Lecture 4: Hardness Amplification: From Weak to Strong OWFs

Similar documents
Lecture 4: One Way Functions - II

Computational Hardness

Foundation of Cryptography ( ), Lecture 1

1 Rabin Squaring Function and the Factoring Assumption

Lecture 13: Private Key Encryption

Lecture 14: Cryptographic Hash Functions

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lecture 9 - One Way Permutations

Lecture 8: Computational Indistinguishability and Pseudorandomness

Generic Case Complexity and One-Way Functions

COMS W4995 Introduction to Cryptography September 29, Lecture 8: Number Theory

Homework 7 Solutions

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

1 Distributional problems

1 Cryptographic hash functions

Concurrent Non-malleable Commitments from any One-way Function

Pseudorandom Generators

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 11: Key Agreement

CPSC 467: Cryptography and Computer Security

Reductions for One-Way Functions

Lecture 15: Interactive Proofs

Theoretical Cryptography, Lectures 18-20

Lecture 2: Perfect Secrecy and its Limitations

Lecture 6 : Induction DRAFT

6.080/6.089 GITCS Apr 15, Lecture 17

1 Cryptographic hash functions

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Lecture 7: CPA Security, MACs, OWFs

Lecture 3: Randomness in Computation

Impagliazzo s Hardcore Lemma

Scribe for Lecture #5

COMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.

Introduction to Cryptography

Randomized Complexity Classes; RP

Lecture 5: Derandomization (Part II)

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 3: AC 0, the switching lemma

6.842 Randomness and Computation Lecture 5

Lecture 11 - Basic Number Theory.

Lecture 7: Pseudo Random Generators

CS6840: Advanced Complexity Theory Mar 29, Lecturer: Jayalal Sarma M.N. Scribe: Dinesh K.

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Computational security & Private key encryption

Lecture 17: Constructions of Public-Key Encryption

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Pseudorandom Generators

From Non-Adaptive to Adaptive Pseudorandom Functions

: On the P vs. BPP problem. 30/12/2016 Lecture 12

Lecture 6 : Projected Gradient Descent

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

a Course in Cryptography rafael pass abhi shelat

CPSC 467: Cryptography and Computer Security

Lecture Notes on Secret Sharing

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPSC 467b: Cryptography and Computer Security

ZEROES OF INTEGER LINEAR RECURRENCES. 1. Introduction. 4 ( )( 2 1) n

2 Completing the Hardness of approximation of Set Cover

Notes on Complexity Theory Last updated: November, Lecture 10

CSA E0 235: Cryptography (19 Mar 2015) CBC-MAC

CMSC 858K Introduction to Secure Computation October 18, Lecture 19

Topic: Sampling, Medians of Means method and DNF counting Date: October 6, 2004 Scribe: Florin Oprea

Lecture 6: The Pigeonhole Principle and Probability Spaces

If NP languages are hard on the worst-case then it is easy to find their hard instances

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Lecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko

Indistinguishability and Pseudo-Randomness

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

CPSC 467: Cryptography and Computer Security

How many rounds can Random Selection handle?

Solutions to homework 2

CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010

Where do pseudo-random generators come from?

Lecture 6: Deterministic Primality Testing

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 8 Luca Trevisan September 19, 2017

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Lecture 29: Computational Learning Theory

1 Randomized complexity

Lecture Notes 20: Zero-Knowledge Proofs

Lecture 10 - MAC s continued, hash & MAC

Lecture 12: Randomness Continued

1 Randomized Computation

COS598D Lecture 3 Pseudorandom generators from one-way functions

Notes for Lecture 11

Input Locality and Hardness Amplification

Lecture 18: Zero-Knowledge Proofs

Notes for Lecture 15

Notes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators

Lecture 6: September 22

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Lecture Examples of problems which have randomized algorithms

6.892 Computing on Encrypted Data September 16, Lecture 2

Average Case Complexity: Levin s Theory

A Note on Negligible Functions

Lecture 15: Expanders

Proving languages to be nonregular

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

Transcription:

COM S 687 Introduction to Cryptography September 5, 2006 Lecture 4: Hardness Amplification: From Weak to Strong OWFs Instructor: Rafael Pass Scribe: Jed Liu Review In the previous lecture, we formalised the notion of a strong one-way function that is easy to compute, but hard to invert. Definition (Negligible function) A function ɛ : N R is negligible if for any c N, there is a k 0 N such that we have ɛ(k) < k c for all k > k 0. Definition 2 (Strong one-way function) A function f : {0, } {0, } is strongly one-way if it satisfies the following two conditions.. Easy to compute. There is a probabilistic polytime algorithm C : {0, } {0, } such that C(x) = f(x) on all inputs x {0, }. 2. Hard to invert. Any efficient attempt to invert f on random input will succeed with only negligible probability. Formally, for any probabilistic polytime algorithm A : {0, } {0, }, there exists a negligible function ɛ such that for any input length k N, Pr [ x {0, } k ; y = f(x); A( k, y) = x : f(x ) = y ] ɛ(k). 2 Weak One-Way Functions Consider the function f mult : N 2 N defined by f mult (x, y) = xy, with x = y. Is this a one-way function? Clearly, by the multiplication algorithm, f mult is easy to compute. But f mult is not always hard to invert! If at least one of x and y is even, then their product will be even as well. This happens with probability 3 if the input (x, y) is picked 4 uniformly at random from N 2. So the following attack A will succeed with probability 3: 4 { (2, z ) if z even A(z) = 2 (0, 0) otherwise. Something is not quite right here, since f mult is conjectured to be hard to invert on some, but not all, inputs. Our current definition of a one-way function is too restrictive to 4-

capture this notion, so we will define a weaker variant that relaxes the hardness condition on inverting the function. This weaker version only requires that all efficient attempts at inverting will fail with some non-negligible probability. Definition 3 (Weak one-way function) A function f : {0, } {0, } is weakly one-way if it satisfies the following two conditions.. Easy to compute. (Same as that for a strong one-way function.) There is a probabilistic polytime algorithm C : {0, } {0, } such that C(x) = f(x) on all inputs x {0, }. 2. Hard to invert. Any efficient algorithm will fail to invert f on random input with non-negligible probability. More formally, for any probabilistic polytime algorithm A : {0, } {0, }, there exists a polynomial function q : N N such that for any input length k N, Pr [ x {0, } k ; y = f(x); A( k, y) = x : f(x ) = y ] q(k) It is conjectured that f mult is a weak one-way function. 3 Hardness Amplification By falling back on the weak version of a one-way function, we actually haven t lost anything. As we will now show, a weak one-way function can be used to produce a strong one-way function by amplifying hardness. The main insight we will use is if we run a weak one-way function f with enough inputs, with luck, f will be hard to invert on least one of those inputs. Theorem If there is a weak one-way function, then there is a strong one-way function. In particular, given a weak one-way function f : {0, } {0, }, there is a fixed m N, polynomial in the input length n N, such that the following function f : ({0, } n ) m ({0, } n ) m is strongly one-way: f (x, x 2,..., x m ) = (f(x ), f(x 2 ),..., f(x m )). We will prove this theorem by contradiction. We assume that f is not strongly one-way so that there is an algorithm A that inverts it with non-negligible probability. From this, we construct an algorithm A that inverts f with high probability. 4-2

Proof. Since f is weakly one-way, let q : N N be a polynomial such that for any probabilistic polytime algorithm A and any input length n N, Pr [x {0, } n ; y = f(x); A( n, y) = x : f(x ) = y] q(n). Define m = 2nq(n), dependent on the input length n N to f. Assume that f as defined in the theorem is not strongly one-way. Then let A be a probabilistic polytime algorithm and p : N N be a polynomial such that for infinitely many input lengths n N to f, A inverts f with probability p (n). i.e., Pr [x i {0, } n ; y i = f(x i ) : f (A (y, y 2,..., y m )) = (y, y 2,..., y m )] > p (m). Since m is polynomial in n, then the function p(n) = p (m) = p (2nq(n)) is also a polynomial. Rewriting the above probability, we have Pr [x i {0, } n ; y i = f(x i ) : f (A (y, y 2,..., y m )) = (y, y 2,..., y m )] > p(n). () Define the algorithm A 0 : {0, } n {0, } n, which will attempt to use A to invert f, as follows. () Input y {0, } n. (2) Pick a random i [, m]. (3) For all j i, pick a random x j {0, } n, and let y j = f(x j ). (4) Let y i = y. (5) Let (z, z 2,..., z m ) = A(y, y 2,..., y m ). (6) If f(z i ) = y, then output z i ; otherwise, fail and output. To improve our chances of inverting f, we will run A 0 multiple times. To capture this, define the algorithm A : {0, } n {0, } n to run A 0 with its input 2nm 2 p(n) times, outputting the first non- result it receives. If all runs of A 0 result in, then A outputs as well. Given this, call an element x {0, } n good if A 0 will successfully invert f(x) with non-negligible probability: otherwise, call x bad. Pr [A 0 (f(x)) ] 4-3 2m 2 p(n) ;

Note that the probability of A failing to invert f(x) on a good x is small: Pr [A(f(x)) fails x good] ( ) 2m 2 np(n) e n. 2m 2 p(n) We claim that there are a significant number of good elements enough for A to invert f with sufficient probability to contradict the weakly ) one-way assumption on f. In particular, we claim there are at least 2 ( n good elements in {0, } n. If this holds, then Pr [A(f(x)) fails] = Pr [A(f(x)) fails x good] Pr [x good] + Pr [A(f(x)) fails x bad] Pr [x bad] Pr [A(f(x)) fails x good] + Pr [x bad] ( ) 2m 2 np(n) 2m 2 p(n) + e n + <. q(n) This contradicts the assumption that f is q(n)-weak. ) It remains to be shown that there are at least 2 ( n good elements in {0, } n. ( ) Assume that there are more than 2 n bad elements. We will contradict fact () that with probability p(n), A succeeds in inverting f (x) on a random input x. To do so, we establish an upper bound on the probability by splitting it into two quantities: Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds] = Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and some x i is bad] +Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and all x i are good] For each j [, n], we have Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and x j is bad] Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds x j is bad] m Pr [A 0 (f(x j )) succeeds x j is bad] m =. 2m 2 p(n) 2mp(n) So taking a union bound, we have Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and some x i is bad] j Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and x j is bad] m =. 2mp(n) 2p(n) 4-4

Also, Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds and all x i are good] Pr [x i {0, } n : all x i are good] ( ) m ( 2nq(n) < = ) e n. Hence, Pr [x i {0, } n ; y i = f (x i ) : A ( y) succeeds] < + 2p(n) e n <, thus contradicting p(n) (). This theorem indicates that the existence of weak one-way functions is equivalent to that of strong one-way functions. In the next lecture, we will identify a universal one-way function f Levin. This function is universal in the sense that if one-way functions exist, then f Levin is one-way. 4-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback