Simple Constructions from (Almost) Regular One-Way Functions

Abstract

Two of the most useful cryptographic primitives that can be constructed from one-way functions are pseudorandom generators (PRGs) and universal one-way hash functions (UOWHFs). In order to implement them in practice, the efficiency of such constructions must be considered. The three major efficiency measures are: the seed length, the call complexity to the one-way function, and the adaptivity of these calls. Still, the optimal efficiency of these constructions is not yet fully understood: there exist gaps between the known upper bound and the known lower bound for black-box constructions.

A special class of one-way functions called unknown-regular one-way functions is much better understood. Haitner, Harnik and Reingold (CRYPTO 2006) presented a PRG construction with semi-linear seed length and linear number of calls based on a method called randomized iterate. Ames, Gennaro and Venkitasubramaniam (TCC 2012) then gave a construction of UOWHF with similar parameters and using similar ideas. On the other hand, Holenstein and Sinha (FOCS 2012) and Barhum and Holenstein (TCC 2013) showed an almost linear call-complexity lower bound for black-box constructions of PRGs and UOWHFs from one-way functions. Hence Haitner et al. and Ames et al. reached tight constructions (in terms of seed length and the number of calls) of PRGs and UOWHFs from regular one-way functions. These constructions, however, are adaptive.

In this work, we present non-adaptive constructions for both primitives which match the optimal call-complexity given by Holenstein and Sinha and Barhum and Holenstein. Our constructions, besides being simple and non-adaptive, are robust also for almost-regular one-way functions.

N. Mazor—Research supported by Israel Science Foundation grant 666/19 and the Blavatnik Interdisciplinary Cyber Research Center at Tel-Aviv University.

A Missing Proofs

1.1 A.1 Pseudorandom Generator

Lemma A.1

(Lemma 2.6, restated). There exists a PPT algorithm \(\mathsf{P}\) such that the following holds. Let Q be a distribution over \(\left\{ 0,1\right\} ^*\times \left\{ 0,1\right\} ^n\), and let \(\mathsf{D}\) be an algorithm and \(\alpha \in [0,1]\) such that,

$$\begin{aligned} \Pr _{(x,y)\leftarrow Q, z\leftarrow \left\{ 0,1\right\} ^n}\left[ \mathsf{D}(x,z)=1\right] -\Pr _{(x,y)\leftarrow Q}\left[ \mathsf{D}(x,y)=1\right] \ge \alpha . \end{aligned}$$

Then there exists \(i\in [n]\) such that

$$\begin{aligned} \Pr _{(x,y) \leftarrow Q}\left[ \mathsf{P}^{\mathsf{D}}(x,y_{1,\dots ,i-1})= y_i\right] \ge 1/2 + \alpha /n. \end{aligned}$$

Proof

(Proof of Claim 2.6.). Let \(Q, \mathsf{D}\) and \(\alpha \) be as in Claim 2.6. We start by showing that \(\mathsf{D}\) can be used in order to distinguish \(y_{i}\) from uniform bit given \(x,y_{1,\dots , i-1}\) for some index \(i\in [n]\). Later we use this fact in order to predict \(y_i\). Indeed, it holds that

$$\begin{aligned} \alpha&\le \Pr _{(x,y)\leftarrow Q, z\leftarrow \left\{ 0,1\right\} ^n}\left[ \mathsf{D}(x,z)=1\right] - \Pr _{(x,y)\leftarrow Q}\left[ \mathsf{D}(x,y)=1\right] \\&\le \sum _{i=1}^{n} ( \Pr _{(x,y)\leftarrow Q,z\leftarrow \left\{ 0,1\right\} ^n}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},z_{i,\dots , n})=1\right] \\&~~~~~~~~~~~~~-\Pr _{(x,y)\leftarrow Q, z\leftarrow \left\{ 0,1\right\} ^n}\left[ \mathsf{D}(x,y_{1,\dots ,i},z_{i+1,\dots , n})=1\right] ), \end{aligned}$$

and thus there exists \(i \in [n]\) such that

$$\begin{aligned} \epsilon&:=\Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ b\leftarrow \left\{ 0,1\right\} \\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},b,z)=1\right] -\Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},y_{i},z)=1\right] \nonumber \\&\ge \alpha /n, \end{aligned}$$

(12)

as we wanted to show. We now describe the predictor \(\mathsf{P}\). Consider the following algortihm.

We next show that the probability that \(\mathsf{P}\) outputs \(y_i\) is at least \(1/2 + \alpha /n\).

Let \(p:=\Pr _{\begin{array}{c} (x,y)\leftarrow Q, z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},y_{i},z)=1\right] \). It holds that

$$\begin{aligned} p+\epsilon&=\Pr _{\begin{array}{c} (x,y)\leftarrow Q, b\leftarrow \left\{ 0,1\right\} \\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},b,z)=1\right] \\&= 1/2\cdot (\Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},y_{i},z)=1\right] \\&~~~~~~~~~~~~~~~+ \Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},1-y_{i},z)=1\right] )\\&= 1/2\cdot (p+\Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},1-y_{i},z)=1\right] )). \end{aligned}$$

Thus, \(\Pr _{\begin{array}{c} (x,y)\leftarrow Q, z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},1-y_{i},z)=1\right] = p+2\epsilon \). Continue, the probability that \(\mathsf{P}\) outputs \(y_i\) is given by

$$\begin{aligned}&\Pr _{b \leftarrow \left\{ 0,1\right\} ^n}\left[ b =y_i\right] \cdot (1- p)+\Pr _{b \leftarrow \left\{ 0,1\right\} ^n}\left[ b =1-y_i\right] \\&~~~~~~~~~~\cdot \Pr _{\begin{array}{c} (x,y)\leftarrow Q,\\ z\leftarrow \left\{ 0,1\right\} ^{n-i} \end{array}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},1-y_{i},z)=1\right] \\&= 1/2\cdot (1-p) + 1/2 \cdot (p+2\epsilon )\\&= 1/2 + \epsilon \\&\ge 1/2 + \alpha /n \end{aligned}$$

as needed.

1.2 A.2 Universal Hash Families

Lemma A.3

(Lemma 2.13, restated). For every \(\ell ,n \in {\mathbb {N}}\) such that \(\ell \le n\), the family \(\left\{ m :m\in \left\{ 0,1\right\} ^{n\times \ell }\right\} \) is approximately-flat.

Proof

(Proof of Lemma 2.13). Fix \(\mathcal {Y},x_1,x_2\) and \(y_1\) as in Definition 2.12. We want to show that

$$\begin{aligned} \Pr _{M \leftarrow \left\{ 0,1\right\} ^{2n\times \ell }}\left[ \exists y_2\in \mathcal {Y}\text { s.t. } M(x_1,y_1)= M(x_2,y_2)\right] \ge 2^{-10}\cdot \min \left\{ \left| \mathcal {Y}\right| \cdot 2^{-\ell }, 1\right\} . \end{aligned}$$

We first assume that \(x_1\ne x_2\), as otherwise the lemma holds trivially. Next, we observe that M can be written as \(M_\mathcal {X}\in \left\{ 0,1\right\} ^{n\times \ell }\) and \(M_\mathcal {Y}\in \left\{ 0,1\right\} ^{n\times \ell }\), such that for every vectors \(x,y\in \left\{ 0,1\right\} ^n\) it holds that

$$\begin{aligned}&M(x,y) = (x \cdot M_\mathcal {X}) \oplus (y \cdot M_{\mathcal {Y}}). \end{aligned}$$

(13)

We want to bound the probability that there exists \(y_2\in \mathcal {Y}\) such that \(M(x_1,y_1)= M(x_2,y_2)\), or equivalently,

$$\begin{aligned}&(x_1 \oplus x_2) \cdot M_\mathcal {X}= (y_2 \oplus y_1) \cdot M_\mathcal {Y}. \end{aligned}$$

(14)

Since \(x_1 \ne x_2\), it holds that \((x_1 \oplus x_2)\cdot M_\mathcal {X}\) is a uniform element in \(\left\{ 0,1\right\} ^{\ell }\). Thus, we are interested in lower bounding the probability

$$\begin{aligned}&\Pr _{M_\mathcal {Y}\leftarrow \left\{ 0,1\right\} ^{n\times \ell }, z' \leftarrow \left\{ 0,1\right\} ^{\ell }}\left[ \exists y_2\in \mathcal {Y}\text { s.t. } z'= (y_2\oplus y_1)\cdot M_\mathcal {Y}\right] \\&= \Pr _{M_\mathcal {Y}\leftarrow \left\{ 0,1\right\} ^{n\times \ell }, z \leftarrow \left\{ 0,1\right\} ^{\ell }}\left[ \exists y_2\in \mathcal {Y}\text { s.t. } z= y_2\cdot M_\mathcal {Y}\right] \end{aligned}$$

where the equality holds since \(z:=z' \oplus y_1\cdot M_{\mathcal {Y}}\) is a uniform element in \(\left\{ 0,1\right\} ^\ell \) which is independent from \(M_{\mathcal {Y}}\). In the following we show that with probability at least 1/2 over the choice of \(M_\mathcal {Y}\), the size of the set \( \mathcal {Y}\cdot M_\mathcal {Y}= \left\{ y\cdot M_\mathcal {Y}:y\in \mathcal {Y}\right\} \) is at least \(\min \left\{ |\mathcal {Y}|/2,2^\ell /32\right\} \), from which the lemma follows.

To see the above, first notice that for every vector \(v\in \left\{ 0,1\right\} ^n\) with \(v\ne 0\), it holds that \( \Pr _{M_\mathcal {Y}}\left[ v \cdot M_\mathcal {Y}=0\right] = 2^{-\ell } \), and thus,

$$\begin{aligned}&{\text {*}}{E}_{M_\mathcal {Y}}\left[ \left| \left\{ y_1\ne y_2\in \mathcal {Y}:y_1\cdot M_\mathcal {Y}=y_2 \cdot M_\mathcal {Y}\right\} \right| \right] \\&={\text {*}}{E}_{M_\mathcal {Y}}\left[ \left| \left\{ y_1\ne y_2\in \mathcal {Y}:(y_1\oplus y_2)\cdot M_\mathcal {Y}=0\right\} \right| \right] \\&\le \left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }. \end{aligned}$$

By Markov inequality, we get that with probability at least 1/2 over the choice of \(M_\mathcal {Y}\), it holds that

$$\begin{aligned}&\left| \left\{ y_1\ne y_2\in \mathcal {Y}:y_1\cdot M_\mathcal {Y}=y_2 \cdot M_\mathcal {Y}\right\} \right| \le 2\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }. \end{aligned}$$

(15)

In the following we show that for every matrix \(M_\mathcal {Y}\) for which Eq. (15) holds, it holds that \(\mathcal {Y}\cdot M_\mathcal {Y}\ge \min \left\{ |\mathcal {Y}|/2,2^\ell /32\right\} \).

Indeed, consider a graph \({\mathcal {G}}\), in which the set of vertices is \(\mathcal {Y}\), and the set of edges E is the set \(\left\{ y_1\ne y_2\in \mathcal {Y}:y_1\cdot M_\mathcal {Y}=y_2 \cdot M_\mathcal {Y}\right\} \). By assumption, \(\left| E\right| \le 2\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }\). Furthermore, it is not hard to see that \({\mathcal {G}}\) is composed of disjoint cliques, and that the number of connected components in \({\mathcal {G}}\) is exactly the size of \( \mathcal {Y}\cdot M_{\mathcal {Y}}\). To bound the number of connected components of \({\mathcal {G}}\), we first assume that \({\mathcal {G}}\) has no more than \(|\mathcal {Y}|/2\) isolated vertices, as otherwise the bound trivially follows. We start with removing the isolated vertices from \({\mathcal {G}}\), to get a graph with at least \(|\mathcal {Y}|/2\) vertices and at most \(2\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }\) edges. Let k be the number of connected components in the graph, and let \(c_1,\dots , c_k\) be the number of vertices in each component. Since \(c_i > 1\) for every i, the number of edges in the i-th component is larger than \(c_i^2/4\). By Cauchy–Schwarz inequality,

$$\begin{aligned} (\left| \mathcal {Y}\right| /2)^2 \le (\sum _{i\in [k]} c_i)^2 \le k \cdot \sum _{i\in [k]} c_i^2 \le 4k \left| E\right| \le 8k\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }, \end{aligned}$$

which implies that \(k \ge 2^{\ell }/32\), and the lemma follows.