Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters
Yu Yu
Joint work with Xiangxue Li and Jian Weng
Asiacrypt 2013
One-way Functions
One-way functions are an ensemble of functions $\{f_n:\{0,1\}^n\to\{0,1\}^{l(n)}\}_{n\in\mathbb{N}}$ that are hard to invert, as formalized below. Simplifying notation: $f:\{0,1\}^n\to\{0,1\}^{l(n)}$.
Definition: $f$ is a $(t,\epsilon)$-one-way function (OWF) if for all adversaries $A$ of running time $t$,
$$\Pr_{y\leftarrow f(U_n)}\big[A(y)\in f^{-1}(y)\big]\le\epsilon.$$
Standard OWF: $t$ super-poly, $\epsilon$ negl.
Folklore: OWFs can be assumed to be length-preserving, i.e., $l(n)=n$.
Regular Functions
$f$ is a regular function if for any $n$ the preimage size $\alpha=|f^{-1}(y)|$ is fixed (independent of $y$).
Known-regular function: a regular function $f$ whose regularity $\alpha$ is polynomial-time computable from the security parameter $n$.
Unknown-regular function: a regular function $f$ whose regularity $\alpha$ is inefficient to approximate from the security parameter $n$.
Note: a one-way permutation is a special known-regular function.
Pseudorandom Generators
$g:\{0,1\}^n\to\{0,1\}^{n+s}$ is a $(t,\epsilon)$-pseudorandom generator (PRG) with stretch $s$ if for all distinguishers $D$ of running time $t$,
$$\big|\Pr[D(g(U_n))=1]-\Pr[D(U_{n+s})=1]\big|\le\epsilon,$$
where $t$ is super-poly, $\epsilon$ is negl, and $U_n$ is the uniform distribution over $\{0,1\}^n$.
Entropies, computational and statistical distance
Leftover Hash Lemma Informally: universal hash functions are good randomness extractors
Unpredictability Pseudoentropy (UP)
Goldreich-Levin Theorem
A Key Observation about Unpredictability Pseudoentropy
Unpredictability Pseudoentropy (UP): $X$ has $m$ bits of UP given $f(X)$ for $t$-time adversaries if every $A$ of running time $t$ wins the following game with probability no greater than $2^{-m}$.
The game: the challenger $C$ samples $x\leftarrow X$, sets $y:=f(x)$ and sends $y$ to the adversary $A$; $A$ replies with $x'=A(y)$; $A$ wins iff $x'=x$.
Question: what is the UP of $X$ given $f(X)$ if $f$ is a $(t,\epsilon)$-OWF that is $2^k$-regular, i.e. $|f^{-1}(y)|=2^k$?
Observation: $X$ given $f(X)$ has $k+\log(1/\epsilon)$ bits of UP.
Rationale: $\Pr[A(f(X))=X]=2^{-k}\cdot\Pr[A(f(X))\in f^{-1}(f(X))]\le 2^{-k}\cdot\epsilon$ (given $f(X)=y$, $X$ is uniform over the $2^k$ preimages of $y$).
The FIRST CONSTRUCTION (from known-regular OWF)
$$g(X,h_1,h_2,h_c)=(h_1(f(X)),\,h_2(X),\,h_c(X),\,h_1,\,h_2,\,h_c)$$
A complicated proof by Goldreich in Section 3.5.2 of [Gol01, vol-1].
PRGs from Known-Regular OWFs by three extractions (a three-line proof)
Assumption: $f$ is $(t,\epsilon)$-one-way and $2^k$-regular, i.e. $|f^{-1}(y)|=2^k$.
Construction and proof:
1. $H_\infty(f(X))=n-k$: extract $n-k$ bits using $h_1$.
2. $H_\infty(X\mid f(X))=k$: extract $k$ bits using $h_2$.
3. Chain rule: $H^{t}_{\mathrm{up}}(X\mid f(X))\ge k+\log(1/\epsilon)$ implies $H^{t}_{\mathrm{up}}(X\mid f(X),h_2(X))\ge\log(1/\epsilon)$: extract $O(\log(1/\epsilon))$ bits using the hard-core function $h_c$.
This completes the proof for the folklore construction, i.e. $g(X,h_1,h_2,h_c)=(h_1(f(X)),h_2(X),h_c(X),h_1,h_2,h_c)$ is a PRG.
Parameters: seed length linear in $n$, and a single call to $f$.
Tightening the security bounds
$$g(x,h_1,h_2,h_c)=(h_1(f(x)),\,h_2(x),\,h_c(x),\,h_1,\,h_2,\,h_c)$$
The proof for the 3rd extraction: consider $f'(x,h_2)=(f(x),h_2(x),h_2)$.
$x$ is $\epsilon$-hard to predict given $f'(x,h_2)$, i.e. $H^{t}_{\mathrm{up}}(X\mid f'(X,H_2))\ge\log(1/\epsilon)$.
By the Goldreich-Levin theorem, $h_c(x)$ is $2^{m}\cdot\epsilon^{1/3}$-close to $U_m$ given $f'(x,h_2)$.
A tighter approach (use the tight version of Goldreich-Levin)? If $f'$ is an $\epsilon'$-hard OWF, then $h_c(x)$ is $(2^{m}\cdot\epsilon')$-close to $U_m$ given $f'(x,h_2)$.
1. Goldreich shows $\epsilon'=O(\epsilon^{1/5})$ in [Gol01, vol-1].
2. We show $\epsilon'\le 3\epsilon$ against $t$-time adversaries; the idea: show that $f'$ is almost 1-to-1, i.e. $H_2(f'(X,H_2)\mid H_2)\ge n-1$.
The Second Construction (NEW, improving the Randomized Iterate)
The Randomized Iterate
Goldreich, Krawczyk and Luby (SICOMP 93): PRGs from known-regular OWFs with seed length $O(n^3)$.
Haitner, Harnik and Reingold (CRYPTO 2006): PRGs from unknown-regular OWFs with seed length $O(n\cdot\log n)$.
The iterate: $y_1=f(x)$, $x_1=h_1(y_1)$, $y_2=f(x_1)$, $x_2=h_2(y_2)$, $y_3=f(x_2)$, $\ldots$
Output: $h_c(x),\,h_c(x_1),\,h_c(x_2),\,\ldots$
$h_1,h_2,\ldots$ are random pairwise-independent hash functions; $h_c$ is a hard-core function.
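The following is an added example (not code from the paper or from the authors) that wires up, at toy scale, both the three-extraction construction $g(x,h_1,h_2,h_c)=(h_1(f(x)),h_2(x),h_c(x),h_1,h_2,h_c)$ from the known-regular slide and the randomized iterate described above. The function `f` is a constructed $2^K$-regular toy (it zeroes the $K$ low bits) and is not one-way; the pairwise-independent hashes are random affine maps over GF(2) and the hard-core function is the Goldreich-Levin inner-product function. Names such as `prg_known_regular`, `randomized_iterate` and `demo` are this example's own. What the code shows is the accounting the slides rely on: $n-k$ bits from $f(x)$, $k$ bits from $x$, $m$ hard-core bits, all from one call to $f$, versus one hard-core block per call in the iterate.

```python
import random
from collections import Counter

N = 8   # input length n (tiny toy size; the toy f below is NOT one-way)
K = 2   # the toy f is 2^K-regular; K plays the role of the known regularity


def f(x):
    """Constructed toy 2^K-regular, length-preserving function: zero the K
    low bits. Every image value has exactly 2^K preimages."""
    return (x >> K) << K


def preimage_sizes(fn, n):
    """Set of all preimage sizes |fn^{-1}(y)| over the domain {0,1}^n."""
    return set(Counter(fn(x) for x in range(2 ** n)).values())


def parity(v):
    """Parity of the bits of v, i.e. an inner product over GF(2)."""
    return bin(v).count("1") & 1


def sample_hash(rng, out_bits):
    """Describe a pairwise-independent hash h(x) = A.x xor b over GF(2):
    A is an out_bits x N bit matrix (rows stored as ints), b an out_bits-bit vector."""
    rows = [rng.getrandbits(N) for _ in range(out_bits)]
    return rows, rng.getrandbits(out_bits)


def apply_hash(h, x):
    """Evaluate the hash description h = (rows, b) on the N-bit input x."""
    rows, b = h
    y = 0
    for i, row in enumerate(rows):
        y |= parity(row & x) << i
    return y ^ b


def goldreich_levin(rs, x):
    """Hard-core function h_c(x) = (<r_1,x>, ..., <r_m,x>): m inner products."""
    return sum(parity(r & x) << i for i, r in enumerate(rs))


def prg_known_regular(x, h1, h2, rs):
    """g(x,h1,h2,hc) = (h1(f(x)), h2(x), hc(x), h1, h2, hc).
    h1 extracts n-k bits from f(x), h2 extracts k more bits from x given f(x),
    hc outputs m hard-core bits: n+m fresh bits from an n-bit x with one f call.
    Returns (fresh_bits, fresh_bit_length, hash_descriptions)."""
    m = len(rs)
    a = apply_hash(h1, f(x))       # n-k bits
    b = apply_hash(h2, x)          # k bits
    c = goldreich_levin(rs, x)     # m bits
    fresh = (a << (K + m)) | (b << m) | c
    return fresh, (N - K) + K + m, (h1, h2, rs)


def randomized_iterate(x, hashes, rs):
    """Randomized iterate: y_i = f(x_{i-1}), x_i = h_i(y_i), with one hard-core
    block h_c(x_{i-1}) output per f call. Returns the list of output blocks."""
    out, cur = [], x
    for h in hashes:               # one f call per hash function
        out.append(goldreich_levin(rs, cur))
        cur = apply_hash(h, f(cur))
    return out


def demo(seed=1, m=3, rounds=5):
    """Wire everything up with a seeded RNG; returns the values worth checking."""
    rng = random.Random(seed)
    h1, h2 = sample_hash(rng, N - K), sample_hash(rng, K)
    rs = [rng.getrandbits(N) for _ in range(m)]
    fresh, nbits, _ = prg_known_regular(rng.getrandbits(N), h1, h2, rs)
    hashes = [sample_hash(rng, N) for _ in range(rounds)]
    blocks = randomized_iterate(rng.getrandbits(N), hashes, rs)
    return {"nbits": nbits, "fresh": fresh, "blocks": blocks}


if __name__ == "__main__":
    print(preimage_sizes(f, N), demo())
```

Note that `demo` returns only the fresh bits; in the real construction the hash descriptions $h_1,h_2,h_c$ are part of both seed and output, which is why the seed length is linear in $n$ rather than $n$ itself.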
Lower bounds by Holenstein and Sinha (FOCS12)
Asymptotic setting: any black-box construction of PRG must make $\Omega(n/\log n)$ calls to an arbitrary (including unknown-regular) OWF.
Concrete setting: any black-box construction of PRG must make $\Omega(n/\log(1/\epsilon))$ calls to an arbitrary (including unknown-regular) $(t,\epsilon)$-secure OWF.
PRGs from unknown-regular OWFs: a new construction
Assumption: $f$ is $(t,\epsilon)$-one-way and $2^k$-regular ($k$ is unknown).
The goal: a PRG construction oblivious of $k$.
The idea: transform $f$ into a known-regular OWF $\bar f:\mathcal{Y}\times\{0,1\}^n\to\mathcal{Y}$, where $\mathcal{Y}=f(\{0,1\}^n)\subseteq\{0,1\}^n$ is the image of $f$:
define $\bar f(y,r)=f(y\oplus r)$, where $\oplus$ is bitwise XOR, $y\leftarrow f(U_n)$, $r\leftarrow U_n$.
1. $\bar f$ is also a $(t,\epsilon)$-one-way function.
2. $\bar f$ is a $2^n$-regular function, i.e. $|\bar f^{-1}(\bar f(y,r))|=2^n$ regardless of $k$.
PRGs from unknown-regular OWFs: a new construction (cont'd)
Given a one-way function $\bar f:\mathcal{Y}\times\{0,1\}^n\to\mathcal{Y}$ with known pre-image size $2^n$:
Similarly, $(Y,R)$ has $n+\log(1/\epsilon)$ bits of UP given $\bar f(Y,R)$.
We get a special PRG $g:\mathcal{Y}\times\{0,1\}^n\to\mathcal{Y}\times\{0,1\}^{n+\Omega(\log(1/\epsilon))}$.
Done? No: $n$ bits are needed to sample $y$ from $\mathcal{Y}$ (i.e. $f(U_n)$), so one call of $g$ gains $\Omega(\log(1/\epsilon))$ bits but the net stretch is $\Omega(\log(1/\epsilon))-n$, which is negative.
To make it positive: iterate $g$.
In summary: a PRG from any unknown-regular OWF with linear seed length (hybrid argument) and $O(n/\log(1/\epsilon))$ OWF calls.
Tight (Holenstein and Sinha, FOCS 2012): a black-box construction of PRG requires $\Omega(n/\log(1/\epsilon))$ OWF calls, and $\Omega(n/\log n)$ calls in general.
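As an added example (not code from the paper), the script below checks the two claims made about $\bar f(y,r)=f(y\oplus r)$ by exhaustive enumeration on a constructed toy family of $2^k$-regular functions (zeroing the $k$ low bits; not one-way). For every $k$ it enumerates the whole domain $\mathcal{Y}\times\{0,1\}^n$ and confirms that every image of $\bar f$ has exactly $2^n$ preimages, although $f$ itself is $2^k$-regular and $|\mathcal{Y}|=2^{n-k}$. It also shows why one-wayness carries over: any $(y,r)$ with $\bar f(y,r)=z$ gives the $f$-preimage $y\oplus r$ of $z$ (here the $\bar f$-inverter is a brute-force stand-in, since the toy $f$ is not one-way). Names like `regular_toy` and `regularity_report` are this example's own.

```python
from collections import Counter


def regular_toy(k):
    """Constructed toy 2^k-regular function on n-bit ints: zero the k low bits."""
    return lambda x: (x >> k) << k


def image_set(fn, n):
    """The image Y = f({0,1}^n)."""
    return {fn(x) for x in range(2 ** n)}


def f_bar(fn):
    """The transform from the slide: f_bar(y, r) = f(y xor r)."""
    return lambda y, r: fn(y ^ r)


def f_bar_preimage_counts(fn, n):
    """Enumerate the whole domain Y x {0,1}^n of f_bar and count, for every
    image value, how many (y, r) pairs map to it."""
    fb = f_bar(fn)
    return Counter(fb(y, r) for y in image_set(fn, n) for r in range(2 ** n))


def regularity_report(n):
    """For every k in 0..n return (|Y|, preimage sizes of f, preimage sizes of
    f_bar). The last component is {2**n} for every k: f_bar is 2^n-regular
    no matter what k is."""
    report = {}
    for k in range(n + 1):
        fn = regular_toy(k)
        sizes_f = set(Counter(fn(x) for x in range(2 ** n)).values())
        sizes_fb = set(f_bar_preimage_counts(fn, n).values())
        report[k] = (len(image_set(fn, n)), sizes_f, sizes_fb)
    return report


def f_preimage_via_f_bar(fn, n, z):
    """Claim 1 in miniature: an f_bar-inverter yields an f-inverter.
    Brute force stands in for the hypothetical f_bar-inverter; the reduction
    itself is just x = y xor r."""
    fb = f_bar(fn)
    for y in image_set(fn, n):
        for r in range(2 ** n):
            if fb(y, r) == z:
                return y ^ r            # f(y ^ r) == z by definition of f_bar
    return None                         # z not in the image of f


if __name__ == "__main__":
    for k, row in regularity_report(6).items():
        print(k, row)
```

The counting behind the $2^n$ figure: for each image $z$ there are $|\mathcal{Y}|=2^{n-k}$ choices of $y$, and for each of them $r=y\oplus x$ for any of the $2^k$ preimages $x$ of $z$, giving $2^{n-k}\cdot 2^k=2^n$ pairs.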
Summary
PRG from any known-regular OWF: seed length $O(n)$ and $\omega(1)$ calls to the underlying OWF.
PRG from any known-regular $\epsilon$-hard OWF: seed length $O(n)$ and a single call to the underlying OWF.
PRG from any unknown-regular OWF: seed length $O(n)$ and $O(n/\log n)$ OWF calls.
PRG from any unknown-regular $\epsilon$-hard OWF: seed length $O(n)$ and $O(n/\log(1/\epsilon))$ OWF calls.
Question: remove the dependency on $\epsilon$? Yes, by paying an $\omega(1)$ factor in seed length and number of calls. Why? Due to the entropy loss of the Leftover Hash Lemma.
Given (without knowing $\epsilon$) a 1-to-1 OWF $f:\{0,1\}^n\to\{0,1\}^n$: run $q=\omega(1)$ copies of $f$, extracting $2\log n$ hard-core bits per copy, followed by a single extraction with entropy loss set to $q\cdot\log n$.
More details Full version at eprint http://eprint.iacr.org/2013/270
Thank you!