Hardness Preserving Constructions of Pseudorandom Functions

Size: px

Start display at page:

Download "Hardness Preserving Constructions of Pseudorandom Functions"

Gwendolyn Alexander
6 years ago
Views:

1 Hardness Preserving Constructions of Pseudorandom Functions Abisek Jain 1, Krzysztof Pietrzak 2, and Aris Tentes 3 1 UCLA. abisek@cs.ucla.edu 2 IST Austria. pietrzak@ist.ac.at 3 New York University. tentes@cs.nyu.edu Abstract. We sow a ardness-preserving construction of a PRF from any lengt doubling PRG wic improves upon known constructions wenever we can put a non-trivial upper bound q on te number of queries to te PRF. Our construction requires only O(log q) invocations to te underlying PRG wit eac query. In comparison, te number of invocations by te best previous ardness-preserving construction (GGM using Levin s trick) is logaritmic in te ardness of te PRG. For example, starting from an exponentially secure PRG {0,1} n {0,1} 2n, we get a PRF wic is exponentially secure if queried at most q = exp( n) times and were eac invocation of te PRF requires Θ( n) queries to te underlying PRG. Tis is muc less tan te Θ(n) required by known constructions. 1 Introduction In 1984, te notion of pseudorandom functions was introduced in te seminal work of Goldreic, Goldwasser and Micali [10]. Informally speaking, a pseudorandom function (PRF) is a keyed function F : {0,1} n {0,1} m {0,1} n, suc tat no efficient oracle aided adversary can distinguis weter te oracle implements a uniformly random function, or is instantiated wit F(k,.) for a random key k {0,1} n. PRFs can be used to realize a sared random function, wic as found many applications in cryptograpy [9,7,8,2,16,15,12]. Goldreic et al. [10] gave te first construction of a PRF from any lengtdoubling pseudorandom generator G : {0,1} n {0,1} 2n ; tis is known as te GGM construction. In tis work, we revisit tis classical result. Altoug we will state te security of all constructions considered in a precise quantitative way, it elps to tink in asymptotic terms to see te qualitative differences between constructions. In te discussion below, we will terefore tink of n as a parameter (and assume te PRG G is defined for all input lengts n N, and not just say n = 128). Moreover, for concreteness we assume tat G is exponentially ard, Researc conducted wile at CWI Amsterdam. Supported by te European Researc Council under te European Union s Sevent Framework Programme (FP7/ ) / ERC Starting Grant ( PSPC) Researc conducted wile at CWI Amsterdam and IST Austria.

2 tat is, for some constant c > 0 and all sufficiently large n, no adversary of size 2 cn can distinguis G(U n ) from U 2n (were U n denotes a variable wit uniform distribution over {0,1} n ) wit advantage more tan 2 cn. We will also refer to tis as G aving cn bits of security. Te GGM construction GGM G : {0,1} n {0,1} m {0,1} n is ardness preserving, wic means tat if te underlying PRG G as cn bits of security, it as c n bits of security for some 0 < c < c. Te domain size {0,1} m can be arbitrary, but te efficiency of te construction depends crucially on m as every invocation of GGM G requires m calls to te underlying PRG G. Levin[13] proposed a modified construction wic improves efficiency for long inputs: first as te long m-bit input to a sort u-bit string using a universal as function : {0,1} m {0,1} u, and only ten use te GGM construction on tis sort u-bit string. Te smaller a u we coose, te better te efficiency. If we just want to acieve security against polynomial size adversaries, ten a super-logaritmic u = ω(log n) will do. But if we care about exponential security and want tis construction to be ardness preserving, ten we must coose a u = Ω(n) tat is linear in n. Tus, te best ardness-preserving construction of a PRF F G from a lengt-doubling PRG G requires Θ(n) invocations of G for every query to F (unless te domain m = o(n) is sublinear, ten we can use te basic GGM construction.) In tis work we ask if one can improve upon tis construction in terms of efficiency. We believe tat in tis generality, te answer actually is no, and state tis explicitly as a conjecture. But our main result is a new construction wic dramatically improves efficiency in many practical settings, namely, wenever we can put a bound on te number of queries te adversary can make. In te discussion above, we didn t treat te number of queries an adversary can make as a parameter. Of course, te size of te adversary considered is an upper bound on te number of queries, but in many practical settings, te number of outputs an adversary can see is tiny compared to its computational resources. For example consider an adversaryof size 2 cn wo can make only q = 2 n 2 cn queries to te PRF. If te domain of te PRF is small, m = Θ( n), ten using GGM we get a ardness-preserving construction wit efficiency Θ( n) (were efficiency is measured by te number of queries to G per invocation of te PRF.) If we want a larger domain m = ω( n), ten te efficiency drops to m = ω( n). We can get efficiency Θ(n) regardless of ow large m is by using Levin s trick, but cannot go below tat witout sacrificing ardness preservation. In tis paper we give a ardness-preserving construction wic, for any input lengt m, acieves efficiency Θ( n). Te construction works also for oter settings of te parameters. In particular, for q = 2 nǫ (note tat above we considered te case ǫ = 1/2) we get a construction wit efficiency Θ(logq) = Θ(n ǫ ). Actually, tis is only true for ǫ 1/2; weter tere exists a ardness-preserving black-box construction wit efficiency Θ(logq) for q = 2 nǫ were ǫ < 1/2 is an interesting open question.

3 Oter Applications. Altoug we described our result as an improved reduction from PRFs to PRGs,te main idea is more general.viewing it differently, oursis a new tecnique for extending te domain of a PRF. If we apply our tecnique to PRFs wit an input domain of lengt l bits, Levin s trick would require rougly a domain of size l 2 to acieve a comparable quality of ardness preservation. Tis tecnique can be used to give more efficient constructions in oter settings, for example to te work of Naor and Reingold [18] wo construct PRFs computable by low dept circuits from so called pseudorandom syntesizer (PRS), wic is an object stronger tan a PRG, but weaker tan a full blown PRF. Very briefly, [18] gives a ardness-preserving construction of a PRF from PRS wic can be computed making Θ(n) queries to te PRS in dept Θ(log n) (GGM also makes Θ(n) queries, but sequentially, i.e. as dept Θ(n); on te oter and, GGM only needs a PRG, not a PRS as building block). Our domain extension tecnique can also be used to improve on te Naor-Reingold construction, and improves efficiency from Θ(n) to Θ(logq) = Θ(n ǫ ) wenever one can put an upper bound q = 2 nǫ (ǫ 1/2) on te number of adversarial queries. Subsequent to[18], several number-teoretic constructions of PRFs ave been proposed, inspired by te PRS based construction and GGM [19,20,14,5,1]. In particular, in [19], Naor and Reingold gave an efficient construction of a PRF from te DDH assumption tat requires only n multiplications and one exponentiation instead of te n exponentiations required for GGM or te PRS based construction. Tis is acieved by exploiting particular properties of te underlying assumptions like te self reducibility of DDH. Our tecnique does not seem to be directly applicable to improve upon tese constructions [19]. Te Construction. Before we describe our construction in more detail, it is instructive to see wy te universal as-function : {0,1} m {0,1} u used for Levin s trick must ave range u = Ω(n) to be ardness-preserving. Consider any two queries x i and x j made by te adversary.if we avea collision (x i ) = (x j ) for te initial asing, ten te outputs GGM G (k,(x i )) = GGM G (k,(x j )) of te PRF will also collide. To get exponential security, we need tis collision probability to be exponentially small. Te probability for suc a collision depends on te range u and is Pr [(x i ) = (x j )] = 2 u. So we must coose u = Θ(n) to make tis term exponentially small. Similar to Levin s trick, we also use a as function : {0,1} m {0,1} t to as te input down to t = 3logq bits (Recall tat q is an upper bound on te queries to te PRF, so if say q = 2 n, ten t = 3 n.) As discussed earlier, te collision probability wit suc a sort output lengt will not be exponentially small. However, we can prove someting weaker, namely, if is t-wise independent, ten te probability tat we ave a t + 1-wise collision (i.e. any t+1 of te q inputs as down to te same value.) is exponentially small. Next, te ased value x i = (x i) is used as input to te standard GGM PRF to compute x i := GGM G (k,x i ). Note, owever, tat we can t simply set x i as te output of our PRF because several of te inputs x 1,...,x q can be

4 mapped by to te same x, and tus also te same x, wic would not look random at all. We solve tis problem by using x i = GGM G (k,(x i )) to sample a t-wise independent as function i. Te final output z i := i (x i ) is ten computed by asing te original input x i using tis i. Note tat wit very ig probability, for every i, at most t t different x i1,...,x it will map to te same t-wise independent i. Tus, te corresponding outputs i (x i1 ),..., i (x it ) will be random. Te invocation of te GGM construction and te sampling of i from x i can bot be done wit Θ(t) invocations of G, tus we get an overall efficiency of Θ( n). 2 Preliminaries Variables, Sets and Sampling. By lowercase letters we denote values and bit strings, by uppercase letters we denote random variables and by uppercase calligrapicletters we denote sets. Specifically, by U m we denote te randomvariable wic takes values uniformly at random from te set of bit strings of lengt m and by R m,n te set of all functions F : {0,1} m {0,1} n. If X is a set, ten by X t we denote te t t direct product of X, i.e., (X 1,...,X t ) of t identical copies of X. If X is a random variable, ten by X (t) we denote te random variable wic consists of t independent copies of X. By x X we denote te fact tat x was cosen according to te random variable X and analogously by x X, tat x was cosen uniformly at random from set X. Computational/Statisical Indistinguisability. For random variables X 0,X 1 distributed over some set X, we write X 0 X 1 to denote tat tey are identically distributed, we write X 0 δ X 1 to denote tat tey ave statistical distance δ, x X Pr X 0 [x] Pr X1 [x] δ, and X 0 (δ,s) X 1 to denote tat tey are i.e. 1 2 (δ,s) indistinguisable, i.e. for all distinguisers D of size at most D s we ave x X Pr X 0 [D(x) 1] Pr X1 [D(x) 1] δ. In informal discussions we will also use s to denote statistical closeness (i.e. δ for some small δ) and c to denote computational indistinguisability (i.e. (δ,s) for some large s and small δ.) 3 Definitions We will need two information teoretic notions of as functions, namely, δ- universal and t-wise independent as functions. Informally, a as function is t-wise independent if its output is uniform on any t distinct inputs. A function is δ-universal if any two inputs collide wit probability at most δ. Definition 1 (almost universal as function). For l,m,n Z, a function : {0,1} l {0,1} m {0,1} n is δ-almost universal if for any x x {0,1} m Pr k {0,1} l[ k (x) = k (x )] δ

5 Universal as functions were studied in [6,21], wo also gave explicit constructions. Proposition 1. For any m,n tere exists a 2 n+1 -universal as function wit key lengt l = 4(n + logm). Furter, no suc function can be δ-universal for δ < 2 n 1. Definition 2 (t-wise independent as function family). For l, m, n, t Z, a function : {0,1} l {0,1} m {0,1} n is t-wise independent, if for every t distinct inputs x 1,...,x t {0,1} m and a random key k {0,1} l te outputs are uniform, i.e. k (x 1 )... k (x t ) U (t) n Proposition 2. For any t,m,n m tere exits a t-wise independent as function wit key lengt l = m t. Remark 1. Note tat 2-wise independence implies 2 n -universality. Te reason to consider te notion of δ-universality for δ > 2 n is tat it can be acieved wit keys of lengt linear in te output, as opposed to te input. Definition 3 (PRG[4,22]). A lengt-increasing function G : {0,1} n {0,1} m (m > n) is a (δ,s)-ard pseudorandom generator if G(U n ) (δ,s) U m We say G as σ bits of security if G is (2 σ,2 σ )-ard. G is exponentially ard if it as cn bits of security for some c > 0, and G is sub-exponentially ard if it as cn ǫ bits of security for some c > 0,ǫ > 0. Te following lemma, wic follows from a standard ybrid argument, will be useful. Lemma 1. If G : {0,1} n {0,1} m is a (δ,s)-ard PRG of size G = s, ten for any q N G(U n ) (q) (q δ,s q s ) U (q) m Definition 4 (PRF[10]). A function F : {0,1} l {0,1} m {0,1} n is a (q, δ, s)-ard pseudorandom function (PRF) if for every oracle aided distinguiser D of size D s making at most q oracle queries Pr k {0,1} l[d F(k,.) 1] Pr f Rm,n [D f(.) 1] δ F as σ bits of security against q queries if F is (q,2 σ,2 σ ) secure. If q is not explicitly specified, it is unbounded (te size 2 σ of te distinguiser considered is a trivial upper bound on q.)

6 3.1 Te GGM construction Goldreic, Goldwasser and Micali [10] gave te first construction of a PRF from any lengt doubling PRG. We describe teir simple construction below. For a lengt-doubling function G : {0,1} n {0,1} 2n and m N, let GGM G : {0,1} n {0,1} m {0,1} n denote te function GGM G (k,x) = k x werek x is recursively defined ask ε = k andk a 0 k a 1 := G(k a ) Proposition 3 ([10]). If G is a (δ G,s G )-ard PRG, ten for any m,q N, GGM G : {0,1} n {0,1} m {0,1} n is a (q,δ,s)-ard PRF were δ = m q δ G s = s G q m G (1) 3.2 Levin s trick One invocation of te GGM construction GGM G : {0,1} n {0,1} m {0,1} n requires m invocations of te underlying PRG G, so te efficiency of te PRF depends linearly on te input lengt m. Levin observed tat te efficiency can be improved if one first ases te input using a universal as function. Using tis trick one gets a PRF on long m-bit inputs at te cost of evaluating a PRF on sort u bit inputs plus te cost of asing te m-bit string down to u bits. 4 Proposition 4 (Levin s trick). Let : {0,1} l {0,1} m {0,1} u be a δ - universal as function and F : {0,1} l {0,1} u {0,1} n be a (q,δ F,s)-ard PRF, ten te function F : {0,1} l+l {0,1} m {0,1} n defined as is a (q,δ,s)-ard PRF were F (k F k,x) := F(k F,(k,x)) δ = q 2 δ +δ F s = s F q (2) 3.3 Hardness Preserving and Good Constructions Definition 5 (Hardness Preserving Construction). A construction F of a PRF from a PRG is ardness preserving up to q = q(n) queries, if for every constant c > 0,ǫ > 0 tere is a constant c > 0 and n Z suc tat for all n n : if G is of polynomial size and as cn ǫ bits of security, F as c n ǫ bits of security against q queries. It is ardness preserving if it is ardness preserving for any q. If te above olds for every c < c, we say tat it is strongly ardness preserving. 4 As universal as functions are non-cryptograpic primitives, asing is generally muc ceaper tan evaluating pseudorandom objects.

7 Proposition 5. Te GGM construction is ardness preserving, more concretely (1) if G as cn ǫ bits of security, GGM G as c n ǫ bits of security for any c < c/2 (2) GGM for q = n ǫ, ǫ < ǫ queries is strongly ardness preserving. Proof. By eq.(1), if G as cn ǫ bits of security, ten te GGM construction as min{cn ǫ log(q) log(m),cn ǫ log G log(m)} (3) bits of security. To see (1), we observe tat for any c < c/2 eq.(3) is c n ǫ for sufficiently large n as required (using tat m and G are polynomial in n and q = 2 c n.) To see (2) observe tat for log(q) = n ǫ were ǫ < ǫ, te term eq.(3) is c n ǫ for sufficiently large n and every c < c. Recall tat one invocation of GGM requires m invocations of te underlying PRG, were m must be at least log(q). We conjecture tat Ω(log(q)) invocations are necessary for any ardness preserving construction. Conjecture 1. Any construction 5 F G (.,.) : {0,1} n {0,1} m {0,1} n tat preserves ardness for q queries and as a black-box security proof must make Ω(logq) invocation to G per invocation of F G. In te appendix we give some intuition as wy we believe tis conjecture olds. We sow tat te standard black-box security proof tecnique as used e.g. for GGM will not work for constructions making o(log q) invocations. Definition 6 ((Very) Good Construction). We call a construction as in Definition 5 good for q queries, if it is ardness preserving up to q queries and eac invocation of F G results in O(logq) invocations of G. We call it very good, if it is even strongly ardness-preserving. Tus, GGM G is good as long as te domain m is in O(logq), but not if we need a large domain m = ω(logq). Let s look at Levin s construction. Proposition 6. Te GGM construction wit Levin s trick GGM G (wit : {0,1} l {0,1} m {0,1} u as in Proposition 4) is ardness preserving if and only if u is linear in te security of te underlying PRG (e.g. u as to be linear in n if G is exponentially ard.) Proof. For concreteness, we assume G is exponentially ard, te proof is easily adapted to te general case. Te number of queries to G per invocation of GGM G is u, were {0,1} u is te range of te δ universal as function. By eq.(2), GGM G as security δ = q2 δ + δ GGMG. To preserve exponential ardness, δ must be exponentially small. So also δ δ must be exponentially small. By Proposition 1 δ > 2 u 1, tus u must be linear in n. 5 We restrict te key lengt to n bits. Tis is not muc of a restriction, as one can use G to expand te key. If we allow polynomially sized keys directly, ten te conjecture would be wrong for polynomial q as te key could just contain te entire function table.

8 Summing up, te GGM construction is ardness preserving for any q, but only good if te domain is restricted to m = O(logq) bits. By using Levin s trick, we can get a ardness preserving construction were u = Θ(n) (if G is exponentially ard), but tis will only be a good construction for q queries if q is also exponentially large. In a practical setting we often know tat a potential adversary will never see more tan, say 2 n outputs of a PRF F G. If we need a large domain for te PRF, and would like te construction to preserve te exponential ardness of te underlying PRG G, ten te best we can do is to use GGM wit Levin s trick, wic will invoke G a linear in n number of times wit every query. Can we do better? If Conjecture 1 is true, ten one needs Θ( n) invocations, wic is muc better tan Θ(n). Te main result in tis paper is a construction matcing tis (conjectured) lower bound. 4 Our Construction C 0 = C C 1 C 2 C 3 C 4 = R 3n,3n 3n x x x x x t 3n k 0 k 0 k 0 k 0 t x x x x n k 1 GGM G R t,n R t,n n x x x R t,t 3n R 3n,3n G 3t G 3t R n,t 3n t 3n k x k x k x k x 3n z z z z z Fig.1: TeleftmostfigureillustratesourconstructionC(.,.)usingkeyk = k 0 k 1 on input x. Te numbers 3n,t 3n,... on te left indicate te bit-lengt of te corresponding values x,k 0,... Te remaining figures illustrate te games from te proofofteorem1.t = 3log(q) is aparameterwicdepends onte number of queries q we allow. Let G : {0,1} n {0,1} 2n be a lengt doubling function. For e N, we denote wit G e : {0,1} n {0,1} en te function tat expands an n bit string to

9 a en bits string using e 1 invocations of G (tis can be done sequentially, or in parallel in dept log e.) We will use te following simple lemma wic follows by a standard ybrid argument. Lemma 2. Let G be a (δ,s)-ard PRG, ten G e is a (e δ,s e G )-ard PRG. Furter, our constructions uses a t-wise independent (cf. Proposition 2) as function. : {0,1} t 3n {0,1} 3n {0,1} 3n Our construction C G : {0,1} t 3n+n {0,1} 3n {0,1} 3n of a PRF wic will be good for large ranges of q, on input a key k = k 0 k 1 (were k 0 {0,1} t 3n and k 0 {0,1} n ) and x {0,1} 3n, computes te output as (X t denotes te t bit prefix of X.) C(k,x) = (G 3t (GGM G (k 1,(k 0,x) t )), x) Remark 2 (About te domain size and key-lengt). Tis construction as a domain of 3n bits and key-lengt t 3n+n. We can use Levin s trick to expand te domain to any m bits, and tis will not affect te fact tat te construction is good: by eq.(2) we get an additional q 2 δ = q 2 /2 3n 1 term in te distinguising advantage, wic can be ignored compared to te oter terms. We can also use a sort n-bit key (like in plain GGM) and ten expand it to a longer t 3n+n bit key wit every invocation (if we use Levin s trick we will need an extra 4(3n+logm) bits.) Tis also will preserve te fact tat te construction is good. Teorem 1 (Main Teorem). If G is a (δ G,s G )-ard PRG, ten C G is a (q, δ, s)-secure PRF were δ = 4 q t δ G +q 2 /2 n +q t /2 t2 s = s G q C G q 3 t n G (4) Before we prove tis Teorem, let s see wat it implies for some concrete parameters. Assume G is (δ G = 2 cn,s G = 2 cn )-ard and we want security against q = 2 n queries. If we set t := 3logq ten te construction is very good (cf. Def. 6): It makes 7t = 21log(q) = O(logq) invocation to G per query to C G. C G is strongly ardness preserving for q = 2 n queries. By eq.(4) we get δ < 2 cn+2+ n+log(3 n) s 2 cn 2 n C G If C G is polynomial in n (wic is te only case we care about), ten by te above equation, for every c < c, we ave δ 2 c n and s 2 c n for sufficiently large n as required by Definition 5. Te above argument works for any q = 2 nǫ were 0.5 ǫ < 1. It also works if q is unbounded (i.e. ǫ = 1), but we only get normal (and not strong) ardnesspreservation. Te argument fails for ǫ < 0.5, tat is wenever q = 2 o( n). Tecnically, te reason is tat te q t /2 t2 term in eq.(4) is not exponentially small (as

10 required for ardness-preservation) wen we set t = O(log q) (as required for a good construction.) It is an interesting open question if an optimal and ardness preserving construction wit range ω(log(q)) exits for any q = 2 o n. Summing up, we get te following corollary of Teorem 1 Corollary 1. For any 0 < δ 1 and ǫ [δ/2,δ[, te construction C G (setting t := 3log(q)) is very good for q = 2 nǫ queries for any G wit cn δ bits of security (for any c > 0.) It is good for ǫ = δ. Proof (Proof of Teorem 1). Let D be any q-query distinguiser of size s. We denote wit C 0 our construction C, wit C 4 = R 3n,3n a random function and wit C 1,C 2,C 3 intermediate constructions as sown in Figure 1. Wit p(i) we denote te probability tat D Ci(.) outputs 1 (were e.g. in C 0 te probability is over te coice of k 0 k 1, in C 1 te probability is over te coice of k 0 and f R t,n, etc.) Note tat te advantage of D in breaking C is δ = p(0) p(4), to prove te teorem we will sow tat 3 3 p(0) p(4) = p(i) p(i+1) p(i) p(i+1) 4 q t δ G +q 2 /2 n +q t /2 t2 i=0 i=0 Te last step follows from te four claims below. Claim. p(0) p(1) q t δ G Proof (Proof of Claim). Assume p(0) p(1) > q t δ G. We will construct a distinguiser D 1 for GGM G and R t,n, wic is of size s G q t G and as advantage > q t δ G, contradicting Proposition 3. D O(.) 1 cooses a random k 0 {0,1} 3tn, and ten runs D were it answers its oracle queries by simulating C (using k 0 ), but replacing te GGM G invocation wit its oracle O(.). In te end D 1 outputs te same as D. If O(.) = GGM G (k 1,.) (for some random k 1 ) ten tis simulates C 0, and if O(.) = R t,n it will simulate C 1. Tus D 1 will distinguis GGM G and R t,n wit exactly te same advantage > q t δ G tat D as for C 0 and C 1. Claim. p(1) p(2) q 3 t δ G Proof (Proof of Claim). Assume p(1) p(2) > q 3 t δ G. We will construct a distinguiser D 2 wic is of size s G q 3 n t G wo can distinguis q- tuples of samples of U 3tn from G 3t (U n ) wit advantage > q 3 t δ G. Using a standard ybrid argument tis ten gives a distinguiser D 2 wo distinguises a single sample of U 3tn from G 3t (U n ) wit advantage > q 3 t δ G /q = 3 t δ G, contradicting Lemma 2. D 2 on input v 1,...,v q {0,1} 3tn, runs D and answers its oracle queries by simulating C 1, but replacing te output of G 3t wit te v i s (using a fres v i for every query, except if x appeared in a previous query, ten it uses te same v i as in tis previous query. If te v i s ave distribution G 3t (U n ) tis perfectly simulates C 1, and if tey ave distribution U 3tn tis simulates C 2. So D 2 as te same distinguising advantage as D as for C 1 and C 2.

11 Te proofs of te final two claims are completely information teoretic. Claim. p(2) p(3) q 2 /2 n Proof (Proof of Claim). We claim tat te distinguising advantage of any(even computationally unbounded) q-query distinguiser for C 2 and C 3 is q 2 /2 n. We get C 3 from C 2 by replacing te two nested uniformly random functions f 2 (.) = R n,t 3n (R t,n (.)) wit a single f 3 (.) = R t,t 3n (.). As eac invocation of C 2 resultsin exactlyoneinvocationoff 2 (.), te distinguising advantageofte best q-query distinguiser for C 2 from C 3 can be upper bounded by te distinguising advantage of te best suc distinguiser for f 2 (.) and f 3 (.). Let E denote te event tat te q distinct queries x 1,...,x q to f 2 (.) = R n,t 3n (R t,n (.)) do not contain a collision on te inner function, i.e. R t,n (x i ) R t,n (x j ) for all x i x j. Conditioned on E, te outputs of f 2 and f 3 ave te same distribution, namely U [q] t 3n. Using tis observation, we can bound (using e.g. Teorem 1.(i) in [17] or te fundamental Lemma from [3]) 6 te distinguising advantage of any q-query distinguiser for f 2 and f 3 by te probability tat one can make te event E fail. Tis is te probability tat q uniformly random elements from {0,1} n (i.e. te outputs of te inner function) contain a collision. Tis probability can be upper bounded as q 2 /2 n. Claim. p(3) p(4) q t /2 t2 Proof (Proof of Claim). We claim tat te distinguising advantage of any(even computationally unbounded) q-query distinguiser for C 3 and C 4 is q t /2 t2. We will first prove tis only for non-adaptive distinguisers. To sow security against adaptive adversaries, security against adaptive adversaries will ten follow by a result from [17]. Let x 1,...,x q denote te q distinct queries non-adaptively cosen by D. Let E denote te event wic olds if tere is no t + 1-wise collision after te evaluation of te initial as function in C 3. Tat is, tere is no subset I [q] of size I = t + 1 suc tat (k 0,x i ) = (k 0,x j ) for all i,j I. Below we sow tat conditioned on E, te outputs y 1,...,y q (were y i := C 3 (x i )) are uniformly random, and tus ave te same distribution like te outputs of C 4. Using Teorem1.(i) in [17] orte fundamentallemma from [3], tis meanswe can upper bound te distinguising advantage of any non-adaptive distinguiser for C 3 and C 4 by te te probability tat te event E fails to old. Wic means we ave a t+1 wise collision in q t-wise independent strings over {0,1} t. Tis can be upper bounded as q t /2 t2. 7 We now sow tat te outputs of C 3 are uniform conditioned on E. Consider a subset J [q] wit J t suc tat (k 0,x i ) = (k 0,x j ) = a for all 6 Informally, te statement we use is te following: given two systems F and G and an evente definedfor F,if F conditioned one beavesexactlyas G, tendistinguising F from G is at least as ard as making te event E fail. 7 Te probability tat any t particular strings in {0,1} t collide is exactly (2 t ) t 1 = 2 t2 +t, we get te claimed bound by taking te union bound over all q t /t! possible t-element subsets of te q element set.

12 i,j J. Te fact tat R t,3tn (a) is a uniformly random togeter wit te fact tat is a t-wise independent as function implies tat te joint distribution of ((a,x i )) i J follows te uniform distribution. Now let J 1,...,J q be te subsets of [q] of size at most t, suc tat for j J i (k 0,x j ) = a i and all a i s are distinct. Te fact tat (R t,3nt (a i )) i [q ] follows te uniform distribution and J 1,...,J q are of size at most t implies tat ((R t,3nt (a i ),x i )) i [q] follows te uniform distribution as well. So far, we only establised te indistinguisability of C 3 and C 4 against nonadaptive distinguisers. We get te same bound for adaptive distinguisers using Teorem 2 from [17], wic (for our special case) states tat adaptivity does not elp if te outputs of te system (C 3 in our case) are uniform conditioned on te event we want to provoke. Very recently [11] found tat te precondition stated in[17] is not sufficient, but one additionally requires tat te probability of te event failing is independent of te outputs observed so far. Fortunately in our case (and also for all applications in [17]) tis stronger precondition is easily seen to be satisfied. References 1. Abisek Banerjee, Cris Peikert, and Alon Rosen. Pseudorandom functions and lattices. In EUROCRYPT, Miir Bellare and Safi Goldwasser. New paradigms for digital signatures and message autentication based on non-interative zero knowledge proofs. In Gilles Brassard, editor, Advances in Cryptology CRYPTO 89, volume 435 of Lecture Notes in Computer Science, pages Springer, August Miir Bellare and Pillip Rogaway. Te security of triple encryption and a framework for code-based game-playing proofs. In Serge Vaudenay, editor, Advances in Cryptology EUROCRYPT 2006, volume 4004 of Lecture Notes in Computer Science, pages Springer, May / June Manuel Blum and Silvio Micali. How to generate cryptograpically strong sequences of pseudo random bits. In FOCS, pages , Dan Bone, Hart William Montgomery, and Anant Ragunatan. Algebraic pseudorandom functions wit improved efficiency from te augmented cascade. In ACM Conference on Computer and Communications Security, pages , Larry Carter and Mark N. Wegman. Universal classes of as functions. J. Comput. Syst. Sci., 18(2): , Oded Goldreic. Two remarks concerning te goldwasser-micali-rivest signature sceme. In CRYPTO, pages , Oded Goldreic. Towards a teory of software protection and simulation by oblivious rams. In STOC, pages , Oded Goldreic, Safi Goldwasser, and Silvio Micali. On te cryptograpic applications of random functions. In CRYPTO, pages , Oded Goldreic, Safi Goldwasser, and Silvio Micali. How to construct random functions. J. ACM, 33(4): , D. Jetcev, O. Özen, and M. Stam. Probabilistic analysis of adaptive adversaries revisited. Manuscript in preparation, Jonatan Katz and Yeuda Lindell. Introduction to Modern Cryptograpy.

13 13. Leonid A. Levin. One-way functions and pseudorandom generators. Combinatorica, 7(4): , Allison B. Lewko and Brent Waters. Efficient pseudorandom functions from te decisional linear assumption and weaker variants. In ACM Conference on Computer and Communications Security, pages , Micael Luby. Pseudorandomness and cryptograpic applications. Princeton computer science notes. Princeton University Press, Princeton, NJ, USA, Micael Luby and Carles Rackoff. A study of password security. In Carl Pomerance, editor, Advances in Cryptology CRYPTO 87, volume 293 of Lecture Notes in Computer Science, pages Springer, August Ueli M. Maurer. Indistinguisability of random systems. In Lars R. Knudsen, editor, Advances in Cryptology EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages Springer, April / May Moni Naor and Omer Reingold. Syntesizers and teir application to te parallel construction of psuedo-random functions. In FOCS, pages , Moni Naor and Omer Reingold. Number-teoretic constructions of efficient pseudorandom functions. In 38t Annual Symposium on Foundations of Computer Science, pages IEEE Computer Society Press, October Moni Naor, Omer Reingold, and Alon Rosen. Pseudo-random functions and factoring (extended abstract). In STOC, pages 11 20, Mark N. Wegman and Larry Carter. New as functions and teir use in autentication and set equality. J. Comput. Syst. Sci., 22(3): , Andrew Ci-Ci Yao. Teory and applications of trapdoor functions (extended abstract). In FOCS, pages 80 91, A Intuition for Conjecture 1 We can tink of te GGM construction wit domain {0,1} m as a tree, were te outputs are leaves at dept m. More generally, we can tink of any construction F G as a directed loop-free grap, wic is separated in layers. Eac invocations starts at te root wic olds te secret key K, and te computation follows a pat, crossing layers, were te pat witin eac layer contains at most one invocation of G. We can define te entropy of a layer, as te amount of randomness leaving te layer(assuming G is a uniformly random function.) In te GGM contsruction, te fist layer as 2n bits of randomness, namely G(K), te it layer as 2 i n bits of randomness. In a construction F G contradicting te conjecture, tere must be a layer wic as significantly more tan twice as muc randomness as te layer before. To see tis note tat if eac layer at most doubles te randomness, we need log(q) layers to get te qn bits of randomness. And moreover te last layer must ave qn bits of randomness, as for a black-box security proof te only source of randomness is G. Now, if a layer more tan doubles its randomness, it must be te case tat in tis layer, G is invoked on eiter (1) inputs tat are not uniformly random, or (2) te inputs to G are not independent. In a black-box reduction from F G to G, one considers a series of ybrids H 1,H 2,...,H t, were H 1 is F G and H t is a random function. One gets from a ybrid H i to H i+1 by replacing some

14 internal value Y := G(X) wit a uniform U 2n. If we ave an adversary A wo can distinguis H i from H i+1, we can use it to tell if a random variable Z as distribution U 2n or G(U n ) by replacing Y wit Z in H i, and using A to tell if wat we get is H i (wic will be te case if Z = G(U n )) or H i+1. In te above argument, it is crucial tat X as distribution U n, but if (1) or (2) olds, tis will not be te case. It is ard to imagine a black-box tecnique wic works differently tan by replacing some internal variables Y wit te callenge Z, wic as just explained will not work ere.

Near-Optimal conversion of Hardness into Pseudo-Randomness

Near-Optimal conversion of Hardness into Pseudo-Randomness Russell Impagliazzo Computer Science and Engineering UC, San Diego 9500 Gilman Drive La Jolla, CA 92093-0114 russell@cs.ucsd.edu Ronen Saltiel