One-Way Functions and Basic Assumptions - people.cs.nctu...

One-Way Functions andBasic Assumptions

Wen-Guey Tzeng

Department of Computer Science

National Chiao Tung University

One-way functions & basic assumptions – p. 1/26

NotationSpecified range of randomness:B is a Boolean predicate

prob(B(x) = 1 : x← X) = prob({x ∈ X|B(x) = 1})

= pX({x ∈ X|B(x) = 1})

LetA be a probabilistic algorithm andB a Boolean predicate,

prob(B(x,A(x)) = 1 : xpX← X)

=∑

x∈X

prob(x) · prob(B(x,A(x)) = 1)

=∑

x∈X

prob(x) · prob({r ∈ Ztx2 |B(x,AD(x, r)) = 1})

Shorthand:x← X ≡ xpX← X.


If A computesf : X → Y andBf (x, y) = 1 iff f(x) = y,

prob(A(x) = f(x) : x← X)

= prob(Bf(x,A(x)) = 1 : x← X)

Multiple variables:

prob(A(x1, x2) = f(x1, x2) : x1 ← X1, x2 ← X2,x1)

=∑

x1,x2

prob(x1, x2) · prob(A(x1, x2) = f(x1, x2))

=∑

x1,x2

prob(x1)prob(x2|x1) · prob(A(x1, x2) = f(x1, x2))


Function familyParameterized key/index set

• Let k be the security parameter.

• Ik = {i : |i| = k}: a key set of sizek

• I = ∪k∈N{Ik}: a parameterized key set

EXP: the set of discrete exponentiation functions:

• Ik = {(p, g) : p is prime, |p| = k, g is a geneator ofZ∗

p}.

• Expp,g(x) = gx mod p.

• EXP = {Expp,g : (p, g) ∈ I}.


LOG: the set of discrete logarithm functions:

• Ik = {(p, g) : p is prime, |p| = k, g is a geneator ofZ∗

p}.

• Logp,g(y) = logg y mod p.

• LOG = {Logp,g : (p, g) ∈ I}.


Computing functionsDefinition 1 A function familyF = {fi : Xi → Yi} indexed by

I = ∪k∈N{Ik} is polynomial-time computableif there is an

R(k)-bounded algorithmA such that

for all i ∈ Ik, x ∈ Xi, A(i, x) = fi(x),

that is,timeA(i, x) ≤ R(k), whereR(k) is a polynomial.

• EXP is polynomial-time computable.

• We don’t know whetherLOG is polynomial-time

computable.


Hardness assumptions

Discrete logarithm assumption

Let Ik = {(p, g) | |p| = k} andQ(k) be a positive polynomial.

LetA(p, g, y) be probabilistic polynomial algorithm. Then, there

existsk0 ∈ N , for all k ≥ k0, such that

prob(A(p, g, y) = Logp,g(y) : (p, g)u← Ik, y

u← Z∗

p)

≤ 1/Q(k).


Negligible functionsDefinition 2 A functionǫ(k) is negligibleif for every positive

polynomialQ(k), there isk0, such that for eachk ≥ k0,

ǫ(k) ≤ 1/Q(k).

Examples

• 1/2k, 1/klog k are negligible functions.

• 1/k2, 1/k log k are non-negligible functions.


Alternative definition for the discrete logarithm assumption

prob(A(p, g, y) = Logp,g(y) : (p, g)u← Ik, y

u← Z∗

p) = ǫ(k)

is negligible.

Various spectrums forǫ(k)

• For each(p, g), prob(A(p, g, y) = Logp,g(y)) is small.

• There are some(p, g), prob(A(p, g, y) = Logp,g(y)) is

large.

• · · ·


The following two statements are equivalent:

1. For every positive polynomialP , there isk0 > 0 such that

for all k ≥ k0,

prob(A(i, x) = fi(x) : i← Ik, x← Xi) ≤ 1/P (k);

2. For all positive polynomialsQ andR, there isk0 > 0, such

that for allk ≥ k0

prob({i ∈ Ik| prob(A(i, x) = fi(x) : x← Xi) > 1/Q(k)})

≤ 1/R(k).

(No significant portion of functions are solvable with

non-negligible probability)


Proof. Let pi = prob(A(i, x) = fi(x) : x← Xi).

(1)⇒ (2):

(2)⇒ (1):

2


If some PPAA solves LOG, fork ≥ k0,

prob(A(p, g, x) = Logp,g(y) : (p, g)← Ik, y ← Z∗

p) ≥ 1/P (k)

then, fork ≥ k0,

prob({(p, g) ∈ Ik| prob(A(p, g, y) = Logp,g(y) : y ← Z∗

p) > 1/2P (k)})

≥ 1/2P (k).


Random self-reductionDefinition 3 A function family israndom self-reducibleif there

is a PPAB such that

for everyi ∈ Ik, x ∈ Xi, pB(i,x) = pXi

and given an answery′ to x′ = B(i, x), we can find an answery

to x.

Thus, ifprob(A(x) = fi(x) : x← Xi) > 1/Q(k),

then there isA, prob(A(x) = fi(x)) > 1/Q(k) for eachx ∈ Xi.


Example 4 LOG is self-reducible via the self-reduction function

B(p, g, y) = ygr mod p, ru← Zp−1

Given an answerx′ = log ygr, (x′ − r) mod p− 1 = logg y = x

is the answer toy.

For (p, g) ∈ I, if there is a PPAA such that

prob(A(p, g, y) = Logp,g(y) : yu← Z∗

p) > 1/Q(k),

there is PPAA, for eachy ∈ Z∗

p ,

prob(A(p, g, y) = Logp,g(y)) > 1− 2−P (k).


Hard problemsThe property ofself reductionincreases the creditability of some

hardness assumptions.

The following self-reducible function families are assumed to be

hard.

• INVRSA = {InvRsan,e : (n, e) ∈ I}, wheren = pq,

|p| = |q| = k, gcd(e, ϕ(n) = 1, andd = e−1 mod ϕ(n),

InvRsan,e(y) = yd for y ∈ Z∗

n.

• SQRT= {Sqrtn : n ∈ I}, wheren = pq, |p| = |q| = k,

Sqrtn(y) = y1/2 for y ∈ QRn.

• PQR= {Pqrn : n ∈ I}, wherePqrn(x) = L(n, x) for

x ∈ J+1n , n = pq.


One-way functions• A family f = (fi : Di → Ri)i∈I of functions.

• f−1i (y) = {x ∈ Xi | fi(x) = y}

• K: key sampling algorithm,K(1k) = i ∈ Ik.

• K is usually the uniform sampling algorithm.


Definition 5 f is aone-way functionwith key generator Kiff

1. f can be computed by a Monte Carlo algorithmF (i, x).

2. f is not invertible by any efficient algorithm, that is,

for any PPAA and every positive polynomialQ(k), there is

k0 > 0 such that for anyk ≥ k0,

prob(A(i, fi(x)) ∈ f−1i (fi(x)) : i← K(1k), x

u← Di)

≤ 1/Q(k)

One-way permutation: eachfi is a permutation.


Trapdoor one-way functionEach functionfi has atrapdoorti such thatf−1 = (f−1

i : i ∈ I)

can be computed by a Monte Carlo algorithmF−1(i, ti, y),

wherey = fi(x), x ∈ Di.

• RSA, QR, SQRT are all trapdoor one-way functions.

• EXP has no known trapdoors.


Hard-core predicate"f(x) is not invertible"does not imply"the wholex is

unknown".

Example 6 fp,g(x) = gx mod p = y is one-way. But, given

(p, g, y), the last bit ofx is L(p, y), which can be computed by

the Euler’s criteria.

Example 7 Letf be one-way. Then,

g(x) = g(x1‖x2) = f(x1)‖x2

is also one-way, where|x1| = |x2|.

But, giveny = g(x), we know a half ofx at least.


Definition 8 Letf = (fi : Di → Ri)i∈I be one-way with key

generatorK. LetB = (Bi : Di → {0, 1})i∈I be a family of

Boolean predicates.B is called ahard-core predicate of f if

1. B can be computed by a Monte Carlo algorithmA1(i, x).

2. B(x) is not computable fromf(x) by any PPA.

For every PPAA2, polynomialQ, there isk0 such that for

all k ≥ k0,

prob(A2(i, fi(x)) = Bi(x) : i← K(1k), xu← Di)

≤1

2+

1

Q(k).


Example 9 f = RSA, Bi(x) = last-bit(x). Giveni = (n, e)

andy, it is hard to computelast-bit(x), wherey = xe mod n.


Universal hard-core predicate• Inner product: Bi(x, y) =

⊕lj=1(xjyj), |x| = |y| = l;

• Function extension:fi(x) is extended to

fi(x, y) = fi(x)‖y, where|x| = |y|.

Theorem 10 If f is one-way. Then,B is a hard-core predicate

for f .

Givenfi(x) andy, it is required to compute the XOR of the bits

of x indicated byy.


The following two statements are equivalent:

1. For every PPA A and polynomialP , there isk0, such that

for all k ≥ k0:

prob(A(i, fi(x)) = Bi(x) : i← Ik, x← Xi) ≤1

2+

1

P (k)

2. For every PPA A and polynomialsQ andR, there isk0 such

that for allk ≥ k0,

prob({i ∈ Ik | prob(A(i, fi(x)) = Bi(x) : x← Xi) >1

2+

1

Q(k)})

≤1

R(k).


Proof. (2)⇒ (1): easy.

(1)⇒ (2):

Let pi = prob(A(i, fi(x)) = B(i, x) : x← Xi).

We partitionIk = G ∪ N1 ∪ N2 ∪ B, where

G = {i ∈ Ik | pi > 1/2 + 1/Q(k)}

N1 = {i ∈ Ik | 1/2 + 1/2R(k)Q(k) < pi ≤ 1/2 + 1/Q(k)}

N2 = {i ∈ Ik | 1/2−1/2R(k)Q(k) < pi ≤ 1/2+1/2R(k)Q(k)}

B = {i ∈ Ik | pi ≤ 1/2− 1/2R(k)Q(k)}

Assume that(2) is not true, that is,prob(G) > 1/R(k).


For every polynomialL, there exists PPAE,

∀i ∈ Ik, prob(|E(i)− pi| < 1/2R(k)Q(k)) > 1− 1/L(k) = δ.

We can constructA(i, ·) as follows:

Input: fi(x); (x← Xi)

1. RunE(i) to computepi for estimatingpi.

2. If pi ≥ 1/2, outputA(i, fi(x));

if pi < 1/2, output1−A(i, fi(x)).


prob(A(i, fi(x)) = B(i, x) : i← Ik, x← Xi)

= prob(A(i, fi(x)) = B(i, x) : x← Xi|i ∈ G) · prob(G)

+ prob(A(i, fi(x)) = B(i, x) : x← Xi|i ∈ N1) · prob(N1)

+ prob(A(i, fi(x)) = B(i, x) : x← Xi|i ∈ N2) · prob(N2)

+ prob(A(i, fi(x)) = B(i, x) : x← Xi)|i ∈ B) · prob(B)

≥ δ(1/2 + 1/Q(k)) · prob(G) + δ(1/2 + 1/2R(k)Q(k)) · prob(N1)

+ (1/2− 1/2R(k)Q(k)) · prob(N2) + δ(1/2 + 1/2R(k)Q(k)) · prob(B)

≥ δ((1/2 + 1/Q(k))(1/R(k)) + (1/2− 1/2R(k)Q(k))(1− 1/R(k))

≥ δ(1/2 + 1/2Q(k)R(k))

≥ 1/2 + 1/3Q(k)R(k)

where we setL(k) = 4Q(k)R(k) andP (k) = 3Q(k)R(k). �


One-Way Functions and Basic Assumptions - people.cs.nctu...

Documents

Transcript of One-Way Functions and Basic Assumptions - people.cs.nctu...