ICS 180: Introduction to Cryptography
4/23/2004
Homework 3
Due Tuesday, 5/04/2004
[[ you get more than a week! ]]
1 Authentication Scheme from One-Way Permutations
Let PPT algorithms $(\mathit{Gen}, \mathit{Sample}, \mathit{Eval})$ define a OWF (or OWP) $\{f_i\}_{i \in I}$. Suppose that players $U$ and $B$ use the following authentication scheme. For example, say that $B$ is a bank’s web portal and $C$ is a web applet run by the bank’s client. The scheme is designed to last for one year, and needs to be reinitialized after that:
• Initialization Protocol: Let $n = 365$. $B$ runs $\mathit{Gen}(1^\tau)$ to pick a one-way function $f_i$ with security parameter $\tau$ and runs $\mathit{Sample}(i)$ to pick a random element $x^{(n)}$ in the domain $D_i$ of $f_i$. Then $B$ computes, for $k$ going from $n$ down to 1, values $x^{(k-1)} = f_i(x^{(k)}) = \mathit{Eval}(i, x^{(k)})$. (You’ll see in a second why we are computing them backward rather than forward.) $B$ keeps for himself $x^{(0)}$ as the “verification value” for $C$, and gives to $C$ (over some secure channel) the “root authentication secret” $x^{(365)}$. $C$ then regenerates all the $x^{(k)}$ values for $k = 0, \ldots, 364$ by consecutive applications of $f_i$. Let’s denote $k$ times repeated application of $f_i$ as a function $(f_i)^{(k)} : D_i \to \{0,1\}^*$. With this notation we have $x^{(n-k)} = (f_i)^{(k)}(x^{(n)})$ for every $k$.
• Authentication Protocol: To authenticate himself to $B$ on day $t$, $C$ sends to $B$ the value $x = x^{(t)}$ and announces that he is “$C$”. $B$ then picks yesterday’s verification value $x^{(t-1)}$ for that client, and authenticates this client as indeed “$C$” if $f_i(x) = x^{(t-1)}$. If the equation holds, $B$ stores $x$ as $x^{(t)}$. (It’s easy to generalize this to the case when $C$ contacted $B$ last on any day $t' < t$: Just compute $(f_i)^{(t-t')}$ on $x^{(t)}$ and compare with $x^{(t')}$.)
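The two protocols above, including the $t' < t$ generalization, as an added sketch that is not part of the original homework. It assumes SHA-256 as a stand-in for $f_i$ (a hash, not a permutation produced by $\mathit{Gen}$); the names `Client`, `Bank`, `iterate` and `initialize` are hypothetical.

```python
import hashlib
import secrets

N_DAYS = 365  # n in the scheme


def f(x: bytes) -> bytes:
    """Stand-in for f_i (assumption): SHA-256, not a true OWP."""
    return hashlib.sha256(x).digest()


def iterate(x: bytes, k: int) -> bytes:
    """(f_i)^(k): apply f to x, k times in a row."""
    for _ in range(k):
        x = f(x)
    return x


class Client:
    def __init__(self, root: bytes, n: int = N_DAYS):
        self.root, self.n = root, n  # root authentication secret x^(n)

    def token(self, t: int) -> bytes:
        # x^(t) = (f_i)^(n-t)(x^(n))
        if not 1 <= t <= self.n:
            raise ValueError("day out of range")
        return iterate(self.root, self.n - t)


class Bank:
    def __init__(self, verification: bytes, n: int = N_DAYS):
        # Stored verification value x^(t') and the day t' it belongs to.
        self.value, self.day, self.n = verification, 0, n

    def authenticate(self, t: int, x: bytes) -> bool:
        # Accept if (f_i)^(t-t')(x) == x^(t'), for t' < t <= n.
        if not self.day < t <= self.n:
            return False
        if not secrets.compare_digest(iterate(x, t - self.day), self.value):
            return False
        self.value, self.day = x, t  # x becomes the new verification value
        return True


def initialize(n: int = N_DAYS):
    """Initialization Protocol: returns (Client with x^(n), Bank with x^(0))."""
    root = secrets.token_bytes(32)  # plays the role of Sample(i)
    return Client(root, n), Bank(iterate(root, n), n)
```

The bank only ever stores a value that has already crossed the wire, which is why the chain is computed backward from $x^{(n)}$: each day's token is a preimage of the value the bank currently holds.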
Assume that the adversary $E$, who tries to authenticate himself as “$C$” to $B$ too, can eavesdrop on all instances of the ($C,B$
 Spring '04
 Jarecki
