Presentation is loading. Please wait.

Presentation is loading. Please wait.

GOING DOWN HILL : EFFICIENCY IMPROVEMENTS IN CONSTRUCTING PSEUDORANDOM GENERATORS FROM ONE-WAY FUNCTIONS Iftach Haitner Omer Reingold Salil Vadhan.

Published byWillis Foster Modified over 9 years ago

Similar presentations

Presentation on theme: "GOING DOWN HILL : EFFICIENCY IMPROVEMENTS IN CONSTRUCTING PSEUDORANDOM GENERATORS FROM ONE-WAY FUNCTIONS Iftach Haitner Omer Reingold Salil Vadhan."— Presentation transcript:

1 GOING DOWN HILL : EFFICIENCY IMPROVEMENTS IN CONSTRUCTING PSEUDORANDOM GENERATORS FROM ONE-WAY FUNCTIONS Iftach Haitner Omer Reingold Salil Vadhan

2 Cryptography  Rich array of applications and powerful implementations.  In some cases (e.g Zero-Knowledge), more than we would have dared to ask for.

3 Cryptography  Proofs of security very important  BUT, almost entirely based on computational hardness assumptions (factoring is hard, cannot find collisions in SHA-1, …)

4 One Way Functions (OWF)  Easy to compute  Hard to invert (even on the average) The most basic, unstructured form of cryptographic hardness [Impagliazzo-Luby ‘95] Major endeavor: base as much of Crypto on existence of OWFs – Great success (even if incomplete) xf(x) f Intermediate primitives

5 Pseudorandom Generators [BM,Yao] Efficiently computable function G:{0,1} s  {0,1} m  Stretching (m > s)  Output is computationally indistinguishable from uniform x G(x)

6 (Private-key) Encryption m k k m k © k’ GG

7 Håstad, Imagliazzo, Levin and Luby ‘90 Theorem Existence of OWFs ) Existence of PRGs  Centerpiece in basing Cryptography on OWFs  Introduced key concepts and techniques (Pseudoentropy, Leftover Hash Lemma, …)  Inefficient and quite complex 7

8 Simplicity With years, [HILL] became simpler  But mainly because we got used to it (tools and techniques became “standard”).  [HILL99,Holens06] additional abstractions and more modularity (+ Holenstein's Uniform Hard-Core Lemma)

9 Our Result 9 New construction of PRG from OWF  Simpler  Improve efficiency/security  Non-adaptive, OWFs in NC 1  PRGs in NC 1  Derive (via [AIK 06]) OWFs in NC 1  PRGs in NC 0

10 Efficiency f:{0,1} n   {0,1} n ) G:{0,1} s(n)   {0,1} m(n ) For this talk efficiency (and security) of construction is measured by PRG’s seed length s(n)  [HILL90, Hol06] O(n 8 ), [HHR06a] O(n 7 ) Here O(n 4 ) Assume that f is secure on 100 bits input, the PRG of [HHR06a] is secure on O(10 14 ) bits input Here on O(10 8 ) From exponentially hard OWFs:  [Hol06] Õ(n 4 ), [HHR06b] Õ(n) Here Õ(n) 10

11 The HILL Construction 11

12 The basic object in HILL: G pe (x,h) = f(x), h, h(x) 1.. d (x)+1 f :{0,1} n  {0,1} n is a OWF, h is random n £ n matrix and d(x) = log|f -1 (f(x))| The entropy of G pe (x,h) (over a random (x,h)): Pseudoentropy Generator f(x)h h(x) 1… d (x)+1 Leftover Hash Lemma* Goldreich-Levin hardcore bit Looks uniform H(f(x)) +|h| bits of entropy 12 n+|h| bits of entropy n+|h| + 1 bits of pseudoentropy X has pseudoentropy  k if 9 Y 1.X ≈ C Y 2.H(Y) = k The (Shannon) entropy of X is H(X) = E x à X [log(1/Pr[X=x)] G pe (x,h) =  = output pseudoentropy – output (real) entropy = 1 d(x) bits of entropy

13 Proof 13 Claim: g’(x,h) = f(x), h, h(x) 1..d(x) is almost-injective OWF Proof: (f(x),h,U 1..d(x) ) “dominates” (f(x), h, h(x) 1..d(x) ) Corollary: G pe (x,h) ≈ C (f(x),h,h(x) 1..d(x),U) and thus has pseudoentropy n+|h| + 1 Proof: Goldreich-Levin Remark: Any pairwise ind. hash function (or strong extractor) for the first part of h will do, achieving |h| 2 O(n) G pe (x,h)=f(x),h,h(x) 1..d(x)+ 1 d(x)= log|f -1 (f(x))|

14 f(x 1 )h1h1 h 1 (x 1 ) 1…d(x 1 )+1 Pseudoentropy Generator ! PRG 14 G pe (x 1,h 1 )= n+|h|+ 1 bits of pseudoentropy G pe (x 2,h 2 )= G pe (x t,h t ) = f(x 2 )h2h2 h 2 (x 2 ) 1…i(x 2 )+1 f(x t )htht h t (x t ) 1…d(x t ) + 1 … Extractor pseudoentropy pseudo min-entropy G(x 1,h 1 …,h t,x t ) Problem: G pe might not be efficiently computable (since d(x) = |f -1 (f(x))| might not be)

15  = output pseudoentropy – output (real) entropy = 1/n “Proof”: Disadvantages: 1.  rather small 2.Output pseudoentropy < entropy of input 3.Value of output pseudoentropy is unknown ) Less efficient and more complicate overall construction G pe (x,h) = f(x), h, h(x) 1..d(x)+ 1 G pe (x,h,i) = f(x), h, h(x) 1..i Pseudoentropy Generator – Actual Construction 15 f(x)h h(x) 1…d(x) + 1 n+|h| + 1bits of pseudoentropy G pe (x,h) = ii n+|h| bits of entropy < n+|h| bits of entropy i

16 Our Construction 16

17 Our Building Block  Simply do not truncate: G nb (x,h) = f(x), h, h(x)  Nonsense: G nb (x,h) is invertible and therefore has no pseudoentropy!  Well yes, but: G nb (x,h) does have psudoentropy from the point of view of an online (eff.) predictor (getting one bit at a time). 17 f(x)h h(x) pseudoentropy = entropy G nb (x,h) = n +|h| + 1 bits of next-bit pseudoentropy

18 X=(X 1 …X n ) has next-bit pseudoentropy  k if  {Y 1,…,Y n } (jointly distributed with X) with 1. 8 i (X 1 …X i-1,X i ) ≈ C (X 1 …X i-1,Y i ) 2.  i H(Y i |X 1 …X i-1 )  k Hence, Pr[P(X 1 …X i-1 )=X i )] is “small” for any eff. P Remarks:  Quantitative generalization of unpredictability  For k=n, same as pseudorandmness [BM, Yao, GGM]  Generalizes to blocks and to min entropy Next-Bit Pseudoentropy 18 ???????X1X1 X2X2 X3X3...XnXn Pr[P(X 1 …X i-1 )=X i )] ≈ Pr[P(X 1 …X i-1 )=Y i )] = “small”

19 Claim: G nb has next-block pseudoentropy n +|h|+ 1 Proof: X = G nb (x,h) = Y obtained from X by replacing h(x) d(x)+1 with a uniform bit Advantages:   = output next-block pseudoentropy – output (real) entropy = 1  Output next-block pseudoentropy > input entropy  Pseudoentropy bound is known Our Next-Block Pseudoentropy Generator 19 f(x)h h(x) looks uniform to online observer n+|h| bits of entropy d(x)=log|f -1 (f(x))|

20 Shorter h 20 Cannot simply split h into pairs-wise ind. hash + hard core bit Hence, naïve implementation requires |h| 2 O(n 2 )  Does not effect the overall complexity Better codes achieve |h| 2 O(n)

21 Next-Block Pseudoentropy ! PRG … f(x 1 )h h(x 1 ) 21 n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h(x 2 )f(x t )h h(x t ) G nb (x t,h t )= G nb (x 2,h 2 )= G nb (x 1,h 1 )= G(x 1,h 1 …,x t,h t )  [BM, Yao, GGM]: Distinguisher for G ) next-bit predictor for G ) (hybrid) next-bit predictor for G nb ) G nb does not have high next-bit pseudoentropy  Seed length O(n 3 ), but construction is (highly) non-uniform  “Entropy equalization” ) uniform construction with seed length O(n 4 ) extractors …

22 Entropy Equalization 22 Task: Given X=(X 1 …X n ) with next-block-entropy k, construct X’ =(X’ 1 …X’ n’ ) for which  Y’=(Y’ 1 …Y’ n’ ) with 1. 8 i (X’ 1 …X’ i-1,X’ i ) ≈ C (X’ 1 …X’ i-1,Y’ i ) 2. 8 i H(Y’ i |X’ 1 …X’ i-1 ) = k/n - ± Y’ = (X (1) j,X (1) j+1 …X (1) n,X (2) 1, …X (t) j-n ) where j à [n] 8 i H(Y’ i |X’ 1 …X’ i-1 ) = k/n - k/(t-1)n X (1) 1 X (1) 2 …X (1) n X (1) 1 X (2) 2 …X (2) n … X (t) 1 X (t) n … jn-j A Very similar Idea used in the work of [HRVW 09] on Accessible Entropy

23 Conclusion: Simple form of PRGs in OWFs For OWF f:{0,1} n  {0,1} n & (appropriate) pair-wise independent hash function h:{0,1} n  {0,1} n  Has pseudoentropy in the eyes of an online distinguisher (i.e., next-bit pseudoentropy)  Question: do we need h at all? x f(x), h, h(x)

24 Open Questions Have we reached optimal seed length? Length-doubling PRG with low adaptivity

25 More Details

26 The Uniform Case 26 X = G nb (x,h)= (f(x),h,h(x)), Y = (f(x), h, h*(x)) h*(x) i =   i H(Y i |X 1 …X i-1 ) = n+|h|+1  8 i (X 1 …X i-1,X i ) ≈ C (X 1 …X i-1,Y i ) But Y might be distinguishable from X given oracle access to (X,Y)  Use Holenstein’s uniform hardcore lemma: For every distinguisher D, there exists a good Y D U i = d(x)+1, where d(x) = log|f -1 (f(x))| h(x) i o/w

27 The Uniform Case cont. 27 Lemma [Holenstein 05’]: Let g and b be eff. function and predicate over {0,1} t (1) Assume Pr[M(g(U t )) = b(U)] · 1- ± /2 for every eff. M Then, for every eff. M exists S ½ {0,1} t of density ± s.t (2) Pr x à S [M 1 S (g(x)) = b(x)] · ½ + neg(t) Let g(x,h,i) = f(x),h,h(x) 1…,i and b(x,h,i)= h(x) i+1, then (1) holds w.r.t. ± = (n-H(f(U n ))+1)/n For S ½ {0,1} n £ {h} £ [n] of density ±, let Y S =(f(x),h,h*(x)) where h*(x) i =   i H(Y S i |X 1 …X i-1 )  n+|h|+ 1  9 eff. M s.t |Pr[A X,Y S (X 1 …X i-1,X i )] =1]-Pr[A X,Y S (X 1 …X i-1,Y S i )] =1] ½ + neg U (x,h,i) 2 S h(x) i o/w

28 More Efficient Codes 28 We use C: {0,1} n  {0,1} poly(n), s.t 1. H = {h i : h i (x) = C(x) i } is (almost) pairwise independent 2. Efficient list decoding for distance (½ – 1/n) Question: find a pairwise code with (small) list decoding for distance (½ – 1/poly(n))

Download ppt "GOING DOWN HILL : EFFICIENCY IMPROVEMENTS IN CONSTRUCTING PSEUDORANDOM GENERATORS FROM ONE-WAY FUNCTIONS Iftach Haitner Omer Reingold Salil Vadhan."

Similar presentations

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University

Randomness Extractors & their Cryptographic Applications Salil Vadhan Harvard University
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.

Many-to-one Trapdoor Functions and their Relations to Public-key Cryptosystems M. Bellare S. Halevi A. Saha S. Vadhan.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann Institute Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.

Talk for Topics course. Pseudo-Random Generators pseudo-random bits PRG seed Use a short “ seed ” of very few truly random bits to generate a long string.
1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.

1 Reducing Complexity Assumptions for Statistically-Hiding Commitment Iftach Haitner Omer Horviz Jonathan Katz Chiu-Yuen Koo Ruggero Morselli Ronen Shaltiel.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.

1 Adam O’Neill Leonid Reyzin Boston University A Unified Approach to Deterministic Encryption and a Connection to Computational Entropy Benjamin Fuller.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.

F(x 1 )h h( x 1 ) 1 … n+|h|+ 1 bits of next-block pseudoentropy f(x 2 )h h( x 2 )f(x t )h h( x t ) g(x t,h t )= g(x 2,h 2 )= g(x 1,h 1 )= G(x 1,h 1 …,x.
Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.

Inaccessible Entropy Iftach Haitner Microsoft Research Omer Reingold Weizmann & Microsoft Hoeteck Wee Queens College, CUNY Salil Vadhan Harvard University.
The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.

The Many Entropies of One-Way Functions Thomas Holenstein Iftach Haitner Salil VadhanHoeteck Wee Joint With Omer Reingold.
Complexity Theory Lecture 11 Lecturer: Moni Naor.

Complexity Theory Lecture 11 Lecturer: Moni Naor.
Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.

Derandomized parallel repetition theorems for free games Ronen Shaltiel, University of Haifa.
Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.

Using Nondeterminism to Amplify Hardness Emanuele Viola Joint work with: Alex Healy and Salil Vadhan Harvard University.
Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 12 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.
On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

On the (Im)Possibility of Key Dependent Encryption Iftach Haitner Microsoft Research TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations

Ads by Google