Cryptography Modern cryptography was born in 1970s when - - PowerPoint PPT Presentation



SLIDE 1

Cryptography

SLIDE 2

Modern cryptography was born in 1970’s when computationally easy-to-verify but ‘hard-to-solve’ problems were discovered.

Computational Complexity, by Fu Yuxi Cryptography 1 / 75

SLIDE 3

Cryptography is closely related to some advanced topics in computational complexity.


SLIDE 4

Synopsis

1. Computationally Secure Encryption
2. Pseudorandom Generator
3. Pseudorandom Function
4. One-Way Function
5. Zero Knowledge Proof
6. Remark

SLIDE 5

Computationally Secure Encryption


SLIDE 6

An encryption scheme is a pair (E, D) of algorithms such that D_k(E_k(x)) = x for every key k and every plaintext x. Obviously E_k is one-one (injective) for every k.

SLIDE 7

Shannon’s Perfect Secrecy

(E, D) is perfectly secret if for every pair x, x′ ∈ {0, 1}^m, the distributions E_{U_n}(x) and E_{U_n}(x′) are identical.

◮ n is the key length.
◮ U_n is the uniform distribution over {0, 1}^n.

SLIDE 8

One Time Pad Encryption Scheme, Vernam 1917

Encryption:

◮ Plaintext x ∈ {0, 1}^n.
◮ Generate a key k ∈_R {0, 1}^n and encrypt x as x ⊕ k.

Decryption:

◮ Ciphertext y ∈ {0, 1}^n.
◮ The plaintext is recovered as y ⊕ k.

If a key k is used twice, useful information can be derived.

SLIDE 9

One Time Pad Encryption Scheme

Fact. The one time pad encryption scheme is perfectly secure.

It is crucial that the key is as long as the message.

SLIDE 10

Shannon Theorem. Suppose (E, D) is an encryption scheme. If n < m, then there exist x, x′ such that E_{U_n}(x) and E_{U_n}(x′) differ.

Proof. A proof can be read off from the proof of the Lemma on Slide 14 (the counting argument |S| ≤ 2^n < 2^m).

◮ A perfectly secret encryption scheme is not a practical scenario.
◮ Modern cryptography offers a solution.

SLIDE 11

Negligible Functions

A function $\epsilon : \mathbb{N} \to [0, 1]$ is negligible if $\forall c.\ \exists N.\ \forall n \ge N.\ \epsilon(n) < 1/n^{c}$. In other words, ε is negligible if it tends to 0 faster than $1/p(n)$ for every polynomial p(n).

◮ Events with negligible probability can be practically ignored.
◮ ε is not negligible if $\exists c.\ \epsilon(n) \ge 1/n^{c}$ for infinitely many n.

SLIDE 12

Computationally Secure Encryption Scheme

An encryption scheme (E, D) for keys of length n and messages of length m is computationally secure if for every P-time PTM A there is a negligible function ε : ℕ → [0, 1] such that
$$\Bigl|\Pr_{k \in_R \{0,1\}^n,\ x \in_R \{0,1\}^m}\bigl[A(E_k(x)) = (i, b) \wedge x_i = b\bigr] - \tfrac{1}{2}\Bigr| \le \epsilon(n).$$

SLIDE 13

Is there a computationally secure encryption scheme? The answer is conditional.


SLIDE 14

Lemma. Suppose P = NP. Let (E, D) be a P-time encryption scheme with key shorter than message. A P-time algorithm A exists such that for every message length m, there is a pair x_0, x_1 ∈ {0, 1}^m satisfying
$$\Pr_{b \in_R \{0,1\},\ k \in_R \{0,1\}^n}\bigl[A(E_k(x_b)) = b\bigr] \ge 3/4,$$
where n is the key length and n < m.

1. Let S be defined as follows: y ∈ S iff ∃k. y = E_k(x_0), where x_0 = 0^m.
2. If P = NP then S is P-time decidable by some algorithm A.
   ◮ A(x) = 0 iff x ∈ S.
3. Let D_x be the distribution E_{U_n}(x). Then Pr[A(D_{x_0}) = 0] = 1.

SLIDE 15

If Pr[D_x ∈ S] > 1/2 for all x then one would have
$$\tfrac{1}{2} < \Pr_x\bigl[\Pr[D_x \in S]\bigr] = \Pr_k\bigl[\Pr_x[E_k(x) \in S]\bigr] \le \tfrac{1}{2},$$
where ≤ holds because |S| ≤ 2^n ≤ 2^{m−1} by the definition of S and E_k is injective. It follows that Pr[D_{x_1} ∈ S] ≤ 1/2 for some x_1 ∈ {0, 1}^m. According to the definition of A, one has Pr[A(D_{x_1}) = 0] ≤ 1/2. Hence
$$\Pr_{b,k}[A(E_k(x_b)) = b] = \tfrac{1}{2}\Pr[A(D_{x_0}) = 0] + \tfrac{1}{2}\Pr[A(D_{x_1}) = 1] = \tfrac{1}{2} + \tfrac{1}{2}\Pr[A(D_{x_1}) = 1] \ge \tfrac{3}{4}.$$

SLIDE 16

P ≠ NP is necessary for modern cryptography. We do not know if it is sufficient.

SLIDE 17

Pseudorandom Generator


SLIDE 18

Modern cryptography addresses the long key issue by studying how to generate long keys from short ones.

◮ An observer cannot efficiently detect any useful difference between a pseudorandom key and a truly random key.

SLIDE 19

What is a pseudorandom string? How do we characterize pseudorandom strings?

◮ For modern cryptography it suffices that encrypted messages are distributed in a way that looks random to all efficient observers.

SLIDE 20

Pseudorandom Generator

Let G : {0, 1}∗ → {0, 1}∗ and ℓ : ℕ → ℕ be P-time computable such that ℓ(n) > n for all n and |G(x)| = ℓ(|x|) for all x ∈ {0, 1}∗. G is a computationally secure pseudorandom generator of stretch ℓ(n) if, for every P-time PTM A, there exists a negligible function ε : ℕ → [0, 1] such that
$$\bigl|\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1]\bigr| \le \epsilon(n).$$

1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.

SLIDE 21

The definition of a pseudorandom generator says nothing about how one is constructed.

SLIDE 22

Unpredictability

Let G : {0, 1}∗ → {0, 1}∗ be P-time computable with stretch ℓ(n), where ℓ : ℕ → ℕ is P-time computable such that ∀n. ℓ(n) > n. We say that G is unpredictable if for every P-time PTM B there is a negligible function ε : ℕ → [0, 1] such that
$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \le \epsilon(n).$$

1. M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982.

SLIDE 23

Unpredictability ⇐ Pseudorandomness

Suppose G is a pseudorandom generator. If it is not unpredictable then there is some c such that
$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \ge \frac{1}{n^{c}}$$
holds for a P-time PTM B for infinitely many n. Some i exists such that
$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \ge \frac{1}{n^{c}\,\ell(n)}$$
for infinitely many n. Use B as a distinguisher that outputs 1 on input y iff its prediction of y_i from y_1, …, y_{i−1} is correct. It follows from $\Pr[B(U_{\ell(n)}) = 1] = \tfrac{1}{2}$ that
$$\Pr[B(G(U_n)) = 1] - \Pr[B(U_{\ell(n)}) = 1] \ge \frac{1}{n^{c}\,\ell(n)}$$
for infinitely many n, which is a contradiction.

SLIDE 24

Unpredictability ⇒ Pseudorandomness

Theorem (Yao, 1982). If G is unpredictable, then it is a pseudorandom generator.

1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.

SLIDE 25

Unpredictability ⇒ Pseudorandomness

Let ℓ : ℕ → ℕ be P-time computable such that ℓ(n) ≥ n. Let G : {0, 1}∗ → {0, 1}∗ be a P-time computable unpredictable function with stretch ℓ. Suppose G is not a pseudorandom generator. Then there is some constant c and some P-time PTM A such that, wlog,
$$\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \ge \frac{1}{n^{c}}$$
for infinitely many n.

SLIDE 26

Unpredictability ⇒ Pseudorandomness

For i ≤ ℓ(n), the hybrid distribution D_i is defined as follows:

1. choose x ∈_R {0, 1}^n and compute y = G(x);
2. output y_1, …, y_i, z_{i+1}, …, z_{ℓ(n)} with z_{i+1}, …, z_{ℓ(n)} ∈_R {0, 1}.

We notice that D_0 = U_{ℓ(n)} and D_{ℓ(n)} = G(U_n). Let p_i = Pr[A(D_i) = 1]. By assumption, for infinitely many n,
$$p_{\ell(n)} - p_0 = (p_{\ell(n)} - p_{\ell(n)-1}) + (p_{\ell(n)-1} - p_{\ell(n)-2}) + \cdots + (p_1 - p_0) \ge \frac{1}{n^{c}}.$$

SLIDE 27

Unpredictability ⇒ Pseudorandomness

Algorithm B asserts that everything A says is correct.

◮ Input 1^n, i ∈ [ℓ(n)] and y_1, …, y_{i−1}.

1. randomly generate z_i, …, z_{ℓ(n)};
2. compute a = A(y_1, …, y_{i−1}, z_i, …, z_{ℓ(n)});
3. output z_i if a = 1 and 1 − z_i if a = 0.

We are done if we can prove the following inequality
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2} \ge \frac{1}{n^{c}\,\ell(n)},$$
which can be derived if the following holds for every i ∈ [ℓ(n)]:
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] = \tfrac{1}{2} + (p_i - p_{i-1}).$$

SLIDE 28

Unpredictability ⇒ Pseudorandomness

B predicts y_i correctly if a = 1 ∧ z_i = y_i or a = 0 ∧ z_i = 1 − y_i. This event happens with probability
$$\tfrac{1}{2}\Pr_{x,\ y = G(x)}[a = 1 \mid z_i = y_i] + \tfrac{1}{2}\bigl(1 - \Pr_{x,\ y = G(x)}[a = 1 \mid z_i = 1 - y_i]\bigr).$$
Now $\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}[a = 1 \mid z_i = y_i] = p_i$. On the other hand,
$$p_{i-1} = \Pr[A(D_{i-1}) = 1] = \Pr[a = 1 \mid z_i = y_i]/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2 = p_i/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2. \tag{1}$$
We get $\Pr[a = 1 \mid z_i = 1 - y_i] = 2p_{i-1} - p_i$ from (1). Substituting into the expression above gives $\tfrac{1}{2}p_i + \tfrac{1}{2}(1 - 2p_{i-1} + p_i) = \tfrac{1}{2} + (p_i - p_{i-1})$, which is the identity required on the previous slide.
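The identity just derived holds for any distinguisher A and any generator G, so it can be checked exactly on a toy instance. The following Python is an added worked example, not part of the original slides: it enumerates every seed x and every coin toss of the predictor B with exact fractions. The generator G(x) = x‖x and the test A (does the second half repeat the first?) are constructed stand-ins chosen precisely because A distinguishes G from uniform; the names N, L, p, predictor_success and average_advantage are mine.

```python
from fractions import Fraction
from itertools import product

# Toy sizes so that every probability below is computed EXACTLY by enumeration.
N = 3          # seed length n
L = 2 * N      # stretch ℓ(n)

def G(x):
    # Constructed toy "generator" G(x) = x‖x. It is deliberately NOT pseudorandom:
    # that is what gives the distinguisher A something to detect.
    return tuple(x) + tuple(x)

def A(y):
    # Distinguisher: outputs 1 iff y has the shape of a G output (second half repeats the first).
    return 1 if y[:N] == y[N:] else 0

def p(i):
    # p_i = Pr[A(D_i) = 1], where the hybrid D_i outputs y_1..y_i followed by ℓ-i uniform bits.
    hits, total = Fraction(0), 0
    for x in product((0, 1), repeat=N):
        y = G(x)
        for z in product((0, 1), repeat=L - i):
            hits += A(y[:i] + z)
            total += 1
    return hits / total

def predictor_success(i):
    # Pr over x and B's coins that the slide's B(1^n, y_1..y_{i-1}) equals y_i.
    # B draws z_i..z_ℓ at random, asks A, and returns z_i if A says "pseudorandom" (a = 1),
    # else 1 - z_i.
    hits, total = Fraction(0), 0
    for x in product((0, 1), repeat=N):
        y = G(x)
        for z in product((0, 1), repeat=L - i + 1):
            a = A(y[:i - 1] + z)
            guess = z[0] if a == 1 else 1 - z[0]
            hits += int(guess == y[i - 1])
            total += 1
    return hits / total

def identity_holds():
    # The claim of the slide: Pr[B correct at i] = 1/2 + (p_i - p_{i-1}) for every i in [ℓ].
    return all(predictor_success(i) == Fraction(1, 2) + (p(i) - p(i - 1))
               for i in range(1, L + 1))

def average_advantage():
    # Averaging over i ∈_R [ℓ] telescopes to (p_ℓ - p_0)/ℓ, the bound used on Slide 27.
    return sum(predictor_success(i) - Fraction(1, 2) for i in range(1, L + 1)) / L
```

With these toy parameters p_0 = 1/8 (a uniform 6-bit string repeats its first half with probability 2^{-3}), p_ℓ = 1, and B's average advantage is (1 − 1/8)/6: a generator that is easy to distinguish is, by this reduction, easy to predict.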

SLIDE 29

Theorem. Given a pseudorandom generator with stretch n^c, one can design a computationally secure encryption scheme (E, D) using n-bit keys for n^c-bit messages. Given a random key of length n, generate a key of length n^c using the pseudorandom generator, and then apply the one-time pad encryption scheme.
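The construction of this theorem in Python, as an added example that is not part of the original slides. The deck leaves G abstract, so prg below uses SHA-256 in counter mode as an assumed stand-in for a pseudorandom generator; stretched_encrypt is the theorem's scheme (expand the short key, then one-time pad), and two_time_pad_leak makes the key-reuse warning from Slide 8 concrete.

```python
import hashlib
import secrets

def xor_bytes(a, b):
    # Bitwise XOR of two equal-length byte strings (the ⊕ of the slides, applied byte-wise).
    assert len(a) == len(b)
    return bytes(u ^ v for u, v in zip(a, b))

def otp_encrypt(key, x):
    # One-time pad: the key must be exactly as long as the message.
    return xor_bytes(key, x)

def otp_decrypt(key, y):
    return xor_bytes(key, y)   # y ⊕ k = (x ⊕ k) ⊕ k = x

def prg(seed, out_len):
    # Stretch a short seed to out_len bytes.
    # ASSUMPTION: SHA-256 in counter mode stands in for the slides' abstract generator G;
    # the deck does not fix a concrete G.
    out = bytearray()
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:out_len])

def stretched_encrypt(short_key, x):
    # Slide 29's scheme: expand the n-bit key to |x| bits with the PRG, then apply the one-time pad.
    return otp_encrypt(prg(short_key, len(x)), x)

def stretched_decrypt(short_key, y):
    return otp_decrypt(prg(short_key, len(y)), y)

def two_time_pad_leak(key, x1, x2):
    # Slide 8's warning, made concrete: with a reused pad, c1 ⊕ c2 = x1 ⊕ x2, so an observer
    # learns the XOR of the two plaintexts without knowing the key at all.
    c1, c2 = otp_encrypt(key, x1), otp_encrypt(key, x2)
    return xor_bytes(c1, c2)

def demo():
    # Round trip with a 128-bit key and a message several times longer than the key.
    short_key = secrets.token_bytes(16)
    message = b"a message much longer than the 16-byte key it is encrypted under"
    ct = stretched_encrypt(short_key, message)
    return stretched_decrypt(short_key, ct) == message
```

Note that stretched_encrypt is only meant for one message per key, exactly like the pad it expands: two messages under the same short key are again a two-time pad. Slide 42 shows how a pseudorandom function removes that restriction.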

SLIDE 30

Application: Derandomization

If pseudorandom generators exist, then we can construct subexponential deterministic algorithms for problems in BPP.

◮ This is the derandomization of BPP.

The basic idea:

◮ Let L be decided by an n^d-time PTM P with bounded error.
◮ For every small ε let c be such that 0 < d/c < ε < 1.
◮ Apply to all strings of length n^{d/c} the pseudorandom generator with stretch n^c, and then execute P by following the choices prescribed by the produced pseudorandom strings of length n^d.
◮ The algorithm runs in time O(2^{n^ε}).

SLIDE 31

Pseudorandom Function


SLIDE 32

Let F_n denote the set of all functions of type {0, 1}^n → {0, 1}^n.

1. Generally n·2^n bits are necessary to specify a function in F_n.
2. Consequently its computation is not efficient.

We look for an efficient subset G_n of F_n that appears random.

1. Every element of G_n is specified by n bits.
2. Every element of G_n is P-time computable.
3. Yet no P-time PTM can detect a noticeable difference between a random element of G_n and a random element of F_n.

◮ There are 2^{n·2^n} elements in F_n.
◮ There are only 2^n elements in G_n.

SLIDE 33

Pseudorandom functions are pseudorandom generators with exponential stretch.

◮ A pseudorandom function is a black box: a distinguisher can only ask for the values of the function at a small number of inputs.

SLIDE 34

Pseudorandom Function

Let {f_k}_{k∈{0,1}∗} be a family of functions such that

◮ f_k : {0, 1}^{|k|} → {0, 1}^{|k|} for every k ∈ {0, 1}∗, and
◮ f_k(x) is P-time computable from k, x.

The family {f_k}_{k∈{0,1}∗} is pseudorandom if for every P-time probabilistic OTM A there is a negligible function ε : ℕ → [0, 1] such that for all n,
$$\bigl|\Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1] - \Pr_{g \in_R F_n}[A^{g}(1^n) = 1]\bigr| \le \epsilon(n).$$

A needs no input. The string 1^n marks the input length.

SLIDE 35

Pseudorandom Generator ⇐ Pseudorandom Function

Suppose {f_k}_{k∈{0,1}∗} is a pseudorandom family of functions. It follows from the definition that for every polynomial ℓ(n), the map G defined by
$$k \in \{0,1\}^n \ \mapsto\ f_k(1), \ldots, f_k(\ell(n)) \in \{0,1\}^{n\,\ell(n)}$$
is a pseudorandom generator.

SLIDE 36

Goldreich-Goldwasser-Micali Theorem. Suppose that there exists a pseudorandom generator G with stretch ℓ(n) = 2n. Then there exists a pseudorandom function family.

1. O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. FOCS 1984.

SLIDE 37

Pseudorandom Generator ⇒ Pseudorandom Function

Let G be a pseudorandom generator with stretch 2n.

◮ G_0(x) is the first n bits of G(x);
◮ G_1(x) is the last n bits of G(x).

For each seed k ∈ {0, 1}^n the function f_k is defined by
$$f_k(x) = G_{x_n}(G_{x_{n-1}}(\ldots G_{x_1}(k) \ldots)).$$
We will prove that {f_k}_{k∈{0,1}∗} is a pseudorandom function family.

SLIDE 38

Figure: The algorithm that calculates f_k(x), drawn as a binary tree. The root is k; the two children of a node v are G_0(v) (taken when the next bit x_i = 0) and G_1(v) (taken when x_i = 1). Level 1 holds G_0(k), G_1(k); level 2 holds G_0(G_0(k)), G_1(G_0(k)), G_0(G_1(k)), G_1(G_1(k)); and so on down to depth n, where the leaf reached along the path x_1, …, x_n is f_k(x).

SLIDE 39

Pseudorandom Generator ⇒ Pseudorandom Function

Let A be a T-time PTM that distinguishes {f_k}_{k∈{0,1}^n} and F_n. I.e. some c exists such that the following inequality holds for infinitely many n:
$$\Pr_{g \in_R F_n}[A^{g}(1^n) = 1] - \Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1] \ge \frac{1}{n^{c}}.$$
We construct a P-time PTM B that distinguishes U_{2n} and G(U_n) with bias $\frac{1}{nT} \cdot \frac{1}{n^{c}}$.

◮ Define a random implementation O of the oracle f_{U_n} in terms of G:
  1. generate a seed k ∈_R {0, 1}^n randomly;
  2. run the algorithm that calculates f_k on all queries.
◮ We then modify O to get {O_i}_{i≤nT} using the hybrid approach.

SLIDE 40

Pseudorandom Generator ⇒ Pseudorandom Function

For i ≤ nT the random oracle O_i is defined as follows:

1. In the first i steps generate children randomly.
2. After the first i steps generate children pseudorandomly using G.
3. The random answers must be consistent!

Clearly O_0 is O, and O_{nT} is a random function. Let p_i = Pr[A^{O_i}(1^n) = 1]. Observe that
$$p_0 = \Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1] \quad\text{and}\quad p_{nT} = \Pr_{g \in_R F_n}[A^{g}(1^n) = 1].$$
By assumption $p_{nT} - p_0 \ge \frac{1}{n^{c}}$.

SLIDE 41

Algorithm B.

1. Input k ∈ {0, 1}^{2n}.
2. Generate i ∈_R [nT].
3. Run A^{O_i}(1^n), with the modification of O_i that in the i-th invocation the two children are the first respectively the last n bits of k.

The following can be easily verified.

◮ If k ∈_R U_{2n}, then B’s output is distributed as A^{O_i}(1^n).
◮ If k ∈_R G(U_n), then B’s output is distributed as A^{O_{i−1}}(1^n).

Using the hybrid argument, Pr[B(U_{2n}) = 1] − Pr[B(G(U_n)) = 1] is
$$\sum_{i \in [nT]} \frac{\Pr[A^{O_i}(1^n) = 1]}{nT} - \sum_{i \in [nT]} \frac{\Pr[A^{O_{i-1}}(1^n) = 1]}{nT} = \frac{p_{nT}}{nT} - \frac{p_0}{nT} \ge \frac{1}{nT} \cdot \frac{1}{n^{c}}.$$

SLIDE 42

Application: One Key for Many Messages

By the Goldreich-Goldwasser-Micali Theorem and Yao’s Theorem, the string f_k(r_1) f_k(r_2) f_k(r_3) … f_k(r_{ℓ(k)}) is unpredictable.

1. Alice encrypts a message x ∈ {0, 1}^n by choosing r ∈_R {0, 1}^n and sends (r, f_k(r) ⊕ x) to Bob, where k ∈ {0, 1}^n is the key.
2. Bob receives (r, y) and calculates f_k(r) ⊕ y to recover x.

SLIDE 43

Application: Message Authentication Code

For the same reason the following protocol is secure.

1. Alice sends x to Bob.
2. Bob sends (x, f_k(x)) to Alice.
3. Alice receives (x, y) and checks if y = f_k(x) to verify that the message has not been corrupted.
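The following Python is an added example, not code from the slides, that ties together the GGM construction of Slides 37 and 38 (f_k as a walk down the tree from root k), the PRF-to-PRG map of Slide 35, the one-key-for-many-messages scheme of Slide 42 and the MAC of Slide 43. The deck leaves G abstract; here SHA-256 is an assumed stand-in for a length-doubling generator (n = 128 bits). Names such as prf, prf_as_prg, encrypt, mac and verify are mine, and the constant-time tag comparison in verify is a practical choice the slides do not discuss.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16   # n = 128 bits: keys, PRF inputs and PRF outputs are all n bits

def G(s):
    # Length-doubling generator G : {0,1}^n -> {0,1}^{2n}.
    # ASSUMPTION: SHA-256 stands in for the slides' abstract G with stretch 2n.
    return hashlib.sha256(s).digest()               # 32 bytes = 2n bits

def G0(s):
    return G(s)[:N_BYTES]                            # first n bits of G(s)

def G1(s):
    return G(s)[N_BYTES:]                            # last n bits of G(s)

def bits(x):
    # Bits x_1 ... x_n of the n-byte string x, most significant bit of each byte first.
    return [(byte >> (7 - j)) & 1 for byte in x for j in range(8)]

def prf(k, x):
    # f_k(x) = G_{x_n}( ... G_{x_1}(k) ... ): walk the GGM tree from the root k,
    # taking the G_0 child on a 0 bit and the G_1 child on a 1 bit (Slides 37 and 38).
    assert len(k) == N_BYTES and len(x) == N_BYTES
    node = k
    for b in bits(x):
        node = G1(node) if b else G0(node)
    return node

def prf_as_prg(k, ell):
    # Slide 35: k -> f_k(1), ..., f_k(ell) is a generator with stretch n*ell
    # (the integers 1..ell are written as n-bit strings).
    return b"".join(prf(k, i.to_bytes(N_BYTES, "big")) for i in range(1, ell + 1))

def xor_bytes(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def encrypt(k, x):
    # Slide 42: fresh random r per message; ciphertext (r, f_k(r) ⊕ x). Messages are n bits.
    assert len(x) == N_BYTES
    r = secrets.token_bytes(N_BYTES)
    return r, xor_bytes(prf(k, r), x)

def decrypt(k, ciphertext):
    r, y = ciphertext
    return xor_bytes(prf(k, r), y)

def mac(k, x):
    # Slide 43: the tag for x is f_k(x).
    return prf(k, x)

def verify(k, x, tag):
    # Constant-time comparison so that tag checking itself does not leak via timing.
    return hmac.compare_digest(prf(k, x), tag)
```

Each prf call performs n = 128 evaluations of G, one per level of the tree; the whole 2^128-leaf tree is never materialised, which is the point of the construction. The same key may serve many encryptions because each fresh r selects a different, independent-looking leaf.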

SLIDE 44

Application: Lower Bound for Machine Learning

In machine learning the goal is to learn a function f from a sequence of examples (r_1, f(r_1)), …, (r_k, f(r_k)).

◮ The existence of pseudorandom functions implies that even if f is P-time computable, there is no way to learn it in P-time.

SLIDE 45

One-Way Function


SLIDE 46

Suppose G : {0, 1}∗ → {0, 1}∗ is a pseudorandom generator. For every P-time PTM A there must be a negligible function ε : ℕ → [0, 1] such that the following holds for every n:
$$\Pr_{x \in_R \{0,1\}^n}\bigl[A(1^n, G(x)) = x' \wedge G(x') = G(x)\bigr] \le \epsilon(n).$$

SLIDE 47

One-Way Function

A P-time function f : {0, 1}∗ → {0, 1}∗ is a one-way function if for every P-time PTM A there is a negligible function ε : ℕ → [0, 1] such that for every n,
$$\Pr_{x \in_R \{0,1\}^n,\ y = f(x)}\bigl[A(1^n, y) = x' \wedge f(x') = y\bigr] \le \epsilon(n).$$

SLIDE 48

Let f : {0, 1}∗ → {0, 1}∗ be a P-time computable function such that ∀x. |x| ≤ |f(x)|.

◮ If P = NP then {(l, u, y) | ∃x. f(x) = y ∧ l ≤ x ≤ u} ∈ P.
◮ By divide-and-conquer (binary search on the interval [l, u] of candidate preimages) one can compute f^{−1} in P-time.

The existence of one-way functions implies P ≠ NP.

SLIDE 49

Integer multiplication is believed to be one-way.


SLIDE 50

Theorem. If one-way permutations exist, then for every c ∈ ℕ, there exists a pseudorandom generator with stretch S(n) = n^c.

1. A. C. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.

Theorem. If one-way functions exist, then for every c ∈ ℕ, there exists a pseudorandom generator with stretch S(n) = n^c.

1. J. Håstad, R. Impagliazzo, L. Levin and M. Luby. A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 28:1364-1396, 1999.

SLIDE 51

The crucial step is to obtain a pseudorandom generator that extends its input by one bit.

◮ If f is a one-way permutation, then G(x, r) = f(x), r, x ⊙ r is a pseudorandom generator. Intuitively r is random, f(x) is pseudorandom, and the (2n+1)-th bit cannot be predicted with probability noticeably larger than 1/2.

We shall prove the Theorem using the Goldreich-Levin Theorem.

SLIDE 52

Goldreich-Levin Theorem. Suppose f : {0, 1}∗ → {0, 1}∗ is a one-way permutation. Then for every P-time PTM A there is a negligible function ε : ℕ → [0, 1] such that
$$\Bigl|\Pr_{x, r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2}\Bigr| \le \epsilon(n),$$
where $x \odot r = \sum_{i=1}^{n} x_i r_i \pmod 2$.

1. O. Goldreich, L. Levin. A Hard-Core Predicate for All One-Way Functions. STOC 1989.

We call x ⊙ r the hard core bit of the function xr ↦ f(x)r.

SLIDE 53

Scenario:

◮ We know f(x) and that A(f(x), r) approximates x ⊙ r to some extent.
◮ We hope to recover x.

1. If A(f(x), r) = x ⊙ r for all r, then it is easy to recover x by the following algorithm:
   ◮ Run A(f(x), e_1), …, A(f(x), e_n).
   ◮ Paste the resulting n bits together to get x.

SLIDE 54

2. Suppose Pr_{r∈_R{0,1}^n}[A(f(x), r) = x ⊙ r] ≥ 0.9.

Now x ⊙ r is uniformly distributed if r is uniformly distributed, and r ⊕ e_i is uniform whenever r is. So by the union bound
$$\Pr_{r \in_R \{0,1\}^n}\bigl[(A(f(x), r) \ne x \odot r) \vee (A(f(x), r \oplus e_i) \ne x \odot (r \oplus e_i))\bigr] \le 0.2.$$
The equality (x ⊙ r) ⊕ (x ⊙ (r ⊕ e_i)) = x ⊙ (r ⊕ r ⊕ e_i) = x ⊙ e_i = x_i implies that
$$\Pr_{r \in_R \{0,1\}^n}\bigl[A(f(x), r) \oplus A(f(x), r \oplus e_i) = x_i\bigr] \ge 0.8, \tag{2}$$
which can be amplified to 1 − 1/10n by majority vote.

◮ If we decrease 0.9 to 0.75, then 0.8 goes down to 0.5, rendering the lower bound in (2) utterly useless.

SLIDE 55

Algorithm B: The input is y = f(x).

1. m := 200n.
2. Choose r_1, …, r_m ∈_R {0, 1}^n.
3. For i from 1 to n do
   3.1 z_1 := A(f(x), r_1), z′_1 := A(f(x), r_1 ⊕ e_i), …, z_m := A(f(x), r_m), z′_m := A(f(x), r_m ⊕ e_i).
   3.2 guess that x_i is the majority value of {z_j ⊕ z′_j}_{j∈[m]}.

SLIDE 56

Analysis of B:

1. Let the indicator random variable Z_j be defined by
$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(f(x), r_j) = x \odot r_j \text{ and } A(y, r_j \oplus e_i) = x \odot (r_j \oplus e_i), \\ 0, & \text{otherwise.} \end{cases}$$
2. Clearly Z_1, …, Z_m are independent. Let Z = Z_1 + … + Z_m.
3. E[Z_j] ≥ 0.8 and E[Z] ≥ 0.8m.
4. Pr[|Z − E[Z]| ≥ 0.3m] ≤ 1/(0.3√m)^2 by the Chebyshev inequality.
5. It follows from m = 200n that Pr[Z ≤ 0.5m] ≤ 1/10n.

◮ Chebyshev inequality: $\Pr\bigl[|Z - E[Z]| \ge k\sqrt{\mathrm{Var}(Z)}\bigr] \le 1/k^{2}$.
◮ $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$ since Var(Z_j) ≤ 1 for all j.
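Algorithm B of Slide 55 run against a simulated predictor, as an added example that is not part of the original slides. Since the slides' A is hypothetical, make_noisy_oracle plays its role: it is allowed to know x and answers x ⊙ r correctly except with a chosen error probability, so the argument y = f(x) is accepted but unused (an assumption of the simulation, stated in the code). algorithm_B is the slide's majority-vote decoder with m = 200n; pair_agreement is my addition that measures the quantity bounded in inequality (2) for the two error rates the slides contrast.

```python
import random

def inner(x, r):
    # x ⊙ r = Σ x_i r_i mod 2 for bit vectors packed into Python ints.
    return bin(x & r).count("1") & 1

def make_noisy_oracle(x, error, rng):
    # Simulated adversary A(f(x), r). ASSUMPTION: we play the role of the hypothetical A, so the
    # oracle is allowed to know x; it answers x ⊙ r correctly except with probability `error`,
    # with fresh noise on every call. The argument y = f(x) is accepted but not needed.
    def A(y, r):
        correct = inner(x, r)
        return correct ^ 1 if rng.random() < error else correct
    return A

def algorithm_B(A, y, n, rng):
    # Slide 55: m = 200n random r_j; for each bit i, vote A(y, r_j) ⊕ A(y, r_j ⊕ e_i)
    # and take the majority as x_i.
    m = 200 * n
    rs = [rng.getrandbits(n) for _ in range(m)]
    x = 0
    for i in range(n):
        e_i = 1 << i                       # unit vector with a single 1 in position i
        votes_for_one = sum(A(y, r) ^ A(y, r ^ e_i) for r in rs)
        if 2 * votes_for_one > m:          # majority value of {z_j ⊕ z'_j}
            x |= e_i
    return x

def pair_agreement(A, y, x, n, rng, trials=4000):
    # Empirical version of inequality (2): the fraction of r for which
    # A(y, r) ⊕ A(y, r ⊕ e_1) equals x_1. With independent noise this is (1-e)^2 + e^2:
    # about 0.82 at error 0.1, but only 0.625 at error 0.25, and the slide's union-bound
    # guarantee is then just 0.5. That collapse is why Algorithm C replaces the second
    # call to A by a guess.
    samples = (rng.getrandbits(n) for _ in range(trials))
    hits = sum((A(y, r) ^ A(y, r ^ 1)) == (x & 1) for r in samples)
    return hits / trials
```

With n = 16 and error 0.1 the decoder makes 2m = 6400 oracle calls per bit and recovers x reliably, in line with the 1 − 1/10n bound; at error 0.25 the votes carry far less signal, which is the situation Slides 57 to 60 address.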

SLIDE 57

3. Suppose there are a constant c ∈ ℕ and a P-time PTM A such that
$$\Pr_{x, r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^{c}}$$
for infinitely many n. There is at least a $\frac{1}{2n^{c}}$ fraction of x’s, the good x’s, such that
$$\Pr_{r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{2n^{c}}$$
for infinitely many n.

Lemma. Suppose a_1, a_2, …, a_n ∈ [0, 1] and ρ = (Σ_{i∈[n]} a_i)/n. There is at least a ρ/2 fraction of a_i’s such that a_i ≥ ρ/2.

SLIDE 58

The point is that, for probabilistic reasons, we cannot afford to apply A twice. Instead of calculating A(f(x), r_1), …, A(f(x), r_m), we guess x ⊙ r_1, …, x ⊙ r_m. Because we are guessing the values of these expressions, we do not need to know x.

◮ Choose random distinct seeds s_1, …, s_k ∈_R {0, 1}^n.
◮ The strings $\{\bigoplus_{s \in R} s\}_{R \subseteq \{s_1,\ldots,s_k\}}$ are random and pairwise independent.
◮ The bits $\{x \odot \bigoplus_{s \in R} s\}_{R \subseteq \{s_1,\ldots,s_k\}}$ are completely determined by x ⊙ s_1, …, x ⊙ s_k.

We can afford exhaustive guessing if k = log m.

SLIDE 59

Algorithm C: The input is y = f(x).

1. Input y ∈ {0, 1}^n. Think of y as f(x) for some x.
2. m := 10n^{2c+1};
3. k := log(m);
4. Generate s_1, …, s_k ∈_R {0, 1}^n;
5. Let R_1, …, R_m be subsets of {s_1, …, s_k} in a canonical way;
6. For each guess w ∈ {0, 1}^k do
   6.1 for each i ∈ [n] do
      6.1.1 x ⊙ s_1 := w_1, …, x ⊙ s_k := w_k;
            $z_1 := \bigoplus_{t \in R_1} x \odot s_t,\ \ldots,\ z_m := \bigoplus_{t \in R_m} x \odot s_t$;
            $z'_1 := A\bigl(y, (\bigoplus R_1) \oplus e_i\bigr),\ \ldots,\ z'_m := A\bigl(y, (\bigoplus R_m) \oplus e_i\bigr)$;
      6.1.2 guess that x_i is the majority value of {z_j ⊕ z′_j}_{j∈[m]}.
   6.2 x := x_1 … x_n;
   6.3 if f(x) = y, output x and halt.

SLIDE 60

Analysis of C:

1. Let the indicator random variable Z_j be defined by
$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(y, r_j \oplus e_i) = x \odot (r_j \oplus e_i), \\ 0, & \text{otherwise.} \end{cases}$$
2. Z_1, …, Z_m are pairwise independent and E[Z_j] ≥ 1/2 + 1/n^c.
3. Hence E[Z] ≥ m/2 + m/n^c, where Z = Z_1 + … + Z_m.
4. Using $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$, we derive
$$\Pr\bigl[|Z - E[Z]| \ge m/n^{c}\bigr] \le \Pr\Bigl[|Z - E[Z]| \ge \tfrac{\sqrt{m}}{n^{c}}\sqrt{\mathrm{Var}(Z)}\Bigr] \le \frac{n^{2c}}{m} = \frac{n^{2c}}{10n^{2c+1}} = \frac{1}{10n}.$$
5. Now Pr[Z ≤ m/2] ≤ 1/10n follows from 3 and 4.

SLIDE 61

Theorem. Let f be a one-way permutation. The function mapping x, r ∈ {0, 1}^n onto
$$r,\ f^{n^c}(x) \odot r,\ f^{n^c - 1}(x) \odot r,\ \ldots,\ f^{1}(x) \odot r$$
is a pseudorandom generator of stretch n + n^c for every c ∈ ℕ.

Let A be a P-time PTM such that for x, r ∈_R {0, 1}^n and i ∈_R [n^c],
$$\Pr\bigl[A(r, f^{n^c}(x) \odot r, f^{n^c - 1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^{d}}$$
for some d ∈ ℕ and infinitely many n.

(continued on the next slide)

SLIDE 62

B(y, r), where y, r ∈ {0, 1}^n, is designed as follows:

1. Generate i ∈_R [n^c];
2. Output A(r, f^{n^c − i}(y) ⊙ r, …, f^1(y) ⊙ r, y ⊙ r).

The probability that B(f(x), r) outputs x ⊙ r is the same as
$$\Pr\bigl[A(r, f^{n^c}(x) \odot r, f^{n^c - 1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r\bigr].$$
Hence
$$\Pr_{x, r \in_R \{0,1\}^n}\bigl[B(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^{d}},$$
contradicting the Goldreich-Levin Theorem. Since f is a permutation, r, f^{n^c − i}(x) ⊙ r, …, f^1(x) ⊙ r, x ⊙ r has the same distribution as r, f^{n^c}(x) ⊙ r, …, f^{i+1}(x) ⊙ r, f^i(x) ⊙ r.

SLIDE 63

One-way function ⇔ pseudorandom generator ⇔ unpredictability

SLIDE 64

Application: Tossing Coin Over Phone

Suppose A and B want to toss a coin over the phone. We can apply the following protocol.

1. A chooses x, r ∈_R {0, 1}^n and sends (f_n(x), r) to B, where f_n is a one-way permutation known to both parties.
2. B chooses b ∈_R {0, 1} and sends it to A.
3. A sends x to B.
4. A and B agree to use b ⊕ (x ⊙ r).

A cannot manipulate the result because it cannot change x. B cannot manipulate the result because it did not know x. A can make sure that the result is random as long as x is. B can make sure that the result is random as long as b is.
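The four messages of this protocol with both parties implemented, as an added example that is not part of the original slides. The deck assumes an abstract one-way permutation f_n; the code below substitutes SHA-256 as a stand-in commitment (it is not a permutation, an assumption stated in the code), and the hard-core bit x ⊙ r is the inner product of Slide 52. The class and function names are mine. The check in Bob.result is the step that enforces "A cannot change x": an opening that does not match the commitment is rejected.

```python
import hashlib
import random

N = 128   # bit length of x and r

def f(x):
    # ASSUMPTION: SHA-256 stands in for the one-way permutation f_n of the slide. SHA-256 is
    # not a permutation, but for this demonstration it serves the same role: the commitment
    # f(x) hides x, and Alice cannot later open it to a different x.
    return hashlib.sha256(x.to_bytes(N // 8, "big")).digest()

def inner(x, r):
    # Hard-core bit x ⊙ r = Σ x_i r_i mod 2 on int-packed bit vectors.
    return bin(x & r).count("1") & 1

class Alice:
    def __init__(self, rng):
        self.x = rng.getrandbits(N)
        self.r = rng.getrandbits(N)
    def step1(self):
        return f(self.x), self.r          # message 1: (f_n(x), r); x itself stays secret for now
    def step3(self):
        return self.x                     # message 3: open the commitment
    def result(self, b):
        return b ^ inner(self.x, self.r)

class Bob:
    def __init__(self, rng):
        self.rng = rng
    def step2(self, commitment, r):
        self.commitment, self.r = commitment, r
        self.b = self.rng.getrandbits(1)  # message 2: chosen only after Alice is committed to x
        return self.b
    def result(self, x):
        if f(x) != self.commitment:
            raise ValueError("opening does not match the commitment: Alice changed x")
        return self.b ^ inner(x, self.r)

def toss(rng, alice_cheats=False):
    # Runs the protocol and returns (Alice's coin, Bob's coin).
    alice, bob = Alice(rng), Bob(rng)
    commitment, r = alice.step1()        # A -> B
    b = bob.step2(commitment, r)         # B -> A
    x = alice.step3()                    # A -> B
    if alice_cheats:
        x ^= 1                           # Alice tries to flip the outcome after seeing b
    return alice.result(b), bob.result(x)

def cheat_detected(rng):
    # True iff Bob's commitment check catches an Alice who changes x after seeing b.
    try:
        toss(rng, alice_cheats=True)
    except ValueError:
        return True
    return False
```

Bob's only decision, b, is made after he holds the commitment, and Alice's only decision, x, is fixed before she learns b; the coin b ⊕ (x ⊙ r) is therefore random as long as either party is honest, which is the argument on the slide.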

SLIDE 65

Zero Knowledge Proof


SLIDE 66

In an interactive proof for an NP problem, say GI, a certificate usually reveals more than the mere fact that a statement is true.


SLIDE 67

It turns out that it is possible to design an interactive proof system such that a verifier does not learn anything from the interaction apart from the fact that a statement is true.

◮ In the following definition, Perfect Zero Knowledge requires that no matter what a verifier learns after participating in a proof for a statement x, it could have derived the same thing by itself without participating in any interaction.

1. S. Goldwasser, S. Micali and C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. STOC, 186-208, 1985.

SLIDE 68

Zero Knowledge Proof of NP Language

Suppose L ∈ NP and M is a P-time TM such that x ∈ L if and only if ∃u ∈ {0, 1}p(|x|).M(x, u) = 1 for some polynomial p.


SLIDE 69

Zero Knowledge Proof of NP Language

A pair P, V of interactive P-time PTM’s is called a zero knowledge proof for L if they enjoy the following properties.

◮ Completeness. If M(x, u) = 1, then Pr[out_V(P(x, u), V(x))] ≥ 2/3.
◮ Soundness. If x ∉ L, then Pr[out_V(P∗(x, u), V(x))] ≤ 1/3 for all P∗ and u.
◮ Perfect Zero Knowledge. For every P-time interactive PTM V∗ there is an expected P-time PTM S∗, called a simulator, such that for every x ∈ L and every certificate u for x ∈ L, the following holds:
$$\mathrm{out}_{V^*}(P(x, u), V^*(x)) \equiv S^*(x),$$
meaning that the two random variables are identical even though S∗ does not have any access to u.

SLIDE 70

The idea of simulation to demonstrate security is central to many aspects of cryptography.


SLIDE 71

Zero Knowledge Proof for Graph Isomorphism

Public Input: G_0, G_1 with n vertices.
P knows: a permutation π ∈ [n] → [n] such that G_1 = π(G_0).

1. P sends H = π′(G_1) with a random permutation π′ ∈_R [n] → [n].
2. V sends a random bit b ∈_R {0, 1}.
3. P sends π′′ = π′ if b = 1, and π′′ = π′π if b = 0.
4. V checks if H = π′′(G_b).

If G_0 ≃ G_1, V accepts with probability one. If G_0 ≄ G_1, V rejects with probability 1/2.

SLIDE 72

Zero Knowledge Proof for Graph Isomorphism

Let V∗ be some verifier’s strategy.

◮ If G_0 ≃ G_1, then P’s first message has the same distribution as the message sent by the following simulator S∗:
  ◮ Generate b′ ∈_R {0, 1} and π′ ∈_R [n] → [n];
  ◮ Send H = π′(G_{b′}) to V∗;
  ◮ Get some b from V∗;
  ◮ If b = b′ then send π′ to V∗ and output whatever V∗ outputs, otherwise restart S∗.
◮ The key point is that H reveals nothing about b′ if G_0 ≃ G_1.

If V∗ runs in P-time, then S∗ runs in expected P-time.
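The protocol of Slide 71 and the simulator of this slide in Python, as an added example that is not part of the original slides. Graphs are constructed here as sets of edges on five vertices and permutations as tuples; HonestProver, CheatingProver, verifier_accepts, run_round and simulate are my names. The cheating prover, which knows no isomorphism and must guess the challenge bit, makes the soundness claim concrete: for whichever bit it guesses, exactly one of the two verifier challenges exposes it. The simulator accepts any verifier strategy as a callable from H to b, including one whose b depends on H.

```python
import random

def apply_perm(perm, graph):
    # Relabel every edge {u, v} of graph as {perm[u], perm[v]}.
    # A graph is a frozenset of 2-element frozensets; perm is a tuple with perm[v] = π(v).
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def compose(outer, inner):
    # (outer ∘ inner)(v) = outer[inner[v]]: apply inner first, then outer.
    return tuple(outer[inner[v]] for v in range(len(inner)))

def random_perm(n, rng):
    p = list(range(n))
    rng.shuffle(p)
    return tuple(p)

class HonestProver:
    # Knows π with G1 = π(G0).
    def __init__(self, G0, G1, pi):
        self.G0, self.G1, self.pi, self.n = G0, G1, pi, len(pi)
    def commit(self, rng):
        self.pp = random_perm(self.n, rng)          # π'
        return apply_perm(self.pp, self.G1)          # H = π'(G1)
    def respond(self, b):
        return self.pp if b == 1 else compose(self.pp, self.pi)   # π' if b = 1, π'π if b = 0

class CheatingProver:
    # Knows no isomorphism; guesses the challenge bit in advance.
    def __init__(self, G0, G1, n, guess):
        self.graphs, self.n, self.guess = (G0, G1), n, guess
    def commit(self, rng):
        self.pp = random_perm(self.n, rng)
        return apply_perm(self.pp, self.graphs[self.guess])   # H = π'(G_guess)
    def respond(self, b):
        return self.pp                                         # only valid when b == guess

def verifier_accepts(G0, G1, H, b, perm):
    return apply_perm(perm, (G0, G1)[b]) == H                  # the check H = π''(G_b)

def run_round(G0, G1, prover, rng, b=None):
    H = prover.commit(rng)
    if b is None:
        b = rng.getrandbits(1)
    return verifier_accepts(G0, G1, H, b, prover.respond(b))

def simulate(G0, G1, n, verifier_strategy, rng):
    # S*: guess b', send H = π'(G_{b'}), obtain b from V*; on a match output the transcript,
    # otherwise restart. Needs no isomorphism, yet yields exactly the honest transcript distribution.
    while True:
        b_guess = rng.getrandbits(1)
        pp = random_perm(n, rng)
        H = apply_perm(pp, (G0, G1)[b_guess])
        b = verifier_strategy(H)
        if b == b_guess:
            return H, b, pp

# Constructed sample instance: a 5-cycle and its relabelling under π = (2, 0, 3, 1, 4).
C5 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)])
PI = (2, 0, 3, 1, 4)
C5_ISO = apply_perm(PI, C5)
# A 5-vertex graph containing a triangle: not isomorphic to C5 (every C5 vertex has degree 2).
NOT_ISO = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (0, 2)])
```

Running many rounds against the honest prover never rejects, while the cheating prover is caught whenever the challenge differs from its guess; repeating the round k times drives a cheater's success down to 2^{-k}. The simulator terminates after an expected two attempts for any verifier strategy, because when G_0 ≃ G_1 the message H is distributed identically for b′ = 0 and b′ = 1, so V∗'s bit cannot correlate with the guess.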

SLIDE 73

Secure Multiparty Computation

Ten people working in a firm want to calculate their average salaries without revealing the salary of any of them.

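The slide only poses the problem; the following Python is an added example, not from the slides, of the standard additive secret-sharing solution to it. Every employee splits their salary into one random share per colleague modulo a large prime, and each colleague publishes only the sum of the shares they received; the published sums add up to the total. Private pairwise channels are assumed, the prime P is a constructed choice, and the names share and secure_average are mine.

```python
import random

P = 2**61 - 1   # prime modulus, large enough to hold any sum of salaries (constructed choice)

def share(secret, parties, rng):
    # Split `secret` into `parties` additive shares mod P. Any parties-1 of them are uniformly
    # random and independent of the secret; only the full set determines it.
    shares = [rng.randrange(P) for _ in range(parties - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares

def secure_average(salaries, rng):
    # Employee i sends share j of their salary to employee j (ASSUMPTION: over private channels).
    # Employee j publishes only the sum of the shares they received. Summing the published
    # values gives the total, hence the average, and no individual salary is ever disclosed.
    n = len(salaries)
    sent = [share(s, n, rng) for s in salaries]       # sent[i][j]: i's share addressed to j
    published = [sum(sent[i][j] for i in range(n)) % P for j in range(n)]
    total = sum(published) % P
    return total / n, published

def received_shares_reveal(sent, j):
    # What employee j alone sees: one share from each colleague, each uniform mod P.
    # Returning them makes explicit that none equals a colleague's salary.
    return [sent[i][j] for i in range(len(sent))]
```

The scheme tolerates any coalition of fewer than all the other nine employees: to learn one salary, every one of its shares must be pooled, and a single honest holder suffices to keep it hidden. Correctness only needs the total to stay below P so that the modular sum equals the integer sum.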

SLIDE 74

Remark


SLIDE 75

Cryptography on a weaker assumption (say P ≠ NP)?

SLIDE 76

Modern cryptography is founded on something not provable.
