Abstract
Two of the most useful cryptographic primitives that can be constructed from one-way functions are pseudorandom generators (PRGs) and universal one-way hash functions (UOWHFs). In order to implement them in practice, the efficiency of such constructions must be considered. The three major efficiency measures are: the seed length, the call complexity to the one-way function, and the adaptivity of these calls. Still, the optimal efficiency of these constructions is not yet fully understood: there exist gaps between the known upper bound and the known lower bound for black-box constructions.
A special class of one-way functions called unknown-regular one-way functions is much better understood. Haitner, Harnik and Reingold (CRYPTO 2006) presented a PRG construction with semi-linear seed length and linear number of calls based on a method called randomized iterate. Ames, Gennaro and Venkitasubramaniam (TCC 2012) then gave a construction of UOWHF with similar parameters and using similar ideas. On the other hand, Holenstein and Sinha (FOCS 2012) and Barhum and Holenstein (TCC 2013) showed an almost linear call-complexity lower bound for black-box constructions of PRGs and UOWHFs from one-way functions. Hence Haitner et al. and Ames et al. reached tight constructions (in terms of seed length and the number of calls) of PRGs and UOWHFs from regular one-way functions. These constructions, however, are adaptive.
In this work, we present non-adaptive constructions for both primitives which match the optimal call-complexity given by Holenstein and Sinha and Barhum and Holenstein. Our constructions, besides being simple and non-adaptive, are also robust for almost-regular one-way functions.
N. Mazor—Research supported by Israel Science Foundation grant 666/19 and the Blavatnik Interdisciplinary Cyber Research Center at Tel-Aviv University.
Notes
1. For a one-way function f and pairwise independent hash functions \(h_1,\dots ,h_k\), the k-th randomized iteration of f is \(f\circ h_k \circ \dots \circ f\circ h_1 \circ f\).
2. We ignore low order terms for this introduction.
3. By [17], \(\varOmega (n)\) calls are necessary for any black-box construction. Since for non-adaptive constructions uniformly random calls seem to be the only reasonable way to use the one-way function, such a construction needs at least \(\varOmega (n^2)\) input bits. We admit it is only a vague explanation.
4. The assumption that f is length-preserving is made for simplicity, and is not crucial for our constructions.
5. For this reason we need to output the last input \(x_t\) in our UOWHF construction.
6. Actually, we need to show that the function g is hard to invert on outputs sampled from a specific distribution. This is sufficient for applying the Goldreich-Levin theorem, see Lemma 2.5.
7. Such a "collision based" argument was also used in [2].
8. By taking \(\mathcal {H}= \left\{ h_m :m \in \left\{ 0,1\right\} ^{2n\times ( \log ^2 n + \log n)}, h\in {\mathcal {G}}\right\} \), where \({\mathcal {G}}=\left\{ g :\left\{ 0,1\right\} ^{2n} \rightarrow \left\{ 0,1\right\} ^{n-\log ^2 n}\right\} \) is an arbitrary 2-universal family and \(h_m(z):=h(z)\circ m(z)\), the seed length can be reduced to \(O(n\cdot t)\).
9. Note that if \(i\le n-\omega (\log n)\) there is no need for GL. Indeed, by the leftover hash lemma, the first bits of h are statistically close to uniform.
10. Any approximately-flat, constructible, and 2-universal hash family will suffice. Such a family with a smaller size, if one exists, can be used in order to reduce the key length to \(O(n \cdot t)\).
References
Agrawal, R., Chen, Y.-H., Horel, T., Vadhan, S.: Unifying computational entropies via Kullback–Leibler divergence. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11693, pp. 831–858. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26951-7_28
Ames, S., Gennaro, R., Venkitasubramaniam, M.: The generalized randomized iterate and its application to new efficient constructions of UOWHFs from regular one-way functions. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 154–171. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_11
Barhum, K., Holenstein, T.: A cookbook for black-box separations and a recipe for UOWHFs. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 662–679. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36594-2_37
Barhum, K., Maurer, U.: UOWHFs from OWFs: trading regularity for efficiency. In: Hevia, A., Neven, G. (eds.) LATINCRYPT 2012. LNCS, vol. 7533, pp. 234–253. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-33481-8_13
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudorandom bits. SIAM J. Comput. 13(4), 850–864 (1984)
Gennaro, R., Gertner, Y., Katz, J., Trevisan, L.: Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
Goldreich, O., Impagliazzo, R., Levin, L., Venkatesan, R., Zuckerman, D.: Security preserving amplification of hardness. In: Proceedings [1990] 31st Annual Symposium on Foundations of Computer Science, pp. 318–326. IEEE (1990)
Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 25–32 (1989)
Haitner, I., Harnik, D., Reingold, O.: Efficient pseudorandom generators from exponentially hard one-way functions. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 228–239. Springer, Heidelberg (2006). https://doi.org/10.1007/11787006_20
Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 22–40. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_2
Haitner, I., Holenstein, T., Reingold, O., Vadhan, S., Wee, H.: Universal one-way hash functions via inaccessible entropy. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 616–637. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_31
Haitner, I., Reingold, O., Vadhan, S.: Efficiency improvements in constructing pseudorandom generators from one-way functions. SIAM J. Comput. 42(3), 1405–1430 (2013)
Haitner, I., Reingold, O., Vadhan, S., Wee, H.: Inaccessible entropy. In: Proceedings of the Forty-First Annual ACM Symposium on Theory of Computing, pp. 611–620 (2009)
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Holenstein, T.: Pseudorandom generators from one-way functions: a simple construction for any hardness. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 443–461. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_23
Holenstein, T., Sinha, M.: Constructing a pseudorandom generator requires an almost linear number of calls. In: 2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, pp. 698–707. IEEE (2012)
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudo-random generation from one-way functions. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 12–24 (1989)
Naor, M., Yung, M.: Universal one-way hash functions and their cryptographic applications. In: Proceedings of the Twenty-First Annual ACM Symposium on Theory of Computing, pp. 33–43 (1989)
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the Twenty-Second Annual ACM Symposium on Theory of Computing, pp. 387–394 (1990)
Vadhan, S., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: Proceedings of the Forty-Fourth Annual ACM Symposium on Theory of Computing, pp. 817–836 (2012)
Yao, A.C.: Theory and application of trapdoor functions. In: 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982), pp. 80–91. IEEE (1982)
Yu, Y., Gu, D., Li, X., Weng, J.: (Almost) optimal constructions of UOWHFs from 1-to-1, regular one-way functions and beyond. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 209–229. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-48000-7_11
Yu, Y., Gu, D., Li, X., Weng, J.: The randomized iterate, revisited: almost linear seed length PRGs from a broader class of one-way functions. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 7–35. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46494-6_2
Yu, Y., Li, X., Weng, J.: Pseudorandom generators from regular one-way functions: new constructions with improved parameters. Theor. Comput. Sci. 569, 58–69 (2015)
Acknowledgement
We are thankful to Iftach Haitner and Salil Vadhan for very useful discussions. We also thank the anonymous reviewers for their comments.
A Missing Proofs
A.1 Pseudorandom Generator
Lemma A.1
(Lemma 2.6, restated). There exists a PPT algorithm \(\mathsf{P}\) such that the following holds. Let Q be a distribution over \(\left\{ 0,1\right\} ^*\times \left\{ 0,1\right\} ^n\), and let \(\mathsf{D}\) be an algorithm and \(\alpha \in [0,1]\) such that,
Then there exists \(i\in [n]\) such that
Proof
(Proof of Claim 2.6). Let \(Q, \mathsf{D}\) and \(\alpha \) be as in Claim 2.6. We start by showing that \(\mathsf{D}\) can be used in order to distinguish \(y_{i}\) from a uniform bit given \(x,y_{1,\dots , i-1}\) for some index \(i\in [n]\). Later we use this fact in order to predict \(y_i\). Indeed, it holds that
and thus there exists \(i \in [n]\) such that
as we wanted to show. We now describe the predictor \(\mathsf{P}\). Consider the following algorithm.
We next show that the probability that \(\mathsf{P}\) outputs \(y_i\) is at least \(1/2 + \alpha /n\).
Let \(p:=\Pr _{(x,y)\leftarrow Q,\, z\leftarrow \left\{ 0,1\right\} ^{n-i}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},y_{i},z)=1\right] \). It holds that
Thus, \(\Pr _{(x,y)\leftarrow Q,\, z\leftarrow \left\{ 0,1\right\} ^{n-i}}\left[ \mathsf{D}(x,y_{1,\dots ,i-1},1-y_{i},z)=1\right] = p+2\epsilon \). Continuing, the probability that \(\mathsf{P}\) outputs \(y_i\) is given by
as needed.
A.2 Universal Hash Families
Lemma A.3
(Lemma 2.13, restated). For every \(\ell ,n \in {\mathbb {N}}\) such that \(\ell \le n\), the family \(\left\{ m :m\in \left\{ 0,1\right\} ^{n\times \ell }\right\} \) is approximately-flat.
Proof
(Proof of Lemma 2.13). Fix \(\mathcal {Y},x_1,x_2\) and \(y_1\) as in Definition 2.12. We want to show that
We first assume that \(x_1\ne x_2\), as otherwise the lemma holds trivially. Next, we observe that M can be written as \(M_\mathcal {X}\in \left\{ 0,1\right\} ^{n\times \ell }\) and \(M_\mathcal {Y}\in \left\{ 0,1\right\} ^{n\times \ell }\), such that for all vectors \(x,y\in \left\{ 0,1\right\} ^n\) it holds that
We want to bound the probability that there exists \(y_2\in \mathcal {Y}\) such that \(M(x_1,y_1)= M(x_2,y_2)\), or equivalently,
Since \(x_1 \ne x_2\), it holds that \((x_1 \oplus x_2)\cdot M_\mathcal {X}\) is a uniform element in \(\left\{ 0,1\right\} ^{\ell }\). Thus, we are interested in lower bounding the probability
where the equality holds since \(z:=z' \oplus y_1\cdot M_{\mathcal {Y}}\) is a uniform element in \(\left\{ 0,1\right\} ^\ell \) which is independent of \(M_{\mathcal {Y}}\). In the following we show that with probability at least 1/2 over the choice of \(M_\mathcal {Y}\), the size of the set \( \mathcal {Y}\cdot M_\mathcal {Y}= \left\{ y\cdot M_\mathcal {Y}:y\in \mathcal {Y}\right\} \) is at least \(\min \left\{ |\mathcal {Y}|/2,2^\ell /32\right\} \), from which the lemma follows.
To see the above, first notice that for every vector \(v\in \left\{ 0,1\right\} ^n\) with \(v\ne 0\), it holds that \( \Pr _{M_\mathcal {Y}}\left[ v \cdot M_\mathcal {Y}=0\right] = 2^{-\ell } \), and thus,
By Markov's inequality, we get that with probability at least 1/2 over the choice of \(M_\mathcal {Y}\), it holds that
In the following we show that for every matrix \(M_\mathcal {Y}\) for which Eq. (15) holds, it holds that \(\left| \mathcal {Y}\cdot M_\mathcal {Y}\right| \ge \min \left\{ |\mathcal {Y}|/2,2^\ell /32\right\} \).
Indeed, consider a graph \({\mathcal {G}}\), in which the set of vertices is \(\mathcal {Y}\), and the set of edges E is the set \(\left\{ y_1\ne y_2\in \mathcal {Y}:y_1\cdot M_\mathcal {Y}=y_2 \cdot M_\mathcal {Y}\right\} \). By assumption, \(\left| E\right| \le 2\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }\). Furthermore, it is not hard to see that \({\mathcal {G}}\) is composed of disjoint cliques, and that the number of connected components in \({\mathcal {G}}\) is exactly the size of \( \mathcal {Y}\cdot M_{\mathcal {Y}}\). To bound the number of connected components of \({\mathcal {G}}\), we first assume that \({\mathcal {G}}\) has no more than \(|\mathcal {Y}|/2\) isolated vertices, as otherwise the bound trivially follows. We start by removing the isolated vertices from \({\mathcal {G}}\), to get a graph with at least \(|\mathcal {Y}|/2\) vertices and at most \(2\left| \mathcal {Y}\right| ^2\cdot 2^{-\ell }\) edges. Let k be the number of connected components in the graph, and let \(c_1,\dots , c_k\) be the number of vertices in each component. Since \(c_i > 1\) for every i, the number of edges in the i-th component is larger than \(c_i^2/4\). By the Cauchy–Schwarz inequality,
which implies that \(k \ge 2^{\ell }/32\), and the lemma follows.
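The following Python script is an added illustration of the combinatorial part of the proof of Lemma A.3 above; it is not code from the paper. It represents the GF(2) linear hash family \(\left\{ m : m\in \left\{ 0,1\right\} ^{n\times \ell }\right\} \) as lists of row integers, samples random matrices \(M_\mathcal {Y}\), and checks three facts used in the proof: that \(\Pr [v\cdot M_\mathcal {Y}=0]=2^{-\ell }\) for a fixed nonzero v, that the number of distinct images \(|\mathcal {Y}\cdot M_\mathcal {Y}|\) equals the number of cliques in the collision graph, and that whenever the Markov condition \(|E| \le 2|\mathcal {Y}|^2 2^{-\ell }\) (Eq. (15)) holds the image has size at least \(\min \left\{ |\mathcal {Y}|/2, 2^\ell /32\right\} \). The set \(\mathcal {Y}\), the parameters and the random seeds are constructed for the demo; E is counted as ordered pairs, matching the set notation in the proof.

```python
"""Added example (not from the paper): sanity-checking the Lemma A.3 argument
for the GF(2) linear hash family {m : m in {0,1}^{n x l}}.

A vector y in {0,1}^n is a Python int whose bit j is coordinate j; a matrix
M_Y in {0,1}^{n x l} is a list of n row ints, each l bits wide.  Then
    y . M_Y  =  XOR of the rows M_Y[j] with y_j = 1        (over GF(2)).
"""
import random


def apply_matrix(y: int, rows: list[int]) -> int:
    """Row vector times matrix over GF(2): XOR the rows selected by the bits of y."""
    acc = 0
    for j, row in enumerate(rows):
        if (y >> j) & 1:
            acc ^= row
    return acc


def random_matrix(n: int, ell: int, rng: random.Random) -> list[int]:
    """Uniformly random n x ell binary matrix (one int per row)."""
    return [rng.getrandbits(ell) for _ in range(n)]


def image_size(ys, rows) -> int:
    """|Y . M_Y| = number of distinct images of the set Y."""
    return len({apply_matrix(y, rows) for y in ys})


def collision_edges(ys, rows) -> int:
    """|E| of the collision graph: ordered pairs y1 != y2 with y1.M_Y == y2.M_Y.
    Every bucket of c elements that share an image is a clique of c*(c-1) ordered
    pairs, so the number of buckets (cliques) equals image_size(ys, rows)."""
    buckets: dict[int, int] = {}
    for y in ys:
        h = apply_matrix(y, rows)
        buckets[h] = buckets.get(h, 0) + 1
    return sum(c * (c - 1) for c in buckets.values())


def eq15_holds(ys, rows, ell: int) -> bool:
    """The Markov event of the proof: |E| <= 2 |Y|^2 2^{-ell}."""
    return collision_edges(ys, rows) <= 2 * len(ys) ** 2 / 2 ** ell


def image_lower_bound(num_y: int, ell: int) -> float:
    """min{|Y|/2, 2^ell/32}, the bound the lemma proves under Eq. (15)."""
    return min(num_y / 2, 2 ** ell / 32)


def lemma_respected(ys, rows, ell: int) -> bool:
    """Eq.(15) => |Y.M_Y| >= min{|Y|/2, 2^ell/32}; vacuously true when Eq.(15) fails."""
    if not eq15_holds(ys, rows, ell):
        return True
    return image_size(ys, rows) >= image_lower_bound(len(ys), ell)


def run_trials(n: int, ell: int, num_y: int, trials: int, seed: int = 1):
    """Sample a constructed set Y of num_y distinct vectors and `trials` random
    matrices.  Returns (fraction of matrices satisfying Eq.(15),
    whether the lemma's implication held on every matrix).  The proof guarantees
    the first is at least 1/2 (Markov) and the second is always True."""
    rng = random.Random(seed)
    ys = rng.sample(range(2 ** n), num_y)  # constructed subset Y of {0,1}^n
    eq15_count = 0
    all_ok = True
    for _ in range(trials):
        rows = random_matrix(n, ell, rng)
        eq15_count += eq15_holds(ys, rows, ell)
        all_ok = all_ok and lemma_respected(ys, rows, ell)
    return eq15_count / trials, all_ok


def zero_probability(n: int, ell: int, v: int, trials: int, seed: int = 2) -> float:
    """Empirical Pr_{M_Y}[v . M_Y = 0] for a fixed nonzero v; the proof uses 2^{-ell}."""
    rng = random.Random(seed)
    zeros = sum(apply_matrix(v, random_matrix(n, ell, rng)) == 0 for _ in range(trials))
    return zeros / trials


if __name__ == "__main__":
    frac, ok = run_trials(n=12, ell=10, num_y=200, trials=200)
    print(f"Eq.(15) held in {frac:.0%} of trials (Markov guarantees >= 50%)")
    print(f"lower bound min(|Y|/2, 2^l/32) respected whenever Eq.(15) held: {ok}")
    print(f"Pr[v.M=0] ~ {zero_probability(8, 4, 0b1011, 4000):.4f} (expect 1/16 = 0.0625)")
```

Because each row of \(M_\mathcal {Y}\) is uniform, \(v\cdot M_\mathcal {Y}\) for a nonzero v is the XOR of at least one uniform row and hence uniform in \(\left\{ 0,1\right\} ^\ell \); that is the only property of the family the collision count relies on, which is why the lemma extends to any family with the same pairwise behaviour.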
© 2021 International Association for Cryptologic Research
Mazor, N., Zhang, J. (2021). Simple Constructions from (Almost) Regular One-Way Functions. In: Nissim, K., Waters, B. (eds) Theory of Cryptography. TCC 2021. Lecture Notes in Computer Science(), vol 13043. Springer, Cham. https://doi.org/10.1007/978-3-030-90453-1_16
Print ISBN: 978-3-030-90452-4
Online ISBN: 978-3-030-90453-1