update notations and fix typos
@@ -98,7 +98,7 @@ $x_1\equiv x_2\mod N$
So it's one-to-one.
EOP
QED
Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$
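Review bot: the trailing context line `Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$` chains two "let" clauses and uses bare `\mod` inside a congruence; for a commit titled "update notations" it would read better as `Let $y\in\mathbb{Z}_N^*$ and set $x=y^d \bmod N$, where $d\equiv e^{-1}\pmod{\phi(N)}$`. The EOP to QED swap itself is purely cosmetic and fine.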
@@ -130,7 +130,7 @@ By RSA assumption
The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$.
EOP
QED
#### Theorem If inverting RSA is hard, then factoring is hard.
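Review bot: the context line mixes two sampling notations in one sentence, `sampling $y\in D$ directly` versus `sampling $x\gets D$`; since this commit is about notation, use `$y\gets D$` for both. The equivalence also only holds for uniform sampling (a bijection $f:D\to D$ maps the uniform distribution on $D$ to itself), so the sentence should say "sampling $y\gets D$ uniformly" once.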
@@ -119,7 +119,7 @@ $\mathcal{D}$ can distinguish $x_{i+1}$ from a truly random $U_{i+1}$, knowing t
So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT)
EOP
QED
## Pseudorandom Generator
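Review bot: `(contradicting with that $X$ passes NBT)` in the context line is ungrammatical and leaves NBT unexpanded in this hunk; suggest `(contradicting the assumption that $X$ passes the next-bit test)`. A typo-fixing commit that already touches this line is the natural place for it.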
@@ -186,4 +186,4 @@ By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i
For $H_0$,
EOP
QED
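Review bot: the distinguisher is written plain `$D$` in this hunk's header line but `$\mathcal{D}$` in the `@@ -119,7 +119,7 @@` hunk above; for a commit named "update notations" the two files should agree on one symbol. The context line `For $H_0$,` ends mid-sentence with its continuation outside the hunk, so there is nothing further to check here.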
@@ -35,7 +35,7 @@ $(r_1,F(r_1)),\ldots, (r_q,F(r_q))$
So $D$ distinguishing output of $r_1,\ldots, r_q$ of PRF from the RF, this contradicts with definition of PRF.
EOP
QED
Noe we have
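Review bot: the trailing context line still reads `Noe we have` (should be `Now we have`), a typo this "fix typos" commit leaves in place. The leading context line is also a run-on: `So $D$ distinguishing output of $r_1,\ldots, r_q$ of PRF from the RF, this contradicts with definition of PRF.` Suggest `So $D$ distinguishes the PRF outputs on $r_1,\ldots,r_q$ from those of the random function, contradicting the definition of a PRF.`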
@@ -76,7 +76,7 @@ $$
This contradicts the definition of hardcore bit.
EOP
QED
### Public key encryption scheme (multi-bit)
@@ -155,5 +155,5 @@ $$
And proceed by contradiction. This contradicts the DDH assumption.
EOP
QED
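Review bot: the context line `And proceed by contradiction. This contradicts the DDH assumption.` announces the proof strategy and states its conclusion in consecutive sentences, with the reduction step that actually produces the DDH distinguisher absent from these lines; worth confirming the argument exists just above the hunk in the file rather than being missing. `And proceed by contradiction` is also a fragment; `We proceed by contradiction.` reads better.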
@@ -72,7 +72,7 @@ So $\mathcal{B}$ can break the discrete log assumption with non-negligible proba
So $h$ is a CRHF.
EOP
QED
To compress by more, say $h_k:{0,1}^n\to \{0,1\}^{n-k},k\geq 1$, then we can use $h: \{0,1\}^{n+1}\to \{0,1\}^n$ multiple times.
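Review bot: `$h_k:{0,1}^n\to \{0,1\}^{n-k}$` in the trailing context line is missing the escaped braces on the domain: in LaTeX `{0,1}^n` renders as `0,1^n` because unescaped braces are invisible grouping, so it should be `\{0,1\}^n` to match the codomain and the `$h: \{0,1\}^{n+1}\to \{0,1\}^n$` later in the same line. That is exactly the kind of notation fix this commit is for.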
@@ -119,7 +119,7 @@ Case 1: $h_i(m_1)=h_i(m_2)$, Then $\mathcal{A}$ finds a collision of $h$.
Case 2: $h_i(m_1)\neq h_i(m_2)$, Then $\mathcal{A}$ produced valid signature on $h_i(m_2)$ after only seeing $Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$. This contradicts the one-time secure of ($Gen,Sign,Ver$).
EOP
QED
### Many-time Secure Digital Signature
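Review bot: Case 2 in the context line mixes the two schemes' notation: the forgery on `$h_i(m_2)$` is against the underlying one-time scheme `($Gen,Sign,Ver$)`, yet what $\mathcal{A}$ "only saw" is written with primes as `$Sign'_{sk'}(m_1)\neq Sign'_{sk'}(m_2)$`, and that inequality does not say what was seen. Given the case hypothesis `$h_i(m_1)\neq h_i(m_2)$`, suggest `Then $\mathcal{A}$ produced a valid signature on $h_i(m_2)\neq h_i(m_1)$ after seeing only a signature on $h_i(m_1)$, contradicting the one-time security of ($Gen,Sign,Ver$).` Also `one-time secure of` should be `one-time security of`, and the comma followed by capitalised `Then` appears in both cases.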
@@ -98,7 +98,7 @@ Proof:
Then $P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times. $<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}=e^{-n}$ which is negligible function.
EOP
QED
_we can always force the adversary to invert the weak one-way function for polynomial time to reach the property of strong one-way function_
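Review bot: the probability bound in the context line is broken at the markup level: `$P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times.` opens and closes math mode inside the brackets and leaves `times` outside, the adversary is `$a$` here but `$\mathcal{A}$` in the other hunks, and the exponent switches from `$q(n)$` to `$np(n)$` without the line stating that $q(n)=n\,p(n)$. Suggest something like `$\Pr[\mathcal{A}\text{ inverts }g]\le\Pr[\mathcal{A}\text{ inverts all }q(n)\text{ copies of }f]<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<e^{-n}$` with $q(n)=np(n)$ stated where $q$ is introduced (the last step uses $1-x<e^{-x}$ for $x>0$, which is fine). Also `which is negligible function` should be `which is a negligible function`.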