Pseudo random Number generators Flashcards
If families of UOWHF exist
then signature schemes existentially unforgeable under adaptive chosen message attacks exist
If one-way permutations exist
then signature schemes existentially unforgeable under adaptive chosen message attacks exist.
If one-time public-key identification is possible (equivalent to existence of one-way functions)
then signature schemes existentially unforgeable under adaptive chosen message attacks exist.
Trapdoor function
In theoretical computer science and cryptography, a trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the “trapdoor”. Trapdoor functions are a special case of one-way functions and are widely used in public-key cryptography.
Pseudo-random generators
Definition: a function g:{0,1}* → {0,1}* is said to be a (cryptographic) pseudo-random generator if
It is polynomial time computable
It stretches the input |g(x)|>|x|
If the input (seed) is random, then the output is indistinguishable from random
Hardcore Predicate
Definition: for f:{0,1}* → {0,1}* we say that h:{0,1}* → {0,1} is a hardcore predicate for f if:
h is polynomial time computable
For any probabilistic polynomial time adversary A that receives input y=f(x) and tries to compute h(x) for any polynomial p(n) and sufficiently large n
|Prob[A(y)=h(x)] - 1/2| < 1/p(n)
where the probability is over the choice x and the random coins of A
Sources of hardcoreness:
not enough information about x
not of interest for generating pseudo-randomness
enough information about x but hard to compute it
Hardcore Predicate Layman’s definition
Recall that f(x) does not necessarily hide everything about x even if f is a one-way function. E.g. if f is the RSA function then it preserves the Jacobi symbol of x, and if f is the discrete logarithm function EXP then it is easy to compute the least significant bit of x from f(x) by a simple Legendre symbol calculation. Yet, it seems likely that there is at least one bit about x which is hard to “guess” from f(x), given that x in its entirety is hard to compute. The question is: can we point to specific bits of x which are hard to compute, and how hard to compute are they. The answer is encouraging. A number of results are known which give a particular bit of x which is hard to guess given f(x) for some particular f’s such as RSA and the discrete logarithm function. We will survey these results in subsequent sections.
More generally, we call a predicate about x which is impossible to compute from f(x) better than guessing it at random a hard-core predicate for f.
Hybrid argument - show pseudo randomness
To prove that two distributions D and D’ are indistinguishable:
suggest a collection of distributions
D= D0, D1,… Dk =D’
If D and D’ can be distinguished, then there is a pair Di and Di+1 that can be distinguished.
Advantage ε in distinguishing between D and D’ means advantage ε/k between some Di and Di+1
Use a distinguisher for the pair Di and Di+1 to derive a contradiction
Next-bit Test - show pseudorandomness
Definition: a function g:{0,1}* → {0,1}* is said to pass the next bit test if:
It is polynomial time computable
It stretches the input |g(x)|>|x|
denote by ℓ(n) the length of the output on inputs of length n
If the input (seed) is random, then the output passes the next-bit test
For any prefix 0≤ i< ℓ(n), for any probabilistic polynomial time adversary A that is a predictor: receives the first i bits of y= g(x) and tries to guess the next bit, for any polynomial p(n) and sufficiently large n
|Prob[A(y1,y2,…, yi) = yi+1] – 1/2 | < 1/p(n)
Theorem: a function g:{0,1}* → {0,1}* passes the next bit test if
and only if it is a pseudo-random generator
Components of a Signature Scheme
- public and private key
- Signing algorith,, given a message m Alice can produce signature s
- anyone who is given Alice’s public key and the (message, signature) can verify it.
- all algorithms should be polynomial time
Single bit expansion
-Let f:{0,1}^n → {0,1}^n be a one-way permutation
-Let h:{0,1}^n → {0,1} be a hardcore predicate for f
Consider g:{0,1}n → {0,1}n+1 where
g(x)=(f(x), h(x))
Claim: g is a pseudo-random generator
Proof: can use a distinguisher for g to guess h(x)
Theorem Hill
if one-way functions exist, then pseudo-random generators exist.
Goldreich Levin Theorem
It is clear that if a one-to-one function has a hard-core predicate, then it must be one way.
Oded Goldreich and Leonid Levin (1989) showed how every one-way function can be trivially modified to obtain a one-way function that has a specific hard-core predicate.[5] Let f be a one-way function. Define g(x,r) = (f(x), r) where the length of r is the same as that of x. Let xj denote the jth bit of x and rj the jth bit of r. Then
b(x,r):=dotproduct(x,r)=xor_j x_{j}r_{j}}b(x,r):=dotproduct(x,r) =xor_j x_{j}r_{j}}
is a hard core predicate of g.
one way functions imply
p not equal np
all imply both ways
Universal one way hash function <=> Signature Schemes<=> one way functions <=> Pseudo random number generators <=> two gaurd indentification problem
