Title: Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function
1Foundations of CryptographyLecture 2 One-way
functions are essential for identification.
Amplification from weak to strong one-way
function
- Lecturer Moni Naor
- Weizmann Institute of Science
2Recap
- Key Idea of Cryptography use the intractability
of some problems to create secure system. - The Identification Problem
- Shannon and Min Entropies
- One-way functions
- Solution to the identification problem with
multiple verifiers - Cryptographic Reductions using one adversary to
create another
3Rigorous Specification of Security
- To define security of a system must specify
- What constitute a failure of the system
- The power of the adversary
- computational
- access to the system
- what it means to break the system.
Why is this more relevant in cryptography than
other realms?
4Function and inversions
- We say that a function f is hard to invert if
given yf(x) it is hard to find x such that
yf(x) - x need not be equal to x
- We will use f-1(y) to denote the set of preimages
of y - To discuss hard must specify a computational
model - Use two flavors
- Concrete
- Asymptotic
5Computational Models
- Asymptotic Turing Machines with random tape
- For classical models precise model does not
matter up to polynomial factor
Random tape
0
0
0
1
1
1
1
Both algorithm for evaluating f and the adversary
are modeled by PTM
Input tape
6One-way functions - asymptotic
- A function f 0,1 ? 0,1 is called a
one-way function, if - f is a polynomial-time computable function
- Also polynomial relationship between input and
output length - for every probabilistic polynomial-time algorithm
A, every positive polynomial p(.), and all
sufficiently large ns - Prob A(f(x)) ? f-1(f(x)) 1/p(n)
-
- Where x is chosen uniformly in 0,1n and the
probability is also over the internal coin flips
of A
7Computational Models
- Concrete Boolean circuits (example)
- precise model makes a difference
- Time circuit size
Input
Output
8One-way functions concrete version
- A function f0,1n ? 0,1n is called a (t,e)
one-way function, if - f is a polynomial-time computable function
(independent of t) - for every t-time algorithm A,
- ProbA(f(x)) ? f-1(f(x)) e
- Where x is chosen uniformly in 0,1n and the
probability is also over the internal coin flips
of A - Can either think of t and e as being fixed or as
t(n), e(n)
Boolean circuit
9The two guards problem
- If Alice wants to approve and Eve does not
interfere Bob moves to state Y - If Alice does not approve, then for any behavior
from Eve and Charlie, Bob stays in N - Similarly if Bob and Charlie are switched
Charlie
Alice
Bob
Eve
10Are one-way functions essential to the two guards
password problem?
- Precise definition
- for every probabilistic polynomial-time algorithm
A controlling Eve and Charlie - every polynomial p(.),
- and all sufficiently large ns
- ProbBob moves to Y Alice does not approve
1/p(n) - Recall observation what Bob and Charlie
received in the setup phase might as well be
public - Claim can get rid of interaction
- given an interactive identification protocol
possible to construct a noninteractive one. In
the new protocol - Alice sends Bob the random bits Alice used to
generate the setup information - Bob simulates the conversation between Alice and
Bob in original protocol and accepts only if
simulated Bob accepts. - Probability of cheating is the same
11One-way functions are essential to the two guards
password problem
- Are we done? Given a noninteracive
identification protocol want to define a one-way
function - Define f(r) the setup phase mapping between the
random bits r of Alice and the information y
given to Bob and Charlie - Problem the function f(r) is not necessarily
one-way - Can be unlikely ways to generate it. Can be
exploited to invert. - Example Alice chooses x, x? 0,1n if x 0n
set yx o.w. set yf(x) - The protocol is still secure, but with
probability 1/2n not complete - The resulting function f(x,x) is easy to invert
- given y ?0,1n set inverse as (y, 0n )
12One-way functions are essential to the two guards
password problem
- However possible to estimate the probability
that Bob accepts on a given string from Alice - Should be close to 1 for most r
- Second attempt define function f(r) as
- the mapping that Alice does in the setup phase
between her random bits r and the information
given to Bob and Charlie, - plus a bit indicating whether probability of Bob
accepts given r is greater than 2/3 -
- Theorem the two guards password problem has a
solution if and only if one-way functions exist
Arbitrary
13Examples of One-way functions
- Examples of hard problems
- Subset sum
- Discrete log
- Factoring (numbers, polynomials) into prime
components - How do we get a one-way function out of them?
Easy problem
14Subset Sum
- Subset sum problem given
- n numbers 0 a1, a2 ,, an 2m
- Target sum T
- Find subset S? 1,...,n ? i ?S ai,T
- (n,m)-subset sum assumption for uniformly chosen
- a1, a2 ,, an ?R0,2m -1 and S? 1,...,n
- For any probabilistic polynomial time algorithm,
the probability of finding S?1,...,n such that
- ? i ?S ai ? i ?S ai
- is negligible, where the probability is over the
random choice of the ais, S and the inner coin
flips of the algorithm - Not true for very small or very large m. most
difficult case mn - Subset sum one-way function f0,1mnn ?
0,1mnm - f(a1, a2 ,, an , b1, b2 ,, bn )
- (a1, a2 ,, an , ? i1n bi ai mod 2m )
15Exercise
- Show a function f such that
- if f is polynomial time invertible on all
inputs, then PNP - f is not one-way
16Discrete Log Problem
- Let G be a group and g an element in G.
- Let ygz and x the minimal non negative
- integer satisfying the equation.
- x is called the discrete log of y to base g.
- Example ygx mod p in the multiplicative group
of Zp - In general easy to exponentiate via repeated
squaring - Consider binary representation
- What about discrete log?
- If difficult, f(g,x) (g, gx ) is a one-way
function
17Integer Factoring
- Consider f(x,y) x y
- Easy to compute
- Is it one-way?
- No if f(x,y) is even, can set inverse as
(f(x,y)/2,2) - If factoring a number into prime factors is hard
- Specifically given N P Q , the product of two
random large (n-bit) primes, it is hard to factor - Then somewhat hard there are a non-negligible
fraction of such numbers 1/n2 from the
density of primes - Hence a weak one-way function
- Alternatively
- let g(r) be a function mapping random bits into
random primes. - The function f(r1,r2) g(r1) g(r2) is one-way
Why is it polynomial time computable?
18Weak One-way function
- A function f 0,1n ? 0,1n is called a weak
one-way function, if - f is a polynomial-time computable function
- There exists a polynomial p(), for every
probabilistic polynomial-time algorithm A, and
all sufficiently large ns - ProbAf(x) ? f-1(f(x)) 1-1/p(n)
-
- Where x is chosen uniformly in 0,1n and the
probability is also over the internal coin flips
of A
19Exercise weak exist if strong exists
- Show that if strong one-way functions exist, then
there exists a a function which is a weak one-way
function but not a strong one
20What about the other direction?
- Given
- a function f that is guaranteed to be a weak
one-way - Let p(n) be such that ProbAf(x) ? f-1(f(x))
1-1/p(n) - can we construct a function g that is (strong)
one-way? - An instance of a hardness amplification problem
- Simple idea repetition. For some polynomial q(n)
define - g(x1, x2 ,, xq(n) )f(x1), f(x2), , f(xq(n))
- To invert g need to succeed in inverting f in all
q(n) places - If q(n) p2(n) seems unlikely (1-1/p(n))p2(n)
e-p(n) - But how to we show? Sequential repetition
intuition not a proof.
21Want Inverting g with low probability implies
inverting f with high probability
- Given a machine B that inverts g want a machine
B - operating in similar time bounds
- inverts f with high probability
- Idea given yf(x) plug it in some place in g and
generate the rest of the locations at random - z(y, f(x2), , f(xq(n)))
- Ask machine B to invert g at point z
- Probability of success should be at least
(exactly) Bs Probability of inverting g at a
random point - Once is not enough
- How to amplify?
- Repeat while keeping y fixed
- Put y at random position (or sort the inputs to
g )
22Proof of Amplification for Repetition of Two
- Concentrate on a two-repetition g(x1, x2
)f(x1), f(x2) - Goal show that the probability of inverting g is
roughly squared the probability of inverting f - just as would be sequentially
- Claim
- Let ?(n) be a function that for some
p(n) satisfies - 1/p(n) ?(n) 1-1/p(n)
- Let e(n) be any inverse polynomial
function - suppose that for every polynomial
time A and sufficiently large n - ProbAf(x) ? f-1(f(x)) ?(n)
- Then for every polynomial time B and
sufficiently large n - ProbBg(x1, x2 ) ? g-1(g(x1, x2 )) ?2(n)
e(n)
23Proof of Amplification for Two Repetition
- Given a better than ?2e algorithm B for
inverting g construct the following - B(y) Inversion algorithm for f
- Repeat t times
- Choose x at random and compute yf(x)
- Run B(y,y).
- Check the results
- If correct Halt with success
- Output failure
Inner loop
Helpful for constructive algorithm
24Probability of Success
- Define
- Syf(x) ProbInner loop successful y gt ß
- Since the choices of the x are independent
- ProbB succeeds y?S gt 1-(1- ß)t
- Taking t n/ß means that when y?S almost surely
B will invert it - Hence want to show that Prob y?S gt ?(n)
- Probability is over the choice of x
25The success of B
- Fix the random bits of B.
- Define P(y1, y2) B succeeds on (y1,y2)
- P P ? (y1,y2 ) y1,y2 ?S
- ? P ? (y1,y2 ) y1 ?S
- ? P ? (y1,y2 ) y2 ?S
y1
Well behaved part
y2
Want to bound P by a square
P
26S is the only success...
- But
- ProbBy1, y2 ? g-1(y1, y2) y1 ? S ß
- and similarly
- ProbBy1, y2 ? g-1(y1, y2) y2 ? S ß
- so
- Prob(y1, y2) ? P and y1,y2 ? S
- Prob(y1, y2) ? P - 2ß
- ?2 e - 2ß
- Setting ß e/3 we have
- Prob(y1, y2) ?P and y1,y2 ? S ?2 e/3
27Contradiction
- But
- Prob(y1, y2) ?P and y1,y2 ?S
- Proby1 ?S Proby2 ?S
- Prob2y ?S
- So
- Proby ?S v(a2 e/3) gt a
28Is there an ultimate one-way function?aka
universal
- Short of showing that P?NP implies the existence
of one-way functions, - can we show a specific function f so that if some
one-way exists, then f is one-way - If f10,1 ? 0,1 and f20,1 ? 0,1 are
guaranteed to - Be polynomial time computable
- At least one of them is one-way.
- then can construct a function g0,1 ? 0,1
which is one-way - g(x1, x2 ) (f1(x1),f2 (x2 ))
Robust Combiner
Can generalizes to a 1-out-m combiner
29The Construction
- If a 5n2 time one-way function is guaranteed to
exist, can construct an O(n2 log n) one-way
function g - Idea enumerate Turing Machine and make sure they
run 5n2 steps - g(x1, x2 ,, xlog (n) )M1(x1), M2(x2), , Mlog
n(xlog (n)) - Eventually get to the TM of the one-way function
- If a one-way function is guaranteed to exist,
then there exists a 5n2 time one-way - Idea concentrate on the prefix, ignore the rest
n where np(n)
30Ultimate one-way function conclusions
- Original proof due to L. Levin
- Be careful what you wish for
- Problem with resulting one-way function
- Cannot learn about behavior on large inputs from
small inputs - Whole rational of considering asymptotic results
is eroded! - Construction does not work for non-uniform
one-way functions - Notion of robust combiner seems fundamental
- See Robust Combiners for Oblivious Transfer and
Other Primitives by Harnik, Kilian, Naor,
Reingold and Rosen, Eurocrypt 2005
31Distributionally One-Way Functions
- A function f0,1 ? 0,1 is one-way if
- it is computable in poly-time
- the probability of successfully finding an
inverse in poly-time is negligible (on a random
input) - A function f 0,1 ? 0,1 is distributionally
one-way if - it is computable in poly-time
- No poly-time algorithm can successfully find a
random inverse (on a random input) - Distribution on inverting algorithm far from
uniform on the pre-images - Theorem Impagliazzo Luby 89 distributionally
one-way functions exist iff one-way functions
exists
Example function from two guard problem