Slide 1: One-way Functions and Permutations
Introduction to Modern Cryptography, Sharif University, Spring 2015
Data and Network Security Lab, Sharif University of Technology, Department of Computer Engineering
Author & Instructor: Mohammad Sadeq Dousti
Slide 2: Copyright Notice
This set of slides is licensed under Creative Commons Attribution-NonCommercial-ShareAlike (CC BY-NC-SA) 4.0. Basically, this license allows others to use the slides verbatim, and even modify and incorporate them into their own work, as long as:
1. They credit the original author(s);
2. Their work is used non-commercially;
3. They license their work under CC BY-NC-SA 4.0.
For further information, please consult:
o https://creativecommons.org/licenses/by-nc-sa/4.0
o https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
Slide 3: Outline
One-way Functions (OWF)
Hard-core Predicates
One-way Permutations (OWP)
Trapdoor Permutations (TDP)
Claw-free Functions and Permutations (CFFs & CFPs)
Impagliazzo's five worlds
Impagliazzo–Rudich theorem
Slide 4: One-way Functions (OWF)
Slide 5: One-wayness: Intuition
Easy to go in one direction; hard to go in the other direction.
Example:
o Easy to break a glass
o Hard to reconstruct it
(Image: broken glass, by Jef Poskanzer, https://commons.wikimedia.org/wiki/File:Broken_glass.jpg)
Slide 6: How to define one-way functions?
How to capture the following notion:
o The function is easy to compute
o It is hard to invert
Easy to compute:
o Function f is easy to compute if there exists an efficient Turing machine M (probabilistic polynomial time, PPT) such that for all inputs x ∈ {0, 1}*, we have M(x) = f(x).
o Order of quantifiers: ∃M ∀x. Why not ∀x ∃M? (Under ∀x ∃M every function would be "easy": for each fixed x there is a machine that simply has f(x) hard-coded.)
Slide 7: How to define one-way functions? (Cont'd)
How to capture the following notion:
o The function is easy to compute
o It is hard to invert
Hard to invert; three approaches:
o Easy case
o Worst case
o Average case
Easy case is meaningless. Why? (No function is hard to invert on every input for every machine: for any fixed x, the machine that outputs x hard-coded inverts f(x).)
Slide 8: Hard to invert in the worst case
No PPT algorithm can invert the function for all inputs.
Formalization:
o Function f is hard to invert if for any efficient Turing machine M there exists an input x ∈ {0, 1}* such that M(f(x)) ∉ f⁻¹(f(x)).
o Order of quantifiers: ∀M ∃x. Why not ∃x ∀M? (That would demand a single input that is hard for every machine, which fails against the machine with that x hard-coded.)
Not useful in cryptography. Why? (A worst-case-hard function may still be invertible on almost every input; an attacker faces the inputs actually chosen, so hardness must hold on the average.)
Two things the formalization above overlooks:
o M is probabilistic. We should talk about the output probability of M.
o f can shrink the input. M must be given the length of the input, |x|, as well.
Slide 9: Hard to invert in the average case
All PPT algorithms have a negligible chance of inverting the function for random inputs.
The formalization is best captured by the notion of games (experiments), as in [KL08, section 6.1]. (The inverting experiment itself was an image on this slide; in its syntax the inverter receives 1ⁿ together with f(x), which resolves the shrinking problem.)
Slide 10: Hard to invert in the average case (Cont'd)
The game specifies the model. Now, the definition (the formula was an image on this slide: every PPT inverter wins the experiment with only negligible probability).
1. Why not negl?
2. How many quantifiers in this definition?
Slide 11: How many quantifiers?
"There exists a negligible function ..." unfolds to:
o For all c ∈ ℕ, there exists an n₀ ∈ ℕ, such that for all n ≥ n₀ ...
So, the definition is actually a statement with four quantifiers, ∀A ∀c ∃n₀ ∀n ≥ n₀ (the slide's formula is not preserved on this page).
Slide 12: Quote ...
"As has been occasionally remarked, the human mind seems limited in its ability to understand and visualize beyond four or five alternations of quantifier. Indeed, it can be argued that the inventions, subtheories, and central lemmas of various parts of mathematics are devices for assisting the mind in dealing with one or two additional alternations of quantifier."
Hartley Rogers, Jr.
Slide 13: OWFs: A succinct definition
Model (experiment) and definition (goal) combined in a single formula (the formula itself was an image on this slide).
Usually, the following sentence is also added:
o The probability is taken over the random choice of x, as well as the internal coin tosses of the inverting algorithm.
It formalizes the probability space: https://en.wikipedia.org/wiki/Probability_space
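Slides 9 to 13 describe the definition in words and the formulas themselves did not survive on this page. The following is the standard formulation written out, added here as an editor's example following [KL08, section 6.1] (it is not the slide's own formula). 𝒜 denotes the PPT inverter, negl a negligible function, and the probability is over x and 𝒜's coins, exactly as slide 13 says.

```latex
% Easy to compute (slide 6): one polynomial-time machine works for every input.
\exists\, \text{PPT } M\ \ \forall x \in \{0,1\}^* :\quad M(x) = f(x)

% Hard to invert on the average (slides 9 and 13): experiment and goal in one formula.
% The inverter receives 1^n as well as f(x); that is what resolves the shrinking problem.
\forall\, \text{PPT } \mathcal{A}\ \ \exists\, \mathsf{negl} :\quad
\Pr_{x \leftarrow \{0,1\}^n,\ \text{coins of } \mathcal{A}}
  \bigl[\, \mathcal{A}(1^n, f(x)) \in f^{-1}(f(x)) \,\bigr] \le \mathsf{negl}(n)

% Unfolding "negligible" (slide 11) exposes the four quantifiers asked about on slide 10:
\forall\, \text{PPT } \mathcal{A}\ \ \forall c \in \mathbb{N}\ \ \exists n_0 \in \mathbb{N}\ \ \forall n \ge n_0 :\quad
\Pr\bigl[\, \mathcal{A}(1^n, f(x)) \in f^{-1}(f(x)) \,\bigr] < n^{-c}
```

The alternation ∀𝒜 ∀c ∃n₀ ∀n is what the Rogers quote on slide 12 is about: a proof that some f is one-way has to beat every inverter for every polynomial bound, and the n₀ may depend on both.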
Slide 14: OWFs are sufficient for P ≠ NP
(The formal statement on this slide was an image.) The proof is a reduction to a decider for L via binary search, where, as the next slide's algorithm shows, L is the NP language of triples (1ⁿ, x′, y) such that some n-bit x with prefix x′ satisfies f(x) = y. If P = NP, that decider runs in polynomial time and the reduction inverts f on every y in its range; so if an OWF exists, P ≠ NP.
Slide 15: Polynomial reduction for the previous slide
Input: 1ⁿ, y ∈ range(f)
Output: n-bit x ∈ f⁻¹(y)
Access: deterministic decider A(·, ·, ·) for L

    x = ""
    for i = 1 to n
        if A(1^n, x + '0', y)
            x += '0'
        else
            x += '1'
    return x

The reduction can be thought of as a procedure call: A is invoked n times, once per bit of x.
Slide 16: A concrete analysis of the reduction
Assume that a probabilistic A(1ⁿ, ·, ·) decides L:
o In time at most t(n)
o With probability at least ε(n)
What is the (t′, ε′) of the reduction?
o t′(n) ≤ n · t(n)
o ε′(n) ≥ (ε(n))ⁿ (all n calls must answer correctly)
If t(n) is polynomial, so is t′(n).
Even if ε(n) ≥ ⅔ (the case with BPP machines), ε′(n) can still be negligible: (⅔)ⁿ vanishes exponentially.
Assignment: Use the amplification lemma, and modify the algorithm to prove: OWF ⇒ BPP ≠ NP.
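The reduction of slides 14 to 16 carried out at toy size, as an added example (editor's code, not from the slides). The function is MULT2 from slide 23 at n = 10 bits (two 5-bit halves); the decider for L is simulated by exhaustive search, standing in for the hypothetical polynomial-time decider that nobody knows how to build; the BPP decider of slide 16 is simulated by flipping the exact answer with probability 1/3; and the amplification wraps it in a majority vote. The input size, the repetition count 201 and the seed are arbitrary choices of this example.

```python
import random
from typing import Callable

N = 10           # toy input length (constructed example; a real n is hundreds of bits)
HALF = N // 2


def f_mult(x: str) -> str:
    """MULT2 from slide 23 at toy size: split x into two 5-bit halves, multiply,
    and return the product as a 0-padded N-bit string."""
    a, b = int(x[:HALF], 2), int(x[HALF:], 2)
    return format(a * b, f"0{N}b")


def exact_decider(prefix: str, y: str) -> bool:
    """Decider for L = {(1^n, x', y): some n-bit x with prefix x' has f(x) = y}.
    Simulated here by exhaustive search over the free bits; the reduction only
    uses the yes/no answer, never how it was obtained."""
    free = N - len(prefix)
    for tail in range(1 << free):
        x = prefix + (format(tail, f"0{free}b") if free else "")
        if f_mult(x) == y:
            return True
    return False


Decider = Callable[[str, str], bool]


def invert_with_decider(y: str, decide: Decider) -> str:
    """Slide 15: fix x one bit at a time with n calls to the decider
    (a binary search down the prefix tree of preimages of y)."""
    x = ""
    for _ in range(N):
        x += "0" if decide(x + "0", y) else "1"
    return x


def make_noisy_decider(error: float, rng: random.Random) -> Decider:
    """Simulates a BPP decider: every query is answered correctly with probability 1 - error."""
    def decide(prefix: str, y: str) -> bool:
        answer = exact_decider(prefix, y)
        return (not answer) if rng.random() < error else answer
    return decide


def amplify(decide: Decider, repetitions: int) -> Decider:
    """Amplification lemma: majority vote over independent runs. The per-query error
    drops exponentially in `repetitions`, so n queries still all succeed w.h.p."""
    def decide_amplified(prefix: str, y: str) -> bool:
        votes = sum(decide(prefix, y) for _ in range(repetitions))
        return 2 * votes > repetitions
    return decide_amplified


def demo(seed: int = 2015):
    """Returns (exact_ok, noisy_ok, amplified_ok) for one random challenge y = f(x)."""
    rng = random.Random(seed)
    x = format(rng.getrandbits(N), f"0{N}b")
    y = f_mult(x)
    exact_ok = f_mult(invert_with_decider(y, exact_decider)) == y
    noisy = make_noisy_decider(1 / 3, rng)
    noisy_ok = f_mult(invert_with_decider(y, noisy)) == y        # succeeds w.p. about (2/3)^N
    amplified_ok = f_mult(invert_with_decider(y, amplify(noisy, 201))) == y
    return exact_ok, noisy_ok, amplified_ok


if __name__ == "__main__":
    print(demo())
```

The unamplified run is the (ε(n))ⁿ effect of slide 16 made visible: with ten queries at two-thirds reliability it fails most of the time, while the majority-vote wrapper brings the per-query error low enough that all ten queries are answered correctly.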
Slide 17: OWFs and information leakage
OWFs do not necessarily conceal all information about their preimages.
Example: Assuming f is an OWF, we can construct another function g such that:
o g is an OWF.
o g leaks half of its input.
g(x₁, x₂) = (x₁, f(x₂)), where |x₁| = |x₂|
o g is easy to compute.
o Why is g hard to invert? Proof via reduction.
Slide 18: Why is g hard to invert: The reduction
g(x₁, x₂) = (x₁, f(x₂)), where |x₁| = |x₂|
Let A be an adversary who inverts g in time T and with probability ε. We construct an adversary F who uses A as a subroutine and inverts f in time T_F and with probability ε_F. We show that (T_F, ε_F) is closely related to (T, ε).
Inverting f is reduced to inverting g:
o If g is easy to invert, so is f.
o But f is an OWF (by assumption).
o So, g must be hard to invert.

    Algorithm F(1^n, y2):
        x1 <- {0,1}^n           (uniformly at random)
        (z1, x2) = A(1^n, x1, y2)
        return x2

(Reading x₁ from the random tape and writing it to A's input tape takes O(n) time.)
o T_F(n) ≤ T(n) + O(n)
o ε_F(n) = ε(n), because (x₁, y₂) is distributed exactly like g(x₁, x₂) for uniform x₁, x₂.
If T(n) is a polynomial, so is T_F(n). If ε(n) is not negligible, neither is ε_F(n). Contradiction: f is an OWF.
What happens if we let x₁ = 0ⁿ? The input distribution of A changes. A can always fail on other input distributions!
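The reduction F of slide 18 run against a simulated inverter for g, as an added example (editor's code, not from the slides). The one-way function is replaced by a toy f (SHA-256 truncated to 8 bits, invertible by brute force, which is what makes the adversary simulable); the adversary A is built to invert g on every input whose first half is not 0ⁿ and to give up on 0ⁿ, which is precisely the kind of adversary the slide's last question is about. Input size, trial count and seed are arbitrary.

```python
import hashlib
import random
from typing import Optional, Tuple

N = 8                                   # toy half-length (constructed example)


def f(x2: str) -> str:
    """Stand-in for the OWF f: SHA-256 of the input, truncated to N bits. At N = 8 it is
    trivially invertible by brute force, which lets us simulate an adversary; the
    reduction itself never relies on that."""
    h = hashlib.sha256(x2.encode()).digest()
    return format(int.from_bytes(h, "big") >> (256 - N), f"0{N}b")


def g(x1: str, x2: str) -> Tuple[str, str]:
    """g(x1, x2) = (x1, f(x2)) from slide 17: leaks its first half verbatim."""
    return x1, f(x2)


def adversary_A(x1: str, y2: str) -> Optional[Tuple[str, str]]:
    """A simulated inverter for g. It inverts g whenever the first half is not 0^n
    (success probability 1 - 2^-n over uniform x1) and refuses on x1 = 0^n.
    Nothing in the definition of one-wayness rules out an adversary of this shape."""
    if x1 == "0" * N:
        return None
    for cand in range(1 << N):
        x2 = format(cand, f"0{N}b")
        if f(x2) == y2:
            return x1, x2
    return None


def reduction_F(y2: str, rng: random.Random, fixed_x1: Optional[str] = None) -> Optional[str]:
    """Slide 18's F: choose x1 uniformly (the correct reduction) or use a fixed x1
    (the flawed variant), hand (x1, y2) to A and return the x2 it finds."""
    x1 = fixed_x1 if fixed_x1 is not None else format(rng.getrandbits(N), f"0{N}b")
    out = adversary_A(x1, y2)
    return None if out is None else out[1]


def success_rate(trials: int, seed: int = 7, fixed_x1: Optional[str] = None) -> float:
    """Fraction of random challenges y2 = f(x2) on which F returns a valid preimage."""
    rng = random.Random(seed)
    wins = 0
    for _ in range(trials):
        x2 = format(rng.getrandbits(N), f"0{N}b")
        y2 = f(x2)
        found = reduction_F(y2, rng, fixed_x1)
        wins += found is not None and f(found) == y2
    return wins / trials


if __name__ == "__main__":
    print("uniform x1:", success_rate(200))                      # close to 1
    print("x1 = 0^n:  ", success_rate(200, fixed_x1="0" * N))    # exactly 0
```

With uniform x₁ the reduction inherits A's success probability, as the slide computes; with x₁ fixed to 0ⁿ it inherits nothing, because A was only ever promised to work on g's own output distribution.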
Slide 19: Hard-Core Predicates
Slide 20: Hard-core predicates [KL08, p. 199]
Informally: for a function f (a general function, not necessarily an OWF), a predicate hc such that:
o Given x, hc(x) is easy to compute;
o Given f(x), the value of hc(x) is hard to guess (with probability noticeably better than ½).
Hard-core predicates for OWFs capture the hardness of inverting OWFs.
They are useful for constructing PRGs from OWFs (later in this course).
Goldreich–Levin Theorem (1989): Every OWF has a hard-core predicate.
Slide 21: Goldreich–Levin Theorem
Actually, the Goldreich–Levin Theorem states that every one-way function can be trivially modified to obtain a one-way function with a specific hard-core predicate: for an OWF f, the function g(x, r) = (f(x), r) with |r| = |x| is one-way, and hc(x, r) = ⟨x, r⟩ mod 2 (the inner product of the bit strings) is hard-core for it.
Slide 22: Conjectured OWFs
No function is proven to be one-way.
o Otherwise, we would know P ≠ NP.
However, a few functions are conjectured to be one-way.
o They are easy to compute, but ...
o We know of no efficient algorithm which inverts such functions (on the average).
Examples:
o Integer factorization
o Subset sum
o Discrete logarithm
Slide 23: Conjectured OWF (1): Integer factorization
MULT1: Given z ∈ ℕ, compute x, y ∈ {2, ..., z − 1} such that x · y = z.
o Hard in the worst case.
o Easy on the average! Why? (A random z has a small prime factor with high probability; half of all integers are even, so trial division succeeds most of the time.)
MULT2: The following function is conjectured to be one-way.
o Defined for all n ∈ ℕ.
o It uses the (0-padded) string representation of integers.
f_n : {0,1}ⁿ × {0,1}ⁿ → {0,1}²ⁿ, f_n(x, y) = str(int(x) · int(y))
o What is the difference with MULT1? (The average is now taken over uniformly random n-bit x and y, i.e. over the function's inputs, not over an arbitrary z.)
Strictly, the candidate with unrestricted random x, y is only conjectured to be a weak OWF, since with probability 3/4 at least one of x, y is even; [KL08] obtains a strong OWF from it by restricting the inputs to primes or by the weak-to-strong amplification.
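MULT1 in the average case versus the worst case, as an added example (editor's code, not from the slides): trial division by the primes below 1000 is the naive inverter, the code measures how often it splits a uniformly random 64-bit z, and then builds a worst-case z, the product of two random 32-bit primes, that it cannot split. The bit lengths, the bound 1000 and the seeds are arbitrary choices of this example.

```python
import random
from typing import List, Optional, Tuple


def sieve(bound: int) -> List[int]:
    """Primes below `bound` (sieve of Eratosthenes)."""
    flags = bytearray([1]) * bound
    flags[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(range(i * i, bound, i)))
    return [i for i, is_p in enumerate(flags) if is_p]


SMALL_PRIMES = sieve(1000)          # the naive inverter's whole budget
PRIMES_16 = sieve(1 << 16)          # enough to test primality exactly below 2^32


def trial_division(z: int) -> Optional[Tuple[int, int]]:
    """Naive inverter for MULT1: returns (x, y) with x * y = z and 2 <= x, y <= z - 1
    if some prime below 1000 divides z; otherwise it gives up and returns None."""
    for p in SMALL_PRIMES:
        if p * p > z:
            break                   # no factor up to sqrt(z): z is prime (or 1)
        if z % p == 0:
            return p, z // p
    return None


def is_prime_32(m: int) -> bool:
    """Exact primality test for m < 2^32 by trial division up to sqrt(m)."""
    if m < 2:
        return False
    for p in PRIMES_16:
        if p * p > m:
            return True
        if m % p == 0:
            return False
    return True


def average_case_split_rate(trials: int, bits: int = 64, seed: int = 1) -> float:
    """MULT1 on the average: fraction of uniformly random `bits`-bit z that trial
    division splits. Most integers have a small factor, so this comes out high
    (about 0.92 for a bound of 1000)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        z = rng.getrandbits(bits) | (1 << (bits - 1))   # exactly `bits` bits
        hits += trial_division(z) is not None
    return hits / trials


def worst_case_instance(seed: int = 1) -> int:
    """A z of the kind MULT2 produces when its inputs are restricted to primes: the
    product of two random 32-bit primes. Trial division below 1000 cannot split it."""
    rng = random.Random(seed)

    def random_prime() -> int:
        while True:
            c = rng.getrandbits(32) | (1 << 31) | 1     # odd, exactly 32 bits
            if is_prime_32(c):
                return c

    return random_prime() * random_prime()


if __name__ == "__main__":
    print("random 64-bit z split by trial division:", average_case_split_rate(2000))
    print("product of two 32-bit primes split:", trial_division(worst_case_instance()))
```

The two measurements are the difference between the two slides' notions: MULT1 asks about an arbitrary z, and most z are easy; the one-wayness conjecture for multiplication is a statement about z produced from random inputs of a specific shape.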
Slide 24: Functions vs. function families
Compare the syntax used for defining OWFs, f : {0,1}* → {0,1}*, with the syntax for MULT2:
f_n : {0,1}ⁿ × {0,1}ⁿ → {0,1}²ⁿ, f = {f_n}_{n ∈ ℕ}
In the latter, f is an infinite family of functions, as opposed to a single function.
Natural OWFs are mostly defined as a family of functions.
[KL08, p. 238], exercise 6.6: Prove that there exist OWFs if and only if there exist families of OWFs.
We'll formally define families of OWFs later.
Slide 25: Conjectured OWF (2): Subset sum
(The definition on this slide was an image.) Subset sum is defined as a family of functions, too.
Subset sum is a proven NP-complete problem. If P ≠ NP, does that prove that OWFs exist?! (No: NP-completeness is a worst-case notion, whereas one-wayness requires average-case hardness; this is the gap between Heuristica and Minicrypt later in this deck.)
Slide 26: Conjectured OWF (3): Discrete logarithm
f_{p,g}(x) = gˣ mod p, where:
o p is an n-bit prime.
o g is a generator of {1, ..., p − 1}. That is, the powers of g (mod p) generate this set: {g¹ mod p, ..., g^(p−1) mod p} = {1, ..., p − 1}.
o x ∈ {1, ..., p − 1}
The Discrete Logarithm Problem (DLP) is defined as a family of functions.
f_{p,g}(x) is actually a permutation of {1, ..., p − 1}.
Slide 27: One-way Permutations (OWP)
Slide 28: Interlude: Picking a random number from a set
Not all sets can be efficiently sampled.
o Example: On input (1ⁿ, y), pick a random element from {x | x ∈ f⁻¹(y)}, where f is an OWF.
Problem: On input 1ⁿ, uniformly sample the set {0, 1, 2}.
o Strategy 1: Take the first two bits of the random tape, compute the remainder modulo 3.
- Outputs 0 with probability 0.5, and 1 and 2 with probability 0.25 each.
- Unacceptable!
o Strategy 2: Take the first two bits of the random tape, and discard them if they are 11 (= 3). Output otherwise.
- Succeeds with probability 0.75.
- Repeating the attempt n times results in a negligible failure probability, (1/4)ⁿ.
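Both strategies from the slide, as an added example (editor's code, not from the slides). The random tape is a bit string; Strategy 1 reduces two bits modulo 3 and Strategy 2 rejects the value 3 and retries. Rather than estimating by simulation, the code enumerates every tape of the given length, so the bias of Strategy 1 and the failure probability of Strategy 2 come out as exact fractions.

```python
from fractions import Fraction
from itertools import product
from typing import Dict, Optional


def strategy_mod(tape: str) -> int:
    """Strategy 1: the first two bits of the tape, reduced modulo 3. Biased towards 0."""
    return int(tape[:2], 2) % 3


def strategy_reject(tape: str, attempts: int) -> Optional[int]:
    """Strategy 2: read two bits at a time; output them unless they are 11, in which
    case discard and retry, up to `attempts` times. None means every attempt was
    rejected, i.e. the sampler failed."""
    for i in range(attempts):
        v = int(tape[2 * i: 2 * i + 2], 2)
        if v != 3:
            return v
    return None


def exact_distribution(strategy, tape_bits: int, **kw) -> Dict[Optional[int], Fraction]:
    """Enumerate all 2^tape_bits tapes (each equally likely) and tally the outputs."""
    dist: Dict[Optional[int], Fraction] = {}
    for bits in product("01", repeat=tape_bits):
        out = strategy("".join(bits), **kw)
        dist[out] = dist.get(out, Fraction(0)) + Fraction(1, 2 ** tape_bits)
    return dist


def failure_probability(attempts: int) -> Fraction:
    """Strategy 2 fails only if every attempt reads 11: (1/4)^attempts, negligible in `attempts`."""
    dist = exact_distribution(strategy_reject, 2 * attempts, attempts=attempts)
    return dist.get(None, Fraction(0))


if __name__ == "__main__":
    print("modulo 3 :", exact_distribution(strategy_mod, 2))
    print("rejection:", exact_distribution(strategy_reject, 2, attempts=1))
    for n in (1, 2, 4, 8):
        print(f"failure probability after {n} attempts: {failure_probability(n)}")
```

The modulo strategy is the classic modular-bias bug seen in real key and nonce generators (reducing a uniform 2-bit value modulo 3 cannot be uniform because 4 is not a multiple of 3); rejection sampling trades a small, exponentially shrinking chance of failure for exact uniformity conditioned on success.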
Slide 29: Families of functions & permutations: Syntax [KL08, p. 196]
(The syntax, with its algorithms Gen, Samp and f_I, was an image on this slide.) As discussed, not all sets can be efficiently sampled with probability 1.
Slide 30: OWFs and OWPs [KL08, p. 197]
(The definitions on this slide were an image.)
Assignment [KL08, p. 238], exercise 6.6: Prove that there exist OWFs if and only if there exist families of OWFs. Discuss why your proof does not carry over to the case of OWPs.
Slide 31: Example: Discrete logarithm
Gen(1ⁿ) generates I = (p, g), where p is an n-bit prime and g is a generator of {1, ..., p − 1}.
o The domain and range are 𝒟_I = ℛ_I = {1, ..., p − 1}.
Samp(I) picks a uniform element x from 𝒟_I.
f_I(x) = gˣ mod p
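The discrete-logarithm family (Gen, Samp, f_I) of this slide together with the two points about hard-core predicates from slides 20 and 21, as an added example (editor's code, not from the slides). Gen here draws a toy-size safe prime p = 2q + 1 so that a generator is easy to recognise (g generates the group iff g² ≠ 1 and g^q ≠ 1 mod p); the slide only asks for a prime, and the 12-bit size and the seed are arbitrary. The block also shows the Goldreich–Levin predicate ⟨x, r⟩ mod 2 attached to the padded function (f_I(x), r), and a caveat that the slides' definition implies but does not spell out: a natural predicate such as the parity of x is not hard-core for this family, because Euler's criterion computes it from gˣ mod p alone (gˣ is a quadratic residue iff x is even).

```python
import random
from typing import Tuple


def is_prime(m: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def gen(n: int, rng: random.Random) -> Tuple[int, int]:
    """Gen(1^n): an n-bit safe prime p = 2q + 1 and a generator g of {1, ..., p - 1}.
    (Safe primes are a convenience of this toy; slide 31 only requires p prime.)"""
    while True:
        q = rng.getrandbits(n - 1) | (1 << (n - 2)) | 1    # odd, exactly n - 1 bits
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    while True:
        g = rng.randrange(2, p - 1)
        # The order of g divides p - 1 = 2q, so it is 1, 2, q or 2q; rule out the small ones.
        if pow(g, 2, p) != 1 and pow(g, q, p) != 1:
            return p, g


def samp(I: Tuple[int, int], rng: random.Random) -> int:
    """Samp(I): uniform x in D_I = {1, ..., p - 1}."""
    p, _ = I
    return rng.randrange(1, p)


def f(I: Tuple[int, int], x: int) -> int:
    """f_I(x) = g^x mod p."""
    p, g = I
    return pow(g, x, p)


def parity_from_image(I: Tuple[int, int], y: int) -> int:
    """Euler's criterion: y = g^x is a quadratic residue mod p iff x is even.
    Recovers x mod 2 from f_I(x) alone, so 'parity of x' is not a hard-core predicate."""
    p, _ = I
    return 0 if pow(y, (p - 1) // 2, p) == 1 else 1


def gl_predicate(x: int, r: int, n: int) -> int:
    """Goldreich–Levin predicate for the padded function (f(x), r): <x, r> mod 2 over n bits."""
    return bin((x & r) & ((1 << n) - 1)).count("1") % 2


def padded_f(I: Tuple[int, int], x: int, r: int) -> Tuple[int, int]:
    """The 'trivially modified' function of slide 21: g(x, r) = (f_I(x), r)."""
    return f(I, x), r


def is_permutation(I: Tuple[int, int]) -> bool:
    """Check the claim of slide 26: f_I permutes {1, ..., p - 1}."""
    p, _ = I
    return sorted(f(I, x) for x in range(1, p)) == list(range(1, p))


def demo(n: int = 12, seed: int = 2015):
    """Returns (I, x, y, permutation_ok, parity_leaks_everywhere)."""
    rng = random.Random(seed)
    I = gen(n, rng)
    p, _ = I
    x = samp(I, rng)
    y = f(I, x)
    leaks = all(parity_from_image(I, f(I, z)) == z % 2 for z in range(1, p))
    return I, x, y, is_permutation(I), leaks


if __name__ == "__main__":
    print(demo())
```

The parity leak is why hard-core predicates are constructed (Goldreich–Levin) rather than assumed: a one-way function can be as hard to invert as you like and still give away individual bits of its input, as slide 17 already showed in the extreme.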
Slide 32: Trapdoor Permutations (TDP)
Slide 33: TDP [KL08, p. 374]
(The definition on this slide was an image.)
Slide 34: Example: RSA
Gen(1ⁿ) generates I = (N, e) and td = (N, d), such that:
o |N| = n, and N is the product of two odd primes p and q of the same size. Recall that φ(N) = (p − 1)(q − 1) is Euler's totient.
o e is a number such that gcd(e, φ(N)) = 1.
o d is the inverse of e modulo φ(N).
o The domain of f_I (and of Inv_td) is ℤ_N^*, the set of positive integers smaller than N and coprime to it.
Samp(I) picks a uniform element x from ℤ_N^*.
f_I(x) = xᵉ mod N.
Inv_td(y) = yᵈ mod N.
RSA is a TDP, not a public-key encryption. We'll define public-key encryption later.
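The RSA family (Gen, Samp, f_I, Inv_td) of this slide, as an added example (editor's code, not from the slides). Primes come from trial division at toy size (a 16-bit N here; real parameters are 2048 bits or more and use a probabilistic primality test), e is drawn until gcd(e, φ(N)) = 1, and d = e⁻¹ mod φ(N) is computed with Python's built-in modular inverse (pow with exponent −1, Python 3.8+). The block checks what makes this a TDP: f_I permutes ℤ_N^* and Inv_td undoes it, while someone holding only I has, at this size, nothing better than exhaustive search over the domain.

```python
import math
import random
from typing import Tuple

Index = Tuple[int, int]      # I = (N, e) or td = (N, d)


def is_prime(m: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, exactly `bits` bits
        if is_prime(c):
            return c


def gen(n: int, rng: random.Random) -> Tuple[Index, Index]:
    """Gen(1^n): I = (N, e), td = (N, d) with N = p*q of exactly n bits and
    p, q distinct odd primes of n/2 bits each."""
    while True:
        p, q = random_prime(n // 2, rng), random_prime(n // 2, rng)
        N = p * q
        if p != q and N.bit_length() == n:
            break
    phi = (p - 1) * (q - 1)
    while True:
        e = rng.randrange(3, phi)
        if math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                  # inverse of e modulo phi(N)
    return (N, e), (N, d)


def samp(I: Index, rng: random.Random) -> int:
    """Samp(I): uniform element of Z_N^*, by rejection sampling on {1, ..., N-1} (slide 28)."""
    N, _ = I
    while True:
        x = rng.randrange(1, N)
        if math.gcd(x, N) == 1:
            return x


def f(I: Index, x: int) -> int:
    """f_I(x) = x^e mod N."""
    N, e = I
    return pow(x, e, N)


def inv(td: Index, y: int) -> int:
    """Inv_td(y) = y^d mod N."""
    N, d = td
    return pow(y, d, N)


def invert_without_trapdoor(I: Index, y: int) -> int:
    """What an adversary holding only I can do at toy size: search all of Z_N^*.
    For real parameters this loop never finishes; that gap is the one-wayness."""
    N, _ = I
    for x in range(1, N):
        if math.gcd(x, N) == 1 and f(I, x) == y:
            return x
    raise ValueError("y is not in the range of f_I")


def is_permutation_on_units(I: Index) -> bool:
    """f_I maps Z_N^* onto itself bijectively."""
    N, _ = I
    units = [x for x in range(1, N) if math.gcd(x, N) == 1]
    return sorted(f(I, x) for x in units) == units


def demo(n: int = 16, seed: int = 2015):
    """Returns (I, td, x, y, trapdoor_inverts, is_permutation)."""
    rng = random.Random(seed)
    I, td = gen(n, rng)
    x = samp(I, rng)
    y = f(I, x)
    return I, td, x, y, inv(td, y) == x, is_permutation_on_units(I)


if __name__ == "__main__":
    print(demo())
```

Note what the index I does and does not contain: N and e are public, and the trapdoor d (equivalently, the factorization of N) is the only thing that separates Inv_td from the exhaustive search above.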
Slide 35: Claw-Free Functions / Permutations (CFF / CFP)
Slide 36: Claw
A claw for a pair of functions (f, g) is a triple (x, y, z) such that f(x) = g(y) = z. Notice that, un like a collision for a single function, nothing here requires x ≠ y.
Slide 37: Families of pairs of functions & permutations: Syntax
(The syntax on this slide was an image.)
Slide 38: Claw-free functions/permutations
(The definition on this slide was an image.)
Slide 39: Claw-Free Functions/Permutations (CFFs/CFPs)
Applications of CFFs/CFPs in cryptography:
o Construction of signature schemes
o Construction of commitment schemes
o Construction of collision-resistant hash functions (CRHFs)
More on this later ...
Assignment: Construct OWFs from CFFs, and OWPs from CFPs. Prove that your constructions work.
Fun fact [DR02]: The existence of TDPs does not by itself imply that CFPs exist.
Slide 40: Conjectured CFFs/CFPs
(The examples on this slide were an image.)
Slide 41: Impagliazzo's five worlds [Imp95]
Slide 42: From Algorithmica to Cryptomania
In 1995, Russell Impagliazzo identified five possible worlds:
o Algorithmica
o Heuristica
o Pessiland
o Minicrypt
o Cryptomania
Studying these worlds can help in understanding cryptography.
(Figure: nested circles, one per world; smaller circles denote stricter conditions.)
Slide 43: Algorithmica
In Algorithmica, P = NP.
o An algorithm for verifying a solution can be efficiently turned into one for finding it.
o Programming languages need not include instructions on how to compute the output; we only need to specify how the output is verified.
o Computers can do anything humans can: prove theorems, write papers, understand text and speech, etc.
o CAPTCHA is meaningless.
o No security is possible over public channels (unless resorting to physical assumptions, such as PUFs).
Slide 44: Heuristica
In Heuristica, P ≠ NP, but NP is not hard on average.
o NP is hard in the worst case.
o If we choose a problem instance at random (uniformly, or under any efficiently samplable distribution), it will be easy with very high probability.
o Finding a hard instance is itself intractable!
o In terms of security/cryptography, same as Algorithmica.
Slide 45: Pessiland
In Pessiland, there are hard-on-average problems but no OWFs.
o Easy to generate hard NP instances.
o No way to generate hard solved NP instances. Why?
- Let Gen(1ⁿ) be an algorithm generating hard NP instances together with their solutions.
- If you have the randomness of Gen, you can recompute the solution.
- Gen(1ⁿ), viewed as a function of its randomness, is not an OWF (they don't exist).
- As such, given the instance, one can invert Gen to find the randomness, and hence the solution.
o No known way of making use of the hard problems of Pessiland in cryptography.
o A problem that no one knows the answer to cannot be used to distinguish legitimate users from adversaries.
OWFs are essential for most cryptographic tasks [IL89].
Slide 46: Minicrypt
In Minicrypt, OWFs exist, but private communication over public channels with strangers (secret-key agreement) is impossible.
o Pseudorandom generators exist
o Digital signatures exist
- Identification and message authentication are possible
o Secret communication is possible using pre-shared secrets (i.e., no strangers)
o Zero-knowledge protocols exist
o BUT:
- E-voting is impossible
- Anonymous cash is impossible
- ...
Slide 47: Cryptomania
In Cryptomania, secret-key agreement with strangers is possible.
o Groups of people can jointly agree on a secret over a public channel.
o The group can agree to jointly compute an arbitrary function of secret inputs without compromising their secrets.
- E-voting is possible
- Anonymous cash is possible
If TDPs exist, we are in Cryptomania. How about OWPs? Next slides ...
Slide 48: Impagliazzo–Rudich theorem [IR88]
Slide 49: Limits on Provable Consequences of OWPs
We believe OWPs exist. We believe secret-key agreement (SKA) with strangers is possible.
Can we construct SKA from OWPs?
Impagliazzo & Rudich provide strong evidence that "OWP ⇒ SKA" is not provable by standard techniques.
o Standard technique: a black-box reduction, which uses the adversary (and the OWP) only as subroutines.
[IR88] shows that proving "OWP ⇒ SKA" by such a reduction is at least as hard as proving P ≠ NP.
Slide 50: References
Sections 6.1, 7.4.1, and 10.7 of [KL08]
Section 1.3 and Chapter 2 of [Gol01]
[DR02] Y. Dodis and L. Reyzin. On the Power of Claw-Free Permutations. In SCN '02, 2002.
[Gol01] O. Goldreich. Foundations of Cryptography, Volume 1: Basic Tools. Cambridge University Press, 2001.
[Imp95] R. Impagliazzo. A Personal View of Average-Case Complexity. In SCT '95, 1995.
[IL89] R. Impagliazzo and M. Luby. One-way Functions are Essential for Complexity Based Cryptography. In FOCS '89, 1989.
[IR88] R. Impagliazzo and S. Rudich. Limits on the Provable Consequences of One-way Permutations. In CRYPTO '88, 1988.
[KL08] J. Katz and Y. Lindell. Introduction to Modern Cryptography: Principles and Protocols. CRC Press, 2007.