Download presentation
Presentation is loading. Please wait.
1
GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&
2
One Way Functions One Way Functions (OWF): f:{0,1} n {0,1} n Easy to compute hard to invert (even on average). The most basic, unstructured form of cryptographic hardness [IL89 …]
3
Pseudorandom Generators Eff. computable function G:{0,1} s {0,1} m Stretching ( m > s ) Output is computationally indistinguishable from uniform. Central in cryptography, implies pseudorandom functions [GGM86], pseudorandom permutations [LR88], bit-commitments [Naor91], … x G(x)
4
Håstad, Imagliazzo, Levin and Luby 89 Theorem Existence of OWFs Existence of PRGs Hardness vs. Randomness in purest cryptographic form Centerpiece in basing Cryptography on OWFs Introduced key concepts and techniques (Pseudoentropy, Leftover Hash Lemma, …). inefficient and quite complex
5
Efficiency For this talk efficiency (and security) of construction is measured by PRG’s seed length s (as function of n ) [HILL89] O(n 10 ), [HILL89,Holens06] O(n 8 ), [HHR06a] O(n 7 ), Here O(n 4 ) From exponentially hard OWFs: [Holens06] O(n 5 ), [HHR06b] O(n 2 ), Here reprove O(n 2 )
6
Simplicity With years, [HILL] became simpler But mainly because we got used to it (tools and techniques became “standard”). [HILL99,Holens06] additional abstractions and more modularity (+ Holenstein's Uniform Hard-Core Lemma) Here simpler. Construction non-adaptive thus derive “OWFs in NC 1 PRGs in NC 0 ” (via [AIK06])
7
False Entropy Generator Loosely, the most basic object in HILL is: G fe (x,g,i)=f(x),g,g(x) 1..i (think of g as matrix multiplication). Lemma Let k=log|f -1 (f(x))|, then when i=k+log n then g,g(x) 1..i is pseudorandom (even conditioned on f(x)). Intuition: first k-clog n bits are statistically close to uniform (Leftover Hash Lemma) and next (c+1)log n bits are pseudorandom (GL Hard-Core Function).
8
False Entropy Generator (II) G fe (x,g,i)=f(x),g,g(x) 1..i Lemma: For the variable G fe (x,g,i) (with random inputs) = pseudoentropy – real entropy > (log n)/n Reason: w.p 1/n over choice of i (when i=k+log n) the output G fe (x,g,i) is indistinguishable from distribution with entropy |x|+|g|+log n (whereas real entropy |x|+|g|) Disadvantages: rather small, value of real entropy unknown, pseudoentropy < entropy of input
9
Our Building Block Simply do not truncate: G nb (x,g)=f(x),g,g(x) Nonsense: G nb (x,g) is invertible and therefore has no pseudoentropy! Well yes but: G nb (x,g) does have psudoentropy from the point of view of an online distinguisher (getting one bit at a time).
10
Next-Bit Pseudoentropy X has pseudoentropy k if Y with H(Y) k such that X and Y are indistinguishable X=X 1 …X n has next-bit pseudoentropy k if Y with i H(Y i |X 1 …X i ) k such that X_i and Y_i are indistinguishable conditioned on X 1 …X i-1 Remarks: X and Y are jointly distributed The two notions are identical for k=n [BM, Yao] Generalizes to blocks (rather than bits)
11
Our Next-Block Pseudoentropy Generator G nb (x,g)=f(x),g,g(x) Next-block pseudoentropy > |x|+|g|+logn X=G(x,g) and Y obtained from X by replacing first k+logn bits of g(x) with uniform Advantages: = next-block pseudoentropy –real entropy> logn Entropy bounds known (on total entropy) “No bit left behind” Relates to work on inaccessible entropy [HRVW09]
12
HILL Revisited - Overview G nb x,g … … … n 2 repetitions: amplifies entropy gap and turns next-block pseudo Shannon entropy to next-block pseudo min entropy Extract next-block pseudoentropy
13
Uniform Construction and Uniform Security Seed length so far O(n 3 ), but construction non uniform (need to know how much to extract from each block). Using an idea from [HRVW09] get uniform construction with seed length O(n 4 ). To carry out the hybrid (for the n 2 repetitions), need X and Y to be next-block indistinguishable even given an oracle that samples X and Y. Just as in HILL, most elegant solution is via Holenstein's Uniform Hardcore Lemma [Holens06].
14
Final Comment Assume f is OW-Permutation. Given f(x) hard to find x. Intuitively, given f(x) we have that x has some computational entropy in it, (thus we can extract this entropy). Nevertheless, given f(x), we have that x does not have any pseudoentropy in it. However, G’ nb (x)=f(x),x is a next-block pseudoentropy generator Does it also hold for OWFs?
15
Widescreen Test Pattern (16:9) Aspect Ratio Test (Should appear circular) 16x9 4x3
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.