Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions

Iftach Haitner, Danny Harnik, Omer Reingold


Page 2

Pseudorandom Generators (PRG) [BM82, Yao82]

Efficiently computable function $G:\{0,1\}^n \to \{0,1\}^{n'}$

• Increases length ($n' > n$).

• Output is computationally indistinguishable from random: $G(U_n) \approx_c U_{n'}$

Central in cryptography, implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and …

[Figure: $x \to G(x)$]

Page 3

PRG Based on General Hardness Assumptions

Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if

1. Efficiently computable

2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$

If $f$ is also a permutation on $\{0,1\}^n$, then it is a one-way permutation (OWP).

$f:\{0,1\}^n \to \{0,1\}^n$ is regular if all images have the same preimage size: for any $x \in \{0,1\}^n$ it holds that $|f^{-1}(f(x))| = n$.

• One-way permutations [BM82, Yao82]: $O(n)$

• Regular one-way functions [GKL88]: $O(n^3)$

• Any one-way function [HILL89]: $O(n^8)$

Input Blowup: The input length of the resulting PRG grows compared to the underlying OWF.

• Central to the security of the construction.

• Denote the input length of the OWF by $n$.

Page 4

Example: We trust a OWF to be secure only for 100 bit inputs.

• [BMY] is insecure for seed < 100 bits.

• [HILL] is insecure for seed < $10^{16}$ bits!

Goal: Reduce input length blowup.

[Holenstein 06]: One-way function with exponential hardness ($2^{-Cn}$ for some $C>0$): $O(n^5)$

Def: $f:\{0,1\}^n \to \{0,1\}^n$ is a one-way function (OWF) if:

1. Efficiently computable

2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] = \mathrm{neg}(n)$

Def: $f:\{0,1\}^n \to \{0,1\}^n$ is an exponentially hard one-way function if:

1. Efficiently computable

2. Hard to invert: for any PPT $A$, $\Pr_{x \leftarrow U_n}[A(f(x),1^n) \in f^{-1}(f(x))] < 2^{-Cn}$ for some constant $C > 0$

Page 5

Our Results

Paper        | Restriction             | Seed length
[BM82][Y82]  | One-way Permutations    | $n + o(n)$
[GKL88]      | Regular OWF             | $O(n^3)$
[HHR05]      | Regular OWF             | $O(n \log n)$
[HILL89]     | Any OWF                 | $O(n^8)$
[Holens06]   | Exponentially Hard OWF  | $O(n^5)$
This work    | Exponentially Hard OWF  | $O(n^2)$
[HHR05]      | Any OWF                 | $O(n^7)$

Page 6

PRG from exponentially hard OWF

[Holenstein 06] is a generalization of [HILL] that takes into account the hardness $2^{-\Phi n}$.

Seed length is a function of $\Phi$, with optimal results when $\Phi$ is a constant $C$.

Our construction follows by developing the Randomized Iterate techniques presented in [HHR05] in the context of PRGs from regular OWFs. Works only for $\Phi > \Omega(1/\log n)$.

Page 7

Plan of the talk:

• Motivation - The BMY generator.

• The Randomized Iterate.

• A PRG from regular OWFs.

• The randomized iterate of a general OWF.

• The construction for exponentially hard OWFs.

Page 8

The BMY PRG

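OWP $f:\{0,1\}^n \to \{0,1\}^n$

Hardcore predicate $b$ of $f$: given $f(x)$ it is hard to predict $b(x)$.

[Figure: the chain $x \to f(x) \to f^2(x) \to \cdots \to f^n(x) \to f^{n+1}(x)$, each arrow one application of $f$]

$G(x) = b(x), b(f^1(x)), b(f^2(x)), \ldots, b(f^n(x))$

Claim: $G$ is a PRG.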

Page 9

One-Way on Iterates: given $z = f^k(x)$ it is hard to find $y$ such that $f(y) = z$.

[Levin]: If for all $k$ it is hard to invert $f^k$, then $b(x), b(f(x)), \ldots, b(f^m(x))$ is pseudorandom.

Page 10

Applying BMY to any OWF

When $f$ is any OWF, inverting $f^i$ might be easy (even when $f$ is regular). Example:

[Figure: applying $f$ repeatedly leads into a set labelled "Easy inputs"]

Page 11

The Randomized Iterate

Idea: use “randomization steps” between the iterations of $f$ to prevent the convergence of the outputs into easy instances.

The Randomized Iterate [GKL], [HHR]:

[Figure: $x \to f \to f^0(x,h) \to h_1 \to f \to f^1(x,h) \to h_2 \to f \to f^2(x,h) \to h_3 \to f \to \cdots$]

$h = (h_1,\ldots,h_n)$: random pairwise independent hash functions

$G(x,h) = b(f^0(x,h)), \ldots, b(f^n(x,h)), h_1, \ldots, h_n$

$H$ is a family of pairwise independent hash functions from $\{0,1\}^n \to \{0,1\}^n$ if for all $x_1 \neq x_2$ and a random $h \in H$, $(h(x_1), h(x_2))$ is uniform over $\{0,1\}^{2n}$.

Use $H$ where the description of $h$ is of length $O(n)$.
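The failure of the plain iterate and the effect of the randomization steps, as an added sketch (not code from the talk or its authors): a toy regular function whose second plain iterate is constant, and the randomized iterate $f^k(x,h) = f(h_k(f^{k-1}(x,h)))$ built from hashes $h_{a,b}(x) = a \cdot x + b$ over GF($2^{16}$), whose description is $2n$ bits. The 16-bit size, the function `f`, the reduction polynomial, the Goldreich-Levin inner-product bit standing in for $b$, and all helper names are assumptions made for illustration; nothing this small is one-way.

```python
import secrets

N = 16                    # toy block size: f maps 16 bits to 16 bits
POLY = 0x1100B            # x^16 + x^12 + x^3 + x + 1, irreducible over GF(2)
IDENTITY = (1, 0)         # key of h(x) = x; with it the chain is the plain iterate

def f(x):
    """Regular toy function f(hi, lo) = (0, g(hi)); every image has 2^8 preimages."""
    return pow(3, (x >> 8) + 1, 257) - 1   # 3 generates Z_257^*, so g is a bijection

def gf_mul(a, b):
    """Multiply in GF(2^16): carry-less product reduced modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a >> N:
            a ^= POLY
        b >>= 1
    return r

def h(key, x):
    """Pairwise independent hash h_{a,b}(x) = a*x + b over GF(2^16); key is 2n bits."""
    return gf_mul(key[0], x) ^ key[1]

def randomized_iterate(x, keys, k):
    """f^0(x,h) = f(x) and f^k(x,h) = f(h_k(f^{k-1}(x,h)))."""
    y = f(x)
    for key in keys[:k]:
        y = f(h(key, y))
    return y

def image_size(keys, k):
    """Distinct values of f^k(x,h) over all 2^16 inputs x; 1 means f^k is constant."""
    return len({randomized_iterate(x, keys, k) for x in range(1 << N)})

def G(x, keys, r):
    """b(f^0(x,h)), ..., b(f^n(x,h)) with b(y) = <y, r> mod 2; keys and r are public."""
    return [bin(randomized_iterate(x, keys, k) & r).count("1") & 1
            for k in range(len(keys) + 1)]

if __name__ == "__main__":
    keys = [(secrets.randbelow(1 << N), secrets.randbelow(1 << N)) for _ in range(3)]
    print("plain f(f(x)) image size:", image_size([IDENTITY], 1))
    print("randomized f^1 image size:", image_size(keys, 1))
    print("output bits:", G(0xBEEF, keys, r=0xA5A5))
```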

Page 12

Lemma [HHR]: (Last randomized iteration is hard to invert) Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then no PPT can invert $f^k$ given $h_1,\ldots,h_k$.

Corollary: Let $f$ be a regular OWF and $H$ be a family of pairwise independent hash functions, then $G(x,h) = b(f^0(x,h)), b(f^1(x,h)), \ldots, b(f^n(x,h)), h$ is a PRG.

Page 13

Randomized Iterate of general OWF

Can we apply the construction to any OWF? No, security deteriorates with every iteration.

Lemma: It is hard to invert $f^k$ (given $h$) over a set of density at least $1/k$.

$(x,h) \to f^0(x,h), f^1(x,h), \ldots, f^k(x,h)$

• $f^k$ is hard to invert whenever the last iteration is at least as heavy as all the iterations in the sequence.

• By symmetry, this happens with probability $\geq 1/k$.

Note: for regular functions always true…

Page 14

With probability $1/k$ the bit $b$ is pseudorandom when given $f^{k+1}(x,h)$ and $h$.

Idea: repeat $m$ independent times.

[Figure: $m$ independent rows $f^k(x_i,h_i) \to f^{k+1}(x_i,h_i)$ for $i = 1,\ldots,m$, each yielding a bit $b_i$; the bits $b_1,\ldots,b_m$ are fed into Ext, which outputs $m/(2k)$ bits]

Pseudoentropy source: at least $m/k$ of the bits are pseudorandom given $f^{k+1}$ and $h$.

Use a randomness extractor to get $O(m/k)$ pseudorandom bits.

Page 15

Randomness Extractors [NZ93]

• Extract randomness from distributions which contain sufficient (min)-entropy.

• Use a short seed of truly random bits.

• Output is (close to) uniform even when the seed is known.

[Figure: an extractor with its seed maps a high entropy distribution to a random output, and a high pseudoentropy distribution to a pseudorandom output]

Uniform extraction Lemma: an analogous result for pseudoentropy, appears implicitly in [HILL].

New proof of the uniform extraction Lemma given in [Holens06] & [HHR05]. Based on the uniform hardcore set proof of Holenstein (FOCS 2005).

Page 16

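We can extract $m/(2k)$ pseudorandom bits at each iteration.

Total pseudorandom bits:

$\sum_k \frac{m}{2k} \approx \frac{m}{2} \log t$

For the generator to stretch this should be more than the $mn$ bits of $x_1,\ldots,x_m$.

$t > 2^n$ is too large !!!

[Figure: $m$ rows $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \ldots, (x_m,h_m)$ iterated $t$ times; successive iterations yield $m/4$, $m/6$, $m/8$, $m/10$, $m/12$ bits]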

Page 17

Exponential hardness

Theorem [GL89]: if a one-way function $f$ has hardness $2^{-Cn}$ then it has $O(Cn)$ hard-core bits.

We can take out more pseudorandom bits at every iteration!

Page 18

We extract $C'mn/k$ pseudorandom bits at the $k$th iteration.

Total number of pseudorandom bits:

$\sum_k \frac{C'nm}{k} \approx C'mn \log t$

Take $t$ to be a constant such that $\sum_k (1/k) > C'$.

Total seed length is $O(tmn)$ bits (description size of the hash functions). Take $m = n$, the seed length becomes $O(n^2)$.

[Figure: $m$ rows $(x_1,h_1), (x_2,h_2), (x_3,h_3), (x_4,h_4), \ldots, (x_m,h_m)$ iterated $t$ times; successive iterations yield $mn/4$, $mn/6$, $mn/8$, $mn/10$, $mn/12$ bits]

Page 19

Questions and Further Issues

• Holenstein achieves seed $O(n^4 \log^2 n)$ if the resulting PRG need only have standard hardness (super-polynomial). Accordingly, we get $O(n \log^2 n)$ in such a case.

• Can such methods work for general OWFs? Could work if the deterioration in security in each iteration were somehow limited.

• Other applications of exponentially hard OWFs? Recent results of [GI06], [HR06].