Published by Keagan Wintle. Modified over 2 years ago.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions
Iftach Haitner, Danny Harnik, Omer Reingold

2 Pseudorandom Generators (PRG) [BM82, Yao82]
An efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$.
Increases length ($n' > n$).
Output is computationally indistinguishable from random: $G(U_n) \approx_C U_{n'}$.
Central in cryptography: implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and …
[Diagram: $x \to G(x)$]

3 PRG Based on General Hardness Assumptions
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x), 1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$.
If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: for any $x \in \{0,1\}^n$ it holds that $|f^{-1}(f(x))| = n$.
Input blowup: the input length of the resulting PRG grows compared to the underlying OWF. Central to the security of the construction. Denote the input length of the OWF by $n$.
One-way permutations [BM82, Yao82]: $O(n)$.
Regular one-way functions [GKL88]: $O(n^3)$.
Any one-way function [HILL89]: $O(n^8)$.

4 Example: We trust an OWF to be secure only for 100-bit inputs. [BMY] is insecure for seed < 100 bits. [HILL] is insecure for seed < $10^{16}$ bits!
Goal: Reduce input length blowup.
[Holenstein 06]: one-way function with exponential hardness ($2^{-Cn}$ for some $C > 0$): $O(n^5)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x), 1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x), 1^n) \in f^{-1}(f(x))] < 2^{-Cn}$ for some constant $C > 0$.

5 Our Results

| Seed length | Restriction | Paper |
|---|---|---|
| $O(n^7)$ | Any OWF | [HHR05] |
| $O(n^2)$ | Exponentially Hard OWF | This work |
| $O(n^5)$ | Exponentially Hard OWF | [Holens06] |
| $O(n^8)$ | Any OWF | [HILL89] |
| $O(n \log n)$ | Regular OWF | [HHR05] |
| $O(n^3)$ | Regular OWF | [GKL88] |
| $n + o(n)$ | One-way Permutations | [BM82][Y82] |

6 PRG from exponentially hard OWF
[Holenstein 06] is a generalization of [HILL] that takes into account the hardness $2^{-\Phi n}$. Seed length is a function of $\Phi$, with optimal results when $\Phi$ is a constant $C$.
Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs. Works only for $\Phi > \Omega(1/\log n)$.

7 Plan of the talk:
Motivation - The BMY generator.
The Randomized Iterate.
A PRG from regular OWFs.
The randomized iterate of a general OWF.
The construction for exponentially hard OWFs.

8 The BMY PRG
OWP $f:\{0,1\}^n \to \{0,1\}^n$.
Hardcore predicate $b$ of $f$: given $f(x)$ it is hard to predict $b(x)$.
$G(x) = b(x)\, b(f^1(x))\, b(f^2(x)) \dots b(f^n(x))$
Claim: $G$ is a PRG.
[Diagram: $x \to f(x) \to f^2(x) \to \dots \to f^n(x) \to f^{n+1}(x)$, each arrow an application of $f$]

9 One-Way on Iterates: given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$.
[Levin]: If $\forall k$ it is hard to invert $f^k$, then $b(x), b(f(x)), \dots, b(f^m(x))$ is pseudorandom.

10 Applying BMY to any OWF
When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular).
Example: [Figure: two applications of $f$ mapping into a region labelled "Easy inputs"]

11 The Randomized Iterate [GKL],[HHR]
Idea: use “randomization steps” between the iterations of $f$ to prevent the convergence of the outputs into easy instances.
[Diagram: $x \to f \to f^0(x,h) \to h_1 \to f \to f^1(x,h) \to h_2 \to f \to f^2(x,h) \to h_3 \to f \to \dots$]
$G(x,h) = b(f^0(x,h)), \dots, b(f^n(x,h)), h_1, \dots, h_n$
$h = (h_1, \dots, h_n)$: random pairwise independent hash functions.
$H$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if $\forall x_1 \ne x_2$ and a random $h \in H$, $(h(x_1), h(x_2))$ is uniform over $\{0,1\}^{2n}$.
Use $H$ where the description of $h$ is of length $O(n)$.

12 Lemma [HHR]: (Last randomized iteration is hard to invert) Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then no PPT can invert $f^k$ given $h_1, \dots, h_k$.
Corollary: Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \dots, b(f^n(x,h)), h$ is a PRG.
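
The randomized iterate of slides 11 and 12, as an added Python example (not from the presentation or its authors), using the slide's indexing $f^0(x,h) = f(x)$. Assumptions: a toy block size n = 8, SHA-256 truncated to one byte standing in for $f$ (not one-way at this size), the family $h_{a,c}(x) = a \cdot x + c$ over GF($2^8$) as $H$, and a Goldreich-Levin inner product with a public string r as the predicate $b$; the names gf_mul, h_apply, randomized_iterate, G and sample_seed are hypothetical.

```python
import hashlib
import secrets

N = 8         # toy block size in bits (assumption); far too small for security
POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply a and b in GF(2^N) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def h_apply(h, x):
    """h = (a, c) describes h(x) = a*x + c over GF(2^N): 2N bits, i.e. O(n)."""
    return gf_mul(h[0], x) ^ h[1]

def f(x):
    """Stand-in for the OWF: SHA-256 truncated to N bits (not one-way here)."""
    return hashlib.sha256(bytes([x])).digest()[0]

def b(y, r):
    """Goldreich-Levin style predicate: inner product of y and r mod 2."""
    return bin(y & r).count("1") & 1

def randomized_iterate(x, hs):
    """[f^0(x,h), ..., f^k(x,h)] with f^0 = f(x), f^i = f(h_i(f^(i-1)(x,h)))."""
    ys = [f(x)]
    for h in hs:
        ys.append(f(h_apply(h, ys[-1])))
    return ys

def G(x, hs, r):
    """Slide 11's output: b(f^0), ..., b(f^n), then the public h_1..h_n."""
    return [b(y, r) for y in randomized_iterate(x, hs)], list(hs)

def sample_seed(n_iter):
    """Constructed sample seed: x, n_iter hash descriptions and GL string r."""
    rnd = lambda: secrets.randbelow(1 << N)
    return rnd(), [(rnd(), rnd()) for _ in range(n_iter)], rnd()
```

At this size the pairwise independence of the family can be checked exhaustively: for any fixed $x_1 \ne x_2$, the $2^{16}$ choices of (a, c) hit each of the $2^{16}$ output pairs exactly once.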

13 Randomized Iterate of general OWF
Can we apply the construction to any OWF? No, security deteriorates with every iteration.
Lemma: It is hard to invert $f^k$ (given $h$) over a set of density at least $1/k$.
$(x,h) \to f^0(x,h), f^1(x,h), \dots, f^k(x,h)$
$f^k$ is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence. By symmetry this happens with probability $\ge 1/k$.
Note: for regular functions always true…

14 With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,h)$ and $h$.
Idea: repeat $m$ independent times. Use a randomness extractor to get $O(m/k)$ pseudorandom bits.
[Diagram: for $i = 1, \dots, m$, a row $f^k(x_i,h_i) \to f^{k+1}(x_i,h_i)$ with hardcore bit $b_i$; the bits $b_1, \dots, b_m$ feed an extractor Ext that outputs $m/2k$ bits]
Pseudoentropy source: at least $m/k$ of the bits are pseudorandom given $f^{k+1}$ and $h$.

15 Randomness Extractors [NZ93]
Extract randomness from distributions which contain sufficient (min)-entropy.
Use a short seed of truly random bits.
Output is (close to) uniform even when the seed is known.
[Diagram: an Extractor with a seed maps a high entropy distribution to random output, and a high pseudoentropy distribution to pseudorandom output]
Uniform extraction Lemma: an analogous result for pseudoentropy, appears implicitly in [HILL].
New proof of the uniform extraction Lemma given in [Holens06] & [HHR05]. Based on the uniform hardcore set proof of Holenstein (FOCS 2005).

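16 We can extract $m/2k$ pseudorandom bits at each iteration.
Total pseudorandom bits: $\sum_k \frac{m}{2k} \approx \frac{m}{2} \log t$
For the generator to stretch this should be more than the $mn$ bits of $x_1, \dots, x_m$.
$t > 2^n$ is too large!!!
[Diagram: $m$ columns $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \dots, (x_m,h_m)$ iterated $t$ times, with $m/4$, $m/6$, $m/8$, $m/10$, $m/12$ bits extracted at successive iterations]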

17 Exponential hardness
Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $O(Cn)$ hard-core bits.
We can take out more pseudorandom bits at every iteration!

18 We extract $C'mn/k$ pseudorandom bits at the $k$th iteration.
Total number of pseudorandom bits: $\sum_k \frac{C'nm}{k} \approx C'mn \log t$
Take $t$ to be a constant such that $\sum_k (1/k) > C'$.
Total seed length is $O(tmn)$ bits (description size of the hash functions).
Take $m = n$, the seed length becomes $O(n^2)$.
[Diagram: $m$ columns $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \dots, (x_m,h_m)$ iterated $t$ times, with $mn/4$, $mn/6$, $mn/8$, $mn/10$, $mn/12$ bits extracted at successive iterations]

19 Questions and Further Issues
Holenstein achieves seed $O(n^4 \log^2 n)$ if the resulting PRG need only have standard hardness (super-polynomial). Accordingly, we get $O(n \log^2 n)$ in such a case.
Can such methods work for general OWFs? Could work if the deterioration in security in each iteration were somehow limited.
Other applications of exponentially hard OWFs? Recent results of [GI06],[HR06].
