Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold.

Published byDarrell Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold."— Presentation transcript:

1 1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold

2 2 Pseudorandom generators. Hardness amplification. The Randomized Iterate [GKL88]

3 3 Pseudorandom Generators (PRG) [BM82, Yao82] Eff. computable function G:{0,1} n ! {0,1} n’ Increases Length ( n’ > n ) Output is computationally indistinguishable from random. G(U n ) w C U n’ Central in cryptography, implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and … x G(x)

4 4 Def: f:{0,1} n ! {0,1} n is a one-way function (OWF) if 1. Efficiently computable 2. Hard to invert: hard to find an inverse f -1 (f(x)) for a random f(x). If f is also a permutation on {0,1} n, then it is a one-way permutation (OWP). f:{0,1} n ! {0,1} n is regular if all images have the same preimage size for any x 2 {0,1} n it holds that |f -1 (f(x))| =  n. If  n is efficiently-computable then f is known regular. One-way permutations [BM82,Yao82]. Regular one-way functions [GKL88]. Any one-way function [HILL89]. PRG Based on General Hardness Assumptions O(n 8 ) O(n) O(n 3 ) Input Blowup: The input length of the resulting PRG grows compared to the underlying OWF. Central to the security of the construction. denote the input length of the OWF by n

5 5 Example: We trust a OWF to be secure only for 100 bit inputs. [BMY] is insecure for seed < 100 bits. [GKL] is insecure seed < 1,000,000 bits. [HILL] is insecure for seed < 10 16 bits! Goal: Reduce input length blowup. [Holens06] One-way function with exponential hardness ( 2 -Cn for some C>0 ) O(n 5 )

6 6 Our Results Pseudorandom generators from: Regular one-way functions O(n log n) Any one-way function O(n 7 ) One-way function with exponential hardness O(n 2 )

7 7 Def:  -weak one-way functions - No PPT can invert with probability better than 1- . Goal: Strong OWF from weak OWF. General one-way functions [Yao82] O(n 2 /  ). One-way permutations [GILVZ90] O(n). Known regular one-way functions [GILVZ90] between O(n) to O(n 2 ) (depends on the hardness of the function). Regular one-way functions [DI99] O(n) in the public randomness model. Our Result: From weak (unknown) regular OWF O(n log n). Hardness amplification

8 8 The Plan of the Talk Present our construction of PRG from regular one-way functions. Give some highlights on the other two results:  More efficient PRG for any one-way function.  Efficient hardness amplification for regular one-way functions.

9 9 PRG from Regular OWF. Motivation - The BMY generator. The Randomized Iterate. PRG with seed length O(n 2 ). Derandomize the construction to get a PRG with seed length O(n log n).

10 10 The BMY PRG G(x) = Hardcore-predicate of f : given f(x) it is hard to predict b(x). b(x)b(f 1 ( x)) b(f 2 (x))b(f n (x)) … Claim: G is a PRG. x f f(x) ff f 2 (x)f n (x) … f n+1 (x) f OWP f:{0,1} n ! {0,1} n

11 11 One-Way on Iterates: [Levin]: If 8 k it is hard to invert f k Then b(x),b(f(x)),…,b(f m (x)) is pseudorandom. given z = f k (x) it is hard to find y such that f(y) = z

12 12 Applying BMY to any OWF When f is any OWF, inverting f i might be easy (even when f is regular). Example: Easy inputs ff

13 13 f 0 (x) f 0 (x, h ) h 1,...,h n 2H - a family of k- wise independent hash functions from {0,1} n ! {0,1} n s.t. 8 x 1 ,...,  x k and a random h 2H (h(x 1 ),h(x 2 ),...,h(x k )) is uniform over {0,1} nk.  The description of h i is of length O(nk). Idea: use “randomization steps” between the iterations of f to prevent the convergence of the outputs into easy instances. The Randomized Iterate [GKL]: The Randomized Iterate G(x,h) = b(f 0 (x,h)),...,b(f n (x,h)),h 1,...,h n h1h1 f x f f 1 (x, h ) … h2h2 f f 2 (x, h ) h3h3 f h = (h 1,...,h n )

14 14 [GKL] prove it for n -wise independent hash functions. ( O(n 3 ) bits to describe h 1,...,h n ) We simplify the proof. Apply the proof to pairwise independent hash functions, thus we need only O(n 2 ) bits to describe h 1,...,h n. Derandomized the selection of h 1,...,h n using only O(n log n) bits.

15 15 Lemma 1: (Last randomized iteration is hard to invert) Let f be a regular OWF and H be family of pairwise independent hash functions, then no PPT can invert f k given h 1,...,h k. Corollary: Let f be a regular OWF and H be family of pairwise independent hash functions, then G(x, h ) = b(f 0 (x, h )),b(f 1 (x, h )),…,b(f n (x, h )), h is a PRG with seed length O(n 2 ).

16 16 A' Proof of Lemma 1 A f 1 (x,h) h y Pr[f(h(y))= f 1 (x,h)] >  (  = 1/poly) f 1 (x,h) h’ Ã H y A Pr[f(h’(y))= f 1 (x,h)] >  ’ (  ’ =  2 /2) Contradition! A’ inverts f itself!

17 17 Def: The collision-probability of a distribution D, is the probability of choosing the same element twice while drawing two random elements from D. Claim: A inverts (f 1 (x,h),h)  A inverts (f 1 (x,h),h’)  A’ inverts f 1 (x,h). (f 1 (U n,H),H) ¼ (f 1 (U n,H),H’) CP(f 1 (U n,H),H) ¼ CP(f 1 (U n,H),H’) CP(f 1 (U n,H),H) · 2 ¢ CP(f 1 (U n,H),H’) Lemma 2: If CP(f 1 (U n,H),H) < n C. CP(f 1 (U n,H),H’) then: T is noticeable w.r.t. (f 1 (U n,H),H)  T is noticeable w.r.t. (f 1 (U n,H),H’) T = {(z,h) | A inverts (z,h)} f h f Im(f) £H T This is the only place we use the regularity of f ! H and H’ are uniform distributions over H

18 18 fºhfºhf CP(f 1 (U n,H),H) · 1/| H | CP(f 1 (U n,H),H’) = CP(f(U n )/| H |. ( CP(f(U n ) + CP(f(U n )) = 2 ¢ CP(f(U n )/| H |. CP(f 1 (U n,H),H) · 2 ¢ CP(f 1 (U n,H),H’)

19 19 Proving Lemma 2 Claim: Let D be a distribution over a set S s.t. CP(D) < n C. CP(U S ). For every T µ S if Pr x à D [T] ¸  then Pr x à U s [ T ] ¸  2 n -C. Proof: CP(D) ¸  2 ¢ 1/|T| |T| ¸  2 / CP(D) |T| ¸  2 /(n C. CP(U S )) =  2 n -C |S| Pr x à U s [T] ¸  2 n -C. the probability of hitting T twice Once inside T, the probability of hitting the same element twice S = Im(f)  H D = (f 1 (U n,H), H)

20 20 Lemma 1: Let f be a regular OWF and H be family of pairwise independent hash functions, then no PPT can invert f k given h 1,...,h k. Corollary: Let f be a regular OWF and H be family of pairwise independent hash functions, then G(x, h ) = b(f 0 (x, h )),b(f 1 (x, h )),…,b(f n (x, h )), h is a PRG with seed length O(n 2 ).

21 21 Derandomizing the PRG f k (U n,H k ) = f(U n ). CP(f k (U n,H k ),H k ) =  Both properties can be “verified” by an algorithm (branching-program) that uses O(n) space. Can choose h 1,...,h k using a generator that fools bounded-space adversaries  [Nisan92],[INW94] with space bound 2n and error 2 -n. The seed length on the new generator is O(n log n).  Could be O(n) given better bounded-space generators. Collision verifier. input tape: h 1,...,h k. Choose two random elements x 1,x 2 2 {0,1} n. Return “1” iff f k (x 1,h 1,...,h k ) = f k (x 2,h 1,...,h k )

22 22 The Plan of the Talk Present our construction of PRG from regular one-way functions. Give some highlights on the other two results:  More efficient PRG for any one-way function.  Efficient hardness amplification for regular one-way functions.

23 23 PRG from Any OWF Can we apply the randomized iterate to any OWF?  No, security deteriorates with every iteration.  However: Lemma: It is hard to invert f i over a set of density at least 1/i. Does not seem enough for an efficient PRG from any OWF. 2 Cn -hard OWF implies PRG with seed O(n 2 ).

24 24 Pseudo-Entropy Pair (PEP) Def: A pair of a function and a predicate (g,b) is a ( ,  )-PEP if 1. H (b(U n ) | g(U n )) · . 2. b is a (  +  )-hard predicate of g. [HILL] 1. OWF  ( , 1/n )-PEP, where  is unknown. 2. ( , 1/n )-PEP  PRG, where  is known. It is hard to predict b(U n ) given g(U n ) with probability better than 1 – (  +  )/2 b has entropy  b has pseudoentropy  + 

25 25 8 i 2 [n], “guess” that  = i/n and construct G i. G(x 1,...,x n ) = G 1 (x 1 ) © G 2 (x 2 ) ©... © G n (x n ).  First apply standard length extending method [GGM] to each of the G i, so that its output length is n 2 +1. This increases the seed length by a factor of O(n) and increases the complexity by a factor of O(n 3 ). Dealing with Unknown  GG...

26 26 f 1 = f(h(f 0 (x,h))) = f(h(f(x))) Let b’(x,h) = b(f 0 (x,h)) and let g(x,h) = f 1 (x,h),h Lemma: (g,b’) is a (1/2,1/n) -PEP. Using the randomized iterate to construct a (1/2,1/n) -PEP xf0f0 f1f1 fºhfºhf The Goldreich-Levin predicate

27 27 Lemma: 1. If D f (f 0 ) ¸ D f (f 1 ) then f 0 is w.h.p. Information theoretically determined by (f 1,h). * 2. D f (f 0 ) · D f (f 1 ) implies that it is hard to compute f 0 given (f 1,h). Claim: Pr[D f (f 0 ) · D f (f 1 )] = Pr[D f (f 0 ) ¸ D f (f 1 )] ¸ ½ +1/n. “Proof”: D f (f 0 ) and D f (f 1 ) are two i.i.d. over [n]. Therefore, H (b(f(x)) | (f 1 (x,h),h)) · ½. b’ is a ( ½ +1/n )-hard predicate of g. D f (y) = d log|(f -1 (y))| e. f 1 = f(h(f 0 )) = f(h(f(x)))

28 28 Proving that if D f (x 0 ) ¸ D f (x 1 ) then x 0 is w.h.p. determined by ( x 1,h). x1x1 D f (x 1 ) = 100 x0x0 D f (x 0 ) = 200 fºhfºh f x 1 = f(h(x 0 )) = f(h(f(x)))

29 29 The Plan of the Talk Present our construction of PRG from regular one-way functions. Give some highlights on the other two results:  More efficient PRG for any one-way function.  Efficient hardness amplification for regular one-way functions.

30 30 From weak regular to OWF Def: an  -weak one-way function f - No PPT can invert with probability better than 1- . Claim: Any PPT A and polynomial p has a failing-set S A µ Im(f) of weight  /2  Pr y à f(U n ) [A(y) 2 f -1 (y) | y 2 S A ] · 1/p.

31 31 x1x1 f fºh1 fºh1 f’(x 1,x 2,...,x m ) = f(x 1 ), f(x 2 )...,f(x m ) Might be possible to find a different pre-image. From our proof for regular OWF, inverting f m (x,h 1,...,h m ) is hard even when given h 1,...,h m. The description of h 1,...,h m is too long.  Use derandomization to get O(n log n) Hitting every Failing-Set f f m (x,h 1,...,h m ) f fºhm fºhm,h 1,...,h m f fºh2 fºh2 x2x2 xmxm m = O(n/  ) A inverts f’ ! M inverts f On input y 2 Im(f): 8 i 2 [m] (x 1,...,x m ) Ã A(f(U n ),...,y,...,f(U n )) if (f(x i ) == y) retrun x i

32 32 Further issues Linear (O(n)) constructions for the regular OWF PRG and weak-OWF amplification. *through better bounded-space generator? BMY-like PRG for any (for any hardness) OWF? Efficient hardness amplification for any weak OWF.

Download ppt "1 On the Power of the Randomized Iterate Iftach Haitner, Danny Harnik, Omer Reingold."

Similar presentations

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.

Impagliazzos Worlds in Arithmetic Complexity: A Progress Report Scott Aaronson and Andrew Drucker MIT 100% QUANTUM-FREE TALK (FROM COWS NOT TREATED WITH.
On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.

On the Complexity of Parallel Hardness Amplification for One-Way Functions Chi-Jen Lu Academia Sinica, Taiwan.
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.

Linear-Degree Extractors and the Inapproximability of Max Clique and Chromatic Number David Zuckerman University of Texas at Austin.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.

Pseudorandomness from Shrinkage David Zuckerman University of Texas at Austin Joint with Russell Impagliazzo and Raghu Meka.
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner www.wisdom.weizmann.ac.il/~iftachh WEIZMANN INSTITUTE.

Implementing Oblivious Transfer Using a Collection of Dense Trapdoor Permutations Iftach Haitner WEIZMANN INSTITUTE.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Similar presentations

Ads by Google