Trance-0/NoteNextra-origin
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

partial update on notes

Browse Source 
remove large base64 image
This commit is contained in:
Zheyuan Wu
2024-11-18 14:56:01 -06:00
parent 5281b8270f
commit 85d274fa22
2 changed files with 72 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
pages/CSE347/CSE347_L7.md
View File

File diff suppressed because one or more lines are too long

70
pages/CSE442T/CSE442T_L20.md
View File

@@ -1 +1,69 @@
# Lecture 20
# Lecture 20
## Construction of CRHF (Compression Resistant Hash Function)
Let $h: \{0, 1\}^{n+1} \to \{0, 1\}^n$ be a CRHF.
Base on the discrete log assumption, we can construct a CRHF $H: \{0, 1\}^{n+1} \to \{0, 1\}^n$ as follows:
$Gen(1^n):(g,p,y)$
$p\in \tilde{\Pi}_n(p=2q+1)$
$g$ generator for group of sequence $\mod p$ (G_q)
$y$ is a random element in $G_q$
$h_{g,p,y}(x,b)=y^bg^x\mod p$, $y^bg^x\mod p \in \{0,1\}^n$
$g^x\mod p$ if $b=0$, $y\cdot g^x\mod p$ if $b=1$.
Under the discrete log assumption, $H$ is a CRHF.
- It is easy to sample $(g,p,y)$
- It is easy to compute
- Compressing by 1 bit
Proof it is a CRHF:
Suppose there exists an adversary $\mathcal{A}$ that can break $h$ with non-negligible probability $\mu$.
$$
P[(p,g,y)\gets Gen(1^n);(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y):y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p\land (x_1,b_1)\neq (x_2,b_2)]=\mu(n)>\frac{1}{p(n)}
$$
Where $y^{b_1}g^{x_1}=y^{b_2}g^{x_2}\mod p$ is the collision of $H$.
Suppose $b_1=b_2$.
Then $y^{b_1}g^{x_1}\equiv y^{b_2}g^{x_2}\mod p$ implies $g^{x_1}\equiv g^{x_2}\mod p$.
So $x_1=x_2$ and $(x_1,b_1)=(x_2,b_2)$.
So $b_1\neq b_2$, Without loss of generality, say $b_1=1$ and $b_2=0$.
$y\cdot g^{x_1}\equiv g^{x_2}\mod p$ implies $y\equiv g^{x_2-x_1}\mod p$.
We can create a adversary $\mathcal{B}$ that can break the discrete log assumption with non-negligible probability $\mu(n)$ using $\mathcal{A}$.
Let $g,p$ be chosen and set random $x$ such that $y=g^x\mod p$.
Let the algorithm $\mathcal{B}$ defined as follows:
```pseudocode
function B(p,g,y):
(x_1,b_1),(x_2,b_2)\gets \mathcal{A}(p,g,y)
If (x_1,1) and (x_2,0) and there is a collision:
y=g^{x_2-x_1}\mod p
return x_2-x_1 for b=1
Else:
return "Failed"
```
$$
P[B\text{ succeeds}]\geq P[A\text{ succeeds}]-\frac{1}{p(n)}>\frac{1}{p(n)}
$$
So $\mathcal{B}$ can break the discrete log assumption with non-negligible probability $\mu(n)$, which contradicts the discrete log assumption.
So $h$ is a CRHF.