On The Cryptographic Applications of Random Functions
Oded Goldreich, Shafi Goldwasser, Silvio Micali
Advances in Cryptology - CRYPTO '84
Presenter: 陳昱升
Abstract
• Some possible applications of random functions:
  • Storageless distribution of secret IDs
  • Dynamic hashing
  • Message authentication and time-stamping
  • An identify friend or foe system
Outline
• Pseudorandom generators
• Pseudorandom functions
• 4 applications of random functions
• Solving Blum, Blum & Shub's open problem
Pseudorandom Generators
• Informally, a pseudorandom generator is a polynomial time algorithm that, on a random input, outputs a long sequence such that the next bit in the sequence cannot be predicted in polynomial time.
[Figure: a pseudorandom generator fed a secret random input emits the sequence 010111001111010…; the "?" marks the next bit, which the predictor must guess.]
Pseudorandom Functions
• Informally, a function is pseudorandom if any polynomial time algorithm, which asks for the values of the function at various points, cannot distinguish the values of the function from the outcome of independent coin flips.
[Figure: a polynomial time algorithm queries the pseudorandom function f at points x and receives f(x); comparing f(x) with the outcome of independent coin flips, it cannot tell the two apart (indistinguishable).]
Poly-Random Collections
• A poly-random collection F = {F_k} has the following properties:
  • Indexing: each function in F_k has a unique k-bit index.
  • Poly-time evaluation: there exists a polynomial time algorithm that, given the index of a function f in F_k and an input x, computes f(x).
  • Pseudo-randomness: no probabilistic polynomial time algorithm can distinguish the functions in F_k from a truly random function.
[Figure: the collection F_k drawn as a set of functions, with one function f singled out.]
Applications of random functions
• Storageless Distribution of Secret IDs
• Dynamic Hashing
• Message Authentication and Time-Stamping
• An Identify Friend or Foe System
Storageless Distribution of Secret IDs - the problem
• The problem of distributing secret ID numbers: every user should receive a secret ID from the system which is easily verifiable by the system, but hard to compute by anyone else.
Storageless Distribution of Secret IDs - a possible solution
• A possible solution assigns each user U a secret r and stores the pair (U, r) in a protected database.
• This solution requires storage proportional to the number of users.
Storageless Distribution of Secret IDs - a storageless solution
• The server picks f in F_k at random and assigns each user U the value f(U) as her secret number.
• To verify whether (U, n) is a legal pair, the server computes f(U) and compares it with n.
[Figure: Alice sends (Alice, n) to the server; the server verifies n ?= f(Alice).]
Storageless Distribution of Secret IDs - a storageless solution (cont.)
• Suppose that Alice has such a secret ID and that all of her relatives (A1, A2, …, Aq), who possess their own secret IDs, gang up to discover Alice's ID.
• For f picked from a poly-random collection, they cannot compute f(Alice) given f(A1), f(A2), …, f(Aq).
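The storageless scheme above as an added, runnable example (not the paper's own code): it assumes HMAC-SHA256 keyed with a random k-bit index stands in for a function f drawn from F_k, so the server keeps only that index and no per-user table.

```python
import hashlib
import hmac
import secrets

# Added example, not the paper's construction.  Assumption: HMAC-SHA256 keyed
# with a random k-bit index stands in for a function f drawn from a poly-random
# collection F_k.  The server keeps only the index (key), no table of users.
ID_BYTES = 16  # length of the secret number handed to each user


def pick_function(k_bits: int = 128) -> bytes:
    """The server picks f in F_k at random: here, a random k-bit HMAC key."""
    return secrets.token_bytes(k_bits // 8)


def f(key: bytes, user: str) -> bytes:
    """Evaluate f(U) at the user's name."""
    digest = hmac.new(key, user.encode("utf-8"), hashlib.sha256).digest()
    return digest[:ID_BYTES]


def issue_secret_id(key: bytes, user: str) -> bytes:
    """Assign user U the secret number f(U); nothing about U is stored."""
    return f(key, user)


def verify(key: bytes, user: str, n: bytes) -> bool:
    """Is (U, n) a legal pair?  Recompute f(U) and compare in constant time."""
    return hmac.compare_digest(f(key, user), n)


def relatives_gang_up(key: bytes):
    """Alice's relatives A1..A3 pool their own IDs and derive a guess for
    f(Alice) from them.  The guess fails verification: f(Alice) is
    unpredictable from f(A1), f(A2), f(A3) when f is pseudorandom."""
    alice_id = issue_secret_id(key, "Alice")
    pooled = b"".join(issue_secret_id(key, a) for a in ("A1", "A2", "A3"))
    guess = hashlib.sha256(pooled).digest()[:ID_BYTES]
    return verify(key, "Alice", alice_id), verify(key, "Alice", guess)
```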
Dynamic Hashing - the problem
• The problem of hashing a few long keys into shorter addresses with a very small probability of collisions.
Dynamic Hashing - a possible solution
• Universal Hashing
• H is a finite collection of hash functions that map universe U into {0,1,…,m-1} and
Dynamic Hashing - a solution using a generalized poly-random collection
• A generalized poly-random collection F = {F_{p1(k),p2(k)}} is defined like a poly-random collection, but its functions map I_{p1(k)} (p1(k)-bit strings) into I_{p2(k)}.
• Our solution uses a function f chosen at random from F_{p1(k),p2(k)} as the hash function.
Dynamic Hashing - a solution using a generalized poly-random collection (cont.)
• This hash function is more robust with respect to polynomial time computation than Universal Hashing.
• In Universal Hashing, the adversary picks an arbitrary key distribution in advance, and the hashing performance is analyzed with respect to this fixed distribution.
• Our scheme allows the adversary to change the key distribution dynamically during the hashing process, upon seeing the previous hash function values (i.e., adaptively).
Message Authentication and Time-Stamping - the problem
• Assume that all the employees of a large bank communicate through a public network. The employees need to authenticate the messages they send to each other.
Message Authentication and Time-Stamping - the solution
• Let all employees have access to authentication machines which compute a function f_s in a poly-random collection.
• The tag associated with a message m is f_s(m).
• To avoid playback attacks, it is common practice to use time-stamps.
[Figure: an employee submits m to the authentication machine, which returns f_s(m); the employee sends (m, f_s(m)) to the other employees.]
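An added example (not the paper's scheme as written) of tagging a time-stamped message with f_s and rejecting playback on the receiving side; it assumes HMAC-SHA256 keyed with the shared secret s stands in for f_s, that employees' clocks agree to within FRESHNESS seconds, and that a receiver remembers tags accepted inside that window.

```python
import hashlib
import hmac
import struct

# Added example, not the paper's scheme as written.  Assumptions: HMAC-SHA256
# keyed with the shared secret s stands in for f_s; clocks agree to within
# FRESHNESS seconds; the receiver remembers tags accepted inside that window.
FRESHNESS = 30  # seconds


def encode(m: bytes, timestamp: int) -> bytes:
    """Fixed-width time-stamp prefix, so distinct (m, t) pairs never collide."""
    return struct.pack(">Q", timestamp) + m


def tag(s: bytes, m: bytes, timestamp: int) -> bytes:
    """The authentication machine computes f_s over the time-stamped message."""
    return hmac.new(s, encode(m, timestamp), hashlib.sha256).digest()


class Receiver:
    """An employee's verifier: checks the tag, the time-stamp, and replays."""

    def __init__(self, s: bytes):
        self.s = s
        self.seen = set()  # (timestamp, tag) pairs accepted inside the window

    def accept(self, m: bytes, timestamp: int, t: bytes, now: int) -> bool:
        if abs(now - timestamp) > FRESHNESS:
            return False  # stale (or future) time-stamp: a late playback
        if not hmac.compare_digest(tag(self.s, m, timestamp), t):
            return False  # wrong tag: forged or altered message
        if (timestamp, t) in self.seen:
            return False  # exact playback inside the freshness window
        self.seen.add((timestamp, t))
        return True


def demo():
    """Constructed exchange: one genuine message, then three bad deliveries."""
    s = b"shared secret s (constructed)"
    rx = Receiver(s)
    m, ts = b"transfer 100 to account 42", 1_700_000_000
    t = tag(s, m, ts)
    return (rx.accept(m, ts, t, ts + 1),         # fresh and genuine: True
            rx.accept(m, ts, t, ts + 2),         # replayed inside window: False
            rx.accept(m, ts, t, ts + 3600),      # replayed an hour later: False
            rx.accept(m + b"0", ts, t, ts + 1))  # altered message: False
```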
An Identify Friend or Foe System - the problem
• The members of a large but exclusive society are well known for their brotherhood spirit.
• They face the danger of imposters trying to take advantage of their generosity.
• Upon meeting each other, they must execute a protocol for establishing membership.
An Identify Friend or Foe System - the solution
• Each member receives a computer which calculates f_s.
• When member A meets B, he asks "z?". Only if B answers f_s(z) will member A be convinced that B is a member.
[Figure: A sends the challenge z to B; B replies with f_s(z).]
Solving Blum, Blum & Shub's Open Problem
• Problem: whether direct access to exponentially far away bits in their pseudo-random pad is a "randomness preserving" operation.
[Figure: a pseudorandom generator fed a random input emits the pad 010111……………..01111011; the "?" marks a next bit exponentially far away from the start.]
Solving Blum, Blum & Shub's Open Problem (cont.)
• Having constructed a pseudorandom function f, we have virtually constructed the k·2^k-bit long string s_f = f(1) f(2) … f(2^k): any bit of it is reached by a single evaluation of f, without generating the bits before it.
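Direct access to the pad s_f as an added example (not the paper's construction): it assumes HMAC-SHA256 truncated to K bits stands in for a pseudorandom function f with K-bit outputs, so bit pos of s_f is bit (pos mod K) of the block f(pos div K + 1), and a position like 2^100 costs one evaluation of f.

```python
import hashlib
import hmac

# Added example, not the paper's construction.  Assumption: HMAC-SHA256
# truncated to K bits stands in for a pseudorandom function f with K-bit
# outputs; the pad is s_f = f(1) f(2) ... f(2^K), K * 2^K bits long.
K = 128


def f(key: bytes, i: int) -> bytes:
    """f(i) for 1 <= i <= 2^K, K bits of output (i-1 fits in K bits)."""
    assert 1 <= i <= 1 << K
    msg = (i - 1).to_bytes(K // 8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[: K // 8]


def pad_bit(key: bytes, pos: int) -> int:
    """Bit pos (0-based) of s_f with one evaluation of f: the bit lies in
    block f(pos // K + 1) at offset pos % K.  No earlier bits are generated,
    so position 2**100 costs the same as position 0."""
    assert 0 <= pos < K << K  # K << K == K * 2**K, the length of s_f
    block, offset = divmod(pos, K)
    byte = f(key, block + 1)[offset // 8]
    return (byte >> (7 - offset % 8)) & 1


def pad_prefix(key: bytes, nbits: int) -> str:
    """Generator-style access: the first nbits of s_f by walking f(1), f(2), ..."""
    bits = []
    i = 1
    while len(bits) < nbits:
        for byte in f(key, i):
            bits.extend(str((byte >> (7 - b)) & 1) for b in range(8))
        i += 1
    return "".join(bits[:nbits])


def far_away_bits(key: bytes, start: int, n: int) -> str:
    """n consecutive pad bits starting at an exponentially far position."""
    return "".join(str(pad_bit(key, p)) for p in range(start, start + n))
```

The test below checks that random access and sequential generation agree on the prefix, and that bits at position 2^100 are reproducible.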
Conclusion
• Pseudorandom generators
• Pseudorandom functions
• 4 applications of random functions
• Solving Blum, Blum & Shub's open problem