proof format updates using gfm
@@ -86,7 +86,10 @@ f(N,e):\mathbb{Z}_N^*\to \mathbb{Z}_N^*
$$
is a bijection.
Proof: Suppose $x_1^e\equiv x_2^e\mod n$
<details>
<summary>Proof</summary>
Suppose $x_1^e\equiv x_2^e\mod n$
Then let $d=e^{-1}\mod \phi(N)$ (exists b/c $e\in\phi(N)^*$)
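Review bot: the modulus is written inconsistently in this hunk: the theorem is stated over $\mathbb{Z}_N^*$, but the first body line of the new block reads `Suppose $x_1^e\equiv x_2^e\mod n$`; use `\mod N` throughout. The justification `(exists b/c $e\in\phi(N)^*$)` is also imprecise: what makes $d=e^{-1}\mod \phi(N)$ exist is $e\in\mathbb{Z}_{\phi(N)}^*$, i.e. $\gcd(e,\phi(N))=1$, so state that condition explicitly (and spell out "because"), since this is the one place the RSA key constraint enters the proof. The `<details>`/`<summary>` conversion itself is fine; the blank line after `<summary>Proof</summary>` is what lets GFM render the math inside the block, so keep it in the other hunks as well.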
@@ -98,13 +101,14 @@ $x_1\equiv x_2\mod N$
So it's one-to-one.
QED
</details>
Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$, where $d\equiv e^{-1}\mod \phi(N)$
$x^e\equiv (y^d)^e \equiv y\mod n$
Proof:
<details>
<summary>Proof</summary>
It's easy to sample from $I$:
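Review bot: `QED` and `</details>` are emitted right after `So it's one-to-one.`, but the surjectivity half of the bijection proof (`Let $y\in \mathbb{Z}_N^*$, letting $x=y^d\mod N$ ...` and `$x^e\equiv (y^d)^e \equiv y\mod n$`) follows them, outside the collapsed block. Move the `QED`/`</details>` pair below the `$x^e\equiv\dots$` line so the whole bijection proof sits inside one block, and change `\mod n` to `\mod N` there too. The step $(y^d)^e\equiv y$ also relies on $ed\equiv 1\mod \phi(N)$ together with Euler's theorem; a half-sentence saying so would make it self-contained. Finally, a bare `Proof:` line still stands directly above the new `<details>` for the sampling proof, so the rendered page would show `Proof:` followed by a collapsible also titled `Proof`; drop the bare line as the first hunk does.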
@@ -130,7 +134,7 @@ By RSA assumption
The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$.
QED
</details>
#### Theorem If inverting RSA is hard, then factoring is hard.
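Review bot: the justification line `The second equality follows because for any finite $D$ and bijection $f:D\to D$, sampling $y\in D$ directly is equivalent to sampling $x\gets D$, then computing $y=f(x)$` mixes two notations for the same act (`$y\in D$` versus `$x\gets D$`) and omits the word that makes the claim true: the two distributions coincide only for uniform sampling. Suggest `sampling $y\gets D$ uniformly is equivalent to sampling $x\gets D$ uniformly and setting $y=f(x)$`. Since this step is what lets the RSA assumption (stated for a uniformly chosen $y$) apply to the adversary's actual input, it would also help to name the bijection being used here explicitly as the $f(N,e)$ from the earlier theorem rather than leaving it implicit.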
@@ -82,7 +82,10 @@ The NBT(Next bit test) is complete.
If $\{X_n\}$ on $\{0,1\}^{l(n)}$ passes NBT, then it's pseudorandom.
Ideas of proof: full proof is on the text.
<details>
<summary>Ideas of proof</summary>
Full proof is on the text.
Our idea is that we want to create $H^{l(n)}_n=\{X_n\}$ and $H^0_n=\{U_{l(n)}\}$
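Review bot: `Ideas of proof: full proof is on the text.` becomes a `<details>` block whose first body line is just `Full proof is on the text.`, which repeats the summary and gives the reader no pointer. Replace it with a concrete reference (textbook, theorem or section number) and fix the preposition (`in the text`). The hybrid notation introduced here, `$H^{l(n)}_n=\{X_n\}$ and $H^0_n=\{U_{l(n)}\}$`, puts the hybrid index in the superscript, while the PRF hunk further down writes hybrids as `$H_i$`, `$H_{i+1}$`; pick one convention for the page.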
@@ -119,7 +122,7 @@ $\mathcal{D}$ can distinguish $x_{i+1}$ from a truly random $U_{i+1}$, knowing t
So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT)
QED
</details>
## Pseudorandom Generator
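Review bot: the closing step, `So $\mathcal{D}$ can predict $x_{i+1}$ from $x_1\dots x_i$ (contradicting with that $X$ passes NBT)`, jumps from a distinguisher to a predictor without saying how the predictor uses $\mathcal{D}$; that reduction is the whole content of the theorem, so even an ideas-only proof should spend one sentence on it. Grammar: `contradicting with that $X$ passes NBT` should read `contradicting the assumption that $\{X_n\}$ passes NBT`, and the distribution should be named as in the hunk above (`$\{X_n\}$`, not `$X$`). The blank line between `</details>` and `## Pseudorandom Generator` is required for GFM to close the HTML block before the heading; keep it.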
@@ -115,7 +115,8 @@ $$
#### Theorem PRG exists then PRF family exists.
Proof:
<details>
<summary>Proof</summary>
Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.
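Review bot: the heading `#### Theorem PRG exists then PRF family exists.` is missing its conditional; write `#### Theorem If a PRG exists, then a PRF family exists.` to match `#### Theorem If inverting RSA is hard, then factoring is hard.` in the earlier hunk. The proof then opens with `Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.`, a length-doubling generator, while the hypothesis only grants some PRG; add a clause noting that a PRG with any expansion can be stretched to output $2n$ bits, or restate the theorem for length-doubling PRGs, so that the hypothesis and the first proof line agree.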
@@ -184,6 +185,6 @@ Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probab
By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.
For $H_0$,
For $H_0$, $D$ distinguishes $H_0$ and $H_1$ with non-negligible probability.
QED
</details>
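Review bot: the replacement line `For $H_0$, $D$ distinguishes $H_0$ and $H_1$ with non-negligible probability.` contradicts the sentence just above it, `By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.`: the hybrid argument only yields some index $i$, not $i=0$. Either carry the argument through for a general $i$ (show how distinguishing $H_i$ from $H_{i+1}$ breaks the PRG $g$) or state why the $i=0$ case suffices; as written, the step from the existence of $i$ to `QED` is missing. Replacing the truncated `For $H_0$,` is right, but the replacement should contain the reduction rather than restate the claim.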
@@ -88,7 +88,8 @@ $$
is a strong one-way function.
Proof:
<details>
<summary>Proof</summary>
1. Since $\exist P.P.T.$ that computes $f(x),\forall x$ we use this $q(n)$ polynomial times to compute $g$.
2. (Idea) $a$ has to succeed in inverting $f$ all $q(n)$ times.
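Review bot: item 1 of the new list, `Since $\exist P.P.T.$ that computes $f(x),\forall x$ we use this $q(n)$ polynomial times to compute $g$.`, has two problems: `\exist` is not standard LaTeX (only some renderers accept it as an alias of `\exists`), and the sentence lacks its noun; suggest `Since there exists a P.P.T. algorithm that computes $f(x)$ for all $x$, running it $q(n)$ times (polynomially many) computes $g$.` Item 2, `(Idea) $a$ has to succeed in inverting $f$ all $q(n)$ times.`, uses the adversary $a$ before defining it; say that $a$ is an arbitrary P.P.T. inverter for $g$ first. The bare `Proof:` line above the new `<details>` should go, as in the other hunks, so the summary is not duplicated.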
@@ -98,7 +99,7 @@ Proof:
Then $P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times. $<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}=e^{-n}$ which is negligible function.
QED
</details>
_we can always force the adversary to invert the weak one-way function for polynomial time to reach the property of strong one-way function_
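Review bot: the bound in `Then $P[a$ inverting $g]\sim P[a$ inverts $f$ all $q(n)]$ times. $<(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)})^{np(n)}=e^{-n}$` needs several fixes. The word `times.` falls outside the math and `$\sim$` is not a relation the argument can use; write $\Pr[a \text{ inverts } g] = \Pr[a \text{ inverts } f \text{ all } q(n) \text{ times}] \le \dots$. The equality `$(1-\frac{1}{p(n)})^{q(n)}=(1-\frac{1}{p(n)})^{np(n)}$` uses $q(n)=n\,p(n)$, which is stated nowhere in this hunk; define $q(n)$ where $g$ is defined. The product bound itself treats the $q(n)$ inversions as independent events, which is exactly the part labelled `(Idea)` above, so say that this is the intuition and that the full proof needs more. The inequality `$(1-\frac{1}{p(n)})^{np(n)}<(e^{-\frac{1}{p(n)}})^{np(n)}$` rests on $1-x\le e^{-x}$; cite it. `which is negligible function` needs an article, and the trailing italic note `_we can always force the adversary to invert the weak one-way function for polynomial time ..._` reads better as `polynomially many times`.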