On the Power of the Randomized Iterate

Iftach Haitner, Danny Harnik, Omer Reingold

Topics: pseudorandom generators; hardness amplification; the Randomized Iterate [GKL88].

Pseudorandom Generators (PRG) [BM82, Yao82]

An efficiently computable function G: {0,1}^n → {0,1}^n' that
• increases length (n' > n), and
• has output computationally indistinguishable from random: G(U_n) ≈_c U_n'.

Central in cryptography: implies bit-commitment [Naor91], pseudorandom functions [GGM86], pseudorandom permutations [LR88] and more.

[figure: seed x → G → G(x)]

Def: f: {0,1}^n → {0,1}^n is a one-way function (OWF) if
1. it is efficiently computable, and
2. it is hard to invert: given f(x) for a random x, it is hard to find any element of f^-1(f(x)).

If f is also a permutation on {0,1}^n, then it is a one-way permutation (OWP).

f: {0,1}^n → {0,1}^n is regular if all images have the same preimage size, i.e. |f^-1(f(x))| is the same for every x ∈ {0,1}^n. If that common preimage size is efficiently computable then f is known regular.

PRG Based on General Hardness Assumptions (seed length of the resulting PRG)
• One-way permutations [BM82, Yao82]: O(n)
• Regular one-way functions [GKL88]: O(n^3)
• Any one-way function [HILL89]: O(n^8)

Input blowup: the input (seed) length of the resulting PRG grows compared to the input length of the underlying OWF.
• This blowup is central to the security of the construction.
• Throughout, n denotes the input length of the OWF.

Example: we trust a OWF to be secure only for 100-bit inputs (n = 100).
• [BMY] (seed O(n)) is insecure for seeds shorter than 100 bits.
• [GKL] (seed O(n^3)) is insecure for seeds shorter than 1,000,000 bits.
• [HILL] (seed O(n^8)) is insecure for seeds shorter than 10^16 bits!

Goal: reduce the input-length blowup.

[Holens06]: from a one-way function with exponential hardness (2^-Cn for some C > 0), a PRG with seed length O(n^5).

Our Results

Pseudorandom generators from:
• regular one-way functions: seed length O(n log n);
• any one-way function: seed length O(n^7);
• one-way functions with exponential hardness: seed length O(n^2).

Hardness amplification

Def: weak one-way functions: no PPT inverts with probability better than 1 minus the weakness parameter (a noticeable quantity).

Goal: a strong OWF from a weak OWF. Known input blowups:
• general one-way functions [Yao82]: O(n^2 divided by the weakness parameter);
• one-way permutations [GILVZ90]: O(n);
• known regular one-way functions [GILVZ90]: between O(n) and O(n^2), depending on the hardness of the function;
• regular one-way functions [DI99]: O(n), in the public-randomness model.

Our result: from a weak (unknown) regular OWF, O(n log n).

The Plan of the Talk
1. Present our construction of a PRG from regular one-way functions.
2. Give some highlights on the other two results: a more efficient PRG from any one-way function, and efficient hardness amplification for regular one-way functions.

PRG from Regular OWF

• Motivation: the BMY generator.
• The Randomized Iterate.
• A PRG with seed length O(n^2).
• Derandomize the construction to get a PRG with seed length O(n log n).

The BMY PRG

Let f: {0,1}^n → {0,1}^n be a OWP and b a hardcore predicate of f (given f(x) it is hard to predict b(x)).

G(x) = b(x), b(f^1(x)), b(f^2(x)), ..., b(f^n(x))

[figure: x →f→ f(x) →f→ f^2(x) → ... → f^n(x) →f→ f^(n+1)(x)]

Claim: G is a PRG.

One-way on iterates [Levin]: if for every k it is hard to invert f^k (that is, given z = f^k(x) it is hard to find y such that f(y) = z), then b(x), b(f(x)), ..., b(f^m(x)) is pseudorandom.

Applying BMY to any OWF

When f is an arbitrary OWF, inverting f^i might be easy, even when f is regular: iterating f can drive the outputs into a set of "easy" inputs on which f is trivial to invert (figure: f → f → easy inputs).

The Randomized Iterate [GKL]

Let h_1, ..., h_n ∈ H, where H is a family of k-wise independent hash functions from {0,1}^n to {0,1}^n: for all distinct x_1, ..., x_k and a random h ∈ H, (h(x_1), h(x_2), ..., h(x_k)) is uniform over {0,1}^nk. The description of each h_i is of length O(nk).

Idea: use "randomization steps" between the iterations of f to prevent the convergence of the outputs into easy instances:

f^0(x,h) = f(x),  f^i(x,h) = f(h_i(f^(i-1)(x,h)))  for h = (h_1, ..., h_n)

[figure: x →f→ f^0(x,h) →h_1→ →f→ f^1(x,h) →h_2→ →f→ f^2(x,h) →h_3→ →f→ ...]

G(x,h) = b(f^0(x,h)), ..., b(f^n(x,h)), h_1, ..., h_n

[GKL] prove it for n-wise independent hash functions (O(n^3) bits to describe h_1, ..., h_n).

We simplify the proof and apply it to pairwise independent hash functions, so only O(n^2) bits are needed to describe h_1, ..., h_n.

We then derandomize the selection of h_1, ..., h_n using only O(n log n) bits.

Lemma 1 (the last randomized iteration is hard to invert): Let f be a regular OWF and H a family of pairwise independent hash functions. Then no PPT can invert f^k(x,h) (find y with f(y) = f^k(x,h)), even when given h_1, ..., h_k.

Corollary: Let f be a regular OWF and H a family of pairwise independent hash functions. Then G(x,h) = b(f^0(x,h)), b(f^1(x,h)), ..., b(f^n(x,h)), h is a PRG with seed length O(n^2).

Proof of Lemma 1 (illustrated for the first iteration, f^1)

[figure: the reduction from A to A']

Suppose A, given (f^1(x,h), h), outputs y with Pr[f(h(y)) = f^1(x,h)] noticeable (at least 1/poly).

Build A': given f^1(x,h) alone, draw a fresh h' ← H, run A on (f^1(x,h), h') to obtain y, and output h'(y). We show that Pr[f(h'(y)) = f^1(x,h)] is still noticeable (at least half the square of A's success probability).

Contradiction: A' inverts f itself, since f^1(x,h) = f(h(f(x))) is distributed like f(U_n).

Def: the collision-probability of a distribution D, CP(D), is the probability that two independent draws from D yield the same element.

Let H and H' denote independent uniform draws from the family H: (f^1(U_n,H), H) pairs the iterate with the hash used to compute it, while (f^1(U_n,H), H') pairs it with an unrelated hash.

Claim: A inverts (f^1(x,h), h)  ⟹  A inverts (f^1(x,h), h')  ⟹  A' inverts f^1(x,h).

We do not compare the two distributions themselves, only their collision probabilities, which are within a factor of 2 of each other: CP(f^1(U_n,H), H) ≤ 2 · CP(f^1(U_n,H), H').

Lemma 2: If CP(f^1(U_n,H), H) < n^C · CP(f^1(U_n,H), H'), then any T that is noticeable w.r.t. (f^1(U_n,H), H) is noticeable w.r.t. (f^1(U_n,H), H'). Apply it to T = {(z,h) | A inverts (z,h)} ⊆ Im(f) × H.

[figure: the set T inside Im(f) × H]

This is the only place we use the regularity of f (it makes (f^1(U_n,H), H') uniform over Im(f) × H).

Computing the collision probabilities (f^1 = f ∘ h ∘ f):

CP(f^1(U_n,H), H) ≤ (1/|H|) · (CP(f(U_n)) + CP(f(U_n))) = 2 · CP(f(U_n)) / |H|

(1/|H| is the chance that the two draws share h; given that, the iterates collide either because the two f(x) values already collide, or because two distinct f(x) values are sent by the pairwise independent h to independent uniform points whose f-images collide.)

CP(f^1(U_n,H), H') = CP(f^1(U_n,H)) / |H| = CP(f(U_n)) / |H|

(h' is independent of the iterate, and h(f(x)) is uniform for a random h, so f^1(U_n,H) is distributed like f(U_n).)

Hence CP(f^1(U_n,H), H) ≤ 2 · CP(f^1(U_n,H), H').

Proving Lemma 2

Claim: Let D be a distribution over a set S such that CP(D) < n^C · CP(U_S), and let T ⊆ S. If Pr_{x←D}[x ∈ T] is noticeable then so is Pr_{x←U_S}[x ∈ T]; precisely, Pr_{U_S}[T] ≥ n^-C · Pr_D[T]^2.

Proof: two independent draws from D both land in T with probability Pr_D[T]^2, and once both are inside T they hit the same element with probability at least 1/|T|, so
CP(D) ≥ Pr_D[T]^2 / |T|
|T| ≥ Pr_D[T]^2 / CP(D) ≥ Pr_D[T]^2 / (n^C · CP(U_S)) = n^-C · Pr_D[T]^2 · |S|
Pr_{U_S}[T] = |T| / |S| ≥ n^-C · Pr_D[T]^2.

Here S = Im(f) × H and D = (f^1(U_n,H), H); by the regularity of f, (f^1(U_n,H), H') is exactly U_S, and the bound of the previous slide lets us take n^C = 2.
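The randomized iterate (slides 13-15) and the collision-probability bookkeeping of slides 17-19, on a toy instance small enough to enumerate exactly. This is an added example, not code from the talk or the paper. Its assumptions: the 4-bit function f is a stand-in for a regular OWF (it is trivially invertible; only its regularity, and the fact that its plain iterate collapses, matter here); the hash family h_{a,b}(x) = a·x ⊕ b over GF(2^4) is one concrete pairwise independent family; and b is the Goldreich-Levin inner-product predicate with a fixed r.

```python
"""Randomized iterate (slides 13-15) and the collision-probability argument
(slides 17-19) on an exhaustively enumerable 4-bit toy instance.
Added example; f below is an assumed stand-in, not a one-way function."""
from fractions import Fraction
from itertools import product

N = 4
MASK = (1 << N) - 1
MOD = 0b10011  # x^4 + x + 1 is irreducible, so this is arithmetic in GF(2^4)

def gf16_mul(a, b):
    """Multiply two 4-bit field elements modulo x^4 + x + 1."""
    r = 0
    for _ in range(N):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & (1 << N):
            a ^= MOD
    return r & MASK

# Pairwise-independent family H = {h_{a,b}(x) = a*x + b : a, b in GF(16)}:
# for x1 != x2 the pair (h(x1), h(x2)) is uniform over GF(16)^2.  |H| = 256.
H = list(product(range(16), range(16)))

def hash_fn(h, x):
    a, b = h
    return gf16_mul(a, x) ^ b

# Toy regular f: it depends only on the top two bits of x, so every image has
# exactly 4 preimages and Im(f) = {0,1,2,3}.  Because Im(f) lies inside
# "top bits = 0", f(f(x)) = PERM[0] for every x: the plain BMY iterate collapses
# onto one trivially invertible point (the "easy inputs" of slide 12).
PERM = (2, 0, 3, 1)

def f(x):
    return PERM[x >> 2]

IMAGE = sorted(set(f(x) for x in range(16)))

def plain_iterate(x, k):
    """f^(k+1)(x): BMY-style iteration without randomization steps."""
    for _ in range(k + 1):
        x = f(x)
    return x

def randomized_iterate(x, hs):
    """f^0 = f(x); f^i = f(h_i(f^(i-1))) for hs = (h_1, ..., h_k)."""
    y = f(x)
    for h in hs:
        y = f(hash_fn(h, y))
    return y

def gl_bit(r, y):
    """Goldreich-Levin predicate <r, y> mod 2, used as the hard-core bit b."""
    return bin(r & y).count("1") & 1

def prg_bits(x, hs, r):
    """b(f^0), b(f^1), ..., b(f^k): the bit part of G(x,h) (G also outputs hs)."""
    bits, y = [], f(x)
    for h in hs:
        bits.append(gl_bit(r, y))
        y = f(hash_fn(h, y))
    bits.append(gl_bit(r, y))
    return bits

def image_size(k, randomized):
    """Number of distinct k-th iterates over all x (and, if randomized, all h)."""
    if not randomized:
        return len({plain_iterate(x, k) for x in range(16)})
    return len({randomized_iterate(x, hs)
                for x in range(16) for hs in product(H, repeat=k)})

def distribution_same_h():
    """D = (f^1(x,h), h) for uniform x and h: the iterate paired with ITS hash."""
    counts = {}
    for x in range(16):
        for h in H:
            key = (randomized_iterate(x, (h,)), h)
            counts[key] = counts.get(key, 0) + 1
    return {k: Fraction(c, 16 * len(H)) for k, c in counts.items()}

def collision_prob(dist):
    return sum(p * p for p in dist.values())

def cp_same_h():
    return collision_prob(distribution_same_h())

def cp_fresh_h():
    """CP of (f^1(x,h), h') with h' independent of h: CP(f^1(U_n,H)) / |H|."""
    marginal = {}
    for (z, _), p in distribution_same_h().items():
        marginal[z] = marginal.get(z, 0) + p
    return collision_prob(marginal) / len(H)

def cp_uniform():
    """CP of U_S for S = Im(f) x H; equals cp_fresh_h() because f is regular."""
    return Fraction(1, len(IMAGE) * len(H))

def check_claim(in_T):
    """Slide 19's claim with n^C replaced by the actual ratio c = CP(D)/CP(U_S):
    returns (Pr_D[T], Pr_U[T], Pr_U[T] >= Pr_D[T]^2 / c) for T given by in_T(z, h)."""
    D = distribution_same_h()
    p_d = sum(p for key, p in D.items() if in_T(*key))
    p_u = Fraction(sum(1 for z in IMAGE for h in H if in_T(z, h)),
                   len(IMAGE) * len(H))
    c = cp_same_h() / cp_uniform()
    return p_d, p_u, p_u >= p_d * p_d / c
```

With these definitions loaded, image_size(1, False) is 1 while image_size(1, True) is 4: one plain iteration already sends every seed to the same point, whereas the randomized iterate still covers all of Im(f). cp_same_h() is 7/4096 against cp_fresh_h() = cp_uniform() = 1/1024, so the factor in Lemma 2 is 7/4 ≤ 2, as the bound on slide 18 predicts. For the "lucky hash" set T = {(z, (a,b)) : f(b) = z}, check_claim(lambda z, h: f(h[1]) == z) returns (7/16, 1/4, True): T is noticeable under the same-h distribution and stays noticeable under the uniform one.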


Derandomizing the PRG

The proof used only two properties of h_1, ..., h_k:
• f^k(U_n,H^k) is distributed like f(U_n);
• the bound on CP(f^k(U_n,H^k), H^k).
Both properties can be "verified" by an algorithm (a branching program) that uses O(n) space, e.g. the collision verifier below. So h_1, ..., h_k can be chosen using a generator that fools bounded-space adversaries [Nisan92], [INW94], with space bound 2n and error 2^-n.

The seed length of the new generator is O(n log n). It could be O(n) given better bounded-space generators.

Collision verifier:
  input tape: h_1, ..., h_k.
  Choose two random elements x_1, x_2 ∈ {0,1}^n.
  Return "1" iff f^k(x_1, h_1, ..., h_k) = f^k(x_2, h_1, ..., h_k).


PRG from Any OWF

Can we apply the randomized iterate to any OWF? No: security deteriorates with every iteration. However:

Lemma: it is hard to invert f^i over a set of inputs of density at least 1/i.

This does not seem enough for an efficient PRG from any OWF, but a 2^Cn-hard OWF implies a PRG with seed length O(n^2).

Pseudo-Entropy Pair (PEP)

Def: A pair of a function and a predicate (g,b) is a PEP with parameters (entropy bound, gap) if
1. H(b(U_n) | g(U_n)) ≤ entropy bound, and
2. b is an (entropy bound + gap)-hard predicate of g: it is hard to predict b(U_n) given g(U_n) with probability better than 1 − (entropy bound + gap)/2.

So b has entropy at most the bound, but pseudoentropy at least bound + gap.

[HILL]:
1. OWF ⟹ PEP with gap 1/n, where the entropy bound is unknown.
2. PEP with gap 1/n ⟹ PRG, where the entropy bound is known.

Dealing with an unknown entropy bound

For every i ∈ [n], "guess" that the bound equals i/n and construct the corresponding PRG G_i; then combine the guesses:
G(x_1, ..., x_n) = G_1(x_1) ⊕ G_2(x_2) ⊕ ... ⊕ G_n(x_n).

First apply the standard length-extending method [GGM] to each G_i so that its output length is n^2 + 1. This increases the seed length by a factor of O(n) and the complexity by a factor of O(n^3).

Using the randomized iterate to construct a (1/2, 1/n)-PEP

Recall f^1(x,h) = f(h(f^0(x,h))) = f(h(f(x))). Let b'(x,h) = b(f^0(x,h)), where b is the Goldreich-Levin predicate, and let g(x,h) = (f^1(x,h), h).

Lemma: (g, b') is a (1/2, 1/n)-PEP.

[figure: x →f→ f^0 →h→ →f→ f^1, i.e. f ∘ h ∘ f]

Let D_f(y) = ⌈log |f^-1(y)|⌉, and write f^0 = f(x), f^1 = f(h(f^0)) = f(h(f(x))).

Lemma:
1. If D_f(f^0) ≥ D_f(f^1) then, w.h.p., f^0 is information-theoretically determined by (f^1, h).*
2. If D_f(f^0) ≤ D_f(f^1) then it is hard to compute f^0 given (f^1, h).

Claim: Pr[D_f(f^0) ≤ D_f(f^1)] = Pr[D_f(f^0) ≥ D_f(f^1)] ≥ 1/2 + 1/n.

"Proof": D_f(f^0) and D_f(f^1) are i.i.d. over [n] (for a random h, h(f(x)) is uniform and independent of f(x)), so by symmetry the two probabilities are equal.

Therefore H(b(f(x)) | (f^1(x,h), h)) ≤ 1/2, and b' is a (1/2 + 1/n)-hard predicate of g.


From weak regular OWF to (strong) OWF

Def: a weak one-way function f: no PPT inverts f with probability better than 1 minus the weakness parameter.

Claim: for any PPT A and polynomial p there is a failing-set S_A ⊆ Im(f) of weight at least half the weakness parameter on which A essentially never succeeds:
Pr_{y←f(U_n)}[A(y) ∈ f^-1(y) | y ∈ S_A] ≤ 1/p.

Hitting every failing-set

Yao's direct product: f'(x_1, x_2, ..., x_m) = (f(x_1), f(x_2), ..., f(x_m)), with m = O(n divided by the weakness parameter).

A inverts f'  ⟹  M inverts f. On input y ∈ Im(f):
  for every i ∈ [m]:
    (x_1, ..., x_m) ← A(f(U_n), ..., y, ..., f(U_n))    (y planted in position i, fresh f(U_n) elsewhere)
    if f(x_i) == y: return x_i
The check f(x_i) == y is needed because A might return a different pre-image of y than the one the tuple was built from.

Our variant replaces the direct product by the randomized iterate (figure: x_1 →f∘h_1→ x_2 →f∘h_2→ ... →f∘h_m→ f^m(x, h_1, ..., h_m), together with h_1, ..., h_m). From our proof for regular OWF, inverting f^m(x, h_1, ..., h_m) is hard even when given h_1, ..., h_m. The description of h_1, ..., h_m is too long, so we use derandomization to get O(n log n).
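The reduction M of this slide, run against a constructed adversary, as an added example that is not code from the talk or the paper. Assumptions: f is a toy stand-in for the OWF (squaring mod 23, trivially invertible by table); A is an adversary for the direct product f' that only knows how to invert tuples whose first image is even and that returns the smallest preimage of each coordinate. That choice of A illustrates both why M has to plant y in every position and why M checks f(x_i) == y instead of looking for a particular preimage.

```python
"""Slide 31's reduction: from an adversary A that inverts Yao's direct product
f'(x_1, ..., x_m) = (f(x_1), ..., f(x_m)) to an inverter M for f itself.
Added example; f and A are constructed stand-ins, not from the talk or paper."""
import random

P = 23

def f(x):
    """Toy stand-in for the OWF (assumption: squaring mod 23 is NOT one-way)."""
    return x * x % P

IMAGE = sorted(set(f(x) for x in range(P)))
PREIMAGES = {y: [x for x in range(P) if f(x) == y] for y in IMAGE}

def f_prime(xs):
    """Yao's direct product f'."""
    return tuple(f(x) for x in xs)

def weak_adversary(ys):
    """Constructed A for f': it succeeds only on tuples whose FIRST image is
    even (a noticeable but bounded fraction of inputs), and it returns the
    smallest preimage of each coordinate, which in general is a different
    preimage than the x_i the tuple was built from."""
    if ys[0] % 2:
        return None
    return tuple(PREIMAGES[y][0] for y in ys)

def M(y, A, m, seed=0):
    """Plant y at every position i in turn, fill the other m-1 slots with f of
    fresh random inputs, and accept any returned x_i with f(x_i) == y.  The
    slide takes m = O(n / weakness); here m is just a parameter."""
    rng = random.Random(seed)  # fixed seed so the example is reproducible
    for i in range(m):
        ys = [f(rng.randrange(P)) for _ in range(m)]
        ys[i] = y
        xs = A(tuple(ys))
        if xs is not None and f(xs[i]) == y:
            return xs[i]
    return None

def failing_images(A, m):
    """Images y in Im(f) that M (built from A) fails to invert."""
    return [y for y in IMAGE if M(y, A, m) is None]
```

weak_adversary(f_prime((1, 2, 3))) is None because f(1) = 1 is odd, while weak_adversary(f_prime((2, 21, 5))) returns (2, 2, 5): a valid inverse of f', but with 2 in place of 21, which is exactly why M tests f(x_i) == y. With m = 1, M can only plant y in position 0, and failing_images(weak_adversary, 1) is precisely the odd images [1, 3, 9, 13]; with m = 12, failing_images(weak_adversary, 12) is empty, because for every y some other position gets an even f(U_n) in slot 0 with overwhelming probability.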

Further issues

• Linear (O(n)) constructions for the regular-OWF PRG and for weak-OWF amplification (* through a better bounded-space generator?).
• A BMY-like PRG for any OWF (of any hardness)?
• Efficient hardness amplification for any weak OWF.