TECHNION
Israel Institute of Technology
Technion - Computer Science Department - Technical Report CS0494 - 1988
Computer Science Department

ON THE EXISTENCE OF PSEUDORANDOM GENERATORS

by O. Goldreich, H. Krawczyk and M. Luby

Technical Report #494, February 1988
On the Existence of Pseudorandom Generators
(Preliminary Version -- October 29th, 1987)

Oded Goldreich, Dept. of Computer Sc., Technion, Haifa, Israel
Hugo Krawczyk, Dept. of Computer Sc., Technion, Haifa, Israel
Michael Luby, Dept. of Computer Sc., University of Toronto, Ontario, Canada

ABSTRACT. Pseudorandom generators [BM, Y] are efficient deterministic programs that expand a randomly selected k-bit seed into a much longer pseudorandom bit sequence which is indistinguishable in polynomial-time from a sequence of unbiased coin tosses. Thus, pseudorandom sequences can replace truly random sequences in all practical (i.e. polynomial-time) applications. Pseudorandom generators are known to exist assuming the existence of one-way permutations [Y]. The requirement that the one-way function be a permutation has been relaxed [L]. It suffices that the function cannot be efficiently inverted on the distributions induced by applying the function iteratively $i$ times, $1 \le i \le k^{3/2}$, where $k$ denotes the length of the argument. Such a function was called "one-way on its iterates". The existence of functions which are one-way on their iterates is not only a sufficient, but also a necessary condition for the existence of pseudorandom generators. However, this condition is cumbersome, and it seems difficult to check whether particular functions, assumed to be one-way, are also one-way on their iterates. This raises the fundamental question whether the mere existence of a one-way function suffices for the construction of pseudorandom generators. In this paper we present progress towards this goal. We consider regular functions, in which every image of a k-bit string has the same number of preimages of length k. We show that if a regular function is one-way then pseudorandom generators do exist. It should be noted that (w.r.t. a fixed function) regularity is incomparable with being "one-way on the iterates", and that regularity is easier to test than the plausibility of being "one-way on the iterates". In fact, assuming the intractability of general factoring, we can now prove that pseudorandom generators do exist. This has been previously known only under the intractability assumption for factoring a special type of integers (more specifically, integers with all prime factors congruent to 3 mod 4). Another application is the construction of a pseudorandom generator based on the intractability assumption of decoding random linear codes. Our result holds, in fact, for a more general condition. We conjecture that our construction works for any one-way function.

Research done while the third author was visiting the Computer Science Dept. of the Technion. First author was supported by grant No. 86-00301 from the United States - Israel Binational Science Foundation (BSF), Jerusalem, Israel. Third author was partially supported by a Natural Sciences and Engineering Research Council of Canada operating grant and by a University of Toronto grant.
1. INTRODUCTION

In recent years randomness has become a central notion in the theory of computation. It is heavily used in the design of sequential, parallel and distributed algorithms, and is of course crucial to cryptography. Once so frequently used, randomness itself has become a resource, and economizing the amount of randomness required for an application has become a natural concern. It is in this light that the notion of pseudorandom generators was first suggested and the following fundamental result was derived: the number of coin tosses used in any practical application (modeled by a polynomial-time computation) can be decreased to an arbitrary power of the input length. The key to the above informal statement is the notion of a pseudorandom generator suggested and developed by Blum and Micali [BM] and Yao [Y]. A pseudorandom generator is a deterministic polynomial-time algorithm which expands short seeds into longer bit sequences, such that the output ensemble is polynomially-indistinguishable from the uniform probability distribution. More specifically, the generator (denoted $G$) expands a $k$-bit seed into a $2k$-bit sequence so that for every polynomial-time algorithm (distinguishing test) $T$, any constant $c > 0$, and sufficiently large $k$

$$\bigl|\, \mathrm{prob}[T(G(X_k)) = 1] - \mathrm{prob}[T(X_{2k}) = 1] \,\bigr| \le k^{-c},$$

where $X_m$ is a random variable assuming as values strings of length $m$, with uniform probability distribution. It follows that the strings output by a pseudorandom generator $G$ can substitute the unbiased coin tosses used by any polynomial-time algorithm $A$, without damaging the behaviour of algorithm $A$ in a noticeable fashion. This yields an equivalent polynomial-time algorithm, $A'$, which randomly selects a seed, uses $G$ to expand it to the desired amount, and then runs $A$ using the output of the generator as the random source required by $A$. This is the basis of Yao's theorem [Y] stating that if there is a pseudorandom generator then random polynomial-time is contained in deterministic subexponential-time (i.e. $R \subseteq \bigcap_{\epsilon > 0} \mathrm{DTime}(2^{k^\epsilon})$). The theory of pseudorandomness was further developed to deal with function generators and permutation generators and many additional applications to cryptography have emerged [GGM, LR]. The existence of such seemingly stronger generators was reduced to the existence of pseudorandom (string) generators.

In light of their practical and theoretical importance, constructing pseudorandom generators calls for the attention of the research community. Of course, such a construction is possible only if one-way functions exist (since the generator itself can be easily modified into a one-way function). However, it is not known whether this necessary condition is sufficient. Instead, stronger versions of the one-wayness condition were shown to be sufficient. Before reviewing these results, let us recall the definition of a one-way function.
Definition 1: A function $f : \{0,1\}^* \to \{0,1\}^*$ is called one-way if it is polynomial-time computable, but not "polynomial-time invertible". Namely, there exists a constant $c > 0$ such that for any probabilistic polynomial-time algorithm $A$, and sufficiently large $k$,

$$\mathrm{prob}[A(f(x), 1^k) \notin f^{-1}(f(x))] > k^{-c}, \qquad (1)$$

where the probability is taken over all $x$'s of length $k$ and the internal coin tosses of $A$, with uniform probability distribution. (Remark: The role of $1^k$ in the above definition is to allow algorithm $A$ to run time polynomial in the length of the preimage it is supposed to find. Otherwise, any function which shrinks the input by more than a polynomial amount will be considered one-way.)
1.1. Previous Results

Pseudorandom generators based on the one-wayness of a particular permutation: The first pseudorandom generator was constructed and proved valid, by Blum and Micali, under the assumption that the discrete logarithm problem is intractable on a non-negligible fraction of the instances [BM]. In other words, it was assumed that exponentiation modulo a prime (i.e. the 1-1 mapping of $(p, g, x)$ to $(p, g, g^x \bmod p)$, where $p$ is prime and $g$ is a primitive element in $Z_p^*$) is one-way. Assuming the intractability of factoring integers of the form $N = p \cdot q$, where $p, q$ are primes and $p \equiv q \equiv 3 \pmod 4$, a simple pseudorandom generator exists [BBS, ACGS] (1). In this case squaring modulo such integers is assumed to be a one-way permutation over the quadratic residues modulo the integer.

(1) A slightly more general result, concerning integers with all prime divisors congruent to 3 mod 4, also holds [CGG].

Pseudorandom generators based on any one-way permutation: Yao has presented a much more general condition which suffices for the existence of pseudorandom generators; namely, the existence of one-way permutations [Y]. In fact, Yao's condition is even more general. He requires that $f$ is 1-1 and that there exists a probability ensemble $\Pi$ which is invariant under the application of $f$ and that inverting $f$ is "hard on the average" when the input is chosen according to $\Pi$.

Pseudorandom generators based on a function which is one-way on its iterates: Levin has relaxed Yao's condition, presenting a necessary and sufficient condition for the existence of pseudorandom generators [L]. Levin's condition, hereafter referred to as one-way on iterates, can be derived from Definition 1 by substituting the following line (2) instead of line (1)
(2)

where $f^{(i)}(x)$ denotes $f$ iteratively applied $i$ times on $x$. (As before the probability is taken uniformly over all $x$'s of length $k$.) Levin proved that if a function is one-way on its iterates then pseudorandom generators do exist. Clearly, any one-way permutation is one-way on its iterates. It is also easy to use any pseudorandom generator in order to construct a function which satisfies Levin's condition. Although Levin's condition for the construction of pseudorandom generators is necessary as well as sufficient, it is not simple. In particular, it seems hard to test the plausibility of the assumption that a particular function is one-way on its iterates. Furthermore, it is an open question whether Levin's condition is equivalent to the existence of one-way functions.
1.2. Our Results

In this report we present progress towards resolving the above question. We consider "regular" functions, in which every element in the range has the same number of preimages. More formally, we call a function $f$ regular if there exists a function $m(\cdot)$ such that for every $x \in \{0,1\}^*$ the cardinality of $f^{-1}(f(x)) \cap \{0,1\}^{|x|}$ equals $m(|x|)$. Clearly, every 1-1 function is regular (with $m(n) = 1$, $\forall n$). Our main result is

Main Theorem (special case): If there exists a regular one-way function then there exists a pseudorandom generator.

Regularity appears to be a simpler condition than intractability of inverting on the function's iterates. Furthermore, many natural functions (e.g. squaring modulo an integer) are regular and thus using our result a pseudorandom generator can be efficiently constructed assuming that any of these functions is one-way (instead of assuming that these functions are also one-way on their iterates). In particular, if factoring is weakly intractable (i.e. every polynomial-time factoring algorithm fails on a non-negligible fraction of the integers) then pseudorandom generators do exist. This result was not known before! (It was only known that the intractability of factoring a special subset of the integers implies the existence of a pseudorandom generator.) Using our results, we can also construct a pseudorandom generator based on the assumption that decoding random linear codes is intractable.

The main theorem is proved by transforming any given regular one-way function into a function which is one-way on its iterates (and then applying Levin's result [L]). It is interesting to note that not every (regular) one-way function is "one-way on its iterates". Furthermore, assuming that (regular) one-way functions exist, one can construct a (regular) one-way function which is easy to invert on the distribution obtained by applying the function twice (see Appendix). The novelty of this work is in presenting a direct construction that, given a (regular) one-way function which is not necessarily one-way on its iterates, yields a function that is one-way on its iterates. (An indirect construction which passes through a universal Turing machine is implicit in Levin's work. However, his construction may not use the function given.) Given an arbitrary one-way function $f$, we construct the following function $f'$, which takes as arguments an index $i = (i_1, i_2)$, many $x_j$'s and many high quality hashing functions ($h_j$'s).

The idea behind the construction is that an algorithm inverting $f'$ on one of its iterates will also succeed in inverting $f$. In the case of regular functions, this is proved by showing that the probability distribution induced by the alternating sequential applications of $f$ and the $h_j$'s is close to the probability distribution induced by a single application of $f$. Proving that these two distributions are close reduces to bounding the weight of balls in the following game. The game is played with $M$ balls and $M$ cells, and consists of $t$ iterations. In each iteration, each ball is randomly assigned a cell with uniform probability distribution. Balls which fall into the same cell are merged into one ball, having weight equal to the sum of the weights of the balls assigned to this cell. We show that with very high probability, no ball ends the game with weight more than polynomial in $t$ and $\log M$.
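A simulation of the balls-and-cells game just described, added here as an illustration (it is not code from the paper); the game is played with a seeded generator so that runs are reproducible, and the parameters in the `__main__` block are constructed for a quick look at how the heaviest ball grows with $M$:

```python
import random
from collections import defaultdict


def play_balls_and_cells(num_balls, iterations, rng):
    """Play the merging game with M = num_balls balls and M cells.

    Every ball starts with weight 1. In each of the t = iterations rounds each
    ball is thrown into one of the M cells uniformly at random; all balls that
    land in the same cell merge into one ball whose weight is the sum of their
    weights. Returns the list of ball weights after the last round.
    """
    weights = [1] * num_balls
    for _ in range(iterations):
        cell_weight = defaultdict(int)
        for w in weights:
            cell_weight[rng.randrange(num_balls)] += w
        weights = list(cell_weight.values())
    return weights


def play_seeded(num_balls, iterations, seed):
    """Same game, driven by a fixed seed (reproducible)."""
    return play_balls_and_cells(num_balls, iterations, random.Random(seed))


def heaviest_ball_over_trials(num_balls, iterations, trials, seed=0):
    """Largest final weight seen over `trials` independent games.

    The paper's claim is that this stays polynomial in t and log M with very
    high probability, i.e. far below the total weight M.
    """
    rng = random.Random(seed)
    return max(
        max(play_balls_and_cells(num_balls, iterations, rng))
        for _ in range(trials)
    )


def total_weight(weights):
    """Merging only moves weight between balls, so this always equals M."""
    return sum(weights)


if __name__ == "__main__":
    for m in (64, 256, 1024):
        print(m, heaviest_ball_over_trials(m, iterations=10, trials=20))
```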
2. MAIN RESULT

2.1. Preliminaries

In the sequel we make use of the following definition of strongly one-way function. (When referring to Definition 1, we shall call the function weak one-way or simply one-way.)

Definition 2: A polynomial-time computable function $f : \{0,1\}^* \to \{0,1\}^*$ is called strongly one-way if for any probabilistic polynomial-time algorithm $A$, any positive constant $c$, and sufficiently large $k$,

$$\mathrm{prob}[A(f(x), 1^k) \in f^{-1}(f(x))] < k^{-c},$$

where the probability is taken over all $x$'s of length $k$ and the internal coin tosses of $A$, with uniform probability distribution.

Theorem 1 (Yao [Y]): There exists a strong one-way function if and only if there exists a (weak) one-way function. Furthermore, given a one-way function, a strong one can be constructed.

It is important to note that Yao's construction preserves the regularity of the function. Thus, we may assume without loss of generality, that we are given a function $f$ which is strongly one-way and regular. For the sake of simplicity, we assume $f$ is length preserving (i.e. $\forall x, |f(x)| = |x|$). Our results hold also without this assumption (see subsection 2.6).

In the construction of a function that is one-way on the iterates, we use high quality hash functions. More specifically, we use hash functions which map $n$-bit strings to $n$-bit strings, such that the locations assigned to the strings by a randomly selected hash function are uniformly distributed and $n$-wise independent. We denote this set of hash functions by $H_n$. These functions can be described by means of an $n^2$-bit string. In the sequel $h$ ($\in H_n$) will refer both to the hash function and to its representation. For properties and implementations of these functions see [CW, J, CG, Lu].

Notation: For a finite set $S$, the notation $s \in_R S$ means that the element $s$ is selected from the set $S$ with uniform probability distribution.
2.2. Main Ideas

Suppose we are given a regular and strongly one-way function $f$. We construct a new function $f'$ that will be also strongly one-way, not only for its first application but for $k^{3/2}$ iterations, where $k$ is the length of the input for $f'$. Using Levin's results, this construction suffices for proving our Main Theorem. Following are the main ideas behind this construction.

Since the function $f$ is strongly one-way, any algorithm trying to invert $f$ may succeed only on a negligible fraction of inputs. Here the success probability is taken over the elements in the range of $f$, distributed according to the weight that $f$ associates to them (i.e. the number of elements $f$ maps to them). However, this condition says nothing about the capability of certain algorithms to invert the function when the range elements are taken from a fairly different distribution. This may be the case when applying the function twice or more (see Appendix). To prevent this possibility, we redistribute, after each application of $f$, the elements in the range to random locations in the domain. We prove the validity of our construction by showing that the probability distribution induced on the range of $f$ by our "random" transformations keeps close to the distribution induced by the first application of $f$. For achieving the right number of iterations required for the construction of pseudorandom generators, this redistribution must be applied several times, alternating with the application of the function $f$. Note that the function $f'$ we construct must be deterministic, and therefore this redistribution must be also deterministic (i.e. uniquely defined by the input to $f'$).

The way we implement these ideas is as follows. We look at the input string to $f'$ as containing two types of information. One part of the string is the description of hash functions which will implement the "random" redistributions. The second part is interpreted as inputs for the original function $f$. We also must make sure that the information contained in the input string to $f'$ will be sufficient for the application of $k^{3/2}$ iterations of the function (where $k$ is the length of the input to $f'$). In particular, it is essential for our function to use the hash functions described in its input several times rather than for a single application.
2.3. The Construction of $f'$

Following is the definition of the function $f'$:

where $i = (i_1, i_2)$, $1 \le i_1 \le s$, $1 \le i_2 \le t$, $x_j \in \{0,1\}^n$, and $h_j \in H_n$. $s = s(n)$ and $t = t(n)$ are polynomials in $n$, whose exact values will be fixed later. The successor of the index $i$ is defined as $i + 1 = (i_1, i_2 + 1)$ if $i_2$ ...

(Note that this phenomenon is independent of the choice of the parameter $n$.) Instead we use the following technical Lemma.

Lemma 5: Let $S$ be a finite set, and let $X$ be a random variable assuming as values partitions of $S$. For every $A \subseteq S$, we define a predicate $X_A$ mapping partitions to Boolean values so that $X_A(\Pi) = 1$ iff $A$ is contained in a single class of the partition $\Pi$. Let $n < n'$ be integers. Let $p_n$ denote an upper bound on the probability that a specific $n$-subset is contained in a single class of a partition chosen at random as above (i.e. $(\forall A \subseteq S, |A| = n)\ \mathrm{Prob}(X_A(X) = 1) \le p_n$). Let $q_{n'}$ denote the probability that a partition chosen at random as above contains a class of cardinality $\ge n'$. Then

$$q_{n'} \le \frac{\binom{|S|}{n}}{\binom{n'}{n}} \cdot p_n .$$

$> n^{-c}$, where $g$ and $z$ are chosen with the above probability. By using this algorithm $A$, we can demonstrate an algorithm $A'$ which inverts $f$, contradicting the one-wayness of $f$. On input $z = f(x)$, $A'$ picks $r \in_R \{1, \ldots, t(n)\}$ and $g \in_R G_n(r)$ and outputs $A(g, z)$.
We now show that $A'$ inverts $f$ (on the uniform distribution). Note that there must exist a non-negligible subset of $G'$ (defined above), denoted $G''$, such that for each $g$ in this set, $A$ succeeds with a significant probability, where the probability distribution of inputs to $A$ is the one induced by $g$. Since $g \in G'$, the probability of any $z$ under $g$ differs by a polynomial factor from the probability induced by $f$. Thus, for $g \in G''$, $A$ will succeed with non-negligible probability also when the elements $z$ are taken from the probability distribution that $f$ induces on its range. This is exactly the distribution of inputs to $A'$, and contradiction follows. $\square$

Theorem 2 follows from Lemma 8 by noting that algorithm $A$ on input $g$ and $g(x)$ can simulate the extra information given to the inverter of $f'$. Q.E.D.
2.6. Extensions

In the above exposition we assumed for simplicity that the function $f$ is length preserving. In fact, this condition is not essential for our proof. If $f$ does not have this property, we can modify it in order to have a relaxed condition. Namely, that for any length $n$, any two elements of length $n$ have images of the same length, say $n'$. (This modification can be carried out using a padding technique that preserves the regularity of $f$.) Once this condition holds, all we need is to use sets of hash functions mapping $n'$-bit strings to $n$-bit strings.

Another extension is a relaxation of the regularity condition.

Definition 3: A function $f : \{0,1\}^* \to \{0,1\}^*$ is called weakly regular if
i) There exists a bound function $b(\cdot)$, such that for any $n$ and any $x \in \{0,1\}^n$, the cardinality of the set $S_x = f^{-1}(f(x)) \cap \{0,1\}^n$ is at most $b(n)$.
ii) There exist polynomials $p(\cdot)$ and $q(\cdot)$, such that for any $n$ the cardinality of the set $\{x \in \{0,1\}^n : |S_x| \ge b(n)/p(n)\}$ is at least $2^n / q(n)$.

Clearly, this definition extends the original definition of regularity. For weakly regular functions that are strongly one-way, our construction still works, with a slightly modified proof.

For the applications in Section 4, and possibly for other cases, the following extension (referred to as semi-regular) is useful. Let $\{f_x\}_{x \in \{0,1\}^*}$ be a family of regular functions; then our construction can still be applied to the function $f$ defined as $f(x, y) = (x, f_x(y))$. The idea is to use the construction for the application of the function $f_x$, while keeping $x$ unchanged.
3. Functions which are One-way on Iterates imply Pseudorandom Generators (A survey of Levin's work [L])

The Main Theorem stated in the introduction is proven by combining Theorem 2 (above) with Levin's following result.

Theorem 9 [L]: If there exists a function which is one-way on iterates then there exists a pseudorandom generator.

In the sequel we provide a sketch of Levin's proof [L], which follows Yao's argument [Y]. The proof consists of four parts, and is sketched here since the original proof is complete except for "obvious details" (i.e. obvious to Levin). (The write-up of this part will be improved in the final version.)

Levin starts with a function $f$ which is one-way on its iterates. First, it is shown that the function $f$ can be slightly modified into a function $f_1$ so that there exists a predicate $b_1$ satisfying the following two conditions: (1) the predicate is polynomial-time computable (i.e. there exists a polynomial-time algorithm $A$ such that $A(x) = b_1(x)$); but (2) the predicate cannot be efficiently 0.99-approximated from the value of the function (i.e. for every polynomial-time algorithm $A'$, $\mathrm{Prob}(A'(f_1(x)) = b_1(x)) \le 0.99$, where $x$ is taken from a distribution generated by repeated applications of $f$). For this argument, Levin uses an error-correcting code which can correct a constant fraction of errors (up to 4%) and has polynomial-time encoding and decoding algorithms. Let $C(x)$ denote the codeword of the information word $x$, and let $1 \le i \le |C(x)|$. Define $f_1(i, x) = (i, f(x))$ and $b_1(i, x)$ as the $i$-th bit of $C(x)$. Clearly, $f_1$ is one-way and $b_1$ is polynomial-time computable. Now, assume that $A'$ guesses $b_1(i, x)$ correctly with probability 0.99, when the probability is taken over all choices of $i$ and $x$. Then at least half the probability mass of the $x$'s is concentrated on $x$'s for which $A'$ has success probability $\ge 0.98$. Running $A'$ on $(1, f(x)), (2, f(x)), \ldots, (|C(x)|, f(x))$, with probability $\ge 1/2$, we obtain at least 0.96 of the $b_1(i, x)$'s. Applying the decoding algorithm, in this case, we retrieve $x$, contradicting the one-wayness of $f$.

Second, it is shown that by applying $f_1$ in parallel sufficiently many times and XORing the corresponding values of $b_1$ one gets a function $f_2$ and a predicate $b_2$ such that $b_2(y)$ can be efficiently guessed from $f_2(y)$ only with probability negligibly close to half. (This statement is known as "Yao's XOR technique".) In this case the number of copies should only be more than logarithmic, since we started with a predicate which cannot be guessed better than with some constant probability. Next, one applies the construction of Blum and Micali [BM] to obtain a generator which outputs bit sequences which cannot be efficiently predicted. Finally, one uses Yao's theorem [Y] that an ensemble is unpredictable if and only if it is pseudorandom.
It is important to note that the length of the argument to the functions, constructed throughout Levin's proof, increases while the number of iterations on which these functions are guaranteed to be one-way remains as in the original function $f$. Let $k$ be the length of the argument to the original function. Then the argument to $f_1$ has length $k + O(\log k) = O(k)$ and the length of the argument to $f_2$ is $O(k \cdot (\log k)^2)$. When using the Blum and Micali construction we need to be able to apply the function $f_2$ a number of times which is twice the length of its argument. The function $f_2$ needs only be one-way for this number of iterations. Thus, if $f$ is one-way on its first $O(k \cdot (\log k)^2) < k^{3/2}$ iterates then we are done.

Remark: The above argument gives a pseudorandom generator which expands $k$-bit strings to $2k$-bit strings. Using such a pseudorandom generator, one can construct a pseudorandom function [GGM], which clearly yields a pseudorandom generator which expands $k$-bit strings to $p(k)$-bit strings, for an arbitrary polynomial $p$.
4. Applications: Pseudorandom Generators Based on Particular Intractability Assumptions

In this section we apply our results in order to construct pseudorandom generators (PRGs) based on the assumption that one of the following two computational problems is "hard on a non-negligible fraction of the instances". The first problem is factoring (arbitrary!) integers. The second problem is decoding random linear codes.

4.1. PRG Based on the Intractability of the General Factoring Problem

It is known that pseudorandom generators can be constructed assuming the intractability of factoring integers of a special form [Y]. More specifically, it was assumed that any polynomial-time algorithm will fail on a non-negligible fraction of the integers which contain only prime factors which are congruent to 3 modulo 4. With respect to such an integer $N$, squaring modulo $N$ defines a permutation over the set of quadratic residues mod $N$, and therefore the intractability of factoring (such $N$'s) yields the existence of a one-way permutation [R]. It was not known how to construct a one-way permutation or a pseudorandom generator assuming that factoring a non-negligible fraction of all the integers is intractable. In such a case modular squaring is a one-way function, but this function does not necessarily induce a permutation. Fortunately, modular squaring is a semi-regular function (see subsection 2.6), so we can apply our results.

Assumption IGF (Intractability of the General Factoring Problem): There exists a constant $c > 0$ such that for any probabilistic polynomial-time algorithm $A$, and sufficiently large $k$

$$\mathrm{prob}[A(N) \text{ does not split } N] > k^{-c},$$

where $N \in_R \{0,1\}^k$.

Corollary 10: The IGF assumption implies the existence of pseudorandom generators.

Proof: Define the following function $f(N, x) = (N, x^2 \bmod N)$. Clearly, this function is semi-regular. The one-wayness of the function follows from IGF (using Rabin's argument [R]). Using an extension of Theorem 2 (see subsection 2.6) the corollary follows. $\square$

Subsequently, J. (Cohen) Benaloh has found a way to construct a one-way permutation based on the IGF assumption. This yields an alternative proof of Corollary 10.
4.2. PRG Based on the Intractability of Decoding Random Linear Codes

One of the most outstanding open problems in coding theory is that of decoding random linear codes. Of particular interest are random linear codes with constant information rate which can correct a constant fraction of errors. An $(n', k', d')$-linear code is a $k'$-by-$n'$ binary matrix in which the bit-by-bit XOR of any subset of the rows has at least $d'$ ones. The Gilbert-Varshamov bound for linear codes guarantees the existence of such a code provided that $k'/n' < 1 - H_2(d'/n')$, where $H_2$ is the binary entropy function [McS, ch. 1, p. 34]. The same argument can be used to show that (for every $\epsilon > 0$) if $k'/n' < 1 - H_2((1 + \epsilon) \cdot d'/n')$, then almost all $k'$-by-$n'$ binary matrices constitute $(n', k', d')$-linear codes.

We suggest the following function $f : \{0,1\}^* \to \{0,1\}^*$. Let $C$ be a $k'$-by-$n'$ binary matrix, $x \in \{0,1\}^{k'}$, and $e \in E_{n',t'} \subseteq \{0,1\}^{n'}$ be a binary string with at most $t' = \lfloor (d' - 1)/2 \rfloor$ ones, where $d'$ satisfies the above condition. Clearly, $E_{n',t'}$ can be uniformly sampled by an algorithm $S$ running in time polynomial in $n'$ (i.e. $S : \{0,1\}^{\mathrm{poly}(n')} \to E_{n',t'}$). Let $r \in \{0,1\}^{\mathrm{poly}(n')}$ be a string such that $S(r) \in E_{n',t'}$. Then,

$$f(C, x, r) = (C, C(x) + S(r)),$$

where $C(x)$ is the codeword of $x$ (i.e. $C(x)$ is the vector resulting from the matrix product $xC$). One can easily verify that $f$ just defined is semi-regular (i.e. $f_C(x, r) = C(x) + S(r)$ is regular for all but a negligible fraction of the $C$'s). The vector $xC + e$ ($e = S(r)$) represents a codeword perturbed by the error vector $e$.

Assumption IDLC (Intractability of Decoding Random Linear Codes): There exists a constant $c > 0$ such that for any probabilistic polynomial-time algorithm $A$, and sufficiently large $k$

$$\mathrm{prob}[A(C, C(x) + e) \ne x] > k^{-c},$$

where $C$ is a randomly selected $k'$-by-$n'$ matrix, $x \in_R \{0,1\}^{k'}$ and $e \in_R E_{n',t'}$.

Now, either assumption IDLC is false, which would be an earthshaking result in coding theory, or pseudorandom generators do exist.

Corollary 11: The IDLC assumption implies the existence of pseudorandom generators.

Proof: The one-wayness of the function $f$ follows from IDLC. Using an extension of Theorem 2 (see subsection 2.6) the corollary follows. $\square$
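An added brute-force regularity check for the two functions behind Corollaries 10 and 11 (example code written for this page, not from the paper): it counts preimages of $x \mapsto x^2 \bmod N$ on the units of $Z_N$ for small $N$, and preimages of $f_C(x, e) = xC + e$ for a fixed small matrix $C$. The [7,4,3] Hamming code stands in for a random $C$ that meets the distance condition $d' > 2t'$, and a constructed distance-1 matrix shows what goes wrong when it is violated.

```python
from collections import Counter
from itertools import product
from math import gcd


def preimage_counts(fn, domain):
    """Map each image fn(x), x in `domain`, to its number of preimages in `domain`."""
    return Counter(fn(x) for x in domain)


def is_regular(fn, domain):
    """True iff every image has the same number of preimages (the paper's m(n))."""
    return len(set(preimage_counts(fn, domain).values())) == 1


# --- Section 4.1: f_N(x) = x^2 mod N, checked on the units of Z_N ---------
# Non-units are left out: for N = pq with large p, q they are a negligible
# fraction of Z_N, which is what "semi-regular" tolerates.

def units_mod(N):
    return [x for x in range(1, N) if gcd(x, N) == 1]


def squaring_preimage_counts(N):
    return preimage_counts(lambda x: x * x % N, units_mod(N))


# --- Section 4.2: f_C(x, e) = xC + e over GF(2) ----------------------------
# C is a list of k' rows, each an n'-bit tuple; the error e has weight <= t'.

def encode(C, x):
    """Codeword xC: XOR of the rows of C selected by the bits of x."""
    word = [0] * len(C[0])
    for bit, row in zip(x, C):
        if bit:
            word = [a ^ b for a, b in zip(word, row)]
    return tuple(word)


def error_vectors(n, t):
    """E_{n,t}: all n-bit vectors with at most t ones."""
    return [e for e in product((0, 1), repeat=n) if sum(e) <= t]


def code_preimage_counts(C, t):
    k, n = len(C), len(C[0])
    domain = [(x, e) for x in product((0, 1), repeat=k)
              for e in error_vectors(n, t)]
    perturbed = lambda xe: tuple(a ^ b for a, b in zip(encode(C, xe[0]), xe[1]))
    return preimage_counts(perturbed, domain)


def code_is_regular(C, t):
    return len(set(code_preimage_counts(C, t).values())) == 1


# Constructed sample matrices.
# Systematic generator of the [7,4,3] Hamming code: d' = 3, so t' = 1.
HAMMING_7_4 = [
    (1, 0, 0, 0, 0, 1, 1),
    (0, 1, 0, 0, 1, 0, 1),
    (0, 0, 1, 0, 1, 1, 0),
    (0, 0, 0, 1, 1, 1, 1),
]
# Minimum distance 1 (rows are unit vectors): violates d' > 2t' for t' = 1,
# so a codeword plus a one-bit error can coincide with another codeword.
BAD_C = [
    (1, 0, 0, 0, 0, 0, 0),
    (0, 1, 0, 0, 0, 0, 0),
    (0, 0, 1, 0, 0, 0, 0),
    (0, 0, 0, 1, 0, 0, 0),
]


if __name__ == "__main__":
    print("squaring mod 15 on units:", dict(squaring_preimage_counts(15)))
    print("Hamming [7,4,3], t'=1, regular:", code_is_regular(HAMMING_7_4, 1))
    print("distance-1 matrix, t'=1, regular:", code_is_regular(BAD_C, 1))
```

For the Hamming code every one of the $2^7$ outputs has exactly one $(x, e)$ preimage, so $f_C$ is regular with $m = 1$; for the distance-1 matrix the preimage counts split into 1 and 5.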
APPENDIX

Assuming that $f$ is a (regular) one-way function, we construct a (regular) one-way function $\tilde f$ which is easy to invert on the distribution obtained by iterating $\tilde f$ twice. Assume for simplicity that $f$ is length preserving (i.e. $|f(x)| = |x|$). Let $|x| = |y|$ (or $|x| = |y| + 1$); we let

$$\tilde f(xy) = 0^{|y|} f(x).$$

Clearly, $\tilde f$ is one-way. On the other hand, for every $xy \in \{0,1\}^{2n}$, $\tilde f(\tilde f(xy)) = 0^n f(0^n)$ and $0^n f(0^n) \in \tilde f^{-1}(0^n f(0^n))$.
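The appendix construction as an added worked example (not the paper's code), with a constructed stand-in for $f$: it checks that the second iterate of $\tilde f$ is the same constant for every $2n$-bit input and shows the trivial inverter this gives for the second iterate, while $\tilde f$ itself is no easier to invert than $f$.

```python
import hashlib


def toy_f(x):
    """Stand-in for the length-preserving function f (constructed for this
    example: SHA-256 of the bit string, truncated to |x| bits; NOT a proven
    one-way function). The appendix argument holds for any such f."""
    n = len(x)
    assert 0 < n <= 256, "toy_f handles inputs of at most 256 bits"
    digest = hashlib.sha256(x.encode("ascii")).digest()
    bits = "".join(format(byte, "08b") for byte in digest)
    return bits[:n]


def split(xy):
    """Split xy so that |x| = |y| or |x| = |y| + 1, as in the appendix."""
    half = (len(xy) + 1) // 2
    return xy[:half], xy[half:]


def f_tilde(xy):
    """The appendix's function: f~(xy) = 0^{|y|} f(x)."""
    x, y = split(xy)
    return "0" * len(y) + toy_f(x)


def iterate(fn, value, times):
    for _ in range(times):
        value = fn(value)
    return value


def fixed_point(n):
    """0^n f(0^n): the value every second iterate of f~ on a 2n-bit input hits."""
    return "0" * n + toy_f("0" * n)


def invert_second_iterate(z):
    """Inverter for f~ on the distribution of f~(f~(xy)), |xy| = 2n.

    f~(f~(xy)) = 0^n f(0^n) for every such xy, and 0^n f(0^n) is itself a
    preimage of that value under f~, so a constant answer inverts every
    sample. Returns None if z is not of that form (the inverter never lies).
    """
    if len(z) % 2:
        return None
    candidate = fixed_point(len(z) // 2)
    return candidate if f_tilde(candidate) == z else None


def second_iterate_is_constant(n, samples):
    """Check the appendix claim on a constructed sample of 2n-bit inputs."""
    expected = fixed_point(n)
    return all(iterate(f_tilde, xy, 2) == expected for xy in samples)


if __name__ == "__main__":
    xy = "1011001110"          # constructed 10-bit input, n = 5
    z2 = iterate(f_tilde, xy, 2)
    pre = invert_second_iterate(z2)
    print(z2, pre, f_tilde(pre) == z2)
```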
ACKNOWLEDGEMENTS

We wish to thank Ronny Roth for sharing with us some of his knowledge on coding theory. We are grateful to Josh (Cohen)-Benaloh and Charlie Rackoff for very helpful discussions concerning this work. The first author wishes to express special thanks to Leonid Levin and Silvio Micali for infinitely many discussions concerning pseudorandom generators.

The second author would like to ask the third author: "Do you know where Irit Hattmann's office is?"
REFERENCES

[ACGS] W. Alexi, B. Chor, O. Goldreich and C.P. Schnorr, "RSA and Rabin Functions: Certain Parts Are As Hard As the Whole", Proc. 25th IEEE Symp. on Foundations of Computer Science, 1984, pp. 449-457 (to appear in SIAM J. Computing).
[BBS] L. Blum, M. Blum and M. Shub, "A Simple Secure Pseudo-Random Number Generator", Advances in Cryptology: Proc. of Crypto 82, ed. D. Chaum, R.L. Rivest and A.T. Sherman, Plenum Press, 1983, pp. 61-78.
[BM] M. Blum and S. Micali, "How to Generate Cryptographically Strong Sequences of Pseudo-Random Bits", SIAM Jour. on Computing, Vol. 13, 1984, pp. 850-864.
[CW] J. Carter and M. Wegman, "Universal Classes of Hash Functions", JCSS, Vol. 18, 1979, pp. 143-154.
[CG] B. Chor and O. Goldreich, "On the Power of Two-Point Sampling", to appear in Jour. of Complexity.
[CGG] B. Chor, O. Goldreich and S. Goldwasser, "The Bit Security of Modular Squaring Given Partial Factorization of the Modulus", Advances in Cryptology - Crypto 85 Proceedings, ed. H.C. Williams, Lecture Notes in Computer Science 218, Springer Verlag, 1985, pp. 448-457.
[DH] W. Diffie and M.E. Hellman, "New Directions in Cryptography", IEEE Transactions on Info. Theory, IT-22 (Nov. 1976), pp. 644-654.
[GGM] O. Goldreich, S. Goldwasser and S. Micali, "How to Construct Random Functions", Jour. of ACM, Vol. 33, No. 4, 1986, pp. 792-807.
[GM] S. Goldwasser and S. Micali, "Probabilistic Encryption", JCSS, Vol. 28, No. 2, 1984, pp. 270-299.
[J] A. Joffe, "On a Set of Almost Deterministic k-Independent Random Variables", The Annals of Probability, Vol. 2, No. 1, 1974, pp. 161-162.
[L] L.A. Levin, "One-Way Functions and Pseudorandom Generators", to appear in Combinatorica. A preliminary version appeared in Proc. 17th STOC, 1985, pp. 363-365.
[L2] L.A. Levin, "Homogeneous Measures and Polynomial Time Invariants", Workshop on Algorithms, Randomness and Complexity, CIRM, Luminy, France (March 1986).
[Lu] M. Luby, "A Simple Parallel Algorithm for the Maximal Independent Set Problem", SIAM J. Comput., Vol. 15, No. 4, Nov. 1986, pp. 1036-1054.
[LR] M. Luby and C. Rackoff, "Pseudo Random Permutation Generators and DES", Proc. 18th ACM Symp. on Theory of Computing, 1986, pp. 356-363.
[McS] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error Correcting Codes, North-Holland Publishing Company, 1977.
[R] M.O. Rabin, "Digitalized Signatures and Public Key Functions as Intractable as Factoring", MIT/LCS/TR-212, 1979.
[RSA] R. Rivest, A. Shamir and L. Adleman, "A Method for Obtaining Digital Signatures and Public Key Cryptosystems", Comm. ACM, Vol. 21, Feb. 1978, pp. 120-126.
[S] A. Shamir, "On the Generation of Cryptographically Strong Pseudorandom Sequences", ACM Transactions on Computer Systems, Vol. 1, No. 1, February 1983, pp. 38-44.
[Y] A.C. Yao, "Theory and Applications of Trapdoor Functions", Proc. of the 23rd IEEE Symp. on Foundations of Computer Science, 1982, pp. 80-91.