Abstract
A central result in the theory of Cryptography, by Håstad, Impagliazzo, Luby and Levin [SICOMP’99], demonstrates that the existence of one-way functions (OWFs) implies the existence of pseudo-random generators (PRGs). Despite the fundamental importance of this result, and several elegant improvements/simplifications, analyses of constructions of PRGs from OWFs remain complex (both conceptually and technically).
Our goal is to provide a construction of a PRG from OWFs with a simple proof of security; we thus focus on the setting of non-uniform security (i.e., we start off with an OWF secure against non-uniform PPT, and we aim to get a PRG secure against non-uniform PPT).
Our main result is a construction of a PRG from OWFs with a self-contained, simple proof of security, relying only on the Goldreich-Levin Theorem (and the Chernoff bound). Although our main goal is simplicity, the construction, and a variant thereof, also improves the efficiency—in terms of invocations and seed lengths—of the state-of-the-art constructions due to [Haitner-Reingold-Vadhan, STOC’10] and [Vadhan-Zheng, STOC’12], by a factor \(O(\log ^2 n)\).
The key novelty in our analysis is a generalization of the Blum-Micali [FOCS’82] notion of unpredictability—rather than requiring that every bit in the output of a function is unpredictable, we count how many unpredictable bits a function has, and we show that any OWF on n input bits (after hashing the input and the output) has \(n+O(\log n)\) unpredictable output bits. Such unpredictable bits can next be “extracted” into a pseudorandom string using standard techniques.
N. Mazor—Part of this work was done while at Tel Aviv University and while visiting the Simons Institute. Research partly supported by Israel Science Foundation grant 666/19, NSF CNS-2149305 and NSF CNS-2128519.
R. Pass—Part of this work was done while visiting the Simons Institute. Supported in part by NSF Award CNS 2149305, NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This material is based upon work supported by DARPA under Agreement No. HR00110C0086. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or DARPA.
Notes
1. More formally, for any function \(q(n)=\omega (n^3)\), there exists a construction of a PRG from OWFs that uses q calls. HRV [HRV13] state their result with an additional \(\log n\) factor in both the seed length and the number of calls. However, the improved parameters can be easily deduced from their main theorem.
2. As an additional didactic contribution, we show that this simple form of the LHL follows as a direct corollary of the GL-theorem; while this observation may already be folklore, as far as we know, it has not been explicitly stated anywhere (beyond the case of extracting 1, or \(O(\log n)\), bits).
3. We note that this step differs from the next-bit pseudo-entropy generator of HRV, where H is only applied to x and not to f(x); this is the crucial difference that allows us to get unpredictability as opposed to next-bit pseudo-entropy. Additionally, we note that HRV has to work with a specially constructed hash function H (based on the concatenation of a Reed-Solomon code and the Hadamard code); Haitner and Vadhan [HV17] showed how to just use the standard GL predicate, but this gave a final PRG construction with significantly worse parameters. Finally, Vadhan and Zheng [VZ12] show how to analyze also the construction without any hash function (achieving the same parameters as HRV), but this requires a much more complicated proof.
4. Formally, \(r=r(n)\) is a function of the input length n, and we here require the density condition to hold for all \(n \in N\).
5. In this step we save a \(\log ^2 n\) factor over HRV. The reason is that we apply the Chernoff bound to a random variable that can only take zero-one values, while HRV consider the sample entropy of the next bit, which can take larger values.
6. That is, for every n for which E distinguishes \(g_{M_n}(X_n)_{\le i_n}\) from \((g_{M_n}(X_n)_{< i_n},U)\) given \(i_n\in \mathcal{S}(X^n)\), we define \(r^*(n)\) as described, and for all other n’s we define \(r^*(n)\) arbitrarily such that \({\textrm{Pr}}\left[ D_f(X_n)=r^*(n)\right] \) is noticeable.
References
Blum, M., Micali, S.: How to generate cryptographically strong sequences of pseudo random bits. In: Annual Symposium on Foundations of Computer Science (FOCS), pp. 112–117 (1982)
Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions (extended abstract). In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_22
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing (STOC), pp. 25–32 (1989)
Goldwasser, S., Micali, S.: Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing (STOC), pp. 218–229 (1987)
Haitner, I., Harnik, D., Reingold, O.: On the power of the randomized iterate. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 22–40. Springer, Heidelberg (2006). https://doi.org/10.1007/11818175_2
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
Holenstein, T.: Pseudorandom generators from one-way functions: a simple construction for any hardness. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 443–461. Springer, Heidelberg (2006). https://doi.org/10.1007/11681878_23
Holenstein, T.: Strengthening key agreement using hard-core sets. Ph.D. thesis, ETH Zurich (2006)
Haitner, I., Reingold, O., Vadhan, S.: Efficiency improvements in constructing pseudorandom generators from one-way functions. SIAM J. Comput. 42(3), 1405–1430 (2013)
Haitner, I., Reingold, O., Vadhan, S., Wee, H.: Inaccessible entropy. In: Proceedings of the 41st Annual ACM Symposium on Theory of Computing (STOC), pp. 611–620 (2009)
Haitner, I., Vadhan, S.: The many entropies in one-way functions. In: Tutorials on the Foundations of Cryptography. ISC, pp. 159–217. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57048-8_4
Impagliazzo, R., Levin, L.A., Luby, M.: Pseudorandom generation from one-way functions. In: Annual ACM Symposium on Theory of Computing (STOC), pp. 12–24 (1989)
Naor, M.: Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
Shamir, A.: On the generation of cryptographically strong pseudorandom sequences. ACM Trans. Comput. Syst. (TOCS) 1(1), 38–44 (1983)
Vadhan, S., Zheng, C.J.: Characterizing pseudoentropy and simplifying pseudorandom generator constructions. In: Annual ACM Symposium on Theory of Computing (STOC), pp. 817–836 (2012)
Yao, A.C.: Theory and applications of trapdoor functions. In: Annual Symposium on Foundations of Computer Science (FOCS), pp. 80–91 (1982)
© 2023 International Association for Cryptologic Research
Cite this paper
Mazor, N., Pass, R. (2023). Counting Unpredictable Bits: A Simple PRG from One-Way Functions. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14369. Springer, Cham. https://doi.org/10.1007/978-3-031-48615-9_7
DOI: https://doi.org/10.1007/978-3-031-48615-9_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48614-2
Online ISBN: 978-3-031-48615-9