
Hard-core Predicate of a One Way Function

In the document Lecture Notes on Cryptography (Page 35-38)

2.4 Hard-core Predicate of a One Way Function

Recall that f(x) does not necessarily hide everything about x even if f is a one-way function. E.g. if f is the RSA function then it preserves the Jacobi symbol of x, and if f is the discrete logarithm function EXP then it is easy to compute the least significant bit of x from f(x) by a simple Legendre symbol calculation. Yet, it seems likely that there is at least one bit about x which is hard to "guess" from f(x), given that x in its entirety is hard to compute. The question is: can we point to specific bits of x which are hard to compute, and how hard to compute are they? The answer is encouraging. A number of results are known which give a particular bit of x which is hard to guess given f(x) for some particular f's such as RSA and the discrete logarithm function. We will survey these results in subsequent sections.

More generally, we call a predicate about x which is impossible to compute from f(x) better than guessing it at random a hard-core predicate for f.

We first look at a general result by Goldreich and Levin [94] which gives for any one-way function f a predicate B such that it is as hard to guess B(x) from f(x) as it is to invert f.

Historical Note: The idea of a hard-core predicate for one-way functions was introduced by Blum, Goldwasser and Micali. It first appears in a paper by Blum and Micali [40] on pseudo-random number generation. They showed that if the EXP function (f_{p,g}(x) = g^x (mod p)) is hard to invert then it is hard to even guess better than guessing at random the most significant bit of x. Under the assumption that quadratic residues are hard to distinguish from quadratic non-residues modulo composite moduli, Goldwasser and Micali in [98] showed that the squaring function has a hard-core predicate as well. Subsequently, Yao [201] showed a general result that given any one-way function, there is a predicate B(x) which is as hard to guess from f(x) as to invert f, for any function f. Goldreich and Levin's result is a significantly simpler construction than Yao's earlier construction.

2.4.1 Hard Core Predicates for General One-Way Functions

We now introduce the concept of a hard-core predicate of a function and show by explicit construction that any strong one-way function can be modified to have a hard-core predicate.

Note: Unless otherwise mentioned, the probabilities during this section are calculated uniformly over all coin tosses made by the algorithm in question.

Definition 2.48 A hard-core predicate of a function f : {0,1}* → {0,1}* is a boolean predicate B : {0,1}* → {0,1}, such that

(1) ∃ PPT A, such that ∀x, A(x) = B(x)
(2) ∀ PPT G, ∀ constants c, ∃ k0, s.t. ∀k > k0

Pr[G(f(x)) = B(x)] < 1/2 + 1/k^c.

The probability is taken over the random coin tosses of G, and random choices of x of length k.

Intuitively, the definition guarantees that given x, B(x) is efficiently computable, but given only f(x), it is hard to even "guess" B(x); that is, to guess B(x) with a probability significantly better than 1/2.

Yao, in [201], showed that the existence of any trapdoor length-preserving permutation implies the existence of a trapdoor predicate. Goldreich and Levin greatly simplified Yao's construction and show that any one-way function can be modified to have a trapdoor predicate as follows (we state a simple version of their general result).

Theorem 2.49 [94] Let f be a (strong) length-preserving one-way function. Define f′(x∘r) = f(x)∘r, where |x| = |r| = k, and ∘ is the concatenation function. Then

B(x∘r) = Σ_{i=1}^{k} x_i r_i (mod 2)

is a hard-core predicate for f′.

Note: v∘w denotes concatenation of strings v and w. Computing B from f′ is trivial as f(x) and r are easily recoverable from f′(x, r). Finally notice that if f is one-way then so is f′.

For a full proof of the theorem we refer the reader to [94].
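The following is an added illustration of Theorem 2.49, not code from the lecture notes. It implements the Goldreich-Levin predicate B(x∘r) = Σ x_i r_i (mod 2) as the parity of the bitwise AND of x and r, represents f′(x∘r) = f(x)∘r as a pair, and checks two facts that the theorem rests on: for any x ≠ 0 the predicate is 1 on exactly half of all r (so a guess that ignores x is a coin flip), and a predictor that always gets B right, queried at the unit vectors e_i, reads off x bit by bit (the easy case of the reduction in [94]). The "one-way" function f_toy, the bit length K and the modulus N_TOY are constructed toy values; nothing at 16 bits is one-way.

```python
import secrets
from typing import Callable

K = 16           # |x| = |r| = k bits; constructed toy parameter
N_TOY = 65521    # constructed toy modulus; chosen so f_toy(x) fits in k bits


def f_toy(x: int) -> int:
    """Stand-in for the one-way function f (toy: cubing mod N_TOY, not one-way at this size)."""
    return pow(x, 3, N_TOY)


def f_prime(x: int, r: int) -> tuple[int, int]:
    """f'(x∘r) = f(x)∘r; the concatenation is represented as the pair (f(x), r)."""
    return (f_toy(x), r)


def gl_predicate(x: int, r: int) -> int:
    """B(x∘r) = Σ x_i r_i (mod 2): the parity of the bits set in both x and r."""
    return bin(x & r).count("1") & 1


def balance_count(x: int, k: int = K) -> int:
    """Number of r in {0,1}^k with B(x∘r) = 1.

    For x != 0 this is exactly 2^(k-1): flipping any bit of r at a position
    where x is 1 toggles the parity, so the two values are equally likely.
    """
    return sum(gl_predicate(x, r) for r in range(1 << k))


def make_perfect_predictor(secret_x: int) -> Callable[[tuple[int, int]], int]:
    """Simulates a predictor G that always outputs B(x∘r) given f'(x∘r).

    In the theorem G is hypothetical; here it simply holds x so that the
    reduction below can be exercised end to end.
    """
    def predictor(fx_r: tuple[int, int]) -> int:
        _fx, r = fx_r
        return gl_predicate(secret_x, r)
    return predictor


def recover_from_perfect_predictor(predictor: Callable[[tuple[int, int]], int],
                                   fx: int, k: int = K) -> int:
    """Easy case of the Goldreich-Levin argument: with a predictor that is
    always right, B(x∘e_i) = x_i for the unit vector e_i, so k queries on
    f'(x∘e_i) = (f(x), e_i) return x itself, i.e. the predictor inverts f'."""
    x = 0
    for i in range(k):
        e_i = 1 << i
        x |= predictor((fx, e_i)) << i
    return x


if __name__ == "__main__":
    x = secrets.randbits(K)
    r = secrets.randbits(K)
    print("f'(x∘r) =", f_prime(x, r), " B(x∘r) =", gl_predicate(x, r))
    print("fraction of r with B(x∘r) = 1:", balance_count(x) / (1 << K))
    fx, _ = f_prime(x, r)
    recovered = recover_from_perfect_predictor(make_perfect_predictor(x), fx)
    print("recovered x == x:", recovered == x)
```

The full proof in [94] handles a predictor that is only right with probability 1/2 + 1/k^c; the unit-vector trick above fails there because a single wrong answer corrupts a bit, which is why the real reduction amplifies by pairing each e_i with random r and majority voting.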

It is trivial to extend the definition of a hard-core predicate for a one-way function to a collection of hard-core predicates for a collection of one-way functions.

Definition 2.50 A hard-core predicate of a one-way function collection F = {f_i : D_i → R_i}_{i∈I} is a collection of boolean predicates B = {B_i : D_i → R_i}_{i∈I} such that

(1) ∃ PPT A, such that ∀i, x, A(i, x) = B_i(x)
(2) ∀ PPT G, ∀ constants c, ∃ k0, s.t. ∀k > k0

Pr[G(i, f_i(x)) = B_i(x)] < 1/2 + 1/k^c.

The probability is taken over the random coin tosses of G, random choices of i ∈ I ∩ {0,1}^k and random x ∈ D_i.

2.4.2 Bit Security Of The Discrete Logarithm Function

Let us examine the bit security of the EXP collection of functions directly rather than through the Goldreich-Levin general construction.

We will be interested in the most significant bit of the discrete logarithm x of y modulo p.

For (p, g) ∈ I and y ∈ Z_p*, let

B_{p,g}(y) = 0 if y = g^x mod p where 0 ≤ x < (p−1)/2,
B_{p,g}(y) = 1 if y = g^x mod p where (p−1)/2 ≤ x < p−1.

Cryptography: Lecture Notes 37

We want to show that if for p a prime and g a generator of Z_p*, EXP_{p,g}(x) ≡ g^x mod p is hard to invert, then given y = EXP_{p,g}(x), B_{p,g}(y) is hard to compute in a very strong sense; that is, in attempting to compute B_{p,g}(y) we can do no better than essentially guessing its value randomly. The proof will be by way of a reduction. It will show that if we can compute B_{p,g}(y) in polynomial time with probability greater than 1/2 + ε for some non-negligible ε > 0 then we can invert EXP_{p,g}(x) in time polynomial in |p|, |g|, and 1/ε. The following is a formal statement of this fact.

Theorem 2.51 Let S be a subset of the prime integers. Suppose there is a polynomial Q and a PTM G such that for all primes p ∈ S and for all generators g of Z_p*

Pr[G(p, g, y) = B_{p,g}(y)] > 1/2 + 1/Q(|p|)

(where the probability is taken over y ∈ Z_p* and the coin tosses of G). Then for every polynomial P, there is a PTM I such that for all primes p ∈ S, generators g of Z_p*, and y ∈ Z_p*

Pr[I(p, g, y) = x such that y ≡ g^x mod p] > 1 − 1/P(|p|)

(where the probability is taken over the coin tosses of I).

We point to [40] for a proof of the above theorem.
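As an added worked example (not part of the lecture notes), the script below instantiates the objects of this section over the constructed toy group p = 23, g = 5 (5 generates Z_23*): EXP_{p,g}, the predicate B_{p,g}(y) of the definition above, and, for contrast, the Legendre-symbol computation from the start of Section 2.4 that hands over the least significant bit of x from y = g^x alone. Since g is a generator it is a quadratic non-residue, so g^x is a residue exactly when x is even, and Euler's criterion y^((p−1)/2) mod p decides that in polynomial time. B_{p,g} is computed here by brute-force discrete log, which is only possible because p is tiny; that asymmetry is the point of Theorem 2.51.

```python
# Constructed toy parameters: p = 23 is prime and g = 5 generates Z_23^*.
P = 23
G = 5


def exp_pg(x: int, p: int = P, g: int = G) -> int:
    """EXP_{p,g}(x) = g^x mod p."""
    return pow(g, x, p)


def is_generator(g: int, p: int) -> bool:
    """Exhaustive check that g has order p-1 in Z_p^* (toy sizes only)."""
    return len({pow(g, x, p) for x in range(p - 1)}) == p - 1


def dlog_bruteforce(y: int, p: int = P, g: int = G) -> int:
    """Inverts EXP_{p,g} by trying every exponent; feasible only for tiny p."""
    for x in range(p - 1):
        if pow(g, x, p) == y:
            return x
    raise ValueError("y is not in the group generated by g")


def msb_predicate(y: int, p: int = P, g: int = G) -> int:
    """B_{p,g}(y): 0 if y = g^x with 0 <= x < (p-1)/2, and 1 if (p-1)/2 <= x < p-1.

    Evaluated via the discrete log, i.e. the route Theorem 2.51 says is the
    only one an adversary has up to a guess."""
    return 0 if dlog_bruteforce(y, p, g) < (p - 1) // 2 else 1


def legendre(y: int, p: int) -> int:
    """Euler's criterion: y^((p-1)/2) mod p is 1 for quadratic residues and p-1 otherwise."""
    return pow(y, (p - 1) // 2, p)


def lsb_of_dlog(y: int, p: int = P) -> int:
    """Least significant bit of x, where y = g^x mod p, from the Legendre symbol alone.

    g generates Z_p^* so g is a non-residue; g^x is a residue iff x is even."""
    return 0 if legendre(y, p) == 1 else 1


def bit_table(p: int = P, g: int = G) -> list[tuple[int, int, int, int]]:
    """Rows (x, y, lsb from Legendre, B_{p,g}(y)) for every x in Z_{p-1}."""
    rows = []
    for x in range(p - 1):
        y = exp_pg(x, p, g)
        rows.append((x, y, lsb_of_dlog(y, p), msb_predicate(y, p, g)))
    return rows


def lsb_leak_is_exact(p: int = P, g: int = G) -> bool:
    """True when the Legendre computation recovers x's low bit for every x."""
    return all(lsb == (x & 1) for x, _, lsb, _ in bit_table(p, g))


if __name__ == "__main__":
    assert is_generator(G, P)
    print("  x   y  lsb  B_{p,g}(y)")
    for x, y, lsb, msb in bit_table():
        print(f"{x:3d} {y:3d}  {lsb}      {msb}")
    print("LSB recovered for all x:", lsb_leak_is_exact())
```

The table makes the asymmetry visible: the lsb column is obtained from y by one modular exponentiation, while the B_{p,g}(y) column required the discrete logarithm, and Theorem 2.51 says that for primes where EXP is hard to invert, any polynomial-time attempt at that column lands within a negligible margin of 1/2.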

As a corollary we immediately get the following.

Definition 2.52 Define MSB_{p,g}(x) = 0 if 1 ≤ x < (p−1)/2 and 1 otherwise, for x ∈ Z_{p−1}, and MSB = {MSB_{p,g}(x) : Z_{p−1} → {0,1}}_{(p,g)∈I} for I = {(p, g) : p is prime and g is a generator of Z_p*}.

Corollary 2.53 Under the strong DLA, MSB is a collection of hard-core predicates for EXP.

It can be shown that actually O(log log p) of the most significant bits of x ∈ Z_{p−1} are hidden by the function EXP_{p,g}(x). We state this result here without proof.

Theorem 2.54 For a PTM A, let

α = Pr[A(p, g, g^x, x_{log log p} x_{log log p − 1} … x_0) = 0 | x = x_{|p|} … x_0]

(where the probability is taken over x ∈ Z_n and the coin tosses of A) and let

β = Pr[A(p, g, g^x, r_{log log p} r_{log log p − 1} … r_0) = 0 | r_i ∈_R {0,1}]

(where the probability is taken over x ∈ Z_n, the coin tosses of A, and the bits r_i). Then under the Discrete Logarithm Assumption, we have that for every polynomial Q and every PTM A, ∃k0 such that ∀k > k0,

|α − β| < 1/Q(k).

Corollary 2.55 Under the Discrete Logarithm Assumption we have that for every polynomial Q and every PTM A, ∃k0 such that ∀k > k0 and ∀k_p < log log p

Pr[A(p, g, g^x, x_{k_p} … x_0) = x_{k_p + 1}] < 1/2 + 1/Q(k)

(where the probability is taken over the primes p such that |p| = k, the generators g of Z_p*, x ∈ Z_p*, and the coin tosses of A).

For further information on the simultaneous or individual security of the bits associated with the discrete logarithm see [131, 108].

2.4.3 Bit Security of RSA and SQUARING functions

Let I = {⟨n, e⟩ : n = pq, |p| = |q|, (e, φ(n)) = 1}, and RSA = {RSA_{⟨n,e⟩} : Z_n* → Z_n*}_{⟨n,e⟩∈I} be the collection of functions as defined in 2.17.

Alexi, Chor, Goldreich and Schnorr [6] showed that guessing the least significant bit of x from RSA_{⟨n,e⟩}(x) better than at random is as hard as inverting RSA.

Theorem 2.56 [6] Let S ⊂ I. Let c > 0. If there exists a probabilistic polynomial-time algorithm O such that for (n, e) ∈ S,

Pr[O(n, e, x^e mod n) = least significant bit of x mod n] ≥ 1/2 + 1/k^c

(taken over coin tosses of O and random choices of x ∈ Z_n*), then there exists a probabilistic expected polynomial-time algorithm A such that for all ⟨n, e⟩ ∈ S, for all x ∈ Z_n*, A(n, e, x^e mod n) = x mod n.

Now define LSB = {LSB_{⟨n,e⟩} : Z_n* → Z_n*}_{⟨n,e⟩∈I} where LSB_{⟨n,e⟩}(x) = least significant bit of x.

A direct corollary to the above theorem is:

Corollary 2.57 Under the (strong) RSA assumption, LSB is a collection of hard-core predicates for RSA.

A similar result can be shown for the most significant bit of x and in fact for the log log n least (and most) significant bits of x simultaneously. Moreover, similar results can be shown for the RABIN and BLUM-WILLIAMS collections. We refer to [6], [199] for the detailed results and proofs. Also see [80] for reductions of improved security.
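The following added example (not from the lecture notes) puts the two RSA remarks of this chapter side by side on a constructed toy instance n = 61·53 = 3233, e = 17: the observation at the start of Section 2.4 that RSA preserves the Jacobi symbol of x, and the LSB predicate of Corollary 2.57. Because e is odd, (x^e / n) = (x / n)^e = (x / n), so the Jacobi symbol of the plaintext is readable from the ciphertext with the standard reciprocity algorithm and no factoring; the least significant bit of x, by contrast, is not a function of x^e mod n in any such direct way, and the script measures how often naively reading the ciphertext's low bit happens to agree with it. The parameters are toy values and nothing about a 12-bit modulus is hard to invert.

```python
from math import gcd

# Constructed toy RSA instance: p = 61, q = 53 (both 6-bit), e = 17 coprime to phi(n) = 3120.
P_TOY, Q_TOY, E_TOY = 61, 53, 17
N_TOY = P_TOY * Q_TOY


def rsa(x: int, n: int = N_TOY, e: int = E_TOY) -> int:
    """RSA_{<n,e>}(x) = x^e mod n."""
    return pow(x, e, n)


def lsb_predicate(x: int) -> int:
    """LSB_{<n,e>}(x): the least significant bit of x."""
    return x & 1


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0 via quadratic reciprocity; no factoring of n needed."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:          # pull out factors of 2 using (2/n)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def units(n: int = N_TOY):
    """All x in Z_n^*."""
    return (x for x in range(1, n) if gcd(x, n) == 1)


def jacobi_is_preserved(n: int = N_TOY, e: int = E_TOY) -> bool:
    """Checks (x^e / n) == (x / n) for every x in Z_n^*: RSA leaks the Jacobi symbol."""
    return all(jacobi(rsa(x, n, e), n) == jacobi(x, n) for x in units(n))


def lsb_agreement_fraction(n: int = N_TOY, e: int = E_TOY) -> float:
    """Fraction of x in Z_n^* for which the low bit of the ciphertext equals LSB(x).

    Reading the ciphertext's low bit is the naive guess; Theorem 2.56 says any
    polynomial-time guess stays within 1/k^c of 1/2 when RSA is hard to invert."""
    xs = list(units(n))
    agree = sum(lsb_predicate(rsa(x, n, e)) == lsb_predicate(x) for x in xs)
    return agree / len(xs)


if __name__ == "__main__":
    x = 65
    print(f"x = {x}, x^e mod n = {rsa(x)}")
    print("(x/n) =", jacobi(x, N_TOY), " (x^e/n) =", jacobi(rsa(x), N_TOY))
    print("LSB(x) =", lsb_predicate(x), " LSB(x^e mod n) =", lsb_predicate(rsa(x)))
    print("Jacobi symbol preserved for all units:", jacobi_is_preserved())
    print("naive LSB guess agreement:", round(lsb_agreement_fraction(), 3))
```

Note that the Jacobi leak is not a contradiction of one-wayness: the Jacobi symbol is one bit of information about x that the function does not hide, exactly the kind of bit Section 2.4 warns about, while Corollary 2.57 concerns a different bit that RSA does hide.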
