Lecture 2: From OWFs to PRGs and PRFs (Stanford University, 2020-04-14)


Quick logistics reminder.

Today (CS255): the existence of OWFs is equivalent to the existence of private-key cryptography.
• Don't know how to build symmetric crypto unconditionally.
• But can reduce security to simple, well-studied problems.

First course module - Foundations of Crypto. Goals:
(1) Expose to the theoretical point of view.
(2) Learning proof techniques, basic tools (will be useful even in the more practical later parts of the course).
One-way functions.
Def: $f: \{0,1\}^* \to \{0,1\}^*$ is one-way if:
(1) There exists a poly. time alg. $M$ that …
(2) …
A slightly more formal statement of the 2nd condition: …
Examples (candidate OWFs):
(1) $f(x, y) = x \cdot y$ for equal-length primes $x, y$.
(2) $f_{p,g}(x) = g^x \bmod p$: a permutation on $\{1, 2, \ldots, p-1\}$.
(3) Based on subset-sum: $f(x_1, \ldots, x_n, S) = (x_1, \ldots, x_n, \sum_{i \in S} x_i)$.
(4) Levin's universal OWF.

One-way permutation (OWP): a one-way $f$ with $f: \{0,1\}^n \to \{0,1\}^n$ a permutation.
PRG: $G: s \mapsto G(s)$; for $s$ chosen uniformly at random, we want $G(s)$ to look random.
Given $f(x)$ for a OWF $f$, finding $x$ is hard.
What about finding the first bit $x_1$? This isn't necessarily hard, e.g. $f(x_1 \ldots x_n) = x_1 \,\|\, g(x_2 \ldots x_n)$ (with $g$ one-way).
But it cannot be the case that all of $x_1, \ldots, x_n$ are easy to compute.
Def: $b: \{0,1\}^* \to \{0,1\}$ is a hard-core predicate of a function $f: \{0,1\}^* \to \{0,1\}^*$ if:
(1) $b(x)$ can be computed in poly. time given $x$.
(2) $\forall$ PPT alg. $A$: $\Pr[A(1^n, f(x)) = b(x) : x \leftarrow \{0,1\}^n] \le \tfrac{1}{2} + \mathrm{negl}(n)$.
Question: why do we allow $\tfrac{1}{2} + \mathrm{negl}(n)$, and not just $\mathrm{negl}(n)$, as for OWFs?
Thm (Goldreich-Levin): Every OWF has a HC bit.
Idea: a random linear combination of the bits of $x$ should be hard to compute.
First extend the function to $g(x, r) = (f(x), r)$ where $|x| = |r|$; $g$ is still one-way.
Then take, for $x, r \in \{0,1\}^n$: $b(x, r) = \langle x, r \rangle = \sum_i x_i \cdot r_i \bmod 2$ (inner product mod 2).
Details in Homework 1.
Thm: Let $f$ be a OWP with HC bit $b$. Then $G(s) := f(s) \,\|\, b(s)$ is a 1-bit stretch PRG.
Main idea: if, given $f(s)$, one can distinguish $b(s)$ from random, then one can also predict $b(s)$ from $f(s)$.
Proof: Suppose there exists a PPT alg. $A$ and a non-negligible $\varepsilon(n)$ s.t.
$\left| \Pr[A(G(s)) = 1 : s \leftarrow \{0,1\}^n] - \Pr[A(r) = 1 : r \leftarrow \{0,1\}^{n+1}] \right| \ge \varepsilon(n)$.
Two steps (write $\bar b := 1 - b$):
(1) Claim: $\Pr_s[A(f(s) \| b(s)) = 1] - \Pr_s[A(f(s) \| \bar b(s)) = 1] \ge 2\varepsilon$ (WLOG the difference is positive; otherwise flip $A$'s output).
(2) Use the claim to construct an alg. that predicts $b$.
Proof of claim: since $f$ is a permutation, $r \leftarrow \{0,1\}^{n+1}$ is distributed as $f(s) \| c$ for independent uniform $s \leftarrow \{0,1\}^n$ and $c \leftarrow \{0,1\}$, and $c$ equals $b(s)$ with prob. $\tfrac{1}{2}$ and $\bar b(s)$ otherwise:
$\Rightarrow \Pr[A(r) = 1] = \tfrac{1}{2} \Pr_s[A(f(s) \| b(s)) = 1] + \tfrac{1}{2} \Pr_s[A(f(s) \| \bar b(s)) = 1]$.
We now plug this into the assumption:
$\varepsilon \le \left| \Pr_s[A(G(s)) = 1] - \Pr_r[A(r) = 1] \right| = \tfrac{1}{2} \left| \Pr_s[A(f(s) \| b(s)) = 1] - \Pr_s[A(f(s) \| \bar b(s)) = 1] \right|$,
which gives the claim.
Alg. $B$ that breaks the HC bit: on input $y = f(s)$, $s \leftarrow \{0,1\}^n$:
(1) Choose $c \leftarrow \{0,1\}$. Run $A(y \| c)$.
(2) If $A$ outputs 1, output $c$; else output $\bar c$.
Analysis: by construction,
$\Pr_{s,c}[B(f(s)) = b(s)] = \tfrac{1}{2} \left( \Pr_s[A(f(s) \| b(s)) = 1] + \Pr_s[A(f(s) \| \bar b(s)) = 0] \right) = \tfrac{1}{2} + \tfrac{1}{2} \left( \Pr_s[A(f(s) \| b(s)) = 1] - \Pr_s[A(f(s) \| \bar b(s)) = 1] \right) \ge \tfrac{1}{2} + \varepsilon$.
So by the claim, alg. $B$ predicts $b(s)$ with non-negligible advantage $\varepsilon(n)$, which contradicts the assumption that $b$ is HC. $\square$
Part 2: from 1-bit stretch to poly. stretch: the Blum-Micali PRG.
Let $G: \{0,1\}^n \to \{0,1\}^{n+1}$ be a PRG; write $G(s) = (s', b)$ with $s' \in \{0,1\}^n$, $b \in \{0,1\}$.
$G'(s)$: $s_0 := s$; for $i = 1, \ldots, \ell$: $(s_i, b_i) \leftarrow G(s_{i-1})$. Output $b_1 b_2 \ldots b_\ell$.
Picture: $s_0 \to s_1 \to s_2 \to \cdots \to s_\ell$, emitting $b_1, b_2, \ldots, b_\ell$ along the way.

Theorem: $G$ is a secure PRG $\Rightarrow$ $G'$ is a secure PRG.
Proof: show $G'(s)$ is comp. indist. from uniform via the hybrid distributions $D_0, \ldots, D_\ell$ over $\{0,1\}^\ell$:
$D_i$: $b_1, \ldots, b_i \leftarrow \{0,1\}$ uniformly; $s_i \leftarrow \{0,1\}^n$; $(s_j, b_j) \leftarrow G(s_{j-1})$ for $j = i+1, \ldots, \ell$; output $b_1 \ldots b_\ell$.
So $D_0 = \{G'(s) : s \leftarrow \{0,1\}^n\}$ and $D_\ell$ is uniform on $\{0,1\}^\ell$.
$p_i := \Pr[A(y) = 1 : y \leftarrow D_i]$. Want to show $|p_0 - p_\ell| \le \mathrm{negl}(n)$.
$|p_0 - p_\ell| = |p_0 - p_1 + p_1 - p_2 + p_2 - \cdots - p_\ell| \le \sum_{i=0}^{\ell-1} |p_{i+1} - p_i|$.
Claim: $\forall i \in \{0, \ldots, \ell-1\}$, $|p_{i+1} - p_i| \le \mathrm{negl}(n)$.
First, note that Claim $\Rightarrow$ Theorem, since $|p_0 - p_\ell| \le \sum_{i=0}^{\ell-1} |p_{i+1} - p_i| \le \ell(n) \cdot \mathrm{negl}(n) = \mathrm{negl}(n)$, as $\ell(n)$ is poly.
Proof of Claim: Suppose for the sake of contradiction that $|p_{i+1} - p_i| = \varepsilon(n)$ is not negligible.
We construct a distinguisher $B$ for $G$, and we need to analyze
$\mathrm{PRGAdv}[B, G] = \left| \Pr[B(G(s)) = 1 : s \leftarrow \{0,1\}^n] - \Pr[B(y) = 1 : y \leftarrow \{0,1\}^{n+1}] \right|$.
Distinguisher $B$: on input $z \in \{0,1\}^{n+1}$:
(1) parse $z$ as $(s_{i+1}, b_{i+1})$;
(2) choose $b_1, \ldots, b_i \leftarrow \{0,1\}$;
(3) compute $(s_{i+2}, b_{i+2}) \leftarrow G(s_{i+1}), \ldots, (s_\ell, b_\ell) \leftarrow G(s_{\ell-1})$;
(4) set $y \leftarrow b_1 \ldots b_\ell$; run and output $A(y)$.
Picture: $z = (s_{i+1}, b_{i+1}) \to s_{i+2} \to \cdots \to s_\ell$, with $b_1, \ldots, b_i$ random and $b_{i+1}, \ldots, b_\ell$ from the chain.
If $z = G(s_i)$ for $s_i \leftarrow \{0,1\}^n$, then $y$ is distributed exactly as $D_i$; if $z \leftarrow \{0,1\}^{n+1}$, then $s_{i+1}$ and $b_{i+1}$ are uniform and $y$ is distributed exactly as $D_{i+1}$. Hence
$\mathrm{PRGAdv}[B, G] = \left| \Pr[A(y) = 1 : y \leftarrow D_i] - \Pr[A(y) = 1 : y \leftarrow D_{i+1}] \right| = |p_{i+1} - p_i| = \varepsilon(n)$,
contradicting the security of $G$. $\square$
Part 3: PRG → PRF (Goldreich-Goldwasser-Micali).
Suppose we have a length-doubling PRG $G: \{0,1\}^n \to \{0,1\}^{2n}$; we write $G(s) = (s_0, s_1) = (G_0(s), G_1(s))$.
Single-bit domain. Claim: $G$ can be viewed as a secure PRF $F: \{0,1\}^n \times \{0,1\} \to \{0,1\}^n$ with $F(s, 0) = G_0(s)$ and $F(s, 1) = G_1(s)$.
Construction (binary decomposition of the input): $F(s, x_1 x_2 \ldots x_n) = G_{x_n}(G_{x_{n-1}}(\cdots G_{x_1}(s) \cdots))$.
Picture (for $n = 2$): a binary tree with root $s$, children $G_0(s)$ and $G_1(s)$, and leaves $F(s, 00), F(s, 01), F(s, 10), F(s, 11)$.
How do we prove this is a secure PRF? (See section 4.6 of the cryptobook if interested.)
* Assume $G$ is a secure PRG.
* Show that if an adversary has non-negligible advantage against the PRF, then there exists an adversary with non-negligible advantage against the PRG $G$ $\Rightarrow$ contradiction. This step uses a hybrid argument.
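Both constructions, the Blum-Micali expansion of Part 2 and the GGM tree of Part 3, in working code. This is an added example, not code from the lecture notes or from the cryptobook. The length-doubling PRG G is instantiated heuristically from SHA-256 (an assumption of this example; the notes treat G as an abstract PRG), and the 1-bit-stretch PRG that Blum-Micali needs is derived from G by truncation, which preserves pseudorandomness. The seed value is constructed for the demo; a real key is drawn uniformly at random.

```python
import hashlib

SEED_LEN = 32  # n = 256 bits: seeds and each PRG half are 32-byte strings


def prg(s: bytes) -> bytes:
    """Length-doubling PRG G: {0,1}^n -> {0,1}^{2n}.

    Heuristic instantiation chosen for this example (an assumption, not part of
    the notes, which treat G as an abstract PRG):
    G(s) = SHA-256(s || 0x00) || SHA-256(s || 0x01).
    """
    if len(s) != SEED_LEN:
        raise ValueError("seed must be exactly SEED_LEN bytes")
    return hashlib.sha256(s + b"\x00").digest() + hashlib.sha256(s + b"\x01").digest()


def g0(s: bytes) -> bytes:
    """Left half of G(s), i.e. G_0(s)."""
    return prg(s)[:SEED_LEN]


def g1(s: bytes) -> bytes:
    """Right half of G(s), i.e. G_1(s)."""
    return prg(s)[SEED_LEN:]


# ---- Part 2: Blum-Micali, from 1-bit stretch to poly stretch ----

def prg_1bit(s: bytes):
    """1-bit-stretch PRG G1(s) = (s', b) derived from G (an assumption of this
    example): s' = G_0(s) and b = the top bit of G_1(s). Truncating the output
    of a PRG keeps it pseudorandom, so G1 is a PRG whenever G is."""
    out = prg(s)
    return out[:SEED_LEN], out[SEED_LEN] >> 7


def blum_micali(s: bytes, ell: int) -> list:
    """G'(s): s_0 = s; for i = 1..ell, (s_i, b_i) <- G1(s_{i-1}); output b_1 ... b_ell.
    Each output bit costs one call to G1; the seed chain s_0, s_1, ... is never output."""
    bits = []
    state = s
    for _ in range(ell):
        state, b = prg_1bit(state)
        bits.append(b)
    return bits


# ---- Part 3: GGM, PRF from a length-doubling PRG ----

def ggm_prf_bits(key: bytes, bits) -> bytes:
    """F(s, x_1 x_2 ... x_m) = G_{x_m}( ... G_{x_1}(s) ... ): walk down the binary
    tree from the root seed, going left (G_0) on a 0 bit and right (G_1) on a 1 bit.
    One PRG call per input bit; the tree itself is never materialised."""
    node = key
    for bit in bits:
        node = g1(node) if bit else g0(node)
    return node


def ggm_prf(key: bytes, x: bytes) -> bytes:
    """Same PRF on a byte-string input, consuming its bits MSB-first."""
    bits = ((byte >> shift) & 1 for byte in x for shift in range(7, -1, -1))
    return ggm_prf_bits(key, bits)


def leaves_depth2(key: bytes) -> dict:
    """The four leaves F(s,00), F(s,01), F(s,10), F(s,11) of the n = 2 picture."""
    return {f"{a}{b}": ggm_prf_bits(key, [a, b]) for a in (0, 1) for b in (0, 1)}


if __name__ == "__main__":
    seed = bytes(range(SEED_LEN))  # constructed sample seed; a real key is drawn uniformly
    print("Blum-Micali output bits:", "".join(map(str, blum_micali(seed, 32))))
    for x, leaf in leaves_depth2(seed).items():
        print(f"F(s, {x}) = {leaf.hex()[:16]}...")
    print("F(s, 'hello') =", ggm_prf(seed, b"hello").hex())
```

Two things worth noticing when running it: the Blum-Micali output is a prefix-consistent stream (asking for more bits extends the earlier output), because each bit depends only on the seed chain before it; and a GGM query on an m-bit input costs exactly m PRG evaluations, the cost the hybrid argument over tree levels pays for. The SHA-256 instantiation of G is a heuristic stand-in so that the code runs; nothing in the notes' security proof applies to it.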
Worst-case vs. average-case hardness.
NP-hardness is worst-case hardness; for a OWF, all but a negl. fraction of instances are hard.
Note: can define "mild" OWFs, where only … instances are hard ("hardness amplification").