Performance Improvement for the GGM-Construction of Pseudorandom Functions
Yu-Sheng Chen, Gwoboa Horng, Chao-Liang Liu
NCS 2005

Abstract
• The GGM (Goldreich-Goldwasser-Micali) construction is a method to construct pseudorandom functions.
• We propose a simple variant of the GGM-construction that works faster than the original one.
• Our construction is optimal under a reasonable assumption.

Outline
• Introduction
• Pseudorandom function
• Pseudorandom generator
• The GGM-construction
• Performance Analysis
• The Variant of the GGM-construction
• Performance Analysis
• Proof of Correctness
• Conclusion

Introduction-Pseudorandom Function
• Informally, a pseudorandom function is a function that cannot be efficiently distinguished from a truly random function.
Pseudorandom function: Input-output behavior is computationally indistinguishable from that of a random function.
Random function: On query x, a random function returns a random value.
[Figure: a pseudorandom function and a random function, each mapping a query x to f(x)]

Introduction-Pseudorandom Function
[Figure: the distinguisher $A_F$ sends queries to f and outputs 0 or 1]

Introduction-Pseudorandom Generator
• A pseudorandom generator is a polynomial-time algorithm that stretches its random input into a polynomially long pseudorandom string.
[Figure: the pseudorandom generator takes a secret seed x and outputs 01001100111110100100010……, which is computationally indistinguishable from a truly random string]

Introduction-Pseudorandom Generator
[Figure: g, $U_k$, and the distinguisher $A_G$, which outputs 0 or 1]

The GGM-Construction of Pseudorandom Functions
• Let $G : \{0,1\}^k \to \{0,1\}^{2k}$ be a pseudorandom generator.
• Denote
  • $G(x) = b_1 b_2 \ldots b_k b_{k+1} \ldots b_{2k}$
  • $G_0(x) = b_1 \ldots b_k$
  • $G_1(x) = b_{k+1} \ldots b_{2k}$
• Construct a pseudorandom function $GGM_x$:
  • Choose a random k-bit string x as a key.
  • Define $GGM_x(\alpha) = G_{\alpha_k}(\ldots G_{\alpha_2}(G_{\alpha_1}(x)))$, where $\alpha = \alpha_1 \alpha_2 \ldots \alpha_k$ is an input (query) to $GGM_x$.

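The GGM-Construction of Pseudorandom Functions
[Figure: binary tree rooted at x; at the first level $\alpha_1 = 0$ leads to $G_0(x)$ and $\alpha_1 = 1$ leads to $G_1(x)$, and the following levels are selected by $\alpha_2, \ldots, \alpha_k$, ending at $GGM_x(\alpha) = G_{\alpha_k}(\ldots G_{\alpha_2}(G_{\alpha_1}(x)))$]
Illustration: The Computation of $GGM_x(\alpha)$
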
Performance Analysis for the GGM Construction
• Notation
  • $T_0$ is the cost of generating $G_0(x)$.
  • $T_1$ is the cost of generating $G_1(x)$.
  • $T_{GGM}$ is the cost of computing $GGM_x(\alpha)$.
• Assumption
  • The cost of generating pseudorandom bits by G is , i.e. $T_1 = 2T_0$.

Performance Analysis for the GGM Construction (Cont.)
• For a randomly chosen $\alpha$
• On average, one evaluation of $GGM_x()$ takes .
[Figure: the GGM binary tree from x through $G_0(x)$ and $G_1(x)$ down to $GGM_x(\alpha)$]

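The Variant of the GGM-construction
• Let $G : I_k \to I_{4k}$ be a pseudorandom generator.
• Denote
  • $G(x) = b_1 b_2 \ldots b_{4k}$
  • $G_{(0,0)}(x) = b_1 \ldots b_k$, $G_{(0,1)}(x) = b_{k+1} \ldots b_{2k}$
  • $G_{(1,0)}(x) = b_{2k+1} \ldots b_{3k}$, $G_{(1,1)}(x) = b_{3k+1} \ldots b_{4k}$
• Construct a pseudorandom function $GGM'_x$:
  • Choose a random k-bit string x as a key.
  • Define $GGM'_x(\alpha) = G_{(\alpha_k,\alpha_{k-1})}(\ldots G_{(\alpha_4,\alpha_3)}(G_{(\alpha_2,\alpha_1)}(x)))$ if k is even; $GGM'_x(\alpha) = G_{(0,\alpha_k)}(\ldots G_{(\alpha_4,\alpha_3)}(G_{(\alpha_2,\alpha_1)}(x)))$ if k is odd, where $\alpha = \alpha_1 \alpha_2 \ldots \alpha_k$ is an input (query) to $GGM'_x$.
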
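The GGM-Construction of Pseudorandom Functions
[Figure: 4-ary tree rooted at x; $\alpha_2\alpha_1$ = 00, 01, 10, 11 selects $G_{(0,0)}(x)$, $G_{(0,1)}(x)$, $G_{(1,0)}(x)$, $G_{(1,1)}(x)$; the following levels are selected by $\alpha_3\alpha_4$ and so on, down to $\alpha_{k-1}\alpha_k$ if k is even or $\alpha_k$ if k is odd, ending at $GGM'_x(\alpha)$]
Illustration: The Computation of $GGM'_x(\alpha)$
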
Performance Analysis for the Variant
• Notation
  • $T_0$ is the cost of generating $G_{(0,0)}(x)$.
  • $T_{GGM'}$ is the cost of evaluating $GGM'_x(\alpha)$.
• Assumption
  • The cost of generating pseudorandom bits by G is .

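The two constructions side by side, as an added example that is not from the slides. SHAKE-256 stands in for G, the names `K`, `g_block`, `ggm`, `ggm_variant` and `average_cost` are assumptions, and the input length is left free rather than fixed to k. Cost is counted in units of $T_0$ under the assumption that producing the j-th k-bit block of G's output costs $j \cdot T_0$ (the slides' $T_1 = 2T_0$, extended to four blocks).

```python
import hashlib
from itertools import product

K = 16  # block length in bytes (k = 128 bits); constructed parameter

def g_block(x: bytes, idx: int) -> bytes:
    """Block idx (0-based) of G(x), generated lazily.
    SHAKE-256 is a stand-in for G (assumption); its output is a stream,
    so only the first idx+1 blocks are produced."""
    return hashlib.shake_256(x).digest((idx + 1) * K)[idx * K:]

def ggm(x: bytes, alpha: str):
    """GGM_x(alpha); returns (value, calls to G, cost in units of T0)."""
    calls = cost = 0
    for a in alpha:
        idx = int(a)                              # G_0 -> block 0, G_1 -> block 1
        x = g_block(x, idx)
        calls, cost = calls + 1, cost + idx + 1   # T1 = 2*T0
    return x, calls, cost

def ggm_variant(x: bytes, alpha: str):
    """GGM'_x(alpha): two input bits select one of four blocks per call."""
    bits = [int(a) for a in alpha]
    calls = cost = 0
    for j in range(0, len(bits), 2):
        lo = bits[j]                                  # alpha_1, alpha_3, ...
        hi = bits[j + 1] if j + 1 < len(bits) else 0  # odd tail uses G_(0, alpha_k)
        idx = 2 * hi + lo                             # G_(hi,lo): (0,0)->0 ... (1,1)->3
        x = g_block(x, idx)
        calls, cost = calls + 1, cost + idx + 1       # assumed: block j costs j*T0
    return x, calls, cost

def average_cost(f, n: int) -> float:
    """Mean cost of f over all n-bit inputs, in units of T0."""
    inputs = ["".join(p) for p in product("01", repeat=n)]
    return sum(f(bytes(K), a)[2] for a in inputs) / len(inputs)

if __name__ == "__main__":
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    print(ggm(key, "10110100")[0].hex(), ggm_variant(key, "10110100")[0].hex())
    print(average_cost(ggm, 8), average_cost(ggm_variant, 8))
```

Under that cost assumption the mean over all 8-bit inputs is 12 $T_0$ for `ggm` and 10 $T_0$ for `ggm_variant`, with 8 and 4 calls to G respectively.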
Extension to the Generalized $2^c$-ary-tree Construction
[Figure: $2^c$-ary tree rooted at x, with children selected by $\alpha_c \ldots \alpha_2 \alpha_1$ = 0…00, 0…01, ……, 1…11]

Proof of Correctness
• Theorem: The functions constructed by GGM' are pseudorandom functions.
• Proof Sketch

Proof of Correctness (Illustration)
Oracle $A_i$: $A_i$ stores random k-bit strings in all nodes of level i. In the nodes of succeeding levels, it stores the k-bit strings output by G.
[Figure: the oracles $A_0$, $A_i$, $A_{i+1}$ and $A_{k/2}$, with the children of a node generated by $G_{(0,0)}$, $G_{(0,1)}$, $G_{(1,0)}$, $G_{(1,1)}$]
$p_k^i \equiv \Pr[\, A_G \text{ outputs } 1 \mid A_G \text{ can query } A_i \,]$. Then $p_k^0 = p_k^F$ and $p_k^{k/2} = p_k^H$.
$A_G$:
(1) Choose a random i, .
(2) Use strings in $U_k$ to “pave” the nodes of level i+1 and answer $A_F$'s queries.
(3) Output $A_F$'s output.
If $U_k$ consists of strings generated by G, $A_G$ acts for $A_i$. If $U_k$ consists of random strings, $A_G$ acts for $A_{i+1}$.

Conclusion
• We propose a variant of the GGM-construction, GGM', and prove its correctness.
• GGM' has the best performance under the assumption that the cost of generating pseudorandom bits by G is .