An Implementation of Efficient Pseudo-Random Functions. Michael Langberg. March 25, 1998.


Abstract

Naor and Reingold [3] have recently introduced two new constructions of very efficient pseudo-random functions, proven to be as secure as the decisional version of the Diffie-Hellman [2] assumption or the assumption that factoring is hard. In this site we define and exhibit an implementation of the construction which is based on the decisional Diffie-Hellman assumption.

1 Naor and Reingold's main construction

Naor and Reingold define a pseudo-random function $\tilde f_{P,Q,g,\vec a}$ as follows. The key of each pseudo-random function is a tuple $\langle P, Q, g, \vec a \rangle$, where $P$ is a large prime, $Q$ a large prime divisor of $P-1$, $g$ an element of order $Q$ in $Z_P^*$, and $\vec a = \langle a_0, a_1, \ldots, a_n \rangle$ a uniformly distributed sequence of $n+1$ elements in $Z_Q$. For any $n$-bit input $x = x_1 x_2 \ldots x_n$, the function $\tilde f_{P,Q,g,\vec a}$ is defined by:

$$\tilde f_{P,Q,g,\vec a}(x) \stackrel{\text{def}}{=} \left(g^{a_0}\right)^{\prod_{x_i = 1} a_i} \bmod P$$

This function is the core of our implementation.

2 Implementation

2.1 Outline

The function $\tilde f_{P,Q,g,\vec a}$ has domain $\{0,1\}^n$ and range $\langle g \rangle$ (the subgroup of $Z_P^*$ generated by $g$). We now show how to adjust $\tilde f_{P,Q,g,\vec a}$ in order to get a $\{0,1\}^* \to \{0,1\}^\ell$ pseudo-random function, i.e., the input of the function is a bit string of arbitrary length and the output is a pseudo-random bit string of fixed length $\ell$ (instead of a pseudo-random element in $\langle g \rangle$). For every input $x \in \{0,1\}^*$ the function $f = f_{P,Q,g,\vec a,\hat h,h} : \{0,1\}^* \to \{0,1\}^\ell$ we implement is defined by:

$$f(x) = h\big(\tilde f(\hat h(x), 0),\ \tilde f(\hat h(x), 1)\big)$$

where $\hat h, h$ are two hash functions (defined below) and $\tilde f = \tilde f_{P,Q,g,\vec a}$. In words, the computation of $f$ is as follows: First apply $\hat h$ on the input to get $y = \hat h(x)$. Then compute two pseudo-random elements $\tilde f(y, 0)$ and $\tilde f(y, 1)$ in $\langle g \rangle$. Finally concatenate these elements and hash the outcome by the second hash function $h$.

2.2 The Role and Definition of $\hat h$

The first step in the computation of $f$ is hashing the input $x \in \{0,1\}^*$ to receive an element $y = \hat h(x)$ such that $(y, 0)$ and $(y, 1)$ are in the domain of the pseudo-random function $\tilde f$. In order for $\tilde f(\hat h(x), \cdot)$ to be pseudo-random it is enough to require that for any two different inputs $x, y \in \{0,1\}^*$ the probability of collision, $\Pr_{\hat h}[\hat h(x) = \hat h(y)]$, is negligible. To get this we define $\hat h = \hat h_r : \{0,1\}^* \to Z_R$ as follows:

$$\hat h_r(m) = \Big(\sum_{i=1}^{k} m_i\, r^{i-1}\Big) \bmod R$$

where $R$ is a 161-bit prime, $r$ (the key of $\hat h$) is a uniformly distributed element in $Z_R$, and the input $m$ is partitioned into a sequence $\langle m_1, \ldots, m_k \rangle$ of elements in $Z_R$. With this definition the collision probability on any two inputs of length at most $160k$ is bounded by $k/R \le k/2^{160}$. The probability of collision for some pair of inputs among $\ell$ arbitrarily chosen inputs is bounded by $k\ell^2/2^{160}$. For practical values of $\ell$ and $k$ this probability is sufficiently small.

2.3 The Role and Definition of $h$

As mentioned above, on input $y \in \{0,1\}^n$ our core function $\tilde f$ will output a pseudo-random element in the subgroup $\langle g \rangle$. Converting this element into a pseudo-random value in $\{0,1\}^\ell$ is done using a second hash function $h : (Z_R)^k \to Z_R$. The requirement from $h$ is that for any pair of different inputs $x, y$ the collision probability $\Pr_h[h(x) = h(y)]$ is $1/R$ (or "extremely close" to this value). Therefore, we cannot define $h = h_y$ in the same way we defined $\hat h$. Rather than that we use the following definition:

$$h_y(m) = \Big(\sum_{i=1}^{k} m_i\, y_i\Big) \bmod R$$

where $R$ is a 161-bit prime (as above), $y = \langle y_1, \ldots, y_k \rangle$ (the key of $h$) is a uniformly distributed sequence of elements in $Z_R$, and the input $m = \langle m_1, \ldots, m_k \rangle$ is a sequence of elements in $Z_R$.

With this definition of $h$ we can conclude from [3] that if $X$ is a random variable uniformly distributed over a set of size $2^{400}$, then for all but a fraction $2^{-80}$ of the choices of $y$ the random variable $h(X)$ is of statistical distance at most $2^{-80}$ from the uniform distribution over $Z_R$. Therefore, if $X$ is a pseudo-random element in such a set then (for all but a fraction $2^{-80}$ of the choices of $y$) the random variable $h(X)$ is a pseudo-random value in $Z_R$. Note that choosing $R$ extremely close to $2^{160}$ guarantees $h(X)$ to be pseudo-random in $\{0,1\}^{160}$. In our case, for any $x \in \{0,1\}^*$ the value $\tilde f(\hat h(x))$ is pseudo-random in $\langle g \rangle$. Thus if we fix $Q \approx 2^{400}$ (implying the size of $\langle g \rangle$ to be $2^{400}$) we can define our pseudo-random function as

$$f(x) = h\big(\tilde f(\hat h(x))\big) : \{0,1\}^* \to \{0,1\}^{160}$$
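The construction of Sections 2.1 to 2.3 in working code, as an added example; this is not the report's NTL implementation. It uses constructed toy parameters $P = 607$, $Q = 101$, $R = 2^{16}+1$ and 16-bit words in place of the 1000/200/161-bit constants, draws the $a_i$ from $Z_Q \setminus \{0\}$ (an assumption of the example, so no exponent collapses to zero), and derives the exponent for $(y, 1)$ from the one for $(y, 0)$ with a single multiplication modulo $Q$.

```python
import random

# Constructed toy key (not the report's 1000/200/161-bit constants): P = 607 and
# Q = 101 are primes with Q | P - 1, so G = 2^((P-1)/Q) mod P = 64 != 1 has order
# exactly Q; R = 2^16 + 1 is prime, so every 16-bit word is an element of Z_R.
P, Q, R = 607, 101, 65537
G = pow(2, (P - 1) // Q, P)
WORD = 16                              # width of the words m_i fed to both hashes
N = R.bit_length() + 1                 # |y| = 17 bits (y < R) plus the extra bit
ELEM_BYTES = (P.bit_length() + 7) // 8
K = -(-(2 * ELEM_BYTES * 8) // WORD)   # words in two concatenated <g> elements

def keygen(seed):
    """Secret key: a_0..a_N in Z_Q (kept nonzero, an assumption of this example),
    r in Z_R for hat h and y_1..y_K in Z_R for h."""
    rng = random.Random(seed)
    return ([rng.randrange(1, Q) for _ in range(N + 1)],
            rng.randrange(R),
            [rng.randrange(R) for _ in range(K)])

def words(data, width=WORD):
    """Partition a byte string into big-endian width-bit words m_1..m_k."""
    count = max(1, -(-(len(data) * 8) // width))
    n = int.from_bytes(data, "big")
    return [(n >> (width * (count - 1 - i))) & ((1 << width) - 1) for i in range(count)]

def h_hat(r, data):
    """hat h_r(m) = sum_i m_i r^(i-1) mod R (Section 2.2); two k-word inputs
    collide with probability at most k/R over the choice of r."""
    return sum(m * pow(r, i, R) for i, m in enumerate(words(data))) % R

def h(y, elems):
    """h_y(m) = sum_i m_i y_i mod R (Section 2.3) over the words of the
    concatenated group elements; distinct inputs collide with probability 1/R."""
    m = words(b"".join(e.to_bytes(ELEM_BYTES, "big") for e in elems))
    return sum(mi * yi for mi, yi in zip(m, y)) % R

def nr_exponent(a, bits):
    """Naor-Reingold exponent a_0 * prod_{x_i = 1} a_i, reduced mod Q
    (legitimate because G has order Q)."""
    e = a[0]
    for i, b in enumerate(bits, start=1):
        if b:
            e = e * a[i] % Q
    return e

def prf(key, data):
    """f(x) = h( tilde f(hat h(x), 0), tilde f(hat h(x), 1) ) as in Section 2.1."""
    a, r, y = key
    yhat = h_hat(r, data)
    bits = [(yhat >> (N - 2 - i)) & 1 for i in range(N - 1)]   # the N-1 bits of y
    e0 = nr_exponent(a, bits + [0])                  # exponent for the input (y, 0)
    e1 = e0 * a[N] % Q       # (y, 1) differs only in bit N: one multiplication mod Q
    return h(y, [pow(G, e0, P), pow(G, e1, P)])

if __name__ == "__main__":
    key = keygen(2024)
    for msg in (b"", b"hello", b"a longer input spanning several 16-bit words"):
        print(msg, "->", prf(key, msg))
```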

However, defining $Q$ of size 400 bits seems to be an overkill (in terms of security) and leads to an inefficient implementation. We therefore use the following optimization: We define $Q$ of size 200 bits and on input $x \in \{0,1\}^*$ we compute the element $\langle \tilde f(\hat h(x), 0), \tilde f(\hat h(x), 1) \rangle$, which is pseudo-random in $\langle g \rangle^2$. Since $\langle g \rangle^2$ is of size approximately $2^{400}$, we define $f : \{0,1\}^* \to \{0,1\}^{160}$ (by the previous analysis) to be

$$f(x) = h\big(\tilde f(\hat h(x), 0),\ \tilde f(\hat h(x), 1)\big)$$

This suggestion is more efficient than the previous one since the exponent of $g$ in the computation of $\tilde f(\hat h(x), 1)$ can be derived from the exponent of $g$ in the computation of $\tilde f(\hat h(x), 0)$ using a single modular multiplication.

2.4 The size of $P$ and $Q$

In our discussion so far we assumed that $\tilde f$ is a pseudo-random function. As shown by Naor and Reingold, this is true as long as the decisional version of the Diffie-Hellman assumption holds. In the current state of knowledge it seems that choosing $P$ of 1000 bits and $Q$ of 200 bits makes this assumption sufficiently safe.

2.5 Constants

The specific constants used in our implementation are as follows (digits were lost from the extracted text, so the additive offsets in $Q$ and $P$ and the base of $g$ are reproduced as printed and are not reliable):

1. $Q = 2^{200} + 35$, $P = (Q^4 - 95) \cdot Q + 1$.
2. $g = 11^{(P-1)/Q} \bmod P$.
3. $n = 160$.
4. $R = 2^{160} + 7$.

2.6 Large numbers

For all computations and primality checks involving large numbers we used the NTL package [4] by V. Shoup.

3 Key Generation

In this implementation the key $\langle P, Q, g, \vec a, \hat h, h \rangle$ was generated as follows.

The Triplet $\langle P, Q, g \rangle$. In order to define $\tilde f$ we need two large primes $P, Q$ such that $Q \mid (P-1)$ and an element $g \in Z_P^*$ of order $Q$. This task is achieved in three steps. First we find a prime $Q$ of 200 bits, then we find a prime $P$ of 1000 bits such that $P = \gamma Q + 1$ for some $\gamma \in \mathbb{N}$. The density of primes in the natural numbers allows us to find appropriate $Q$ and $\gamma$ quite easily. Finally we fix $g$ to be $\beta^{(P-1)/Q} \bmod P$ for some $\beta \in \mathbb{N}$ such that $g \neq 1$ (the primality of $Q$ ensures that the order of $g$ is exactly $Q$). Note that we do not insist that $P$, $Q$ and $g$ be uniform in their range (since it is not clear that such a requirement is essential for the Diffie-Hellman assumption).
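The three-step generation of the triplet $\langle P, Q, g \rangle$ described above, as an added example that is not the report's NTL code. Miller-Rabin stands in for NTL's primality test, the bit sizes are chosen by the caller (the report used 200 and 1000), and the seed makes the search repeatable.

```python
import random

_MR_RNG = random.Random(0)          # witnesses for Miller-Rabin (fixed seed: repeatable)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin primality test; it plays the role NTL's primality check
    plays in the report (Section 2.6)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:                # write n - 1 = d * 2^s with d odd
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(_MR_RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False             # composite witness found
    return True

def find_prime(bits, rng):
    """Step 1: the first probable prime at or above a random odd `bits`-bit start."""
    n = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
    while not is_probable_prime(n):
        n += 2
    return n

def generate_triplet(q_bits, p_bits, seed):
    """Return (P, Q, g): Q a q_bits-bit prime, P = gamma*Q + 1 a p_bits-bit
    prime, and g = beta^((P-1)/Q) mod P != 1, hence of order exactly Q."""
    rng = random.Random(seed)
    Q = find_prime(q_bits, rng)
    while True:                      # step 2: vary gamma until gamma*Q + 1 is prime
        gamma = rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))
        P = gamma * Q + 1
        if P.bit_length() == p_bits and is_probable_prime(P):
            break
    while True:                      # step 3: any beta works as long as g != 1
        g = pow(rng.randrange(2, P - 1), (P - 1) // Q, P)
        if g != 1:
            return P, Q, g

def has_order(g, Q, P):
    """Order of g in Z_P^* is exactly Q: Q is prime, so g != 1 and g^Q = 1 suffice."""
    return g != 1 and pow(g, Q, P) == 1

if __name__ == "__main__":
    P, Q, g = generate_triplet(64, 160, 1)   # small sizes; the report used 200 and 1000
    print(f"Q = {Q}\nP = {P}\ng = {g}\norder check: {has_order(g, Q, P)}")
```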

The Keys $\vec a$, $r$ and $y$. In order to implement $f$ a large amount of random (or pseudo-random) keys is needed. These keys can be generated by a pseudo-random generator which is a slight modification of our construction $f$. Let $\hat f_{P,Q,g,\hat a,h} = f_{P,Q,g,a,Id,h}$ where $a = \langle a_0, a_1, \ldots, a_n \rangle$, $\hat a = \langle 1, a_1, \ldots, a_n \rangle$ and $Id$ is the identity function. Following the proof in [3] it can be proven that $\hat f$ is pseudo-random on all inputs but $0$. Using $\hat f$ we implement the pseudo-random function

$$\hat f^{(1)}_{P,Q,g,\hat a_1,h} : \{0,1\}^3 \to \{0,1\}^{160}$$

This implementation itself uses a seed of 2880 random bits: 800 for the random key $\hat a_1$ and 2080 for the key $y$. Denoting $y_i = \hat f^{(1)}(i)$ for $i = 1, \ldots, 7$ we have, by our above analysis, that each $y_i$ is pseudo-random in $\{0,1\}^{160}$. Thus $\vec y = \langle y_1, \ldots, y_7 \rangle$ is pseudo-random in $\{0,1\}^{1120}$. Using $\vec y$ as a random source we can derive a new pseudo-random key, $\hat a_2$, with 5 elements by partitioning $\vec y$ into chunks of length $\lfloor \log Q \rfloor$. Choosing $Q$ such that $|Q - 2^{\lfloor \log Q \rfloor}| / Q$ is negligible guarantees that the elements received remain pseudo-random in $Z_Q$. Our new key now allows us to define

$$\hat f^{(2)}_{P,Q,g,\hat a_2,h} : \{0,1\}^4 \to \{0,1\}^{160}$$

Repeating the above procedure grants us a new pseudo-random $\vec y \in \{0,1\}^{2400}$, allowing us to define

$$\hat f^{(3)}_{P,Q,g,\hat a_3,h} : \{0,1\}^{11} \to \{0,1\}^{160}$$

Using $\hat f^{(3)}$ directly, all keys needed for our implementation can be manufactured.

As mentioned, the above process uses a random seed of size 2880; this can be improved by replacing the hash function $h$ with a new hash function $\tilde h$ that has a smaller random key but still fulfills the requirements regarding $h$ stated in the previous section. Therefore we define:

$$\tilde h_y(m) = \big(y_1\, \hat h_{y_2}(m) + y_3\, \hat h_{y_4}(m) + \hat h_{y_5}(m)\big) \bmod R$$

where $\hat h$ is the hash function defined in the previous section and $y = \langle y_1, \ldots, y_5 \rangle$ is a uniformly distributed sequence of elements in $Z_R$. Note that for any pair of different inputs $x, y$ the collision probability $\Pr_{\tilde h}[\tilde h(x) = \tilde h(y)]$ is extremely close to $1/R$ (at most $1/R + (13/2^{160})^3$) and the key of $\tilde h$ is of size 800 bits. This new hash function $\tilde h$ was not used originally in the implementation of our pseudo-random function $f$ because it is less efficient than $h$. All in all, the above construction with $\tilde h$ enables us to generate all random keys for the implementation of $f$ using a random seed of 1600 bits.

4 Efficiency

1. In order to compute $\tilde f_{P,Q,g,\vec a}(x)$ for $|x| = n$ we need at most $n$ multiplications modulo $Q$ and one exponentiation modulo $P$.

2. Computing the values of $g^{2^i} \bmod P$ for $i = 0, \ldots, \log Q$ as preprocessing improves our efficiency by turning the single modular exponentiation into $\log Q$ modular multiplications.

3. Additional preprocessing can improve the efficiency even further. For example, computing the values of $g^{j \cdot 4^i} \bmod P$ for all $j = 1, \ldots, 3$, $i = 0, \ldots, \log Q$ will turn the single modular exponentiation into $(\log Q)/2$ modular multiplications, and computing the values of $a_i a_{i+1}$ for $i = 0, \ldots, n$ will turn the $n$ modular multiplications into $n/2$ modular multiplications. For more details see [1]. In our implementation we preprocessed by computing $g^{j \cdot 32^i} \bmod P$ for all $j = 1, \ldots, 31$, $i = 0, \ldots, \log Q$. The reason for this specific choice is that, for technical reasons, our implementation performs part of its preprocessing on each run (and therefore there was no point in a more extensive preprocessing). In general, the more preprocessing done the faster the implementation will be.

4. The computation of $f$ consists of two computations of $\tilde f$ (that are not entirely independent) and two hash executions. All in all, computing $f$ with our constants takes about 0.5 seconds. As mentioned above, for technical reasons our implementation performs part of the preprocessing on each run, making our running time about one second per execution.

5 Security

The construction we implemented is as secure as the decisional version of the Diffie-Hellman [2] assumption. For this to be true we need the keys to be random and secret. In our implementation we used pseudo-random keys that are as secure as the main construction (of $f$). Regarding the secrecy of the keys, since we lack the means for secret 'bulletproof' storage it might be feasible to access the keys.

References

[1] E. F. Brickell, D. M. Gordon, K. S. McCurley and D. B. Wilson, Fast exponentiation with precomputation, Proc. Advances in Cryptology - EUROCRYPT '92, LNCS, Springer, 1992, pp. 200-207.

[2] W. Diffie and M. Hellman, New directions in cryptography, IEEE Trans. Inform. Theory, vol. 22(6), 1976, pp. 644-654.

[3] M. Naor and O. Reingold, Number-theoretic constructions of efficient pseudo-random functions. To appear in: Proc. 38th IEEE Symp. on Foundations of Computer Science, 1997.

[4] V. Shoup, NTL package, http://www.cs.wisc.edu/shoup/ntl.
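The preprocessing of Section 4 (items 2 and 3), as an added example that is not the report's code: the table $g^{j \cdot 32^i} \bmod P$ for $j = 1, \ldots, 31$ that turns the exponentiation into one multiplication per base-32 digit of the exponent, and the pairing $a_i a_{i+1}$ that halves the multiplications modulo $Q$. It runs on the constructed toy parameters $P = 607$, $Q = 101$; the window width $w$ and the odd-$n$ handling are the example's own choices.

```python
# Constructed toy parameters (the report used a 1000-bit P and a 200-bit Q).
P, Q = 607, 101                     # primes with Q | P - 1
G = pow(2, (P - 1) // Q, P)         # = 64, an element of order Q

def precompute(g, p, exp_bits, w=5):
    """Table T[i][j] = g^(j * 2^(w*i)) mod p for every base-2^w digit value j
    and every digit position i of an exp_bits-bit exponent.  w = 5 gives the
    report's g^(j * 32^i), j = 1..31, with T[i][0] = 1.  Done once per key."""
    positions = -(-exp_bits // w)
    table = []
    for i in range(positions):
        step = pow(g, 1 << (w * i), p)            # g^(32^i)
        row = [1]
        for _ in range((1 << w) - 1):
            row.append(row[-1] * step % p)        # g^(j * 32^i) for j = 1..31
        table.append(row)
    return table

def fixed_base_pow(table, e, p, w=5):
    """g^e mod p with one multiplication per nonzero base-2^w digit of e,
    i.e. about log_32(Q) multiplications instead of an exponentiation."""
    if e >> (w * len(table)):
        raise ValueError("exponent exceeds the precomputed range")
    result, mask = 1, (1 << w) - 1
    for i, row in enumerate(table):
        d = (e >> (w * i)) & mask
        if d:
            result = result * row[d] % p
    return result

def precompute_pairs(a, q):
    """a_1*a_2, a_3*a_4, ... mod q (item 3): one product per pair of key elements."""
    return [a[i] * a[i + 1] % q for i in range(1, len(a) - 1, 2)]

def nr_exponent_paired(a, pairs, bits, q):
    """a_0 * prod_{x_i = 1} a_i mod q using at most one multiplication per pair
    of input bits, i.e. n/2 instead of n multiplications mod q."""
    e = a[0]
    for k in range(0, len(bits) - 1, 2):
        b1, b2 = bits[k], bits[k + 1]             # bits x_{k+1}, x_{k+2}
        if b1 and b2:
            e = e * pairs[k // 2] % q
        elif b1:
            e = e * a[k + 1] % q
        elif b2:
            e = e * a[k + 2] % q
    if len(bits) % 2 and bits[-1]:                # odd n: last bit stands alone
        e = e * a[len(bits)] % q
    return e

if __name__ == "__main__":
    table = precompute(G, P, Q.bit_length())
    assert all(fixed_base_pow(table, e, P) == pow(G, e, P) for e in range(Q))
    print("table rows:", len(table), "entries per row:", len(table[0]) - 1)
```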