
On Constructing Parallel Pseudorandom Generators from One-Way Functions

On Constructing Parallel Pseudorandom Generators from One-Way Functions. Emanuele Viola, Harvard University, June 2005. Pseudorandom Generator (PRG) [BM,Y]. PRG. Poly(n)-time Computable. Stretch s(n) ≥ 1 (e.g., s(n) = 1, s(n) = n). Fools efficient adversaries: ∀ PPT A



  1. On Constructing Parallel Pseudorandom Generators from One-Way Functions. Emanuele Viola, Harvard University, June 2005

  2. Pseudorandom Generator (PRG) [BM,Y]
     PRG:
     • Poly(n)-time Computable
     • Stretch s(n) ≥ 1 (e.g., s(n) = 1, s(n) = n)
     • Fools efficient adversaries: ∀ PPT A,
       Pr_{X, |X| = n+s(n)}[A(X) = 1] ≈ Pr_{s, |s| = n}[A(PRG(s)) = 1]

  3. Background on PRG
     • PRG ⇔ One-Way Functions (OWF) [BM,Y,GL,…,HILL]
       (f OWF if easy to compute but hard to invert, i.e. ∀ PPT M, almost never M(f(X)) ∈ f^{-1}(f(X)))
     • Applications of PRG: cryptography, derandomization; need stretch s(n) = poly(n)
     • Stretch s(n) only makes sense relative to n
     • E.g. G : {0,1}^n → {0,1}^{n+s(n)} ⇒ G : {0,1}^{n^2} → {0,1}^{n^2 + n·s(n)}
     • Two main cases: s(n) = 1, or s(n) = n

  4. PRG Constructions
     • We study the complexity of constructing PRG with big stretch from OWF f
     • Def.: black-box PRG construction G^f : for every (computationally unbounded) function f and adversary A,
       A breaks G^f ⇒ ∃ PPT M : M^{f,A} inverts f
     • Most constructions are black-box [BM,Y,…,HILL]
       Many negative results for the black-box model [IR,…,GT,RTV]
     • Cannot make sense of a negative result in the non-black-box model

  5. Standard Constructions w/ big stretch
     • STEP 1: OWF f ⇒ G^f : {0,1}^n → {0,1}^{n+1}
     • Think e.g. f : {0,1}^n → {0,1}^n
     • STEP 2: G^f ⇒ PRG with stretch s(n) = poly(n) [GM]
     • Stretch s ⇒ s adaptive queries to f ⇒ circuit depth ≥ s
     • Question [this work]: stretch s vs. adaptivity & depth? E.g., can we have s = n with circuit depth O(log n)?
     [Figure: Input fed through a chain of G^f boxes, each contributing to the Output]
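
STEP 2 and the "s adaptive queries" bullet above, sketched as an added example (not code from the talk). `ToyG` is a hypothetical SHA-256 stand-in for G^f with no proof of pseudorandomness, and the `depth` tag is an assumption of this sketch that counts the chain of G calls each value depends on.

```python
import hashlib
from dataclasses import dataclass

N_BYTES = 16  # seed length n in bytes (constructed parameter)


@dataclass(frozen=True)
class Tagged:
    value: bytes
    depth: int  # longest chain of dependent G calls behind this value


class ToyG:
    """Placeholder for G^f : {0,1}^n -> {0,1}^(n+1).

    SHA-256 is a stand-in chosen for this demo only; it is not the
    construction from the talk and is not a proven PRG.
    """

    def __init__(self):
        self.calls = 0

    def __call__(self, state: Tagged):
        self.calls += 1
        digest = hashlib.sha256(b"toy-G|" + state.value).digest()
        next_state = Tagged(digest[:N_BYTES], state.depth + 1)
        return next_state, digest[N_BYTES] & 1  # n-bit state, 1 extra bit


def stretch(seed: bytes, s: int):
    """Iterate G s times; call i needs the state produced by call i-1."""
    if len(seed) != N_BYTES:
        raise ValueError("seed must be exactly N_BYTES long")
    G = ToyG()
    state, bits = Tagged(seed, 0), []
    for _ in range(s):
        state, bit = G(state)  # cannot start before the previous call ends
        bits.append(bit)
    # Output is the final n-bit state plus s extra bits: n + s bits in total.
    return bits, state, G.calls


if __name__ == "__main__":
    seed = bytes(range(N_BYTES))  # constructed sample seed
    for s in (1, 8, 64):
        bits, state, calls = stretch(seed, s)
        print(f"stretch={s:3d}  calls to G={calls:3d}  adaptive depth={state.depth:3d}")
```

The number of calls and the dependency depth both equal the stretch s, which is the cost the parallel model in the following slides tries to avoid.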

  6. Previous Results
     • [AIK] Log-depth OWF/PRG ⇒ O(1)-depth PRG (!!!)
       However, any stretch ⇒ stretch s = 1
     • [GT] s vs. number q of queries to OWF (Thm: q ≥ s)
       [This work] s vs. adaptivity & circuit depth
     • […,IN,NR] O(1)-depth PRG from specific assumptions
       [This work] general assumptions
     • Context: [V] studies complexity of NW-type PRG

  7. Outline
     • Our model
     • Our results
     • Proof sketch of main negative result
     • Other: new negative result on worst-case vs. average-case connections in NP, PH

  8. Our Model of PRG construction
     • Parallel PRG G^f : {0,1}^n → {0,1}^{n+s(n)} from OWF f
     [Figure: Input s, |s| = n → nonadaptive queries q1, q2, q3, q4 to f → constant-depth circuit (AC^0) of ∧ and ∨ gates → Output, n+s(n) bits]

  9. Our Results on PRG Constructions
     • Parallel construction G^f : {0,1}^n → {0,1}^{n+s(n)} from one-way function f (e.g. f : {0,1}^n → {0,1}nb)

  10. Proof Sketch of Negative Result
     • Thm [this work]: Parallel black-box PRG constructions G^f : {0,1}^n → {0,1}^{n+s(n)} satisfy s(n) ≤ o(n)
     • Proof: Exhibit computationally unbounded f, A such that:
       (1) A breaks G^f when s(n) = Ω(n)
       (2) f one-way, i.e. hard to invert.
       We show a distribution on f s.t. (1) & (2) hold w.h.p.

  11. Def. of f and (1) break G^f
     • Restriction [FSS,H,…] r maps bits to {0,1,*}
     • Def. distribution on f: apply r to truth-table of f
     • r known to adversary A
       replace * with random bits
     (1) A breaks G^f : ∀ s, G^f(s) is an AC^0 function of the truth-table of f ⇒ r makes G^f(s) biased ⇒ A breaks G^f(s).
     • If s(n) = Ω(n) can union bound over all s.
     [Figure: truth-table entries f(0), f(1), …, f(111); after the restriction: 01** 1*0* … 1**0; after replacing * with random bits: 0101 1100 … 1110]

  12. (2) f one-way
     • Problem: f not one-way: r leaks info about x
       E.g. First bit f(x) = 0 ⇒ x
     • Solution: Force many x's to share the same restriction
       Compose f with hash function
     • Many preimages ⇒ f one-way
       Low collision prob. ⇒ A still breaks G^f
     Q.E.D.
     [Figure: f = 01** 1*0* 1*** 1**0; entries f(0), f(1), f(10), …, f(111) mapped through a hash onto the restricted strings 01**, 1*0*, 1***, 1**0]

  13. Our Result on Average Case Complexity
     • Question: given f ∈ NP worst-case hard (f ∉ P/poly), can we build f′ ∈ NP average-case hard?
       I.e. ∀ small circuit A : Pr_x[A(x) ≠ f′(x)] ≥ 1/3
     • Thm [V]: no black-box construction of f′ using both function f and adversary A as black-box
     • Thm [BT]: no construction using A as black-box
     • Also uses A "non-adaptively"
     • Thm [this work]: no construction using f as black-box
     • Proof uses pseudorandom restrictions

  14. Conclusion
     • Thm [this work]: Parallel black-box construction G^f : {0,1}^n → {0,1}^{n+s(n)} satisfy
     • Average-case complexity
       Thm [this work]: given f ∈ NP worst-case hard, no construction of average-case hard f′ ∈ NP using f as black-box
