(k)(x) and gives Bob y.
  • Denote y_i = f^(k-i)(x). When Alice wants to approve the i-th time, she sends the special symbol $ followed by i and y_i = f^(k-i)(x).
  • Bob stores y.
  • If Bob gets a $ followed by symbols on the channel:
    • denote them (j, z);
    • compare j to C+1, reject if not equal;
    • check whether z = f^(k-j)(x) (Bob can do this without knowing x by checking that f^(j)(z) = y);
    • if equal, move the counter C to state j+1.
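The protocol of this slide as an added, runnable example (not part of the lecture). It assumes SHA-256 truncated to 128 bits as a stand-in for the abstract one-way function f, a constructed secret x, and shows Bob's check f^(j)(z) = y rejecting both a replayed y_j and a forged value.

```python
import hashlib

# Added example, not from the lecture: the k-time identification protocol of slide 6.
# Assumption: SHA-256 truncated to n = 128 bits stands in for the one-way function f
# (the lecture leaves f abstract and later instantiates it with Rabin squaring).
N_BYTES = 16

def f(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()[:N_BYTES]

def iterate(x: bytes, times: int) -> bytes:
    """f^(times)(x)."""
    for _ in range(times):
        x = f(x)
    return x

class Alice:
    def __init__(self, x: bytes, k: int):
        self.x, self.k, self.i = x, k, 0          # secret x, bound k, approvals so far

    def setup_value(self) -> bytes:
        return iterate(self.x, self.k)             # y = f^(k)(x), handed to Bob once

    def approve(self) -> tuple:
        self.i += 1                                # i-th approval: send $, i, y_i = f^(k-i)(x)
        return ("$", self.i, iterate(self.x, self.k - self.i))

class Bob:
    def __init__(self, y: bytes):
        self.y, self.C = y, 0                      # stored y and the external counter C

    def receive(self, msg) -> bool:
        tag, j, z = msg
        if tag != "$" or j != self.C + 1:          # reject replays and skipped indices
            return False
        if iterate(z, j) != self.y:                # z = f^(k-j)(x)  iff  f^(j)(z) = y
            return False
        self.C = j                                 # C now counts j accepted approvals
        return True

def run_session(k: int = 8) -> dict:
    """Three honest approvals, then a replay and a forgery by Eve (all constructed)."""
    alice = Alice(b"constructed-secret-x", k)
    bob = Bob(alice.setup_value())
    honest = [bob.receive(alice.approve()) for _ in range(3)]
    replay = bob.receive(("$", bob.C, iterate(alice.x, k - bob.C)))      # old y_3 again
    forgery = bob.receive(("$", bob.C + 1, b"\x00" * N_BYTES))           # must invert y_3
    return {"honest": honest, "replay": replay, "forgery": forgery, "counter": bob.C}
```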

  7. Is it secure?
  • Need care in choosing f.
  • It should be difficult to invert any one of the iterated instances of f.

  8. One-way on its iterates
  A function f: {0,1}^n → {0,1}^n is called one-way on its iterates if
  • f is a polynomial-time computable function;
  • for every probabilistic polynomial-time algorithm A, every polynomial p(·), and all sufficiently large n: for all k ≤ p(n)
      Prob[A(f^(k)(x)) ∈ f^{-1}(f^(k)(x))] ≤ 1/p(n)
    where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A.
  • From homework: not all one-way functions are one-way on their iterates.
  • Every one-way permutation is one-way on its iterates: if you start at a random point and iterate, you are still at a random point, so if it is one-way then it is one-way on its iterates.
  • The subset sum function is one-way on its iterates.

  9. Example: the squaring function (Rabin)
  f(x, N) = (x^2 mod N, N)
  Quadratic residues mod a prime:
  • If s and r satisfy s = r^2 mod P then s is called a quadratic residue modulo P.
  • If P is a prime then:
    • s = r^2 mod P has exactly two solutions mod P if 0 < s < P; denote them ±r.
    • The quadratic residues form a multiplicative subgroup with (P-1)/2 elements.
    • If P = 1 mod 4 then -1 is a quadratic residue mod P, and both square roots are either quadratic residues or non-residues.
    • If P = 3 mod 4 then -1 is a non-quadratic residue mod P, and one square root is a quadratic residue, the other not.
      • Squaring mod P is a permutation on the quadratic residues!
      • Computing square roots: if r = s^((P+1)/4) mod P, then squaring gives r^2 = s^((P+1)/2) = s · s^((P-1)/2) = ±s mod P.
  • If N = P·Q then s is a quadratic residue modulo N if and only if it is a quadratic residue for both P and Q.
  • If N = P·Q where P, Q = 3 mod 4 (called Blum integers):
    • each quadratic residue has 4 square roots,
    • exactly one of which is itself a quadratic residue;
    • squaring mod N is a permutation on the quadratic residues!

  10. Finding square roots and factoring are equivalent
  • If we know the factorization of N = P·Q, then we can compute square roots.
  • If there is a procedure that computes square roots correctly for a non-negligible fraction of inputs, we can boost it (random self-reducibility).
  • If we know (r, t) such that
    • s = r^2 = t^2 mod N,
    • r = t mod P,
    • r ≠ t mod Q,
    then we can factor by computing GCD(t - r, N).
  • Homework: show how to use a square-root computing routine to factor while preserving the probability of success.

  11. A one-way on its iterates function
  • To fully specify the function we need a starting procedure for generating
    • N = P·Q where P, Q = 3 mod 4: easy to specify given deterministic primality testing (even probabilistic is sufficient) and the density of primes;
    • a quadratic residue mod N: easy, by generating a random square.
  • The resulting function is one-way on its iterates.
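Slides 9 to 11 worked through on a toy Blum integer, as an added example (not from the lecture). It assumes the constructed primes P = 23 and Q = 31; it computes the four square roots of a residue, picks out the unique root that is itself a residue (the inverse of Rabin squaring on QR_N), checks that squaring permutes QR_N, and recovers P from two roots as on slide 10.

```python
from math import gcd

# Added example, not from the lecture: Rabin squaring on a small constructed Blum
# integer N = P*Q with P, Q = 3 mod 4 (slides 9-11). Toy sizes for illustration only.
P, Q = 23, 31            # constructed: 23 = 3 mod 4 and 31 = 3 mod 4
N = P * Q                # 713

def is_qr(s: int, p: int) -> bool:
    """Euler's criterion: s is a quadratic residue mod prime p iff s^((p-1)/2) = 1."""
    return pow(s, (p - 1) // 2, p) == 1

def sqrt_mod_prime(s: int, p: int) -> int:
    """For p = 3 mod 4 and s a QR: r = s^((p+1)/4) satisfies r^2 = s (slide 9)."""
    return pow(s, (p + 1) // 4, p)

def crt(rp: int, rq: int) -> int:
    """Combine residues mod P and mod Q into the residue mod N (Chinese remaindering)."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def square_roots(s: int) -> list:
    """All four square roots of a QR s mod N; needs the factorization of N."""
    rp, rq = sqrt_mod_prime(s % P, P), sqrt_mod_prime(s % Q, Q)
    return sorted({crt(a, b) for a in (rp, P - rp) for b in (rq, Q - rq)})

def qr_root(s: int) -> int:
    """The unique root that is itself a QR mod N: the inverse of squaring on QR_N."""
    roots = [r for r in square_roots(s) if is_qr(r % P, P) and is_qr(r % Q, Q)]
    assert len(roots) == 1
    return roots[0]

def squaring_permutes_qr() -> bool:
    """Slide 9: squaring mod a Blum integer is a permutation of the quadratic residues."""
    units = [x for x in range(1, N) if gcd(x, N) == 1]
    qr = {x * x % N for x in units}
    return {s * s % N for s in qr} == qr and all(qr_root(s) ** 2 % N == s for s in qr)

def factor_from_roots(r: int, t: int) -> int:
    """Slide 10: r^2 = t^2 mod N with r = t mod P but r != t mod Q, so gcd(t - r, N) = P."""
    return gcd(t - r, N)
```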

  12. Security of scheme
  • Two possible evil actions:
    • substitute a correct value;
    • invent a value (forge).
  If the scheme can be broken:
  • There is a first time where Eve sent a false value z as y_i.
  By the specification of the protocol:
  • If Eve substitutes a true value y_i with her own z, she is caught.
  Hence the first false z is also an attempt to forge: Alice approved only i-1 times but Eve convinced Bob to accept i times.
  If the probability of breaking is at least 1/p(n):
  • There is a j ≤ k where Eve does this with probability at least 1/(k·p(n)).
  Important idea: existence of a large step.

  13. …Security of scheme
  For this j we can break the (k-j)-th iterate of f with probability at least 1/(k·p(n)):
  • Given y_j = f^(k-j)(x), compute y = f^(j)(y_j) and simulate the adversary for j rounds.
  • The adversary sees exactly the same distribution as in real life.
  • Forging at step j must be done by inverting y_j.
  • Hence the probability that the adversary succeeds in forgery at step j is at least 1/(k·p(n)).

  14. Problems with the scheme
  • Need to know an upper bound k on the number of identifications.
  • Need to perform work proportional to k before the first identification (what if it flops?).
  • Total work (in all k sessions) by Alice: O(k^2). For Bob, if he stores the last value: O(k).
  • If Alice stores all k values y_j: total work (in all k sessions) only O(k).
  • Homework: how can Alice store O(log k) values and perform amortized O(log k) work?
  • More problems:
    • need to maintain state, both Alice and Bob (in addition to the counter);
    • what happens when there are two verifiers?

  15. Possible Pitfalls
  If Bob does not check from scratch that z = f^(k-j)(x) then:
  • Eve might substitute y_j with a value z which she can invert in subsequent sessions.
  • If it is possible to find "easy siblings" this could be dangerous.
  • Homework: show that there is a function f that is
    • one-way on its iterates, and
    • such that given x it is easy to find x' with f(x) = f(x') and it is easy to invert f on x'.

  16. Question
  • Is it possible to have a protocol based on a function that is one-way on its iterates without Bob maintaining a state?

  17. Want a scheme with unlimited use
  If we have a function that only Alice can compute but both Bob and Charlie can verify:
  • Alice can compute for session number i the value f(i).
  • Problem: interleaving of verifiers, which allows replay.
  • Solution: challenge-response. The verifier chooses a random nonce r and asks to see f(r).
  To be continued!

  18. The authentication problem: one-time version
  • Alice wants to send a message m ∈ {0,1}^n to Bob.
  • They want to prevent Eve from interfering.
  • Bob should be sure that the message m' he receives is equal to the message m Alice sent.
  (Figure: Alice sends m to Bob over a channel controlled by Eve)

  19. Specification of the Problem
  Alice and Bob communicate through a channel. Bob has an external register R ∈ {N} ∪ {0,1}^n, where N stands for "no message". Eve completely controls the channel.
  Requirements:
  • Completeness: if Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in R.
  • Soundness: if Alice wants to send m and Eve does interfere, R is either N or m (but not m' ≠ m).
  • If Alice does not want to send a message, R is N.
  Since this is a generalization of the identification problem, we must use shared secrets and probability or complexity.
  Probabilistic version:
  • for any behavior of Eve and any message m ∈ {0,1}^n, the probability that Bob ends in a state m' that is neither m nor N is at most ε.

  20. Authentication using hash functions
  • Suppose that H = {h | h: {0,1}^n → {0,1}^k} is a family of functions and Alice and Bob share a random function h ∈ H.
  • To authenticate message m ∈ {0,1}^n Alice sends (m, h(m)).
  • When receiving (m', z) Bob computes h(m') and compares it to z:
    • if equal, he moves register R to m';
    • if not equal, register R stays in N.
  • What properties do we require from H?
    • hard to guess h(m'): probability at most ε. But this is clearly not sufficient: one-time pad.
    • hard to guess h(m') even after seeing h(m): probability at most ε. Should be true for any m'.
    • short representation for h: must have small log|H|.
    • easy to compute h(m) given h and m.

  21. Universal hash functions
  • Given that for h ∈ H we have h: {0,1}^n → {0,1}^k, we know that ε ≥ 2^{-k}.
  • A family where this is an equality is called universal_2.
  Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called strongly universal_2 or pair-wise independent if:
  • for all m1 ≠ m2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^k we have Prob[h(m1) = y1 and h(m2) = y2] = 2^{-2k},
  where the probability is over a randomly chosen h ∈ H. In particular Prob[h(m2) = y2 | h(m1) = y1] = 2^{-k}.
  Theorem: when a strongly universal_2 family is used in the protocol, Eve's probability of cheating is at most 2^{-k}.

  22. Constructing universal hash functions
  The linear polynomial construction:
  • Fix a finite field F of size at least the message space 2^n. It could be either GF[2^n] or GF[P] for some prime P ≥ 2^n.
  • The family H of functions h: F → F is defined as H = {h_{a,b}(m) = a·m + b | a, b ∈ F}.
  Claim: the family above is strongly universal_2.
  Proof: for every m1 ≠ m2 and y1, y2 ∈ F there are unique a, b ∈ F such that
      a·m1 + b = y1
      a·m2 + b = y2
  Size: each h ∈ H is represented by 2n bits.
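The linear construction used as the one-time authentication tag of slide 20, as an added example (not from the lecture). It assumes a constructed toy prime P = 11 as the field, and checks the claims of slides 21 and 22 exhaustively: every pair of distinct messages and target values is hit by exactly one key, and Eve's best guess after seeing one tag succeeds with probability exactly 1/P.

```python
import secrets
from itertools import product

# Added example, not from the lecture: the linear family h_{a,b}(m) = a*m + b over GF(P)
# as a one-time authentication tag, plus an exhaustive check of the strong universality
# claim. P is a constructed toy prime (k = log2 P bits of tag); real use needs P >= 2^n.
P = 11

def h(a: int, b: int, m: int) -> int:
    return (a * m + b) % P

def keygen() -> tuple:
    """The shared secret h in H: a uniformly random pair (a, b)."""
    return secrets.randbelow(P), secrets.randbelow(P)

def send(key: tuple, m: int) -> tuple:
    """Alice sends (m, h(m))."""
    return m, h(*key, m)

def receive(key: tuple, msg: tuple):
    """Bob's register R: m' if the tag verifies, None (the state N) otherwise."""
    m2, z = msg
    return m2 if h(*key, m2) == z else None

def is_strongly_universal() -> bool:
    """For every m1 != m2 and y1, y2 exactly one of the P^2 keys maps m1 -> y1 and
    m2 -> y2, so Prob[h(m1) = y1 and h(m2) = y2] = 1/P^2 = 2^-2k (slide 21)."""
    for m1, m2, y1, y2 in product(range(P), repeat=4):
        if m1 != m2:
            hits = sum(1 for a, b in product(range(P), repeat=2)
                       if h(a, b, m1) == y1 and h(a, b, m2) == y2)
            if hits != 1:
                return False
    return True

def best_forgery_probability(m: int, y: int, m2: int) -> float:
    """Eve saw (m, y) and wants to pass m2 != m. Among the keys consistent with her view,
    the fraction under which her best guess for h(m2) is right: exactly 1/P = 2^-k."""
    consistent = [(a, b) for a, b in product(range(P), repeat=2) if h(a, b, m) == y]
    tallies = {}
    for a, b in consistent:
        tallies[h(a, b, m2)] = tallies.get(h(a, b, m2), 0) + 1
    return max(tallies.values()) / len(consistent)
```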

  23. Constructing universal hash functions
  The inner product construction:
  • Fix a finite field F of size at least the target space 2^k. It could be either GF[2^k] or GF[P] for some prime P ≥ 2^k.
  • Let n = ℓ·k.
  • Treat each message m ∈ {0,1}^n as an (ℓ+1)-vector over F where the first entry is 1. Denote it by (m_0, m_1, …, m_ℓ).
  • The family H of functions h: F^ℓ → F is defined by all (ℓ+1)-vectors a = (a_0, a_1, …, a_ℓ):
      H = {h_a(m) = ∑_{i=0}^{ℓ} a_i·m_i | a_0, a_1, …, a_ℓ ∈ F}
  Claim: the family above is strongly universal_2.
  Proof: for every (m_0, m_1, …, m_ℓ) ≠ (m'_0, m'_1, …, m'_ℓ) and y1, y2 ∈ F there are the same number of solutions to
      ∑_{i=0}^{ℓ} a_i·m_i = y1
      ∑_{i=0}^{ℓ} a_i·m'_i = y2
  Size: each h ∈ H is represented by n + k bits.

  24. Lower bound on the size of strongly universal hash functions
  Theorem: let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then |H| is Ω(2^n).
  More precisely, to obtain a d-wise independent family |H| should be Ω(2^{n⌊d/2⌋}).
  Reference: N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 on derandomization, Proposition 2.3.

  25. An almost perfect solution
  By allowing ε to be slightly larger than 2^{-k} we can get much smaller families.
  Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called δ-universal_2 if for all m1, m2 ∈ {0,1}^n where m1 ≠ m2 we have Prob[h(m1) = h(m2)] ≤ δ.
  Properties:
  • Strongly universal_2 implies 2^{-k}-universal_2.
  • The opposite is not true: the function h(x) = x…

  26. An almost perfect solution
  Idea: combine
  • a family of δ-universal_2 functions H1 = {h | h: {0,1}^n → {0,1}^k} with
  • a strongly universal_2 family H2 = {h | h: {0,1}^k → {0,1}^k}.
  Consider the family H where each h ∈ H is {0,1}^n → {0,1}^k and is defined by h1 ∈ H1 and h2 ∈ H2 as h(x) = h2(h1(x)).
  As before, Alice sends m, h(m).
  Claim: the probability of cheating is at most δ + 2^{-k}.
  Proof: when Eve sends m', y' we must have m ≠ m', and either
  • y' = h(m), which means that Eve succeeds with probability at most δ + 2^{-k} (a collision in h1 or in h2); or
  • y' ≠ h(m), which means that Eve succeeds with probability at most 2^{-k} (a collision in h2).
  Size: each h ∈ H is represented by log|H1| + log|H2| bits.

  27. Constructing almost universal hash functions
  The polynomial evaluation construction {0,1}^n → {0,1}^k:
  • Fix a finite field F of size at least the target space 2^k. It could be either GF[2^k] or GF[P] for some prime P ≥ 2^k.
  • Let n = ℓ·k.
  • Treat each (non-zero) message m ∈ {0,1}^n as a degree (ℓ-1) polynomial over F. Denote it by P_m.
  • The family H of functions h: F^ℓ → F is defined by all elements in F: H = {h_x(m) = P_m(x) | x ∈ F}.
  Claim: the family above is δ-universal_2 for δ = (ℓ-1)/2^k.
  Proof: the maximum number of points where two different degree (ℓ-1) polynomials agree is ℓ-1.
  Size: each h ∈ H is represented by k bits.
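The polynomial evaluation family of this slide, composed with the linear family of slide 22 exactly as slide 26 prescribes, as an added example (not from the lecture). It assumes a constructed toy field GF(7) with ℓ = 3 blocks per message, and verifies by exhaustive enumeration that the collision probability of h1 is exactly (ℓ-1)/2^k and that Eve's optimal forgery against the composed tag stays below δ + 2^{-k}.

```python
from itertools import product

# Added example, not from the lecture: the polynomial evaluation family of slide 27,
# composed with the linear family of slide 22 as in slide 26, over a constructed toy
# field GF(P) with L blocks per message. Exhaustive checks of the stated bounds.
P, L = 7, 3                                    # delta = (L-1)/P = 2/7 for h1
MESSAGES = list(product(range(P), repeat=L))   # every L-block message over GF(P)
KEYS = list(product(range(P), repeat=3))       # composed keys (x, a, b)

def poly_hash(x: int, blocks: tuple) -> int:
    """h1 = h_x(m) = P_m(x): the blocks of m are the coefficients of P_m (Horner's rule)."""
    acc = 0
    for c in reversed(blocks):
        acc = (acc * x + c) % P
    return acc

def composed_hash(key: tuple, blocks: tuple) -> int:
    """h(m) = h2(h1(m)) with h2 = h_{a,b} strongly universal over GF(P)."""
    x, a, b = key
    return (a * poly_hash(x, blocks) + b) % P

def max_collision_probability(hash_fn, keyspace, domain) -> float:
    """Exhaustive max over m != m' of Prob_key[hash_fn(key, m) = hash_fn(key, m')]."""
    worst = 0.0
    for i, m1 in enumerate(domain):
        for m2 in domain[i + 1:]:
            hits = sum(1 for key in keyspace if hash_fn(key, m1) == hash_fn(key, m2))
            worst = max(worst, hits / len(keyspace))
    return worst

def optimal_forgery_probability(m: tuple, m2: tuple) -> float:
    """Eve sees (m, h(m)) and must produce h(m2) for m2 != m. Exact success probability
    of her best strategy, by conditioning on each observed tag; slide 26 bounds it by
    delta + 1/P."""
    tags_seen = {}
    for key in KEYS:
        tags_seen.setdefault(composed_hash(key, m), []).append(composed_hash(key, m2))
    wins = sum(max(guesses.count(g) for g in set(guesses)) for guesses in tags_seen.values())
    return wins / len(KEYS)
```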

  28. Composing universal hash functions
  Concatenation: let H, where each h ∈ H is {0,1}^n → {0,1}^k, be a family of δ-universal_2 functions. Consider the family H' where each h' ∈ H' is {0,1}^{2n} → {0,1}^{2k} and where h'(x1, x2) = h(x1), h(x2) for some h ∈ H.
  Claim: the family above is δ-universal_2.
  Proof: let (x1, x2) and (x'1, x'2) be a pair of distinct inputs.
  • If x1 ≠ x'1, a collision must occur in the first part: h(x1) = h(x'1).
  • Else x2 ≠ x'2 and a collision must occur in the second part: h(x2) = h(x'2).
  In either case the probability is at most δ.

  29. Composing universal hash functions
  Composition: let
  • H1 = {h | h: {0,1}^{n1} → {0,1}^{n2}} and
  • H2 = {h | h: {0,1}^{n2} → {0,1}^{n3}}
  be families of δ-universal_2 functions. Consider the family H where each h ∈ H is {0,1}^{n1} → {0,1}^{n3} and is defined by h1 ∈ H1 and h2 ∈ H2 as h(x) = h2(h1(x)).
  Claim: the family above is 2δ-universal_2.
  Proof: the collision must occur either at the first hash function or at the second hash function. Each event happens with probability at most δ, and we apply the union bound.

  30. The Tree Construction
  (Figure: a tree of hash functions h1, h2, h3 applied to the blocks of m)
  • Set n = ℓ·k. Each h_i: {0,1}^{2k} → {0,1}^k is chosen independently from a δ-universal family H.
  • The result is a family of functions {0,1}^n → {0,1}^k which is tδ-universal, where t is the number of levels in the tree.
  • Size: t·log|H|.
  Can construct functions from huge domains.

  31. Homework
  • Given ε and n, what is the number of bits needed to specify an authentication scheme?
  • Bonus: can interaction help?
    • Can the number of shared secret bits be smaller than in a unidirectional scheme?
    • Can the number of shared bits depend on ε only?

  32. What about the public-key problem?
  • Recall: Bob and Charlie share the set-up phase information.
  • Is it possible to satisfy the requirements:
    • Completeness: if Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in R.
    • Soundness: if Alice wants to send m and Eve and Charlie do interfere, R is either N or m (but not m' ≠ m).
    • If Alice does not want to send a message, R is N.
  • Who chooses which m Alice will want to approve? The adversary does. This is a chosen message attack.
  • As before: complexity to the rescue.
