
$J_n^{+1} := \left\{ x \in \mathbb{Z}_n^* \;\middle|\; \left(\frac{x}{n}\right) = +1 \right\}$

be the elements with Jacobi symbol +1. $QR_n$ is a proper subset of $J_n^{+1}$. Consider the functions

$$PQR_n : J_n^{+1} \longrightarrow \{0,1\}, \quad PQR_n(x) := \begin{cases} 1 & \text{if } x \in QR_n, \\ 0 & \text{otherwise.} \end{cases}$$

The family $PQR := (PQR_n)_{n \in I}$ is called the quadratic residuosity family. It is believed that there is no efficient algorithm which, without knowing the factors of $n$, is able to decide whether $x \in J_n^{+1}$ is a quadratic residue. We make this precise in the following assumption.

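Definition 6.11. Let $I_k := \{n \in I \mid n = pq, |p| = |q| = k\}$, with $k \in \mathbb{N}$, and let $Q(X) \in \mathbb{Z}[X]$ be a positive polynomial. Let $A(n, x)$ be a probabilistic polynomial algorithm. Then there exists a $k_0 \in \mathbb{N}$, such that

$$\mathrm{prob}\left(A(n, x) = PQR_n(x) : n \stackrel{u}{\leftarrow} I_k,\; x \stackrel{u}{\leftarrow} J_n^{+1}\right) \le \frac{1}{2} + \frac{1}{Q(k)} \quad \text{for } k \ge k_0.$$

This is called the quadratic residuosity assumption.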

Remark. The assumption states that there is not a significant chance of computing the predicate $PQR_n$ if the factors of $n$ are secret. It differs a little from the previous assumptions: the adversary algorithm $A$ now has to compute a predicate. Since exactly half of the elements in $J_n^{+1}$ are quadratic residues (see Proposition A.65), $A$ can always predict the correct value with probability 1/2, simply by tossing a coin. However, her probability of success is at most negligibly more than 1/2.
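The gap between the Jacobi symbol and quadratic residuosity, as an added example that is not taken from the book: `jacobi` needs only $n$, whereas `pqr_with_factors` decides $PQR_n$ using the secret primes. The function names and the toy modulus $n = 7 \cdot 11$ are assumptions chosen for illustration.

```python
from math import gcd

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed without factoring n."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:              # (2/n) = -1 iff n = 3 or 5 mod 8
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                    # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def pqr_with_factors(x, p, q):
    """PQR_n(x) for n = pq via Euler's criterion modulo each secret prime."""
    return int(pow(x, (p - 1) // 2, p) == 1 and pow(x, (q - 1) // 2, q) == 1)

def census(p, q):
    """Enumerate a toy modulus: |Z_n^*|, |J_n^{+1}|, |QR_n|, and whether the
    factor-based predicate matches the brute-force set of squares."""
    n = p * q
    units = [x for x in range(1, n) if gcd(x, n) == 1]
    j_plus = [x for x in units if jacobi(x, n) == 1]
    squares = {x * x % n for x in units}
    agrees = all(pqr_with_factors(x, p, q) == (x in squares) for x in j_plus)
    return len(units), len(j_plus), len(squares), agrees

if __name__ == "__main__":
    # Constructed toy parameters: n = 77.
    print(census(7, 11))
    # 6 has Jacobi symbol +1 but is a non-residue modulo both 7 and 11.
    print(jacobi(6, 77), pqr_with_factors(6, 7, 11))
```

For $n = 77$ exactly half of $J_n^{+1}$ consists of squares, so the Jacobi symbol alone gives no advantage over the coin toss mentioned in the remark.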

Remark. The factoring assumption follows from the RSA assumption and also from the quadratic residuosity assumption. Hence, each of these two assumptions is stronger than the factoring assumption.

6.7 Formal Definition of One-Way Functions

As our examples show, one-way functions actually are families of functions. We give a formal definition of such families.

Definition 6.12. Let $I = (I_k)_{k \in \mathbb{N}}$ be a key set with security parameter $k$. Let $K$ be a probabilistic polynomial sampling algorithm for $I$, which on input $1^k$ outputs $i \in I_k$. A family

$$f = (f_i : D_i \longrightarrow R_i)_{i \in I}$$

of functions between finite sets $D_i$ and $R_i$ is a family of one-way functions (or, for short, a one-way function) with key generator $K$ if and only if:

1. $f$ can be computed by a Monte Carlo algorithm $F(i, x)$.

2. There is a uniform sampling algorithm $S$ for $D := (D_i)_{i \in I}$, which on input $i \in I$ outputs $x \in D_i$.

3. $f$ is not invertible by any efficient algorithm if the keys are generated by $K$. More precisely, for every positive polynomial $Q \in \mathbb{Z}[X]$ and every probabilistic polynomial algorithm $A(i, y)$ ($i \in I$, $y \in R_i$), there is a $k_0 \in \mathbb{N}$, such that for all $k \ge k_0$

$$\mathrm{prob}\left(f_i(A(i, f_i(x))) = f_i(x) : i \leftarrow K(1^k),\; x \stackrel{u}{\leftarrow} D_i\right) \le \frac{1}{Q(k)}.$$

If $K$ is a uniform sampling algorithm for $I$, then we call $f$ a family of one-way functions (or a one-way function), without explicitly referring to a key generator.

If $f_i$ is bijective for all $i \in I$, then $f$ is called a bijective one-way function, and if, in addition, the domain $D_i$ coincides with the range $R_i$ for all $i$, we call $f$ a family of one-way permutations (or simply a one-way permutation).

Examples: The examples studied earlier in this chapter are families of one-way functions, provided Assumptions 6.1, 6.7 and 6.9 are true:

1. Discrete exponential function.

2. Modular powers.

3. Modular squaring.

Our considerations on the “random generation of the key” above (Propositions 6.6 and 6.8, 6.10) show that there are uniform key generators for these families. There are uniform sampling algorithms $S$ for the domains $\mathbb{Z}_{p-1}$ and $\mathbb{Z}_n^*$, as we have seen in the examples after Lemma 6.5. Squaring a uniformly selected $x \in \mathbb{Z}_n^*$, $x \mapsto x^2$, we get a uniform sampling algorithm for the domains $QR_n$ of the Square family.

Modular powers is a one-way permutation, as well as the modular squaring function Square. The discrete exponential function is a bijective one-way function.

Remarks:

1. Selecting an index $i$, for example, to use $f_i$ as an encryption function, is equivalent to choosing a public key. Recall from Definition 6.2 that for $i \in I_k$, the security parameter $k$ is a measure of the key length in bits.

2. Condition 3 means that pre-images of $y := f_i(x)$ cannot be computed in polynomial time if $x$ is randomly and uniformly chosen from the domain (all inputs have the same probability), or equivalently, if $y$ is random with respect to the image distribution induced by $f$. $f$ is only called a one-way function if the random and uniform choice of elements in the domain can be accomplished by a probabilistic algorithm in polynomial time (condition 2).


functions, where the inputs $x \in D_i$ are generated by any probabilistic polynomial – not necessarily uniform – sampling algorithm $S$ (see, e.g., [Goldreich01]). The distribution $x \stackrel{u}{\leftarrow} D_i$ is replaced by $x \leftarrow S(i)$. In this book, we consider only families of one-way functions with uniformly distributed inputs. The keys generated by the key generator $K$ may be distributed in a non-uniform way.

3. The definition can be easily extended to formally define families of trapdoor functions (or, for short, trapdoor functions). We only sketch this definition. A bijective one-way function $f = (f_i)_{i \in I}$ is a trapdoor function if the inverse family $f^{-1} := (f_i^{-1})_{i \in I}$ can be computed by a Monte Carlo algorithm $F^{-1}(i, t_i, y)$, which takes as inputs the (public) key $i$, the (secret) trapdoor information $t_i$ for $f_i$ and a function value $y := f_i(x)$. It is required that the key generator $K$ generates the trapdoor information $t_i$ along with $i$.

The RSA and the Square families are examples of trapdoor functions (see above).

4. The probability of success of the adversary $A$ in the “one-way condition” (condition 3) is taken over the random choice of a key of a given security parameter $k$. It says that over all possibly generated keys, $A$ has on average only a small probability of success. An adversary $A$ usually knows the public key $i$ when performing her attack. Thus, in a concrete attack the probability of success is given by the conditional probability assuming a fixed $i$, and this conditional probability might be high even if the average probability is negligibly small, as stated in condition 3. However, according to Proposition 6.3, the probability of such insecure keys is negligibly small. Thus, when randomly generating a key $i$ by $K$, the probability of obtaining one for which $A$ has a significant chance of succeeding is negligibly small (see Proposition 6.3 for a precise statement).

5. Condition 2 implies, in particular, that the binary length of the elements in $D_i$ is bounded by the running time of $S(i)$, and hence is $\le P(|i|)$ if $P$ is a polynomial bound for the running time of $S$.

6. In all our examples, the one-way function can be computed using a deterministic polynomial algorithm. Computable by a Monte Carlo algorithm (see Definition 5.3) means that there is a probabilistic polynomial algorithm $F(i, x)$ with

$$\mathrm{prob}(F(i, x) = f_i(x)) \ge 1 - 2^{-k} \quad (i \in I_k)$$

(see Proposition 5.6 and Exercise 5 in Chapter 5).

7. Families of one-way functions, as defined here, are also called collections of strong one-way functions. They may be considered as a single one-way function $\{0,1\}^* \longrightarrow \{0,1\}^*$, defined on the infinite domain $\{0,1\}^*$ (see [GolBel01]; [Goldreich01]). For the notion of weak one-way functions, see Exercise 3.

The key generator of a one-way function $f$ is not uniquely determined: there are more suitable key generation algorithms (see Proposition 6.14 below). We call them “admissible generators”.

Definition 6.13. Let $f = (f_i : D_i \longrightarrow R_i)_{i \in I}$, $I = (I_k)_{k \in \mathbb{N}}$, be a family of one-way functions with key generator $K$. A probabilistic polynomial algorithm $\tilde{K}$ that on input $1^k$ outputs a key $i \in I_k$ is called an admissible key generator for $f$ if the one-way condition 3 of Definition 6.12 is satisfied for $\tilde{K}$.

Proposition 6.14. Let $f = (f_i : D_i \longrightarrow R_i)_{i \in I}$, $I = (I_k)_{k \in \mathbb{N}}$, be a family of one-way functions with key generator $K$. Let $\tilde{K}$ be a probabilistic polynomial sampling algorithm for $I$, which on input $1^k$ yields $i \in I_k$. Assume that the family of distributions $i \leftarrow \tilde{K}(1^k)$ is polynomially bounded by the family of distributions $i \leftarrow K(1^k)$ (see Definition B.25).

Then $\tilde{K}$ is also an admissible key generator for $f$.

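Proof. This is a consequence of Proposition B.26. Namely, apply Proposition B.26 to $J := \mathbb{N} := \bigcup_{k \in \mathbb{N}} J_k$, $J_k := \{1^k\}$, $X_k := \{(i, x) \mid i \in I_k, x \in D_i\}$ and the probability distributions $(i \leftarrow \tilde{K}(1^k), x \stackrel{u}{\leftarrow} D_i)$ and $(i \leftarrow K(1^k), x \stackrel{u}{\leftarrow} D_i)$, $k \in \mathbb{N}$. The first family of distributions is polynomially bounded by the second. Assume as event $E_k$ that $f_i(A(i, f_i(x))) = f_i(x)$. □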

Example. Let $f = (f_i : D_i \longrightarrow R_i)_{i \in I}$ be a family of one-way functions (with uniform key generation), and let $J \subseteq I$ with $|J_k| \cdot Q(k) \ge |I_k|$, for some polynomial $Q$. Let $\tilde{K}$ be a uniform sampling algorithm for $J$. Then $i \leftarrow \tilde{K}(1^k)$ is polynomially bounded by the uniform distribution $i \stackrel{u}{\leftarrow} I_k$. Thus, $\tilde{K}$ is an admissible key generator for $f$. This fact may be restated as:

$f = (f_i : D_i \longrightarrow R_i)_{i \in J}$ is also a one-way function.

Example. As a special case of the previous example, consider the RSA one-way function (Section 6.4). Take as keys only pairs $(n, e) \in I_k$ (notation as above), with $e$ a prime number in $\mathbb{Z}_{\varphi(n)}^*$. Since the number of primes in $\mathbb{Z}_{\varphi(n)}$ is of the same order as $\varphi(n)/k$ (by the Prime Number Theorem, Theorem A.68), we get an admissible key generator in this way. In other words, the classical RSA assumption (Assumption 6.7) implies an RSA assumption, with $(n, e) \stackrel{u}{\leftarrow} I_k$ replaced by $(n, e) \stackrel{u}{\leftarrow} J_k$, where $J_k := \{(n, e) \in I_k \mid e \text{ prime}\}$.

Example. As already mentioned in Section 6.4, the key generator that first uniformly chooses an $n = pq$ and then, in a second step, uniformly chooses an exponent $e \in \mathbb{Z}_{\varphi(n)}^*$ is an admissible key generator for the RSA one-way function. The distribution given by this generator is polynomially bounded by the uniform distribution.

Similarly, we get an admissible key generator for the discrete exponential function (Section 6.2) if we first uniformly generate a prime $p$ (together with a factorization of $p-1$) and then, for this fixed $p$, repeatedly select $g \stackrel{u}{\leftarrow} \mathbb{Z}_p^*$ until $g$ happens to be a primitive root (see Exercise 1).
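The pieces of Definition 6.12 and of the trapdoor sketch in Remark 3, instantiated for RSA with the two-step key generator just described; this is an added example, not code from the book. The names `K`, `S`, `F`, `F_inv` follow the text, while `one_way_experiment`, `guessing_adversary` and the toy parameter $k = 12$ are assumptions for illustration, and trial division restricts the code to such toy sizes.

```python
import math
import secrets

def is_prime(m):                                 # trial division, toy sizes only
    return m > 1 and all(m % d for d in range(2, math.isqrt(m) + 1))

def random_prime(k):                             # uniform k-bit prime by rejection
    while True:
        p = secrets.randbits(k) | (1 << (k - 1))
        if is_prime(p):
            return p

def K(k):
    """Two-step generator: uniform n = pq, then uniform e in Z*_phi(n); returns (i, t_i)."""
    p = q = random_prime(k)
    while q == p:
        q = random_prime(k)
    n, phi = p * q, (p - 1) * (q - 1)
    while True:
        e = 1 + secrets.randbelow(phi - 1)       # candidate in 1..phi-1
        if math.gcd(e, phi) == 1:
            return (n, e), pow(e, -1, phi)       # public key i, trapdoor t_i = d

def S(i):
    """Uniform sampling algorithm for the domain D_i = Z*_n."""
    n, _ = i
    while True:
        x = 1 + secrets.randbelow(n - 1)
        if math.gcd(x, n) == 1:
            return x

def F(i, x):
    return pow(x, i[1], i[0])                    # f_i(x) = x^e mod n

def F_inv(i, t, y):
    return pow(y, t, i[0])                       # requires the trapdoor t_i

def one_way_experiment(A, k, trials):
    """Estimate prob(f_i(A(i, f_i(x))) = f_i(x) : i <- K(1^k), x <-u D_i)."""
    wins = 0
    for _ in range(trials):
        i, _trapdoor = K(k)                      # A never sees the trapdoor
        y = F(i, S(i))
        wins += F(i, A(i, y)) == y
    return wins / trials

def guessing_adversary(i, y):
    return S(i)                                  # ignores y, guesses a pre-image
```

The success rate returned by `one_way_experiment` is the average over freshly generated keys that Remark 4 describes, not the conditional probability for one fixed key.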
