
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation



  1. MIT 6.875 & Berkeley CS276 Foundations of Cryptography, Lecture 3

  2. Roadmap of the Course: Worlds in Crypto (diagram). Cryptomania (Lectures 7-10): public-key encryption. Minicrypt (Lectures 2-6, 11-12): zero-knowledge proofs, PRP, digital signatures, bit commitment, secret-key encryption, PRF, PRG, hashing, with OWF at the base.

  3. Today: 1. Define one-way functions (OWF). 2. Define hardcore bits (HCB). 3. Show that one-way functions* + HCB ⇒ PRG. 4. Goldreich-Levin Theorem: every OWF has a HCB.

  4. One-way Functions (Informally): $F$ maps the domain to the range; easy to compute, hard to invert.

  5. One-way Functions (Take 1). A function (family) $\{F_n\}_{n \in \mathbb{N}}$ where $F_n: \{0,1\}^n \to \{0,1\}^{m(n)}$ is one-way if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F_n(x) : A(1^n, y) = x] \le \mu(n)$. Consider $F_n(x) = 0$ for all $x$. This is one-way according to the above definition. In fact, it is impossible to find the inverse even if $A$ has unbounded time. Conclusion: not a useful/meaningful definition.

  6. One-way Functions (Take 1). A function (family) $\{F_n\}_{n \in \mathbb{N}}$ where $F_n: \{0,1\}^n \to \{0,1\}^{m(n)}$ is one-way if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F_n(x) : A(1^n, y) = x] \le \mu(n)$. The Right Definition: impossible to find an inverse in p.p.t.

  7. One-way Functions: The Definition. A function (family) $\{F_n\}_{n \in \mathbb{N}}$ where $F_n: \{0,1\}^n \to \{0,1\}^{m(n)}$ is one-way if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F_n(x);\ x' = A(1^n, y) : y = F_n(x')] \le \mu(n)$. • Can always find an inverse with unbounded time • ... but it should be hard with probabilistic polynomial time. One-way Permutations: one-to-one one-way functions with $m(n) = n$.

  8. One-way Functions: Candidates. Subset sum: $F(a_1, \dots, a_n, x_1, \dots, x_n) = (a_1, \dots, a_n, \sum_{i=1}^{n} x_i a_i \bmod 2^{n+1})$, where the $a_i$ are random $n$-bit numbers and the $x_i$ are random bits. One-way function candidates are abundant in nature. We will see many other candidates from number theory, coding theory, and combinatorics later in class.

  9. Today: 1. Define one-way functions (OWF). 2. Define hardcore bits (HCB). 3. Show that one-way permutations (OWP) ⇒ PRG. 4. Goldreich-Levin Theorem: every OWF has a HCB.

  10. Hardcore Bits. If $F$ is a one-way function, we know it's hard to compute a pre-image of $F(x)$ for a randomly chosen $x$. How about computing partial information about an inverse? Exercise: There are one-way functions for which it is easy to compute the first half of the bits of the inverse.

  11. Hardcore Bits. If $F$ is a one-way function, we know it's hard to compute a pre-image of $F(x)$ for a randomly chosen $x$. HARDCORE BIT (Take 1): Nevertheless, there has to be a hardcore set of hard-to-invert inputs. Concretely: does there necessarily exist some bit of $x$ that is hard to compute? Refined: does there exist some bit of $x$ that is hard to guess with probability non-negligibly better than 1/2? • Any bit can be guessed correctly w.p. 1/2. • So, "hard to compute" → "hard to guess with probability non-negligibly better than 1/2".

  12. Hardcore Bits. If $F$ is a one-way function, we know it's hard to compute a pre-image of $F(x)$ for a randomly chosen $x$. HARDCORE BIT (Take 1): For any function (family) $F: \{0,1\}^n \to \{0,1\}^m$, a bit $i = i(n)$ is hardcore if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = x_i] \le \tfrac{1}{2} + \mu(n)$.

  13. Does every one-way function have a hardcore bit? (Hard) Exercise: There are functions that are one-way, yet every bit is somewhat easy to predict (say, with probability $\tfrac{1}{2} + 1/n$). So, we will generalize the notion of a hardcore "bit".

  14. Hardcore Bits. HARDCORE PREDICATE (Definition): For any function (family) $F: \{0,1\}^n \to \{0,1\}^m$, a function $B: \{0,1\}^n \to \{0,1\}$ is a hardcore predicate if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = B(x)] \le \tfrac{1}{2} + \mu(n)$. For us, henceforth, a hardcore bit will mean a hardcore predicate.

  15. Hardcore Predicate (in pictures). Diagram: $x \to F(x)$ is easy to compute; $F(x) \to x$ is hard to compute; $x \to B(x)$ is easy to compute.

  16. Discussion on the Definition. HARDCORE PREDICATE (Definition): For any function (family) $F: \{0,1\}^n \to \{0,1\}^m$, a bit $B: \{0,1\}^n \to \{0,1\}$ is a hardcore predicate (HCP) if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t. $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = B(x)] \le \tfrac{1}{2} + \mu(n)$. 1. The definition of HCP makes sense for any function family, not just one-way functions. 2. Some functions can have information-theoretically hard-to-guess predicates (e.g., compressing functions). 3. We'll be interested in settings where $x$ is uniquely determined given $F(x)$, yet $B(x)$ is hard to predict given $F(x)$.

  17. Today: 1. Define one-way functions (OWF). 2. Define hardcore bits (HCB). 3. Show that one-way permutations (OWP) ⇒ PRG. 4. Goldreich-Levin Theorem: every OWF has a HCB.

  18. OWP ⇒ PRG. CONSTRUCTION: Let $F$ be a one-way permutation, and $B$ an associated hardcore predicate for $F$. Then define $G(x) = F(x)\,|\,B(x)$. Theorem: $G$ is a PRG assuming $F$ is a one-way permutation. (Note that $G$ stretches by one bit. Shafi will tell you how to extend the stretch of $G$ to any polynomial number of bits.)

  19. OWP ⇒ PRG. CONSTRUCTION: Let $F$ be a one-way permutation, and $B$ an associated hardcore predicate for $F$. Then define $G(x) = F(x)\,|\,B(x)$. Theorem: $G$ is a PRG assuming $F$ is a one-way permutation. Proof (next slide): From Distinguishing to Predicting.

  20. OWP ⇒ PRG. Theorem: $G$ is a PRG assuming $F$ is a one-way permutation. Proof: Assume for contradiction that $G$ is not a PRG. Therefore, there is a p.p.t. distinguisher $D$ and a polynomial $p$ such that $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. Think: $D$ outputs "1" = $D$ thinks its input is pseudorandom.

  21. OWP ⇒ PRG. Theorem: $G$ is a PRG assuming $F$ is a one-way permutation and $B$ is its hardcore predicate. Proof: Assume for contradiction that $G$ is not a PRG. Therefore, there is a p.p.t. distinguisher $D$ and a polynomial $p$ such that $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. We will construct a hardcore predictor $A$ and show: $\Pr[x \leftarrow \{0,1\}^n : A(F(x)) = B(x)] \ge \tfrac{1}{2} + 1/p'(n)$.


  23. OWP ⇒ PRG. Let's look closely at $D$: $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. By definition: $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$.

  24. OWP ⇒ PRG. Let's look closely at $D$: $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. A syntactic change: $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[y_0 \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = y_0|y_1 : D(y) = 1] \ge 1/p(n)$.

  25. OWP ⇒ PRG. Let's look closely at $D$: $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. Rewriting the second term (since $F$ is a permutation, $F(x)$ for uniform $x$ is uniform): $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[x \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = F(x)|y_1 : D(y) = 1] \ge 1/p(n)$, where the second term equals $\tfrac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|0 : D(y) = 1] + \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|1 : D(y) = 1]\big)$.

  26. OWP ⇒ PRG. Let's look closely at $D$: $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. Rewriting the second term (again): $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[x \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = F(x)|y_1 : D(y) = 1] \ge 1/p(n)$, where the second term equals $\tfrac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|B(x) : D(y) = 1] + \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|\overline{B(x)} : D(y) = 1]\big)$.

  27. OWP ⇒ PRG. Let's look closely at $D$: $\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$. Putting things together: $\tfrac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|\overline{B(x)} : D(y) = 1]\big) \ge 1/p(n)$. In English: $D$ says "1" more often when fed with the "right bit" than with the "wrong bit".
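The reduction that slides 21-27 set up, carried one step further as an added example (not the lecture's own code or notation): a toy permutation and predicate stand in for $F$ and $B$, a constructed distinguisher with a partial gap plays the role of $D$, and the predictor $A$ is the standard one the deck stops short of stating: on input $y$, flip a coin $b$, run $D(y|b)$, output $b$ if $D$ accepts and $1-b$ otherwise. All probabilities are computed exactly by enumeration, which shows that $A$'s advantage is exactly half the right-bit/wrong-bit gap that slide 27 bounds below by $1/p(n)$; the toy $F$ is of course not one-way, it only exercises the bookkeeping.

```python
from fractions import Fraction
from itertools import product

N = 8  # toy input length; all 2^N inputs are enumerated exactly


def F(x: int) -> int:
    """Toy permutation on 8-bit strings (constructed, NOT one-way): x -> 37x + 11 mod 256."""
    return (37 * x + 11) % 256


def B(x: int) -> int:
    """Toy predicate standing in for the hardcore bit: the least significant bit of x."""
    return x & 1


def D(y: int, b: int) -> int:
    """Constructed distinguisher for G(x) = F(x)|b with a deliberately partial gap:
    on half of the range it recognises the right last bit, elsewhere it always says 1."""
    if y < 128:
        # 37x + 11 flips the parity of x, so 1 - (y & 1) equals B(x) for y = F(x)
        return int(b == 1 - (y & 1))
    return 1


def predictor(y: int, b: int) -> int:
    """Hardcore-bit predictor A built from D (standard reduction, hypothetical here).
    b is A's own random coin: output b if D accepts y|b, otherwise the flipped bit."""
    return b if D(y, b) == 1 else 1 - b


def distinguishing_gap():
    """(p_right, p_wrong) = (Pr[D(F(x)|B(x)) = 1], Pr[D(F(x)|~B(x)) = 1]) over uniform x."""
    right = Fraction(sum(D(F(x), B(x)) for x in range(2**N)), 2**N)
    wrong = Fraction(sum(D(F(x), 1 - B(x)) for x in range(2**N)), 2**N)
    return right, wrong


def predictor_success():
    """Pr[A(F(x)) = B(x)] over uniform x and A's coin b, computed exactly."""
    hits = sum(predictor(F(x), b) == B(x) for x, b in product(range(2**N), (0, 1)))
    return Fraction(hits, 2 * 2**N)


if __name__ == "__main__":
    p_right, p_wrong = distinguishing_gap()
    print(f"p_right={p_right} p_wrong={p_wrong} gap/2={(p_right - p_wrong) / 2}")
    print(f"predictor success={predictor_success()}")  # 1/2 + gap/2
```

For this constructed $D$ the gap is $1 - \tfrac{1}{2}$, so the predictor succeeds with probability exactly $\tfrac{3}{4} = \tfrac{1}{2} + \tfrac{1}{4}$, matching the bound the last slide derives.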
