Resilient Functions and Their Applications

1. Resilient Functions and Their Applications 2001.6.25 Jung Hee Cheon http://vega.icu.ac.kr/~jhcheon Information and Communications University (ICU)

2. Resilient Functions • A balanced function {0,1}n{0,1}m - every possible output m-tuple is equally likely to occur • A resilient function f : {0,1}n{0,1}m every possible output m-tuple is equally likely to occur when the values of k arbitrary inputs are fixed and the remaining n-k input bits are chosen independently at random. • It is called a k-resilient function or a (n,m,k)-resilient function. • A 0-resilient function is just a balanced function. • A k-resilient function is (k-1)-resilient.

3. History • [Sie84] T. Siegenthaler, “Correlation-Immunity of Nonlinear Combining Functions for Cryptographic Applications,” IEEE Tran. on Information Theory, 1984 • Nonlinear, output=1 • [CGH85] Chor, Goldreich, Hastad, Friedman, Rudich, and Smolensky, “The bit extraction problem or t-resilient functions”, IEEE Symposium on Foundations of Computer Science (FOCS), 1985 • linear, output > 1 • [BBR85] Bennett, Brassard and Robert, “How to reduce your enemy’s information”, Proc. of Crypto’85 (or SIAM J. of Computing, 1988) • linear, output > 1

4. Relation to Error Correcting Codes • An [n,m,d] linear code is an m-dimensional subspace C of GF(2)n such that the Hamming distance between any two vectors in C is at least d. • This code can corrects (d-1)/2 • Error Correcting Games • The user picks two functions fe : {0,1}n{0,1}m and fd : {0,1}n{0,1}m, a m-bit string s and applies fe to s 2. The adversary may alter any t bits of c=fe(s) resulting in a string c’ 3. The user applies the function fd to c’ • Objective of the user is to always retrieve s • The user always wins if and only if fe gives an t-error correcting code

5. Bit Extraction Problem • Three move game [CGH85] 1. The user picks a function f : {0,1}n{0,1}m 2-1. The adversary picks t locations in the input n-bit string and sets the bit values of these locations. 2-2. The user does not know which locations and what values were chosen by the adversary. 2-3. The remaining n-t bits of the string are set by the outcomes of independent unbiased coin tosses. 3. The user applies the function f to the entire string • Objective • User: to cause the output of the function to be uniformly distributed in {0,1}m • Adversary: to prevent this • Question: Which of the parties has a winning strategy

6. Bit Extraction Problem (Cont.) • Easy Case 1: The user always win the game if • m = 1 and t < n • t = 1 and m < n • Easy Case 2: The adversary always win the game if • m > n – t • Problem: What is the maximum m such that there exist a (n,m,t)-resilient function. • Observation: The user has the winning strategy if and only if f is a (n,m,t)-resilient function.

7. Privacy Amplification • Proposed by Bennett, Brassard, Robert (Crypto’85) - Privacy amplification by public discussion (Siam J. Comput. 1988) • Privacy Amplification is a process that allows two parties to distill a shorter highly secret key from a common random string • about which an eavesdropper has partial information and • The two parties know nothing about the eavesdropper’s information except that it satisfies a certain constraint. • Questions: What is the maximum of the maximal length of secure secret key?

8. Privacy Amplification (Cont.) • In this case, we usually use a hash function, but it is not exactly the case. • Use a (n,m,k)-resilient function to distill a secret key. • The common random variable has length n • The secret key has length m • If the information of the eavesdropper is at most k bits, the distilled key is perfectly secret. • Mobile network • Does not have enough memory and computation power • Quantum Transmission and Cryptography

9. Coloring Problem • Color the n-dimensional Boolean cube with c=2s colors in such a way that every k-dimensional subcube is equicolored, i.e. each color occurs the same number of times. • It’s called a (c;n,k) coloring problem • (2s;n,k) coloring exists iff there exists (n,s,n-k)-resilient function exists.

10. Agree on a shared random string • Consider a synchronous communication network consisting of n processors, each having a perfect source of random bits. (I.e. the source’s output is a sequence of independent unbiased coin flips). • The processors wish to share a common randomly selected bit string. • One processor just transmits to all processors the output of his local source. • If some sources are faulty, it may not be unbiased. • Each processor transmit the output by his local source and take XOR • If one of the sources are not faulty, it is unbiased. • Very wasteful !!

11. Agree on shared random string (Cont.) • Supposed that it is guaranteed that at most t of the local sources are faulty. • Each processor randomly chooses and transmits a s-bit string • Apply a resilient function to get a shared random string

12. Renewing a Partially Leaked Key • Two parties share a secret, randomly selected n-bit key • An eavesdropper has succeeded in finding out t of the bits of the key (but the parties do not know which t bits there are) • The parties wish to have a completely new and secret key without any secret communication. • Using a (n,m,k)-resilient function, • each party can distill the secure m-bit key • from unsecure n-bit key • when the eavesdropper’s information is restricted to k bits (anywhere)

13. Oblivious Transfer • Oblivious Transfer • A owns two secret k-bit strings. • She is willing to disclose one of them to B at his choosing • provided he does not learn anything about the other string • B does not want A to learn which secret he chose to learn • It is called One-out-of-two String Oblivious Transfer, (2,1)-OTk • (2,1)-OTk requires 3.5 k instances of (2,1)-OT using self-intersecting codes • (2,1)-OTk requires 2k instances of (2,1)-OT using resilient functions

14. Oblivious Transfer (Cont.) • Implement (2,1)-OT(w0,w1)(c) • A offers B to read one of two random strings x0 or x1 by a simple sequence of (2,1)-OT(x0i,x1i)(ci) • A informs B a resilient function to transform x0 into w0 and x1 into w1. • An honest B who accessed all the bits xc can reconstruct wc • An dishonest B who tried to access some of the bits of x0 and x1 will not have enough information on the corresponding wi or even joint information on both w0 and w1.

15. Easy Construction – Linear Resilient • An [n,m,d] linear code is an m-dimensional subspace C of GF(2)n such that the Hamming distance between any two vectors in C is at least d. • Generating matrix G: an m×n matrix whose rows form a basis for C. • Lemma A mn matrix M of rank m is the generating matrix of an [n,k,d] code if and only if d is the smallest number of columns that can be deleted from M to give a matrix of rank less than m • If we delete d columns, there exists a combination of rows with all zeros. • If deleting t columns gives a matrix of rank less than m, then t  d

16. Easy Construction – Linear Resilient (Cont.) • [CGH85] Let M be a generating matrix for an [n,m,d] linear code. Then f(x)=xGT is an (n,m,d-1)-resilient function. • Suppose an opponent fixes t components of x (t < d) • x’: (n-t)-tuple formed by deleting these t components • M’: (n-t)-by-m matrix formed by deleting these t components • f(x)=x’M’T+b for some fixed b • The image of f is uniformly random since M’ has rank m • [CGH85] The existence of an [n,k,d] linear code is equivalent to the existence of a linear (n,k,d-1)-resilient function. • Conjecture 1: If there is a (n,m,k)-resilient function, does there exist a linear (n,m,k)-resilient function?

17. DISCUSSION Questions????