Presentation is loading. Please wait.

Presentation is loading. Please wait.

GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&"— Presentation transcript:

1 GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&

2 One Way Functions One Way Functions (OWF): f:{0,1} n  {0,1} n  Easy to compute hard to invert (even on average).  The most basic, unstructured form of cryptographic hardness [IL89 …]

3 Pseudorandom Generators Eff. computable function G:{0,1} s  {0,1} m  Stretching ( m > s )  Output is computationally indistinguishable from uniform. Central in cryptography, implies pseudorandom functions [GGM86], pseudorandom permutations [LR88], bit-commitments [Naor91], … x G(x)

4 Håstad, Imagliazzo, Levin and Luby 89 Theorem Existence of OWFs Existence of PRGs  Hardness vs. Randomness in purest cryptographic form  Centerpiece in basing Cryptography on OWFs  Introduced key concepts and techniques (Pseudoentropy, Leftover Hash Lemma, …). inefficient and quite complex

5 Efficiency For this talk efficiency (and security) of construction is measured by PRG’s seed length s (as function of n )  [HILL89] O(n 10 ), [HILL89,Holens06] O(n 8 ), [HHR06a] O(n 7 ), Here O(n 4 )  From exponentially hard OWFs: [Holens06] O(n 5 ), [HHR06b] O(n 2 ), Here reprove O(n 2 )

6 Simplicity With years, [HILL] became simpler  But mainly because we got used to it (tools and techniques became “standard”).  [HILL99,Holens06] additional abstractions and more modularity (+ Holenstein's Uniform Hard-Core Lemma)  Here simpler.  Construction non-adaptive thus derive “OWFs in NC 1  PRGs in NC 0 ” (via [AIK06])

7 False Entropy Generator  Loosely, the most basic object in HILL is: G fe (x,g,i)=f(x),g,g(x) 1..i (think of g as matrix multiplication). Lemma Let k=log|f -1 (f(x))|, then when i=k+log n then g,g(x) 1..i is pseudorandom (even conditioned on f(x)).  Intuition: first k-clog n bits are statistically close to uniform (Leftover Hash Lemma) and next (c+1)log n bits are pseudorandom (GL Hard-Core Function).

8 False Entropy Generator (II) G fe (x,g,i)=f(x),g,g(x) 1..i Lemma: For the variable G fe (x,g,i) (with random inputs)  = pseudoentropy – real entropy > (log n)/n Reason: w.p 1/n over choice of i (when i=k+log n) the output G fe (x,g,i) is indistinguishable from distribution with entropy |x|+|g|+log n (whereas real entropy  |x|+|g|)  Disadvantages:  rather small, value of real entropy unknown, pseudoentropy < entropy of input

9 Our Building Block  Simply do not truncate: G nb (x,g)=f(x),g,g(x)  Nonsense: G nb (x,g) is invertible and therefore has no pseudoentropy!  Well yes but: G nb (x,g) does have psudoentropy from the point of view of an online distinguisher (getting one bit at a time).

10 Next-Bit Pseudoentropy  X has pseudoentropy  k if  Y with H(Y)  k such that X and Y are indistinguishable  X=X 1 …X n has next-bit pseudoentropy  k if  Y with   i H(Y i |X 1 …X i )  k such that  X_i and Y_i are indistinguishable conditioned on X 1 …X i-1  Remarks:  X and Y are jointly distributed  The two notions are identical for k=n [BM, Yao]  Generalizes to blocks (rather than bits)

11 Our Next-Block Pseudoentropy Generator  G nb (x,g)=f(x),g,g(x)  Next-block pseudoentropy > |x|+|g|+logn  X=G(x,g) and Y obtained from X by replacing first k+logn bits of g(x) with uniform  Advantages:   = next-block pseudoentropy –real entropy> logn  Entropy bounds known (on total entropy)  “No bit left behind”  Relates to work on inaccessible entropy [HRVW09]

12 HILL Revisited - Overview G nb x,g … … … n 2 repetitions: amplifies entropy gap and turns next-block pseudo Shannon entropy to next-block pseudo min entropy Extract next-block pseudoentropy

13 Uniform Construction and Uniform Security  Seed length so far O(n 3 ), but construction non uniform (need to know how much to extract from each block).  Using an idea from [HRVW09] get uniform construction with seed length O(n 4 ).  To carry out the hybrid (for the n 2 repetitions), need X and Y to be next-block indistinguishable even given an oracle that samples X and Y.  Just as in HILL, most elegant solution is via Holenstein's Uniform Hardcore Lemma [Holens06].

14 Final Comment  Assume f is OW-Permutation. Given f(x) hard to find x.  Intuitively, given f(x) we have that x has some computational entropy in it, (thus we can extract this entropy).  Nevertheless, given f(x), we have that x does not have any pseudoentropy in it.  However, G’ nb (x)=f(x),x is a next-block pseudoentropy generator  Does it also hold for OWFs?

15 Widescreen Test Pattern (16:9) Aspect Ratio Test (Should appear circular) 16x9 4x3

Download ppt "GOING DOWN HILL: MORE EFFICIENT PSEUDORANDOM GENERATORS FROM ANY ONE-WAY FUNCTION Joint with Iftach Haitner and Salil Vadhan Omer Reingold&"

Similar presentations

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
The Equivalence of Sampling and Searching Scott Aaronson MIT.

The Equivalence of Sampling and Searching Scott Aaronson MIT.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.

Derandomization & Cryptography Boaz Barak, Weizmann Shien Jin Ong, MIT Salil Vadhan, Harvard.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.

F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

Similar presentations

Ads by Google