Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function


1
Foundations of Cryptography, Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function
  • Lecturer: Moni Naor
  • Weizmann Institute of Science

2
Recap
  • Key idea of cryptography: use the intractability of some problems to create secure systems.
  • The Identification Problem
  • Shannon and Min Entropies
  • One-way functions
  • Solution to the identification problem with multiple verifiers
  • Cryptographic reductions: using one adversary to create another

3
Rigorous Specification of Security
  • To define the security of a system, must specify:
  • What constitutes a failure of the system
  • The power of the adversary
      • computational
      • access to the system
  • What it means to break the system.

Why is this more relevant in cryptography than other realms?

4
Function and inversions
  • We say that a function f is hard to invert if given $y = f(x)$ it is hard to find $x'$ such that $y = f(x')$
  • $x'$ need not be equal to $x$
  • We will use $f^{-1}(y)$ to denote the set of preimages of y
  • To discuss "hard", must specify a computational model
  • Use two flavors:
      • Concrete
      • Asymptotic

5
Computational Models
  • Asymptotic: Turing Machines with random tape
  • For classical models: precise model does not matter up to polynomial factor

[Figure: Turing machine with a random tape and an input tape]
Both the algorithm for evaluating f and the adversary are modeled by PTM

6
One-way functions - asymptotic
  • A function $f: \{0,1\}^* \to \{0,1\}^*$ is called a one-way function if
  • f is a polynomial-time computable function
  • Also polynomial relationship between input and output length
  • for every probabilistic polynomial-time algorithm A, every positive polynomial p(·), and all sufficiently large n's
  • $\Pr[A(f(x)) \in f^{-1}(f(x))] \le 1/p(n)$
  • where x is chosen uniformly in $\{0,1\}^n$ and the probability is also over the internal coin flips of A

7
Computational Models
  • Concrete: Boolean circuits (example)
  • precise model makes a difference
  • Time = circuit size

[Figure: labels Input, Output]

8
One-way functions - concrete version
  • A function $f: \{0,1\}^n \to \{0,1\}^n$ is called a $(t, \varepsilon)$ one-way function if
  • f is a polynomial-time computable function (independent of t)
  • for every t-time algorithm A,
  • $\Pr[A(f(x)) \in f^{-1}(f(x))] \le \varepsilon$
  • where x is chosen uniformly in $\{0,1\}^n$ and the probability is also over the internal coin flips of A
  • Can either think of t and $\varepsilon$ as being fixed or as $t(n)$, $\varepsilon(n)$

Boolean circuit
9
The two guards problem
  • If Alice wants to approve and Eve does not interfere, Bob moves to state Y
  • If Alice does not approve, then for any behavior from Eve and Charlie, Bob stays in N
  • Similarly if Bob and Charlie are switched

[Figure: Alice, Bob, Charlie and Eve]

10
Are one-way functions essential to the two guards
password problem?
  • Precise definition:
  • for every probabilistic polynomial-time algorithm A controlling Eve and Charlie,
  • every polynomial p(·),
  • and all sufficiently large n's
  • $\Pr[\text{Bob moves to Y} \mid \text{Alice does not approve}] \le 1/p(n)$
  • Recall observation: what Bob and Charlie received in the setup phase might as well be public
  • Claim: can get rid of interaction
  • given an interactive identification protocol, possible to construct a noninteractive one. In the new protocol:
  • Alice sends Bob the random bits Alice used to generate the setup information
  • Bob simulates the conversation between Alice and Bob in the original protocol and accepts only if simulated Bob accepts.
  • Probability of cheating is the same

11
One-way functions are essential to the two guards
password problem
  • Are we done? Given a noninteractive identification protocol, want to define a one-way function
  • Define f(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie
  • Problem: the function f(r) is not necessarily one-way
  • Can be unlikely ways to generate it. Can be exploited to invert.
  • Example: Alice chooses $x, x' \in \{0,1\}^n$; if $x' = 0^n$ set $y = x$, o.w. set $y = f(x)$
  • The protocol is still secure, but with probability $1/2^n$ not complete
  • The resulting function $f'(x, x')$ is easy to invert:
  • given $y \in \{0,1\}^n$ set inverse as $(y, 0^n)$

12
One-way functions are essential to the two guards
password problem
  • However: possible to estimate the probability that Bob accepts on a given string from Alice
  • Should be close to 1 for most r
  • Second attempt: define function f(r) as
  • the mapping that Alice does in the setup phase between her random bits r and the information given to Bob and Charlie,
  • plus a bit indicating whether the probability that Bob accepts given r is greater than 2/3
  • Theorem: the two guards password problem has a solution if and only if one-way functions exist

Arbitrary
13
Examples of One-way functions
  • Examples of hard problems
  • Subset sum
  • Discrete log
  • Factoring (numbers, polynomials) into prime
    components
  • How do we get a one-way function out of them?

Easy problem
14
Subset Sum
  • Subset sum problem: given
  • n numbers $0 \le a_1, a_2, \ldots, a_n < 2^m$
  • Target sum T
  • Find subset $S \subseteq \{1,\ldots,n\}$ with $\sum_{i \in S} a_i = T$
  • (n,m)-subset sum assumption: for uniformly chosen
  • $a_1, a_2, \ldots, a_n \in_R [0, 2^m - 1]$ and $S \subseteq \{1,\ldots,n\}$
  • For any probabilistic polynomial time algorithm, the probability of finding $S' \subseteq \{1,\ldots,n\}$ such that
  • $\sum_{i \in S} a_i = \sum_{i \in S'} a_i$
  • is negligible, where the probability is over the random choice of the $a_i$'s, S and the inner coin flips of the algorithm
  • Not true for very small or very large m. Most difficult case: $m = n$
  • Subset sum one-way function $f: \{0,1\}^{mn+n} \to \{0,1\}^{mn+m}$
  • $f(a_1, a_2, \ldots, a_n, b_1, b_2, \ldots, b_n) = (a_1, a_2, \ldots, a_n, \sum_{i=1}^{n} b_i a_i \bmod 2^m)$
15
Exercise
  • Show a function f such that
  • if f is polynomial time invertible on all inputs, then P = NP
  • f is not one-way

16
Discrete Log Problem
  • Let G be a group and g an element in G.
  • Let $y = g^z$ and x the minimal non-negative integer satisfying the equation.
  • x is called the discrete log of y to base g.
  • Example: $y = g^x \bmod p$ in the multiplicative group of $Z_p$
  • In general: easy to exponentiate via repeated squaring
  • Consider binary representation
  • What about discrete log?
  • If difficult, $f(g, x) = (g, g^x)$ is a one-way function

17
Integer Factoring
  • Consider $f(x, y) = x \cdot y$
  • Easy to compute
  • Is it one-way?
  • No: if f(x,y) is even, can set inverse as $(f(x,y)/2, 2)$
  • If factoring a number into prime factors is hard:
  • Specifically, given $N = P \cdot Q$, the product of two random large (n-bit) primes, it is hard to factor
  • Then somewhat hard: there are a non-negligible fraction of such numbers ($1/n^2$, from the density of primes)
  • Hence a weak one-way function
  • Alternatively:
  • let g(r) be a function mapping random bits into random primes.
  • The function $f(r_1, r_2) = g(r_1) \cdot g(r_2)$ is one-way

Why is it polynomial time computable?
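
An added example (not from the original slides) for the two points above: it measures how often the even-output inverter succeeds on random n-bit pairs, and gives one possible g(r) that scans r in n-bit chunks for a prime. The chunk-scanning rule, the function names and the fixed Miller-Rabin bases are assumptions made for illustration.

```python
import random

def trivial_inverter(z):
    """The slide's inverter for f(x, y) = x*y: if z is even, (z/2, 2) is a preimage."""
    return (z // 2, 2) if z % 2 == 0 else None

def trivial_success_rate(n_bits, trials, seed=0):
    """Fraction of uniformly random n-bit pairs (x, y) on which the inverter succeeds."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        z = rng.getrandbits(n_bits) * rng.getrandbits(n_bits)
        inv = trivial_inverter(z)
        hits += inv is not None and inv[0] * inv[1] == z
    return hits / trials

def is_prime(m):
    """Miller-Rabin with the first 12 primes as bases (deterministic below 3.3e24)."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if m < 2:
        return False
    for p in bases:
        if m % p == 0:
            return m == p
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def g(r, n_bits):
    """Map bit string r to an n-bit prime: the first n-bit chunk of r that is a prime
    with its top bit set. Each chunk costs poly(n); returns None if r runs out."""
    for i in range(0, len(r) - n_bits + 1, n_bits):
        cand = int(r[i:i + n_bits], 2)
        if cand >> (n_bits - 1) and is_prime(cand):
            return cand
    return None
```

The measured rate is close to 3/4 because the product is odd only when both factors are odd, while a product of two primes returned by `g` (for n_bits > 2) is always odd, so the inverter never applies to it.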
18
Weak One-way function
  • A function $f: \{0,1\}^n \to \{0,1\}^n$ is called a weak one-way function if
  • f is a polynomial-time computable function
  • There exists a polynomial p(·) such that for every probabilistic polynomial-time algorithm A, and all sufficiently large n's
  • $\Pr[A(f(x)) \in f^{-1}(f(x))] \le 1 - 1/p(n)$
  • where x is chosen uniformly in $\{0,1\}^n$ and the probability is also over the internal coin flips of A

19
Exercise: weak exist if strong exists
  • Show that if strong one-way functions exist, then there exists a function which is a weak one-way function but not a strong one

20
What about the other direction?
  • Given
  • a function f that is guaranteed to be a weak one-way
  • Let p(n) be such that $\Pr[A(f(x)) \in f^{-1}(f(x))] \le 1 - 1/p(n)$
  • can we construct a function g that is (strong) one-way?
  • An instance of a hardness amplification problem
  • Simple idea: repetition. For some polynomial q(n) define
  • $g(x_1, x_2, \ldots, x_{q(n)}) = f(x_1), f(x_2), \ldots, f(x_{q(n)})$
  • To invert g need to succeed in inverting f in all q(n) places
  • If $q(n) = p^2(n)$ seems unlikely: $(1 - 1/p(n))^{p^2(n)} \approx e^{-p(n)}$
  • But how do we show? Sequential repetition intuition: not a proof.

21
Want: inverting g with low probability implies inverting f with high probability
  • Given a machine B that inverts g, want a machine B'
  • operating in similar time bounds
  • inverts f with high probability
  • Idea: given $y = f(x)$ plug it in some place in g and generate the rest of the locations at random
  • $z = (y, f(x_2), \ldots, f(x_{q(n)}))$
  • Ask machine B to invert g at point z
  • Probability of success should be at least (exactly) B's probability of inverting g at a random point
  • Once is not enough
  • How to amplify?
  • Repeat while keeping y fixed
  • Put y at random position (or sort the inputs to g)

22
Proof of Amplification for Repetition of Two
  • Concentrate on a two-repetition: $g(x_1, x_2) = f(x_1), f(x_2)$
  • Goal: show that the probability of inverting g is roughly squared the probability of inverting f
  • just as would be sequentially
  • Claim:
  • Let $\alpha(n)$ be a function that for some p(n) satisfies
  • $1/p(n) \le \alpha(n) \le 1 - 1/p(n)$
  • Let $\varepsilon(n)$ be any inverse polynomial function
  • suppose that for every polynomial time A and sufficiently large n
  • $\Pr[A(f(x)) \in f^{-1}(f(x))] \le \alpha(n)$
  • Then for every polynomial time B and sufficiently large n
  • $\Pr[B(g(x_1, x_2)) \in g^{-1}(g(x_1, x_2))] \le \alpha^2(n) + \varepsilon(n)$

23
Proof of Amplification for Two Repetition
  • Given a better than $\alpha^2 + \varepsilon$ algorithm B for inverting g, construct the following:
  • B'(y): Inversion algorithm for f
  • Repeat t times
      • Choose x' at random and compute $y' = f(x')$
      • Run $B(y, y')$.
      • Check the results
      • If correct: Halt with success
  • Output failure

Inner loop
Helpful for constructive algorithm
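
An added toy run of the inverter B' described on this slide (not part of the original lecture). The function f, the parameters p = 101 and g = 2, and the adversary B with its lookup table are all constructed for illustration: B inverts the two-repetition g with probability 1/4, and the B' built from it inverts f with probability about 1/2.

```python
import random

P, G = 101, 2          # constructed toy parameters: 2 generates Z_101^*
N = P - 1              # f is a bijection from {0..N-1} onto {1..P-1}

def f(x):
    return pow(G, x, P)

def g(x1, x2):
    """Two-repetition of f."""
    return (f(x1), f(x2))

# Hypothetical adversary B for g: it knows preimages for half of f's range and
# answers only when BOTH coordinates fall in that half.
_KNOWN = {f(x): x for x in range(N // 2)}

def B(y1, y2):
    if y1 in _KNOWN and y2 in _KNOWN:
        return (_KNOWN[y1], _KNOWN[y2])
    return None

def B_prime(y, t, rng):
    """The slide's inverter for f, built from B."""
    for _ in range(t):                          # repeat t times
        y2 = f(rng.randrange(N))                # choose x' at random, y' = f(x')
        guess = B(y, y2)                        # run B(y, y')
        if guess is not None and g(*guess) == (y, y2):   # check the result
            return guess[0]                     # halt with success
    return None                                 # output failure

def rate_B():
    """Exact success probability of B on g, over all (x1, x2)."""
    ok = 0
    for x1 in range(N):
        for x2 in range(N):
            r = B(*g(x1, x2))
            ok += r is not None and g(*r) == g(x1, x2)
    return ok / N ** 2

def rate_B_prime(t=40, seed=1):
    """Success rate of B' on f, over all x."""
    rng = random.Random(seed)
    ok = 0
    for x in range(N):
        r = B_prime(f(x), t, rng)
        ok += r is not None and f(r) == f(x)
    return ok / N
```

In this toy the set of y on which the inner loop succeeds with noticeable probability is exactly B's known half of the range, so the success probability on f is the square root of the success probability on g.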
24
Probability of Success
  • Define
  • $S = \{\, y = f(x) \mid \Pr[\text{Inner loop successful} \mid y] > \beta \,\}$
  • Since the choices of the x' are independent
  • $\Pr[B' \text{ succeeds} \mid y \in S] > 1 - (1 - \beta)^t$
  • Taking $t = n/\beta$ means that when $y \in S$ almost surely B' will invert it
  • Hence want to show that $\Pr[y \in S] > \alpha(n)$
  • Probability is over the choice of x

25
The success of B
  • Fix the random bits of B.
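  • Define $P = \{(y_1, y_2) \mid B \text{ succeeds on } (y_1, y_2)\}$
  • $P = P \cap \{(y_1, y_2) \mid y_1, y_2 \in S\}$
  • $\cup\; P \cap \{(y_1, y_2) \mid y_1 \notin S\}$
  • $\cup\; P \cap \{(y_1, y_2) \mid y_2 \notin S\}$

[Figure: the set P over axes y1 and y2, with the well behaved part marked. Want to bound P by a square.]
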
26
S is the only success...
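  • But
  • $\Pr[B(y_1, y_2) \in g^{-1}(y_1, y_2) \mid y_1 \notin S] \le \beta$
  • and similarly
  • $\Pr[B(y_1, y_2) \in g^{-1}(y_1, y_2) \mid y_2 \notin S] \le \beta$
  • so
  • $\Pr[(y_1, y_2) \in P \text{ and } y_1, y_2 \in S]$
  • $\ge \Pr[(y_1, y_2) \in P] - 2\beta$
  • $\ge \alpha^2 + \varepsilon - 2\beta$
  • Setting $\beta = \varepsilon/3$ we have
  • $\Pr[(y_1, y_2) \in P \text{ and } y_1, y_2 \in S] \ge \alpha^2 + \varepsilon/3$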

27
Contradiction
  • But
  • $\Pr[(y_1, y_2) \in P \text{ and } y_1, y_2 \in S]$
  • $\le \Pr[y_1 \in S] \cdot \Pr[y_2 \in S]$
  • $= \Pr^2[y \in S]$
  • So
  • $\Pr[y \in S] \ge \sqrt{\alpha^2 + \varepsilon/3} > \alpha$

28
Is there an ultimate one-way function? (aka universal)
  • Short of showing that P ≠ NP implies the existence of one-way functions,
  • can we show a specific function f so that if some one-way exists, then f is one-way
  • If $f_1: \{0,1\}^* \to \{0,1\}^*$ and $f_2: \{0,1\}^* \to \{0,1\}^*$ are guaranteed to
  • Be polynomial time computable
  • At least one of them is one-way.
  • then can construct a function $g: \{0,1\}^* \to \{0,1\}^*$ which is one-way
  • $g(x_1, x_2) = (f_1(x_1), f_2(x_2))$

Robust Combiner
Can generalize to a 1-out-m combiner
29
The Construction
  • If a $5n^2$ time one-way function is guaranteed to exist, can construct an $O(n^2 \log n)$ one-way function g
  • Idea: enumerate Turing Machines and make sure they run $5n^2$ steps
  • $g(x_1, x_2, \ldots, x_{\log n}) = M_1(x_1), M_2(x_2), \ldots, M_{\log n}(x_{\log n})$
  • Eventually get to the TM of the one-way function
  • If a one-way function is guaranteed to exist, then there exists a $5n^2$ time one-way
  • Idea: concentrate on the prefix, ignore the rest
n where np(n)
30
Ultimate one-way function: conclusions
  • Original proof due to L. Levin
  • Be careful what you wish for
  • Problem with resulting one-way function:
  • Cannot learn about behavior on large inputs from small inputs
  • Whole rationale of considering asymptotic results is eroded!
  • Construction does not work for non-uniform one-way functions
  • Notion of robust combiner seems fundamental
  • See: Robust Combiners for Oblivious Transfer and Other Primitives, by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005

31
Distributionally One-Way Functions
  • A function $f: \{0,1\}^* \to \{0,1\}^*$ is one-way if
  • it is computable in poly-time
  • the probability of successfully finding an inverse in poly-time is negligible (on a random input)
  • A function $f: \{0,1\}^* \to \{0,1\}^*$ is distributionally one-way if
  • it is computable in poly-time
  • No poly-time algorithm can successfully find a random inverse (on a random input)
  • Distribution on inverting algorithm far from uniform on the pre-images
  • Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exist

Example function from two guard problem