ICS 180: Introduction to Cryptography
5/11/2004
Solutions to homework 3

1 Authentication Scheme from One-Way Permutations

Let PPT algorithms (Gen, Sample, Eval) define a OWF (or OWP) $\{f_i\}_{i \in I}$. Suppose that players U and B use the following authentication scheme. For example, say that B is a bank's web portal and C is a web applet run by the bank's client. The scheme is designed to last for one year, and needs to be reinitialized after that:

Initialization Protocol: Let n = 365. B runs Gen(1 ) to pick a one-way function $f_i$ with security parameter and runs Sample(i) to pick a random element $x^{(n)}$ in the domain $D_i$ of $f_i$. Then B computes, for k going from n down to 1, values $x^{(k-1)} = f_i(x^{(k)}) = Eval(i, x^{(k)})$. (You'll see in a second why we are computing them backward rather than forward.) B keeps for himself $x^{(0)}$ as the verification value for C, and gives to C (over some secure channel) the root authentication secret $x^{(365)}$. C then regenerates all the $x^{(k)}$ values for k = 0, ..., 364 by consecutive applications of $f_i$. Let's denote k-times repeated application of $f_i$ as a function $(f_i)^{(k)}$ : $D_i$ { , 1 }. With this notation we have $x^{(n-k)} = (f_i)^{(k)}(x^{(n)})$ for every k.

Authentication Protocol: To authenticate himself to B on day t, C sends to B the value $x = x^{(t)}$ and announces that he is C. B then picks yesterday's verification value $x^{(t-1)}$ for that client, and authenticates this client as indeed C if $f_i(x) = x^{(t-1)}$. If the equation holds, B stores x as $x^{(t)}$. (It's easy to generalize this to the case when C contacted B last on any day $t' < t$: just compute $(f_i)^{(t-t')}$ on $x^{(t)}$ and compare with $x^{(t')}$.)

Assume that the adversary E, who tries to authenticate himself as C to B too, can eavesdrop on all instances of the (C, B) authentication protocol but cannot interrupt any such instance. On the other hand, E can initiate an instance of the authentication protocol with B himself and try to make B authenticate him as C.

1.1 [25 points]

Prove that if the function collection $\{f_i\}$ defined by (Gen, Sample, Eval) is a One-Way Permutation collection, then the above authentication protocol is secure against the eavesdropping adversary E in the following sense: show that if there exists a PPT E which, after listening to some number $k \in [1, n]$ of authentication sessions (C, B), has a non-negligible chance of being authenticated by B as C on a session that E initializes, then you can use such an adversary E to create a PPT algorithm A which has a non-negligible advantage in an attack against the one-wayness of the OWP collection $f_i$. In other words, algorithm A should succeed with non-negligible probability in inverting the permutation $f_i$ on the value $y = f_i(x)$ for a random $x \in D_i$. This will show that if the above authentication protocol is insecure against eavesdroppers (i.e. there exists a PPT attacker ...
 Spring '04
 Jarecki