
* Theoretical Constructions of Pseudorandom Objects

In the document II Private-Key (Symmetric) Cryptography 45 (Pages 195-200)

In Chapter 3 we introduced the notion of pseudorandomness, and defined the basic cryptographic primitives of pseudorandom generators and pseudorandom functions. In addition, we showed that these objects are the basic building blocks for constructing secure encryption schemes (in Chapter 4 we also saw that they can be used for constructing message authentication codes).

Finally, in Chapter 5 we studied how pseudorandom functions can be constructed heuristically. Thus, all of our constructions of encryption schemes and message authentication codes can be proven secure under the assumption that pseudorandom generators and functions exist (and thus under the assumption that constructions like the AES block cipher indeed constitute pseudorandom functions). Since these objects form the basis of essentially all of “private-key cryptography”, it is of great importance to enhance our understanding of them from a theoretical (and more rigorous) point of view.

In this chapter we study pseudorandom generators and functions and show under what (minimal) assumptions they can be constructed, and how.

The material in this chapter is for the most part theoretical, and we do not suggest that the constructions presented here should (or could) be used in practice. Indeed, they are far too inefficient for that. Nevertheless, a strong theoretical understanding of pseudorandomness greatly deepens our understanding of how security is achieved, and what assumptions are necessary. In addition, a strong theoretical understanding is often beneficial when analyzing schemes used in practice.

A note regarding this chapter. This chapter is somewhat more advanced and more theoretical than the others in the book. The chapter may be skipped entirely and is not relied on in the rest of the book. (The one exception to this rule is that we do mention one-way functions later on. Nevertheless, if desired, they can be taken at the intuitive level.) Having said this, we have made great efforts to make the material here suitable for an advanced undergraduate or beginning graduate audience. This is especially true for Sections 6.1 and 6.2 that we believe are suitable for a general undergraduate audience. We believe that familiarity with at least some of the topics covered here is important enough to warrant the effort involved.


6.1 One-Way Functions

As we have mentioned, the basic aim of this chapter is to understand the minimal assumption required for constructing pseudorandom generators and functions, and how this assumption is used in those constructions. But, why is any assumption necessary? Why can’t we construct a pseudorandom function from scratch, and just prove mathematically that it is indeed pseudorandom?

The answer to this question is simply that an unconditional proof of the existence of pseudorandom generators or functions would involve breakthroughs in complexity theory that seem far beyond reach today.

Given that some assumption is necessary, at least with our current understanding of complexity, a natural goal is to try to base our constructions on the “minimal assumption” possible. Formally, a minimal assumption is one that is both necessary and sufficient for achieving constructions of pseudorandom generators and functions. As it turns out, the minimal assumption here is that of the existence of one-way functions. Loosely speaking, such a function has the property that it is easy to compute, but (almost always) hard to invert. The fact that this assumption is indeed minimal will be proven throughout this chapter, and in particular in Section 6.7.

We remark that one-way functions are in fact a minimal assumption for almost all of cryptography, and not just for obtaining pseudorandom generators and functions. (The only exceptions are cryptographic tasks for which no computational assumptions are needed.) Furthermore, on an intuitive level they constitute a far weaker assumption than the existence of pseudorandom generators or functions (although technically speaking, as we show in this chapter, they are actually equivalent and either they both exist or they both do not exist).

6.1.1 Definitions

One-way functions have the property that they are easy to compute, but hard to invert. Since we are interested in a computational task that is almost always hard to solve, the hard-to-invert requirement is formalized by saying that a polynomial-time adversary will fail to invert the function (i.e., find some preimage), except with negligible probability. (Note that it is always possible to succeed with negligible probability, by just guessing a preimage of the appropriate length. Likewise, given exponential-time, it is always possible to search the entire domain for a preimage.)

Simplifying convention. Throughout this entire chapter, we will assume that the input and output lengths of every one-way function (or variant) f are polynomially related. This means that there exist two constants $c_1$ and $c_2$ such that for every x, it holds that $|x|^{1/c_1} \le |f(x)| \le |x|^{c_2}$. We remark that the requirement that f(x) be at most of length $|x|^{c_2}$ is given in any case by the fact that f must be efficiently computable (a polynomial-time algorithm cannot write more than polynomially many bits). In contrast, the requirement that f(x) be at least of length $|x|^{1/c_1}$ is a simplifying convention. We remark that there are ways of dealing with one-way functions for which this doesn’t hold. However, this convention simplifies the notation and so we adopt it.

DEFINITION 6.1 (one-way functions): A function $f : \{0,1\}^* \to \{0,1\}^*$ is called one-way if the following two conditions hold:

1. Easy to compute: There exists a polynomial-time algorithm $M_f$ such that on input any $x \in \{0,1\}^*$, $M_f$ outputs f(x) (i.e., $M_f(x) = f(x)$ for every x).

2. Hard to invert: For every probabilistic polynomial-time inverting algorithm A, there exists a negligible function negl such that

$$\Pr\left[A(f(x)) \in f^{-1}(f(x))\right] \le \mathsf{negl}(n) \qquad (6.1)$$

where the probability is taken over the uniform choice of x in $\{0,1\}^n$ and the random coin tosses of A.

We stress that it is only guaranteed that a one-way function is hard to invert when the input is uniformly distributed. Thus, there may be many inputs (albeit a negligible fraction) for which the function can be inverted.

Furthermore, as usual for asymptotic definitions, it is only guaranteed that it be hard to invert for all long enough values of x.

Successful inversion of one-way functions. A very important point to note is also that a function that is not one-way is not necessarily easy to invert all the time (or even “often”). Rather, the converse of Definition 6.1 is that there exists a probabilistic polynomial-time algorithm A and a non-negligible function ε such that A inverts f(x) for $x \in \{0,1\}^n$ with probability at least ε(n). What this actually means is that there exists a positive polynomial q(·) such that for infinitely many n’s, the algorithm A inverts f with probability at least 1/q(n). Thus, if there exists an A that inverts f with probability $n^{-10}$ for all even values of n, then the function is not one-way. This holds even though A only succeeds on half of the values of n and even though when it succeeds, it is only with probability $n^{-10}$. We also stress that the inverting algorithm is not required to find the exact x used in computing y = f(x). Rather, if it finds any value x' such that f(x') = y = f(x), then it has succeeded in its task.

Exponential-time inversion. As we have mentioned, any one-way function can be inverted given enough time. Specifically, given a value y, it is always possible to simply try all values x of increasing length (up to some bound) until a value x is found such that f(x) = y. This algorithm runs in exponential time and always succeeds. Thus, the existence of one-way functions is inherently an assumption about computational complexity and computational hardness. That is, it considers a problem that can be solved in principle. However, it cannot be solved efficiently.

One-way permutations. We will often be interested in one-way functions with special properties. One particular category of interest is that of one-way functions that are bijections. We call such functions “one-way permutations”.

Since we are considering infinite domains (i.e., functions that receive inputs of all lengths), we should explain in more detail what we mean. We will call a function over an infinite domain a permutation if for every n, the function restricted to inputs of length n is a bijection.

DEFINITION 6.2 (one-way permutations): Let f be a function with domain $\{0,1\}^*$ and define the function $f_n$ to be the restriction of f to the domain $\{0,1\}^n$ (i.e., for every $x \in \{0,1\}^n$, $f_n(x) = f(x)$). Then, a one-way function f is called a one-way permutation if for every n, the function $f_n$ is 1–1 and onto $\{0,1\}^n$.

An interesting property of one-way permutations is that any value y uniquely determines its preimage x. This is due to the fact that a permutation f is a bijection, and so there exists only one preimage. Thus, even though y fully determines x, it is still hard to find x in polynomial time.

We remark that a more involved notion called “families of one-way permutations” is typically considered in the cryptography literature. Nevertheless, for the sake of clarity, we will consider the above simpler notion and remark that it makes almost no difference to the material presented in this chapter.

Families of one-way functions and permutations. The above definitions of one-way functions and permutations are very convenient in that they consider a single function over an infinite domain and range. However, most candidates that we have for one-way functions and permutations actually don’t fit into this type of formalization. Rather, for every n there is a different function with a finite domain and range containing inputs of size poly(n). Furthermore, the inputs and outputs may not be mere strings of size n but may have a certain form. For example, for every prime p we may consider a permutation $f_p$ over $\mathbb{Z}_p$. The collection of all $f_p$ then constitutes a family of functions. This brings us to the following definition:

DEFINITION 6.3 A tuple Π = (Gen, Samp, f) of probabilistic, polynomial-time algorithms is a family of functions if the following hold:

1. The parameter generation algorithm Gen, on input $1^n$, outputs parameters I with |I| ≥ n. Each value of I output by Gen defines sets $D_I$ and $R_I$ that constitute the domain and range, respectively, of a function we define next.

2. The sampling algorithm Samp, on input I, outputs a uniformly distributed element of $D_I$ (except possibly with probability negligible in |I|).

3. The deterministic evaluation algorithm f, on input I and $x \in D_I$, outputs an element $y \in R_I$. We write this as $y := f_I(x)$.

Π is a family of permutations if for each value of I output by Gen($1^n$), it holds that $D_I = R_I$ and the function $f_I : D_I \to D_I$ is a bijection.

Consider a function $f_p$ that is defined for every prime p as follows: $f_p(x) = g^x \bmod p$. Then, one can define a family of functions where Gen chooses a random prime of the appropriate length n (in this case I = p), Samp(I) chooses a random element x within $\mathbb{Z}_p$, and f(x) computes $g^x \bmod p$. It is not hard to see that this is actually a family of permutations. We now proceed to define one-wayness for a family of functions or permutations. We begin by defining an “inversion” experiment:

The inverting experiment $\mathsf{Invert}_{A}(n)$:

1. Gen($1^n$) is run to obtain I, and then Samp(I) is run to obtain a random $x \leftarrow D_I$. Finally, $y = f_I(x)$ is computed.

2. A is given I and y as input, and outputs x'.

3. The output of the experiment is defined to be 1 if $f_I(x') = y$, and 0 otherwise.

A function is one-way if success in the above experiment occurs with at most negligible probability. That is:

DEFINITION 6.4 A family of functions/permutations Π = (Gen, Samp, f) is called one-way if for all probabilistic polynomial-time algorithms A there exists a negligible function negl such that

$$\Pr[\mathsf{Invert}_{A}(n) = 1] \le \mathsf{negl}(n).$$
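The family-of-functions interface (Definition 6.3), the inverting experiment and Definition 6.4 above, as an added worked example; this is my code, not the book's. It instantiates Π = (Gen, Samp, f) for the family $f_p(x) = g^x \bmod p$ from the text with tiny toy parameters, runs $\mathsf{Invert}_A(n)$ against two adversaries from the surrounding discussion (random guessing, which succeeds with probability $1/|D_I|$, and the exhaustive search of the exponential-time inversion paragraph, which always succeeds but costs time $|D_I|$), and checks the permutation claim by enumerating the domain. Beyond the text it assumes that g is a generator of $\mathbb{Z}_p^*$ and that $D_I = R_I = \{1, \ldots, p-1\}$, which is what makes $f_I$ a bijection; the names gen, samp, f, invert_experiment and success_rate are mine.

```python
import random

# Added example: a toy instantiation of Definition 6.3/6.4 for f_p(x) = g^x mod p.
# Parameter sizes (n bits) are tiny so that the exhaustive inverter finishes;
# nothing here is secure. Assumption (mine, not the text's): g generates Z_p^*
# and D_I = R_I = {1, ..., p-1}, so f_I is a bijection (g^(p-1) = g^0 = 1).

def is_prime(m):
    """Trial division; adequate for the toy sizes used here."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def prime_factors(m):
    """Set of prime factors of m, by trial division (toy sizes only)."""
    fs, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            fs.add(d)
            m //= d
        d += 1
    if m > 1:
        fs.add(m)
    return fs

def gen(n, rng):
    """Gen(1^n): a random n-bit prime p and a generator g of Z_p^*; I = (p, g)."""
    assert 2 <= n <= 20, "toy parameters only"
    while True:
        p = rng.getrandbits(n) | (1 << (n - 1)) | 1   # force exactly n bits, odd
        if is_prime(p):
            break
    qs = prime_factors(p - 1)
    while True:                                        # g generates Z_p^* iff
        g = rng.randrange(2, p)                        # g^((p-1)/q) != 1 for all q
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return (p, g)

def sample_parameters(n, seed=0):
    """Deterministic wrapper around gen() for repeatable runs."""
    return gen(n, random.Random(seed))

def samp(I, rng):
    """Samp(I): a uniform element of D_I = {1, ..., p-1}."""
    p, _ = I
    return rng.randrange(1, p)

def f(I, x):
    """Evaluation algorithm: f_I(x) = g^x mod p."""
    p, g = I
    return pow(g, x, p)

def is_permutation(I):
    """Check D_I = R_I and bijectivity by enumerating the (toy) domain."""
    p, _ = I
    domain = set(range(1, p))
    return {f(I, x) for x in domain} == domain

def invert_experiment(n, adversary, rng):
    """Invert_A(n): 1 iff the adversary outputs some x' with f_I(x') = y.
    Note that x' need not equal the x that was sampled."""
    I = gen(n, rng)
    x = samp(I, rng)
    y = f(I, x)
    x_prime = adversary(I, y, rng)
    return 1 if f(I, x_prime) == y else 0

def guessing_adversary(I, y, rng):
    """Outputs a random domain element: succeeds with probability 1/(p-1)."""
    return samp(I, rng)

def exhaustive_inverter(I, y, rng):
    """The exponential-time inverter of the text: try every x until f_I(x) = y.
    Always succeeds, but takes up to |D_I| = p-1 steps, exponential in n."""
    p, _ = I
    for x in range(1, p):
        if f(I, x) == y:
            return x
    raise ValueError("y is not in the range of f_I")

def success_rate(n, adversary, trials, seed=0):
    """Empirical Pr[Invert_A(n) = 1] over independent runs of the experiment."""
    rng = random.Random(seed)
    return sum(invert_experiment(n, adversary, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    print("exhaustive search:", success_rate(8, exhaustive_inverter, 200))
    print("random guessing:  ", success_rate(8, guessing_adversary, 2000))
```

With n = 8 the guessing adversary lands near 1/(p-1), a few tenths of a percent, while exhaustive search always returns 1; the point of the definition is that the second adversary is not polynomial-time in n, so only the first kind counts against one-wayness.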

6.1.2 Candidates

One-way functions are only of interest if they actually exist. Since we do not know how to prove that they exist (because this would imply a major breakthrough in complexity theory), we conjecture or assume their existence.

This conjecture (assumption) is based on some very natural computational problems that have received much attention, and have yet to yield polynomial-time algorithms. Perhaps the most famous of these problems is that of integer factorization. This problem relates to the difficulty of finding the prime factors of a number that is the product of long uniformly distributed primes of similar length. This leads us to define the function $f_{\mathrm{mult}}(x \| y) = x \cdot y$. Now, if there is no restriction on the lengths of x and y, then $f_{\mathrm{mult}}$ is easy to invert (with high probability x · y will have a small prime factor p that can be found, and then it is possible to return (p, xy/p) as a preimage). Nevertheless, there are two ways to modify $f_{\mathrm{mult}}$ so that it yields a one-way function. The first is to require that |x| = |y| (this prevents finding a small prime factor), and the other is to use the input to sample two primes of approximately the same size (see Section 7.2.1). The integer factorization problem is discussed in greater length in Chapters 7 and 8.

Another candidate one-way function is based on the subset-sum problem and is defined by $f(x_1, \ldots, x_n, J) = (x_1, \ldots, x_n, \sum_{j \in J} x_j)$, where all $x_i$’s are of length n, and J is a subset of {1, ..., n}. Note that when given an image $(x_1, \ldots, x_n, y)$ of this function, the task of inverting it is exactly that of finding a subset J' of {1, ..., n} such that $\sum_{j \in J'} x_j = y$.$^1$

We conclude with a family of permutations that is widely believed to be one-way. This family is based on the so-called discrete logarithm problem and is defined by $f_p(x) = g^x \bmod p$ for any prime p. We described this family above and remark here that it is believed to be one-way. This is called the discrete logarithm because the logarithm function is the inverse of exponentiation; it is “discrete” because we work over $\mathbb{Z}_p$ and not the reals.

In summary, one-way functions and one-way permutations are assumed to exist, and we have a number of concrete candidates for their existence. We will study some of these in detail in Chapters 7, 8 and 11.
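The two candidates from the integer factorization and subset-sum paragraphs above, as an added example written for this page (not the book's code): $f_{\mathrm{mult}}$ in its unrestricted form and with the |x| = |y| restriction enforced, the subset-sum function, and the success criterion of Definitions 6.1 and 6.4, under which any preimage x' with f(x') = y counts. It also carries out the text's observation about the unrestricted variant, namely that a small prime factor p of the image immediately yields the preimage (p, xy/p), and shows that the same pair is rejected once equal lengths are required. Inputs to $f_{\mathrm{mult}}$ are bit strings so that |x| and |y| mean bit-string length as in the text; subset indices are 0-based here rather than 1-based; all sample values are constructed.

```python
# Added example (mine, not the text's): the candidate one-way functions of the
# section, plus the "any preimage counts" check. All inputs below are constructed.

def f_mult(x_bits, y_bits):
    """f_mult(x||y) = x * y with the |x| = |y| restriction from the text enforced."""
    if len(x_bits) != len(y_bits):
        raise ValueError("f_mult requires |x| = |y|")
    return int(x_bits, 2) * int(y_bits, 2)

def f_mult_unrestricted(x_bits, y_bits):
    """The unrestricted variant, which the text says is easy to invert."""
    return int(x_bits, 2) * int(y_bits, 2)

def small_factor_preimage(image, bound=1000):
    """The text's observation: if the image x*y has a small prime factor p, then
    (p, image/p) is a valid preimage of the unrestricted f_mult. The smallest
    divisor >= 2 is automatically prime. Returns bit strings, or None if no
    divisor below `bound` exists."""
    for p in range(2, bound):
        if image % p == 0:
            return (format(p, "b"), format(image // p, "b"))
    return None

def f_subset_sum(xs, J):
    """f(x_1, ..., x_n, J) = (x_1, ..., x_n, sum_{j in J} x_j), indices 0-based."""
    n = len(xs)
    assert all(0 <= j < n for j in J), "J must be a subset of the index set"
    return (tuple(xs), sum(xs[j] for j in J))

def is_preimage(func, candidate, image):
    """Success criterion of the inverting experiment: func(candidate) == image.
    The candidate need not be the input originally used; an input the function
    rejects (e.g. unequal lengths for f_mult) is not a preimage at all."""
    try:
        return func(*candidate) == image
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed image of the unrestricted f_mult: 2 * 105 = 210.
    image = f_mult_unrestricted("10", "1101001")
    pre = small_factor_preimage(image)
    print("unrestricted preimage found:", pre,
          is_preimage(f_mult_unrestricted, pre, image))
    print("accepted under |x| = |y|:", is_preimage(f_mult, pre, image))

    # Subset sum: two different subsets with the same sum are both preimages.
    xs = (3, 5, 8, 10)
    y = f_subset_sum(xs, {0, 1})              # 3 + 5 = 8
    print("J' = {2} is also a preimage:", is_preimage(f_subset_sum, (xs, {2}), y))
```

The subset-sum part illustrates the remark after Definition 6.1 that an inverter only has to find some preimage: {0, 1} and {2} both map (3, 5, 8, 10) to the sum 8, so either is a correct answer in the experiment.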

6.1.3 Hard-Core Predicates

By the definition, a one-way function is hard to invert. Stated differently, given a value y = f(x), the value of x is unknown to any polynomial-time inverting algorithm. Thus, f hides information about x, even when f(x) is known. Recall that when f is a permutation, f(x) fully determines x. Nevertheless, x is still hidden to any polynomial-time algorithm.

One may have the impression that this means that x is completely unknown, even given f(x). However, this is not the case. Indeed, a one-way function f may yield a lot of information about its input, and yet still be hard to invert. For example, let f be a one-way function and define $g(x_1, x_2) = (f(x_1), x_2)$, where $|x_1| = |x_2|$. Then, it is easy to show that g is also a one-way function, even though it reveals half of its input (the proof that g is one-way is left as an exercise). For our applications, we will need to classify what information is truly hidden by f. This is exactly the purpose of a hard-core predicate.

$^1$ We remark that students who have taken a course in complexity or who have studied NP-completeness may be familiar with the subset-sum problem and the fact that it is NP-complete. We stress that NP-completeness does not imply one-wayness because NP-completeness relates to worst-case complexity and not average case as we consider here. Thus, our belief that this function is one-way is based on the lack of known algorithms to solve this problem, and not on the fact that the general problem is NP-complete.
