B504/I538: Introduction to Cryptography

B504/I538: Introduction to Cryptography, Spring 2017, Lecture 15 (2017-02-28)

Assignment 3 is due! Assignment 4 is out and is due in three weeks (2017-03-21). Please get started early!

Recall: One-way functions (OWFs)
Intuitively, a one-way function (OWF) is a function that is easy to compute but hard to invert.
Inversion game: the challenger (C) and the inverter (A) both receive 1^s. C samples x ∈_R {0,1}^s, computes y := f(x), and sends y to A; A outputs x'. Let E be the event that f(x') = y. Define A's advantage to be Adv_f^{-1}(A) := Pr[E].

Hard-core predicates
Strong OWFs are hard to invert in their entirety. Want to say: f(x) reveals "nothing" about x.
Q: Do OWFs satisfy this requirement?
A: In general, NO! (But why?) Suppose g is an OWF; then it is easy to prove that f(x_1 ‖ x_2) := x_1 ‖ g(x_2) is also an OWF, even though f(x) reveals the entire first half of x.
A relaxation: Can we say f(x) reveals "nothing" about h(x), for some particular function h that depends on f but not on x?

Hard-core predicates
Let h: {0,1}* → {0,1} be an efficiently computable function. Think of h(x) as indicating whether x has some property (h(x) = 1) or not (h(x) = 0). Intuitively, we call h a hard-core predicate for f if f(x) reveals nothing about h(x).
Prediction game: C and A both receive 1^s. C samples x ∈_R {0,1}^s, computes y := f(x), and sends y to A; A outputs a bit b ∈ {0,1}. Let E be the event that h(x) = b. Define A's advantage to be Adv_{h,f}(A) := |Pr[E] − 1/2|.

Hard-core predicates
Defn: Let f: {0,1}* → {0,1}* and let h: {0,1}* → {0,1} be an efficiently computable Boolean-valued function. Then h is a hard-core predicate for f if, for every PPT algorithm A, there exists a negligible function ε: ℕ → ℝ⁺ such that Adv_{h,f}(A) ≤ ε(s).
h is easy to compute from x but hard to predict from f(x). Equivalently: h(x) looks random given f(x).
If h(x) equals some bit of x, then we call h a hard-core bit for f.

Hard-core predicate examples
Let f: {0,1}* → {0,1}* be an OWF and define h(x) := ⊕_{i=1}^{|x|} x_i (the parity of x).
Q: Is h a hard-core predicate for f?
A: In general, NO! (If g is an OWF, then f(x) := g(x) ‖ ⊕_{i=1}^{|x|} x_i is an OWF for which h(x) is not hard-core!)
Let g: {0,1}* → {0,1}* be the function that just "drops" the lsb of its input and define h(x) := lsb(x).
Q: Is h a hard-core predicate for g?
A: Yes! (But not a very useful/interesting one, since g is trivially invertible and hence not one-way...)

Goldreich-Levin Theorem
Thm: If there exists an OWF, then there exists a pair of functions (g, h) such that g is an OWF and h is a hard-core predicate for g. Specifically, if f is an OWF, then the function g(x ‖ r) := f(x) ‖ r with |x| = |r| is an OWF and h(x ‖ r) := ⊕_{i=1}^{|x|} (x_i · r_i) is a hard-core predicate for g.
Here x ‖ r ∈_R {0,1}^{2s} (so in particular r ∈_R {0,1}^s), x_i is the i-th bit of x, and r_i is the i-th bit of r.
Note: Goldreich-Levin does not claim that every OWF has a hard-core predicate!

Proving Goldreich-Levin's Theorem
The full proof of Goldreich-Levin is long and involved; the textbook devotes 7 full pages to the proof! We prove a super-simplified case.
Thm (A super-simplified Goldreich-Levin): Let f: {0,1}* → {0,1}* and define, as in the Goldreich-Levin construction, (i) g(x ‖ r) := f(x) ‖ r (with |x| = |r|), and (ii) h(x ‖ r) := ⊕_{i=1}^{|x|} (x_i · r_i). If there exists a PPT algorithm A such that ∀n ∈ ℕ and ∀x ‖ r ∈ {0,1}^{2n}, A(g(x ‖ r), 1^n) = h(x ‖ r), then there also exists a PPT algorithm A' such that ∀n ∈ ℕ and ∀x ∈ {0,1}^n, A'(f(x), 1^n) ∈ f^{-1}(f(x)).

Proof sketch for super-simplified Goldreich-Levin's Theorem
Let A be a PPT algorithm that computes h(x ‖ r) = ⊕_{i=1}^{|x|} (x_i · r_i) given g(x ‖ r) := f(x) ‖ r and 1^n. For each i = 1, ..., n, let e_i denote the n-bit string with a 1 in its i-th bit and 0s elsewhere.
Goal: Construct a PPT algorithm A' that computes x' ∈ f^{-1}(f(x)) given (f(x), 1^n) and oracle access to A.
For each i = 1, ..., n, A'(f(x), 1^n) invokes A(g(x ‖ e_i), 1^n) = A(f(x) ‖ e_i, 1^n) to get x_i, since h(x ‖ e_i) = ⊕_j (x_j · e_{i,j}) = x_i.
A' outputs x' = x_1 ‖ x_2 ‖ ⋯ ‖ x_n.
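The reduction in the proof sketch above, written out as an added example (this is not code from the lecture). The hypothetical perfect predictor A of the theorem does not exist for a real OWF, so the example simulates it with a closure that "knows" x; everything the inverter A' does, however, uses only f(x), 1^n and oracle queries of the form g(x ‖ e_i) = f(x) ‖ e_i. The names `toy_f`, `make_perfect_predictor` and `invert_with_predictor` are this example's own, and `toy_f` is a constructed stand-in for f (the reduction never computes f at all).

```python
import hashlib


def inner_product_parity(x: str, r: str) -> int:
    """h(x || r) = XOR_{i=1..|x|} (x_i * r_i): parity of the bitwise AND of x and r."""
    assert len(x) == len(r), "the theorem requires |x| = |r|"
    return sum(int(a) & int(b) for a, b in zip(x, r)) % 2


def unit_vector(i: int, n: int) -> str:
    """e_i: the n-bit string with a 1 in its i-th bit (1-indexed) and 0s elsewhere."""
    return ''.join('1' if j == i else '0' for j in range(1, n + 1))


def toy_f(x: str) -> str:
    """Constructed stand-in for the OWF f: SHA-256 (hex) of the bit string.
    Only used so that f(x) has some concrete value to hand to A'."""
    return hashlib.sha256(x.encode()).hexdigest()


def make_perfect_predictor(x: str):
    """Simulates the hypothetical algorithm A of the super-simplified theorem:
    on input g(x || r) = f(x) || r (passed here as the tuple (f(x), r)) and 1^n,
    it always outputs h(x || r).  A real A would have to work from f(x) alone;
    this simulation closes over x so the reduction can be exercised."""
    def A(g_output: tuple, n: int) -> int:
        fx, r = g_output
        assert len(r) == n
        return inner_product_parity(x, r)
    return A


def invert_with_predictor(fx: str, n: int, A) -> str:
    """A'(f(x), 1^n): for each i, query A on g(x || e_i) = f(x) || e_i.
    Because h(x || e_i) = x_i, the n answers are exactly the bits of x."""
    bits = []
    for i in range(1, n + 1):
        bits.append(str(A((fx, unit_vector(i, n)), n)))
    return ''.join(bits)


def demo(x: str):
    """Run the reduction on a constructed x; returns (x', f(x') == f(x))."""
    A = make_perfect_predictor(x)
    x_prime = invert_with_predictor(toy_f(x), len(x), A)
    return x_prime, toy_f(x_prime) == toy_f(x)


if __name__ == "__main__":
    print(demo("1011"))
```

Note that A' makes exactly n oracle queries and never evaluates f; the whole difficulty of the real Goldreich-Levin proof lies in replacing the perfect predictor with one that is merely correct noticeably more than half the time.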

One-way permutations
Intuitively, π: {0,1}* → {0,1}* is a one-way permutation if it is an OWF that is length-preserving and a bijection.
Inversion game: C and A both receive 1^s. C samples x ∈_R {0,1}^s, computes y := π(x), and sends y to A; A outputs x'. Let E be the event that π(x') = y. Define A's advantage to be Adv_π^{-1}(A) := Pr[E].

One-way permutation
Defn: A function π: {0,1}* → {0,1}* is a one-way permutation (OWP) if it is
easy to compute: there exists an efficient algorithm that, on input x ∈ {0,1}*, outputs π(x);
length-preserving: for all x ∈ {0,1}*, |x| = |π(x)|;
one-to-one: for all x_1, x_2 ∈ {0,1}*, π(x_1) = π(x_2) implies x_1 = x_2; and
hard to invert: for every PPT algorithm A, there exists a negligible function ε: ℕ → ℝ⁺ such that Adv_π^{-1}(A) ≤ ε(s).

Fixed-length PRGs from OWPs
Thm: If OWPs exist, then fixed-length PRGs also exist. Specifically, given any OWP π and a hard-core predicate h for π, define G: {0,1}* → {0,1}* such that ∀x ∈ {0,1}*, G(x) := π(x) ‖ h(x). (Note: By Goldreich-Levin, if there exists an OWP, then there exists an OWP with a hard-core predicate.) Then G is a PRG with expansion factor ℓ(s) = s + 1.

Variable-length PRGs from fixed-length PRGs
Thm: If there exists a fixed-length PRG with expansion factor ℓ(s) = s + 1, then there exists a variable-length PRG.
Idea: Given a PRG G: {0,1}* → {0,1}* with expansion factor ℓ(s) = s + 1, we construct a PRG G' with expansion factor ℓ'(s) = s + 2 via G'(x) := G(x_1) ‖ δ_1, where G(x) = x_1 ‖ δ_1 (|x_1| = s and δ_1 is a single bit). Given G', we construct a PRG G'' with expansion factor ℓ''(s) = s + 3 via G''(x) := G'(x_2) ‖ δ_2, where G'(x) = x_2 ‖ δ_1 ‖ δ_2. And so on... We can repeat this any polynomial number of times!

PRFs from variable-length PRGs
Let G: {0,1}* × 1^ℕ → {0,1}* be a variable-length PRG. Construct a length-doubling PRG G'(k) := G(k, 1^{2|k|}) and set G_L(k) and G_R(k) equal to the first and last |k| bits of G'(k).
PRF F is represented as a binary tree. To evaluate F(k, x), input k to the PRG in the root node. At each layer i, if x_i = 0, go left (apply G_L); else, go right (apply G_R). Each input x corresponds to a distinct leaf. Evaluating F(k, x) requires |x| calls to G.
Figure: the root holds k; layer 1 holds G_L(k) and G_R(k); layer 2 holds G_L(G_L(k)), G_R(G_L(k)), G_L(G_R(k)), G_R(G_R(k)); and so on, with G applied at every node. The highlighted path follows x_1 = 1, x_2 = 0, x_3 = 1, i.e. F(k, 101) = G_R(G_L(G_R(k))).
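The two constructions above, stretching a fixed-length PRG into a variable-length one and then building the tree-structured PRF from it, as one added example (not code from the lecture). `toy_G` is a constructed SHA-256-based stand-in for a fixed-length PRG with expansion s → s + 1; it is not a proven PRG and merely gives the constructions something to run on. `stretch` applies the slide's step G'(x) := G(x_1) ‖ δ_1 (where G(x) = x_1 ‖ δ_1) k − 1 times to reach expansion s → s + k, `variable_length_prg` exposes that as G(k, 1^ℓ), and `ggm_prf` walks the binary tree of the PRF slide, counting one call to the length-doubling PRG per input bit. All function names are this example's own.

```python
import hashlib


def toy_G(x: str) -> str:
    """Constructed stand-in for a fixed-length PRG with expansion l(s) = s + 1.
    Input and output are strings of '0'/'1'.  NOT a proven PRG."""
    s = len(x)
    bits = ''.join(f'{b:08b}' for b in hashlib.sha256(x.encode()).digest())
    assert s + 1 <= len(bits), "toy_G only handles seeds shorter than 256 bits"
    return bits[:s + 1]


def stretch(G, x: str, k: int) -> str:
    """G^{(k)}: expansion s -> s + k.  G^{(1)} = G, and for k > 1
    G^{(k)}(x) = G^{(k-1)}(x_1) || delta_1 where G(x) = x_1 || delta_1.
    Written iteratively so k can be as large as we like."""
    assert k >= 1
    s = len(x)
    state, suffix = x, ''
    for _ in range(k - 1):
        out = G(state)
        state, delta = out[:s], out[s:]
        suffix = delta + suffix      # the outermost delta_1 ends up last
    return G(state) + suffix


def variable_length_prg(k: str, ell: int) -> str:
    """G(k, 1^ell): ell output bits for any ell > |k|, built from toy_G."""
    assert ell > len(k), "a PRG must expand its seed"
    return stretch(toy_G, k, ell - len(k))


def G_double(k: str) -> str:
    """Length-doubling PRG G'(k) := G(k, 1^{2|k|})."""
    return variable_length_prg(k, 2 * len(k))


def GL(k: str) -> str:
    """First |k| bits of G'(k)."""
    return G_double(k)[:len(k)]


def GR(k: str) -> str:
    """Last |k| bits of G'(k)."""
    return G_double(k)[len(k):]


def ggm_prf(k: str, x: str):
    """Evaluate F(k, x) by walking the tree: bit 0 -> left half, 1 -> right half.
    Returns (leaf value, number of calls to the length-doubling PRG)."""
    n = len(k)
    node, calls = k, 0
    for bit in x:
        assert bit in '01', "x must be a bit string"
        out = G_double(node)
        calls += 1
        node = out[:n] if bit == '0' else out[n:]
    return node, calls


if __name__ == "__main__":
    key = "10110010"
    print(stretch(toy_G, "0110", 5))
    print(ggm_prf(key, "101"))
```

The leaf for x = 101 equals G_R(G_L(G_R(k))), matching the highlighted path in the figure, and the call counter confirms the |x| evaluations of the length-doubling PRG that the slide states.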

Existence of PR*s and OW*s
Summary of the primitives related in this lecture: OWF, OWP, fixed-length PRG, variable-length PRG, PRF, PRP. Constructions shown today: OWP ⇒ fixed-length PRG ⇒ variable-length PRG ⇒ PRF.

That’s all for today, folks!