GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&

One Way Functions One Way Functions (OWF): f:{0,1} n  {0,1} n  Easy to compute hard to invert (even on average).  The most basic, unstructured form of cryptographic hardness [IL89 …]

Pseudorandom Generators Eff. computable function G:{0,1} s  {0,1} m  Stretching ( m > s )  Output is computationally indistinguishable from uniform. Central in cryptography, implies pseudorandom functions [GGM86], pseudorandom permutations [LR88], bit-commitments [Naor91], … x G(x)

Håstad, Imagliazzo, Levin and Luby 89 Theorem Existence of OWFs Existence of PRGs  Hardness vs. Randomness in purest cryptographic form  Centerpiece in basing Cryptography on OWFs  Introduced key concepts and techniques (Pseudoentropy, Leftover Hash Lemma, …). inefficient and quite complex

Efficiency For this talk efficiency (and security) of construction is measured by PRG’s seed length s (as function of n )  [HILL89] O(n 10 ), [HILL89,Holens06] O(n 8 ), [HHR06a] O(n 7 ), Here O(n 4 )  From exponentially hard OWFs: [Holens06] O(n 5 ), [HHR06b] O(n 2 ), Here reprove O(n 2 )

Simplicity With years, [HILL] became simpler  But mainly because we got used to it (tools and techniques became “standard”).  [HILL99,Holens06] additional abstractions and more modularity (+ Holenstein's Uniform Hard-Core Lemma)  Here simpler.  Construction non-adaptive thus derive “OWFs in NC 1  PRGs in NC 0 ” (via [AIK06])

False Entropy Generator  Loosely, the most basic object in HILL is: G fe (x,g,i)=f(x),g,g(x) 1..i (think of g as matrix multiplication). Lemma Let k=log|f -1 (f(x))|, then when i=k+log n then g,g(x) 1..i is pseudorandom (even conditioned on f(x)).  Intuition: first k-clog n bits are statistically close to uniform (Leftover Hash Lemma) and next (c+1)log n bits are pseudorandom (GL Hard-Core Function).

False Entropy Generator (II) G fe (x,g,i)=f(x),g,g(x) 1..i Lemma: For the variable G fe (x,g,i) (with random inputs)  = pseudoentropy – real entropy > (log n)/n Reason: w.p 1/n over choice of i (when i=k+log n) the output G fe (x,g,i) is indistinguishable from distribution with entropy |x|+|g|+log n (whereas real entropy  |x|+|g|)  Disadvantages:  rather small, value of real entropy unknown, pseudoentropy < entropy of input

Our Building Block  Simply do not truncate: G nb (x,g)=f(x),g,g(x)  Nonsense: G nb (x,g) is invertible and therefore has no pseudoentropy!  Well yes but: G nb (x,g) does have psudoentropy from the point of view of an online distinguisher (getting one bit at a time).

Next-Bit Pseudoentropy  X has pseudoentropy  k if  Y with H(Y)  k such that X and Y are indistinguishable  X=X 1 …X n has next-bit pseudoentropy  k if  Y with   i H(Y i |X 1 …X i )  k such that  X_i and Y_i are indistinguishable conditioned on X 1 …X i-1  Remarks:  X and Y are jointly distributed  The two notions are identical for k=n [BM, Yao]  Generalizes to blocks (rather than bits)

Our Next-Block Pseudoentropy Generator  G nb (x,g)=f(x),g,g(x)  Next-block pseudoentropy > |x|+|g|+logn  X=G(x,g) and Y obtained from X by replacing first k+logn bits of g(x) with uniform  Advantages:   = next-block pseudoentropy –real entropy> logn  Entropy bounds known (on total entropy)  “No bit left behind”  Relates to work on inaccessible entropy [HRVW09]

HILL Revisited - Overview G nb x,g … … … n 2 repetitions: amplifies entropy gap and turns next-block pseudo Shannon entropy to next-block pseudo min entropy Extract next-block pseudoentropy

Uniform Construction and Uniform Security  Seed length so far O(n 3 ), but construction non uniform (need to know how much to extract from each block).  Using an idea from [HRVW09] get uniform construction with seed length O(n 4 ).  To carry out the hybrid (for the n 2 repetitions), need X and Y to be next-block indistinguishable even given an oracle that samples X and Y.  Just as in HILL, most elegant solution is via Holenstein's Uniform Hardcore Lemma [Holens06].

Final Comment  Assume f is OW-Permutation. Given f(x) hard to find x.  Intuitively, given f(x) we have that x has some computational entropy in it, (thus we can extract this entropy).  Nevertheless, given f(x), we have that x does not have any pseudoentropy in it.  However, G’ nb (x)=f(x),x is a next-block pseudoentropy generator  Does it also hold for OWFs?

Widescreen Test Pattern (16:9) Aspect Ratio Test (Should appear circular) 16x9 4x3