Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.



Recap of last week's lecture
The one-time authentication problem
The hash based protocol
Strongly Universal Hash functions
– Definition and Constructions
δ-Universal$_2$ hash functions
– Their application in authentication
– Polynomial Constructions
– Composition and tree

The hardest case of the subset problem
$(n,m)$-subset sum assumption: for any probabilistic polynomial time algorithm, for uniformly chosen $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^m - 1\}$ and $S \subseteq \{1, \ldots, n\}$, given $T = \sum_{i \in S} a_i$ and $a_1, a_2, \ldots, a_n$, the probability of finding $S' \subseteq \{1, \ldots, n\}$ such that $\sum_{i \in S'} a_i = T \bmod 2^m$ is negligible.
Show that the hardest case is when $n = m$
– If there is some function $g$ such that for $m = g(n)$ the $(n, g(n))$-subset sum assumption holds, then the $(n,n)$-subset sum assumption holds
Idea: chop the problem to make it square
Important point: for any $T$ the expected number of solutions $S$ to $T = \sum_{i \in S} a_i \bmod 2^n$ is 1
– Expectation is over random $a_1, a_2, \ldots, a_n \in_R \{0, \ldots, 2^n - 1\}$
– Expected number of collisions with $S$ is about 1

The authentication problem: computational public-key version
Alice would want to send a message $m \in \{0,1\}^n$ to Bob or to Charlie
– Set-up phase is public
They want to prevent Eve from interfering
– Bob should be sure that the message $m'$ he receives is equal to the message $m$ Alice sent
[Figure: Alice, Bob, Eve and the message $m$]

Specification of the Problem (old)
Alice and Bob communicate through a channel
Bob has an external register $R \in N$ (no message) $\cup\ \{0,1\}^n$
Eve completely controls the channel
Requirements:
Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in $R$
Soundness: If Alice wants to send $m$ and Eve does interfere
– $R$ is either $N$ or $m$ (but not $m' \neq m$)
– If Alice does not want to send a message $R$ is $N$
Since this is a generalization of the identification problem – must use shared secrets and probability or complexity
Probabilistic version: for any behavior from Eve, for any message $m \in \{0,1\}^n$, the probability that Bob is in state $m' \neq m$ or $N$ is at most $\varepsilon$

What about the public-key problem?
Recall: Bob and Charlie share the set-up phase information
Is it possible to satisfy the requirements:
– Completeness: If Alice wants to send $m \in \{0,1\}^n$ and Eve does not interfere – Bob has value $m$ in register $R$
– Soundness: If Alice wants to send $m$ and Eve and Charlie do interfere, $R$ is either $N$ or $m$ (but not $m' \neq m$)
– Existential forgery: If Alice does not want to send a message $R$ is $N$
Who chooses which $m$ Alice will want to approve?
– Adversary does. This is a chosen message attack
When is $m'$ chosen – might be after authentication on $m$ seen
As before: complexity to the rescue

A one-time public-key authentication problem
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way function
– The adversary's running time is bounded by a polynomial
To sign/authenticate a single bit message
Setup phase:
– Alice chooses a random pair $x_0, x_1 \in \{0,1\}^n$ and
– Computes $y_0 = f(x_0)$ and $y_1 = f(x_1)$
– Gives Bob and Charlie $(y_0, y_1)$
When Alice wants to approve $m \in \{0,1\}$ – she sends $(m, x_m)$
If Bob gets any symbols on the channel – call them $(b, z)$; he computes $f(z)$ and compares it to $y_m$
– If equal, moves to state $m$
– If not equal, moves permanently to state $N$
Why is it secure?
What about $n$-bit messages?
– Alice prepares a set of $n$ pairs and opens the appropriate ones
Since this is noninteractive, Bob can convince Charlie that Alice approved message $m$
– Non-repudiation from Alice

Signing $n$-bit messages
[Figure: the public key $f(x_1^0), f(x_1^1), f(x_2^0), f(x_2^1), \ldots, f(x_n^0), f(x_n^1)$ shown next to the bits of a message]
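The n-bit one-time scheme of the two slides above, as an added Python example that is not part of the lecture. It assumes SHA-256 as a stand-in for the one-way function f; the names keygen, sign, verify and covered are hypothetical. The covered check shows why the key is one-time: once two messages are signed, any message that agrees bitwise with one of them at every position is no longer protected.

```python
import hashlib
import hmac
import secrets

def f(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the one-way function f of the slides.
    return hashlib.sha256(x).digest()

def bits(m: int, n: int) -> list:
    # Most significant bit first, so position i selects the i-th key pair.
    return [(m >> (n - 1 - i)) & 1 for i in range(n)]

def keygen(n: int):
    # Alice: n random pairs (x_i^0, x_i^1); the public key is their images.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(n)]
    pk = [(f(x0), f(x1)) for x0, x1 in sk]
    return sk, pk

def sign(sk, m: int) -> list:
    # Open, for every position i, the preimage selected by bit m_i.
    return [pair[b] for pair, b in zip(sk, bits(m, len(sk)))]

def verify(pk, m: int, sig) -> bool:
    # Bob: recompute f on each opened value and compare with the public
    # image selected by the corresponding message bit.
    n = len(pk)
    if not 0 <= m < 2 ** n or len(sig) != n:
        return False
    return all(hmac.compare_digest(f(z), pair[b])
               for pair, b, z in zip(pk, bits(m, n), sig))

def covered(target: int, signed: list, n: int) -> bool:
    # True when every preimage needed for `target` was already opened in
    # some earlier signature, i.e. the key no longer protects `target`.
    opened = [{bits(m, n)[i] for m in signed} for i in range(n)]
    return all(b in opened[i] for i, b in enumerate(bits(target, n)))
```

A signer that calls covered before releasing a second signature sees immediately which other messages the reuse would expose.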

Security of the Scheme
Theorem: If there is an adversary $A$ that chooses a message $m \in \{0,1\}^n$ for Alice to legitimately authenticate and forges a message $m' \neq m$ with probability at least $\varepsilon$, then there is an adversary $B$ that can break the function $f$ with probability at least $\varepsilon/n$ and operates in time roughly the same as $A$.
Proof: Homework

Size of the public key
The size of the public key – to be able to sign an $n$-bit message need $2n^2$ bits of public key.
Preparing a public key takes
– $n$ evaluations of the one-way functions and
– $2n^2$ bits of public key.
Homework: Suggest a tradeoff with more evaluations but fewer bits in the public key.
– Hint: you may assume that you have functions that are one-way on their iterates

Regeneration
If we could get a smaller public key, we would be able to regenerate it and sign/authenticate an unbounded number of messages
– What if you had three wishes…?
Idea: use hashing to compress the message
What about universal hashing?
– Problem: both $m$ and $m'$ are chosen in advance in universal hashing
– Must use computational hardness somewhere

Possible definitions
A function $g: \{0,1\}^{2n} \to \{0,1\}^n$ where it is hard to find $m' \neq m$ but $g(m) = g(m')$
Problems:
– not good for non-uniform models
– hard to connect to other assumptions
Want a family of functions from which one is selected
Use the advantage we have: the target is known

Possible definitions
A family of functions $G = \{g \mid g: \{0,1\}^n \to \{0,1\}^{h(n)}\}$ such that
– Easy to sample $g$ from $G$, and $g \in G$ has a succinct description
– Given $(n, g, x)$ easy to compute $g(x)$
– $h(n) < n$
– Hard to find collisions:
Alternative 1 – any collision
– Given $n$ and $g \in G$ hard to find $x, x' \in \{0,1\}^n$ where $x \neq x'$ but $g(x) = g(x')$
– Sometimes called collision intractable
– hard to connect to other assumptions
Alternative 2 – target collision
– Given $(n, g, x)$ hard to find $x' \in \{0,1\}^n$ where $x \neq x'$ but $g(x) = g(x')$

Universal One-Way Hash functions (UOWHFs)
When/how is the target $x$ chosen? Independently of $g$, but want to work for any possible $x$
– First $x$ is selected by adversary, then $g \in G$ is selected at random
Technical point: let $\ell_1, \ell_2 : \{0,1\}^* \to \{0,1\}^*$ be functions mapping $n$ to input and output sizes. We assume
– $\ell_1(n) < \ell_2(n)$ and
– both are bounded by polynomials in $n$
Definition: A family of functions $G = \bigcup_{n=1}^{\infty} G_n$ where $G_n = \{g \mid g: \{0,1\}^{\ell_1(n)} \to \{0,1\}^{\ell_2(n)}\}$ is called $(\ell_1, \ell_2)$-universal one-way hash if:
Given $n$, easy to sample random $g$ from $G_n$, and $g \in G_n$ has description polynomial in $n$
Given $(n, g, x)$ easy to compute $g(x)$
Hard to find target collisions: no polynomial time adversary can, on input $n$,
– generate $x \in \{0,1\}^{\ell_1(n)}$
– given a random $g \in G_n$, find $x' \in \{0,1\}^n$ where $x \neq x'$ but $g(x) = g(x')$
and succeed with non-negligible probability for sufficiently large $n$

Homework
Show that the existence of UOWHFs implies the existence of one-way functions
Show that there are families of UOWHFs which are not collision intractable
Show that if the $(n, \beta n)$-subset sum assumption holds, then the corresponding subset function defines a family of UOWHFs

Composing UOWHFs: Concatenation
Let $G$ be an $(\ell_1, \ell_2)$-family of Universal One-way Hash functions
Consider the $(2\ell_1, 2\ell_2)$-family $G'$ where each $g' \in G'$ is defined by a function $g \in G$ and where $g'(x_1, x_2) = g(x_1), g(x_2)$
Claim: the family above is a $(2\ell_1, 2\ell_2)$-family of Universal One-way Hash functions
Proof: let the adversary choose $x_1, x_2$ as the target and let $x'_1, x'_2$ be the colliding value
If $x_1 \neq x'_1$, found a collision with $x_1$: $g(x_1) = g(x'_1)$
If $x_2 \neq x'_2$, found a collision with $x_2$: $g(x_2) = g(x'_2)$
Guess which case $b \in \{0,1\}$ will occur
– correct with probability ½ and
– output $x_b$ as the target collision
Running time – similar. Probability of success: at least ½ of that against $G'$

Composing UOWHFs: Composition
Let $G_1$ be an $(\ell_1, \ell_2)$-family of UOWHFs and $G_2$ be an $(\ell_2, \ell_3)$-family of UOWHFs
Consider the family $G$ which is an $(\ell_1, \ell_3)$-family and where each $g \in G$ is defined by $g_1 \in G_1$ and $g_2 \in G_2$: $g(x) = g_2(g_1(x))$
Claim: the family above is an $(\ell_1, \ell_3)$-family of UOWHFs
Proof: the collision must occur either at the first hash function or the second hash function…
[Figure labels: $\ell_1$, $\ell_2$, $\ell_3$]

The Tree Construction
[Figure: a tree over the message $m$ with levels labelled $g_1$, $g_2$, $g_3$]
Let $n = l \cdot k$ and let each $g_i$ be chosen independently from $G$, a $(2k, k)$-UOWHF family; then the result is a family of functions $\{0,1\}^n \to \{0,1\}^k$ which is $(n, k)$-UOWHF
Size: $t \log |G|$ where $t$ is the number of levels in the tree
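An added Python example of the tree construction, not taken from the lecture: one independently sampled function per level, so the description is t keys for t levels. It assumes keyed BLAKE2b truncated to k bytes as a stand-in for a member of the (2k, k) family and a number of blocks l that is a power of two; sample_keys and tree_hash are hypothetical names.

```python
import hashlib
import secrets

K = 16  # output length k, in bytes

def g(key: bytes, left: bytes, right: bytes) -> bytes:
    # Assumption: keyed BLAKE2b truncated to k bytes plays the role of one
    # function from the (2k, k) family; the key selects the function.
    return hashlib.blake2b(left + right, key=key, digest_size=K).digest()

def sample_keys(num_blocks: int) -> list:
    # One independent key per level: t = log2(l) levels for l blocks.
    if num_blocks < 1 or num_blocks & (num_blocks - 1):
        raise ValueError("number of blocks must be a power of two")
    levels = num_blocks.bit_length() - 1
    return [secrets.token_bytes(32) for _ in range(levels)]

def tree_hash(keys: list, msg: bytes) -> bytes:
    # Split the n = l*k byte message into l leaves of k bytes each.
    if len(msg) % K:
        raise ValueError("message length must be a multiple of k")
    nodes = [msg[i:i + K] for i in range(0, len(msg), K)]
    if len(nodes) != 1 << len(keys):
        raise ValueError("message length does not match the number of levels")
    # Level i hashes adjacent pairs with g_i, halving the number of nodes.
    for key in keys:
        nodes = [g(key, nodes[i], nodes[i + 1])
                 for i in range(0, len(nodes), 2)]
    return nodes[0]
```

The same key is used across a whole level, which is why the description grows with the number of levels and not with the number of internal nodes.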

Constructing $(n, n-1)$-UOWHFs
Idea: Combine one-way with universal
– Want to match each image of the one-way function with another random image
Let $f: \{0,1\}^n \to \{0,1\}^n$ be a one-way permutation
Let $H = \{h \mid h: \{0,1\}^n \to \{0,1\}^n\}$ be a Strongly Universal$_2$ family
Let $\mathrm{chop}_{n-1}: \{0,1\}^n \to \{0,1\}^{n-1}$ be a 2-to-1 function
Consider the $(n, n-1)$-family $G$ where each $g \in G$ is defined by $h \in H$: $g(x) = \mathrm{chop}_{n-1}(h(f(x)))$
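A toy instance of this construction with n = 8, added here as an illustration and not taken from the lecture. It assumes a small affine permutation in place of f (it is not one-way), the family h(u) = a·u + b over GF(2^8) for H, and dropping the lowest bit as chop; all function names are hypothetical. It shows that g is exactly 2-to-1 and that the only collision partner of a target x is reached through the inverse of f.

```python
from collections import Counter

def f(x: int) -> int:
    # Assumption: a toy permutation of {0,1}^8; it is NOT one-way.
    return (167 * x + 13) % 256

def f_inv(y: int) -> int:
    return (pow(167, -1, 256) * (y - 13)) % 256

def gf_mul(a: int, b: int) -> int:
    # Multiplication in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1.
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    # a^254 = a^(-1) for a != 0: the multiplicative group has order 255.
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def h(a: int, b: int, u: int) -> int:
    # h_{a,b}(u) = a*u + b over GF(2^8), a strongly universal_2 family.
    return gf_mul(a, u) ^ b

def g(a: int, b: int, x: int) -> int:
    # g(x) = chop(h(f(x))); chop drops the lowest bit, so it is 2-to-1.
    return h(a, b, f(x)) >> 1

def partner(a: int, b: int, x: int) -> int:
    # The unique x' != x with g(x') = g(x), valid for a != 0.
    # Computing it requires inverting f, which only the toy f permits.
    v = h(a, b, f(x)) ^ 1
    return f_inv(gf_mul(gf_inv(a), v ^ b))

def preimage_counts(a: int, b: int) -> Counter:
    return Counter(g(a, b, x) for x in range(256))
```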

Sources
Chapter on signatures in Goldreich's Foundations of Cryptography, volume 2 (unpublished)
Papers:
– Universal Hashing: Carter & Wegman, Wegman and Carter, JCSS 1979, 1981
– UOWHF: Naor & Yung