Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems. M. Bellare, S. Halevi, A. Sahai, S. Vadhan. Introduction: a one-way function is easy to compute and hard to invert; a trapdoor function is a one-way function that is hard to invert, but easy to invert with the trapdoor.


Presentation Transcript


  1. Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems. M. Bellare, S. Halevi, A. Sahai, S. Vadhan

  2. Introduction
     • One-way function
       - Easy to compute, hard to invert
     • Trapdoor function
       - One-way function
       - Hard to invert; but with trapdoor, easy to invert.
     • Injective (one-to-one) trapdoor function suffices for a public key cryptosystem. (Proved by Yao)
     • Injectivity can guarantee the unique decryption

  3. Several questions arise
     • What’s the relationship between one-way functions and trapdoor functions?
       - Does a one-way function imply a trapdoor function?
     • Does a public key cryptosystem require an injective trapdoor function?
       - Is a non-injective trapdoor function able to construct a public key cryptosystem?
       - If yes, what is the domain size of such a non-injective trapdoor function?

  4. Definitions:
     • PPT: probabilistic, polynomial time
     • x||y: concatenation of two strings x and y
     • x S: select an element from the set S.
     • Pre-images of y under a function f: $f^{-1}(y) = \{x \in \mathrm{Dom}(f) : f(x) = y\}$.
     • Injective: a function is said to be injective if Dom(f) = Range(f).
     • One-wayness: a function is said to be one-way if $\mathrm{InvProb}_f(I, k)$ is negligible for any PPT algorithm I.

  5. Trapdoorness:
     • A function f is said to be trapdoor if, knowing “trapdoor information” tp, one can invert f.
     • Formally, there exists a PPT algorithm F-Inv(f, tp, y) which, for all $y \in \mathrm{Range}(f)$, outputs an element of $f^{-1}(y)$ with probability 1.
     Predicate:
     • A probabilistic function p with domain {0,1}: it takes a bit b and flips coins r to generate some output y = p(b; r).
     Decryption error (k) of a predicate:
     • If there exists a PPT algorithm P-Inv which, knowing the trapdoor, fails to decrypt only with probability:
     • is at most (k)

  6. From one-way functions to trapdoor functions
     • Theorem: Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions.
     • Proof: Given a family of one-way functions, construct a family of trapdoor one-way functions.
     • Given f, we construct a g which “mimics” f but embeds a trapdoor.
     •  = f(), where  is trapdoor of g, and  is the image of the trapdoor  under f.
     • Is g a one-way trapdoor function?
       - If knowing , a pre-image of z under g is (z, , ). So, knowing the trapdoor, one can invert g: g is a trapdoor function.
       - Without knowing, can we invert g?
       - If g(y, x, v) = z then either f(v) = z or f(x) =  . Calculating $g^{-1}(z)$ requires inverting f at either z or , both of which are hard by the one-wayness of f.
       - g is a one-way function.
     • g is a one-way trapdoor function.

  7. Does a public key cryptosystem require an injective trapdoor function?
     • Unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent.
     • So the question becomes whether unapproximable trapdoor predicates imply injective trapdoor functions.

  8. From trapdoor functions to cryptosystem
     • Theorem: If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error.
     • Proof: Given a trapdoor one-way function F, construct an unapproximable family of trapdoor predicates P with decryption error ½ - 1/poly(k), and reduce the decryption error by repetition to get the family claimed in the theorem.

  9. Claim: p is an unapproximable trapdoor predicate family, with decryption error at most ½ - 1/[2Q(k)]
     • The output of p is (f(x), r, )
     • b =   (xr)
     • x’ = F-Inv(f, tp, y) and b’ =   (x’r)
     • Since f is not an injective function, even with tp, x’ may not be equal to x.
     • If x’ = x, then b’ = b.
     • If x’ ≠ x, then b’ = b with probability at most ½, since r is randomly chosen. The chance that x = x’ is at least 1/Q(k) (the size of the pre-image of f is Q(k)).
     • So

  10. To prove the theorem, we need a predicate with exponentially small decryption error.
     • The predicate is constructed as
     • A polynomial number of p(b) are concatenated to form the final predicate.
     • To decrypt b with tp, let bi’ = P-Inv(p, tp, (yi, ri, i)). It outputs b’, which is 1 if the majority of the bi’ are 1 and 0 otherwise.
     • bi’ has decryption error ½ - 1/[2Q(k)]; b has exponentially small decryption error.

  11. Several known results so far.
     • Existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption.
     • Injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates.
     Question
     • Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions?
     • If it is possible to implement, using one-way functions, a function G with “sufficiently strong randomness properties” to maintain the security of this scheme, then the question would have a positive answer.

  12. To go from a predicate to a function, we need de-randomization, while maintaining the one-wayness of the function.
     • Method 1:
       - It is one-way [Yao]. However, it is not a trapdoor function, because even with the trapdoor information, we cannot recover r1, r2, …, rk.
     • Method 2:
       - Where G is a pseudo-random generator.
       - It is proved that f is not one-way either.

  13. Method 3: Use a truly random function G, i.e., a random oracle.
     • To invert f, we need to invert p(b1; r1), p(b2; r2), …, p(bk; rk).
     • Even knowing r1, r2, r3, …, rk, since G is a truly random generator, b1, b2, …, bk are totally independent of r1, r2, r3, …, rk. And each p is unapproximable, so f is a one-way function.
     • Theorem: If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model.

  14. Conclusion
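
The construction on slide 6, as an added example that is not part of the presentation. The slide's definition of g did not survive, so this code assumes one consistent with its two stated properties (g outputs y when x is the trapdoor, otherwise f(v)); SHA-256 stands in for the one-way function f, and all names are illustrative.

```python
import hashlib
import os

def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()

def keygen(n: int = 32):
    """Sample a trapdoor and publish its image under f as g's description."""
    trapdoor = os.urandom(n)
    return f(trapdoor), trapdoor          # (image, trapdoor)

def g(image: bytes, y: bytes, x: bytes, v: bytes) -> bytes:
    """Assumed definition: output y when x opens the trapdoor, else mimic f on v."""
    return y if f(x) == image else f(v)

def g_invert(trapdoor: bytes, z: bytes, v: bytes = b""):
    """With the trapdoor, (z, trapdoor, v) is a pre-image of z for every v."""
    return (z, trapdoor, v)

def demo():
    image, trapdoor = keygen()
    z = f(b"some point in the range")     # constructed target value
    pre1 = g_invert(trapdoor, z, b"v1")
    pre2 = g_invert(trapdoor, z, b"v2")   # a different pre-image of the same z
    # An evaluator without the trapdoor picks x at random, so g falls back to f(v).
    honest = g(image, os.urandom(32), os.urandom(32), b"v")
    return {
        "inverts": g(image, *pre1) == z and g(image, *pre2) == z,
        "many_to_one": pre1 != pre2,
        "mimics_f": honest == f(b"v"),
    }

if __name__ == "__main__":
    print(demo())
```

Because v is unconstrained once x opens the trapdoor, every z has as many pre-images as there are values of v, which is why this g cannot be used directly where bounded pre-image size (slide 8) is required.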
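
The decryption-error argument of slides 9 and 10, run as an added example that is not part of the presentation. It assumes the masked bit is b XOR the inner product of x and r (the slide's symbols did not survive), and uses a toy f that drops the two low bits (Q = 4), which is many-to-one but not one-way; all names are illustrative.

```python
import random
from math import comb

N_BITS, DROP = 16, 2       # toy sizes (constructed)
Q = 1 << DROP              # every image of f has exactly Q pre-images

def f(x):
    """Toy many-to-one function: forget the low DROP bits. NOT one-way."""
    return x >> DROP

def f_inv(y, rng):
    """Stand-in for F-Inv: returns some pre-image of y, not necessarily the sender's x."""
    return (y << DROP) | rng.randrange(Q)

def dot(x, r):
    """Inner product of the bit strings x and r, modulo 2."""
    return bin(x & r).count("1") & 1

def p(b, rng):
    """Predicate: mask b with the inner-product bit of fresh random x and r."""
    x, r = rng.getrandbits(N_BITS), rng.getrandbits(N_BITS)
    return f(x), r, b ^ dot(x, r)

def p_inv(c, rng):
    """Decrypt one copy: unmask with whatever pre-image F-Inv returns."""
    y, r, masked = c
    return masked ^ dot(f_inv(y, rng), r)

def encrypt(b, n, rng):
    return [p(b, rng) for _ in range(n)]

def decrypt(copies, rng):
    """Majority vote over the per-copy decryptions (use odd n to avoid ties)."""
    ones = sum(p_inv(c, rng) for c in copies)
    return int(2 * ones > len(copies))

def majority_error(n, e=0.5 - 1 / (2 * Q)):
    """Exact probability that more than half of n independent copies are wrong."""
    return sum(comb(n, k) * e**k * (1 - e)**(n - k)
               for k in range(n // 2 + 1, n + 1))

def measured_error(n, trials, seed=1):
    """Empirical decryption error of the n-copy predicate."""
    rng = random.Random(seed)
    bad = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        bad += decrypt(encrypt(b, n, rng), rng) != b
    return bad / trials
```

With Q = 4 a single copy is wrong with probability ½ - 1/8 = 0.375, matching the bound on slide 9, while `majority_error(401)` is already below 10⁻⁵.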
