Foundations of Cryptography
Version 1
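$\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] = \Pr[\mathrm{Break}_f(f(U_n)) = U_n] = \sum_{x \in \{0,1\}^n} \frac{1}{2^n} \Pr[\mathrm{Break}_f(f(x)) = x]$
(The $U_n$ on both sides of the equals sign is the same one.)
This formula has a serious problem: it makes it very easy to construct an "OWF" that cannot be inverted not because inversion is hard, but because there is not enough time to do it. Letting $|f(x)| = O(\log|x|)$ for all $x \in \{0,1\}^*$ satisfies the condition the formula requires, but such a function is not hard, and it does not fit condition 1 of the OWF requirement, the prob. poly-time algorithm.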
Two trivial inverting algorithms
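Quick pick: "$\mathrm{Break}_f$ = blind guess" (a different number each time)
Winning probability:
$\Pr[f(\mathrm{Guess}(f(U_n), 1^n)) = f(U_n)] = \Pr[f(U_n') = f(U_n)] = \sum_{y \in \{0,1\}^m} \Pr[f(U_n) = y] \cdot \Pr[f(U_n') = y] = \sum_{y \in \{0,1\}^m} (\Pr[f(U_n) = y])^2 \ge \frac{1}{2^m}$
where $m = \max |f(x)|$, $x \in \{0,1\}^n$, using $\sum_{i=1}^{2^m} a_i = 1$, $\sum_{i=1}^{2^m} a_i^2 \ge \frac{1}{2^m}$.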
Weakly OWF
Part I : One way function
Last time
One way function
[Diagram: OWF f. x → f(x): EASY, f(x) ∈ P. f(x) → x: HARD, f^{-1} ∉ BPP.]
Consider the OWF condition "$f^{-1} \notin \mathrm{BPP}$". BPP:
Polynomial time
Success prob. ≥ ⅔
Part II : Weakly OWF
Weakly OWF
Weakly OWF definition: A function $f: \{0,1\}^* \to \{0,1\}^*$ is weakly one-way if
1. $f \in P$ [easy to evaluate]
2. ≈ $f^{-1} \notin \mathrm{BPP}$ [slightly hard to invert]
∃ a polynomial P( ), s.t. ∀ (1) prob. poly-time algorithm "$\mathrm{Break}_f$" and (2) sufficiently large n, we have
$\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] < 1 - \frac{1}{P(n)}$
Which has the higher winning probability, the quick pick or the fixed tip?
If $m = n$, then $1/2^m = 1/2^n$.
If $m \ge n$, then $1/2^m \le 1/2^n$.
If $m \le n$, then $1/2^m \ge 1/2^n$.
Ask more about f
Can we ask more about f for the def of OWF?
Foundations of Cryptography
呂學一 (Institute of Information Science, Academia Sinica) http://www.iis.sinica.edu.tw/~hil/
Today
One way function
Last time
OWF definition
Three versions
Two trivial inverting algorithms
Ask more about f
Two trivial inverting algorithms
Fixed tip: "$\mathrm{Break}_f$ = fixed tip" (guess the same number every time)
Winning probability:
$\Pr[f(\mathrm{Tip}(f(U_n), 1^n)) = f(U_n)] = \Pr[f(0^n) = f(U_n)] \ge \frac{1}{2^n}$
In plain words: the three requirements on an OWF above do not affect the generality of OWFs.
Lemma
Lemma: If there exists an OWF f, then there exists a length-regular OWF g.
In plain words: additionally requiring an OWF to be length-regular does not make the existence of OWFs any harder.
Proof: since f is one-way, there exists a polynomial P( ) such that $|f(x)| \le P(|x|)$, ∀ x. Let $g: \{0,1\}^* \to \{0,1\}^*$ be as follows:
$g(x) = f(x)\,1\,0^{P(|x|)-|f(x)|}$
OWF definition
OWF definition: A function $f: \{0,1\}^* \to \{0,1\}^*$ is (strongly) one-way if
1. $f \in P$ [easy to evaluate]
2. ≈ $f^{-1} \notin \mathrm{BPP}$ [hard to invert]
In plain words: any probabilistic poly-time algorithm for inverting f has negligible success probability.
Conclusion: If there exists an OWF f, then there exists a length-regular OWF g.
Proof Q2
Assume there is an inverting algorithm $\mathrm{Break}_g$ for g, i.e. $\Pr[g(\mathrm{Break}_g(g(U_n), 1^n)) = g(U_n)]$ is sufficiently large.
Def: $\mathrm{Break}_f(f(x), 1^n)$
OWF definition
For any
1. prob. poly-time algorithm "$\mathrm{Break}_f$"
2. polynomial P( )
3. sufficiently large n,
we have $\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] < \frac{1}{P(n)}$
PS. $U_n$ is an arbitrary string of length n.
Strongly OWF = weakly OWF?
Lemma: If there is a weak/strong OWF f, then there is a weak OWF g that is not strongly one-way.
Strongly OWF ≠ weakly OWF
Example: g is not strong, but it is weak.
$g(px) = px$ if the $\log_2|x|$-bit prefix of p is not all zero,
$g(px) = p\,f(x)$ otherwise.
Q: Is the condition success prob. ≥ ⅔ too low a requirement?
Ans: No! If the success probability is $1/n$, then the failure probability is $1 - 1/n$, and $(1 - 1/n)^n < 1/e$ ∀ n ≥ 1. So after time 2n the failure probability is less than $(1/e)^2 < ⅓$, and therefore this requirement is not too low.
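Step 1: compute $g(x) = f(x)\,1\,0^{P(|x|)-|f(x)|}$
Step 2: call $\mathrm{Break}_g(g(x), 1^n)$, return the output of $\mathrm{Break}_g$
Therefore $g^{-1} \notin \mathrm{BPP}$.
By Obs2, if $g(x) = g(x')$ then $f(x) = f(x')$, so we know that
$\Pr[f(\mathrm{Break}_f(f(U_n), 1^n)) = f(U_n)] \ge \Pr[g(\mathrm{Break}_g(g(U_n), 1^n)) = g(U_n)]$
Because $f^{-1} \notin \mathrm{BPP}$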
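The padding g and the reduction from Break_g to Break_f used in this proof, as an added example that is not part of the original slides. The names toy_f, P, unpad, break_g, break_f and check are assumptions made for illustration; toy_f is not one-way (it only has variable-length output), and break_g is a brute-force stand-in for a hypothetical inverter.

```python
from itertools import product

def P(n: int) -> int:
    """Assumed polynomial bound with |f(x)| <= P(|x|)."""
    return n

def toy_f(x: str) -> str:
    """Toy variable-length function on bit strings (NOT one-way): strip leading zeros."""
    return x.lstrip("0")

def g(x: str) -> str:
    """g(x) = f(x) 1 0^{P(|x|) - |f(x)|}."""
    y = toy_f(x)
    return y + "1" + "0" * (P(len(x)) - len(y))

def unpad(z: str) -> str:
    """Recover f(x) from g(x): drop the trailing zeros, then the marker 1."""
    return z.rstrip("0")[:-1]

def break_g(z: str, n: int):
    """Stand-in inverter for g: exhaustive search over {0,1}^n (exponential time)."""
    for bits in product("01", repeat=n):
        x = "".join(bits)
        if g(x) == z:
            return x
    return None

def break_f(y: str, n: int):
    """Reduction from the proof. Step 1: pad f(x) to g(x). Step 2: call break_g."""
    z = y + "1" + "0" * (P(n) - len(y))
    return break_g(z, n)

def check(n: int):
    xs = ["".join(b) for b in product("01", repeat=n)]
    # Observation 1: every g(x) with |x| = n has length 1 + P(n).
    regular = {len(g(x)) for x in xs} == {1 + P(n)}
    # Observation 2: g(x) determines f(x), so g(x) = g(x') implies f(x) = f(x').
    obs2 = all(unpad(g(x)) == toy_f(x) for x in xs)
    # Whenever break_g succeeds on g(x), break_f succeeds on f(x).
    reduction = all(toy_f(break_f(toy_f(x), n)) == toy_f(x) for x in xs)
    return regular, obs2, reduction

if __name__ == "__main__":
    print(g("010"), check(3))
```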
Observation
Observation 1:
g( ) is length-regular, because $|g(x)| = 1 + P(|x|)$
Observation 2:
If $|x| = |x'|$ and $g(x) = g(x')$ then $f(x) = f(x')$. Since $g(x)$ and $g(x')$ are equal, aligning the 1 in the two strings shows that $f(x) = f(x')$.
Proof lemma
Q1: g is easy to evaluate?
Yes! Because f is easy to evaluate.
Q2: $g^{-1}$ is hard to evaluate? (Is it hard to invert g?)
Yes! Because f is hard to invert. Proof way: $f^{-1} \notin \mathrm{BPP} \Rightarrow g^{-1} \notin \mathrm{BPP}$
Version 2 & 3
To fix the problem with Version 1, Version 2 was introduced:
$\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] = \Pr[\mathrm{Break}_f(f(U_n), 1^n) = U_n]$
But the one actually used is Version 3, as follows:
$\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] = \Pr[f(\mathrm{Break}_f(f(U_n), 1^n)) = f(U_n)]$
Length regular
If |x|=|x'|, then |f(x)|=|f(x')|
Length preserving
|f(x)|=|x|, ∀ x
Defined only for some length
f(x) is defined only if |x| ∈ I ⊆ N