ON THE CRYPTOGRAPHIC APPLICATIONS OF RANDOM FUNCTIONS

(EXTENDED ABSTRACT)

Oded Goldreich, Shafi Goldwasser, Silvio Micali

Laboratory for Computer Science, M.I.T.

Cambridge, MA 02139

ABSTRACT

Now that "random functions" can be efficiently constructed ([GGM]), we discuss some of their possible applications to cryptography: 1) Distributing unforgeable ID numbers which can be locally verified by stations which contain only a small amount of storage. 2) Dynamic Hashing: even if the adversary can change the key-distribution depending on the values the hashing function has assigned to the previous keys, still he can not force collisions. 3) Constructing deterministic, memoryless authentication schemes which are provably secure against chosen message attack. 4) Constructing Identify Friend or Foe systems.

The first author was supported in part by a Weizmann Postdoctoral Fellowship. The second author was supported in part by the International Business Machines Corporation under the IBM/MIT Joint Research Program, Faculty Development Award agreement dated August 9, 1983.

G.R. Blakley and D. Chaum (Eds.): Advances in Cryptology - CRYPTO '84, LNCS 196, pp. 276-288, 1985. © Springer-Verlag Berlin Heidelberg 1985


1. INTRODUCTION

In our paper "How to Construct Random Functions" ([GGM]), we have 1) Introduced an algorithmic measure of the randomness of a function. (Loosely speaking, a function is random if any polynomial time algorithm, which asks for the values of the function at various points, cannot distinguish the case in which it receives the true values of the function, from the case in which it receives the outcome of independent coin flips.) 2) Constructed functions that are easy to evaluate and, nevertheless, achieve maximum algorithmic randomness, under the assumption that there exist one-way permutations. In this paper, we describe in detail 4 cryptographic applications of these "pseudo-random functions": Storageless ID Number Distribution, Dynamic Hashing, Deterministic Private-key Signature Scheme and Identify Friend or Foe.

Before describing these applications, let us recall some of the definitions which appeared in [GGM].

1.1 Poly-Random Collections

Let $I_k$ denote the set of all k-bit strings. Consider the set, $H_k$, of all functions from $I_k$ into $I_k$. Note that the cardinality of $H_k$ is $2^{k 2^k}$. Thus to specify a function in $H_k$ we would need $k 2^k$ bits: an impractical task even for a moderately large k.

Even more, assume that one randomly selects subsets $H'_k \subseteq H_k$ of cardinality $2^k$ so that each function in $H'_k$ has a unique k-bit index: then there is no polynomial time Turing Machine that, given k, the index of a function $f \in H'_k$ and $x \in I_k$, will evaluate $f(x)$. Our goal is to make "random functions" accessible for applications, i.e. to construct functions that can be easily specified and evaluated and yet cannot be distinguished from functions chosen at random in $H_k$.

Thus we restrict ourselves to choose functions from a subset $F_k \subseteq H_k$ where the collection $F = \{F_k\}$ has the following properties:

1) Indexing: Each function in $F_k$ has a unique k-bit index associated with it. (Thus picking randomly a function $f \in F_k$ is easy.)

2) Poly-time Evaluation: There exists a polynomial time Turing machine that given an index of a function $f \in F_k$ and an input x, computes $f(x)$.

3) Pseudo-Randomness: No probabilistic algorithm that runs in time polynomial in k can distinguish the functions in $F_k$ from the functions in $H_k$. More precisely: F is pseudo-random iff the collection F passes all polynomial time statistical tests for functions, where the notions "statistical test for functions" and "passes a test" are hereby defined.

A polynomial time statistical test for functions is a probabilistic polynomial time algorithm T that, given an input k and access to an oracle $O_f$ for a function $f: I_k \to I_k$, outputs either 0 or 1. Algorithm T can query the oracle $O_f$ only by writing on a special query-tape some $y \in I_k$ and will read the oracle answer, $f(y)$, on a separate answer-tape. As usual, $O_f$ prints its answer in one step.

Let $F = \{F_k\}$ be a collection of functions. We say that F passes the test T if for any polynomial Q, for all sufficiently large k:

$|p_k^F - p_k^H| < \frac{1}{Q(k)}$

where $p_k^F$ denotes the probability that T outputs 1 on input k and access to an oracle for a function f randomly chosen in $F_k$, and $p_k^H$ is the probability that T outputs 1 when given the input parameter k and access to an oracle $O_f$ for a function f randomly picked in $H_k$ (i.e. a random function). Such a collection of functions F will be called a poly-random collection.

Loosely speaking, despite the fact that the functions in F are easy to select and easy to evaluate, they will exhibit, to an examiner with polynomially bounded resources, all the properties of randomly selected functions. The above definition is highly constructive. In [GGM] it was shown how to transform any one-to-one one-way function to an algorithm $A_F$ for a poly-random collection of functions F.

The construction is in two steps: first, using Yao's construction (see Appendix A) to transform a one-to-one one-way function into a Cryptographically Strong Pseudo Random Bit generator (CSPRB-generator); next, using ANY CSPRB-generator to construct a poly-random collection (see Appendix B). However, for practical purposes we will consider only poly-random collections whose underlying CSPRB generator is fast.

Efficiency considerations

In the recent years many CSPRB generators have been proposed ([BBS], [BM], [GMT], [Y]), based on various intractability assumptions and demonstrating various degrees of practicality. Using the new results of Chor and Goldreich [CG] it is now possible to construct fast CSPRB generators which are "equivalent" to factoring: On input a k-bit long seed, these generators output $\log k$ bits at the price of one modular multiplication of two k-bit long integers. Factoring k-bit long integers is poly(k) reducible to distinguishing the sequence generated by these generators from truly random sequences. Let T denote the average time needed for generating one bit in the underlying generator used in our construction of a poly-random collection. Then, evaluating a function chosen at random from $F_k$ can be done in time $O(k^2 T)$.

1.2 Comparison with CSPRB generators

The fundamental definitions and properties of Cryptographically Strong Pseudo-Random Bit (CSPRB) generators are given in Appendix A. It is a theoretical challenge and an extremely useful task to find the most general properties of randomness that can be achieved by efficient pseudo-random programs. Let us consider the effect of such programs on probabilistic computation.

CSPRB generators cut down the number of coin tosses

Performing a probabilistic polynomial-time computation that requires $k^t$ random bits is trivial if we are willing to flip $k^t$ coins. A very interesting feature of CSPRB generators is that they guarantee the same result of the computation by flipping only k coins!

Poly-random collections cut down the storage as well

The existence of poly-random collections allows one to successfully replace a random oracle (function), in any polynomial time computation, by k random bits. It should be noticed that computing with a random oracle is different from computing with a coin. In fact, the bit associated with each string x not only is random, but does not change in time and is stored for free!

The advantages of the random oracle model are clarified by all the applications discussed in the following sections. Again, it is trivial (see Appendix C) to simulate a computation with a random oracle (function) that is queried on $k^t$ inputs if one is willing to use $k^t$ bits of storage. A very interesting feature of poly-random collections is that they guarantee the same result of the computation by using only k bits of storage!

Sharing randomness in a distributed environment

An additional advantage of our solution is that it enables many parties to efficiently share such an f in a distributed environment. By sharing f we mean that if f is evaluated at different times by different parties on the same input x, the same value $f(x)$ will be obtained. Such sharing is efficient as it can be achieved by an initial step which consists of (1) One party flips k coins; and (2) All parties record the result. After this initial step no more coin flips or message exchanges are needed. The k bits stored by all determine a shared function of the poly-random collection.


Assume that in "situation" S, some party (processor) $p_j$ wants to make a random choice so that the other processors will know it. Then it will simply compute $f(j, S)$. Because of the "randomness" of f, such choices are as good as truly random choices. Note that any other processor $p_i$ can compute the random choices processor $p_j$ did in situation S, without any extra communication!

2. "STORAGELESS" DISTRIBUTION OF SECRET NUMBERS

2.1 The Problem

Consider the problem of distributing secret identification numbers (ID's). Every user in the system should receive a secret ID from the system, which is easily verifiable by the system, but hard to compute by anyone else. An example may be assigning calling card numbers to telephone customers. We assume there are no two users with the same name. A possible solution could be to assign each user U a secret randomly selected number r, and store the pair (U, r) in a protected data base. This solution requires storage proportional to the number of users, which may be very large. Using our random functions, we propose a "storageless" solution to this problem.

2.2 Our Solution

Let $F_k$ be a poly-random collection, and let the server pick $f \in F_k$ at random. Then, the server assigns each user U, $f(U)$ as her secret number. To verify whether (U, n) is a legal pair, the server computes $f(U)$ and compares it with n. Now, suppose that Alice has such a secret ID and that all of her relatives ($A_1, A_2$, etc.), who possess their own secret ID's, gang up to discover Alice's ID. They try to exploit the fact that their names $A_1, A_2, \ldots, A_q$ are similar to hers. However, for f picked by the server from a poly-random collection, they could not compute $f(\mathrm{Alice})$ given $f(A_1), \ldots, f(A_q)$. This solution requires only k bits of storage, when the number of users in the system is bounded by a polynomial in k. Notice that this solution also works in a distributed environment. If each "branch" of the server has a computer with the (shared k-bit) secret s embedded in it, a secret number can be handed out in San Francisco and be (locally) verified in Boston.

2.3 The Correctness Argument: Simulation

Assume that one-way permutations exist and that g is such a permutation. Let $F = \{F_k\}$ be a poly-random collection constructed using g and let f be a function randomly selected from $F_k$. Assume that $A_1, A_2, \ldots, A_q$ have some advantage in guessing $f(\mathrm{Alice})$ from $f(A_1), \ldots, f(A_q)$. Clearly, they could not have such an advantage if f were a truly random function. Thus, they can distinguish f from a truly random function. This, in turn, provides an algorithm for inverting g.

3. DYNAMIC HASHING

3.1 The problem

Consider the problem of hashing a few long keys (names) into shorter addresses (abbreviations), such that with very small probability two keys are hashed into the same address. The classical purposes of hashing are: (1) To save on memory space. (For example, assigning physical memory location to variables can be done by applying a hashing function to the variable names. This way there is no need to store the variable names, which may be long.) (2) To allow fast retrieval of keyed information (hashing will help in applications where accessing the memory is slower than evaluating the function).

3.2 Our solution

In order to present our solution let us first generalize the definition of a poly-random collection. Let $p_1(\cdot)$ and $p_2(\cdot)$ be two polynomials. A generalized poly-random collection is a collection, $F = \{F_{p_1(k), p_2(k)}\}$, of indexed and easy to evaluate functions from $I_{p_1(k)}$ into $I_{p_2(k)}$ such that a function chosen at random from $F_{p_1(k), p_2(k)}$ cannot be distinguished in poly(k) time from a random function from $I_{p_1(k)}$ into $I_{p_2(k)}$. Our solution consists of using a function f chosen at random from $F_{p_1(k), p_2(k)}$ as a hashing function (i.e. key K is hashed into address $f(K)$). Note that our hashing function is much more robust with respect to polynomial time computation than the Universal Hashing suggested by Carter and Wegman [CW]. In their scheme, the adversary picks an arbitrary key distribution and the hashing performance (expected number of collisions) is analyzed with respect to this fixed distribution. Our scheme performs well even if the adversary does not fix his key distribution a priori, but can dynamically change the key distribution during the hashing process upon seeing the hashing function values on previous keys. In other words, even if an adversary can pick the keys to be hashed and examine the values of the hash function on old keys, he cannot force collisions. Moreover, the adversary cannot distinguish the hashing value for a new key from a random value. The robustness of our hashing technique makes it particularly suitable for cryptographic purposes. For example, Brassard ([B]) has pointed out the advantages of authentication schemes based on "cryptographically strong" hashing functions. This theme is further developed in section 5.

4. MESSAGE AUTHENTICATION AND TIME-STAMPING

In this section we will show how to construct deterministic, memoryless, authentication schemes which are highly robust, as discussed in the following concrete setting. Assume that all the employees of a large bank communicate through a public network. As an adversary may be able to inject messages, the employees need to authenticate the messages they send to each other (e.g. "transfer sum S from account A to account B"). A solution may consist of appending to the message m an authentication tag which is hard to compute by an adversary. In particular, we propose the following. Let all employees have access to authentication machines which compute a function $f_s$ in a poly-random collection. The tag associated with a message m is $f_s(m)$. We can trade off security for the length of the tag. For example, if one uses only the first 20 bits of $f_s(m)$ as an authentication tag, then the chance that an adversary could successfully authenticate a message is about 1 in a million.

To avoid playback of previously authenticated messages, it is common practice to use time-stamps. Namely, authenticate m concatenated with the date it was sent. So far, time-stamping was only a heuristic as an adversary who sees the message m authenticated with date D could conceivably authenticate m with another date (say D+1). Using our solution for message authentication, time-stamping makes playback provably hard. This is the case as for a random function $f(x)$ is totally unrelated to $f(x+1)$, and therefore the same holds (with respect to polynomial-time adversaries) for poly-random collections.

Another threat to the Bank's security is the loyalty of its own employees. They have the authenticating computer at their disposal and can use it to launch a chosen message attack against the scheme, so that when they are fired they can forge transactions. Our message authentication scheme remains secure even when the employees are not trustworthy, if each message to be authenticated is automatically time stamped by the computer. An employee who leaves the bank, after having widely experimented with the machine, will not be able to authenticate even one new message.
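As an added Python example (not code from the paper), the bank scheme of this section: the authenticating machine stamps the date itself and sends the first 20 bits of $f_s(m \| D)$ as the tag, so tags obtained in a chosen message phase on day D are useless on day D+1. HMAC-SHA256 stands in for the poly-random function $f_s$; the date encoding and the `AuthMachine` class are assumptions of the example.

```python
import hmac
import hashlib
import secrets

TAG_BITS = 20  # the paper's example: only the first 20 bits of f_s(.) are sent as the tag


def f_s(s: bytes, x: bytes) -> bytes:
    """Stand-in for the poly-random function f_s (assumption: HMAC-SHA256 keyed with s)."""
    return hmac.new(s, x, hashlib.sha256).digest()


def tag(s: bytes, message: bytes, date: int) -> int:
    """First TAG_BITS bits of f_s(m || D); the fixed-width date field keeps m and D apart."""
    x = message + b"|" + date.to_bytes(4, "big")   # constructed encoding, not the paper's
    return int.from_bytes(f_s(s, x)[:4], "big") >> (32 - TAG_BITS)


class AuthMachine:
    """The bank's authenticating computer. It holds s and stamps today's date itself,
    so an employee can only ever obtain tags of the form f_s(m || today)."""

    def __init__(self, s: bytes, today: int):
        self._s = s
        self.today = today

    def authenticate(self, message: bytes) -> tuple:
        return message, self.today, tag(self._s, message, self.today)

    def verify(self, message: bytes, date: int, t: int) -> bool:
        if date != self.today:          # stale or re-dated messages are refused outright
            return False
        expected = tag(self._s, message, date)
        return hmac.compare_digest(expected.to_bytes(3, "big"), t.to_bytes(3, "big"))


def demo() -> dict:
    s = secrets.token_bytes(16)          # the shared k-bit secret, k = 128
    day_d = 19_200                       # constructed date: days since some epoch
    machine = AuthMachine(s, day_d)
    m = b"transfer sum 1000 from account A to account B"
    ok_today = machine.verify(*machine.authenticate(m))
    # Chosen-message phase: a dishonest employee has 64 messages tagged on day D ...
    stash = [machine.authenticate(b"transfer sum %d from account A to account B" % i)
             for i in range(64)]
    # ... and is then fired. On day D+1 the stored triples are rejected because of their
    # date, and re-dating them to D+1 fails because f_s(m || D) says nothing about
    # f_s(m || D+1): each re-dated guess succeeds with probability 2^-20.
    machine.today = day_d + 1
    replayed = any(machine.verify(mm, dd, tt) for mm, dd, tt in stash)
    redated_hits = sum(machine.verify(mm, dd + 1, tt) for mm, dd, tt in stash)
    return {"ok_today": ok_today, "replayed": replayed, "redated_hits": redated_hits}
```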

5. AN IDENTIFY FRIEND OR FOE SYSTEM

The members of a large but exclusive society are well known for their brotherhood spirit. Upon meeting each other, anywhere in the world, they extend hospitality, favors, advice, money, etc. Naturally they face the danger of imposters trying to take advantage of their generosity. Thus, upon meeting each other, they must execute a protocol for establishing membership. As they meet in public places (busses, trains, theatre), they must be careful not to yield information that can lead to future successful impersonations. They go around carrying pocket computers on which they may make calculations. Clearly a password scheme will not suffice in this context, as the conversations are public. An interactive identification scheme is needed where the ability to ask questions does not enable future successful impersonations. Note that the questions that A may ask member B must be picked from an exponential range to prevent an active imposter from asking all possible questions, receiving all possible answers and thereafter successfully impersonating a member (or to prevent a passive imposter from having a non-negligible probability of being asked a question that he overheard the answer to). Using our poly-random collection, we can fully solve this problem. Let the president of the society choose a k-bit random string s, specifying a function $f_s$ in a poly-random collection. Each member receives a computer which calculates $f_s$. When member A meets B, he asks "z?" where $z \in I_k$. Only if B answers $f_s(z)$, will member A be convinced that B is a member. In addition, if the computers that calculate $f_s$ can be manufactured so that they can not be duplicated, then losing a computer does not compromise the security of the entire scheme: it just allows one non-member to enjoy the privileges of the society.
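The identification exchange above as an added Python example (not the paper's code), with both sides' messages and a passive imposter who records public sessions and can only replay them. HMAC-SHA256 stands in for $f_s$, and k = 128, so challenges come from the exponential range $I_{128}$; the class names are assumptions of the example.

```python
import hmac
import hashlib
import secrets

K_BITS = 128  # challenges z are drawn from I_k: 2^128 possible questions


def f_s(s: bytes, z: bytes) -> bytes:
    """Stand-in for the society's poly-random function f_s (assumption: HMAC-SHA256)."""
    return hmac.new(s, z, hashlib.sha256).digest()


class Member:
    """A member's pocket computer: it holds s and can both challenge and respond."""

    def __init__(self, s: bytes):
        self._s = s

    def challenge(self) -> bytes:
        return secrets.token_bytes(K_BITS // 8)          # "z?" with z chosen at random in I_k

    def respond(self, z: bytes) -> bytes:
        return f_s(self._s, z)                           # the only acceptable answer

    def accept(self, z: bytes, answer: bytes) -> bool:
        return hmac.compare_digest(f_s(self._s, z), answer)


class PassiveImposter:
    """Overhears (z, f_s(z)) pairs in public places and can do no more than replay them."""

    def __init__(self):
        self.seen = {}

    def overhear(self, z: bytes, answer: bytes) -> None:
        self.seen[z] = answer

    def respond(self, z: bytes) -> bytes:
        return self.seen.get(z, bytes(32))               # unknown challenge: a blind guess


def identify(verifier: Member, prover) -> bool:
    """One protocol run: A sends z, B answers, A compares the answer with f_s(z)."""
    z = verifier.challenge()
    return verifier.accept(z, prover.respond(z))


def demo(sessions: int = 1000) -> dict:
    s = secrets.token_bytes(16)                          # the president's k-bit string s
    alice, bob = Member(s), Member(s)
    eve = PassiveImposter()
    for _ in range(sessions):                            # Eve records genuine public sessions
        z = alice.challenge()
        eve.overhear(z, bob.respond(z))
    # When Eve is challenged herself she can answer only if z repeats one she overheard,
    # which happens with probability sessions / 2^K_BITS per attempt.
    return {
        "genuine": identify(alice, bob),
        "imposter": identify(alice, eve),
        "eve_chance": len(eve.seen) / 2 ** K_BITS,
    }
```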

6. SOLVING BLUM BLUM & SHUB OPEN PROBLEM

Blum, Blum and Shub [BBS] have presented an interesting CSPRB generator whose sequences pass all polynomial time statistical tests (1) if and only if deciding Quadratic Residuosity modulo a Blum-integer whose factorization is not known, is intractable.

(1) A Blum integer is an integer of the form $p_1 p_2$ where $p_1$ and $p_2$ are distinct primes both congruent to 3 mod 4.

Notice that, even though a CSPRB sequence generated with a k-bit long seed is $P_1(k)$-bit long, a CSPRB generator and a seed s define an infinite bit-sequence $b_1, b_2, \ldots$. An interesting feature of Blum Blum Shub's generator is that knowledge of the seed and of the factorization of the modulus allows direct access to each bit in an exponentially long bit string (i.e. if k denotes the length of the seed and $i < 2^k$, then the i-th bit in the string ($b_i$) can be computed in poly(k) time). This is due to the special weak one-to-one one-way function on which the security of their generator is based. However, this exponentially long bit string MAY NOT appear "random". Blum, Blum and Shub only prove that any SINGLE polynomially long interval of CONSECUTIVE bits in the string passes all polynomial time statistical tests for strings. Indeed, it may be the case that, given $b_1, \ldots, b_k$ and $b_{2^k+1}, \ldots, b_{2^k+k}$, it is easy to compute any other bit in the string. Another CSPRB generator which possesses the direct access property was suggested by Goldwasser, Micali and Tong [GMT]. Their generator is also based on a specific intractability assumption (factoring in a subset (of half) of the Blum integers). Also, it is not known whether direct access in the GMT generator preserves randomness.

The Blum Blum Shub open problem consists of whether direct access to exponentially far away bits in their pseudo-random pad is a "randomness preserving" operation. Or more generally, whether there exist generators which possess such a "randomness preserving direct access" property. The Blum Blum Shub generator, when fed with a k-bit long seed s, defines a function $f_s$ in the following way: for each k-bit integer x, $f_s(x)$ is the x-th block of k bits in the pad, i.e. $f_s(x) = b_{kx+1} \ldots b_{kx+k}$. Recall that the Blum Blum Shub generator is based on the intractability assumption of a special permutation and furthermore, even under this assumption, direct access was not proved to be a randomness preserving operation. As a consequence $f_s$ may not be "random".

We solve the above problem in a very strong sense. In fact we construct random functions f, from k-bit strings into k-bit strings, given ANY one-way permutation. Having constructed such an f, we have virtually constructed the $k 2^k$-bit long string $s_f = f(1) f(2) \ldots f(2^k)$. For the set $\{s_f\}$ we prove that direct access is a "randomness preserving" property.
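To make the direct-access property concrete, here is an added Python example (not from the paper) of the Blum Blum Shub generator with its standard recurrence $x_{i+1} = x_i^2 \bmod n$, $b_i = \mathrm{lsb}(x_i)$: whoever knows $p$ and $q$ reads $b_i$ directly as the low bit of $x_0^{2^i \bmod \lambda(n)} \bmod n$ instead of performing $i$ squarings, and the paper's $f_s(x)$, the x-th block of k bits of the pad, follows from that. The toy primes and seed are constructed for the example.

```python
from math import gcd


def is_blum_prime(p: int) -> bool:
    """Primality by trial division (toy sizes only) plus the p = 3 mod 4 condition."""
    if p < 2 or p % 4 != 3:
        return False
    return all(p % d for d in range(2, int(p ** 0.5) + 1))


def carmichael(p: int, q: int) -> int:
    """lambda(n) for n = pq: every x coprime to n satisfies x^lambda(n) = 1 mod n."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)


def bbs_sequential(n: int, x0: int, count: int) -> list:
    """b_1 .. b_count by repeated squaring, as anyone without the factorization must do."""
    bits, x = [], x0
    for _ in range(count):
        x = x * x % n
        bits.append(x & 1)
    return bits


def bbs_direct(p: int, q: int, x0: int, i: int) -> int:
    """b_i in poly(k) time from the seed and the factorization of n = pq:
    x_i = x0^(2^i) = x0^(2^i mod lambda(n)) mod n, so no i-step walk is needed."""
    n = p * q
    e = pow(2, i, carmichael(p, q))
    return pow(x0, e, n) & 1


def f_s(p: int, q: int, x0: int, k: int, x: int) -> list:
    """The paper's f_s(x) = b_{kx+1} ... b_{kx+k}: the x-th block of k bits of the pad,
    read by direct access even when x is exponentially large."""
    return [bbs_direct(p, q, x0, i) for i in range(k * x + 1, k * x + k + 1)]


# Constructed toy parameters: two primes congruent to 3 mod 4 and a seed coprime to n.
P, Q = 499, 547
SEED = 12345
```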

APPENDICES

Appendix A: CSPRB Generators, One-way Permutations and Yao's Construction.

Following the unpredictable number generators of Shamir [S], Blum and Micali [BM] have introduced the notion of Cryptographically Strong Pseudo-Random Bit (CSPRB) generators. They have also presented the first instance of it, relying on the intractability assumption of the discrete logarithm problem. Let t be any fixed constant. A CSPRB generator is a deterministic program that receives as input a (random) k-bit long seed and outputs a $k^t$-bit long (pseudo-random) sequence such that the next bit in the sequence cannot be predicted in polynomial (in k) time from the preceding bits. Yao [Y] introduces the notion of a polynomial-time statistical test and shows that the outputs of CSPRB generators pass all polynomial-time statistical tests. He also proves that one can construct CSPRB generators given any (weak) one-way permutation.

Let us be more formal. Let $f_k: I_k \to I_k$ be a sequence of permutations such that there is a polynomial-time algorithm that on input $x \in I_k$ computes $f_k(x)$. Let the function f be defined as follows: $f(x) = f_k(x)$ if $x \in I_k$. We say that f is a one-to-one one-way function if for all polynomial-time Turing Machines M there is a polynomial P such that, for all sufficiently large k, $M(x) \neq f_k^{-1}(x)$ for at least a fraction $\frac{1}{P(k)}$ of the $x \in I_k$.

LEMMA 1 (Yao [Y]): Given a weak one-to-one one-way function, it is possible to construct CSPRB generators.

Sketch of the proof: Given a one-way permutation, f, Yao constructs a hard to evaluate predicate by taking the exclusive-or of the inverse of f on polynomially many points. Namely, $B_k(x_1, x_2, \ldots, x_{k^t}) = \mathrm{XOR}\,(f_k^{-1}(x_1) f_k^{-1}(x_2) \ldots f_k^{-1}(x_{k^t}))$, where $\mathrm{XOR}\, s$ is the exclusive-or of all the bits of the string s.

Appendix B: The Construction of F (from any CSPRB Generator) [GGM]

Let $G$ be a CSPRB generator. Recall that $G$ is a function defined on all bit strings such that if $x \in I_k$, $G(x) = b_1 \ldots b_{P(k)}$. With no loss of generality, we can assume that $P(k) \geq 2k$. (This is the case since Goldreich and Micali [GM] have shown that the existence of a CSPRB generator which expands a $k$-bit long seed into a $(k+1)$-bit output pad yields the existence of a generator which expands a $k$-bit long seed into a $2k$-bit long pad.) Let $S = \{S_k\}$ be defined as follows. $S_k$ is the set of all the first $2k$ bits output by $G$ on seeds of length $k$. Then $S$ passes all polynomial-time statistical tests for strings.

Let $x \in I_k$ be a seed for $G$. $G_0(x)$ denotes the first $k$ bits output by $G$ on input $x$; $G_1(x)$ denotes the next $k$ bits output by $G$. Let $\alpha = a_1 a_2 \ldots a_t$ be a binary string. We define $G_\alpha(x) = G_{a_1 a_2 \ldots a_t}(x) = G_{a_t}(\cdots(G_{a_2}(G_{a_1}(x)))\cdots)$. Let $x \in I_k$. The function $f_x : I_k \to I_k$ is defined as follows: for $y = y_1 y_2 \ldots y_k$, $f_x(y) = G_{y_1 y_2 \ldots y_k}(x)$. Define $F_k = \{ f_x \mid x \in I_k \}$ and $F = \{F_k\}$. Note that a function in $F_k$ need not be one-to-one.

The reader may find it useful to picture a function $f_x : I_k \to I_k$ as a full binary tree of depth $k$ with $k$-bit strings stored in the nodes and edges labelled 0 or 1. The $k$-bit string $x$ will be stored in the root. If a $k$-bit string $s$ is stored in an internal node $v$, then $G_0(s)$ is stored in $v$'s left-son, $v_l$, and $G_1(s)$ is stored in $v$'s right-son, $v_r$. The edge $(v, v_l)$ is labelled 0 and the edge $(v, v_r)$ is labelled 1. The string $f_x(y)$ is then stored in the leaf reachable from the root following the edge path labelled $y$. It is easy to see that $F$ satisfies properties (1) and (2) of poly-random collections. A proof that $F$ satisfies also property (3) (pseudo-randomness) can be found in [GGM] (Main Theorem).

GENERALIZATIONS

In some applications, we would like to have random functions from $I_{p_3(k)} \to I_{p_4(k)}$. E.g. in hashing we might want functions from $I_k$ into $I_{10}$. We meet this need by introducing the collection $F = \{F_k\}$ defined as follows: for $x \in I_k$, $f_x \in F_k$ is a function from $I_{p_3(k)}$ into $I_{p_4(k)}$ defined as follows. Let $y = y_1 \ldots y_{p_3(k)}$. Define $f_x(y) = \Gamma_{p_4(k)}\big(G_{y_1 \ldots y_{p_3(k)}}(x)\big)$, where $\Gamma_{p_4(k)}(z)$ are the first $p_4(k)$ bits output by $G$ when fed input $z \in I_k$, and $G$ is a CSPRB generator. Such an $F$ is also a poly-random collection: properties (1) and (2) trivially hold, and property (3) can be proved in a way similar to the proof of the Main Theorem in [GGM].
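The tree construction of Appendix B and its generalization to $I_{p_3(k)} \to I_{p_4(k)}$ outputs, written out as an added example (this is illustrative code, not code from the paper or its authors). It assumes $k = 128$ and uses SHA-256 in counter mode as a stand-in for the CSPRB generator $G$; that stand-in is a constructed placeholder chosen so the example runs offline, not a generator with the proof the paper relies on. The names `prg`, `G0`, `G1`, `ggm` and `ggm_general` are the example's own.

```python
import hashlib

K_BITS = 128            # the paper's k, chosen for this example (assumption)
K_BYTES = K_BITS // 8


def prg(seed: bytes, out_bits: int) -> str:
    """Stand-in for the CSPRB generator G: SHA-256 in counter mode over the seed.
    Returns the first out_bits output bits as a '0'/'1' string.  Constructed
    placeholder for the example only; it carries no proof of unpredictability."""
    out = bytearray()
    counter = 0
    while len(out) * 8 < out_bits:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return "".join(format(b, "08b") for b in out)[:out_bits]


def bits_to_bytes(bits: str) -> bytes:
    """Pack a bit string whose length is a multiple of 8 into bytes."""
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def G0(x: bytes) -> bytes:
    """First k bits output by G on seed x (the left son in the tree picture)."""
    return bits_to_bytes(prg(x, 2 * K_BITS)[:K_BITS])


def G1(x: bytes) -> bytes:
    """Next k bits output by G on seed x (the right son)."""
    return bits_to_bytes(prg(x, 2 * K_BITS)[K_BITS:2 * K_BITS])


def ggm(x: bytes, y: str) -> bytes:
    """f_x(y) = G_{y_1 y_2 ... y_k}(x): start at the root x and follow the edge
    labelled by each bit of y in turn.  Only the k-bit seed x is ever stored;
    the 2^k leaves are never materialised, so one evaluation costs |y| calls
    to G and no additional memory."""
    if len(x) != K_BYTES:
        raise ValueError("seed must be k bits long")
    node = x
    for bit in y:
        if bit not in "01":
            raise ValueError("y must be a binary string")
        node = G1(node) if bit == "1" else G0(node)
    return node


def ggm_general(x: bytes, y: str, out_bits: int) -> str:
    """The GENERALIZATIONS variant: f_x(y) = Gamma_{p4(k)}(G_y(x)), i.e. the
    first p4(k) output bits of G on the leaf reached by y.  Inputs may have any
    length p3(k) and outputs any length p4(k)."""
    return prg(ggm(x, y), out_bits)


if __name__ == "__main__":
    x = bytes(range(K_BYTES))                        # constructed sample seed, not a real key
    y = format(0xABCD, "016b") + "0" * (K_BITS - 16)  # a 128-bit input
    print(ggm(x, y).hex())
    print(ggm_general(x, "1011", 10))                 # hashing-style: 4-bit input, 10-bit output
```

Evaluating `ggm` on two inputs that share a prefix walks the same nodes up to the point where the inputs diverge, which is the structure the security proof exploits; the generalized form simply appends one more call to $G$ at the leaf to stretch or shrink the output.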

Appendix C: An (unsatisfactory) straightforward simulation of random functions

Assume one needs to be able to evaluate a function that looks as if it is randomly selected from $H_k$. One can argue that since he will only need to evaluate the function on polynomially many (in $k$) inputs, it is sufficient that he proceeds as follows:

Choose a CSPRB generator $G$ and a random $k$-bit long seed $s$. This choice specifies a $(k^t+1)$-bit long pseudo-random bit-sequence $b_1, \ldots, b_{k^t+1}$ that can be used as securely as a truly random pad. Let $x_1, \ldots, x_j$ denote the chronologically ordered sequence of inputs on which the "random function" $f$ has already been evaluated. Assume now that $f$ needs to be evaluated on an input $y$. If $y \neq x_i$ for $i = 1, \ldots, j$, then $f(y)$ is set to be the $(j+1)$st block of $k$ consecutive bits in the pseudo-random sequence (i.e. $f(y) = b_{k \cdot j + 1} \ldots b_{k \cdot j + k}$). Also, $y$ is stored as the $(j+1)$st input (storing $f(y)$ is optional). Otherwise, if $y = x_i$ for some $i$, $f(y)$ is recomputed as the $i$th block of bits in the pseudo-random sequence (or is retrieved from memory).

Note that this procedure does not specify a function and thus does not meet the theoretical challenge. Furthermore, it wastes storage proportionally to the number of oracle queries (inputs on which the function has been evaluated). This is a strict lower bound! If the inputs are randomly chosen they cannot be compressed at all! By means of a more clever use of CSPRB generators, our solution requires only $k$ bits of storage. Thus it meets both the theoretical and the practical challenges.

ACKNOWLEDGEMENTS

We would like to thank Ron Rivest for suggesting the IFOF application.
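The two defects of the Appendix C simulation, shown in an added example (illustrative code, not the paper's): the answer to a query depends on the order in which inputs were seen, so the procedure does not define a function, and the stored state grows by $k$ bits per distinct input. The example assumes $k = 128$ and uses SHA-256 in counter mode as a constructed stand-in for the pad $b_1 b_2 \ldots$ that $G$ produces; `pad_block`, `NaiveSimulation` and `order_dependence` are names chosen here.

```python
import hashlib

K_BITS = 128            # the paper's k, chosen for this example (assumption)
K_BYTES = K_BITS // 8


def pad_block(seed: bytes, i: int) -> bytes:
    """The i-th block (i = 0, 1, ...) of k consecutive bits of the pad
    b_1 b_2 ... derived from the seed.  SHA-256 in counter mode is a
    constructed stand-in for the CSPRB generator, used only for the example."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:K_BYTES]


class NaiveSimulation:
    """Appendix C's procedure: a fresh input y is answered with the next unused
    pad block and remembered as x_{j+1}; a repeated input y = x_i gets block i."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.inputs = []            # x_1, ..., x_j in chronological order

    def evaluate(self, y: bytes) -> bytes:
        if y in self.inputs:
            i = self.inputs.index(y)     # y = x_i: recompute the i-th block
        else:
            i = len(self.inputs)         # y is new: use the (j+1)st block
            self.inputs.append(y)
        return pad_block(self.seed, i)

    def extra_storage_bits(self) -> int:
        """Storage beyond the k-bit seed: one k-bit input per distinct query
        (this example assumes inputs are k bits long, like the outputs)."""
        return len(self.inputs) * K_BITS


def order_dependence(seed: bytes, u: bytes, v: bytes) -> bool:
    """True when two simulations sharing one seed disagree on f(u) merely
    because they met u and v in different orders.  This is why the procedure
    does not specify a function: the value depends on the query history, not
    on (seed, input) alone, which is what the tree construction fixes."""
    first = NaiveSimulation(seed)
    second = NaiveSimulation(seed)
    first.evaluate(u)
    first.evaluate(v)
    second.evaluate(v)
    second.evaluate(u)
    return first.evaluate(u) != second.evaluate(u)


if __name__ == "__main__":
    seed = bytes(K_BYTES)                      # constructed sample seed, not a real key
    sim = NaiveSimulation(seed)
    for q in [b"input-u", b"input-v", b"input-u", b"input-w"]:
        sim.evaluate(q)
    print("stored bits after 3 distinct queries:", sim.extra_storage_bits())
    print("answers depend on query order:", order_dependence(seed, b"input-u", b"input-v"))
```

Under the tree construction of Appendix B, by contrast, two parties holding the same $k$-bit seed agree on $f_x(y)$ whatever they evaluated beforehand, and neither needs to keep a table of past inputs.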


REFERENCES

[AL] D. Angluin and D. Lichtenstein, Provable Security of Cryptosystems: a Survey, YaleU/DCS/TR-288, 1983.

[BBS] L. Blum, M. Blum and M. Shub, A simple secure pseudo random number generator, Advances in Cryptology: Proc. of CRYPTO-82, ed. D. Chaum, R.L. Rivest and A.T. Sherman, Plenum Press 1983, pp 61-78.

[BG] M. Blum and S. Goldwasser, An Efficient Probabilistic Public-Key Encryption Scheme Which Hides all Partial Information, preprint, May 1984.

[BM] M. Blum and S. Micali, How to generate cryptographically strong sequences of pseudo-random bits, SIAM J. Comput., Vol 13, No. 4, Nov. 1984.

G. Brassard, On computationally secure authentication tags requiring short secret shared keys, Advances in Cryptology: Proc. of CRYPTO-82, ed. D. Chaum, R.L. Rivest and A.T. Sherman, Plenum Press 1983, pp 79-86.

[CG] B. Chor and O. Goldreich, RSA/Rabin least significant bits are 1/2 + 1/poly(log N) secure, MIT/LCS/TM-260, May 1984.

[CW] J.L. Carter and M.N. Wegman, Universal classes of hash functions, Proc. 9th ACM Symp. on Theory of Computing, 1977, pp 106-112.

[GGM] O. Goldreich, S. Goldwasser and S. Micali, How to construct random functions, MIT/LCS/TM-244, November 1983.

[GM] O. Goldreich and S. Micali, The weakest CSPRB generator implies the strongest one, in preparation.

[GMT] S. Goldwasser, S. Micali and P. Tong, Why and how to establish a private code on a public network, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp 134-144.

[RSA] R. Rivest, A. Shamir and L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Commun. ACM vol. 21, Feb. 1978, pp 120-126.

[S] A. Shamir, On the Generation of Cryptographically Strong Pseudo-random Sequences, 8th International Colloquium on Automata, Languages, and Programming, Lect. Notes in Comp. Sci. 62, Springer Verlag, 1981.

[Y] A.C. Yao, Theory and applications of trapdoor functions, Proc. 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp 80-91.