MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 3 - PowerPoint PPT Presentation
Roadmap of the Course: Worlds in Crypto
[Figure: Minicrypt (Lectures 2-6, 11-12): OWF, PRG, PRF, PRP, secret-key encryption, hashing, digital signatures, bit commitment, zero-knowledge proofs. Cryptomania (Lectures 7-10, …): public-key encryption.]
Today
- 1. Define one-way functions (OWF).
- 2. Define Hardcore bits (HCB).
- 4. Goldreich-Levin Theorem: every OWF has a HCB.
- 3. Show that one-way functions* + HCB ⇒ PRG
One-way Functions (Informally)
[Figure: $F$ maps a domain to a range; easy to compute, hard to invert.]
One-way Functions (Take 1)
A function (family) $\{F_n\}_{n \in \mathbb{N}}$ where $F_n: \{0,1\}^n \to \{0,1\}^{m(n)}$ is one-way if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t.
$\Pr[x \leftarrow \{0,1\}^n;\ y = F_n(x) : A(1^n, y) = x] \le \mu(n)$
Consider $F_n(x) = 0$ for all $x$. This is one-way according to the above definition. In fact, it is impossible to find the inverse even if $A$ has unbounded time. Conclusion: not a useful/meaningful definition.
The Right Definition: Impossible to find an inverse in p.p.t.
One-way Functions: The Definition
A function (family) $\{F_n\}_{n \in \mathbb{N}}$ where $F_n: \{0,1\}^n \to \{0,1\}^{m(n)}$ is one-way if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t.
$\Pr[x \leftarrow \{0,1\}^n;\ y = F_n(x);\ A(1^n, y) = x' : y = F_n(x')] \le \mu(n)$
One-way Permutations: One-to-one one-way functions with $m(n) = n$.
- Can always find an inverse with unbounded time
- … but it should be hard with probabilistic polynomial time
One-way Functions: Candidates
Subset sum: $F(a_1, \ldots, a_n, x_1, \ldots, x_n) = (a_1, \ldots, a_n, \sum_{i=1}^{n} x_i a_i \bmod 2^{n+1})$, where the $a_i$ are random $n$-bit numbers and the $x_i$ are random bits.
One-way function candidates are abundant in nature. We will see many other candidates from number theory, coding theory and combinatorics later in class.
Hardcore Bits
If $F$ is a one-way function, we know it's hard to compute a pre-image of $F(x)$ for a randomly chosen $x$. How about computing partial information about an inverse? Exercise: There are one-way functions for which it is easy to compute the first half of the bits of the inverse.
Nevertheless, there has to be a hardcore set of hard-to-invert inputs. Concretely: Does there necessarily exist some bit of $x$ that is hard to compute?
- Any bit can be guessed correctly w.p. 1/2
- So, "hard to compute" → "hard to guess with probability non-negligibly better than 1/2"
Concretely: Does there exist some bit of $x$ that is hard to guess with probability non-negligibly better than 1/2?
Hardcore Bits
HARDCORE BIT (Take 1) For any function (family) $F: \{0,1\}^n \to \{0,1\}^m$, a bit $i = i(n)$ is hardcore if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t.
$\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = x_i] \le \frac{1}{2} + \mu(n)$
Does every one-way function have a hardcore bit?
(Hard) Exercise: There are functions that are one-way, yet every bit is somewhat easy to predict (say, with probability $\frac{1}{2} + 1/n$).
So, we will generalize the notion of a hardcore "bit".
Hardcore Bits
HARDCORE PREDICATE (Definition) For any function (family) $F: \{0,1\}^n \to \{0,1\}^m$, a function $B: \{0,1\}^n \to \{0,1\}$ is a hardcore predicate if for every p.p.t. adversary $A$, there is a negligible function $\mu$ s.t.
$\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = B(x)] \le \frac{1}{2} + \mu(n)$
For us, henceforth, a hardcore bit will mean a hardcore predicate.
Hardcore Predicate (in pictures)
[Figure: from $x$, both $F(x)$ and $B(x)$ are easy to compute; computing $B(x)$ from $F(x)$ is hard.]
Discussion on the Definition
HARDCORE PREDICATE (HCP), as defined above: $\Pr[x \leftarrow \{0,1\}^n;\ y = F(x) : A(y) = B(x)] \le \frac{1}{2} + \mu(n)$ for every p.p.t. $A$.
- 1. The definition of HCP makes sense for any function family, not just one-way functions.
- 2. Some functions can have information-theoretically hard-to-guess predicates (e.g., compressing functions).
- 3. We'll be interested in settings where $x$ is uniquely determined given $F(x)$, yet $B(x)$ is hard to predict given $F(x)$.
OWP ⇒ PRG
Let $F$ be a one-way permutation, and $B$ an associated hardcore predicate for $F$.
CONSTRUCTION: define $G(x) = F(x)\,|\,B(x)$.
Theorem: $G$ is a PRG assuming $F$ is a one-way permutation. (Note that $G$ stretches by one bit. Shafi will tell you how to extend the stretch of $G$ to any poly number of bits.)
Proof (next slide): From Distinguishing to Predicting.
OWP ⇒ PRG
Theorem: $G$ is a PRG assuming $F$ is a one-way permutation and $B$ is its hardcore predicate.
Proof: Assume for contradiction that $G$ is not a PRG. Therefore, there is a p.p.t. distinguisher $D$ and a polynomial function $p$ such that
$\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$
Think: $D$ outputs "1" = $D$ thinks its input is pseudorandom.
We will construct a hardcore predictor $A$ and show:
$\Pr[x \leftarrow \{0,1\}^n : A(F(x)) = B(x)] \ge \frac{1}{2} + 1/p'(n)$
OWP ⇒ PRG
Let's look closely at $D$.
$\Pr[x \leftarrow \{0,1\}^n;\ y = G(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$
By definition of $G$:
$\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[y \leftarrow \{0,1\}^{n+1} : D(y) = 1] \ge 1/p(n)$
A syntactic change (sample the $n+1$ uniform bits in two parts):
$\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[y_0 \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = y_0|y_1 : D(y) = 1] \ge 1/p(n)$
Rewriting the second term (since $F$ is a permutation, $F(x)$ for uniform $x$ is itself uniform over $\{0,1\}^n$):
$\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[x \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = F(x)|y_1 : D(y) = 1] \ge 1/p(n)$
Rewriting the second term (again): conditioning on the value of $y_1$, and noting that $\{F(x)|0, F(x)|1\} = \{F(x)|B(x), F(x)|\overline{B(x)}\}$,
$\Pr[x \leftarrow \{0,1\}^n,\ y_1 \leftarrow \{0,1\},\ y = F(x)|y_1 : D(y) = 1] = \frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|0 : D(y) = 1] + \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|1 : D(y) = 1]\big)$
$= \frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|B(x) : D(y) = 1] + \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|\overline{B(x)} : D(y) = 1]\big)$
Putting things together:
$\frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n;\ y = F(x)|B(x) : D(y) = 1] - \Pr[x \leftarrow \{0,1\}^n,\ y = F(x)|\overline{B(x)} : D(y) = 1]\big) \ge 1/p(n)$,
i.e. $\Pr[x \leftarrow \{0,1\}^n : D(F(x)|B(x)) = 1] - \Pr[x \leftarrow \{0,1\}^n : D(F(x)|\overline{B(x)}) = 1] \ge 2/p(n)$   (∗)
In English: $D$ says "1" more often when fed with the "right bit" than with the "wrong bit".
Now, let's use $D$ to predict the right bit.
OWP ⇒ PRG
The Predictor $A$ works as follows: Get as input $y = F(x)$. Pick a random bit $b$ and feed $D$ with input $y|b$. If $D$ says "1", output $b$ as the prediction for the hardcore bit; if $D$ says "0", output $\bar{b}$.
Analysis of the Predictor A
$\Pr[x \leftarrow \{0,1\}^n : A(F(x)) = B(x)]$
$= \Pr[x \leftarrow \{0,1\}^n : D(F(x)|b) = 1 \mid b = B(x)] \cdot \Pr[b = B(x)] + \Pr[x \leftarrow \{0,1\}^n : D(F(x)|b) = 0 \mid b \ne B(x)] \cdot \Pr[b \ne B(x)]$
$= \frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n : D(F(x)|b) = 1 \mid b = B(x)] + \Pr[x \leftarrow \{0,1\}^n : D(F(x)|b) = 0 \mid b \ne B(x)]\big)$
$= \frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n : D(F(x)|B(x)) = 1] + \Pr[x \leftarrow \{0,1\}^n : D(F(x)|\overline{B(x)}) = 0]\big)$
$= \frac{1}{2}\big(\Pr[x \leftarrow \{0,1\}^n : D(F(x)|B(x)) = 1] + 1 - \Pr[x \leftarrow \{0,1\}^n : D(F(x)|\overline{B(x)}) = 1]\big)$
$= \frac{1}{2}\,(1 + (∗)) \ge \frac{1}{2} + 1/p(n)$
A Hardcore Predicate for all OWF
Let's shoot for a universal hardcore predicate, i.e., a single predicate $B$ where it is hard to guess $B(x)$ given $F(x)$. Is this possible? Turns out the answer is "no". Pick your favorite amazing $B$. I claim that you can construct a one-way function $F$ for which $B$ is not hardcore. I will leave it to you as an exercise. So, what is one to do?
Goldreich-Levin (GL) Theorem
Let $\{B_r: \{0,1\}^n \to \{0,1\}\}_{r \in \{0,1\}^n}$, where $B_r(x) = \langle r, x\rangle = \sum_{i=1}^{n} r_i x_i \bmod 2$, be a collection of predicates (one for each $r$). Then, a random $B_r$ is hardcore for every one-way function $F$. That is, for every one-way function $F$ and every PPT $A$, there is a negligible function $\mu$ s.t.
$\Pr[x \leftarrow \{0,1\}^n;\ r \leftarrow \{0,1\}^n : A(F(x), r) = B_r(x)] \le \frac{1}{2} + \mu(n)$
Alternative Interpretation 1: For every one-way function $F$, there is a related one-way function $F'(x, r) = (F(x), r)$ which has a deterministic hardcore predicate.
Alternative Interpretation 2: For every one-way function $F$, there exists (non-uniformly) a (possibly different) hardcore predicate $\langle r^*, x\rangle$. (Cool open problem: remove the non-uniformity.)
Proof of GL Theorem
Assume for contradiction there is a predictor $P$ with
$\Pr[x \leftarrow \{0,1\}^n;\ r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] \ge \frac{1}{2} + 1/p(n)$
We will need to show an inverter $A$ for $F$ with
$\Pr[x \leftarrow \{0,1\}^n;\ A(F(x)) = x' : F(x') = F(x)] \ge 1/p'(n)$
Let's make our lives easier: assume a perfect predictor $P$:
$\Pr[x \leftarrow \{0,1\}^n;\ r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] = 1$
Proof of GL Theorem
Assume a perfect predictor $P$, i.e. $\Pr[x \leftarrow \{0,1\}^n;\ r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] = 1$.
The inverter $A$ works as follows: On input $y = F(x)$, $A$ runs the predictor $P$ $n$ times, on inputs $(y, e_1), (y, e_2), \ldots, (y, e_n)$, where $e_1 = 100\ldots0$, $e_2 = 010\ldots0$, … are the unit vectors. Since $P$ is perfect, it returns $\langle e_i, x\rangle = x_i$, the $i$-th bit of $x$, on the $i$-th invocation.
Proof of GL Theorem
OK, now let's assume less: assume a pretty good predictor $P$ with
$\Pr[x \leftarrow \{0,1\}^n;\ r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] \ge \frac{3}{4} + 1/p(n)$
First, we need an averaging argument. Claim: For at least a $1/2p(n)$ fraction of the $x$,
$\Pr[r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] \ge \frac{3}{4} + 1/2p(n)$
Call these the good $x$. Proof: Exercise in counting.
Proof of GL Theorem
Pr 𝑠 ← 0,1 !: 𝑄 𝐺 𝑦 , 𝑠 = 𝑠, 𝑦 ≥ 3 4 + 1/2𝑞(𝑜) For at least a 1/2𝑞(𝑜) fraction of the 𝑦, Key Idea: Linearity Pick a random 𝑠 and ask 𝑄 to tells us 𝑠, 𝑦 and 𝑠 + 𝑓*, 𝑦 . Subtract the two answers to get 𝑓*, 𝑦 = 𝑦*. Proof: Pr[we compute 𝑦* correctly] ≥ Pr[P predicts 𝑠, 𝑦 and 𝑠 + 𝑓*, 𝑦 correctly] = 1 − Pr P predicts 𝑠, 𝑦 or 𝑠 + 𝑓*, 𝑦 wrong ≥ 1 − (Pr P predicts 𝑠, 𝑦 wrong + Pr P predicts 𝑠 + 𝑓*, 𝑦 wrong ) ≥ 1 − 2 g
) D − )
- E !
= )
- + 1/𝑞(𝑜)
(by union bound)
Proof of GL Theorem
For at least a $1/2p(n)$ fraction of the $x$, $\Pr[r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] \ge \frac{3}{4} + 1/2p(n)$.
Inverter $A$: On input $y = F(x)$,
- Repeat for each $i \in \{1, 2, \ldots, n\}$:
- Repeat $\log n / p(n)$ times: Pick a random $r$ and ask $P$ to tell us $\langle r, x\rangle$ and $\langle r + e_i, x\rangle$. Subtract the two answers to get a guess for $x_i$.
- Compute the majority of all such guesses and set the bit as $x_i$.
- Output the concatenation of all $x_i$ as $x$.
Analysis: Chernoff + Union Bound.
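The inverter above, run end to end as an added example (not code from the lecture): $F$ is the subset-sum candidate from the earlier slide with fixed random $a_i$, and the "pretty good" predictor $P$ is simulated by a function that is wrong on a fixed random 10% of the $r$'s (so it beats the 3/4 threshold). The simulated $P$ cheats by holding $x$; the inverter only ever sees $F(x)$ and $P$'s answers, and recovers $x$ bit by bit via the linearity trick and a majority vote. Parameters $N$, $TRIALS$ and the 10% error rate are constructed for this example.

```python
import random

N = 16        # input length n (toy parameter, constructed for this example)
TRIALS = 64   # majority-vote repetitions per bit (constructed; the slide's count differs)

def inner(r, x):
    """<r, x> mod 2 for bit vectors packed as ints (bit i of the int is coordinate i)."""
    return bin(r & x).count("1") & 1

def subset_sum_owf(a, x):
    """Subset-sum candidate from the slides: F(a_1..a_n, x_1..x_n) = (a_1..a_n, sum x_i a_i mod 2^(n+1))."""
    s = sum(a[i] for i in range(N) if (x >> i) & 1)
    return tuple(a), s % (1 << (N + 1))

def make_noisy_predictor(x, rng, err=0.1):
    """Simulated 'pretty good' predictor P(F(x), r): answers <r, x> correctly except on a
    fixed random err-fraction of the r's, so it succeeds w.p. about 1 - err >= 3/4 over r.
    It cheats by holding x in its closure; the inverter below only sees its answers."""
    bad = {r for r in range(1 << N) if rng.random() < err}
    def P(y, r):
        return inner(r, x) ^ (1 if r in bad else 0)
    return P

def gl_invert(y, P, rng):
    """Inverter A from the slides: for each i, pick random r, query P on r and r xor e_i,
    and XOR (subtract mod 2) the answers; by linearity <r,x> + <r+e_i,x> = <e_i,x> = x_i.
    Each guess is right w.p. >= 1 - 2*err (union bound), so the majority over TRIALS
    independent guesses is right with overwhelming probability (Chernoff)."""
    x = 0
    for i in range(N):
        e_i = 1 << i
        votes = sum(P(y, r) ^ P(y, r ^ e_i)
                    for r in (rng.getrandbits(N) for _ in range(TRIALS)))
        if 2 * votes > TRIALS:   # majority of guesses say x_i = 1
            x |= e_i
    return x

def demo(seed=1):
    """Build an instance, run the inverter, and check F(x') == F(x). Returns (x, x', ok)."""
    rng = random.Random(seed)
    a = [rng.getrandbits(N) for _ in range(N)]   # random n-bit a_i, fixed per instance
    x = rng.getrandbits(N)
    y = subset_sum_owf(a, x)
    P = make_noisy_predictor(x, rng)
    x_rec = gl_invert(y, P, rng)
    return x, x_rec, subset_sum_owf(a, x_rec) == y

if __name__ == "__main__":
    print(demo())
```

In the coding-theoretic view, `gl_invert` is exactly the unique-decoding procedure for the Hadamard codeword $(\langle r, x\rangle)_r$ read through the noisy oracle $P$.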
Real Proof (will not do in class)
Assume (after averaging) that for a $\ge 1/2p(n)$ fraction of the $x$,
$\Pr[r \leftarrow \{0,1\}^n : P(F(x), r) = \langle r, x\rangle] \ge \frac{1}{2} + 1/2p(n)$
Key Idea: Pairwise independence. Reference: Goldreich Book Part 1, Section 2.5.2.
http://www.wisdom.weizmann.ac.il/~oded/PSBookFrag/part2N.ps
The Coding-Theoretic View of GL
$x \mapsto (\langle x, r\rangle)_{r \in \{0,1\}^n}$ can be viewed as a highly redundant, exponentially long encoding of $x$ = the Hadamard code. $P(F(x), r)$ can be thought of as providing access to a noisy codeword. The real proof = list-decoding algorithm for the Hadamard code with error rate $\frac{1}{2} - 1/p(n)$. What we proved = unique-decoding algorithm for the Hadamard code with error rate $\frac{1}{4} - 1/p(n)$.
Recap
- 1. Defined one-way functions (OWF).
- 2. Defined hardcore bits (HCB).
- 3. Goldreich-Levin Theorem: every OWF has a HCB.
- 4. Showed that one-way permutations (OWP) ⇒ PRG