CSE442T Introduction to Cryptography (Lecture 18)
Chapter 5: Authentication
5.1 Introduction
Signatures
- private key: Alice and Bob share a secret key k. This gives Message Authentication Codes (MACs).
- public key: Anyone can verify the signature. This gives Digital Signatures.
Definition 134.1
A message authentication code (MAC) is a triple (Gen, Tag, Ver) where
- k\gets Gen(1^k) is a p.p.t. algorithm that takes as input a security parameter k and outputs a key k.
- \sigma\gets Tag_k(m) is a p.p.t. algorithm that takes as input a key k and a message m and outputs a tag \sigma.
- Ver_k(m, \sigma) is a deterministic algorithm that takes as input a key k, a message m, and a tag \sigma and outputs "Accept" if \sigma is a valid tag for m under k and "Reject" otherwise.
Correctness: for all n\in\mathbb{N}, all m\in\mathcal{M}_n,
P[k\gets Gen(1^k):Ver_k(m, Tag_k(m))=\textup{``Accept''}]=1
Definition 134.2 (Security of MACs)
Security: Prevent an adversary from producing any accepted (m, \sigma) pair that they haven't seen before.
- Assume they have seen some history of signed messages (m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q).
- The adversary \mathcal{A} has oracle access to Tag_k. The goal is to produce a new (m, \sigma) pair that is accepted but is none of (m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q).
For all n.u.p.p.t. adversaries \mathcal{A} with oracle access to Tag_k(\cdot),
\Pr[k\gets Gen(1^k);(m, \sigma)\gets\mathcal{A}^{Tag_k(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
MAC scheme
F=\{f_s\} is a PRF family, f_s:\{0,1\}^{|s|}\to\{0,1\}^{|s|}.
Gen(1^k): s\gets \{0,1\}^n
Tag_s(m) outputs f_s(m).
Ver_s(m, \sigma) outputs "Accept" if f_s(m)=\sigma and "Reject" otherwise.
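The PRF-based MAC above, written out as an added example (not from the lecture notes). The PRF family f_s is instantiated with HMAC-SHA256, which is an assumption the notes do not make; the notes only require some PRF family. The security parameter is taken as 32 bytes, and the forgery experiment at the end plays the game of Definition 134.2 against a naive adversary that guesses a random tag for a fresh message, whose per-attempt success probability is 2^{-n}.

```python
import hashlib
import hmac
import secrets

# Assumption: n = 32 bytes (256 bits) plays the role of the security parameter.
N_BYTES = 32


def gen(n_bytes: int = N_BYTES) -> bytes:
    """Gen(1^n): sample a uniform key s <- {0,1}^n."""
    return secrets.token_bytes(n_bytes)


def prf(s: bytes, m: bytes) -> bytes:
    """f_s(m): the PRF, here HMAC-SHA256 keyed with s (assumption, not from the notes)."""
    return hmac.new(s, m, hashlib.sha256).digest()


def tag(s: bytes, m: bytes) -> bytes:
    """Tag_s(m) = f_s(m)."""
    return prf(s, m)


def ver(s: bytes, m: bytes, sigma: bytes) -> bool:
    """Ver_s(m, sigma): Accept iff f_s(m) == sigma.
    compare_digest runs in constant time, so the comparison itself does not
    leak how long a prefix of the guessed tag was correct."""
    return hmac.compare_digest(prf(s, m), sigma)


def demo() -> dict:
    """Correctness plus the three ways a (m, sigma) pair can fail to verify."""
    s = gen()
    m = b"transfer 10 to bob"  # constructed sample message
    sigma = tag(s, m)
    return {
        "honest": ver(s, m, sigma),
        "modified_message": ver(s, b"transfer 99 to bob", sigma),
        "modified_tag": ver(s, m, bytes([sigma[0] ^ 1]) + sigma[1:]),
        "other_key": ver(gen(), m, sigma),
    }


def forgery_experiment(trials: int = 1000, n_bytes: int = N_BYTES) -> int:
    """The game of Definition 134.2 with a naive adversary: it may query the
    Tag oracle on some messages, then outputs a fresh (unqueried) message with
    a uniformly random guess for its tag. Returns how many forgeries were
    accepted; for a PRF each attempt succeeds with probability 2^-n."""
    s = gen(n_bytes)
    accepted = 0
    for t in range(trials):
        queried = {m: tag(s, m) for m in (b"q1", b"q2")}  # oracle queries
        fresh = b"forged-%d" % t                            # never queried
        guess = secrets.token_bytes(n_bytes)
        if fresh not in queried and ver(s, fresh, guess):
            accepted += 1
    return accepted


if __name__ == "__main__":
    print(demo())
    print("accepted forgeries:", forgery_experiment())
```

The guessing adversary is the only one the notes' proof leaves room for: any adversary that does noticeably better than 2^{-n} would, via the distinguisher sketched below, break the PRF.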
Proof of security (outline):
Suppose we used F\gets RF_n (a truly random function) in place of f_s.
Whenever \mathcal{A} asks for F(m) with m\in \{m_1, \ldots, m_q\}, the answer is a fresh uniform value F(m)\gets U_n. The forgery must be on some m\notin\{m_1, \ldots, m_q\}, so F(m) is uniform and independent of everything \mathcal{A} has seen.
\begin{aligned}
&P[F\gets RF_n; (m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]\\
&=P[F\gets RF_n; \sigma=F(m)\textup{ for an unqueried } m]\\
&=\frac{1}{2^n}<\epsilon(n)
\end{aligned}
Suppose an adversary \mathcal{A} has a \frac{1}{p(n)} chance of success with our PRF-based scheme...
This could be used to distinguish the PRF f_s from a random function.
The distinguisher D runs as follows:
- Run \mathcal{A}(1^n).
- Whenever \mathcal{A} asks for Tag_k(m), ask our oracle for f(m) and return the answer. Eventually (m, \sigma)\gets\mathcal{A}^{f(\cdot)}(1^n).
- Query the oracle for f(m).
- If \sigma=f(m) and \mathcal{A} did not query m, output 1.
- Otherwise, output 0.
D will output 1 for the PRF with probability \frac{1}{p(n)} and for the RF with probability \frac{1}{2^n}, a non-negligible gap, contradicting the security of the PRF.
Definition 135.1 (Digital Signature (D.S.) over \{\mathcal{M}_n\}_n)
A digital signature scheme is a triple (Gen, Sign, Ver) where
- (pk,sk)\gets Gen(1^k) is a p.p.t. algorithm that takes as input a security parameter k and outputs a public key pk and a secret key sk.
- \sigma\gets Sign_{sk}(m) is a p.p.t. algorithm that takes as input a secret key sk and a message m and outputs a signature \sigma.
- Ver_{pk}(m, \sigma) is a deterministic algorithm that takes as input a public key pk, a message m, and a signature \sigma and outputs "Accept" if \sigma is a valid signature for m under pk and "Reject" otherwise.
Correctness: for all n\in\mathbb{N}, all m\in\mathcal{M}_n,
P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1
Security of Digital Signatures
For all n.u.p.p.t. adversaries \mathcal{A} with oracle access to Sign_{sk}(\cdot),
P[(pk,sk)\gets Gen(1^k); (m, \sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_{pk}(m, \sigma)=\textup{``Accept''}]<\epsilon(n)
5.4 One-time security: \mathcal{A} can only use the oracle once.
\mathcal{A} queries a single message m and must output (m', \sigma') with m'\neq m.
Security parameter n. The construction proceeds in three steps:
- One-time security on \{0,1\}^n
- One-time security on \{0,1\}^*
- Regular security on \{0,1\}^*
Note: the adversary automatically has access to Ver_{pk}(\cdot), since it only needs pk.
One-time security scheme (Lamport scheme on \{0,1\}^n)
Gen(1^k): pick 2n random n-bit strings.
sk: List 0: \bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0
    List 1: \bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1
All \bar{x_i}^j\in\{0,1\}^n.
pk: for a strong one-way function f,
    List 0: f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)
    List 1: f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)
Sign_{sk}(m): (m_1, m_2, \ldots, m_n)\mapsto(\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n})
Ver_{pk}(m, \sigma): output "Accept" if f(\sigma_i) equals the entry of list m_i in pk at position i for every i (i.e. applying f to \sigma reproduces the pk entries selected by the bits of m), and "Reject" otherwise.
Example: when we sign the message 01100, Sign_{sk}(01100)=(\bar{x_1}^0, \bar{x_2}^1, \bar{x_3}^1, \bar{x_4}^0, \bar{x_5}^0). We reveal only x_1^0, x_2^1, x_3^1, x_4^0, x_5^0. A second signature on a different message would have to reveal the preimages in exactly the positions where the bits differ.
The adversary can query the oracle for a signature on 0^n (which reveals all of list 0) and on 1^n (which reveals all of list 1) and then produce a valid signature on any message they want, which is why the scheme is only one-time secure.
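The Lamport scheme above, together with the one-time restriction from the example, as an added example that is not part of the lecture notes. The one-way function f is instantiated with SHA-256, an assumption the notes do not make (they only require some strong one-way function), and messages are taken as n = 256 bits so that each list holds 256 preimages of 32 bytes. The stateful signer at the end is the practical counterpart of the one-time requirement: it refuses to produce a second signature, so an oracle built on it could never be queried on both 0^n and 1^n.

```python
import hashlib
import secrets


def f(x: bytes) -> bytes:
    """The one-way function f (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()


def message_bits(m: bytes, n: int):
    """Split an n-bit message (given as n/8 bytes) into bits (m_1, ..., m_n)."""
    if len(m) * 8 != n:
        raise ValueError("message must be exactly %d bits" % n)
    return [(byte >> (7 - i)) & 1 for byte in m for i in range(8)]


def lamport_gen(n: int = 256):
    """Gen(1^n): sk is two lists (list 0 and list 1) of n random n-bit strings;
    pk is f applied to every entry of sk."""
    if n % 8:
        raise ValueError("n must be a multiple of 8 in this byte-oriented example")
    sk = [[secrets.token_bytes(n // 8) for _ in range(n)] for _list in (0, 1)]
    pk = [[f(x) for x in lst] for lst in sk]
    return pk, sk


def lamport_sign(sk, m: bytes):
    """Sign_sk(m): reveal x_i^{m_i}, the list-m_i preimage at position i."""
    n = len(sk[0])
    return [sk[b][i] for i, b in enumerate(message_bits(m, n))]


def lamport_ver(pk, m: bytes, sigma) -> bool:
    """Ver_pk(m, sigma): Accept iff f(sigma_i) == pk[m_i][i] for every i.
    pk and sigma are both public, so plain equality is fine here."""
    n = len(pk[0])
    if len(sigma) != n:
        return False
    return all(f(sigma[i]) == pk[b][i] for i, b in enumerate(message_bits(m, n)))


class OneTimeSigner:
    """Stateful signer: each sk signs at most one message. A second signature on
    a different message would reveal preimages from both lists at the differing
    positions, which is exactly what the one-time restriction forbids."""

    def __init__(self, n: int = 256):
        self.pk, self._sk = lamport_gen(n)
        self._used = False

    def sign(self, m: bytes):
        if self._used:
            raise RuntimeError("Lamport key already used; refusing a second signature")
        self._used = True
        return lamport_sign(self._sk, m)


if __name__ == "__main__":
    signer = OneTimeSigner()
    msg = bytes(range(32))  # constructed 256-bit sample message
    sig = signer.sign(msg)
    print("verifies:", lamport_ver(signer.pk, msg, sig))
    print("wrong message rejected:", not lamport_ver(signer.pk, b"\x01" + msg[1:], sig))
```

The `_used` flag is the whole difference between a one-time signature and no security at all: without it, the oracle in the last paragraph hands out both lists after two queries.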