One-Way Functions and Basic Assumptions
Wen-Guey Tzeng
Department of Computer Science
National Chiao Tung University
One-way functions & basic assumptions – p. 1/26
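Notation

Specified range of randomness: $B$ is a Boolean predicate

$$\mathrm{prob}(B(x) = 1 : x \leftarrow X) = \mathrm{prob}(\{x \in X \mid B(x) = 1\}) = p_X(\{x \in X \mid B(x) = 1\})$$

Let $A$ be a probabilistic algorithm and $B$ a Boolean predicate,

$$\begin{aligned}
\mathrm{prob}(B(x, A(x)) = 1 : x \xleftarrow{p_X} X) &= \sum_{x \in X} \mathrm{prob}(x) \cdot \mathrm{prob}(B(x, A(x)) = 1) \\
&= \sum_{x \in X} \mathrm{prob}(x) \cdot \mathrm{prob}(\{r \in \mathbb{Z}_2^{t_x} \mid B(x, A_D(x, r)) = 1\})
\end{aligned}$$

Shorthand: $x \leftarrow X \equiv x \xleftarrow{p_X} X$.
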
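If $A$ computes $f : X \to Y$ and $B_f(x, y) = 1$ iff $f(x) = y$,

$$\mathrm{prob}(A(x) = f(x) : x \leftarrow X) = \mathrm{prob}(B_f(x, A(x)) = 1 : x \leftarrow X)$$

Multiple variables:

$$\begin{aligned}
\mathrm{prob}(A(x_1, x_2) = f(x_1, x_2) : x_1 \leftarrow X_1, x_2 \leftarrow X_{2,x_1}) &= \sum_{x_1, x_2} \mathrm{prob}(x_1, x_2) \cdot \mathrm{prob}(A(x_1, x_2) = f(x_1, x_2)) \\
&= \sum_{x_1, x_2} \mathrm{prob}(x_1)\,\mathrm{prob}(x_2 \mid x_1) \cdot \mathrm{prob}(A(x_1, x_2) = f(x_1, x_2))
\end{aligned}$$
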
Function family

Parameterized key/index set
• Let $k$ be the security parameter.
• $I_k = \{i : |i| = k\}$: a key set of size $k$
• $I = \bigcup_{k \in \mathbb{N}} \{I_k\}$: a parameterized key set

EXP: the set of discrete exponentiation functions:
• $I_k = \{(p, g) : p \text{ is prime},\ |p| = k,\ g \text{ is a generator of } \mathbb{Z}_p^*\}$.
• $\mathrm{Exp}_{p,g}(x) = g^x \bmod p$.
• $\mathrm{EXP} = \{\mathrm{Exp}_{p,g} : (p, g) \in I\}$.

LOG: the set of discrete logarithm functions:
• $I_k = \{(p, g) : p \text{ is prime},\ |p| = k,\ g \text{ is a generator of } \mathbb{Z}_p^*\}$.
• $\mathrm{Log}_{p,g}(y) = \log_g y \bmod p$.
• $\mathrm{LOG} = \{\mathrm{Log}_{p,g} : (p, g) \in I\}$.

Computing functions

Definition 1 A function family $F = \{f_i : X_i \to Y_i\}$ indexed by $I = \bigcup_{k \in \mathbb{N}} \{I_k\}$ is polynomial-time computable if there is an $R(k)$-bounded algorithm $A$ such that

for all $i \in I_k$, $x \in X_i$, $A(i, x) = f_i(x)$,

that is, $\mathrm{time}_A(i, x) \le R(k)$, where $R(k)$ is a polynomial.
• EXP is polynomial-time computable.
• We don't know whether LOG is polynomial-time computable.

Hardness assumptions

Discrete logarithm assumption

Let $I_k = \{(p, g) \mid |p| = k\}$ and $Q(k)$ be a positive polynomial. Let $A(p, g, y)$ be a probabilistic polynomial algorithm. Then there exists $k_0 \in \mathbb{N}$ such that for all $k \ge k_0$,

$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : (p, g) \xleftarrow{u} I_k,\ y \xleftarrow{u} \mathbb{Z}_p^*) \le 1/Q(k).$$

Negligible functions

Definition 2 A function $\epsilon(k)$ is negligible if for every positive polynomial $Q(k)$, there is $k_0$ such that for each $k \ge k_0$,

$$\epsilon(k) \le 1/Q(k).$$

Examples
• $1/2^k$, $1/k^{\log k}$ are negligible functions.
• $1/k^2$, $1/(k \log k)$ are non-negligible functions.

Alternative definition for the discrete logarithm assumption

$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : (p, g) \xleftarrow{u} I_k,\ y \xleftarrow{u} \mathbb{Z}_p^*) = \epsilon(k)$$

is negligible.

Various spectrums for $\epsilon(k)$
• For each $(p, g)$, $\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y))$ is small.
• There are some $(p, g)$ for which $\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y))$ is large.
• ⋯

The following two statements are equivalent:
1. For every positive polynomial $P$, there is $k_0 > 0$ such that for all $k \ge k_0$,
   $$\mathrm{prob}(A(i, x) = f_i(x) : i \leftarrow I_k,\ x \leftarrow X_i) \le 1/P(k);$$
2. For all positive polynomials $Q$ and $R$, there is $k_0 > 0$ such that for all $k \ge k_0$,
   $$\mathrm{prob}(\{i \in I_k \mid \mathrm{prob}(A(i, x) = f_i(x) : x \leftarrow X_i) > 1/Q(k)\}) \le 1/R(k).$$
   (No significant portion of functions are solvable with non-negligible probability)

Proof. Let $p_i = \mathrm{prob}(A(i, x) = f_i(x) : x \leftarrow X_i)$.
(1) ⇒ (2):
(2) ⇒ (1):
□

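If some PPA $A$ solves LOG, for $k \ge k_0$,

$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : (p, g) \leftarrow I_k,\ y \leftarrow \mathbb{Z}_p^*) \ge 1/P(k)$$

then, for $k \ge k_0$,

$$\mathrm{prob}(\{(p, g) \in I_k \mid \mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : y \leftarrow \mathbb{Z}_p^*) > 1/(2P(k))\}) \ge 1/(2P(k)).$$
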
Random self-reduction

Definition 3 A function family is random self-reducible if there is a PPA $B$ such that

for every $i \in I_k$, $x \in X_i$, $p_{B(i,x)} = p_{X_i}$

and given an answer $y'$ to $x' = B(i, x)$, we can find an answer $y$ to $x$.

Thus, if $\mathrm{prob}(A(x) = f_i(x) : x \leftarrow X_i) > 1/Q(k)$,
then there is $A$, $\mathrm{prob}(A(x) = f_i(x)) > 1/Q(k)$ for each $x \in X_i$.

Example 4 LOG is self-reducible via the self-reduction function

$$B(p, g, y) = y g^r \bmod p, \quad r \xleftarrow{u} \mathbb{Z}_{p-1}$$

Given an answer $x' = \log y g^r$, $(x' - r) \bmod (p - 1) = \log_g y = x$ is the answer to $y$.

For $(p, g) \in I$, if there is a PPA $A$ such that

$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y) : y \xleftarrow{u} \mathbb{Z}_p^*) > 1/Q(k),$$

there is PPA $A$, for each $y \in \mathbb{Z}_p^*$,

$$\mathrm{prob}(A(p, g, y) = \mathrm{Log}_{p,g}(y)) > 1 - 2^{-P(k)}.$$

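
Added example (not from the original slides): Example 4's self-reduction in Python, turning a solver that answers only about 10% of instances into one that answers every instance. The toy parameters p = 1019 and g = 2, the lookup table, and the names weak_solver, randomize and amplified_solver are assumptions made for illustration.

```python
import random

# Constructed toy parameters (assumptions, far too small for real use):
# p = 1019 is prime with p - 1 = 2 * 509, and g = 2 generates Z_p^*.
P, G = 1019, 2
ORDER = P - 1

# Brute-force table of discrete logs; it stands in for whatever the
# hypothetical algorithm A "knows". Only feasible because p is tiny.
LOG_TABLE = {pow(G, x, P): x for x in range(ORDER)}


def weak_solver(y):
    """Hypothetical A: answers only when y % 10 == 0 (about 10% of Z_p^*)."""
    return LOG_TABLE[y] if y % 10 == 0 else None


def randomize(y, rng):
    """Self-reduction B(p, g, y) = y * g^r mod p with r uniform in Z_{p-1}."""
    r = rng.randrange(ORDER)
    return (y * pow(G, r, P)) % P, r


def amplified_solver(y, trials=400, rng=None):
    """Solve any instance y by re-randomizing until the weak solver answers."""
    rng = rng or random.Random()
    for _ in range(trials):
        y_prime, r = randomize(y, rng)   # y' is uniform in Z_p^*, whatever y is
        x_prime = weak_solver(y_prime)
        # EXP is easy to compute, so a claimed answer can always be checked.
        if x_prime is not None and pow(G, x_prime, P) == y_prime:
            return (x_prime - r) % ORDER  # x = (x' - r) mod (p - 1)
    return None  # all trials missed: probability about 0.9 ** trials


if __name__ == "__main__":
    y = pow(G, 777, P)
    print("weak solver:     ", weak_solver(y))
    print("amplified solver:", amplified_solver(y))
```

Because each randomized instance is uniform and independent of y, the failure probability after t trials is at most (1 - 1/Q)^t for every y, which is how the per-instance bound 1 - 2^{-P(k)} is reached with polynomially many trials.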
Hard problems

The property of self reduction increases the credibility of some hardness assumptions.

The following self-reducible function families are assumed to be hard.
• $\mathrm{INVRSA} = \{\mathrm{InvRsa}_{n,e} : (n, e) \in I\}$, where $n = pq$, $|p| = |q| = k$, $\gcd(e, \varphi(n)) = 1$, and $d = e^{-1} \bmod \varphi(n)$, $\mathrm{InvRsa}_{n,e}(y) = y^d$ for $y \in \mathbb{Z}_n^*$.
• $\mathrm{SQRT} = \{\mathrm{Sqrt}_n : n \in I\}$, where $n = pq$, $|p| = |q| = k$, $\mathrm{Sqrt}_n(y) = y^{1/2}$ for $y \in QR_n$.
• $\mathrm{PQR} = \{\mathrm{Pqr}_n : n \in I\}$, where $\mathrm{Pqr}_n(x) = L(n, x)$ for $x \in J_n^{+1}$, $n = pq$.

One-way functions
• A family $f = (f_i : D_i \to R_i)_{i \in I}$ of functions.
• $f_i^{-1}(y) = \{x \in X_i \mid f_i(x) = y\}$
• $K$: key sampling algorithm, $K(1^k) = i \in I_k$.
• $K$ is usually the uniform sampling algorithm.

Definition 5 $f$ is a one-way function with key generator $K$ iff
1. $f$ can be computed by a Monte Carlo algorithm $F(i, x)$.
2. $f$ is not invertible by any efficient algorithm, that is, for any PPA $A$ and every positive polynomial $Q(k)$, there is $k_0 > 0$ such that for any $k \ge k_0$,
   $$\mathrm{prob}(A(i, f_i(x)) \in f_i^{-1}(f_i(x)) : i \leftarrow K(1^k),\ x \xleftarrow{u} D_i) \le 1/Q(k)$$

One-way permutation: each $f_i$ is a permutation.

Trapdoor one-way function

Each function $f_i$ has a trapdoor $t_i$ such that $f^{-1} = (f_i^{-1} : i \in I)$ can be computed by a Monte Carlo algorithm $F^{-1}(i, t_i, y)$, where $y = f_i(x)$, $x \in D_i$.
• RSA, QR, SQRT are all trapdoor one-way functions.
• EXP has no known trapdoors.

Hard-core predicate

"$f(x)$ is not invertible" does not imply "the whole $x$ is unknown".

Example 6 $f_{p,g}(x) = g^x \bmod p = y$ is one-way. But, given $(p, g, y)$, the last bit of $x$ is $L(p, y)$, which can be computed by Euler's criterion.

Example 7 Let $f$ be one-way. Then,

$$g(x) = g(x_1 \| x_2) = f(x_1) \| x_2$$

is also one-way, where $|x_1| = |x_2|$.
But, given $y = g(x)$, we know at least half of $x$.

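
Added example (not from the original slides): both leaks from Examples 6 and 7 in Python. The toy parameters p = 1019 and g = 2, the choice f = Exp_{p,g} in Example 7, and the function names are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (assumptions, far too small for real use):
# p = 1019 is prime and g = 2 generates Z_p^*.
P, G = 1019, 2


def exp_pg(x):
    """Exp_{p,g}(x) = g^x mod p."""
    return pow(G, x, P)


def last_bit_of_log(y):
    """Example 6: recover x mod 2 from y = g^x mod p via Euler's criterion.

    y^((p-1)/2) mod p is 1 when y is a quadratic residue and p - 1 otherwise.
    A generator g is a non-residue, so y = g^x is a residue iff x is even.
    """
    return 0 if pow(y, (P - 1) // 2, P) == 1 else 1


def g_ext(x1, x2):
    """Example 7: g(x1 || x2) = f(x1) || x2, here with f = Exp_{p,g}."""
    return exp_pg(x1), x2


def leaked_half(y):
    """The second half of the preimage sits in the output unchanged."""
    _, x2 = y
    return x2


if __name__ == "__main__":
    x = secrets.randbelow(P - 1)
    y = exp_pg(x)
    print("x mod 2 =", x % 2, "| recovered from y alone:", last_bit_of_log(y))
    x1, x2 = secrets.randbelow(P - 1), secrets.randbelow(P - 1)
    print("x2 =", x2, "| read from g(x1 || x2):", leaked_half(g_ext(x1, x2)))
```

In both cases the function stays hard to invert as a whole, yet a predictor for the leaked bit succeeds with probability 1, so the last bit of x is not a hard-core predicate for EXP.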
Definition 8 Let $f = (f_i : D_i \to R_i)_{i \in I}$ be one-way with key generator $K$. Let $B = (B_i : D_i \to \{0, 1\})_{i \in I}$ be a family of Boolean predicates. $B$ is called a hard-core predicate of $f$ if
1. $B$ can be computed by a Monte Carlo algorithm $A_1(i, x)$.
2. $B(x)$ is not computable from $f(x)$ by any PPA. For every PPA $A_2$, polynomial $Q$, there is $k_0$ such that for all $k \ge k_0$,
   $$\mathrm{prob}(A_2(i, f_i(x)) = B_i(x) : i \leftarrow K(1^k),\ x \xleftarrow{u} D_i) \le \frac{1}{2} + \frac{1}{Q(k)}.$$

Example 9 $f = \mathrm{RSA}$, $B_i(x) = \text{last-bit}(x)$. Given $i = (n, e)$ and $y$, it is hard to compute $\text{last-bit}(x)$, where $y = x^e \bmod n$.

Universal hard-core predicate
• Inner product: $B_i(x, y) = \bigoplus_{j=1}^{l} (x_j y_j)$, $|x| = |y| = l$;
• Function extension: $f_i(x)$ is extended to $f_i(x, y) = f_i(x) \| y$, where $|x| = |y|$.

Theorem 10 If $f$ is one-way, then $B$ is a hard-core predicate for $f$.

Given $f_i(x)$ and $y$, it is required to compute the XOR of the bits of $x$ indicated by $y$.

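The following two statements are equivalent:
1. For every PPA $A$ and polynomial $P$, there is $k_0$ such that for all $k \ge k_0$:
   $$\mathrm{prob}(A(i, f_i(x)) = B_i(x) : i \leftarrow I_k,\ x \leftarrow X_i) \le \frac{1}{2} + \frac{1}{P(k)}$$
2. For every PPA $A$ and polynomials $Q$ and $R$, there is $k_0$ such that for all $k \ge k_0$,
   $$\mathrm{prob}\left(\left\{i \in I_k \;\middle|\; \mathrm{prob}(A(i, f_i(x)) = B_i(x) : x \leftarrow X_i) > \frac{1}{2} + \frac{1}{Q(k)}\right\}\right) \le \frac{1}{R(k)}.$$
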
Proof. (2) ⇒ (1): easy.
(1) ⇒ (2):
Let $p_i = \mathrm{prob}(A(i, f_i(x)) = B(i, x) : x \leftarrow X_i)$.
We partition $I_k = G \cup N_1 \cup N_2 \cup B$, where

$$\begin{aligned}
G &= \{i \in I_k \mid p_i > 1/2 + 1/Q(k)\} \\
N_1 &= \{i \in I_k \mid 1/2 + 1/(2R(k)Q(k)) < p_i \le 1/2 + 1/Q(k)\} \\
N_2 &= \{i \in I_k \mid 1/2 - 1/(2R(k)Q(k)) < p_i \le 1/2 + 1/(2R(k)Q(k))\} \\
B &= \{i \in I_k \mid p_i \le 1/2 - 1/(2R(k)Q(k))\}
\end{aligned}$$

Assume that (2) is not true, that is, $\mathrm{prob}(G) > 1/R(k)$.

For every polynomial $L$, there exists PPA $E$,

$$\forall i \in I_k,\ \mathrm{prob}(|E(i) - p_i| < 1/(2R(k)Q(k))) > 1 - 1/L(k) = \delta.$$

We can construct $A(i, \cdot)$ as follows:
Input: $f_i(x)$; ($x \leftarrow X_i$)
1. Run $E(i)$ to compute $p_i$ for estimating $p_i$.
2. If $p_i \ge 1/2$, output $A(i, f_i(x))$;
   if $p_i < 1/2$, output $1 - A(i, f_i(x))$.

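$$\begin{aligned}
&\mathrm{prob}(A(i, f_i(x)) = B(i, x) : i \leftarrow I_k,\ x \leftarrow X_i) \\
&= \mathrm{prob}(A(i, f_i(x)) = B(i, x) : x \leftarrow X_i \mid i \in G) \cdot \mathrm{prob}(G) \\
&\quad + \mathrm{prob}(A(i, f_i(x)) = B(i, x) : x \leftarrow X_i \mid i \in N_1) \cdot \mathrm{prob}(N_1) \\
&\quad + \mathrm{prob}(A(i, f_i(x)) = B(i, x) : x \leftarrow X_i \mid i \in N_2) \cdot \mathrm{prob}(N_2) \\
&\quad + \mathrm{prob}(A(i, f_i(x)) = B(i, x) : x \leftarrow X_i \mid i \in B) \cdot \mathrm{prob}(B) \\
&\ge \delta\left(\tfrac{1}{2} + \tfrac{1}{Q(k)}\right) \cdot \mathrm{prob}(G) + \delta\left(\tfrac{1}{2} + \tfrac{1}{2R(k)Q(k)}\right) \cdot \mathrm{prob}(N_1) \\
&\quad + \left(\tfrac{1}{2} - \tfrac{1}{2R(k)Q(k)}\right) \cdot \mathrm{prob}(N_2) + \delta\left(\tfrac{1}{2} + \tfrac{1}{2R(k)Q(k)}\right) \cdot \mathrm{prob}(B) \\
&\ge \delta\left(\left(\tfrac{1}{2} + \tfrac{1}{Q(k)}\right)\tfrac{1}{R(k)} + \left(\tfrac{1}{2} - \tfrac{1}{2R(k)Q(k)}\right)\left(1 - \tfrac{1}{R(k)}\right)\right) \\
&\ge \delta\left(\tfrac{1}{2} + \tfrac{1}{2Q(k)R(k)}\right) \\
&\ge \tfrac{1}{2} + \tfrac{1}{3Q(k)R(k)}
\end{aligned}$$

where we set $L(k) = 4Q(k)R(k)$ and $P(k) = 3Q(k)R(k)$. □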