solutions 3

solutions 3 - ICS 180 Introduction to Cryptography...


ICS 180: Introduction to Cryptography, 5/11/2004

Solutions to homework 3

1 Authentication Scheme from One-Way Permutations

Let PPT algorithms $(Gen, Sample, Eval)$ define a OWF (or OWP) $\{f_i\}_{i \in I}$. Suppose that players U and B use the following authentication scheme. For example, say that B is a bank's web portal and C is a web applet run by the bank's client. The scheme is designed to last for one year, and needs to be reinitialized after that:

• Initialization Protocol: Let $n = 365$. B runs $Gen(1^{\tau})$ to pick a one-way function $f_i$ with security parameter $\tau$ and runs $Sample(i)$ to pick a random element $x^{(n)}$ in the domain $D_i$ of $f_i$. Then B computes, for $k$ going from $n$ down to 1, values $x^{(k-1)} = f_i(x^{(k)}) = Eval(i, x^{(k)})$. (You'll see in a second why we are computing them backward rather than forward.) B keeps for himself $x^{(0)}$ as the "verification value" for C, and gives to C (over some secure channel) the "root authentication secret" $x^{(365)}$. C then re-generates all the $x^{(k)}$ values for $k = 0, \ldots, 364$ by consecutive applications of $f_i$. Let's denote $k$-times repeated application of $f_i$ as a function $(f_i)^{(k)} : D_i \to \{0,1\}^*$. With this notation we have $x^{(n-k)} = (f_i)^{(k)}(x^{(n)})$ for every $k$.

• Authentication Protocol: To authenticate himself to B on day $t$, C sends to B value $x = x^{(t)}$ and announces that he is "C". B then picks yesterday's verification value $x^{(t-1)}$ for that client, and authenticates this client as indeed "C" if $f_i(x) = x^{(t-1)}$. If the equation holds, B stores $x$ as $x^{(t)}$. (It's easy to generalize this to the case when C last contacted B on any day $t' < t$: just compute $(f_i)^{(t-t')}$ on $x^{(t)}$ and compare with $x^{(t')}$.)

Assume that the adversary E, who tries to authenticate himself as "C" to B too, can eavesdrop on all instances of the (C, B) authentication protocol but cannot interrupt any such instance. On the other hand, E can initiate an instance of the authentication protocol with B himself and try to make B authenticate him as "C".

1.1 [25 points]

Prove that if the function collection $\{f_i\}$ defined by $(Gen, Sample, Eval)$ is a One Way Permutation collection then the above authentication protocol is secure against the eavesdropping adversary E in the following sense: Show that if there exists a PPT E which, after listening to some number $k \in [1, n]$ of authentication sessions (C, B), has a non-negligible chance of being authenticated by B as "C" on a session that E initializes, then you can use such adversary E to create a PPT algorithm A which has a non-negligible advantage in an attack against one-wayness of the OWP collection $f_i$. In other words, algorithm A should succeed with non-negligible probability in inverting permutation $f_i$ on value $y = f_i(x)$ for a random $x \in D_i$. This will show that if the above authentication protocol is insecure against eavesdroppers (i.e. there exists a PPT attacker...
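
The initialization and authentication protocols above, as an added Python example that is not part of the original homework. It assumes SHA-256 as a stand-in for $Eval(i, \cdot)$ (one-way in practice, but not a permutation as 1.1 requires); the names `Client`, `Bank`, `initialize`, `f` and `f_iter` are hypothetical, and the day `t` is the bank's own calendar day.

```python
import hashlib
import secrets

N = 365  # chain length n from the scheme (one value per day)

def f(x: bytes) -> bytes:
    """Assumed stand-in for Eval(i, x): SHA-256, one-way but not a permutation."""
    return hashlib.sha256(x).digest()

def f_iter(x: bytes, k: int) -> bytes:
    """(f)^(k): apply f to x k times."""
    for _ in range(k):
        x = f(x)
    return x

class Client:
    """C holds the root secret x^(n) and derives x^(t) = (f)^(n-t)(x^(n))."""
    def __init__(self, root: bytes, n: int = N):
        self.root, self.n = root, n

    def token(self, t: int) -> bytes:
        if not 1 <= t <= self.n:
            raise ValueError("day out of range")
        return f_iter(self.root, self.n - t)

class Bank:
    """B stores only the last accepted value x^(t') and its day t'."""
    def __init__(self, x0: bytes, n: int = N):
        self.value, self.day, self.n = x0, 0, n

    def authenticate(self, t: int, x: bytes) -> bool:
        # Accept only a strictly later day; check (f)^(t-t')(x) == x^(t').
        if not self.day < t <= self.n:
            return False
        if not secrets.compare_digest(f_iter(x, t - self.day), self.value):
            return False
        self.value, self.day = x, t  # x becomes the new verification value
        return True

def initialize(n: int = N):
    """Initialization: sample x^(n) for C, give B x^(0) = (f)^(n)(x^(n))."""
    root = secrets.token_bytes(32)
    return Client(root, n), Bank(f_iter(root, n), n)
```

B never stores anything that lets it produce a later day's value, so a value E has overheard on day $t$ only helps on a later day if E can invert `f`.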

This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
