Lecture 1 - NYU Computer Science
G22.3220-001 / G63.2180-001 Advanced Cryptography          September 9, 2009
Lecture 1
Lecturer: Yevgeniy Dodis          Scribe: Bianca De Souza

Identification problem

Suppose Alice wants to convince Bob that she is who she claims to be. Her twin sister Eve wants to fool Bob by successfully impersonating Alice. In this situation, the following questions arise:

• Dimension 1: Is Bob's storage secure from Eve?
• Dimension 2: Can Eve eavesdrop while the real Alice is authenticating to Bob?
• Dimension 3: Is Alice's storage secure from Eve?

Depending on the answers to these questions, a particular scheme (sometimes more than one) is applicable. We first address dimensions 1 and 2, and consider dimension 3 for each scheme along the way.

Secure communication and secure storage for Bob

When both Bob's storage and the communication channel are secure, Alice and Bob may simply share a common secret: to verify Alice, Bob asks her for the secret. This is the trivial case.

What about Dimension 3 (Alice's storage insecure)? Of course, if Eve learns x in full, she can impersonate Alice. So how can we hope for security in this case? We will assume that Eve knows at most ℓ bits of information about x, where ℓ < n = |x|. Formally, for an arbitrary function g : {0,1}^n → {0,1}^ℓ, we assume that Eve can obtain y = g(x). We can then observe the following simple lemma, establishing dimension 3 of the trivial scheme.

Lemma 1. If Alice and Bob share a random n-bit secret x and Eve can learn y = g(x), where |y| ≤ n − λ, then Eve cannot impersonate Alice with probability greater than 2^(-λ).

To see this, consider two random variables X and Y, possibly correlated. We define the following useful notions:

(a) Entropy:¹ we say H∞(X) ≥ n if for all (unbounded) A, Pr(A → X) ≤ 1/2^n.
(b) Conditional entropy: more generally, we say H∞(X | Y) ≥ t if for all (unbounded) A, Pr(A(Y) → X) ≤ 1/2^t.

We can then easily show the following.

Lemma 2.
If |Y| ≤ ℓ and H∞(X) ≥ n, then H∞(X | Y) ≥ n − ℓ.

To prove this, assume there is some A such that Pr(A(Y) → X) > 1/2^(n−ℓ). We construct A′ which simply guesses the value of Y, being right with probability at least 1/2^ℓ, and then runs A(Y). Clearly, Pr(A′ → X) > (1/2^ℓ) · (1/2^(n−ℓ)) = 1/2^n, a contradiction.

Lemma 1 now follows with X = x, Y = g(x) and ℓ = |Y| ≤ n − λ.

¹ This notion is usually called min-entropy, but we omit the "min-" since we will not study other notions of entropy.

Password authentication

In the scenario where the communication channel is secure but Bob's storage is not, the following protocol can be used. Alice has a secret x (her password), and Bob stores y = f(x) for a suitable function f.

• Alice sends x′ = x to Bob, and Bob computes f(x′).
• Bob compares f(x′) with the stored value y and accepts Alice's proof if and only if f(x′) = y.

Since Eve may have access to Bob's storage, what properties of f are needed for this scheme to work?

(a) f is efficient (easy to compute).
(b) Given y = f(x) for a random x, it is hard to compute any x′ such that f(x′) = y.

In other words, f is a one-way function (OWF)!

Definition 3. Let λ be a security parameter, and let n = n(λ) be the input length and k = k(λ) the output length. A function f : {0,1}^n → {0,1}^k is one-way if:

1. There exists a poly-time algorithm which computes f(x) correctly for all x.
2. For every PPT (probabilistic polynomial-time) attacker A, Adv_OWF(A) ≤ negl(λ), where

   Adv_OWF(A) = Pr( f(x′) = y | x ← {0,1}^n; y = f(x); x′ ← A(y, 1^λ) ).

Remark: More generally, one can have a key-generation algorithm Gen such that Gen(1^λ) outputs a public key PK, which implicitly defines the domain D = D(PK) and the range R = R(PK) of a given one-way function f_PK.

Example: Under the Discrete Log Assumption, exponentiation modulo a prime is a OWF. Gen(1^λ): p is a randomly generated λ-bit prime, and g is a generator of the group Z*_p. The public key PK = (p, g) determines D_PK = Z_(p−1) and R_PK = Z*_p, and f_(p,g)(x) = g^x mod p. Here n ≈ k ≈ λ.
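The password scheme instantiated with the exponentiation OWF can be sketched as follows. The concrete parameters are toy choices of mine, not from the lecture: P = 2^127 − 1 is a Mersenne prime, and G = 3 is simply assumed to generate a large subgroup (a real deployment would use a standardized, much larger group with a verified generator).

```python
import secrets

# Password authentication with the exponentiation OWF f_{p,g}(x) = g^x mod p.
# Toy parameters (assumptions for this sketch): P is a Mersenne prime,
# G = 3 is assumed to generate a large subgroup of Z*_P.
P = 2 ** 127 - 1
G = 3

def f(x):
    # The one-way function: exponentiation modulo a prime.
    return pow(G, x, P)

# Setup: Alice picks a random secret x; Bob stores only y = f(x),
# so Eve reading Bob's storage learns y but (under DL) not x.
x = secrets.randbelow(P - 1)
y_stored = f(x)

def bob_verifies(x_prime):
    # Bob recomputes f on the claimed password and compares with y.
    return f(x_prime) == y_stored

assert bob_verifies(x)  # the real Alice is accepted
```

Note that Bob never stores x itself; compromising his storage yields only y, and recovering any valid password from y is exactly the problem of inverting f.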
What about dimension 3 here? As before, let us assume that Eve can learn at most ℓ = ℓ(n) bits about Alice's n-bit secret x (ℓ < n). To handle this leakage, we need the definition below.

Definition 4. Let λ be a security parameter, and let n = n(λ) and k = k(λ) be the input and output lengths, respectively. A function f : {0,1}^n → {0,1}^k is an ℓ-leakage-resilient one-way function (ℓ-LR-OWF) if:

1. There exists a poly-time algorithm which computes f(x) correctly for all x.
2. For every PPT A = (A1, A2), in the experiment

   PK ← Gen(1^λ), x ← D_PK
   A1(PK) → (g, state)
   y = f_PK(x), z ← g(x)
   A2(y, z, state) → x′

   we have Pr(f_PK(x′) = y) ≤ negl(λ).

With this in mind, we can try the following.

Attempt 1: Hope that every OWF is LR. The good news is that this is true for ℓ(λ) = O(log λ) (since then 1/2^ℓ ≥ 1/poly(λ), so the leakage can simply be guessed). The bad news is that it is unlikely we can say more. As a counterexample, consider f(x1, x2) = f′(x1), where |x1| = λ and |x2| = λ^100: leaking just the λ bits of x1, a tiny fraction of the input, completely inverts f.

Attempt 2: Try natural OWFs. As examples, for a prime p, consider f′(x) = g^x mod p and f(x1, x2) = g1^x1 · g2^x2 mod p, where g, g1 and g2 are independent random generators of a large prime-order subgroup G of Z*_p. It turns out we do not know how to prove leakage-resilience of f′, but we will see that f is LR under the Discrete Log Assumption. Let us see why...

Definition 5. Let λ be a security parameter, and let n = n(λ) be the input length and k = k(λ) the output length. A function f : {0,1}^n → {0,1}^k is second-preimage resistant (SPR) if:

1. n > k.
2. For every PPT attacker B, Adv_SPR(B) ≤ negl(λ), where

   Adv_SPR(B) = Pr( x ≠ x′ ∧ f(x′) = f(x) | x ← {0,1}^n; x′ ← B(x) ).

Lemma 6. If f is SPR, then f is an (n − k − ω(log λ))-LR-OWF. Further, if f is regular (i.e., every y ∈ {0,1}^k has precisely 2^(n−k) preimages x), then f is an (n − k − 1)-LR-OWF.

Proof. Assume f is not an ℓ-LR-OWF, so there exists A with Adv_LR-OWF(A) ≥ ε for some non-negligible ε. We construct an algorithm B such that Adv_SPR(B) ≥ ε − 2^(ℓ+k)/2^n, which is non-negligible because ℓ ≤ n − k − ω(log λ).
B(PK, x):
• run A1(PK) → (g, state)
• compute y = f_PK(x) and z ← g(x)
• run A2(y, z, state) → x′
• output x′

We have Pr(A succeeds) ≥ ε, where success means f(x′) = f(x). But what are the chances that x ≠ x′? Recall that Pr(X ∧ Y) ≥ Pr(X) − Pr(not Y). Thus,

   Pr(B succeeds) ≥ Pr(A succeeds ∧ x ≠ x′)
                 ≥ Pr(A succeeds) − Pr(x = x′)
                 ≥ ε − Pr(x = x′)

All that remains is to show that Pr(x = x′) ≤ 2^(ℓ+k)/2^n = negl(λ). But |(y, z)| = k + ℓ, so Lemma 2 implies that H∞(X | (Y, Z)) ≥ n − (k + ℓ). Therefore, for all A, Pr(x = x′) ≤ 1/2^(n−(ℓ+k)) = negl(λ).

When f is regular, we can give a better analysis. Namely,

   Pr(B succeeds) ≥ Pr(A succeeds ∧ x ≠ x′)
                 = Pr(A succeeds) · Pr(x ≠ x′ | A succeeds)
                 ≥ ε · (1 − 2^(ℓ+k)/2^n) ≥ ε/2

Here we used the fact that every y has exactly 2^(n−k) preimages, so even though A's success biases the distribution of y, this does not affect the chances that x ≠ x′; the latter probability is indeed at least 1 − 2^(ℓ+k)/2^n ≥ 1/2 when ℓ ≤ n − k − 1.

Let us construct the promised SPR function.

Theorem 7 (see Rompel '89). If OWFs exist, then for every polynomial poly(λ) there exists an SPR function with k = λ and n = poly(λ).

Corollary 8. If OWFs exist, then there exist ℓ-LR-OWFs on n bits with ℓ(n) ≈ n − λ.

Observation 9. If f is collision-resistant, then f is SPR.

Definition 10. A function f is collision-resistant (CR) if for every PPT A, Adv_CR(A) ≤ negl(λ), where

   Adv_CR(A) = Pr( x ≠ x′ ∧ f(x′) = f(x) | (x, x′) ← A(f) ).

Note that for CR the attacker A can choose any pair (x, x′), while for SPR the point x is random and merely given to the attacker.

Example: For our previous example, we show that f(x1, x2) = g1^x1 · g2^x2 mod p is collision-resistant. Suppose f is not CR; then one can find (x1, x2) ≠ (x1′, x2′) such that

   g1^x1 · g2^x2 = g1^x1′ · g2^x2′.

Note that x2 ≠ x2′ (otherwise g1^x1 = g1^x1′ would force x1 = x1′), so

   g2 = g1^( (x1 − x1′)(x2′ − x2)^(−1) mod q ),

where q is the large prime order of the subgroup G of Z*_p. But this contradicts the hardness of computing the discrete log of g2 base g1, since g2 is random. Note that this function maps n = 2k input bits to k output bits.
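The collision-to-discrete-log argument above can be checked concretely. The tiny parameters below (p = 23, q = 11, g1 = 2, secret exponent d = 7) are hypothetical toy values chosen for the sketch only; the point is that any collision in f immediately yields the discrete log of g2 base g1, exactly by the formula in the proof.

```python
# Toy instantiation of f(x1, x2) = g1^x1 * g2^x2 mod p in a subgroup of
# prime order q. Parameters are tiny, illustrative assumptions: p = 23,
# q = 11, and g1 = 2 has order 11 modulo 23.
p, q = 23, 11
g1 = 2
d = 7                      # secret discrete log of g2 base g1
g2 = pow(g1, d, p)         # an attacker sees g2 but not d

def f(x1, x2):
    return (pow(g1, x1, p) * pow(g2, x2, p)) % p

# Manufacture a collision: shifting (x1, x2) along x1 + d*x2 = const (mod q)
# leaves f unchanged. A real collision-finder would output such a pair.
x1, x2 = 3, 5
x1p, x2p = (x1 + d) % q, (x2 - 1) % q
assert (x1, x2) != (x1p, x2p)
assert f(x1, x2) == f(x1p, x2p)

# Recover the discrete log as in the proof: d = (x1 - x1')(x2' - x2)^(-1) mod q.
d_rec = ((x1 - x1p) * pow((x2p - x2) % q, -1, q)) % q
assert d_rec == d
```

The inverse (x2′ − x2)^(−1) mod q always exists because q is prime and x2 ≠ x2′, which is exactly the step the proof relies on.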
Using the previous lemma and the regularity of f, we can tolerate leakage of ℓ = n − k − 1 ≈ 2k − k = k = n/2 bits. Using more generators g1, ..., gt, we get f : {0,1}^(tk) → {0,1}^k and can tolerate leakage of ℓ = n − k − 1 ≈ tk − k = (1 − 1/t)·n bits. With this, we have covered the first row of the table above.

Symmetric-Key Identification Schemes

Suppose Alice and Bob share a symmetric key s ∈ {0,1}^λ which is not known to Eve. However, Eve can now observe the communication between Alice and Bob. More specifically, Eve's attack has two stages:

(a) Learning stage, where Eve can see how the real Alice proves her identity. There are two options here. A passive attack means that Eve does not interfere; she only gets transcripts of honest interactions between Alice and Bob. An active attack means that Eve interacts with Bob or Alice (or both), for instance as in a 'chosen message attack' or a 'man-in-the-middle' attack.

(b) Impersonation stage, where Alice disappears and Eve tries to impersonate Alice to Bob. We require that Pr(Eve impersonates Alice) ≤ negl(λ); that is, after Alice leaves the communication channel, Eve is unable to pretend to be Alice.

Below are two natural schemes, using symmetric-key encryption and symmetric-key authentication.

Scheme using symmetric-key encryption (E_s, D_s):
• Given a random m ← {0,1}^λ, Bob computes c = E_s(m) and sends c to Alice.
• Alice computes m̃ = D_s(c) and sends it to Bob.
• If m = m̃, Bob accepts Alice's ID.

Scheme using symmetric-key authentication (MAC_s):
• Given a random m ← {0,1}^λ, Bob sends m to Alice.
• Alice computes σ = MAC_s(m) and sends it to Bob.
• Bob uses s to verify that σ is a valid tag on m, and accepts Alice's ID if so.

Next time we will prove the following theorems:

Theorem 11. The SK-ENC scheme above is:
(i) passively secure if (E, D) is one-way under chosen-plaintext attack (OW-CPA);
(ii) actively secure if (E, D) is one-way under pre-challenge chosen-ciphertext attack (OW-CCA1).
Theorem 12. The SK-MAC scheme above is actively secure if MAC is universally unforgeable under chosen-message attack (UUF-CMA).
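Both challenge-response schemes can be sketched in a few lines. The concrete primitives are assumptions of mine, not fixed by the lecture: (E_s, D_s) is instantiated with the standard PRF-based scheme E_s(m) = (r, F_s(r) XOR m), and both the PRF F_s and MAC_s are played by HMAC-SHA256.

```python
import hashlib
import hmac
import secrets

# Shared symmetric key s, unknown to Eve.
s = secrets.token_bytes(32)

# --- SK-ENC scheme, with E_s(m) = (r, F_s(r) XOR m), F_s = HMAC-SHA256 ---

def E(key, m):
    # Encrypt: fresh randomness r, one-time pad derived from the PRF.
    r = secrets.token_bytes(16)
    pad = hmac.new(key, r, hashlib.sha256).digest()[:len(m)]
    return r, bytes(a ^ b for a, b in zip(pad, m))

def D(key, ciphertext):
    # Decrypt: recompute the pad from r and XOR it off.
    r, c = ciphertext
    pad = hmac.new(key, r, hashlib.sha256).digest()[:len(c)]
    return bytes(a ^ b for a, b in zip(pad, c))

m = secrets.token_bytes(16)   # Bob's random challenge
c = E(s, m)                   # Bob -> Alice
m_tilde = D(s, c)             # Alice -> Bob
assert m_tilde == m           # Bob accepts Alice's ID

# --- SK-MAC scheme, with MAC_s = HMAC-SHA256 ---

def alice_respond(challenge):
    # Alice tags Bob's challenge with the shared key.
    return hmac.new(s, challenge, hashlib.sha256).digest()

def bob_session():
    # Bob draws a fresh random challenge and returns it with a verifier.
    challenge = secrets.token_bytes(16)
    def verify(sigma):
        expected = hmac.new(s, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(sigma, expected)
    return challenge, verify

m2, verify = bob_session()
assert verify(alice_respond(m2))   # honest Alice is accepted
assert not verify(b"\x00" * 32)    # a blind forgery is rejected
```

In both sketches the challenge is fresh per session, which is what the impersonation-stage guarantee rests on: a transcript Eve recorded earlier answers an old challenge, not the new one.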