1 / 20

Performance Improvement for the GGM-Construction of Pseudorandom Functions

Performance Improvement for the GGM-Construction of Pseudorandom Functions. Yu-Sheng Chen Gwoboa Horng Chao-Liang Liu NCS 2005. Abstract. The GGM (Goldreich Goldwasser Micali) -construction is a method to construct pseudorandom functions.

brick
Download Presentation

Performance Improvement for the GGM-Construction of Pseudorandom Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Performance Improvement for the GGM-Construction of Pseudorandom Functions Yu-Sheng Chen Gwoboa Horng Chao-Liang Liu NCS 2005

  2. Abstract • The GGM (Goldreich Goldwasser Micali) -construction is a method to construct pseudorandom functions. • We propose a simple variant of the GGM-construction that works faster than the original one. • Our construction is optimal under a reasonable assumption.

  3. Outline • Introduction • Pseudorandom function • Pseudorandom generator • The GGM-construction • Performance Analysis • The Variant of the GGM-construction • Performance Analysis • Proof of Correctness • Conclusion

  4. Pseudorandom function x f(x) Random function x f(x) Introduction-Pseudorandom Function • Informally, a pseudorandom function is a function that cannot be efficiently distinguished from a truly random function. Pseudorandom function: Input-output behavior is computationally indistinguishable from that of a random function. On query x, a random function returns a random value.

  5. Introduction-PseudorandomFunction f query AF 0 or 1

  6. Introduction-Pseudorandom Generator • A pseudorandom generator is a polynomial-time algorithm that can stretch its random input to a polynomial long pseudorandom string. Pseudorandom Generator x (secret seed) 01001100111110100100010…… Computationally Indistinguishable! truly random string

  7. Introduction-Pseudorandom Generator g Uk AG 0 or 1

  8. The GGM-Construction of Pseudorandom Functions • Let G :{0,1}k→{0,1}2k be a pseudorandom generator. • Denote • G(x)=b1b2…bkbk+1…b2k • G0(x)=b1…bk • G1(x)=bk+1…b2k • Construct a pseudorandom function GGMx: • Choose a random k-bit string x as a key. • Define GGMx(α)=Gαk(…Gα2(Gα1(x))), where α=α1α2…αk is an input (query) to GGMx.

  9. The GGM-Construction of Pseudorandom Functions x α1=0 α1=1 G0(x) G1(x) α2 G(x)=b1b2…bkbk+1…b2k G0(x)=b1b2…bk G1(x)=bk+1…b2k αk GGMx(α)=Gαk(…Gα2(Gα1(x))) Illustration: The Computation of GGMx(α)

  10. Performance Analysis forThe GGM construction • Notation • T0 is the cost of generating G0(x). • T1 is the cost of generating G1(x). • TGGM is the cost of computing GGMx(α) • Assumption • The cost of generating pseudorandom bits by G is , i.e. T1=2T0.

  11. Performance Analysis forThe GGM construction (Conti.) • For a randomly chosen α • On average, one evaluation of GGMx() takes . x α1=0 α1=1 G0(x) G1(x) α2 αk GGMx(α)

  12. The Variant of the GGM-construction • Let G :Ik→I4k be a pseudorandom generator. • Denote • G(x)=b1b2…b4k • G(0,0)(x)=b1…bk G(0,1)(x)=bk+1…b2k • G(1,0) (x)=b2k+1…b3k G(1,1)(x)=b3k+1…b4k • Construct a pseudorandom function GGMx’ : • Choose a random k-bit string x as a key. • Define GGMx’(α)=G(αk,αk-1)(…G(α4,α3)(G(α2,α1)(x))) if k is even ; GGMx’(α)=G(0,αk)(…G(α4,α3)(G(α2,α1)(x))) if k is odd, where α=α1α2…αk is an input (query) to GGMx’.

  13. The GGM-Construction of Pseudorandom Functions x 11 α2α1=00 01 10 G(1,0)(x) G(1,1)(x) G(0,0)(x) G(0,1)(x) α3α4 αk-1 αk if k is even αk if k ie odd GGMx’(α) Illustration: The Computation of GGMx’(α)

  14. Performance Analysis forThe Variant • Notation • T0 is the cost of generating G(0,0)(x). • TGGM’ is the cost of evaluating GGMx’(α) • Assumption • The cost of generating pseudorandom bits by G is .

  15. Performance Analysis forThe Variant (Conti.)

  16. Extension to the Generalized 2c-ary-tree Construction x αc…α2α1=0…00 ……. 1…11 0…01 …….

  17. Proof of Correctness • Theorem:The functions constructed by GGM’ are pseudorandom functions. • Proof Sketch

  18. Proof of Correctness (Illustration) Oracle Ai Ai stores random k-bit strings in all nodes of level i. In the nodes of succeeding levels, it stores k-bit string output by G. A0 Ai Ai+1 G(0,0) G(0,1) G(1,0) G(1,1) pki≡ Pr[ AG outputs 1 | AG can query Ai] Then pk0= pkF and pkk/2= pkH. Ak/2 AG : (1) Choose a random i, . (2) Use strings in Uk to “pave” the nodes of level i+1 and answer AF’s queries. (3) Output AF’s output. If Uk consists strings generated by G, AG acts for Ai. If Uk consists random strings, AG acts for Ai+1.

  19. Proof of Correctness (Conti.)

  20. Conclusion • We propose a variant of the GGM-construction GGM’ and prove its correctness. • GGM’ has the best performance under the assumption that the cost of generating pseudorandom bits by G is .

More Related