Foundations of Cryptography Lecture 10 Lecturer: Moni Naor

Dec 14, 2015

Page 1:

Foundations of Cryptography

Lecture 10

Lecturer: Moni Naor

Page 2:

Recap of Lecture 9

• Hardcore predicates with public randomness
• The inner product bit: Goldreich-Levin Theorem
• Applications

Page 3:

Pseudo-random generators

Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if
• It is polynomial time computable
• It stretches the input: |g(x)| > |x|
  – denote by ℓ(n) the length of the output on inputs of length n
• If the input (seed) is random, then the output is indistinguishable from random:
  for any probabilistic polynomial time adversary A that receives input y of length ℓ(n) and tries to decide whether y = g(x) or y is a random string from {0,1}^ℓ(n), for any polynomial p(n) and sufficiently large n

|Prob[A='rand' | y = g(x)] - Prob[A='rand' | y ∈_R {0,1}^ℓ(n)]| < 1/p(n)

Want to use the output of a pseudo-random generator whenever long random strings are used
Especially encryption – have not defined the desired properties yet.

"Anyone who considers arithmetical methods of producing random numbers is, of course, in a state of sin." J. von Neumann

Page 4:

Computational Indistinguishability

Definition: two sequences of distributions {Dn} and {D'n} on {0,1}^n are computationally indistinguishable if for every polynomial p(n) and sufficiently large n, for every probabilistic polynomial time adversary A that receives input y ∈ {0,1}^n and tries to decide whether y was generated by Dn or D'n

|Prob[A='0' | Dn] - Prob[A='0' | D'n]| < 1/p(n)

Without the restriction to probabilistic polynomial time tests this is equivalent to the variation distance being negligible:

∑_{β ∈ {0,1}^n} |Prob[Dn = β] - Prob[D'n = β]| < 1/p(n)

Page 5:

Hardcore Predicate With Public Information

Definition: let f:{0,1}* → {0,1}* be a function. We say that h:{0,1}* × {0,1}* → {0,1} is a hardcore predicate for f if
• h(x,r) is polynomial time computable
• For any probabilistic polynomial time adversary A that receives input y = f(x) and public randomness r and tries to compute h(x,r), for any polynomial p(n) and sufficiently large n

|Prob[A(y,r) = h(x,r)] - 1/2| < 1/p(n)

where the probability is over the choice of y, r and the random coins of A

Alternative view: can think of the public randomness as modifying the one-way function f: f'(x,r) = (f(x), r).

Page 6:

Inner Product Hardcore bit

• The inner product bit: choose r ∈_R {0,1}^n and let
  h(x,r) = r·x = ∑ x_i r_i mod 2

Theorem [Goldreich-Levin]: for any one-way function the inner product is a hardcore predicate

Proof structure:
• There are many x's for which A returns a correct answer on ½+ε of the r's
• Take an algorithm A that guesses h(x,r) correctly with probability ½+ε over the r's and output a list of candidates for x (the main step!)
  – No use of the y info
• Choose from the list the/an x such that f(x) = y

Page 7:

Application: if subset sum is one-way, then it is a pseudo-random generator

• Subset sum problem: given
  – n numbers 0 ≤ a1, a2, …, an ≤ 2^m
  – Target sum y
  – Find a subset S ⊆ {1,...,n} with ∑_{i∈S} a_i = y
• Subset sum one-way function f:{0,1}^(mn+n) → {0,1}^m
  f(a1, a2, …, an, x1, x2, …, xn) = (a1, a2, …, an, ∑_{i=1}^{n} x_i a_i mod 2^m)

If m < n then we get out fewer bits than we put in.
Theorem: if for m < n subset sum is a one-way function, then it is also a family of UOWHF (was homework)
If m > n then we get out more bits than we put in.
Theorem: if for m > n subset sum is a one-way function, then it is also a pseudo-random generator

Page 8:

Subset Sum Generator

Idea of proof: use the distinguisher A to compute r·x
For simplicity: do the computation mod P for a large prime P

• Given r ∈ {0,1}^n and (a1, a2, …, an, y), generate a new problem (a'1, a'2, …, a'n, y'):
• Choose c ∈_R Z_P
• Let a'i = ai if ri = 0 and a'i = ai + c mod P if ri = 1
• Guess k ∈_R {0,…,n} - the value of ∑ x_i r_i
  – the number of locations where x and r are both 1
• Let y' = y + c·k mod P
• Run the distinguisher A on (a'1, a'2, …, a'n, y')
  – output what A says XORed with parity(k)

Claim: if k is correct, then (a'1, a'2, …, a'n, y') is pseudo-random (a genuine subset sum instance)
Claim: for any incorrect k, (a'1, a'2, …, a'n, y') is random:
y' = z + (k-h)c mod P where z = ∑_{i=1}^{n} x_i a'_i mod P and h = ∑ x_i r_i

Therefore: the probability to guess r·x correctly is 1/n·(½+ε) + (n-1)/n·(½) = ½+ε/n

[Figure: correct k gives the pseudo-random case, Prob[A='0' | pseudo] = ½+ε; incorrect k gives the random case, Prob[A='0' | random] = ½]
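The randomisation step of slide 8, as an added Python example (not from the lecture): the instance transformation, the identity y' = z + (k-h)c that both claims rest on, and one run of the reduction with a brute-force stand-in for the distinguisher A on a small constructed instance (the modulus P, instance size n and random seed are assumptions).

```python
import random

def transform(a, y, r, c, k, P):
    """Slide 8's randomisation: add c to a_i wherever r_i = 1, and c*k to the target."""
    a_new = [(ai + c) % P if ri else ai for ai, ri in zip(a, r)]
    return a_new, (y + c * k) % P

def inner_product(x, r):
    """r.x = sum x_i r_i mod 2, the Goldreich-Levin hardcore bit."""
    return sum(xi & ri for xi, ri in zip(x, r)) % 2

def ideal_distinguisher(a, y, P):
    """Brute force over all subsets (tiny n only): answers 0 ('pseudo-random') when
    y is a genuine subset sum of a mod P, otherwise 1 ('random')."""
    n = len(a)
    for mask in range(1 << n):
        if sum(a[i] for i in range(n) if (mask >> i) & 1) % P == y:
            return 0
    return 1

def reduction_step(a, y, r, k, P, A, rng):
    """One run with guess k: pick c, build the new instance, output A's bit XOR parity(k)."""
    c = rng.randrange(P)
    a_new, y_new = transform(a, y, r, c, k, P)
    return A(a_new, y_new, P) ^ (k % 2)

def claim_holds(a, x, r, c, k, P):
    """The identity behind both claims: y' = z + (k - h) c mod P with z = sum x_i a'_i
    and h = sum x_i r_i, so y' is the true subset sum z exactly when k = h."""
    y = sum(xi * ai for xi, ai in zip(x, a)) % P
    a_new, y_new = transform(a, y, r, c, k, P)
    z = sum(xi * ai for xi, ai in zip(x, a_new)) % P
    h = sum(xi & ri for xi, ri in zip(x, r))
    return y_new == (z + (k - h) * c) % P

def demo(seed=7, n=6, P=1_000_003):
    """Constructed instance (assumed sizes): checks the identity for every k in 0..n and
    runs the reduction with the correct guess k = h. Returns (identity_ok, guess, r.x)."""
    rng = random.Random(seed)
    a = [rng.randrange(P) for _ in range(n)]
    x = [rng.randrange(2) for _ in range(n)]       # the secret subset
    r = [rng.randrange(2) for _ in range(n)]       # the public randomness
    y = sum(xi * ai for xi, ai in zip(x, a)) % P
    h = sum(xi & ri for xi, ri in zip(x, r))
    c = rng.randrange(P)
    identity_ok = all(claim_holds(a, x, r, c, k, P) for k in range(n + 1))
    guess = reduction_step(a, y, r, h, P, ideal_distinguisher, rng)
    return identity_ok, guess, inner_product(x, r)
```

With the correct k the new instance still has x as a solution, so a distinguisher that recognises genuine instances answers 0 and the XOR with parity(k) = r·x returns the hardcore bit; for a wrong k, y' is shifted by a uniform multiple of c and carries no information about x.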

Page 9:

Interpretations of the Goldreich-Levin Theorem

• A tool for constructing pseudo-random generators
• A mechanism for translating `general confusion' into randomness (the main part of the proof)
  – Diffie-Hellman example
• List decoding of Hadamard Codes
  – works in the other direction as well (for any code with good list decoding)
  – List decoding, as opposed to unique decoding, allows getting much closer to distance
• `Explains' unique decoding when prediction was 3/4+ε
• Finding all linear functions agreeing with a function given in a black-box
  – Learning all Fourier coefficients larger than ε
• If the Fourier coefficients are concentrated on a small set – can find them
  – True for AC0 circuits
  – Decision Trees

Page 10:

Composing PRGs

Composition: let
• g1 be an (ℓ1, ℓ2)-pseudo-random generator
• g2 be an (ℓ2, ℓ3)-pseudo-random generator
Consider g(x) = g2(g1(x))

Claim: g is an (ℓ1, ℓ3)-pseudo-random generator
Proof: consider three distributions on {0,1}^ℓ3
– D1: y uniform in {0,1}^ℓ3
– D2: y = g(x) for x uniform in {0,1}^ℓ1
– D3: y = g2(z) for z uniform in {0,1}^ℓ2

Suppose (towards a contradiction) there is a distinguisher A between D1 and D2. By the triangle inequality, A must either
– distinguish between D1 and D3 – can use A to distinguish g2
or
– distinguish between D2 and D3 – can use A to distinguish g1

[Figure: g1 maps {0,1}^ℓ1 to {0,1}^ℓ2 and g2 maps {0,1}^ℓ2 to {0,1}^ℓ3; the three distributions are compared via the triangle inequality]

Page 11:

Composing PRGs

When composing
• a generator secure against advantage ε1
and
• a generator secure against advantage ε2
we get security against advantage ε1+ε2

When composing the single bit expansion generator n times: loss in security ε/n

Hybrid argument: to prove that two distributions D and D' are indistinguishable, suggest a collection of distributions D = D0, D1, …, Dk = D' such that if D and D' can be distinguished, there is a pair Di and Di+1 that can be distinguished.
A difference of ε between D and D' means a difference of ε/k between some Di and Di+1. Use such a distinguisher to derive a contradiction.
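Written out in the page's notation (added here, not part of the slides), the triangle-inequality step that both the composition claim of slide 10 and the hybrid argument rest on:

```
Let p_i = Prob[A='0' | Di].

Composition (slide 10, with D3 = g2 applied to a uniform seed):

  |p_1 - p_2| = |(p_1 - p_3) + (p_3 - p_2)| ≤ |p_1 - p_3| + |p_3 - p_2|

D1 vs D3 is "uniform vs g2(uniform)", bounded by ε2 since g2 is secure;
D3 vs D2 is "g2(uniform) vs g2(g1(x))", bounded by ε1 since running g2 on
g1's output turns A into a distinguisher for g1.  Hence |p_1 - p_2| ≤ ε1 + ε2.

Hybrids D = D0, D1, …, Dk = D':

  ε ≤ |p_0 - p_k| = |∑_{i=0}^{k-1} (p_i - p_{i+1})| ≤ ∑_{i=0}^{k-1} |p_i - p_{i+1}|

A sum of k non-negative terms that reaches ε has a term of size at least ε/k,
so some pair Di, Di+1 is distinguished with advantage ≥ ε/k.
```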

Page 12:

Homework

• Let {Dn} and {D'n} be two distributions that are
  – Computationally indistinguishable
  – Polynomial time samplable
• Suppose that {y1, …, ym} are all sampled according to {Dn} or all are sampled according to {D'n}
• Prove: no probabilistic polynomial time machine can tell, given {y1, …, ym}, whether they were sampled from {Dn} or {D'n}

Page 13:

Next-bit Test

Definition: a function g:{0,1}* → {0,1}* is said to pass the next-bit test if
• It is polynomial time computable
• It stretches the input: |g(x)| > |x|
  – denote by ℓ(n) the length of the output on inputs of length n
• If the input (seed) is random, then the output passes the next-bit test:
  for any prefix length 0 ≤ i < ℓ(n), for any probabilistic polynomial time adversary A that receives the first i bits of y = g(x) and tries to guess the next bit, for any polynomial p(n) and sufficiently large n

|Prob[A(y1, y2, …, yi) = yi+1] – 1/2| < 1/p(n)

Theorem: a function g:{0,1}* → {0,1}* passes the next-bit test if and only if it is a pseudo-random generator

Page 14:

Existence of PRGs

What we have proved:
Theorem: if pseudo-random generators stretching by a single bit exist, then pseudo-random generators stretching by any polynomial factor exist
Theorem: if one-way permutations exist, then pseudo-random generators exist

A harder theorem to prove:
Theorem [HILL]: if one-way functions exist, then pseudo-random generators exist

Homework: show that if pseudo-random generators exist, then one-way functions exist

Page 15:

Pseudo-Random Generators: concrete version

Gn: {0,1}^m → {0,1}^n

A cryptographically strong pseudo-random sequence generator - if it passes all polynomial time statistical tests

(t,ε)-pseudo-random - no test T running in time t can distinguish with advantage ε

Page 16:

Three Basic issues in cryptography

• Identification
• Authentication
• Encryption
Solve in a shared key environment

[Figure: two parties, each holding the shared key S]

Page 17:

Identification - Remote login using pseudo-random sequence

A and B share key S ∈ {0,1}^k

In order for A to identify itself to B:
• Generate sequence Gn(S)
• For each identification session - send next block of Gn(S)

[Figure: G expands the seed S into the block sequence Gn(S)]

Page 18:

Problems...

• More than two parties
• Malicious adversaries - add noise
• Coordinating the location (block number)
• Better approach: Challenge-Response

Page 19:

Challenge-Response Protocol

• B selects a random location and sends it to A
• A sends the value at that random location

What's this?

Page 20:

Desired Properties

• Very long string - prevent repetitions
• Random access to the sequence
• Unpredictability - cannot guess the value at a random location
  – even after seeing values at many parts of the string of the adversary's choice
  – Pseudo-randomness implies unpredictability
• Not the other way around for blocks

Page 21:

Authenticating Messages

• A wants to send message M ∈ {0,1}^n to B
• B should be confident that A is indeed the sender of M

One-time application: S = (a,b) where a,b ∈_R {0,1}^n
To authenticate M: supply a·M ⊕ b
Computation is done in GF[2^n]

Page 22:

Problems and Solutions

• Problems - same as for identification
• If a very long random string is available -
  – can use it for one-time authentication
  – Works even if only random looking

[Figure: the pair (a,b) is taken from the long string - "Use this!"]

Page 23:

Encryption of Messages

• A wants to send message M ∈ {0,1}^n to B
• Only B should be able to learn M

One-time application: S = a where a ∈_R {0,1}^n
To encrypt M send a ⊕ M

Page 24:

Encryption of Messages

• If a very long random looking string is available -
  – can use it as in one-time encryption

[Figure: the pad a is taken from the long string - "Use this!"]

Page 25:

Pseudo-random Functions

Concrete Treatment: F: {0,1}^k × {0,1}^n → {0,1}^m
                        (key)    (Domain)   (Range)

Denote Y = FS(X)

A family of functions Fk = {FS | S ∈ {0,1}^k} is (t,ε,q)-pseudo-random if it is
• Efficiently computable - random access and...

Page 26:

(t,ε,q)-pseudo-random

The tester A can choose adaptively
– X1 and get Y1 = FS(X1)
– X2 and get Y2 = FS(X2)
…
– Xq and get Yq = FS(Xq)

• Then A has to decide whether
  – FS ∈_R Fk   or
  – FS ∈_R R_{n→m} = {F | F: {0,1}^n → {0,1}^m}

Page 27:

(t,ε,q)-pseudo-random

For a function F chosen at random from
(1) Fk = {FS | S ∈ {0,1}^k}
(2) R_{n→m} = {F | F: {0,1}^n → {0,1}^m}

For all t-time machines A that choose q locations and try to distinguish (1) from (2):

|Prob[A='1' | F ∈_R Fk] - Prob[A='1' | F ∈_R R_{n→m}]| < ε

Page 28:

Equivalent/Non-Equivalent Definitions

• Instead of the next-bit test: for X ∉ {X1, X2, …, Xq} chosen by A, decide whether the given Y is
  – Y = FS(X) or
  – Y ∈_R {0,1}^m
• Adaptive vs. Non-adaptive
• Unpredictability vs. pseudo-randomness
• A pseudo-random sequence generator g: {0,1}^m → {0,1}^n is a pseudo-random function on the small domain {0,1}^(log n) → {0,1} with key in {0,1}^m
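Added Python example (not the lecture's code) tying the three shared-key applications of slides 17-24 to the pseudo-random function of slides 25-27: challenge-response identification with FS(X), the one-time MAC a·M ⊕ b in GF[2^n] with (a,b) drawn from the pseudo-random sequence, and one-time-pad encryption. Assumptions: HMAC-SHA256 truncated to 128 bits stands in for FS, the GF[2^128] reduction polynomial is the standard x^128 + x^7 + x^2 + x + 1, and the counter ctr never repeats under one key.

```python
import hmac, hashlib, secrets

N = 128                    # block length n (assumption: 128-bit blocks)
POLY = (1 << 128) | 0x87   # x^128 + x^7 + x^2 + x + 1, reduction polynomial for GF[2^128]

def gf_mul(a, b):
    """Multiplication in GF[2^n]: shift-and-add (carry-less), reducing by POLY."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return res

def F(S, X):
    """Stand-in for the PRF FS(X) (assumption: HMAC-SHA256 truncated to n bits, not the
    lecture's construction). Gives random access into a 'very long' pseudo-random string."""
    return hmac.new(S, X, hashlib.sha256).digest()[:N // 8]

# Identification (slide 19): B sends a fresh random location X, A replies with FS(X).
def challenge():
    return secrets.token_bytes(16)

def respond(S, X):
    return F(S, X)

def verify_response(S, X, Y):
    return hmac.compare_digest(Y, F(S, X))

# Authentication (slides 21-22): one-time MAC a*M + b over GF[2^n], with the pair (a,b)
# read from the sequence at positions derived from a never-repeating counter ctr.
def mac(S, ctr, M):
    a = int.from_bytes(F(S, b"mac-a" + ctr), "big")
    b = int.from_bytes(F(S, b"mac-b" + ctr), "big")
    return gf_mul(a, M) ^ b            # M is an n-bit message as an integer

def verify_mac(S, ctr, M, tag):
    return hmac.compare_digest(tag.to_bytes(N // 8, "big"), mac(S, ctr, M).to_bytes(N // 8, "big"))

# Encryption (slides 23-24): one-time pad with the block at position ("enc", ctr).
def encrypt(S, ctr, M):
    return M ^ int.from_bytes(F(S, b"enc" + ctr), "big")

decrypt = encrypt   # XOR with the same pad block undoes it
```

Reusing ctr under the same key hands out the same (a,b) and the same pad block twice, which is exactly what "one-time" forbids; the counter, not the key, is what has to be coordinated between A and B.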