Lecturer: Moni Naor - PowerPoint PPT Presentation

About This Presentation
Title:

Lecturer: Moni Naor

Description:

... then it is a pseudo-random generator Subset sum problem ... the value of xi ri the number of locations where x and r are 1 ... (for any code with good ... – PowerPoint PPT presentation

Number of Views:49
Avg rating:3.0/5.0
Slides: 40
Provided by: acil150
Category:

less

Transcript and Presenter's Notes

Title: Lecturer: Moni Naor


1
Foundations of CryptographyLecture 8
Application of GL, Next-bit unpredictability,
Pseudo-Random Functions.
  • Lecturer Moni Naor

2
Recap of last weeks lecture
  • Hardcore Predicates and Pseudo-Random Generators
  • Inner product is a hardcore predicate for all
    functions
  • Proof via list decoding
  • Interpretations
  • Applications to Diffie-Hellman

3
Inner Product Hardcore bit
  • The inner product bit choose r ?R 0,1n let
  • h(x,r) r x ? xi ri mod 2
  • Theorem Goldreich-Levin for any one-way
    function the inner product is a hardcore
    predicate
  • Proof structure
  • Algorithm A for inverting f
  • There are many xs for which A returns a correct
    answer (r x) on ½e of the r s
  • Reconstruction algorithm R take an algorithm A
    that guesses h(x,r) correctly with probability
    ½e over the rs and output a list of candidates
    for x
  • No use of the y info by R (except feeding to A)
  • Choose from the list the/an x such that f(x)y

The main step!
4
Application if subset is one-way, then it is a
pseudo-random generator
  • Subset sum problem given
  • n numbers 0 a1, a2 ,, an 2m
  • Target sum y
  • Find subset S? 1,...,n ? i ?S ai,y
  • Subset sum one-way function f0,1mnn ?
    0,1mmn
  • f(a1, a2 ,, an , x1, x2 ,, xn )
  • (a1, a2 ,, an , ? i1n xi ai mod 2m )
  • If mltn then we get out less bits then we put in.
  • If mgtn then we get out more bits then we put in.
  • Theorem if for mgtn subset sum is a one-way
    function, then it is also a pseudo-random
    generator.

5
Subset Sum Generator
  • Idea of proof use the distinguisher A to compute
    r x
  • For simplicity do the computation mod P for
    large prime P
  • Given r ? 0,1n and (a1, a2 ,, an ,y)
  • Generate new problem (a1, a2 ,, an ,y)
  • Choose c ?R ZP
  • Let ai ai if ri0 and ai aic mod P if ri1
  • Guess k ?R 0,?,n - the value of ? xi ri
  • the number of locations where x and r are 1
  • Let y yc k mod P
  • Run the distinguisher A on (a1, a2 ,, an
    ,y)
  • output what A says Xored with parity(k)
  • Claim if k is correct, then (a1, a2 ,, an
    ,y) is ?R pseudo-random
  • Claim for any incorrect k (a1, a2 ,, an
    ,y) is ?R random
  • y z (k-h)c mod P where z ? i1n xi ai mod
    P and h? xi ri
  • Therefore probability to guess r x is 1/n(½e)
    (n-1)/n (½) ½e/n

ProbA0pseudo ½e
ProbA0random ½
Pseudo-random
random
correct k
Incorrect k
Probability over a1, a2 ,, an, x and r and
randomness
6
Interpretations of the Goldreich-Levin Theorem
  • A tool for constructing pseudo-random generators
  • The main part of the proof
  • A mechanism for translating general confusion
    into randomness
  • Diffie-Hellman example
  • List decoding of Hadamard Codes
  • works in the other direction as well (for any
    code with good list decoding)
  • List decoding, as opposed to unique decoding,
    allows getting much closer to distance
  • Explains unique decoding when prediction was
    3/4e
  • Finding all linear functions agreeing with a
    function given in a black-box
  • Learning all Fourier coefficients larger than e
  • If the Fourier coefficients are concentrated on a
    small set can find them
  • True for AC0 circuits
  • Decision Trees

7
Two important techniques for showing
pseudo-randomness
  • Hybrid argument
  • Next-bit prediction and pseudo-randomness

8
Hybrid argument
  • To prove that two distributions D and D are
    indistinguishable
  • suggest a collection of distributions
  • D D0, D1, Dk D
  • If D and D can be distinguished, then there is
    a pair Di and Di1 that can be distinguished.
  • Advantage e in distinguishing between D and D
    means advantage e/k between some Di and Di1
  • Use a distinguisher for the pair Di and Di1 to
    derive a contradiction

9
Composing PRGs
  • Composition
  • Let
  • g1 be a (l1, l2 )-pseudo-random generator
  • g2 be a (l2, l3)-pseudo-random generator
  • Consider g(x) g2(g1(x))
  • Claim g is a (l1, l3 )-pseudo-random generator
  • Proof consider three distributions on 0,1l3
  • D1 y uniform in 0,1l3
  • D2 yg(x) for x uniform in 0,1l1
  • D3 yg2(z) for z uniform in 0,1l2
  • By assumption there is a distinguisher A between
    D1 and D2
  • A must either
  • Distinguish between D1 and D3 - can use A use
    to distinguish g2
  • or
  • Distinguish between D2 and D3 - can use A use
    to distinguish g1

l1
l2
l3
triangle inequality
10
Composing PRGs
  • When composing
  • a generator secure against advantage e1
  • and a
  • a generator secure against advantage e2
  • we get security against advantage e1e2
  • When composing the single bit expansion generator
    m times
  • Loss in security is at most e/m
  • Hybrid argument to prove that two distributions
    D and D are indistinguishable
  • suggest a collection of distributions D D0, D1,
    Dk D such that
  • If D and D can be distinguished, there is a
    pair Di and Di1 that can be distinguished.
  • Difference e between D and D means e/k between
    some Di and Di1
  • Use such a distinguisher to derive a contradiction

11
From single bit expansion to many bit
expansionbased on one-way permutations
Internal Configuration
Input
Output
x
f(x)
h(x,r)
r
h(f(x),r)
f(2)(x)
f(3)(x)
h(f (2)(x),r)
h(f (m-1)(x),r)
f(m)(x)
  • Can make r and f(m)(x) public
  • But not any other internal state
  • Can make m as large as needed

12
From single bit expansion to many bit expansion
Internal Configuration
Input
Output
g(x)n1
x1 g(x)1-n
x
x2 g(x1)1-n
g(x1)n1
g0,1n ? 0,1n1
x3 g(x2)1-n
g(x2)n1


xm g(xm-1)1-n
g(xm)n1
  • Should not make any internal state xi - public
  • Except xm
  • Can make m as large as needed

13
Exercise
  • Let Dn and Dn be two distributions that
    are
  • Computationally indistinguishable
  • Polynomial time samplable
  • Suppose that y1, ym are all sampled according
    to Dn or all are sampled according to Dn
  • Prove no probabilistic polynomial time machine
    can tell, given y1, ym, whether they were
    sampled from Dn or Dn

14
Existence of PRGs
  • What we have proved
  • Theorem if pseudo-random generators stretching
    by a single bit exist, then pseudo-random
    generators stretching by any polynomial factor
    exist
  • Theorem if one-way permutations exist, then
    pseudo-random generators exist
  • A much harder theorem to prove
  • Theorem HILL if one-way functions exist, then
    pseudo-random generators exist

15
Two important techniques for showing
pseudo-randomness
  • Hybrid argument
  • Next-bit prediction and pseudo-randomness

16
Next-bit Test
  • Definition a function g0,1 ? 0,1 is
    next-bit unpredictable if
  • It is polynomial time computable
  • It stretches the input g(x)gtx
  • denote by l(n) the length of the output on
    inputs of length n
  • If the input (seed) is random, then the output
    passes the next-bit test
  • For any prefix 0 ilt l(n), for any PPT adversary
    A that is a predictor receives the first i bits
    of y g(x) and tries to guess the next bit, for
    any polynomial p(n) and sufficiently large n
  • ProbA(yi,y2,, yi) yi1 1/2 lt 1/p(n)
  • Theorem a function g0,1 ? 0,1 is next-bit
    unpredictable if
  • and only if it is a pseudo-random generator

17
Proof of equivalence
  • If g is a presumed pseudo-random generator and
    there is a predictor for the next bit can use it
    to distinguish
  • Distinguisher
  • If predictor is correct guess pseudo-random
  • If predictor is not-correct guess random
  • On outputs of g distinguisher is correct with
    probability at least 1/2 1/p(n)
  • On uniformly random inputs distinguisher is
    correct with probability exactly 1/2

18
Proof of equivalence
  • If there is distinguisher A for the output of g
    from random
  • form a sequence of distributions and use the
    successes of A to predict the next bit for some
    value
  • y1, y2 ? yl-1 yl
  • y1, y2 ? yl-1 rl
  • ?
  • y1, y2 ? yi ri1 ? rl
  • ?
  • r1, r2 ? rl-1 rl
  • There exists an 0 i l-1 where A can
    distinguish Di from Di1.
  • Can use A to predict yi1 !

Dl
g(x)y1, y2 ? yl r1, r2 ? rl 2R Ul
Dl-1
Di
D0
19
Next-block Undpredictable
  • Suppose that g maps a given a seed S into a
    sequence of blocks
  • let l(n) be the number of blocks given a seed of
    length n
  • Passes the next-block unpredicatability test
  • For any prefix 0 ilt l(n), for any probabilistic
    polynomial time adversary A that receives the
    first i blocks of y g(x) and tries to guess the
    next block yi1, for any polynomial p(n) and
    sufficiently large n
  • ProbA(y1,y2,, yi) yi1 lt 1/p(n)
  • Homework show how to convert a next-block
    unpredictable generator into a pseudo-random
    generator.

y1 y2, ,
20
Pseudo-random Generators and Encryption
Output of a pseudo-random generator
  • A pseudo-random string should be able to replace
    any random string
  • When running an algorithm
  • If the results are measurably different, can use
    as distinguisher
  • Basis of derandomization
  • For encrypting communication as one-time pad
  • Need to define the type of desired protection of
    messages
  • Semantic Security
  • Indistinguishability of encryption

Uniformity
21
The world so far
Signature Schemes
Pseudo-random generators
One-way functions
Two guards Identification
UOWHFs
P ? NP
  • Will soon see
  • Computational Pseudorandomness
  • Shared-key Encryption and Authentication

22
Pseudo-Random Generatorsconcrete version
  • Gn?0,1?m ??0,1?n
  • Instead of passes all polynomial time statistical
    tests
  • (t,?)-pseudo-random - no test A running in time t
    can distinguish with advantage ?

23
Recall Three Basic issues in cryptography
  • Identification
  • Authentication
  • Encryption
  • Solve in a shared key environment

A
B
S
S
24
Identification remote login using pseudo-random
sequence
  • A and B share a key S??0,1?k
  • In order for A to identify itself to B
  • Generate sequence Gn(S)
  • For each identification session send next block
    of Gn(S)

Gn(S)
25
Problems...
  • More than two parties
  • Malicious adversaries - add noise
  • Coordinating the location block number
  • Better approach Challenge-Response

26
Challenge-Response Protocol
  • B selects a random location and sends to A
  • A sends value at random location

A
B
Whats this?
27
Desired Properties
  • Very long string - prevent repetitions
  • Random access to the sequence
  • Unpredictability - cannot guess the value at a
    random location
  • even after seeing values at many parts of the
    string to the adversarys choice.
  • Pseudo-randomness implies unpredictability
  • Not the other way around for blocks

28
Authenticating Messages
  • A wants to send message M??0,1?n to B
  • B should be confident that A is indeed the sender
    of M
  • One-time application
  • S (a,b) where a,b?R ?0,1?n
  • To authenticate M supply aM? b
  • Computation is done in GF2n

29
Problems and Solutions
  • Problems - same as for identification
  • If a very long random string available -
  • can use for one-time authentication
  • Works even if only random looking
  • a,b

A
B
Use this!
30
Encryption of Messages
  • A wants to send message M??0,1?n to B
  • only B should be able to learn M
  • One-time application
  • S a where a?R ?0,1?n
  • To encrypt M send a ? M

31
Encryption of Messages
  • If a very long random looking string available -
  • can use as in one-time encryption

A
B
Use this!
32
Pseudo-random Function
  • A way to provide an extremely long shared string

33
Pseudo-random Functions
  • Concrete Treatment
  • F ?0,1?k ? ?0,1?n ? ?0,1?m
  • key Domain
    Range
  • Denote Y FS (X)
  • A family of functions Fk FS S??0,1?k ? is
    (t, ?, q)-pseudo-random if it is
  • Efficiently computable - random access
  • and...

34
(t,?,q)-pseudo-random
  • The tester A that can choose adaptively
  • X1 and gets Y1 FS (X1)
  • X2 and gets Y2 FS (X2 )
  • Xq and gets Yq FS (Xq)
  • Then A has to decide whether
  • FS ?R Fk or
  • FS ?R R n ? m ? F F ?0,1?n ? ?0,1?m ?

35
(t,?,q)-pseudo-random
  • For a function F chosen at random from
  • (1) Fk FS S??0,1?k ?
  • (2) R n ? m ? F F ?0,1?n ? ?0,1?m ?
  • For all t-time machines A that choose q
    locations and try to distinguish (1) from (2)
  • ? Prob?A? 1 ? F?R Fk ?
  • - Prob?A? 1 ? F?R R n ? m ? ? ? ?

36
Equivalent/Non-Equivalent Definitions
  • Instead of next bit test for X??X1,X2 ,?, Xq?
    chosen by A, decide whether given Y is
  • Y FS (X) or
  • Y?R?0,1?m
  • Adaptive vs. Non-adaptive
  • Unpredictability vs. pseudo-randomness
  • A pseudo-random sequence generator
  • g?0,1?m ??0,1?n
  • a pseudo-random function on small domain ?0,1?log
    n??0,1? with key in ?0,1?m

37
Application to the basic issues in cryptography
  • Solution using a shared key S
  • Identification
  • B to A X ?R ?0,1?n
  • A to B Y FS (X)
  • A verifies
  • Authentication
  • A to B Y FS (M)
  • replay attack
  • Encryption
  • A chooses X?R ?0,1?n
  • A to B ltX , Y FS (X) ? M gt

38
Reading Assignment
  • Naor and Reingold, From Unpredictability to
    Indistinguishability A Simple Construction of
    Pseudo-Random Functions from MACs, Crypto'98.
  • www.wisdom.weizmann.ac.il/naor/PAPERS/mac_abs.htm
    l
  • Gradwohl, Naor, Pinkas and Rothblum,
    Cryptographic and Physical Zero-Knowledge Proof
    Systems for Solutions of Sudoku Puzzles
  • Especially Section 1-3
  • www.wisdom.weizmann.ac.il/naor/PAPERS/sudoku_abs.
    html

39
Sources
  • Goldreichs Foundations of Cryptography, volumes
    1 and 2
  • M. Blum and S. Micali, How to Generate
    Cryptographically Strong Sequences of
    Pseudo-Random Bits , SIAM J. on Computing, 1984.
  • O. Goldreich and L. Levin, A Hard-Core Predicate
    for all One-Way Functions, STOC 1989.
  • Goldreich, Goldwasser and Micali, How to
    construct random functions , Journal of the ACM
    33, 1986, 792 - 807.
Write a Comment
User Comments (0)
About PowerShow.com