Cryptography - Hardcore Bits

Let $f : {0,1}^{n} \to {0,1}^{n}$ be a permutation. A $(t, ε)$ -hardcore bit is a function $B : {0,1}^{n} \to {0,1}$ (predicate) such that for any $t$ -time algorithm $M$ we have

∣ \Pr [M (f (X)) = B (X) ∣ X \leftarrow {0,1}^{n}] - 1 / 2 ∣ < ε

(" $B (x)$ is hard to compute from $f (x)$ .")

Examples:

Hardcore bit of discrete log [Blum-Micali '81]: Let $p$ be an $n$ -bit prime, $g \in ℤ_{p}^{*}$ . Define $B : ℤ_{p}^{*} \to {0,1}$ as

B (x) = msb (x) = {\begin{matrix} 0 & if x < p / 2 \\ 1 & if x > p / 2 \end{matrix}

Theorem: $B (x)$ is a $(t, ε)$ -hardcore bit of $f (x) = g^{x} \mod p$ assuming there is no $t n^{3} / ε$ -time discrete log algorithm in $ℤ_{p}^{*}$ (that succeeds with constant probability).

Hardcore bit of RSA [ACGS '84]: Let $N = pq$ be an $n$ -bit RSA modulus and $e \geq 2$ . Define $B (x) = lsb (x) = x \mod 2$ ( $B : ℤ_{n} \to {0,1}$ .)

Theorem: $B (x)$ is a $(t, ε)$ -hardcore bit of $f (x) = x^{e} \mod N$ assuming there is no $t n^{2} / ε^{3}$ -time $e$ th root algorithm for $ℤ_{N}^{*}$ .

The Blum-Micali generator is a PRNG that is constructed from hardcore bits.

Hardcore bits for general one-way permutations

It is possible to find a hardcore bit of any given one-way permutation:

Yao's XOR Lemma ['82]
Goldreich-Levin ['87]
Naslund ['96]

Yao's Method

Let $f : {0,1}^{n} \to {0,1}^{n}$ be $(t, ε)$ -one-way.

First we note that there exists $1 \leq i \leq n$ such that for all $(t / n)$ -time algorithms $A$ ,

\Pr [A (f (x)) = x ∣_{i}] < 1 - (1 - ε) / n

(If not, then for all $i$ there exists an algorithm $A_{i}$ with $\Pr [A_{i} (f (x)) = x_{i}] \geq 1 - (1 - ε) / n$ , which would imply $\Pr [(for all i) A_{i} (f (x)) = x ∣_{i}] \geq ε$ by the union bound, a contradiction.

Yao's XOR Lemma

Theorem: Suppose $B : {0,1}^{n} \to {0,1}$ is a predicate such that for all $t$ -time algorithms $A$ , $\Pr [A (f (x)) = x] < 1 - ε$ . Define $B_{m} (x_{1}, . . ., x_{m}) = B (x_{1}) \oplus . . . \oplus B (x_{m})$ . Then if $m = ⌊ 1 / ε ⌋$ , then for all $(t / m)$ -time $A_{m}$ , we have

\Pr [A_{m} (f (x_{1}), . . ., f (x_{m})) = B_{m} (x_{1}, . . ., x_{m})] < 1 / 2 + ε

(where $x_{1}, . . ., x_{m} \leftarrow {0,1}^{n}$ ).

This implies that for $m = ⌊ 1 / ε ⌋$ , $B_{m}$ is a $(t / m, ε)$ -hardcore bit of $f (x_{1}) ∣ ∣ . . . ∣ ∣ f (x_{m})$ .

Goldreich-Levin Method

Given $x, y \in {0,1}^{n}$ , define $⟨ x, y ⟩ = \sum_{i = 1}^{n} x_{i} y_{i} mod 2$ .

Let $f : {0,1}^{n} \to {0,1}^{n}$ be a $(t, ε / 2)$ -one-way permutation. Define $g : {0,1}^{2 n} \to {0,1}^{2 n}$ by $g (x, r) = f (X) ∣ ∣ r$ . Define $B : {0,1}^{2 n} \to {0,1}$ by $B (x, r) = ⟨ x, r ⟩$ .

Theorem: Let $f$ be a $(t, ε / 2)$ -one-way permutation. Then $B$ is $(t', ε)$ -hardcore for $g$ where $t' = t / TIME (GL)$ , where GL is the Goldreich-Levin algorithm.

Proof: Suppose $B$ is not $(t', ε)$ hardcore for $g$ . Then there exists a $t'$ -time algorithm $A$ such that

\Pr [A (f (x), r) = ⟨ x, r ⟩ ∣ x, r \leftarrow {0,1}^{n}] > 1 / 2 + ε

Define the set $S \subseteq {0,1}^{n}$ by

{x \in {0,1}^{n} ∣ \Pr [A (f (x), r) = ⟨ x, r ⟩ ∣ r \leftarrow {0,1}^{n}] > 1 / 2 + ε / 2}

In other words, all $x$ 's that the algorithm works with good probability.

By a counting argument, $∣ S ∣ > (ε / 2) 2^{n}$ . We shall construct an algorithm $D$ such that for all $x \in S$ , $D (f (x)) = x$ with $E [TIME (D)] = t' TIME (GL) = O (t' (n^{2} / ε^{2}))$ .

For a fixed $x \in S$ , define $A_{x} (r) = A (f (x), r)$ . Then $\Pr_{r} [A_{x} (r) = ⟨ x, r ⟩] > 1 / 2 + ε / 2$ .

The Goldreich-Levin Algorithm: given an oracle for $A_{x}$ , the algorithm outputs all $y \in {0,1}^{n}$ such that $\Pr [A_{x} (r) = ⟨ y, r ⟩] > 1 / 2 + ε / 2$ with running time $O (n^{2} / ε^{2})$ .

It turns out there are at most $1 / ε^{2}$ such $y \in {0,1}^{n}$ .

Then $D$ works by scanning the output of the $GL$ algorithm to find $f^{- 1} (f (x))$ .

The Rackoff method for the GL algorithm corrects the predictor probability for $A$ from $1 / 2 + ε$ to $1 - ε$ . This corrected predictor can be used to find $x$ .

Every one-way permutation has an efficient hardcore bit.
The proof is based on a noisy predictor for the inner product.
The GL algorithm is found in learning theory.

Naslund Method

Let $f : 𝔽_{p} \to {0,1}^{n}$ be a one-to-one function for some $n$ -bit prime. Define $g (x, a, b) = [f (x), a, b)]$ where $a, b \in 𝔽_{p}$ . Then for $1 \leq i \leq n - Ω (\log n)$ , define $B_{i} (x, a, b) = (ax + b mod p) ∣_{i}$ . Note we ignore the $\log n$ most significant bits because they are biased.

Theorem: If $f$ is $(t, ε / 2)$ -one-way, then for all $1 \leq i \leq n - Ω (\log n)$ , $B_{i}$ is $(t', ε')$ -hardcore for $g$ where $t' = t / TIME (Naslund) = t (n^{2} / ε^{2})$ and $ε' = ε + (c / p)$ for some constant $c$ .

Proof: Suppose there exists $i, A_{i}$ such that

\Pr [A_{i} (f (x), a, b) = (ax + b) ∣_{i} > 1 / 2 + ε

Define $S \subseteq F_{p}$ by

S = {x \in 𝔽_{p} ∣ \Pr_{a, b} [A_{i} ((f (x), a, b) = (ax + b) ∣_{i}] > 1 / 2 + ε' / 2}

We shall build an algorithm $D$ such that for all $x \in S$ , $D (f (x)) = x$ and the running time of $D$ is $t (n^{2} / ε^{2})$ . Naslund's algorithm finds all such $x$ in time $n^{2} / ε^{2}$ .

Corollary: Let $p, q$ be prime, and suppose $q$ is $n$ -bits. Let $g \in ℤ_{p}^{*}$ be an element of order $q$ . Let $G = ⟨ g ⟩ ◃ 𝔽_{p}^{*}$ . Then for all $1 \leq i \leq n - Ω (\log n)$ , $x ∣_{i}$ is $(t, ε)$ -hardcore for $f (x) = g^{x} mod p$ assuming no $(t n^{2} / ε^{2})$ -time discrete logarithm algorithm exists.

Proof: Suppose there exists $i, A_{i}$ such that

\Pr_{x \in 𝔽_{p}} [A_{i} (g^{x} mod p) = x ∣_{i}] > 1 / 2 + ε

and $A_{i}$ runs in time $t$ . Then we shall construct a discrete log algorithm that outputs $x$ when given $y = g^{x} mod p$ . Define $B_{y} (a, b) = (ax + b \mod q) ∣_{i}$ .

Then $B_{y} (a, b) = {Dlog}_{g} (y^{a} g^{b}) ∣_{i}$ and

\Pr_{a, b} [A_{i} (y^{a} g^{b}) = (ax + b mod q) ∣_{i}] > 1 / 2 + ε .

Naslund's algorithm will find all $x$ 's that satisfy the above, and one of them is the discrete log of $y$ .

Subset Sum Generator [IN '88]

Let $a_{1}, . . ., a_{n} \in 𝔽_{p}$ where $p$ is an $m$ -bit prime, and let $s \in {0,1}^{n}$ . Set $b = \sum_{i = 1}^{n} s_{i} a_{i}$ . The subset sum problem is to find $s$ given $a_{1}, . . ., a_{n}, b$ . The problem is believed to be hard for $n \approx m \approx 1000$ on random instances.

Take $m = (1 + ε) n$ , for, say, $ε = 1 / 10$ .

Define a generator as follows

G (a_{1}, . . ., a_{n}, s) = (a_{1}, . . ., a_{n}, \sum_{i = 1}^{n} s_{i} a_{i}) .

On every iteration, $G$ produces $mn + m$ bits from $mn + n$ bits.

Theorem [IN]: $G$ is a $(t, ε)$ -PRNG assuming no $t n^{2} / ε^{2}$ -time subset sum algorithm exists.

Proof: Suppose there exists $A$ that $(t, ε)$ -distinguishes between

{(a_{1}, . . ., a_{n}, R) ∣ a_{1}, . . ., a_{n} \leftarrow 𝔽_{p}}

and

{(a_{1}, . . ., a_{n}, b) ∣ a_{1}, . . ., a_{n} \leftarrow 𝔽_{p}, s \leftarrow {0,1}^{n}, b = \sum_{i = 1}^{n} s_{i} a_{i}}

Then we shall construct an algorithm that takes as input $a_{1}, . . ., a_{n}, b \in 𝔽_{p}$ and whose goal is to find $s \in {0,1}^{n}$ .

To do this, we build a predictor $D$ such that

\Pr [D (a_{1}, . . ., a_{n}, b, r) = ⟨ r, s ⟩] > 1 / 2 + ε

and then use the Goldreich-Levin algorithm to find $s$ . $D$ is given $a_{1}, . ., a_{n} \in 𝔽_{p}, r \in {0,1}^{n}$ , and works as follows:

Pick random $t \leftarrow 𝔽_{p}$ , $k \leftarrow {0, . . ., n}$
Define $a'_{i} = a_{i}$ if $r_{i} = 0$ , otherwise $a'_{i} = a_{i} + t$ if $r_{i} = 1$
Run algorithm $A$ on input $(a'_{0}, . . ., a'_{n}, b + kt)$ .
If $A$ fails, output $parity (k)$ , otherwise output $1 - parity (k)$ .