Foundations of Cryptography Lecture 2: One-way functions are essential for identification....
-
Upload
benny-daffron -
Category
Documents
-
view
217 -
download
2
Transcript of Foundations of Cryptography Lecture 2: One-way functions are essential for identification....
Foundations of Cryptography
Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function
Lecturer: Moni Naor
Weizmann Institute of Science
Recap
• Key Idea of Cryptography: use the intractability of some problems to create secure system.
• The Identification Problem• Shannon and Min Entropies• One-way functions• Solution to the identification problem with multiple
verifiers• Cryptographic Reductions: using one adversary to
create another
Rigorous Specification of Security
To define security of a system must specify:1. What constitute a failure of the system 2. The power of the adversary
– computational – access to the system– what it means to break the system.
Why is this more relevant in cryptography than other realms?
Function and inversions
• We say that a function f is hard to invert if given y=f(x) it is hard to find x’ such that y=f(x’) – x’ need not be equal to x– We will use f-1(y) to denote the set of preimages of y
• To discuss hard must specify a computational model
• Use two flavors:– Concrete– Asymptotic
Computational Models• Asymptotic: Turing Machines with random tape
– For classical models: precise model does not matter up to polynomial factor
Random tape
0 0 01 1 1 1
Input tape
Both algorithm for evaluating f and the adversary are modeled by PTM
One-way functions - asymptoticA function f: {0,1}* → {0,1}* is called a one-way function, if• f is a polynomial-time computable function
– Also polynomial relationship between input and output length• for every probabilistic polynomial-time algorithm A, every positive
polynomial p(.), and all sufficiently large n’s
Prob[ A(f(x)) f-1(f(x)) ] ≤ 1/p(n) Where x is chosen uniformly in {0,1}n and the probability is also over
the internal coin flips of A
Computational Models• Concrete : Boolean circuits (example)
– precise model makes a difference– Time = circuit size
Output
Input
One-way functions – concrete version
A function f:{0,1}n → {0,1}n is called a (t,ε) one-way function, if
• f is a polynomial-time computable function (independent of t)• for every t-time algorithm A,
Prob[A(f(x)) f-1(f(x)) ] ≤ εWhere x is chosen uniformly in {0,1}n and the probability is also
over the internal coin flips of A
Can either think of t and ε as being fixed or as t(n), ε(n)
Boolean circuit
The two guards problem• If Alice wants to approve and Eve does not
interfere – Bob moves to state YY• If Alice does not approve, then for any behavior
from Eve and Charlie, Bob stays in N N • Similarly if Bob and Charlie are switched
Alice
Bob
Eve
Charlie
Are one-way functions essential to the two guards password problem?
• Precise definition: – for every probabilistic polynomial-time algorithm A controlling Eve
and Charlie– every polynomial p(.),– and all sufficiently large n’s
Prob[Bob moves to YY | Alice does not approve] ≤ 1/p(n)• Recall observation: what Bob and Charlie received in the
setup phase might as well be public• Claim: can get rid of interaction:
– given an interactive identification protocol possible to construct a noninteractive one. In the new protocol:
• Alice` sends Bob` the random bits Alice used to generate the setup information• Bob` simulates the conversation between Alice and Bob in original protocol and
accepts only if simulated Bob accepts.• Probability of cheating is the same
One-way functions are essential to the two guards password problem
• Are we done? Given a noninteracive identification protocol want to define a one-way function
• Define f(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie
• Problem: the function f(r) is not necessarily one-way…– Can be unlikely ways to generate it. Can be exploited to invert.– Example: Alice chooses x, x’ {0,1}n if x’= 0n set y=x o.w.
set y=f(x) – The protocol is still secure, but with probability 1/2n not complete– The resulting function f(x,x’) is easy to invert:
• given y {0,1}n set inverse as (y, 0n )
One-way functions are essential to the two guards password problem…
• However: possible to estimate the probability that Bob accepts on a given string from Alice– Should be close to 1 for most r
• Second attempt: define function f(r) as – the mapping that Alice does in the setup phase between her random
bits r and the information given to Bob and Charlie,– plus a bit indicating whether probability of Bob accepts given r is
greater than 2/3
Theorem: the two guards password problem has a solution if
and only if one-way functions exist
Arbitrary…
Examples of One-way functions
Examples of hard problems:
• Subset sum• Discrete log• Factoring (numbers, polynomials) into prime
components
How do we get a one-way function out of them?
Easy problem
Subset Sum• Subset sum problem: given
– n numbers 0 ≤ a1, a2 ,…, an ≤ 2m
– Target sum T – Find subset S⊆ {1,...,n} ∑ i S ai,=T
• (n,m)-subset sum assumption: for uniformly chosen – a1, a2 ,…, an R{0,…2m -1} and S⊆ {1,...,n}– For any probabilistic polynomial time algorithm, the probability of finding
S’⊆{1,...,n} such that ∑ i S ai= ∑ i S’ ai
is negligible, where the probability is over the random choice of the ai‘s, S and the inner coin flips of the algorithm
– Not true for very small or very large m. most difficult case m=n
• Subset sum one-way function f:{0,1}mn+n → {0,1}mn+m f(a1, a2 ,…, an , b1, b2 ,…, bn ) =
(a1, a2 ,…, an , ∑ i=1n
bi ai mod 2m )
Exercise
• Show a function f such that– if f is polynomial time invertible on all inputs, then
P=NP– f is not one-way
Discrete Log Problem
• Let G be a group and g an element in G.• Let y=gz and x the minimal non negative integer satisfying the equation.
x is called the discrete log of y to base g.• Example: y=gx mod p in the multiplicative group of Zp
• In general: easy to exponentiate via repeated squaring – Consider binary representation
• What about discrete log?– If difficult, f(g,x) = (g, gx ) is a one-way function
Why is it polynomial time computable?
Integer Factoring• Consider f(x,y) = x • y• Easy to compute• Is it one-way?
– No: if f(x,y) is even, can set inverse as (f(x,y)/2,2) • If factoring a number into prime factors is hard:
– Specifically given N= P • Q , the product of two random large (n-bit) primes, it is hard to factor
– Then somewhat hard – there are a non-negligible fraction of such numbers ~ 1/n2 from the density of primes
– Hence a weak one-way function• Alternatively:
– let g(r) be a function mapping random bits into random primes. – The function f(r1,r2) = g(r1) • g(r2) is one-way
Weak One-way function
A function f: {0,1}n → {0,1}n is called a weak one-way function, if
• f is a polynomial-time computable function • There exists a polynomial p(¢), for every probabilistic
polynomial-time algorithm A, and all sufficiently large n’s
Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) Where x is chosen uniformly in {0,1}n and the probability
is also over the internal coin flips of A
Exercise: weak exist if strong exists
Show that if strong one-way functions exist, then there exists a a function which is a weak one-way function but not a strong one
What about the other direction?• Given
– a function f that is guaranteed to be a weak one-way• Let p(n) be such that Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n)
– can we construct a function g that is (strong) one-way?An instance of a hardness amplification problem• Simple idea: repetition. For some polynomial q(n) define
g(x1, x2 ,…, xq(n) )=f(x1), f(x2), …, f(xq(n))
• To invert g need to succeed in inverting f in all q(n) places– If q(n) = p2(n) seems unlikely (1-1/p(n))p2(n) ≈ e-p(n) – But how to we show? Sequential repetition intuition – not a proof.
Want: Inverting g with low probability implies inverting f with high probability
• Given a machine B that inverts g want a machine B’ – operating in similar time bounds– inverts f with high probability
• Idea: given y=f(x) plug it in some place in g and generate the rest of the locations at random
z=(y, f(x2), …, f(xq(n)))• Ask machine B to invert g at point z• Probability of success should be at least (exactly) B’s Probability of
inverting g at a random point • Once is not enough• How to amplify?
– Repeat while keeping y fixed– Put y at random position (or sort the inputs to g )
Proof of Amplification for Repetition of TwoConcentrate on a two-repetition: g(x1, x2 )=f(x1), f(x2)• Goal: show that the probability of inverting g is roughly squared the
probability of inverting f just as would be sequentially
• Claim: Let (n) be a function that for some p(n) satisfies
1/p(n) ≤ (n) ≤ 1-1/p(n) Let ε(n) be any inverse polynomial function suppose that for every polynomial time A and sufficiently large n
Prob[A[f(x)] f-1(f(x)) ] ≤ (n)
Then for every polynomial time B and sufficiently large n
Prob[B[g(x1, x2 )] g-1(g(x1, x2 )) ] ≤ 2(n) + ε(n)
Proof of Amplification for Two Repetition
Given a better than 2+ε algorithm B for inverting g construct the following:
• B’(y): Inversion algorithm for f– Repeat t times
• Choose x’ at random and compute y’=f(x’)• Run B(y,y’).• Check the results• If correct: Halt with success
– Output failure
Inner loop
Helpful for constructive algorithm
Probability of Success
• Define S={y=f(x) | Prob[Inner loop successful| y ] >
β}• Since the choices of the x’ are independent
Prob[B’ succeeds| yS] > 1-(1- β)t
Taking t= n/β means that when yS almost surely B’ will invert it
• Hence want to show that Prob[ yS] > (n)– Probability is over the choice of x
The success of B• Fix the random bits of B. Define P={(y1, y2)| B succeeds on (y1,y2)}
y1
y2
P
P= P ⋂ {(y1,y2 )| y1,y2 S}
⋃ P ⋂ {(y1,y2 )| y1 S}
⋃ P ⋂ {(y1,y2 )| y2 S} Well behaved part
Want to bound P by a square
S is the only success...But
Prob[B[y1, y2] g-1(y1, y2) | y1 S] ≤ β and similarly
Prob[B[y1, y2] g-1(y1, y2) | y2 S] ≤ βso Prob[(y1, y2) P and y1,y2 S]
≥ Prob[(y1, y2) P ] - 2β
≥ 2+ ε - 2β Setting β =ε/3 we have
Prob[(y1, y2) P and y1,y2 S] ≥ 2 + ε/3
ContradictionBut Prob[(y1, y2) P and y1,y2 S]
≤ Prob[y1 S] Prob[y2 S]
= Prob2[y S]
SoProb[y S] ≥ √(α2+ ε/3) > α
Is there an ultimate one-way function?aka `universal’
Short of showing that P≠NP implies the existence of one-way functions, can we show a specific function f so that if some one-way exists,
then f is one-way • If f1:{0,1}* → {0,1}* and f2:{0,1}* → {0,1}*
are guaranteed to:– Be polynomial time computable– At least one of them is one-way.
then can construct a function g:{0,1}* → {0,1}* which is one-way:
g(x1, x2 ) = (f1(x1),f2 (x2 ))
Robust Combiner Can generalizes to a 1-out-m combiner
The Construction• If a 5n2 time one-way function is guaranteed to exist, can
construct an O(n2 log n) one-way function g:– Idea: enumerate Turing Machine and make sure they run 5n2
steps
g(x1, x2 ,…, xlog (n) )=M1(x1), M2(x2), …, Mlog n(xlog
(n))– Eventually get to the TM of the one-way function
• If a one-way function is guaranteed to exist, then there exists a 5n2 time one-way:– Idea: concentrate on the prefix, ignore the rest
n’ where n=p(n’)
Ultimate one-way function conclusionsOriginal proof due to L. Levin
• Be careful what you wish for• Problem with resulting one-way function:
– Cannot learn about behavior on large inputs from small inputs– Whole rational of considering asymptotic results is eroded!
• Construction does not work for non-uniform one-way functions
• Notion of robust combiner seems fundamental– See “Robust Combiners for Oblivious Transfer and Other
Primitives” by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005
Distributionally One-Way Functions• A function f:{0,1}* {0,1}* is one-way if:
– it is computable in poly-time– the probability of successfully finding an inverse in poly-time is
negligible (on a random input)
• A function f :{0,1}* {0,1}* is distributionally one-way if:– it is computable in poly-time– No poly-time algorithm can successfully find a random inverse (on a
random input)• Distribution on inverting algorithm far from uniform on the pre-images
Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exists
Example: function from two guard problem