Lecture 18

Chapter 5: Authentication

5.1 Introduction

Signatures

private key

Alice and Bob share a secret key $k$ .

Message Authentication Codes (MACs)

public key

Any one can verify the signature.

Digital Signatures

Definitions 134.1

A message authentication codes (MACs) is a triple $(Gen, Tag, Ver)$ where

$k\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a key $k$ .
$\sigma\gets Tag_k(m)$ is a p.p.t. algorithm that takes as input a key $k$ and a message $m$ and outputs a tag $\sigma$ .
$Ver_k(m, \sigma)$ is a deterministic algorithm that takes as input a key $k$ , a message $m$ , and a tag $\sigma$ and outputs "Accept" if $\sigma$ is a valid tag for $m$ under $k$ and "Reject" otherwise.

For all $n\in\mathbb{N}$ , all $m\in\mathcal{M}_n$ .

P[k\gets Gen(1^k):Ver_k(m, Tag_k(m))=\textup {``Accept''}]=1

Definition 134.2 (Security of MACs)

Security: Prevent an adversary from producing any accepted $(m, \sigma)$ pair that they haven't seen before.

Assume they have seen some history of signed messages. $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$ .
Adversary $\mathcal{A}$ has oracle access to $Tag_k$ . Goal is to produce a new $(m, \sigma)$ pair that is accepted but none of $(m_1, \sigma_1), (m_2, \sigma_2), \ldots, (m_q, \sigma_q)$ .

$\forall$ n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Tag_k(\cdot)$ ,

\Pr[k\gets Gen(1^k);(m, \sigma)\gets\mathcal{A}^{Tag_k(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]<\epsilon(n)

MACs scheme

$F=\{f_s\}$ is a PRF family.

$f_s:\{0,1\}^{|S|}\to\{0,1\}^{|S|}$

$Gen(1^k): s\gets \{0,1\}^n$

$Tag_k(m)$ outputs $f_s(m)$ .

$Ver_s(m, \sigma)$ outputs "Accept" if $f_s(m)=\sigma$ and "Reject" otherwise.

Proof of security (Outline):

Suppose we used $F\gets RF_n$ (true random function).

If $\mathcal{A}$ wants $F(m)$ for $m\in \{m_1, \ldots, m_q\}$ . $F(m)\gets U_n$ .

\begin{aligned} &P[F\gets RF_n; (m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_k(m, \sigma)=\textup{``Accept''}]\\ &=P[F\gets RF_n; (m, \sigma)\gets F(m)]\\ &=\frac{1}{2^n}<\epsilon(n) \end{aligned}

Suppose an adversary $\mathcal{A}$ has $\frac{1}{p(n)}$ chance of success with our PRF-based scheme...

This could be used to distinguish PRF $f_s$ from a random function.

The distinguisher runs as follows:

Runs $\mathcal{A}(1^n)$
Whenever $\mathcal{A}$ asks for $Tag_k(m)$ , we ask our oracle for $f(m)$
$(m, \sigma)\gets\mathcal{A}^{F(\cdot)}(1^n)$
Query oracle for $f(m)$
If $\sigma=f(m)$ , output 1
Otherwise, output 0

$D$ will output 1 for PRF with probability $\frac{1}{p(n)}$ and for RF with probability $\frac{1}{2^n}$ .

Definition 135.1(Digital Signature D.S. over $\{M_n\}_n$ )

A digital signature scheme is a triple $(Gen, Sign, Ver)$ where

$(pk,sk)\gets Gen(1^k)$ is a p.p.t. algorithm that takes as input a security parameter $k$ and outputs a public key $pk$ and a secret key $sk$ .
$\sigma\gets Sign_{sk}(m)$ is a p.p.t. algorithm that takes as input a secret key $sk$ and a message $m$ and outputs a signature $\sigma$ .
$Ver_{pk}(m, \sigma)$ is a deterministic algorithm that takes as input a public key $pk$ , a message $m$ , and a signature $\sigma$ and outputs "Accept" if $\sigma$ is a valid signature for $m$ under $pk$ and "Reject" otherwise.

For all $n\in\mathbb{N}$ , all $m\in\mathcal{M}_n$ .

P[(pk,sk)\gets Gen(1^k); \sigma\gets Sign_{sk}(m); Ver_{pk}(m, \sigma)=\textup{``Accept''}]=1

Security of Digital Signature

\Pr[(pk,sk)\gets Gen(1^k); (m, \sigma)\gets\mathcal{A}^{Sign_{sk}(\cdot)}(1^k);\mathcal{A}\textup{ did not query }m \textup{ and } Ver_{pk}(m, \sigma)=\textup{``Accept''}]<\epsilon(n)

For all n.u.p.p.t. adversary $\mathcal{A}$ with oracle access to $Sign_{sk}(\cdot)$ .

5.4 One time security: $\mathcal{A}$ can only use oracle once.

Output $(m, \sigma)$ if $m\neq m$

Security parameter $n$

One time security on $\{0,1\}^n$

One time security on $\{0,1\}^*$

Regular security on $\{0,1\}^*$

Note: the adversary automatically has access to $Ver_{pk}(\cdot)$

One time security scheme (Lamport Scheme on $\{0,1\}^n$ )

$Gen(1^k)$ : $\mathbb{Z}_n$ random n-bit string

$sk$ : List 0: $\bar{x_1}^0, \bar{x_2}^0, \ldots, \bar{x_n}^0$

List 1: $\bar{x_1}^1, \bar{x_2}^1, \ldots, \bar{x_n}^1$

All $\bar{x_i}^j\in\{0,1\}^n$

$pk$ : For a strong one-way function $f$

List 0: $f(\bar{x_1}^0), f(\bar{x_2}^0), \ldots, f(\bar{x_n}^0)$

List 1: $f(\bar{x_1}^1), f(\bar{x_2}^1), \ldots, f(\bar{x_n}^1)$

$Sign_{sk}(m):(m_1, m_2, \ldots, m_n)\mapsto(\bar{x_1}^{m_1}, \bar{x_2}^{m_2}, \ldots, \bar{x_n}^{m_n})$

$Ver_{pk}(m, \sigma)$ : output "Accept" if $\sigma$ is a prefix of $f(m)$ and "Reject" otherwise.

Example: When we sign a message $01100$ , $Sign_{sk}(01100)=(\bar{x_1}^0, \bar{x_2}^1, \bar{x_3}^1, \bar{x_4}^0, \bar{x_5}^0)$ We only reveal the $x_1^0, x_2^1, x_3^1, x_4^0, x_5^0$ For the second signature, we need to reveal exactly different bits.
The adversary can query the oracle for $f(0^n)$ (reveals list0) and $f(1^n)$ (reveals list1) to produce any valid signature they want.

Cse442t L17