密码学理论基础Foundations of Cryptography.pptVIP

密碼學理論基礎Foundations of Cryptography 呂學一 (中央研究院 資訊科學所) .tw/~hil/ Today 證明h.c.p正派的較弱版本 Pseudorandom generator Part I : 證明h.c.p正派的較弱版本 Theorem Theorem: If f is length-preserving and strongly one-way, then h(xr) ≡ the parity of x·r is a hard-core predicate of the (length-preserving strongly) one-way function g defined by g(xr) = f(x)r for any |x|=|r| Property: Property 1: h(xei) = the i-th bit of x Property 2: h(xα) ? h(xβ) = h(x(α?β)) Strategy of the proof Strategy of the proof: h( ) is not hard-core of g( ) →? a good 猜h →? a good 破f →矛盾 Assumption Assumption: h(xr) is not a hard-core of g(xr) ≡?猜h ?P( ) s.t. 勝(n) ≥ 1/P(n) 勝(n) ≡ Pr [猜h (f(Xn)Rn)= h(XnRn)] - ? Xn 和Rn 為兩個 independent uniform distributed random variable. Definition Def: 命中率 of 猜h on x ≡中(x) ≡ Pr [猜h (f(x)Rn)= h(xRn)] 失(x) = 1 - 中(x) Obs: E[中(Xn)] = ? + 勝(n) E[失(Xn)] = ? - 勝(n) About 好(n) Def: 好(n)= {x?{0,1}n |中(x) ≥ ?+勝(n)/2} 白話: 表示猜h用在猜 h(xRn)時的勝算有平均猜 h(XnRn)的勝算之一半 Lemma 1: Pr [Xn?好(n)] 勝(n) ≥ 1/p(n) Define 破f 破f: input=y=f(x) 0. let n=|y| and l = ?log2(2np(n)2+1) ? 1.For j = 1, 2… l select bj uniformly from {0,1} select rj uniformly from {0,1}n 2.For each non-empty J ? {1… l} compute rJ = ?j?J rj compute bJ = ?j?J bj Define 破f 3.For i = 1, 2…n compute xi = the majority of xiJ = bJ ?猜h(f(x), rJ?ei) over all nonempty J ? {1,…,l} 4.Output x1x2x3…xn Idea Rough idea: 用bj來猜h(xrj) (even if we don’t know x) Obs: 如果bj = h(xrj) ? j=1,…,l → bJ =h(xrJ) ? non-empty J?{1,…,l } Lemma 2 Lemma 2: ?x ?好(n) ?i, if bJ =h(xrJ) holds for all J then Pr [xi = h(xei)] 1- (1/2n) 若Lemma 2正確,則可推出 If x?好(n) and 2l-1式全猜對 then Pr[x=x1x2…xn] (1-(1/2n))n (1/e)?. Proving Lemma 2 Pr [xi = h(xei)] =Pr[|{J: xiJ = h(xei)}| (2l-1)/2] =Pr[|{J: 猜h(f(x), rJ?ei)= h(x, rJ?ei)}| (2l-1)/2] =Pr[|J: 猜h(f(x), UnJ)= h(x, UnJ)}| (2l-1)/2] =Pr[|J: 準J(x)=1| (2l-1)/2] =Pr[ΣJ 準J(x) (2l-1)/2] =Pr[(ΣJ 準J(x))/m?] =……≥ 1- (1/2n) 註1 h(xei) = xiJ = bJ ?猜h(f(x), rJ?ei)……...by 破f