one-way function - Weizmann Institute of Science
advertisement
Foundations of Cryptography
Lecture 2: One-way functions are essential for identification.
Amplification: from weak to strong one-way functions
Lecturer: Moni Naor
Weizmann Institute of Science
Recap
• Key Idea of Cryptography: use the intractability of
some problems to create secure system.
• The Identification Problem
• Shannon and Min Entropies
• One-way functions
• Solution to the identification problem with multiple
verifiers
• Cryptographic Reductions: using one adversary to
create another
Rigorous Specification of Security
To define security of a system must specify:
1. What constitute a failure of the system
2. The power of the adversary
– computational
– access to the system
– what it means to break the system.
Why is this more relevant in cryptography than other realms?
Function and inversions
• We say that a function f is hard to invert if given y=f(x) it
is hard to find x’ such that y=f(x’)
– x’ need not be equal to x
– We will use f-1(y) to denote the set of preimages of y
• To discuss hard must specify a computational model
• Use two flavors:
– Concrete
– Asymptotic
Computational Models
• Asymptotic: Turing Machines with random tape
– For classical models: precise model does not matter up to
polynomial factor
Random tape
1 0
Both algorithm for
evaluating f and the
adversary are
modeled by PTM
1 1 0
1 0
Input tape
One-way functions - asymptotic
A function f: {0,1}* → {0,1}* is called a one-way function, if
• f is a polynomial-time computable function
– Also polynomial relationship between input and output length
• for every probabilistic polynomial-time algorithm A, every positive
polynomial p(.), and all sufficiently large n’s
Prob[ A(f(x)) f-1(f(x)) ] ≤ 1/p(n)
Where x is chosen uniformly in {0,1}n and the probability is also over
the internal coin flips of A
Computational Models
• Concrete : Boolean circuits (example)
– precise model makes a difference
– Time = circuit size
Input
Output
One-way functions – concrete version
A function f:{0,1}n → {0,1}n is called a (t,ε) one-way
function, if
• f is a polynomial-time computable function (independent of t)
• for every t-time algorithm A,
Boolean circuit
Prob[A(f(x)) f-1(f(x)) ] ≤ ε
Where x is chosen uniformly in {0,1}n and the probability is also
over the internal coin flips of A
Can either think of t and ε as being fixed or as t(n), ε(n)
The two guards problem
Perfect completeness
Or
1-ε completeness
Completeness: If Alice wants to `approve’ and Eve
does not interfere – Bob moves to state Y
Soundness: If Alice does not `approve’, then for any
behavior from Eve and Charlie, Bob stays in N
• Similarly if Bob and Charlie are switched
Charlie
Alice
Bob
Eve
Solution to the password problem
• Assume that
– f: {0,1}n → {0,1}n is a (t,ε) one-way function
– Adversary’s run times is bounded by t
Setup phase:
– Alice chooses xR {0,1}n
– computes y=f(x)
– Gives y to Bob and Charlie
Alice
Bob
Approval phase: when Alice wants to approve – she sends x
• If Bob gets any symbols on channel – call them z; compute
f(z) and compares to y
– If equal moves to state Y
– If not equal moves permanently to state N
Are one-way functions essential to the two
guards password problem?
Suppose that we have a solution to the two guards problem
Alice, Bob and Charlie can be implemented by polynomial time
machines
– for every probabilistic polynomial-time algorithm A controlling Eve
and Charlie
– every polynomial p(.),
– and all sufficiently large n’s
Prob[Bob moves to Y | Alice does not approve] ≤ 1/p(n)
Already saw
Theorem: the two guards password problem has a solution if and
only if one-way functions exist
One-way functions are essential to the two
guards password problem
Want to put protocol in canonical form
• Recall observation: what Bob and Charlie received in the
setup phase might as well be public
With Alice and bob
• Claim: can get rid of interaction:
– given an interactive identification protocol possible to construct a
noninteractive one. In the new protocol:
• Alice` sends Bob` the random bits Alice used to generate the
setup information
• Bob` simulates the conversation between Alice and Bob in
original protocol and accepts only if simulated Bob accepts.
Claim: Probability of cheating remains
the same in both protocols
With Alice’ and Bob’
One-way functions are essential to the two
guards password problem
• Given a noninteracive identification protocol want to define
a one-way function:
random bits
Alice
r
setup
y
Charlie
Bob
• Define g(r): the setup phase mapping between the random
bits r of Alice and the information y given to Bob and Charlie
One-way functions are essential to the two
guards password problem
• Define g(r): the setup phase mapping between the random
bits r of Alice and the information y given to Bob and Charlie
• Are we done?
• Yes: if we have perfect completeness
• But, the function g(r) is not necessarily one-way without
perfect completeness…
– Can be unlikely ways to generate it. Can be exploited to invert.
– Example: Alice chooses x, x’{0,1}n. If x’= 0n, set y=x, o.w. set
y=f(x).
– The protocol is still secure, but with probability 1/2n not complete
– The resulting function g(x,x’) is easy to invert:
• given y {0,1}n set inverse as (y, 0n )
One-way functions are essential to the two
guards password problem…
• However: possible to estimate the probability that Bob
accepts on a given string from Alice
– Should be close to 1 for most r
• Second attempt: define function g(r) as
– the mapping that Alice does in the setup phase between her random
bits r and the information given to Bob and Charlie,
– plus a bit indicating whether probability of Bob accepts given r is
greater than 2/3
Arbitrary…
Theorem: the two guards password problem has a solution if
and only if one-way functions exist
Examples of One-way functions
Examples of hard problems:
• Subset sum
• Discrete log
• Factoring (numbers, polynomials) into prime
components
Easy problem
How do we get a one-way function out of them?
Subset Sum
• Subset sum problem: given
– n numbers 0 ≤ a1, a2 ,…, an ≤ 2m
– Target sum T
– Find subset S⊆ {1,...,n} ∑ i S ai,=T
• (n,m)-subset sum assumption: for uniformly chosen
– a1, a2 ,…, an R{0,…2m -1} and S⊆ {1,...,n}
– For any probabilistic polynomial time algorithm, the probability of finding
S’⊆{1,...,n} such that
∑ i S ai= ∑ i S’ ai
is negligible, where the probability is over the random choice of the ai‘s, S and the
inner coin flips of the algorithm
– Not true for very small or very large m. most difficult case m=n
• Subset sum one-way function f:{0,1}mn+n → {0,1}mn+m
f(a1, a2 ,…, an , b1, b2 ,…, bn ) =
(a1, a2 ,…, an , ∑ i=1n bi ai mod 2m )
Exercise
• Show a function f such that
– if f is polynomial time invertible on all inputs, then
P=NP
– f is not one-way
Discrete Log Problem
• Let G be a group and g an element in G.
• Let y=gz and x the minimal non negative
integer satisfying the equation.
x is called the discrete log of y to base g.
• Example: y=gx mod p in the multiplicative group of Zp
• In general: easy to exponentiate via repeated squaring
– Consider binary representation
• What about discrete log?
– If difficult, f(g,x) = (g, gx ) is a one-way function
Weak One-way function
A function f: {0,1}n → {0,1}n is called a weak one-way
function, if
• f is a polynomial-time computable function
• There exists a polynomial p(¢), for every probabilistic
polynomial-time algorithm A, and all sufficiently large n’s
Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n)
Where x is chosen uniformly in {0,1}n and the probability is
also over the internal coin flips of A
Integer Factoring
• Consider f(x,y) = x • y
• Easy to compute
• Is it one-way?
– No: if f(x,y) is even, can set inverse as (f(x,y)/2,2)
• If factoring a number into prime factors is hard:
– Specifically given N= P • Q , the product of two random large (n-bit) primes, it
is hard to factor
– Then somewhat hard – there are a non-negligible fraction of such numbers ~
1/n2 from the density of primes
– Hence a weak one-way function
• Alternatively:
– let g(r) be a function mapping random bits into random primes.
– The function f(r1,r2) = g(r1) • g(r2) is one-way
Why is it polynomial time
computable?
Exercise: weak exist if strong exists
Show that if strong one-way functions exist, then
there exists a function which is a weak one-way
function but not a strong one
What about the other direction?
• Given
– a function f that is guaranteed to be a weak one-way
• Let p(n) be such that Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n)
– can we construct a function g that is (strong) one-way?
An instance of a hardness amplification problem
• Simple idea: repetition. For some polynomial q(n) define
g(x1, x2 ,…, xq(n) )=f(x1), f(x2), …, f(xq(n))
• To invert g need to succeed in inverting f in all q(n) places
– If q(n) = p2(n) seems unlikely (1-1/p(n))p2(n) ≈ e-p(n)
– But how to we show? Sequential repetition intuition – not a proof.
Want: Inverting g with low probability implies
inverting f with high probability
• Given a machine B that inverts g want a machine B’
– operating in similar time bounds
– inverts f with high probability
• Idea: given y=f(x) plug it in some place in g and generate the rest
of the locations at random
z=(y, f(x2), …, f(xq(n)))
• Ask machine B to invert g at point z
• Probability of success should be at least (exactly) B’s Probability of
inverting g at a random point
• Once is not enough
• How to amplify?
– Repeat while keeping y fixed
– Put y at random position (or sort the inputs to g )
Proof of Amplification for Repetition of Two
Concentrate on a two-repetition: g(x1, x2 ) = f(x1), f(x2)
• Goal: show that the probability of inverting g is roughly squared the
probability of inverting f
just as would be sequentially
• Claim:
Let (n) be a function that for some p(n) satisfies
1/p(n) ≤ (n) ≤ 1-1/p(n)
Let ε(n) be any inverse polynomial function
Suppose that for every polynomial time A and sufficiently large n
Prob[A[f(x)] f-1(f(x)) ] ≤ (n)
Then for every polynomial time B and sufficiently large n
Prob[B[g(x1, x2 )] g-1(g(x1, x2 )) ] ≤ 2(n) + ε(n)
Proof of Amplification for Two Repetition
Given a better than 2+ε algorithm B for inverting g
construct the following:
• B’(y): Inversion algorithm for f
– Repeat t times
•
•
•
•
Choose x’ at random and compute y’=f(x’)
Run B(y,y’).
Check the results
Helpful for
constructive
If correct: Halt with success
algorithm
– Output failure
Inner
loop
Probability of Success
•
Define
•
Since the choices of the x’ are independent
Prob[B’ succeeds| yS] > 1-(1- β)t
S={y=f(x) | Prob[Inner loop successful| y ] > β}
Taking t= n/β means that when yS almost surely B’ will
invert it
•
Hence want to show that Prob[yS] > (n)
–
Probability is over the choice of x
The success of B
• Fix the random bits of B.
Define P={(y1, y2)| B succeeds on (y1,y2)}
P= P ⋂ {(y1,y2 )| y1,y2 S}
⋃ P ⋂ {(y1,y2 )| y1 S}
y1
⋃ P ⋂ {(y1,y2 )| y2 S}
Well behaved
part
y2
P
Want to bound P
by a square
S is the only success...
But
Prob[B[y1, y2] g-1(y1, y2) | y1 S] ≤ β
and similarly
Prob[B[y1, y2] g-1(y1, y2) | y2 S] ≤ β
so
Prob[(y1, y2) P and y1,y2 S]
≥ Prob[(y1, y2) P ] - 2β
≥ 2+
ε - 2β
Setting β =ε/3 we have
Prob[(y1, y2) P and y1,y2 S] ≥ 2 +
ε/3
Contradiction
But
Prob[(y1, y2) P and y1,y2 S]
≤ Prob[y1 S] Prob[y2 S]
= Prob2[y S]
So
Prob[y S] ≥ √(α2+ ε/3) > α
Is there an ultimate one-way function?
aka `universal’
Do not know: P≠NP implies the existence of one-way functions,
Can we show a specific function f so that if some one-way exists, then
f is one-way?
• If f1:{0,1}* → {0,1}* and f2:{0,1}* → {0,1}* are
guaranteed to:
– Be polynomial time computable
– At least one of them is one-way.
then can construct a function g:{0,1}* → {0,1}* which is oneway:
g(x1, x2 ) = (f1(x1),f2 (x2 ))
Robust Combiner
Can generalizes to a 1-out-m combiner
The Construction
• If a 5n2 time one-way function is guaranteed to exist, can
construct an O(n2 log n) one-way function g:
– Idea: enumerate Turing Machine and make sure they run 5n2
steps
g(x1, x2 ,…, xlog (n) )=M1(x1), M2(x2), …, Mlog n(xlog (n))
– Eventually get to the TM of the one-way function
• If a one-way function is guaranteed to exist, then there
exists a 5n2 time one-way:
– Idea: concentrate on the prefix, ignore the rest
n’ where n=p(n’)
Ultimate one-way function conclusions
Original proof due to L. Levin
• Be careful what you wish for
• Problem with resulting one-way function:
– Cannot learn about behavior on large inputs from small inputs
– Whole rational of considering asymptotic results is eroded!
• Construction does not work for non-uniform one-way
functions
• Notion of robust combiner seems fundamental
– See “Robust Combiners for Oblivious Transfer and Other
Primitives” by Harnik, Kilian, Naor, Reingold and Rosen,
Eurocrypt 2005
Distributionally One-Way Functions
• A function f:{0,1}* {0,1}* is one-way if:
– it is computable in poly-time
– the probability of successfully finding an inverse in poly-time is
negligible (on a random input)
• A function f :{0,1}* {0,1}* is distributionally one-way if:
– it is computable in poly-time
– No poly-time algorithm can successfully find a random inverse (on a
random input)
• Distribution on inverting algorithm far from uniform on the pre-images
Example: function from two guards problem
Theorem [Impagliazzo Luby 89]: distributionally one-way
functions exist iff one-way functions exists
