Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters
Yu Yu, joint work with Xiangxue Li and Jian Weng
Asiacrypt 2013
SLIDE 1
SLIDE 2
One-way Functions
One-way functions are an ensemble of functions $\{f_n : \{0,1\}^n \to \{0,1\}^{l(n)}\}_{n \in \mathbb{N}}$ that are hard to invert, formalized as follows.
Simplifying notation: $f : \{0,1\}^n \to \{0,1\}^{l(n)}$.
Definition: $f$ is a $(t,\varepsilon)$-one-way function (OWF) if for all adversaries $A$ of running time $t$,
$\Pr_{y \leftarrow f(U_n)}[A(y) \in f^{-1}(y)] \le \varepsilon$.
Standard OWF: $t$ super-poly, $\varepsilon$ negl.
Folklore: OWFs can be assumed to be length-preserving, i.e., $l(n) = n$.
SLIDE 3
Regular Functions
$f$ is a regular function if for any $n$ the preimage size $\alpha = |f^{-1}(y)|$ is fixed (independent of $y$).
Known-regular function: a regular function $f$ whose regularity $\alpha$ is polynomial-time computable from the security parameter $n$.
Unknown-regular function: a regular function $f$ whose regularity $\alpha$ is inefficient to approximate from the security parameter $n$.
Note: a one-way permutation is a special known-regular function.
SLIDE 4
Pseudorandom Generators
$g : \{0,1\}^n \to \{0,1\}^{n+s}$ is a $(t,\varepsilon)$-pseudorandom generator (PRG) with stretch $s$ if for all distinguishers $D$ of running time $t$,
$|\Pr[D(g(U_n)) = 1] - \Pr[D(U_{n+s}) = 1]| \le \varepsilon$.
Standard PRG: $t$ super-poly, $\varepsilon$ negl; $U_n$ is the uniform distribution over $\{0,1\}^n$.
Distinguisher D
SLIDE 5
Entropies, computational and statistical distance
SLIDE 6
Leftover Hash Lemma
Informally: universal hash functions are good randomness extractors
SLIDE 7
Unpredictability Pseudoentropy (UP)
SLIDE 8
Goldreich-Levin Theorem
SLIDE 9
A Key Observation about Unpredictability Pseudoentropy
Unpredictability Pseudoentropy (UP): $X$ has $m$ bits of UP given $f(X)$ for $t$-time adversaries if every $A$ of running time $t$ wins the following game with probability no greater than $2^{-m}$.
The game between Challenger $C$ and Adversary $A$: $C$ samples $x \leftarrow X$, computes $y := f(x)$ and sends $y$ to $A$; $A$ replies with $x' \leftarrow A(y)$; $A$ wins iff $x' = x$.
Question: what is the UP of $X$ given $f(X)$ if $f$ is a $(t,\varepsilon)$-one-way, $2^k$-regular OWF, i.e. $|f^{-1}(y)| = 2^k$?
Observation: $X$ given $f(X)$ has $k + \log(1/\varepsilon)$ bits of UP.
Rationale: $\Pr[A(f(X)) \in f^{-1}(f(X))] \le \varepsilon$ implies $\Pr[A(f(X)) = X] \le \varepsilon \cdot 2^{-k}$.
SLIDE 10
The FIRST CONSTRUCTION (from known-regular OWF)
$g(x, h_1, h_2, h_c) = (h_1(f(x)), h_2(x), h_c(x), h_1, h_2, h_c)$
A complicated proof by Goldreich in Section 3.5.2 of
SLIDE 11
PRGs from Known-Regular OWFs by three extractions (a three-line proof)
Assumption: $f$ is $(t,\varepsilon)$-one-way and $2^k$-regular, i.e. $|f^{-1}(y)| = 2^k$.
Construction and Proof.
1. $H(f(X)) = n - k$: extract $(n - k)$ bits using $h_1$.
2. $H(X \mid f(X)) = k$ and $H^{\mathrm{up}}_t(X \mid f(X)) = k + \log(1/\varepsilon)$: extract $k$ bits using $h_2$.
3. Chain rule: $H^{\mathrm{up}}_t(X \mid f(X), h_2(X)) = \log(1/\varepsilon)$: extract $O(\log(1/\varepsilon))$ bits using the hard-core function $h_c$.
This completes the proof for the folklore construction, i.e. $g(x, h_1, h_2, h_c) = (h_1(f(x)), h_2(x), h_c(x), h_1, h_2, h_c)$ is a PRG.
Parameters: seed length linear in $n$, and a single call to $f$.
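A toy-scale walk through the three-extraction construction above, and of the UP observation two slides earlier, as an added example that is not part of the slides or the paper: the regular function, the GF(2)-linear hash family and all output lengths are assumptions chosen for illustration (the entropy-loss terms of the proof are ignored), and the toy f is not one-way; it only exercises the bookkeeping that the three-line proof relies on.

```python
# Added example (not from the slides): brute-force checks of the quantities behind
# the three-line proof -- regularity |f^{-1}(y)| = 2^k, H(f(X)) = n - k,
# H(X | f(X)) = k, the guessing bound Pr[A(f(X)) = X] <= 2^{-k} for any A --
# and one evaluation of g(x, h1, h2, hc) = (h1(f(x)), h2(x), hc(x), h1, h2, hc).
import random
from collections import Counter
from math import log2

def toy_regular_function(n, k, seed=1):
    """Constructed 2^k-regular f on n-bit inputs (NOT one-way): drop the low k
    bits, then permute the remaining n-k bits with a fixed random permutation."""
    rng = random.Random(seed)
    perm = list(range(1 << (n - k)))
    rng.shuffle(perm)
    return lambda x: perm[x >> k]

def preimage_sizes(f, n):
    """Set of |f^{-1}(y)| over the range of f; a regular f gives a single value."""
    return set(Counter(f(x) for x in range(1 << n)).values())

def entropies(f, n):
    """(H(f(X)), H(X | f(X))) in bits for X uniform on {0,1}^n, by enumeration."""
    counts = Counter(f(x) for x in range(1 << n))
    total = 1 << n
    h_fx = -sum(c / total * log2(c / total) for c in counts.values())
    h_x_given_fx = sum(c / total * log2(c) for c in counts.values())
    return h_fx, h_x_given_fx

def best_guess_probability(f, n):
    """Max over all adversaries of Pr[A(f(X)) = X]: the best A returns one element
    of f^{-1}(y), so it succeeds with probability sum_y Pr[y] / |f^{-1}(y)| = 2^-k."""
    counts = Counter(f(x) for x in range(1 << n))
    total = 1 << n
    return sum((c / total) * (1 / c) for c in counts.values())

def random_linear_hash(n, m, rng):
    """h(x) = A x over GF(2) for a random m x n bit matrix A.  The family is
    universal (Pr[h(x) = h(x')] = 2^-m for x != x'), which is what the Leftover
    Hash Lemma needs; h.rows is the description that g outputs alongside h(x)."""
    rows = [rng.getrandbits(n) for _ in range(m)]
    def h(x):
        out = 0
        for row in rows:                       # each output bit is <row, x> mod 2
            out = (out << 1) | (bin(row & x).count("1") & 1)
        return out
    h.rows, h.out_bits = rows, m
    return h

def folklore_prg(f, n, k, hc_bits, x, seed=7):
    """One evaluation of g.  Toy output lengths: h1 -> n-k bits from f(x),
    h2 -> k bits from x, hc -> hc_bits Goldreich-Levin inner-product bits <x, r_i>.
    Returns the tuple and the number of output bits beyond the hash descriptions."""
    rng = random.Random(seed)
    h1 = random_linear_hash(n, n - k, rng)
    h2 = random_linear_hash(n, k, rng)
    hc = random_linear_hash(n, hc_bits, rng)   # GL bits: random r_i per output bit
    out = (h1(f(x)), h2(x), hc(x), h1.rows, h2.rows, hc.rows)
    extracted_bits = h1.out_bits + h2.out_bits + hc.out_bits   # = n + hc_bits
    return out, extracted_bits

if __name__ == "__main__":
    n, k = 10, 3
    f = toy_regular_function(n, k)
    print("preimage sizes:", preimage_sizes(f, n))            # {8}, i.e. 2^k
    print("H(f(X)), H(X|f(X)):", entropies(f, n))             # (7.0, 3.0)
    print("best guessing probability:", best_guess_probability(f, n))  # 0.125
    out, bits = folklore_prg(f, n, k, 4, x=0b1011001110)
    print("bits extracted by h1, h2, hc:", bits)              # 14 = n + 4
```

The guessing bound is the $\varepsilon = 1$ case of the rationale on the UP slide: an unbounded inverter still cannot do better than $2^{-k}$ at recovering $X$ itself, and a $(t,\varepsilon)$-bounded one loses the extra factor $\varepsilon$.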
SLIDE 12
Tightening the security bounds
$g(x, h_1, h_2, h_c) = (h_1(f(x)), h_2(x), h_c(x), h_1, h_2, h_c)$
The proof for the 3rd extraction: consider $f'(x, h_2) = (f(x), h_2(x), h_2)$.
A tighter approach (use the tight version of Goldreich-Levin)?
1. $x$ is $\varepsilon$-hard to predict given $f'(x, h_2)$, i.e. $H^{\mathrm{up}}_t(X \mid f'(X, h_2)) = \log(1/\varepsilon)$; by the Goldreich-Levin Thm, $h_c(x)$ is $2^{m}(n^2\varepsilon)^{1/3}$-close to $U_m$ given $f'(x, h_2)$.
2. If $f'$ is an $\varepsilon'$-hard OWF, then $h_c(x)$ is $(2^{m}\varepsilon')$-close to $U_m$ given $f'(x, h_2)$.
Goldreich shows $\varepsilon' = O(\varepsilon^{1/5})$ in [Gol01, vol-1].
We show $\varepsilon' \le 3\varepsilon$ against $t$-time adversaries.
The idea: show $f'$ is almost 1-to-1, i.e. $H(f'(X, H_2) \mid H_2) \ge n - 1$.
SLIDE 13
The Second Construction (NEW, improving the Randomized Iterate)
SLIDE 14
The Randomized Iterate
Goldreich, Krawczyk and Luby (SICOMP 93): PRGs from known-regular OWFs with seed length $O(n^3)$.
Haitner, Harnik and Reingold (CRYPTO 2006): PRGs from unknown-regular OWFs with seed length $O(n \cdot \log n)$.
Figure (the iterate): $x \xrightarrow{f} y_1 = f(x) \xrightarrow{h_1} x_1 = h_1(y_1) \xrightarrow{f} y_2 = f(x_1) \xrightarrow{h_2} x_2 = h_2(y_2) \xrightarrow{f} y_3 = f(x_2) \to \cdots$
Output: $h_c(x), h_c(x_1), h_c(x_2), \ldots$
$h_1, h_2, \ldots$ are random pairwise independent hash functions; $h_c$ is a hard-core function.
SLIDE 15
Lower bounds by Holenstein and Sinha (FOCS 2012)
Asymptotic setting: any black-box construction of PRG must make $\Omega(n/\log n)$ calls to an arbitrary (including unknown-regular) OWF.
Concrete setting: any black-box construction of PRG must make $\Omega(n/\log(1/\varepsilon))$ calls to an arbitrary (including unknown-regular) $(t,\varepsilon)$-secure OWF.
SLIDE 16
PRGs from unknown-regular OWFs: a new construction
Assumption: $f$ is $(t,\varepsilon)$-one-way and $2^k$-regular ($k$ is unknown). The goal: a PRG construction oblivious of $k$. The idea: transform $f$ into a known-regular OWF.
Define $\bar f : Y \times \{0,1\}^n \to Y$, $\bar f(y, r) := f(y \oplus r)$, where $\oplus$ is bitwise XOR, $Y \subseteq \{0,1\}^n$ is the range of $f$, and the inputs are sampled as $y \leftarrow f(U_n)$, $r \leftarrow U_n$.
1. $\bar f$ is also a $(t,\varepsilon)$-one-way function.
2. $\bar f$ is a $2^n$-regular function, i.e. $|\bar f^{-1}(\bar f(y, r))| = 2^n$ regardless of $k$.
SLIDE 17
PRGs from unknown-regular OWFs: a new construction (cont'd)
Given a one-way function $\bar f : Y \times \{0,1\}^n \to Y$ with known pre-image size $2^n$. Similarly, $(Y, R)$ has $n + \log(1/\varepsilon)$ bits of UP given $\bar f(Y, R)$. We get a special PRG $g : Y \times \{0,1\}^n \to Y \times \{0,1\}^{n + \Omega(\log(1/\varepsilon))}$, where $Y := f(U_n)$. Done?
No: $n$ bits are needed to sample from $Y$ (i.e. $Y = f(U_n)$), so the stretch is $\Omega(\log(1/\varepsilon)) - n$. To make it positive: iterate $g$, gaining $\Omega(\log(1/\varepsilon))$ bits per iteration, so $\Theta(n/\log(1/\varepsilon))$ iterations suffice.
In summary: a PRG from any unknown-regular OWF with linear seed length (hybrid argument) and $\Theta(n/\log(1/\varepsilon))$ OWF calls.
Tight (Holenstein and Sinha, FOCS 2012): a BB construction of PRG requires $\Omega(n/\log(1/\varepsilon))$ OWF calls, and $\Omega(n/\log n)$ calls in general.
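The transform $\bar f(y, r) = f(y \oplus r)$ from the previous slide, used here as the building block, as an added example that is not from the slides or the paper: a constructed toy regular f (not one-way) and brute-force enumeration check that $\bar f$ is $2^n$-regular for every k and exercise the reduction that carries one-wayness from f to $\bar f$; names such as toy_regular_f and make_fbar are assumptions of this example.

```python
# Added example (not from the slides): brute-force check of the two properties
# claimed for fbar(y, r) := f(y XOR r) on Y x {0,1}^n, with a constructed toy
# 2^k-regular f (NOT one-way; it only exercises the counting):
#   1. every z in Y has exactly 2^n preimages under fbar, whatever k is, and
#   2. any inverter for fbar yields an inverter for f with the same success
#      probability (the reduction behind "fbar is also (t, eps)-one-way").
from collections import Counter

def toy_regular_f(n, k):
    """Constructed 2^k-regular function on n-bit inputs: drop the low k bits."""
    return lambda x: x >> k

def range_of(f, n):
    """Y = f({0,1}^n), the set the first argument of fbar is drawn from."""
    return sorted({f(x) for x in range(1 << n)})

def make_fbar(f):
    """fbar(y, r) = f(y XOR r) for y in Y and r in {0,1}^n; the output lies in Y."""
    return lambda y, r: f(y ^ r)

def fbar_preimage_sizes(f, n):
    """Set of |fbar^{-1}(z)| over z in Y.  Counting: |Y| * 2^k = 2^(n-k) * 2^k = 2^n."""
    fbar, Y = make_fbar(f), range_of(f, n)
    counts = Counter(fbar(y, r) for y in Y for r in range(1 << n))
    return set(counts.values())

def regularity_independent_of_k(n):
    """True iff fbar is 2^n-regular for every regularity k in 0..n of the toy f."""
    return all(fbar_preimage_sizes(toy_regular_f(n, k), n) == {1 << n}
               for k in range(n + 1))

def invert_f_via_fbar_inverter(fbar_inverter, z):
    """Reduction: from (y', r') with fbar(y', r') = z, x' = y' XOR r' satisfies
    f(x') = z, so an inverter for fbar inverts f with the same probability."""
    y_prime, r_prime = fbar_inverter(z)
    return y_prime ^ r_prime

def brute_force_fbar_inverter(f, n):
    """Toy 'adversary': exhaustive search over Y x {0,1}^n (stands in for any A)."""
    fbar, Y = make_fbar(f), range_of(f, n)
    def inverter(z):
        for y in Y:
            for r in range(1 << n):
                if fbar(y, r) == z:
                    return y, r
        raise ValueError("z is not in the range of fbar")
    return inverter

def reduction_inverts_f(n, k):
    """Check f(x') = f(x) for every x, using only the fbar inverter."""
    f = toy_regular_f(n, k)
    inv = brute_force_fbar_inverter(f, n)
    return all(f(invert_f_via_fbar_inverter(inv, f(x))) == f(x)
               for x in range(1 << n))

if __name__ == "__main__":
    print(fbar_preimage_sizes(toy_regular_f(6, 2), 6))  # {64}, i.e. 2^6
    print(regularity_independent_of_k(6))               # True
    print(reduction_inverts_f(6, 2))                    # True
```

Note that the one-wayness argument does not depend on the distribution of $y$ at all: for $r \leftarrow U_n$ the value $y \oplus r$ is uniform, so an $\bar f$-inverter that succeeds with probability $\varepsilon$ inverts $f$ on $f(U_n)$ with probability $\varepsilon$ and only an XOR of extra work.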
SLIDE 18
Summary
PRG from any known-regular $\varepsilon$-hard OWF: seed length $\Theta(n)$ and a single call to the underlying OWF.
PRG from any unknown-regular $\varepsilon$-hard OWF: seed length $\Theta(n)$ and $\Theta(n/\log(1/\varepsilon))$ OWF calls.
Question: remove the dependency on $\varepsilon$? Yes, by paying an extra factor in seed length and number of calls. Why? Due to the entropy loss of the Leftover Hash Lemma. Given the OWF (without knowing $\varepsilon$): run $q$ copies of $f$, extracting $2\log n$ hard-core bits per copy, followed by a single extraction with entropy loss set to $q \cdot \log n$.
Comparison table on the slide (only partly recoverable): rows for a 1-to-1 OWF $f : \{0,1\}^n \to \{0,1\}^n$, a known-regular $\varepsilon$-hard OWF and an unknown-regular $\varepsilon$-hard OWF; seed lengths $\Theta(n)$ and $O(n)$; OWF calls: a single call, $O(1)$ calls, $O(n/\log n)$ calls.
SLIDE 19
More details
Full version at eprint http://eprint.iacr.org/2013/270
SLIDE 20