190 likes | 312 Views
Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions. Iftach Haitner, Danny Harnik, Omer Reingold. Pseudorandom Generators (PRG) [BM82, Yao82]. Eff. computable function G:{0,1} n ! {0,1} n’ Increases Length ( n’ > n )
E N D
Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner,Danny Harnik, Omer Reingold
Pseudorandom Generators (PRG)[BM82, Yao82] Eff. computable function G:{0,1}n! {0,1}n’ • Increases Length (n’ > n) • Output is computationally indistinguishable from random. G(Un)wCUn’ • Central in cryptography, implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88]and … x G(x)
PRG Based on General Hardness Assumptions • One-way permutations [BM82,Yao82]. • Regular one-way functions[GKL88]. • Any one-way function[HILL89]. O(n) O(n3) Def:f:{0,1}n!{0,1}n is a one-way function (OWF) if • Efficiently computable • Hard to invert: for any PPTAPrxÃUn[A(f(x),1n) 2 f-1(f(x))] = neg(n) If f is also a permutation on {0,1}n, then it is a one-way permutation (OWP). f:{0,1}n!{0,1}n is regular if all images have the same preimage size • for any x2{0,1}n it holds that |f-1(f(x))| =n. O(n8) • Input Blowup: The input length of the resulting PRG grows compared to the underlying OWF. • Central to the security of the construction. • denote the input length of the OWF by n
Def:f:{0,1}n!{0,1}n is a one-way function (OWF) if: • Efficiently computable • Hard to invert: for any PPTAPrxÃUn[A(f(x),1n) 2 f-1(f(x))] = neg(n) Def:f:{0,1}n!{0,1}n is an exponentially hardone-way function if: • Efficiently computable • Hard to invert: for any PPTAPrxÃUn[A(f(x),1n) 2 f-1(f(x))] < 2-Cn for some constant C> 0 Example: We trust a OWF to be secure only for 100 bit inputs. • [BMY] is insecure for seed < 100 bits. • [HILL] is insecure for seed < 1016 bits! Goal: Reduce input length blowup. • [Holenstein 06]One-way function with exponential hardness (2-Cn for some C>0) O(n5)
Our Results Paper Restriction Seed length [BM82][Y82] One-way Permutations n +o(n) [GKL88] Regular OWF O(n3) [HHR05] Regular OWF O(n log n) [HILL89] Any OWF O(n8) [HHR05] Any OWF O(n7) [Holens06] Exponentially Hard OWF O(n5) This work Exponentially Hard OWF O(n2)
PRG from exponentially hard OWF • [Holenstein 06] is a generalization of [HILL] that takes into account the hardness 2-Φn • Seed length is a function Φ, with optimal results when Φ is a constant C. • Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs. • Works only for Φ> Ω (1/log n)
Plan of the talk: • Motivation - The BMY generator. • The Randomized Iterate. • A PRG from regular OWFs. • The randomized iterate of a general OWF. • The construction for exponentially hard OWFs.
f f f … f x f(x) f2(x) fn(x) fn+1(x) … b(f2(x)) b(fn(x)) b(x) b(f1(x)) The BMY PRG OWP f:{0,1}n!{0,1}n G(x) = Claim:G is a PRG. Hardcore-predicate of f: given f(x) it is hard to predict b(x).
given z = fk(x) it is hard to find y such that f(y) = z One-Way on Iterates: [Levin]: If8k it is hard to invert fk Then b(x),b(f(x)),…,b(fm(x)) is pseudorandom.
Applying BMY to any OWF When f is any OWF, inverting fi might be easy (even when f is regular). Example: f f Easy inputs
f1(x,h) f2(x,h) x f h1 f h2 f h3 f … The Randomized Iterate Idea:use “randomization steps” between the iterations of f to prevent the convergence of the outputs into easy instances. The Randomized Iterate [GKL],[HHR]: f0(x,h) f0(x) h = (h1,...,hn) random pairwise independent hash functions H is a family of pairwise independent hash functions from {0,1}n! {0,1}n if 8x1x2and a random h2H(h(x1),h(x2)) is uniform over {0,1}2n. • Use H where description of his of length O(n). G(x,h) =b(f0(x,h)),...,b(fn(x,h)) ,h1,...,hn
Lemma [HHR]: (Last randomized iteration is hard to invert) Let f be a regular OWF and H be family of pairwise independent hash functions, then no PPT can invert fkgiven h1,...,hk. Corollary:Let fbe a regular OWF and H be family of pairwise independent hash functions, then G(x,h) = b(f0(x,h)),b(f1(x,h)),…,b(fn(x,h)),h is a PRG.
Randomized Iterate of general OWF Can we apply the construction to any OWF? • No, security deteriorates with every iteration. Lemma: It is hard to invert fk (given h) over a set of density at least 1/k. (x,h) ! f0(x,h), f1(x,h) , … , fk(x,h) • fk is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence. • By Symmetry happens with probability ¸1/k. Note: for regular functions always true…
fk(x,h) fk+1(x,h) b fk(x2,h2) fk+1(x2,h2) b2 fk(x3,h3) fk+1(x3,h3) b3 fk(xm,hm) fk+1(xm,hm) bm Ext m/2k bits fk(x1,h1) fk+1(x1,h1) b1 • With probability 1/k the bit b is pseudorandom when given fk+1(x,h) and h. • Idea: repeat m independent times • Use a randomness extractor to get O(m/k) pseudorandom bits Pseudoentropy source: at least m/k of the bits are pseudorandom given fk+1 and h
Extract randomness from distributions which contain sufficient (min)-entropy. Use a short seed of truly random bits. Output is (close to) uniform even when the seed is known. Extractor seed random output Randomness Extractors [NZ93] high pseudoentropy distribution high entropy distribution pseudorandom output • Uniform extraction Lemma: an analogues result for pseudoentropy, appears implicitly in [HILL] • New proof of the uniform extraction Lemma given in [Holens06] & [HHR05]. • Based on the uniform hardcore set proof of Holenstein (FOCS 2005).
t x1,h1 x2,h2 x3,h3 x4,h4 xm,hm m/4 m/6 m/8 m/10 m/12 • We can extract m/2k pseudorandom bits at each iteration. • Total pseudorandom bits: ∑k(m/2k) ¼ m/2 log t • For the generator to stretch this should be more than the mn bits of x1,…,xm • t>2nis too large !!!
Exponential hardness Theorem [GL89]: if a one-way function f has hardness 2-Cn then it has O(Cn) hard-core bits. We can take out more pseudorandom bits at every iteration!
t x1,h1 x2,h2 x3,h3 x4,h4 xm,hm mn/4 mn/6 mn/8 mn/10 mn/12 • We extract C’mn/k pseudorandom bits at the kth iteration. • Total number of pseudorandom bits: ∑k(C’nm/k) ¼ C’mn log t • Take t to be a constant such that ∑k (1/k) > C’ • Total seed length is O(tmn) bits (description size of the hash functions). • Take m=n, the seed length becomes O(n2).
Questions and Further Issues • Holenstein achieves seed O(n4log2n) if the resulting PRG need only have standard hardness (super-polynomial). Accordingly, we get O(n log2n) in such a case. • Can such methods work for general OWFs? • Could work if the deterioration in security in each iteration where somehow limited. • Other applications of exponentially hard OWFs? • Recent results of [GI06],[HR06].