
Efficient Amplification of the Security of weak Pseudo-random Function Generators

Efficient Amplification of the Security of weak Pseudo-random Function Generators. Author: Steven Myers Speaker: F90921022 Bo-Yuan Peng. Outline. Motivation What Is a Pseudo-Random Function Generator? Diamond Operator Strong PRFG Construction Scheme Proof of Strong PRFG Construction


Presentation Transcript


  1. Efficient Amplification of the Security of weak Pseudo-random Function Generators. Author: Steven Myers. Speaker: F90921022 Bo-Yuan Peng.

  2. Outline • Motivation • What Is a Pseudo-Random Function Generator? • Diamond Operator • Strong PRFG Construction Scheme • Proof of Strong PRFG Construction • Conclusion

  3. Motivation • It was known that a partially secure PRPG implied a totally secure PRPG. The construction proceeds as in the following scheme, although it is not efficient. [Diagram labels: Weak OWF Generator; Yao's XOR Lemma; PRFG → PRPG; WOWF → SOWF; PRNG → PRFG; partially secure PRPG; Weak One-way Function; Strong One-way Function; Secure PRNG; Secure PRFG; Secure PRPG]

  4. Motivation (cont'd) • Here a natural, efficient and parallelizable construction for generating a PRFG from a partially secure PRFG is given. • If is a partially secure pseudo-random function generator, then the construction is a strongly secure pseudo-random function generator, where 's are randomly chosen from , and 's are randomly chosen from .

  5. What Is a Pseudo-Random Function Generator? • Function Generators: We call a function generator, and that is a key of . We write as . • Function Generator Ensembles: Let and be polynomials, and let . For each , let be a function generator. We call a function generator ensemble.

  6. What Is a Pseudo-Random Function Generator? (cont'd) • -Distinguishing Adversary: Let be a function, and let and be two sequences of distributions over oracle gates, where is a distribution over oracle gates of input size , for . We say the circuit family is an adversary capable of distinguishing from if for some polynomial and infinitely many ,

  7. What Is a Pseudo-Random Function Generator? (cont'd) • Pseudo-Random Function Generator Ensembles: Consider , the set of all functions for some ; and , a function generator ensemble where any instance in the ensemble is computable in time bounded by a polynomial in ; where and are both polynomial. We say that is secure if there exists no adversary , bounded in size by a polynomial in , which can distinguish from . We say that is a pseudo-random function generator if it is secure.

  8. What Is a Pseudo-Random Function Generator? (cont'd) • If is a secure function generator ensemble, we say it is (a) strongly secure (PRFG ensemble). • If is secure for some polynomial , then we say it is (a) partially secure (PRFG ensemble). • If is not partially secure (and therefore not strongly secure), we say it is (an) insecure (PRFG ensemble).

  9. Diamond Operator • Diamond Operator for Functions and Diamond Operator Generator: Let , be two functions. For each , the corresponding diamond operator is defined as Moreover, we define the diamond operator generator as

  10. Diamond Operator (cont'd) • Diamond operator for function generator ensembles: Let and be two function generator ensembles. We write if is a function generator ensemble defined by where , , and

  11. Strong PRFG Construction Scheme • Diamond Operator Security Amplification: Let be a polynomial, and then the function generator ensemble is a strong pseudo-random function generator ensemble if is a constant secure pseudo-random function generator ensemble. • Note that in order to compute a random function it is sufficient to compute where each is randomly selected from .
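
An added example, not part of the slides or of Myers's paper: a toy run of the construction from slide 11, taking its form (the XOR over i of F_{k_i}(x XOR r_i)) from the published paper because the slide's own formula is not preserved on this page. The weak generator, its 1/256 bad-key fraction, HMAC-SHA256 as the stand-in function and every name below are constructed assumptions.

```python
import hashlib
import hmac
import random

N = 16            # input/output length in bytes (constructed toy parameter)
ZERO = bytes(N)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def weak_f(key, x):
    """Constructed weak generator: keys whose first byte is 0 (1/256 of the
    key space) select the all-zero function; other keys use truncated HMAC."""
    if key[0] == 0:
        return ZERO
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def keygen(m, rng):
    """Draw m independent (key, offset) pairs of N bytes each.
    A seeded random.Random keeps the demo reproducible; it is not a key source."""
    draw = lambda: rng.getrandbits(8 * N).to_bytes(N, "big")
    return [(draw(), draw()) for _ in range(m)]

def amplified(pairs, x):
    """XOR over i of F_{k_i}(x XOR r_i), the assumed form of the construction."""
    out = ZERO
    for key, offset in pairs:
        out = xor(out, weak_f(key, xor(x, offset)))
    return out

def zero_test(oracle):
    """One-query distinguisher: accept if the oracle maps 0^N to 0^N."""
    return oracle(ZERO) == ZERO

def hit_rate(m, trials, seed=1):
    """Fraction of freshly keyed m-fold instances that zero_test accepts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pairs = keygen(m, rng)
        hits += zero_test(lambda x: amplified(pairs, x))
    return hits / trials

if __name__ == "__main__":
    for m in (1, 2, 3):
        print(m, hit_rate(m, 20000))
```

Each extra instance multiplies the fraction of instances this one distinguisher accepts by about 1/256. The theorem on the slides concerns every polynomial-size adversary, which a single toy distinguisher cannot show.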

  12. Proof of Strong PRFG Construction • Lemma. Given any decision circuit , for each and for each , • Corollary. Given any decision circuit , for each ,

  13. Proof of Strong PRFG Construction (cont'd) • Lemma. Let be a polynomial sized family of decision circuits, and be a non-empty set. Then for any , there exists an such that for all sufficiently large , • Corollary. Let be a polynomial sized family of decision circuits, and be a non-empty set. Then for every constant , and for all but of the ,

  14. Proof of Strong PRFG Construction (cont'd) • Lemma. [DIAMOND ISOLATION LEMMA] There exists a fixed polynomial s.t. the following hold: Let be functions. Let and be function generators, where and are polynomials which bound from above the size of the circuits which compute the function generators respectively. Hypothesis: There exists a family of decision circuits , where for each the circuit is of size bounded above by the polynomial , and for some and infinitely many ,

  15. Proof of Strong PRFG Construction (cont'd) • Lemma. [DIAMOND ISOLATION LEMMA] (cont'd) Conclusion: For infinitely many there exists either a decision circuit of size for which or a decision circuit of size and , where is the number of oracle gates in circuit , for which

  16. Proof of Strong PRFG Construction (cont'd) • Theorem. [DIAMOND COMPOSITION THEOREM] Let be a constant, and let be a secure PRFG. Then for each function the generator is a secure PRFG.

  17. Conclusion • A relatively simple and efficient construction for transforming a partially secure PRFG into a strongly secure PRFG is presented. • The construction could possibly be used to guide the development of block ciphers. • Since the resulting generator is a function generator and not a permutation generator, there will be systems and applications where this is an infeasible approach.
