5.3.2: The statistical difference between the random variables

3.5 ∗ Constructions Based on One-Way Functions

Claim 3. 5.3.2: The statistical difference between the random variables

Hpn(−nl)(n)(f(Un)),H n−l(n) p(n) ,Ul(n)+1 and Un−l(n),H n−l(n) p(n) ,Ul(n)+1 is bounded by 2·2−l(n)/3_.

Proof Idea: Use the hypothesis that Sn_p−₍_nl₎(n) is a hashing family, and apply Lemma 3.5.1. Specifically, use δ=2−l(n)/3_{, note that} Pr_[_f₍_U

n)=y]≤2−n for

every y, and count separately the contributions of bad and non-bad h’s to the statistical difference between (Hpn(−nl)(n)(f(Un)),H

n−l(n)

p(n) ) and (Un−l(n), H n−l(n) p(n) ).

Because the statistical difference is a bound on the ability of algorithms to distinguish, the proposition follows.

Extension.Proposition 3.5.3 can be extended to the case in which the function f is polynomial-to-1 (instead of 1-to-1). Specifically, let f satisfy|f−1(f(x))|<q(|x|) for some polynomialq(·) and all sufficiently longx’s. The modified proposition asserts thatfor every probabilistic polynomial-time algorithm A, every polynomial p(·), and all sufficiently large n’s,

|Pr[A(G(Un,Uk))=1]−Pr[A(Un₊k₊1)=1]|<2·2−

l(n)−log2q(n)

3 + 1

p(n) where k is as in Proposition 3.5.3.

3.5.1.3. Obtaining Pseudorandom Generators

With Proposition 3.5.3 proved, we consider the possibility of applying it in order to construct pseudorandom generators. We stress that applying Proposition 3.5.3 with length function l(·) requires having a hard-core function g for f, with |g(x)| =l(|x|)+1. By Theorem 2.5.6 (in Section 2.5.3), such hard-core functions exist essentially for all one-way functions, provided thatl(·) is logarithmic. (Actually, Theorem 2.5.6 asserts that such hard-cores exist for a modification of any one-way function, where the modified function preserves the 1-1 property of the original function.) Hence, combining

PSEUDORANDOM GENERATORS

Theorem 2.5.6 and Proposition 3.5.3 and using a logarithmic length function, we get very close to constructing a pseudorandom generator. In particular, for every polynomial p(·), usingl(n)def=3 log₂ p(n), we can construct a deterministic polynomial-time algorithm expandingO(n)-bit-long seeds into (O(n)+1)-bit-long strings such that no polynomial-time algorithm can distinguish the output strings from uniformly chosen ones with probability greater than 1

p(n) (except for finitely manyn’s). Yet this does not

imply that the output is pseudorandom (i.e., that the distinguishing gap is smaller than anypolynomial fraction). An additional idea is needed (because we cannot use l(·) larger than any logarithmic function). In the sequel, we shall present two alternative ways of obtaining a pseudorandom generator from Construction 3.5.2.

The First Alternative.As a prelude to the actual construction, we use Construc- tion 3.3.2 (in Section 3.3.2) in order to increase the expansion factors for the algorithms arising from Construction 3.5.2. In particular, for everyi ∈N, we construct a deterministic polynomial-time algorithm, denotedGi, expandingn-bit-long seeds into n3_{-bit-long strings such that no polynomial-time algorithm can distinguish the output}

strings from uniformly chosen ones with probability greater than _n1i (except for finitely manyn’s). Denote these algorithms byG1,G2, . . .. We now construct a pseudorandom

generatorGby letting

G(s)def=G1(s1)⊕G2(s2)⊕ · · · ⊕Gm(|s|)

sm(|s|)

where ⊕ denotes bit-by-bit XOR of strings, s1s2· · ·sm(|s_|)=s, |si| = _m|₍s_||_s_|₎ ±1, and m(n)def=√3_n_.4 _Clearly,|_G₍_s₎| ≈₍ |s|

m(|s_|))

3_{= |}_s_|2_{. The pseudorandomness of}_G _follows

by a reducibility argument. Specifically, if for somei and infinitely manyn’s, some polynomial-time algorithm can distinguish G(Un) fromUn2 with probability greater

than 1

n2i/3, then we can distinguishGi(Un_/m(n)) fromU(n/m(n))3(in polynomial time) with

probability greater than_n21i/3 = 1

(n/m(n))i, in contradiction to the hypothesis regardingGi.

The Second Alternative.Here we apply Construction 3.5.2 to the function f defined by f(x1, . . . ,xn)

def

= f(x1)· · · f(xn)

where|x1| = · · · = |xn| =n. The benefit in applying Construction 3.5.2 to the function f is that we can usel(n2₎def₌ _n₋_{1, and hence Proposition 3.5.3 indicates that}_G _{is a}

pseudorandom generator. All that is left is to show that f has a hard-core function that mapsn2_{-bit strings into}_n_{-bit strings. Assuming that}_b_{is a hard-core predicate of the}

function f, we can construct such a hard-core function for f. Specifically: Construction 3.5.4:Let f:{0,1}∗→{0,1}∗and b:{0,1}∗→{0,1}. Define

f(x1, . . . ,xn) def = f(x1)· · · f(xn) g(x1, . . . ,xn) def =b(x1)· · ·b(xn) where|x1| = · · · = |xn| =n.

4_{The choice of the function}_m_:_N_→_N_{is rather arbitrary; any unbounded function}_m_:_N_→_N_satisfying

3.5.∗∗CONSTRUCTIONS BASED ON ONE-WAY FUNCTIONS

Proposition 3.5.5:Let f and b be as in Construction 3.5.4. If b is a hard-core predicate of f , then g is a hard-core function of f .

Proof Idea: Use the hybrid technique. Theith hybrid is

fU_n(1), . . . , fU_n(n),bU_n(1), . . . ,bU_n(i),U₁(i+1), . . . ,U₁(n) Indeed, the nth hybrid equals (f(Un2),g(U_n2)), whereas the 0th hybrid equals

(f(Un2),Un). Next, show how to transform an algorithm that distinguishes neigh-

boring hybrids into one predictingb(Un) from f(Un). Specifically, this transfor-

mation is analogous to a construction used in the proof of the “opposite direction” for Theorem 3.3.7 and in the second proof of Theorem 3.4.1.

Conclusion.Using either of the preceding two alternatives, we get the following: Theorem 3.5.6: If there exist1-1one-way functions, then pseudorandom gener- ators exist as well.

The entire argument can be extended to the case in which the function f is polynomial- to-1 (instead of 1-to-1). Specifically, let f satisfy|f−1f(x)|<q(|x|) for some polynomialq(·) and all sufficiently long x’s. We claim that if f is one-way, then (either of the preceding alternatives yields that) pseudorandom generators exist. Proving the latter statement using the first alternative is quite straightforward, given the extension of Proposition 3.5.3 (stated at the end of Section 3.5.1.2). For proving the statement using the second alternative, apply Construction 3.5.2 to the function f, with l(n2₎def₌_n₋₁₊_n_·_log

2q(n). This requires showing that f has a hard-core function

that mapsn2_{-bit strings into (}_n_·₍₁₊_log

2q(n)))-bit strings. Assuming thatgis a hard-

core function of the function f, with|g(x)| =1+log₂q(|x|), we can construct such a hard-core function for f. Specifically,

g(x1, . . . ,xn) def

=g(x1)· · ·g(xn)

where|x1| = · · · = |xn| =n.

3.5.2. Using Regular One-Way Functions

The validity of Proposition 3.5.3 relies heavily on the fact that if f is 1-1, then f(Un)

maintains the “entropy” ofUn in a strong sense (i.e.,Pr[f(Un)=α]≤2−n for every α). In this case, it is possible to shrink f(Un) (ton−l(n) bits) and get almost uniform

distribution over{0,1}n₋l(n)_{. As stressed earlier, the condition can be relaxed to requir-}

ing that f be polynomial-to-1 (instead of 1-to-1). In such a case, only logarithmic loss of “entropy” occurs, and such a loss can be compensated by an appropriate increase in the range of the hard-core function. We stress that hard-core functions of logarithmic length (i.e., satisfying|g(x)| =O(log|x|)) can be constructed for any one-way function. However, in general, the function f may not be polynomial-to-1, and in particular it can map exponentially many pre-images to the same image. If that is the case, then

PSEUDORANDOM GENERATORS

applying f toUn will yield a great loss in “entropy” that cannot be compensated by

using the foregoing methods. For example, if f(x,y)def= f(x)0|y| _for _|_x_|=|_y_| _then

Pr[f(Un)=α]≥2−

|α|

2 for someα’s. In this case, achieving uniform distribution from f(Un) requires shrinking it to length approximatelyn/2. In general, we cannot com-

pensate for these lost bits (using the foregoing methods), because f may not have a hard-core with such a huge range (i.e., a hard-coregsatisfying|g(α)|> |α₂|). Hence, in this case, a new idea is needed and indeed is presented next.

The idea is that in case f maps different pre-images into the same image y, we can augment y by the index of the pre-image in the set f−1₍_y_), _{without damaging}

the hardness-to-invert of f. Namely, we defineF(x)def= f(x)·idxf(x), where idxf(x)

denotes the index (say by lexicographic order) ofx in the set{x: f(x)= f(x)}. We claim that inverting F is not substantially easier than inverting f. This claim can be proved by a reducibility argument. Given an algorithm for invertingF, we can invert f as follows. On inputy(supposedly in the range of f(Un)), we first selectmuniformly

in{1, . . . ,n}, next selectiuniformly in{1, . . . ,2m_}_{, and finally try to invert}_F_{on (}_y_,_i_).

When analyzing this algorithm, consider the casei = )log₂|f−1(y)|*.

The suggested functionF does preserve the hardness-to-invert of f. The problem is thatF does not preserve the easy-to-compute property of f. In particular, for general f, it is not clear how to compute idxf(x); the best we can say is that this task can be

performed in exponential time (and polynomialspace). Again, hashing functions come to the rescue. Suppose, for example, that f is 2m_{-to-1 on strings of length}_n_{. Then we can}

let idxf(x)=(Hnm,H m

n (x)), obtaining “probabilistic indexing” of the set of pre-images.

We stress that applying this idea requires having a good estimate for the size of the set of pre-images (of a given image). That is, givenx, it should be easy to compute|f−1(f(x))|. A simple case where such an estimate is handy is the case of regular functions.

Definition 3.5.7 (Regular Functions):A function f:{0,1}∗→{0,1}∗ is called

regularif there exists an integer function m:N→Nsuch that for all sufficiently long x ∈ {0,1}∗, it holds that

|{y: f(x)= f(y)∧ |x| = |y|}| =2m(|x|)

For simplicity, the reader can further assume that there exists an algorithm that on input ncomputesm(n) in poly(n) time. As we shall see at the end of this subsection, one can do without this assumption. For the sake of simplicity (of notation), we assume in the sequel that if f(x)= f(y), then|x| = |y|.

Construction 3.5.8: Let f:{0,1}∗→{0,1}∗be a regular function, with m(|x|)= log₂|f−1₍_f₍_x₎₎_|_{for some integer function m}₍_·₎_{. Let l}_:_N_→_N_{be an integer func-}

tion, and Sm(n)−l(n)

n a hashing family. For every x ∈ {0,1}

n _{and h}_∈_Sm(n)−l(n)

n ,

define

F(x,h)def= (f(x),h(x),h)

If f can be computed in polynomial time andm(n) can be computed fromnin poly(n) time, thenFcan be computed in polynomial time. We now show that if f is a regular

3.5.∗∗CONSTRUCTIONS BASED ON ONE-WAY FUNCTIONS

one-way function, thenFis “hard to invert.” Furthermore, ifl(·) is logarithmic, thenF is “almost 1-1.”

Proposition 3.5.9:Let f , m, l, and F be as in Construction 3.5.8. Suppose that there exists an algorithm that on input n computes m(n)inpoly(n)time. Then: 1. Fis “almost” 1-1:

PrF−1FUn,Hnm(n)−l(n)>2

l(n)+1 _<_O_n_·₂−l(n)/4 (Recall thatHk

n denotes a random variable uniformly distributed overSnk. )

2. F“preserves” the one-wayness of f:

If f is strongly (resp., weakly) one-way, then so is F .

Proof Sketch: Part 1 is proved by applying Lemma 3.5.1, using the hypothesis that Sm(n)−l(n)

n is a hashing family. Specifically, Lemma 3.5.1 implies that for

everyαand all but a 2−l(n)_{fraction of}_h_∈_Sm(n)−l(n)

n , it holds thatPr[h(Un)=α]≤

2−m(n)+l(n)+1_{. Thus, for every}_α_{, it holds that}_Pr_[_|_F−1₍_α,_Hm(n)−l(n) n )|>2

l(n)+1_]_<

2−l(n)_{. Letting} _Bdef_{= {}₍_α,_h_{) :}_|_F−1₍_α,_h₎_|_>₂l(n)+1_}_{, we have} _Pr_[(_U

m(n)−l(n),

Hm(n)−l(n)

n )∈B]<2−

l(n)_{. Using Claim 3.5.9.1 (given later), it follows that} Pr[(Hm(n)−l(n)

n (Un),Hnm(n)−l(n))∈B]<O(m(n)·2−

l(n)₎1/4_{, as required in Part 1.}

Part 2 is proved using a reducibility argument. Assuming, to the contradiction, that there exists an efficient algorithmAthat invertsFwith unallowable success probability, we construct an efficient algorithmAthat inverts f with unallowable success probability (reaching contradiction). For the sake of concreteness, we consider the case in which f is strongly one-way and assume, to the contradiction, that algorithmAinvertsFonF(Un,Hnm(n)−l(n)) with success probabilityε(n),such

thatε(n)> _poly(1_n₎ for infinitely manyn’s. Following is a description ofA. On inputy(supposedly in the range of f(Un)), algorithmAselects uniformly h∈Sm(n)−l(n)

n andα∈ {0,1}

m(n)−l(n)_{and initiates}_A_{on input (}_y_{, α,}_h_{). Algorithm}

Asetsxto be then-bit-long prefix of A(y, α,h) and outputsx.

Clearly, algorithm Aruns in polynomial time. We now evaluate the success probability of A. For every possible input y to algorithm A, we consider a random variable Xn uniformly distributed in f−1(y) (i.e.,Pr[Xn =α]=2−m(n)

if α∈ f−1(y), and Pr[Xn =α]=0 otherwise). Let δ(y) denote the success

probability of algorithm A on input (y,Hk

n(Xn),Hnk), where n def

= |y| and kdef=m(n)−l(n). That is,

δ(y)def= PrAy,H_nk(Xn),Hnk

∈ F−1y,H_nk(Xn),Hnk (3.14)

By the contradiction hypothesis (and the definition of δ(y)), it holds that

E[δ(f(Un))]=ε(n), andPr[δ(f(Un))>ε(₂n)]> ε(₂n) follows. We fix an arbitrary y∈ {0,1}n_{such that}_δ₍_y₎_> ε(n)

2 . We prove the following technical claim.

Claim 3.5.9.1: Letk≤nbe natural numbers, and letXn ∈ {0,1}n be a random

PSEUDORANDOM GENERATORS

In document Foundations of Cryptography Vol 1, Basic Tools pdf (Page 160-165)