Lecture 5: Hard Core Predicates

Similar documents
Lecture 16: Public Key Encryption:II

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Introduction to Cryptography

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

Lecture 4: One Way Functions - II

Public-Key Encryption

Lecture 11: Key Agreement

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 7: CPA Security, MACs, OWFs

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

CPSC 467b: Cryptography and Computer Security

1 Cryptographic hash functions

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

Lecture 17: Constructions of Public-Key Encryption

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 14: Hardness Assumptions

1 Cryptographic hash functions

Pseudorandom Generators

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Notes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Pseudorandom Generators

6.892 Computing on Encrypted Data September 16, Lecture 2

1 Distributional problems

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

10 Concrete candidates for public key crypto

Lecture 13: Private Key Encryption

Lecture 5. 1 Review (Pairwise Independence and Derandomization)

Interactive protocols & zero-knowledge

The security of all bits using list decoding

COS598D Lecture 3 Pseudorandom generators from one-way functions

CS 355: TOPICS IN CRYPTOGRAPHY

Pseudorandom Generators

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

Pseudorandom Generators

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Lecture 3: Randomness in Computation

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

6.080/6.089 GITCS Apr 15, Lecture 17

Lecture 26: Arthur-Merlin Games

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

Introduction to Modern Cryptography. Benny Chor

Lecture 9 - One Way Permutations

Where do pseudo-random generators come from?

Lectures 2+3: Provable Security

Introduction to Cryptology. Lecture 20

Interactive protocols & zero-knowledge

CSC 5170: Theory of Computational Complexity Lecture 5 The Chinese University of Hong Kong 8 February 2010

Exam 2 Solutions. In class questions

Lecture 3: Interactive Proofs and Zero-Knowledge

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

An Introduction to Probabilistic Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

Lattice Cryptography

Theoretical Cryptography, Lectures 18-20

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Answering Many Queries with Differential Privacy

Homework 7 Solutions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Lecture 31: Miller Rabin Test. Miller Rabin Test

DS-GA 3001: PROBLEM SESSION 2 SOLUTIONS VLADIMIR KOBZAR

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

1 Rabin Squaring Function and the Factoring Assumption

Exercise Sheet Cryptography 1, 2011

Lecture Overview. 2 Weak Induction

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

CSE 190, Great ideas in algorithms: Pairwise independent hash functions

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Warmup Recall, a group H is cyclic if H can be generated by a single element. In other words, there is some element x P H for which Multiplicative

Lecture 15: Expanders

Lecture Notes 20: Zero-Knowledge Proofs

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Modern Cryptography Lecture 4

Basic Probabilistic Checking 3

Lattice Cryptography

Lecture 4: Hardness Amplification: From Weak to Strong OWFs

Randomness and non-uniformity

Advanced Topics in Cryptography

Secret Sharing CPT, Version 3

PROPERTY PRESERVING SYMMETRIC ENCRYPTION REVISITED

An Epistemic Characterization of Zero Knowledge

Foundations of Cryptography

Gentry s SWHE Scheme

Impagliazzo s Hardcore Lemma

2 Message authentication codes (MACs)

CPSC 467b: Cryptography and Computer Security

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Generic Case Complexity and One-Way Functions

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Lecture 14: Secure Multiparty Computation

6.045: Automata, Computability, and Complexity (GITCS) Class 17 Nancy Lynch

Computational Hardness

Introduction to Elliptic Curve Cryptography. Anupam Datta

Lecture 10 - MAC s continued, hash & MAC

Transcription:

Lecture 5: Hard Core Predicates Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 1 / 17

Last Time Proof via Reduction: fˆ is a weak OWF Amplification: From weak to strong OWFs Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 2 / 17

Today What do OWFs Hide? Hard Core Predicate Concluding Remarks on OWFs Scribe notes volunteers? Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 3 / 17

What OWFs Hide The concept of OWFs is simple and concise But OWFs often not very useful by themselves It only guarantees that fpxq hides x but nothing more! E.g., it may not hide first bit of x, Or even first half bits of x Or ANY subset of bits In fact: if apxq is some information about x, we don t know if fpxq will hide apxq for any non-trivial ap q Is there any non-trivial function of x, even 1 bit, that OWFs hide? Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 4 / 17

Hard Core Predicate A hard core predicate for a OWF f is a function over its inputs txu its output is a single bit (called the hard core bit ) it can be easily computed given x but hard to compute given only fpxq Intuition: f may leak many bits of x but it does not leak the hard-core bit. In other words, learning the hardcore bit of x, even given fpxq, is as hard as inverting f itself. Think: What does hard to compute mean for a single bit? you can always guess the bit with probability 1{2. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 5 / 17

Hard Core Predicate: Definition Hard-core bit cannot be efficiently learned or predicted or computed with probability ą 1 2 ` µp x q even given fpxq Definition (Hard Core Predicate) A predicate h : t0, 1u Ñ t0, 1u is a hard-core predicate for fp q if h is efficiently computable given x and there exists a negligible function ν s.t. for every non-uniform PPT adversary A and @n P N: ı Pr x Ð t0, 1u n : Ap1 n, fpxqq hpxq ď 1 2 ` νpnq. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 6 / 17

Hard Core Predicate: Construction Can we construct hard-core predicates for general OWFs f? Define xx, ry to be the inner product function mod 2. I.e:, ÿ xx, ry x i r i mod 2 Same as taking of a random subset of bits of x. Theorem (Goldreich-Levin) Let f be a OWF (OWP). Define function i gpx, rq pfpxq, rq where x r. Then g is a OWF (OWP) and hpx, rq xx, ry is a hard-core predicate for g. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 7 / 17

Some remarks The theorem is not for f, but for a different function, g. Is this useful at all? Indeed, consider the function g 1 : g 1 p1xq g 1 p0xq fpxq. Clearly, the first bit of g s input is hard core for g. It works even if f is not one-way! The problem with the above is that it looses information about its input. This is not good for applications. It explains nothing about the inherent hardness of f Function g in the GL theorem statistically does not loose any information that f does not about its input....and the hard core bit for g is easy to guess if f is not one-way. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 8 / 17

Proof of the Goldreich-Levin theorem Proof via reduction? Main challenge: Adversary A for h only outputs 1 bit. Need to build an inverter B for f that outputs n bits. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 9 / 17

Warmup Proof (1) Assumption: Given gpx, rq pfpxq, rq, adversary A always (i.e., with probability 1) outputs hpx, rq correctly Inverter B: Compute x i Ð Apfpxq, e iq for every i P rns where: Output x x 1... x n e i p 0,..., 0 loomoon pi 1q-times, 1,..., 0q Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 10 / 17

Warmup Proof (2) Assumption: Given gpx, rq pfpxq, rq, for every x, adversary A outputs hpx, rq with probability 3{4 ` εpnq over the choices of r. @x : Pr r rapfpxq, rq hpx, rqs ě 3 4 ` εpnq. Main Problem: Adversary may not work on improper inputs (e.g., r e i as in previous case) Main Idea: Split each query into two queries s.t. each query individually looks random Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 11 / 17

Warmup Proof (2) Inverter B: Let a : Apfpxq, e i rq and b : Apfpxq, rq, for r $ Ð t0, 1u n Compute c : a b as a guess for x i Repeat many times to get many such c and take majority to get x i Output x x 1... x n Proof that B inverts fpxq: If both a and b are correct, then c x i because: c a b xx, e i r i y xx, ry x pr`e i q`x r mod 2 x e i x i. Claim: c x i with probability 1{2 ` 2ε Proof: by union bound A is wrong about either a or b with at most: p1{4 εpnqq ` p1{4 εpnqq 1{2 2ε probability. So a, b are correct w/ prob. ě 1{2 ` 2ε, so is c. 2n εpnq If you repeat times, by Chernoff Bound, majority of c will be correct x i w/ 1 e n prob. Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 12 / 17

Full Proof of the GL Theorem In the next class! Goldreich-Levin theorem has been extremely influential even outside cryptography Has applications to learning, list-decoding codes, extractors,... Great tool to add to your toolkit Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 13 / 17

Further Remarks One-way functions are necessary for most of cryptography But often not sufficient for things like key-exchange or public-key encryption. Black-box separations known [Impagliazzo-Rudich 89]; Open problem: full separations not known More examples of one-way functions? More than 1 hard core bit? Other ways to get hard core bit? Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 14 / 17

On more examples of OWFs We saw a OWF based on factoring. Are there more candidates? Many examples based on: Discrete Log: compute x P G from pg, y, pq where g generates a group G, and p G is prime, and y g x in G. RSA Problem: compute d from pe, Nq s.t. e d 1 mod φpnq where φpnq Z N and N is product of two large primes. Quadratic Residuosity: compute square roots of perfect squares modulo N (Rabin s function). More: more examples from lattices and LWE problem; such hardness assumptions are few and rare. You actually get a collection of OWFs from the above, not a single OWF. However, collections imply a single OWF as well. (discussed later) Special hard-core predicates and more than 1 bit based on specific structures of these functions. (For general OWFs, GL can be extended to yield log n hard core bits). Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 15 / 17

On more examples of OWFs Universal One-way Functions (Levin) Suppose somebody tells you that OWFs exist! but they don t know what that function is. Can you use this fact to build an explicit OWF? Explicit = one which you could implement (in principle, on Turing machines). Yes! Levin constructs an explicit function which is one-way if there exists any OWF (even if not known explicitly). OWFs from the famous P vs NP problem? OWFs whose hardness can be reduced to the validity of P NP. Unlikely to exist based on current evidence [Goldreich-Goldwasser-Moshkovitz,...] Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 16 / 17

Markov and Chernoff Bounds Proof on the board? Instructor: Omkant Pandey Lecture 5: Hard Core Predicates Spring 2017 (CSE 594) 17 / 17

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback