Presentation is loading. Please wait.

Presentation is loading. Please wait.

B504/I538: Introduction to Cryptography

Published byGwendoline McDonald Modified over 6 years ago

Similar presentations

Presentation on theme: "B504/I538: Introduction to Cryptography"— Presentation transcript:

1 B504/I538: Introduction to Cryptography
Spring • Lecture 15 (2017—02—28)

2 Assignment 3 is due! Assignment 4 is out and is due in three weeks!
(2017—03—21) (Please get started early!!)

3 Recall: One-way functions (OWFs)
Intuitively, a one-way function (OWF) is a function that is easy to compute but hard to invert Challenger (C) Inverter (A) 1 s 1 s x ∈ 𝑅 {0, 1}s y := f(x) y x’ Let E be the event that f(x’) = y Define A’s advantage to be Advf -1(A) := Pr[E]

4 Hard-core predicates Strong OWFs are hard to invert in their entirety
Want to say: f(x) reveals “nothing” about x Q: Do OWFs satisfy this requirement? A: In general, NO! (But why?) - Suppose g is an OWF, then it is easy to prove that f(x1 11 x2) = x1 11 g(x2) is also an OWF! A relaxation: Can we say f(x) reveals “nothing” about h(x), for some particular function h that depends on f but not x?

5 Hard-core predicates Let h: {0, 1}* → {0, 1} be an efficiently computable function Think of h(x) as indicating whether x has some property (h(x)=1) or not (h(x)=0) Intuitively, we call h a hard-core predicate for f if f(x) reveals nothing about h(x) Challenger (C) Inverter (A) 1 s 1 s x ∈ 𝑅 {0, 1}s y := f(x) y b ∈ {0, 1} Let E be the event that h(x) = b Define A’s advantage to be Advh,f(A) := 1 Pr[E]- 1/2 1

6 Hard-core predicates Defn: Let f: {0, 1}* → {0, 1}* and let h: {0, 1}* → {0, 1} be an efficiently computable Boolean-valued function. Then h is a hard-core predicate for f if, for every PPT algorithm A, there exists a negligible function 𝜀:ℕ→ ℝ + such that Advh,f(A) ≤ 𝜀(s). h is easy to compute from x but hard to predict from f(x) Equivalently: h(x) looks random given f(x) If h(x) equal some bit of x, then we call h a hard-core bit for f

7 Hard-core predicate examples
Let f: {0, 1}* → {0, 1}* be an OWF and define h(x) := ⊕ i=1 1x1 xi Q: Is h a hard-core predicate for f? A: In general, NO! (If g is a OWF, then f(x):=g(x) 11 ⊕ i=1 1x1 xi is an OWF for which h(x) is not hard-core!) Let g: {0, 1}* → {0, 1}* be the function that just “drops” the lsb of its input and define h(x) := lsb(x) A: Yes! (But not a very useful/interesting one…)

8 Goldreich-Levin Theorem
Thm: If there exists an OWF, then there exists a pair of functions (g, h) such that g is an OWF and h is a hard-core predicate for g. Specifically, if f is an OWF, then the function g(x 11 r) := f(x) 11 r with 1x1 = 1r1 is an OWF and h(x) = ⊕ i=1 1x1 (xi · ri) is a hard-core predicate for f. x 11 r ∈ 𝑅 {0, 1}2s → r ∈ 𝑅 {0, 1}s xi = i th bit of x and ri = i th bit of r Note: Goldreich-Levin does not claim that every OWF has a hard-core predicate!

9 Proving Goldreich-Levin’s Theorem
The full proof of Goldreich-Levin is long and involved The textbook devotes 7 full pages to the proof! We prove a super-simplified case Thm (A super-simplified Goldreich-Levin): Let f: {0, 1}* → {0, 1}* and define, as in the Goldreich-Levin construction, (i) g(x 11 r) := f(x) 11 r (with 1x1 = 1r1), and (ii) h(x) = ⊕ i=1 1x1 (xi · ri) If there exists a PPT algorithm A such that ∀n ∈ℕ and ∀x 11 r ∈ {0, 1}2n, A(g(x 11 r), 1n) = h(x 11 r), then there also exists a PPT algorithm A’ such that ∀n ∈ℕ and ∀x ∈ {0, 1}n A’(f(x), 1n) ∈ f-1(x).

10 Proof sketch for super-simplified Goldreich-Levin’s Theorem
Let A be a PPT algorithm that computes h(x) = ⊕ i=1 1x1 (xi · ri) given g(x 11 r) := f(x) 11 r and 1n. For each i = 1, . . ., n, let ei denote the n-bit string with a 1 in its i th bit and 0s elsewhere Goal: Construct a PPT algorithm A’ to computes x’ ∈ f-1(x) given (f(x), 1n) and oracle access to A For each i = 1, . . ., n, A’( f(x), 1n ) invokes A( g(x 11 ei), 1n ) to get xi A’ outputs x = x1 11 x2 11 ⋯ 11 xn

11 One-way permutations Intuitively, 𝜋: {0, 1}* → {0, 1}* is a one-way permutation if it is an OWF that is length-preserving and a bijection Challenger (C) Inverter (A) 1 s 1 s x ∈ 𝑅 {0, 1}s y := 𝜋(x) y x Let E be the event that 𝜋(x) = y Define A’s advantage to be Adv𝜋 -1(A) := Pr[E]

12 One-way permutation Defn: A function 𝜋: {0, 1}* → {0, 1}* is a one-way permutation (OWP) if it is easy to compute: there exists an efficient algorithm that , on input x ∈ {0, 1}*, outputs 𝜋(x); length-preserving: for all x ∈ {0, 1}*, 1 x 1 = 1 𝜋(x) 1; one-to-one: for all x1, x2 ∈ {0, 1}*, 𝜋(x) = 𝜋(y) implies x = y; and hard to invert: for every PPT algorithm A, there exists a negligible function 𝜀:ℕ→ ℝ + such that Adv𝜋 -1(A) ≤ 𝜀(s).

13 Fixed-length PRGs from OWPs
Thm: If OWPs exist , then fixed-length PRGs also exist . Specifically, given any OWP 𝜋 and a hard-core predicate h for 𝜋, define G: {0, 1}* → {0, 1}* such that ∀x ∈ {0, 1}*, G(x) := 𝜋(x) 11 h(x). (Note: By Goldreich-Levin, if there exists an OWP, then there exists an OWP with a hard-core predicate) Then G is a PRG with expansion factor ℓ(s) = s+1.

14 Variable-length PRGs from fixed-length PRGs
Thm: If there exists a fixed-length PRG with expansion factor ℓ(s)=s+1, then there exists a variable-length PRG. Idea: Given a PRG G: {0, 1}* → {0, 1}* with expansion factor ℓ(s) = s+1, we construct a PRG G’ with expansion factor ℓ’(s) = s+2 via G’(x) := G(x1) 11 δ 1, where G(x) = x1 11 δ 1 . Given G’, we construct a PRG G’’ with expansion factor ℓ’’(s) = s+3 via G’’(x) := G’(x2) 11 δ 2, where G’(x) = x2 11 δ 1 11 δ 2 . And so on… We can repeat this any polynomial number of times!

15 PRFs from variable-length PRGs
Let G: {0, 1}* × 1ℕ → {0, 1}* be a variable-length PRG Construct a length-doubling PRG G’(k) := G(k, 121k1) and set GL(k) and GR(k) equal to the first and last 1x1 bits of G’ PRF F is represented as a binary tree To evaluate F(k,x), input k to PRG in root node At each layer i, if xi = 0, go left; else, go right Each input x corresponds to a distinct leaf Evaluating F(k,x) requires 1x1 calls to G k G GL(k) GR(k) x1=1 G G GL(GL(k)) GR(GL(k)) GL(GR(k)) GR(GR(k)) x2=0 G G G G x3=1 G G G G G G G G

16 Existence of PR*s and OW*s
OWF OWP Fixed-length PRG Variable-length PRG PRF PRP

17 That’s all for today, folks!

Download ppt "B504/I538: Introduction to Cryptography"

Similar presentations

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.

Cryptography: The Landscape, Fundamental Primitives, and Security David Brumley Carnegie Mellon University.
The Bright Side of Hardness Relating Computational Complexity and Cryptography Oded Goldreich Weizmann Institute of Science.

The Bright Side of Hardness Relating Computational Complexity and Cryptography Oded Goldreich Weizmann Institute of Science.
ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,
Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.

Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking.
1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.

1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.
Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 2 Lecturer: Moni Naor.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Communication vs. Computation S Venkatesh Univ. Victoria Presentation by Piotr Indyk (MIT) Kobbi Nissim Microsoft SVC Prahladh Harsha MIT Joe Kilian NEC.

Communication vs. Computation S Venkatesh Univ. Victoria Presentation by Piotr Indyk (MIT) Kobbi Nissim Microsoft SVC Prahladh Harsha MIT Joe Kilian NEC.
Foundation of Computing Systems

Foundation of Computing Systems
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Dan Boneh Stream ciphers PRG Security Defs Online Cryptography Course Dan Boneh.

Dan Boneh Stream ciphers PRG Security Defs Online Cryptography Course Dan Boneh.
CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.

CS555Spring 2012/Topic 81 Cryptography CS 555 Topic 8: Pseudorandom Functions and CPA Security.
FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY 15-453 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA.

FORMAL LANGUAGES, AUTOMATA AND COMPUTABILITY TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AA.
CSCI 2670 Introduction to Theory of Computing December 2, 2004.

CSCI 2670 Introduction to Theory of Computing December 2, 2004.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.
Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Ryan Henry I 538 /B 609 : Introduction to Cryptography.

Similar presentations

Ads by Google