Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions. Iftach Haitner, Danny Harnik, Omer Reingold.

Presentation transcript:

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold

2 Pseudorandom Generators (PRG) [BM82, Yao82]. An efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$ that increases length ($n' > n$) and whose output is computationally indistinguishable from random: $G(U_n) \approx_C U_{n'}$. Central in cryptography, implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and … [Figure: x → G(x)]

3 PRG Based on General Hardness Assumptions.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$.
If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: for any $x \in \{0,1\}^n$ it holds that $|f^{-1}(f(x))| = \alpha_n$.
Seed lengths (denote the input length of the OWF by $n$): One-way permutations [BM82, Yao82]: $O(n)$. Regular one-way functions [GKL88]: $O(n^3)$. Any one-way function [HILL89]: $O(n^8)$.
Input Blowup: The input length of the resulting PRG grows compared to the underlying OWF. Central to the security of the construction.

4 Example: We trust a OWF to be secure only for 100 bit inputs. [BMY] is insecure for seed < 100 bits. [HILL] is insecure for seed < bits! Goal: Reduce input length blowup. [Holenstein 06]: one-way function with exponential hardness ($2^{-Cn}$ for some $C>0$), seed length $O(n^5)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if: 1. Efficiently computable. 2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] < 2^{-Cn}$ for some constant $C > 0$.

5 Our Results

| Paper | Restriction | Seed length |
|---|---|---|
| [BM82][Y82] | One-way Permutations | $n + o(n)$ |
| [GKL88] | Regular OWF | $O(n^3)$ |
| [HHR05] | Regular OWF | $O(n \log n)$ |
| [HILL89] | Any OWF | $O(n^8)$ |
| [Holens06] | Exponentially Hard OWF | $O(n^5)$ |
| This work | Exponentially Hard OWF | $O(n^2)$ |
| [HHR05] | Any OWF | $O(n^7)$ |

6 PRG from exponentially hard OWF. [Holenstein 06] is a generalization of [HILL] that takes into account the hardness $2^{-\Phi n}$. Seed length is a function of $\Phi$, with optimal results when $\Phi$ is a constant $C$. Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs. Works only for $\Phi > \Omega(1/\log n)$.

7 Plan of the talk: Motivation - The BMY generator. The Randomized Iterate. A PRG from regular OWFs. The randomized iterate of a general OWF. The construction for exponentially hard OWFs.

8 The BMY PRG. OWP $f:\{0,1\}^n \to \{0,1\}^n$. Hardcore-predicate $b$ of $f$: given $f(x)$ it is hard to predict $b(x)$. $G(x) = b(x), b(f^1(x)), b(f^2(x)), \ldots, b(f^n(x))$. Claim: $G$ is a PRG. [Figure: chain $x \to f(x) \to f^2(x) \to \ldots \to f^n(x) \to f^{n+1}(x)$, each arrow one application of $f$]

9 One-Way on Iterates: given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$. [Levin]: If $\forall k$ it is hard to invert $f^k$, then $b(x), b(f(x)), \ldots, b(f^m(x))$ is pseudorandom.

10 Applying BMY to any OWF. When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular). Example: [Figure: two applications of $f$ leading into a region labelled "Easy inputs"]

11 The Randomized Iterate [GKL], [HHR]. Idea: use “randomization steps” between the iterations of $f$ to prevent the convergence of the outputs into easy instances. [Figure: $x \to f \to f^0(x,h) \to h_1 \to f \to f^1(x,h) \to h_2 \to f \to f^2(x,h) \to h_3 \to f \to \ldots$] $h = (h_1,\ldots,h_n)$ are random pairwise independent hash functions. $G(x,h) = b(f^0(x,h)), \ldots, b(f^n(x,h)), h_1, \ldots, h_n$.
$\mathcal{H}$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if $\forall x_1 \neq x_2$ and a random $h \in \mathcal{H}$, $(h(x_1),h(x_2))$ is uniform over $\{0,1\}^{2n}$. Use $\mathcal{H}$ where the description of $h$ is of length $O(n)$.
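An added illustration, not code from the slides or their authors: on a toy 2-to-1 regular function over 8 bits (not one-way, chosen only so everything can be enumerated), the plain iterate collapses to a single value while the randomized iterate keeps covering all of Im(f). The recursion $f^k(x,h) = f(h_k(f^{k-1}(x,h)))$ is read off the slide's figure, and the family $h_{a,b}(x) = a \cdot x + b$ over GF($2^8$) is an assumed instantiation of $\mathcal{H}$ with a 2n-bit description.

```python
import random

N = 8            # toy input length in bits (assumption, allows exhaustive checks)
POLY = 0x11B     # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def h(key, x):
    """h_{a,b}(x) = a*x + b over GF(2^8); the key (a, b) is 2n = O(n) bits."""
    a, b = key
    return gf_mul(a, x) ^ b

def is_pairwise_independent(x1, x2):
    """Exhaustive check: over all keys, (h(x1), h(x2)) hits every pair exactly once."""
    keys = [(a, b) for a in range(2**N) for b in range(2**N)]
    return len({(h(k, x1), h(k, x2)) for k in keys}) == 2 ** (2 * N)

def f(x):
    """Toy 2-to-1 regular function. NOT one-way; it only models output collapse."""
    return x >> 1

def plain_iterate(x, k):
    """f^0(x) = f(x), f^k(x) = f(f^{k-1}(x)) (indexed like the randomized iterate)."""
    for _ in range(k + 1):
        x = f(x)
    return x

def randomized_iterate(x, keys):
    """f^0(x,h) = f(x), f^k(x,h) = f(h_k(f^{k-1}(x,h))), with k = len(keys)."""
    y = f(x)
    for key in keys:
        y = f(h(key, y))
    return y

def support_sizes(k, trials=16, seed=1):
    """Distinct outputs of the k-th plain vs. randomized iterate over all x."""
    rng = random.Random(seed)
    new_keys = lambda: [(rng.randrange(2**N), rng.randrange(2**N)) for _ in range(k)]
    plain = {plain_iterate(x, k) for x in range(2**N)}
    rand = {randomized_iterate(x, new_keys()) for x in range(2**N) for _ in range(trials)}
    return len(plain), len(rand)
```

For a regular $f$ each $h_k$ re-randomizes the input to the next application of $f$, so every randomized iterate is distributed exactly as $f(U_n)$; this is why the "last iteration is at least as heavy" condition on slide 13 always holds in the regular case.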

12 Lemma [HHR]: (Last randomized iteration is hard to invert) Let $f$ be a regular OWF and $\mathcal{H}$ be a family of pairwise independent hash functions, then no PPT can invert $f^k$ given $h_1,\ldots,h_k$. Corollary: Let $f$ be a regular OWF and $\mathcal{H}$ be a family of pairwise independent hash functions, then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \ldots, b(f^n(x,h)), h$ is a PRG.

13 Randomized Iterate of general OWF. Can we apply the construction to any OWF? No, security deteriorates with every iteration. $(x,h) \to f^0(x,h), f^1(x,h), \ldots, f^k(x,h)$. Lemma: It is hard to invert $f^k$ (given $h$) over a set of density at least $1/k$. $f^k$ is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence. By symmetry this happens with probability $\geq 1/k$. Note: for regular functions always true…

14 With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,h)$ and $h$. Idea: repeat $m$ independent times. Pseudoentropy source: at least $m/k$ of the bits are pseudorandom given $f^{k+1}$ and $h$. Use a randomness extractor to get $O(m/k)$ pseudorandom bits. [Figure: $m$ independent copies; the $i$-th copy goes from $f^k(x_i,h_i)$ to $f^{k+1}(x_i,h_i)$ and yields the bit $b_i$; the bits $b_1,\ldots,b_m$ feed an extractor Ext that outputs $m/2k$ bits]

15 Randomness Extractors [NZ93]. Extract randomness from distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the seed is known. [Figure: Extractor with seed; high entropy distribution → random output; high pseudoentropy distribution → pseudorandom output] Uniform extraction Lemma: an analogous result for pseudoentropy, appears implicitly in [HILL]. New proof of the uniform extraction Lemma given in [Holens06] & [HHR05]. Based on the uniform hardcore set proof of Holenstein (FOCS 2005).

16 We can extract $m/2k$ pseudorandom bits at each iteration. Total pseudorandom bits: $\sum_k (m/2k) \approx \frac{m}{2} \log t$. For the generator to stretch this should be more than the $mn$ bits of $x_1,\ldots,x_m$: $t > 2^n$ is too large!!! [Figure: inputs $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \ldots, (x_m,h_m)$ run for $t$ iterations; bits extracted per iteration: $m/4, m/6, m/8, m/10, m/12, \ldots$]

17 Exponential hardness. Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $O(Cn)$ hard-core bits. We can take out more pseudorandom bits at every iteration!

18 We extract $C'mn/k$ pseudorandom bits at the $k$-th iteration. Total number of pseudorandom bits: $\sum_k (C'nm/k) \approx C'mn \log t$. Take $t$ to be a constant such that $\sum_k (1/k) > C'$. Total seed length is $O(tmn)$ bits (description size of the hash functions). Take $m = n$, the seed length becomes $O(n^2)$. [Figure: inputs $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \ldots, (x_m,h_m)$ run for $t$ iterations; bits extracted per iteration: $mn/4, mn/6, mn/8, mn/10, mn/12, \ldots$]

19 Questions and Further Issues. Holenstein achieves seed $O(n^4 \log^2 n)$ if the resulting PRG need only have standard hardness (super-polynomial). Accordingly, we get $O(n \log^2 n)$ in such a case. Can such methods work for general OWFs? Could work if the deterioration in security in each iteration were somehow limited. Other applications of exponentially hard OWFs? Recent results of [GI06], [HR06].