On Pseudorandom Generators with Linear Stretch in NC^0 (slide transcript)


1 On Pseudorandom Generators with Linear Stretch in NC^0
Benny Applebaum, Yuval Ishai, Eyal Kushilevitz (Technion)
Foundations of Secure Multi-party Computation and Zero-knowledge and its Applications

2 Pseudorandom Generator (PRG)
(Figure: a random source feeds a seed U_in into G; a poly-time machine receives either G(U_in) or a uniform U_out and must answer "pseudorandom or random?". The stretch is the output length minus the seed length.)

3 PRG: Parallelism vs. Stretch
(Chart: complexity classes poly-time, NC, log-space, NC^1, AC^0, NC^0 (with locality ℓ) against stretch sub-linear / linear / super-linear.)
Motivation: parallel implementation of crypto tasks (e.g., stream ciphers, Naor's commitment).

4 Previous Work
Positive results:
- Super-linear PRG from any PRG [Goldreich Micali 84]
- Super-linear PRG in NC^1 from factoring [Naor Reingold Rosen 02, NR 97]
- Sub-linear PRG in AC^0 from subset sum [Impagliazzo Naor 89]
- Heuristic super-linear PRG in NC^0_5 [Mossel Shpilka Trevisan 03]
- Sub-linear PRG in NC^0_4 from any PRG in NC^1 [AIK 04]
- Sub-linear PRG in NC^0_3 from decoding random linear codes [AIK]
- Linear PRG in NC^0_4 from a linear PRG in NC^0 [AIK 04]
Negative results:
- No PRGs in NC^0_2 [Goldreich 00, Cryan Miltersen 01]
- No super-linear PRG in NC^0_3 or NC^0_4 [CM 01, Mossel Shpilka Trevisan 03]
- A sub-linear PRG does not yield a linear PRG by black-box constructions [Viola 05]
(Chart: complexity NC^0_2, NC^0_3, NC^0_4, NC^0, AC^0, NC^1, P against stretch sub-linear / linear / super-linear, with cells marked "PRG", "factoring", "subset sum / random linear code", "impossible", "BB"; the linear-stretch NC^0 cell is marked Open.)

5 Main Results
- Algebraic assumption of [Alekhnovich 03] ⇒ LPRG (linear-stretch PRG) in NC^0
- LPRG in NC^0 ⇒ inapproximability of MAX 3SAT
Conclusion: algebraic assumption of [Alekhnovich 03] ⇒ inapproximability of MAX 3SAT. (Already proven directly by [Alekhnovich 03].)
(Chart: the same complexity-vs-stretch grid as the previous slide.)

6 Talk Outline
- LPRG in NC^0 ⇒ inapproximability of MAX 3SAT
- Construction of LPRG in NC^0
  - Take 1: good stretch, bad locality
  - Take 2: bad stretch, good locality
  - Regaining the stretch via ε-biased generators
  - A uniform version of the construction
- Conclusions and open questions

7 Cryptography and Inapproximability
- Hardness of refuting random 3SAT ⇒ new inapproximability results [Feige 02]
- Hardness of determining the number of satisfiable equations in a random linear system ⇒ Feige's assumption + new results [Alekhnovich 03]
- Approximation algorithm for MAX 2LIN ⇒ upper bound on the stretch of PRGs in NC^0_4 [Mossel Shpilka Trevisan 03]
These connections do not rely on a standard crypto primitive.

8 NC^0 Crypto and Inapproximability
k-Constraint Satisfaction Problem (k-CSP): a list of constraints over n variables x_1, …, x_n, each constraint involving k of the variables (e.g. x_1 + x_3 + x_5 = 0 over GF(2)). Q: how many of the constraints can be satisfied simultaneously?
Corollary of the PCP theorem [ALMSS, AS 92]: if P ≠ NP then one cannot distinguish a satisfiable 3-CSP from an ε-unsatisfiable 3-CSP (one in which every assignment violates at least an ε fraction of the constraints).
Current work: if there is a linear-stretch PRG in NC^0 then one cannot distinguish a satisfiable 3-CSP from an ε-unsatisfiable 3-CSP.

9 LPRG in NC^0 ⇒ Inapproximability
Thm. If $G:\{0,1\}^n \to \{0,1\}^s$ is a PRG in NC^0_k and $s - n = \Omega(n)$, then there exists $\varepsilon > 0$ such that satisfiable k-CSP and ε-unsatisfiable k-CSP are indistinguishable.
Proof: a k-CSP distinguisher gives a distinguisher for the PRG. Given $y \in \{0,1\}^s$, form the k-CSP $\Phi_y = \{G_1(x) = y_1,\ G_2(x) = y_2,\ \dots,\ G_s(x) = y_s\}$; each constraint involves k variables because each output bit $G_i$ depends on at most k input bits.
- If $y \leftarrow G(U_n)$ then $\Phi_y$ is satisfiable (there is an x with $G(x) = y$).
- If $y \leftarrow U_s$ then (w.h.p.) $\Phi_y$ is ε-unsatisfiable.
So feeding $\Phi_y$ to the CSP distinguisher and answering "yes" on "satisfiable", "no" on "ε-unsat", distinguishes $G(U_n)$ from $U_s$.
(Figure: y is routed through the k-CSP $\{G_i(x) = y_i\}$ into the distinguisher A, which answers yes/no.)

10 LPRG in NC^0 ⇒ Inapproximability (cont.)
Claim: if $y \leftarrow U_s$ then (w.h.p.) $\Phi_y$ is ε-unsatisfiable.
Proof: if $\Phi_y$ is not ε-unsat, there is an x whose output $G(x)$ agrees with y on more than a $(1-\varepsilon)$ fraction of the coordinates, i.e. $\delta_H(y, G(x)) < \varepsilon s$ (Hamming distance). Hence
$$\Pr[\Phi_y \text{ not } \varepsilon\text{-unsat}] = \Pr[\delta_H(y, \mathrm{Image}(G)) < \varepsilon s] \le \frac{|\mathrm{Image}(G)| \cdot \mathrm{Vol}(s, \varepsilon s)}{2^s} \le 2^{\,n + H(\varepsilon) s - s} = \mathrm{neg}(n),$$
where $\mathrm{Vol}(s, \varepsilon s) \le 2^{H(\varepsilon) s}$ is the number of strings in $\{0,1\}^s$ within Hamming distance $\varepsilon s$ of a fixed string, $|\mathrm{Image}(G)| \le 2^n$, and $s = n + \Omega(n)$. The final step needs ε small enough that $H(\varepsilon) < (s-n)/s$: then the εs-balls around the image cover only a negligible fraction of $\{0,1\}^s$.
(Figure: the εs-ball around G(x) inside $\{0,1\}^s$; a uniform y lands outside all such balls w.h.p.)
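The reduction of the two slides above, as an added example that is not part of the original deck: a toy NC^0_2 map G (constructed here; it is not a PRG and only illustrates the shape of the reduction) is turned into the CSP Φ_y = {G_i(x) = y_i}, brute force computes how many of its constraints can be met, and the fraction of y with a satisfiable Φ_y comes out as |Image(G)|/2^s, the first factor in the counting bound. The names G, csp_from_output, max_satisfiable, classify and satisfiable_fraction are this example's own.

```python
from itertools import product

# Toy NC^0_2 map G: {0,1}^3 -> {0,1}^5, constructed for this example.  Each output
# bit is (indices of the inputs it reads, predicate on those bits).  It is NOT a
# PRG; it only shows how an NC^0 map becomes a k-CSP with k = locality.
G = [
    ((0, 1), lambda a, b: a ^ b),
    ((1, 2), lambda a, b: a ^ b),
    ((0, 2), lambda a, b: a ^ b),
    ((0, 1), lambda a, b: a & b),
    ((1, 2), lambda a, b: a | b),
]
N_IN = 3


def locality(gen):
    """k such that gen is in NC^0_k: the most input bits any output bit reads."""
    return max(len(idx) for idx, _ in gen)


def evaluate(gen, x):
    return tuple(pred(*[x[i] for i in idx]) for idx, pred in gen)


def csp_from_output(gen, y):
    """Phi_y = {G_i(x) = y_i}: one k-ary constraint per output bit of gen."""
    return [(idx, pred, y_i) for (idx, pred), y_i in zip(gen, y)]


def satisfied(csp, x):
    return sum(pred(*[x[i] for i in idx]) == y_i for idx, pred, y_i in csp)


def max_satisfiable(csp, n):
    """Brute force over all 2^n assignments (toy sizes only)."""
    return max(satisfied(csp, x) for x in product((0, 1), repeat=n))


def classify(gen, n, y, eps):
    """The distinguisher's view of Phi_y: 'satisfiable' if all s constraints can be met,
    'eps-unsat' if every assignment violates at least eps*s of them, else 'neither'."""
    s = len(y)
    best = max_satisfiable(csp_from_output(gen, y), n)
    if best == s:
        return "satisfiable"
    if s - best >= eps * s:
        return "eps-unsat"
    return "neither"


def satisfiable_fraction(gen, n, s):
    """Fraction of y in {0,1}^s whose Phi_y is satisfiable = |Image(G)| / 2^s,
    the |Image(G)| / 2^s factor of the counting bound on slide 10."""
    image = {evaluate(gen, x) for x in product((0, 1), repeat=n)}
    return len(image) / 2 ** s
```

For y = G(1,0,1) = (1,1,0,0,1) the CSP is satisfiable; for y = (1,1,1,0,0) the three parity constraints cannot all hold (they sum to zero), so at most 4 of 5 constraints are met. Only 7 of the 32 strings in {0,1}^5 lie in the image, which is the size gap the real theorem exploits with s = n + Ω(n).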

11 LPRG in NC^0 ⇒ Inapproximability
Q: So what?
A: It explains why it is hard to construct LPRGs in NC^0. We have an excuse…

12 Talk Outline (repeated; next section: Construction of LPRG in NC^0)

13 LPRG Construction: Take 1
Distribution C(M, μ): M·x + e, where M is a fixed binary ℓ-sparse m×n matrix with m = kn (each row has ℓ ones), x is a random n-bit vector, and e is a random error vector of weight μ·m.
Assumption 1 [Alekhnovich 03]: for any constants k, ℓ and 0 < μ < 1, and any family of kn×n ℓ-sparse matrices M_n, if M_n is expanding then C(M_n, μ) ≈_c C(M_n, μ + 1/kn).
Lemma [Alek 03]: Assumption 1 ⇒ C(M_n, μ) is pseudorandom (indistinguishable from the uniform distribution U_m).
Pros: high (linear) stretch: input n + mH(μ) bits (x plus the randomness needed for a weight-μm error vector), output m bits; M·x is samplable in NC^0_ℓ, since each output bit is the parity of ℓ input bits.
Con: how to sample the fixed-weight noise vector e in NC^0?

14 LPRG Construction: Take 2
Distribution D(M, μ): M·x + e as before, but with i.i.d. noise: each bit of e is 1 with probability μ.
Assumption 2: for any constants k, ℓ and 0 < μ < 1, and any family M_n of kn×n ℓ-sparse matrices, if M_n is expanding then D(M_n, μ) ≈_c D(M_n, μ + 1/kn).
Assumption 1 ⇒ Assumption 2.
Lemma: Assumption 2 ⇒ D(M_n, μ) is pseudorandom.

15 Sampling D(M, μ) in NC^0
For μ = 1/2^t, e can be sampled in NC^0_t: take y ← U_{mt}, split it into m blocks of t bits, and set e_i = AND of the i-th block.
Problem: no expansion: mt + n input bits (y and x) but only m output bits.
Observation: y has large entropy even when e is given.
Solution: extract more random bits from y: almost all bits of y, in NC^0, using fewer than m extra bits. Tool: an NC^0 ε-biased generator.
(Figure: y (mt bits) → e (m bits) → Mx + e; the ℓ-sparse M acts on x.)

16 Regaining the Stretch
Let [y|e] be the distribution of y (the mt bits used to sample e, t bits per block) given e.
Lemma 1 (High entropy): except with probability $\exp(-\Omega(m/2^t))$ over e, $H_\infty([y|e]) \ge mt\,(1 - 2^{-\Omega(t)})$.
Proof:
- $e_i = 1$ ⇒ the i-th block of y is $1^t$.
- $e_i = 0$ ⇒ the i-th block of y is uniform over $\{0,1\}^t \setminus \{1^t\}$.
- If e has z zeroes then [y|e] is uniform over a set of size $(2^t - 1)^z$.
- By Chernoff, $\Pr[\#1\text{'s in } e > 2m/2^t] < \exp(-\Omega(m/2^t))$.
- Hence, with probability $1 - \exp(-\Omega(m/2^t))$, $\#0\text{'s in } e \ge m(1 - 2^{-(t-1)})$ and [y|e] is uniform over a set of size at least $(2^t - 1)^{m(1 - 2^{-t+1})}$, so $H_\infty([y|e]) \ge m(1 - 2^{-t+1}) \log_2(2^t - 1) \ge mt\,(1 - 2^{-\Omega(t)})$.
(Figure: y split into m blocks of t bits, each block mapped to one bit of e.)

17 ε-biased generators
ε-biased generator [Naor Naor 90]: $g:\{0,1\}^n \to \{0,1\}^s$ such that for every linear distinguisher L (a parity of a nonempty subset of the output bits), $|\Pr[L(g(U_n)) = 1] - \Pr[L(U_s) = 1]| \le \varepsilon$.
(Figure: the PRG picture of slide 2, with the distinguisher restricted to linear functions.)

18 Extraction via ε-biased generators
Lemma 2 (Extraction) [Alon Roichman 94, Goldreich Wigderson 97]: let $g:\{0,1\}^n \to \{0,1\}^s$ be an ε-biased generator and let $X_s$ be a distribution over $\{0,1\}^s$ with entropy deficiency $s - H_\infty(X_s) \le \Delta$. Then $\mathrm{SD}(g(U_n) \oplus X_s,\ U_s) \le \varepsilon \cdot 2^{(\Delta - 1)/2}$.
Lemma 3 (ε-biased generators in NC^0) [Mossel Shpilka Trevisan 03]: for every constant c there is an ε-biased generator $g:\{0,1\}^n \to \{0,1\}^{cn}$ with bias $\varepsilon = 2^{-n/\mathrm{poly}(c)}$ in NC^0_5.

19 Wrapping Up
1. $\Pr_e\big[H_\infty([y|e]) \ge mt\,(1 - \mathrm{neg}(t))\big] > 1 - \mathrm{neg}(m)$ (Lemma 1).
2. For every c there is $g:\{0,1\}^{mt/c} \to \{0,1\}^{mt}$ with bias $2^{-mt/\mathrm{poly}(c)}$ in NC^0_5 [MST 03].
3. Pick $r \leftarrow U_{mt/c}$; then $g(r) + [y|e]$ is close to uniform. By Lemma 2 [Alon Roichman 94, Goldreich Wigderson 97] the distance is at most $\mathrm{neg}(m) + 2^{-mt/\mathrm{poly}(c) + mt \cdot \mathrm{neg}(t)} = \mathrm{neg}(m)$ for proper constants t, c (t large enough relative to c that the entropy deficiency $mt \cdot \mathrm{neg}(t)$ is dominated by $mt/\mathrm{poly}(c)$).
(Figure: y (m blocks of t bits) → e; g(r) + y is output next to e and is labelled "uniform".)
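The extraction step of items 1 to 3 above, as an added example that is not part of the original deck. It enumerates the support of [y|e] for a fixed e (block i of y is 1^t exactly when e_i = 1), takes its min-entropy, measures the bias of a stand-in g by brute force over all linear tests (Naor–Naor convention, |Pr[L = 1] − Pr[L = 0]|, under which Lemma 2's bound SD ≤ ε·2^{(Δ−1)/2} holds), and computes the exact statistical distance of g(r) ⊕ [y|e] from uniform. The stand-in g is a seeded random table, not the NC^0_5 generator of [MST03]; m = 6, t = 2 and the 8-bit seed are this example's choices, at which g cannot also provide stretch.

```python
import math
import random
from collections import Counter
from itertools import product

M_BLOCKS, T = 6, 2        # m noise blocks of t bits each, so y has B = m*t bits
B = M_BLOCKS * T          # output length of g (12)
A = 8                     # seed length of the stand-in g (the deck's g uses mt/c bits)

rng = random.Random(2006)
# Stand-in for g: a seeded random table {0,1}^A -> {0,1}^B.  Constructed for this
# example; it is neither NC^0 nor proven small-bias -- its bias is measured below.
G_TABLE = [rng.getrandbits(B) for _ in range(1 << A)]
PARITY = [bin(v).count("1") & 1 for v in range(1 << B)]


def bias(table, out_bits):
    """Naor-Naor bias: max over nonempty linear tests L of |Pr[L(g)=1] - Pr[L(g)=0]|."""
    worst = 0.0
    for L in range(1, 1 << out_bits):
        ones = sum(PARITY[L & v] for v in table)
        worst = max(worst, abs(2.0 * ones / len(table) - 1.0))
    return worst


def y_support_given_e(e, t):
    """Support of [y|e]: block i of y is 1^t when e_i = 1 and any other t-bit
    block when e_i = 0 (block i occupies bits t*i .. t*i+t-1 of y)."""
    full = (1 << t) - 1
    choices = [[full] if e_i else [v for v in range(1 << t) if v != full] for e_i in e]
    support = []
    for blocks in product(*choices):
        y = 0
        for i, blk in enumerate(blocks):
            y |= blk << (t * i)
        support.append(y)
    return support


def min_entropy_bits(support_size):
    """H_inf of the uniform distribution on a set: log2 of its size (Lemma 1's count)."""
    return math.log2(support_size)


def stat_dist_from_uniform(dist, out_bits):
    total = sum(dist.values())
    u = 1.0 / (1 << out_bits)
    return 0.5 * sum(abs(dist.get(z, 0) / total - u) for z in range(1 << out_bits))


def extraction_check(e, t=T, table=G_TABLE, out_bits=B):
    """Lemma 2 on X = [y|e]: returns (eps, delta, sd_before, sd_after, bound) where
    sd_before is the distance of [y|e] itself from uniform, sd_after that of
    g(U_A) xor [y|e], and bound = eps * 2^((delta-1)/2)."""
    ys = y_support_given_e(e, t)
    delta = out_bits - min_entropy_bits(len(ys))
    eps = bias(table, out_bits)
    sd_before = stat_dist_from_uniform(Counter(ys), out_bits)
    mixed = Counter(g ^ y for g in table for y in ys)
    sd_after = stat_dist_from_uniform(mixed, out_bits)
    return eps, delta, sd_before, sd_after, eps * 2 ** ((delta - 1) / 2)
```

With e = (0,0,1,0,0,0) the support of [y|e] has 3^5 = 243 of the 4096 strings, so on its own it is at statistical distance 1 − 243/4096 ≈ 0.94 from uniform; after XOR with g(r) the distance drops below the Lemma 2 bound, which is what lets the construction reuse almost all of y as output.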

20 Wrapping Up (figure only: the diagram of the previous slide, y → e and g(r) + y, with the output marked uniform)

21 Our Generator
Input: x ← U_n, y ← U_{tm}, r ← U_{tm/c}. Compute e from y (e_i = AND of the i-th t-bit block of y), so M·x + e is distributed as D(M, μ) with μ = 2^{-t}. Output (M·x + e, g(r) + y).
Let m = kn. Input length: n + tm + tm/c = n(1 + tk + tk/c). Output length: m + tm = n(k + tk).
For constant k and good constants c, t this has linear stretch: the output exceeds the input by n(k − 1 − tk/c), which is Ω(n) whenever c > tk/(k − 1).
M·x + e is pseudorandom by Assumption 2 (D(μ, M) ≈_c uniform), and g(r) + y is close to uniform even given e by the extraction lemma.
(Figure: x → M·x, y → e, both summed; r → g(r), added to y; outputs labelled uniform.)
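The generator of this slide, as an added example that is not part of the original deck: a random ℓ-sparse matrix M stands in for the expanding family of Assumption 2, the noise bit e_i is the AND of the i-th t-bit block of y, and a placeholder map of locality 5 stands in for the NC^0_5 ε-biased generator of [MST03] (its locality is respected, its bias guarantee is not). lengths_take2 and lengths reproduce the input/output counting of slides 15 and 21; sparse_matrix, placeholder_g_spec, noise_vector, generator, locality and demo are this example's names.

```python
import random


def sparse_matrix(m, n, ell, rng):
    """Fixed m x n binary matrix with exactly ell ones per row, stored as the
    column indices of each row.  A random sparse matrix is a stand-in here;
    the deck's assumption needs an expanding family."""
    return [sorted(rng.sample(range(n), ell)) for _ in range(m)]


def noise_bit(block):
    """e_i = AND of the t bits of block i: Pr[e_i = 1] = 2^-t, computable in NC^0_t."""
    return int(all(block))


def noise_vector(y, t):
    return [noise_bit(y[t * i:t * (i + 1)]) for i in range(len(y) // t)]


def placeholder_g_spec(seed_len, out_len, rng):
    """Stand-in for the NC^0_5 eps-biased generator of [MST03]: each output bit
    reads 5 seed positions.  Locality 5 is respected; the bias bound is NOT."""
    return [rng.sample(range(seed_len), 5) for _ in range(out_len)]


def eval_g(spec, r):
    # output_j = r[a] ^ r[b] ^ r[c] ^ (r[d] & r[e]): a nonlinear map of locality 5
    return [r[a] ^ r[b] ^ r[c] ^ (r[d] & r[e]) for a, b, c, d, e in spec]


def generator(M, g_spec, t, x, y, r):
    """Output (M x + e, g(r) + y) over GF(2), with e_i the AND of block i of y."""
    m = len(M)
    assert len(y) == t * m, "y must supply t bits per row of M"
    e = noise_vector(y, t)
    mx_plus_e = [(sum(x[j] for j in M[i]) + e[i]) & 1 for i in range(m)]
    gr_plus_y = [a ^ b for a, b in zip(eval_g(g_spec, r), y)]
    return mx_plus_e + gr_plus_y


def locality(M, g_spec, t):
    """Each bit of Mx+e reads ell x-bits and the t y-bits of its block; each bit
    of g(r)+y reads the seed bits of g plus one y-bit."""
    return max(max(len(row) for row in M) + t, max(len(s) for s in g_spec) + 1)


def lengths_take2(n, k, t):
    """Take 2 alone (slide 15): n + t*m input bits, m output bits -- no expansion."""
    m = k * n
    return n + t * m, m


def lengths(n, k, t, c):
    """Slide 21: input n + tm + tm/c = n(1 + tk + tk/c), output m + tm = n(k + tk)."""
    m = k * n
    return n + t * m + (t * m) // c, m + t * m


def demo(n=8, k=3, ell=3, t=2, c=4, seed=2006):
    """Constructed instance with k=3, t=2, c=4: linear stretch needs c > tk/(k-1) = 3."""
    rng = random.Random(seed)
    m = k * n
    M = sparse_matrix(m, n, ell, rng)
    g_spec = placeholder_g_spec(t * m // c, t * m, rng)
    x = [rng.getrandbits(1) for _ in range(n)]
    y = [rng.getrandbits(1) for _ in range(t * m)]
    r = [rng.getrandbits(1) for _ in range(t * m // c)]
    return {"M": M, "g_spec": g_spec, "x": x, "y": y, "r": r,
            "out": generator(M, g_spec, t, x, y, r),
            "locality": locality(M, g_spec, t),
            "lengths": lengths(n, k, t, c)}
```

With n = 8, k = 3, t = 2, c = 4 the Take 2 generator alone maps 56 bits to 24, while the full construction maps 68 bits to 72 with every output bit reading at most 6 input bits; real parameters are asymptotic, but the arithmetic is the one on the slide.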

22 LPRG in Uniform NC^0
Non-uniform advice used so far:
1. M_n, a family of unbalanced constant-degree bipartite expanders.
2. For every c, a generator g:{0,1}^n → {0,1}^{cn} with bias ε = 2^{-n/poly(c)} in non-uniform NC^0_5 [MST03].
Uniform implementation:
1. M_n = an explicit family of unbalanced constant-degree bipartite expanders [Capalbo Reingold Vadhan Wigderson 02].
2. Prove a uniform version of MST: for every c, a generator g:{0,1}^n → {0,1}^{cn} with bias ε = 2^{-n/polylog(c)} in uniform NC^0_{polylog(c)}. (The construction again uses [Capalbo Reingold Vadhan Wigderson 02].)

23 Talk Outline (repeated; next section: Conclusions and open questions)

24 Open Questions
Q: Can we compile a high-stretch PRG in a "relatively high" complexity class (e.g., NC^1) into an LPRG in NC^0?

25 Open Questions (cont.)
Q: Can we compile a high-stretch PRG in a "relatively high" complexity class (e.g., NC^1) into an LPRG in NC^0?
A: Maybe, but the compiler must be "combinatorially interesting".

26 The Necessity of Expansion
Let $G:\{0,1\}^n \to \{0,1\}^s$ be an ε-strong PRG, i.e. for any efficient A, $\mathrm{adv}_A(G(U_n), U_s) < \varepsilon$. View G as a bipartite graph with n input nodes and s output nodes, with an edge wherever an output bit depends on an input bit.
Claim: any set T of outputs of size $k < \log(1/\varepsilon)$ touches at least k inputs. Hence the graph is expanding.
Proof: otherwise $y_T$ (the output bits in T) is a function of fewer than k input bits, so for some $z \in \{0,1\}^k$, $\Pr[y_T = z] = 0$ when $y \leftarrow G(U_n)$, whereas $\Pr[y_T = z] = 2^{-k} > \varepsilon$ when $y \leftarrow U_s$; the efficient test "is $y_T = z$?" then distinguishes with advantage at least ε.
- If G is not in NC^0 ⇒ the graph has non-constant degree ⇒ trivial!
- If G has small stretch ⇒ trivial!
- G in NC^0 with linear stretch ⇒ non-trivial expansion.
By the disperser lower bounds of [Radhakrishnan, Ta-Shma]: if $\varepsilon = 2^{-k}$ then locality $\ge \Omega\big(\log(s/k) / \log(n/k)\big)$.
Corollary: no $2^{-\Omega(n)}$-strong PRG with super-linear stretch in NC^0.
(Figure: n input nodes on the left, s output nodes on the right, with the dependency edges.)

27 Open Questions
- PRG with super-linear stretch in NC^0, or even in AC^0?
- LPRG in NC^0_3?
- LPRG in NC^0 under standard assumptions?
- Sub-linear PRG in NC^0 ⇒ LPRG? (Easy: a linear-stretch PRG yields a super-linear-stretch PRG in NC^1.)
- More inapproximability from crypto:
  - Not hard to extend the results to other primitives.
  - Get inapproximability results that do not follow from PCP.
  - Use more standard assumptions.
(Chart: the complexity-vs-stretch grid of slide 4, with the linear-stretch NC^0 cell marked Open.)

28 Thank You !

