Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems
M. Bellare, S. Halevi, A. Sahai, S. Vadhan
Introduction
• One-way function
  • Easy to compute, hard to invert
• Trapdoor function
  • One-way function
  • Hard to invert; but with the trapdoor, easy to invert
• An injective (one-to-one) trapdoor function suffices for a public-key cryptosystem (proved by Yao).
• Injectivity can guarantee unique decryption.
Several questions arise
• What is the relationship between one-way functions and trapdoor functions?
• Do one-way functions imply trapdoor functions?
• Does a public-key cryptosystem require an injective trapdoor function?
• Can a non-injective trapdoor function be used to construct a public-key cryptosystem?
• If yes, what is the domain size of such a non-injective trapdoor function?
Definitions:
• PPT: probabilistic polynomial time
• x||y: concatenation of two strings x and y
• x S: select an element from the set S
• Pre-images of y under a function f: f⁻¹(y) = { x ∈ Dom(f) : f(x) = y }
• Injective: a function is said to be injective if Dom(f) = Range(f).
• One-wayness: a function is said to be one-way if InvProb_f(I, k) is negligible for any PPT algorithm I.
Trapdoorness:
• A function f is said to be trapdoor if, knowing the “trapdoor information” tp, one can invert f.
• Formally, there exists a PPT algorithm F-Inv(f, tp, y) which, for all y ∈ Range(f), outputs an element of f⁻¹(y) with probability 1.
Predicate:
• A probabilistic function p with domain {0,1}: it takes a bit b and flips coins r to generate some output y = p(b; r).
Decryption error (k) of a predicate:
• If there exists a PPT algorithm P-Inv which, knowing the trapdoor, fails to decrypt only with probability:
• is at most (k)
From one-way functions to trapdoor functions
• Theorem: Suppose there exists a family of one-way functions. Then there exists a family of trapdoor, one-way functions.
• Proof: Given a family of one-way functions, construct a family of trapdoor one-way functions.
• Given f, we construct a g which “mimics” f but embeds a trapdoor.
• = f(), where is trapdoor of g, and is the image of the trapdoor under f.
• Is g a one-way trapdoor function?
• If knowing , a pre-image of z under g is (z, , ). So knowing the trapdoor, one can invert g. g is a trapdoor function.
• Without knowing, can we invert g?
• If g(y, x, v) = z then either f(v) = z or f(x) = . To calculate g⁻¹(z) requires inverting f at either z or , both of which are hard by the one-wayness of f.
• g is a one-way function.
• g is a one-way trapdoor function.
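The construction above, written out as an added example (not code from the slides or the paper). The case split inside `g` is an assumption chosen to match the slide's statements that (z, trapdoor, ·) is a pre-image of z and that g(y, x, v) = z forces f(v) = z or f(x) = image of the trapdoor; SHA-256 stands in for the one-way function f, and the names `alpha`, `beta`, `keygen` and `invert_with_trapdoor` are hypothetical.

```python
import hashlib
import os

def f(v: bytes) -> bytes:
    # Stand-in for a one-way function (assumption): SHA-256.
    return hashlib.sha256(v).digest()

def keygen():
    # alpha is the trapdoor; beta = f(alpha) is its image and is public.
    alpha = os.urandom(32)
    return f(alpha), alpha

def g(beta: bytes, y: bytes, x: bytes, v: bytes) -> bytes:
    # g "mimics" f on its last input, unless the middle input is a
    # pre-image of beta, in which case it simply outputs y.
    return y if f(x) == beta else f(v)

def invert_with_trapdoor(alpha: bytes, z: bytes):
    # With the trapdoor, (z, alpha, v) is a pre-image of z for every v;
    # the all-zero v is an arbitrary choice.
    return (z, alpha, bytes(32))

if __name__ == "__main__":
    beta, alpha = keygen()
    z = f(b"some target value")
    y, x, v = invert_with_trapdoor(alpha, z)
    print("trapdoor inversion works:", g(beta, y, x, v) == z)
    # Without alpha, producing z means finding v with f(v) = z or x with
    # f(x) = beta, i.e. inverting f.
    print("mimics f otherwise:", g(beta, z, b"not-the-trapdoor", b"v") == f(b"v"))
```

Every choice of v gives another pre-image of the same z, so this g is many-to-one with pre-image sets far larger than the polynomially bounded size required by the later theorem on building predicates from trapdoor functions.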
Does a public-key cryptosystem require an injective trapdoor function?
• Unapproximable trapdoor predicates and semantically secure public-key cryptosystems are equivalent.
• So the question becomes whether unapproximable trapdoor predicates imply injective trapdoor functions.
From trapdoor functions to cryptosystem
• Theorem: If there exist trapdoor one-way function families with polynomially bounded pre-image size, then there exists a family of unapproximable trapdoor predicates with exponentially small decryption error.
• Proof: Given a trapdoor one-way function F, construct an unapproximable family of trapdoor predicates P with decryption error ½ - 1/poly(k), and reduce the decryption error by repetition to get the family claimed in the theorem.
Claim: p is an unapproximable trapdoor predicate family, with decryption error at most ½ - 1/[2Q(k)]
• The output of p is (f(x), r, )
• b = (xr)
• x’ = F-Inv(f, tp, y) and b’ = (x’r)
• Since f is not an injective function, even with tp, x’ may not be equal to x.
• If x’ = x, then b’ = b.
• If x’ ≠ x, then b’ = b with probability at most ½, since r is randomly chosen. The chance that x = x’ is at least 1/Q(k) (the size of the pre-image of f is Q(k)).
• So
To prove the theorem, we need a predicate with exponentially small decryption error.
• The predicate is constructed as
• A polynomial number of p(b) are concatenated to form the final predicate.
• To decrypt b with tp, let bi’ = P-Inv(p, tp, (yi, ri, i)). It outputs b’, which is 1 if the majority of the bi’ are 1 and 0 otherwise.
• bi’ has decryption error ½ - 1/[2Q(k)]; b has exponentially small decryption error.
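The error bound in the claim and the effect of majority-vote repetition can be checked exactly on a toy instance. This is an added example, not code from the slides or the paper: it assumes the third output component of p is b XOR the inner product of x and r (the slide's symbols are lost), and it uses a toy many-to-one f with pre-image size Q = 4 that is not one-way; all function names are hypothetical.

```python
from fractions import Fraction
from math import comb

K = 8   # bit length of x and r (toy size, small enough to enumerate)
Q = 4   # pre-image size of the toy f below

def f(x):
    # Toy many-to-one function: drops the low 2 bits, so every y has Q = 4
    # pre-images. NOT one-way; it only models the pre-image structure.
    return x >> 2

def f_inv(y):
    # Stand-in for F-Inv(f, tp, y): returns *some* pre-image (the smallest).
    return y << 2

def ip(x, r):
    # Inner product of the bit strings x and r, mod 2.
    return bin(x & r).count("1") & 1

def p(b, x, r):
    # Predicate output (f(x), r, b XOR <x, r>); third component is assumed.
    return (f(x), r, b ^ ip(x, r))

def p_inv(c):
    # Decrypt with the trapdoor: rebuild the mask from the recovered x'.
    y, r, s = c
    return s ^ ip(f_inv(y), r)

def single_error():
    # Exact decryption error over every bit b and all coins (x, r).
    bad = sum(p_inv(p(b, x, r)) != b
              for b in (0, 1) for x in range(2**K) for r in range(2**K))
    return Fraction(bad, 2 * 4**K)

def majority_error(e, n):
    # Probability that more than half of n independent copies (n odd)
    # decrypt wrongly, i.e. that the majority vote outputs the wrong bit.
    a, d = e.numerator, e.denominator
    wrong = sum(comb(n, j) * a**j * (d - a)**(n - j)
                for j in range(n // 2 + 1, n + 1))
    return Fraction(wrong, d**n)

if __name__ == "__main__":
    e = single_error()
    print("single copy:", e, "claimed bound:", Fraction(1, 2) - Fraction(1, 2 * Q))
    for n in (1, 11, 101, 301):
        print(f"majority of {n:3d} copies: error {float(majority_error(e, n)):.3e}")
```

On this instance the single-copy error meets the bound ½ - 1/[2Q] with equality, because the inverter recovers the encryptor's x exactly one time in Q and guesses correctly half the time otherwise.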
Several known results so far
• Existence of unapproximable trapdoor predicates is equivalent to the existence of semantically secure public-key encryption.
• Injective trapdoor one-way functions can be used to construct unapproximable trapdoor predicates.
Question
• Can unapproximable trapdoor predicates be used to construct injective trapdoor one-way functions?
• If it is possible to implement, using one-way functions, a function G with “sufficiently strong randomness properties” to maintain the security of this scheme, then the question would have a positive answer.
From a predicate to a function, we need de-randomization while maintaining the one-wayness of the function.
• Method 1:
  • It is one-way [Yao]. However, it is not a trapdoor function, because even with the trapdoor information, we cannot recover r1, r2, …, rk.
• Method 2:
  • Where G is a pseudo-random generator.
  • It is proved that f is not one-way either.
Method 3: Use a truly random function G, i.e., a random oracle.
• To invert f, we need to invert p(b1; r1), p(b2; r2), …, p(bk; rk).
• Even knowing r1, r2, r3, …, rk, since G is a truly random generator, b1, b2, …, bk are totally independent of r1, r2, r3, …, rk. And each p is unapproximable, so f is a one-way function.
• Theorem: If there exists a family of unapproximable trapdoor predicates, then there exists a family of injective trapdoor one-way functions in the random oracle model.