Foundations of Cryptography Lecture 5 Lecturer: Moni Naor

Recap of last week’s lecture The one-time authentication problem The hash based protocol Strongly Universal Hash functions –Definition and Constructions δ- Universal 2 hash functions –There application in authentication –Polynomial Constructions –Composition and tree

The hardest case of the subset problem ( n,m )-subset sum assumption: for any probabilistic polynomial time algorithm for uniformly chosen a 1, a 2,…, a n  R {0,…2 m - 1} and S ⊆ {1,...,n} given T=∑ i  S a i and a 1, a 2,…, a n the probability of finding S’ ⊆ {1,...,n} such that ∑ i  S’ a i = T mod 2 m is negligible Show that the hardest case is when n=m –If there is some function g such that for m=g(n) the (n,g(n))- subset sum assumption holds, then the (n,n)- subset sum assumption holds Idea: chop the problem to make it square Important point: for any T the expected number of solutions S to T =∑ i  S a i mod 2 n is 1 –Expectation is over random a 1, a 2,…, a n  R {0,…2 n - 1} –Expected number of collisions with S is about 1

The authentication problem: computational public-key version Alice would want to send a message m  {0,1} n to Bob or to Charlie –Set-up phase is public They want to prevent Eve from interfering –Bob should be sure that the message m’ he receives is equal to the message m Alice sent Alice Bob Eve m

Specification of the Problem (old) Alice and Bob communicate through a channel N Bob has an external register R  N (no message) ⋃ {0,1} n Eve completely controls the channel Requirements: R Completeness : If Alice wants to send m  {0,1} n and Eve does not interfere – Bob has value m in R Soundness : If Alice wants to send m and Eve does interfere –RN –R is either N or m (but not m’ ≠ m ) RN –If Alice does not want to send a message R is N Since this is a generalization of the identification problem – must use shared secrets and probability or complexity Probabilistic version: N for any behavior from Eve, for any message m  {0,1} n, the probability that Bob is in state m’ ≠ m or N is at most ε

What about the public-key problem? Recall: Bob and Charlie share the set-up phase information Is it possible to satisfy the requirements: R – Completeness : If Alice wants to send m  {0,1} n and Eve does not interfere – Bob has value m in register R – Soundness : If Alice wants to send m and Eve and Charlie do interfere RNR is either N or m (but not m’ ≠ m ) – Existential forgery RNIf Alice does not want to send a message R is N Who chooses which m Alice will want to approve? –Adversary does. This is a chosen message attack When is m’ chosen – might be after authentication on m seen As before: complexity to the rescue

A one-time public-key authentication problem Let f: {0,1} n → {0,1} n be a one-way one-way function –Adversaries run times is bounded by polynomial time To sign/authenticate a single bit message Setup phase: –Alice chooses a random pair {x 0, x 1  {0,1} n } and –Computes y 0 = f(x 0 ) and y 1 = f(x 1 ) –Gives Bob and Charlie (y 0,y 1 ) When Alice wants to approve m  {0,1} – she sends (m, x m ) If Bob gets any symbols on channel – call them (b,z) ; compute f(z) and compares to y m –If equal moves to state m N –If not equal, moves permanently to state N Why is it secure? What about n –bit messages? –Alice prepares a set of n pairs and opens the appropriate ones Since this is noninteractive, Bob can convince Charlie that Alice approved message m – Non repudiation from Alice

Signing n –bit messages f(x 1 0 )f(x 1 1 )f(x 2 0 )f(x 2 1 )f(x n 0 )f(x n 1 ) Public key Message 1 010

Security of the Scheme A Theorem: If there is an Adversary A that chooses a message m  {0,1} n for Alice to legitimately authenticate forges a message m’ ≠ m with probability at least ε B Then there is an Adversary B that can break the function f with probability at least ε/n Aoperates in time roughly the same as A Proof: Homework

Size of the public key The size of the public key – to be able to sign an n- bit message need 2n 2 bits of public key. Preparing a public key takes – n evaluations of the one-way functions and –2n 2 bits of public key. Homework : Suggest a tradeoff with more evaluation but fewer bits in the public key. – Hint : you may assume that you have functions that are one-way on their iterates

Regeneration If we could get a smaller public-key could be able to regenerate smaller and sign/authenticate an unbounded number of messages –What if you had three wishes…? Idea: use hashing to compress the message What about universal hashing ? –Problem: both m and m’ are chosen in advance in universal hashing –Must use computational hardness somewhere

Possible definitions A function g:{0,1} 2n → {0,1} n where it is hard to find m’ ≠ m but g(m)=g(m’) Problems: –not good for non-uniform models –hard to connect to other assumptions Want a family of functions from which one is selected Use the advantage we have: the target is known

Possible definitions A family of functions G={g|g:{0,1} n → {0,1} h(n) } Such that Easy to sample g from G and g  G has succinct description Given (n, g, x) easy to compute g(x) h(n) < n Hard to find collisions: Alternative 1 – any collision –Given n and g  G hard to find x, x’  {0,1} n where x ≠ x’ but g(x)=g(x’) –Sometimes called collision intractable –hard to connect to other assumptions Alternative 2 – target collision –Given (n,g,x) hard to find x’  {0,1} n where x ≠ x’ but g(x)=g(x’)

Universal One-Way Hash functions UOWHFs When/how is the target x chosen? Independently of g but want to work for any possible x – First x is selected by adversary, then g  G is selected at random Technical point: let ℓ 1, ℓ 2 :{0,1} * → {0,1}* be function mapping n to input and output sizes. We assume –ℓ 1 (n) < ℓ 2 (n) and –both are bounded by polynomials in n Definition : A family of functions G= ⋃ n=1 ∞ G n where G n ={g|g:{0,1} ℓ 1 (n) → {0,1}} ℓ 2 (n) } is called (ℓ 1, ℓ 2 )- universal one-way hash if: Given n easy to sample random g from G n and g  G n has description polynomial in n Given (n, g, x) easy to compute g(x) Hard to find target collisions: no polynomial time adversary can on input n –generate x  {0,1} ℓ 1 (n) –given a random g  G n find x’  {0,1} n where x ≠ x’ but g(x)=g(x’) succeed with non-negligible probability for sufficiently large n

Homework Show that the existence of UOWHF s implies the existence of one-way functions Show that there are family of UOWHF s of which are not collision intractable Show that if the (n, βn )- subset sum assumption holds, then the corresponding subset function defines a family of UOWHF s

Composing UOWHFs Concatenation Let G be be a (ℓ 1, ℓ 2 )- family Universal One-way Hash functions Consider the (2ℓ 1, 2ℓ 2 )- family G’ where each g’  G’ is defined by a function g  G and where g’(x 1,x 2 ) = g(x 1 ), g(x 2 ) Claim : the family above is (2ℓ 1, 2ℓ 2 )- family of Universal One-way Hash functions Proof: let the adversary choose x 1, x 2 as the target and let x’ 1, x’ 2 be the colliding value If x 1 ≠ x’ 1 found a collision with x 1 g(x 1 )=g( x’ 1 ) If x 2 ≠ x’ 2 found a collision with x 2 g(x 2 )=g( x’ 2 ) Guess which case b  {0,1} will occur –correct with probability ½ and –output x b as the target collision Running time – similar. Probability of success at least ½ of G’

Composing UOWHFs Composition Let G 1 be a (ℓ 1, ℓ 2 )- family of UOWHF s G 2 be a (ℓ 2, ℓ 3 )- family of UOWHF s Consider the family G which is a (ℓ 1, ℓ 3 )- family and where each g  G is defined by g 1  G 1 and g 2  G 2 g(x) = g 2 (g 1 (x)) Claim : the family above is a (ℓ 1, ℓ 3 )- family of UOWHF s Proof: the collision must occur either at the first hash function or the second hash function… ℓ2ℓ2 ℓ1ℓ1 ℓ3ℓ3

The Tree Construction g1g1 g2g2 g3g3 Let n= l ∙ k and let each g i be chosen independently from G a (2k,k)- UOWHF family, then result is a family of functions {0,1} n → {0,1} k which is (n,k)- UOWHF Size: t log |G| where t is the number of levels in the tree m

Constructing (n, n-1)- UOWHF s Idea: Combine one-way with universal –Want to match each image of the one-way functions with another random image Let f :{0,1} n → {0,1} n be a one-way permutation Let H = {h|h:{0,1} n → {0,1} n } be a Strongly Universal 2 family Let chop n-1 :{0,1} n → {0,1} n-1 be a 2-to-1 function Consider the (n, n-1 )- family G where each g  G is defined by h  H g(x) = chop n-1 (h(f(x)))

Sources Chapter on signatures in Goldreich’s Foundations of Cryptography, volume 2 (unpublished) Papers: –Universal Hashing: Carter & Wegman, Wegman and Carter, JCSS 1979, 1981 –UOWHF: Naor & Yung