Skip to Content
CSE442TIntroduction to Cryptography (Lecture 5)

CSE442T Introduction to Cryptography (Lecture 5)

Chapter 2: Computational Hardness

Proving that there are one-way functions relies on assumptions.

Factoring Assumption: A,ϵ(n)\forall \mathcal{A}, \exist \epsilon (n), let p,qΠn,p,q<2np,q\in \Pi_n,p,q<2^n

P[pΠn;qΠn;N=pq:A(N){p,q}]<ϵ(n)P[p\gets \Pi_n;q\gets \Pi_n;N=p\cdot q:\mathcal{A}(N)\in \{p,q\}]<\epsilon(n)

Evidence: To this point, best known procedure to always factor has run time O(2nlog(n))O(2^{\sqrt{n}\sqrt{log(n)}})

Distribution of prime numbers:

  • We have infinitely many prime
  • Prime Number Theorem π(n)nln(n)\pi(n)\approx\frac{n}{\ln(n)}, that means, 1lnn\frac{1}{\ln n} of all integers are prime.

We want to (guaranteed to) find prime:

π(n)>2n2n\pi(n)>\frac{2^n}{2n}

e.g.

P[x{0,1}n:xprime]2n2n2n=12nP[x\gets \{0,1\}^n:x\in prime]\geq {\frac{2^n}{2n}\over 2^n}=\frac{1}{2n}

Theorem:

fmult:{0,1}2n{0,1}2n,fmult(x1,x2)=x1x2f_{mult}:\{0,1\}^{2n}\to \{0,1\}^{2n},f_{mult}(x_1,x_2)=x_1\cdot x_2

Idea: There are enough pairs of primes to make this difficult.

Reminder: Weak on-way if easy to compute and p(n)\exist p(n), P[A inverts=success]<11p(n)P[\mathcal{A}\ \text{inverts=success}]<1-\frac{1}{p(n)} P[A inverts=failure]>1p(n)P[\mathcal{A}\ \text{inverts=failure}]>\frac{1}{p(n)} high enough

Prove one-way function (under assumptions)

To prove ff is on-way (under assumption)

  1. Show p.p.t\exists p.p.t solves f(x),xf(x),\forall x.
  2. Proof by contradiction.
    • For weak: Provide p(n)p(n) that we know works.
      • Assume A\exists \mathcal{A} such that P[A inverts]>11p(n)P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{p(n)}
    • For strong: Provide p(n)p(n) that we know works.
      • Assume A\exists \mathcal{A} such that P[A inverts]>1p(n)P[\mathcal{A}\ \text{inverts}]>\frac{1}{p(n)}

Construct p.p.t B\mathcal{B} which uses A\mathcal{A} to solve a problem, which contradicts assumption or known fact.

Back to Theorem:

We will show that p(n)=8n2p(n)=8n^2 works.

We claim A\forall \mathcal{A},

P[(x1,x2){0,1}2n;y=fmult(x1,x2):f(A(y))=y]<118n2P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2}

For the sake of contradiction, suppose

A such thatP[A inverts]>118n2\exists \mathcal{A} \textup{ such that} P[\mathcal{A}\ \text{inverts}]>1-\frac{1}{8n^2}

We will use this A\mathcal{A} to design p.p.t BB which can factor 2 random primes with non-negligible prob.

def A(y):
    # the adversary algorithm
    # expecting N to be product of random integer, don't need to be prime
 
def is_prime(x):
    # test if x is a prime
 
def gen(n):
    # generate number up to n bits
 
def B(y):
    # N is the input cipher
    x1,x2=gen(n),gen(n)
    p=x1*x2
    if is_prime(x1) and is_prime(x2):
        return A(p)
    return A(y)

How often does B\mathcal{B} succeed/fail?

B\mathcal{B} fails to factor N=pq˙N=p\dot q, if:

  • xx and yy are not both prime
    • Pe=1P(xΠn)P(yΠn)1(12n)2=114n2P_e=1-P(x\in \Pi_n)P(y\in \Pi_n)\leq 1-(\frac{1}{2n})^2=1-\frac{1}{4n^2}
  • if A\mathcal{A} fails to factor
    • Pf<18n2P_f<\frac{1}{8n^2}

So

P[B fails]P[EF]P[E]+P[F](114n2+18n2)=118n2P[\mathcal{B} \text{ fails}]\leq P[E\cup F]\leq P[E]+P[F]\leq (1-\frac{1}{4n^2}+\frac{1}{8n^2})=1-\frac{1}{8n^2}

So

P[B succeed]18n2(non-negligible)P[\mathcal{B} \text{ succeed}]\geq \frac{1}{8n^2} (\text{non-negligible})

This contradicting factoring assumption. Therefore, our assumption that A\mathcal{A} exists was wrong.

Therefore A\forall \mathcal{A}, P[(x1,x2){0,1}2n;y=fmult(x1,x2):f(A(y))=y]<118n2P[(x_1,x_2)\gets \{0,1\}^{2n};y=f_{mult}(x_1,x_2):f(\mathcal{A}(y))=y]<1-\frac{1}{8n^2} is wrong.

Last updated on
Introduction to Cryptography (Lecture 4)Introduction to Cryptography (Lecture 6)