Hard-core predicate

In cryptography, a hard-core predicate of a one-way function f is a predicate b (i.e., a function whose output is a single bit) which is easy to compute given x but is hard to compute given f(x). In formal terms, there is no probabilistic polynomial-time (PPT) algorithm that computes b(x) from f(x) with probability significantly greater than one half over random choice of x.[1]:34 In other words, if x is drawn at uniformly random, then given f(x), any PPT adversary can only distinguish the hard-core bit b(x) and a uniformly random bit with negligible advantage over the length of x. [2]

A hard-core function can be defined similarly. That is, if x is chosen at uniformly random, then given f(x), any PPT algorithm can only distinguish the hard-core function value h(x) and uniformly random bits of length |h(x)| with negligible advantage over the length of x. [3][4]

A hard-core predicate captures "in a concentrated sense" the hardness of inverting f.

While a one-way function is hard to invert, there are no guarantees about the feasibility of computing partial information about the preimage c from the image f(x). For instance, while RSA is conjectured to be a one-way function, the Jacobi symbol of the preimage can be easily computed from that of the image.[1]:121

It is clear that if a one-to-one function has a hard-core predicate, then it must be one way. Oded Goldreich and Leonid Levin (1989) showed how every one-way function can be trivially modified to obtain a one-way function that has a specific hard-core predicate.[5] Let f be a one-way function. Define

g(x, r) = (f(x), r),

where the length of r is the same as that of x. Let xj denote the jth bit of x and rj the jth bit of r. Then

b(x, r) := <x, r> = ⊕j xj · rj

is a hard core predicate of g. Note that b(x, r) = <x, r> where <·, ·> denotes the standard inner product on the vector space (Z2)n. This predicate is hard-core due to computational issues; that is, it is not hard to compute because g(x, r) is information theoretically lossy. Rather, if there exists an algorithm that computes this predicate efficiently, then there is another algorithm that can invert f efficiently.

A similar construction yields a hard-core function with O(log |x|) output bits. Suppose f is a strong one-way function. Define g(x, r) = (f(x), r) where |r| = 2|x|. Choose a length function l(n) = O(log n) s.t. l(n)n. Let

bi(x, r) = ⊕j xj · ri+j.

Then h(x, r) := b1(x, r) b2(x, r) ... bl(|x|)(x, r) is a hard-core function with output length l(|x|). [6]

It is sometimes the case that an actual bit of the input x is hard-core. For example, every single bit of inputs to the RSA function is a hard-core predicate of RSA and blocks of O(log |x|) bits of x are indistinguishable from random bit strings in polynomial time (under the assumption that the RSA function is hard to invert).[7]

Hard-core predicates give a way to construct a pseudorandom generator from any one-way permutation. If b is a hard-core predicate of a one-way permutation f, and s is a random seed, then

{b(fn(s))}n

is a pseudorandom bit sequence, where fn means the n-th iteration of applying f on s, and b is the generated hard-core bit by each round n. [1]:132

Hard-core predicates of trapdoor one-way permutations (known as trapdoor predicates) can be used to construct semantically secure public-key encryption schemes.[1]:129

See also

References

  1. 1 2 3 4 Goldwasser, S. and Bellare, M. "Lecture Notes on Cryptography". Summer course on cryptography, MIT, 1996-2001
  2. Definition 2.4 in Lindell, Yehuda. "Foundations of Cryptography 89-856" (PDF). Computer Science, Bar Ilan University. Bar Ilan University. Retrieved 11 January 2016.
  3. Goldreich's FoC, vol 1, def 2.5.5.
  4. Definition 3 in Holenstein, Thomas; et al. "Complete Classification of Bilinear Hard-Core Functions" (PDF). IACR eprint. IACR. Retrieved 11 January 2016.
  5. O. Goldreich and L.A. Levin, A Hard-Core Predicate for all One-Way Functions, STOC 1989, pp2532.
  6. Goldreich's FoC, vol 1, Theorem 2.5.6.
  7. J. Håstad, M. Naslund, The Security of all RSA and Discrete Log Bits (2004): Journal of the ACM (JACM), 2004.
This article is issued from Wikipedia - version of the Wednesday, February 17, 2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.