ICS 180: Introduction to Cryptography
5/11/2004
Solutions to homework 3

1 Authentication Scheme from One-Way Permutations

Let PPT algorithms $(Gen, Sample, Eval)$ define a OWF (or OWP) $\{f_i\}_{i \in I}$. Suppose that players U and B use the following authentication scheme. For example, say that B is a bank's web portal and C is a web applet run by the bank's client. The scheme is designed to last for one year, and needs to be reinitialized after that:

• Initialization Protocol: Let $n = 365$. B runs $Gen(1^\tau)$ to pick a one-way function $f_i$ with security parameter $\tau$ and runs $Sample(i)$ to pick a random element $x^{(n)}$ in the domain $D_i$ of $f_i$. Then B computes, for $k$ going from $n$ down to 1, values $x^{(k-1)} = f_i(x^{(k)}) = Eval(i, x^{(k)})$. (You'll see in a second why we are computing them backward rather than forward.) B keeps for himself $x^{(0)}$ as the "verification value" for C, and gives to C (over some secure channel) the "root authentication secret" $x^{(365)}$. C then regenerates all the $x^{(k)}$ values for $k = 0, \ldots, 364$ by consecutive applications of $f_i$. Let's denote $k$-times repeated application of $f_i$ as a function $(f_i)^{(k)} : D_i \to \{0,1\}^*$. With this notation we have $x^{(n-k)} = (f_i)^{(k)}(x^{(n)})$ for every $k$.

• Authentication Protocol: To authenticate himself to B on day $t$, C sends to B value $x = x^{(t)}$ and announces that he is "C". B then picks yesterday's verification value $x^{(t-1)}$ for that client, and authenticates this client as indeed "C" if $f_i(x) = x^{(t-1)}$. If the equation holds, B stores $x$ as $x^{(t)}$. (It's easy to generalize this to the case when C contacted B last on any day $t' < t$: just compute $(f_i)^{(t-t')}$ on $x^{(t)}$ and compare with $x^{(t')}$.)

Assume that the adversary E, who tries to authenticate himself as "C" to B too, can eavesdrop on all instances of the (C, B) authentication protocol but cannot interrupt any such instance. On the other hand, E can initiate an instance of the authentication protocol with B himself and try to make B authenticate him as "C".

1.1 [25 points] Prove that if the function collection $\{f_i\}$ defined by $(Gen, Sample, Eval)$ is a One-Way Permutation collection then the above authentication protocol is secure against the eavesdropping adversary E in the following sense: Show that if there exists a PPT E which, after listening to some number $k \in [1, n]$ of authentication sessions (C, B), has a non-negligible chance of being authenticated by B as "C" on a session that E initializes, then you can use such adversary E to create a PPT algorithm A which has a non-negligible advantage in an attack against one-wayness of the OWP collection $f_i$. In other words, algorithm A should succeed with non-negligible probability in inverting permutation $f_i$ on value $y = f_i(x)$ for a random $x \in D_i$. This will show that if the above authentication protocol is insecure against eavesdroppers (i.e. there exists a PPT attacker...
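The initialization and authentication protocols described above, as an added example that is not part of the original homework. SHA-256 stands in for $f_i$ as an assumption (it is one-way in practice but is not a permutation), and the names `f`, `iterate`, `Bank`, `Client` and `setup` are hypothetical. The bank side uses the generalized check for a last contact on day $t' < t$.

```python
import hashlib
import secrets

N_DAYS = 365  # n in the scheme


def f(x: bytes) -> bytes:
    """Stand-in for f_i (assumption): SHA-256, one-way but not a permutation."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, k: int) -> bytes:
    """(f_i)^(k): apply f to x, k times in a row."""
    for _ in range(k):
        x = f(x)
    return x


class Bank:
    """B: stores only the last accepted value x^(t') and its day t'."""

    def __init__(self, x0: bytes):
        self.day, self.value = 0, x0  # starts with verification value x^(0)

    def authenticate(self, t: int, x: bytes) -> bool:
        # Only days after the last accepted one, and within the year, are valid.
        if not (self.day < t <= N_DAYS):
            return False
        # Generalized check: (f_i)^(t - t')(x) must equal the stored x^(t').
        if not secrets.compare_digest(iterate(x, t - self.day), self.value):
            return False
        self.day, self.value = t, x  # x becomes the new verification value
        return True


class Client:
    """C: holds the root secret x^(n); x^(t) = (f_i)^(n - t)(x^(n))."""

    def __init__(self, root: bytes):
        self.root = root

    def token(self, t: int) -> bytes:
        return iterate(self.root, N_DAYS - t)


def setup():
    """Initialization: B samples x^(n), keeps x^(0), hands x^(n) to C."""
    root = secrets.token_bytes(32)  # constructed sample value for x^(n)
    return Client(root), Bank(iterate(root, N_DAYS))
```

A value E overhears on day $t$ is useless afterwards: passing the next check requires a preimage of it under `f`, which is the inversion task in problem 1.1.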
This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.