Cryptography
Modern cryptography was born in the 1970's, when computationally easy-to-verify but 'hard-to-solve' problems were discovered.
Computational Complexity, by Fu Yuxi Cryptography 1 / 75
Cryptography is closely related to some advanced topics in computational complexity.
Synopsis
1. Computationally Secure Encryption
2. Pseudorandom Generator
3. Pseudorandom Function
4. One-Way Function
5. Zero Knowledge Proof
6. Remark
Computationally Secure Encryption
An encryption scheme is a pair (E, D) of algorithms such that
$$D_k(E_k(x)) = x$$
for all keys k and plaintexts x. Obviously $E_k$ is one-one for every k.
Shannon’s Perfect Secrecy
(E, D) is perfectly secret if for every pair $x, x' \in \{0,1\}^m$, the distributions $E_{U_n}(x)$ and $E_{U_n}(x')$ are identical.
- n is the key length.
- $U_n$ is the uniform distribution over $\{0,1\}^n$.
One Time Pad Encryption Scheme, Vernam 1917
Encryption:
- Plaintext $x \in \{0,1\}^n$.
- Generate a key $k \in_R \{0,1\}^n$ and encrypt x as $x \oplus k$.
Decryption:
- Ciphertext $y \in \{0,1\}^n$.
- The plaintext is recovered as $y \oplus k$.
If a key k is used twice, useful information can be derived.
One Time Pad Encryption Scheme
Fact. The one time pad encryption scheme is perfectly secure.
It is crucial that the key is as long as the message.
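The following is an added example, not part of the lecture slides, that checks Shannon's definition by brute force on toy schemes small enough to enumerate every key: the one-time pad with n = m passes, while a constructed scheme whose key is shorter than the message (XOR with the key padded by zero bits) fails, as the Shannon theorem predicts. It also makes the "key used twice" remark concrete: two ciphertexts under the same pad reveal $x \oplus x'$ without any knowledge of k. The function names and the short-key toy scheme are my own choices.

```python
import itertools
from collections import Counter

# Constructed toy setting: keys and messages are tuples of bits, small
# enough that every key can be enumerated and E_{U_n}(x) computed exactly.


def xor_bits(a, b):
    return tuple(p ^ q for p, q in zip(a, b))


def all_strings(length):
    """{0,1}^length as a list of bit tuples."""
    return list(itertools.product((0, 1), repeat=length))


def otp_encrypt(k, x):
    """One-time pad E_k(x) = x XOR k; the key must be as long as the message."""
    if len(k) != len(x):
        raise ValueError("one-time pad needs |k| == |x|")
    return xor_bits(x, k)


def otp_decrypt(k, y):
    """D_k(y) = y XOR k; XOR is an involution, so this undoes otp_encrypt."""
    return xor_bits(y, k)


def short_key_encrypt(k, x):
    """Toy scheme with n < m (my construction): XOR the message with k
    extended by zero bits. The trailing message bits are sent in the clear."""
    padded = k + (0,) * (len(x) - len(k))
    return xor_bits(x, padded)


def ciphertext_distribution(encrypt, key_len, x):
    """E_{U_n}(x) as a Counter: how often each ciphertext occurs over all 2^n keys."""
    return Counter(encrypt(k, x) for k in all_strings(key_len))


def is_perfectly_secret(encrypt, key_len, msg_len):
    """Shannon's definition checked by brute force:
    E_{U_n}(x) and E_{U_n}(x') must be identical for every pair x, x'."""
    msgs = all_strings(msg_len)
    reference = ciphertext_distribution(encrypt, key_len, msgs[0])
    return all(ciphertext_distribution(encrypt, key_len, x) == reference
               for x in msgs[1:])


def xor_of_plaintexts_from_reused_pad(y1, y2):
    """If one pad k encrypts both x1 and x2, then y1 XOR y2 = x1 XOR x2:
    the key cancels and the relation between the plaintexts leaks."""
    return xor_bits(y1, y2)


if __name__ == "__main__":
    print("OTP, n = m = 3, perfectly secret:", is_perfectly_secret(otp_encrypt, 3, 3))
    print("short key, n = 2 < m = 3, perfectly secret:",
          is_perfectly_secret(short_key_encrypt, 2, 3))
```

The check is exponential in n and m by design; it is a verifier for the definition on tiny instances, which is exactly what the Shannon theorem says must fail for every scheme with n < m.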
Shannon Theorem. Suppose (E, D) is an encryption scheme. If n < m, then there exist $x, x'$ such that $E_{U_n}(x)$ and $E_{U_n}(x')$ differ.
Proof. A proof can be read off from the proof of the Lemma below.
- A perfectly secret encryption scheme is not a practical scenario.
- Modern cryptography offers a solution.
Negligible Functions
A function $\varepsilon : \mathbb{N} \to [0,1]$ is negligible if
$$\forall c.\ \exists N.\ \forall n \ge N.\ \varepsilon(n) < \frac{1}{n^c}.$$
In other words ε is negligible if it tends to 0 faster than $1/p(n)$ for every polynomial $p(n)$.
- Events with negligible probability can be practically ignored.
- ε is not negligible if $\exists c.\ \varepsilon(n) \ge \frac{1}{n^c}$ for infinitely many n.
Computationally Secure Encryption Scheme
An encryption scheme (E, D) for keys of length n and messages of length m is computationally secure if for every P-time PTM A there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr_{k \in_R \{0,1\}^n,\ x \in_R \{0,1\}^m}\left[A(E_k(x)) = (i, b) \wedge x_i = b\right] - \frac{1}{2} \right| \le \varepsilon(n).$$
Is there a computationally secure encryption scheme? The answer is conditional.
Lemma. Suppose P = NP. Let (E, D) be a P-time encryption scheme with key shorter than message. A P-time algorithm A exists such that for every message length m, there is a pair $x_0, x_1 \in \{0,1\}^m$ satisfying
$$\Pr_{b \in_R \{0,1\},\ k \in_R \{0,1\}^n}\left[A(E_k(x_b)) = b\right] \ge 3/4,$$
where n is the key length and n < m.
1. Let S be defined as follows: $y \in S$ iff $\exists k.\ y = E_k(x_0)$, where $x_0 = 0^m$.
2. If P = NP then S is P-time decidable by some algorithm A.
   - A(x) = 0 iff $x \in S$.
3. Let $D_x$ = distribution $E_{U_n}(x)$. Then $\Pr[A(D_{x_0}) = 0] = 1$.
If $\Pr[D_x \in S] > \frac{1}{2}$ for all x then one would have
$$\frac{1}{2} < \Pr_x\left[\Pr[D_x \in S]\right] = \Pr_k\left[\Pr_x[E_k(x) \in S]\right] \le \frac{1}{2},$$
where ≤ holds because $|S| \le 2^n \le 2^{m-1}$ by the definition of S and $E_k$ is injective.
It follows that $\Pr[D_{x_1} \in S] \le \frac{1}{2}$ for some $x_1 \in \{0,1\}^m$. According to the definition of A, one has $\Pr[A(D_{x_1}) = 0] \le \frac{1}{2}$. Hence
$$\begin{aligned}
\Pr_{b,k}\left[A(E_k(x_b)) = b\right] &= \frac{1}{2}\Pr[A(D_{x_0}) = 0] + \frac{1}{2}\Pr[A(D_{x_1}) = 1] \\
&= \frac{1}{2} + \frac{1}{2}\Pr[A(D_{x_1}) = 1] \\
&\ge \frac{3}{4}.
\end{aligned}$$
P ≠ NP is necessary for modern cryptography. We do not know if it is sufficient.
Pseudorandom Generator
Modern cryptography addresses the long key issue by studying how to generate long keys from short ones.
- An observer cannot efficiently detect any useful difference between a pseudorandom key and a truly random key.
What is a pseudorandom string? How do we characterize pseudorandom strings?
- For modern cryptography it suffices that encrypted messages are distributed in a way that looks random to all efficient observers.
Pseudorandom Generator
Let $G : \{0,1\}^* \to \{0,1\}^*$ and $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) > n$ for all n and $|G(x)| = \ell(|x|)$ for all $x \in \{0,1\}^*$.
G is a computationally secure pseudorandom generator of stretch $\ell(n)$ if, for every P-time PTM A, there exists a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \right| \le \varepsilon(n).$$
1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.
The definition of a pseudorandom generator says nothing about how one is constructed.
Unpredictability
Let $G : \{0,1\}^* \to \{0,1\}^*$ be P-time computable with stretch $\ell(n)$, where $\ell : \mathbb{N} \to \mathbb{N}$ is P-time computable such that $\forall n.\ \ell(n) > n$.
We say that G is unpredictable if for every P-time PTM B there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[B(1^n, y_1, \ldots, y_{i-1}) = y_i\right] - \frac{1}{2} \right| \le \varepsilon(n).$$
1. M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982.
Unpredictability ⇐ Pseudorandomness
Suppose G is a pseudorandom generator. If it is not unpredictable then there is some c such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[B(1^n, y_1, \ldots, y_{i-1}) = y_i\right] - \frac{1}{2} \right| \ge \frac{1}{n^c}$$
holds for a P-time PTM B for infinitely many n. Some i exists such that
$$\left| \Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\left[B(1^n, y_1, \ldots, y_{i-1}) = y_i\right] - \frac{1}{2} \right| \ge \frac{1}{n^c \ell(n)}$$
for infinitely many n. It follows from $\Pr[B(U_{\ell(n)}) = 1] = \frac{1}{2}$ that
$$\Pr[B(G(U_n)) = 1] - \Pr[B(U_{\ell(n)}) = 1] \ge \frac{1}{n^c \ell(n)}$$
for infinitely many n, which is a contradiction.
Unpredictability ⇒ Pseudorandomness
Theorem (Yao, 1982). If G is unpredictable, then it is a pseudorandom generator.
1. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.
Unpredictability ⇒ Pseudorandomness
Let $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) \ge n$. Let $G : \{0,1\}^* \to \{0,1\}^*$ be a P-time computable unpredictable function with stretch ℓ.
Suppose G is not a pseudorandom generator. Then there is some constant c and some P-time PTM A such that, wlog,
$$\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \ge \frac{1}{n^c}$$
for infinitely many n.
Unpredictability ⇒ Pseudorandomness
For $i \le \ell(n)$, the hybrid distribution $D_i$ is defined as follows:
1. choose $x \in_R \{0,1\}^n$ and compute $y = G(x)$;
2. output $y_1, \ldots, y_i, z_{i+1}, \ldots, z_{\ell(n)}$ with $z_{i+1}, \ldots, z_{\ell(n)} \in_R \{0,1\}$.
We notice that $D_0 = U_{\ell(n)}$ and $D_{\ell(n)} = G(U_n)$.
Let $p_i = \Pr[A(D_i) = 1]$. By assumption, for infinitely many n,
$$p_{\ell(n)} - p_0 = (p_{\ell(n)} - p_{\ell(n)-1}) + (p_{\ell(n)-1} - p_{\ell(n)-2}) + \cdots + (p_1 - p_0) \ge \frac{1}{n^c}.$$
Unpredictability ⇒ Pseudorandomness
Algorithm B asserts that everything A says is correct.
- Input $1^n$, $i \in [\ell(n)]$ and $y_1, \ldots, y_{i-1}$.
1. randomly generate $z_i, \ldots, z_{\ell(n)}$;
2. compute $a = A(y_1, \ldots, y_{i-1}, z_i, \ldots, z_{\ell(n)})$;
3. output $z_i$ if $a = 1$ and $1 - z_i$ if $a = 0$.
We are done if we can prove the following inequality
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\left[B(1^n, y_1, \ldots, y_{i-1}) = y_i\right] - \frac{1}{2} \ge \frac{1}{n^c \ell(n)},$$
which can be derived if the following holds for every $i \in [\ell(n)]$:
$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\left[B(1^n, y_1, \ldots, y_{i-1}) = y_i\right] = \frac{1}{2} + (p_i - p_{i-1}).$$
Unpredictability ⇒ Pseudorandomness
B predicts $y_i$ correctly if $a = 1 \wedge z_i = y_i$ or $a = 0 \wedge z_i = 1 - y_i$. This event happens with probability
$$\frac{1}{2}\Pr_{x,\ y = G(x)}\left[a = 1 \mid z_i = y_i\right] + \frac{1}{2}\left(1 - \Pr_{x,\ y = G(x)}\left[a = 1 \mid z_i = 1 - y_i\right]\right).$$
Now $\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}[a = 1 \mid z_i = y_i] = p_i$. On the other hand,
$$\begin{aligned}
p_{i-1} &= \Pr[A(D_{i-1}) = 1] \\
&= \Pr[a = 1 \mid z_i = y_i]/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2 \\
&= p_i/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2. \qquad (1)
\end{aligned}$$
We get $\Pr[a = 1 \mid z_i = 1 - y_i] = 2p_{i-1} - p_i$ from (1).
Theorem. Given a pseudorandom generator with stretch $n^c$, one can design a computationally secure encryption scheme (E, D) using n-length keys for $n^c$-length messages.
Given a random key of length n, generate a key of length $n^c$ using the pseudorandom generator, and then apply the one-time pad encryption scheme.
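The following is an added example of the theorem's construction, not code from the slides. The function G stands in for the pseudorandom generator: it expands an n-bit key to $n^C$ bits with SHA-256 in counter mode, which is an assumption for illustration and not a generator proved secure in the slides' sense. Everything else is literally "stretch the key, then one-time pad". The stretch exponent C and the names max_message_bytes, encrypt and decrypt are mine.

```python
import hashlib

# Stand-in PRG: SHA-256 in counter mode (assumption for illustration only;
# the theorem assumes a generator proved pseudorandom, which this is not).

C = 2  # stretch exponent: an n-bit key yields an n^C-bit pad


def max_message_bytes(key):
    """n^C bits expressed in bytes, for an n-bit key (the stretch of G)."""
    n_bits = 8 * len(key)
    return (n_bits ** C) // 8


def G(seed, out_len):
    """Deterministic expansion of seed to out_len bytes: the role of G(k)."""
    out = b""
    counter = 0
    while len(out) < out_len:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:out_len]


def xor_bytes(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def encrypt(key, message):
    """E_k(x) = x XOR G(k): the one-time pad, with the pad G(k) instead of k.
    The pad is as long as the message while the key stays n bits. As with
    the plain one-time pad, a key must encrypt only one message."""
    if len(message) > max_message_bytes(key):
        raise ValueError("message longer than the n^C-bit stretch of the key")
    return xor_bytes(message, G(key, len(message)))


def decrypt(key, ciphertext):
    """D_k(y) = y XOR G(k); XOR is an involution, so this undoes encrypt."""
    return xor_bytes(ciphertext, G(key, len(ciphertext)))


if __name__ == "__main__":
    k = bytes(range(16))            # constructed 128-bit key
    x = b"short key, long message " * 8
    y = encrypt(k, x)
    print(len(k), "key bytes,", len(x), "message bytes, round trip:", decrypt(k, y) == x)
```

With a 128-bit key and C = 2 the pad is $128^2 = 16384$ bits, i.e. 2048 bytes, which bounds the message length; the ciphertext is exactly as long as the message.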
Application: Derandomization
If pseudorandom generators exist, then we can construct subexponential deterministic algorithms for problems in BPP.
- This is the derandomization of BPP.
The basic idea:
- Let L be decided by an $n^d$-time PTM P with bounded error.
- For every small ε let c be such that $0 < d/c < \varepsilon < 1$.
- Apply to all strings of length $n^{d/c}$ the pseudorandom generator with stretch $n^c$ and then execute P by following the choices prescribed by the produced pseudorandom strings of length $n^d$.
- The algorithm runs in time $O(2^{n^\varepsilon})$.
Pseudorandom Function
Let $F_n$ denote the set of all functions of type $\{0,1\}^n \to \{0,1\}^n$.
1. Generally $n2^n$ bits are necessary to specify a function in $F_n$.
2. Consequently its computation is not efficient.
We look for an efficient subset $G_n$ of $F_n$ that appears random.
1. Every element of $G_n$ is specified by n bits.
2. Every element of $G_n$ is P-time computable.
3. Yet no P-time PTM can detect a noticeable difference between a random element of $G_n$ and a random element of $F_n$.
- There are $2^{n2^n}$ elements in $F_n$.
- There are only $2^n$ elements in $G_n$.
Pseudorandom functions are pseudorandom generators with exponential stretch.
- A pseudorandom function is a black box: a distinguisher can only ask for the values of the function at a small number of inputs.
Pseudorandom Function
Let $\{f_k\}_{k \in \{0,1\}^*}$ be a family of functions such that
- $f_k : \{0,1\}^{|k|} \to \{0,1\}^{|k|}$ for every $k \in \{0,1\}^*$, and
- $f_k(x)$ is P-time computable from k, x.
The family $\{f_k\}_{k \in \{0,1\}^*}$ is pseudorandom if for every P-time probabilistic OTM A there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for all n,
$$\left| \Pr_{k \in_R \{0,1\}^n}\left[A^{f_k}(1^n) = 1\right] - \Pr_{g \in_R F_n}\left[A^{g}(1^n) = 1\right] \right| \le \varepsilon(n).$$
A needs no input. The string $1^n$ marks the input length.
Pseudorandom Generator ⇐ Pseudorandom Function
Suppose $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom family of functions. It follows from the definition that for every polynomial $\ell(n)$, the map G defined by
$$k \in \{0,1\}^n \mapsto f_k(1), \ldots, f_k(\ell(n)) \in \{0,1\}^{n\ell(n)}$$
is a pseudorandom generator.
Goldreich-Goldwasser-Micali Theorem.
Suppose that there exists a pseudorandom generator G with stretch $\ell(n) = 2n$. Then there exists a pseudorandom function family.
1. O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. FOCS 1984.
Pseudorandom Generator ⇒ Pseudorandom Function
Let G be a pseudorandom generator with stretch 2n.
- $G_0(x)$ is the first n bits of $G(x)$;
- $G_1(x)$ is the last n bits of $G(x)$.
For each seed $k \in \{0,1\}^n$ the function $f_k$ is defined by
$$f_k(x) = G_{x_n}(G_{x_{n-1}}(\ldots G_{x_1}(k) \ldots)).$$
We will prove that $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom function family.
Figure: The algorithm that calculates $f_k(x)$, drawn as a binary tree of depth n. The root is k; the two children of a node v are $G_0(v)$ (branch $x_i = 0$) and $G_1(v)$ (branch $x_i = 1$). Depth 1 holds $G_0(k)$ and $G_1(k)$; depth 2 holds $G_0(G_0(k))$, $G_1(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$; and so on, with the bits $x_1, x_2, \ldots$ of the input choosing the path from the root to the leaf $f_k(x)$.
Pseudorandom Generator ⇒ Pseudorandom Function
Let A be a T-time PTM that distinguishes $\{f_k\}_{k \in \{0,1\}^n}$ and $F_n$, i.e. some c exists such that the following inequality holds for infinitely many n,
$$\Pr_{g \in_R F_n}\left[A^{g}(1^n) = 1\right] - \Pr_{k \in_R \{0,1\}^n}\left[A^{f_k}(1^n) = 1\right] \ge \frac{1}{n^c}.$$
We construct a P-time PTM B that distinguishes $U_{2n}$ and $G(U_n)$ with bias $\frac{1}{nT} \cdot \frac{1}{n^c}$.
- Define a random implementation O of the oracles $f_{U_n}$ in terms of G:
  1. generate a seed $k \in_R \{0,1\}^n$ randomly;
  2. run the algorithm that calculates $f_k$ on all queries.
- We then modify O to get $\{O_i\}_{i \le nT}$ using the hybrid approach.
Pseudorandom Generator ⇒ Pseudorandom Function
For $i \le nT$ the random oracle $O_i$ is defined as follows:
1. In the first i steps generate children randomly.
2. After the first i steps generate children pseudo-randomly using G.
3. The random answers must be consistent!
Clearly $O_0$ is O, and $O_{nT}$ is a random function.
Let $p_i = \Pr[A^{O_i}(1^n) = 1]$. Observe that
- $p_0 = \Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1]$ and $p_{nT} = \Pr_{g \in_R F_n}[A^{g}(1^n) = 1]$.
By assumption $p_{nT} - p_0 \ge \frac{1}{n^c}$.
Algorithm B.
1. Input $k \in \{0,1\}^{2n}$.
2. Generate $i \in_R [nT]$.
3. Run $A^{O_i}(1^n)$, with the modification of $O_i$ that in the i-th invocation the two children are the first respectively the last n bits of k.
The following can be easily verified.
- If $k \in_R U_{2n}$, then B's output is distributed as $A^{O_i}(1^n)$.
- If $k \in_R G(U_n)$, then B's output is distributed as $A^{O_{i-1}}(1^n)$.
Using the hybrid argument, $\Pr[B(U_{2n}) = 1] - \Pr[B(G(U_n)) = 1]$ is
$$\sum_{i \in [nT]} \frac{\Pr[A^{O_i}(1^n) = 1]}{nT} - \sum_{i \in [nT]} \frac{\Pr[A^{O_{i-1}}(1^n) = 1]}{nT} = \frac{p_{nT}}{nT} - \frac{p_0}{nT} \ge \frac{1}{nT} \cdot \frac{1}{n^c}.$$
Application: One Key for Many Messages
By the Goldreich-Goldwasser-Micali Theorem and Yao's Theorem, the string
$$f_k(r_1)\, f_k(r_2)\, f_k(r_3) \ldots f_k(r_{\ell(k)})$$
is unpredictable.
1. Alice encrypts a message $x \in \{0,1\}^n$ by choosing $r \in_R \{0,1\}^n$ and sends $(r, f_k(r) \oplus x)$ to Bob, where $k \in \{0,1\}^n$ is the key.
2. Bob receives (r, y) and calculates $f_k(r) \oplus y$ to recover x.
Application: Message Authentication Code
For the same reason the following protocol is secure.
1. Alice sends x to Bob.
2. Bob sends $(x, f_k(x))$ to Alice.
3. Alice receives (x, y) and checks if $y = f_k(x)$ to verify that the message has not been corrupted.
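The following is an added example, not code from the lecture or from the Goldreich-Goldwasser-Micali paper, that implements the tree construction $f_k(x) = G_{x_n}(\ldots G_{x_1}(k) \ldots)$ and then uses $f_k$ exactly as the two preceding applications do: one key for many messages (fresh r per message, pad $f_k(r)$) and the message authentication code (tag $f_k(x)$). The stretch-2n generator G is SHA-512 on a 32-byte seed, a stand-in assumed for illustration rather than a generator proved pseudorandom; n = 256 bits, so seeds, inputs and outputs are all 32 bytes. The names N_BYTES, ggm_prf, mac and verify are mine.

```python
import hashlib
import hmac
import os

N_BYTES = 32  # n = 256 bits: seeds, inputs and outputs of f_k are all n bits


def G(k):
    """Stand-in for a PRG with stretch 2n: SHA-512 maps a 32-byte seed to
    64 bytes. Assumption for illustration only; the theorem needs a proven PRG."""
    if len(k) != N_BYTES:
        raise ValueError("seed must be n bits")
    return hashlib.sha512(k).digest()


def G0(k):
    """First n bits of G(k): the left child (bit 0) in the GGM tree."""
    return G(k)[:N_BYTES]


def G1(k):
    """Last n bits of G(k): the right child (bit 1) in the GGM tree."""
    return G(k)[N_BYTES:]


def bits_of(x):
    """x_1, ..., x_n as ints, most significant bit of each byte first."""
    for byte in x:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def ggm_prf(k, x):
    """f_k(x) = G_{x_n}(... G_{x_1}(k) ...): descend from the root k, taking the
    left child on a 0 bit and the right child on a 1 bit. Only n of the 2^n
    leaves are ever computed, which is why f_k is P-time."""
    if len(x) != N_BYTES:
        raise ValueError("input must be n bits")
    node = k
    for b in bits_of(x):
        node = G1(node) if b else G0(node)
    return node


def xor_bytes(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


# One key for many messages: a fresh random r per message, pad f_k(r).
def encrypt(k, x):
    r = os.urandom(N_BYTES)
    return r, xor_bytes(ggm_prf(k, r), x)


def decrypt(k, r, y):
    return xor_bytes(ggm_prf(k, r), y)


# Message authentication code: the tag of x is f_k(x).
def mac(k, x):
    return ggm_prf(k, x)


def verify(k, x, y):
    """Recompute f_k(x) and compare it with the received tag y in constant time."""
    return hmac.compare_digest(ggm_prf(k, x), y)


if __name__ == "__main__":
    k = os.urandom(N_BYTES)
    x = b"32-byte message, n bits long...."
    r, y = encrypt(k, x)
    print("round trip:", decrypt(k, r, y) == x, " tag verifies:", verify(k, x, mac(k, x)))
```

Each ggm_prf call performs n = 256 evaluations of G, one per level of the tree. The constant-time comparison in verify is an implementation detail that the slides do not discuss; it only prevents the comparison itself from leaking how many tag bytes matched.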
Application: Lower Bound for Machine Learning
In machine learning the goal is to learn a function f from a sequence of examples $(r_1, f(r_1)), \ldots, (r_k, f(r_k))$.
- The existence of pseudorandom functions implies that even if f is P-time computable, there is no way to learn it in P-time.
One-Way Function
Suppose G : {0, 1}∗ → {0, 1}∗ is a pseudorandom generator.
For every P-time PTM A there must be a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that the following holds for every n,
$$\Pr_{x \in_R \{0,1\}^n}\left[A(1^n, G(x)) = x' \wedge G(x') = G(x)\right] \le \varepsilon(n).$$
One-Way Function
A P-time function $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way function if for every P-time PTM A there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for every n,
$$\Pr_{x \in_R \{0,1\}^n,\ y = f(x)}\left[A(1^n, y) = x' \wedge f(x') = y\right] \le \varepsilon(n).$$
Let $f : \{0,1\}^* \to \{0,1\}^*$ be a P-time computable function such that $\forall x.\ |x| \le |f(x)|$.
- If P = NP then $\{(l, u, y) \mid \exists x.\ f(x) = y \wedge l \le x \le u\} \in P$.
- By divide-and-conquer one can compute $f^{-1}$ in P-time.
The existence of one-way functions implies P ≠ NP.
Integer multiplication is believed to be one-way.
Theorem. If one-way permutations exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.
1. Q. Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.
Theorem. If one-way functions exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.
1. J. Hastad, R. Impagliazzo, L. Levin and M. Luby. A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 28:1364-1396, 1999.
The crucial step is to obtain a pseudorandom generator that extends input by one bit.
- If f is a one-way permutation, then $G(x, r) = f(x), r, x \odot r$ is a pseudorandom generator. Intuitively r is random, $f(x)$ is pseudorandom, and the (2n+1)-th bit cannot be predicted with probability noticeably larger than 1/2.
We shall prove the Theorem using the Goldreich-Levin Theorem.
Goldreich-Levin Theorem. Suppose $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation. Then for every P-time PTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that
$$\left| \Pr_{x, r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] - \frac{1}{2} \right| \le \varepsilon(n),$$
where $x \odot r = \sum_{i=1}^{n} x_i r_i \pmod 2$.
1. O. Goldreich, L. Levin. A Hard-Core Predicate for All One-Way Functions. STOC 1989.
We call $x \odot r$ the hard-core bit of the function $xr \mapsto f(x)r$.
Scenario:
▶ We know $f(x)$ and that $A(f(x), r)$ approximates $x \odot r$ to some extent.
▶ We hope to recover $x$.
1. If $A(f(x), r) = x \odot r$ for all $r$, then it is easy to recover $x$ by the following algorithm:
▶ Run $A(f(x), e_1), \ldots, A(f(x), e_n)$.
▶ Paste the resulting $n$ bits together to get $x$.
2. Suppose $\Pr_{r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] \ge 0.9$.
Now $x \odot r$ is uniformly distributed if $r$ is uniformly distributed. So by the union bound
$$\Pr_{r \in_R \{0,1\}^n}[(A(f(x), r) \neq x \odot r) \lor (A(f(x), r \oplus e_i) \neq x \odot (r \oplus e_i))] \le 0.2.$$
The equality $(x \odot r) \oplus (x \odot (r \oplus e_i)) = x \odot (r \oplus r \oplus e_i) = x \odot e_i = x_i$ implies that
$$\Pr_{r \in_R \{0,1\}^n}[A(f(x), r) \oplus A(f(x), r \oplus e_i) = x_i] \ge 0.8, \tag{2}$$
which can be amplified to $1 - 1/10n$ by majority vote.
▶ If we decrease 0.9 to 0.75, then 0.8 goes down to 0.5, rendering the lower bound in (2) utterly useless.
Algorithm B: The input is $y = f(x)$.
1. $m := 200n$.
2. Choose $r_1, \ldots, r_m \in_R \{0,1\}^n$.
3. For $i$ from 1 to $n$ do
3.1 $z_1 := A(f(x), r_1)$, $z'_1 := A(f(x), r_1 \oplus e_i)$, $\ldots$, $z_m := A(f(x), r_m)$, $z'_m := A(f(x), r_m \oplus e_i)$.
3.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.
Analysis of B:
1. Let the indicator random variable $Z_j$ be defined by
$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(f(x), r_j) = x \odot r_j \text{ and } A(y, r_j \oplus e_i) = x \odot (r_j \oplus e_i), \\ 0, & \text{otherwise.} \end{cases}$$
2. Clearly $Z_1, \ldots, Z_m$ are independent. Let $Z = Z_1 + \ldots + Z_m$.
3. $\mathbb{E}[Z_j] \ge 0.8$ and $\mathbb{E}[Z] \ge 0.8m$.
4. $\Pr[|Z - \mathbb{E}[Z]| \ge 0.3m] \le 1/(0.3\sqrt{m})^2$ by the Chebyshev inequality.
5. It follows from $m = 200n$ that $\Pr[Z \le 0.5m] \le 1/10n$.
▶ Chebyshev inequality: $\Pr[|Z - \mathbb{E}[Z]| \ge k\sqrt{\mathrm{Var}(Z)}] \le 1/k^2$.
▶ $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$ since $\mathrm{Var}(Z_j) \le 1$ for all $j$.
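As an added illustration of Algorithm B and its analysis (this code is not part of the slides), the following Python simulates the 0.9 case: a constructed predictor answers $x \odot r$ correctly with probability 0.9 on each query, and B recovers every bit of $x$ by a majority vote over $A(r_j) \oplus A(r_j \oplus e_i)$ with $m = 200n$. The predictor is a closure over $x$ standing in for $A(f(x), \cdot)$; no one-way permutation is needed to exercise the algorithm itself.

```python
import random

def inner_product(x, r):
    """x ⊙ r = Σ x_i r_i (mod 2) for bit tuples x and r of equal length."""
    return sum(a & b for a, b in zip(x, r)) & 1

def unit_vector(n, i):
    """e_i: the n-bit string with a 1 only in position i (0-based here)."""
    return tuple(1 if j == i else 0 for j in range(n))

def xor_vec(r, e):
    return tuple(a ^ b for a, b in zip(r, e))

def noisy_predictor(x, p_correct, rng):
    """Constructed stand-in for A(f(x), r): answers x ⊙ r correctly with
    probability p_correct on each query and flips it otherwise. The closure
    captures x so that no f is needed; Algorithm B only ever calls A(r)."""
    def A(r):
        bit = inner_product(x, r)
        return bit if rng.random() < p_correct else bit ^ 1
    return A

def algorithm_b(A, n, m, rng):
    """Algorithm B from the slides: draw r_1..r_m once, and for every position i
    take the majority of A(r_j) ⊕ A(r_j ⊕ e_i), which equals x_i whenever both
    answers are right (or both wrong)."""
    rs = [tuple(rng.randrange(2) for _ in range(n)) for _ in range(m)]
    x_guess = []
    for i in range(n):
        e_i = unit_vector(n, i)
        ones = sum(A(r) ^ A(xor_vec(r, e_i)) for r in rs)
        x_guess.append(1 if 2 * ones > m else 0)
    return tuple(x_guess)

def run_experiment(n=16, p_correct=0.9, seed=2024):
    """Pick a secret x, build the noisy predictor, run B with m = 200n,
    and return (x, recovered) so the two can be compared."""
    rng = random.Random(seed)
    x = tuple(rng.randrange(2) for _ in range(n))
    A = noisy_predictor(x, p_correct, rng)
    return x, algorithm_b(A, n, 200 * n, rng)

if __name__ == "__main__":
    x, recovered = run_experiment()
    print("secret   ", "".join(map(str, x)))
    print("recovered", "".join(map(str, recovered)), recovered == x)
```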
3. Suppose there are a constant $c \in \mathbb{N}$ and a P-time PTM $A$ such that
$$\Pr_{x, r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] - \frac{1}{2} \ge \frac{1}{n^c}$$
for infinitely many $n$. There is at least a $\frac{1}{2n^c}$ fraction of $x$'s, the good $x$'s, such that
$$\Pr_{r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] - \frac{1}{2} \ge \frac{1}{2n^c}$$
for infinitely many $n$.
Lemma. Suppose $a_1, a_2, \ldots, a_n \in [0,1]$ and $\rho = (\sum_{i \in [n]} a_i)/n$. There is at least a $\frac{\rho}{2}$ fraction of $a_i$'s such that $a_i \ge \frac{\rho}{2}$.
The point is that, for probabilistic reasons, we cannot afford to apply $A$ twice.
Instead of calculating $A(f(x), r_1), \ldots, A(f(x), r_m)$, we guess $x \odot r_1, \ldots, x \odot r_m$. Because we are guessing the values of these expressions, we do not need to know $x$.
▶ Choose distinct random seeds $s_1, \ldots, s_k \in_R \{0,1\}^n$.
▶ $\{\bigoplus R\}_{R \subseteq \{s_1, \ldots, s_k\}}$ are random and pairwise independent.
▶ $\{x \odot \bigoplus R\}_{R \subseteq \{s_1, \ldots, s_k\}}$ are completely determined by $x \odot s_1, \ldots, x \odot s_k$.
We can afford exhaustive guessing if $k = \log m$.
Algorithm C: The input is $y = f(x)$.
1. Input $y \in \{0,1\}^n$. Think of $y$ as $f(x)$ for some $x$.
2. $m := 10n^{2c+1}$;
3. $k := \log m$;
4. Generate $s_1, \ldots, s_k \in_R \{0,1\}^n$;
5. Let $R_1, \ldots, R_m$ be the subsets of $\{s_1, \ldots, s_k\}$ in a canonical way;
6. For each guess $w \in \{0,1\}^k$ do
6.1 for each $i \in [n]$ do
6.1.1 $x \odot s_1 := w_1, \ldots, x \odot s_k := w_k$;
$z_1 := \bigoplus_{t \in R_1}(x \odot s_t), \ldots, z_m := \bigoplus_{t \in R_m}(x \odot s_t)$;
$z'_1 := A(y, \bigoplus R_1 \oplus e_i), \ldots, z'_m := A(y, \bigoplus R_m \oplus e_i)$;
6.1.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.
6.2 $x := x_1 \ldots x_n$;
6.3 if $f(x) = y$, output $x$ and halt.
Analysis of C:
1. Let the indicator random variable $Z_j$ be defined by
$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(y, r_j \oplus e_i) = x \odot (r_j \oplus e_i), \\ 0, & \text{otherwise.} \end{cases}$$
2. $Z_1, \ldots, Z_m$ are pairwise independent and $\mathbb{E}[Z_j] \ge 1/2 + 1/n^c$.
3. Hence $\mathbb{E}[Z] \ge m/2 + m/n^c$, where $Z = Z_1 + \ldots + Z_m$.
4. Using $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$, we derive
$$\Pr[|Z - \mathbb{E}[Z]| \ge m/n^c] \le \Pr\left[|Z - \mathbb{E}[Z]| \ge \frac{\sqrt{m}}{n^c}\sqrt{\mathrm{Var}(Z)}\right] \le \frac{n^{2c}}{m} = \frac{n^{2c}}{10n^{2c+1}} = \frac{1}{10n}.$$
5. Now $\Pr[Z \le m/2] \le \frac{1}{10n}$ follows from 3 and 4.
Theorem. Let $f$ be a one-way permutation. The function mapping $x, r \in \{0,1\}^n$ onto
$$r,\ f^{n^c}(x) \odot r,\ f^{n^c-1}(x) \odot r,\ \ldots,\ f^1(x) \odot r$$
is a pseudorandom generator of stretch $n + n^c$ for every $c \in \mathbb{N}$.
Let $A$ be a P-time PTM such that for $x, r \in_R \{0,1\}^n$ and $i \in_R [n^c]$,
$$\Pr[A(r, f^{n^c}(x) \odot r, f^{n^c-1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^i(x) \odot r] - \frac{1}{2} \ge \frac{1}{n^d}$$
for some $d \in \mathbb{N}$ and infinitely many $n$.
Continued on the next slide.
$B(y, r)$, where $y, r \in \{0,1\}^n$, is designed as follows:
1. Generate $i \in_R [n^c]$;
2. Output $A(r, f^{n^c-i}(y) \odot r, \ldots, f^1(y) \odot r, y \odot r)$.
The probability that $B(f(x), r)$ outputs $x \odot r$ is the same as
$$\Pr[A(r, f^{n^c}(x) \odot r, f^{n^c-1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^i(x) \odot r].$$
Hence
$$\Pr_{x, r \in_R \{0,1\}^n}[B(f(x), r) = x \odot r] - \frac{1}{2} \ge \frac{1}{n^d},$$
contradicting the Goldreich-Levin Theorem.
Since $f$ is a permutation, $r, f^{n^c-i}(x) \odot r, \ldots, f^1(x) \odot r, x \odot r$ has the same distribution as $r, f^{n^c}(x) \odot r, \ldots, f^{i+1}(x) \odot r, f^i(x) \odot r$.
one-way function ⇔ pseudorandom generator ⇔ unpredictability
Application: Tossing a Coin Over the Phone
Suppose A and B want to toss a coin over the phone. We can apply the following protocol.
1. A chooses $x, r \in_R \{0,1\}^n$ and sends $(f_n(x), r)$ to B, where $f_n$ is a one-way permutation known to both parties.
2. B chooses $b \in_R \{0,1\}$ and sends it to A.
3. A sends $x$ to B.
4. A and B agree to use $b \oplus (x \odot r)$.
A cannot manipulate the result because it cannot change $x$.
B cannot manipulate the result because it did not know $x$.
A can make sure that the result is random as long as $x$ is.
B can make sure that the result is random as long as $b$ is.
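The four steps above as runnable Python, added here and not part of the slides. The one-way permutation $f_n$ is replaced by a constructed placeholder (modular exponentiation with a 31-bit prime, a bijection on $[1, P-1]$ but trivially invertible at this size), and it is B's check that the opened $x$ matches the commitment $(f_n(x), r)$ that stops A from changing $x$ after seeing $b$.

```python
import secrets

# Constructed placeholder for the one-way permutation f_n of the slides: the map
# x -> G^x mod P with P prime and G a generator of Z_P^*, a bijection from
# [1, P-1] onto Z_P^*. At 31 bits it is trivially invertible; it only gives the
# protocol something concrete to run on.
P = 2**31 - 1
N_BITS = 31
_FACTORS_OF_P_MINUS_1 = (2, 3, 7, 11, 31, 151, 331)

def is_generator(g):
    """g generates Z_P^* iff g^((P-1)/q) != 1 for every prime factor q of P-1."""
    return all(pow(g, (P - 1) // q, P) != 1 for q in _FACTORS_OF_P_MINUS_1)

G = next(g for g in range(2, 1000) if is_generator(g))

def f(x):
    return pow(G, x, P)

def inner_product(x, r):
    """Hard-core bit x ⊙ r = Σ x_i r_i (mod 2) on N_BITS-bit integers."""
    return bin(x & r).count("1") & 1

def alice_commit(rng):
    """Step 1: A picks x, r and sends (f_n(x), r); x itself stays with A."""
    x = rng.randrange(1, P)
    r = rng.randrange(0, 2**N_BITS)
    return x, (f(x), r)

def bob_challenge(rng):
    """Step 2: B picks and sends b."""
    return rng.randrange(2)

def bob_finish(commitment, b, x_opened):
    """Steps 3-4 on B's side: accept the opened x only if it matches the
    commitment, then use b ⊕ (x ⊙ r). A mismatch means A tried to change x."""
    y, r = commitment
    if f(x_opened) != y:
        raise ValueError("opening does not match commitment")
    return b ^ inner_product(x_opened, r)

def run_protocol(cheating_alice=False, rng=None):
    """One coin toss; returns the transcript. With cheating_alice=True, A opens
    a different x' (x+1, wrapping inside [1, P-1]) after seeing b."""
    rng = rng or secrets.SystemRandom()
    x, commitment = alice_commit(rng)
    b = bob_challenge(rng)
    opened = x if not cheating_alice else x % (P - 1) + 1
    try:
        coin, accepted = bob_finish(commitment, b, opened), True
    except ValueError:
        coin, accepted = None, False
    return {"x": x, "y": commitment[0], "r": commitment[1],
            "b": b, "accepted": accepted, "coin": coin}
```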
Zero Knowledge Proof
In an interactive proof for an NP problem, say GI, a certificate usually reveals more than the mere fact that a statement is true.
It turns out that it is possible to design an interactive proof system such that a verifier does not learn anything from the interaction apart from the fact that a statement is true.
▶ In the following definition, Perfect Zero Knowledge requires that no matter what a verifier learns after participating in a proof for a statement $x$, it could have derived the same thing by itself without participating in any interaction.
1. S. Goldwasser, S. Micali and C. Rackoff. The Knowledge Complexity of Interactive Proof Systems. STOC, 186-208, 1985.
Zero Knowledge Proof of NP Language
Suppose $L \in \mathbf{NP}$ and $M$ is a P-time TM such that $x \in L$ if and only if
$$\exists u \in \{0,1\}^{p(|x|)}.\ M(x, u) = 1$$
for some polynomial $p$.
Zero Knowledge Proof of NP Language
A pair $P, V$ of interactive P-time PTM's is called a zero knowledge proof for $L$ if they enjoy the following properties.
▶ Completeness. If $M(x, u) = 1$, then $\Pr[\mathrm{out}_V(P(x, u), V(x))] \ge \frac{2}{3}$.
▶ Soundness. If $x \notin L$, then $\Pr[\mathrm{out}_V(P^*(x, u), V(x))] \le \frac{1}{3}$ for all $P^*$ and $u$.
▶ Perfect Zero Knowledge. For every P-time interactive PTM $V^*$ there is an expected P-time PTM $S^*$, called a simulator, such that for every $x \in L$ and certificate $u$ for $x \in L$, the following holds:
$$\mathrm{out}_{V^*}(P(x, u), V^*(x)) \equiv S^*(x),$$
meaning that the two random variables are identically distributed even though $S^*$ does not have any access to $u$.
The idea of simulation to demonstrate security is central to many aspects of cryptography.
Zero Knowledge Proof for Graph Isomorphism
Public Input: $G_0, G_1$ with $n$ vertices.
P knows: A permutation $\pi \in [n] \to [n]$ such that $G_1 = \pi(G_0)$.
P sends $H = \pi'(G_1)$ with a random permutation $\pi' \in_R [n] \to [n]$.
V sends a random bit $b \in_R \{0,1\}$.
P sends
$$\pi'' = \begin{cases} \pi', & \text{if } b = 1, \\ \pi'\pi, & \text{if } b = 0. \end{cases}$$
V checks if $H = \pi''(G_b)$.
If $G_0 \cong G_1$, V accepts with probability one.
If $G_0 \not\cong G_1$, V rejects with probability $\frac{1}{2}$.
Zero Knowledge Proof for Graph Isomorphism
Let $V^*$ be some verifier's strategy.
▶ If $G_0 \cong G_1$, then P's first message has the same distribution as the message sent by the following simulator $S^*$:
▶ Generate $b' \in_R \{0,1\}$ and $\pi' \in_R [n] \to [n]$;
▶ Send $H = \pi'(G_{b'})$ to $V^*$;
▶ Get some $b$ from $V^*$;
▶ If $b = b'$ then send $\pi'$ to $V^*$ and output whatever $V^*$ outputs, otherwise restart $S^*$.
▶ The key point is that $H$ reveals nothing about $b'$ if $G_0 \cong G_1$.
If $V^*$ runs in P-time, then $S^*$ runs in expected P-time.
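The GI protocol of the previous slide and the simulator $S^*$ above in one added Python example (not from the slides): an honest prover holding $\pi$, a prover without $\pi$ trying its luck on non-isomorphic graphs, and the guess-and-restart simulator that produces accepting transcripts without ever touching $\pi$. The graphs, the permutation $\pi$ and the verifier strategy handed to the simulator (the honest random-bit verifier) are all constructed for the demonstration.

```python
import random

def apply_perm(graph, perm):
    """π(G): relabel each edge {u, v} to {π(u), π(v)}. A graph is a frozenset
    of 2-element frozensets over the vertices 0..n-1."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def compose(outer, inner):
    """(outer inner)(v) = outer(inner(v)), so compose(π', π)(G0) = π'(π(G0))."""
    return tuple(outer[inner[v]] for v in range(len(inner)))

def prover_round(g1, pi, n, rng):
    """One honest round: P sends H = π'(G1), V challenges with b, and P answers
    π' if b = 1 or π'π if b = 0, so that H = π''(G_b) in both cases."""
    pi1 = tuple(rng.sample(range(n), n))        # random permutation π'
    h = apply_perm(g1, pi1)
    b = rng.randrange(2)
    pi2 = pi1 if b == 1 else compose(pi1, pi)
    return h, b, pi2

def cheating_prover_round(g0, g1, n, rng):
    """A prover without π can only commit to π'(G_c) for a guessed c; when
    G0 and G1 are not isomorphic its opening verifies only if V asks b = c."""
    c, pi1 = rng.randrange(2), tuple(rng.sample(range(n), n))
    h = apply_perm((g0, g1)[c], pi1)
    return h, rng.randrange(2), pi1

def verifier_check(g0, g1, h, b, pi2):
    """V accepts iff H = π''(G_b)."""
    return h == apply_perm((g0, g1)[b], pi2)

def simulator(g0, g1, n, verifier_strategy, rng):
    """S*: guess b', send H = π'(G_{b'}), restart if V* asks for the other bit.
    Returns an accepting transcript and the number of attempts; π is never used."""
    attempts = 0
    while True:
        attempts += 1
        b_guess, pi1 = rng.randrange(2), tuple(rng.sample(range(n), n))
        h = apply_perm((g0, g1)[b_guess], pi1)
        if verifier_strategy(h, rng) == b_guess:
            return (h, b_guess, pi1), attempts

def experiment(rounds=400, seed=11):
    """Constructed instance: G0 a 4-cycle, G1 = π(G0), G2 a 4-vertex path (not
    isomorphic to G0). Returns (honest rate, cheating rate, mean attempts, sim_ok)."""
    rng = random.Random(seed)
    n, pi = 4, (2, 0, 3, 1)
    g0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0)])
    g1 = apply_perm(g0, pi)
    g2 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3)])
    honest = sum(verifier_check(g0, g1, *prover_round(g1, pi, n, rng))
                 for _ in range(rounds))
    cheat = sum(verifier_check(g0, g2, *cheating_prover_round(g0, g2, n, rng))
                for _ in range(rounds))
    sims = [simulator(g0, g1, n, lambda h, r: r.randrange(2), rng)
            for _ in range(rounds)]
    sim_ok = all(verifier_check(g0, g1, *t) for t, _ in sims)
    return honest / rounds, cheat / rounds, sum(a for _, a in sims) / rounds, sim_ok
```

The honest prover is accepted every round, the prover without $\pi$ only about half the time, and the simulator needs two attempts on average, matching the expected P-time claim.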
Secure Multiparty Computation
Ten people working in a firm want to calculate their average salary without revealing the salary of any of them.
Remark
Cryptography on weaker assumptions (say $\mathbf{P} \neq \mathbf{NP}$)?
Modern cryptography is founded on something not provable.