There are various attacks on ‘hash then sign’ signature schemes, the most basic of which is the birthday attack. This attack is loosely motivated by the following scenario.
8.6 The birthday attack 181
Suppose that Fred wishes to forge Alice’s signature for a particular message $M_1$. Unsurprisingly Alice is unwilling to sign $M_1$; however, she is willing to sign another message $M_2$. Now almost certainly $h(M_1) \neq h(M_2)$ and so a valid signature for $M_2$ is not a valid signature for $M_1$. However, if Alice is willing to sign $M_2$ she may well also be willing to sign a message $M_2'$ that differs from $M_2$ in a few bits (for instance suppose some of the spaces in the message are replaced by tabs). Also Fred may be satisfied with a signature of a message $M_1'$ that only differs from $M_1$ in a few bits. With this in mind, Fred produces two lists of possible messages
$$\mathcal{M}_1 = \{M_{1,1}, M_{1,2}, \ldots, M_{1,n}\} \quad\text{and}\quad \mathcal{M}_2 = \{M_{2,1}, M_{2,2}, \ldots, M_{2,n}\}.$$
The first list consists of messages obtained from $M_1$ by changing a few bits and are all messages that Fred would like Alice to sign but which she would never be willing to sign. The second list consists of messages obtained from $M_2$ by changing a few bits and are all messages that Alice would be willing to sign. Now all Fred needs to do is to find a pair $M_1' \in \mathcal{M}_1$ and $M_2' \in \mathcal{M}_2$ such that $h(M_1') = h(M_2')$. Fred can then ask Alice to sign the message $M_2'$ (which she is happy to do) and later he can claim that Alice in fact signed the message $M_1'$ (a message that she would never have willingly signed).
If the hash function $h$ is truly collision-resistant then Fred will fail, since this attack requires him to find a collision. However, it shows how the ability to find even a single collision may have disastrous consequences for the security of a signature scheme. This leads us to consider the question of how Fred might go about finding a single collision for an arbitrary hash function.
Our next result, describing the birthday attack, shows that Fred may not need to examine too many messages before he finds a collision. To be precise it says that if Fred generates random messages and computes their hash values then with probability at least $1/2$ he finds a collision after generating $\sqrt{2|R|}$ messages, where $|R|$ is the total number of possible hash values for the hash function in question. Thus if we wish a hash function to be collision-resistant we must ensure that it maps messages to hash values consisting of $t$ bits, where $2^{(t+1)/2} = \sqrt{2|R|}$ is sufficiently large that generating $2^{(t+1)/2}$ random messages and corresponding hash values is infeasible for Fred.
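The two-list search described above, written out as an added example (this is not code from the book): it uses a constructed 24-bit hash, obtained by truncating SHA-256, and two constructed messages, and generates the variants exactly as the text suggests, by swapping spaces for tabs. The names (`toy_hash`, `variants`, `find_cross_collision`, `birthday_attack`) and all constants are this example’s own choices. Running it shows the work Fred spends sitting near $2^{t/2}$ hash evaluations for a $t$-bit hash, which is why the text requires a $t$ for which that many evaluations is infeasible.

```python
import hashlib

# Toy parameter (constructed for the example): a 24-bit hash so that the
# 2^(t/2) ~ 4096 work factor of the birthday attack fits on a laptop.
T_BITS = 24

# Two constructed messages: the one Alice would never sign and the one she is
# happy to sign.  Each has at least 18 spaces, which is where the "spaces
# replaced by tabs" variations of the text are introduced.
M1_UNSIGNABLE = ("I, Alice, agree to pay Fred the sum of one million dollars "
                 "on demand and without any conditions attached")
M2_HARMLESS = ("I, Alice, agree to meet Fred for lunch next Tuesday at noon "
               "in the usual place on the corner of the street")


def toy_hash(message: bytes) -> int:
    """h: {0,1}^* -> {0,1}^t, obtained by truncating SHA-256 to T_BITS."""
    digest = hashlib.sha256(message).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - T_BITS)


def variants(message: str, count: int):
    """Yield `count` distinct messages that differ from `message` only in
    which of its first log2(count) spaces have been replaced by tabs.
    Variant number v uses bit j of v to decide the fate of the j-th space."""
    positions = [i for i, ch in enumerate(message) if ch == " "]
    bits = max(1, (count - 1).bit_length())
    if len(positions) < bits:
        raise ValueError("message has too few spaces for that many variants")
    chars = list(message)
    for v in range(count):
        for j in range(bits):
            chars[positions[j]] = "\t" if (v >> j) & 1 else " "
        yield "".join(chars)


def find_cross_collision(m1: str, m2: str, n: int):
    """Fred's search with lists of size n: index the hashes of the harmless
    variants (the list M_2), then look each unsignable variant M_1' up in it.
    Returns (M_1', M_2', hashes_computed), or None if the lists do not cross."""
    table = {}
    hashed = 0
    for v2 in variants(m2, n):
        table[toy_hash(v2.encode())] = v2
        hashed += 1
    for v1 in variants(m1, n):
        hashed += 1
        hit = table.get(toy_hash(v1.encode()))
        if hit is not None:
            return v1, hit, hashed
    return None


def birthday_attack(m1: str = M1_UNSIGNABLE, m2: str = M2_HARMLESS,
                    start: int = 256):
    """Double the list size until the two lists share a hash value.
    Returns (M_1', M_2', total hash evaluations spent over all rounds)."""
    n, total = start, 0
    while True:
        result = find_cross_collision(m1, m2, n)
        if result is not None:
            v1, v2, hashed = result
            return v1, v2, total + hashed
        total += 2 * n
        n *= 2


if __name__ == "__main__":
    v1, v2, work = birthday_attack()
    print(f"collision on a {T_BITS}-bit hash after {work} hash evaluations "
          f"(2^(t/2) = {2 ** (T_BITS // 2)})")
    print("Alice signs :", repr(v2))
    print("Fred claims :", repr(v1))
```

The index-then-scan structure is what makes the search cost $2n$ hash evaluations rather than $n^2$ comparisons; doubling $n$ until the lists cross mirrors the theorem’s statement that around $2^{(t+1)/2}$ messages suffice with probability above $1/2$. Raising `T_BITS` by two quadruples neither list but doubles the expected work, which is the $2^{t/2}$ scaling the text relies on.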
Theorem 8.10 If $h : \{0,1\}^m \to \{0,1\}^t$, $3 \le t < m$, $n = 2^{(t+1)/2}$ and $M_1, \ldots, M_n \in_R \{0,1\}^m$ are chosen independently at random then
$$\Pr[\text{There is a collision}] > \tfrac{1}{2}.$$
Proof: Let us assume to start with that the hash function $h$ is regular, that is for every possible hash value $y \in \{0,1\}^t$ the number of messages $M \in \{0,1\}^m$ satisfying $h(M) = y$ is exactly $2^{m-t}$. Thus for any fixed hash value $y \in \{0,1\}^t$ and random message $M$ we have
$$\Pr[h(M) = y] = \frac{1}{2^t}.$$
Now if Fred chooses $n$ random messages independently from $\{0,1\}^m$ then the probability that they all have distinct hash values is the same as the probability that if $n$ balls are thrown independently and uniformly at random into $2^t$ bins then no bin contains more than one ball. The total number of ways of throwing $n$ balls into $2^t$ bins is $2^{tn}$, whereas the number of ways of throwing $n$ balls into $2^t$ bins so that no bin contains more than one ball is $n!\binom{2^t}{n}$. Hence we have
$$\Pr[\text{No collision}] = \frac{\binom{2^t}{n}\, n!}{2^{tn}} = \prod_{i=1}^{n-1}\left(1 - \frac{i}{2^t}\right).$$
We can now use the inequality $1 - x \le e^{-x}$ for $0 \le x \le 1$ to give
$$\Pr[\text{No collision}] \le \prod_{i=1}^{n-1} e^{-i/2^t}.$$
Using the fact that
$$1 + 2 + \cdots + (n-1) = \frac{n(n-1)}{2},$$
we obtain
$$\Pr[\text{No collision}] \le e^{-n(n-1)/2^{t+1}}.$$
So for $n = 2^{(t+1)/2}$ the probability that no collision occurs is at most $\exp\!\left(-1 + 1/2^{(t+1)/2}\right)$. Using the fact that $t \ge 3$ we have
$$\Pr[\text{No collision}] \le e^{-3/4} < \tfrac{1}{2}.$$
Hence
$$\Pr[\text{There is a collision}] > \tfrac{1}{2}.$$
If $h$ is not regular, that is certain hash values are more likely than others, the result also holds (see Exercise 8.4 for details). $\square$
This last result tells us that for a hash function to be secure against the birthday attack it must be true that generating $2^{t/2}$ messages and corresponding hash values is infeasible (where the hash value is a $t$-bit string). However, it says nothing about a lower bound on when this attack might succeed. In fact if the hash function is regular then the birthday attack is unlikely to succeed if fewer than $2^{t/2}$ messages are generated.
Proposition 8.11 If $h : \{0,1\}^m \to \{0,1\}^t$ is regular, $3 \le t < m$, $n = 2^{(t-k)/2}$ and $M_1, \ldots, M_n \in_R \{0,1\}^m$ are chosen independently at random then
$$\Pr[\text{There is a collision}] < \frac{1}{2^{k+1}}.$$
Proof: Since $h$ is regular we know that for each $y \in \{0,1\}^t$ we have $|h^{-1}(y)| = 2^{m-t}$. Let $F_i$ be the event that the $i$th message has a hash value that is the same as one of the earlier messages. Then
$$\Pr[F_i] \le \frac{i-1}{2^t},$$
so
$$\Pr[\text{There is a collision}] = \Pr[F_2 \cup F_3 \cup \cdots \cup F_n] \le \sum_{i=2}^{n} \Pr[F_i] \le \sum_{i=2}^{n} \frac{i-1}{2^t} = \frac{n(n-1)}{2^{t+1}}.$$
Hence
$$\Pr[\text{There is a collision}] < \frac{n^2}{2^{t+1}} \le \frac{2^{t-k}}{2^{t+1}} = \frac{1}{2^{k+1}}. \qquad \square$$
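The bounds in the proofs of Theorem 8.10 and Proposition 8.11, evaluated numerically, as an added example that is not part of the original text: it computes the exact product $\prod_{i=1}^{n-1}(1 - i/2^t)$ with rational arithmetic (feasible only for small $t$), compares it with the bound $e^{-n(n-1)/2^{t+1}}$ and with the union bound $n(n-1)/2^{t+1}$, and, since the calculation depends only on the number of bins, also handles the 365-day birthday problem of Exercise 8.9. The function names and the rounding of $n$ up to an integer when $t$ is even are this example’s own choices.

```python
from fractions import Fraction
from math import ceil, exp


def no_collision_exact(bins: int, n: int) -> Fraction:
    """Pr[No collision] for n items placed uniformly and independently into
    `bins` values, i.e. prod_{i=1}^{n-1} (1 - i/bins), as an exact rational.
    With bins = 2^t this is the product in the proof of Theorem 8.10."""
    p = Fraction(1)
    for i in range(1, n):
        p *= Fraction(bins - i, bins)
    return p


def no_collision_bound(bins: int, n: int) -> float:
    """The upper bound exp(-n(n-1)/(2*bins)) obtained from 1 - x <= e^{-x}."""
    return exp(-n * (n - 1) / (2 * bins))


def collision_union_bound(bins: int, n: int) -> Fraction:
    """Union bound of Proposition 8.11: Pr[collision] <= n(n-1)/(2*bins)."""
    return Fraction(n * (n - 1), 2 * bins)


def theorem_8_10(t: int) -> dict:
    """n = 2^((t+1)/2) messages into 2^t hash values.  Returns n, the exact
    no-collision probability, the proof's bound, and whether the theorem's
    claim Pr[collision] > 1/2 holds.  For even t, n is rounded up (example's choice)."""
    bins = 2 ** t
    n = ceil(2 ** ((t + 1) / 2))
    exact = no_collision_exact(bins, n)
    return {
        "n": n,
        "exact": exact,
        "bound": no_collision_bound(bins, n),
        "collision_gt_half": 1 - exact > Fraction(1, 2),
    }


def proposition_8_11(t: int, k: int):
    """n = 2^((t-k)/2) messages (t - k even) into 2^t values.  Returns the
    exact collision probability, the union bound, and the stated 1/2^(k+1)."""
    if (t - k) % 2:
        raise ValueError("t - k must be even so that n is an integer")
    bins = 2 ** t
    n = 2 ** ((t - k) // 2)
    return (1 - no_collision_exact(bins, n),
            collision_union_bound(bins, n),
            Fraction(1, 2 ** (k + 1)))


def birthday_room(people: int, days: int = 365) -> Fraction:
    """The same product with 365 bins: the classical birthday problem."""
    return 1 - no_collision_exact(days, people)


if __name__ == "__main__":
    for t in (3, 5, 8, 16):
        r = theorem_8_10(t)
        print(f"t={t:2d} n={r['n']:4d} Pr[no collision]={float(r['exact']):.4f} "
              f"bound={r['bound']:.4f} collision>1/2: {r['collision_gt_half']}")
    c, u, s = proposition_8_11(10, 2)
    print(f"t=10 k=2: exact {float(c):.4f} <= union bound {float(u):.4f} "
          f"< 1/2^(k+1) = {float(s):.4f}")
    print(f"23 people: {float(birthday_room(23)):.4f}, "
          f"22 people: {float(birthday_room(22)):.4f}")
```

For $t = 3$ the product is $(7/8)(6/8)(5/8) = 105/256 \approx 0.41$, below the bound $e^{-3/4} \approx 0.47$, which is itself below $1/2$; the gap between the exact value and the bound shows how loose $1 - x \le e^{-x}$ is, so $2^{(t+1)/2}$ messages is a safe but not tight estimate of when the attack succeeds.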
In fact one can show that the more ‘irregular’ the hash function is the quicker the birthday attack will succeed. Intuitively this is not surprising. As an extreme case think of a hash function that maps all messages to a single hash value. For details see Bellare and Kohno (2004).
Note that the hash function SHA-1 maps messages to hash values of 160 bits. So this result says that if SHA-1 is regular then the birthday attack is infeasible since $2^{80}$ messages are required. In general for any attack on a hash function to
Exercise 8.4$^h$
(a) Show that if $p_1 + p_2 + \cdots + p_N = 1$ and $p_i \ge 0$ for $1 \le i \le N$ then for $k \le N$
$$\sum p_{i_1} p_{i_2} \cdots p_{i_k} \le \binom{N}{k}\frac{k!}{N^k},$$
where the sum is over all choices of distinct $i_1, \ldots, i_k$ satisfying $1 \le i_j \le N$ for $1 \le j \le k$.
(b) Hence complete the proof of Theorem 8.10 by showing that if a hash function $h$ is not regular then the success probability of the birthday attack is at least as good as when $h$ is regular.
Problems
8.1$^a$ Estimate the complexity of the signing procedure of the RSA scheme. How does this compare with the time needed to verify a signature?
8.2$^a$ Repeat the above for the Elgamal signature scheme (assume that Alice uses a safe prime, that is $p = 2q + 1$, with $q$ also prime).
8.3$^h$ Suppose Alice uses a signature scheme based on Rabin’s cryptosystem with public key $n$ and private key $(p, q)$. So the signature of a message $M$ is $S$ such that $S^2 = M \bmod n$. Can all messages $0 \le M < n$ be signed? Given that she restricts her message space to those messages that can be signed, show that Fred can totally break this scheme using a chosen-message attack. (That is, Fred can recover Alice’s private key using an attack where he is first shown Alice’s public key and then chooses messages for Alice to sign.)
8.4$^a$ Show that if Fred sees two message-signature pairs $(M_1, S_1)$ and $(M_2, S_2)$ in the RSA scheme then he can forge the signature to the message $M_1 M_2 \bmod n$.
8.5$^h$ Show that the DSA scheme is existentially forgeable under a direct attack.
8.6$^a$ Suppose Alice sends two different messages $M_1$ to Bob and $M_2$ to Carol, and provides signatures for each message using the DSA. Show that if Alice is lazy and instead of choosing two different random values of $k$ (in step (2) of the DSA) she uses the same value for both signatures then it is possible for Eve to recover her private key $x_A$ from the signed messages.
8.7$^h$ Let $h : \{0,1\}^m \to \{0,1\}^t$ be a hash function, with $t \le m - 1$. Show that if $h$ can be inverted in polynomial time then there is a probabilistic
algorithm for finding a collision with polynomial expected running time.
8.8$^h$ Suppose that $h : \mathcal{M} \to \mathcal{H}$ is a hash function which sends messages $M \in \mathcal{M}$ to hash values $h(M) \in \mathcal{H}$. If $N(h)$ denotes the number of unordered pairs of messages which collide and $s_y = |h^{-1}(y)|$ for $y \in \mathcal{H}$, prove that
$$2N(h) = \sum_{y \in \mathcal{H}} s_y^2 - |\mathcal{M}|.$$
Hence show that $N(h)$ is minimised when the $s_y$ are all equal.
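An added check of the identity in Exercise 8.8 (not part of the original text): for a constructed toy hash from $\{0,1\}^{10}$ to $\{0,1\}^{8}$ it computes $N(h)$ both from $\sum_y s_y^2 - |\mathcal{M}|$ and by brute-force pair counting, and compares a regular hash with one built by truncating SHA-256, to see that the regular hash attains the minimum. The names and the sizes `M_BITS` and `T_BITS` are this example’s own.

```python
import hashlib
from collections import Counter
from itertools import combinations

# Toy sizes (constructed): domain {0,1}^M_BITS, range {0,1}^T_BITS.
M_BITS, T_BITS = 10, 8


def regular_hash(x: int) -> int:
    """A regular toy hash: keep the low T_BITS bits, so every hash value has
    exactly 2^(M_BITS - T_BITS) preimages."""
    return x & ((1 << T_BITS) - 1)


def truncated_sha(x: int) -> int:
    """A 'random-looking' toy hash: SHA-256 of the input, truncated to T_BITS.
    Its preimage sizes s_y come out uneven, so it is not regular."""
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[0] >> (8 - T_BITS)


def preimage_sizes(h) -> Counter:
    """s_y = |h^{-1}(y)| for every hash value y hit by some message."""
    return Counter(h(x) for x in range(1 << M_BITS))


def colliding_pairs_formula(h) -> int:
    """N(h) via the identity of Exercise 8.8: 2 N(h) = sum_y s_y^2 - |M|.
    (Values y that no message hits have s_y = 0 and contribute nothing.)"""
    sizes = preimage_sizes(h)
    twice_n = sum(s * s for s in sizes.values()) - (1 << M_BITS)
    return twice_n // 2


def colliding_pairs_bruteforce(h) -> int:
    """N(h) counted directly: unordered pairs of messages with equal hash."""
    values = [h(x) for x in range(1 << M_BITS)]
    return sum(1 for a, b in combinations(values, 2) if a == b)


def minimum_possible_pairs() -> int:
    """The minimum of N(h) over all h, attained when every s_y = |M|/|H|."""
    size = 1 << (M_BITS - T_BITS)
    return (1 << T_BITS) * size * (size - 1) // 2


if __name__ == "__main__":
    for name, h in (("regular", regular_hash), ("truncated SHA-256", truncated_sha)):
        print(f"{name:18s} N(h) formula = {colliding_pairs_formula(h):5d}  "
              f"brute force = {colliding_pairs_bruteforce(h):5d}")
    print("minimum possible N(h) =", minimum_possible_pairs())
```

For the regular hash every $s_y = 4$, so $N(h) = 256 \cdot \binom{4}{2} = 1536$; any uneven distribution of preimage sizes pushes $\sum_y s_y^2$, and with it $N(h)$, above this floor, which is the sense in which an irregular hash hands the birthday attack more colliding pairs to find.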
8.9$^h$ Prove that in a non-leap year, if at least 23 people are in a room then the probability that a pair share the same birthday is at least $1/2$.
8.10 Consider the hash function $h : \mathbb{Z}_q \times \mathbb{Z}_q \to \mathbb{Z}_p^*$ defined by
$$h(x, y) = a^x b^y \bmod p,$$
where $a, b$ are distinct primitive roots mod $p$ and $p, q$ are prime with $p = 2q + 1$.
(a) Show that if
$$h(x_1, y_1) = h(x_2, y_2),$$
with $(x_1, y_1) \neq (x_2, y_2)$, then $d = \gcd(y_2 - y_1, p - 1)$ is either 1 or 2.
(b) Show that if $d = 1$ then
$$\log_a b = (x_1 - x_2)(y_2 - y_1)^{-1} \bmod p - 1.$$
(c) Show that if $d = 2$ and $z = (y_2 - y_1)^{-1} \bmod q$ then
$$\log_a b = (x_1 - x_2) z \bmod p - 1$$
or
$$\log_a b = q + (x_1 - x_2) z \bmod p - 1.$$
(d) Deduce that if an adversary can find a collision in polynomial time then they can calculate $\log_a b \bmod p$ in polynomial time.
8.11$^a$ If the hash function of the previous question is to resist the birthday attack how large should $p$ be? (You may suppose that no forger is able to produce more than $2^{80}$ messages and corresponding hash
Further notes
We have given just a brief introduction to signature schemes. The origin of the concept appears to be the seminal paper of Diffie and Hellman (1976) and the first practical method was the RSA scheme in (Rivest, Shamir and Adleman, 1978).
The Elgamal scheme was introduced in the 1985 paper containing his public key cryptosystem. Other early schemes based on symmetric cryptosystems were proposed by Lamport (1979) and Rabin (1978).
Hash functions have a much longer history. They have many noncryptographic applications: Knuth (1973) traces them back to work at IBM in 1953. The introduction of the concept of a one-way hash function seems to have been the papers of Rabin (1978), Merkle (1978) and Davies and Price (1980). Mitchell, Piper and Wilde (1992) is an interesting review of digital signatures which also treats hash functions while Menezes, van Oorschot and Vanstone (1996) is an invaluable source for both signatures and hashing. More recent surveys are Pedersen (1999) and Preneel (1999).
The cryptographic hash function SHA-1 was introduced as a Federal Information Processing Standard (FIPS-180-1) in 1995 by the National Institute of Standards and Technology (NIST) as a technical revision aimed at improving security of an earlier version SHA-0 introduced as FIPS-180 by NIST in 1993. For more details on the construction and implementation of SHA-1 and its relation to earlier families of hash functions see Chapter 9 of Menezes, van Oorschot and Vanstone (1996). The book by Pfitzmann (1996) and the chapter on signature schemes in Goldreich (2004) provide an up-to-date account of the state of current knowledge in this area.