Introduction to Cryptography

B504 / I538: Introduction to Cryptography Spring 2017 Lecture 15

Assignment 3 is due! Assignment 4 is out and is due in three weeks!

Recall: One-way functions (OWFs)
Intuitively, a one-way function (OWF) is a function that is easy to compute but hard to invert.
Inversion game between Challenger (C) and Inverter (A), both given $1^s$:
1. C samples $x \leftarrow_R \{0,1\}^s$, sets $y := f(x)$, and sends $y$ to A.
2. A replies with $x'$.
Let $E$ be the event that $f(x') = y$. Define A's advantage to be $\mathrm{Adv}_{f^{-1}}(A) := \Pr[E]$.

Hard-core predicates
- Strong OWFs are hard to invert in their entirety
- Want to say: $f(x)$ reveals nothing about $x$
- Q: Do OWFs satisfy this requirement? A: In general, NO! (But why?)
  - Suppose $g$ is an OWF, then it is easy to prove that $f(x_1 \| x_2) = x_1 \| g(x_2)$ is also an OWF!
- A relaxation: Can we say $f(x)$ reveals nothing about $h(x)$, for some particular function $h$ that depends on $f$ but not $x$?

Hard-core predicates
- Let $h: \{0,1\}^* \to \{0,1\}$ be an efficiently computable function
- Think of $h(x)$ as indicating whether $x$ has some property ($h(x)=1$) or not ($h(x)=0$)
- Intuitively, we call $h$ a hard-core predicate for $f$ if $f(x)$ reveals nothing about $h(x)$
Prediction game between Challenger (C) and Inverter (A), both given $1^s$:
1. C samples $x \leftarrow_R \{0,1\}^s$, sets $y := f(x)$, and sends $y$ to A.
2. A replies with $b \in \{0,1\}$.
Let $E$ be the event that $h(x) = b$. Define A's advantage to be $\mathrm{Adv}_{h,f}(A) := \left|\Pr[E] - 1/2\right|$.

Hard-core predicates
Def'n: Let $f: \{0,1\}^* \to \{0,1\}^*$ and let $h: \{0,1\}^* \to \{0,1\}$ be an efficiently computable Boolean-valued function. Then $h$ is a hard-core predicate for $f$ if, for every PPT algorithm A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}_{h,f}(A) \le \varepsilon(s)$.
- $h$ is easy to compute from $x$ but hard to predict from $f(x)$
- Equivalently: $h(x)$ looks random given $f(x)$
- If $h(x)$ equals some bit of $x$, then we call $h$ a hard-core bit for $f$

Hard-core predicate examples
- Let $f: \{0,1\}^* \to \{0,1\}^*$ be an OWF and define $h(x) := \bigoplus_{i=1}^{|x|} x_i$
  - Q: Is $h$ a hard-core predicate for $f$?
  - A: In general, NO! (If $g$ is an OWF, then $f(x) := g(x) \| \bigoplus_{i=1}^{|x|} x_i$ is an OWF for which $h(x)$ is not hard-core!)
- Let $g: \{0,1\}^* \to \{0,1\}^*$ be the function that just drops the lsb of its input and define $h(x) := \mathrm{lsb}(x)$
  - Q: Is $h$ a hard-core predicate for $f$?
  - A: Yes! (But not a very useful/interesting one)

Goldreich-Levin Theorem
Thm: If there exists an OWF, then there exists a pair of functions $(g, h)$ such that $g$ is an OWF and $h$ is a hard-core predicate for $g$.
Specifically, if $f$ is an OWF, then the function $g(x \| r) := f(x) \| r$ with $|x| = |r|$ is an OWF and $h(x) = \bigoplus_{i=1}^{|x|} (x_i \cdot r_i)$ is a hard-core predicate for $f$.
Note: Goldreich-Levin does not claim that every OWF has a hard-core predicate!

Proving Goldreich-Levin's Theorem
- The full proof of Goldreich-Levin is long and involved
  - The textbook devotes 7 full pages to the proof!
- We prove a super-simplified case
Thm (A super-simplified Goldreich-Levin): Let $f: \{0,1\}^* \to \{0,1\}^*$ and define, as in the Goldreich-Levin construction,
(i) $g(x \| r) := f(x) \| r$ (with $|x| = |r|$), and
(ii) $h(x) = \bigoplus_{i=1}^{|x|} (x_i \cdot r_i)$.
If there exists a PPT algorithm $A$ such that $\forall n \in \mathbb{N}$ and $x \| r \in \{0,1\}^{2n}$, $A(g(x \| r), 1^n) = h(x \| r)$, then there also exists a PPT algorithm $A'$ such that $\forall n \in \mathbb{N}$ and $x \in \{0,1\}^n$, $A'(f(x), 1^n) \in f^{-1}(x)$.

Proof sketch for super-simplified Goldreich-Levin's Theorem
- Let $A$ be a PPT algorithm that computes $h(x) = \bigoplus_{i=1}^{|x|} (x_i \cdot r_i)$ given $g(x \| r) := f(x) \| r$ and $1^n$.
- For each $i = 1, \ldots, n$, let $e_i$ denote the $n$-bit string with a 1 in its $i$th bit and 0s elsewhere
- Goal: Construct a PPT algorithm $A'$ that computes $x' \in f^{-1}(x)$ given $(f(x), 1^n)$ and oracle access to $A$
  - For each $i = 1, \ldots, n$, $A'(f(x), 1^n)$ invokes $A(g(x \| e_i), 1^n)$ to get $x_i$
  - $A'$ outputs $x' = x_1 \| x_2 \| \cdots \| x_n$
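The reduction in this proof sketch, written out as an added example (not part of the original slides). The permutation table standing in for f, the table-lookup predictor, and all names are assumptions for illustration; the second predictor shows why the simplified argument needs A to be right on every input.

```python
import random

N = 10  # toy input length in bits

# Constructed stand-in for f: a fixed shuffled table on {0,1}^N. It is injective,
# so an always-correct predictor can exist, but it is NOT actually one-way.
F_TABLE = list(range(2 ** N))
random.Random(2017).shuffle(F_TABLE)
F_INV = {y: x for x, y in enumerate(F_TABLE)}

def f(x):
    return F_TABLE[x]

def h(x, r):
    """h(x || r) = XOR over i of x_i * r_i, i.e. parity of the bitwise AND."""
    return bin(x & r).count("1") % 2

def perfect_predictor(gy):
    """Hypothetical A: given g(x || r) = (f(x), r), always returns h(x || r).
    The lookup table stands in for whatever A does internally."""
    y, r = gy
    return h(F_INV[y], r)

def almost_perfect_predictor(gy):
    """Correct except when r is one of the N unit strings e_i (N of 2^N values)."""
    y, r = gy
    bit = perfect_predictor(gy)
    return bit ^ 1 if bin(r).count("1") == 1 else bit

def invert(y, predictor, n=N):
    """A' from the proof sketch: sees only y = f(x) and makes n oracle calls."""
    x, queries = 0, 0
    for i in range(n):
        e_i = 1 << i                       # single 1 in position i
        # g(x || e_i) = f(x) || e_i, so A' can build the query from y alone
        x |= predictor((y, e_i)) << i      # answer is h(x || e_i) = x_i
        queries += 1
    return x, queries

if __name__ == "__main__":
    x = 0b1011001110
    print(invert(f(x), perfect_predictor)[0] == x)         # recovers x
    print(invert(f(x), almost_perfect_predictor)[0] == x)  # every bit flipped
```

A predictor that errs only on the N unit strings is still right on all but N of the 2^N values of r, yet it defeats this inverter completely; handling predictors that are merely better than guessing is what the full proof has to do.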

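One-way permutations
Intuitively, $\pi: \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation if it is an OWF that is length-preserving and a bijection.
Inversion game between Challenger (C) and Inverter (A), both given $1^s$:
1. C samples $x \leftarrow_R \{0,1\}^s$, sets $y := \pi(x)$, and sends $y$ to A.
2. A replies with $x'$.
Let $E$ be the event that $\pi(x') = y$. Define A's advantage to be $\mathrm{Adv}_{\pi^{-1}}(A) := \Pr[E]$.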

One-way permutation
Def'n: A function $\pi: \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation (OWP) if it is
1. easy to compute: there exists an efficient algorithm that, on input $x \in \{0,1\}^*$, outputs $\pi(x)$;
2. length-preserving: for all $x \in \{0,1\}^*$, $|x| = |\pi(x)|$;
3. one-to-one: for all $x_1, x_2 \in \{0,1\}^*$, $\pi(x_1) = \pi(x_2)$ implies $x_1 = x_2$; and
4. hard to invert: for every PPT algorithm A, there exists a negligible function $\varepsilon: \mathbb{N} \to \mathbb{R}^+$ such that $\mathrm{Adv}_{\pi^{-1}}(A) \le \varepsilon(s)$.

Fixed-length PRGs from OWPs
Thm: If OWPs exist, then fixed-length PRGs also exist.
Specifically, given any OWP $\pi$ and a hard-core predicate $h$ for $\pi$, define $G: \{0,1\}^* \to \{0,1\}^*$ such that $\forall x \in \{0,1\}^*$, $G(x) := \pi(x) \| h(x)$. (Note: By Goldreich-Levin, if there exists an OWP, then there exists an OWP with a hard-core predicate.) Then $G$ is a PRG with expansion factor $\ell(s) = s+1$.

Variable-length PRGs from fixed-length PRGs
Thm: If there exists a fixed-length PRG with expansion factor $\ell(s) = s+1$, then there exists a variable-length PRG.
Idea:
- Given a PRG $G: \{0,1\}^* \to \{0,1\}^*$ with expansion factor $\ell(s) = s+1$, we construct a PRG $G'$ with expansion factor $\ell'(s) = s+2$ via $G'(x) := G(x_1) \| \delta_1$, where $G(x) = x_1 \| \delta_1$.
- Given $G'$, we construct a PRG $G''$ with expansion factor $\ell''(s) = s+3$ via $G''(x) := G'(x_2) \| \delta_2$, where $G'(x) = x_2 \| \delta_1 \| \delta_2$.
- And so on.
We can repeat this any polynomial number of times!

PRFs from variable-length PRGs
- Let $G: \{0,1\}^* \times 1^{\mathbb{N}} \to \{0,1\}^*$ be a variable-length PRG
- Construct a length-doubling PRG $G'(k) := G(k, 1^{2|k|})$ and set $G_L(k)$ and $G_R(k)$ equal to the first and last $|x|$ bits of $G'$
- PRF $F$ is represented as a binary tree
  - To evaluate $F(k,x)$, input $k$ to PRG in root node
  - At each layer $i$, if $x_i = 0$, go left; else, go right
  - Each input $x$ corresponds to a distinct leaf
  - Evaluating $F(k,x)$ requires $|x|$ calls to $G$
[Figure: binary tree of PRG calls rooted at $k$. First layer: $G_L(k)$, $G_R(k)$. Second layer: $G_L(G_L(k))$, $G_R(G_L(k))$, $G_L(G_R(k))$, $G_R(G_R(k))$. Example path: $x_1 = 1$, $x_2 = 0$, $x_3 = 1$.]
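The chain from the last three slides (G := π‖h with the Goldreich-Levin predicate, one-bit stretching, and the tree PRF) wired together as an added example that is not part of the original slides. The shuffled table standing in for the OWP π and all names are assumptions for illustration; the table is a bijection but not one-way, so this shows the wiring only.

```python
import random

N = 8  # toy half-length: seeds are x || r with |x| = |r| = N, written as bit strings

# Constructed stand-in for a one-way permutation pi on N-bit strings.
PI_TABLE = list(range(2 ** N))
random.Random(15).shuffle(PI_TABLE)

def G(seed):
    """Fixed-length PRG shape from the slides, 2N bits -> 2N+1 bits:
    G(x || r) = pi(x) || r || h, with h = XOR_i x_i * r_i (Goldreich-Levin)."""
    x, r = int(seed[:N], 2), int(seed[N:], 2)
    hard_core = bin(x & r).count("1") % 2
    return format(PI_TABLE[x], "0{}b".format(N)) + seed[N:] + str(hard_core)

def stretch(seed, out_len):
    """Variable-length PRG: G'(x) := G(x_1) || d_1 where G(x) = x_1 || d_1, repeated.
    Unrolled, the output is x_t || d_t || ... || d_1."""
    state, deltas = seed, []
    while len(state) + len(deltas) < out_len:
        y = G(state)
        state = y[:-1]          # x_i: fed back into G on the next round
        deltas.append(y[-1])    # d_i: one extra output bit per round
    return state + "".join(reversed(deltas))

def F(k, x):
    """Tree PRF: one length-doubling call G'(k) = stretch(k, 2|k|) per input bit;
    bit 0 keeps the left half G_L, bit 1 keeps the right half G_R."""
    calls = 0
    for bit in x:
        doubled = stretch(k, 2 * len(k))
        k = doubled[:len(k)] if bit == "0" else doubled[len(k):]
        calls += 1
    return k, calls

if __name__ == "__main__":
    key = "1011001110001111"    # constructed 16-bit sample key
    print(F(key, "101"))        # leaf reached via right, left, right; 3 calls
```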

Existence of PR*s and OW*s
[Diagram of the relationships among: OWF, PRP, OWP, PRF, variable-length PRG, fixed-length PRG]

That's all for today, folks!