Multiplication, Primes, and Factoring

Our eventual goal is to show that weak one-way functions can be used to construct strong one-way functions. Before showing this, let us consider some examples.

2.3 Multiplication, Primes, and Factoring

In this section, we consider examples of one-way functions. A first candidate is the function f_mult :N²→_Ndefined by

f_mult(x,y) =

1 ifx =1∨y=1 x·y otherwise

Is this a one-way function? Clearly, by the multiplication algo-rithm, f_mult is easy to compute. But f_mult is not always hard to invert. If at least one ofx andyis even, then their product will be even as well. This happens with probability ³₄ if the input (x,y)is picked uniformly at random fromN². So the following attack Awill succeed with probability ³₄:

A(z) =

(2,^z₂) ifzeven (0, 0) otherwise.

Something is not quite right here, since f_mult is conjectured to be hard to invert onsome, but not all, inputs² . The strong definition of a one-way function is too restrictive to capture this notion, so we now determine whether the function satisfies the weak notion of one-wayness. In order to do so, we must first introduce an assumption and some basic facts from number theory.

2.3.1 The Factoring Assumption

Denote the (finite) set of primes that are smaller than 2ⁿas Πn={q|q<2ⁿandqis prime}

Consider the following assumption, which we shall assume for the remainder of this course:

2Notice that by the way we have defined f_mult, (1,xy) will never be a pre-image ofxy. That is why some instances might be hard to invert.

.Assumption30.1(Factoring) For every adversaryA, there exists a negligible functionesuch that

Pr[p←_Πn;q←_Πn;N ← pq:A(N)∈ {p,q}]<e(n) The factoring assumption is a very important, well-studied conjecture. The best provable algorithm for factorization runs in time 2^{O((nlogn)1/2)}, and the best heuristic algorithm runs in time 2^{O(n1/3log2/3n)}. Factoring composites that are a product of two primes is hard in a concrete way as well: In May2005, the research team of F. Bahr, M. Boehm, J. Franke, and T. Klein-jung were able to factor a663-bit challenge number (of the form described above). In particular, they started in2003 and com-pleted in May2005and estimate to have used the equivalent of 55years of computing time of a single2.2 GHz Opteron CPU.

See [bbfk05] for details. In January2010, Kleinjung and12 col-leagues [kaf⁺10] announced the factorization of the RSA-768 challenge modulus. They describe the amount of work required for this task as follows:

We spent half a year on80processors on polynomial selection. This was about 3% of the main task, the sieving, which was done on many hundreds of ma-chines and took almost two years. On a single core 2.2GHz AMD Opteron processor with2GB RAM per core, sieving would have taken about fifteen hundred years.

They go on to mention that factoring a1024-bit modulus “would be about a thousand times harder.”

2.3.2 There are many primes

The problem of characterizing the set of prime numbers has been considered since antiquity. Euclid, in Book IX, Proposition 20, noted that there are an infinite number of primes. However, merely having an infinite number of them is not reassuring, since perhaps they are distributed in such a haphazard way as to make finding them extremely difficult. An empirical way to approach

2.3. Multiplication, Primes, and Factoring 31

the problem is to define the function

π(x) =number of primes≤x

and graph it for reasonable values ofx as we have done in Fig.2 below. By inspecting this curve, at age15, Gauss conjectured that π(x) ≈ x/ logx. Since then, many people have answered the question with increasing precision; notable are Chebyshev’s theo-rem (upon which our argument below is based), and the famous Prime Number Theoremwhich establishes thatπ(N)approaches

N

lnN as Ngrows to infinity. Here, we will prove a much simpler theorem which only lower-boundsπ(x):

.Theorem31.3(Chebyshev) For x>1,π(x)> _{2 log}^x _x

Observe that X > 2^x (since each term is greater than 2) and that the largest prime dividing Xis at most 2x (since the largest numerator in the product is 2x). By these facts and unique factorization, we can write

X=

∏

p<2x

p^νp(X) >2^x

where the product is over primes p less than 2x andνp(X) de-notes the integral power of p in the factorization ofX. Taking logs on both sides, we have

p

∑

<2x

ν_p(X)logp> x

We now employ the following claim proven below.

.Claim32.4 ^{log 2x}_logp >ν_p(X)

Notice that the second sum is preciselyπ(2x); thus π(2x)> ^x

log 2x = ¹ 2· ^2x

log 2x

which establishes the theorem for even values. For odd values, notice that

π(2x) =π(2x−1)> ^2x

2 log 2x > (2x−1) 2 log(2x−1) since x/ logx is an increasing function forx≥3.

Proof.[Proof Of Claim32.4] Notice that νp(X) =

∑

numerator ofX; similarly the productx!·x! in the denominator of X removes it exactly 2bx/pⁱc times. The second line follows because each term in the summation is at most 1 and after pⁱ >

2x, all of the terms will be zero.

2.3. Multiplication, Primes, and Factoring 33

An important corollary of Chebyshev’s theorem is that at least a¹/2n-fraction ofn-bit numbers are prime. As we shall see in§2.6.5, primality testing can be done in polynomial time—i.e., we can efficiently check whether a number is prime or com-posite. With these facts, we can show that, under the factoring assumption, f_mult is a weak one-way function.

.Theorem33.5 If the factoring assumption is true, then f_multis a weak one-way function.

Proof.As already mentioned, f_mult(x,y)is clearly computable in polynomial time; we just need to show that it is hard to invert.

Consider a certain input length 2n(i.e,|x| =|y|= n). Intu-itively, by Chebyshev’s theorem, with probability¹/4n² a random input pairx,ywill consists of two primes; in this case, by the fac-toring assumption, the function should be hard to invert (except with negligible probability).

We proceed to a formal proof. Letq(n) =8n²; we show that non-uniform p.p.t. cannot invert f_mult with probability greater than 1− _q(¹_n) for sufficiently large input lengths. Assume, for contradiction, that there exists a non-uniform p.p.t.Athat inverts

f_multwith probability at least 1− ¹

q(n) for infinitely manyn ∈_N.

That is, the probability that A, when given input z = xy for randomly chosenn-bit strings,xand y, produces eitherxoryis:

Pr

x,y ← {0, 1}ⁿ,z= xy: A(1²ⁿ,z)∈ {x,y}≥1− ¹

8n² (33.2) We construct a non-uniform p.p.t machine A⁰ which uses Ato break the factoring assumption. The description of A⁰ follows:

algorithm 33.6: A⁰(z): Breaking the factoring assumption 1: Samplex,y ← {0, 1}ⁿ

2: ifxandyare both primethen

3: z⁰ ←z

4: else

5: z⁰ ←xy

6: end if

7: w← A(1ⁿ,z⁰)

8: Returnwifx andyare both prime.

Note that since primality testing can be done in polynomial time, and sinceAis a non-uniform p.p.t.,A⁰ is also a non-uniform p.p.t. Suppose we now feedA⁰ the product of a pair of random n-bit primes,z. In order to give Aa uniformly distributed input (i.e. the product of a pair of randomn-bit numbers), A⁰ samples a pair(x,y)uniformly, and replaces the product xywith the input z if both x and y are prime. By Chebychev’s Theorem (31.3), A⁰ fails to pass z to A with probability at most 1− ¹

4n². From Eq. (33.2), A fails to factor its input with probability at most

1/8n². Using the union bound, we conclude that A⁰ fails with

for largen. In other words, A⁰ factorsz with probability at least

1

8n² for infinitely many n. In other words, there does not exist a negligible function that bounds the success probability of A⁰, which contradicts the factoring assumption.

Note that in the above proof we relied on the fact that primal-ity testing can be done in polynomial time. This was done only for ease of exposition, as it is unnecessary. Consider a machine A⁰⁰ that proceeds just as A⁰, but always lets z = z⁰ and always outputs w. Such a machine succeeds in factoring with at least the same if not greater probability. ButA⁰⁰never needs to check ifx andy are prime.

Dans le document a Course in Cryptography (Page 41-46)