Introduction to Cryptography

Transcription

1 B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15

2 Assignment 3 is due! Assignment 4 is out and is due in three weeks! 1

3 Recall: One-way functions (OWFs) Intuitively, a one-way function (OWF) is a function that is easy to compute but hard to invert Challenger (C) 1 s x R {0, 1} s y y := f(x) Inverter (A) 1 s x 2 Let E be the event that f(x ) = y Define A s advantage to be Adv f -1 (A) := Pr[E]

4 Hard-core predicates Strong OWFs are hard to invert in their entirety Want to say: f(x) reveals nothing about x Q: Do OWFs satisfy this requirement? A: In general, NO! (But why?) - Suppose g is an OWF, then it is easy to prove that f(x 1 11 x 2 ) = x 1 11 g(x 2 ) is also an OWF! A relaxation: Can we say f(x) reveals nothing about h(x), for some particular function h that depends on f but not x? 3

5 Hard-core predicates Let h: {0, 1} * {0, 1} be an efficiently computable function Think of h(x) as indicating whether x has some property (h(x)=1) or not (h(x)=0) Intuitively, we call h a hard-core predicate for f if f(x) reveals nothing about h(x) Challenger (C) 1 s x R {0, 1} s y y := f(x) Inverter (A) 1 s b {0, 1} 4 Let E be the event that h(x) = b Define A s advantage to be Adv h,f (A) := 1 Pr[E]- 1/2 1

6 Hard-core predicates Def n : Let f: {0, 1} * {0, 1} * and let h: {0, 1} * {0, 1} be an efficiently computable Boolean-valued function. Then h is a hard-core predicate for f if, for every PPT algorithm A, there exists a negligible function ε: N R + such that Adv h,f (A) ε(s). h is easy to compute from x but hard to predict from f(x) Equivalently: h(x) looks random given f(x) If h(x) equal some bit of x, then we call h a hard-core bit for f 5

7 Hard-core predicate examples Let f: {0, 1} * {0, 1} * be an OWF and define h(x) := 1x1 xi i=1 Q: Is h a hard-core predicate for f? A: In general, NO! (If g is a OWF, then f(x):=g(x) 11 1x1 i=1 x i is an OWF for which h(x) is not hard-core!) Let g: {0, 1} * {0, 1} * be the function that just drops the lsb of its input and define h(x) := lsb(x) Q: Is h a hard-core predicate for f? A: Yes! (But not a very useful/interesting one ) 6

8 Goldreich-Levin Theorem Thm: If there exists an OWF, then there exists a pair of functions (g, h) such that g is an OWF and h is a hard-core predicate for g. Specifically, if f is an OWF, then the function and g(x 11 r) := f(x) 11 r with 1x1 = 1r1 is an OWF 1x1 h(x) = (xi i=1 r i ) is a hard-core predicate for f. 7 Note: Goldreich-Levin does not claim that every OWF has a hard-core predicate!

9 Proving Goldreich-Levin s Theorem The full proof of Goldreich-Levin is long and involved The textbook devotes 7 full pages to the proof! We prove a super-simplified case Thm (A super-simplified Goldreich-Levin): Let f: {0, 1} * {0, 1} * and define, as in the Goldreich-Levin construction, 1x1 (i) g(x 11 r) := f(x) 11 r (with 1x1 = 1r1), and (ii) h(x) = (xi i=1 r i ) If there exists a PPT algorithm A such that n N and x 11 r {0, 1} 2n, A(g(x 11 r), 1 n ) = h(x 11 r), then there also exists a PPT algorithm A such that n N and x {0, 1} n A (f(x), 1 n ) f -1 (x). 8

10 Proof sketch for super-simplified Goldreich-Levin s Theorem 1x1 Let A be a PPT algorithm that computes h(x)= i=1 (xi r i ) given g(x11 r) := f(x) 11r and 1 n. For each i = 1,...,n, let e i denote the n-bit string with a 1 in its ith bit and 0s elsewhere Goal: Construct a PPT algorithm A to computes x f -1 (x) given (f(x), 1 n ) and oracle access to A For each i = 1,...,n, A (f(x), 1 n ) invokes A(g(x 11 e i ), 1 n ) to get x i A outputs x = x 1 11 x x n 9

11 One-way permutations Intuitively, π: {0, 1} * {0, 1} * is a one-way permutation if it is an OWF that is length-preserving and a bijection Challenger (C) Inverter (A) 1 s x R {0, 1} s y 1 s y := π(x) x 10 Let E be the event that π(x) = y Define A s advantage to be Adv π -1 (A) := Pr[E]

12 One-way permutation Def n : A function π: {0, 1} * {0, 1} * is a one-way permutation (OWP) if it is 1. easy to compute: there exists an efficient algorithm that, on input x {0, 1} *, outputs π(x); 2. length-preserving: for all x {0, 1} *, 1x1 = 1π(x)1; 3. one-to-one: for all x 1, x 2 {0, 1} *, π(x)=π(y) implies x=y; and 4. hard to invert: for every PPT algorithm A, there exists a negligible function ε: N R + such that Adv π -1 (A) ε(s). 11

13 Fixed-length PRGs from OWPs Thm: If OWPs exist, then fixed-length PRGs also exist. Specifically, given any OWP π and a hard-core predicate h for π, define G: {0, 1} * {0, 1} * such that x {0, 1} *, G(x) := π(x) 11 h(x). (Note: By Goldreich-Levin, if there exists an OWP, then there exists an OWP with a hard-core predicate) Then G is a PRG with expansion factor l(s) = s+1. 12

14 Variable-length PRGs from fixed-length PRGs Thm: If there exists a fixed-length PRG with expansion factor l(s)=s+1, then there exists a variable-length PRG. Idea: Given a PRG G:{0,1} * {0, 1} * with expansion factor l(s) = s+1, we construct a PRG G with expansion factor l (s) = s+2 via G (x) := G(x 1 ) 11 δ 1, where G(x) = x 1 11 δ 1. Given G, we construct a PRG G with expansion factor l (s) = s+3 via G (x) := G (x 2 ) 11 δ 2, where G (x) = x 2 11 δ 1 11 δ 2. And so on We can repeat this any polynomial number of times! 13

15 PRFs from variable-length PRGs Let G: {0, 1} * 1 N {0, 1} * be a variable-length PRG Construct a length-doubling PRG G (k) := G(k, 1 21k1 ) and set G L (k) and G R (k) equal to the first and last 1x1 bits of G PRF F is represented as a binary tree To evaluate F(k,x), input k to PRG in root node At each layer i, if x i = 0, go left; else, go right Each input x corresponds to a distinct leaf Evaluating F(k,x) requires 1x1 calls to G G L (k) k G x 1 =1 G R (k) G G G L (G L (k)) G R (G L (k)) G L (G R (k)) G R (G R (k)) x 2 =0 G G G G x 3 =1 14 G G G G G G G G

16 Existence of PR*s and OW*s OWF PRP OWP PRF Variable -length PRG Fixedlength PRG 15

17 That s all for today, folks! 16