1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.

Presentation transcript:

1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold

2 Pseudorandom generators. Hardness amplification. The Randomized Iterate [GKL88]

3 Pseudorandom Generators (PRG) [BM82, Yao82]
- Efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$.
- Increases length ($n' > n$).
- Output is computationally indistinguishable from random: $G(U_n) \approx_C U_{n'}$.
Central in cryptography: implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and …
[Diagram: $x \to G(x)$]

4 Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if it is:
1. Efficiently computable.
2. Hard to invert: hard to find an inverse $f^{-1}(f(x))$ for a random $f(x)$.
If f is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).
$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: for any $x \in \{0,1\}^n$ it holds that |f^{-1}(f(x))| =  n. If  n is efficiently computable then f is known regular.
PRG Based on General Hardness Assumptions (seed length; n denotes the input length of the OWF):
- One-way permutations [BM82, Yao82]: $O(n)$.
- Regular one-way functions [GKL88]: $O(n^3)$.
- Any one-way function [HILL89]: $O(n^8)$.
Input blowup: the input length of the resulting PRG grows compared to the underlying OWF. Central to the security of the construction.

5 Example: We trust a OWF to be secure only for 100-bit inputs.
- [BMY] is insecure for seed < 100 bits.
- [GKL] is insecure for seed < 1,000,000 bits.
- [HILL] is insecure for seed < bits!
Goal: Reduce input length blowup.
[Holens06] One-way function with exponential hardness ($2^{-Cn}$ for some $C > 0$): $O(n^5)$.

6 Our Results
Pseudorandom generators from:
- Regular one-way functions: $O(n \log n)$.
- Any one-way function: $O(n^7)$.
- One-way function with exponential hardness: $O(n^2)$.

7 Hardness amplification
Def:  -weak one-way functions - No PPT can invert with probability better than 1- .
Goal: Strong OWF from weak OWF.
- General one-way functions [Yao82]: O(n^2 /  ).
- One-way permutations [GILVZ90]: $O(n)$.
- Known regular one-way functions [GILVZ90]: between $O(n)$ and $O(n^2)$ (depends on the hardness of the function).
- Regular one-way functions [DI99]: $O(n)$ in the public randomness model.
Our Result: From weak (unknown) regular OWF: $O(n \log n)$.

8 The Plan of the Talk
Present our construction of PRG from regular one-way functions.
Give some highlights on the other two results:
- More efficient PRG for any one-way function.
- Efficient hardness amplification for regular one-way functions.

9 PRG from Regular OWF
- Motivation: the BMY generator.
- The Randomized Iterate.
- PRG with seed length $O(n^2)$.
- Derandomize the construction to get a PRG with seed length $O(n \log n)$.

10 The BMY PRG
OWP $f:\{0,1\}^n \to \{0,1\}^n$.
Hardcore predicate b of f: given f(x) it is hard to predict b(x).
[Diagram: $x \to f(x) \to f^2(x) \to \dots \to f^n(x) \to f^{n+1}(x)$, each arrow one application of f]
$G(x) = b(x)\, b(f^1(x))\, b(f^2(x)) \dots b(f^n(x))$
Claim: G is a PRG.

11 One-Way on Iterates
[Levin]: If $\forall k$ it is hard to invert $f^k$, then $b(x), b(f(x)), \dots, b(f^m(x))$ is pseudorandom.
Hard to invert $f^k$: given $z = f^k(x)$ it is hard to find y such that $f(y) = z$.

12 Applying BMY to any OWF
When f is any OWF, inverting $f^i$ might be easy (even when f is regular).
Example: [diagram: repeated applications of f leading into a region labelled "Easy inputs"]

13 The Randomized Iterate [GKL]
Idea: use "randomization steps" between the iterations of f to prevent the convergence of the outputs into easy instances.
$h_1,\dots,h_n \in H$ - a family of k-wise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ s.t. $\forall$ x_1,...,  x_k and a random $h \in H$, $(h(x_1),h(x_2),\dots,h(x_k))$ is uniform over $\{0,1\}^{nk}$.
- The description of $h_i$ is of length $O(nk)$.
[Diagram: x → f → $f^0(x,h)$ → $h_1$ → f → $f^1(x,h)$ → $h_2$ → f → $f^2(x,h)$ → $h_3$ → f → …, with $h = (h_1,\dots,h_n)$]
$G(x,h) = b(f^0(x,h)),\dots,b(f^n(x,h)),h_1,\dots,h_n$

14 [GKL] prove it for n-wise independent hash functions ($O(n^3)$ bits to describe $h_1,\dots,h_n$).
- We simplify the proof.
- Apply the proof to pairwise independent hash functions, thus we need only $O(n^2)$ bits to describe $h_1,\dots,h_n$.
- Derandomize the selection of $h_1,\dots,h_n$ using only $O(n \log n)$ bits.

15 Lemma 1 (last randomized iteration is hard to invert): Let f be a regular OWF and H be a family of pairwise independent hash functions; then no PPT can invert $f^k$ given $h_1,\dots,h_k$.
Corollary: Let f be a regular OWF and H be a family of pairwise independent hash functions; then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \dots, b(f^n(x,h)), h$ is a PRG with seed length $O(n^2)$.

16 Proof of Lemma 1
[Diagram: A is given $f^1(x,h)$ and h, and outputs y.] Pr[f(h(y)) = f^1(x,h)] >   (  = 1/poly)
[Diagram: A' is given $f^1(x,h)$, samples $h' \leftarrow H$, runs A on them and outputs y.] Pr[f(h'(y)) = f^1(x,h)] >  ' (  ' =  2 /2)
Contradiction! A' inverts f itself!

17 Def: The collision probability of a distribution D is the probability of choosing the same element twice while drawing two random elements from D.
Claim: A inverts (f^1(x,h),h)  A inverts (f^1(x,h),h')  A' inverts f^1(x,h).
- $(f^1(U_n,H),H) \approx (f^1(U_n,H),H')$
- $CP(f^1(U_n,H),H) \approx CP(f^1(U_n,H),H')$
- $CP(f^1(U_n,H),H) \le 2 \cdot CP(f^1(U_n,H),H')$
Lemma 2: If $CP(f^1(U_n,H),H) < n^C \cdot CP(f^1(U_n,H),H')$ then: T is noticeable w.r.t. (f^1(U_n,H),H)  T is noticeable w.r.t. (f^1(U_n,H),H')
$T = \{(z,h) \mid A \text{ inverts } (z,h)\}$ [diagram: T as a subset of $\mathrm{Im}(f) \times H$]
This is the only place we use the regularity of f!
H and H' are uniform distributions over H.

18 [Diagram: f followed by $f \circ h$]
$CP(f^1(U_n,H),H') = CP(f(U_n))/|H|$.
$CP(f^1(U_n,H),H) \le \frac{1}{|H|} \cdot \big(CP(f(U_n)) + CP(f(U_n))\big) = 2 \cdot CP(f(U_n))/|H|$.
$CP(f^1(U_n,H),H) \le 2 \cdot CP(f^1(U_n,H),H')$
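An added worked example (not from the slides): exact enumeration over a toy regular function, checking the bound above, $CP(f^1(U_n,H),H) \le 2 \cdot CP(f^1(U_n,H),H')$, and showing how the plain iterate's image collapses. The 4-bit function f(x) = x >> 1, the affine hash family over GF(2^4) and all function names are assumptions chosen for illustration; f is regular but not one-way.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

N, SIZE, MOD = 4, 16, 0b10011   # toy n = 4 bits; MOD is x^4 + x + 1 (assumption)

def gf_mul(a, b):               # multiplication in GF(2^N) modulo MOD
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & SIZE:
            a ^= MOD
    return r

def f(x):                       # toy regular (2-to-1) function, NOT one-way
    return x >> 1

def h(key, y):                  # pairwise independent: h_{a,b}(y) = a*y + b
    return gf_mul(key[0], y) ^ key[1]

HASHES = list(product(range(SIZE), repeat=2))   # whole family, |H| = 256

def randomized_iterate(x, keys):
    """f^k(x, h_1..h_k) with f^0 = f(x) and f^i = f(h_i(f^(i-1)))."""
    y = f(x)
    for key in keys:
        y = f(h(key, y))
    return y

def plain_image_sizes(k_max):
    """|Im(f^k)| for k = 1..k_max: plain iteration collapses the outputs."""
    sizes, cur = [], set(range(SIZE))
    for _ in range(k_max):
        cur = {f(x) for x in cur}
        sizes.append(len(cur))
    return sizes

def cp(counts):                 # exact collision probability from counts
    total = sum(counts.values())
    return sum(Fraction(c, total) ** 2 for c in counts.values())

def collision_probabilities():
    """Exact (CP(f^1(U_n,H),H), CP(f^1(U_n,H),H')) over all x and all h."""
    runs = [(randomized_iterate(x, [k]), k) for x in range(SIZE) for k in HASHES]
    same = cp(Counter(runs))                          # output paired with its own h
    fresh = cp(Counter(z for z, _ in runs)) / len(HASHES)  # paired with independent h'
    return same, fresh
```

For this toy f the ratio between the two collision probabilities is exactly 15/8, just under the factor 2 in the bound, while the plain iterate loses half of its image at every step.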

19 Proving Lemma 2
Claim: Let D be a distribution over a set S s.t. $CP(D) < n^C \cdot CP(U_S)$. For every $T \subseteq S$, if Pr_{x←D}[T] ≥   then Pr_{x←U_S}[T] ≥  2 n^{-C}.
Here $S = \mathrm{Im}(f) \times H$ and $D = (f^1(U_n,H), H)$.
Proof:
- CP(D) ≥  2 · 1/|T|
- |T| ≥  2 / CP(D)
- |T| ≥  2 /(n^C · CP(U_S)) =  2 n^{-C} |S|
- Pr_{x←U_S}[T] ≥  2 n^{-C}.
Annotations: "the probability of hitting T twice"; "once inside T, the probability of hitting the same element twice".

20 Lemma 1: Let f be a regular OWF and H be a family of pairwise independent hash functions; then no PPT can invert $f^k$ given $h_1,\dots,h_k$.
Corollary: Let f be a regular OWF and H be a family of pairwise independent hash functions; then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \dots, b(f^n(x,h)), h$ is a PRG with seed length $O(n^2)$.

21 Derandomizing the PRG
- $f^k(U_n,H^k) = f(U_n)$.
- CP(f^k(U_n,H^k),H^k) = 
Both properties can be "verified" by an algorithm (branching program) that uses $O(n)$ space.
Can choose $h_1,\dots,h_k$ using a generator that fools bounded-space adversaries:
- [Nisan92], [INW94] with space bound $2n$ and error $2^{-n}$.
The seed length of the new generator is $O(n \log n)$.
- Could be $O(n)$ given better bounded-space generators.
Collision verifier. Input tape: $h_1,\dots,h_k$. Choose two random elements $x_1,x_2 \in \{0,1\}^n$. Return "1" iff $f^k(x_1,h_1,\dots,h_k) = f^k(x_2,h_1,\dots,h_k)$.

22 The Plan of the Talk
Present our construction of PRG from regular one-way functions.
Give some highlights on the other two results:
- More efficient PRG for any one-way function.
- Efficient hardness amplification for regular one-way functions.

23 PRG from Any OWF
Can we apply the randomized iterate to any OWF?
- No, security deteriorates with every iteration.
- However: Lemma: It is hard to invert $f^i$ over a set of density at least $1/i$.
Does not seem enough for an efficient PRG from any OWF.
$2^{Cn}$-hard OWF implies PRG with seed $O(n^2)$.

24 Pseudo-Entropy Pair (PEP)
Def: A pair of a function and a predicate (g,b) is a ( ,  )-PEP if
1. H(b(U_n) | g(U_n)) ≤  .
2. b is a (  +  )-hard predicate of g.
Annotations: b has entropy  ; b has pseudoentropy  +  ; it is hard to predict b(U_n) given g(U_n) with probability better than 1 – (  +  )/2.
[HILL]
1. OWF  ( , 1/n )-PEP, where  is unknown.
2. ( , 1/n )-PEP  PRG, where  is known.

25 Dealing with Unknown 
$\forall i \in [n]$, "guess" that  = i/n and construct $G_i$.
$G(x_1,\dots,x_n) = G_1(x_1) \oplus G_2(x_2) \oplus \dots \oplus G_n(x_n)$.
- First apply standard length extending method [GGM] to each of the $G_i$, so that its output length is n
This increases the seed length by a factor of $O(n)$ and increases the complexity by a factor of $O(n^3)$.

26 Using the randomized iterate to construct a (1/2, 1/n)-PEP
[Diagram: x → f → $f^0$ → $f \circ h$ → $f^1$]
$f^1 = f(h(f^0(x,h))) = f(h(f(x)))$
Let $b'(x,h) = b(f^0(x,h))$ and let $g(x,h) = f^1(x,h),h$.
[Callout: The Goldreich-Levin predicate]
Lemma: (g,b') is a (1/2, 1/n)-PEP.

27 $D_f(y) = \lceil \log|f^{-1}(y)| \rceil$, $f^1 = f(h(f^0)) = f(h(f(x)))$.
Lemma:
1. If $D_f(f^0) \ge D_f(f^1)$ then $f^0$ is w.h.p. information-theoretically determined by $(f^1,h)$. *
2. $D_f(f^0) \le D_f(f^1)$ implies that it is hard to compute $f^0$ given $(f^1,h)$.
Claim: $\Pr[D_f(f^0) \le D_f(f^1)] = \Pr[D_f(f^0) \ge D_f(f^1)] \ge \frac{1}{2} + \frac{1}{n}$.
"Proof": $D_f(f^0)$ and $D_f(f^1)$ are two i.i.d. over [n].
Therefore:
- $H(b(f(x)) \mid (f^1(x,h),h)) \le \frac{1}{2}$.
- b' is a $(\frac{1}{2} + \frac{1}{n})$-hard predicate of g.

28 Proving that if $D_f(x_0) \ge D_f(x_1)$ then $x_0$ is w.h.p. determined by $(x_1,h)$.
$x_1 = f(h(x_0)) = f(h(f(x)))$
[Diagram: $x_0$ with $D_f(x_0) = 200$ mapped by $f \circ h$ to $x_1$ with $D_f(x_1) = 100$]

29 The Plan of the Talk
Present our construction of PRG from regular one-way functions.
Give some highlights on the other two results:
- More efficient PRG for any one-way function.
- Efficient hardness amplification for regular one-way functions.

30 From weak regular to OWF
Def: an  -weak one-way function f - No PPT can invert with probability better than 1- .
Claim: Any PPT A and polynomial p has a failing-set S_A ⊆ Im(f) of weight  /2  Pr_{y←f(U_n)}[A(y) ∈ f^{-1}(y) | y ∈ S_A] ≤ 1/p.

31 Hitting every Failing-Set
$f'(x_1,x_2,\dots,x_m) = f(x_1), f(x_2), \dots, f(x_m)$, with m = O(n/ ).
[Diagram: $x_1, x_2, \dots, x_m$, each passed through f]
A inverts f' $\to$ M inverts f. M, on input $y \in \mathrm{Im}(f)$:
  $\forall i \in [m]$:
    $(x_1,\dots,x_m) \leftarrow A(f(U_n),\dots,y,\dots,f(U_n))$
    if ($f(x_i) == y$) return $x_i$
Might be possible to find a different pre-image.
From our proof for regular OWF, inverting $f^m(x,h_1,\dots,h_m)$ is hard even when given $h_1,\dots,h_m$.
[Diagram: x → f → $f \circ h_1$ → $f \circ h_2$ → … → $f \circ h_m$ → $f^m(x,h_1,\dots,h_m), h_1,\dots,h_m$]
The description of $h_1,\dots,h_m$ is too long.
- Use derandomization to get $O(n \log n)$.

32 Further issues
- Linear ($O(n)$) constructions for the regular OWF PRG and weak-OWF amplification. *
- BMY-like PRG for any (for any hardness) OWF?
- Efficient hardness amplification for any weak OWF.
* Through better bounded-space generator?