Foundations of Cryptography

Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function

Lecturer: Moni Naor

Weizmann Institute of Science

Recap

• Key Idea of Cryptography: use the intractability of some problems to create secure system.

• The Identification Problem• Shannon and Min Entropies• One-way functions• Solution to the identification problem with multiple

verifiers• Cryptographic Reductions: using one adversary to

create another

Rigorous Specification of Security

To define security of a system must specify:1. What constitute a failure of the system 2. The power of the adversary

– computational – access to the system– what it means to break the system.

Why is this more relevant in cryptography than other realms?

Function and inversions

• We say that a function f is hard to invert if given y=f(x) it is hard to find x’ such that y=f(x’) – x’ need not be equal to x– We will use f-1(y) to denote the set of preimages of y

• To discuss hard must specify a computational model

• Use two flavors:– Concrete– Asymptotic

Computational Models• Asymptotic: Turing Machines with random tape

– For classical models: precise model does not matter up to polynomial factor

Random tape

0 0 01 1 1 1

Input tape

Both algorithm for evaluating f and the adversary are modeled by PTM

One-way functions - asymptoticA function f: {0,1}* → {0,1}* is called a one-way function, if• f is a polynomial-time computable function

– Also polynomial relationship between input and output length• for every probabilistic polynomial-time algorithm A, every positive

polynomial p(.), and all sufficiently large n’s

Prob[ A(f(x)) f-1(f(x)) ] ≤ 1/p(n) Where x is chosen uniformly in {0,1}n and the probability is also over

the internal coin flips of A

Computational Models• Concrete : Boolean circuits (example)

– precise model makes a difference– Time = circuit size

Output

Input

One-way functions – concrete version

A function f:{0,1}n → {0,1}n is called a (t,ε) one-way function, if

• f is a polynomial-time computable function (independent of t)• for every t-time algorithm A,

Prob[A(f(x)) f-1(f(x)) ] ≤ εWhere x is chosen uniformly in {0,1}n and the probability is also

over the internal coin flips of A

Can either think of t and ε as being fixed or as t(n), ε(n)

Boolean circuit

The two guards problem• If Alice wants to approve and Eve does not

interfere – Bob moves to state YY• If Alice does not approve, then for any behavior

from Eve and Charlie, Bob stays in N N • Similarly if Bob and Charlie are switched

Alice

Bob

Eve

Charlie

Are one-way functions essential to the two guards password problem?

• Precise definition: – for every probabilistic polynomial-time algorithm A controlling Eve

and Charlie– every polynomial p(.),– and all sufficiently large n’s

Prob[Bob moves to YY | Alice does not approve] ≤ 1/p(n)• Recall observation: what Bob and Charlie received in the

setup phase might as well be public• Claim: can get rid of interaction:

– given an interactive identification protocol possible to construct a noninteractive one. In the new protocol:

• Alice` sends Bob` the random bits Alice used to generate the setup information• Bob` simulates the conversation between Alice and Bob in original protocol and

accepts only if simulated Bob accepts.• Probability of cheating is the same

One-way functions are essential to the two guards password problem

• Are we done? Given a noninteracive identification protocol want to define a one-way function

• Define f(r): the setup phase mapping between the random bits r of Alice and the information y given to Bob and Charlie

• Problem: the function f(r) is not necessarily one-way…– Can be unlikely ways to generate it. Can be exploited to invert.– Example: Alice chooses x, x’ {0,1}n if x’= 0n set y=x o.w.

set y=f(x) – The protocol is still secure, but with probability 1/2n not complete– The resulting function f(x,x’) is easy to invert:

• given y {0,1}n set inverse as (y, 0n )

One-way functions are essential to the two guards password problem…

• However: possible to estimate the probability that Bob accepts on a given string from Alice– Should be close to 1 for most r

• Second attempt: define function f(r) as – the mapping that Alice does in the setup phase between her random

bits r and the information given to Bob and Charlie,– plus a bit indicating whether probability of Bob accepts given r is

greater than 2/3

Theorem: the two guards password problem has a solution if

and only if one-way functions exist

Arbitrary…

Examples of One-way functions

Examples of hard problems:

• Subset sum• Discrete log• Factoring (numbers, polynomials) into prime

components

How do we get a one-way function out of them?

Easy problem

Subset Sum• Subset sum problem: given

– n numbers 0 ≤ a1, a2 ,…, an ≤ 2m

– Target sum T – Find subset S⊆ {1,...,n} ∑ i S ai,=T

• (n,m)-subset sum assumption: for uniformly chosen – a1, a2 ,…, an R{0,…2m -1} and S⊆ {1,...,n}– For any probabilistic polynomial time algorithm, the probability of finding

S’⊆{1,...,n} such that ∑ i S ai= ∑ i S’ ai

is negligible, where the probability is over the random choice of the ai‘s, S and the inner coin flips of the algorithm

– Not true for very small or very large m. most difficult case m=n

• Subset sum one-way function f:{0,1}mn+n → {0,1}mn+m f(a1, a2 ,…, an , b1, b2 ,…, bn ) =

(a1, a2 ,…, an , ∑ i=1n

bi ai mod 2m )

Exercise

• Show a function f such that– if f is polynomial time invertible on all inputs, then

P=NP– f is not one-way

Discrete Log Problem

• Let G be a group and g an element in G.• Let y=gz and x the minimal non negative integer satisfying the equation.

x is called the discrete log of y to base g.• Example: y=gx mod p in the multiplicative group of Zp

• In general: easy to exponentiate via repeated squaring – Consider binary representation

• What about discrete log?– If difficult, f(g,x) = (g, gx ) is a one-way function

Why is it polynomial time computable?

Integer Factoring• Consider f(x,y) = x • y• Easy to compute• Is it one-way?

– No: if f(x,y) is even, can set inverse as (f(x,y)/2,2) • If factoring a number into prime factors is hard:

– Specifically given N= P • Q , the product of two random large (n-bit) primes, it is hard to factor

– Then somewhat hard – there are a non-negligible fraction of such numbers ~ 1/n2 from the density of primes

– Hence a weak one-way function• Alternatively:

– let g(r) be a function mapping random bits into random primes. – The function f(r1,r2) = g(r1) • g(r2) is one-way

Weak One-way function

A function f: {0,1}n → {0,1}n is called a weak one-way function, if

• f is a polynomial-time computable function • There exists a polynomial p(¢), for every probabilistic

polynomial-time algorithm A, and all sufficiently large n’s

Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n) Where x is chosen uniformly in {0,1}n and the probability

is also over the internal coin flips of A

Exercise: weak exist if strong exists

Show that if strong one-way functions exist, then there exists a a function which is a weak one-way function but not a strong one

What about the other direction?• Given

– a function f that is guaranteed to be a weak one-way• Let p(n) be such that Prob[A[f(x)] f-1(f(x)) ] ≤ 1-1/p(n)

– can we construct a function g that is (strong) one-way?An instance of a hardness amplification problem• Simple idea: repetition. For some polynomial q(n) define

g(x1, x2 ,…, xq(n) )=f(x1), f(x2), …, f(xq(n))

• To invert g need to succeed in inverting f in all q(n) places– If q(n) = p2(n) seems unlikely (1-1/p(n))p2(n) ≈ e-p(n) – But how to we show? Sequential repetition intuition – not a proof.

Want: Inverting g with low probability implies inverting f with high probability

• Given a machine B that inverts g want a machine B’ – operating in similar time bounds– inverts f with high probability

• Idea: given y=f(x) plug it in some place in g and generate the rest of the locations at random

z=(y, f(x2), …, f(xq(n)))• Ask machine B to invert g at point z• Probability of success should be at least (exactly) B’s Probability of

inverting g at a random point • Once is not enough• How to amplify?

– Repeat while keeping y fixed– Put y at random position (or sort the inputs to g )

Proof of Amplification for Repetition of TwoConcentrate on a two-repetition: g(x1, x2 )=f(x1), f(x2)• Goal: show that the probability of inverting g is roughly squared the

probability of inverting f just as would be sequentially

• Claim: Let (n) be a function that for some p(n) satisfies

1/p(n) ≤ (n) ≤ 1-1/p(n) Let ε(n) be any inverse polynomial function suppose that for every polynomial time A and sufficiently large n

Prob[A[f(x)] f-1(f(x)) ] ≤ (n)

Then for every polynomial time B and sufficiently large n

Prob[B[g(x1, x2 )] g-1(g(x1, x2 )) ] ≤ 2(n) + ε(n)

Proof of Amplification for Two Repetition

Given a better than 2+ε algorithm B for inverting g construct the following:

• B’(y): Inversion algorithm for f– Repeat t times

• Choose x’ at random and compute y’=f(x’)• Run B(y,y’).• Check the results• If correct: Halt with success

– Output failure

Inner loop

Helpful for constructive algorithm

Probability of Success

• Define S={y=f(x) | Prob[Inner loop successful| y ] >

β}• Since the choices of the x’ are independent

Prob[B’ succeeds| yS] > 1-(1- β)t

Taking t= n/β means that when yS almost surely B’ will invert it

• Hence want to show that Prob[ yS] > (n)– Probability is over the choice of x

The success of B• Fix the random bits of B. Define P={(y1, y2)| B succeeds on (y1,y2)}

y1

y2

P

P= P ⋂ {(y1,y2 )| y1,y2 S}

⋃ P ⋂ {(y1,y2 )| y1 S}

⋃ P ⋂ {(y1,y2 )| y2 S} Well behaved part

Want to bound P by a square

S is the only success...But

Prob[B[y1, y2] g-1(y1, y2) | y1 S] ≤ β and similarly

Prob[B[y1, y2] g-1(y1, y2) | y2 S] ≤ βso Prob[(y1, y2) P and y1,y2 S]

≥ Prob[(y1, y2) P ] - 2β

≥ 2+ ε - 2β Setting β =ε/3 we have

Prob[(y1, y2) P and y1,y2 S] ≥ 2 + ε/3

ContradictionBut Prob[(y1, y2) P and y1,y2 S]

≤ Prob[y1 S] Prob[y2 S]

= Prob2[y S]

SoProb[y S] ≥ √(α2+ ε/3) > α

Is there an ultimate one-way function?aka `universal’

Short of showing that P≠NP implies the existence of one-way functions, can we show a specific function f so that if some one-way exists,

then f is one-way • If f1:{0,1}* → {0,1}* and f2:{0,1}* → {0,1}*

are guaranteed to:– Be polynomial time computable– At least one of them is one-way.

then can construct a function g:{0,1}* → {0,1}* which is one-way:

g(x1, x2 ) = (f1(x1),f2 (x2 ))

Robust Combiner Can generalizes to a 1-out-m combiner

The Construction• If a 5n2 time one-way function is guaranteed to exist, can

construct an O(n2 log n) one-way function g:– Idea: enumerate Turing Machine and make sure they run 5n2

steps

g(x1, x2 ,…, xlog (n) )=M1(x1), M2(x2), …, Mlog n(xlog

(n))– Eventually get to the TM of the one-way function

• If a one-way function is guaranteed to exist, then there exists a 5n2 time one-way:– Idea: concentrate on the prefix, ignore the rest

n’ where n=p(n’)

Ultimate one-way function conclusionsOriginal proof due to L. Levin

• Be careful what you wish for• Problem with resulting one-way function:

– Cannot learn about behavior on large inputs from small inputs– Whole rational of considering asymptotic results is eroded!

• Construction does not work for non-uniform one-way functions

• Notion of robust combiner seems fundamental– See “Robust Combiners for Oblivious Transfer and Other

Primitives” by Harnik, Kilian, Naor, Reingold and Rosen, Eurocrypt 2005

Distributionally One-Way Functions• A function f:{0,1}* {0,1}* is one-way if:

– it is computable in poly-time– the probability of successfully finding an inverse in poly-time is

negligible (on a random input)

• A function f :{0,1}* {0,1}* is distributionally one-way if:– it is computable in poly-time– No poly-time algorithm can successfully find a random inverse (on a

random input)• Distribution on inverting algorithm far from uniform on the pre-images

Theorem [Impagliazzo Luby 89]: distributionally one-way functions exist iff one-way functions exists

Example: function from two guard problem