1 / 19

Constructing a PRG from a OWF requires roughly n/log(n) calls.

Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein , Makrand Sinha Black Box Impossibility Summer School. PRG and OWF. A OWF is a function f : {0,1} n → {0,1} n such that for all PPT A: Pr [ f ( A ( f ( x ))) = f ( x )] is negligible.

roman
Download Presentation

Constructing a PRG from a OWF requires roughly n/log(n) calls.

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Constructing a PRG from a OWF requires roughly n/log(n) calls. Thomas Holenstein, Makrand Sinha Black Box Impossibility Summer School

  2. PRG and OWF • A OWF is a function f: {0,1}n → {0,1}n such that for all PPT A: Pr[f(A(f(x))) = f(x)] is negligible. • A PRG is a function g: {0,1}m → {0,1}m+1 such that for all PPT A: Pr[A(g(v))] – Pr[A(w)] is negligible. Theorem: [HILL, HRV, VZ] There is a fully BB construction of a PRG from a OWF with m = O(n3) and which does O(n3) calls to the OWF. ~ ~

  3. OWF and PRG Theorem: [HILL, HRV, VZ] There is a fully BB construction of a PRG from a OWF with m = O(n3) and which does O(n3) calls to the OWF. Our Result: Any such construction must do at least Ω(n/log(n)) calls. ~ ~

  4. Proof sketch • Prove the result for r = 1 (30 % of the work) (Pseudo-uniform OWF. Requires us to distinguish two cases) • Prove the result for r = 2 (50 % of the work) (Uses additionally a Chernoff-Bound) • Prove the result for r = n/log(n) (20% of the work) (Uses a version of the Chernoff-Bound for polynomials)

  5. Quick Remark • The black box separation is weak: we make the OWF f dependent on the construction g(f). • Let’s do this on a few examples! We start with r = 1.

  6. Case r = 1 x z v = (x,z) Input Invert every 2nd bit. g f Output y z ∑ How to distinguish g(v) from a uniform w? Breaker should invert the “left part” of g, then compare∑to the output.

  7. Case r = 1 x z Input f Output y z ∑ How to distinguish g(v) from a uniform w? Pick f: {0,1}n → Y for a small set Y. If yY then output 1, otherwise 0.

  8. Case r = 1 x z Input f Output y z ∑ How to distinguish g(v) from a uniform w? Breaker will again invert the “left part” of g, then compare ∑to the output.

  9. Our result in more detail Lemma: Let g(f):{0,1}m → {0,1}m+1 be a candidate construction of a PRG from a OWF f: {0,1}n → {0,1}n which does r calls. Then, one of the following holds. • Pick f as a random permutation. There is a BreakerOWwhich inverts “the left part of” g(f) with probability ½ and doesn’t help invert f. • Pick Y {0,1}n of sizeat random. If we pick uniform regular f: {0,1}n → Y, then there is BreakPUwhich distinguishes the output of g without knowing f.

  10. Pseudouniform one-way functions Always saying “left part stuff” gets annoying… A function g(f):{0,1}m → {0,1}m is a pseudouniform one-way function if • It is a one-way function • The output is indistinguishable from uniform. Exercise: if g(f):{0,1}m → {0,1}m+1 is a PRG, then chopping off the last bit gives a PU-OWF function (Hint: show first that every PRG is a OWF).

  11. Next up… Plan: we give an inverter which works sometimes. Show that if it does not work, then the second case applies. Now: how does the inverter work?

  12. Invert Carefully! x z Input Output z y This is a pseudouniform function (for every f!) Hence – we need to invert! But not always!

  13. Our Inverter BreakOW(w): // Finds v with g(v) = w – sometimes For all v: if g(f)(v) = w and SafeToAnswer(w, y) // y is the answer of the query to f in g(f)(v) return v SafeToAnswer(w,y): false if #{v | g(v) = w if f(.) answers y} > 2n/30 If this does not invert g, it is because SafeToAnswerreturns true too often. But then: making some y’s common will make some w’s common!

  14. Gennaro-Trevisan Technique: Lemma: BreakOW does not help invert a random f. Proof: How does the decoder work? Decoder: Simulate A(f)(y). When A queries BreakOW(w) evaluate g(f)(v) for all v. If only one query is unknown, check if answering it with y makes BreakOW(w) return v. If yes continue the simulation with this answer, otherwise take the next v. The preimage of y is the output of A(f)(y).

  15. Should we store (x*,f(x*)) explicitly? Decoder: Simulate A(f)(y). When A queries BreakOW(w) evaluate g(f)(v) for all v. If only one query is unknown, check if answering it with y makes BreakOW(w) return v. If yes continue the simulation with this answer, otherwise take the next v. The preimage of y is the output of A(f)(y). We have to store (x*,f(x*)) explicitly if: A(f)(y) queries BreakOW with w for which: BreakOW(f)(w) ≠ BreakOW(f*)(w)

  16. Our Inverter BreakOW(w): // Finds v with g(v) = w – sometimes For all v: if g(f)(v) = w and SafeToAnswer(w, y) // y is the answer of the query to f in g(f)(v) return v SafeToAnswer(w,y): false if #{v | g(v) = w if f(.) answers y} > 2n/30 Fix w, y. There can only be 2n/30x* for which BreakOW(f)(w) ≠ BreakOW(f*)(w) because each such x* gives rise to a different v.

  17. Remarks for r = 2 • For r = 2 and our breaker, the Gennaro-Trevisan encoding can get huge, if the function f is chosen in an unlucky way! • We don’t know how to avoid this. • Instead, a Chernoff Bound shows that there are only few such functions • (see paper for an example).

  18. Thanks!

  19. A condition on BreakOW We can give a condition on BreakOW: it should be that for every w, y, there are only few (say 2n/30) values x*s.t. BreakOW(f)(w) ≠ BreakOW(f*)(w) Unfortunately, for r > 1, we can only show that our Breaker has this property for almost all f.

More Related