
# Foundations of Cryptography


http://www.iis.sinica.edu.tw/~hil/

Today
• Three questions (assumption: $\exists$ a weakly OWF f, and f is length preserving)
• Q1: All OWFs are strong? (i.e., could it be that f is a strong OWF ↔ f is a weakly OWF?)
• Q2: All OWFs are weak? (i.e., could it be that no strong OWF exists, only weakly OWFs?)
• Q3: Universal OWF?
Strong OW vs. weakly OW
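• Strong one-way f:
• $\forall$ polynomial $P(\cdot)$, $\forall\,\mathrm{Break}_f$: $\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] < 1/P(n)$
• Weakly one-way f:
• $\exists$ polynomial $P(\cdot)$, $\forall\,\mathrm{Break}_f$: $\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] < 1 - 1/P(n)$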
Part I : Three questions-Q1

All OWFs are strong?

Ans to Q1
• Ans to Q1: There exists a weakly one-way function g, that is not strongly one-way.
• First define g, then prove that g is a weakly one-way function but not a strongly one-way function. The proof has two parts:
• Claim 1: g is not strongly one-way.
• Claim 2: g is still weakly one-way.
Definition
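• Def: A string z is a zero-prefixed string if the first $\log_2|z|$ bits of z are all zero.
• Q: How many zero-prefixed strings are there in $\{0,1\}^n$? Ans: $2^n/n$
• Def: For any string zx with |z| = |x|, let

$$g(zx) = \begin{cases} z\,f(x), & \text{if } z \text{ is a zero-prefixed string} \\ zx, & \text{otherwise} \end{cases}$$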

Proof: Claim 1
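• Idea: In g(zx), if z is not a zero-prefixed string then input = output, so let $\mathrm{Break}_{ID}(y) = y$.
• $\Pr[\mathrm{Break}_{ID} \text{ inverts } g(U_{2n})]$

$$\begin{aligned}
&= \Pr[\,g(\mathrm{Break}_{ID}(g(U_{2n}))) = g(U_{2n})\,] \\
&= \Pr[\,g(g(U_{2n})) = g(U_{2n})\,] \\
&\ge 1 - \tfrac{1}{n} \ge \tfrac{1}{n}
\end{aligned}$$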
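The construction of g and the identity inverter from Claim 1, checked exhaustively for n = 8 (an added example, not part of the original slides). The function `f` is a stand-in built from SHA-256 so that the code runs; it is an assumption and makes no one-wayness claim at this size.

```python
import hashlib

N = 8                          # |z| = |x| = N bits, so g acts on 2N-bit strings
PREFIX = N.bit_length() - 1    # log2(N) = 3 leading bits must be zero

def f(x: int) -> int:
    """Stand-in length-preserving function on N bits (assumption, not from the slides)."""
    return hashlib.sha256(bytes([x])).digest()[0]

def is_zero_prefixed(z: int) -> bool:
    """True if the first log2|z| bits of the N-bit string z are all zero."""
    return z >> (N - PREFIX) == 0

def g(zx: int) -> int:
    """g(zx) = z f(x) if z is zero-prefixed, zx otherwise."""
    z, x = zx >> N, zx & ((1 << N) - 1)
    if is_zero_prefixed(z):
        return (z << N) | f(x)
    return zx

def break_id(y: int) -> int:
    """The identity inverter from Claim 1: return the challenge unchanged."""
    return y

def count_zero_prefixed() -> int:
    """Number of zero-prefixed strings in {0,1}^N (the slides give 2^N / N)."""
    return sum(is_zero_prefixed(z) for z in range(1 << N))

def break_id_success() -> float:
    """Exact Pr[g(break_id(g(U_2N))) = g(U_2N)] over all 2^(2N) inputs."""
    total = 1 << (2 * N)
    hits = sum(g(break_id(g(zx))) == g(zx) for zx in range(total))
    return hits / total

if __name__ == "__main__":
    print("zero-prefixed strings:", count_zero_prefixed(), "expected", 2**N // N)
    print("identity inverter success:", break_id_success(), "bound", 1 - 1 / N)
```

The success probability is at least 1 - 1/n because every input whose first half is not zero-prefixed is a fixed point of g.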

Proof: Claim 2
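• Recall:

$$\Pr[A \mid B] = \frac{\Pr[A \cap B]}{\Pr[B]} \ge \frac{\Pr[A] - \Pr[\lnot B]}{\Pr[B]}$$

• Idea: Proof by contradiction: assume g is not weakly one-way and derive that neither is f.
• "g is not weakly one-way" can be written as: $\forall$ polynomial $p(\cdot)$, $\exists\,\mathrm{Break}_g^{p}$ s.t. $\Pr[\mathrm{Break}_g^{p} \text{ inverts } g(U_{2n})] \ge 1 - 1/p(2n)$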
Proof: Claim 2
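• Define $\mathrm{Break}_f^{p}(y)$ as follows:
• Uniformly select a zero-prefixed string y' with |y'| = |y|
• Let $zx = \mathrm{Break}_g^{p}(y'y)$
• Return x
• Goal: $\forall$ polynomial $q(\cdot)$, $\exists\,\mathrm{Break}_f^{*q}$ s.t. $\Pr[\mathrm{Break}_f^{*q} \text{ inverts } f(U_n)] \ge 1 - 1/q(n)$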
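Proof: Claim 2
• $\forall\, q(\cdot)$, let $p(\cdot)$ be a polynomial with $p(2n)/n \ge q(n)$
• Let $\mathrm{Break}_f^{*q} \equiv \mathrm{Break}_f^{p}$

$$\begin{aligned}
\Pr[\mathrm{Break}_f^{*q} \text{ inverts } f(U_n)] &= \Pr[\mathrm{Break}_f^{p} \text{ inverts } f(U_n)] \\
&\ge \Pr[\mathrm{Break}_g^{p} \text{ inverts } g(U_n' U_n) \mid U_n' \text{ is zero-prefixed}] \\
&\ge \frac{\Pr[\mathrm{Break}_g^{p} \text{ inverts } g(U_n' U_n)] - \Pr[U_n' \text{ is not zero-prefixed}]}{\Pr[U_n' \text{ is zero-prefixed}]} \\
&= n \Pr[\mathrm{Break}_g^{p} \text{ inverts } g(U_n' U_n)] - n + 1 \\
&\ge n - \frac{n}{p(2n)} - n + 1 \ge 1 - \frac{n}{p(2n)} \ge 1 - \frac{1}{q(n)}
\end{aligned}$$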

Definition
• Ans to Q2: There exists a strongly one-way function g, that is not weakly one-way.
• Def: $t(n) = n\,p(n)$
• Def: $g(x_1 x_2 x_3 \ldots x_{t(n)}) = f(x_1)\, f(x_2) \ldots f(x_{t(n)})$
• Input or output length = $n^2 p(n)$ bits
• $|x_1| = |x_2| = |x_3| = \ldots = |x_{t(n)}| = n$
Naïve
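• $\Pr[\mathrm{Break}_g \text{ inverts } g(U_{n^2 p(n)})]$

$$\begin{aligned}
&= \prod_{i=1}^{t(n)} \Pr[\mathrm{Break}_f^{(i)} \text{ inverts } f(U_n^{(i)})] \\
&< \prod_{i=1}^{t(n)} \left(1 - \frac{1}{p(n)}\right) \\
&= \left(1 - \frac{1}{p(n)}\right)^{n p(n)} \\
&< (1/e)^n < (1/2)^n
\end{aligned}$$

• This proof is not rigorous: for the first equality to hold, $g(U_{n^2 p(n)})$ must be split into $f(x_1)\, f(x_2) \ldots f(x_{t(n)})$ and computed piece by piece, but nothing here guarantees that it is computed that way.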
Proof way
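• Approach: Proof by contradiction: first assume g is not a strongly OWF, then derive that f is not a weakly OWF either, which contradicts the premise.
• "g is not strongly one-way" can be written as: $\exists\,\mathrm{Break}_g$ s.t. $\exists$ polynomial $q(\cdot)$, $\Pr[\mathrm{Break}_g \text{ inverts } g(U_{n^2 p(n)})] \ge 1/q(n^2 p(n))$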
Definition
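• Def: $\mathrm{Break}_f(y)$ is as follows: repeat $a(n) = 2n^2 p(n)\, q(n^2 p(n))$ times
• Def: $\mathrm{SmallBreak}_f(y)$:
• For i = 1 to t(n)
• Select uniformly $x_1, x_2, x_3, \ldots, x_{t(n)}$ in $\{0,1\}^n$
• Compute $x_1' x_2' x_3' \ldots x_{t(n)}' = \mathrm{Break}_g(\, f(x_1)\, f(x_2) \ldots f(x_{i-1})\; y\; f(x_{i+1}) \ldots f(x_{t(n)})\,)$
• If $f(x_i') = y$ then output $x_i'$ and halt
• $\mathrm{Break}_f(y)$ = $\mathrm{SmallBreak}_f(y)$ repeated $a(n)$ times
• Def: $\mathrm{Good}_n = \{\, x \in \{0,1\}^n \mid \Pr[f(\mathrm{SmallBreak}_f(f(x))) = f(x)] > n/a(n) \,\}$
• It follows that $\forall x \in \mathrm{Good}_n$,

$$\Pr[\, f(\mathrm{Break}_f(f(x))) = f(x) \,] > 1 - \left(1 - \frac{n}{a(n)}\right)^{a(n)} > 1 - (1/e)^n > 1 - (1/2)^n$$

• Claim: $|\mathrm{Good}_n| > \left(1 - \frac{1}{2p(n)}\right) 2^n$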
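The reduction defined above, run against a constructed black-box inverter for g (an added example, not part of the original slides). `f`, `break_g`, the block count `T = 4` and the repeat count are toy assumptions; `break_g` inverts g on only about a quarter of its inputs, and planting y and repeating turns that into a near-certain inverter for f.

```python
import hashlib
import random

N, T = 8, 4   # block length in bits and number of blocks t(n); toy values

def f(x: int) -> int:
    """Stand-in for f on N-bit strings (assumption): first byte of SHA-256."""
    return hashlib.sha256(bytes([x])).digest()[0]

PREIMAGE = {}                       # lookup table used only inside the toy break_g
for _x in range(1 << N):
    PREIMAGE.setdefault(f(_x), _x)

def g(xs):
    """g(x_1 ... x_T) = f(x_1) ... f(x_T)."""
    return tuple(f(x) for x in xs)

def break_g(ys):
    """Constructed inverter for g that gives up on roughly 3/4 of all inputs."""
    if hashlib.sha256(bytes(ys)).digest()[0] >= 64:
        return (0,) * T
    return tuple(PREIMAGE.get(y, 0) for y in ys)

def small_break_f(y, rng):
    """One pass: plant y at each position i among fresh random f(x_j)."""
    for i in range(T):
        ys = list(g([rng.randrange(1 << N) for _ in range(T)]))
        ys[i] = y
        candidate = break_g(tuple(ys))[i]
        if f(candidate) == y:
            return candidate
    return None

def break_f(y, rng, repeats):
    """Repeat small_break_f; `repeats` plays the role of a(n)."""
    for _ in range(repeats):
        x = small_break_f(y, rng)
        if x is not None:
            return x
    return None

def success_rate(inverter, trials, seed=1):
    """Fraction of challenges y = f(U_N) that inverter(y, rng) inverts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        y = f(rng.randrange(1 << N))
        x = inverter(y, rng)
        hits += x is not None and f(x) == y
    return hits / trials
```

Comparing `success_rate(small_break_f, 500)` with `success_rate(lambda y, r: break_f(y, r, 60), 500)` shows the effect of the repetition step.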
Proof Q2
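• From the claim it follows that

$$\begin{aligned}
\Pr[\mathrm{Break}_f \text{ inverts } f(U_n)] &> \left(1 - \frac{1}{2p(n)}\right)\left(1 - (1/2)^n\right) \\
&> \left(1 - \frac{1}{2p(n)}\right)\left(1 - \frac{1}{2p(n)}\right) \\
&> 1 - \frac{1}{p(n)}
\end{aligned}$$

• From the inequality above, f is not a weakly OWF, which contradicts the assumption of the three questions.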
Proof of the claim
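• Assume $|\mathrm{Good}_n| \le \left(1 - \frac{1}{2p(n)}\right) 2^n$
• $\Pr[\mathrm{Break}_g \text{ inverts } g(U_{n^2 p(n)})]$

$$\begin{aligned}
&= \Pr[\mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))})] \\
&= \Pr[\mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))}) \text{ AND } \exists i \text{ s.t. } U_n^{(i)} \notin \mathrm{Good}_n] \quad \text{(probability 1)} \\
&\quad + \Pr[\mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))}) \text{ AND } \forall i,\ U_n^{(i)} \in \mathrm{Good}_n] \quad \text{(probability 2)} \\
&< \frac{1}{2q(n^2 p(n))} + \frac{1}{2q(n^2 p(n))} = \frac{1}{q(n^2 p(n))}
\end{aligned}$$

• $\Pr[\mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))}) \text{ AND } \exists i \text{ s.t. } U_n^{(i)} \notin \mathrm{Good}_n]$

$$\begin{aligned}
&= \Pr[\, \exists i \text{ s.t. (1) } \mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))}) \text{ and (2) } U_n^{(i)} \notin \mathrm{Good}_n \,] \\
&\le \sum_{i=1}^{t(n)} \Pr[\, (1) \text{ and } (2) \,] \\
&\le \sum_{i=1}^{t(n)} \sum_{x \in \{0,1\}^n - \mathrm{Good}_n} \Pr[\, (1) \text{ and } (2)'\colon U_n^{(i)} = x \,] \\
&\le \sum_{i=1}^{t(n)} \sum_{x \in \{0,1\}^n - \mathrm{Good}_n} \Pr[U_n^{(i)} = x]\, \Pr[\, (1) \mid (2)' \,] \\
&\le \sum_{i=1}^{t(n)} \max_{x \in \{0,1\}^n - \mathrm{Good}_n} \Pr[\, (1) \mid (2)' \,] \\
&\le \sum_{i=1}^{t(n)} \max_{x \in \{0,1\}^n - \mathrm{Good}_n} \Pr[\, f(\mathrm{SmallBreak}_f(f(x))) = f(x) \,] \\
&\le t(n) \cdot \frac{n}{a(n)} \\
&= \frac{n^2 p(n)}{a(n)} \\
&= \frac{n^2 p(n)}{2 n^2 p(n)\, q(n^2 p(n))} \\
&= \frac{1}{2 q(n^2 p(n))}
\end{aligned}$$

• $\Pr[\mathrm{Break}_g \text{ inverts } g(U_n^{(1)} U_n^{(2)} \cdots U_n^{(t(n))}) \text{ AND } \forall i,\ U_n^{(i)} \in \mathrm{Good}_n]$

$$\begin{aligned}
&\le \Pr[\, \forall i,\ U_n^{(i)} \in \mathrm{Good}_n \,] \\
&\le \left(1 - \frac{1}{2p(n)}\right)^{t(n)} \\
&\le (1/e)^{n/2} \\
&< \frac{1}{2 q(n^2 p(n))}
\end{aligned}$$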

Universal OWF?
• Universal OWF? Yes!!
• Assume: code(M) = encoding of TM M

$$M(x) = \begin{cases} \text{the output of } M \text{ on } x, & \text{if executable in } |x|^3 \text{ steps} \\ x, & \text{otherwise} \end{cases}$$

• F(code(M), x) = (code(M), M(x))
• F is a universal OWF