
1 Introduction

Learning Parity with Noise. The computational version of learning parity with noise (LPN) assumption with parameters \(n\in \mathbb {N}\) (length of secret), \(q\in \mathbb {N}\) (number of queries) and \(0<\mu <1/2\) (noise rate) postulates that it is computationally infeasible to recover the n-bit secret \(s\in \{0, 1\}^{n} \) given \((a\cdot {s}\oplus {e},~a)\), where a is a random \(q{\times }n\) matrix, e follows \(\mathsf {Ber}_\mu ^q\), \(\mathsf {Ber}_\mu \) denotes the Bernoulli distribution with parameter \(\mu \) (i.e., \(\Pr [\mathsf {Ber}_\mu =1]=\mu \) and \(\Pr [\mathsf {Ber}_\mu =0]=1-\mu \)), ‘\(\cdot \)’ denotes matrix vector multiplication over GF(2) and ‘\(\oplus \)’ denotes bitwise XOR. The decisional version of LPN simply assumes that \(a\cdot {s}\oplus {e}\) is pseudorandom (i.e., computationally indistinguishable from uniform randomness) given a. The two versions are polynomially equivalent [5, 12, 36].

Hardness of LPN. The computational LPN problem represents a well-known NP-complete problem “decoding random linear codes” [9] and thus its worst-case hardness is well studied. LPN was also extensively studied in learning theory, and it was shown in [24] that an efficient algorithm for LPN would make it possible to learn several important function classes such as 2-DNF formulas, juntas, and any function with a sparse Fourier spectrum. Under a constant noise rate (i.e., \(\mu =\varTheta (1)\)), the best known LPN solvers [13, 40] require time and query complexity both \(2^{O(n/\log {n})}\). The time complexity goes up to \(2^{O(n/\log \log {n})}\) when restricted to \(q=\mathsf {poly}(n)\) queries [42], or even \(2^{O(n)}\) given only \(q=O(n)\) queries [45]. Under low noise rate \(\mu =n^{-c}\) (\(0<c<1\)), the security of LPN is less well understood: on the one hand, for \(q=n+O(1)\) we can already do efficient distinguishing attacks with advantage \(2^{-O(n^{1-c})}\) that match the statistical distance between the LPN samples and uniform randomness (see Remark 2); on the other hand, for (even super-)polynomial q the best known attacks [7, 11, 15, 39, 54] are not asymptotically better, i.e., still at the order of \(2^{\varTheta (n^{1-c})}\). We mention that LPN does not succumb to known quantum algorithms, which makes it a promising candidate for “post-quantum cryptography”. Furthermore, LPN also enjoys simplicity and is more suited for weak-power devices (e.g., RFID tags) than other quantum-secure candidates such as LWE [52].

LPN-based Cryptographic Applications. LPN was used as a basis for building lightweight authentication schemes against passive [31] and even active adversaries [35, 36] (see [1] for a more complete literature). Recently, Kiltz et al. [38] and Dodis et al. [20] constructed randomized MACs based on the hardness of LPN, which implies a two-round authentication scheme with man-in-the-middle security. Lyubashevsky and Masny [43] gave a more efficient three-round authentication scheme from LPN (without going through the MAC transformation) and recently Cash, Kiltz, and Tessaro [16] reduced the round complexity to 2 rounds. Applebaum et al. [4] showed how to construct a linear-stretch pseudorandom generator (PRG) from LPN. We mention other less relevant applications such as public-key encryption schemes [3, 22, 37], oblivious transfer [19], commitment schemes and zero-knowledge proofs [33], and refer to a recent survey [49] on the current state of the art on LPN.

Does LPN imply low-depth PRFs? Pseudorandom functions (PRFs) play a central role in symmetric cryptography. While in principle PRFs can be obtained via a generic transform from any one-way function [26, 29], these constructions are inherently sequential and too inefficient to compete with practical instantiations (e.g., the AES block cipher) built from scratch. Motivated by this, Naor, Reingold [46] and Rosen [47] gave direct constructions of PRFs from concrete number-theoretic assumptions (such as decision Diffie-Hellman, RSA, and factoring), which can be computed by low-depth circuits in NC\(^2\) or even TC\(^0\). However, these constructions mainly established the feasibility result and are far from practical as they require extensive preprocessing and many exponentiations in large multiplicative groups. Banerjee, Peikert, and Rosen [6] constructed relatively more efficient PRFs in NC\(^1\) and TC\(^0\) based on the “learning with errors” (LWE) assumption. More specifically, they observed that LWE for a certain range of parameters implies a deterministic variant which they call “learning with rounding” (LWR), and that LWR in turn gives rise to pseudorandom synthesizers [46], a useful tool for building low-depth PRFs. Although LWE generalizes LPN, the derandomization technique used for LWE [6] does not seem to apply to LPN, and thus it is an interesting open problem whether low-depth PRFs can be based on (even a low-noise variant of) LPN (see a discussion in [49, Footnote 18]). In fact, we don’t even know how to build low-depth weak PRFs from LPN. Applebaum [4] observed that LPN implies “weak randomized pseudorandom functions”, which require independent secret coins on every function evaluation, and Akavia et al. [2] obtained weak PRFs in “AC\(^{0}{\circ }\)MOD\(_2\)” from a relevant non-standard hard learning assumption.

Our contributions. In this paper, we give constructions of low-depth PRFs from low-noise LPN (see Theorem 1 below), where the noise rate \(n^{-c}\) (for any constant \(0<c<1\)) encompasses the noise level of Alekhnovich [3] (i.e., \(c=1/2\)) and the higher-noise regime. Strictly speaking, the PRFs we obtain are not contained in AC\(^0(\)MOD\(_2)\), but the circuit depth \(\omega (1)\) can be arbitrarily small (e.g., \(\log \log \log {n}\) or even less). This complements the negative result of Razborov and Rudich [51] (which is based on the works of Razborov and Smolensky [50, 53]) that PRFs with more than quasi-polynomial security do not exist in AC\(^0(\)MOD\(_2)\).

Theorem 1

(main results, informal). Assume that the LPN problem with secret length n and noise rate \(\mu =n^{-c}\) (for any constant \(0<c<1\)) is \((q=1.001n\), \(t=2^{O(n^{1-c})}, \epsilon =2^{-O(n^{1-c})})\)-hard. Then,

  1. for any \(d=\omega (1)\), there exists a \((q' = n^{d/3}, t-q'\mathsf {poly}(n), O(nq'\epsilon ))\)-randomized-PRF on any weak key of Rényi entropy no less than \(O(n^{1-c}\cdot \log n)\), or on an \(n^{1-\frac{c}{2}}\)-bit uniform random key with any \((1-\frac{O(\log {n})}{n^{c/2}})\)-fraction of leakage (independent of the public coins of the PRF);

  2. let \(\lambda =\varTheta (n^{1-c}\log {n})\), for any \(d=\omega (1)\), there exists a \((q'=\lambda ^{\varTheta (d)},~t'=2^{O(\lambda /\log \lambda )},~\epsilon '=2^{-O(\lambda /\log \lambda )})\)-randomized PRF with key length \(\lambda \);

where both PRFs are computable by polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates.

On lifted security. Note that there is nothing special about the factor 1.001, which can be replaced with any constant greater than 1. The first parallelizable PRF has security comparable to the underlying LPN (with linear secret length) yet it uses a key of only sublinear entropy, or in the language of leakage resilient cryptography, a sublinear-size secret key with any \((1-o(1))\)-fraction of leakage (independent of the public coins). From a different perspective, let the security parameter \(\lambda \) be the key length of the PRF; then the second PRF can have security up to \(2^{O(\lambda /\log {\lambda })}\) given any \(n^{\varTheta (d)}\) queries. We use security-preserving PRF constructions without relying on k-wise independent hash functions. This is crucial for low-depth constructions as recent works [17, 34] use (almost) \(\omega (\log {n})\)-wise independent hash functions, which are not known to be computable in (almost) constant depth even with unbounded fan-in gates. We remark that the circuit depth \(d=\omega (1)\) is independent of the time/advantage security of the PRF, and is reflected only in the query complexity \(q'=n^{\varTheta (d)}\). This is reasonable in many scenarios, as in practice the number of queries may depend not only on the adversary’s computing power but also on the amount of data available for cryptanalysis. It remains open whether the dependency of query complexity on circuit depth can be fully eliminated.

Bernoulli-like Randomness Extractor/Sampler. Of independent interest, we propose the following randomness extractor and sampler in constant depth, which are used in the first and second PRF constructions respectively.

  • A Bernoulli randomness extractor in AC\(^0(\)MOD\(_2)\) that converts almost all entropy of a weak Rényi entropy source into Bernoulli noise distributions.

  • A sampler in AC\(^0\) that uses a short uniform seed and outputs a Bernoulli-like distribution of length m and noise rate \(\mu \), denoted as \(\psi _\mu ^m\) (see Algorithm 1).

Alekhnovich’s cryptosystem [3] considers a random distribution of length m that has exactly \(\mu {m}\) 1’s, which we denote as \(\chi _{\mu {m}}^{m}\). The problem of sampling \(\chi _{\mu {m}}^{m}\) dates back to [12], but the authors only mention that it can be done efficiently, and it is not known whether \(\chi _{\mu {m}}^{m}\) can be sampled in AC\(^0(\)MOD\(_2)\). Instead, Applebaum et al. [4] propose the following sampler for Bernoulli distribution \(\mathsf {Ber}_\mu ^q\) using uniform randomness. Let \(w=w_1\cdots {w_n}\) be an n-bit uniform random string, and for convenience assume that \(\mu \) is a negative power of 2 (i.e., \(\mu =2^{-v}\) for integer v). Let \(\mathsf{sample}: \{0, 1\}^{v} \rightarrow \{0, 1\}^{} \) output the AND of its input bits, and let

$$ e=(\mathsf{sample}(w_1\cdots {w_{v}}),\cdots ,\mathsf{sample}(w_{(q-1)v+1}\cdots {w_{{(q-1)v+v}}})) $$

so that \(e \sim \mathsf {Ber}_\mu ^q\) for any \(q\le \lfloor {n/\log (1/\mu )}\rfloor \). Note that \(\mathsf {Ber}_\mu \) has Shannon entropy \({{\mathbf {H}}_{1}}(\mathsf {Ber}_\mu )\) \(=\) \(\varTheta (\mu \log (1/\mu ))\) (see Fact A1), and thus the above converts a \((q{{\mathbf {H}}_{1}}(\mathsf {Ber}_\mu )/n)\) \(=\) \(O(\mu )\)-fraction of the entropy into Bernoulli randomness. It was observed in [4] that, conditioned on e, the source w still has \((1-O(\mu ))n\) bits of average min-entropy, which can be recycled into uniform randomness with a universal hash function h. That is, the two distributions are statistically close

$$ (e,~h(w),~h)~{\mathop \sim \limits ^s}~ (\mathsf {Ber}_\mu ^q,~U_{(1-O(\mu ))n},~h), $$

where \(U_q\) denotes a uniform distribution over \( \{0, 1\}^{q} \). The work of [4] then proceeded to a construction of PRG under noise rate \(\mu =\varTheta (1)\). However, for \(\mu =n^{-c}\) the above only samples an \(O(n^{-c})\)-fraction of entropy. To convert more entropy into Bernoulli distributions, one may need to apply the above sample-then-recycle process to the uniform randomness recycled from a previous round (e.g., h(w) of the first round) and repeat the process many times. However, this method is sequential and requires a circuit of depth \(\varOmega (n^c)\) to convert any constant fraction of entropy. We propose a more efficient and parallelizable extractor in AC\(^0(\)MOD\(_2)\). As shown in Fig. 1, given any weak source of Rényi entropy \(\varTheta (n)\), we apply i.i.d. pairwise independent hash functions \(h_1\), \(\cdots \), \(h_q\) (each of output length v) to w and then use \(\mathsf{sample}\) on the bits extracted to get the Bernoulli distributions. We prove a lemma showing that this method can transform almost all entropy into Bernoulli distribution \(\mathsf {Ber}_\mu ^q\), namely, the number of extracted Bernoulli bits q can be up to \(\varTheta (n/{{\mathbf {H}}_{1}}(\mathsf {Ber}_\mu ))\). This immediately gives an equivalent formulation of the standard LPN by reusing matrix a to randomize the hash functions. For example, for each \(1 \le i \le q\) denote by \(a_i\) the i-th row of a, let \(h_i\) be described by \(a_i\), and let i-th LPN sample be \(\langle {a_i}\), \(s \rangle \) \(\oplus \) \(\mathsf{sample}(h_{i}(w))\). Note that the algorithm is non-trivial as \((h_1(w)\), \(\cdots \), \(h_q(w))\) can be of length \(\varTheta (n^{1+c})\), which is much greater than the entropy of w.

Fig. 1. An illustration of the proposed Bernoulli randomness extractor in AC\(^0(\)MOD\(_2)\).

The Bernoulli randomness extractor is used in the first PRF construction. For our second construction, we introduce a Bernoulli-like distribution \(\psi _\mu ^m\) that can be more efficiently sampled in \(\text {AC}^0\) (i.e., without using XOR gates), and show that it can be used in place of \(\mathsf {Ber}_\mu ^m\) with provable security.

PRGs and PRFs from LPN. It can be shown that standard LPN implies a variant where the secret s and noise vector e are sampled from \(\mathsf {Ber}_\mu ^{n+q}\) or even \(\psi _\mu ^{n+q}\). This allows us to obtain a randomized PRG \(G_a\) with short seed and polynomial stretch, where a denotes the public coin. We then use the technique of Goldreich, Goldwasser and Micali [26] with an \(n^{\varTheta (1)}\)-ary tree of depth \(\omega (1)\) (reusing public coin a at every invocation of \(G_a\)) and construct a randomized PRF (see Definition 4) \(F_{k,a}\) with input length \(\omega (\log {n})\), secret key k and public coin a. This already implies PRFs of arbitrary input length by Levin’s trick [41], i.e., where h is a universal hash function from any fixed-length input to \(\omega (\log {n})\) bits. Note that \(\bar{F}_{(k,h),a}\) is computable in depth \(\omega (1)\) (i.e., the depth of the GGM tree) for any small \(\omega (1)\). However, the security of the above does not go beyond \(n^{\omega (1)}\) due to a birthday attack. To overcome this, we use a simple and parallel method [8, 44] by running a sub-linear number of independent copies of \(\bar{F}_{(k,h),a}\) and XORing their outputs, and we avoid key expansions by using pseudorandom keys (expanded using \(G_a\) or \(F_{k,a}\)) for all copies of \(\bar{F}_{(k,h),a}\). We obtain our final security-preserving construction of PRFs by putting together all the above ingredients.

The rest of the paper is organized as follows: Sect. 2 gives background information about relevant notions and definitions. Section 3 presents the Bernoulli randomness extractor. Sections 4 and 5 give the two constructions of PRFs respectively. We include in Appendix A well-known lemmas and inequalities used, and refer to Appendix B for all the proofs omitted in the main text.

2 Preliminaries

Notations and definitions. We use [n] to denote the set {1, ..., n}. We use capital letters (e.g., X, Y) for random variables and distributions, standard letters (e.g., x, y) for values, and calligraphic letters (e.g. \(\mathcal {X}\), \(\mathcal {E}\)) for sets and events. The support of a random variable X, denoted by Supp(X), refers to the set of values that X takes with non-zero probability, i.e., \(\{x:\Pr [X=x]>0\}\). Denote by \(|\mathcal {S}|\) the cardinality of set \(\mathcal {S}\). We use \(\mathsf {Ber}_\mu \) to denote the Bernoulli distribution with parameter \(\mu \), i.e., \(\Pr [\mathsf {Ber}_\mu =1] = \mu \), \(\Pr [\mathsf {Ber}_\mu = 0] = 1 - \mu \), while \(\mathsf {Ber}_\mu ^q\) denotes the concatenation of q independent copies of \(\mathsf {Ber}_\mu \). We use \(\chi _i^q\), \(i \le q\), to denote a uniform distribution over \(\{e\in \{0, 1\}^{q} :|e|=i\}\), where |e| denotes the Hamming weight of binary string e. For \(n\in \mathbb {N}\), \(U_n\) denotes the uniform distribution over \( \{0, 1\}^{n} \), independent of any other random variables in consideration, and \(f(U_n)\) denotes the distribution induced by applying the function f to \(U_n\). \(X{\sim }D\) denotes that random variable X follows distribution D. We use \(s\leftarrow {S}\) to denote sampling an element s according to distribution S, and let \(s\xleftarrow {\$}{\mathcal {S}}\) denote sampling s uniformly from set \(\mathcal {S}\).

Entropy definitions. For a random variable X and any \(x\in \mathsf {Supp}(X)\), the sample-entropy of x with respect to X is defined as

from which we define the Shannon entropy, Rényi entropy and min-entropy of X respectively, i.e.,

For \(0<\mu <1/2\), let be the binary entropy function so that \({{\mathbf {H}}}(\mu )={{\mathbf {H}}_{1}}(\mathsf {Ber}_\mu )\). We know that \({{\mathbf {H}}_{1}}(X)\ge {{\mathbf {H}}_{2}}(X)\ge {{\mathbf {H}}_{\infty }}(X)\) with equality when X is uniformly distributed. A random variable X of length n is called an \((n,\lambda )\)-Rényi entropy (resp., min-entropy) source if \({{\mathbf {H}}_{2}}(X)\ge \lambda \) (resp., \({{\mathbf {H}}_{\infty }}(X)\ge \lambda \)). The statistical distance between X and Y, denoted by \(\mathsf {SD}(X,Y)\), is defined by

$$ \mathsf {SD}(X,Y) \mathop {=}\limits ^{{\mathsf{def}}}\frac{1}{2}\sum _{x}\left| \Pr [X=x] - \Pr [Y=x]\right| $$

We use \(\mathsf {SD}(X,Y|Z)\) as a shorthand for \(\mathsf {SD}((X,Z),(Y,Z))\).

Simplifying Notations. To simplify the presentation, we use the following simplified notations. Throughout, n is the security parameter and most other parameters are functions of n, and we often omit n when clear from the context. For example, \(\mu =\mu (n)\in (0,1/2)\), \(q=q(n)\in \mathbb {N}\), \(t=t(n)>0\), \(\epsilon =\epsilon (n)\in (0,1)\), and \(m=m(n)=\mathsf {poly}(n)\), where \(\mathsf {poly}\) refers to some polynomial.

Definition 1

(Computational/decisional LPN). Let n be a security parameter, and let \(\mu \), q, t and \(\epsilon \) all be functions of n. The decisional \(\mathsf {LPN}_{\mu ,n}\) problem (with secret length n and noise rate \(\mu \)) is (q, t, \(\epsilon )\)-hard if for every probabilistic distinguisher \(\mathsf{D}\) running in time t we have

$$\begin{aligned} \big |\mathop {\Pr }\limits _{A,S,E}[\mathsf{D}_{}(A,~A{\cdot }{S} \oplus E)=1] - \mathop {\Pr }\limits _{A,U_q}[\mathsf{D}(A, U_q)=1]\big |~\le ~\epsilon \end{aligned}$$
(1)

where \(A~{\sim }~U_{q{n}}\) is a \(q \times n\) matrix, \(S\sim {U_n}\) and \(E\sim \mathsf {Ber}_\mu ^q\). The computational \(\mathsf {LPN}_{\mu ,n}\) problem is \((q, t, \epsilon )\)-hard if for every probabilistic algorithm \(\mathsf{D}\) running in time t we have

$$ \mathop {\Pr }\limits _{A,S,E}[\mathsf{D}_{}(A,~A{\cdot }{S} \oplus E)=(S,E)]~\le ~\epsilon , $$

where \(A~{\sim }~U_{q{n}}\), \(S\sim {U_n}\) and \(E\sim \mathsf {Ber}_\mu ^q\).

Definition 2

(LPN variants). The decisional/computational X-\(\mathsf {LPN}_{\mu ,n}\) is defined as per Definition 1 accordingly except that (S, E) follows distribution X. Note that standard \(\mathsf {LPN}_{\mu ,n}\) is a special case of X-\(\mathsf {LPN}_{\mu ,n}\) for \(X\sim (U_n,\mathsf {Ber}_\mu ^q)\).

In view of the randomized nature of LPN, we generalize standard PRGs/PRFs to equivalent randomized variants, where the generator/function additionally uses some public coins for randomization, and the seed/key can be sampled from a weak source (independent of the public coins).

Definition 3

(Randomized PRGs on weak seeds). Let \(\lambda \le \ell _1<\ell _2,\ell _3,t,\epsilon \) be functions of security parameter n. An efficient function family ensemble \(\mathcal {G}=\{G_a: \{0, 1\}^{\ell _1} \rightarrow \{0, 1\}^{\ell _2} ,a\in \{0, 1\}^{\ell _3} \}_{n \in \mathbb {N}}\) is a \((t,\epsilon )\) randomized PRG on \((\ell _1, \lambda )\)-weak seed if for every probabilistic distinguisher \(\mathsf{D}\) of running time t and every \((\ell _1,\lambda )\)-Rényi entropy source K it holds that

$$ \big |\!\mathop {\Pr }\limits _{K,A\sim {U_{\ell _3}}}[\mathsf{D}(G_A(K),A)=1] - \mathop {\Pr }\limits _{U_{\ell _2},A\sim {U_{\ell _3}}}[\mathsf{D}(U_{\ell _2},A)=1]\big |~\le ~\epsilon . $$

The stretch factor of \(\mathcal {G}\) is \(\ell _2/\ell _1\). Standard (deterministic) PRGs are implied by defining for a uniform random k.

Definition 4

(Randomized PRFs on weak keys). Let \(\lambda \le \ell _1,\ell _2,\ell _3,\ell ,t,\epsilon \) be functions of security parameter n. An efficient function family ensemble \(\mathcal {F}=\{F_{k,a}: \{0, 1\}^{\ell } \rightarrow \{0, 1\}^{\ell _2} ,k\in \{0, 1\}^{\ell _1} ,a\in \{0, 1\}^{\ell _3} \}_{n \in \mathbb {N}}\) is a \((q,t,\epsilon )\) randomized PRF on \((\ell _1,\lambda )\)-weak key if for every oracle-aided probabilistic distinguisher \(\mathsf{D}\) of running time t and bounded by q queries and for every \((\ell _1,\lambda )\)-Rényi entropy source K we have

$$ \big |\mathop {\Pr }\limits _{K,A\sim {U}_{\ell _3}}[\mathsf{D}^{F_{K,A}}(A)=1] - \mathop {\Pr }\limits _{R,A{\sim }U_{\ell _3}}[\mathsf{D}^{R}(A)=1]\big |~\le ~\epsilon (n), $$

where R denotes a random function distribution ensemble mapping from \(\ell \) bits to \(\ell _2\) bits. Standard PRFs are a special case for empty a (or keeping \(k'=(k,a)\) secret) on uniformly random key.

Definition 5

(Universal hashing). A function family \(\mathcal {H}=\{h_a : \{0, 1\}^{n} \rightarrow \{0, 1\}^{m} , a\in \{0, 1\}^{l} \}\) is universal if for any \(x_1 \ne x_2 \in \{0, 1\}^{n} \) it holds that

$$ \mathop {\Pr }\limits _{a\xleftarrow {\$} \{0, 1\}^{l} }[h_a(x_1) = h_a(x_2)] \le 2^{-m}. $$

Definition 6

(Pairwise independent hashing). A function family \(\mathcal {H}\) = {\(h_a\): \( \{0, 1\}^{n} \) \(\rightarrow \) \( \{0, 1\}^{m} \), \(a\in \{0, 1\}^{l} \)} is pairwise independent if for any \(x_1 \ne x_2 \in \{0, 1\}^{n} \) and any \(v\in \{0, 1\}^{2m} \) it holds that

$$ \mathop {\Pr }\limits _{a\xleftarrow {\$} \{0, 1\}^{l} }[(h_a(x_1), h_a(x_2)) = v] = 2^{-2m}. $$

Concrete constructions. We know that for every \(m\le {n}\) there exists a pairwise independent (and universal) \(\mathcal {H}\) with description length \(l=\varTheta (n)\), where every \(h\in \mathcal {H}\) can be computed in AC\(^0\)(MOD\(_2\)). For example, \(\mathcal {H}_1\) and \(\mathcal {H}_2\) defined below are universal and pairwise independent respectively:

where \(a\in \{0, 1\}^{n+m-1} \) is interpreted as an \(m \times n\) Toeplitz matrix and ‘\(\cdot \)’ and ‘\(\oplus \)’ denote matrix-vector multiplication and addition over GF(2) respectively.
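The following Python program is an added example, not code from the paper: it checks Definitions 5 and 6 exhaustively, for tiny parameters, on Toeplitz-based families. Since the page's own formulas for \(\mathcal {H}_1\) and \(\mathcal {H}_2\) are not reproduced here, the block assumes the usual forms \(h_a(x)=a\cdot x\) for \(\mathcal {H}_1\) and \(h_{a,b}(x)=a\cdot x\oplus b\) for \(\mathcal {H}_2\), with a interpreted as the \(m\times n\) Toeplitz matrix described by n+m-1 bits as in the text; the function names are mine.

```python
from itertools import product


def toeplitz(a, n, m):
    """The m x n Toeplitz matrix described by the (n+m-1)-bit tuple a:
    entry (i, j) = a[i - j + n - 1], so every diagonal carries one bit of a."""
    return [[a[i - j + n - 1] for j in range(n)] for i in range(m)]


def matvec(rows, x):
    """Matrix-vector product over GF(2) on bit tuples."""
    return tuple(sum(r[j] & x[j] for j in range(len(x))) & 1 for r in rows)


def h1(a, x, n, m):
    """Assumed form of H_1: h_a(x) = a . x with Toeplitz a (universal)."""
    return matvec(toeplitz(a, n, m), x)


def h2(a, b, x, n, m):
    """Assumed form of H_2: h_{a,b}(x) = a . x xor b (pairwise independent)."""
    return tuple(y ^ bb for y, bb in zip(h1(a, x, n, m), b))


def bits(k):
    return list(product((0, 1), repeat=k))


def max_collision_probability(n, m):
    """max over x1 != x2 of Pr_a[h_a(x1) = h_a(x2)]; Definition 5 requires <= 2^-m.
    Computed by enumerating every key a in {0,1}^{n+m-1}."""
    keys, inputs = bits(n + m - 1), bits(n)
    worst = 0.0
    for i, x1 in enumerate(inputs):
        for x2 in inputs[i + 1:]:
            collisions = sum(h1(a, x1, n, m) == h1(a, x2, n, m) for a in keys)
            worst = max(worst, collisions / len(keys))
    return worst


def is_pairwise_independent(n, m, with_offset=True):
    """Definition 6 checked exhaustively: for every x1 != x2 the pair (h(x1), h(x2)) must
    hit each v in {0,1}^{2m} exactly a 2^{-2m} fraction of the time. with_offset=False
    drops b, which shows that the Toeplitz product alone is universal but not pairwise
    independent (h(0) is always 0)."""
    offsets = bits(m) if with_offset else [(0,) * m]
    keys = [(a, b) for a in bits(n + m - 1) for b in offsets]
    inputs = bits(n)
    if len(keys) % 4 ** m:
        return False
    target = len(keys) // 4 ** m
    for i, x1 in enumerate(inputs):
        for x2 in inputs[i + 1:]:
            counts = {}
            for a, b in keys:
                v = h2(a, b, x1, n, m) + h2(a, b, x2, n, m)
                counts[v] = counts.get(v, 0) + 1
            if len(counts) != 4 ** m or any(c != target for c in counts.values()):
                return False
    return True


if __name__ == "__main__":
    print("max collision probability, n=4, m=2:", max_collision_probability(4, 2))
    print("Toeplitz + offset pairwise independent (n=3, m=2):", is_pairwise_independent(3, 2))
    print("Toeplitz alone pairwise independent:", is_pairwise_independent(3, 2, with_offset=False))
```

The collision probability comes out as exactly \(2^{-m}\) for every pair, because for \(d=x_1\oplus x_2\ne 0\) the map \(a\mapsto a\cdot d\) is a surjective linear map from the n+m-1 key bits onto \(\{0,1\}^m\); adding the independent offset b then makes \((h(x_1),h(x_2))\) uniform over 2m bits, which is what Definition 6 asks for.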

3 Bernoulli Randomness Extraction in \({\mathrm{AC}^0}\)(MOD\(_2)\)

First, we state below a variant of the lemma (e.g., [28]) that taking sufficiently many samples of i.i.d. random variables yields an “almost flat” joint random variable, i.e., the sample-entropy of most values is close to the Shannon entropy of the joint random variable. The proof is included in Appendix B for completeness.

Lemma 1

(Flattening Shannon entropy). For any n \(\in \) \(\mathbb {N}\), \(0<\mu <1/2\) and for any \(\varDelta >0\) define

(2)

Then, we have \(\Pr [\mathsf {Ber}_\mu ^q\in \mathcal {E}]\ge 1-\exp ^{-\frac{\min (\varDelta ,\varDelta ^2)\mu {q}}{3}}\).

Lemma 2 states that the proposed Bernoulli randomness extractor (see Fig. 1) extracts almost all entropy from a Rényi entropy (or min-entropy) source. We mention that the extractor can be considered as a parallelized version of the random bits recycler of Impagliazzo and Zuckerman [32], and the proof technique is also closely related to the crooked leftover hash lemma [14, 21].

Lemma 2

(Bernoulli randomness extraction). For any m, \(v\in \mathbb {N}\) and \(0<\mu ~ \le ~1/2\), let \(W\in \mathcal {W}\) be any \((\lceil \log |\mathcal {W}|\rceil , m)\)-Rényi entropy source, let \(\mathcal {H}\) be a family of pairwise independent hash functions mapping from \(\mathcal {W}\) to \( \{0, 1\}^{v} \), let \({\varvec{H}}=(H_1,\ldots ,H_q)\) be a vector of i.i.d. random variables such that each \(H_i\) is uniformly distributed over \(\mathcal {H}\), let \(\mathsf{sample}: \{0, 1\}^{v} \rightarrow \{0, 1\}^{} \) be any Boolean function such that \(\mathsf{sample}(U_v)\sim {\mathsf {Ber}_\mu }\). Then, for any constant \(0<\varDelta \le 1\) it holds that

$$ \mathsf {SD}(\mathsf {Ber}_{\mu }^q, \mathsf{sample}({\varvec{H}}(W))~|~{\varvec{H}}) \le ~2^{\big ((1+\varDelta )q{{\mathbf {H}}}(\mu )-m\big )/2} + \exp ^{-\frac{\varDelta ^2\mu {q}}{3}}, $$

where

Remark 1

(On entropy loss). The amount of entropy extracted (i.e., \(q{{\mathbf {H}}}(\mu )\)) can be almost as large as entropy of the source (i.e., m) by setting \(m=(1+2\varDelta )q{{\mathbf {H}}}(\mu )\) for any arbitrarily small constant \(\varDelta \). Further, the leftover hash lemma falls into a special case for \(v=1\) (\(\mathsf{sample}\) being an identity function) and \(\mu =1/2\).
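The following Python program is an added example, not code from the paper: it computes the quantity bounded by Lemma 2, \(\mathsf {SD}(\mathsf {Ber}_{\mu }^q, \mathsf{sample}({\varvec{H}}(W))~|~{\varvec{H}})\), exactly for tiny parameters by enumerating every q-tuple of hash functions, and evaluates the right-hand side of Lemma 2 for given \((m,\mu,q,\varDelta)\). It assumes the affine family \(x\mapsto Rx\oplus b\) as the pairwise independent \(\mathcal {H}\) and \(\mathsf{sample}\) = AND of the v hashed bits (so \(\mu=2^{-v}\)); the function names are mine. Comparing a constant source, a two-point source and a uniform source shows the distance shrinking as the source entropy m grows relative to \(q{{\mathbf {H}}}(\mu )\), which is the trade-off Remark 1 describes.

```python
from fractions import Fraction
from itertools import product
from math import exp, log2


def binary_entropy(mu):
    """H(mu), the Shannon entropy of Ber_mu."""
    return -mu * log2(mu) - (1 - mu) * log2(1 - mu)


def lemma2_bound(m, mu, q, delta):
    """Right-hand side of Lemma 2: 2^{((1+delta) q H(mu) - m)/2} + exp(-delta^2 mu q / 3)."""
    return 2 ** (((1 + delta) * q * binary_entropy(mu) - m) / 2) + exp(-delta ** 2 * mu * q / 3)


def affine_hashes(n, v):
    """Every map x -> R x xor b with R in GF(2)^{v x n}, b in {0,1}^v (assumed family;
    it is pairwise independent because b is uniform and independent of R)."""
    return [(R, b) for R in product(product((0, 1), repeat=n), repeat=v)
            for b in product((0, 1), repeat=v)]


def apply_hash(h, x):
    R, b = h
    return tuple((sum(r[j] & x[j] for j in range(len(x))) & 1) ^ bb for r, bb in zip(R, b))


def sample(hashed_bits):
    """AND of the v hashed bits: sample(U_v) ~ Ber_{2^-v}."""
    return int(all(hashed_bits))


def extractor_sd(source, v, q):
    """Exact SD(Ber_mu^q, sample(H(W)) | H) for mu = 2^-v, enumerating all q-tuples of
    hashes (each tuple has probability |H|^-q). `source` maps every n-bit tuple w in the
    support of W to Pr[W = w] as a Fraction, so the result is an exact rational."""
    n = len(next(iter(source)))
    mu = Fraction(1, 2 ** v)
    target = {e: mu ** sum(e) * (1 - mu) ** (q - sum(e)) for e in product((0, 1), repeat=q)}
    hashes = affine_hashes(n, v)
    total = Fraction(0)
    for hs in product(hashes, repeat=q):
        cond = {}  # p_{e|h} = Pr[sample(h(W)) = e] for this fixed tuple h
        for w, pw in source.items():
            e = tuple(sample(apply_hash(h, w)) for h in hs)
            cond[e] = cond.get(e, Fraction(0)) + pw
        total += sum(abs(cond.get(e, Fraction(0)) - pe) for e, pe in target.items()) / 2
    return total / len(hashes) ** q


def flat_source(points):
    """A source uniform on the given points, i.e. of Renyi entropy log2(len(points))."""
    return {w: Fraction(1, len(points)) for w in points}


if __name__ == "__main__":
    pts = list(product((0, 1), repeat=2))  # constructed 2-bit source alphabet
    for name, src in [("constant (m=0)", flat_source(pts[:1])),
                      ("two points (m=1)", flat_source(pts[:2])),
                      ("uniform (m=2)", flat_source(pts))]:
        print(name, "SD =", float(extractor_sd(src, v=2, q=2)))
    print("Lemma 2 bound at m=3000, mu=1/64, q=10000, delta=1/2:",
          lemma2_bound(3000, 1 / 64, 10000, 0.5))
```

At the toy scale the right-hand side of Lemma 2 exceeds 1 and says nothing, which is expected: the bound only becomes informative once \(m\) exceeds \((1+\varDelta)q{{\mathbf {H}}}(\mu )\) by many bits and \(\mu q\) is large, as in the final call above.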

Proof

Let set \(\mathcal {E}\) be defined as in (2). For any \({\varvec{e}}\in \{0, 1\}^{q} \) and \({\varvec{h}}\in {\mathcal {H}^q}\), use shorthands , and . We have

$$\begin{aligned}&\mathsf {SD}\big ((\mathsf {Ber}_{\mu }^q,{\varvec{H}}),~(\mathsf {sample}({\varvec{H}}(W)),{\varvec{H}})\big )~\\&\quad =\frac{1}{2}\sum _{{\varvec{h}}\in \mathcal {H}^q,{\varvec{e}}\in \mathcal {E}} p_{{\varvec{h}}} |~p_{{\varvec{e}}|{\varvec{h}}} - p_{{\varvec{e}}}~| + \frac{1}{2}\sum _{{\varvec{h}}\in \mathcal {H}^q,{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}} |~p_{{\varvec{e}}|{\varvec{h}}} - p_{{\varvec{e}}}~|\\&\quad \le \frac{1}{2}\sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\in \mathcal {E}} \left( ~\sqrt{p_{{\varvec{h}}}\cdot {p_{{\varvec{e}}}}}\right) \cdot \left( \sqrt{\frac{p_{{\varvec{h}}}}{p_{{\varvec{e}}}}}~\big |~p_{{\varvec{e}}|{\varvec{h}}} - p_{{\varvec{e}}}~\big |~\right) \\&\qquad + \frac{1}{2}\bigg (\sum _{{\varvec{h}}\in \mathcal {H}^q,{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}} +\sum _{{\varvec{h}}\in \mathcal {H}^q,{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}}\bigg )\\&\quad \le \frac{1}{2}\sqrt{~\left( \sum _{{\varvec{h}}\in \mathcal {H}^q,{\varvec{e}}\in \mathcal {E}} p_{{\varvec{h}}}\cdot {p_{{\varvec{e}}}} \right) \cdot \left( \sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\in \mathcal {E}} {\frac{p_{{\varvec{h}}}}{p_{{\varvec{e}}}}} \cdot \left( p_{{\varvec{e}}|{\varvec{h}}} - p_{{\varvec{e}}}~\right) ^2\right) }+\Pr [\mathsf {Ber}_\mu ^q\notin \mathcal {E}]\\&\quad \le \frac{1}{2}\sqrt{~1\cdot \sum _{{\varvec{e}}\in \mathcal {E}}\bigg (\sum _{{\varvec{h}}\in \mathcal {H}^q} {\frac{p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}^2}{p_{{\varvec{e}}}}} - 2\sum _{{\varvec{h}}\in \mathcal {H}^q} {p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}} + \sum _{{\varvec{h}}\in \mathcal {H}^q} {p_{{\varvec{h}}}p_{{\varvec{e}}}} \bigg ) } + \exp ^{-\frac{\varDelta ^2\mu {q}}{3}}\\&\quad \le \frac{1}{2}\sqrt{|\mathcal {E}|\cdot {2^{-m}}} + \exp ^{-\frac{\varDelta ^2\mu {q}}{3}}\\&\quad \le 2^{\frac{(1+\varDelta )q{{\mathbf {H}}}(\mu )-m}{2}} + \exp ^{-\frac{\varDelta ^2\mu {q}}{3}}, \end{aligned}$$

where the second inequality is Cauchy-Schwarz, i.e., \(|\sum a_i b_i |\) \(\le \) \(\sqrt{(\sum a_i^2)\cdot (\sum b_i^2)}\), together with (3) below; the third inequality follows from Lemma 1; the fourth inequality is due to (4) and (5), i.e., fixing any \({\varvec{e}}\) (and thus \(p_{{\varvec{e}}}\) as well) we can substitute \(p_{{\varvec{e}}}\cdot (2^{-m}+p_{{\varvec{e}}})\) for \(\sum _{{\varvec{h}}\in \mathcal {H}^q} {{p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}^2}}\), and \(p_{{\varvec{e}}}\) for both \(\sum _{{\varvec{h}}\in \mathcal {H}^q} {p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}}\) and \(\sum _{{\varvec{h}}\in \mathcal {H}^q} {p_{{\varvec{h}}}p_{{\varvec{e}}}}\); and the last inequality follows from the definition of \(\mathcal {E}\) (see (2)), namely

$$ |\mathcal {E}|~\le ~1/{\min _{{\varvec{e}}\in \mathcal {E}}\Pr [\mathsf {Ber}_\mu ^q={\varvec{e}}]}~ \le ~2^{(1+\varDelta )q{{\mathbf {H}}}(\mu )} $$

which completes the proof.

Claim 1

$$\begin{aligned} \sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}} = \sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}} = \Pr [{\mathsf {Ber}_\mu ^q\notin \mathcal {E}}] \end{aligned}$$
(3)
$$\begin{aligned} \forall {\varvec{e}}\in \{0, 1\}^{q} :\sum _{{\varvec{h}}\in {\mathcal {H}^q}} {{p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}^2}}~ \le ~p_{{\varvec{e}}}\cdot (2^{-m}+p_{{\varvec{e}}}) \end{aligned}$$
(4)
$$\begin{aligned} \forall {\varvec{e}}\in \{0, 1\}^{q} :\sum _{{\varvec{h}}\in {\mathcal {H}^q}} {p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}}=\sum _{{\varvec{h}}\in {\mathcal {H}^q}} {p_{{\varvec{h}}}p_{{\varvec{e}}}}=p_{{\varvec{e}}} \end{aligned}$$
(5)

Proof

Let . The pairwise independence of \(\mathcal {H}\) implies that

$$ {{\varvec{H}}}(W)~\sim ~(U_v^1,\ldots ,U_v^q) $$

holds even conditioned on any fixing of \(W=w\), and thus \(\mathsf {sample}({\varvec{H}}(W))\sim \mathsf {Ber}_\mu ^q\). We have

$$ \sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}=\Pr [\mathsf {sample}({\varvec{H}}(W))\notin \mathcal {E}]=\Pr [\mathsf {Ber}_\mu ^q\notin \mathcal {E}], $$
$$ \forall {\varvec{e}}\in \{0, 1\}^{q} :\sum _{{\varvec{h}}\in {\mathcal {H}^q}} {p_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}}=\Pr [\mathsf {sample}({\varvec{H}}(W))={\varvec{e}}] = \Pr [\mathsf {Ber}_\mu ^q={\varvec{e}}]=p_{{\varvec{e}}}, $$
$$ \sum _{{\varvec{h}}\in {\mathcal {H}^q},{\varvec{e}}\notin \mathcal {E}} p_{{\varvec{h}}}p_{{\varvec{e}}} = \sum _{{\varvec{h}}\in {\mathcal {H}^q}} p_{{\varvec{h}}}\cdot \sum _{{\varvec{e}}\notin \mathcal {E}}p_{{\varvec{e}}} = \Pr [\mathsf {Ber}_\mu ^q\notin \mathcal {E}], $$
$$ \forall {\varvec{e}}\in \{0, 1\}^{q} :\sum _{{\varvec{h}}\in {\mathcal {H}^q}} {p_{{\varvec{h}}}p_{{\varvec{e}}}} = p_{{\varvec{e}}}\cdot \sum _{{\varvec{h}}\in {\mathcal {H}^q}}p_{{\varvec{h}}} = p_{{\varvec{e}}}. $$

Now fix any \({\varvec{e}}\in \{0, 1\}^{q} \), and let \(W_1\) and \(W_2\) be random variables that are i.i.d. to W, we have

$$\begin{aligned}&\sum _{{\varvec{h}}\in \mathcal {H}^q} {{p}_{{\varvec{h}}}p_{{\varvec{e}}|{\varvec{h}}}^2}\\&\quad =\mathop {\Pr }\limits _{W_1,W_2,{\varvec{H}}}[\mathsf {sample}({\varvec{H}}(W_1))=\mathsf {sample}({\varvec{H}}(W_2))={\varvec{e}}]\\&\quad \le \mathop {\Pr }\limits _{W_1,W_2}[W_1=W_2]\cdot \mathop {\Pr }\limits _{W_1,{\varvec{H}}}[\mathsf {sample}({\varvec{H}}(W_1))={\varvec{e}}]\\&\qquad +\mathop {\Pr }\limits _{{\varvec{H}}}[\mathsf {sample}({\varvec{H}}(w_1))=\mathsf {sample}({\varvec{H}}(w_2))={\varvec{e}}~|~w_1\ne {w_2}]\\&\quad \le 2^{-m}\cdot {p_{{\varvec{e}}}} + \Pr [\mathsf {Ber}_\mu ^q={\varvec{e}}]^2~=2^{-m}\cdot {p_{{\varvec{e}}}} + p_{{\varvec{e}}}^2, \end{aligned}$$

where the second inequality is again due to the pairwise independence of \(\mathcal {H}\), i.e., for any \(w_1\ne {w_2}\), \({\varvec{H}}(w_1)\) and \({\varvec{H}}(w_2)\) are i.i.d. to \((U_v^1,\ldots ,U_v^q)\) and thus the two distributions \(\mathsf{sample}({\varvec{H}}(w_1))\) and \(\mathsf{sample}({\varvec{H}}(w_2))\) are i.i.d. to \(\mathsf {Ber}_\mu ^q\).

4 Parallelizable PRFs on Weak Keys

4.1 A Succinct Formulation of LPN

The authors of [22] observed that the secret of LPN need not be uniformly random and can be replaced with a Bernoulli distribution. We state a more quantitative version (than [22, Problem 2]) in Lemma 3: \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) (see Definition 2) is implied by standard LPN for nearly the same parameters, except that standard LPN needs n more samples. The proof follows by a simple reduction and is included in Appendix B.

Lemma 3

Assume that the decisional (resp., computational) \(\mathsf {LPN}_{\mu ,n}\) problem is \((q, t, \epsilon )\)-hard, then the decisional (resp., computational) \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) problem is at least \((q-(n+2)\), \(t-{\mathsf {poly}(n+q)}\), \(2\epsilon )\)-hard.

Remark 2

(On the security of low-noise LPN). For \(\mu =n^{-c}\), a trivial statistical test suggests (by the piling-up lemma) that any single sample of decisional \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is \((1/2 + 2^{-O(n^{1-c})})\)-biased to 0. In other words, decisional \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is no more than \((q=1\), \(t=O(1)\), \(\epsilon =2^{-O(n^{1-c})})\)-hard and thus it follows (via the reduction of Lemma 3) that decisional \(\mathsf {LPN}_{\mu ,n}\) cannot have indistinguishability beyond \((q=n+3, t = \mathsf {poly}(n), \epsilon = 2^{-O(n^{1-c})})\). Asymptotically, this is also the current state-of-the-art attack on low-noise LPN using \(q=\mathsf {poly}(n)\) or even more samples.

4.2 A Direct Construction in Almost Constant Depth

To build a randomized PRG (on weak source w) from the succinct LPN, we first sample a Bernoulli vector \((s, e)\) from w (using random coins a), and then output \(a{\cdot }s\oplus {e}\). Theorem 2 states that the above yields a randomized PRG on weak seed w and public coin a.

Theorem 2

(randomized PRGs from LPN). Let n be a security parameter, let \(\delta >0\) be any constant, and let \(\mu =n^{-c}\) for any \(0<c<1\). Assume that the decisional \(\mathsf {LPN}_{\mu ,n}\) problem is \(((1+2\delta )n,~t,~\epsilon )\)-hard, then \(\mathcal {G}=\{G_a: \{0, 1\}^{n^{1-\frac{c}{2}}} \rightarrow \{0, 1\}^{\delta {n}} ,a\in \{0, 1\}^{{\delta }n{\times }n} \}_{n \in \mathbb {N}}\), where

$$ G_{a}(w) = a\cdot s \oplus e, s\in \{0, 1\}^{n} , e\in \{0, 1\}^{\delta {n}} $$

and \((s, e)=\mathsf{sample}({\varvec{h}}_{\varvec{a}}(w))\), is a \((t-\mathsf {poly}(n),~O(\epsilon ))\)-randomized PRG on \((n^{1-\frac{c}{2}}\), \(4c(1+\delta ^2)n^{1-c}\cdot \log {n})\)-weak seed with stretch factor \(\delta {\cdot }{n^{\frac{c}{2}}}\).

Proof

We have by Lemma 3 that \(((1+2\delta )n, t, \epsilon )\)-hard decisional \(\mathsf {LPN}_{\mu ,n}\) implies \(({\delta }n, t-{\mathsf {poly}(n)}, 2\epsilon )\)-hard decisional \(\mathsf {Ber}_\mu ^{n+\delta {n}}\)-\(\mathsf {LPN}_{\mu ,n}\), so the conclusion follows if we can sample \((s,e)\xleftarrow {\$}\mathsf {Ber}_\mu ^{n+\delta {n}}\) from w. This follows from Lemma 2 by choosing \(q=n+{\delta }n\), \(\varDelta =\delta \), and \(m=4c(1+\delta )^2n^{1-c}\cdot \log {n}\), so that the sampled noise vector is statistically close to \(\mathsf {Ber}_\mu ^{n+\delta {n}}\) up to an error bounded by

$$\begin{aligned}&2^{\big ((1+\varDelta )q{{\mathbf {H}}}(\mu )-m\big )/2} + \exp ^{-\frac{\varDelta ^2\mu {q}}{3}}\\&\quad \le 2^{\big ((1+\delta )^2n{{\mathbf {H}}}(\mu )-2(1+\delta )^2n{{\mathbf {H}}}(\mu )\big )/2} + 2^{-\varOmega (n^{1-c})}\\&\quad = 2^{-\varOmega (n^{1-c}\cdot {\log {n}})} + 2^{-\varOmega (n^{1-c})}\\&\quad = 2^{-\varOmega (n^{1-c})} \end{aligned}$$

where recall by Fact A1 that \(\mu \log (1/\mu )<{{\mathbf {H}}}(\mu )<\mu (\log (1/\mu )+2)\) and thus \(m>2(1+\delta ^2)n^{1-c}(c\log {n}+2)>2(1+\delta ^2)n{{\mathbf {H}}}(\mu )\). The above error term is absorbed into \(O(\epsilon )\), since \(\epsilon =2^{-O(n^{1-c})}\) (see Remark 2).

We state a variant of the theorem by Goldreich, Goldwasser and Micali [26] on building PRFs from PRGs, where we consider PRGs with stretch factor \(2^v\) for \(v=O(\log {n})\) (i.e., a balanced \(2^v\)-ary tree) and use randomized (instead of deterministic) PRG \(G_a\), reusing public coin a at every invocation of \(G_a\).

Theorem 3

(PRFs from PRGs [26]). Let n be a security parameter, let \(v=O(\log {n})\), \(\lambda \le m = n^{O(1)}\), \(\lambda = \mathsf {poly}(n)\), \(t = t(n)\) and \(\epsilon =\epsilon (n)\). Let \(\mathcal {G}=\{G_a: \{0, 1\}^{m} \rightarrow \{0, 1\}^{2^{v}{\cdot }m} ,a\in \mathcal {A}\}_{n \in \mathbb {N}}\) be a \((t,\epsilon )\) randomized PRG (with stretch factor \(2^{v}\)) on \((m,\lambda )\)-weak seed. Parse \(G_a(k)\) as \(2^{v}\) blocks of m-bit strings:

where \(G_a^{i_1\cdots {i_{v}}}(k)\) denotes the \((i_1\cdots {i_{v}})\)-th m-bit block of \(G_a(k)\). Then, for any \(d\le \mathsf {poly}(n)\) and \(q = q(n)\), the function family ensemble \(\mathcal {F}=\{F_{k,a}: \{0, 1\}^{dv} \rightarrow \{0, 1\}^{2^v{\cdot }m} , k\in \{0, 1\}^{m} , a\in \mathcal {A}\}_{n\in \mathbb {N}}\), where

is a \((q,~t-q\cdot \mathsf {poly}(n),~dq\epsilon )\) randomized PRF on \((m,\lambda )\)-weak key.

On polynomial-size circuits. The above GGM tree has \(\varTheta (2^{dv})\) nodes and thus it may seem that for \(dv=\omega (\log {n})\) we need a circuit of super-polynomial size to evaluate \(F_{k,a}\). This is not necessary since we can represent the PRF in the following alternative form:

$$ F_{k,a}=G_a~\circ ~\underbrace{\mathsf {mux}_{x_{(d-1)v+1}\cdots {x_{dv}}}\circ G_a}_{G_a^{x_{(d-1)v+1}\cdots {x_{dv}}}} \circ \cdots \circ \underbrace{\mathsf {mux}_{x_{v+1}\cdots {x_{2v}}}\circ G_a}_{G_a^{x_{v+1}\cdots {x_{2v}}}} \circ \underbrace{\mathsf {mux}_{x_1\cdots {x_v}}\circ G_a}_{G_a^{x_1\cdots {x_v}}} $$

where ‘\(\circ \)’ denotes function composition, each multiplexer \(\mathsf {mux}_{i_1\cdots {i_{v}}}: \{0, 1\}^{2^v{m}} \rightarrow \{0, 1\}^{m} \) simply selects as output the \((i_1\cdots {i_{v}})\)-th m-bit block of its input, and it can be implemented with \(O(2^v\cdot {m})=\mathsf {poly}(n)\) NOT and (unbounded fan-in) AND/OR gates of constant depth. Thus, for \(v=O(\log {n})\), the function \(F_{k,a}\) can be evaluated with a polynomial-size circuit of depth O(d).
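The following is an added toy implementation of the two pieces just described, not code from the paper: the randomized PRG \(G_a(w)=a\cdot s\oplus e\) of Theorem 2, where \((s,e)\) is obtained by hashing the weak seed w with a public hash \(h_a\) and converting the result block-by-block into Bernoulli bits, and the \(2^v\)-ary GGM evaluation of Section 4.2, which walks down the tree by alternating \(G_a\) with a multiplexer on the next v input bits. Everything concrete is an assumption made for illustration: the parameters are far too small to be secure, the pairwise-independent family is instantiated as a random affine map over GF(2), and \(\mathsf {sample}\) is taken to output 1 exactly when a block of \(\mathtt{VB}\) uniform bits is below a fixed threshold (noise rate \(\mu = 1/8\) here).

```python
"""
Toy instance of the LPN-based randomized PRG (Theorem 2) plugged into the
2^V-ary GGM tree of Theorem 3 / Section 4.2.  Added example, not the paper's
code.  Bit strings are Python ints; bit i of x is (x >> i) & 1.
"""
import random

# Toy parameters (assumptions, chosen so the example runs instantly; they give
# no security).  N: LPN secret length.  M: PRG seed length.  The PRG stretches
# M bits to 2^V * M bits, so the GGM tree is 2^V-ary.
N = 32
M = 8
V = 2
OUT = (1 << V) * M   # PRG output length (delta * n with delta = 1)
VB = 3               # hash bits consumed per Bernoulli sample
MU_NUM = 1           # sample() outputs 1 iff a VB-bit block < MU_NUM: mu = 1/8


def parity(x):
    """Parity of the set bits of x: GF(2) inner product after an AND."""
    return bin(x).count("1") & 1


def gen_public_coin(rng):
    """Public coin a: the OUT x N LPN matrix plus a random affine map over
    GF(2) standing in for the pairwise-independent hash family h_a
    (assumption: the paper leaves the concrete family open)."""
    hash_out_bits = (N + OUT) * VB
    return {
        "lpn_rows": [rng.getrandbits(N) for _ in range(OUT)],
        "hash_rows": [rng.getrandbits(M) for _ in range(hash_out_bits)],
        "hash_offset": rng.getrandbits(hash_out_bits),
    }


def affine_hash(a, w):
    """h_a(w) = A.w xor b: (N + OUT) blocks of VB bits from the M-bit seed w."""
    out = 0
    for i, row in enumerate(a["hash_rows"]):
        out |= parity(row & w) << i
    return out ^ a["hash_offset"]


def sample(hashed, count):
    """The sample() map: each VB-bit block becomes one Bernoulli(mu) bit."""
    bits = 0
    for i in range(count):
        block = (hashed >> (i * VB)) & ((1 << VB) - 1)
        if block < MU_NUM:
            bits |= 1 << i
    return bits


def prg(a, w):
    """G_a(w) = a.s xor e with (s, e) = sample(h_a(w)), as in Theorem 2."""
    se = sample(affine_hash(a, w), N + OUT)
    s = se & ((1 << N) - 1)        # first N Bernoulli bits: the secret s
    e = se >> N                    # remaining OUT bits: the noise e
    a_s = 0
    for i, row in enumerate(a["lpn_rows"]):
        a_s |= parity(row & s) << i
    return a_s ^ e


def mux(block_string, index):
    """mux_{i_1..i_v}: select the index-th M-bit block of a 2^V*M-bit string."""
    return (block_string >> (index * M)) & ((1 << M) - 1)


def prf(a, k, x, d):
    """F_{k,a}(x) for x in {0,1}^{dV}: d rounds of (G_a, then mux on the next V
    input bits), followed by one final G_a.  The rounds run left-to-right
    here, which is the right-to-left composition written in Section 4.2."""
    node = k
    for level in range(d):
        chunk = (x >> (level * V)) & ((1 << V) - 1)
        node = mux(prg(a, node), chunk)
    return prg(a, node)


if __name__ == "__main__":
    coin = gen_public_coin(random.Random(1))
    print(hex(prg(coin, 0b10110010)), hex(prf(coin, 0b10110010, 0b0110, 2)))
```

Each tree level costs one PRG call and one multiplexer, so the circuit depth grows with d and not with the \(2^{dv}\) tree size; the block reuses the same public coin a at every level, exactly as the text describes.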

Lemma 4

(Levin’s trick [41]). For any \(\ell \le n\in \mathbb {N}\), let \(R_1\) be a random function distribution over \( \{0, 1\}^{\ell } \rightarrow \{0, 1\}^{n} \), let \(\mathcal {H}\) be a family of universal hash functions from n bits to \(\ell \) bits, and let \(H_1\) be a function distribution uniform over \(\mathcal {H}\). Let be a function distribution over \( \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} \). Then, for any \(q\in \mathbb {N}\) and any oracle-aided \(\mathsf{D}\) bounded by q queries, we have

$$ \big |\!\mathop {\Pr }\limits _{{R_1},{H_1}}[\mathsf{D}^{{{R_1}\circ {H_1}}}=1] - \mathop {\Pr }\limits _R[\mathsf{D}^{R}=1]\big |~\le ~\frac{q^2}{2^{\ell +1}}, $$

where R is a random function distribution from n bits to n bits.

Theorem 4

(A direct PRF). Let n be a security parameter, and let \(\mu =n^{-c}\) for constant \(0<c<1\). Assume that the decisional \(\mathsf {LPN}_{\mu ,n}\) problem is \((\alpha n, t, \epsilon )\)-hard for any constant \(\alpha > 1\), then for any (efficiently computable) \(d=\omega (1)\le {O(n)}\) and any \(q~ \le ~n^{d/3}\) there exists a \((q, t-q\,\mathsf {poly}(n), O(dq\epsilon ) + {q^2}{n^{-d}})\)-randomized PRF on \((n^{1-\frac{c}{2}},~O(n^{1-c}\log {n}))\)-weak key

$$\begin{aligned} \bar{\mathcal {F}}=\{\bar{F}_{k,a}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} ,k\in \{0, 1\}^{n^{1-\frac{c}{2}}} ,a\in \{0, 1\}^{O(n^{2})} \}_{n \in \mathbb {N}} \end{aligned}\qquad (6)$$

which is computable by a uniform family of polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates.

Proof

For \(\mu =n^{-c}\), we have by Theorem 2 that the decisional \((\alpha n, t, \epsilon )\)-hard \(\mathsf {LPN}_{\mu ,n}\) implies a \((t-\mathsf {poly}(n), O(\epsilon ))\) randomized PRG in \({\text {AC}}^0\)(MOD\(_2\)) on \((n^{1-\frac{c}{2}},~O(n^{1-c}\log {n}))\)-weak seed k and public coin \(a \in \{0, 1\}^{O(n^2)} \) with stretch factor \(2^v = n^{\frac{c}{2}}\). We plug it into the GGM construction (see Theorem 3) with tree depth \(d' = 2d/c\) to get a \((q, t - q\,\mathsf {poly}(n), O(dq\epsilon ))\) randomized PRF on weak keys (of the same parameters) with input length \(d'v=d\log {n}\) and output length \(2^v\cdot {n^{1-\frac{c}{2}}} = n\) as below:

$$\begin{aligned} \mathcal {F}= \{F_{k,a}: \{0, 1\}^{d\log {n}} \rightarrow \{0, 1\}^{n} , k \in \{0, 1\}^{n^{1-\frac{c}{2}}} , a\in \{0, 1\}^{O(n^{2})} \}_{n\in \mathbb {N}}. \end{aligned}\qquad (7)$$

Now we expand k (e.g., by evaluating \(F_{k,a}\) on a few fixed points) into a pseudorandom \((\bar{k},\bar{h}_1)\), where \(\bar{k}\in \{0, 1\}^{n^{1-\frac{c}{2}}} \) and \(\bar{h}_1\) describes a universal hash function from n bits to \(\ell =d\log {n}\) bits. Motivated by Levin’s trick, we define a domain-extended PRF . For any oracle-aided distinguisher \(\mathsf{D}\) running in time \(t-q\mathsf {poly}(n)\) and making q queries, denote with the advantage of \(\mathsf{D}\) (who gets public coin A as additional input) in distinguishing between function oracles \(F_1\) and \(F_2\). Therefore, we have by a triangle inequality

$$\begin{aligned} \delta _\mathsf{D}(F_{\bar{K},A} \circ \bar{H}_1, R) \le&~\delta _\mathsf{D}(F_{\bar{K},A} \circ \bar{H}_1, F_{{K},A} \circ {H}_1) + \delta _\mathsf{D}(F_{{K},A} \circ {H}_1, R_1 \circ H_1)\\&~~~~ + \delta _\mathsf{D}(R_1 \circ H_1,~R)~\\ \le&~O(dq\epsilon ) + q^2n^{-d}, \end{aligned}$$

where advantage is upper bounded by three terms, namely, the indistinguishability between \((\bar{K}, \bar{H}_1)\) and truly random \((K, H_1)\), that between \(F_{K,A}\) and random function \(R_1\) (of the same input/output lengths as \(F_{K,A}\)), and that due to Lemma 4. Note that A is independent of \(R_1\), \(H_1\) and R.

4.3 Going Beyond the Birthday Barrier

Unfortunately, for small \(d = \omega (1)\) the security of the above PRF does not go beyond super-polynomial (cf. the term \(q^2n^{-d}\)) due to a birthday attack. This situation can be handled using security-preserving constructions. Note that the techniques from [17, 34] need (almost) \(\varOmega (d\log {n})\)-wise independent hash functions, which we do not know how to compute with unbounded fan-in gates of depth O(d). Thus, we use a more intuitive and depth-preserving approach below by simply running a few independent copies and XORing their outputs. The essential idea dates back to [8, 44], and the technique has recently received renewed interest in some different contexts [23, 25]. We mention that an alternative (and possibly more efficient) approach is to use the second security-preserving domain extension technique from [10], which requires a few pairwise independent hash functions and makes only a constant number of calls to the underlying small-domain PRFs. This yields the PRF stated in Theorem 5.

Lemma 5

(Generalized Levin’s Trick [8, 44]). For any \(\kappa , \ell \le n\in \mathbb {N}\), let \(R_1\), \(\ldots , R_\kappa \) be independent random function distributions over \( \{0, 1\}^{\ell } \rightarrow \{0, 1\}^{n} \), let \(\mathcal {H}\) be a family of universal hash functions from n bits to \(\ell \) bits, and let \(H_1\), \(\cdots , H_\kappa \) be independent function distributions all uniform over \(\mathcal {H}\). Let \(F_{{\varvec{R}}, {\varvec{H}}}\) be a function distribution (induced by \({\varvec{R}} = (R_1, \ldots , R_\kappa )\) and \({\varvec{H}} = (H_1, \ldots , H_\kappa ))\) over \( \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} \) defined as

(8)

Then, for any \(q\in \mathbb {N}\) and any oracle-aided \(\mathsf{D}\) bounded by q queries, we have

$$ \big |\!\Pr [\mathsf{D}^{F_{{\varvec{R}},{\varvec{H}}}}=1] - \Pr [\mathsf{D}^{R}=1]\big |~\le ~\frac{q^{\kappa +1}}{2^{\kappa \ell }} $$

where R is a random function distribution over \( \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} \).

Finally, we get the first security-preserving construction below. To have comparable security to LPN with secret size n, it suffices to use a key of entropy \(O(n^{1-c}\cdot \log {n})\), or a uniform key of size \(n^{1-\frac{c}{2}}\) with any \((1-O(n^{-\frac{c}{2}}{\log {n}}))\)-fraction of leakage (see Fact A7), provided that leakage is independent of public coin a.

Theorem 5

(A security-preserving PRF on weak key). Let n be a security parameter, and let \(\mu =n^{-c}\) for constant \(0<c<1\). Assume that the decisional \(\mathsf {LPN}_{\mu ,n}\) problem is \((\alpha {n}, t, \epsilon )\)-hard for any constant \(\alpha >1\), then for any (efficiently computable) \(d=\omega (1)\le {O(n)}\) and any \(q~ \le ~n^{d/3}\) there exists a \((q,~t-q\mathsf {poly}(n),~O(dq\epsilon ))\)-randomized PRF on \((n^{1-\frac{c}{2}}, O(n^{1-c}\cdot \log {n}))\)-weak key

$$ \hat{\mathcal {F}}=\{\hat{F}_{k,a}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} ,k\in \{0, 1\}^{n^{1-\frac{c}{2}}} ,a\in \{0, 1\}^{O(n^{2})} \}_{n \in \mathbb {N}} $$

which are computable by a uniform family of polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates.

Proof sketch

Following the proof of Theorem 4, we get a \((q,~t-q\mathsf {poly}(n), O(dq\epsilon ))\)-randomized PRF \(\mathcal {F}=\{F_{k,a}\}_{n\in \mathbb {N}}\) on weak keys (see (7)) with input length \(d\log {n}\) and of depth O(d). We define \(\mathcal {F}'=\{F'_{({\varvec{k}},{\varvec{h}}),a}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} ,{\varvec{k}}\in \{0, 1\}^{O(\kappa {n^{1-\frac{c}{2}}})} ,{\varvec{h}}\in \mathcal {H}^\kappa ,a\in \{0, 1\}^{O(n^{2})} \}_{n\in \mathbb {N}}\) where

Let . For any oracle-aided distinguisher \(\mathsf{D}\) running in time \(t-q\mathsf {poly}(n)\) and making up to q queries, we have by a triangle inequality that

$$\begin{aligned} \delta _\mathsf{D}({F'}_{({\varvec{K}},{\varvec{H}}),A},~R)~\le & {} ~\delta _\mathsf{D}({F'}_{({\varvec{K}},{\varvec{H}}),A},~F_{{\varvec{R}},{\varvec{H}}}) + \delta _\mathsf{D}(F_{{\varvec{R}},{\varvec{H}}},~R)\\\le & {} ~O(\kappa {d}q\epsilon ) + n^{d(1-2\kappa )/3}\\= & {} ~O(\kappa {d}q\epsilon ) + 2^{-\omega ({n^{1-c}})} = O(\kappa {d}q\epsilon ), \end{aligned}$$

where \(F_{{\varvec{R}},{\varvec{H}}}\) is defined as per (8), the first term of the second inequality is due to a hybrid argument (replacing every \(F_{K_i,A}\) with \(R_i\) one at a time), the second term of the second inequality follows from Lemma 5 with \(\ell =d\log {n}\) and \(q~ \le ~n^{d/3}\), and the equalities follow by setting \(\kappa =n^{1-c}\) to make the first term dominant. Therefore, \(F'_{({\varvec{k}},{\varvec{h}}),a}\) is almost the PRF as desired except that it uses a long key \(({\varvec{k}},{\varvec{h}})\), which can be replaced with a pseudorandom one. That is, let and , which adds only a layer of gates of depth O(d).      \(\square \)
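As an added example (not the paper's code) of the "run a few independent copies and XOR their outputs" idea behind Lemma 5 and the proof sketch of Theorem 5, the block below builds \(F'_{({\varvec{k}},{\varvec{h}}),a}(x)=\bigoplus_{i=1}^{\kappa}F_{k_i,a}(h_i(x))\) from \(\kappa\) universal hashes and \(\kappa\) independently keyed small-domain PRFs, and counts the bad event of Lemma 5 (all \(\kappa\) hashes colliding on a pair of queries) for \(\kappa=1\) versus \(\kappa=3\). Assumptions: the universal family is a random affine map over GF(2) from n bits to \(\ell\) bits; the small-domain PRF \(F_{k_i,a}\) of (7) is replaced by HMAC-SHA256 truncated to n bits, since the point here is the domain extension and not the LPN-based inner PRF; and the toy sizes \(n=32\), \(\ell=10\) are chosen so that more than \(2^\ell\) queries fit in a test.

```python
"""
Domain extension by XORing kappa independent small-domain PRFs, each applied
to its own universal hash of the input (generalized Levin's trick, Lemma 5,
as used in Theorem 5).  Added example, not the paper's code.  Bit strings are
Python ints (bit i of x is (x >> i) & 1).
"""
import hashlib
import hmac
import random
from collections import Counter

N_BITS = 32   # n: input/output length of the extended PRF (toy value)
ELL = 10      # ell = d log n: input length of the small-domain PRF (toy value)


def parity(x):
    """Parity of the set bits of x: GF(2) inner product after an AND."""
    return bin(x).count("1") & 1


def make_universal_hash(rng):
    """One member h of a universal family from N_BITS bits to ELL bits:
    x -> A.x xor b over GF(2) with a random ELL x N_BITS matrix A and offset b.
    Distinct x1, x2 collide exactly when A.(x1 xor x2) = 0, which has
    probability 2^-ELL over the choice of A (assumption: this family stands in
    for whichever universal family the paper uses)."""
    rows = [rng.getrandbits(N_BITS) for _ in range(ELL)]
    offset = rng.getrandbits(ELL)

    def h(x):
        y = 0
        for i, row in enumerate(rows):
            y |= parity(row & x) << i
        return y ^ offset

    return h


def small_domain_prf(key, y):
    """Stand-in for F_{k_i,a} of (7) on ELL-bit inputs: HMAC-SHA256 truncated
    to N_BITS bits (assumption: unrelated to the paper's LPN construction)."""
    digest = hmac.new(key, y.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[: N_BITS // 8], "big")


def make_extended_prf(rng, kappa):
    """F'_{(k,h),a}(x) = XOR_{i=1..kappa} F_{k_i,a}(h_i(x)) on N_BITS-bit inputs.
    Returns the function and its hashes so the collision structure is visible."""
    hashes = [make_universal_hash(rng) for _ in range(kappa)]
    keys = [rng.getrandbits(128).to_bytes(16, "big") for _ in range(kappa)]

    def f(x):
        out = 0
        for h, k in zip(hashes, keys):
            out ^= small_domain_prf(k, h(x))
        return out

    return f, hashes


def find_colliding_pair(h, queries):
    """First pair of queries with h(x1) == h(x2), or None.  For kappa = 1 such a
    pair forces F'(x1) == F'(x2), which a distinguisher can check: this is the
    birthday event behind the q^2 n^{-d} term of Theorem 4."""
    seen = {}
    for x in queries:
        y = h(x)
        if y in seen:
            return seen[y], x
        seen[y] = x
    return None


def full_collision_pairs(hashes, queries):
    """Number of query pairs on which every h_i agrees: the bad event of
    Lemma 5.  With kappa copies all kappa independent hashes must collide at
    once, which is why the advantage drops to q^{kappa+1} / 2^{kappa ell}."""
    buckets = Counter(tuple(h(x) for h in hashes) for x in queries)
    return sum(c * (c - 1) // 2 for c in buckets.values())


if __name__ == "__main__":
    rng = random.Random(42)
    f1, hashes1 = make_extended_prf(rng, 1)
    queries = list(range(1100))            # more than 2^ELL distinct inputs
    hashes3 = hashes1 + [make_universal_hash(rng) for _ in range(2)]
    print("kappa=1 collisions:", full_collision_pairs(hashes1, queries))
    print("kappa=3 collisions:", full_collision_pairs(hashes3, queries))
```

With \(q>2^\ell\) queries a single hash is guaranteed to collide somewhere (pigeonhole), and every such collision makes the \(\kappa=1\) construction repeat an output; with \(\kappa=3\) a pair of queries only degenerates when all three hashes agree, which is what the \(q^{\kappa+1}/2^{\kappa\ell}\) bound of Lemma 5 captures.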

5 An Alternative PRF with a Short Uniform Key

In this section, we introduce an alternative construction based on a variant of LPN (reducible from standard LPN) whose noise vector can be sampled in AC\(^0\) (i.e., without using XOR gates). We state the end results in Theorem 6 that standard LPN with n-bit secret implies a low-depth PRF with key size \(\varTheta (n^{1-c}\log {n})\). Concretely (and ideally), assume that computational LPN is \((q=1.001n, t=2^{n^{1-c}/3}, \epsilon = 2^{-n^{1-c}/12})\)-hard, and let \(\lambda = \varTheta (n^{1-c}\log {n})\), then for any \(\omega (1) = d = O(\lambda /\log ^2{\lambda })\) there exists a parallelizable \((q'=\lambda ^{\varTheta (d)}, t'=2^{\varTheta (\lambda /\log \lambda )}, \epsilon '=2^{-\varTheta (\lambda /\log \lambda )})\)-randomized PRF computable in depth O(d) with secret key length \(\lambda \) and public coin length \(O(\lambda ^{\frac{1+c}{1-c}})\).

5.1 Main Results and Roadmap

Theorem 6

(A PRF with a compact uniform key). Let n be a security parameter, and let \(\mu =n^{-c}\) for constant \(0<c<1\). Assume that the computational \(\mathsf {LPN}_{\mu ,n}\) problem is \((\alpha {n}, t, \epsilon )\)-hard for any constant \(\alpha >1\) and efficiently computable \(\epsilon \), then for any (efficiently computable) \(d=\omega (1)\le {O(n)}\) and any \(q'~ \le ~n^{d/3}\) there exists a \((q', \varTheta (t\cdot \epsilon ^2{n^{1-2c}}), O(dq'{n^2\epsilon }))\)-randomized PRF on uniform key

$$ \tilde{\mathcal {F}}=\{\tilde{F}_{k,a}: \{0, 1\}^{n} \rightarrow \{0, 1\}^{n} ,k\in \{0, 1\}^{\varTheta (n^{1-c}\cdot \log {n})} ,a\in \{0, 1\}^{O(n^{2})} \}_{n \in \mathbb {N}} $$

which are computable by a uniform family of polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates.

We sketch the steps below to prove Theorem 6, where ‘C-’ and ‘D-’ stand for ‘computational’ and ‘decisional’ respectively.

1. Introduce distribution \(\psi _\mu ^m\) that can be sampled in \({\text {AC}}^0\).

2. \(((1+\varTheta (1))n, t, \epsilon )\)-hard C-\(\mathsf {LPN}_{\mu ,n} \implies (\varTheta (n), t-{\mathsf {poly}(n)}, 2\epsilon )\)-hard C-\(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) (by Lemma 3).

3. \((\varTheta (n), t, \epsilon )\)-hard C-\(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n} \implies (\varTheta (n), t-{\mathsf {poly}(n)}, O({n^{3/2-c}}\epsilon ))\)-hard C-\(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) (by Lemma 9).

4. \((\varTheta (n), t, \epsilon )\)-hard C-\(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n} \implies (\varTheta (n), \varOmega (t(\epsilon /n)^2), 2\epsilon )\)-hard D-\(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) (by Theorem 7).

5. \((\varTheta (n), t, \epsilon )\)-hard D-\(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n} \implies (q', t-q'\,\mathsf {poly}(n), O(dq'\epsilon ))\)-randomized PRF for any \(d=\omega (1)\) and \(q' \le n^{d/3}\), where the PRF has key length \(\varTheta (n^{1-c}\log {n})\) and can be computed by polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates. This is stated as Theorem 8.

5.2 Distribution \(\psi _\mu ^{m}\) and the \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) Problem

We introduce a distribution \(\psi _\mu ^m\) that can be sampled in \({\text {AC}}^0\) and show that \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is implied by \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) (and thus by standard LPN). Further, for \(\mu =n^{-c}\), sampling \(\psi _\mu ^m\) needs \(\varTheta (mn^{-c}\log {n})\) random bits, which asymptotically matches the Shannon entropy of \(\mathsf {Ber}_\mu ^m\).

Algorithm 1 (sampler for \(\psi _\mu ^m\)): figure not reproduced.

Lemma 6

The distribution \(\psi _\mu ^m\) (sampled as per Algorithm 1) is \(2^{-\varOmega (\mu {m}\log (1/\mu ))}\)-close to a convex combination of \(\chi _{\mu {m}}^{{m}}\), \(\chi _{\mu {m}+1}^{{m}}\), \(\dots , \chi _{2\mu {m}}^{m}\).

Proof

It is easy to see that \(\psi _\mu ^m\) is a convex combination of \(\chi _1^m\), \(\chi _2^m\), \(\dots , \chi _{2\mu {m}}^{m}\) as conditioned on \(|\psi _\mu ^m|=i\) (for any i) \(\psi _\mu ^m\) hits every \(y\in \{0, 1\}^{m} \) of Hamming weight \(|y|=i\) with equal probability. Hence, it remains to show that those \(\chi _{j}^{m}\)’s with Hamming weight \(j<\mu {m}\) sum to a fraction less than \(2^{-\mu {m}(\log (1/\mu )-2)}\), i.e.,

$$\begin{aligned} \Pr [|\psi _\mu ^m|<\mu {m}]= & {} \sum _{y\in \{0, 1\}^{m} :|y|<{\mu {m}}}\Pr [\psi _\mu ^m=y]\\<&\mu ^{2\mu {m}}{\cdot }2^{m{{\mathbf {H}}}(\mu )-\frac{\log {m}}{2}+O(1)}\\< & {} \mu ^{2\mu {m}} {\cdot }2^{\mu {m}(\log (1/\mu )+2)+O(1)} = 2^{\mu {m}(-\log (1/\mu )+2)+O(1)} \end{aligned}$$

where the first inequality is due to the partial sum of binomial coefficients (see Fact A5) and the fact that, for any fixed y with \(|y|<\mu {m}\), \(\psi _\mu ^m=y\) happens only if the 1-bit of every \(z_i\) (see Algorithm 1) hits the 1’s of y (each with probability less than \(\mu \), independently), and the second inequality is Fact A1.
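Algorithm 1 is not reproduced in this extraction, so the sampler below is an added reconstruction, not the paper's own code, and its exact form is an assumption: it is inferred from the proof of Lemma 6 (each \(z_i\) has a single 1-bit that must land on a 1 of y, and \(\psi_\mu^m\) is uniform on strings of a given weight) and from the seed length \(2\mu(n+q)\log(n+q)\) quoted in Section 5.4. Under that reading, \(\psi_\mu^m\) is the bitwise OR of \(2\mu m\) independent uniformly random unit vectors in \(\{0,1\}^m\), each selected by \(\log m\) seed bits; every output bit is then an OR over \(2\mu m\) ANDs of (possibly negated) seed bits, which is the constant-depth, XOR-free circuit the section needs. The block samples \(\psi_\mu^m\) from a seed and checks the weight bounds used in Lemma 6 (m is assumed to be a power of two so that \(\log m\) bits address a position exactly).

```python
"""
Reconstruction of the AC^0 sampler for psi_mu^m (Section 5.2): OR of 2*mu*m
uniformly random unit vectors in {0,1}^m.  Added example and an assumption
about Algorithm 1, which is not reproduced in this extraction.
"""
import random


def seed_length(m, mu):
    """Random bits consumed: 2*mu*m unit vectors, log2(m) bits each."""
    log_m = m.bit_length() - 1
    return int(2 * mu * m) * log_m


def psi_sample(m, mu, seed):
    """Sample y ~ psi_mu^m from the integer `seed` (seed_length(m, mu) bits).
    Chunk i of log2(m) seed bits is the position of the 1-bit of z_i; the
    output is the bitwise OR of all z_i, so its weight is at most 2*mu*m and
    conditioned on its weight it is uniform over strings of that weight."""
    log_m = m.bit_length() - 1
    if 1 << log_m != m:
        raise ValueError("m must be a power of two in this toy sampler")
    count = int(2 * mu * m)            # number of unit vectors z_i
    mask = (1 << log_m) - 1
    y = [0] * m
    for i in range(count):
        pos = (seed >> (i * log_m)) & mask
        y[pos] = 1                     # z_i hits position pos; OR it in
    return y


def hamming_weight(y):
    return sum(y)


def empirical_weight_range(m, mu, trials, rng):
    """(min weight, max weight, number of samples lighter than mu*m) over
    `trials` fresh seeds: Lemma 6 says the last count should be negligible
    and the max never exceeds 2*mu*m."""
    lo, hi, below = m, 0, 0
    bits = seed_length(m, mu)
    for _ in range(trials):
        w = hamming_weight(psi_sample(m, mu, rng.getrandbits(bits)))
        lo, hi = min(lo, w), max(hi, w)
        if w < mu * m:
            below += 1
    return lo, hi, below


if __name__ == "__main__":
    # Constructed seed for m = 8, mu = 1/4: four 3-bit chunks selecting
    # positions 1, 3, 3, 6.  Two z_i collide, so the weight drops to 3 < 4.
    print(psi_sample(8, 0.25, 3289))
    print(empirical_weight_range(1024, 1 / 32, 200, random.Random(0)))
```

For \(\mu=n^{-c}\) and \(m=\varTheta(n)\) the seed length \(2\mu m\log m\) is \(\varTheta(n^{1-c}\log n)\), the key length that Theorem 6 reports, and it is within a constant factor of the entropy \(m\,\mathbf H(\mu)\approx \mu m\log(1/\mu)=c\,\mu m\log n\) of \(\mathsf{Ber}_\mu^m\), as the text notes.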

By definition of \(\psi _\mu ^{n+q}\) the sampled \((s, e)\) has Hamming weight no greater than \(2\mu (n+q)\), and the following lemma states that \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is almost injective.

Lemma 7

( \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is almost injective). For \(q=\varOmega (n)\), define set . Then, for every \((s,e)\in \mathcal {Y}\),

$$ \mathop {\Pr }\limits _{a\leftarrow {U_{qn}}}\big [\exists (s',e')\in \mathcal {Y}:(s',e')\ne {(s,e)}\wedge ~as \oplus e=as'\oplus {e'}~\big ] = 2^{-\varOmega (q)}. $$

Proof

Let \(\mathcal {H}\mathop {=}\limits ^{{\mathsf{def}}}\{h_a: \{0, 1\}^{n+q} \rightarrow \{0, 1\}^{q} , a\in \{0, 1\}^{qn} ,h_a(s,e) \mathop {=}\limits ^{{\mathsf{def}}}as\oplus {e}\}\) and it is not hard to see that \(\mathcal {H}\) is a family of universal hash functions. We have

$$ \log |\mathcal {Y}|=\log \sum _{i=0}^{(n+q)/\log {n}}{n+q\atopwithdelims (){i}} = O\big ((n+q)\log \log {n}/\log {n}\big )=o(q), $$

where the approximation is due to Fact A5 and the conclusion immediately follows from Lemma 8.

Lemma 8

(The injective hash lemma (e.g. [55])). For any integers \(l_1\le {l_2},m\), let \(\mathcal {Y}\) be any set of size \(|\mathcal {Y}| \le 2^{l_1}\), and let \(\mathcal {H}\mathop {=}\limits ^{{\mathsf{def}}}\{h_a: \{0, 1\}^{m} \rightarrow \{0, 1\}^{l_2} , a\in \mathcal {A},\mathcal {Y}\subseteq \{0, 1\}^{m} \}\) be a family of universal hash functions. Then, for every \(y\in \mathcal {Y}\) we have

$$ \mathop {\Pr }\limits _{~a{\xleftarrow {\$}}\mathcal {A}}[\exists {y'}\in \mathcal {Y}:~{y'}\ne {y}~{\wedge }~h_a(y')=h_a(y)]~{\le }~2^{l_1-l_2}. $$

5.3 Computational \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) \(\rightarrow \) Computational \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\)

Lemma 9 non-trivially extends the well-known fact that the computational LPN implies the computational exact LPN, i.e., \((U_n,\chi _{\mu {q}}^q)\)-\(\mathsf {LPN}_{\mu ,n}\).

Lemma 9

Let \(q=\varOmega (n)\), \(\mu =n^{-c}\) \((0<c<1)\) and \(\epsilon =2^{-O(n^{1-c})}\). Assume that the computational \(\mathsf {Ber}_\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) problem is \((q, t, \epsilon )\)-hard, then the computational \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) problem is \((q, t - \mathsf {poly}(n+q), O(\mu {(n+q)^{3/2}}\epsilon ))\)-hard.

Proof

Let \(m=n+q\) and write \(\mathsf {Adv}_{\mathsf{D}}(X) \mathop {=}\limits ^{{\mathsf{def}}}\Pr _{a\xleftarrow {\$}{U_{qn}},(s,e){\leftarrow }X}[\mathsf{D}_{}(a,a{\cdot }{s} \oplus e)=(s,e)]\). Towards a contradiction we assume that there exists \(\mathsf{D}\) such that \(\mathsf {Adv}_{\mathsf{D}}(\psi _\mu ^{m})>\epsilon '\), and we assume WLOG that on input \((a, z)\) \(\mathsf{D}\) always outputs \((s',e')\) with \(|(s',e')|\le {2\mu {m}}\). That is, even if it fails to find any \((s',e')\) satisfying \(as'\oplus {e'}=z\) and \(|(s',e')|\le {2\mu {m}}\), it just outputs a zero vector. Lemma 6 states that \(\psi _\mu ^{m}\) is \(2^{-\varOmega (\mu {n}\log (1/\mu ))}\)-close to a convex combination of \(\chi _{\mu {m}}^m\), \(\chi _{\mu {m}+1}^m\), \(\dots , \chi _{2\mu {m}}^{m}\), and thus there exists \(j\in \{\mu {m},\mu {m}+1, \dots , 2\mu {m}\}\) such that \(\mathsf {Adv}_{\mathsf{D}}(\chi _{j}^m)>\epsilon '-2^{-\varOmega (n^{1-c}\log {n})}>\epsilon '/2\), which further implies that \(\mathsf {Adv}_{\mathsf{D}}(\mathsf {Ber}_{j/m}^m)=\varOmega (\epsilon '/\sqrt{m})\), as \(\mathsf {Ber}_{j/m}^m\) is a convex combination of \(\chi _{0}^m\), \(\dots , \chi _{m}^{m}\), of which it hits \(\chi _{j}^{m}\) with probability \(\varOmega (1/\sqrt{m})\) by Lemma 10. Next, we define \(\mathsf{D}'\) as in Algorithm 2.

Algorithm 2 (the reduction \(\mathsf{D}'\)): figure not reproduced.

We denote by \(\mathcal {E}_{suc}\) the event that \(\mathsf{D}\) succeeds in finding \((s',e')\) such that \(as' \oplus \, e'=z\oplus (as_1\oplus {e_1})\), and thus we have \(a(s'\oplus {s_1}) \oplus (e'\oplus {e_1})=z=as\oplus {e}\), where values are sampled as defined above. This however does not immediately imply \((s,e)=(s'\oplus {s_1},e'\oplus {e_1})\) unless conditioned on the event \(\mathcal {E}_{inj}\) that \(h_a(s,e) \mathop {=}\limits ^{{\mathsf{def}}}a{\cdot {s}\oplus {e}}\) is injective on input \((s, e)\).

where the bound on event \(\lnot \mathcal {E}_{inj}\) is given below. We reach a contradiction by setting \(\epsilon '=\varOmega (1)\cdot \mu {m^{3/2}}\epsilon \) for a large enough \(\varOmega (1)\) so that \(\mathsf{D}'\) solves \(\mathsf {Ber}_\mu ^{m}\)-\(\mathsf {LPN}_{\mu ,n}\) with probability greater than \(\epsilon \).

where , the second inequality is from Lemma 7, the third inequality uses that \(|(u\oplus {w})|\ge {\kappa }\) implies \(|w|\ge {\kappa }-|u|\) and that, by definition of \(\mathsf{D}\), the string \((s',e')\) has Hamming weight no greater than \({2\,\mu {m}}\), and the last inequality is a typical Chernoff-Hoeffding bound.

Lemma 10

For \(0<\mu '<1/2\) and \(m\in \mathbb {N}\), we have that

$$ \Pr \bigg [|\mathsf {Ber}_{\mu '}^{m}| = \lceil \mu '{m}\rceil ~\bigg ]=\varOmega (1/\sqrt{m}). $$

5.4 C- \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) \(\rightarrow \) D- \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) \(\rightarrow \) \(\omega (1)\)-Depth PRFs

Next we show that the computational \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) problem implies its decisional counterpart. The theorem below is implicit in [5], and the case of \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is a special case of it. Note that \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) is almost injective by Lemma 7, and thus its computational and decisional versions are equivalent in a sample-preserving manner. In fact, Theorem 7 holds even without the injective condition, albeit with looser bounds.

Theorem 7

(Sample preserving reduction [5]). If the computational X-\(\mathsf {LPN}_{\mu ,n}\) is \((q, t, \epsilon )\)-hard for any efficiently computable \(\epsilon \), and it satisfies the injective condition, i.e., for any \((s,e)\in \textsf {Supp}(X)\) it holds that

$$ \mathop {\Pr }\limits _{~a{\leftarrow }U_{qn}}[\exists {(s',e')}\in \textsf {Supp}(X):~{(s',e')}\ne {(s,e)}~{\wedge }~a\cdot {s}\oplus {e}=a\cdot {s'}\oplus {e'}]~{\le }~2^{-\varOmega (n)}. $$

Then, the decisional X-\(\mathsf {LPN}_{\mu ,n}\) is \((q, \varOmega (t(\epsilon /n)^2), 2\epsilon )\)-hard.

Theorem 8

(Decisional \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) \(\rightarrow \) PRF). Let n be a security parameter, and let \(\mu =n^{-c}\) for any constant \(0<c<1\). Assume that the decisional \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) problem is \((\delta {n}, t, \epsilon )\)-hard for any constant \(\delta >0\), then for any (efficiently computable) \(d=\omega (1)\le {O(n)}\) and any \(q'~ \le ~n^{d/3}\) there exists a \((q', t-q'\mathsf {poly}(n), O(dq'\epsilon ))\)-randomized PRF (on uniform key) with key length \(\varTheta (n^{1-c}\log {n})\) and public coin size \(O(n^2)\), which are computable by a uniform family of polynomial-size depth-O(d) circuits with unbounded-fan-in AND, OR and XOR gates.

Proof sketch

The proof is essentially the same as that of Theorem 5, replacing the Bernoulli randomness extractor with the \(\psi _\mu ^{n+q}\) sampler. That is, decisional \(\psi _\mu ^{n+q}\)-\(\mathsf {LPN}_{\mu ,n}\) for \(q=\varTheta (n)\) implies a constant-depth polynomial-stretch randomized PRG on seed length \(2{\mu }(n+q)\log {(n+q)}=\varTheta (n^{1-c}\log {n})\) and output length \(\varTheta (n)\), which in turn implies a nearly constant-depth randomized PRF, where the technique in Lemma 5 is also used to make the construction security preserving.       \(\square \)