Posted: 22-Dec-2015

Lecturer: Moni Naor

Foundations of Cryptography

Lecture 3: One-way on its Iterates, Authentication

Recap of last week’s lecture
• One-way functions are essential to the two guard identification problem.
  – Important idea: simulation
• Examples of one-way functions
  – Subset sum, discrete log, factoring
• Weak one-way functions
  – Constructing strong one-way functions from weak one-way functions
  – Important ideas: hardness amplification; reduction

From Weak to Strong One-way Functions
• Given
  – a function f that is guaranteed to be a weak one-way function
  – Let p(n) be such that Prob[A[f(x)] ∈ f^{-1}(f(x))] ≤ 1 - 1/p(n)
• Can we construct a function g that is (strong) one-way?
  – An instance of a hardness amplification problem
• Simple idea: repetition. For some polynomial q(n) define
  g(x1, x2, …, x_{q(n)}) = f(x1), f(x2), …, f(x_{q(n)})
• To invert g need to succeed in inverting f in all q(n) places
  – If q(n) = p²(n) this seems unlikely: (1 - 1/p(n))^{p²(n)} ≈ e^{-p(n)}
  – But how do we show it? Sequential repetition intuition – not a proof.

Want: Inverting g with low probability implies inverting f with high probability
• Given a machine B that inverts g, want a machine B’ that
  – operates in similar time bounds
  – inverts f with high probability
• Idea: given y = f(x), plug it in some place in g and generate the rest of the locations at random
  z = (y, f(x2), …, f(x_{q(n)}))
• Ask machine B to invert g at point z
• Probability of success should be at least (exactly) B’s probability of inverting g at a random point
• Running B once is not enough
• How to amplify?
  – Repeat while keeping y fixed
  – Put y at a random position (or sort the inputs to g)

Proof of Amplification for Repetition of Two
Concentrate on two-repetition: g(x1, x2) = f(x1), f(x2)
• Goal: show that the probability of inverting g is roughly the square of the probability of inverting f, just as it would be sequentially

Claim: Let α(n) be a function that for some p(n) satisfies 1/p(n) ≤ α(n) ≤ 1 - 1/p(n). Let ε(n) be any inverse polynomial function. Suppose that for every polynomial time A and sufficiently large n
  Prob[A[f(x)] ∈ f^{-1}(f(x))] ≤ α(n)
Then: for every polynomial time B and sufficiently large n
  Prob[B[g(x1, x2)] ∈ g^{-1}(g(x1, x2))] ≤ α²(n) + ε(n)

Proof of Amplification for Two Repetition
Given a better than α² + ε algorithm B for inverting g, construct the following B’ for inverting f:
• B’(y): Inversion algorithm for f
  – Repeat t times (the inner loop – helpful for a constructive algorithm):
    • Choose x’ at random and compute y’ = f(x’)
    • Run B(y, y’)
    • Check the results
    • If correct: Halt with success
  – Output failure

Probability of Success
• Define S = {y = f(x) | Prob[Inner loop successful | y] > β}
  Since the choices of the x’’s are independent of each other
  Prob[B’ succeeds | y ∈ S] > 1 - (1 - β)^t
  Taking t = n/β means that when y ∈ S, then almost surely B’ will succeed in inverting it
• Hence want to show that Prob[y ∈ S] > α(n)
  – Probability is over the choice of x

The success of B
• Fix the random bits of B. Define P = {(y1, y2) | B succeeds on (y1, y2)}
  (Figure: the set P drawn in the (y1, y2) plane)
  P = P ⋂ {(y1, y2) | y1, y2 ∈ S}        (well behaved part: behaves as in independent choices; want to bound P by a square)
    ⋃ P ⋂ {(y1, y2) | y1 ∉ S}
    ⋃ P ⋂ {(y1, y2) | y2 ∉ S}
• S is the only success... But
  Prob[B[y1, y2] ∈ g^{-1}(y1, y2) | y1 ∉ S] ≤ β and similarly
  Prob[B[y1, y2] ∈ g^{-1}(y1, y2) | y2 ∉ S] ≤ β
  So Prob[(y1, y2) ∈ P and y1, y2 ∈ S]
    ≥ Prob[(y1, y2) ∈ P] - 2β
    ≥ α² + ε - 2β
  Setting β = ε/3 we have
  Prob[(y1, y2) ∈ P and y1, y2 ∈ S] ≥ α² + ε/3

Contradiction
But Prob[(y1, y2) ∈ P and y1, y2 ∈ S]
    ≤ Prob[y1 ∈ S] Prob[y2 ∈ S]
    = Prob²[y ∈ S]
So Prob[y ∈ S] ≥ √(α² + ε/3) > α

Is there an ultimate one-way function? (aka `universal’)
• Do not know: P ≠ NP implies the existence of one-way functions
• Can we show a specific function f so that if some one-way function exists, then f is one-way?
• If f1: {0,1}* → {0,1}* and f2: {0,1}* → {0,1}* are guaranteed to:
  – Be polynomial time computable
  – At least one of them is one-way
  then we can construct a function g: {0,1}* → {0,1}* which is one-way:
  g(x1, x2) = (f1(x1), f2(x2))
  (Robust Combiner – can generalize to a 1-out-of-m combiner)

The Construction
• If a 5n² time one-way function is guaranteed to exist, can construct an O(n² log n) one-way function g:
  – Idea: enumerate all Turing Machines and make sure they run at most 5n² steps
    g(x1, x2, …, x_{log n}) = M1(x1), M2(x2), …, M_{log n}(x_{log n})
  – Eventually: get to the TM of the one-way function
• If a one-way function is guaranteed to exist, then there exists a 5n² time one-way function:
  – Idea: concentrate on the prefix, ignore the rest
    (prefix length n’ where n = p(n’); p is the time the function takes to compute)

Ultimate one-way function: conclusions
Original proof due to L. Levin
• Be careful what you wish for
• Problem with the resulting one-way function:
  – Cannot learn about behavior on large inputs from small inputs
  – Whole rationale of considering asymptotic results is eroded!
• Construction does not work for non-uniform one-way functions
• Notion of robust combiner seems fundamental
  – See “Robust Combiners for Oblivious Transfer and Other Primitives” by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005

Distributionally One-Way Functions
• A function f: {0,1}* → {0,1}* is one-way if:
  – it is computable in poly-time
  – the probability of successfully finding an inverse in poly-time is negligible (on a random input)
• A function f: {0,1}* → {0,1}* is distributionally one-way if:
  – it is computable in poly-time
  – No poly-time algorithm can successfully find a random inverse (on a random input)
    • Distribution of the inverting algorithm’s output is far from uniform on the pre-images
Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exist
Example: function from the two guards problem

Identification – many times
• Alice would want to send an `approve’ message to Bob many times.
• They want to prevent Eve from interfering
  – Bob should be sure that Alice indeed approved each time. How to specify?
(Figure: Alice and Bob communicate over a channel controlled by Eve)

Specification of the Problem
Alice and Bob communicate through a channel
Bob has an external counter C (# of times Alice approved)
Eve completely controls the channel
Requirements:
• If Alice wants to approve and Eve does not interfere – Bob increases the counter C
• The number of times Alice approves is a bound on the value of counter C
• If Alice wants to approve and Eve does interfere – no requirements from the counter C until there is a quiescent period
  – A time that Alice wants to approve and Eve does not interfere
Not the only possible specification! Can mandate that an approval was sent since the last time the counter increased

Solution to the many time identification problem
Let k be an upper bound on the number of identifications
• If Alice and Bob share in the setup phase k passwords y1, y2, …, yk
• Each time Alice wants to `approve’ she sends the next unused password
  – In the i-th time: yi
• Bob compares with the next password on the list
Can they do it with sharing less than k passwords?

Compressing the list
(Giving y instead of x may turn out to be dangerous…)
• Assume that
  – f is a one-way function
  – k is an upper bound on the number of identifications
• Setup phase: Alice chooses x ∈ {0,1}^n, defines the sequence y1, y2, …, yk = x where yi = f^(k-i)(x), and gives Bob x
• When Alice wants to approve for the i-th time: send the special symbol $ followed by i and yi = f^(k-i)(x)
• Bob stores x; Set C ← 0
• If Bob gets a $ followed by symbols on the channel
  – denote them (j, z)
  – Compare j to C; reject if j ≤ C
  – Check whether z = f^(k-j)(x)
  – If equal, Set C ← j
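As an added example (not code from the lecture), here is the compressed-list scheme of this slide in Python. It assumes SHA-256 as a stand-in for f (the lecture only requires f to be one-way on its iterates, which the following slides discuss) and constructs a small scenario with k = 8: honest approvals, a message that Eve drops, replays of old values, and a guessed value for an unused step. Bob verifies from scratch by recomputing f^(k-j)(x) from the shared x, exactly as the slide specifies; the class and function names are my own.

```python
import hashlib
import os


def f(v: bytes) -> bytes:
    """Stand-in for the lecture's f: {0,1}^n -> {0,1}^n with n = 256.
    Assumption: SHA-256 plays the role of a function that is one-way on
    its iterates; the lecture does not fix a concrete f at this point."""
    return hashlib.sha256(v).digest()


def iterate(v: bytes, times: int) -> bytes:
    """f^(times)(v): apply f `times` times; f^(0) is the identity."""
    for _ in range(times):
        v = f(v)
    return v


class Alice:
    """Holds the secret x; the i-th approval reveals y_i = f^(k-i)(x)."""

    def __init__(self, x: bytes, k: int):
        self.x, self.k, self.i = x, k, 0

    def approve(self):
        self.i += 1
        if self.i > self.k:
            raise RuntimeError("all k one-time values have been used")
        return ("$", self.i, iterate(self.x, self.k - self.i))


class Bob:
    """Stores x and the counter C; verifies from scratch by recomputing f^(k-j)(x)."""

    def __init__(self, x: bytes, k: int):
        self.x, self.k, self.C = x, k, 0

    def receive(self, msg) -> bool:
        marker, j, z = msg
        if marker != "$" or not 1 <= j <= self.k:
            return False
        if j <= self.C:                       # replay or stale index: reject
            return False
        if z != iterate(self.x, self.k - j):  # wrong value for step j: reject
            return False
        self.C = j                            # accept: the counter jumps to j
        return True


def run_demo() -> dict:
    """Constructed scenario: honest approvals, a dropped message, replays, a guessed value."""
    k = 8
    x = os.urandom(32)                        # shared secret chosen in the setup phase
    alice, bob = Alice(x, k), Bob(x, k)
    out = {}
    m1 = alice.approve()
    out["accept_1"] = bob.receive(m1)         # True; C becomes 1
    m2 = alice.approve()                      # Eve drops this one: Bob never sees it
    m3 = alice.approve()
    out["accept_3_after_drop"] = bob.receive(m3)  # True: 3 > C = 1; C becomes 3
    out["replay_2"] = bob.receive(m2)         # False: 2 <= C
    out["replay_1"] = bob.receive(m1)         # False: 1 <= C
    # A guessed value for the unused step 4: Bob rejects it unless the guess
    # happens to equal y_4, i.e. unless Eve inverted f on y_3 (negligible here).
    out["guess_4"] = bob.receive(("$", 4, os.urandom(32)))
    out["counter"] = bob.C                    # 3: bounded by Alice's three approvals
    return out


if __name__ == "__main__":
    print(run_demo())
```

The counter jumping from 1 to 3 after the dropped message is what the specification allows: the number of approvals Alice made (three) still bounds C.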

Is it secure?
• Need care in choosing f
• Should be difficult to invert any one of the iterated instances of f

One-way on its iterates
A function f: {0,1}^n → {0,1}^n is called one-way on its iterates if
• f is a polynomial-time computable function
• for every probabilistic polynomial-time algorithm A, every polynomial p(·), and all sufficiently large n’s: for all k ≤ p(n)
  Prob[A[f^(k)(x)] ∈ f^{-1}(f^(k)(x))] ≤ 1/p(n)
  where x is chosen uniformly in {0,1}^n and the probability is also over the internal coin flips of A
• From homework: not all one-way functions are one-way on their iterates
• Every one-way permutation is one-way on its iterates
• The subset sum function is one-way on its iterates
  – If it is one-way then it is one-way on its iterates
  – If you start at a random point and iterate – still random
Example: the squaring function (Rabin) f(x, N) = (x² mod N, N)

Quadratic residues mod a prime:
• If s and r satisfy s = r² mod P then s is called a quadratic residue modulo P
• If P is a prime then:
  – s = r² mod P has exactly two solutions mod P if 0 < s < P. Can denote them ±r
  – quadratic residues: multiplicative subgroup with (P-1)/2 elements
  – If P = 1 mod 4 then -1 is a quadratic residue mod P
    • Both square-roots are either quadratic residues or non-residues
  – If P = 3 mod 4 then -1 is a quadratic non-residue mod P
    • One square-root is a quadratic residue, the other not
    • Squaring mod P is a permutation on the quadratic residues!
    • Computing square-roots: if r = s^((P+1)/4) mod P, then squaring gives
      r² = s^((P+1)/2) = s·s^((P-1)/2) = ±s mod P
• If N = P·Q then s is a quadratic residue modulo N if and only if it is a quadratic residue for both P and Q
• If N = P·Q where P, Q = 3 mod 4 – called Blum Integers
  – Each quadratic residue has 4 square-roots
  – Exactly one of which is a quadratic residue itself
  – Squaring mod N is a permutation on the quadratic residues!

Finding square-roots and factoring are equivalent
• If we know the factorization of N = P·Q, then we can compute square-roots
• If there is a procedure that computes square-roots correctly for a non-negligible fraction – can boost it
  – Random self-reducibility
• If we know (r, t) such that
  – s = r² = t² mod N
  – r = t mod P
  – r ≠ t mod Q
  then we can factor by computing GCD(t - r, N)
• Homework: show how to use a square-root computing routine to factor while preserving the probability of success.

A one-way on its iterates function
• To fully specify the function – need a starting procedure for generating
  – N = P·Q where P, Q = 3 mod 4
    • Easy to specify given
      – deterministic primality testing (even probabilistic is sufficient)
      – density of primes
  – A quadratic residue mod N
    • Easy by generating a random square
• Resulting function – one-way on its iterates
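An added example, my own code rather than the lecture’s, checking the facts of the last three slides numerically on a toy Blum integer N = 11·19 (constructed, and far too small for any real use). It shows that a quadratic residue mod N has four square roots of which exactly one is itself a residue, that squaring permutes the residues (so the Rabin function is a permutation on its domain, which is why it stays hard on its iterates), that knowing P and Q gives square roots via s^((P+1)/4) and Chinese remaindering, and that two roots r ≠ ±t of the same s yield a factor via GCD(t - r, N). Function names are assumptions of this example.

```python
from math import gcd

# Small Blum primes, constructed for illustration only; both are 3 mod 4.
P, Q = 11, 19
N = P * Q


def is_blum_integer(p: int, q: int) -> bool:
    return p % 4 == 3 and q % 4 == 3


def is_qr_mod_prime(s: int, p: int) -> bool:
    """Euler's criterion: s is a quadratic residue mod prime p iff s^((p-1)/2) = 1."""
    return s % p != 0 and pow(s, (p - 1) // 2, p) == 1


def is_qr_mod_n(s: int, p: int, q: int) -> bool:
    """s is a QR mod N = p*q iff it is a QR mod both p and q."""
    return is_qr_mod_prime(s, p) and is_qr_mod_prime(s, q)


def sqrt_mod_prime_3mod4(s: int, p: int) -> int:
    """For p = 3 mod 4 and s a QR, r = s^((p+1)/4) satisfies r^2 = s mod p."""
    r = pow(s, (p + 1) // 4, p)
    if (r * r) % p != s % p:
        raise ValueError("s is not a quadratic residue mod p")
    return r


def crt(rp: int, rq: int, p: int, q: int) -> int:
    """Chinese remaindering: the x mod p*q with x = rp mod p and x = rq mod q
    (pow(p, -1, q) needs Python 3.8+)."""
    return (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % (p * q)


def four_roots(s: int, p: int, q: int) -> list:
    """All square roots of a QR s mod N, combining +-root mod p with +-root mod q.
    This is the 'easy with the factorization' direction."""
    rp, rq = sqrt_mod_prime_3mod4(s, p), sqrt_mod_prime_3mod4(s, q)
    return sorted({crt(a, b, p, q) for a in (rp, p - rp) for b in (rq, q - rq)})


def qr_root(s: int, p: int, q: int) -> int:
    """The unique root of s mod N that is itself a QR: the inverse of squaring on the QRs."""
    roots = [r for r in four_roots(s, p, q) if is_qr_mod_n(r, p, q)]
    if len(roots) != 1:
        raise ValueError("expected exactly one QR root for a Blum integer")
    return roots[0]


def squaring_permutes_qrs(p: int, q: int) -> bool:
    """Exhaustive check that x -> x^2 mod N is a bijection on the QRs mod N."""
    n = p * q
    qrs = [s for s in range(1, n) if is_qr_mod_n(s, p, q)]
    return {(s * s) % n for s in qrs} == set(qrs)


def factor_from_two_roots(r: int, t: int, n: int):
    """If r^2 = t^2 mod n but r != +-t mod n, gcd(t - r, n) is a proper factor of n."""
    if (r * r - t * t) % n != 0:
        raise ValueError("r and t are not square roots of the same value")
    d = gcd(t - r, n)
    return d if 1 < d < n else None


def rabin_iterate(s: int, n: int, times: int) -> int:
    """The lecture's f(x, N) = (x^2 mod N, N), iterated `times` times on s."""
    for _ in range(times):
        s = (s * s) % n
    return s


if __name__ == "__main__":
    print("Blum:", is_blum_integer(P, Q), "squaring permutes QRs:", squaring_permutes_qrs(P, Q))
    print("roots of 4 mod", N, "=", four_roots(4, P, Q), "QR root:", qr_root(4, P, Q))
    r, t = four_roots(4, P, Q)[0], four_roots(4, P, Q)[2]
    print("factor from", r, t, "=", factor_from_two_roots(r, t, N))
```

The two roots that factor N are those with r = t mod one prime and r ≠ t mod the other; picking the pair r, -r (or t, -t) gives GCD(t - r, N) = 1 or N and reveals nothing, which is the case the slide’s conditions exclude.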

Back to compressing the list
(Giving y instead of x may turn out to be dangerous…)
The scheme is the one from “Compressing the list” above: Alice chooses x ∈ {0,1}^n and defines y1, y2, …, yk = x with yi = f^(k-i)(x); Bob stores x and a counter C ← 0; on receiving $ followed by (j, z) Bob rejects if j ≤ C, checks whether z = f^(k-j)(x), and if equal sets C ← j.

Security of scheme
If the scheme can be broken:
• There is a first time where Eve sent a false value z as yi
• By the specification of the protocol:
  – If Eve substitutes a value yi which was sent by Alice with her own z – she is caught
• Hence the first false z is also an attempt to forge: Alice approved only i-1 times but Eve convinced Bob to accept i times
• If the probability of breaking is at least 1/p(n)
  – There is a j ≤ k where Eve does this with probability at least 1/(k·p(n))
  – Important idea: existence of a large step
• Two possible evil actions:
  – Substitute a correct value
  – Invent a value, forge
• To forge yi: Eve must invert y_{i-1}

Security of scheme (continued)
For this j: can break the (k-j-1)-th iterate of f with probability at least 1/(k·p(n))
– Given y_{j-1} = f^(k-j-1)(x) compute
  y1 = f^(j-1)(y_{j-1}), y2 = f^(j-2)(y_{j-1}), …, y_{j-2} = f(y_{j-1}), y_{j-1}
  and simulate the adversary for j rounds
  • Can send the expected values from Alice
– The adversary sees exactly the same distribution as in real life
  • Forging at step j must be done by inverting y_{j-1}
  • Hence the probability that the adversary succeeds in forgery at step j is at least 1/(k·p(n))
– From such a success: can invert the (k-j-1)-th iterate of f on x

Problems with the scheme
• Need to know an upper bound k on the number of identifications
• Need to perform work proportional to k before the first identification (what if it flops)
• Total work (in all k sessions) by Alice: O(k²)
  – For Bob, if he stores the last value: O(k)
  – If Alice stores all k values yj: total work (in all k sessions) only O(k)
  – Homework: how can Alice store O(log k) values and perform amortized O(log k) work?
• More problems:
  – need to maintain state, both Alice and Bob (in addition to the counter)
  – What happens when there are two verifiers?

Possible Pitfalls: why give x and not y
If Bob does not check from scratch – alternative protocol: Bob knows y0 = f^(k)(x); to verify at step i Bob computes f^(i)(z) and compares it to y0 – then:
• Eve might substitute yj with a value z which she can invert in subsequent sessions
  – If it is possible to find “easy siblings” this could be dangerous
  – Homework: show that there is a function f that is
    • One-way on its iterates
    • Given x it is easy to find x’ such that f(x) = f(x’) and it is easy to invert f on x’

Question
• Is it possible to have a protocol based on a function that is one-way on its iterates without Bob maintaining a state?

Want a scheme with unlimited use
If we have a function that only Alice can compute but both Bob and Charlie can verify
• Alice can compute for session number i the value f(i)
• Problem: interleaving of verifiers – can replay
• Solution: challenge response
  – Verifier chooses a random nonce r and asks to see f(r)
To be continued!

The authentication problem – one-time version
• Alice would want to send a message m ∈ {0,1}^n to Bob
• They want to prevent Eve from interfering
  – Bob should be sure that the message m’ he receives is equal to the message m Alice sent
(Figure: Alice sends m to Bob over a channel controlled by Eve)

Specification of the Problem
Alice and Bob communicate through a channel
Bob has an external register R ∈ N (no message) ⋃ {0,1}^n
Eve completely controls the channel
Requirements:
• Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
• Soundness: If Alice wants to send m and Eve does interfere
  – R is either N or m (but not m’ ≠ m)
  – If Alice does not want to send a message R is N
Since this is a generalization of the identification problem – must use shared secrets and probability or complexity
Probabilistic version:
• for any behavior from Eve, for any message m ∈ {0,1}^n, the probability that Bob is in state m’ ≠ m or N is at most ε

Authentication using hash functions
• Suppose that
  – H = {h | h: {0,1}^n → {0,1}^k} is a family of functions
  – Alice and Bob share a random function h ∈ H
  – To authenticate message m ∈ {0,1}^n Alice sends (m, h(m))
  – When receiving (m’, z) Bob computes h(m’) and compares it to z
    • If equal, moves register R to m’
    • If not equal, register R stays in N
• What properties do we require from H?
  – hard to guess h(m’) – at most ε
    • But clearly not sufficient: one-time pad.
  – hard to guess h(m’) even after seeing h(m) – at most ε
    • Should be true for any m’
  – Short representation for h – must have small log|H|
  – Easy to compute h(m) given h and m

Universal hash functions
• Given that for h ∈ H we have h: {0,1}^n → {0,1}^k we know that ε ≥ 2^{-k}
• A family where this is an equality is called universal2
Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called Strongly Universal2 or pair-wise independent if:
  – for all m1, m2 ∈ {0,1}^n and y1, y2 ∈ {0,1}^k we have
    Prob[h(m1) = y1 and h(m2) = y2] = 2^{-2k}
  where the probability is over a randomly chosen h ∈ H
In particular Prob[h(m2) = y2 | h(m1) = y1] = 2^{-k}
Theorem: when a strongly universal2 family is used in the protocol, Eve’s probability of cheating is at most 2^{-k}

Constructing universal hash functions
The linear polynomial construction:
• fix a finite field F of size at least the message space 2^n
  – Could be either GF[2^n] or GF[P] for some prime P ≥ 2^n
• The family H of functions h: F → F is defined as
  H = {h_{a,b}(m) = a·m + b | a, b ∈ F}
Claim: the family above is strongly universal2
Proof: for every m1 ≠ m2 and y1, y2 ∈ F there are unique a, b ∈ F such that
  a·m1 + b = y1
  a·m2 + b = y2
Size: each h ∈ H represented by 2n bits

Constructing universal hash functions
The inner product construction:
• fix a finite field F of size at least the target space 2^k
  – Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
• Let n = ℓ·k
• Treat each message m ∈ {0,1}^n as an (ℓ+1)-vector over F where the first entry is 1. Denote it by (m0, m1, …, mℓ)
• The family H of functions h: F^ℓ → F is defined by all (ℓ+1)-vectors a = (a0, a1, …, aℓ):
  H = {h_a(m) = ∑_{i=0}^{ℓ} ai·mi | a0, a1, …, aℓ ∈ F}
Claim: the family above is strongly universal2
Proof: for every (m0, m1, …, mℓ), (m’0, m’1, …, m’ℓ) and y1, y2 ∈ F there are the same number of solutions to
  ∑_{i=0}^{ℓ} ai·mi = y1
  ∑_{i=0}^{ℓ} ai·m’i = y2
Size: each h ∈ H represented by n+k bits

Lower bound on size of strongly universal hash functions
Theorem: let H = {h | h: {0,1}^n → {0,1}} be a family of pair-wise independent functions. Then |H| is Ω(2^n)
More precisely, to obtain a d-wise independent family |H| should be Ω(2^{n⌊d/2⌋})
For the theorem see N. Alon and J. Spencer, The Probabilistic Method, Chapter 15 on derandomization, proposition 2.3

An almost perfect solution
By allowing ε to be slightly larger than 2^{-k} we can get much smaller families
Definition: a family of functions H = {h | h: {0,1}^n → {0,1}^k} is called δ-Universal2 if for all m1, m2 ∈ {0,1}^n where m1 ≠ m2 we have
  Prob[h(m1) = h(m2)] ≤ δ
Properties:
• Strongly-universal2 implies 2^{-k}-Universal2
• Opposite not true: the function h(x) = x…

An almost perfect solution
Idea: combine
• a family of δ-Universal2 functions H1 = {h | h: {0,1}^n → {0,1}^k} with
• a Strongly Universal2 family H2 = {h | h: {0,1}^k → {0,1}^k}
Consider the family H where each h ∈ H is {0,1}^n → {0,1}^k and is defined by h1 ∈ H1 and h2 ∈ H2:
  h(x) = h2(h1(x))
As before Alice sends m, h(m)
Claim: probability of cheating is at most δ + 2^{-k}
Proof: when Eve sends m’, y’ we must have m ≠ m’ but either
  – y’ = h(m), which means that Eve succeeds with probability at most δ + 2^{-k}
    • Collision in h1 or in h2
  or
  – y’ ≠ h(m), which means that Eve succeeds with probability at most 2^{-k}
    • Collision in h2
Size: each h ∈ H represented by log|H1| + log|H2| bits

Constructing almost universal hash functions
The polynomial evaluation construction {0,1}^n → {0,1}^k:
• fix a finite field F of size at least the target space 2^k
  – Could be either GF[2^k] or GF[P] for some prime P ≥ 2^k
• Let n = ℓ·k
• Treat each (non-zero) message m ∈ {0,1}^n as a degree (ℓ-1) polynomial over F. Denote it by Pm.
• The family H of functions h: F^ℓ → F is defined by all elements in F:
  H = {h_x(m) = Pm(x) | x ∈ F}
Claim: the family above is δ-Universal2 for δ = (ℓ-1)/2^k
Proof: the maximum number of points where two different degree (ℓ-1) polynomials agree is ℓ-1
Size: each h ∈ H represented by k bits
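An added example (my own code, not the lecture’s) covering three of the slides above: the linear construction, the polynomial-evaluation construction, and the combination h(m) = h2(h1(m)) used for one-time authentication. It works over a prime field GF[P] rather than GF[2^k]. The two exhaustive checks use a tiny field (P = 5) to verify the stated properties directly, and the authenticator uses the prime 2^61 - 1 as an assumed choice of field. Messages are lists of field elements (the blocks m0, …, m_{ℓ-1}), and Bob’s register is modelled by a return value, with None playing the role of N.

```python
from fractions import Fraction
from itertools import product
import secrets


def h_linear(a: int, b: int, m: int, p: int) -> int:
    """Linear family over GF(p): h_{a,b}(m) = a*m + b (strongly universal_2)."""
    return (a * m + b) % p


def h_poly(x: int, m: list, p: int) -> int:
    """Polynomial-evaluation family: h_x(m) = P_m(x), where the blocks
    m[0..l-1] are the coefficients of P_m (Horner's rule, degree l-1)."""
    acc = 0
    for c in reversed(m):
        acc = (acc * x + c) % p
    return acc


def linear_family_is_pairwise_independent(p: int) -> bool:
    """Exhaustive check of the slide's claim for a tiny field: for every m1 != m2
    and every target pair (y1, y2), exactly one key (a, b) out of p^2 maps
    m1 -> y1 and m2 -> y2, i.e. the probability is exactly 1/p^2."""
    keys = list(product(range(p), repeat=2))
    for m1, m2 in product(range(p), repeat=2):
        if m1 == m2:
            continue
        for y1, y2 in product(range(p), repeat=2):
            hits = sum(1 for a, b in keys
                       if h_linear(a, b, m1, p) == y1 and h_linear(a, b, m2, p) == y2)
            if hits != 1:
                return False
    return True


def poly_family_max_collision(p: int, ell: int) -> Fraction:
    """Worst-case Pr_x[P_m(x) = P_m'(x)] over all pairs of distinct ell-block
    messages; the slide bounds it by (ell-1)/|F| since two distinct polynomials
    of degree at most ell-1 agree on at most ell-1 points."""
    msgs = list(product(range(p), repeat=ell))
    worst = Fraction(0)
    for i, m in enumerate(msgs):
        for m2 in msgs[i + 1:]:
            hits = sum(1 for x in range(p) if h_poly(x, m, p) == h_poly(x, m2, p))
            worst = max(worst, Fraction(hits, p))
    return worst


# One-time authentication with h = h2(h1(m)): h1 is delta-universal (polynomial
# evaluation, key x) and h2 is strongly universal (linear, key (a, b)), both over
# the same prime field. FIELD is an assumption of this example: any prime >= 2^k works.
FIELD = 2**61 - 1


def keygen() -> dict:
    """Shared secret chosen in the setup phase: x for h1 and (a, b) for h2 (3k bits, k = 61)."""
    return {"x": secrets.randbelow(FIELD),
            "a": secrets.randbelow(FIELD),
            "b": secrets.randbelow(FIELD)}


def tag(key: dict, m: list) -> int:
    """Alice's authenticator h(m) = h2(h1(m)) for a message given as blocks in [0, FIELD)."""
    return h_linear(key["a"], key["b"], h_poly(key["x"], m, FIELD), FIELD)


def bob_receive(key: dict, m_prime: list, z: int):
    """Bob's register after receiving (m', z): m' if h(m') = z, else None (the slide's N)."""
    return list(m_prime) if tag(key, m_prime) == z else None


def demo() -> dict:
    """Constructed run: an honest message and Eve's attempt to swap a block while keeping the tag."""
    key = keygen()
    m = [1, 2, 3, 4]
    z = tag(key, m)
    return {"honest": bob_receive(key, m, z),
            "tampered": bob_receive(key, [1, 2, 3, 5], z)}


if __name__ == "__main__":
    print("linear family pairwise independent over GF(5):", linear_family_is_pairwise_independent(5))
    print("worst collision probability, 3 blocks over GF(5):", poly_family_max_collision(5, 3))
    print(demo())
```

With P = 5 and ℓ = 3 the worst case is exactly (ℓ-1)/|F| = 2/5, reached by two messages whose difference polynomial has ℓ-1 = 2 roots in the field. The key for the combined family is k + 2k bits, matching log|H1| + log|H2| on the composition slide, and the same key must never be reused for a second message since the slides’ analysis is for a single (m, h(m)) pair.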

Composing universal hash functions
Concatenation
Let H, where each h ∈ H is {0,1}^n → {0,1}^k, be a family of δ-Universal2 functions.
Consider the family H’ where each h’ ∈ H’ is {0,1}^{2n} → {0,1}^{2k} and where
  h’(x1, x2) = h(x1), h(x2)
for some h ∈ H
Claim: the family above is δ-Universal2
Proof: let (x1, x2) and (x’1, x’2) be a pair of distinct inputs.
• If x1 ≠ x’1 a collision must occur in the first part: h(x1) = h(x’1)
• Else, x2 ≠ x’2 and a collision must occur in the second part: h(x2) = h(x’2)
In either case the probability is at most δ

Composing universal hash functions
Composition
Let
• H1 = {h | h: {0,1}^{n1} → {0,1}^{n2}} and
• H2 = {h | h: {0,1}^{n2} → {0,1}^{n3}}
be families of δ-Universal2 functions.
Consider the family H where each h ∈ H is {0,1}^{n1} → {0,1}^{n3} and is defined by h1 ∈ H1 and h2 ∈ H2:
  h(x) = h2(h1(x))
Claim: the family above is 2δ-Universal2
Proof: the collision must occur either at the first hash function or at the second hash function. Each event happens with probability at most δ and we apply the union bound.
(Figure: h1 maps n1 bits to n2 bits, h2 maps n2 bits to n3 bits)

The Tree Construction
(Figure: a tree of hash functions h1, h2, h3 applied level by level to the message m)
Set n = ℓ·k. Each hi: {0,1}^{2k} → {0,1}^k is chosen independently from a δ-Universal family H. The result is a family of functions {0,1}^n → {0,1}^k which is tδ-Universal, where t is the number of levels in the tree.
Size: t log|H|
Can construct functions from huge domains

Homework
• Given ε, n what is the number of bits needed to specify an authentication scheme?
• Bonus: Can interaction help?
  – Can the number of shared secret bits be smaller than in a unidirectional scheme?
  – Can the number of shared bits depend on ε only?

What about the public-key problem?
• Recall: Bob and Charlie share the set-up phase information
• Is it possible to satisfy the requirements:
  – Completeness: If Alice wants to send m ∈ {0,1}^n and Eve does not interfere – Bob has value m in R
  – Soundness: If Alice wants to send m and Eve and Charlie do interfere
    • R is either N or m (but not m’ ≠ m)
    • If Alice does not want to send a message R is N
• Who chooses which m Alice will want to approve?
  – The adversary does. This is a chosen message attack
• As before: complexity to the rescue