Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems
M. Bellare, A. Sahai, S. Halevi, S. Vadhan
Introduction
• One-way function
– Easy to compute, hard to invert
• Trapdoor function
– One-way function
– Hard to invert; but with trapdoor, easy to invert.
– Injective (one-to-one) trapdoor function suffices for a public key cryptosystem. (Proved by Yao)
• Injectivity can guarantee the unique decryption
Several questions arise
• What’s the relationship between one-way functions and trapdoor functions?
– Does one-way function imply trapdoor function?
• Does a public key cryptosystem require an injective trapdoor function?
– Can a non-injective trapdoor function be used to construct a public key cryptosystem?
– If yes, what is the domain size of such a non-injective trapdoor function?
Definitions:
• PPT:
– Probabilistic, polynomial time
• x||y:
– Concatenation of two strings x and y
• x S:
– Select an element from the set S.
• Pre-images:
– of y under a function f: f^-1(y) = { x ∈ Dom(f) : f(x) = y }.
• Injective:
– A function is said to be injective if Dom(f) = Range(f).
• One-wayness:
– A function is said to be one-way if InvProb_f(I,k) is negligible for any PPT algorithm I.
• Trapdoorness:
– A function f is said to be trapdoor if, knowing the “trapdoor information” tp, one can invert f.
– Formally, there exists a PPT algorithm F-Inv(f, tp, y) which, for all y ∈ Range(f), outputs an element of f^-1(y) with probability 1.
• Predicate:
– A probabilistic function p with domain {0,1}: it takes a bit b and flips coins r to generate some output y = p(b;r).
• Decryption error (k) of a predicate:
– If there exists a PPT algorithm P-Inv which, knowing the trapdoor, fails to decrypt only with probability:
– is at most (k)
From one-way function to trapdoor functions
• Theorem: Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions.
– Proof: Given a family of one-way functions, construct a family of trapdoor one-way functions.
– Given f, we construct a g which “mimics” f but embeds a trapdoor.
• = f( ), where is trapdoor of g, and is the image of the trapdoor under f.
– Is g a one-way trapdoor function?
• If knowing , a pre-image of z under g is (z, , ). So knowing trapdoor, one can invert g. g is a trapdoor function.
• Without knowing , can we invert g?
– If g(y,x,v) = z then either f(v) = z or f(x) = . To calculate g^-1(z) requires inverting f at either z or , both of which are hard by one-wayness of f.
– g is one-way function.
• g is one-way trapdoor function.
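A runnable sketch of this construction, added here as an example and not taken from the slides or the paper. The rule for g is reconstructed from the pre-image statements above (an assumption), SHA-256 stands in for f, and the names alpha (the trapdoor), beta (its image under f), keygen, g_inv and preimages are hypothetical.

```python
import hashlib
import os

def f(x: bytes) -> bytes:
    """Stand-in for the one-way function f (assumption: SHA-256)."""
    return hashlib.sha256(x).digest()

def keygen():
    """Pick the trapdoor alpha; beta = f(alpha) is published as part of g."""
    alpha = os.urandom(32)
    return alpha, f(alpha)

def g(beta: bytes, y: bytes, x: bytes, v: bytes) -> bytes:
    """Assumed rule: output y when x opens beta, otherwise mimic f on v."""
    return y if f(x) == beta else f(v)

def g_inv(alpha: bytes, z: bytes, v: bytes = b"") -> tuple:
    """Trapdoor inversion: (z, alpha, v) maps to z for every choice of v."""
    return (z, alpha, v)

def preimages(alpha: bytes, z: bytes, count: int) -> list:
    """Enumerate `count` distinct pre-images of z, one per value of v."""
    return [g_inv(alpha, z, i.to_bytes(4, "big")) for i in range(count)]
```

Every z has at least as many pre-images as there are values of v, so g is far from injective; this is the contrast with the polynomially bounded pre-image size that the later theorem requires.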
Does a public key cryptosystem require an injective trapdoor function?
• Unapproximable trapdoor predicates and semantically secure public key cryptosystems are equivalent.
• So the question becomes whether unapproximable trapdoor predicates imply injective trapdoor functions.
From trapdoor functions to cryptosystem
• Theorem: If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error.
• Proof: Given a trapdoor one-way function F, construct an unapproximable family of trapdoor predicates P with decryption error ½ - 1/poly(k), and reduce the decryption error by repetition to get the family claimed in the theorem.
• Claim: p is an unapproximable trapdoor predicate family, with decryption error at most ½ - 1/[2Q(k)]
– The output of p is (f(x), r, ), b = ( x r )
– x’ = F-Inv(f,tp,y) and b’ = ( x’ r )
– Since f is not an injective function, even with tp, x’ may not be equal to x.
– If x’ = x, then b’ = b.
– If x’ ≠ x then b’ = b with probability at most ½ since r is randomly chosen.
– The chance that x = x’ is at least 1/Q(k). (The size of pre-image of f is Q(k).)
– So
• To prove the theorem, we need a predicate with exponentially small decryption error.
– The predicate is constructed as
• Polynomial number of p(b) are concatenated to form a final predicate.
– To decrypt b with tp, let b_i’ = P-Inv(p, tp, (y_i, r_i, _i)). It outputs b’ which is 1 if the majority of the b_i’ are 1 and 0 otherwise.
– b_i’ has decryption error ½ - 1/[2Q(k)], b has exponentially small decryption error.
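The predicate and its majority-vote decryption, as an added example that is not part of the original slides. Assumptions: Rabin squaring modulo a constructed toy N serves as the trapdoor function with pre-image size Q(k) = 4, and the bit is masked as b XOR <x, r> (inner product mod 2), which is one reading of the symbols lost from the transcript; all function names are hypothetical.

```python
import secrets

# Constructed toy parameters, far too small to be secure. Squaring modulo
# N = P1 * P2 is 4-to-1 on Z_N^*: a trapdoor function with pre-image size 4.
P1, P2 = 10007, 10039          # trapdoor tp: two primes, both 3 mod 4
N = P1 * P2

def f(x):
    """The many-to-one trapdoor function."""
    return x * x % N

def f_inv(y):
    """F-Inv(f, tp, y): one fixed square root of y, combined by CRT."""
    rp, rq = pow(y, (P1 + 1) // 4, P1), pow(y, (P2 + 1) // 4, P2)
    return (rp * P2 * pow(P2, -1, P1) + rq * P1 * pow(P1, -1, P2)) % N

def dot(a, b):
    """Inner product mod 2 of the bit strings of a and b."""
    return bin(a & b).count("1") & 1

def sample_x():
    """Uniform element of Z_N^*, by rejection sampling."""
    while True:
        x = secrets.randbelow(N)
        if x % P1 and x % P2:
            return x

def p(b):
    """Predicate p(b; x, r) = (f(x), r, b XOR <x, r>) (assumed masking)."""
    x, r = sample_x(), secrets.randbits(N.bit_length())
    return f(x), r, b ^ dot(x, r)

def p_inv(ct):
    """P-Inv with tp: correct when x' = x, a coin flip otherwise."""
    y, r, c = ct
    return c ^ dot(f_inv(y), r)

def encrypt(b, n):
    """Repeat the predicate n times with fresh coins."""
    return [p(b) for _ in range(n)]

def decrypt(cts):
    """Output 1 if the majority of the individual decryptions are 1."""
    return int(2 * sum(p_inv(ct) for ct in cts) > len(cts))

def error_rate(trials):
    """Empirical single-shot decryption error of p_inv."""
    return sum(p_inv(p(t & 1)) != (t & 1) for t in range(trials)) / trials
```

With Q(k) = 4 the single-shot bound ½ - 1/[2Q(k)] is 3/8, and the measured error_rate sits near that value, while decrypt over several hundred repetitions recovers b.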
Several known results so far.
1. Existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption.
2. Injective trapdoor one-way function can be used to construct unapproximable trapdoor predicates.
Question
• Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions?
• If it is possible to implement using one-way functions a function G with “sufficiently strong randomness properties” to maintain the security of this scheme, then the question would have a positive answer.
• From a predicate to a function, we need de-randomization, while maintaining the one-wayness of the function.
– Method 1:
• It is one-way [Yao]. However, it is not a trapdoor function, because even with the trapdoor information, we cannot recover r_1, r_2, …, r_k.
– Method 2:
• Where G is a pseudo-random generator.
• It is proved that f is not one-way either.
– Method 3: Use a truly random function G, i.e., a random oracle.
• To invert f, we need to invert p(b_1; r_1), p(b_2; r_2), …, p(b_k; r_k).
• Even knowing r_1, r_2, r_3, …, r_k, since G is a truly random generator, b_1, b_2, …, b_k are totally independent of r_1, r_2, r_3, …, r_k. And each p is unapproximable, so f is a one-way function.
• Theorem: If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model.