Pseudorandom Generators from Regular One-way

Functions: New Constructions with Improved Parameters

Yu Yu

Joint work with Xiangxue Li and Jian Weng

Asiacrypt 2013

One-way Functions

One-way functions are an ensemble of functions

that are

Simplifying notation :

Definition: f is a -one-way function (OWF) if for all

adversaries A of running time t,

Standard OWF:

Folklore: OWFs can be assumed to be length-preserving, i.e., l(n)=n.

( , )t 1

( )Pr [ ( ) ( )]

ny f UA y f y

( ){ :{0,1} {0,1} }n l n

n n Nf

( ):{0,1} {0,1}n l nf

super-poly , neglt

Regular Functions

f is a regular function if for any n the preimage size

α= is fixed (independent of y).

Known-regular function: a regular function f whose regularity α is

polynomial-time computable from security parameter n.

Unknown-regular function: a regular function f whose regularity α is

inefficient to approximate from security parameter n.

Note: one-way permutation is a special known-regular function.

1| ( ) |f y

Pseudorandom Generators

is a -pseudorandom generator (PRG)

with stretch s if for all distinguishers D of running time t, :{0,1} {0,1} ( , )n n sg t

| Pr[ ( ( )) 1] Pr[ ( ) 1] |n n sD g U D U n

n super-poly , negl, U is uniform distribution over {0,1}t

Distinguisher D

Entropies, computational and statistical distance

Leftover Hash Lemma

Informally: universal hash functions are good randomness extractors

Unpredictability Pseudoentropy (UP)

Goldreich-Levin Theorem

A Key Oberservation about Unpredictability Pseudoentropy

Unpredictability Pseudoentropy (UP) : X has m bits of UP

given f(X) for t-time adversaries if every A of running time t

wins the following game with probability no greater than 2-m

Question: what’s the UP of X given f(X) if f is a - regular

OWF with ?

Observation: X given f(X) has bits of UP.

Rationale:

Challenger C Adversary A

; : ( )x X y f x y

' ( )x A y'x wins iff 'A x x

( , )t 1| ( ) | 2kf y

log(1/ )k

1Pr[ ( ( )) ( ( ))]A f X f f X Pr[ ( ( )) ] 2 kA f X X

The FIRST CONSTRUCTION

(from known-regular OWF)

g (X, h1, h2, hc) =(h1(f(X1)), h2(X1), hc(X1), h1, h2, hc)

A complicated proof by Goldreich in Section 3.5.2 of

PRGs from Known-Regular OWFs by

three extractions (a three-line proof)

Assumption: f is -one-way and 2k-regular, i.e.

Construction and Proof.

1. extract ( ) bits using h1

2. extract k bits using h2

3. chain rule:

extract bits using hard-core function hc

This completes the proof for the folklore construction, i.e.

g (X, h1, h2, hc) =(h1(f(X1)), h2(X1), hc(X1), h1, h2, hc) is a PRG.

Parameters: seed length linear in n, and a single call to f .

( , )t 1| ( ) | 2kf y

H ( ( ))f X n k n k

H ( | ( ))X f X k

upH ( | ( )) log(1/ )t X f X k up 2H ( | ( ), ( )) log(1/ )t X f X h X

(log(1/ ))O

Tightening the security bounds

g (x, h1, h2, hc) =(h1(f(x)), h2(x), hc(x), h1, h2, hc)

The proof for 3rd extraction: consider f ‘(x,h2)=(f(x), h2(x), h2)

A tighter approach (use the tight version of Goldreich-Levin)?

1.

2.

2 2

1/3

2

is -hard to predict given '( , ) , i.e. H ( | '( , )) log(1/ )

by Goldreich-Levin Thm, ( ) is 2 ( ) -close to U given '( , )

t

up

m

c m

x f x h X f X H

h x n f x h

2if ' is an '-hard OWF, then ( ) is (2 ') -close to U given '( , )m

c mf h x f x h 1/5Goldreich show ' ( ) in [Gol01,vol-1]O

We show ' 3 against -time adversariest

2 2 2the idea: show ' is almost 1-to-1, i.e. H ( '( , ) | ) 1f f X H H n

The Second Construction

(NEW, improving the Randomized Iterate)

The Randomized Iterate

Goldreich, Krawczyk and Luby (SICOMP 93) :

PRGs from known regular OWFs with seed length O(n3)

Haitner, Harnik and Reingold (CRYPTO 2006):

PRGs from unknown regular OWFs with seed length O(n ·log n)

f

x1 ( )y f x

h1

1 1 1( )x h yf

2 1( )y f xh2

2 2 2( )x h yf

output ( )ch x 1( )ch x

3 2( )y f x

2( )ch x

h1, h2, … are random pairwise independent hash, hc is hard-core function

Lower bounds by Holenstein and Sinha

(FOCS12)

Asymptotic setting: Any black-box construction of PRG

must make calls to an arbitrary (including

unknown regular) OWF.

Concrete setting : Any black-box construction of PRG must

make calls to an arbitrary (including unknown

regular) -secure OWF.

( / log )n n

( / log(1/ ))n 1( , )

PRGs from unknown-regular OWFs:

a new construction Assumption: f is -one-way and 2k-regular ( k is unknown).

The goal: a PRG construction oblivious of k.

The idea: transform f into a known-regular OWF

1. is also a -one-way function

2. is a 2n-regular function, i.e.

( , )t

define : {0,1}

( , ) ( )

where : "bitwise XOR", ( ), '

n

n n

f

f y r f y r

y f U r U

Y Y

:{0,1} , where {0,1}n nf Y Y

f

f

f

( , )t 1

| ( , ) | 2 regardless of nf y r k

PRGs from unknown-regular OWFs:

a new construction (cont’d) Given a one-way function with known pre-image size 2n

Similarly, has bits of UP given .

We get a special PRG

Done?

No, n bits needed to sample from (i.e. )

stretch :

To make it positive: iterate

In summary: a PRG from unknown regular OWF with linear seed

length (hybrid argument) and OWF calls.

Tight (Holenstein and Sinha, FOCS 2012): BB construction of PRG

requires OWF calls, and calls in general.

: {0,1}nf Y Y( , )f Y R( , )Y R log(1/ )n

(log(1/ )): {0,1} {0,1}n ng Y Y

Y ( )nf U

(log(1/ ))n

g

(log(1/ )) (log(1/ ))

( / log(1/ ))n

( / log(1/ ))n ( / log )n n

Summary PRG from any known-regular :

seed length and to the underlying OWF

PRG from any unknown-regular :

seed length and OWF calls

Question: remove the dependency on ?

Yes, by paying a factor in seed length and number of calls.

Why? Due to the entropy loss of the Leftover Hash Lemma.

Given (without knowing )

Run q= copies of f , extracting 2logn hardcore bits per copy,

followed by a single extraction with entropy loss set to q · logn .

( / log(1/ ))n

(1)

-hard OWF

-hard OWF

( )n

( )n

( )O n

( )O n

OWF

OWF

a single call(1) callsO

( / log ) callsO n n

11-to-1 OWF :{0,1} {0,1}n nf

(1)

More details

Full version at eprint http://eprint.iacr.org/2013/270

Thank you!