1 / 20

Basing Pseudorandom Generators on Regular One-way Functions

This paper explores the construction of pseudorandom generators (PRGs) using regular one-way functions (OWFs). It discusses the concepts of regular functions, known-regular functions, and unknown-regular functions. It also explains the relationship between PRGs and OWFs and presents different constructions and proofs for PRGs from known-regular OWFs and unknown-regular OWFs. The paper concludes with lower bounds and a new construction for PRGs from unknown-regular OWFs with linear seed length.

willien
Download Presentation

Basing Pseudorandom Generators on Regular One-way Functions

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Basing Pseudorandom Generators on Regular One-way Functions 基于规则单项函数的伪随机产生器构造 郁昱 上海交通大学 计算机系

  2. One-way Functions (单向函数) • One-way function(OWF) • Simplifying notation: f • Definition: f is an -OWF if f is efficient (computable in time poly(n)) and for all probabilistic polynomial-time adversaries A: • Standard definition: is negligible in, denoted by • Folklore: OWFs can be assumed to be length-preserving, i.e., m=n.

  3. Regular Functions (规则函数) • f is a regular function if the preimage size α= is fixed (independent of y). • Known-regular function: a regular function f whose regularity α is polynomial-time computable from security parameter n. • Unknown-regular function: a regular function f whose regularity α is inefficient to approximate from security parameter n. one-way permutation: a special case of known-regular OWFs.

  4. Pseudorandom Generators (伪随机产生器) Pseudorandom generator (PRG) A function (< ) is an -PRG if is efficient and every PPT distinguisher tells from with only negligible advantages: =negl(n) x g(x) y

  5. OWF  PRG : a central problem in cryptography • The BM-Y generator Theorem (BM-Y 1982): Any one-way permutation implies a PRG for any =poly(n). Theorem (generalized): Any PRG implies a PRG for any =poly(n). Manuel Blum Turing Award 1995 Silvio Micali Turing Award 2012 Andrew Yao Turing Award 2000 f f f f output

  6. Min-entropy and pseudo-entropy • implies every (even unbounded) algorithm A satisfies • (Unpredictable) Pseudo-entropy: denoted by if every PPT algorithm A satisfies Question: what is the (pseudo)entropy of x given f(x) for OWF f ?

  7. Statistical and computational distances • Statistical distance: between X and Y, denoted by SD(X,Y) is defined by SD(X,Y)= • SD(X,Y) implies every (even unbounded) distinguisher D satisfies • Computational distance: between X and Y, denoted by CD(X,Y) if every PPT distinguisher D satisfies

  8. (pseudo)randomness extraction • Leftover hash lemma: let (X,Z) be any r.v. with and let h: be a universal hash function, then : uniform distribution over , d:entropy loss • Goldreich Levin theorem: let (X,Z) be any r.v. with then there exists efficient hash (with linear description) : k= and thus =negl(n)

  9. Pseudoentropy of regular one-way functions • Unpredictable Pseudoentropy (UP) : X has m bits of UP given f(X) if every PPT A wins the following game with probability no greater than • Question: what’s the UP of X given f(X) if f is a regular -OWF with regularity • Claim: • Rationale: Challenger C Adversary A

  10. PRGs from Known Regular OWFs • g (X, h1, h2,hc) =(h1(f(X1)), h2(X1),hc(X1), h1, h2,hc) A complicated and long proof is given by Goldreich in his crypto textbook volume1,Sec3.5.2(pp. 141-147)

  11. PRGs from Known-Regular OWFs by three extractions (a three-line proof) • Assumption: f is -one-way and 2k-regular, i.e. • Construction and Proof. • extract () bits using h1 • extract bits using h2 • chain rule: extract bits using hard-core function hc • This completes the proof for the folklore construction, i.e. g (X, h1, h2, hc) =(h1(f(X)), h2(X),hc(X), h1, h2, hc) is a PRG. • Optimal parameters: seed length linear in n, and a single call to f .

  12. Tightening the security bounds • g (x, h1, h2,hc) =(h1(f(x)), h2(x),hc(x), h1, h2,hc) The proof for 3rd extraction: consider f ‘(x,h2)=(f(x), h2(x), h2) • A tighter approach?

  13. PRGs from unknown-regular OWFs the randomized Iterate • Goldreich, Krawczyk and Luby (SICOMP 93) : PRGs from known regular OWFs with seed length O(n3) • Haitner, Harnik and Reingold (CRYPTO 2006): PRGs from unknown regular OWFs with seed length O(n ·log n) f h1 f h2 f output h1, h2, … are random pairwise independent hash, hc is hard-core function

  14. Lower bounds by Holenstein and Sinha (FOCS12) • Asymptotic setting: Any black-box construction of PRG must make calls to an arbitrary (including unknown regular) OWF. • Concrete setting : Any black-box construction of PRG must make calls to an arbitrary (including unknown regular) -secure OWF.

  15. PRGs from unknown-regular OWFs: a new construction • Assumption: f is -one-way and 2k-regular ( k is unknown). • The goal: a PRG construction oblivious of k. • The idea: transform f into a known-regular OWF • is also an -one-way function • is a 2n-regular function, i.e.

  16. PRGs from unknown-regular OWFs: a new construction (cont’d) • Given a one-way function with known pre-image size 2n • Similarly, has bits of UP given . • We get a special PRG • Done? No, n bits needed to sample from (i.e. ) stretch : To make it positive: iterate • In summary: a PRG from unknown regular OWF with linear seed length (hybrid argument) and OWF calls. • Tight (Holenstein and Sinha, FOCS 2012): BB construction of PRG requires OWF calls, and calls in general.

  17. Summary • PRG from any known-regular : seed length and to the underlying OWF • PRG from any unknown-regular : seed length and OWF calls Question: remove the dependency on ? Yes, by paying a factor in seed length and number of calls. Why? Due to the entropy loss of the Leftover Hash Lemma. Given (without knowing ) Run q= copies of f , extracting 2logn hardcore bits per copy, followed by a single extraction with entropy loss set to q · logn . calls

  18. The ultimate: PRGs from any OWFs • The HILL generator: Håstad, Impagliazzo, Levin, and Luby (SICOMP 1999) gave a construction of PRG from any OWF but with seed length O() • The HRV generator: Haitner, Reingold and Vadhan (STOC 2010) gave a PRG with seed length O() from any OWF. • The Vadhan-Zheng generator: Vadhan and Zheng(STOC 2012) gave a PRG with seed length O() from any OWF. • Open problem: how to construct PRG with seed length o() from any OWF?

  19. More details Extend abstract in the proceedings of Asiacrypt 2013 also available at eprinthttp://eprint.iacr.org/2013/270 ECCC Report TR14-082 Contact: yuyu@yuyu.hk

  20. Thank you!

More Related