1
Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions
Iftach Haitner, Danny Harnik, Omer Reingold
2
Pseudorandom Generators (PRG) [BM82, Yao82]
An efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$ that
• increases length: $n' > n$;
• has output computationally indistinguishable from random: $G(U_n) \approx_c U_{n'}$.
Central in cryptography: implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and more.
(Figure: a seed $x$ mapped to $G(x)$.)
3
PRG Based on General Hardness Assumptions
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if
1. Efficiently computable
2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: $|f^{-1}(f(x))| = \alpha$ for every $x \in \{0,1\}^n$, where $\alpha$ does not depend on $x$.
Known constructions (seed length of the resulting PRG):
• One-way permutations [BM82, Yao82]: $O(n)$
• Regular one-way functions [GKL88]: $O(n^3)$
• Any one-way function [HILL89]: $O(n^8)$
Input blowup: the input length of the resulting PRG grows compared to the underlying OWF.
• Central to the security of the construction.
• Throughout, $n$ denotes the input length of the OWF.
4
Example: we trust an OWF to be secure only for 100-bit inputs.
[BMY] is insecure for seed $< 100$ bits. [HILL] is insecure for seed $< 10^{16}$ bits!
Goal: reduce the input-length blowup.
[Holenstein 06]: from a one-way function with exponential hardness ($2^{-Cn}$ for some $C > 0$), seed length $O(n^5)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if:
1. Efficiently computable
2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if:
1. Efficiently computable
2. Hard to invert: there is a constant $C > 0$ such that for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] < 2^{-Cn}$
5
Our Results

Paper          Restriction               Seed length
[BM82][Y82]    One-way permutations      $n + o(n)$
[GKL88]        Regular OWF               $O(n^3)$
[HHR05]        Regular OWF               $O(n \log n)$
[HILL89]       Any OWF                   $O(n^8)$
[HHR05]        Any OWF                   $O(n^7)$
[Holens06]     Exponentially hard OWF    $O(n^5)$
This work      Exponentially hard OWF    $O(n^2)$
6
PRG from exponentially hard OWF
[Holenstein 06] is a generalization of [HILL] that takes the hardness $2^{-\Phi n}$ into account.
The seed length is a function of $\Phi$, with the optimal result when $\Phi$ is a constant $C$.
Our construction develops the Randomized Iterate techniques presented in [HHR05] (there, in the context of PRGs from regular OWFs). It works only for $\Phi \geq \Omega(1/\log n)$.
7
Plan of the talk:
1. Motivation: the BMY generator.
2. The Randomized Iterate.
3. A PRG from regular OWFs.
4. The randomized iterate of a general OWF.
5. The construction for exponentially hard OWFs.
8
The BMY PRG
Let $f:\{0,1\}^n \to \{0,1\}^n$ be an OWP.
Hardcore predicate $b$ of $f$: given $f(x)$ it is hard to predict $b(x)$.
$G(x) = b(x),\, b(f(x)),\, b(f^2(x)),\, \dots,\, b(f^n(x))$
(Figure: the chain $x \to f(x) \to f^2(x) \to \dots \to f^n(x) \to f^{n+1}(x)$, one application of $f$ per arrow; one hardcore bit is taken from each of $x, f(x), \dots, f^n(x)$.)
Claim: $G$ is a PRG.
9
One-Way on Iterates:
[Levin]: If for all $k$ it is hard to invert $f^k$, i.e. given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$,
then $b(x), b(f(x)), \dots, b(f^m(x))$ is pseudorandom.
10
Applying BMY to any OWF
When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular). Example:
(Figure: repeated applications of $f$ converge onto a set of "easy inputs", on which $f$ is easy to invert.)
11
The Randomized Iterate [GKL],[HHR]:
Idea: use "randomization steps" between the iterations of $f$ to prevent the convergence of the outputs into easy instances.
$f^0(x,h) = f(x)$ and $f^i(x,h) = f(h_i(f^{i-1}(x,h)))$ for $i \geq 1$
(Figure: $x \xrightarrow{f} f^0(x,h) \xrightarrow{h_1} \cdot \xrightarrow{f} f^1(x,h) \xrightarrow{h_2} \cdot \xrightarrow{f} f^2(x,h) \xrightarrow{h_3} \cdots$)
$G(x,h) = b(f^0(x,h)), \dots, b(f^n(x,h)), h_1, \dots, h_n$
$h = (h_1, \dots, h_n)$ are random pairwise independent hash functions.
$H$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if for all $x_1 \neq x_2$ and a random $h \in H$, $(h(x_1), h(x_2))$ is uniform over $\{0,1\}^{2n}$.
Use $H$ where the description of $h$ is of length $O(n)$.
12
Lemma [HHR] (the last randomized iteration is hard to invert): Let $f$ be a regular OWF and $H$ a family of pairwise independent hash functions. Then no PPT can invert $f^k(x,h)$, even given $h_1, \dots, h_k$.
Corollary: Let $f$ be a regular OWF and $H$ a family of pairwise independent hash functions. Then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \dots, b(f^n(x,h)), h$ is a PRG.
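To make the construction of the last two slides concrete, here is an added toy implementation (not code from the talk or the paper) of the randomized iterate $G(x,h)$, together with the seed/output bookkeeping. Assumptions of the example: the one-way function is replaced by a stand-in `toy_f` (SHA-256 truncated to $n$ bits, which is not one-way in any asymptotic sense and only lets the construction run); the pairwise independent family $H$ is the affine family $h_{a,b}(y) = a \cdot y \oplus b$ over $\mathrm{GF}(2^n)$, whose description $(a,b)$ has the $O(n)$ length the slide asks for; the hardcore predicate is the Goldreich-Levin inner product with a random $r$ that is part of the seed and copied to the output; and the field size is limited to $n \in \{4, 8\}$, whose irreducible polynomials are fixed in the code. `is_pairwise_independent` checks the slide's definition exhaustively for one pair $x_1 \neq x_2$.

```python
import hashlib
import secrets

# Irreducible polynomials over GF(2) for the toy field sizes used below
# (x^4 + x + 1 and the AES polynomial x^8 + x^4 + x^3 + x + 1). Assumption:
# only n = 4 and n = 8 are exercised in this example.
IRREDUCIBLE = {4: 0b1_0011, 8: 0b1_0001_1011}


def gf_mul(a: int, b: int, n: int) -> int:
    """Carry-less multiplication in GF(2^n), reduced by IRREDUCIBLE[n]."""
    mod = IRREDUCIBLE[n]
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a >> n:              # degree reached n: subtract the modulus
            a ^= mod
    return res


def hash_apply(h: tuple, y: int, n: int) -> int:
    """h = (a, b) describes h_{a,b}(y) = a*y + b in GF(2^n): 2n bits = O(n)."""
    a, b = h
    return gf_mul(a, y, n) ^ b


def is_pairwise_independent(n: int, x1: int, x2: int) -> bool:
    """Exhaustive check of the slide's definition for one pair x1 != x2: over
    all 2^(2n) descriptions (a, b), the pair (h(x1), h(x2)) must take every
    value in {0,1}^(2n) exactly once, i.e. be uniform over {0,1}^(2n)."""
    if x1 == x2:
        raise ValueError("pairwise independence is defined for distinct inputs")
    pairs = {(hash_apply((a, b), x1, n), hash_apply((a, b), x2, n))
             for a in range(1 << n) for b in range(1 << n)}
    return len(pairs) == 1 << (2 * n)


def toy_f(x: int, n: int) -> int:
    """Stand-in for the OWF f:{0,1}^n -> {0,1}^n (SHA-256 truncated to n bits).
    Not one-way in any asymptotic sense; it only exercises the construction."""
    digest = hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << n) - 1)


def randomized_iterates(x: int, hs: list, n: int, f=toy_f) -> list:
    """[f^0(x,h), ..., f^k(x,h)] with f^0(x,h) = f(x) and
    f^i(x,h) = f(h_i(f^(i-1)(x,h))): a hash step between consecutive f's."""
    its = [f(x, n)]
    for h in hs:
        its.append(f(hash_apply(h, its[-1], n), n))
    return its


def inner_product_bit(r: int, y: int) -> int:
    """Goldreich-Levin hardcore predicate b_r(y) = <r, y> mod 2."""
    return bin(r & y).count("1") & 1


def to_bits(v: int, n: int) -> list:
    return [(v >> i) & 1 for i in range(n)]


def randomized_iterate_prg(x: int, r: int, hs: list, n: int, f=toy_f) -> list:
    """G(x, r, h) = b_r(f^0(x,h)), ..., b_r(f^k(x,h)), r, h_1, ..., h_k as bits.
    The k+1 hardcore bits replace the n bits of x; with k = n the output is
    exactly one bit longer than the seed."""
    bits = [inner_product_bit(r, y) for y in randomized_iterates(x, hs, n, f)]
    bits += to_bits(r, n)
    for a, b in hs:
        bits += to_bits(a, n) + to_bits(b, n)
    return bits


def seed_len_bits(n: int, k: int) -> int:
    """Seed = x (n bits) + r (n bits) + k hash descriptions of 2n bits each."""
    return 2 * n + 2 * n * k


def random_seed(n: int, k: int) -> tuple:
    x, r = secrets.randbelow(1 << n), secrets.randbelow(1 << n)
    hs = [(secrets.randbelow(1 << n), secrets.randbelow(1 << n)) for _ in range(k)]
    return x, r, hs


if __name__ == "__main__":
    n = 8
    x, r, hs = random_seed(n, k=n)
    out = randomized_iterate_prg(x, r, hs, n)
    print(f"seed {seed_len_bits(n, n)} bits -> output {len(out)} bits")
    print("H pairwise independent on (3, 12), n=4:", is_pairwise_independent(4, 3, 12))
```

The affine family is pairwise independent because for $x_1 \neq x_2$ the map $(a,b) \mapsto (a x_1 + b,\ a x_2 + b)$ is a bijection of $\mathrm{GF}(2^n)^2$: the difference of the two outputs is $a(x_1 + x_2)$ with $x_1 + x_2 \neq 0$, which fixes $a$, and then $b$. The stretch of the generator is only the one bit the corollary promises; a practitioner would get more stretch by iterating further or by outputting more bits per iterate, which is exactly what the exponential-hardness slides later buy.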
13
Randomized Iterate of general OWF
Can we apply the construction to any OWF? No: security deteriorates with every iteration.
Lemma: It is hard to invert $f^k$ (given $h$) over a set of density at least $1/k$.
In the sequence $(x,h) \to f^0(x,h), f^1(x,h), \dots, f^k(x,h)$, $f^k$ is hard to invert whenever the last iteration is at least as heavy (has at least as large a preimage under $f$) as all the iterations in the sequence. By symmetry this happens with probability $\geq 1/k$.
Note: for regular functions this is always true.
14
(Figure: $m$ independent chains $f^k(x_i,h_i) \to f^{k+1}(x_i,h_i)$, $i = 1, \dots, m$, each yielding one bit $b_i$; the bits are fed into an extractor Ext.)
With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,h)$ and $h$.
Idea: repeat $m$ independent times.
Pseudoentropy source: at least $m/k$ of the bits $b_1, \dots, b_m$ are pseudorandom given $f^{k+1}$ and $h$.
Use a randomness extractor to get $O(m/k)$ pseudorandom bits: Ext outputs $m/2k$ bits.
15
Randomness Extractors [NZ93]: extract randomness from distributions which contain sufficient (min-)entropy.
• Use a short seed of truly random bits.
• Output is (close to) uniform even when the seed is known.
(Figure: a high-entropy distribution plus an extractor seed gives random output; a high-pseudoentropy distribution plus an extractor seed gives pseudorandom output.)
Uniform extraction lemma: an analogous result for pseudoentropy; it appears implicitly in [HILL].
A new proof of the uniform extraction lemma is given in [Holens06] & [HHR05], based on the uniform hardcore set proof of Holenstein (FOCS 2005).
16
We can extract $m/2k$ pseudorandom bits at iteration $k$.
Total pseudorandom bits: $\sum_{k \leq t} m/2k \approx (m/2) \log t$
For the generator to stretch, this should be more than the $mn$ bits of $x_1, \dots, x_m$, i.e. $\log t > 2n$.
$t > 2^{2n}$ is too large!!!
(Figure: $m$ chains $(x_1,h_1), \dots, (x_m,h_m)$ run for $t$ iterations; the bits extracted per iteration are $m/4, m/6, m/8, m/10, m/12, \dots$)
17
Exponential hardness
Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $\Omega(Cn)$ hard-core bits.
We can take out more pseudorandom bits at every iteration!
18
We extract $C'mn/k$ pseudorandom bits at the $k$th iteration.
Total number of pseudorandom bits: $\sum_{k \leq t} C'mn/k \approx C'mn \log t$
Take $t$ to be a constant such that $\sum_{k \leq t} 1/k > 1/C'$ (equivalently $C' \sum_{k \leq t} 1/k > 1$), so that the total exceeds the $mn$ bits of $x_1, \dots, x_m$.
Total seed length is $O(tmn)$ bits (dominated by the description size of the $tm$ hash functions). Taking $m = n$, the seed length becomes $O(n^2)$.
(Figure: $m$ chains $(x_1,h_1), \dots, (x_m,h_m)$ run for $t$ iterations; the bits extracted per iteration are $mn/4, mn/6, mn/8, mn/10, mn/12, \dots$)
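The bit budget of the last two slides (standard hardness versus exponential hardness) is the quantitative heart of the result; here it is worked through as an added example, not from the paper, with illustrative constants. `min_rounds_with_harmonic_above` finds the smallest $t$ with $\sum_{k \leq t} 1/k$ above a threshold: for the standard-hardness count the threshold is $2n$, so $t$ is exponential in $n$ and the search is only feasible for tiny $n$; for the exponentially hard count it is $1/C'$, independent of $m$ and $n$. The choice $C' = 1/2$ and the assumption that each hash description costs $2n$ bits are the example's own.

```python
from typing import Optional


def harmonic(t: int) -> float:
    """H_t = sum_{k=1..t} 1/k (the slides approximate this by log t)."""
    return sum(1.0 / k for k in range(1, t + 1))


def bits_extracted_standard(m: int, t: int) -> float:
    """Standard hardness: m/2k pseudorandom bits at iteration k, k = 1..t,
    i.e. (m/2) * H_t ~ (m/2) log t."""
    return m * harmonic(t) / 2


def bits_extracted_exphard(m: int, n: int, c: float, t: int) -> float:
    """Exponential hardness: C'mn/k pseudorandom bits at iteration k,
    k = 1..t, i.e. C'mn * H_t ~ C'mn log t."""
    return c * m * n * harmonic(t)


def min_rounds_with_harmonic_above(threshold: float) -> int:
    """Smallest t with H_t > threshold, found by accumulating the sum."""
    t, h = 0, 0.0
    while h <= threshold:
        t += 1
        h += 1.0 / t
    return t


def min_rounds_standard(n: int) -> int:
    """Need (m/2) H_t > mn, i.e. H_t > 2n. Since H_t ~ ln t this forces t
    exponential in n (the slide: t > 2^{2n}); only run this for tiny n."""
    return min_rounds_with_harmonic_above(2 * n)


def min_rounds_exphard(c: float) -> int:
    """Need C'mn H_t > mn, i.e. H_t > 1/C'. No dependence on m or n, so t is
    a constant once C' is fixed."""
    return min_rounds_with_harmonic_above(1.0 / c)


def total_seed_bits(m: int, n: int, t: int, hash_desc_bits: Optional[int] = None) -> int:
    """m inputs of n bits plus t*m hash descriptions (assumed 2n bits each):
    O(tmn), which is O(n^2) for m = n and constant t."""
    if hash_desc_bits is None:
        hash_desc_bits = 2 * n
    return m * n + t * m * hash_desc_bits


def stretches(m: int, n: int, c: float, t: int) -> bool:
    """Does the exponentially hard construction output more pseudorandom bits
    than the mn bits of x_1..x_m it consumes?"""
    return bits_extracted_exphard(m, n, c, t) > m * n


if __name__ == "__main__":
    n = m = 100
    c = 0.5                                   # illustrative C'
    t = min_rounds_exphard(c)                 # constant number of iterations
    print(f"C'={c}: t={t}, extracted {bits_extracted_exphard(m, n, c, t):.0f} > mn={m * n}")
    print(f"seed {total_seed_bits(m, n, t)} bits = O(n^2) for m = n")
    print(f"standard hardness, n=3: need t={min_rounds_standard(3)} > 2^(2n)={2 ** 6}")
```

With $C' = 1/2$ four iterations already suffice, because $H_4 = 25/12 > 2$; with $C' = 1/4$ it takes $t = 31$, still a constant. Under standard hardness the same threshold search needs $H_t > 2n$, which for $n = 3$ already requires more than $2^6$ iterations and for $n = 100$ an astronomically large $t$, which is why that route cannot give a polynomial-size seed.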
19
Questions and Further Issues
Holenstein achieves seed length $O(n^4 \log^2 n)$ if the resulting PRG need only have standard (super-polynomial) hardness. Accordingly, we get $O(n \log^2 n)$ in such a case.
Can such methods work for general OWFs? They could work if the deterioration in security in each iteration were somehow limited.
Other applications of exponentially hard OWFs? See the recent results of [GI06], [HR06].