
Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions

Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions. Iftach Haitner, Danny Harnik, Omer Reingold. Pseudorandom Generators (PRG) [BM82, Yao82]: an efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$ that increases length ($n' > n$).


Presentation Transcript


  1. Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions
      Iftach Haitner, Danny Harnik, Omer Reingold

  2. Pseudorandom Generators (PRG) [BM82, Yao82]
      Efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$
      • Increases length ($n' > n$)
      • Output is computationally indistinguishable from random: $G(U_n) \approx_C U_{n'}$
      • Central in cryptography; implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and …
      [Diagram: $x \to G(x)$]

  3. PRG Based on General Hardness Assumptions
      • One-way permutations [BM82, Yao82]: $O(n)$
      • Regular one-way functions [GKL88]: $O(n^3)$
      • Any one-way function [HILL89]: $O(n^8)$
      Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if
      • Efficiently computable
      • Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
      If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
      $f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size
      • for any $x \in \{0,1\}^n$ it holds that $|f^{-1}(f(x))| = n$.
      Input Blowup: the input length of the resulting PRG grows compared to the underlying OWF.
      • Central to the security of the construction.
      • Denote the input length of the OWF by $n$.

  4. Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if:
      • Efficiently computable
      • Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
      Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if:
      • Efficiently computable
      • Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] < 2^{-Cn}$ for some constant $C > 0$
      Example: We trust a OWF to be secure only for 100 bit inputs.
      • [BMY] is insecure for seed < 100 bits.
      • [HILL] is insecure for seed < $10^{16}$ bits!
      Goal: Reduce input length blowup.
      • [Holenstein 06] One-way function with exponential hardness ($2^{-Cn}$ for some $C > 0$): $O(n^5)$

  5. Our Results

      | Paper | Restriction | Seed length |
      |---|---|---|
      | [BM82] [Y82] | One-way Permutations | $n + o(n)$ |
      | [GKL88] | Regular OWF | $O(n^3)$ |
      | [HHR05] | Regular OWF | $O(n \log n)$ |
      | [HILL89] | Any OWF | $O(n^8)$ |
      | [HHR05] | Any OWF | $O(n^7)$ |
      | [Holens06] | Exponentially Hard OWF | $O(n^5)$ |
      | This work | Exponentially Hard OWF | $O(n^2)$ |

  6. PRG from exponentially hard OWF
      • [Holenstein 06] is a generalization of [HILL] that takes into account the hardness $2^{-\Phi n}$
      • Seed length is a function of $\Phi$, with optimal results when $\Phi$ is a constant $C$.
      • Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs.
      • Works only for $\Phi > \Omega(1/\log n)$

  7. Plan of the talk:
      • Motivation - The BMY generator.
      • The Randomized Iterate.
      • A PRG from regular OWFs.
      • The randomized iterate of a general OWF.
      • The construction for exponentially hard OWFs.

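  8. The BMY PRG
      OWP $f:\{0,1\}^n \to \{0,1\}^n$
      [Diagram: chain $x \to f(x) \to f^2(x) \to \dots \to f^n(x) \to f^{n+1}(x)$, with the bits $b(x), b(f^1(x)), b(f^2(x)), \dots, b(f^n(x))$ output along the chain]
      $G(x) = b(x), b(f^1(x)), b(f^2(x)), \dots, b(f^n(x))$
      Claim: $G$ is a PRG.
      Hardcore-predicate of $f$: given $f(x)$ it is hard to predict $b(x)$.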

  9. One-Way on Iterates: given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$
      [Levin]: If $\forall k$ it is hard to invert $f^k$, then $b(x), b(f(x)), \dots, b(f^m(x))$ is pseudorandom.

  10. Applying BMY to any OWF
      When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular).
      Example: [Diagram: two applications of $f$ mapping into a set of "Easy inputs"]

  11. The Randomized Iterate
      Idea: use “randomization steps” between the iterations of $f$ to prevent the convergence of the outputs into easy instances.
      The Randomized Iterate [GKL], [HHR]:
      [Diagram: $x \to f \to h_1 \to f \to h_2 \to f \to h_3 \to f \to \dots$, with labels $f^0(x,h)$, $f^0(x)$, $f^1(x,h)$, $f^2(x,h)$]
      $h = (h_1,\dots,h_n)$ random pairwise independent hash functions
      $H$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if $\forall x_1 \neq x_2$ and a random $h \in H$, $(h(x_1), h(x_2))$ is uniform over $\{0,1\}^{2n}$.
      • Use $H$ where the description of $h$ is of length $O(n)$.
      $G(x,h) = b(f^0(x,h)), \dots, b(f^n(x,h)), h_1, \dots, h_n$

  12. Lemma [HHR]: (Last randomized iteration is hard to invert) Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then no PPT can invert $f^k$ given $h_1,\dots,h_k$.
      Corollary: Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \dots, b(f^n(x,h)), h$ is a PRG.

  13. Randomized Iterate of general OWF
      Can we apply the construction to any OWF?
      • No, security deteriorates with every iteration.
      Lemma: It is hard to invert $f^k$ (given $h$) over a set of density at least $1/k$.
      $(x,h) \to f^0(x,h), f^1(x,h), \dots, f^k(x,h)$
      • $f^k$ is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence.
      • By symmetry, this happens with probability $\geq 1/k$.
      Note: for regular functions always true…

  14. [Diagram: $m$ independent rows $f^k(x_i,h_i) \to f^{k+1}(x_i,h_i)$ with bits $b_1, b_2, b_3, \dots, b_m$, fed into Ext, which outputs $m/2k$ bits]
      • With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,h)$ and $h$.
      • Idea: repeat $m$ independent times
      • Use a randomness extractor to get $O(m/k)$ pseudorandom bits
      Pseudoentropy source: at least $m/k$ of the bits are pseudorandom given $f^{k+1}$ and $h$

  15. Randomness Extractors [NZ93]
      Extract randomness from distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the seed is known.
      [Diagram: high entropy distribution + seed → Extractor → random output; high pseudoentropy distribution + seed → Extractor → pseudorandom output]
      • Uniform extraction Lemma: an analogous result for pseudoentropy, appears implicitly in [HILL]
      • New proof of the uniform extraction Lemma given in [Holens06] & [HHR05].
      • Based on the uniform hardcore set proof of Holenstein (FOCS 2005).

  16. [Diagram: $t$ iterations over inputs $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \dots, (x_m,h_m)$, extracting $m/4$, $m/6$, $m/8$, $m/10$, $m/12$ bits]
      • We can extract $m/2k$ pseudorandom bits at each iteration.
      • Total pseudorandom bits: $\sum_k (m/2k) \approx (m/2) \log t$
      • For the generator to stretch this should be more than the $mn$ bits of $x_1,\dots,x_m$
      • $t > 2^n$ is too large !!!

  17. Exponential hardness
      Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $O(Cn)$ hard-core bits.
      We can take out more pseudorandom bits at every iteration!

  18. [Diagram: $t$ iterations over inputs $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \dots, (x_m,h_m)$, extracting $mn/4$, $mn/6$, $mn/8$, $mn/10$, $mn/12$ bits]
      • We extract $C'mn/k$ pseudorandom bits at the $k$th iteration.
      • Total number of pseudorandom bits: $\sum_k (C'nm/k) \approx C'mn \log t$
      • Take $t$ to be a constant such that $\sum_k (1/k) > C'$
      • Total seed length is $O(tmn)$ bits (description size of the hash functions).
      • Take $m = n$, the seed length becomes $O(n^2)$.

  19. Questions and Further Issues
      • Holenstein achieves seed $O(n^4 \log^2 n)$ if the resulting PRG need only have standard hardness (super-polynomial). Accordingly, we get $O(n \log^2 n)$ in such a case.
      • Can such methods work for general OWFs?
      • Could work if the deterioration in security in each iteration were somehow limited.
      • Other applications of exponentially hard OWFs?
      • Recent results of [GI06], [HR06].
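
The randomized iterate and generator $G(x,h)$ of slides 11 and 12, as an added toy example (not code from the slides or the paper). Assumptions: $n = 8$, truncated SHA-256 stands in for the one-way function $f$, $h_{a,b}(x) = a \cdot x + b$ over GF($2^8$) is the pairwise independent family, $b$ is a Goldreich-Levin inner-product bit with a public string `r`, and the recursion $f^i = f(h_i(f^{i-1}))$ is read off the slide 11 diagram.

```python
import hashlib
import secrets

N = 8          # toy block length in bits (assumption; far too small for any security)
POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2)

def gf_mul(a, b):
    """Multiply two elements of GF(2^8) modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def h(key, x):
    """Pairwise independent hash h_{a,b}(x) = a*x + b; the key (a, b) is 2n bits."""
    a, b = key
    return gf_mul(a, x) ^ b

def f(x):
    """Stand-in for the one-way function: SHA-256 truncated to N bits (assumption)."""
    return hashlib.sha256(bytes([x])).digest()[0]

def hardcore_bit(y, r):
    """Goldreich-Levin predicate: inner product <y, r> mod 2."""
    return bin(y & r).count("1") & 1

def randomized_iterates(x, keys):
    """Return [f^0(x,h), ..., f^k(x,h)] with f^0 = f(x) and f^i = f(h_i(f^{i-1}))."""
    out = [f(x)]
    for key in keys:
        out.append(f(h(key, out[-1])))
    return out

def G(x, keys, r):
    """G(x,h): one hardcore bit per iterate, followed by the public hash keys."""
    return [hardcore_bit(y, r) for y in randomized_iterates(x, keys)], keys

def is_pairwise_independent(x1, x2):
    """Exhaustive check: (a, b) -> (h(x1), h(x2)) hits every pair in {0,1}^{2n} once."""
    seen = {(h((a, b), x1), h((a, b), x2))
            for a in range(1 << N) for b in range(1 << N)}
    return len(seen) == 1 << (2 * N)

if __name__ == "__main__":
    keys = [(secrets.randbelow(256), secrets.randbelow(256)) for _ in range(N)]
    print(G(secrets.randbelow(256), keys, secrets.randbelow(256)))
```

With every key set to the identity hash `(1, 0)` the function reduces to the plain BMY iterate of slide 8, which is the case slide 10 shows can collapse onto easy inputs.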
