on the cryptographic applications of random functions oded goldreich shafi goldwasser silvio micali...


Post on 20-Dec-2015


Page 1: On The Cryptographic Applications of Random Functions. Oded Goldreich, Shafi Goldwasser, Silvio Micali. Advances in Cryptology-CRYPTO '84. Presenter: 陳昱升

Page 2

Abstract

Some possible applications of random functions:

• Storageless distribution of secret IDs

• Dynamic hashing

• Message authentication and time-stamping

• An identify friend or foe system

Page 3

Outline

• Pseudorandom generators

• Pseudorandom functions

• 4 applications of random functions

• Solving Blum Blum & Shub open problem

Page 4

Pseudorandom Generators

• Informally, a pseudorandom generator is a polynomial time algorithm that, on a random input, outputs a long sequence such that the next bit in the sequence cannot be predicted in polynomial time.

[Figure: a secret random input feeds the pseudorandom generator, which outputs 010111001111010…; the next bit is marked "?".]

Page 5

Pseudorandom Functions

• Informally, a function is pseudorandom if any polynomial time algorithm, which asks for the values of the function at various points, cannot distinguish the values of the function from the outcome of independent coin flips.

[Figure: a polynomial algorithm sends x to the pseudorandom function f and receives f(x); comparing f(x) with the outcome of independent coin flips → indistinguishable.]

Page 6

Poly-Random Collections

• A poly-random collection F={Fk} has the following properties:

– Indexing: each function in Fk has a unique k-bit index.

– Poly-time evaluation: there exists a polynomial time algorithm that, given an index of a function f in Fk and an input x, computes f(x).

– Pseudo-randomness: no probabilistic polynomial-time algorithm can distinguish the functions in Fk from a truly random function.

[Figure: the collection Fk drawn as a set containing functions f, ….]

Page 7

Applications of random functions

1. Storageless Distribution of Secret IDs

2. Dynamic Hashing

3. Message Authentication and Time-Stamping

4. An Identify Friend or Foe System

Page 8

Storageless Distribution of Secret IDs - the problem

• The problem in distributing secret ID numbers:

– Every user should receive a secret ID from the system, which is easily verifiable by the system, but hard to compute by anyone else.

Page 9

Storageless Distribution of Secret IDs - a possible solution

• A possible solution could assign each user U a secret r, and store the pair (U,r) in a protected database.

– This solution requires storage proportional to the number of users.

Page 10

Storageless Distribution of Secret IDs - a storageless solution

• The server picks f in Fk at random and assigns each user U the value f(U) as her secret number.

• To verify whether (U,n) is a legal pair, the server computes f(U) and compares it with n.

[Figure: Alice sends (Alice, n) to the server; the server verifies n ?= f(Alice).]

Page 11

Storageless Distribution of Secret IDs - a storageless solution (cont.)

• Suppose that Alice has such a secret ID and that all of her relatives (A1,A2,…,Aq), who possess their own secret IDs, gang up to discover Alice's ID.

• For f picked from a poly-random collection, they could not compute f(Alice) given f(A1), f(A2), …, f(Aq).
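
Added example, not code from the slides or the paper: the table-based solution of slide 9 next to the storageless one of slides 10 and 11. HMAC-SHA256 keyed with k stands in for f from Fk (an assumption), and the class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class TableServer:
    """Slide 9: one stored secret r per user, so state grows with the user count."""

    def __init__(self):
        self.table = {}

    def issue(self, user: str) -> str:
        self.table[user] = secrets.token_hex(16)
        return self.table[user]

    def verify(self, user: str, n: str) -> bool:
        r = self.table.get(user)
        return r is not None and hmac.compare_digest(r.encode(), n.encode())


class StoragelessServer:
    """Slide 10: the only state is the index k that selects f from F_k."""

    def __init__(self, k: bytes):
        self._k = k

    def issue(self, user: str) -> str:
        # Assumption: HMAC-SHA256 keyed with k stands in for f; the ID is f(U).
        mac = hmac.new(self._k, user.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def verify(self, user: str, n: str) -> bool:
        # Recompute f(U) and compare in constant time; nothing is looked up.
        return hmac.compare_digest(self.issue(user).encode(), n.encode())


def demo() -> dict:
    table, keyed = TableServer(), StoragelessServer(secrets.token_bytes(32))
    users = ["Alice"] + [f"A{i}" for i in range(1, 6)]  # constructed: Alice, A1..A5
    ids = {u: keyed.issue(u) for u in users}
    for u in users:
        table.issue(u)
    return {
        "table_entries": len(table.table),              # one row per user
        "alice_ok": keyed.verify("Alice", ids["Alice"]),
        "relative_id_as_alice": keyed.verify("Alice", ids["A1"]),
        "reissue_same": keyed.issue("Alice") == ids["Alice"],
    }
```

The storageless server can re-derive any ID after a restart from k alone, which also means that disclosure of k exposes every user's ID at once.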

Page 12

Dynamic Hashing - the problem

• The problem of hashing a few long keys into shorter addresses with a very small probability of collisions.

Page 13

Dynamic Hashing - a possible solution

• Universal Hashing

– H is a finite collection of hash functions that map universe U into {0,1,…,m-1} and

$\Pr[\,h(k) = h(k') \mid h \in_R H,\ k \neq k'\,] \le \frac{1}{m}$

Page 14

Dynamic Hashing - a solution using generalized poly-random collection

• A generalized poly-random collection F={F_{p1(k),p2(k)}} is, similarly, a poly-random collection of functions from I_{p1(k)} into I_{p2(k)}.

• Our solution uses a function f chosen at random from F_{p1(k),p2(k)} as a hash function.

Page 15

Dynamic Hashing - a solution using generalized poly-random collection (cont.)

• This hashing function is more robust with respect to polynomial time computation than Universal Hashing.

– In their scheme, the adversary picks an arbitrary key distribution and the hashing performance is analyzed with respect to this fixed distribution.

– Our scheme allows the adversary to change the key distribution dynamically (adaptively) during the hashing process, upon seeing the previous hashing function values.

Page 16

Message Authentication and Time-Stamping - the problem

• Assume that all the employees of a large bank communicate through a public network. The employees need to authenticate the messages they send to each other.

Page 17

Message Authentication and Time-Stamping - solution

• Let all employees have access to authentication machines which compute a function fs in a poly-random collection.

• The tag associated with a message m is fs(m).

• To avoid playback attack, it is common practice to use time-stamps.

[Figure: an employee gives m to the authentication machine, receives fs(m), and sends (m, fs(m)).]
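
Added example, not code from the slides or the paper: a time-stamped tag and the receiver-side playback check. HMAC-SHA256 stands in for fs, and binding the time-stamp into the tagged data, the 30-second window and all names are assumptions.

```python
import hashlib
import hmac
import struct

MAX_SKEW = 30  # seconds a stamped tag stays acceptable (constructed policy value)


def tag(s: bytes, timestamp: int, m: bytes) -> bytes:
    # Fixed-width timestamp and length prefix keep (timestamp, m) unambiguous.
    data = struct.pack(">QI", timestamp, len(m)) + m
    # Assumption: HMAC-SHA256 keyed with s stands in for f_s.
    return hmac.new(s, data, hashlib.sha256).digest()


class Receiver:
    def __init__(self, s: bytes):
        self._s = s
        self._seen = {}  # accepted tag -> its timestamp, kept for one window

    def accept(self, timestamp: int, m: bytes, t: bytes, now: int) -> bool:
        if not hmac.compare_digest(tag(self._s, timestamp, m), t):
            return False  # forged, altered, or re-stamped without s
        if abs(now - timestamp) > MAX_SKEW:
            return False  # playback after the window closed
        self._seen = {k: ts for k, ts in self._seen.items()
                      if now - ts <= MAX_SKEW}
        if t in self._seen:
            return False  # playback inside the window
        self._seen[t] = timestamp
        return True


def demo() -> list:
    s = b"k" * 32  # constructed shared key
    rx = Receiver(s)
    m = b"transfer 100 to account 42"  # constructed message
    t = tag(s, 1000, m)
    return [
        rx.accept(1000, m, t, now=1005),   # fresh
        rx.accept(1000, m, t, now=1010),   # same message replayed at once
        rx.accept(1000, m, t, now=2000),   # replayed later
        rx.accept(1000, b"transfer 900 to account 42", t, now=1005),
        rx.accept(2000, m, t, now=2000),   # old tag under a new stamp
    ]
```

A time-stamp alone only bounds how long a copy stays valid; the per-window cache of accepted tags is what rejects a copy replayed while the stamp is still fresh.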

Page 18

An Identify Friend or Foe System - the problem

• The members of a large but exclusive society are well known for their brotherhood spirit.

• They face the danger of imposters trying to take advantage of their generosity.

• Upon meeting each other, they must execute a protocol for establishing membership.

Page 19

An Identify Friend or Foe System - the solution

• Each member receives a computer which calculates fs.

• When member A meets B, he asks “z?”. Only if B answers fs(z), will member A be convinced that B is a member.

[Figure: A sends z to B; B replies with fs(z).]
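
Added example, not code from the slides or the paper: the z / fs(z) exchange with a verifier that uses each challenge once. HMAC-SHA256 stands in for fs, and drawing z at random, the single-use rule and all names are assumptions.

```python
import hashlib
import hmac
import secrets


def f_s(s: bytes, z: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with s stands in for the members' f_s.
    return hmac.new(s, z, hashlib.sha256).digest()


class Member:
    def __init__(self, s: bytes):
        self._s = s
        self._pending = None

    def ask(self) -> bytes:
        # A fresh random z per meeting: a reused z could be answered from a recording.
        self._pending = secrets.token_bytes(16)
        return self._pending

    def answer(self, z: bytes) -> bytes:
        return f_s(self._s, z)

    def convinced(self, response: bytes) -> bool:
        z, self._pending = self._pending, None  # each challenge is single-use
        return z is not None and hmac.compare_digest(f_s(self._s, z), response)


class Outsider:
    """Holds only transcripts (z, f_s(z)) overheard between real members."""

    def __init__(self):
        self.recorded = {}

    def answer(self, z: bytes) -> bytes:
        return self.recorded.get(z, secrets.token_bytes(32))


def demo() -> tuple:
    s = secrets.token_bytes(32)
    a, b, eve = Member(s), Member(s), Outsider()
    z1 = a.ask()
    r1 = b.answer(z1)
    eve.recorded[z1] = r1                   # the first meeting was overheard
    genuine = a.convinced(r1)
    z2 = a.ask()
    replayed = a.convinced(eve.answer(z2))  # no recording matches the new z
    unsolicited = a.convinced(r1)           # no challenge is outstanding
    return genuine, replayed, unsolicited
```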

Page 20

Solving the Blum, Blum & Shub Open Problem

• Problem: whether direct access to exponentially far away bits in their pseudo-random pad is a “randomness preserving” operation.

[Figure: a random input feeds the pseudorandom generator, which outputs 010111……………..01111011; a bit exponentially far away is marked "? next bit".]

Page 21

Solving the Blum, Blum & Shub Open Problem (cont.)

• Having constructed pseudorandom function f, we have virtually constructed the k·2^k-bit long string s_f = f(1)f(2)…f(2^k).
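
Added example, not code from the slides or the paper: reading one bit of s_f directly, without producing the bits before it. The slides do not say how f is built, so this assumes the tree construction over a length-doubling generator G, with SHA-256 standing in for G; k = 128 and all names are hypothetical.

```python
import hashlib

K = 128          # k: seed, input and output length in bits
KB = K // 8


def G(seed: bytes):
    # Assumption: SHA-256 stands in for a generator stretching k bits to 2k bits.
    out = hashlib.sha256(seed).digest()
    return out[:KB], out[KB:]


def f(seed: bytes, x: int) -> bytes:
    """Follow the k bits of x down a binary tree rooted at the seed."""
    node = seed
    for i in reversed(range(K)):
        node = G(node)[(x >> i) & 1]   # 0: left half of G, 1: right half
    return node


def bit_of_pad(seed: bytes, i: int) -> int:
    """Bit i (0-based) of s_f = f(1)f(2)...f(2^k), using only k calls to G."""
    if not 0 <= i < K * 2 ** K:
        raise IndexError("position outside the k*2^k-bit pad")
    block, offset = divmod(i, K)
    x = (block + 1) % 2 ** K           # assumption: f(2^k) maps to the all-zero input
    return (int.from_bytes(f(seed, x), "big") >> (K - 1 - offset)) & 1


def prefix_bits(seed: bytes, n_blocks: int) -> list:
    """Reference: the start of the pad produced sequentially, block by block."""
    bits = []
    for x in range(1, n_blocks + 1):
        v = int.from_bytes(f(seed, x), "big")
        bits.extend((v >> (K - 1 - j)) & 1 for j in range(K))
    return bits
```

Reaching the last bit of the pad costs the same k calls to G as reaching the first, whereas a sequential generator would have to step through every position in between.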

Page 22

Conclusion

• Pseudorandom generators

• Pseudorandom functions

• 4 applications of random functions

• Solving Blum Blum & Shub open problem