Add to collection(s) Add to saved
  1. No category

Efficiency of PRGs

advertisement 
Constructing a PRG from a OWF
requires roughly n/log(n) calls.
Thomas Holenstein, Makrand Sinha
Black Box Impossibility Summer
School
PRG and OWF
• A OWF is a function f: {0,1}n → {0,1}n such that
for all PPT A: Pr[f(A(f(x))) = f(x)] is negligible.
• A PRG is a function g: {0,1}m → {0,1}m+1 such
that for all PPT A: Pr[A(g(v))] – Pr[A(w)] is
negligible.
Theorem: [HILL, HRV, VZ] There is a fully BB
construction of a PRG from a OWF with m =
~
~
3) calls to the OWF.
O(n3) and which does O(n
OWF and PRG
Theorem: [HILL, HRV, VZ] There is a fully BB
construction of a PRG from a OWF with m =
~
~
3
O(n ) and which does O(n3) calls to the OWF.
Our Result: Any such construction must do at
least Ω(n/log(n)) calls.
Proof sketch
1. Prove the result for r = 1 (30 % of the work)
(Pseudo-uniform OWF. Requires us to distinguish two
cases)
2. Prove the result for r = 2 (50 % of the work)
(Uses additionally a Chernoff-Bound)
3. Prove the result for r = n/log(n) (20% of the work)
(Uses a version of the Chernoff-Bound for polynomials)
Quick Remark
• The black box separation is weak: we make
the OWF f dependent on the construction g(f).
• Let’s do this on a few examples! We start with
r = 1.
Case r = 1
x
z
v = (x,z)
Input
Invert every 2nd bit.
g
f
Output
y
z
∑ 𝑥𝑖 𝑧𝑖
How to distinguish g(v) from a uniform w?
Breaker should invert the “left part” of g, then
compare ∑ 𝑥𝑖 𝑧𝑖 to the output.
Case r = 1
Input
x
z
f
Output
y
z
∑ 𝑥𝑖 𝑧𝑖
How to distinguish g(v) from a uniform w?
Pick f: {0,1}n → Y for a small set Y. If y ∈Y then
output 1, otherwise 0.
Case r = 1
Input
x
z
f
Output
y
z
∑ 𝑥𝑖 𝑧𝑖
How to distinguish g(v) from a uniform w?
Breaker will again invert the “left part” of g, then
compare ∑ 𝑥𝑖 𝑧𝑖 to the output.
Our result in more detail
Lemma: Let g(f):{0,1}m → {0,1}m+1 be a candidate
construction of a PRG from a OWF f: {0,1}n → {0,1}n
which does r calls. Then, one of the following holds.
• Pick f as a random permutation. There is a
BreakerOW which inverts “the left part of” g(f)
with probability ½ and doesn’t help invert f.
• Pick Y ⊆ {0,1}n of size 2𝑛/𝑟 at random. If we pick
uniform regular f: {0,1}n → Y, then there is
BreakPU which distinguishes the output of g
without knowing f.
Pseudouniform one-way functions
Always saying “left part stuff” gets annoying…
A function g(f):{0,1}m → {0,1}m is a pseudouniform
one-way function if
– It is a one-way function
– The output is indistinguishable from uniform.
Exercise: if g(f):{0,1}m → {0,1}m+1 is a PRG, then
chopping off the last bit gives a PU-OWF function
(Hint: show first that every PRG is a OWF).
Next up…
Plan: we give an inverter which works
sometimes. Show that if it does not work, then
the second case applies.
Now: how does the inverter work?
Invert Carefully!
Input
x
z
𝑧 ≠ 0𝑛
𝑧 = 0𝑛
(𝑥, 𝑧)
𝑓
𝑔 𝑥, 𝑧 =
𝑓 𝑣 ,𝑧
Output
y
z
This is a pseudouniform function (for every f!)
Hence – we need to invert! But not always!
Our Inverter
BreakOW(w): // Finds v with g(v) = w – sometimes
For all v:
if g(f)(v) = w and SafeToAnswer(w, y)
thisquery
doesto
not
invert
// y is the answer ofIfthe
f in
g(f)(v)g, it is
because SafeToAnswer returns
return v
true too often.
But then: making some y’s common
will make some w’s common!
SafeToAnswer(w,y):
false if #{v | g(v) = w if f(.) answers y} > 2n/30
Gennaro-Trevisan Technique:
Lemma: BreakOW does not help invert a random f.
Proof: How does the decoder work?
Decoder: Simulate A(f)(y). When A queries
BreakOW(w) evaluate g(f)(v) for all v. If only one
query is unknown, check if answering it with y
makes BreakOW(w) return v. If yes continue the
simulation with this answer, otherwise take the
next v. The preimage of y is the output of A(f)(y).
Should we store (x*,f(x*)) explicitly?
Decoder: Simulate A(f)(y). When A queries BreakOW(w)
evaluate g(f)(v) for all v. If only one query is unknown,
check if answering it with y makes BreakOW(w) return
v. If yes continue the simulation with this answer,
otherwise take the next v. The preimage of y is the
output of A(f)(y).
We have to store (x*,f(x*)) explicitly if:
A(f)(y) queries BreakOW with w for which:
BreakOW(f)(w) ≠ BreakOW(f*)(w)
Our Inverter
BreakOW(w): // Finds v with g(v) = w – sometimes
For all v:
if g(f)(v) = w and SafeToAnswer(w, y)
(f)(v)
// y is the answerFix
of the
query
to
f
in
g
w, y. There can only be 2n/30 x*
return v
for which BreakOW(f)(w) ≠
BreakOW(f*)(w) because each
such x* gives rise to a different v.
SafeToAnswer(w,y):
false if #{v | g(v) = w if f(.) answers y} > 2n/30
Remarks for r = 2
• For r = 2 and our breaker, the GennaroTrevisan encoding can get huge, if the function
f is chosen in an unlucky way!
• We don’t know how to avoid this.
• Instead, a Chernoff Bound shows that there
are only few such functions
• (see paper for an example).
Thanks!
A condition on BreakOW
We can give a condition on BreakOW: it should
be that for every w, y, there are only few (say
2n/30) values x* s.t.
BreakOW(f)(w) ≠ BreakOW(f*)(w)
Unfortunately, for r > 1, we can only show that
our Breaker has this property for almost all f.
Related documents
WESTFIELD PATIENT FORUM COFFEE & CAKE MORNING HELD ON SATURDAY
WESTFIELD PATIENT FORUM COFFEE & CAKE MORNING HELD ON SATURDAY
1 (submit at lecture of Nov. 17th)
1 (submit at lecture of Nov. 17th)
Minutes of Topcliffe Patient Reference Group
Minutes of Topcliffe Patient Reference Group
, Kintbury Surgery - Kintbury & Woolton Hill Surgery
, Kintbury Surgery - Kintbury & Woolton Hill Surgery
1 7 CHAPTER
1 7 CHAPTER
Download
advertisement