1 / 34

Lecturer: Moni Naor Weizmann Institute of Science

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification : from weak to strong one-way functions. Lecturer: Moni Naor Weizmann Institute of Science. Recap.

Télécharger la présentation

Lecturer: Moni Naor Weizmann Institute of Science

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Foundations of CryptographyLecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way functions Lecturer:Moni Naor Weizmann Institute of Science

  2. Recap • Key Idea of Cryptography: use the intractability of some problems to create secure system. • The Identification Problem • Shannon and Min Entropies • One-way functions • Solution to the identification problem with multiple verifiers • Cryptographic Reductions: using one adversary to create another

  3. Rigorous Specification of Security To define security of a system must specify: • What constitute a failure of the system • The power of the adversary • computational • access to the system • what it means to break the system. Why is this more relevant in cryptography than other realms?

  4. Function and inversions • We say that a function f is hard to invert if given y=f(x) it is hard to find x’ such that y=f(x’) • x’ need not be equal to x • We will use f-1(y) to denote the set of preimages of y • To discuss hard must specify a computational model • Use two flavors: • Concrete • Asymptotic

  5. Computational Models • Asymptotic: Turing Machines with random tape • For classical models: precise model does not matter up to polynomial factor Random tape 1 0 1 1 0 1 0 Both algorithm for evaluatingfand the adversary are modeled by PTM Input tape

  6. One-way functions - asymptotic A function f: {0,1}* → {0,1}* is called aone-way function, if • f is a polynomial-time computable function • Also polynomial relationship between input and output length • for every probabilistic polynomial-time algorithm A, every positive polynomial p(.), and all sufficiently large n’s Prob[ A(f(x)) f-1(f(x)) ] ≤ 1/p(n) Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A

  7. Computational Models • Concrete : Boolean circuits (example) • precise model makes a difference • Time = circuit size Input Output

  8. One-way functions – concrete version A function f:{0,1}n → {0,1}n is called a (t,ε)one-way function, if • f is a polynomial-time computable function (independent of t) • for every t-time algorithm A, Prob[A(f(x)) f-1(f(x)) ] ≤ ε Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A Can either think oft and εas being fixed or ast(n), ε(n) Boolean circuit

  9. Perfect completeness Or 1-ε completeness The two guards problem Completeness: If Alice wants to `approve’ and Eve does not interfere – Bob moves to state Y Soundness: If Alice does not `approve’, then for any behavior from Eve and Charlie, Bob stays in N • Similarly if Bob and Charlie are switched Charlie Alice Bob Eve

  10. Solution to the password problem • Assume that • f: {0,1}n → {0,1}n is a (t,ε)one-way function • Adversary’s run times is bounded by t Setup phase: • Alice chooses xR{0,1}n • computes y=f(x) • Gives y to Bob and Charlie Approval phase: when Alice wants to approve – she sends x • If Bob gets anysymbols on channel – call them z; compute f(z) and compares to y • If equal moves to state Y • If not equal moves permanently to state N Bob Alice

  11. Are one-way functions essential to the two guards password problem? Suppose that we have a solution to the two guards problem Alice, Bob and Charlie can be implemented by polynomial time machines • for every probabilistic polynomial-time algorithm Acontrolling Eve and Charlie • every polynomial p(.), • and all sufficiently large n’s Prob[Bob moves to Y | Alice does not approve] ≤ 1/p(n) Already saw Theorem: the two guards password problem has a solution if and only if one-way functions exist

  12. One-way functions are essential to the two guards password problem Want to put protocol in canonical form • Recall observation: what Bob and Charlie received in the setup phase might as well be public • Claim: can get rid of interaction: • given an interactive identification protocol possible to construct a noninteractiveone. In the new protocol: • Alice` sends Bob` the random bits Alice used to generate the setup information • Bob` simulates the conversation between Alice and Bob in original protocol and accepts only if simulated Bob accepts. Claim: Probability of cheating remains the same in both protocols With Alice and bob With Alice’ and Bob’

  13. One-way functions are essential to the two guards password problem • Given a noninteracive identification protocol want to define a one-way function: • Define g(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie random bits r Alice setup Charlie y Bob

  14. One-way functions are essential to the two guards password problem • Define g(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie • Are we done? • Yes: if we have perfect completeness • But, the function g(r) is not necessarily one-way without perfect completeness… • Can be unlikely ways to generate it. Can be exploited to invert. • Example: Alice chooses x, x’{0,1}n. If x’=0n, set y=x, o.w. set y=f(x). • The protocol is still secure, but with probability 1/2n not complete • The resulting function g(x,x’) is easy to invert: • given y{0,1}n set inverse as (y, 0n )

  15. One-way functions are essential to the two guards password problem… • However: possible to estimate the probability that Bob accepts on a given string from Alice • Should be close to 1 for most r • Second attempt: define function g(r) as • the mapping that Alice does in the setup phase between her random bits r and the information given to Bob and Charlie, • plus a bit indicating whether probability of Bob accepts given r is greater than 2/3 Theorem: the two guards password problem has a solution if and only if one-way functions exist Arbitrary…

  16. Examples of One-way functions Examples of hard problems: • Subset sum • Discrete log • Factoring (numbers, polynomials) into prime components How do we get a one-way function out of them? Easy problem

  17. Subset Sum • Subset sum problem: given • n numbers 0 ≤ a1,a2 ,…,an ≤2m • Target sum T • Find subset S⊆ {1,...,n} ∑ i S ai,=T • (n,m)-subset sum assumption: for uniformly chosen • a1,a2 ,…,an R{0,…2m -1} and S⊆{1,...,n} • For any probabilistic polynomial time algorithm, the probability of finding S’⊆{1,...,n} such that ∑ i S ai= ∑ i S’ ai is negligible, where the probability is over the random choice of the ai‘s, S and the inner coin flips of the algorithm • Not true for very small or very large m. most difficult case m=n • Subset sum one-way function f:{0,1}mn+n→ {0,1}mn+m f(a1,a2 ,…,an , b1,b2 ,…,bn ) = (a1,a2 ,…,an , ∑ i=1nbi ai mod 2m )

  18. Exercise • Show a function f such that • if f is polynomial time invertible on all inputs, then P=NP • f is not one-way

  19. Discrete Log Problem • Let Gbe a group andgan element inG. • Let y=gzand xthe minimal non negative integer satisfying the equation. xis called the discrete log ofyto baseg. • Example: y=gx mod pin the multiplicative group ofZp • In general: easy to exponentiate via repeated squaring • Consider binary representation • What about discrete log? • If difficult,f(g,x) = (g, gx ) is a one-way function

  20. Weak One-way function A function f: {0,1}n → {0,1}n is called aweak one-way function, if • f is a polynomial-time computable function • There exists a polynomial p(¢), forevery probabilistic polynomial-time algorithm A, and all sufficiently large n’s Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A

  21. Integer Factoring • Consider f(x,y) = x • y • Easy to compute • Is it one-way? • No: if f(x,y) is even, can set inverse as (f(x,y)/2,2) • If factoring a number into prime factors is hard: • Specifically given N= P • Q , the product of two random large (n-bit) primes, it is hard to factor • Then somewhat hard – there are a non-negligible fraction of such numbers ~ 1/n2 from the density of primes • Hence a weak one-way function • Alternatively: • let g(r) be a function mapping random bits into random primes. • The function f(r1,r2) = g(r1) • g(r2) is one-way Why is it polynomial time computable?

  22. Exercise: weak exist if strong exists Show that if strong one-way functions exist, then there exists a function which is a weak one-way function but not a strong one

  23. What about the other direction? • Given • a function f that is guaranteed to be a weak one-way • Let p(n) be such that Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) • can we construct a function g that is (strong) one-way? An instance of a hardness amplification problem • Simple idea: repetition. For some polynomial q(n) define g(x1,x2 ,…,xq(n) )=f(x1), f(x2), …, f(xq(n)) • To invert g need to succeed in inverting f in all q(n) places • If q(n) = p2(n) seems unlikely (1-1/p(n))p2(n) ≈ e-p(n) • But how to we show? Sequential repetition intuition – not a proof.

  24. Want: Inverting g with low probability implies inverting f with high probability • Given a machine B that inverts g want amachine B’ • operating in similar time bounds • inverts f with high probability • Idea: given y=f(x) plug it in some place in g and generate the rest of the locations at random z=(y, f(x2), …, f(xq(n))) • Ask machine Bto invert g at point z • Probability of success should be at least (exactly) B’s Probability of inverting g at a random point • Once is not enough • How to amplify? • Repeat while keeping y fixed • Put y at random position (or sort the inputs to g )

  25. Proof of Amplification for Repetition of Two Concentrate on a two-repetition: g(x1,x2 ) = f(x1), f(x2) • Goal: show that the probability of inverting g is roughly squared the probability of inverting f just as would be sequentially • Claim: Let (n) be a function that for some p(n) satisfies 1/p(n)≤ (n) ≤ 1-1/p(n) Let ε(n) be any inverse polynomial function Suppose that for every polynomial timeAand sufficiently large n Prob[A[f(x)] f-1(f(x)) ] ≤ (n) Then for every polynomial timeB and sufficiently large n Prob[B[g(x1,x2 )] g-1(g(x1,x2 )) ] ≤ 2(n)+ ε(n)

  26. Proof of Amplification for Two Repetition Given a better than 2+εalgorithm B for inverting g construct the following: • B’(y): Inversion algorithm forf • Repeatttimes • Choose x’at random and computey’=f(x’) • Run B(y,y’). • Check the results • If correct: Halt with success • Output failure Inner loop Helpful for constructive algorithm

  27. Probability of Success • Define S={y=f(x) | Prob[Inner loop successful| y ] > β} • Since the choices of the x’ are independent Prob[B’ succeeds| yS] > 1-(1- β)t Taking t= n/β means that when yS almost surely B’will invert it • Hence want to show that Prob[yS] > (n) • Probability is over the choice of x

  28. The success of B • Fix the random bits of B. Define P={(y1, y2)| B succeeds on (y1,y2)} • P= P⋂ {(y1,y2 )| y1,y2S} • ⋃ P⋂ {(y1,y2 )| y1S} • ⋃ P ⋂ {(y1,y2 )| y2S} y1 Well behaved part y2 Want to bound P by a square P

  29. S is the only success... But Prob[B[y1,y2] g-1(y1,y2) | y1 S] ≤ β and similarly Prob[B[y1,y2] g-1(y1,y2) | y2 S] ≤ β so Prob[(y1,y2)  P and y1,y2 S] ≥ Prob[(y1,y2)  P ] - 2β ≥ 2+ ε - 2β Setting β =ε/3 we have Prob[(y1,y2) P and y1,y2 S] ≥ 2 + ε/3

  30. Contradiction But Prob[(y1,y2) P and y1,y2S] ≤ Prob[y1 S] Prob[y2 S] = Prob2[yS] So Prob[yS] ≥ √(α2+ ε/3) > α

  31. Is there an ultimate one-way function?aka `universal’ Do not know: P≠NP implies the existence of one-way functions, Can we show a specific function f so that if some one-way exists, then f is one-way? • If f1:{0,1}* → {0,1}* and f2:{0,1}* → {0,1}* are guaranteed to: • Be polynomial time computable • At least one of them is one-way. then can construct a function g:{0,1}* → {0,1}* which is one-way: g(x1,x2 ) = (f1(x1),f2 (x2 )) Robust Combiner Can generalizes to a 1-out-m combiner

  32. The Construction • If a 5n2 time one-way function is guaranteed to exist, can construct an O(n2 log n) one-way function g: • Idea: enumerate Turing Machine and make sure they run 5n2 steps g(x1,x2 ,…,xlog (n) )=M1(x1), M2(x2), …, Mlog n(xlog (n)) • Eventually get to the TM of the one-way function • If a one-way function is guaranteed to exist, then there exists a 5n2 time one-way: • Idea: concentrate on the prefix, ignore the rest n’ where n=p(n’)

  33. Ultimate one-way function conclusions Original proof due to L. Levin • Be careful what you wish for • Problem with resulting one-way function: • Cannot learn about behavior on large inputs from small inputs • Whole rational of considering asymptotic results is eroded! • Construction does not work for non-uniform one-way functions • Notion of robust combiner seems fundamental • See “Robust Combiners for Oblivious Transfer and Other Primitives” by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005

  34. Distributionally One-Way Functions • A function f:{0,1}*  {0,1}* is one-way if: • it is computable in poly-time • the probability of successfully finding an inverse in poly-time is negligible (on a random input) • A function f:{0,1}*  {0,1}* is distributionally one-way if: • it is computable in poly-time • No poly-time algorithm can successfully find a random inverse (on a random input) • Distribution on inverting algorithm far from uniform on the pre-images Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exists Example: function from two guards problem

More Related