Hardcore predicate

From CRYPTUTOR

A hardcore predicate (or hardcore bit) of a one-way function $f$ is a boolean predicate that is easy to compute given $x$ , but hard to compute given $f (x)$ .

[edit]

Definition

Let $f$ be a one-way function, and $B$ be a boolean predicate. $B$ is a hardcore predicate of $f$ if:

Efficiently computable: $B (x)$ can be computed in polynomial time in $| x |$ .
Hard to guess given $f (x)$ : For all non-uniform PPT (polynomial in the security parameter $k$ ) adversaries $A$ , the advantage of $A$ in the following experiment is negligible in $k$ :

Hardcore Predicate Guessing Experiment:

We choose a random $x \gets \{0,1\}^k$ .
We compute $z = f (x)$ and give it to the adversary $A$ .
$A$ outputs a bit $b$ (a guess for $B (x)$ ).
We say that the advantage of $A$ in this experiment is $\Pr[ B(x) = b ] - \frac12$ .

Another interpretation of the second requirement is that $B (x)$ is pseudorandom given $f (x)$ .

[edit]

Existence

Any one-way function can be slightly modified to give another one-way function that has a hardcore predicate, using the Goldreich-Levin construction.

[edit]

Hardcore functions

Instead of a single bit, we can also consider longer functions of $x$ which are hard to guess given $f (x)$ . For such a function $H:\{0,1\}^k\rightarrow\{0,1\}^t$ , we modify the hardcore experiment in the following way:

Hardcore Function Experiment:
As before, given $f (x)$ for a random $x$ , the adversary tries to guess a value $h$ for $H (x)$ . We say that the advantage of $A$ in this experiment is $\Pr[ H(x) = h ] - \frac{1}{2^t}$ .

A function $H$ is called a hardcore function of $f$ if for all adversaries $A$ , the advantage of $A$ in the above experiment is negligible.

Using a longer hardcore function can often improve the efficiency in constructions that use hardcore bits, such as the construction of a PRG from a OWP.

Retrieved from "http://crypto.cs.uiuc.edu/wiki/index.php/Hardcore_predicate"

Category: Standard primitives