340 likes | 451 Vues
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification : from weak to strong one-way functions. Lecturer: Moni Naor Weizmann Institute of Science. Recap.
E N D
Foundations of CryptographyLecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way functions Lecturer:Moni Naor Weizmann Institute of Science
Recap • Key Idea of Cryptography: use the intractability of some problems to create secure system. • The Identification Problem • Shannon and Min Entropies • One-way functions • Solution to the identification problem with multiple verifiers • Cryptographic Reductions: using one adversary to create another
Rigorous Specification of Security To define security of a system must specify: • What constitute a failure of the system • The power of the adversary • computational • access to the system • what it means to break the system. Why is this more relevant in cryptography than other realms?
Function and inversions • We say that a function f is hard to invert if given y=f(x) it is hard to find x’ such that y=f(x’) • x’ need not be equal to x • We will use f-1(y) to denote the set of preimages of y • To discuss hard must specify a computational model • Use two flavors: • Concrete • Asymptotic
Computational Models • Asymptotic: Turing Machines with random tape • For classical models: precise model does not matter up to polynomial factor Random tape 1 0 1 1 0 1 0 Both algorithm for evaluatingfand the adversary are modeled by PTM Input tape
One-way functions - asymptotic A function f: {0,1}* → {0,1}* is called aone-way function, if • f is a polynomial-time computable function • Also polynomial relationship between input and output length • for every probabilistic polynomial-time algorithm A, every positive polynomial p(.), and all sufficiently large n’s Prob[ A(f(x)) f-1(f(x)) ] ≤ 1/p(n) Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A
Computational Models • Concrete : Boolean circuits (example) • precise model makes a difference • Time = circuit size Input Output
One-way functions – concrete version A function f:{0,1}n → {0,1}n is called a (t,ε)one-way function, if • f is a polynomial-time computable function (independent of t) • for every t-time algorithm A, Prob[A(f(x)) f-1(f(x)) ] ≤ ε Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A Can either think oft and εas being fixed or ast(n), ε(n) Boolean circuit
Perfect completeness Or 1-ε completeness The two guards problem Completeness: If Alice wants to `approve’ and Eve does not interfere – Bob moves to state Y Soundness: If Alice does not `approve’, then for any behavior from Eve and Charlie, Bob stays in N • Similarly if Bob and Charlie are switched Charlie Alice Bob Eve
Solution to the password problem • Assume that • f: {0,1}n → {0,1}n is a (t,ε)one-way function • Adversary’s run times is bounded by t Setup phase: • Alice chooses xR{0,1}n • computes y=f(x) • Gives y to Bob and Charlie Approval phase: when Alice wants to approve – she sends x • If Bob gets anysymbols on channel – call them z; compute f(z) and compares to y • If equal moves to state Y • If not equal moves permanently to state N Bob Alice
Are one-way functions essential to the two guards password problem? Suppose that we have a solution to the two guards problem Alice, Bob and Charlie can be implemented by polynomial time machines • for every probabilistic polynomial-time algorithm Acontrolling Eve and Charlie • every polynomial p(.), • and all sufficiently large n’s Prob[Bob moves to Y | Alice does not approve] ≤ 1/p(n) Already saw Theorem: the two guards password problem has a solution if and only if one-way functions exist
One-way functions are essential to the two guards password problem Want to put protocol in canonical form • Recall observation: what Bob and Charlie received in the setup phase might as well be public • Claim: can get rid of interaction: • given an interactive identification protocol possible to construct a noninteractiveone. In the new protocol: • Alice` sends Bob` the random bits Alice used to generate the setup information • Bob` simulates the conversation between Alice and Bob in original protocol and accepts only if simulated Bob accepts. Claim: Probability of cheating remains the same in both protocols With Alice and bob With Alice’ and Bob’
One-way functions are essential to the two guards password problem • Given a noninteracive identification protocol want to define a one-way function: • Define g(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie random bits r Alice setup Charlie y Bob
One-way functions are essential to the two guards password problem • Define g(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie • Are we done? • Yes: if we have perfect completeness • But, the function g(r) is not necessarily one-way without perfect completeness… • Can be unlikely ways to generate it. Can be exploited to invert. • Example: Alice chooses x, x’{0,1}n. If x’=0n, set y=x, o.w. set y=f(x). • The protocol is still secure, but with probability 1/2n not complete • The resulting function g(x,x’) is easy to invert: • given y{0,1}n set inverse as (y, 0n )
One-way functions are essential to the two guards password problem… • However: possible to estimate the probability that Bob accepts on a given string from Alice • Should be close to 1 for most r • Second attempt: define function g(r) as • the mapping that Alice does in the setup phase between her random bits r and the information given to Bob and Charlie, • plus a bit indicating whether probability of Bob accepts given r is greater than 2/3 Theorem: the two guards password problem has a solution if and only if one-way functions exist Arbitrary…
Examples of One-way functions Examples of hard problems: • Subset sum • Discrete log • Factoring (numbers, polynomials) into prime components How do we get a one-way function out of them? Easy problem
Subset Sum • Subset sum problem: given • n numbers 0 ≤ a1,a2 ,…,an ≤2m • Target sum T • Find subset S⊆ {1,...,n} ∑ i S ai,=T • (n,m)-subset sum assumption: for uniformly chosen • a1,a2 ,…,an R{0,…2m -1} and S⊆{1,...,n} • For any probabilistic polynomial time algorithm, the probability of finding S’⊆{1,...,n} such that ∑ i S ai= ∑ i S’ ai is negligible, where the probability is over the random choice of the ai‘s, S and the inner coin flips of the algorithm • Not true for very small or very large m. most difficult case m=n • Subset sum one-way function f:{0,1}mn+n→ {0,1}mn+m f(a1,a2 ,…,an , b1,b2 ,…,bn ) = (a1,a2 ,…,an , ∑ i=1nbi ai mod 2m )
Exercise • Show a function f such that • if f is polynomial time invertible on all inputs, then P=NP • f is not one-way
Discrete Log Problem • Let Gbe a group andgan element inG. • Let y=gzand xthe minimal non negative integer satisfying the equation. xis called the discrete log ofyto baseg. • Example: y=gx mod pin the multiplicative group ofZp • In general: easy to exponentiate via repeated squaring • Consider binary representation • What about discrete log? • If difficult,f(g,x) = (g, gx ) is a one-way function
Weak One-way function A function f: {0,1}n → {0,1}n is called aweak one-way function, if • f is a polynomial-time computable function • There exists a polynomial p(¢), forevery probabilistic polynomial-time algorithm A, and all sufficiently large n’s Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) Where x is chosen uniformly in {0,1}nand the probability is also over the internal coin flips of A
Integer Factoring • Consider f(x,y) = x • y • Easy to compute • Is it one-way? • No: if f(x,y) is even, can set inverse as (f(x,y)/2,2) • If factoring a number into prime factors is hard: • Specifically given N= P • Q , the product of two random large (n-bit) primes, it is hard to factor • Then somewhat hard – there are a non-negligible fraction of such numbers ~ 1/n2 from the density of primes • Hence a weak one-way function • Alternatively: • let g(r) be a function mapping random bits into random primes. • The function f(r1,r2) = g(r1) • g(r2) is one-way Why is it polynomial time computable?
Exercise: weak exist if strong exists Show that if strong one-way functions exist, then there exists a function which is a weak one-way function but not a strong one
What about the other direction? • Given • a function f that is guaranteed to be a weak one-way • Let p(n) be such that Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) • can we construct a function g that is (strong) one-way? An instance of a hardness amplification problem • Simple idea: repetition. For some polynomial q(n) define g(x1,x2 ,…,xq(n) )=f(x1), f(x2), …, f(xq(n)) • To invert g need to succeed in inverting f in all q(n) places • If q(n) = p2(n) seems unlikely (1-1/p(n))p2(n) ≈ e-p(n) • But how to we show? Sequential repetition intuition – not a proof.
Want: Inverting g with low probability implies inverting f with high probability • Given a machine B that inverts g want amachine B’ • operating in similar time bounds • inverts f with high probability • Idea: given y=f(x) plug it in some place in g and generate the rest of the locations at random z=(y, f(x2), …, f(xq(n))) • Ask machine Bto invert g at point z • Probability of success should be at least (exactly) B’s Probability of inverting g at a random point • Once is not enough • How to amplify? • Repeat while keeping y fixed • Put y at random position (or sort the inputs to g )
Proof of Amplification for Repetition of Two Concentrate on a two-repetition: g(x1,x2 ) = f(x1), f(x2) • Goal: show that the probability of inverting g is roughly squared the probability of inverting f just as would be sequentially • Claim: Let (n) be a function that for some p(n) satisfies 1/p(n)≤ (n) ≤ 1-1/p(n) Let ε(n) be any inverse polynomial function Suppose that for every polynomial timeAand sufficiently large n Prob[A[f(x)] f-1(f(x)) ] ≤ (n) Then for every polynomial timeB and sufficiently large n Prob[B[g(x1,x2 )] g-1(g(x1,x2 )) ] ≤ 2(n)+ ε(n)
Proof of Amplification for Two Repetition Given a better than 2+εalgorithm B for inverting g construct the following: • B’(y): Inversion algorithm forf • Repeatttimes • Choose x’at random and computey’=f(x’) • Run B(y,y’). • Check the results • If correct: Halt with success • Output failure Inner loop Helpful for constructive algorithm
Probability of Success • Define S={y=f(x) | Prob[Inner loop successful| y ] > β} • Since the choices of the x’ are independent Prob[B’ succeeds| yS] > 1-(1- β)t Taking t= n/β means that when yS almost surely B’will invert it • Hence want to show that Prob[yS] > (n) • Probability is over the choice of x
The success of B • Fix the random bits of B. Define P={(y1, y2)| B succeeds on (y1,y2)} • P= P⋂ {(y1,y2 )| y1,y2S} • ⋃ P⋂ {(y1,y2 )| y1S} • ⋃ P ⋂ {(y1,y2 )| y2S} y1 Well behaved part y2 Want to bound P by a square P
S is the only success... But Prob[B[y1,y2] g-1(y1,y2) | y1 S] ≤ β and similarly Prob[B[y1,y2] g-1(y1,y2) | y2 S] ≤ β so Prob[(y1,y2) P and y1,y2 S] ≥ Prob[(y1,y2) P ] - 2β ≥ 2+ ε - 2β Setting β =ε/3 we have Prob[(y1,y2) P and y1,y2 S] ≥ 2 + ε/3
Contradiction But Prob[(y1,y2) P and y1,y2S] ≤ Prob[y1 S] Prob[y2 S] = Prob2[yS] So Prob[yS] ≥ √(α2+ ε/3) > α
Is there an ultimate one-way function?aka `universal’ Do not know: P≠NP implies the existence of one-way functions, Can we show a specific function f so that if some one-way exists, then f is one-way? • If f1:{0,1}* → {0,1}* and f2:{0,1}* → {0,1}* are guaranteed to: • Be polynomial time computable • At least one of them is one-way. then can construct a function g:{0,1}* → {0,1}* which is one-way: g(x1,x2 ) = (f1(x1),f2 (x2 )) Robust Combiner Can generalizes to a 1-out-m combiner
The Construction • If a 5n2 time one-way function is guaranteed to exist, can construct an O(n2 log n) one-way function g: • Idea: enumerate Turing Machine and make sure they run 5n2 steps g(x1,x2 ,…,xlog (n) )=M1(x1), M2(x2), …, Mlog n(xlog (n)) • Eventually get to the TM of the one-way function • If a one-way function is guaranteed to exist, then there exists a 5n2 time one-way: • Idea: concentrate on the prefix, ignore the rest n’ where n=p(n’)
Ultimate one-way function conclusions Original proof due to L. Levin • Be careful what you wish for • Problem with resulting one-way function: • Cannot learn about behavior on large inputs from small inputs • Whole rational of considering asymptotic results is eroded! • Construction does not work for non-uniform one-way functions • Notion of robust combiner seems fundamental • See “Robust Combiners for Oblivious Transfer and Other Primitives” by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005
Distributionally One-Way Functions • A function f:{0,1}* {0,1}* is one-way if: • it is computable in poly-time • the probability of successfully finding an inverse in poly-time is negligible (on a random input) • A function f:{0,1}* {0,1}* is distributionally one-way if: • it is computable in poly-time • No poly-time algorithm can successfully find a random inverse (on a random input) • Distribution on inverting algorithm far from uniform on the pre-images Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exists Example: function from two guards problem