On Pseudorandom Generators with Linear Stretch in NC 0

Presentation Transcript


  1. On Pseudorandom Generators with Linear Stretch in NC0. Benny Applebaum, Yuval Ishai, Eyal Kushilevitz (Technion). Foundations of secure multi-party computation and its applications and zero-knowledge.

  2. Pseudorandom Generator (PRG). [Figure: a generator G maps a short uniform seed U_in to G(U_in), which is longer by the stretch; a poly-time machine must answer "Pseudorandom or Random?" when handed either G(U_in) or the output U_out of a true random source.]

  3. PRG – Parallelism vs. Stretch. [Figure: complexity class (poly-time, NC, log-space, NC1, AC0, NC0, NC0_ℓ) plotted against stretch (super-linear, linear, sub-linear).] Motivation: parallel implementation of crypto tasks (e.g., stream cipher, Naor commitment).

  4. Previous Work
     Positive results:
     • Super-linear PRG from any PRG [Goldreich Micali 84]
     • Super-linear PRG in NC1 from factoring [Naor Reingold Rosen 02, NR 97]
     • Sub-linear PRG in AC0 from subset sum [Impagliazzo Naor 89]
     • Heuristic super-linear PRG in NC0_5 [Mossel Shpilka Trevisan 03]
     • Sub-linear PRG in NC0_4 from any PRG in NC1 [AIK 04]
     • Sub-linear PRG in NC0_3 from decoding a random linear code [AIK]
     • Linear PRG in NC0_4 from linear PRG in NC0 [AIK 04] (BB)
     Negative results:
     • No PRGs in NC0_2 [Goldreich 00, Cryan Miltersen 01]
     • No super-linear PRG in NC0_3, NC0_4 [CM 01, Mossel Shpilka Trevisan 03]
     • Sub-Linear PRG Linear PRG [Viola 05]
     [Figure: the complexity-vs-stretch chart of slide 3 annotated with these results (AC0, factoring, subset sum / random linear code, open, impossible).]

  5. Main Results
     • Algebraic assumption of [Alekhnovich 03] ⇒ LPRG in NC0
     • LPRG in NC0 ⇒ Inapproximability of MAX 3SAT
     Conclusion: Algebraic assumption of [Alekhnovich 03] ⇒ Inapproximability of MAX 3SAT. Already proven directly by [Alekhnovich 03].

  6. Talk Outline
     • LPRG in NC0 ⇒ Inapproximability of MAX 3SAT
     • Construction of LPRG in NC0
     • Take 1: good stretch, bad locality
     • Take 2: bad stretch, good locality
     • Regaining the stretch via ε-biased generators
     • A uniform version of the construction
     • Conclusions and open questions

  7. Cryptography and Inapproximability
     • Hardness of refuting random 3SAT ⇒ new inapproximability results [Feige 02]
     • Hardness of determining the number of satisfiable equations in a random linear system ⇒ Feige's assumption + new results [Alekhnovich 03]
     • Approximation algorithm for MAX 2LIN ⇒ upper bound on the stretch of PRGs in NC0_4 [Mossel Shpilka Trevisan 03]
     These do not rely on a standard crypto primitive.

  8. NC0 Crypto and Inapproximability
     k-Constraint Satisfaction Problem (k-CSP): a list of constraints over n variables x1,…,xn, each constraint involving k variables, e.g. X1+X3 X5 = 0, X2 X3 X4 = 1, …, X2+X3+X4 = 1. Q: how many of the constraints can be satisfied together?
     Corollary of PCP [ALMSS, AS 92]: if P ≠ NP, then one cannot distinguish a satisfiable 3-CSP from an ε-unsatisfiable 3-CSP.
     Current work: if there is a linear-stretch PRG in NC0, then one cannot distinguish a satisfiable 3-CSP from an ε-unsatisfiable 3-CSP.

  9. LPRG in NC0 ⇒ Inapproximability
     • Thm. If G: {0,1}^n → {0,1}^s is a PRG in NC0_k and s − n = Ω(n), then there is an ε s.t. satisfiable k-CSP and ε-unsat k-CSP are indistinguishable.
     • Proof: k-CSP distinguisher ⇒ distinguisher for PRG.
     • If y ←R G(Un), y is satisfiable (since ∃x s.t. G(x) = y).
     • If y ←R Us, then (w.h.p.) y is ε-unsat.
     [Figure: the reduction. y is turned into the k-CSP instance G1(x) = y1, G2(x) = y2, …, Gs(x) = ys and handed to the CSP distinguisher A; "yes" (satisfiable) is read as y ~ G(Un), "no" (ε-unsat) as y ~ Us.]

  10. LPRG in NC0 ⇒ Inapproximability
     • Claim: If y ←R Us, then (w.h.p.) y is ε-unsat.
     • Proof: Assume y is not ε-unsat; then ∃x s.t. H(y, G(x)) < εs.
     • Hence Pr[y is not ε-unsat] = Pr[H(y, Image(G)) < εs]
       ≤ |Image(G)| · Vol(s, εs) / 2^s
       ≤ 2^{n + H(ε)s − s} = neg(n), since s = n + Ω(n).
     [Figure: the εs-sphere around a point G(x) of Image(G) inside {0,1}^s; otherwise the same reduction diagram as slide 9.]
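The reduction of slides 8 through 10, run on a toy generator as an added example (this code is not from the talk or the paper): each output bit of an NC0_k generator G, together with a target value y_i, is one k-ary constraint, so y ← G(U_n) yields a satisfiable instance, while for a uniformly random y the fraction of ε-unsatisfiable instances is enumerated exactly and compared against the bound |Image(G)| · Vol(s, εs) / 2^s from slide 10. The generator, the parameters (n = 4, s = 10, k = 3, ε = 1/5) and the random seed are constructed here for illustration only; with such a tiny n the bound is nowhere near negligible, and the code reports the actual number rather than hiding it.

```python
from fractions import Fraction
from itertools import product
from math import comb
import random

# --- toy NC0_k generator --------------------------------------------------
# Output bit i is an arbitrary function of k fixed input positions, stored as
# (indices, truth_table). Constructed at random here; the slides' G is a fixed
# NC0 circuit, but the reduction only needs the locality.
def random_local_generator(n, s, k, rng):
    gates = []
    for _ in range(s):
        idx = tuple(sorted(rng.sample(range(n), k)))
        tt = {bits: rng.randrange(2) for bits in product((0, 1), repeat=k)}
        gates.append((idx, tt))
    return gates

def evaluate(gen, x):
    return tuple(tt[tuple(x[j] for j in idx)] for idx, tt in gen)

# --- the reduction: G and a candidate output y define a k-CSP -------------
def to_csp(gen, y):
    """Constraint i is 'G_i(x) = y_i': x restricted to idx_i must be one of
    the k-bit patterns on which gate i outputs y_i."""
    return [(idx, {bits for bits, out in tt.items() if out == y_i})
            for (idx, tt), y_i in zip(gen, y)]

def max_sat_fraction(csp, n):
    """Largest fraction of constraints any assignment satisfies (brute force
    over all 2^n assignments, fine for toy n)."""
    best = max(sum(tuple(x[j] for j in idx) in ok for idx, ok in csp)
               for x in product((0, 1), repeat=n))
    return Fraction(best, len(csp))

def is_eps_unsat(csp, n, eps):
    # eps-unsat: no assignment satisfies more than a (1 - eps) fraction
    return max_sat_fraction(csp, n) <= 1 - eps

# --- the counting argument of slide 10, made concrete --------------------
def fraction_eps_unsat(gen, n, eps):
    """Pr over uniform y in {0,1}^s that the instance (G, y) is eps-unsat."""
    s = len(gen)
    unsat = sum(is_eps_unsat(to_csp(gen, y), n, eps)
                for y in product((0, 1), repeat=s))
    return Fraction(unsat, 2 ** s)

def union_bound(gen, n, eps):
    """|Image(G)| * Vol(s, eps*s) / 2^s: upper bound on Pr_y[y not eps-unsat],
    where Vol counts strings at Hamming distance < eps*s from a point."""
    s = len(gen)
    image = {evaluate(gen, x) for x in product((0, 1), repeat=n)}
    radius = eps * s
    vol = sum(comb(s, i) for i in range(s + 1) if i < radius)
    return Fraction(len(image) * vol, 2 ** s)

# Constructed toy instance (parameters chosen so everything enumerates fast).
N, S, K = 4, 10, 3
GEN = random_local_generator(N, S, K, random.Random(7))
EPS = Fraction(1, 5)

def demo():
    """(max-sat fraction of a pseudorandom y, fraction of random y that are
    eps-unsat, slide 10's bound on the complementary event)."""
    y_pseudo = evaluate(GEN, (1, 0, 1, 1))
    return (max_sat_fraction(to_csp(GEN, y_pseudo), N),
            fraction_eps_unsat(GEN, N, EPS),
            union_bound(GEN, N, EPS))

if __name__ == "__main__":
    sat, unsat, bound = demo()
    print(f"pseudorandom y: max-sat fraction {sat}")
    print(f"random y: eps-unsat with prob {float(unsat):.3f} "
          f"(slide 10 bound gives at least {1 - float(bound):.3f})")
```

The pseudorandom direction is exact (the seed itself satisfies every constraint); the random direction is where the stretch enters, since the bound shrinks only as 2^n falls behind 2^s.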

  11. LPRG in NC0 ⇒ Inapproximability. Q: So what? A: It explains why it is hard to construct LPRGs in NC0. We have an excuse…

  12. Talk Outline
     • LPRG in NC0 ⇒ Inapproximability of MAX 3SAT
     • Construction of LPRG in NC0
     • Take 1: good stretch, bad locality
     • Take 2: bad stretch, good locality
     • Regaining the stretch via ε-biased generators
     • A uniform version of the construction
     • Conclusions and open questions

  13. LPRG Construction – Take 1
     [Figure: distribution C(M, μ): c = Mx + e, where M is a fixed binary ℓ-sparse m×n matrix (ℓ ones per row), x a random n-bit vector and e a random error vector of weight μ·m, with m = kn; beside it C(M, μ + 1/m) and the uniform distribution.]
     • Assumption 1 [Alekhnovich 03]: For any const. k, ℓ, 0 < μ < 1 and any family of kn×n ℓ-sparse matrices Mn, if Mn is expanding then C(Mn, μ) ≈c C(Mn, μ + 1/kn).
     • Lemma [Alek 03]: Assumption 1 ⇒ C(Mn, μ) is pseudorandom.
     • Pros: high (linear) stretch: input n + mH(μ) bits, output m bits; Mx is samplable in NC0.
     • Con: how to sample the noise vector in NC0?

  14. LPRG Construction – Take 2
     [Figure: distribution D(M, μ): c = Mx + e with an iid noise vector e, each bit 1 w/prob. μ, m = kn; beside it D(M, μ + 1/m).]
     • Assumption 2: ∀ const. k, ℓ, 0 < μ < 1 and family Mn of kn×n ℓ-sparse matrices, if Mn is expanding then D(Mn, μ) ≈c D(Mn, μ + 1/kn).
     • Assumption 1 ⇒ Assumption 2
     • Lemma: Assumption 2 ⇒ D(Mn, μ) is pseudorandom.

  15. Sampling D(M, μ) in NC0
     • For μ = 1/2^t one can sample e in NC0_t.
     • Problem: no expansion: mt + n inputs → m outputs.
     • Observation: y has large entropy even when e is given.
     • Sol: extract more random bits from y. Need to extract almost all bits of y, in NC0, using fewer than m extra bits.
     • Sol: use an NC0 ε-biased generator.
     [Figure: x (n bits) → Mx via the ℓ-sparse M; y (mt bits, in blocks of t) → e (m bits); their sum is D(M, μ).]

  16. Regaining the stretch
     • Let [y|e] be the distribution of y given e.
     • Lem. 1 (High Entropy): except w/prob exp(−Ω(m/2^t)), H([y|e]) ≥ mt(1 − 2^{−Ω(t)}).
     • Proof:
     • e_i = 1 ⇒ i-th block of y = 1^t
     • e_i = 0 ⇒ i-th block of y ←R {0,1}^t \ {1^t}
     • e has k zeroes ⇒ [y|e] is uniform over a set of size (2^t − 1)^k
     • By Chernoff: Pr[# 1's in e > 2m/2^t] < exp(−Ω(m/2^t))
     • Hence, w/prob 1 − exp(−Ω(m/2^t)), # 0's in e ≥ m(1 − 1/2^{t−1}) ⇒ [y|e] is uniform over a set of size ≥ (2^t − 1)^{m(1 − 2^{−t+1})}.
     [Figure: y (mt bits, in blocks of t) feeding e (m bits).]

  17. ε-biased generators
     [Figure: as for a PRG, g stretches a seed U_in to g(U_in) and a distinguisher is asked "Pseudorandom or Random?", but here the distinguisher is restricted to a linear function.]
     ε-bias generator [Naor Naor 90]: for every linear distinguisher L, |Pr[L(g(Us)) = 1] − Pr[L(Us) = 1]| ≤ ε.

  18. Extraction via ε-biased generators
     • Lem 2. (Extraction) [Alon Roichman 94, Goldreich Wigderson 97]: Let g: {0,1}^n → {0,1}^s be an ε-biased generator and X_s a distribution over {0,1}^s with s − H(X_s) ≤ δ. Then SD(g(Un) + X_s, Us) ≤ 2^{(δ−1)/2} · ε.
     • Lem 3. (ε-biased in NC0) [Mossel Shpilka Trevisan 02]: ∀ const. c, ∃ an ε-biased gen g: {0,1}^n → {0,1}^{cn} w/ bias ε = 2^{−n/poly(c)} in NC0_5.

  19. Wrapping Up
     1. Pr_y[H([y|e]) ≥ mt(1 − neg(t))] > 1 − neg(m)
     2. ∀c, we have g: {0,1}^{mt/c} → {0,1}^{mt} w/ bias 2^{−mt/poly(c)} in NC0_5 [MST 03]
     3. r ←R U_{tm/c}; then g(r) + [y|e] is close to uniform up to neg(m) + 2^{−mt/poly(c)} + mt·neg(t) = neg(m) for proper consts t, c [Alon Roichman 94, Goldreich Wigderson 97]
     [Figure: r (mt/c bits) → g → g(r); y (mt bits, in blocks of t) → e; g(r) + y is close to uniform.]

  20. Wrapping Up. [Figure: the diagram of slide 19 again: r → g → g(r), y → e, and g(r) + y uniform.]

  21. Our Generator
     [Figure: input x (n bits) → Mx; y (mt bits) → e; outputs Mx + e ~ D(M, μ) (m bits) and g(r) + y ~ uniform (mt bits), with r (mt/c bits) → g → g(r).]
     Let m = kn. Input: n + tm + tm/c = n(1 + tk + tk/c). Output: m + tm = n(k + tk). For const. k and good consts. c, t we have linear stretch.
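An assembled toy version of the Take-2 generator of slides 13 through 21, added here as an example (it is not code from the paper): the NC0_t noise sampler of slide 15, the support count behind Lemma 1 on slide 16, the length accounting of slide 21 and a brute-force check of the Naor–Naor bias definition from slide 17. Two things are assumptions of this example rather than the construction itself: M is a random ℓ-sparse matrix, not a member of an expanding family, and the ε-biased generator is a stand-in that merely repeats its seed. The bias check shows exactly why that stand-in fails the definition and must be replaced by the [MST] generator in a real instantiation.

```python
from fractions import Fraction
from itertools import product
from math import log2
import random

def random_sparse_matrix(m, n, ell, rng):
    """m x n binary matrix with ell ones per row (constructed at random; the
    assumption additionally needs the family to be expanding)."""
    rows = []
    for _ in range(m):
        ones = set(rng.sample(range(n), ell))
        rows.append([1 if j in ones else 0 for j in range(n)])
    return rows

def mat_vec_gf2(M, x):
    return [sum(a & b for a, b in zip(row, x)) % 2 for row in M]

def sample_noise(ybits, t):
    """e_i = AND of the i-th block of t fresh bits, so Pr[e_i = 1] = 2^-t and
    every e_i reads only t input bits: the NC0_t sampler of slide 15."""
    return [int(all(ybits[i * t:(i + 1) * t])) for i in range(len(ybits) // t)]

def noise_rate(t):
    """Exact Pr[e_i = 1], by enumerating all t-bit blocks."""
    return Fraction(sum(all(b) for b in product((0, 1), repeat=t)), 2 ** t)

def conditional_support_bits(e, t):
    """log2 |support of y given e| (slide 16): a block with e_i = 1 is forced
    to 1^t, a block with e_i = 0 is uniform over the other 2^t - 1 values."""
    return e.count(0) * log2(2 ** t - 1)

def bias(g, seed_len):
    """Naor-Naor bias of g by brute force over all nonzero linear tests
    (tiny seed lengths only)."""
    outs = [g(list(r)) for r in product((0, 1), repeat=seed_len)]
    worst = Fraction(0)
    for a in product((0, 1), repeat=len(outs[0])):
        if not any(a):
            continue
        ones = sum(sum(ai & oi for ai, oi in zip(a, o)) % 2 for o in outs)
        worst = max(worst, abs(Fraction(ones, len(outs)) - Fraction(1, 2)))
    return worst

def generator(x, ybits, r, M, t, g):
    """Output (Mx + e, g(r) + y): e is derived from y, and the entropy left in
    y given e is extracted by XOR-ing with g(r) (Lemma 2 needs g eps-biased)."""
    m = len(M)
    assert len(ybits) == m * t, "y must hold t bits per noise coordinate"
    e = sample_noise(ybits, t)
    first = [(a + b) % 2 for a, b in zip(mat_vec_gf2(M, x), e)]
    gr = g(r)
    assert len(gr) == len(ybits), "g must stretch r to mt bits"
    second = [(a + b) % 2 for a, b in zip(gr, ybits)]
    return first + second

def lengths(n, k, t, c):
    """(input bits, output bits) of slide 21: n + tm + tm/c in, m + tm out, m = kn."""
    m = k * n
    return n + t * m + t * m // c, m + t * m

def has_linear_stretch(k, t, c):
    """Output exceeds input by a constant fraction of n iff c > tk/(k-1)."""
    return k + t * k > 1 + t * k + Fraction(t * k, c)

def stand_in_g(r, c=8):
    """Placeholder for the eps-biased generator: repeats the seed c times.
    It has the right lengths but bias 1/2 (two copies of one seed bit XOR to
    0), so it is NOT acceptable; [MST] supplies a real NC0 eps-biased g."""
    return list(r) * c

def demo(n=4, k=2, t=2, c=8, seed=1):
    """Assemble the generator on constructed inputs; returns (input, output) lengths."""
    rng = random.Random(seed)
    m = k * n
    M = random_sparse_matrix(m, n, ell=3, rng=rng)
    x = [rng.randrange(2) for _ in range(n)]
    ybits = [rng.randrange(2) for _ in range(m * t)]
    r = [rng.randrange(2) for _ in range(m * t // c)]
    out = generator(x, ybits, r, M, t, lambda s: stand_in_g(s, c))
    return len(x) + len(ybits) + len(r), len(out)

if __name__ == "__main__":
    print("noise rate for t=3:", noise_rate(3))
    print("lengths (in, out):", demo(), "linear stretch:", has_linear_stretch(2, 2, 8))
    print("bias of the stand-in g:", bias(lambda s: stand_in_g(s, 4), 1))
```

The stretch condition c > tk/(k−1) is just slide 21's accounting rearranged: the mt/c seed bits spent on g must cost less than the m − n bits gained from Mx + e, which is why the noise rate 1/2^t and the bias parameter c have to be balanced against each other.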

  22. LPRG in Uniform NC0
     • Non-uniform advice: Mn (a family of unbalanced constant-degree bipartite expanders); ∀c, a generator g: {0,1}^n → {0,1}^{cn} w/ bias ε = 2^{−n/poly(c)} in non-uniform NC0_5 [MST 03].
     • Uniform implementation: Mn = explicit family of unbalanced constant-degree bipartite expanders [Capalbo Reingold Vadhan Wigderson 02]; prove a uniform version of MST: ∀c, a generator g: {0,1}^n → {0,1}^{cn} w/ bias ε = 2^{−n/polylog(c)} in uniform NC0_{polylog(c)} (the construction again uses [Capalbo Reingold Vadhan Wigderson 02]).

  23. Talk Outline
     • LPRG in NC0 ⇒ Inapproximability of MAX 3SAT
     • Construction of LPRG in NC0
     • Take 1: good stretch, bad locality
     • Take 2: bad stretch, good locality
     • Regaining the stretch via ε-biased generators
     • A uniform version of the construction
     • Conclusions and open questions

  24. PRG Open Questions. Q: Can we compile a high-stretch PRG in a "relatively high" complexity class (e.g., NC1) into an LPRG in NC0?

  25. LPRG Open Questions. Q: Can we compile a high-stretch PRG in a "relatively high" complexity class (e.g., NC1) into an LPRG in NC0? A: Maybe, but the compiler must be "combinatorially interesting".

  26. The Necessity of Expansion
     • Let G: {0,1}^n → {0,1}^s be an ε-strong PRG, i.e., for any eff. A, adv_A(G(Un), Us) < ε.
     • Claim: any set T of outputs of size k < log(1/ε) touches at least k inputs. Hence the graph is expanding.
     • Proof: otherwise, for some z ∈ {0,1}^k, Pr[y_T = z] = 0 when y ← G(Un), but Pr[y_T = z] = 2^{−k} > ε when y ← Us.
     • If G is not in NC0, the graph has non-const. degree: trivial! If G has small stretch: trivial!
     • G in NC0 with linear stretch ⇒ non-trivial expansion.
     • By disperser lower bounds [Radhakrishnan, Ta-Shma]: if ε = 2^{−k} then locality ≥ Ω(log(s/k) / log(n/k)).
     • Corollary: no 2^{−Ω(n)}-strong PRGs w/ super-linear stretch in NC0.
     [Figure: bipartite graph with the s outputs on one side and the n inputs on the other.]

  27. Open Questions
     • PRG w/ super-linear stretch in NC0, or even in AC0?
     • LPRG in NC0_3?
     • LPRG in NC0 under standard assumptions?
     • Sub-linear PRG ⇒ LPRG in NC? (Easy: linear PRG ⇒ super-linear PRG in NC1.)
     • More inapproximability from crypto: not hard to extend the results to other primitives…; get inapproximability results which do not follow from PCP; use more standard assumptions.

  28. Thank You !
