
2. Preliminaries and building blocks


國立政治大學 National Chengchi University

2.2 Building blocks

Several well-known primitives are routinely regarded as building blocks for constructing encryption schemes.

These techniques are adopted as black boxes (or, occasionally, white boxes): their functionality and security notions are used, while their implementation details are omitted. In this section, the building blocks needed for the later constructions are defined.

2.2.1 Hash function

In modern cryptosystems, hash functions [30] such as MD5, SHA-1 and SHA-256 are frequently adopted to map inputs of arbitrary length from the domain to a fixed-length co-domain efficiently. (MD5 and SHA-1 are named here for historical reasons only; both have public collision attacks, discussed below, and must not be used where collision resistance matters.) Some cryptosystems like [12], [31], [32] employ this mapping to bind different kinds of data, such as an ID, a serial number or a timestamp, into the cryptosystem. A secure hash function produces a fixed-length digest from an input of any length, and with overwhelming probability distinct inputs do not collide, so the output can serve as a message digest that attests to the integrity of the transmitted message. Several further requirements are attached to hash functions, such as the avalanche effect: two inputs that differ only slightly (perhaps in a single bit) yield outputs that look entirely unrelated, with about half of the output bits differing. Rigorously, the security of hash functions is discussed in the following two aspects:

• One-wayness (preimage resistance): A hash function H is called one-way if every polynomial-time adversary has only negligible probability of recovering the input x (or any other preimage x′ with H(x′) = H(x)) from the output H(x). In most cases the domain is much larger than the co-domain, so the mapping is many-to-one and every output has many preimages; one-wayness demands that none of them can be found efficiently.

$$\mathrm{Adv}^{\mathrm{OW}}_{\mathcal{A},H}(\kappa) \stackrel{\mathrm{def}}{=} \Pr\big[\, x \leftarrow \mathcal{A}(H(x)) \,\big] \qquad (8)$$

• Collision-resistance: A hash function H is said to be collision-resistant if it is computationally infeasible to find two different inputs that hash to the same output digest. By the pigeonhole principle, no hash function is absolutely collision-resistant, since the domain is far larger than the co-domain and collisions must exist. However, the co-domain is large enough that collisions are found only with negligible probability, provided the outputs are (close to) uniformly distributed over the co-domain. The generic birthday attack needs about 2^{n/2} evaluations for an n-bit digest, which is why the digest length is chosen so that 2^{n/2} is out of reach (n = 256 gives a 128-bit collision bound).

$$\mathrm{Adv}^{\mathrm{CR}}_{\mathcal{A},H}(\kappa) \stackrel{\mathrm{def}}{=} \Pr\big[\, (x \neq y) \wedge (H(x) = H(y)) : (x, y) \leftarrow \mathcal{A}(H) \,\big] \qquad (9)$$

Some properties of hash functions are omitted here, such as the hiding property and the puzzle-friendliness property, both of which play vital roles in blockchain and Bitcoin systems [33], [34].

It is worth noting that hash functions are seldom proved collision-resistant. Instead, most of them are believed to be collision-resistant and are used until a collision is found. A famous example is SHA-1, which was widely used for many years until a collision was found and announced by Google in February 2017 [35]. In that report, the cost of finding a collision is estimated at about 30 seconds on a smartphone for MD5 and about one year on 110 GPUs for SHA-1 (see Figure 6).

Figure 6: The complexity analysis of collision finding for existing hash functions
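The avalanche effect and the birthday bound described above can be measured directly. The following Python program is an added example, not code from the thesis: it flips one bit of a message and counts how many SHA-256 digest bits change, and it runs the generic birthday attack against a 32-bit truncation of SHA-256 (a stand-in for a short digest) to show that a collision appears after roughly 2^16 evaluations regardless of how strong the underlying function is. The message strings are constructed for the demonstration.

```python
# Added example, not part of the thesis: the avalanche effect and the
# birthday bound, measured on SHA-256 from the Python standard library.
import hashlib
import itertools
import math


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche(msg: bytes, bit: int = 0) -> int:
    """Flip a single bit of msg and return how many of the 256 digest bits change.
    For a good hash the answer is close to 128 (half of the output bits)."""
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(sha256(msg), sha256(bytes(flipped)))


def truncated_digest(data: bytes, nbits: int) -> int:
    """Model an nbits-bit hash function by keeping the leading nbits of SHA-256."""
    return int.from_bytes(sha256(data), "big") >> (256 - nbits)


def find_collision(nbits: int):
    """Generic birthday attack on the truncated hash: hash counter values until a
    digest repeats. Expected cost is about 2^(nbits/2) evaluations and does not
    depend on any weakness of SHA-256; for nbits = 256 this is hopeless, for
    nbits = 32 it finishes instantly. Returns (msg_a, msg_b, evaluations)."""
    seen = {}
    for counter in itertools.count():
        msg = counter.to_bytes(8, "big")
        digest = truncated_digest(msg, nbits)
        if digest in seen:
            return seen[digest], msg, counter + 1
        seen[digest] = msg


def birthday_work(nbits: int) -> float:
    """Expected evaluations before the first collision: about sqrt(pi/2 * 2^nbits)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)


if __name__ == "__main__":
    # Constructed input for the demonstration.
    print("digest bits changed by a one-bit flip:", avalanche(b"The quick brown fox"))
    a, b, n = find_collision(32)
    print(f"32-bit collision after {n} evaluations: {a.hex()} vs {b.hex()}")
    print("expected about", int(birthday_work(32)), "evaluations")
```

The same loop with `nbits = 256` would need about 2^128 evaluations, which is the point of the pigeonhole remark: collisions always exist, and security rests only on the cost of finding them.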

Random oracle model

Another spotlight of cryptographic hash functions is the random oracle model [36]–[38]. At a high level, no real hash function has truly random outputs; the random oracle model is a heuristic assumption that the outputs of the hash function are good enough to be replaced by those of a truly random function. In a security proof in the random oracle model (proof techniques are introduced in chapter 3), the adversary is not allowed to evaluate the hash function itself: it obtains hash values by sending hash queries to a hash oracle 𝒪 controlled by the simulator, which answers consistently with uniformly random values. By contrast, a proof is said to be in the standard model if the adversary can compute the hash values itself.


This is a strong assumption, so security in the standard model is considered more reliable than security in the random oracle model. The model is nevertheless very useful: for example, Fujisaki and Okamoto proposed a generic construction [39] that converts any PKE scheme that is merely one-way (or CPA secure) into a CCA2-secure scheme in the random oracle model¹. Some works like [37] argue that the assumption is too strong, so that security in the random oracle model need not imply any security in the real world. Other scholars maintain that security in the random oracle model remains valuable, since a reduction from a concrete hash function to the random oracle might still be established for natural schemes; proving such a reduction in general, however, appears to be a question of the same magnitude as the relation between P and NP.

2.2.2 Secret sharing

The concept of secret sharing was first proposed by Adi Shamir [40] and is depicted in Figure 7. It addresses the following scenario: someone owns a secret s and wants to share it among n users so that the two properties below hold after sharing.

• Any t participants are able to reconstruct the secret.

• Any set of at most t − 1 participants learns no information about the secret s.

The original work gives a sound t-out-of-n secret sharing scheme with perfect security. All arithmetic takes place in a finite field, typically ℤ_p for a prime p larger than both n and the secret. The secret owner first picks t − 1 random field elements (r_1, r_2, ⋯, r_{t−1}). Second, it forms the polynomial f(x) of degree t − 1 that is uniquely determined by the t points {(0, s), (1, r_1), (2, r_2), ⋯, (t − 1, r_{t−1})} in the plane; equivalently, f(x) = s + a_1 x + ⋯ + a_{t−1} x^{t−1} with uniformly random coefficients a_i. Then, for every i ∈ [1, n], the secret owner transmits the point (i, f(i)) to participant P_i through a secure channel, which completes the sharing algorithm. Any t participants can pool their points, rebuild f(x) by Lagrange interpolation and compute s ← f(0). On the other hand, any t − 1 participants cannot obtain the secret, because t points are necessary to determine a polynomial of degree t − 1: for every candidate secret s′ there is exactly one such polynomial passing through their t − 1 points and (0, s′), so every value of s is equally consistent with what they hold. That is, the scheme is perfectly secure against any insufficient set of participants. Secret sharing is widely adopted in numerous works such as [41], [42]. It is also applied to secret key storage in Bitcoin [33], [34] and blockchain systems.

¹ Public key encryption (PKE) and chosen ciphertext attacks (CCA) will be formally introduced in

Figure 7: Shamir secret sharing
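The sharing and reconstruction steps above, as an added example in Python (not the thesis's own code). It works over the prime field ℤ_p with a fixed Mersenne prime p, samples the polynomial by random coefficients (the same distribution as Shamir's random points), recovers f(0) by Lagrange interpolation, and shows that interpolating through only t − 1 shares yields a value unrelated to the secret. The secret value and parameters are constructed for the demonstration.

```python
# Added example, not the thesis's own code: Shamir's t-out-of-n secret sharing over
# the prime field Z_p. Shares are points on a random polynomial of degree t-1 with
# f(0) = secret; any t shares recover f(0) by Lagrange interpolation.
import secrets

P = 2**127 - 1  # a Mersenne prime; any prime larger than the secret and than n works


def share(secret: int, t: int, n: int, p: int = P):
    """Return n shares (i, f(i)), i = 1..n, any t of which reconstruct `secret`.
    f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} with uniformly random a_i; this is
    the same distribution as interpolating through (0, s) and t-1 random points."""
    if not (1 <= t <= n < p and 0 <= secret < p):
        raise ValueError("require 1 <= t <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x: int) -> int:
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]


def reconstruct(shares, p: int = P) -> int:
    """Lagrange interpolation at x = 0. With t correct shares this is the secret.
    With fewer than t shares it still returns a value, but that value is uniformly
    random over the choice of polynomial and carries no information about the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p        # product of (0 - x_j)
                den = den * (xi - xj) % p    # product of (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    secret = 0xC0FFEE                       # constructed secret for the demo
    shares = share(secret, t=3, n=5)
    print("any 3 of 5 shares recover it:", reconstruct([shares[4], shares[0], shares[2]]) == secret)
    print("2 shares recover it:", reconstruct(shares[:2]) == secret)
```

The field must be a field: sharing over the integers or over ℤ_m with composite m leaks information, because the interpolation step needs every difference x_i − x_j to be invertible.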

2.2.3 Commitment

A cryptographic commitment [43], [44] acts like a sealed envelope. Someone seals a value inside the envelope and places it on a public platform; at this point nobody learns the content. Later, the same party opens the envelope to reveal the value. In this setting two properties are expected to hold:

the value stays secret before opening, and the value cannot be changed at opening time. The former is called hiding and the latter binding. Let c ← commit(x, r) be a commitment to the value x using randomness r of high min-entropy; the two properties are formalized as follows.

• Hiding: Given commit(x, r), it is hard to learn x; more precisely, commitments to two different values are indistinguishable. The probability of breaking the hiding property of a commitment is estimated as:

$$\mathrm{Adv}^{\mathrm{hiding}}_{\mathcal{A},\mathrm{commit}}(\kappa) \stackrel{\mathrm{def}}{=} \Pr\big[\, x \leftarrow \mathcal{A}(\mathrm{commit}(x, r)) \,\big] \qquad (10)$$


• Binding: It is hard to find two value-randomness pairs (x, r) and (x′, r′) with x ≠ x′ that are committed to the same commitment. (Two openings of the same value with different randomness do not count as a break.) That is:

$$\mathrm{Adv}^{\mathrm{binding}}_{\mathcal{A},\mathrm{commit}}(\kappa) \stackrel{\mathrm{def}}{=} \Pr\big[\, \mathrm{commit}(x, r) = \mathrm{commit}(x', r') \wedge x \neq x' : (x, x', r, r') \leftarrow \mathcal{A} \,\big] \qquad (11)$$

Theorem 1: A commitment cannot be both perfectly hiding and perfectly binding.

Proof. At least, it is impossible in a two-party setting. The term perfect means that even an adversary with unbounded computational power breaks the hiding (or binding) property with probability 0. The proof is intuitive. Perfect binding means that no commitment c can be opened to two different values: for every c there is at most one x such that c = commit(x, r) for some r.

Now take a value x, some randomness r, and the commitment c = commit(x, r).

Perfect hiding would require c to be equally likely to be a commitment to any other value y ≠ x, so for every such y there would have to be some r′ with commit(y, r′) = c; but by perfect binding no such r′ exists. Hence an unbounded adversary that enumerates all pairs (y, r′) always recovers the unique x committed in c, and the commitment is not hiding at all. This contradiction shows that a commitment with perfect hiding and perfect binding is infeasible in a two-party setting. In [43], an additional trusted third party is employed to construct a commitment that achieves both.

Pedersen commitments

Let g, h be two generators of a multiplicative cyclic group 𝔾 of prime order q such that the discrete logarithm log_g h is unknown to the committer (in practice h is derived from a public seed by hashing into the group). For a value x ∈ ℤ_q, the Pedersen commitment [44] is computed as c ← g^x h^r with r ←$ ℤ_q, and it is opened by providing (x, r).

The Pedersen commitment is computationally binding under the hardness of the DL problem in 𝔾: from two openings (x, r) and (x′, r′) of the same c with x ≠ x′, one obtains log_g h = (x − x′)/(r′ − r) mod q. In other words, the Pedersen commitment is binding if Adv^{DL}_{𝒜,𝔾}(κ) is negligible. On the other hand, it is perfectly hiding, because for every commitment c ← g^x h^r and every other value x′ ∈ ℤ_q there is exactly one r′ ∈ ℤ_q with g^{x′} h^{r′} = c; hence c is uniformly distributed in 𝔾 whatever x is, and reveals nothing about it.
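The following Python program is an added example (not the thesis's own code) of a Pedersen commitment in a toy prime-order subgroup of ℤ_p^*. The parameters p = 1019, q = 509 are chosen so that the exhaustive check of perfect hiding (every value has the whole subgroup as its set of possible commitments) runs instantly; they are far too small for real use, where the discrete logarithm would be brute-forced. The generators are derived by hashing public seeds, which is how one arranges that nobody knows log_g h. The `equivocate` function shows what goes wrong when that requirement is violated: a committer who knows the trapdoor a = log_g h can open any commitment to any value.

```python
# Added example, not part of the thesis: Pedersen commitments in a toy prime-order
# group, the unique-opening property behind perfect hiding, and the trapdoor that
# breaks binding when log_g h is known.
import hashlib
import secrets
from typing import Optional

# Toy parameters, chosen only so the exhaustive checks below run instantly:
# p = 2q + 1 is a safe prime, so the quadratic residues mod p form a subgroup
# of prime order q. A real deployment uses a 2048-bit p or an elliptic-curve group.
P = 1019
Q = 509


def hash_to_subgroup(seed: bytes) -> int:
    """Derive a generator of the order-q subgroup from a public seed. Squaring a
    random element lands in the subgroup, and because g and h come from
    independent hashes nobody knows log_g h (assuming the DL problem is hard)."""
    while True:
        x = int.from_bytes(hashlib.sha256(seed).digest(), "big") % P
        g = pow(x, 2, P)
        if g not in (0, 1):
            return g
        seed = hashlib.sha256(seed).digest()


G = hash_to_subgroup(b"pedersen-g")
H = hash_to_subgroup(b"pedersen-h")


def commit(x: int, r: Optional[int] = None, h: int = H):
    """c = g^x h^r with r uniform in Z_q. Returns (c, r); the committer keeps r."""
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(G, x % Q, P) * pow(h, r % Q, P)) % P, r


def open_commitment(c: int, x: int, r: int, h: int = H) -> bool:
    """Verifier side: accept the opening (x, r) iff it recomputes c."""
    return commit(x, r, h)[0] == c


def commitment_support(x: int, h: int = H):
    """All commitments to x over every r in Z_q. Perfect hiding: this set is the
    whole subgroup for every x, so c reveals nothing about x."""
    return {commit(x, r, h)[0] for r in range(Q)}


def equivocate(x: int, r: int, x_new: int, a: int) -> int:
    """Binding relies on log_g h being unknown. With the trapdoor a = log_g h, a
    commitment to x opens to any x_new, since g^x h^r = g^x_new h^r' holds for
    r' = r + (x - x_new) * a^{-1} mod q."""
    return (r + (x - x_new) * pow(a, -1, Q)) % Q


if __name__ == "__main__":
    c, r = commit(42)
    print("opens as 42:", open_commitment(c, 42, r), "opens as 43:", open_commitment(c, 43, r))
    print("support of every value is the whole subgroup:",
          len(commitment_support(1)) == Q == len(commitment_support(2)))
    a = 123                        # trapdoor: h_bad = g^a is known to the committer
    h_bad = pow(G, a, P)
    c_bad, r_bad = commit(7, h=h_bad)
    print("equivocated opening accepted:",
          open_commitment(c_bad, 99, equivocate(7, r_bad, 99, a), h_bad))
```

The practical lesson is the generation of h: if the party who chooses h can pick it as g^a, the commitment is no longer binding for that party, so h must come from a public, verifiable procedure such as hashing into the group.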


2.2.4 Key derivation function

A key derivation function (KDF) [45], [46] is a particular function usually built from hash functions (for instance from HMAC). From input key material with high min-entropy, the KDF deterministically outputs one or more high min-entropy keys for other cryptosystems such as encryption schemes or pseudorandom functions. Let Σ be a source of key material. A key derivation function KDF is called (t, q, ε(κ))-secure with respect to Σ if for any algorithm 𝒜 running in time t with at most q oracle queries, the advantage Adv^{KDF}_𝒜(κ) ≤ ε(κ) for distinguishing the output of KDF(k, c) from a uniformly random string of the same length, where (k, α) ← Σ, k is the secret key material and α is some side information. It is assumed that 𝒜 knows α, has control over the context information c, and has oracle access to KDF(k, ·), which cannot be queried on the challenge context c.

2.2.5 Pseudo random function

A pseudorandom function [47], [48] is a keyed function that takes a high min-entropy key and an input (seed) and outputs a value that looks random. Let k be a high min-entropy key; no polynomial-time adversary can distinguish the value PRF(k, s) from a random value.

The formal security definition of the PRF is described by the following experiment. PRF is called (t, q, ε(κ))-secure if for any algorithm 𝒜 running in time t with at most q oracle queries, the advantage Adv^{PRF}_𝒜(κ) ≤ ε(κ) for distinguishing the output PRF(k, s) from the output of a truly random function f with the same output length, where 𝒜 has oracle access to 𝒪^{PRF}(·), which implements either PRF(k, ·) or f(·) and which cannot be queried on the challenge input s.

2.2.6 Message authentication code

A message authentication code [49] is a keyed primitive frequently adopted to ensure the integrity and authenticity of transmitted data. It consists of three algorithms:

• MKGen(1^κ): on input the security parameter κ, output a key mk ← {0, 1}^κ.

• Tag(mk, m): on input a key mk and a message m, output a tag μ ← Tag(mk, m).

• Vrfy(mk, m, μ): on input a key mk, a message m and a tag μ, output 1 if μ is a valid tag for m and 0 otherwise.


A message authentication code is secure (existentially unforgeable under chosen-message attack) if no polynomial-time adversary can forge a valid tag on a message without knowing the corresponding key. Let mk ← MKGen(1^κ), and let the oracle 𝒪^{Tag}(·) return Tag(mk, m) on query m. The security is formalized by the following probability, with the single restriction that the output message m has never been queried to 𝒪^{Tag}(·):

$$\mathrm{Adv}^{\mathrm{forge}}_{\mathcal{A},\mathrm{MAC}}(\kappa) \stackrel{\mathrm{def}}{=} \Pr\big[\, 1 = \mathrm{Vrfy}(mk, m, \mu) : (m, \mu) \leftarrow \mathcal{A}^{\mathcal{O}^{\mathrm{Tag}}(\cdot)} \,\big] \qquad (13)$$
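The triple (MKGen, Tag, Vrfy) and the forgery experiment of (13), as an added example in Python (not the thesis's own code). The MAC is instantiated with HMAC-SHA256 from the standard library; the `TagOracle` class records every message sent to 𝒪^{Tag}(·) so that the experiment can enforce the "never queried" restriction, and two constructed adversaries show the two ways a naive forgery fails: replaying a queried message (disqualified by the restriction) and reusing a tag on a modified message (rejected by Vrfy). The verification uses a constant-time comparison, which the definition does not mention but which a real implementation needs to avoid leaking the tag byte by byte.

```python
# Added example, not the thesis's own code: the MAC algorithms (MKGen, Tag, Vrfy)
# instantiated with HMAC-SHA256, and the forgery experiment behind equation (13).
import hashlib
import hmac
import secrets

KAPPA = 32  # security parameter in bytes: a 256-bit key


def mkgen(kappa: int = KAPPA) -> bytes:
    """MKGen(1^kappa): a uniformly random key of kappa bytes."""
    return secrets.token_bytes(kappa)


def tag(mk: bytes, m: bytes) -> bytes:
    """Tag(mk, m) = HMAC-SHA256(mk, m)."""
    return hmac.new(mk, m, hashlib.sha256).digest()


def vrfy(mk: bytes, m: bytes, mu: bytes) -> int:
    """Vrfy(mk, m, mu): 1 iff mu is the tag of m. compare_digest runs in time
    independent of where the tags first differ, closing a timing side channel
    that a plain == comparison would open."""
    return 1 if hmac.compare_digest(tag(mk, m), mu) else 0


class TagOracle:
    """The oracle O^Tag(.) of the experiment: answers Tag queries under the
    hidden key and records which messages were queried."""

    def __init__(self, mk: bytes):
        self._mk = mk
        self.queried = set()

    def query(self, m: bytes) -> bytes:
        self.queried.add(m)
        return tag(self._mk, m)


def forgery_experiment(adversary, kappa: int = KAPPA) -> int:
    """Run the game of (13): 1 iff the adversary outputs (m, mu) with Vrfy = 1
    and m was never submitted to the oracle."""
    mk = mkgen(kappa)
    oracle = TagOracle(mk)
    m, mu = adversary(oracle)
    if m in oracle.queried:
        return 0
    return vrfy(mk, m, mu)


# Two constructed adversaries that illustrate the restriction and the security goal.
def replay_adversary(oracle: TagOracle):
    """Replays an oracle answer verbatim: a valid tag, but on a queried message."""
    m = b"transfer 100 to alice"
    return m, oracle.query(m)


def splice_adversary(oracle: TagOracle):
    """Keeps a tag and changes the message; Vrfy rejects it with overwhelming probability."""
    mu = oracle.query(b"transfer 100 to alice")
    return b"transfer 900 to alice", mu


if __name__ == "__main__":
    print("replay adversary wins:", forgery_experiment(replay_adversary))
    print("splice adversary wins:", forgery_experiment(splice_adversary))
```

A practical companion to the definition: HMAC is used rather than the plain hash H(mk ‖ m), since a MAC must remain unforgeable even when the adversary may ask for tags on messages of its choice, and the keyed construction is what provides that.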
