Pseudorandom Generators with Long Stretch and Low locality ...
Pseudorandom Generators from Regular One-way Functions ...
Transcript of Pseudorandom Generators from Regular One-way Functions ...
Pseudorandom Generators from Regular One-way
Functions: New Constructions with Improved Parameters
Yu Yu
Joint work with Xiangxue Li and Jian Weng
Asiacrypt 2013
One-way Functions
One-way functions are an ensemble of functions
that are
Simplifying notation :
Definition: f is a -one-way function (OWF) if for all
adversaries A of running time t,
Standard OWF:
Folklore: OWFs can be assumed to be length-preserving, i.e., l(n)=n.
( , )t 1
( )Pr [ ( ) ( )]
ny f UA y f y
( ){ :{0,1} {0,1} }n l n
n n Nf
( ):{0,1} {0,1}n l nf
super-poly , neglt
Regular Functions
f is a regular function if for any n the preimage size
α= is fixed (independent of y).
Known-regular function: a regular function f whose regularity α is
polynomial-time computable from security parameter n.
Unknown-regular function: a regular function f whose regularity α is
inefficient to approximate from security parameter n.
Note: one-way permutation is a special known-regular function.
1| ( ) |f y
Pseudorandom Generators
is a -pseudorandom generator (PRG)
with stretch s if for all distinguishers D of running time t, :{0,1} {0,1} ( , )n n sg t
| Pr[ ( ( )) 1] Pr[ ( ) 1] |n n sD g U D U n
n super-poly , negl, U is uniform distribution over {0,1}t
Distinguisher D
Entropies, computational and statistical distance
Leftover Hash Lemma
Informally: universal hash functions are good randomness extractors
Unpredictability Pseudoentropy (UP)
Goldreich-Levin Theorem
A Key Oberservation about Unpredictability Pseudoentropy
Unpredictability Pseudoentropy (UP) : X has m bits of UP
given f(X) for t-time adversaries if every A of running time t
wins the following game with probability no greater than 2-m
Question: what’s the UP of X given f(X) if f is a - regular
OWF with ?
Observation: X given f(X) has bits of UP.
Rationale:
Challenger C Adversary A
; : ( )x X y f x y
' ( )x A y'x wins iff 'A x x
( , )t 1| ( ) | 2kf y
log(1/ )k
1Pr[ ( ( )) ( ( ))]A f X f f X Pr[ ( ( )) ] 2 kA f X X
The FIRST CONSTRUCTION
(from known-regular OWF)
g (X, h1, h2, hc) =(h1(f(X1)), h2(X1), hc(X1), h1, h2, hc)
A complicated proof by Goldreich in Section 3.5.2 of
PRGs from Known-Regular OWFs by
three extractions (a three-line proof)
Assumption: f is -one-way and 2k-regular, i.e.
Construction and Proof.
1. extract ( ) bits using h1
2. extract k bits using h2
3. chain rule:
extract bits using hard-core function hc
This completes the proof for the folklore construction, i.e.
g (X, h1, h2, hc) =(h1(f(X1)), h2(X1), hc(X1), h1, h2, hc) is a PRG.
Parameters: seed length linear in n, and a single call to f .
( , )t 1| ( ) | 2kf y
H ( ( ))f X n k n k
H ( | ( ))X f X k
upH ( | ( )) log(1/ )t X f X k up 2H ( | ( ), ( )) log(1/ )t X f X h X
(log(1/ ))O
Tightening the security bounds
g (x, h1, h2, hc) =(h1(f(x)), h2(x), hc(x), h1, h2, hc)
The proof for 3rd extraction: consider f ‘(x,h2)=(f(x), h2(x), h2)
A tighter approach (use the tight version of Goldreich-Levin)?
1.
2.
2 2
1/3
2
is -hard to predict given '( , ) , i.e. H ( | '( , )) log(1/ )
by Goldreich-Levin Thm, ( ) is 2 ( ) -close to U given '( , )
t
up
m
c m
x f x h X f X H
h x n f x h
2if ' is an '-hard OWF, then ( ) is (2 ') -close to U given '( , )m
c mf h x f x h 1/5Goldreich show ' ( ) in [Gol01,vol-1]O
We show ' 3 against -time adversariest
2 2 2the idea: show ' is almost 1-to-1, i.e. H ( '( , ) | ) 1f f X H H n
The Second Construction
(NEW, improving the Randomized Iterate)
The Randomized Iterate
Goldreich, Krawczyk and Luby (SICOMP 93) :
PRGs from known regular OWFs with seed length O(n3)
Haitner, Harnik and Reingold (CRYPTO 2006):
PRGs from unknown regular OWFs with seed length O(n ·log n)
f
x1 ( )y f x
h1
1 1 1( )x h yf
2 1( )y f xh2
2 2 2( )x h yf
output ( )ch x 1( )ch x
3 2( )y f x
2( )ch x
h1, h2, … are random pairwise independent hash, hc is hard-core function
Lower bounds by Holenstein and Sinha
(FOCS12)
Asymptotic setting: Any black-box construction of PRG
must make calls to an arbitrary (including
unknown regular) OWF.
Concrete setting : Any black-box construction of PRG must
make calls to an arbitrary (including unknown
regular) -secure OWF.
( / log )n n
( / log(1/ ))n 1( , )
PRGs from unknown-regular OWFs:
a new construction Assumption: f is -one-way and 2k-regular ( k is unknown).
The goal: a PRG construction oblivious of k.
The idea: transform f into a known-regular OWF
1. is also a -one-way function
2. is a 2n-regular function, i.e.
( , )t
define : {0,1}
( , ) ( )
where : "bitwise XOR", ( ), '
n
n n
f
f y r f y r
y f U r U
Y Y
:{0,1} , where {0,1}n nf Y Y
f
f
f
( , )t 1
| ( , ) | 2 regardless of nf y r k
PRGs from unknown-regular OWFs:
a new construction (cont’d) Given a one-way function with known pre-image size 2n
Similarly, has bits of UP given .
We get a special PRG
Done?
No, n bits needed to sample from (i.e. )
stretch :
To make it positive: iterate
In summary: a PRG from unknown regular OWF with linear seed
length (hybrid argument) and OWF calls.
Tight (Holenstein and Sinha, FOCS 2012): BB construction of PRG
requires OWF calls, and calls in general.
: {0,1}nf Y Y( , )f Y R( , )Y R log(1/ )n
(log(1/ )): {0,1} {0,1}n ng Y Y
Y ( )nf U
(log(1/ ))n
g
(log(1/ )) (log(1/ ))
( / log(1/ ))n
( / log(1/ ))n ( / log )n n
Summary PRG from any known-regular :
seed length and to the underlying OWF
PRG from any unknown-regular :
seed length and OWF calls
Question: remove the dependency on ?
Yes, by paying a factor in seed length and number of calls.
Why? Due to the entropy loss of the Leftover Hash Lemma.
Given (without knowing )
Run q= copies of f , extracting 2logn hardcore bits per copy,
followed by a single extraction with entropy loss set to q · logn .
( / log(1/ ))n
(1)
-hard OWF
-hard OWF
( )n
( )n
( )O n
( )O n
OWF
OWF
a single call(1) callsO
( / log ) callsO n n
11-to-1 OWF :{0,1} {0,1}n nf
(1)
Thank you!