
Going Down HILL: More Efficient Pseudorandom Generators from Any One-way Function



  1. Going Down HILL: More Efficient Pseudorandom Generators from Any One-way Function. Omer Reingold. Joint work with Iftach Haitner and Salil Vadhan.

  2. One-Way Functions. One-way functions (OWF): f: {0,1}^n → {0,1}^n • Easy to compute, hard to invert (even on average). • The most basic, unstructured form of cryptographic hardness [IL89, …].

  3. Pseudorandom Generators. An efficiently computable function G: {0,1}^s → {0,1}^m • Stretching (m > s). • Output is computationally indistinguishable from uniform. • Central in cryptography; implies pseudorandom functions [GGM86], pseudorandom permutations [LR88], bit commitments [Naor91], …

  4. Håstad, Impagliazzo, Levin and Luby 89. Theorem: Existence of OWFs ⇔ Existence of PRGs. • Hardness vs. randomness in its purest cryptographic form. • Centerpiece in basing cryptography on OWFs. • Introduced key concepts and techniques (pseudoentropy, Leftover Hash Lemma, …). • Inefficient and quite complex.

  5. Efficiency. For this talk, the efficiency (and security) of a construction is measured by the PRG's seed length s, as a function of n. • From any OWF: [HILL89] O(n^10), [HILL89, Holens06] O(n^8), [HHR06a] O(n^7), here O(n^4). • From exponentially hard OWFs: [Holens06] O(n^5), [HHR06b] O(n^2), here we reprove O(n^2).

  6. Simplicity. Over the years, [HILL] became simpler • but mainly because we got used to it (its tools and techniques became "standard"). • [HILL99, Holens06]: additional abstractions and more modularity (plus Holenstein's Uniform Hard-Core Lemma). • Here: simpler still. • The construction is non-adaptive, so we derive "OWFs in NC^1 ⇒ PRGs in NC^0" (via [AIK06]).

  7. False Entropy Generator • Loosely, the most basic object in HILL is: G_fe(x,g,i) = f(x), g, g(x)_{1..i} (think of g as multiplication by a random matrix over GF(2)). Lemma: Let k = log|f^{-1}(f(x))|. Then for i = k + log n, (g, g(x)_{1..i}) is pseudorandom (even conditioned on f(x)). • Intuition: the first k − c·log n bits are statistically close to uniform (Leftover Hash Lemma) and the next (c+1)·log n bits are pseudorandom (Goldreich–Levin hard-core function).

  8. False Entropy Generator (II). G_fe(x,g,i) = f(x), g, g(x)_{1..i}. Lemma: For the variable G_fe(x,g,i) (with random inputs), Δ = pseudoentropy − real entropy > (log n)/n. Reason: with probability 1/n over the choice of i (namely when i = k + log n), the output G_fe(x,g,i) is indistinguishable from a distribution with entropy |x| + |g| + log n, whereas its real entropy is |x| + |g|. • Disadvantages: Δ is rather small; the value of the real entropy is unknown; the pseudoentropy is smaller than the entropy of the input.

  9. Our Building Block • Simply do not truncate: G_nb(x,g) = f(x), g, g(x). • Nonsense: G_nb(x,g) is invertible and therefore has no pseudoentropy! • Well, yes, but: G_nb(x,g) does have pseudoentropy from the point of view of an online distinguisher (one that gets one bit at a time).
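The following Python is an added example, not code from the talk or the HRV paper; it models slides 7 and 9 at toy scale. The one-way function is a constructed stand-in (SHA-256 on 16-bit inputs, truncated to 8 bits, so every preimage set f^{-1}(y) can be enumerated and k = log|f^{-1}(y)| computed exactly), g is a random GF(2) matrix as the slide suggests, and the constants N_BITS, OUT_BITS, the seeds and the input 12345 are arbitrary choices. `truncation_distances` measures how far the first i bits of g(x), conditioned on f(x) = y, are from uniform and compares with the Leftover Hash Lemma bound 2^{(i−k)/2}/2: a prefix well below k is close to uniform, a prefix above k cannot be (at most 2^k distinct outputs land in 2^i values, so the distance is at least 1 − 2^{k−i}). `invert_untruncated` then shows the slide 9 objection: with the full n-bit g(x) from G_nb and a full-rank g, Gaussian elimination over GF(2) returns x outright. The Goldreich–Levin part of slide 7 (the next log n bits being pseudorandom) is a computational statement and is not something a statistical test can show, so the code does not attempt it.

```python
import hashlib
import math
import random
from collections import Counter

# Added example, not code from the HRV slides: toy versions of G_fe and G_nb.
# The one-way function is a constructed stand-in: SHA-256 on a 16-bit input,
# truncated to 8 bits. At this size it is trivially invertible by brute force;
# it only plays the role of f so that preimage sets f^{-1}(y) can be listed.
N_BITS = 16   # n, the input length of f and the number of columns of g
OUT_BITS = 8  # output length of f; a typical y has about 2^(16-8) = 256 preimages

def f(x: int) -> int:
    return hashlib.sha256(x.to_bytes(2, "big")).digest()[0] >> (8 - OUT_BITS)

def preimages(y: int) -> list:
    """f^{-1}(y) by exhaustive search; the slide's k is log2 of its size."""
    return [x for x in range(1 << N_BITS) if f(x) == y]

def random_matrix(rows: int, rng: random.Random) -> list:
    """Random rows x N_BITS matrix over GF(2); each row is an N_BITS-bit mask."""
    return [rng.getrandbits(N_BITS) for _ in range(rows)]

def apply_g(g: list, x: int) -> int:
    """g(x) over GF(2): the bit for row j is <row_j, x> mod 2; row 0 is the top bit."""
    out = 0
    for row in g:
        out = (out << 1) | (bin(row & x).count("1") & 1)
    return out

def stat_dist_from_uniform(values: list, bits: int) -> float:
    """Statistical distance between the empirical distribution of `values`
    and the uniform distribution on {0,1}^bits."""
    counts = Counter(values)
    n_vals = len(values)
    return 0.5 * sum(abs(counts.get(v, 0) / n_vals - 2.0 ** -bits) for v in range(1 << bits))

def lhl_bound(i: int, k: float) -> float:
    """Leftover Hash Lemma: i bits hashed from a source of min-entropy k are
    within 2^{(i-k)/2} / 2 of uniform, on average over the random hash g."""
    return 0.5 * math.sqrt(2.0 ** (i - k))

def truncation_distances(y: int, offsets=(-4, -2, 0, 3), samples=16, seed=1) -> dict:
    """Slide 7 intuition. For x uniform over f^{-1}(y) and a random g, measure
    SD(g(x)_{1..i}, U_i) averaged over g, for i = floor(k) + offset.
    Returns {i: (average distance, LHL bound)}. Well below k the prefix is
    close to uniform; above k it cannot be, since only 2^k inputs feed 2^i
    outputs and therefore SD >= 1 - 2^(k-i)."""
    rng = random.Random(seed)
    pre = preimages(y)
    k = math.log2(len(pre))
    out = {}
    for off in offsets:
        i = int(k) + off
        total = 0.0
        for _ in range(samples):
            g = random_matrix(i, rng)
            total += stat_dist_from_uniform([apply_g(g, x) for x in pre], i)
        out[i] = (total / samples, lhl_bound(i, k))
    return out

def gf2_solve(g: list, target: int):
    """Solve g.x = target over GF(2) by Gaussian elimination on [row | bit].
    Returns (x, rank) with x one solution (free variables set to 0), or
    (None, rank) if the system is inconsistent."""
    rows = [[g[j], (target >> (len(g) - 1 - j)) & 1] for j in range(len(g))]
    pivots, r = [], 0
    for col in range(N_BITS - 1, -1, -1):
        piv = next((idx for idx in range(r, len(rows)) if (rows[idx][0] >> col) & 1), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for idx in range(len(rows)):
            if idx != r and (rows[idx][0] >> col) & 1:
                rows[idx][0] ^= rows[r][0]
                rows[idx][1] ^= rows[r][1]
        pivots.append((col, r))
        r += 1
    if any(mask == 0 and bit == 1 for mask, bit in rows):
        return None, r
    x = 0
    for col, idx in pivots:
        if rows[idx][1]:
            x |= 1 << col
    return x, r

def invert_untruncated(x: int, seed: int = 2) -> int:
    """Slide 9 objection: G_nb(x,g) = f(x), g, g(x) with the full n-bit g(x) is
    invertible. For a full-rank g, g(x) alone pins down x by linear algebra;
    a random n x n GF(2) matrix is full rank with probability about 0.29, so
    resample until it is. Returns the recovered x (equal to the input)."""
    rng = random.Random(seed)
    while True:
        g = random_matrix(N_BITS, rng)
        x_rec, rank = gf2_solve(g, apply_g(g, x))
        if rank == N_BITS:
            return x_rec

if __name__ == "__main__":
    y = f(12345)  # arbitrary image; its preimage set is enumerated inside
    for i, (avg, bound) in sorted(truncation_distances(y).items()):
        print(f"i={i:2d}  avg SD from uniform={avg:.3f}  LHL bound={bound:.3f}")
    print("x recovered from untruncated g(x):", invert_untruncated(0xBEEF) == 0xBEEF)
```

The experiment prints one row per prefix length i: for i = k − 4 the distance sits under the LHL bound, around i = k it is already substantial, and for i = k + 3 it exceeds 0.75 regardless of g, which is exactly why G_fe has to truncate g(x) near k. The inversion shows why the untruncated G_nb has no pseudoentropy against a distinguisher that sees the whole output; the slide's point is that an online distinguisher, which sees g(x) one bit at a time and must commit before the later bits arrive, is weaker.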

  10. Next-Bit Pseudoentropy • X has pseudoentropy k if there exists Y with H(Y) ≥ k such that X and Y are indistinguishable. • X = X_1…X_n has next-bit pseudoentropy k if there exists Y = Y_1…Y_n, jointly distributed with X, such that • Σ_i H(Y_i | X_1…X_{i−1}) ≥ k, and • X_i and Y_i are indistinguishable conditioned on X_1…X_{i−1}. • Remarks: • X and Y are jointly distributed. • The two notions coincide for k = n [BM, Yao]. • Generalizes to blocks (rather than bits).

  11. Our Next-Block Pseudoentropy Generator • G_nb(x,g) = f(x), g, g(x). • Next-block pseudoentropy > |x| + |g| + log n. • X = G_nb(x,g), and Y is obtained from X by replacing the first k + log n bits of g(x) with uniform bits. • Advantages: • Δ = next-block pseudoentropy − real entropy > log n. • Entropy bounds are known (on the total entropy). • "No bit left behind." • Relates to work on inaccessible entropy [HRVW09].

  12. HILL Revisited – Overview. [Figure: many independent copies of G_nb(x,g) run in parallel; their outputs are lined up block by block and fed to an extractor.] • n^2 repetitions: • amplify the entropy gap, and • turn next-block pseudo Shannon entropy into next-block pseudo min-entropy. • Extract the next-block pseudoentropy.

  13. Uniform Construction and Uniform Security • Seed length so far O(n^3), but the construction is non-uniform (we need to know how much to extract from each block). • Using an idea from [HRVW09] we get a uniform construction with seed length O(n^4). • To carry out the hybrid argument (over the n^2 repetitions), we need X and Y to be next-block indistinguishable even given an oracle that samples X and Y. • Just as in HILL, the most elegant solution is via Holenstein's Uniform Hard-Core Lemma [Holens06].

  14. Final Comment • Assume f is a one-way permutation: given f(x), it is hard to find x. • Intuitively, given f(x), x has some computational entropy in it (so we can extract this entropy). • Nevertheless, given f(x), x has no pseudoentropy at all. • However, G'_nb(x) = f(x), x is a next-block pseudoentropy generator. • Does this also hold for OWFs?

