Recap of last week’s lecture• One-time signatures• UOWHFs
– Definition– Compositions– Construction from one-way permutations – Known: construction from one-way functions
General construction (n, k)-UOWHFs
• Use tree composition• Description length: k log (n/k) (n, n/2)-
descriptions of hash function– 2k bits in the example
Recall: Regeneration• If we could get a smaller public-key could be able to regenerate smaller and
sign/authenticate an unbounded number of messages– What if you had three wishes…?
Idea: use G a family of UOWHF to compress the message• Question: can we use a global g G for all nodes of the tree?• Question: how to assign messages to nodes in the tree?• What exactly are we after?
Components of a Signature Scheme• Allow Alice to publish a public key pk while keeping hidden a secret key sk
– Key generation Algorithm• Input: security parameter n, random bits• Output: pk and sk
• Given a message m Alice can produce a signature s– Signing Algorithm
• Input: pk and sk and message m (plus random bits)– Possible: also history of previous messages
• Output: s• ``Anyone” who is given pk and (m,s) can verify it
– Signature Verification Algorithm• Input: (pk, m, s)• Output: `accept’ or `reject’
– Completeness: the output of the Signing Algorithm is assigned `accept’ All algorithms should be polynomial time
Security: ``No one” who is given only pk and not sk can forge a valid (m,s) How to do define properly?
pk sk
KGA
Rigorous Specification of Security of a Scheme
Recall: To define security of a system must specify:1. The power of the adversary
– computational – access to the system
• Who chooses the message to be signed• What order
2. What constitutes a failure of the system • What is a legitimate forgery?
Existential unforgeability in signature schemes
A signature scheme is • existentially unforgeable under an • adaptive chosen message attack if any polynomial adversary A with • Access to the system: for q rounds
– adaptively choose messages mi and receive a valid signature si
• Tries to break the system: find pair (m, s) so that – m {m1, m2, … mq} But– (m,s) is a valid signature.
has probability of success at most εFor any q and 1/ε polynomial in the security parameter and for large enough n
adaptive message attack
existential forgery
Weaker notions of security• How the messages are chosen during the attack
– E.g. random messages– Non adaptively (all messages chosen in advance)
• How the challenge message is chosen– In advance, before the attack– randomly
Homework: show how to construct from a signature scheme that is
existentially unforgeable against random message attack a signature scheme that is
existentiallly unforgeable against adaptively chosen message attacks
Hint: use two schemes of the first type
Specific proposalKey generation: • generate the root
– Three sets of keys for a one-time signature scheme– A function g G from a family of UOWHF
Signing algorithm: • Traverse the tree in a BFS manner
– Generate a new triple – Sign the message using the middle part of node– Put the generated triple in the next available node in the current level
• If all nodes in current level are assigned, create a new one.– The signature consists of:
• The one-time signature on the message • The nodes along the path to the root• the one-time signatures on the hashed nodes along the path to the root
• Keep secret the private keys of all triplesVerification of signature: • Verify the one-times signature given.
triple
Size of signature:
Depth of tree ¢ triple size
When is using a single hash function sufficient?
The rule of thump of whether a global hash function g is sufficient or not is:
• Can the legitimate values hashed be chosen as a function of g
In this case the only legitimately hashed values are the triplesChosen independently of g by the signer
Note: if we want to hash the message itself (to obtain a shorter one-time signature: need a separate has function for each node
Why is tree regeneration secure
Consider the legitimate tree and a forged messageThere is the first place where the two differ
• This must occur when either:1. a forged one-time signature is produced Or2. a false child is authenticated
• Can guess the place where this happens and what happens with probability at least 1/p(n)
– If 1) happens more often: can break the one-time signature– If 2) happens more often: can break the UOWHF
Proof of Security Want to construct from the forging algorithm A which is a target collision finding for G algorithm B
Algorithm B:• Generate a random triple and output it as target x• Obtain the challenge g• Generate the public key/secret key of the scheme
– Using g as the global hash function• Run algorithm A that tries to break the signature scheme• Guess the node where the forgery occurs
– Put the triple x – If a false child is authenticated there: found a collision with x under g !
• What is the probability of success of B?The same as the simulated forging algorithm A for G divided by 2q
Claim: the probability the simulated algorithm A witnesses is the same as the real A
xg
x’
B
A
x’
Conclusion
Theorem: If families of UOWHF exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist
Corollary: If one-way permutations exist, then signature schemes existentially unforgeable under adaptive chosen message attacks exist.
Corollary: If one-time public-key identification is possible (equivalent to existence of one-way functions), then signature schemes existentially unforgeable under adaptive chosen message attacks exist.
Several other paradigms for creating secure signature schemes
• Trapdoor permutations– Protection against random attack and forgery of a random challenge
• Other forms of tree like schemes– Claw-free– Trapdoor
• Converting interactive identification schemes – If challenge is random
• Creating a random instance of a problem– Solvable if you know the trapdoor– Example: RSA
• Only analysis known: assumes an idealized random function– Black box that behaves as a random function– All users including adversary have black-box access to it but cannot see it
inside– Much debate in crypto literature
Trapdoor One-way PermutationsA collection functions with three probabilistic polynomial time algorithms• Key generation: on input n, the security parameter, and random bits,
generates two keys KP (Public) and KS (secret) and domain size D (could be 0,1n)• Forward computation: each KP defines a permutation f(KP,,¢) on D.
Given KP and x easy to compute f(KP,,x)
Hard to invert: for any PPT A given y=f(KP,,x) for a random KP (generated as above) and x 2R D, probability that A finds x is negligible
• Backward computation: given Ks easy to invert f(KP,,¢) there is an algorithm that given KP (Public) and KS (secret) and y=f(KP, x) finds x
The RSA Permutation• Public key: N=P∙Q and public exponent e s.t. e is
relatively prime to (N)=(P-1)(Q-1)
• Secret key: d s.t. d¢e = 1 mod (N) – Equivalently: factorization of N
• The permutation: RSAN,e(x) = xe mod N– The domain DN = ZN
*
• Inverting the permutation RSAN,e(-1)(y) = yd mod N
Euler's totient
The RSA Assumption: for random N (and e) for random y 2 ZN* hard to invert y
Trapdoors and Signatures
Using trapdoors `naively’:
• A signature scheme secure against random message attack for forging a random message
• Exercise: do the tree signature with trapdoors instead of UOWHFs
The Encryption problem:
• Alice would want to send a message m{0,1}n to Bob– Set-up phase is secret
• They want to prevent Eve from learning anything about the message m
Alice Bob
Eve
m
The encryption problem
• Relevant both in the shared key and in the public key setting
• Want to use many times• Also add authentication…• Other disruptions by Eve
What does `learn’ mean?• If Eve has some knowledge of m, it should remain the same
– Probability of guessing m• Min entropy of m
– Probability of guessing whether m is m0 or m1 – Probability of computing some function f of m
• Ideally: the ciphertext sent is independent of the message m – Implies all the above
• Shannon: achievable only if the entropy of the shared secret is at least as large as the message m entropy
• If no special knowledge about m: then need |m| bits• Achievable: one-time pad.
– Let rR {0,1}n – Think of r and m as elements in a group– To encrypt m send r+m– To decrypt z send m=z-r
©m
r
c
Pseudo-random generators
• Would like to stretch a short secret (seed) into a long one
• The resulting long string should be usable in any case where a long string is needed– In particular: as a one-time pad
• Important notion: IndistinguishabilityTwo probability distributions that cannot be distinguished– Statistical indistinguishability: distances between
probability distributions– New notion: computational indistinguishability
Statistical DifferenceStatistical difference between two distributions X and Y on domain D is:
(X,Y) = ½ 2 D |Pr[X=] – Pr[Y=]|
Equivalently (X,Y) = maxA µ D |Pr[X 2 A] – Pr[Y 2 A]|
Two probability sequences {Xn}nN and {Yn}nN are statistically indistinguishable if: for all polynomials p(.) and for all sufficiently large n
(X,Y) · 1/p(n)
Statistical test
Computational Indistinguishability
Definition: two sequences of distributions {Dn} and {D’n} on {0,1}n are computationally indistinguishable iffor every polynomial p(n) for every probabilistic polynomial time
adversary A for sufficiently large nIf A receives input y {0,1}n and tries to decide whether y was
generated by Dn or D’n then
|Prob[A=‘0’ | Dn ] - Prob[A=‘0’ | D’n ] | · 1/p(n)
Without restriction on probabilistic polynomial tests: equivalent to variation distance being negligible∑β {0,1}n |Prob[ Dn = β] - Prob[ D’n = β]| < 1/p(n)
advantage
Pseudo-random generatorsDefinition: a function g:{0,1}* → {0,1}* is said to be a
(cryptographic) pseudo-random generator if• It is polynomial time computable • It stretches the input |g(x)|>|x|
– Let ℓ(n) be the length of the output on inputs of length n
• If the input (seed) is random, then the output is indistinguishable from randomFor any probabilistic polynomial time adversary A that receives input y of length
ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n) for any polynomial p(n) and sufficiently large n
|Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | · 1/p(n)
Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin. J. von Neumann
g
seed
ℓ(n)
x
Pseudo-random generatorsDefinition: a function g:{0,1}* → {0,1}* is said to be a
(cryptographic) pseudo-random generator if• It is polynomial time computable • It stretches the input (seed): g(x)|>|x|
– denote by ℓ(n) the length of the output on inputs of length n• If the seed is random the output is indistinguishable from random
For any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y= g(x) or is a random string from {0,1}ℓ(n) for any polynomial p(n) and sufficiently large n
|Prob[A=`rand’| y=g(x)] - Prob[A=`rand’| yR {0,1}ℓ(n)] | · 1/p(n)
Important issues: • Why is the adversary bounded by polynomial time?• Why is the indistinguishability not perfect?
Construction of pseudo-random generators
• Idea given a one-way function there is a hard decision problem hidden there
• If balanced enough: looks random • Such a problem is a hardcore predicate• Possibilities:
– Last bit– First bit– Inner product
Hardcore PredicateDefinition: for f:{0,1}* → {0,1}* we say that h:{0,1}* →
{0,1} is a hardcore predicate for f if: • h is polynomial time computable • For any probabilistic polynomial time adversary A that receives input
y=f(x) and tries to compute h(x) for any polynomial p(n) and sufficiently large n
|Prob[A(y)=h(x)] - 1/2| < 1/p(n)where the probability is over the choice x and the random coins of A
• Sources of hardcoreness: – not enough information about x
• not of interest for generating pseudo-randomness– enough information about x but hard to compute it
Homework
Assume one-way functions exist• Show that the last bit/first bit are not necessarily hardcore
predicates• Generalization: show that for any fixed function h:{0,1}*
→ {0,1} there is a one-way function f:{0,1}* → {0,1}* such that h is not a hardcore predicate of f
• Show a one-way function f such that given y=f(x) each input bit of x can be guessed with probability at least 3/4
Single bit expansion
• Let f:{0,1}n → {0,1}n be a one-way permutation
• Let h:{0,1}n → {0,1} be a hardcore predicate for f
Consider g:{0,1}n → {0,1}n+1 whereg(x)=(f(x), h(x))
Claim: g is a pseudo-random generatorProof: can use a distinguisher for g to guess h(x)
f(x), h(x)) f(x), 1-h(x))
Hardcore Predicate With Public Information
Definition: let f:{0,1}* → {0,1}* be a function. We say that h:{0,1}* x {0,1}* → {0,1} is a hardcore predicate for f if
• h(x,r) is polynomial time computable • For any probabilistic polynomial time adversary A that receives input
y=f(x) and public randomness r and tries to compute h(x,r) for any polynomial p(n) and sufficiently large n
|Prob[A(y,r)=h(x,r)] -1/2| < 1/p(n)
where the probability is over the choice y of r and the random coins of A
Alternative view: can think of the public randomness as modifying the one-way function f: f’(x,r)=f(x),r.
From single bit expansion to many bit expansion
• Can make r and f(m)(x) public – But not any other internal state
• Can make m as large as needed
x f(x) h(x,r)
OutputInternal Configuration
r
f(2)(x)
f(3)(x)
Input
h(f(x),r)
h(f (2)(x),r)
h(f (m-1)(x),r)f(m)(x)
Two important techniques for showing pseudo-randomness
• Hybrid argument
• Next-bit prediction and pseudo-randomness
Hybrid argument
To prove that two distributions D and D’ are indistinguishable: • suggest a collection of distributions
D= D0, D1,… Dk =D’
If D and D’ can be distinguished, then there is a pair Di and Di+1 that can be distinguished.Advantage ε in distinguishing between D and D’ means advantage
ε/k between some Di and Di+1
Use a distinguisher for the pair Di and Di+1 to derive a contradiction
Next-bit TestDefinition: a function g:{0,1}* → {0,1}* is said to pass the next bit
test if:• It is polynomial time computable • It stretches the input |g(x)|>|x|
– denote by ℓ(n) the length of the output on inputs of length n• If the input (seed) is random, then the output passes the next-bit test
For any prefix 0≤ i< ℓ(n), for any probabilistic polynomial time adversary A that is a predictor: receives the first i bits of y= g(x) and tries to guess the next bit, for any polynomial p(n) and sufficiently large n
|Prob[A(yi,y2,…, yi) = yi+1] – 1/2 | < 1/p(n)
Theorem: a function g:{0,1}* → {0,1}* passes the next bit test ifand only if it is a pseudo-random generator
Sources
• Goldreich’s Foundations of Cryptography, volumes 1 and 2
• Goldwasser, Micali and Rivest, A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM J. on Computing, 1988.
Homework
• Show that the existence of UOWHFs implies the existence of one-way functions
• Show that there are family of UOWHFs of which are not collision intractable
• Show that if the (n, βn)-subset sum assumption holds for β<1, then the corresponding subset function defines a family of UOWHFs – You may use the fact that for m=βn for most a1, a2 ,…, an
{0,…2m -1} the distribution of T=∑ i S ai is close to uniform, when S is random.
Top Related