On Constructing Parallel Pseudorandom Generators from One-Way Functions

Emanuele Viola, Harvard University, June 2005

Pseudorandom Generator (PRG) [BM, Y]

- Poly(n)-time computable
- Stretch $s(n) \ge 1$ (e.g., $s(n) = 1$, $s(n) = n$)
- Fools efficient adversaries: $\forall$ PPT $A$: $\Pr_{X,\,|X| = n+s(n)}[A(X) = 1] \approx \Pr_{\ ,\,|\ | = n}[A(\mathrm{PRG}(\ )) = 1]$

Background on PRG

- PRG $\Leftrightarrow$ One-Way Functions (OWF) [BM, Y, GL, …, HILL] ($f$ is OWF if easy to compute but hard to invert, i.e. $\forall$ PPT $M$, almost never $M(f(X)) \in f^{-1}(f(X))$)
- Applications of PRG: cryptography, derandomization; need stretch $s(n) = \mathrm{poly}(n)$
- Stretch $s(n)$ only makes sense relative to $n$
  - E.g. $G : \{0,1\}^n \to \{0,1\}^{n+s(n)} \Rightarrow G : \{0,1\}^{n^2} \to \{0,1\}^{n^2 + n \cdot s(n)}$
  - Two main cases: $s(n) = 1$, or $s(n) = n$

PRG Constructions

- We study complexity of constructing PRG with big stretch from OWF $f$
- Def.: black-box PRG constructions $G^f$: for every (comput.-unbounded) function $f$, adversary $A$: $A$ breaks $G^f \Rightarrow \exists$ PPT $M$: $M^{f,A}$ inverts $f$
- Most constructions are black-box [BM, Y, …, HILL]
- Many negat. results for black-box model [IR, …, GT, RTV]
  - Cannot make sense of negat. result in non-black-box model

Standard Constructions w/ big stretch

- STEP 1: OWF $f \Rightarrow G^f : \{0,1\}^n \to \{0,1\}^{n+1}$
  - Think e.g. $f : \{0,1\}^n \to \{0,1\}^n$
- STEP 2: $G^f \Rightarrow$ PRG with stretch $s(n) = \mathrm{poly}(n)$ [GM]
  - [Diagram: Input, $G^f$, $G^f$, $G^f$, …, Output]
- Stretch $s \Rightarrow s$ adaptive queries to $f \Rightarrow$ circuit depth $\ge s$
- Question [this work]: stretch $s$ vs. adaptivity & depth? E.g., can have $s = n$, circuit depth $O(\log n)$?

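
The sequential dependency behind "stretch $s \Rightarrow s$ adaptive queries" can be made concrete. The sketch below is an added example, not code from the talk: `CountingG` is a hypothetical stand-in for a one-bit-stretch $G^f$ built on SHA-256 (an assumption, not a proven PRG), and it tags every value with the length of the call chain it depends on.

```python
import hashlib

class CountingG:
    """Hypothetical stand-in for G^f : {0,1}^n -> {0,1}^(n+1) (SHA-256 based, assumption).
    Tracks how many calls are made and the longest chain of dependent calls."""
    def __init__(self, n_bytes=16):
        self.n_bytes = n_bytes
        self.calls = 0
        self.max_depth = 0

    def __call__(self, state, depth):
        self.calls += 1
        digest = hashlib.sha256(b"G" + state).digest()
        new_depth = depth + 1                      # output depends on one more call
        self.max_depth = max(self.max_depth, new_depth)
        next_state = digest[:self.n_bytes]         # n bits fed to the next call
        extra_bit = digest[self.n_bytes] & 1       # the single bit of stretch
        return next_state, extra_bit, new_depth

def stretch(G, seed, s):
    """STEP 2: iterate G s times; output is s bits plus the final n-bit state."""
    state, depth, bits = seed, 0, []
    for _ in range(s):
        # Adaptive query: the input of this call is the output of the previous one.
        state, bit, depth = G(state, depth)
        bits.append(bit)
    return bits, state

def demo(s=64):
    """Returns (stretch in bits, number of calls, adaptivity depth)."""
    G = CountingG()
    seed = bytes(range(16))                        # constructed sample seed, n = 128
    bits, final_state = stretch(G, seed, s)
    gained = len(bits) + 8 * len(final_state) - 8 * len(seed)
    return gained, G.calls, G.max_depth

if __name__ == "__main__":
    print(demo(64))
```

No call in the loop can start before the previous one finishes, so the number of calls and the dependency depth both equal the stretch; the parallel model studied in the talk asks whether that chain can be avoided.
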
Previous Results

- [AIK] Log-depth OWF/PRG $\Rightarrow O(1)$-depth PRG (!!!)
  - However, any stretch $\Rightarrow$ stretch $s = 1$
- [GT] $s$ vs. number $q$ of queries to OWF (Thm: $q \ge s$)
  - [This work] $s$ vs. adaptivity & circuit depth
- […, IN, NR] $O(1)$-depth PRG from specific assumptions
  - [This work] general assumptions
- Context: [V] studies complexity of NW-type PRG

Outline

- Our model
- Our results
- Proof sketch of main negative result
- Other: new negative result on worst-case vs. average-case connections in NP, PH

Our Model of PRG construction

- Parallel PRG $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ from OWF $f$
- [Diagram: Input of length $n$; nonadaptive queries $q_1, q_2, q_3, q_4$ to $f$; constant depth circuit ($\mathrm{AC}^0$) of $\wedge$ and $\vee$ gates; Output, $n+s(n)$ bits]

Our Results on PRG Constructions

- Parallel construction $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ from one-way function $f$ (e.g. $f : \{0,1\}^n \to \{0,1\}^n$), for the cases $f$ arbitrary, $f$ one-to-one, $f$ permutation:
  - Neg.: $s(n) \le o(n)$; ?
  - Pos.: ?; $s(n) \ge 1$

Proof Sketch of Negative Result

- Thm [this work]: Parallel black-box PRG constructions $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ satisfy $s(n) \le o(n)$
- Proof: Exhibit comput.-unbounded $f$, $A$ such that:
  - (1) $A$ breaks $G^f$ when s(n) = (n)
  - (2) $f$ one-way, i.e. hard to invert.
- We show distribution on $f$ s.t. (1) & (2) hold w.h.p.

Def. of $f$ and (1) break $G^f$

- Restriction [FSS, H, …] maps bits to $\{0, 1, *\}$
- Def. distribution on $f$:
  - apply to truth-table of $f$
  - known to adversary $A$
  - replace `*` with random bits
- [Figure: truth-table rows of $f$, labelled $f(0)$ … $f(111)$: rows `01**`, `1*0*`, `1**0` become `0101`, `1100`, `1110`]
- (1) $A$ breaks $G^f$: $\forall$ , $G^f(\ )$ is $\mathrm{AC}^0$ function of truth-table of $f \Rightarrow$ makes $G^f(\ )$ biased $\Rightarrow A$ breaks $G^f(\ )$.
  - If s(n) = (n) can union bound over all .

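
How fixing truth-table bits biases a shallow function of them can be checked by hand on the rows shown on the slide. The following is an added example, not code from the talk: it models one output bit as a depth-2 OR-of-ANDs over truth-table bits (a simplification of general $\mathrm{AC}^0$), assumes the distinguisher knows which bits are fixed, and uses constructed formulas and row indices.

```python
from itertools import product

# Restricted truth-table rows as shown on the slide; the row indices 0..2 are
# constructed labels. '*' marks a bit later replaced by a random bit.
RESTRICTED_ROWS = ["01**", "1*0*", "1**0"]

def restrict_dnf(dnf, rows):
    """dnf: list of terms, each a list of (row, col, wanted_bit) literals.
    Returns 0 or 1 when the fixed bits decide the OR of ANDs, else the live terms."""
    live_terms = []
    for term in dnf:
        remaining = []
        for row, col, wanted in term:
            cell = rows[row][col]
            if cell == "*":
                remaining.append((row, col, wanted))
            elif int(cell) != wanted:
                break                      # a falsified literal kills the term
        else:
            if not remaining:
                return 1                   # a fully satisfied term fixes the output
            live_terms.append(remaining)
    return live_terms if live_terms else 0

def prob_one(dnf, rows):
    """Exact Pr[output = 1] over uniform random bits substituted for '*'."""
    live = restrict_dnf(dnf, rows)
    if isinstance(live, int):
        return float(live)
    free = sorted({(r, c) for term in live for r, c, _ in term})
    hits = 0
    for fill in product((0, 1), repeat=len(free)):
        value = dict(zip(free, fill))
        hits += any(all(value[(r, c)] == w for r, c, w in term) for term in live)
    return hits / 2 ** len(free)

def advantage(dnf, rows):
    """Distance of this output bit from a uniform bit, given knowledge of rows."""
    return abs(prob_one(dnf, rows) - 0.5)

# Constructed output bits of a hypothetical parallel generator (depth 2 only).
BIT_FORCED_ONE = [[(0, 0, 0), (1, 0, 1)]]
BIT_FORCED_ZERO = [[(0, 1, 0)], [(2, 3, 1)]]
BIT_SURVIVOR = [[(0, 2, 1), (1, 1, 1)], [(2, 0, 0)]]
```

Two of the three sample bits are decided by the fixed positions alone, and the third is 1 with probability 1/4 instead of 1/2, which is the kind of bias the distinguisher in step (1) exploits.
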
(2) $f$ one-way

- Problem: $f$ not one-way: leaks info about $x$
  - E.g. $f$ = [truth-table rows: `01**`, `1*0*`, `1***`, `1**0`]: first bit $f(x) = 0 \Rightarrow x$
- Solution: Force many $x$'s to share same restriction
  - Compose $f$ with hash function
  - [Diagram: $f(0)$, $f(111)$, $f(10)$; hash; rows `01**`, `1*0*`, `1**0`, `1***`]
- Many preimages $\Rightarrow f$ one-way
- Low collision prob. $\Rightarrow A$ still breaks $G^f$

Q.E.D.

Our Result on Average Case Complexity

- Question: given $f \in \mathrm{NP}$ worst-case hard ($f \notin \mathrm{P/poly}$), can build $f' \in \mathrm{NP}$ average-case hard? I.e. $\forall$ small circuit $A$: $\Pr_x[A(x) \ne f'(x)] \ge 1/3$
- Thm [V]: no black-box construction of $f'$ using both function $f$ and adversary $A$ as black-box
- Thm [BT]: no construction using $A$ as black-box
  - Also uses $A$ "non-adaptively"
- Thm [this work]: no construction using $f$ as black-box
  - Proof uses pseudorandom restrictions

Conclusion

- Thm [this work]: Parallel black-box construction $G^f : \{0,1\}^n \to \{0,1\}^{n+s(n)}$ satisfy, for the cases $f$ arbitrary, $f$ one-to-one, $f$ permutation:
  - Neg.: $s(n) \le o(n)$; ?
  - Pos.: ?; $s(n) \ge 1$
- Average-case complexity, Thm [this work]: given $f \in \mathrm{NP}$ worst-case hard, no construction of average-case hard $f' \in \mathrm{NP}$ using $f$ as black-box