Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

Published byKeagan Wintle Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold."— Presentation transcript:

1 1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold

2 2 Pseudorandom Generators (PRG) [BM82, Yao82] Eff. computable function G:{0,1} n ! {0,1} n’ Increases Length ( n’ > n ) Output is computationally indistinguishable from random. G(U n ) w C U n’ Central in cryptography, implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and … x G(x)

3 3 Def: f:{0,1} n ! {0,1} n is a one-way function (OWF) if 1. Efficiently computable 2. Hard to invert: for any PPT A Pr x à Un [A(f(x),1 n ) 2 f -1 (f(x))] = neg(n) If f is also a permutation on {0,1} n, then it is a one-way permutation (OWP). One-way permutations [BM82,Yao82]. Regular one-way functions [GKL88]. Any one-way function [HILL89]. PRG Based on General Hardness Assumptions O(n 8 ) O(n) O(n 3 ) Input Blowup: The input length of the resulting PRG grows compared to the underlying OWF. Central to the security of the construction. denote the input length of the OWF by n f:{0,1} n ! {0,1} n is regular if all images have the same preimage size for any x 2 {0,1} n it holds that |f -1 (f(x))| =  n.

4 4 Example: We trust a OWF to be secure only for 100 bit inputs. [BMY] is insecure for seed < 100 bits. [HILL] is insecure for seed < 10 16 bits! Goal: Reduce input length blowup. [Holenstein 06] One-way function with exponential hardness ( 2 -Cn for some C>0 ) O(n 5 ) Def: f:{0,1} n ! {0,1} n is a one-way function (OWF) if: 1. Efficiently computable 2. Hard to invert: for any PPT A Pr x à Un [A(f(x),1 n ) 2 f -1 (f(x))] = neg(n) Def: f:{0,1} n ! {0,1} n is an exponentially hard one-way function if: 1. Efficiently computable 2. Hard to invert: for any PPT A Pr x à Un [A(f(x),1 n ) 2 f -1 (f(x))] < 2 -Cn for some constant C> 0

5 5 Our Results O(n 7 ) Any OWF [HHR05] O(n 2 ) Exponentially Hard OWF This work O(n 5 ) Exponentially Hard OWF [Holens06] O(n 8 ) Any OWF [HILL89] O(n log n) Regular OWF [HHR05] O(n 3 ) Regular OWF [GKL88] n +o(n) One-way Permutations [BM82][Y82] Seed lengthRestrictionPaper

6 6 PRG from exponentially hard OWF [Holenstein 06] is a generalization of [HILL] that takes into account the hardness 2 -Φn  Seed length is a function Φ, with optimal results when Φ is a constant C. Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs.  Works only for Φ> Ω (1/log n)

7 7 Plan of the talk: Motivation - The BMY generator. The Randomized Iterate. A PRG from regular OWFs. The randomized iterate of a general OWF. The construction for exponentially hard OWFs.

8 8 The BMY PRG G(x) = Hardcore-predicate of f : given f(x) it is hard to predict b(x). b(x)b(f 1 ( x)) b(f 2 (x))b(f n (x)) … Claim: G is a PRG. x f f(x) ff f 2 (x)f n (x) … f n+1 (x) f OWP f:{0,1} n ! {0,1} n

9 9 One-Way on Iterates: [Levin]: If 8 k it is hard to invert f k Then b(x),b(f(x)),…,b(f m (x)) is pseudorandom. given z = f k (x) it is hard to find y such that f(y) = z

10 10 Applying BMY to any OWF When f is any OWF, inverting f i might be easy (even when f is regular). Example: Easy inputs ff

11 11 f 0 (x) f 0 (x, h ) Idea: use “randomization steps” between the iterations of f to prevent the convergence of the outputs into easy instances. The Randomized Iterate [GKL],[HHR]: The Randomized Iterate G(x, h ) = b(f 0 (x, h )),...,b(f n (x, h )),h 1,...,h n h1h1 f x f f 1 (x, h ) … h2h2 f f 2 (x, h ) h3h3 f h = (h 1,...,h n ) random pairwise independent hash functions H is a family of pairwise independent hash functions from {0,1} n ! {0,1} n if 8 x 1  x 2 and a random h 2H (h(x 1 ),h(x 2 )) is uniform over {0,1} 2n.  Use H where description of h is of length O(n).

12 12 Lemma [HHR]: (Last randomized iteration is hard to invert) Let f be a regular OWF and H be family of pairwise independent hash functions, then no PPT can invert f k given h 1,...,h k. Corollary: Let f be a regular OWF and H be family of pairwise independent hash functions, then G(x, h ) = b(f 0 (x, h )),b(f 1 (x, h )),…,b(f n (x, h )), h is a PRG.

13 13 Randomized Iterate of general OWF Can we apply the construction to any OWF?  No, security deteriorates with every iteration. Lemma: It is hard to invert f k (given h ) over a set of density at least 1/k. (x, h ) ! f 0 (x, h ), f 1 (x, h ), …, f k (x, h ) f k is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence. By Symmetry happens with probability ¸ 1/k. Note: for regular functions always true…

14 14 b b1b1 f k (x, h )f k+1 (x, h ) f k (x 1, h 1 )f k+1 (x 1, h 1 ) With probability 1/k the bit b is pseudorandom when given f k+1 (x, h ) and h. Idea: repeat m independent times Use a randomness extractor to get O (m/k) pseudorandom bits f k (x 2, h 2 )f k+1 (x 2, h 2 ) b2b2 f k (x 3, h 3 )f k+1 (x 3, h 3 ) b3b3 f k (x m, h m )f k+1 (x m, h m ) bmbm Pseudoentropy source: at least m/k of the bits are pseudorandom given f k+1 and h Ext m/2k bits

15 15 random output pseudorandom output high entropy distribution high pseudoentropy distribution Randomness Extractors [NZ93] Extract randomness from distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the seed is known. Extractor seed Uniform extraction Lemma: an analogues result for pseudoentropy, appears implicitly in [HILL] New proof of the uniform extraction Lemma given in [Holens06] & [HHR05].  Based on the uniform hardcore set proof of Holenstein (FOCS 2005).

16 16 We can extract m/2k pseudorandom bits at each iteration. Total pseudorandom bits: ∑ k (m/2k) ¼ m/2 log t For the generator to stretch this should be more than the mn bits of x 1,…,x m t>2 n is too large !!!  x1,h1x1,h1 x2,h2x2,h2 x3,h3x3,h3 x4,h4x4,h4 xm,hmxm,hm    m/4m/6m/8m/10m/12 t

17 17 Exponential hardness Theorem [GL89]: if a one-way function f has hardness 2 -Cn then it has O(Cn) hard-core bits. We can take out more pseudorandom bits at every iteration!

18 18 We extract C’mn/k pseudorandom bits at the k th iteration. Total number of pseudorandom bits: ∑ k (C’nm/k) ¼ C’mn log t Take t to be a constant such that ∑ k (1/k) > C’ Total seed length is O(tmn) bits (description size of the hash functions).  Take m=n, the seed length becomes O(n 2 ). x1,h1x1,h1 x2,h2x2,h2 x3,h3x3,h3 x4,h4x4,h4 xm,hmxm,hm    t  mn/4mn/6mn/8mn/10mn/12

19 19 Questions and Further Issues Holenstein achieves seed O(n 4 log 2 n) if the resulting PRG need only have standard hardness (super- polynomial). Accordingly, we get O(n log 2 n) in such a case. Can such methods work for general OWFs? Could work if the deterioration in security in each iteration where somehow limited. Other applications of exponentially hard OWFs? Recent results of [GI06],[HR06].

Download ppt "1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold."

Similar presentations

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.

Tight Bounds for Distributed Functional Monitoring David Woodruff IBM Almaden Qin Zhang Aarhus University MADALGO Based on a paper in STOC, 2012.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 1 23 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Lower Bounds for Local Search by Quantum Arguments Scott Aaronson.

Lower Bounds for Local Search by Quantum Arguments Scott Aaronson.
Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.

Subspace Embeddings for the L1 norm with Applications Christian Sohler David Woodruff TU Dortmund IBM Almaden.
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
0 - 0.

0 - 0.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
Addition Facts 1 - 20.

Addition Facts
On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols Iftach Haitner, Alon Rosen and Ronen Shaltiel 1.
An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Pseudorandom Generators for Polynomial Threshold Functions 1 Raghu Meka UT Austin (joint work with David Zuckerman)

Pseudorandom Generators for Polynomial Threshold Functions 1 Raghu Meka UT Austin (joint work with David Zuckerman)
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University
Sep 16, 2013 Lirong Xia Computational social choice The easy-to-compute axiom.

Sep 16, 2013 Lirong Xia Computational social choice The easy-to-compute axiom.
Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.

Randomness Extractors: Motivation, Applications and Constructions Ronen Shaltiel University of Haifa.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.

Computational Analogues of Entropy Boaz Barak Ronen Shaltiel Avi Wigderson.
Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.

Foundations of Cryptography Lecture 7 Lecturer:Danny Harnik.
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
How to get more mileage from randomness extractors Ronen Shaltiel University of Haifa.

How to get more mileage from randomness extractors Ronen Shaltiel University of Haifa.

Similar presentations

Ads by Google