Foundations of Cryptography Lecture 2

1
Foundations of CryptographyLecture 2

• Lecturer Moni Naor

2
Recap of last weeks lecture

• Key idea of cryptography use the intractability
  of some problems for the advantage of
  constructing secure system
• The identification problem
• Shannon Entropy and Min Entropy
• Good source on Information Theory
• T. Cover and J. A. Thomas, Elements of
  Information Theory
• One-way functions

3
Are one-way functions essential to the two guards
password problem?

• Precise definition
• for every probabilistic polynomial-time algorithm
  A controlling Eve and Charlie
• every polynomial p(.),
• and all sufficiently large ns
• ProbBob moves Y Alice does not approve
  1/p(n)
• Recall observation what Bob and Charlie
  received in the setup phase might as well be
  public
• Claim can get rid of interaction
• given an interactive identification protocol
  possible to construct a noninteractive one. In
  new protocol
• Alice sends Bob the random bits Alice used to
  generate the setup information
• Bob simulates the conversation between Alice
  and Bob in original protocol and accepts only if
  simulated Bob accepts.
• Probability of cheating is the same

4
One-way functions are essential to the two guards
password problem

• Are we done? Given a noninteracive
  identification protocol want to define a one-way
  function
• Define function f(r) as the mapping that Alice
  does in the setup phase between her random bits r
  and the information y given to Bob and Charlie
• Problem the function f(r) is not necessarily
  one-way
• Can be unlikely ways to generate it. Can be
  exploited to invert.
• Example Alice chooses x, x? 0,1n if x 0n
  set yx o.w. set yf(x)
• The protocol is still secure, but with
  probability 1/2n not complete
• The resulting function f(x,x) is easy to invert
  
• given y ?0,1n set inverse as (y, 0n )

5
One-way functions are essential to the two guards
password problem

• However possible to estimate the probability
  that Bob accepts on a given string from Alice
• Second attempt define function f(r) as
• the mapping that Alice does in the setup phase
  between her random bits r and the information
  given to Bob and Charlie,
• plus a bit indicating that probability of Bob
  accepts given r is greater than 2/3
• Theorem the two guards password problem has a
  solution if and only if one-way functions exist

6
Examples of One-way functions

• Examples of hard problems
• Subset sum
• Discrete log
• Factoring (numbers, polynomials) into prime
  components
• How do we get a one-way function out of them?

Easy problem
7
Subset Sum

• Subset sum problem given
• n numbers 0 a1, a2 ,, an 2m
• Target sum T
• Find subset S? 1,...,n ? i ?S ai,T
• (n,m)-subset sum assumption for uniformly chosen
  
• a1, a2 ,, an ?R0,2m -1 and S? 1,...,n
• For any probabilistic polynomial time algorithm,
  the probability of finding S? 1,...,n such
  that
• ? i ?S ai ? i ?S ai
• is negligible, where the probability is over the
  random choice of the ais, S and the inner coin
  flips of the algorithm
• Subset sum one-way function f0,1mnn ? 0,1m
  
• f(a1, a2 ,, an , b1, b2 ,, bn )
• (a1, a2 ,, an , ? i1n bi ai mod 2m )

8
Homework

• Show that if the subset sum assumption holds,
  then the subset sum function is one-way
• Show that the hardest case is when nm
• If there is some function g such that for mg(n)
  the (n,g(n))- subset sum assumption holds, then
  the (n,n)- subset sum assumption holds
• Show a function f such that
• if f is polynomial time invertable on all
  inputs, then PNP
• f is not one-way

9
Discrete Log Problem

• Let G be a group and g an element in G.
• Let ygz and x the minimal non negative
• integer satisfying the equation.
• x is called the discrete log of y to base g.
• Example ygx mod p in the multiplicative group
  of Zp
• In general easy to exponentiate via repeated
  squaring
• Consider binary representation
• What about discrete log?
• If difficult, f(g,x) (g, gx ) is a one-way
  function

10
Integer Factoring

• Consider f(x,y) x y
• Easy to compute
• Is it one-way?
• No if f(x,y) is even can set inverse as
  (f(x,y)/2,2)
• If factoring a number into prime factors is hard
• Specifically given N P Q , the product of two
  random large (n-bit) primes, it is hard to factor
• Then somewhat hard there are a non-neglible
  fraction of such numbers 1/n2 from the
  density of primes
• Hence a weak one-way function
• Alternatively
• let g(r) be a function mapping random bits into
  random primes.
• The function f(r1,r2) g(r1) g(r2) is one-way

11
Weak One-way function

• A function f 0,1n ? 0,1n is called a weak
  one-way function, if
• f is a polynomial-time computable function
• There exists a polynomial p(.), for every
  probabilistic polynomial-time algorithm A, and
  all sufficiently large ns
• ProbAf(x) ? f-1(f(x)) 1-1/p(n)
• Where x is chosen uniformly in 0,1n and the
  probability is also over the internal coin flips
  of A

12
Homework weak exist if strong exists

• Show that if strong one-way functions exist, then
  there exists a a function which is a weak one-way
  function but not a strong one

13
What about the other direction?

• Given
• a function f that is guaranteed to be a weak
  one-way
• Let p(n) be such that ProbAf(x) ? f-1(f(x))
  1-1/p(n)
• can we construct a function g that is (strong)
  one-way?
• An instance of a hardness amplification problem
• Simple idea repetition. For some polynomial q(n)
  define
• g(x1, x2 ,, xq(n) )f(x1), f(x2), , f(xq(n))
• To invert g need to succeed in inverting f in all
  q(n) places
• If q(n) p2(n) seems unlikely (1-1/p(n))p2(n)
  e-p(n)
• But how to we show? Sequential repetition
  intuition not a proof.

14
Want Inverting g with low probability implies
inverting f with high probability

• Given an machine A that inverts g want a machine
  A
• operating in similar time bounds
• inverts f with high probability
• Idea given yf(x) plug it in some place in g and
  generate the rest of the locations at random
• z(y, f(x2), , f(xq(n)))
• Ask machine A to invert g at point z
• Probability of success should be at least
  (exactly) As Probability of inverting g at a
  random point
• Once is not enough
• How to amplify?
• Repeat while keeping y fixed
• Put y at random position (or sort the inputs to
  g )

15
Proof of Amplification for Repetition of Two

• Concentrate on repetition of two g(x1, x2
  )f(x1), f(x2)
• Goal show that the probability of inverting g is
  roughly squared the probability of inverting f
• just as would be sequentially
• Claim
• Let a(n) be a function that for some
  p(n) satisfies
• 1/p(n) a(n) 1-1/p(n)
• Let e(n) be any inverse polynomial
  function
• suppose that for every polynomial
  time A and sufficiently large n
• ProbAf(x) ? f-1(f(x)) a(n)
• Then for every polynomial time B and
  sufficiently large n
• ProbBg(x1, x2 ) ? g-1(g(x1, x2 )) a2(n)
  e(n)

16
Proof of Amplification for Two Repetition

• Suppose not, then given a better than a2 e
  algorithm B for g construct the following
• A(y) Inversion algorithm for f
• Repeat t times
• Choose x at random and compute yf(x)
• Run B(y,y).
• Check the results
• If correct Halt with success
• Output failure

Inner loop
17
Probability of Success

• Define
• Syf(x) ProbInner loop successful y gt ß
• Since the choices of the x are independent
• ProbA succeeds x?S gt 1-(1- ß)t
• Taking t n/ß means that when y?S almost surely
  A will invert it
• Hence want to show that Prob y?S gt a(n)

18
The success of B

• Fix the random bits of B. Define
• P(y1, y2) B succeeds on (y1,y2)

• P P ? (y1,y2 ) y1,y2 ?S
• ? P ? (y1,y2 ) y1 ?S
• ? P ? (y1,y2 ) y2 ?S

y1
y2
P
19
S is the only success..

• But
• ProbBy1, y2 ? g-1(y1, y2) y1 ?S ß
• and similarly
• ProbBy1, y2 ? g-1(y1, y2) y2 ?S ß
• so
• Prob(y1, y2) ?P and y1,y2 ?S
• Prob(y1, y2) ?P - 2ß
• a2 e - 2ß
• Setting ß e/3 we have
• Prob(y1, y2) ?P and y1,y2 ?S a2 e/3

20
Contradiction

• But
• Prob(y1, y2) ?P and y1,y2 ?S
• Proby1 ?S Proby2 ?S
• Prob2y ?S
• So
• Proby ?S v(a2 e/3) gt a