Hard-core predicate

In cryptography, a hard-core predicate of a one-way function f is a predicate b (i.e., a function whose output is a single bit) which is easy to compute (as a function of x) but is hard to compute given f(x). In formal terms, there is no probabilistic polynomial-time (PPT) algorithm that computes b(x) from f(x) with probability significantly greater than one half over random choice of x.^[1]:34 In other words, if x is drawn uniformly at random, then given f(x), any PPT adversary can only distinguish the hard-core bit b(x) and a uniformly random bit with negligible advantage over the length of x.^[2] A hard-core function can be defined similarly. That is, if x is chosen uniformly at random, then given f(x), any PPT algorithm can only distinguish the hard-core function value h(x) and uniformly random bits of length |h(x)| with negligible advantage over the length of x.^[3][4]

A hard-core predicate captures "in a concentrated sense" the hardness of inverting f.

While a one-way function is hard to invert, there are no guarantees about the feasibility of computing partial information about the preimage c from the image f(x). For instance, while RSA is conjectured to be a one-way function, the Jacobi symbol of the preimage can be easily computed from that of the image.^[1]:121

It is clear that if a one-to-one function has a hard-core predicate, then it must be one way. Oded Goldreich and Leonid Levin (1989) showed how every one-way function can be trivially modified to obtain a one-way function that has a specific hard-core predicate.^[5] Let f be a one-way function. Define g(x,r) = (f(x), r) where the length of r is the same as that of x. Let x_j denote the j^th bit of x and r_j the j^th bit of r. Then

[math]\displaystyle{ b(x,r) := \langle x, r\rangle = \bigoplus_j x_j r_j }[/math]

is a hard core predicate of g. Note that b(x, r) = <x, r> where <·, ·> denotes the standard inner product on the vector space (Z₂)ⁿ. This predicate is hard-core due to computational issues; that is, it is not hard to compute because g(x, r) is information theoretically lossy. Rather, if there exists an algorithm that computes this predicate efficiently, then there is another algorithm that can invert f efficiently.

A similar construction yields a hard-core function with O(log |x|) output bits. Suppose f is a strong one-way function. Define g(x, r) = (f(x), r) where |r| = 2|x|. Choose a length function l(n) = O(log n) s.t. l(n) ≤ n. Let

[math]\displaystyle{ b_i(x, r) = \bigoplus_j x_j r_{i+j}. }[/math]

Then h(x, r) := b₁(x, r) b₂(x, r) ... b_l(|x|)(x, r) is a hard-core function with output length l(|x|).^[6]

It is sometimes the case that an actual bit of the input x is hard-core. For example, every single bit of inputs to the RSA function is a hard-core predicate of RSA and blocks of O(log |x|) bits of x are indistinguishable from random bit strings in polynomial time (under the assumption that the RSA function is hard to invert).^[7]

Hard-core predicates give a way to construct a pseudorandom generator from any one-way permutation. If b is a hard-core predicate of a one-way permutation f, and s is a random seed, then

[math]\displaystyle{ \{ b(f^n(s))\}_n }[/math]

is a pseudorandom bit sequence, where fⁿ means the n-th iteration of applying f on s, and b is the generated hard-core bit by each round n.^[1]:132

Hard-core predicates of trapdoor one-way permutations (known as trapdoor predicates) can be used to construct semantically secure public-key encryption schemes.^[1]:129

See also

• List-decoding (describes list decoding; the core of the Goldreich-Levin construction of hard-core predicates from one-way functions can be viewed as an algorithm for list-decoding the Hadamard code).

References

• Oded Goldreich, Foundations of Cryptography vol 1: Basic Tools, Cambridge University Press, 2001.

0.00 (0 votes) Original source: https://en.wikipedia.org/wiki/Hard-core predicate. Read more