On Constructing Parallel Pseudorandom Generators from One-Way Functions
Emanuele Viola, Harvard University
June 2005
Pseudorandom Generator (PRG) [BM,Y]
PRG:
– Poly(n)-time computable
– Stretch $s(n) \ge 1$ (e.g., $s(n) = 1$, $s(n) = n$)
– Fools efficient adversaries: $\forall$ PPT $A$:
  $\Pr_{X,\ |X| = n+s(n)}[A(X) = 1] \approx \Pr_{\text{seed},\ |\text{seed}| = n}[A(\mathrm{PRG}(\text{seed})) = 1]$
Background on PRG
PRG $\Leftrightarrow$ One-Way Functions (OWF) [BM,Y,GL,…,HILL]
($f$ is an OWF if it is easy to compute but hard to invert, i.e. $\forall$ PPT $M$, almost never $M(f(X)) \in f^{-1}(f(X))$)
Applications of PRG: cryptography, derandomization; these need stretch $s(n) = \mathrm{poly}(n)$
Stretch $s(n)$ only makes sense relative to $n$
– E.g. $G : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ $\Rightarrow$ $G : \{0,1\}^{n^2} \to \{0,1\}^{n^2 + n \cdot s(n)}$ (apply $G$ to each of the $n$ blocks of $n$ bits)
– Two main cases: $s(n) = 1$, or $s(n) = n$
PRG Constructions
We study the complexity of constructing a PRG with big stretch from an OWF $f$.
Def.: black-box PRG construction $G^f$: for every (computationally unbounded) function $f$ and adversary $A$,
  $A$ breaks $G^f$ $\Rightarrow$ $\exists$ PPT $M$ : $M^{f,A}$ inverts $f$
Most constructions are black-box [BM,Y,…,HILL]
Many negative results for the black-box model [IR,…,GT,RTV]
– Cannot make sense of negative results in the non-black-box model
Standard Constructions w/ big stretch
STEP 1: OWF $f$ $\Rightarrow$ $G^f : \{0,1\}^n \to \{0,1\}^{n+1}$
– Think e.g. $f : \{0,1\}^n \to \{0,1\}^n$
STEP 2: $G^f$ $\Rightarrow$ PRG with stretch $s(n) = \mathrm{poly}(n)$ [GM]
Stretch $s$ $\Rightarrow$ $s$ adaptive queries to $f$ $\Rightarrow$ circuit depth $\ge s$
Question [this work]: stretch $s$ vs. adaptivity & depth? E.g., can we have $s = n$ and circuit depth $O(\log n)$?
[Figure: Input fed through a chain of $G^f$ boxes, each feeding the next, to Output …]
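The two ways of extending stretch contrasted on this slide, as an added Python sketch that is not part of the talk: the [GM]-style iteration that buys $s$ output bits with $s$ adaptive rounds, next to the one-round parallel composition from the background slide. `g_stand_in` is a hash-based placeholder with the type $\{0,1\}^n \to \{0,1\}^{n+1}$ of $G^f$; it is assumed, not one-way, and not pseudorandom, so only the counting of bits and rounds is meaningful.

```python
import hashlib


def bits_of(data: bytes, nbits: int) -> str:
    """First nbits of data as a '0'/'1' string."""
    return ''.join(format(b, '08b') for b in data)[:nbits]


def g_stand_in(x: str) -> str:
    """Stand-in for G^f : {0,1}^n -> {0,1}^(n+1) (assumption: hashing only
    gives a deterministic map of the right type; no hardness is claimed)."""
    n = len(x)
    return bits_of(hashlib.sha256(x.encode()).digest(), n + 1)


def sequential_stretch(x: str, s: int):
    """[GM]-style iteration: every round queries g on the previous round's
    n-bit state, outputs one bit and forwards the remaining n bits.
    Returns (n+s output bits, number of adaptive rounds); the rounds are
    sequential, so any circuit computing this has depth at least s."""
    state, out = x, []
    for _ in range(s):
        y = g_stand_in(state)   # query depends on all earlier answers
        out.append(y[-1])       # one fresh output bit per round
        state = y[:-1]          # n bits carried into the next round
    return state + ''.join(out), s


def parallel_stretch(x: str, n: int):
    """Nonadaptive composition: split an m-bit input into m/n blocks and
    apply g to each block independently, all in one round (constant depth).
    Output is m + m/n bits, so for m = n^2 the stretch is n = sqrt(m) = o(m),
    matching the o(n) bound for parallel constructions."""
    if len(x) % n:
        raise ValueError("input length must be a multiple of the block size")
    blocks = [x[i:i + n] for i in range(0, len(x), n)]
    return ''.join(g_stand_in(b) for b in blocks), 1


if __name__ == "__main__":
    seed = '10110010'                      # constructed 8-bit seed
    out, rounds = sequential_stretch(seed, 16)
    print(len(out) - len(seed), "bits of stretch in", rounds, "adaptive rounds")
    big = seed * 8                         # constructed 64-bit seed (n^2, n = 8)
    out, rounds = parallel_stretch(big, 8)
    print(len(out) - len(big), "bits of stretch in", rounds, "round")
```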
Previous Results
[AIK] Log-depth OWF/PRG $\Rightarrow$ $O(1)$-depth PRG (!!!). However, any stretch $\Rightarrow$ stretch $s = 1$
[GT] $s$ vs. number $q$ of queries to the OWF (Thm: $q \ge s$); [This work] $s$ vs. adaptivity & circuit depth
[…,IN,NR] $O(1)$-depth PRG from specific assumptions; [This work] general assumptions
Context: [V] studies the complexity of NW-type PRG
Outline
Our model
Our results
Proof sketch of main negative result
Other: new negative result on worst-case vs. average-case connections in NP, PH
Our Model of PRG construction
Parallel PRG $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ from OWF $f$
[Figure: input of $n$ bits; nonadaptive queries $q_1, q_2, q_3, q_4$ to $f$; the answers feed a constant-depth circuit (AC$^0$) of $\wedge$ and $\vee$ gates; output of $n+s(n)$ bits]
Our Results on PRG Constructions
Parallel construction $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ from one-way function $f$ (e.g. $f : \{0,1\}^n \to \{0,1\}^n$)

        f arbitrary        f one-to-one       f permutation
Neg.    $s(n) \le o(n)$    ?
Pos.    ?                                     $s(n) \ge 1$
Proof Sketch of Negative Result
Thm [this work]: Parallel black-box PRG constructions $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ satisfy $s(n) \le o(n)$
Proof: Exhibit computationally unbounded $f$, $A$ such that:
(1) $A$ breaks $G^f$ when $s(n) = \Omega(n)$
(2) $f$ is one-way, i.e. hard to invert.
We show a distribution on $f$ such that (1) & (2) hold w.h.p.
Def. of $f$ and (1) break $G^f$
Restriction [FSS,H,…]: maps bits to $\{0,1,*\}$
Def. distribution on $f$: apply the restriction to the truth-table of $f$ (the restriction is known to adversary $A$); replace each $*$ with a random bit
(1) $A$ breaks $G^f$: $\forall$ seed, $G^f(\text{seed})$ is an AC$^0$ function of the truth-table of $f$ $\Rightarrow$ the restriction makes $G^f(\text{seed})$ biased $\Rightarrow$ $A$ breaks $G^f(\text{seed})$.
– If $s(n) = \Omega(n)$ we can union bound over all seeds.
[Figure: truth table of $f$ under the restriction: $f(0) = 01{*}{*}$, $f(1) = 1{*}0{*}$, …, $f(111) = 1{*}{*}0$; the $*$ positions are then filled with random bits, e.g. $1110$]
(2) $f$ one-way
Problem: $f$ is not one-way: the restriction leaks information about $x$. E.g. first bit of $f(x) = 0$ $\Rightarrow$ $x$ is determined
Solution: force many $x$'s to share the same restriction: compose $f$ with a hash function
Many preimages $\Rightarrow$ $f$ one-way
Low collision probability $\Rightarrow$ $A$ still breaks $G^f$
Q.E.D.
[Figure: $f$ = hash composed with the restricted table: $f(0) = 01{*}{*}$, $f(1) = 1{*}0{*}$, $f(10) = 1{*}{*}{*}$, $f(111) = 1{*}{*}0$, with several inputs hashed onto the same row]
Our Result on Average Case Complexity
Question: given $f \in \mathrm{NP}$ worst-case hard ($f \notin \mathrm{P/poly}$), can we build $f' \in \mathrm{NP}$ average-case hard? I.e. $\forall$ small circuit $A$ : $\Pr_x[A(x) \ne f'(x)] \ge 1/3$
Thm [V]: no black-box construction of $f'$ using both the function $f$ and the adversary $A$ as black boxes
Thm [BT]: no construction using $A$ as a black box
– Also uses $A$ ``non-adaptively''
Thm [this work]: no construction using $f$ as a black box
– Proof uses pseudorandom restrictions
Conclusion
Thm [this work]: Parallel black-box constructions $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ satisfy

        f arbitrary        f one-to-one       f permutation
Neg.    $s(n) \le o(n)$    ?
Pos.    ?                                     $s(n) \ge 1$

Average-case complexity
Thm [this work]: given $f \in \mathrm{NP}$ worst-case hard, there is no construction of an average-case hard $f' \in \mathrm{NP}$ using $f$ as a black box