Lecturer: Moni Naor Foundations of Cryptography Lecture 3: One-way on its iterates, Authentication.

Recap of last week’s lecture
One-way functions are essential to the two guard identification problem.
– Important idea: simulation
Examples of one-way functions
– Subset sum, discrete log, factoring
Weak one-way functions
– Constructing strong one-way functions from weak one-way functions
– Important ideas: hardness amplification; reduction
Universal/Ultimate one-way function
– Robust combiners

Identification – many times
Alice would want to send an `approve’ message to Bob many times.
They want to prevent Eve from interfering
– Bob should be sure that Alice indeed approved each time.
How to specify?
(Figure: Alice sends approvals to Bob through a channel controlled by Eve)

Specification of the Problem
Alice and Bob communicate through a channel
Bob has an external counter C (number of times Alice approved)
Eve completely controls the channel
Requirements:
– If Alice wants to approve and Eve does not interfere: Bob increases the counter C
– The number of times Alice approves is an upper bound on the value of counter C
– If Alice wants to approve and Eve does interfere: no requirements on the counter C until there is a quiescent period, i.e. a time at which Alice wants to approve and Eve does not interfere
Not the only possible specification! Can mandate that an approval was sent since the last time the counter increased

Solution to the many-time identification problem
Let k be an upper bound on the number of identifications
If Alice and Bob share k passwords in the setup phase:
– Each time Alice wants to identify she sends the next unused password
– Bob compares it with the next password on the list
Can they do it while sharing fewer than k passwords?

Solution to the identification problem
Assume that:
– f is a one-way function
– k is an upper bound on the number of identifications
Setup phase: Alice chooses x ∈ {0,1}^n, computes y = f^(k)(x) and gives Bob y
– Denote y_i = f^(k-i)(x)
When Alice wants to approve the i-th time she sends the special symbol $ followed by i and y_i = f^(k-i)(x)
Bob stores y
If Bob gets a $ followed by symbols on the channel, denote them (j,z):
– Compare j to C+1; reject if not equal
– Check whether z = f^(k-j)(x), i.e. whether f^(j)(z) = y
– If equal, move counter C to state j+1

Is it secure?
Need care in choosing f: it should be difficult to invert any one of the iterated instances of f

One-way on its iterates
A function f: {0,1}^n → {0,1}^n is called one-way on its iterates if:
– f is a polynomial-time computable function
– for every probabilistic polynomial-time algorithm A, every polynomial p(·), all sufficiently large n, and all k ≤ p(n):
Prob[A(f^(k)(x)) ∈ f^-1(f^(k)(x))] ≤ 1/p(n)
where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A
From homework: not all one-way functions are one-way on their iterates
Every one-way permutation is one-way on its iterates
The subset sum function is one-way on its iterates:
– If it is one-way then it is one-way on its iterates
– If you start at a random point and iterate, the result is still random

Example: the squaring function (Rabin)
f(x,N) = (x^2 mod N, N)
Quadratic residue mod a prime: if s and r satisfy s = r^2 mod P then s is called a quadratic residue modulo P
If P is a prime then:
– s = r^2 mod P has exactly two solutions mod P if 0 < s < P. Can denote them +/-r
– the quadratic residues form a multiplicative subgroup with (P-1)/2 elements
– If P = 1 mod 4 then -1 is a quadratic residue mod P. Both square-roots are either quadratic residues or non-residues
– If P = 3 mod 4 then -1 is a quadratic non-residue mod P. One square-root is a quadratic residue, the other is not
Squaring mod P is a permutation on the quadratic residues!
Computing square-roots: if r = s^((P+1)/4) mod P, then r^2 = s^((P+1)/2) = s·s^((P-1)/2) = +/- s mod P
If N = P·Q then s is a quadratic residue modulo N if and only if it is a quadratic residue for both P and Q
If N = P·Q where P,Q = 3 mod 4 (called Blum integers):
– Each quadratic residue has 4 square-roots
– Exactly one of which is a quadratic residue itself
– Squaring mod N is a permutation on the quadratic residues!

Finding square-roots and factoring are equivalent
If we know the factorization of N = P·Q, then we can compute square-roots
If there is a procedure that computes square-roots correctly for a non-negligible fraction of inputs, it can be boosted
– Random self-reducibility
If we know (r,t) such that:
– s = r^2 = t^2 mod N
– r = t mod P
– r ≠ t mod Q
then we can factor by computing GCD(t-r, N)
Homework: show how to use a square-root computing routine to factor while preserving the probability of success.

A one-way on its iterates function
To fully specify the function we need a starting procedure for generating:
– N = P·Q where P,Q = 3 mod 4
   – Easy to specify given deterministic primality testing (even probabilistic is sufficient) and the density of primes
– A quadratic residue mod N
   – Easy, by generating a random square
Resulting function: one-way on its iterates

Security of scheme
If the scheme can be broken: there is a first time where Eve sent a false value z as y_i
By the specification of the protocol:
– If Eve substitutes a true value y_i with her own z, she is caught
Hence the first false z is also an attempt to forge: Alice approved only i-1 times but Eve convinced Bob to accept i times
If the probability of breaking is at least 1/p(n), there is a j ≤ k where Eve does this with probability at least 1/(k·p(n))
Important idea: existence of a large step
Two possible evil actions:
– Substitute a correct value
– Invent a value, forge

…Security of scheme
For this j we can break the (k-j)-th iterate of f with probability at least 1/(k·p(n)):
– Given y_j = f^(k-j)(x), compute y = f^(j)(y_j) and simulate the adversary for j rounds
– The adversary sees exactly the same distribution as in real life
Forging at step j must be done by inverting y_j
Hence the probability that the adversary succeeds in forgery at step j is at least 1/(k·p(n))

Problems with the scheme
Need to know an upper bound k on the number of identifications
Need to perform work proportional to k before the first identification (what if it flops?)
Total work (in all k sessions) by Alice: O(k^2)
– For Bob, if he stores the last value: O(k)
– If Alice stores all k values y_j: total work (in all k sessions) only O(k)
– Homework: how can Alice store O(log k) values and perform amortized O(log k) work?
More problems:
– Need to maintain state, both Alice and Bob (in addition to the counter)
– What happens when there are two verifiers?

Possible Pitfalls
If Bob does not check from scratch (compute z = f^(k-j)(x)), then Eve might substitute y_j with a value z which she can invert in subsequent sessions.
– If it is possible to find “easy siblings” this could be dangerous
– Homework: show that there is a function f that is one-way on its iterates, yet given x it is easy to find x' such that f(x) = f(x') and it is easy to invert f on x'
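The iterated-function identification scheme above, instantiated with the Rabin squaring function modulo a Blum integer, as an added example that is not part of the lecture. It assumes constructed toy primes P and Q, a budget k = 8, Bob holding y = f^(k)(x) together with a counter of accepted approvals, and Bob doing the from-scratch check f^(j)(z) = y on every message.

```python
# Added example (not from the lecture): many-time identification from a
# function that is one-way on its iterates, here f(x) = x^2 mod N with N a
# Blum integer. Toy-sized constructed primes; not a cryptographic parameter.
import secrets
from math import gcd

P, Q = 10007, 10039        # constructed primes, both congruent to 3 mod 4
N = P * Q
K = 8                      # upper bound k on the number of identifications


def f(x):
    """One application of the squaring function modulo N."""
    return (x * x) % N


def iterate(x, times):
    """f^(times)(x): the times-fold iterate of f."""
    for _ in range(times):
        x = f(x)
    return x


class Alice:
    def __init__(self, seed=None):
        # x is a quadratic residue (the square of a unit), so every
        # y_i = f^(k-i)(x) stays inside the set on which squaring permutes.
        r = seed if seed is not None else secrets.randbelow(N)
        while r < 2 or gcd(r, N) != 1:
            r = secrets.randbelow(N)
        self.x = f(r)                  # secret seed, never leaves Alice
        self.y = iterate(self.x, K)    # y = f^(k)(x), handed to Bob at setup
        self.i = 0

    def approve(self):
        """The i-th approval: ($, i, y_i) with y_i = f^(k-i)(x)."""
        self.i += 1
        if self.i > K:
            raise RuntimeError("identification budget k exhausted")
        return ("$", self.i, iterate(self.x, K - self.i))


class Bob:
    def __init__(self, y):
        self.y = y          # f^(k)(x) from the setup phase
        self.counter = 0    # external counter C: approvals accepted so far

    def receive(self, msg):
        """Accept (j, z) only if j == C+1 and f^(j)(z) == y, recomputed from
        scratch on z rather than against a previously stored y_{j-1}."""
        tag, j, z = msg
        if tag != "$" or j != self.counter + 1:
            return False
        if iterate(z, j) != self.y:
            return False
        self.counter = j
        return True


def run_session(rounds, seed=None, forged_z=N - 1):
    """Honest approvals, then a replay of the last message, then a forgery.
    The default forged value is -1 mod N: all of its iterates are 1, which
    is never y, so Bob must reject it just like any other non-preimage."""
    alice = Alice(seed)
    bob = Bob(alice.y)
    msgs = [alice.approve() for _ in range(rounds)]
    honest = all(bob.receive(m) for m in msgs)
    replay = bob.receive(msgs[-1])                 # j == C, not C+1: rejected
    forged = bob.receive(("$", rounds + 1, forged_z))
    return honest, replay, forged, bob.counter
```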

Question
Is it possible to have a protocol based on a function that is one-way on its iterates without Bob maintaining a state?

Want a scheme with unlimited use
If we have a function that only Alice can compute but both Bob and Charlie can verify, Alice can compute for session number i the value f(i)
Problem: interleaving of verifiers – can replay
Solution: challenge-response
– The verifier chooses a random nonce r and asks to see f(r)
To be continued!

The authentication problem: one-time version
Alice would want to send a message m ∈ {0,1}^n to Bob
They want to prevent Eve from interfering
– Bob should be sure that the message m’ he receives is equal to the message m Alice sent
(Figure: Alice sends m to Bob through a channel controlled by Eve)

Specification of the Problem
Alice and Bob communicate through a channel
Bob has an external register R ∈ {N} ∪ {0,1}^n, where N stands for “no message”
Eve completely controls the channel
Requirements:
– Completeness: if Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in R
– Soundness: if Alice wants to send m and Eve does interfere, R is either N or m (but not m’ ≠ m)
– If Alice does not want to send a message, R is N
Since this is a generalization of the identification problem, we must use shared secrets and probability or complexity
Probabilistic version: for any behavior from Eve and for any message m ∈ {0,1}^n, the probability that Bob is in state m’ ≠ m or N is at most ε

Authentication using hash functions
Suppose that:
– H = {h | h: {0,1}^n → {0,1}^k} is a family of functions
– Alice and Bob share a random function h ∈ H
– To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
– When receiving (m’, z) Bob computes h(m’) and compares it to z
   – If equal, moves register R to m’
   – If not equal, register R stays in N
What properties do we require from H?
– Hard to guess h(m’): at most ε. But clearly not sufficient: one-time pad.
– Hard to guess h(m’) even after seeing h(m): at most ε. Should be true for any m’
– Short representation for h: must have small log|H|
– Easy to compute h(m) given h and m

Universal hash functions
Given that for h ∈ H we have h: {0,1}^n → {0,1}^k, we know that ε ≥ 2^-k
A family where this is an equality is called universal_2
Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called strongly universal_2 or pair-wise independent if:
– for all m_1 ≠ m_2 ∈ {0,1}^n and y_1, y_2 ∈ {0,1}^k we have Prob[h(m_1) = y_1 and h(m_2) = y_2] = 2^-2k
where the probability is over a randomly chosen h ∈ H
In particular Prob[h(m_2) = y_2 | h(m_1) = y_1] = 2^-k
Theorem: when a strongly universal_2 family is used in the protocol, Eve’s probability of cheating is at most 2^-k

Constructing universal hash functions
The linear polynomial construction: fix a finite field F of size at least the message space 2^n
– Could be either GF[2^n] or GF[P] for some prime P ≥ 2^n
The family H of functions h: F → F is defined as H = {h_{a,b}(m) = a·m + b | a, b ∈ F}
Claim: the family above is strongly universal_2
Proof: for every m_1 ≠ m_2 and y_1, y_2 ∈ F there are unique a, b ∈ F such that
a·m_1 + b = y_1
a·m_2 + b = y_2
Size: each h ∈ H is represented by 2n bits
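The linear-polynomial family used as the one-time authentication code of the preceding slides, as an added example that is not from the lecture. It assumes GF(P) for the Mersenne prime P = 2^61 - 1 (so messages and tags are single field elements, k = 61 bits), a shared key (a, b) drawn uniformly, and it confirms the strongly universal_2 claim by exhaustive counting over a toy prime.

```python
# Added example (not from the lecture): h_{a,b}(m) = a*m + b over GF(P) as a
# one-time MAC, plus an exhaustive check of pair-wise independence for tiny p.
import secrets

P = (1 << 61) - 1      # Mersenne prime; message space and tag space are GF(P)


def h(a, b, m, p=P):
    """h_{a,b}(m) = a*m + b in GF(p)."""
    return (a * m + b) % p


def keygen(p=P):
    """Alice and Bob share a uniformly random (a, b): 2k bits describing h."""
    return secrets.randbelow(p), secrets.randbelow(p)


def authenticate(key, m):
    """Alice sends (m, h(m))."""
    a, b = key
    return m, h(a, b, m)


def verify(key, m_prime, z):
    """Bob moves register R to m' only if z == h(m'); otherwise R stays N (None)."""
    a, b = key
    return m_prime if h(a, b, m_prime) == z else None


def is_strongly_universal(p):
    """Exhaustive check for a small prime p: for every m1 != m2 and every
    (y1, y2), exactly one of the p^2 keys sends m1 -> y1 and m2 -> y2,
    i.e. Prob[h(m1) = y1 and h(m2) = y2] = 1/p^2 = 2^(-2k) for k = log2 p."""
    for m1 in range(p):
        for m2 in range(p):
            if m1 == m2:
                continue
            for y1 in range(p):
                for y2 in range(p):
                    hits = sum(1 for a in range(p) for b in range(p)
                               if h(a, b, m1, p) == y1 and h(a, b, m2, p) == y2)
                    if hits != 1:
                        return False
    return True


def demo(key=None):
    """One honest delivery and one bit-flipped delivery of the same tagged message."""
    key = key if key is not None else keygen()
    m, tag = authenticate(key, 0x1234)
    accepted = verify(key, m, tag)          # Eve passive: R = m
    tampered = verify(key, m ^ 1, tag)      # Eve flips a bit of m: R stays N
    return accepted, tampered
```

With the fixed constructed key (5, 9) the tampered message is rejected deterministically; with a random key it is rejected unless a = 0, which happens with probability 1/P.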

Constructing universal hash functions
The inner product construction: fix a finite field F of size at least the target space 2^k
– Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
Let n = ℓ·k
Treat each message m ∈ {0,1}^n as an (ℓ+1)-vector over F where the first entry is 1. Denote it by (m_0, m_1, …, m_ℓ)
The family H of functions h: F^ℓ → F is defined by all (ℓ+1)-vectors a = (a_0, a_1, …, a_ℓ):
H = {h_a(m) = ∑_{i=0}^{ℓ} a_i·m_i | a_0, a_1, …, a_ℓ ∈ F}
Claim: the family above is strongly universal_2
Proof: for every pair of distinct vectors (m_0, m_1, …, m_ℓ), (m’_0, m’_1, …, m’_ℓ) and y_1, y_2 ∈ F there are the same number of solutions to
∑_{i=0}^{ℓ} a_i·m_i = y_1
∑_{i=0}^{ℓ} a_i·m’_i = y_2
Size: each h ∈ H is represented by n+k bits

Lower bound on size of strongly universal hash functions
Theorem: let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then |H| is Ω(2^n)
More precisely, to obtain a d-wise independent family |H| should be Ω(2^(n·⌊d/2⌋))
Theorem: see N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 on derandomization, Proposition 2.3

An almost perfect solution
By allowing ε to be slightly larger than 2^-k we can get much smaller families
Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called δ-universal_2 if for all m_1, m_2 ∈ {0,1}^n where m_1 ≠ m_2 we have Prob[h(m_1) = h(m_2)] ≤ δ
Properties:
– Strongly universal_2 implies 2^-k-universal_2
– The opposite is not true: the function h(x) = x …

An almost perfect solution
Idea: combine a family of δ-universal_2 functions H_1 = {h | {0,1}^n → {0,1}^k} with a strongly universal_2 family H_2 = {h | {0,1}^k → {0,1}^k}
Consider the family H where each h ∈ H is {0,1}^n → {0,1}^k and is defined by h_1 ∈ H_1 and h_2 ∈ H_2 as h(x) = h_2(h_1(x))
As before, Alice sends m, h(m)
Claim: the probability of cheating is at most δ + 2^-k
Proof: when Eve sends m’, y’ we must have m ≠ m’, but either
– y’ = h(m), which means that Eve succeeds with probability at most δ + 2^-k (collision in h_1 or in h_2)
– or y’ ≠ h(m), which means that Eve succeeds with probability at most 2^-k (collision in h_2)
Size: each h ∈ H is represented by log|H_1| + log|H_2| bits

Constructing almost universal hash functions
The polynomial evaluation construction {0,1}^n → {0,1}^k: fix a finite field F of size at least the target space 2^k
– Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
Let n = ℓ·k
Treat each (non-zero) message m ∈ {0,1}^n as a degree-(ℓ-1) polynomial over F. Denote it by P_m
The family H of functions h: F^ℓ → F is defined by all elements in F: H = {h_x(m) = P_m(x) | x ∈ F}
Claim: the family above is δ-universal_2 for δ = (ℓ-1)/2^k
Proof: the maximum number of points where two different degree-(ℓ-1) polynomials agree is ℓ-1
Size: each h ∈ H is represented by k bits
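The polynomial-evaluation family and its composition with the linear strongly universal_2 family (the almost perfect solution of the slides above), as an added example that is not from the lecture. It assumes GF(p) for a prime p supplied by the caller, a message split into ℓ field-element blocks, a shared key (x, a, b) of 3k bits, and confirms δ = (ℓ-1)/p by exhaustive counting over a toy prime.

```python
# Added example (not from the lecture): h_x(m) = P_m(x) over GF(p), which is
# delta-universal_2 with delta = (l-1)/p, composed with h_2(y) = a*y + b.
from fractions import Fraction
from itertools import product
import secrets


def poly_eval_hash(x, blocks, p):
    """P_m(x): the l message blocks are the coefficients (high degree first)
    of a degree-(l-1) polynomial over GF(p), evaluated at x by Horner's rule."""
    acc = 0
    for coef in blocks:
        acc = (acc * x + coef) % p
    return acc


def worst_collision_prob(p, l):
    """Exhaustive (tiny p only): the largest Prob_x[h_x(m) = h_x(m')] over all
    pairs of distinct l-block messages; the claim says it is at most (l-1)/p."""
    msgs = list(product(range(p), repeat=l))
    worst = 0
    for i, m in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            coll = sum(1 for x in range(p)
                       if poly_eval_hash(x, m, p) == poly_eval_hash(x, m2, p))
            worst = max(worst, coll)
    return Fraction(worst, p)


def keygen(p):
    """Shared secret: x for h_1 (k bits) plus (a, b) for h_2 (2k bits)."""
    return secrets.randbelow(p), secrets.randbelow(p), secrets.randbelow(p)


def composed_hash(key, blocks, p):
    """h(m) = h_2(h_1(m)): polynomial evaluation at x, then a*y + b in GF(p).
    Eve's cheating probability is at most delta + 1/p."""
    x, a, b = key
    return (a * poly_eval_hash(x, blocks, p) + b) % p


def verify(key, blocks, z, p):
    """Bob's register: the message if the tag matches, else None (state N)."""
    return tuple(blocks) if composed_hash(key, blocks, p) == z else None
```

For p = 5 and ℓ = 3 the worst pair of messages collides at exactly 2 of the 5 evaluation points, meeting the bound (ℓ-1)/p with equality.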

Composing universal hash functions: concatenation
Let H, where each h ∈ H is {0,1}^n → {0,1}^k, be a family of δ-universal_2 functions
Consider the family H’ where each h’ ∈ H’ is {0,1}^2n → {0,1}^2k and where h’(x_1, x_2) = h(x_1), h(x_2) for some h ∈ H
Claim: the family above is δ-universal_2
Proof: let (x_1, x_2) and (x’_1, x’_2) be a pair of distinct inputs.
– If x_1 ≠ x’_1 a collision must occur in the first part: h(x_1) = h(x’_1)
– Else, x_2 ≠ x’_2 and a collision must occur in the second part: h(x_2) = h(x’_2)
In either case the probability is at most δ

Composing universal hash functions: composition
Let H_1 = {h | h: {0,1}^(n_1) → {0,1}^(n_2)} and H_2 = {h | h: {0,1}^(n_2) → {0,1}^(n_3)} be families of δ-universal_2 functions
Consider the family H where each h ∈ H is {0,1}^(n_1) → {0,1}^(n_3) and is defined by h_1 ∈ H_1 and h_2 ∈ H_2 as h(x) = h_2(h_1(x))
Claim: the family above is 2δ-universal_2
Proof: the collision must occur either at the first hash function or at the second hash function. Each event happens with probability at most δ, and we apply the union bound

The Tree Construction
Set n = ℓ·k. Each h_i: {0,1}^2k → {0,1}^k is chosen independently from a δ-universal family H.
The result is a family of functions {0,1}^n → {0,1}^k which is tδ-universal, where t is the number of levels in the tree
Size: t·log|H|
Can construct functions from huge domains
(Figure: a binary tree with h_1, h_2, h_3 at successive levels, applied to the k-bit blocks of m)
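The tree construction as an added example that is not from the lecture. It assumes that the per-level family is the two-block polynomial evaluation h_x(m_0, m_1) = m_0·x + m_1 over GF(p) (which is δ-universal with δ = 1/p), one independent key per level, and an input of exactly 2^t blocks for t levels.

```python
# Added example (not from the lecture): hashing 2^t blocks down to one block
# with an independently keyed delta-universal function at each tree level.
from fractions import Fraction
import secrets

P = (1 << 31) - 1   # constructed toy field: k = 31-bit blocks


def h2(x, m0, m1, p=P):
    """delta-universal compression of two blocks into one: m0*x + m1 mod p.
    Distinct pairs collide for at most one x, so delta = 1/p."""
    return (m0 * x + m1) % p


def tree_keygen(levels, p=P):
    """One independent key per level, t*log|H| = t*k bits in total."""
    return [secrets.randbelow(p) for _ in range(levels)]


def tree_hash(keys, blocks, p=P):
    """Apply h_i (keyed by keys[i]) to adjacent pairs at level i until one
    block remains; requires len(blocks) == 2 ** len(keys)."""
    layer = list(blocks)
    if len(layer) != 1 << len(keys):
        raise ValueError("need exactly 2^t blocks for t levels")
    for x in keys:
        layer = [h2(x, layer[j], layer[j + 1], p)
                 for j in range(0, len(layer), 2)]
    return layer[0]


def collision_bound(levels, p=P):
    """The resulting family is t*delta-universal: union bound over t levels,
    each contributing at most delta = 1/p."""
    return Fraction(levels, p)
```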

Homework
Given ε, n, what is the number of bits needed to specify an authentication scheme?
Bonus: can interaction help?
– Can the number of shared secret bits be smaller than in a unidirectional scheme?
– Can the number of shared bits depend on ε only?

What about the public-key problem?
Recall: Bob and Charlie share the set-up phase information
Is it possible to satisfy the requirements:
– Completeness: if Alice wants to send m ∈ {0,1}^n and Eve does not interfere, Bob has value m in R
– Soundness: if Alice wants to send m and Eve and Charlie do interfere, R is either N or m (but not m’ ≠ m)
– If Alice does not want to send a message, R is N
Who chooses which m Alice will want to approve?
– The adversary does. This is a chosen message attack
As before: complexity to the rescue