solutions 3

# solutions 3 - ICS 180 Introduction to Cryptography...

• Homework Help
• davidvictor
• 7
• 100% (1) 1 out of 1 people found this document helpful

This preview shows pages 1–3. Sign up to view the full content.

ICS 180: Introduction to Cryptography 5/11/2004 Solutions to homework 3 1 Authentication Scheme from One-Way Permutations Let PPT algorithms ( Gen, Sample, Eval ) define a OWF (or OWP) { f i } i ∈I . Suppose that players U and B use the following authentication scheme. For example, say that B is a bank’s web portal and C is a web applet run by the bank’s client. The scheme is designed to last for one year, and needs to be reinitialized after that: Initialization Protocol: Let n = 365. B runs Gen (1 τ ) to pick a one-way function f i with security parameter τ and runs Sample ( i ) to pick a random element x ( n ) in the domain D i of f i . Then B computes, for k going from n down to 1, values x ( k 1) = f i ( x ( k ) ) = Eval ( i, x ( k ) ). (You’ll see in a second why we are computing them backward rather than forward.) B keeps for himself x (0) as the “verification value” for C , and gives to C (over some secure channel) the “root authentication secret” x (365) . C then re-generates all the x ( k ) values for k = 0 , ..., 364 by consecutive applications of f i . Let’s denote k -times repeated application of f i as a function ( f i ) ( k ) : D i → { 0 , 1 } . With this notation we have x ( n k ) = ( f i ) ( k ) ( x ( n ) ) for every k . Authentication Protocol: To authenticate himself to B on day t , C sends to B value x = x ( t ) and announces that he is “ C ”. B then picks the yesterday’s verification value x ( t 1) for that client, and authenticates this client as indeed “ C ” if f i ( x ) = x ( t 1) . If the equation holds B stores x as x ( t ) . (It’s easy to generalize this to the case when C contacted B last on any day t < t : Just compute ( f i ) ( t t ) on x ( t ) and compare with x ( t ) .) Assume that the adversary E , who tries to authenticate himself as “ C ” to B too, can eavesdrop on all instances of the ( C, B ) authentication protocol but cannot interrupt any such instance. On the other hand E can initiate an instance of the authentication protocol with B himself and try to make B authenticate him as “ C ”. 1.1 [25 points] Prove that if the function collection { f i } defined by ( Gen, Sample, Eval ) is a One Way Permutation collection then the above authentication protocol is secure against the eaves- dropping adversary E in the following sense: Show that if there exists a PPT E which, after listening to some number k [1 , n ] of authentication sessions ( C, B ), has a non-negligible chance of being authenticated by B as “ C ” on a session that E initializes, then you can use such adversary E to create a PPT algorithm A which has a non negligible advantage in an attack against one-wayness of the OWP collection f i . In other words, algorithm A should succeed with non negligible probability in inverting permutation f i on value y = f i ( x ) for a random x D i . This will show that if the above authentication protocol is insecure against eavesdroppers (i.e. there exists a PPT attacker E which cheats the scheme with a significant S3-1

This preview has intentionally blurred sections. Sign up to view the full version.

enough probability) then the function collection { f i } cannot be a OWP collection. There- fore, by counterpositive, if { f i } is
This is the end of the preview. Sign up to access the rest of the document.
• Spring '04
• Jarecki
• Cryptography, DI, authentication scheme, one-way function fi, KGen

{[ snackBarMessage ]}

### What students are saying

• As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

Kiran Temple University Fox School of Business ‘17, Course Hero Intern

• I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

Dana University of Pennsylvania ‘17, Course Hero Intern

• The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

Jill Tulane University ‘16, Course Hero Intern