1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions
Iftach Haitner, Danny Harnik, Omer Reingold
2 Pseudorandom Generators (PRG) [BM82, Yao82]
An efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$ that increases length ($n' > n$) and whose output is computationally indistinguishable from random: $G(U_n) \approx_c U_{n'}$.
Central in cryptography: implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and more.
3 Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if
1. Efficiently computable
2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$
If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: $|f^{-1}(f(x))|$ is the same for every $x \in \{0,1\}^n$.
PRG based on general hardness assumptions (seed length in terms of the OWF input length $n$):
One-way permutations [BM82, Yao82]: $O(n)$
Regular one-way functions [GKL88]: $O(n^3)$
Any one-way function [HILL89]: $O(n^8)$
Input blowup: the input length of the resulting PRG grows compared to the underlying OWF. This blowup is central to the security of the construction. Throughout, $n$ denotes the input length of the OWF.
4 Example: we trust a OWF to be secure only for 100-bit inputs. [BMY] is insecure for seed < 100 bits. [HILL] is insecure for seed < bits!
Goal: reduce the input length blowup.
[Holenstein 06]: from a one-way function with exponential hardness ($2^{-Cn}$ for some $C > 0$), seed length $O(n^5)$.
Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if:
1. Efficiently computable
2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] < 2^{-Cn}$ for some constant $C > 0$
5 Our Results
Paper              Restriction               Seed length
[BM82], [Y82]      One-way permutations      $n + o(n)$
[GKL88]            Regular OWF               $O(n^3)$
[HHR05]            Regular OWF               $O(n \log n)$
[HILL89]           Any OWF                   $O(n^8)$
[HHR05]            Any OWF                   $O(n^7)$
[Holens06]         Exponentially hard OWF    $O(n^5)$
This work          Exponentially hard OWF    $O(n^2)$
6 PRG from exponentially hard OWF
[Holenstein 06] is a generalization of [HILL] that takes the hardness $2^{-\Phi n}$ into account. The seed length is a function of $\Phi$, with optimal results when $\Phi$ is a constant $C$. Works only for $\Phi > \Omega(1/\log n)$.
Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs.
7 Plan of the talk:
1. Motivation: the BMY generator.
2. The Randomized Iterate: a PRG from regular OWFs.
3. The randomized iterate of a general OWF.
4. The construction for exponentially hard OWFs.
8 The BMY PRG
Let $f:\{0,1\}^n \to \{0,1\}^n$ be an OWP and $b$ a hardcore predicate of $f$: given $f(x)$ it is hard to predict $b(x)$.
Iterate $f$ on the seed: $x \to f(x) \to f^2(x) \to \cdots \to f^n(x) \to f^{n+1}(x)$, and output one hardcore bit per iterate:
$G(x) = b(x),\, b(f^1(x)),\, b(f^2(x)),\, \ldots,\, b(f^n(x))$
Claim: $G$ is a PRG.
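A toy instance of the BMY construction, added here as an example (it is not code from the talk or its authors): the permutation is the discrete-exponentiation map $x \mapsto g^x \bmod p$ on $\mathbb{Z}_p^*$, which is the classical one-way permutation candidate, and the hardcore predicate is the Blum-Micali bit ($x$ in the lower half of $\mathbb{Z}_p^*$). The prime $p = 1019$, the generator $g = 2$, the function names and the seed values are all constructed for illustration and far too small to be secure; the point is the structure of $G(x) = b(x), b(f(x)), \ldots$ and the exhaustive check that $f$ really is a permutation, which is what keeps every iterate $f^k$ one-way.

```python
# Added example (not from the talk): a toy BMY / Blum-Micali generator.
# f(x) = g^x mod p is a permutation of Z_p^* = {1, ..., p-1} when g generates Z_p^*,
# and b(x) = [x <= (p-1)/2] is the Blum-Micali hardcore predicate for it.
# All parameters are toy-sized and constructed for illustration; nothing here is secure.

P = 1019                      # toy prime; p - 1 = 2 * 509
P_MINUS_1_FACTORS = (2, 509)  # prime factors of p - 1, needed to verify the generator
G = 2                         # generator of Z_P^*, verified by is_generator() below


def is_generator(g, p, prime_factors_of_p_minus_1):
    """g generates Z_p^* iff g^((p-1)/q) != 1 (mod p) for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors_of_p_minus_1)


def f(x):
    """The one-way permutation candidate x -> g^x mod p on {1, ..., p-1}."""
    return pow(G, x, P)


def hardcore_bit(x):
    """Blum-Micali predicate: 1 iff x lies in the lower half of {1, ..., p-1}."""
    return 1 if x <= (P - 1) // 2 else 0


def is_permutation(fn, domain):
    """Exhaustive check that fn is a bijection on the (small) domain."""
    return sorted(fn(x) for x in domain) == sorted(domain)


def bmy_generator(seed, n_out):
    """G(x) = b(x), b(f(x)), b(f^2(x)), ..., b(f^(n_out-1)(x)).

    Each output bit is the hardcore bit of the current state, after which the
    state is pushed through f once more.  Because f is a permutation, f^k is as
    hard to invert as f for every k, which is what the BMY argument (and Levin's
    one-way-on-iterates condition) needs."""
    if not 1 <= seed < P:
        raise ValueError("seed must be an element of Z_P^*")
    bits = []
    x = seed
    for _ in range(n_out):
        bits.append(hardcore_bit(x))
        x = f(x)
    return bits


if __name__ == "__main__":
    assert is_generator(G, P, P_MINUS_1_FACTORS)
    assert is_permutation(f, range(1, P))
    print(bmy_generator(5, 16))
```

With a real instance the seed would be a full-size element of $\mathbb{Z}_p^*$ and the output would be one bit per iteration over a 2048-bit modular exponentiation; the toy keeps the same shape so that `is_permutation` can still verify the OWP property by enumeration.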
9 One-Way on Iterates [Levin]: if for all $k$ it is hard to invert $f^k$ (given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$), then $b(x), b(f(x)), \ldots, b(f^m(x))$ is pseudorandom.
10 Applying BMY to any OWF
When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular). Example (figure): repeated application of $f$ drives the outputs into a small set of easy inputs.
11 The Randomized Iterate [GKL], [HHR]
Idea: use "randomization steps" between the iterations of $f$ to prevent the convergence of the outputs into easy instances.
$x \to f \to f^0(x,\mathbf{h}) \to h_1 \to f \to f^1(x,\mathbf{h}) \to h_2 \to f \to f^2(x,\mathbf{h}) \to h_3 \to f \to \cdots$
where $\mathbf{h} = (h_1, \ldots, h_n)$ are random pairwise independent hash functions.
$\mathcal{H}$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if for all $x_1 \neq x_2$ and a random $h \in \mathcal{H}$, $(h(x_1), h(x_2))$ is uniform over $\{0,1\}^{2n}$. Use $\mathcal{H}$ where the description of $h$ is of length $O(n)$.
The Randomized Iterate generator: $G(x,\mathbf{h}) = b(f^0(x,\mathbf{h})), \ldots, b(f^n(x,\mathbf{h})), h_1, \ldots, h_n$
12 Lemma [HHR] (last randomized iteration is hard to invert): let $f$ be a regular OWF and $\mathcal{H}$ a family of pairwise independent hash functions; then no PPT can invert $f^k$ given $h_1, \ldots, h_k$.
Corollary: let $f$ be a regular OWF and $\mathcal{H}$ a family of pairwise independent hash functions; then $G(x,\mathbf{h}) = b(f^0(x,\mathbf{h})), b(f^1(x,\mathbf{h})), \ldots, b(f^n(x,\mathbf{h})), \mathbf{h}$ is a PRG.
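The following example is added here to make the objects of slides 3, 11 and 12 concrete; it is not code from the talk or from [HHR]. It uses the affine family $h_{a,b}(x) = ax + b$ over a prime field $\mathbb{Z}_Q$, the standard pairwise independent family, and checks the slide-11 definition exhaustively for a toy $Q$; it also checks the slide-3 regularity condition by counting preimages, and builds the sequence $f^0(x,\mathbf{h}), \ldots, f^k(x,\mathbf{h})$ of the randomized iterate. Everything assumed beyond the slides is constructed: $Q = 11$, the stand-in functions (which are not one-way), the "hardcore" parity bit, and the reading $f^0(x,\mathbf{h}) = f(x)$ taken from the chain drawn on slide 11.

```python
# Added example (not from the talk): the building blocks of the randomized iterate
# at toy scale.  The family h_{a,b}(x) = a*x + b over the prime field Z_Q is the
# classic pairwise independent family; Q, the stand-in functions and the keys are
# constructed for illustration and none of them is one-way.
from collections import Counter
from itertools import product

Q = 11  # toy field size; a real instance hashes n-bit strings with O(n)-bit descriptions


def hash_fn(a, b, q=Q):
    """h_{a,b}(x) = a*x + b mod q; the key (a, b) is the short description of h."""
    return lambda x: (a * x + b) % q


def is_pairwise_independent(q):
    """Exhaustive check of the slide-11 definition for the affine family over Z_q:
    for every x1 != x2, as (a, b) ranges over all q*q keys, the pair
    (h(x1), h(x2)) must take each of the q*q possible values exactly once."""
    for x1, x2 in product(range(q), repeat=2):
        if x1 == x2:
            continue
        counts = Counter(
            ((a * x1 + b) % q, (a * x2 + b) % q) for a in range(q) for b in range(q)
        )
        if len(counts) != q * q or any(c != 1 for c in counts.values()):
            return False  # fails for composite q, where Z_q is not a field
    return True


def preimage_size_profile(fn, domain):
    """Sorted set of the values |fn^{-1}(fn(x))| over the domain."""
    return sorted(set(Counter(fn(x) for x in domain).values()))


def is_regular(fn, domain):
    """Slide 3: f is regular iff every image has the same number of preimages."""
    return len(preimage_size_profile(fn, domain)) == 1


def randomized_iterate(fn, x, hashes):
    """[f^0(x,h), ..., f^k(x,h)] with f^0(x,h) = f(x) and f^i(x,h) = f(h_i(f^{i-1}(x,h)))."""
    seq = [fn(x)]
    for h in hashes:
        seq.append(fn(h(seq[-1])))
    return seq


def randomized_iterate_prg(fn, x, keys, hardcore):
    """G(x, h) = b(f^0(x,h)), ..., b(f^k(x,h)), h_1, ..., h_k  (slide 11).
    The hash keys are published with the output: the slide-12 lemma only needs
    the last iterate to remain hard to invert *given* h_1, ..., h_k."""
    hashes = [hash_fn(a, b) for a, b in keys]
    bits = [hardcore(y) for y in randomized_iterate(fn, x, hashes)]
    return bits, list(keys)


# Constructed stand-ins for f; neither is one-way, they only have the right shape.
def toy_square(x):
    return (x * x) % Q      # 0 has one preimage, every quadratic residue has two


def toy_perm(x):
    return (3 * x) % Q      # a permutation, hence regular


def parity(x):
    return x & 1            # stands in for a hardcore predicate (it is not one)


if __name__ == "__main__":
    print("affine family over Z_11 pairwise independent:", is_pairwise_independent(11))
    print("affine family over Z_9  pairwise independent:", is_pairwise_independent(9))
    print("x*x mod 11 regular:", is_regular(toy_square, range(Q)),
          "preimage sizes", preimage_size_profile(toy_square, range(Q)))
    print(randomized_iterate_prg(toy_square, 2, [(1, 0), (2, 1)], parity))
```

The composite-modulus check is the instructive failure: over $\mathbb{Z}_9$ the difference $h(x_2) - h(x_1) = a(x_2 - x_1)$ can only take three values when $x_2 - x_1 = 3$, so the pair is far from uniform, which is why the family must live over a field (or over $GF(2^n)$ for bit strings).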
13 Randomized Iterate of a general OWF
Can we apply the construction to any OWF? No: security deteriorates with every iteration.
$(x,\mathbf{h}) \to f^0(x,\mathbf{h}), f^1(x,\mathbf{h}), \ldots, f^k(x,\mathbf{h})$
Lemma: it is hard to invert $f^k$ (given $\mathbf{h}$) over a set of density at least $1/k$.
$f^k$ is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence. By symmetry this happens with probability $\geq 1/k$. Note: for regular functions it is always true.
14 With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,\mathbf{h})$ and $\mathbf{h}$.
Idea: repeat $m$ independent times, $(x_1,\mathbf{h}_1), \ldots, (x_m,\mathbf{h}_m)$, each giving $f^k(x_i,\mathbf{h}_i) \to f^{k+1}(x_i,\mathbf{h}_i)$ and a bit $b_i$.
Pseudoentropy source: at least $m/k$ of the bits $b_1, \ldots, b_m$ are pseudorandom given $f^{k+1}$ and $\mathbf{h}$.
Use a randomness extractor (Ext) to get $O(m/k)$ pseudorandom bits: $m/2k$ bits.
15 Randomness Extractors [NZ93]
Extract randomness from distributions which contain sufficient (min-)entropy, using a short seed of truly random bits. The output is (close to) uniform even when the seed is known.
(Figure: high entropy distribution + seed $\to$ extractor $\to$ random output; high pseudoentropy distribution + seed $\to$ extractor $\to$ pseudorandom output.)
Uniform extraction lemma: an analogous result for pseudoentropy appears implicitly in [HILL]. A new proof of the uniform extraction lemma is given in [Holens06] & [HHR05], based on the uniform hardcore set proof of Holenstein (FOCS 2005).
16 We can extract $m/2k$ pseudorandom bits at iteration $k$ (in the figure: $m/4, m/6, m/8, m/10, m/12, \ldots$ for the copies $(x_1,\mathbf{h}_1), \ldots, (x_m,\mathbf{h}_m)$ over $t$ iterations).
Total pseudorandom bits: $\sum_k m/(2k) \approx (m/2) \log t$
For the generator to stretch, this should be more than the $mn$ bits of $x_1, \ldots, x_m$.
$t > 2^n$ is too large!!!
17 Exponential hardness
Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $O(Cn)$ hard-core bits.
We can take out more pseudorandom bits at every iteration!
18 We extract $C'mn/k$ pseudorandom bits at the $k$-th iteration (in the figure: $mn/4, mn/6, mn/8, mn/10, mn/12, \ldots$ for the copies $(x_1,\mathbf{h}_1), \ldots, (x_m,\mathbf{h}_m)$ over $t$ iterations).
Total number of pseudorandom bits: $\sum_k C'nm/k \approx C'mn \log t$
Take $t$ to be a constant such that $\sum_k (1/k) > C'$.
Total seed length is $O(tmn)$ bits (description size of the hash functions). Take $m = n$, and the seed length becomes $O(n^2)$.
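The accounting on slides 16 and 18, carried out numerically as an added example (not code from the talk): it sums the per-iteration pseudorandom bits under both analyses and searches for the first number of iterations $t$ at which the output exceeds the $mn$ seed bits spent on $x_1, \ldots, x_m$ (the hash descriptions are left out of the count, as on the slides). The harmonic sum $H_t = \sum_{k \le t} 1/k$ stands in for the slides' $\log t$; the loop bounds and sample values of $C'$, $m$ and $n$ are constructed, and the exact search for the general-OWF case is only feasible for tiny $n$ because $t$ is exponential in $n$ there.

```python
# Added example (not from the talk): the bit accounting behind slides 16 and 18.
# It sums the per-iteration pseudorandom bits each analysis yields and finds the
# first t at which the generator stretches, i.e. produces more than the m*n seed
# bits spent on x_1, ..., x_m (hash descriptions are not counted, as on the slides).


def harmonic(t):
    """H_t = sum_{k=1}^t 1/k, which grows like ln t."""
    return sum(1.0 / k for k in range(1, t + 1))


def bits_general_owf(m, t):
    """Slide 16: iteration k yields m/(2k) bits, so t iterations give (m/2) * H_t."""
    return sum(m / (2 * k) for k in range(1, t + 1))


def bits_exp_hard_owf(c, m, n, t):
    """Slide 18: with 2^{-Cn} hardness, iteration k yields C'mn/k bits ([GL89])."""
    return sum(c * m * n / k for k in range(1, t + 1))


def iterations_to_stretch_general(n, m=1):
    """Smallest t with (m/2) H_t > m n, i.e. H_t > 2n.  The answer does not depend
    on m and grows like e^{2n}: exact search is only feasible for tiny n."""
    t = 1
    while bits_general_owf(m, t) <= m * n:
        t += 1
    return t


def iterations_to_stretch_exp_hard(c, n=1, m=1):
    """Smallest t with C' m n H_t > m n.  Both m and n cancel, so t depends on
    C' alone: it is a constant, and the O(t m n) seed becomes O(n^2) for m = n."""
    t = 1
    while bits_exp_hard_owf(c, m, n, t) <= m * n:
        t += 1
    return t


if __name__ == "__main__":
    for n in (1, 2, 3):                       # constructed sample values
        print(f"general OWF, n={n}: t = {iterations_to_stretch_general(n)}")
    for c in (1.0, 0.5, 0.25):                # constructed sample values of C'
        print(f"exponentially hard OWF, C'={c}: t = {iterations_to_stretch_exp_hard(c)}")
```

Running it shows the two regimes side by side: for the general OWF the required $t$ already reaches the hundreds at $n = 3$ and keeps growing exponentially, while for an exponentially hard OWF the required $t$ is a small constant fixed by $C'$ and does not move when $m$ or $n$ change.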
19 Questions and Further Issues
Holenstein achieves seed length $O(n^4 \log^2 n)$ if the resulting PRG need only have standard (super-polynomial) hardness. Accordingly, we get $O(n \log^2 n)$ in such a case.
Can such methods work for general OWFs? They could work if the deterioration in security in each iteration were somehow limited.
Other applications of exponentially hard OWFs? Recent results of [GI06], [HR06].