[...]... introduce the reader to the theoretical foundations of cryptography As argued above, such foundations are necessary for sound practice of cryptography Indeed, practice requires more than theoretical foundations, whereas the current primer makes no attempt to provide anything beyond the latter However, given a sound foundation, one can learn and evaluate various practical suggestions that appear elsewhere... manifest a gap between the ease of one task and the difficulty of a related one) 13 14 Computational Difficulty and One-way Functions easy x f(x) HARD Fig 2.1 One-way functions – an illustration 2.1 One-way functions One-way functions are functions that are efficiently computable but infeasible to invert (in an average-case sense) That is, a function f : {0, 1}∗ → {0, 1}∗ is called one-way if there is an... the latter is a collection of one-way permutations augmented with an efficient algorithm that allows for inverting the permutation when given adequate auxiliary information (called a trapdoor) Definition 2.3 (trapdoor permutations): A collection of permutations as in Definition 2.2 is called a trapdoor permutation if there are two auxiliary probabilistic polynomial-time algorithms I and F −1 such that (1)... This partial information can be considered as a “hard core” of the difficulty of inverting f Loosely speaking, a polynomial-time computable (Boolean) predicate b, is called a hard-core of a function f if no feasible algorithm, given f (x), can guess b(x) with success probability that is non-negligibly better than one half Definition 2.4 (hard-core predicates (31)): A polynomial-time computable predicate... task This means that we do not only know (or assume) that the new task is solvable but we also have a solution based on a primitive that, being well-known, typically has several candidate implementations Prerequisites and structure Our aim is to present the basic concepts, techniques and results in cryptography As stated above, our emphasis is on the clarification of fundamental concepts and the relationship... correctly on three quarters of the pairs (f (x), r), and always err on the remaining quarter) What is required is an alternative way of using the algorithm B, a way that does not double the original error probability of B The key idea is to generate the r’s in a way that allows to apply algorithm B only once per each r (and i), instead of twice Specifically, we will use algorithm B to obtain a “guess” for... violating its weak one-wayness) to the task of “weakly inverting” F (i.e., violating its strong one-wayness) We hint that, on input y = f (x), the reduction 18 Computational Difficulty and One-way Functions invokes the F -inverter (polynomially) many times, each time feeding it with a sequence of random f -images that contains y at a random location (Indeed such a sequence corresponds to a random image of. .. n) Finally, if b is a hard-core of a 1-1 function f that is polynomial-time computable then f is a one-way function Theorem 2.5 ((72), see simpler proof in (65, Sec 2.5.2)): For any one-way function f , the inner-product mod 2 of x and r is a hard-core of f (x, r) = (f (x), r) The proof is by a so-called “reducibility argument” (which is used to prove all conditional results in the area) Specifically,... analysis of this reduction, presented in (65, Sec 2.3), demonstrates that dealing with computational difficulty is much more involved than the analogous combinatorial question An alternative demonstration of the difficulty of reasoning about computational difficulty (in comparison to an analogous purely probabilistic situation) is provided in the proof of Theorem 2.5 2.2 Hard-core predicates Loosely speaking,... satisfied at all) is to construct a solution based on a better understood assumption (i.e., one that is more common and widely believed) For example, looking at the definition of zero-knowledge proofs, it is not a- priori clear that such proofs exist at all (in a non-trivial sense) The non-triviality of the notion was first demonstrated by presenting a zero-knowledge proof system for statements, regarding Quadratic . reader to the theoretical foundations of cryptography. As argued above, such founda- tions are necessary for sound practice of cryptography. Indeed, practice requires more than theoretical foundations, . speaking, one-way functions are functions that are easy to evaluate but hard (on the average) to invert. Such functions can be thought of as an efficient way of generating “puzzles” that are infeasible to. adversary. Furthermore, the design of cryptographic sys- tems has to be based on firm foundations; whereas ad-hoc approaches and heuristics are a very dangerous way to go. A heuristic may make sense