Presentation is loading. Please wait.

Presentation is loading. Please wait.

Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein, Makrand Sinha Black Box Impossibility Summer School.

Published byJulia Thompson Modified over 7 years ago

Similar presentations

Presentation on theme: "Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein, Makrand Sinha Black Box Impossibility Summer School."— Presentation transcript:

1 Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein, Makrand Sinha Black Box Impossibility Summer School

2 PRG and OWF A OWF is a function f: {0,1} n → {0,1} n such that for all PPT A: Pr[f(A(f(x))) = f(x)] is negligible. A PRG is a function g: {0,1} m → {0,1} m+1 such that for all PPT A: Pr[A(g(v))] – Pr[A(w)] is negligible. Theorem: [HILL, HRV, VZ] There is a fully BB construction of a PRG from a OWF with m = O(n 3 ) and which does O(n 3 ) calls to the OWF. ~ ~

3 OWF and PRG Theorem: [HILL, HRV, VZ] There is a fully BB construction of a PRG from a OWF with m = O(n 3 ) and which does O(n 3 ) calls to the OWF. Our Result: Any such construction must do at least Ω(n/log(n)) calls. ~ ~

4 Proof sketch 1.Prove the result for r = 1 (30 % of the work) (Pseudo-uniform OWF. Requires us to distinguish two cases) 2.Prove the result for r = 2 (50 % of the work) (Uses additionally a Chernoff-Bound) 3.Prove the result for r = n/log(n) (20% of the work) (Uses a version of the Chernoff-Bound for polynomials)

5 Quick Remark The black box separation is weak: we make the OWF f dependent on the construction g (f). Let’s do this on a few examples! We start with r = 1.

6 Case r = 1 Input Output y z Invert every 2 nd bit. x z f How to distinguish g(v) from a uniform w? g v = (x,z)

7 Case r = 1 Input Output y f z How to distinguish g(v) from a uniform w? zx

8 Case r = 1 Input Output y f z How to distinguish g(v) from a uniform w? zx

9 Our result in more detail

10 Pseudouniform one-way functions Always saying “left part stuff” gets annoying… A function g (f) :{0,1} m → {0,1} m is a pseudouniform one-way function if – It is a one-way function – The output is indistinguishable from uniform. Exercise: if g (f) :{0,1} m → {0,1} m+1 is a PRG, then chopping off the last bit gives a PU-OWF function (Hint: show first that every PRG is a OWF).

11 Next up… Plan: we give an inverter which works sometimes. Show that if it does not work, then the second case applies. Now: how does the inverter work?

12 Invert Carefully! z x z y Input Output This is a pseudouniform function (for every f!) Hence – we need to invert!But not always!

13 BreakOW(w): // Finds v with g(v) = w – sometimes For all v: if g (f) (v) = w and SafeToAnswer(w, y) // y is the answer of the query to f in g (f) (v) return v SafeToAnswer(w,y): false if #{v | g(v) = w if f(.) answers y} > 2 n/30 Our Inverter If this does not invert g, it is because SafeToAnswer returns true too often. But then: making some y’s common will make some w’s common!

14 Gennaro-Trevisan Technique: Lemma: BreakOW does not help invert a random f. Proof: How does the decoder work? Decoder: Simulate A (f) (y). When A queries BreakOW(w) evaluate g (f) (v) for all v. If only one query is unknown, check if answering it with y makes BreakOW(w) return v. If yes continue the simulation with this answer, otherwise take the next v. The preimage of y is the output of A (f) (y).

15 Should we store (x *,f(x * )) explicitly? Decoder: Simulate A (f) (y). When A queries BreakOW(w) evaluate g (f) (v) for all v. If only one query is unknown, check if answering it with y makes BreakOW(w) return v. If yes continue the simulation with this answer, otherwise take the next v. The preimage of y is the output of A (f) (y). We have to store (x *,f(x * )) explicitly if: A (f) (y) queries BreakOW with w for which: BreakOW (f) (w) ≠ BreakOW (f*) (w) We have to store (x *,f(x * )) explicitly if: A (f) (y) queries BreakOW with w for which: BreakOW (f) (w) ≠ BreakOW (f*) (w)

16 BreakOW(w): // Finds v with g(v) = w – sometimes For all v: if g (f) (v) = w and SafeToAnswer(w, y) // y is the answer of the query to f in g (f) (v) return v SafeToAnswer(w,y): false if #{v | g(v) = w if f(.) answers y} > 2 n/30 Our Inverter Fix w, y. There can only be 2 n/30 x * for which BreakOW (f) (w) ≠ BreakOW (f*) (w) because each such x* gives rise to a different v.

17 Remarks for r = 2 For r = 2 and our breaker, the Gennaro- Trevisan encoding can get huge, if the function f is chosen in an unlucky way! We don’t know how to avoid this. Instead, a Chernoff Bound shows that there are only few such functions (see paper for an example).

18 Thanks!

19 A condition on BreakOW We can give a condition on BreakOW: it should be that for every w, y, there are only few (say 2 n/30 ) values x * s.t. BreakOW (f) (w) ≠ BreakOW (f*) (w) Unfortunately, for r > 1, we can only show that our Breaker has this property for almost all f.

Download ppt "Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein, Makrand Sinha Black Box Impossibility Summer School."

Similar presentations

Quantum Software Copy-Protection Scott Aaronson (MIT) |

Quantum Software Copy-Protection Scott Aaronson (MIT) |
Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,

Finding Collisions in Interactive Protocols A Tight Lower Bound on the Round Complexity of Statistically-Hiding Commitments Iftach Haitner, Jonathan Hoch,
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
QuickSort Average Case Analysis An Incompressibility Approach Brendan Lucier August 2, 2005.

QuickSort Average Case Analysis An Incompressibility Approach Brendan Lucier August 2, 2005.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.

Complexity 26-1 Complexity Andrei Bulatov Interactive Proofs.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.
מבנה המחשב + מבוא למחשבים ספרתיים תרגול 5# Topics: 1.Encoders and decoders 2.Shifters.

מבנה המחשב + מבוא למחשבים ספרתיים תרגול 5# Topics: 1.Encoders and decoders 2.Shifters.
Randomized algorithm Tutorial 1 Hint for homework 1.

Randomized algorithm Tutorial 1 Hint for homework 1.
1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.

1 Constructing Pseudo-Random Permutations with a Prescribed Structure Moni Naor Weizmann Institute Omer Reingold AT&T Research.
1 Recap (I) n -qubit quantum state: 2 n -dimensional unit vector Unitary op: 2 n  2 n linear operation U such that U † U = I (where U † denotes the conjugate.

1 Recap (I) n -qubit quantum state: 2 n -dimensional unit vector Unitary op: 2 n  2 n linear operation U such that U † U = I (where U † denotes the conjugate.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.

On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Linear-Time Encodable and Decodable Error-Correcting Codes Jed Liu 3 March 2003.

Linear-Time Encodable and Decodable Error-Correcting Codes Jed Liu 3 March 2003.
1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.

1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.

Similar presentations

Ads by Google