TL;DR: In this paper, the problem of transforming a weak one-way function (which may be easily inverted on all but a polynomial fraction of the range) into a strong one-way function, which can be inverted only on a negligible fraction of the range, is considered.
Abstract: The task of transforming a weak one-way function (which may be easily inverted on all but a polynomial fraction of the range) into a strong one-way function (which can be easily inverted only on a negligible fraction of the range) is considered. The previously known transformation does not preserve the security (i.e. the running time of the inverting algorithm) within any polynomial. Its resulting function, F(x), applies the weak one-way function to many small (of length \(|x|^{\theta}\), \(\theta >\)
TL;DR: It is argued that the issue that really arises is what it might mean for a collection of functions to be ``negligible,'' and two such notions are considered, and it is said that any cryptographic primitive has a specific associated ``security level.''
Abstract: In theoretical cryptography, one formalizes the notion of an adversary's success probability being ``too small to matter'' by asking that it be a negligible function of the security parameter. We argue that the issue that really arises is what it might mean for a collection of functions to be ``negligible.'' We consider (and define) two such notions, and prove them equivalent. Roughly, this enables us to say that any cryptographic primitive has a specific associated ``security level.'' In particular we say this for any one-way function. We also reconcile different definitions of negligible error arguments and computational proofs of knowledge that have appeared in the literature. Although the motivation is cryptographic, the main result is purely about negligible functions.
TL;DR: There exist events on the choices of the respective states, occurring each with probability at least 1 − ε, such that the two systems are computationally indistinguishable conditioned on these events, which settles a long-standing open problem due to Luby and Rackoff (STOC '86).
Abstract: We consider the task of amplifying the security of a weak pseudorandom permutation (PRP), called an ε-PRP, for which the computational distinguishing advantage is only guaranteed to be bounded by some (possibly non-negligible) quantity ε < 1. We prove that the cascade (i.e., sequential composition) of m ε-PRPs (with independent keys) is an ((m − (m − 1)ε)ε^m + ν)-PRP, where ν is a negligible function. In the asymptotic setting, this implies security amplification for all ε < 1 − 1/poly, and the result extends to two-sided PRPs, where the inverse of the given permutation is also queried. Furthermore, we show that this result is essentially tight. This settles a long-standing open problem due to Luby and Rackoff (STOC '86).
Our approach relies on the first hardcore lemma for computational indistinguishability of interactive systems: Given two systems whose states do not depend on the interaction, and which no efficient adversary can distinguish with advantage better than ε, we show that there exist events on the choices of the respective states, occurring each with probability at least 1 − ε, such that the two systems are computationally indistinguishable conditioned on these events.
TL;DR: In this article, the authors show that if the discrete log assumption holds, then no polynomially bounded attacker can win this game with non-negligible probability, as long as the leakage on each representation is bounded by approximately \(L \approx (n-2)\log q = (1-\frac{2}{n})\cdot|x|\).
Abstract: Let \(\mathbb{G}\) be a group of prime order q, and let \(g_1,\ldots,g_n\) be random elements of \(\mathbb{G}\). We say that a vector x = \((x_1,\ldots,x_n)\in \mathbb{Z}_q^n\) is a discrete log representation of some element \(y\in\mathbb{G}\) (with respect to \(g_1,\ldots,g_n\)) if \(g_1^{x_1}\cdots g_n^{x_n} = y\). Any element y has many discrete log representations, forming an affine subspace of \(\mathbb{Z}_q^n\). We show that these representations have a nice continuous leakage-resilience property as follows. Assume some attacker \(\mathcal{A}(g_1,\ldots,g_n,y)\) can repeatedly learn L bits of information on arbitrarily many random representations of y. That is, \(\mathcal{A}\) adaptively chooses polynomially many leakage functions \(f_i:\mathbb{Z}_q^n\rightarrow \{0,1\}^L\), and learns the value \(f_i(x_i)\), where \(x_i\) is a fresh and random discrete log representation of y. \(\mathcal{A}\) wins the game if it eventually outputs a valid discrete log representation x* of y. We show that if the discrete log assumption holds in \(\mathbb{G}\), then no polynomially bounded \(\mathcal{A}\) can win this game with non-negligible probability, as long as the leakage on each representation is bounded by \(L\approx (n-2)\log q = (1-\frac{2}{n})\cdot|x|\).
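The abstract above relies on two facts about discrete log representations: every y has many of them, and they form an affine subspace of \(\mathbb{Z}_q^n\). The following added example (not code from the paper) makes both concrete in a toy prime-order subgroup of \(\mathbb{Z}_p^*\). It assumes the challenger chose the bases as \(g_i = g^{a_i}\) and kept the exponents \(a_i\), which is what lets it sample a fresh uniformly random representation of y for each leakage query; all group parameters, seeds and function names are constructed here for illustration.

```python
# Added example (not from any of the papers above): discrete log representations
# of a group element y with respect to bases g_1..g_n, in a toy prime-order
# subgroup of Z_p^*. All parameters are constructed here for illustration.
import random

# Constructed toy parameters: p = 2q + 1 with q prime, so the quadratic residues
# of Z_p^* form a subgroup G of prime order q. These sizes are far too small
# for security; they only make the arithmetic easy to follow.
P = 1019          # prime modulus
Q = 509           # prime order of the subgroup G (P = 2*Q + 1)
G = 4             # 4 = 2^2 is a quadratic residue, hence a generator of G

def sample_bases(n, rng):
    """Pick g_1..g_n as g^{a_i} for random nonzero a_i. The challenger keeps
    the a_i, which is what lets it sample fresh random representations later."""
    exps = [rng.randrange(1, Q) for _ in range(n)]
    return [pow(G, a, P) for a in exps], exps

def evaluate(bases, x):
    """Compute g_1^{x_1} * ... * g_n^{x_n} mod p."""
    y = 1
    for g, xi in zip(bases, x):
        y = y * pow(g, xi, P) % P
    return y

def is_representation(bases, x, y):
    """Check whether x is a discrete log representation of y."""
    return evaluate(bases, x) == y

def random_representation(exps, t, rng):
    """Return a uniformly random x in Z_q^n with sum_i a_i x_i = t (mod q),
    i.e. a fresh random representation of y = g^t. Choose x_1..x_{n-1} freely
    and solve for x_n; this is uniform over the affine hyperplane since a_n != 0."""
    n = len(exps)
    x = [rng.randrange(Q) for _ in range(n - 1)]
    partial = sum(a * xi for a, xi in zip(exps[:-1], x)) % Q
    x_n = (t - partial) * pow(exps[-1], -1, Q) % Q
    return x + [x_n]

def in_kernel(exps, z):
    """True if sum_i a_i z_i = 0 (mod q), i.e. g_1^{z_1} ... g_n^{z_n} = 1.
    The difference of two representations of the same y always lies here,
    which is exactly why the representations form an affine subspace."""
    return sum(a * zi for a, zi in zip(exps, z)) % Q == 0

def demo(n=4, seed=1):
    """Sample two fresh representations of the same y and check the two facts."""
    rng = random.Random(seed)
    bases, exps = sample_bases(n, rng)
    t = rng.randrange(Q)
    y = pow(G, t, P)
    x1 = random_representation(exps, t, rng)
    x2 = random_representation(exps, t, rng)
    diff = [(a - b) % Q for a, b in zip(x1, x2)]
    return {
        "x1_valid": is_representation(bases, x1, y),
        "x2_valid": is_representation(bases, x2, y),
        "distinct": x1 != x2,
        "difference_in_kernel": in_kernel(exps, diff),
        "dimension_of_subspace": n - 1,
    }

if __name__ == "__main__":
    print(demo())
```

The sampler mirrors the leakage game's challenger: because it knows the exponents \(a_i\), producing a fresh representation is a single linear solve in \(\mathbb{Z}_q\), whereas an attacker who only sees the \(g_i\) and y would need to solve discrete logs. The hyperplane has dimension n − 1, so each representation carries about \((n-1)\log q\) bits of entropy, which is the quantity the leakage bound \(L \approx (n-2)\log q\) is measured against.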
TL;DR: This work constructs weakly secure signatures and one-way functions, for which standard hardness amplification results are known to hold, but for which hardness does not amplify beyond just negligible.
Abstract: If we have a problem that is mildly hard, can we create a problem that is significantly harder? A natural approach to hardness amplification is the "direct product"; instead of asking an attacker to solve a single instance of a problem, we ask the attacker to solve several independently generated ones. Interestingly, proving that the direct product amplifies hardness is often highly non-trivial, and in some cases may be false. For example, it is known that the direct product (i.e. "parallel repetition") of general interactive games may not amplify hardness at all. On the other hand, positive results show that the direct product does amplify hardness for many basic primitives such as one-way functions, weakly-verifiable puzzles, and signatures.
Even when positive direct product theorems are shown to hold for some primitive, the parameters are surprisingly weaker than what we may have expected. For example, if we start with a weak one-way function that no poly-time attacker can break with probability > 1/2, then the direct product provably amplifies hardness to some negligible probability. Naturally, we would expect that we can amplify hardness exponentially, all the way to \(2^{-n}\) probability, or at least to some fixed/known negligible such as \(n^{-\log n}\) in the security parameter n, just by taking sufficiently many instances of the weak primitive. Although it is known that such parameters cannot be proven via black-box reductions, they may seem like reasonable conjectures, and, to the best of our knowledge, are widely believed to hold. In fact, a conjecture along these lines was introduced in a survey of Goldreich, Nisan and Wigderson (ECCC '95). In this work, we show that such conjectures are false by providing simple but surprising counterexamples. In particular, we construct weakly secure signatures and one-way functions, for which standard hardness amplification results are known to hold, but for which hardness does not amplify beyond just negligible. That is, for any negligible function ε(n), we instantiate these primitives so that the direct product can always be broken with probability ε(n), no matter how many copies we take.