
Com Sci 282A: Foundations of                              Prof. Rafail Ostrovsky
Lecture 7
Lecture date: Wednesday, 4 February 2004                  Scribe: Jiejun Kong

1 Examples of pseudorandom generator

1. RSA: The RSA scheme employs a collection of functions indexed by $(N, e)$, where $N$ is the product of two $(\tfrac{1}{2}\log_2 N)$-bit primes, denoted $P$ and $Q$, and $e$ is an integer smaller than $N$ and relatively prime to $\varphi(N) = (P-1)\cdot(Q-1)$. $d$ is the multiplicative inverse of $e$, i.e., $e \cdot d \equiv 1 \pmod{\varphi(N)}$.

RSA encryption/verification is defined as

$$f(x) = x^e \bmod N.$$

RSA decryption/signing is defined as

$$f^{-1}(x) = x^d \bmod N.$$

Given that $d$ and $e$ are relatively prime to $(P-1)\cdot(Q-1)$, it can be shown that these functions are in fact permutations of their domain; in other words, the RSA collection is a collection of permutations. An RSA pseudorandom generator produces a pseudorandom ensemble as follows: (1) choose $x$ from $\mathbb{Z}_N^*$ uniformly at random; (2) output the least significant bit of $x$; (3) replace $x$ with $x^e \bmod N$ and go back to (2).

2. Rabin: Let $P \equiv Q \equiv 3 \pmod 4$ and $N = P \cdot Q$. A Rabin pseudorandom generator produces a pseudorandom ensemble as follows: (1) choose $x$ from $\mathbb{Z}_N^*$ uniformly at random; (2) output the least significant bit of $x$; (3) replace $x$ with $x^2 \bmod N$ and go back to (2).
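As an added example (not part of the lecture notes), the two generators above traced on a constructed toy modulus $N = 7 \cdot 11$; the primes, exponent and seed are assumptions chosen so that every step can be checked by hand, and are far too small for real use.

```python
# Added example, not from the lecture notes. Toy RSA and Rabin generators
# over the constructed modulus N = 7 * 11; real parameters use primes of
# hundreds of bits, these only let the construction be traced by hand.
from math import gcd

P, Q = 7, 11              # constructed primes; both are 3 (mod 4), as Rabin requires
N = P * Q                 # 77
PHI = (P - 1) * (Q - 1)   # phi(N) = 60
E = 7                     # gcd(7, 60) = 1, so E is a valid RSA exponent
D = pow(E, -1, PHI)       # 43, since 7 * 43 = 301 = 1 (mod 60)


def rsa_f(x):
    """RSA forward direction f(x) = x^e mod N (encryption / verification)."""
    return pow(x, E, N)


def rsa_f_inv(y):
    """RSA inverse f^{-1}(y) = y^d mod N (decryption / signing)."""
    return pow(y, D, N)


def rsa_prg(x, nbits):
    """RSA generator: output LSB of x, then x <- x^e mod N; repeat nbits times."""
    if gcd(x, N) != 1:
        raise ValueError("seed must lie in Z_N^*")
    bits = []
    for _ in range(nbits):
        bits.append(x & 1)    # step (2): least significant bit
        x = rsa_f(x)          # step (3): x <- x^e mod N
    return bits


def rabin_prg(x, nbits):
    """Rabin generator: same loop, but x <- x^2 mod N."""
    if P % 4 != 3 or Q % 4 != 3:
        raise ValueError("Rabin generator requires P = Q = 3 (mod 4)")
    if gcd(x, N) != 1:
        raise ValueError("seed must lie in Z_N^*")
    bits = []
    for _ in range(nbits):
        bits.append(x & 1)
        x = pow(x, 2, N)
    return bits
```

With such a tiny modulus both sequences cycle after a handful of steps (the RSA one with period 4 from seed 2), which is exactly why the bit length of $P$ and $Q$ matters.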

It is known that if factoring is broken then RSA is broken, but the converse is not known. Factoring and Rabin, on the other hand, are known to be equally hard.

2 Pseudorandom generator versus one-time pad

A pseudorandom ensemble $G(s)$ can be used as a substitute for the one-time pad. To prove this, we need to show that if the adversary can distinguish $G(s)$ from the truly random ensemble used in the one-time pad, this contradicts the fact that $G(s)$ is pseudorandom.

More formally, we want to prove that $G(s) \oplus M$ and $G(s) \oplus M'$, for any two distinct messages $M$ and $M'$, are polynomially indistinguishable. In other words, for all strings $M = (m_1, m_2, \ldots, m_n)$ and $M' = (m'_1, m'_2, \ldots, m'_n)$, $\forall c$, $\forall$ probabilistic polynomial-time algorithm $A$, $\exists N$ such that $\forall n > N$,
$$\Bigl|\Pr_{\{X_n,\ \text{coins of }A\}}[A(X_n)=1] - \Pr_{\{Y_n,\ \text{coins of }A\}}[A(Y_n)=1]\Bigr| < \frac{1}{n^c},$$
where $X_n = G(s) \oplus M$ and $Y_n = G(s) \oplus M'$.

To prove this property, we need to compare four different encryption cases:

• Real encryption on $M$: we use $G(s) = (s_1, s_2, \ldots, s_n)$ to encrypt $M$.

$$\text{ciphertext}_a = m_1 \oplus s_1 \;\; m_2 \oplus s_2 \;\cdots\; m_n \oplus s_n$$

• Ideal encryption on $M$: we use truly random coin-flips $R = (r_1, r_2, \ldots, r_n)$ to encrypt $M$.

$$\text{ciphertext}_b = m_1 \oplus r_1 \;\; m_2 \oplus r_2 \;\cdots\; m_n \oplus r_n$$

• Ideal encryption on $M'$: we use truly random coin-flips $R' = (r'_1, r'_2, \ldots, r'_n)$ to encrypt $M'$.

$$\text{ciphertext}_c = m'_1 \oplus r'_1 \;\; m'_2 \oplus r'_2 \;\cdots\; m'_n \oplus r'_n$$

• Real encryption on $M'$: we use $G(s) = (s_1, s_2, \ldots, s_n)$ to encrypt $M'$.

$$\text{ciphertext}_d = m'_1 \oplus s_1 \;\; m'_2 \oplus s_2 \;\cdots\; m'_n \oplus s_n$$

Sketch: Between $\text{ciphertext}_a$ and $\text{ciphertext}_b$ we use the definition of pseudorandomness. The same strategy applies to the difference between $\text{ciphertext}_c$ and $\text{ciphertext}_d$. We then use an information-theoretic argument to handle the difference between $\text{ciphertext}_b$ and $\text{ciphertext}_c$.

Proof. By definition we have $\forall c$, $\forall$ probabilistic polynomial-time $A$, $\exists N_1$ such that $\forall n > N_1$,
$$\Bigl|\Pr_{\{\text{ciphertext}_a,\ \text{coins of }A\}}[A(\text{ciphertext}_a)=1] - \Pr_{\{\text{ciphertext}_b,\ \text{coins of }A\}}[A(\text{ciphertext}_b)=1]\Bigr| < \frac{1}{n^c}.$$

Similarly, $\forall c$, $\forall$ probabilistic polynomial-time algorithm $A$, $\exists N_2$ such that $\forall n > N_2$,
$$\Bigl|\Pr_{\{\text{ciphertext}_c,\ \text{coins of }A\}}[A(\text{ciphertext}_c)=1] - \Pr_{\{\text{ciphertext}_d,\ \text{coins of }A\}}[A(\text{ciphertext}_d)=1]\Bigr| < \frac{1}{n^c}.$$

By an information-theoretic argument, we know that $\forall c$, $\forall$ probabilistic polynomial-time algorithm $A$, $\exists N_3$ such that $\forall n > N_3$,
$$\Bigl|\Pr_{\{\text{ciphertext}_b,\ \text{coins of }A\}}[A(\text{ciphertext}_b)=1] - \Pr_{\{\text{ciphertext}_c,\ \text{coins of }A\}}[A(\text{ciphertext}_c)=1]\Bigr| = \frac{1}{2^n} < \frac{1}{n^c}.$$

Combining these inequalities, we have $\forall c$, $\forall$ probabilistic polynomial-time algorithm $A$, $\exists N_4 = 3 \cdot \max(N_1, N_2, N_3)$ such that $\forall n > N_4$,
$$\Bigl|\Pr_{\{\text{ciphertext}_a,\ \text{coins of }A\}}[A(\text{ciphertext}_a)=1] - \Pr_{\{\text{ciphertext}_d,\ \text{coins of }A\}}[A(\text{ciphertext}_d)=1]\Bigr| < \frac{1}{3 n^c} + \frac{1}{3 n^c} + \frac{1}{3 n^c} = \frac{1}{n^c}.$$

3 Application of pseudorandom generator: Bit commitment

These notes explain two versions of Bit Commitment and the construction of Bit Commitment protocols based on cryptographic primitives.

Let’s recall the problem of Bit Commitment (BC). There are two communicating parties, a sender S and a receiver R. BC takes place in two stages: first, in the commit stage, a bit b is committed to; then, in the reveal stage, the bit is revealed. For this protocol to be useful we want it to have the following two properties:

1. R has no knowledge of the value of b until S wishes him to know it.
2. S cannot change the value of his commitment, i.e., decommit to a different value after committing to it.

There are two properties of a BC protocol:

1. Security: The complexity of R learning the value of b, i.e., how well b is “hidden”.
2. Binding: The complexity of S being able to “cheat” (change the value of his commitment without R detecting it), i.e., how “binding” the commitment is for the sender.

3.1 Computationally Secure/Perfectly Binding BC (CS/PB)

Computationally Secure/Perfectly Binding BC has the following properties:

1. After commitment, b is well defined, i.e., the sender will never be able to cheat and decommit to both a 0 and a 1.

2. b is hidden only computationally.

Here S is an unbounded adversary of arbitrary complexity, but R must be bounded to polynomial time. The following is an example of a CS/PB BC protocol. Let f be a one-way permutation, and let HCB(x) be a hard-core bit of the string x with respect to f; then the following is a CS/PB BC protocol for a bit b:

S                                    communication            R
Generate a random string x.
Let c = b ⊕ HCB(x).
Commitment:                          → f(x), c →
Decommitment:                        → x, b →
                                                              Verify c = b ⊕ HCB(x).

Let’s examine the protocol in detail and see why it is in fact CS/PB. In order to cheat, the sender has to be able to find a value of x with the property that

$$\mathrm{HCB}(f^{-1}(f(x))) = \{0, 1\},$$

i.e., the committed value f(x) would have to have preimages with both hard-core bit values. But f is a permutation, so f(x) has exactly one preimage and this is impossible. Therefore the protocol is Perfectly Binding.

On the receiver’s side, we use a contrapositive argument. If R can predict b, then it can predict HCB(x) by computing b ⊕ c. This contradicts the fact that HCB(x) is a hard-core bit against a BPP adversary. Therefore the protocol is Computationally Secure.

3.2 Extending CS/PB BC Protocol Construction to all One-Way Functions

We have seen a CS/PB BC protocol that requires the use of one-way permutations. We now show that such a protocol can be devised using any one-way function f.

The first step of the construction uses the fact established in [1] that any one-way function can be used to build a Pseudo-Random Number Generator (PRG). [2] completes the construction with the result that any PRG can be used to construct a CS/PB BC protocol. We now prove this result.

Let $G : \{0,1\}^n \to \{0,1\}^{3n}$ be a PRG. Let $C(g, r) = c$, where $g, r, c \in \{0,1\}^{3n}$ and the bits of $c$ are defined as follows:
$$c = \begin{cases} g \oplus r & \text{if } b = 1 \\ g & \text{if } b = 0 \end{cases}$$

Now consider the following BC protocol of bit b.

S                                    communication            R
                                     ← r ←                    Choose a random 3n-bit string r.
Choose a random n-bit seed s.
Let g = G(s), c = C(g, r).
Commitment:                          → c →
Decommitment:                        → b, s →
                                                              Verify c = C(G(s), r).

Let’s examine the properties of this protocol. First, we claim that a BPP receiver R cannot distinguish c from a truly random string, i.e., the sequence c is pseudo-random. To see this, observe that if b = 0, then c is just the output of a PRG. If b = 1, then c is the output of a PRG with a random set of bits flipped. The latter case is pseudo-random as well: if it were not, i.e., if we could construct a distinguisher between c and a truly random value, we could use this distinguisher to distinguish the output of the PRG from random, which contradicts the assumption that G is a PRG. Since c is pseudo-random, b is computationally hidden, and the protocol is Computationally Secure.

Next, we claim that an unbounded sender S cannot cheat. More formally, for any two seeds $s_1, s_2$ there is a unique $r$ for which S can cheat, namely the one for which R sees no difference between $s_1$ and $s_2$: $G(s_1)$ must agree with $G(s_2)$ on all bit positions where $r_i = 0$ and disagree with $G(s_2)$ on all bit positions where $r_i = 1$. For example,

G(s_0) = 01100100011 . . .
G(s_1) = 00111001110 . . .
r      = 01011101101 . . .

A simple counting argument shows that, for a random $r$, the probability that such a pair exists is exponentially small. We observe that each pair of seeds corresponds to a single choice of $r$ (since the bits of $r$ are determined by the corresponding bits of $G(s_1)$ and $G(s_2)$ as described above). Next, the number of pairs of $n$-bit seeds is $2^{2n}$. The correspondence between seed pairs and $r$ implies that there exist at most $2^{2n}$ values of $r$ for which there is a pair of seeds $s_1$ and $s_2$ that can be used to cheat. However, there are $2^{3n}$ strings $r$ of length $3n$, so the probability that a random $r$ admits any pair of seeds $s_1, s_2$ that can be used to cheat is at most
$$\frac{2^{2n}}{2^{3n}} = \frac{1}{2^n}.$$
Therefore we have shown that any one-way function can be used to construct a CS/PB BC protocol.
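As an added example (not from the notes or from Naor's paper), the commit/reveal protocol above together with the counting argument for binding, on toy parameters: `G` is assumed to be a stand-in expander built from SHA-256 (the right shape, not a proven PRG), $n$ is 4, and `cheating_r_values` enumerates the $r = G(s_1) \oplus G(s_2)$ that would let the sender open a commitment both ways, so that the $2^{2n}/2^{3n}$ bound can be checked directly.

```python
# Added example, not from the lecture notes or Naor's paper. G is a
# stand-in expander built from SHA-256: it has the shape {0,1}^n -> {0,1}^3n
# the protocol needs but is NOT a proven PRG (an assumption for the demo).
import hashlib
import secrets
from itertools import product


def G(seed, n):
    """Expand an n-bit seed to a 3n-bit integer (toy PRG stand-in)."""
    raw = hashlib.sha256(seed.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(raw, "big") & ((1 << (3 * n)) - 1)


def commit(b, s, r, n):
    """C(g, r) from the notes: g xor r if b = 1, g alone if b = 0."""
    g = G(s, n)
    return g ^ r if b == 1 else g


def verify(c, b, s, r, n):
    """Reveal stage: R recomputes the commitment from (b, s) and its own r."""
    return commit(b, s, r, n) == c


def cheating_r_values(n):
    """All r for which some seed pair lets S open c as both 0 and 1.
    S needs G(s1) = G(s2) xor r, i.e. r = G(s1) xor G(s2): one r per pair."""
    return {G(s1, n) ^ G(s2, n) for s1, s2 in product(range(1 << n), repeat=2)}


def cheating_fraction(n):
    """Fraction of 3n-bit r that admit cheating; at most 2^2n / 2^3n = 2^-n."""
    return len(cheating_r_values(n)) / (1 << (3 * n))


def run_protocol(b, n):
    """One honest run: R sends r, S commits with a fresh seed, R verifies."""
    r = secrets.randbits(3 * n)     # R: random 3n-bit string, sent to S
    s = secrets.randbits(n)         # S: random n-bit seed
    c = commit(b, s, r, n)          # commit stage, S -> R: c
    return verify(c, b, s, r, n)    # reveal stage, S -> R: b, s
```

Note that $r = 0$ is always in the cheating set (it arises from $s_1 = s_2$), which is why the receiver, not the sender, must choose $r$.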

References

[1] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby. A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 28(4):1364–1396, 1999.

[2] M. Naor. Bit Commitment Using Pseudorandomness. Journal of Cryptology, 4(2):151–158, 1991.
