Abstract
We study the complexity of black-box constructions of pseudorandom functions (PRFs) from one-way functions (OWFs) that are secure against non-uniform adversaries. We show that if OWFs do not exist, then given as an oracle any (inefficient) hard-to-invert function, one can compute a PRF in polynomial time with only k(n) oracle queries, for any k(n)=ω(1) (e.g., k(n)=log∗ n). Combining this with the fact that OWFs imply PRFs, we show that unconditionally there exists a (pathological) construction of a PRF from OWF making at most k(n) queries. This result shows a limitation of a certain class of techniques for proving efficiency lower bounds on the construction of PRFs from OWFs. Our result builds on the work of Reingold, Trevisan, and Vadhan (TCC’04), who show that when OWFs do not exist there is a pseudorandom generator (PRG) construction that makes only one oracle query to the hard-to-invert function. Our proof combines theirs with the Nisan–Wigderson generator (JCSS’94), and with a recent technique by Berman and Haitner (TCC’12).
Working in the same context (i.e., when OWFs do not exist), we also construct a poly-time PRG with arbitrary polynomial stretch that makes non-adaptive queries to an (inefficient) one-bit-stretch oracle PRG. This contrasts with the well-known adaptive stretch-increasing construction due to Goldreich and Micali.
Both above constructions simply apply an affine function (parity or its complement) to the query answers. We complement this by showing that if the post-processing is restricted to only taking projections then non-adaptive constructions of PRFs, or even linear-stretch PRGs, can be ruled out.
1 Introduction
The notion of pseudorandomness is fundamental to the study of both cryptography and computational complexity. An efficient algorithm G:{0,1}n→{0,1}n+s is a (cryptographic) pseudorandom generator (PRG) with stretch s≥1 if no efficient adversary can distinguish a random output from a uniformly random string, except with negligible advantage. A family of efficient functions \(\mathcal{F} = \{F_{k}\mid k \in\{0,1\}^{n}\}\) indexed by a seed (or key) k is a pseudorandom function (PRF) if no efficient adversary with oracle access can distinguish a random function in \(\mathcal{F}\) from a uniformly random function, except with negligible advantage.
As the unconditional existence of a PRG/PRF would imply P≠NP, their security is typically shown via a reduction to a hardness assumption. The weakest possible assumption is the existence of one-way functions (OWFs), functions which are easy to compute but hard to invert. It is known that the existence of an OWF is sufficient to construct a PRG, i.e., there exists a construction G f:{0,1}n→{0,1}n+s that has black-box access to a function \(f : \{0,1\} ^{\ell}\to\{0,1\}^{\ell^{O(1)}}\) and computes a PRG whenever f is an OWF [18]. In addition, it is known that a PRG with stretch s≥n is sufficient to construct a PRF, again in a black-box manner [13]. These can be combined to show that OWFs suffice to construct PRFs.
The Efficiency of Cryptographic Constructions
Despite an intense research effort [9, 13–15, 17–20, 29, 30], black-box constructions of PRGs and PRFs based on OWFs remain relatively inefficient. Efficiency here can be measured in several different ways, including the seed length n relative to the OWF input length ℓ, the number of queries made to the OWF, and the circuit size of the construction. For example, the recent work of Vadhan and Zheng [29] gives a PRG with seed length n=O(ℓ 3), which is the best known. Also, the [29] construction makes \(\widetilde{O}(\ell^{3})\) queries to the OWF, and, of course, this number lower bounds the circuit size. For PRF constructions, these parameters are even larger. However, it would be desirable to have PRG and PRF constructions where these parameters are smaller, especially if theoretical constructions aim to have direct practical applications.
A natural approach to explaining this state of affairs is to prove lower bounds on the efficiency of these black-box constructions. Such a lower bound might show, for example, that any construction computing a PRG from black-box access to an arbitrary OWF f must make ≥ℓ queries to f. The seminal work of Impagliazzo and Rudich [23] was the first to study such “black-box separations” in the setting of cryptography, though the similar notion of oracle separations in complexity theory dates to the work of Baker, Gill, and Solovay [6]. Impagliazzo and Rudich observed that most cryptographic constructions, including [18] and [13], are of the following form which is known as fully black-box: G has only black-box access to f, and further any adversary A breaking G f yields an efficient adversary C A,f with black-box access to A and f that breaks f. The authors of [23] prove, among other things, that there is no fully black-box construction of key-agreement protocols from OWFs (regardless of efficiency).
Unfortunately, when it comes to primitives such as PRGs and PRFs that are known to exist relative to OWFs, lower bounds on the efficiency of fully black-box constructions remain elusive. Essentially, the only lower bound known is due to Gennaro et al. [12] who show that any PRG construction G f with stretch s must make at least Ω(s/logT) queries when the OWF f has security T. This lower bound is tight when the OWF is a permutation, as in this case there are constructions achieving this number of queries [9, 15, 30]. However, it is not known to be tight when starting from an OWF, as known constructions make n c queries, for various constants c>1, even for stretch s=1.
The results of [12] also imply a query lower bound of Ω(n/logT) for an n-bit-output PRF with seed length n, i.e., \(\mathcal{F} = \{F_{k} : \{0, 1\}^{n} \to\{0, 1\}^{n} \mid k \in\{0, 1\}^{n}\}\) because these give a PRG with stretch s=n via \(G^{f}(k) := F_{k}^{f}(0) \circ F_{k}^{f}(1)\). However, for a 1-bit-output PRF F k :{0,1}n→{0,1}, the results from [12] do not say anything. Indeed, perhaps surprisingly it is consistent with current knowledge that there exists a 1-bit-output PRF construction that has seed length n=O(ℓ) and makes only a single query to the OWF per output.
Reingold, Trevisan, and Vadhan [26] offer a possible explanation for our inability to prove stronger lower bounds on PRG constructions. They consider another type of construction which they term weakly black-box. In contrast to fully black-box constructions described above, these simply guarantee that G f is a PRG whenever f is hard to invert; i.e., C may depend arbitrarily on the adversary A. We suggest the alternative terminology, primitive black-box, to signify both that only the primitive (and not the adversary) is treated as a black-box, and that this is a “cruder” form of reduction. Note that in general primitive black-box constructions cannot be ruled out without ruling out the existence of PRGs, because if the latter exist a construction can just ignore the oracle and output a PRG.
The explanation of [26] has two components. First, they observe that the lower bound of [12] applies even to primitive black-box constructions, in the sense that a construction breaking the query/stretch tradeoff implies an unconditional PRG (this is also observed in [12]). Second, they prove that there exists an infinitely-often primitive black-box PRG construction G f:{0,1}n→{0,1}n+1 from an OWF f:{0,1}ℓ→{0,1}ℓ, where G makes only one query to f and has seed length n=2ℓ. (This construction, like ours below, does not immediately yield improved “real-world” efficiency due to the use of [18] as a component.) The conclusion is that any significant strengthening of [12] must use different techniques.
Despite their pathological nature, primitive constructions are important because any efficiency lower bound must account for them. After more than 20 years since the seminal results in [13, 18] and the result by Goldreich and Micali mentioned below, primitive constructions appear to offer the only available explanation for the lack of progress on efficiency lower bounds for fundamental cryptographic constructions.
Subsequent to our results below, Holenstein and Sinha [21] proved that any fully black-box construction of a PRG from an OWF f:{0,1}ℓ→{0,1}ℓ requires Ω(ℓ/logℓ) queries. This bound applies even to regular OWF, in which |f −1(y)| is the same for each y∈ range (f), in which case it matches the construction given by Goldreich, Krawczyk, and Luby [14]. Note that [21] circumvents the primitive black-box PRG construction of [26], but does not provide stronger query bounds on PRF constructions than what is given by [12]. In particular, it does not rule out PRF constructions making a single query per output bit.
Our Results on PRF Constructions
Our main result is an extension of [26] to pseudorandom functions. We show that there is an (infinitely-often) primitive black-box PRF construction that makes only k(n) queries to the OWF per output bit, for any k(n)=ω(1) (e.g., k(n)=log∗ n). Thus, one must avoid this construction to prove a super-constant lower bound on the query complexity of PRF constructions. This holds for OWFs that are secure against non-uniform adversaries; it is an interesting open problem to obtain such a construction in the uniform setting.
Theorem 1.1
For every k(n)=ω(1), there is a \(\operatorname{poly}(n)\)-time oracle algorithm F (⋅):{0,1}n×{0,1}n→{0,1} that makes k(n) non-adaptive oracle queries and satisfies the following: for some \(\ell= \varTheta(\sqrt{n})\) and every function f:{0,1}ℓ→{0,1}ℓ that is hard to invert by poly-size circuits, F f( ⋅ ,U n ) is a PRF for infinitely many input lengths.
The seed length of our construction is quadratic in ℓ, rather than linear as in [26]. This stems from our use of the Nisan–Wigderson PRG [25] in the construction. Reducing the seed length of this PRG to O(ℓ) is an open problem, and such an improvement would also reduce the seed length of our construction to O(ℓ). Note that we can also obtain an n-bit-output PRF by making any ω(n) queries, whereas [12] gives a lower bound of Ω(n/logT) as mentioned above.
We also make a modest step towards circumventing the above obstacle to proving black-box lower bounds. We observe that using non-black-box techniques (jumping ahead, the work by Applebaum et al. [2]), one can rule out a simple, yet arguably natural PRF construction. This natural construction is to “hash, then extract”, that is, we let the seed of the PRF specify a pairwise-independent (or even k-wise independent) hash function h and a seed s of an extractor \(\operatorname{Ext}\), and output \(\operatorname{Ext}(f(h(x)),s)\). We prove a negative result for such constructions whenever the hash function and the extractor are linear, that is, for any fixed seed they are a linear function of the input. We note that standard constructions of hash functions [1, 10, 11] and extractors [18, 27] are indeed linear.
Theorem 1.2
If there is an OWF computable in logarithmic space, and in particular if factoring is hard, then there is an OWF f such that \(\mathcal{F} = \{F_{h,s}(x) := \operatorname{Ext}(f(h(x)),s)\}\) is not a PRF for any functions h and \(\operatorname{Ext}\) that are linear for every fixed seed.
To our knowledge, it is not known how to rule out such “hash, then extract” constructions using black-box separation techniques.
The Role of Adaptivity in PRG Constructions
Our main result also has implications for constructions that increase the stretch of a PRG. Though the definition of a PRG only requires stretch s≥1, all cryptographic and derandomization applications of which we are aware require much larger stretch, e.g., linear (s=Ω(n)). An important and well-known result, due to Goldreich and Micali, is that the existence of a PRG with stretch s=1 implies the existence of a PRG with stretch \(s = \operatorname{poly}(n)\) for any desired polynomial. We briefly recall the construction that establishes this result (cf. [16, Sect. 3.3.2]).
For a one-bit-stretch generator G:{0,1}n→{0,1}n+1 and a positive integer k, let G k(x) denote the (n+1)-bit string resulting from k iterative applications of G, using x as the input for the first invocation, and the first n bits of the previous output as the input for subsequent invocations. Then, the “stretch-increasing” construction H (⋅):{0,1}n→{0,1}m is
That is, H iteratively queries G as described above, and outputs the final bit of each answer.
An aspect of this construction of particular interest to us is that the queries are adaptive, in the sense that the ith query can be determined only after the answer to the (i−1)th query has been received. The presence of adaptivity in such constructions is especially important when considering the existence of cryptographic primitives in “low” complexity classes. The celebrated work of Applebaum et al. [2], in combination with the (non-adaptive) construction of Haitner et al. [20], demonstrates the existence of a PRG computable in NC0 under the assumption that there exists an OWF computable in logarithmic space. However, the resulting PRG has sub-linear stretch, and the application of construction (1) would place it outside of NC0.
Our Results on Adaptivity
We show that, in the primitive black-box setting, there is a non-adaptive stretch-increasing construction with arbitrary polynomial stretch. This in fact follows from Theorem 1.1 because the queries made by the PRF construction are non-adaptive, and because any PRG is also an OWF. This again holds under the assumption that the one-bit-stretch generator is secure against non-uniform adversaries.
Theorem 1.3
For every constant c=O(1), there is a \(\operatorname{poly}(n)\)-time oracle algorithm \(H^{(\cdot)} : \{0,1\}^{n} \to\{0,1\}^{n^{c}}\) that makes n c non-adaptive oracle queries and satisfies the following: for some \(\ell= \varTheta(\sqrt{n})\) and every one-bit-stretch PRG G:{0,1}ℓ→{0,1}ℓ+1, H G(⋅) is a PRG for infinitely many input lengths. In addition, H (⋅) has the form
where q i :{0,1}n→{0,1}ℓ specifies the ith query, r i :{0,1}n→{0,1}ℓ+1 specifies the ith parity function, and t i :{0,1}n→{0,1} specifies whether to complement the ith bit.
In Theorem 1.3, the post-processing consists of applying an input-dependent affine function to the query answers (this is also true in Theorem 1.1). We complement this result by showing that the post-processing cannot be weakened to taking projections. More specifically, we give a fully black-box separation showing that non-adaptive linear-stretch constructions cannot have post-processing that only takes projections of the query answers. This means that, in particular, there is no non-adaptive PRF construction with projection post-processing.
Theorem 1.4
For all sufficiently large ℓ and for \(n \leq2^{\sqrt{\ell}}\), there is no fully black-box construction H (⋅):{0,1}n→{0,1}n+s of a generator with stretch s≥5n/logn and error ϵ≤1/4 from any one-bit-stretch generator G:{0,1}ℓ→{0,1}ℓ+1 with error \(\delta\geq2^{-\sqrt {\ell}/30}\) and with security reduction size \(t \leq2^{\sqrt{\ell }/30}\) of the form
where q i :{0,1}n→{0,1}ℓ specifies the ith query and b i :{0,1}n→[ℓ+1] specifies the bit of the ith answer to output.
Note that this holds even if G is secure against non-uniform adversaries. Theorem 1.4 indeed complements Theorem 1.3 because we observe in Theorem 4.3 that this impossibility result also extends to the primitive black-box setting, in the sense that any such construction implies NP/poly≠P/poly. As the post-processing in the Goldreich–Micali construction (1) consists of taking projections, linear-stretch constructions require either adaptive queries or post-processing the answers in a more sophisticated way than projecting.
It was pointed out to us by Benny Applebaum that Theorem 1.4 can be strengthened to rule out even AC0 post-processing; we elaborate on this improvement in Sect. 1.2.
1.1 Techniques
Our main idea behind the proofs of Theorems 1.1 and 1.3 is to combine the construction of [26] with the Nisan–Wigderson PRG [25]. The [26] construction is proved secure by a case analysis, depending on the existence or non-existence of an OWF. If an OWF exists, we use the results of Håstad et al. [18] and Goldreich et al. [13] yielding that a PRF also exists; the construction then ignores its oracle and simply outputs a PRF.
If OWFs do not exist, this means that the oracle cannot be computed by poly-size circuits (since it is assumed to be hard to invert). We then use Goldreich–Levin [15] to transform the oracle into a Boolean function that is hard to compute by any family of poly-size circuits. Until now this is the argument in [26]. (Actually, [26] is more involved because it works even in the uniform setting.) We next apply the Nisan–Wigderson construction to get an arbitrary polynomial-stretch PRG. This gives Theorem 1.3.
To turn this into a PRF and thus prove Theorem 1.1, we employ a recent technique by Berman and Haitner [7]. First, we observe that for every constant c one can obtain a “weak PRF” that is secure against adversaries which make at most n ϵ⋅c queries and have distinguishing advantage ≥1/n ϵ⋅c. This is obtained by hashing the input to select one of the n c bits generated via Nisan–Wigderson as above.
To obtain a single PRF that has this security for every constant c, we xor k=ω(1) copies of the weak PRF that are secure with respect to constants c=1,2,…,k.
Since the Nisan–Wigderson construction is non-adaptive and each copy of the weak PRF is independent, this construction makes k non-adaptive queries to its oracle.
We note that, as is well-known, the proof of correctness of the Nisan–Wigderson construction requires non-uniformity, and this is what prevents this result from applying in the uniform setting.
To break the “hash, then extract” PRF construction (Theorem 1.2), we use the OWF computable in NC0 given by Applebaum et al. [2]. Then, every \(F_{h,s} \in \mathcal{F}\) is computable by a low-degree polynomial and so can be distinguished by the results of Alon et al. [4].
We now explain the proof of Theorem 1.4, the impossibility result for non-adaptive constructions with projection post-processing. Our proof is similar to the lower bound by Gennaro et al. mentioned previously [12], though we do not bound the number of queries. For simplicity, we first explain the proof in the case in which the construction always outputs the same bit of the answers, say the first bit (i.e., b i (x)=1 for all i).
We start by considering a (non-explicit) PRG G:{0,1}ℓ→{0,1}ℓ+1 that is hard to break even for circuits that have oracle access to G. Such PRGs are obtained in an unpublished manuscript of Impagliazzo [22] and in a work by Zimand [31]. (They work in a slightly different setting, however, obtaining a PRG with high probability in the random oracle model. For completeness we present a streamlined version of their arguments in Sect. 5.) By padding, we can modify our oracle to have the extra property that G(x)1=x 1 for every x. But now, H doesn’t need to query G because each output bit \(G(q_{i}(x))_{b_{i}(x)}\) can be replaced with q i (x)1. So we can consider an adversary A that breaks H G by simply checking, given a challenge z∈{0,1}m, whether there exists an x such that z i =q i (x)1 for all i. This breaks H as soon as the output length is ≥|x|+1. Since H doesn’t use G anymore, neither does the adversary A. Hence the ability to access A does not compromise the security of G, contradicting Definition 2.1.
To generalize our result to constructions that output different bits, i.e., not always the first one, we identify a set of indices T⊆[ℓ+1] of size ℓ(1−Θ(1/logℓ)) such that, for most input strings x∈{0,1}n, most of the bits b i (x) chosen by H fall inside T. We exploit this fact by designing an oracle PRG G that reveals the first |T| bits of its input on the set T, that is, G(x)| T =x 1 x 2⋯x |T| for every input x. (Here and throughout, we use the notation x| S to denote the bits of x selected by indices in a set S.) We then consider an adversary A that distinguishes H G from uniform by examining, for every x∈{0,1}n, only the bits i such that b i (x)∈T, and checking if each bit matches the corresponding bit from the query q i (x). This turns out to break H as soon as the output length is ≥|x|+Ω(|x|/log|x|) (we do not attempt to optimize this value and content ourselves with anything sublinear). We show that G remains secure even against adversaries with oracle access to this A (which is possible because A depends on G only through the set T), and thus there is no C such that C A,G breaks G, again contradicting Definition 2.1.
To obtain the result for primitive constructions, we observe that A can be computed in NP/poly, and hence, under the assumption that NP/poly=P/poly, we obtain a distinguisher.
1.2 More Related Work
The earlier work [28] (which was later extended by [24]) analyzes a type of pseudorandom generator construction that is very similar to ours. The constructions in [28] make non-adaptive queries to an oracle one-way function, and then apply an arbitrary unbounded-fan-in constant-depth circuit (AC0) to the outputs; [28] shows that such constructions cannot have linear stretch. At first glance this construction is incomparable to Theorem 1.4, because it starts from a weaker primitive (one-way function instead of one-bit-stretch generator) but on the other hand allows for AC0 postprocessing instead of just projections.
However, it was pointed out to us by Benny Applebaum that a strengthening of Theorem 1.4 follows from [28] when combined with the works [2] and [20]. Specifically, a version of Theorem 1.4 holds even if the construction H is allowed to apply an AC0 circuit to the output of the one-bit-stretch oracle PRG G (rather than just taking projections). We now elaborate on this improvement. (We also remark that at the moment this establishes a strengthened negative result only for constructions that start from a uniform hardness assumption, because Theorem 1.1 in [28] is only proved for those.)
Assume that there exists a fully black-box construction H (⋅):{0,1}n→{0,1}n+s of a PRG from a one-bit-stretch PRG which has the form \(H^{G}(x) := C_{x}(G(q_{1}(x)),\ldots, G(q_{\operatorname {poly}(n)}(x)))\), where C x is an AC0 circuit generated arbitrarily from x and the functions q i are arbitrary as before. Let \(G_{\mathrm{HRV}}^{(\cdot)} : \{0,1\}^{\ell}\to\{0,1\}^{\ell+1}\) be the fully black-box construction of a PRG from an OWF given by [20, Theorem 6.1]. This construction has the form \(G_{\mathrm{HRV}}^{f}(x) := C'(x,f(x'_{1}),\ldots,f(x'_{t}))\) where C′ is an NC1 circuit and the \(x'_{i}\) are disjoint projections of the input x. Then, we can apply the compiler from [2, Remark 6.7] to obtain a fully black-box construction \(G_{\mathrm{AIK}}^{(\cdot)} : \{ 0,1\}^{\ell} \to\{0,1\}^{\ell+1}\) of a PRG from an OWF of the form \(G_{\mathrm{AIK}}^{f}(x) := C''(x,f(x'_{1}),\ldots,f(x'_{t}))\), where now C″ is an NC0 circuit (and thus is also an AC0 circuit). (For both G HRV and G AIK the seed length is \(\ell= \operatorname{poly}(m)\), where m is the input length of the oracle OWF, though the [2] compiler does increase the seed length.) Finally, by combining H and G AIK, we obtain a fully black-box construction \(H_{*}^{(\cdot)} : \{0,1\}^{n} \to\{0,1\} ^{n+s}\) of a PRG from an OWF which has the form \(H_{*}^{f}(x) := C'''_{x}(f(q_{1}(x)),\ldots,f(q_{\operatorname{poly}(n)}(x)))\) where \(C'''_{x}\) is an AC0 circuit. This is a contradiction to [28, Theorem 1.1] when the oracle f:{0,1}m→{0,1}k has logω(1) m<k≤m O(1) and the stretch s is greater than n⋅logO(1) m/k=o(n).
Finally, we mention that, in a concurrent work, Bronson, Juma and Papakonstantinou [8] also study non-adaptive black-box PRG constructions and obtain results which are incomparable to ours.
Organization
In Sect. 2, we formally define the types of black-box constructions we consider. In Sect. 3, we give our PRF construction (Theorem 1.1) and the corresponding stretch-increasing construction (Theorem 1.3). In Sect. 3.3, we rule out “hash, then extract” PRF constructions (Theorem 1.2). In Sect. 4, we prove the fully black-box separation result (Theorem 1.4). Finally, in Sect. 5, we construct the one-bit-stretch oracle generator used in Sect. 4.
2 Black-Box Constructions
Here we give the formal definitions of the black-box constructions that we consider. To explain and motivate these, we start by sketching the proof of correctness of the Goldreich–Micali construction (1).
Suppose there is an adversary A that distinguishes H G(U n ) from U m with advantage greater than ϵ⋅m. Using a hybrid argument, one can show that there exists a k∈[m]:={1,…,m} such that A distinguishes the distributions U k−1∘(H G(U n )|[m−(k−1)]) and U k ∘(H G(U n )|[m−k]) with advantage greater than ϵ. Then, we define a probabilistic oracle circuit C (⋅) as follows: on input (x,b)∈{0,1}n×{0,1}, C A,G computes H G(x) using its oracle to G, chooses y∈{0,1}k−1 uniformly at random, and then outputs A(y∘b∘H G(x)|[m−k]). Depending on whether (x,b) was chosen from U n+1 or from G(U n ), the input C gives to A will come from one of the two hybrid distributions that A can distinguish between, and so C distinguishes G with advantage greater than ϵ, contradicting G’s pseudorandomness.
This argument is an example of a black-box reduction: it applies to any (possibly hard to compute) functions G and A, provided that we are given oracle access to them. We now formally define stretch-increasing PRG constructions in the fully black-box setting. Here and throughout, we adopt the standard convention that whenever a random variable appears multiple times in the same probability expression, it denotes the same sample. Also, we define the size of a circuit to be the number of wires it contains.
Definition 2.1
(Fully black-box stretch-increasing construction)
An oracle function H (⋅):{0,1}n→{0,1}n+s is a fully black-box stretch-increasing construction with security reduction size t of a generator with stretch s and error ϵ from any one-bit-stretch oracle generator G:{0,1}ℓ→{0,1}ℓ+1 with error δ if the following holds:
For every 1-bit stretch generator G:{0,1}ℓ→{0,1}ℓ+1 and every adversary A, if A distinguishes H G with advantage ϵ, i.e.,
then there is an oracle circuit C (⋅) of size t that, when given oracle access to both A and G, distinguishes G with advantage δ, i.e.,
We next formally define primitive black-box constructions. These differ from the above in that the adversary C may depend arbitrarily on A (i.e., C is not required to treat A as a black-box), but C is only required to exist in the case when A is efficient. We work in the asymptotic setting for these definitions because our results are cleaner to state in that setting. We also note that our primitive black-box constructions will hold for infinitely many (as opposed to sufficiently large) input lengths.
Definition 2.2
(Infinitely-often primitive black-box stretch-increasing construction)
Let ℓ be a security parameter, and let n=n(ℓ) and s=s(ℓ). An oracle function H (⋅):{0,1}n→{0,1}n+s is an infinitely-often primitive black-box stretch-increasing construction with stretch s if the following holds:
For every c there exists c′ such that for every ℓ 0 there exists ℓ≥ℓ 0 such that for every G:{0,1}ℓ→{0,1}ℓ+1, if there exists a circuit A of size at most n c that distinguishes H G with advantage at least 1/n c, i.e.,
then there exists a circuit C (⋅) of size at most ℓ c′ that distinguishes G with advantage at least 1/ℓ c′, i.e.,
Definition 2.3
(Infinitely often primitive black-box PRF construction)
Let ℓ be a security parameter and let n=n(ℓ). A set of oracle functions \(\mathcal{F} = \lbrace f^{(\cdot)} : \{0,1\}^{n} \to\{0,1\} \rbrace\) is an infinitely-often primitive black-box PRF construction if the following holds:
For every c there exists c′ such that for every ℓ 0 there exists ℓ≥ℓ 0 such that for every g:{0,1}ℓ→{0,1}ℓ, if there exists a circuit A (⋅) of size at most n c that distinguishes \(\mathcal{F}^{g}\) with advantage at least 1/n c, i.e.,
where \(\mathcal{U}\) is the uniform distribution over functions mapping {0,1}n→{0,1}, then there exists a circuit C (⋅) of size at most ℓ c′ that inverts g with probability at least 1/ℓ c′, i.e.,
3 Non-adaptive Primitive Black-Box Constructions
In this section, we prove Theorems 1.1 and 1.3. We first state the definitions of an OWF and hard to compute functions that we will use.
Definition 3.1
(One-way function)
Let f:{0,1}∗→{0,1}∗ be a function. f is hard to invert if for all constants c, there is a constant ℓ 0 such that for all ℓ≥ℓ 0 and every oracle circuit C (⋅) of size at most ℓ c we have Pr[C f(f(U ℓ ))∈f −1(f(U ℓ ))]<1/ℓ c. If in addition f is computable by circuits of size \(\operatorname{poly}(\ell)\), f is a one-way function.
Definition 3.2
(Hard to compute infinitely often)
Let f:{0,1}∗→{0,1} be a Boolean function. f is hard to compute infinitely often if for every c and ℓ 0, there exists ℓ>ℓ 0 such that for every circuit C of size at most ℓ c, we have Pr[C(U ℓ )=f(U ℓ )]<1/2+1/ℓ c.
In what follows, we will sometimes make the assumption that “OWFs do not exist”, which means that for any function f that is hard to invert, every \(\operatorname{poly}(\ell)\)-sized circuit family fails to compute f on infinitely many input lengths. The following lemma constructs a function that is hard to compute infinitely often from one that is hard to invert, when OWFs do not exist. This was also proved in [26] in the uniform setting. Our proof, which relies on non-uniformity, is a bit simpler.
Lemma 3.3
Assume that OWFs do not exist, and let f:{0,1}∗→{0,1}∗ be hard to invert. Then the Boolean function f′(x,r):=〈f(x),r〉 is hard to compute infinitely often.
Proof
Assume for contradiction that there exist constants c and ℓ 0 such that for all ℓ≥ℓ 0, there exists a circuit C of size ≤ℓ c such that \(\Pr[C(U_{\ell},U'_{\ell}) = \langle f(U_{\ell}), U'_{\ell}\rangle] \geq1/2 + 1/\ell^{c}\), where U ℓ and \(U'_{\ell}\) denote independent instances of the uniform distribution on {0,1}ℓ (we assume for simplicity that f is length-preserving). Then by the Goldreich–Levin theorem, there exist constants c′ and \(\ell'_{0}\) such that for all \(\ell\geq\ell'_{0}\), there exists a circuit C′ of size ≤ℓ c′ such that Pr[C′(U ℓ )=f(U ℓ )]≥1/ℓ c′. Now notice that C′ computes a weak OWF, that is, the function computed by C′ can only be inverted on strictly less than a 1−1/(2ℓ c′) fraction of inputs by circuits of size \(\operatorname{poly}(\ell)\) for sufficiently large ℓ, because any circuit which inverts C′ on a \(1-1/(2\ell^{c_{1}})\) fraction of inputs also inverts f on at least a \(1/(2\ell^{c_{1}})\) fraction of inputs. However, using the standard direct product construction (originally due to Yao [30]; see also [16, Thm. 2.3.2]), this implies the existence of an OWF, contradicting the assumption that OWFs do not exist. □
3.1 Stretch-Increasing Construction
In this section, we prove Theorem 1.3, the non-adaptive stretch-increasing construction; this can be viewed as a warmup for our PRF construction in the subsequent section. We use the following definition of a PRG.
Definition 3.4
(Pseudorandom generator)
A function G:{0,1}n→{0,1}n+s is a (T,ϵ)-pseudorandom generator if s≥1 and for every oracle circuit C (⋅) of size ≤T, we have |Pr[C G(G(U n ))=1]−[C G(U n+s )=1]|<ϵ.
By virtue of Lemma 3.3, Theorem 1.3 will actually hold when the oracle is any function that is hard to invert. For completeness and to justify the term “stretch-increasing”, we note that any one-bit-stretch PRG is hard to invert.
Lemma 3.5
If G:{0,1}ℓ→{0,1}ℓ+1 is a (p(ℓ),1/p(ℓ))-pseudorandom generator for all polynomials p and sufficiently large ℓ, then it is hard to invert.
Proof
Assume for contradiction that there exist constants c and ℓ 0 such that for all ℓ>ℓ 0 there exists a circuit C of size ≤ℓ c and an ϵ≥1/ℓ c such that Pr[C(G(U ℓ ))∈G −1(G(U ℓ ))]=ϵ. Then, define an adversary A (⋅):{0,1}ℓ+1→{0,1} as follows: On input y, A G computes x=C(y), uses its oracle to G to check if G(x)=y, and outputs 1 iff this holds. We clearly have \(|A| = \operatorname{poly}(\ell)\) and Pr[A(G(U ℓ ))=1]=ϵ.
Let \(T \subseteq\operatorname{Im}(G)\) be the set of outputs that C inverts, and note that ∑ y∈T Pr[G(U ℓ )=y]=ϵ. For each y∈T we have Pr[G(U ℓ )=y]≥1/2ℓ, and so |T|/2ℓ≤ϵ. Then, since A will only output 1 on inputs that C can invert and since no string outside \(\operatorname{Im}(G)\) can be inverted, we have Pr[A(U ℓ+1)=1]=|T|/2ℓ+1≤ϵ/2, and thus A distinguishes G from uniform with advantage \({\geq}\epsilon/2 = 1/\operatorname{poly}(\ell)\). □
In order to apply the Nisan–Wigderson construction, we recall the notion of designs.
Definition 3.6
(Design)
A collection of sets S 1,…,S d ⊆[n] is an (ℓ,α)-design if
-
1.
∀i: |S i |=ℓ.
-
2.
∀i≠j: |S i ∩S j |≤α.
Lemma 3.7
([25])
For any integers d and ℓ such that logd≤ℓ≤d, there exists a collection S 1,…,S d ⊆[4ℓ 2] which is an (ℓ,logd)-design. For this collection, on input j∈[d] the set S j can be constructed in time \(\operatorname{poly}(\ell)\).
We now give the proof of Theorem 1.3, which follows closely the argument in [25].
Theorem 3.8
(Theorem 1.3 restated)
Let ℓ be a security parameter, and let n=17ℓ 2. Then for any constant c>1, there exists an infinitely-often primitive black-box stretch-increasing construction \(H^{(\cdot)} : \{0,1\}^{n} \to \{0,1\}^{n^{c}}\) from any one-bit-stretch generator G:{0,1}ℓ→{0,1}ℓ+1. In addition, H (⋅) is computable in time \(\operatorname{poly}(n)\), and has the form
where q i :{0,1}n→{0,1}ℓ specifies the ith query, r i :{0,1}n→{0,1}ℓ+1 specifies the ith parity function, and t i :{0,1}n→{0,1} specifies whether to complement the ith bit.
Proof
If OWFs exist, then by the results of [18] there exists a PRG \(H' : \{0,1\}^{n} \to\{0,1\}^{n^{c}}\). Then, the construction H (⋅) is simply H G(z):=H′(z). Note that this can be achieved in the form stated in the theorem by setting r i (z)=0ℓ+1 for all i and z, and choosing the t i appropriately to compute each bit of H′.
Now assume that OWFs do not exist. Let G:{0,1}ℓ→{0,1}ℓ+1 be any function, and define f:{0,1}2ℓ+1→{0,1} as f(x,r):=〈G(x),r〉. Fix a constant c>1, and define n=4(2ℓ+1)2 (which is at most 17ℓ 2 for sufficiently large ℓ). Let \(S_{1},\ldots,S_{n^{c}} \subseteq[n]\) be the (2ℓ+1,clogn) design guaranteed by Lemma 3.7. Then, the construction \(H^{G} : \{0,1\}^{n} \rightarrow\{0,1\}^{n^{c}}\) is defined as
If there exists a polynomial p and a circuit family of size p(ℓ) that distinguishes G from uniform with advantage at least 1/p(ℓ), then the theorem is trivially true. Thus, we can take G to be (p(ℓ),1/p(ℓ))-pseudorandom for all polynomials p and sufficiently large ℓ. We will show that if H G can be distinguished from random by an efficient adversary, then f can be computed efficiently with probability noticeably bigger than 1/2, contradicting Lemmas 3.3 and 3.5.
Assume for contradiction that there exists a constant c 0 and a circuit family A of size \(n^{c_{0}}\) that distinguishes H G(U n ) from \(U_{n^{c}}\) with advantage \(1/n^{c_{0}}\). By the standard equivalence between distinguishing and next-bit predicting [30] (cf. [16, Thm. 3.3.7]), this implies the existence of i∈[n c] and a circuit family A′:{0,1}i−1→{0,1} of size \(n^{O(c_{0})}\) such that
Separating out the part of the input indexed by S i , this can be rewritten as
where z∈{0,1}n is defined by \(z|_{S_{i}} = x\) and \(z|_{\overline{S_{i}}} = y|_{\overline{S_{i}}}\). By an averaging argument, there is a way to fix y∈{0,1}n such that (2) holds; from here on, we assume that this y is fixed. For each j∈[i], define the function f j :{0,1}2ℓ+1→{0,1} as f j (x):=H G(z) j , where now z∈{0,1}n is defined by \(z|_{S_{i} \cap S_{j}} = x_{1}x_{2}\cdots x_{|S_{i} \cap S_{j}|}\) and \(z|_{\overline{S_{i} \cap S_{j}}} = y|_{\overline{S_{i} \cap S_{j}}}\). (Note that f i is equivalent to f.) Since |S i ∩S j |≤clogn and y is fixed, for j≤i−1 each f j is computable by a circuit family of size \(\operatorname{poly}(n) = \operatorname{poly}(\ell)\). Finally, define the circuit family A″:{0,1}2ℓ+1→{0,1} as A″(x):=A′(f 1(x),…,f i−1(x)). It can be easily checked that A″ has size \(\operatorname{poly}(\ell)\) and correctly computes H G(x) i =f(x) on a random x with probability at least \(1/2 + 1/n^{c+c_{0}}\). □
3.2 PRF Construction
We now extend the previous construction to get a low-query, non-adaptive primitive black-box PRF construction from any OWF f. The proof again proceeds via a case analysis, as follows. In the case when OWFs exist, [18] and [13] give a PRF. If OWFs do not exist, we use 〈f(x),r〉 in the Nisan–Wigderson construction as above. Then we apply a pairwise-independent hash function to select a bit of this construction’s output, obtaining for any i a “weak PRF” \(\mathcal{F}_{i}\) that has security n Ω(i) when i=O(1). Finally, by taking k(n)=ω(1) and \(\mathcal{F} := \bigoplus_{j \leq k} \mathcal{F}_{j}\), and showing a reduction from breaking \(\mathcal{F}_{i}\) to breaking \(\mathcal{F}\), we prove that \(\mathcal{F}\) is a PRF because any poly-size circuit breaking \(\mathcal{F}\) contradicts the hardness of \(\mathcal{F}_{i}\) for sufficiently large i=O(1)≤k.
Theorem 3.9
(Theorem 1.1 restated)
Let ℓ be a security parameter, and let n=16ℓ 2. For any k=k(n)=ω(1), there is an infinitely-often primitive black-box PRF construction \(\mathcal{F} = \lbrace F^{(\cdot)} : \{0,1\}^{n} \to\{0,1\} \rbrace\) from any oracle function f:{0,1}ℓ→{0,1}ℓ, of the form
where q i :{0,1}n→{0,1}ℓ specifies the ith query, r i :{0,1}n→{0,1}ℓ specifies the ith parity function, and t:{0,1}n→{0,1} specifies whether to complement the output bit. The functions q i , r i , and t are specified by the O(n)-bit seed of \(F^{(\cdot)} \in\mathcal{F}\) and are all \(\operatorname{poly}(n)\)-time computable.
Proof
Note that the theorem is trivially true for any oracle that is not hard to invert, so we assume throughout that f is hard to invert.
If OWFs exist, then by [18] and [13] we know that infinitely-often PRFs exist (in fact, they exist for all sufficiently large input lengths), so we can take F (⋅) to be the construction that ignores its oracle and outputs such a PRF. This can be achieved in the stated form by setting r i (x)=0ℓ for all i and x, and choosing t appropriately to compute the PRF.
Now assume that OWFs do not exist. We give the construction \(\mathcal {F}_{i}\), from which we will construct \(\mathcal{F} := \bigoplus_{j \leq k} \mathcal{F}_{j}\).
Let f′:{0,1}∗→{0,1} be defined on even input lengths by f′(x,r):=〈f(x),r〉. For any even \(\ell\in\mathbb {N}\), let n=4ℓ 2.Footnote 1 For an integer i≤n/logn, let \(\mathcal{H} = \lbrace h : \{0,1\}^{n} \to[n^{i}] \rbrace\) be a pairwise-independent hash family, and let \(S_{1},\ldots,S_{n^{i}} \subseteq[n]\) be the (ℓ,ilogn)-design guaranteed by Lemma 3.7. (The bound i≤n/logn is to guarantee n i≤2n.)
Then, \(\mathcal{F}_{i} = \lbrace F_{h,z} : \{0,1\}^{n} \to\{0,1\}\ | h \in\mathcal{H},\ z \in\{0,1\}^{n} \rbrace\) is defined as
Note that F h,z (x) has the form 〈f(q i (x)),r i (x)〉. As i is bounded, F h,z is computable (with oracle access to f) in time n α for a universal constant α independent of i.
The following claim relates the hardness of distinguishing \(\mathcal {F}_{i}\) to that of computing f′.
Claim
If there exists a circuit of size ≤n i/4 that distinguishes \(\mathcal{F}_{i}\) with advantage ≥1/n i/4, then there exists a circuit of size ℓ O(i) that computes f′(U ℓ ) with probability ≥1/2+1/ℓ 3i.
Before proving this claim, we show how it implies the theorem. Let k=k(n) be any monotonic non-decreasing integer function such that k=ω(1) and k≤n/logn, and define \(\mathcal{F} := \bigoplus_{j \leq k} \mathcal{F}_{j}\). We will show that a distinguisher of size n c for \(\mathcal{F}\) implies the existence of a distinguisher of size n O(c) for \(\mathcal{F}_{i}\). Then by choosing an appropriate i=Θ(c) and letting n be sufficiently large to guarantee k≥i, this will imply the existence of a poly-size circuit computing f′, in contradiction to Lemma 3.3.
Assume for contradiction that there exist constants c and n 0 and a circuit (family) A (⋅) of size n c such that A (⋅) distinguishes \(\mathcal{F}\) from uniform with advantage ≥1/n c for all input lengths n≥n 0. For any i≤k, we construct a circuit \(A_{i}^{(\cdot)}\) that distinguishes \(\mathcal{F}_{i}\) from uniform with the same advantage on the same input lengths, as follows: \(A_{i}^{\mathcal{O}}\) simulates A (⋅), and answers its oracle queries with \(\mathcal{O} \oplus\bigoplus_{j \neq i} \mathcal{F}_{j}\). The key point is that if \(\mathcal{O} = \mathcal{F}_{i}\) then the simulated oracle is \(\mathcal{F}\), and if \(\mathcal{O}\) is uniform then the simulated oracle is uniform. The size of A i is ≤n c⋅k(n)⋅n α, where n α is the size needed to compute each \(\mathcal{F}_{j}\). Let c′=c+O(1) be a constant (independent of i) such that |A i |≤n c′, and note that A i distinguishes \(\mathcal{F}_{i}\) with advantage ≥1/n c′ on all input lengths n≥n 0.
Now let i=⌈4c′⌉, and let \(n_{0}' \geq n_{0}\) be the smallest integer such that \(k(n_{0}') \geq i\). Then A i has size ≤n i/4 and distinguishes \(\mathcal{F}_{i}\) with advantage ≥1/n i/4 on all input lengths \(n \geq n_{0}'\). By the claim, this gives a circuit of size ℓ O(1) that computes f′(U ℓ ) with probability 1/2+1/ℓ O(1) for all input lengths \(\ell\geq \sqrt{n_{0}'}/2\), which contradicts Lemma 3.3.
We now prove the claim.
Proof of Claim
Let A (⋅) be an oracle circuit of size ≤n i/4 such that
Let \(B : \{0,1\}^{n^{i}} \to\{0,1\}\) be the circuit of size |A|⋅n O(i) which, on input x, selects a uniform \(h \leftarrow\mathcal {H}\) and simulates A (⋅) by answering query q∈{0,1}n with x h(q)∈{0,1}. By construction, we have the following:
Now let E be the event that A F∘h makes two queries q≠q′ such that h(q)=h(q′); it can be shown that Pr F,h [E]<|A|2/n i≤1/n i/2 by a collision-probability argument. Note that conditioned on ¬E, B(x) is distributed identically to A F when x is chosen uniformly, i.e.,
and therefore
(Technically, this inequality holds either for B or for the circuit which outputs the opposite of B; we take B to be the circuit for which it holds. Also, note that we can take B to be a deterministic circuit by fixing the choice of h that maximizes the above difference.)
By the Nisan–Wigderson analysis (cf. proof of Theorem 3.8), the fact that each pair of distinct S j ,S j′ have overlap ≤ilogn implies the existence of a circuit C of size ≤|B|⋅n O(i)=ℓ O(i) that computes f′ correctly on a 1/2+1/2n 5i/4≥1/2+1/ℓ 3i fraction of inputs of size ℓ. □
This completes the proof of the theorem. □
3.3 An Impossible PRF Construction
Here we briefly mention a seemingly natural approach for constructing PRFs from OWFs, and show that it fails for a specific choice of the OWF. For simplicity of notation, we take the PRF and OWF to have the same input length n.
The approach is to “hash, then extract’, that is, we let the seed of the PRF specify a pairwise-independent hash function h:{0,1}n→{0,1}n, and a seed s∈{0,1}m of an extractor \(\operatorname{Ext} : \{0,1\}^{n} \times\{0,1\}^{m} \to\{0,1\}\), and output
where f:{0,1}n→{0,1}n is an OWF. More generally, one can hash the input to \(\operatorname{poly}(n)\) k-wise independent samples for k=O(1), apply f to each sample, and then extract. All the considerations in this section apply to this more general construction as well. This approach seems natural because if one models each output of the OWF as giving some amount of fresh randomness, then such a construction can work. Indeed, the oracle OWF f:{0,1}n→{0,1}n constructed in [12] has the property that it is uniformly random on ω(logn) bits and fixed on all other bits. For any such OWF, applying the inner product extractor \(\operatorname {Ext}(x,s) := \langle x,s \rangle\) gives a (1-bit-output) PRF because the output is uniform as long as one of f’s random bits is “hit” by s. (Note that the probability that there exists one of \(\operatorname {poly}(n)\) queries for which a random bit is not hit is at most \(\operatorname{poly}(n) \cdot2^{-\omega(\log n)} = n^{-\omega(1)}\).)
However, we observe that such an approach cannot produce a PRF without either (a) violating many widely-held cryptographic assumptions or (b) relying on properties of \(\operatorname{Ext}\) other than its output being statistically close to uniform. To show that this approach cannot work, we use the NC0 OWF given by Applebaum, Ishai and Kushilevitz [2].
Theorem 3.10
([2])
If there is an OWF computable in logarithmic space, then there is an OWF f:{0,1}n→{0,1}n computable in NC0.
We will also use the distinguisher given by Alon et al. [4].
Theorem 3.11
([4])
For every d>0, there is a randomized algorithm A (⋅) running in time 2O(d)⋅n O(1) with oracle access to a function g:{0,1}n→{0,1} such that Pr[A g=1]=1 when g is a degree ≤d polynomial and Pr[A g=1]<1/2 when g is a uniformly random function.
We now restate and prove our theorem. Note that there are well-known constructions of linear hash functions h [1, 10, 11] and extractors \(\operatorname{Ext}\) that are linear for every fixed seed [18, 27].
Theorem 1.2
If there is an OWF computable in logarithmic space, and in particular if factoring is hard, then there is an OWF f such that \(\mathcal{F} = \{F_{h,s}(x) := \operatorname{Ext}(f(h(x)),s)\}\) is not a PRF for any functions h and \(\operatorname{Ext}\) that are linear for every fixed seed.
Proof
Assume that there is an OWF computable in logarithmic space, let f:{0,1}n→{0,1}n be the NC0 OWF given by Theorem 3.10, and let \(\mathcal{F}\) be as in the statement of the theorem. Because any NC0 function is computable by a degree d=O(1) polynomial and \(\operatorname{Ext}\) and h are linear, every \(F_{h,s} \in\mathcal{F}\) is computable by a degree-d polynomial. Thus the algorithm A from Theorem 3.11 runs in time n O(1) and distinguishes \(\mathcal{F}\) from uniform with advantage >1/2, so \(\mathcal{F}\) is not a PRF. □
We also mention that such a construction can be broken by essentially the same argument even when f is a linear-stretch PRG (a stronger primitive than OWF), using the NC0 construction of such PRG due to [3] which is secure under the (somewhat non-standard) assumption of Alekhnovich [5].
4 Fully Black-Box Stretch-Increasing Constructions
In this section, we prove Theorem 1.4, the impossibility result for non-adaptive stretch-increasing constructions with projection post-processing. Recall that this requires constructing a one-bit-stretch oracle G with the key property, stated in the next theorem, that it reveals a large portion of its input, i.e., most output bits are simply copied from the input.
Theorem 4.1
Let \(\ell,d \in\mathbb{N}\) be sufficiently large with d≤ℓ/2. Then, for any subset T⊆[ℓ+1] with |T|=ℓ−d and any oracle A, there exists a generator G:{0,1}ℓ→{0,1}ℓ+1 such that
-
1.
G is (2d/30,2−d/30)-pseudorandom against adversaries with oracle access to A (and G).
-
2.
For every input x∈{0,1}ℓ, G(x)| T =x 1 x 2⋯x ℓ−d .
The proof of this theorem is relatively straightforward given previous work [12, 14, 15, 22, 31]. For completeness we include a proof in Sect. 5, where we also discuss the relationship with previous work.
We now show how Theorem 4.1 is used to prove Theorem 1.4. First, we need a simple technical lemma showing that for any stretch-increasing construction of the specified form, we can find a large set of indices inside which most b i (x) fall for most choices of x.
Lemma 4.2
Let \(n,d,s,\ell\in\mathbb{N}\) with d<ℓ. Let {b i :{0,1}n→[ℓ+1]} i∈[n+s] be a collection of n+s functions. Then, there exists a set T⊆[ℓ+1] of size ℓ−d such that
Proof
Let S⊆[ℓ+1] denote a random subset of size d+1. We have Pr x,i,S [b i (x)∈S]=(d+1)/(ℓ+1), and so we can fix some S so that Pr x,i [b i (x)∈S]≤(d+1)/(ℓ+1). This can be restated as \(\mathbb{E}_{x} [\Pr_{i} [b_{i}(x) \in S ] ] \leq(d+1)/(\ell+1)\), and so, by Markov’s inequality, we have Pr x [Pr i [b i (x)∈S]≥4(d+1)/(ℓ+1)]≤1/4. Letting T:=[ℓ+1]∖S completes the proof. □
We now prove Theorem 1.4.
Theorem 1.4
For all sufficiently large ℓ and for \(n \leq2^{\sqrt{\ell}}\), there is no fully black-box construction H (⋅):{0,1}n→{0,1}n+s of a generator with stretch s≥5n/logn and error ϵ≤1/4 from any one-bit-stretch generator G:{0,1}ℓ→{0,1}ℓ+1 with error \(\delta\geq2^{-\sqrt {\ell}/30}\) and with security reduction size \(t \leq2^{\sqrt{\ell }/30}\) of the form
where q i :{0,1}n→{0,1}ℓ specifies the ith query and b i :{0,1}n→[ℓ+1] specifies the bit of the ith answer to output.
Proof
Let H (⋅) be a construction of the specified form. Fix a parameter d:=ℓ/logn. Fix T⊆[ℓ+1] to be the subset of size ℓ−d guaranteed by Lemma 4.2. For each x∈{0,1}n, let I x denote the set {i:b i (x)∈T}⊆[n+s]. Using s=5n/logn, the chosen value for d, and the fact that |I x | is an integer, the bound from Lemma 4.2 can be restated as Pr x [|I x |≥n+1]≥3/4 for sufficiently large n and ℓ. In the remainder of the proof, we refer to x such that |I x |≥n+1 as good.
Let T −1 denote a transformation such that T −1(j)=k if j is the kth smallest element of T (this is simply to provide a mapping from G’s output bits to the corresponding revealed input bits). The adversary A:{0,1}n+s→{0,1} is defined as the function which accepts exactly the set
Let G:{0,1}ℓ→{0,1}ℓ+1 be the PRG guaranteed by Theorem 4.1 using these choices of T and A. We claim that A distinguishes H G(U n ) from U n+s with advantage at least 1/4. To see this, consider z which is a uniformly chosen output of H G, i.e., z=H G(x) for x←U n . Because x is good with probability at least 3/4, and because \(H^{G}(x)_{i} = q_{i}(x)_{T^{-1}(b_{i}(x))}\) for all i∈I x by item 2 of Theorem 4.1, we have Pr[A(H G(U n ))=1]≥3/4. Conversely, for the case where A’s input is chosen from U n+s , we have the following calculation:
(The second inequality follows from the fact that |I x |≥n+1 for x that are good.)
Finally, note that item 1 in Theorem 4.1 (along with the choice of d and the upper bound on n) implies that there is no oracle circuit C of size at most \(2^{\sqrt{\ell}/30}\) such that C A,G distinguishes G with advantage at least \(2^{-\sqrt{\ell }/30}\). Therefore, H does not meet the conditions of Definition 2.1 for the stated parameters. □
Next, we show that this theorem can be extended to the primitive black-box setting.
Theorem 4.3
Let \(n = n(\ell) \leq2^{\sqrt{\ell}}\) and s=s(n)≥5n/logn. Let H (⋅):{0,1}n→{0,1}n+s be a primitive black-box stretch-increasing construction with stretch s from any family of one-bit-stretch generators G:{0,1}ℓ→{0,1}ℓ+1. If H has the form
and the q i and b i are computable by \(\operatorname{poly}(n)\)-sized circuits, then \(\mathrm{NP/poly} \neq \mathrm{P/poly}\).
Proof
Let H be a primitive black-box stretch-increasing construction of the specified form. Let G and I x be defined as in Theorem 1.4 (the oracle A against which G is secure is not relevant here). Because the q i ,b i functions are computable by \(\operatorname{poly}(n)\)-size circuits, there is a \(\operatorname {poly}(n)\)-size circuit family which computes the string \(H^{G}(x)|_{I_{x}}\) on input x, while making no oracle calls to G. As a result, we can define a non-deterministic \(\operatorname{poly}(n)\)-size circuit family that distinguishes H G from uniform with advantage 1/4: on input z∈{0,1}n+s, the circuit non-deterministically guesses x∈{0,1}n, and accepts iff |I x |≥n+1 and \(z|_{I_{x}} = H^{G}(x)|_{I_{x}}\). The proof that this is indeed a distinguisher for H G is identical to the argument given for Theorem 1.4.
Now assume for contradiction that \(\mathrm{NP/poly} = \mathrm{P/poly}\), i.e., that every non-deterministic circuit family can be simulated by a deterministic circuit family with only a polynomial increase in size. Then, there is a \(\operatorname{poly}(n)\)-size deterministic circuit family that distinguishes H G from uniform with noticeable advantage. By the definition of a primitive black-box construction, there must also be such a circuit family that distinguishes G, contradicting G’s pseudorandomness. □
5 Constructing the Oracle Generator
In this section, we prove Theorem 4.1 (restated for convenience), which gives the one-bit-stretch oracle generator used in the proofs of our negative results (Theorems 1.4 and 4.3).
Theorem 4.1
Let \(\ell,d \in\mathbb{N}\) be sufficiently large with d≤ℓ/2. Then, for any subset T⊆[ℓ+1] with |T|=ℓ−d and any oracle A, there exists a generator G:{0,1}ℓ→{0,1}ℓ+1 such that
-
1.
G is (2d/30,2−d/30)-pseudorandom against adversaries with oracle access to A (and G).
-
2.
For every input x∈{0,1}ℓ, G(x)| T =x 1 x 2⋯x ℓ−d .
On Constructing the Oracle
A direct proof that a random function G:{0,1}ℓ→{0,1}ℓ+1 is a pseudorandom generator even for circuits that have oracle access to G does not seem immediate to us. The existence of such oracles is shown via an indirect route in an unpublished manuscript of Impagliazzo [22] and—in a slightly different scenario—in a work by Zimand [31]. Both works proceed by considering an oracle one-way function, and then applying standard constructions of generators from one-way functions (for which one can now use [18] or [20]).
We proceed by first considering a hard-to-invert oracle permutation π, and then using the Goldreich–Levin hardcore bit [15] to get one bit of stretch. This approach will have security exponential in the input length of π, and so we can apply π to the relatively few (Θ(ℓ/logℓ)) bits outside of |T|, and then use padding to get a generator G on ℓ bits that reveals most of its input
We know of two ways to demonstrate the existence of such a permutation π. One is via a theorem in [12] which uses a clever encoding argument to prove that a random permutation is hard to invert with very high probability. They show that if there exists a small circuit which inverts a permutation π on some fraction of inputs, then π can be succinctly encoded when the circuit is given as advice. Then, since only a small number of permutations have succinct encodings, the probability that a random π can be sufficiently inverted by a fixed circuit is small, and a union bound over circuits gives the result.
The second way, and the one that we use here, is an arguably more direct argument showing that any fixed circuit with access to a fixed auxiliary oracle has negligible probability (over the choice of permutation) of sufficiently inverting the permutation. This method is from [22] and [31] (though they consider general length-preserving functions rather than permutations), and hinges on a combinatorial trick which originally appeared in [14]. Briefly, it is shown that for a fixed circuit C, the expected number of subsets of size k that are inverted by C is not too large. Then, Markov’s inequality is used to show that the probability that C inverts any set of size m≈k 2 is small, since to do so C would have to invert each of its \({m \choose k}\) subsets of size k (this is the combinatorial trick).
We now turn to the formal proof of Theorem 4.1. There are two main ingredients. The first is the well-known Goldreich–Levin theorem [15]. It can be checked that the standard proof of this theorem relativizes, essentially because (in the statement below) the circuit B uses C as a black-box; we omit the details.
Theorem 5.1
Let f:{0,1}d→{0,1}m be a function, and let A be any oracle. Let C be an oracle circuit of size T such that \(\Pr [C^{A}(f(U_{d}),U'_{d}) = \langle U_{d}, U'_{d} \rangle] \geq1/2 + \epsilon\). Then, for d sufficiently large, there exists an oracle circuit B of size at most α⋅T⋅(d/ϵ)2 (where α is a universal constant) such that Pr[B A(f(U d ))=U d ]≥ϵ 3/8d.
The second ingredient is the fact that there exist permutations π which are hard to invert even for adversaries that have access to π and to an arbitrary fixed auxiliary oracle.
Theorem 5.2
Let \(d \in\mathbb{N}\) be sufficiently large. Then for any oracle A, there exists a permutation π:{0,1}d→{0,1}d that is (2d/5,2−d/5)-hard to invert against adversaries with oracle access to π and A.
Before giving the proof, we state and prove two lemmas. The aforementioned combinatorial trick, due to [14], is given by the following lemma.
Lemma 5.3
Let U be a finite set, let Γ={ϕ:U→{0,1}} be a family of predicates on U, and let p k be an upper bound on the probability that ϕ chosen uniformly from Γ returns true for every element in a subset of size k, i.e.,
Then, for any m such that k≤m≤|U|, we have
Proof
Let ϕ(X) denote ∏ x∈X ϕ(x). We have \(\mathbb{E}[|\{K \subseteq U : |K| = k \mbox{ and } \phi(K) = 1\}|] \leq{|U| \choose k} \cdot p_{k}\) by linearity of expectation. Then the lemma follows from double counting because, for any set M⊆U of size m, ϕ(M)=1 iff ϕ(K)=1 for every one of the \({m \choose k}\) subsets K⊆M of size k. □
We now explain why this lemma is helpful. Following [22] and [31], we bound the probability (over the permutation π) that a fixed circuit C of size s inverts a fixed set K of size k; this is done by considering the probability that any k out of the at most ks distinct queries made by C on inputs from K are mapped by π to K; specifically, we bound
The factor of s k prevents us from using a union bound over all \({|U| \choose k}\) subsets of size k. So we instead use Lemma 5.3, choosing m so that \({m \choose k} \approx s^{2.3k}\), which makes the probability of inverting a set of size m small enough to use a union bound over all circuits.
We also require a bound on the number of oracle circuits of a given size.
Lemma 5.4
There are at most 2s(3+4logs) oracle circuits of size s that have access to two oracles π and A.
Proof
Recall that we define the size of a circuit as the number of wires; this is also an upper bound on the number of gates. For each wire in the circuit, we must specify two things:
-
The gate it is an output of (or if it is an input wire) and the position it is in for this gate;
-
The gate it is an input of (or if it is an output wire) and the position it is in for this gate.
Note that the positions are relevant for wires incident on oracle gates, as the functions computed by these gates may not be symmetric. Specifying either incident gate for a given wire takes logs bits (as there are at most s gates), and likewise each position can be specified with logs bits. Therefore, each of the s wires can be specified with 4logs bits. Finally, for each gate, we must specify which of the five types it is (∧, ∨, ¬, π-oracle or A-oracle), which takes three bits. □
Proof of Theorem 5.2
We will, in fact, show that a random π has the desired property with probability at least \(1 - 2^{-2^{d/4}}\). Fix an oracle A and an oracle circuit C of size s. Fix a subset K⊆{0,1}d of size k; we will first bound the probability that C inverts all of K. Let \(Q^{\pi}_{x}\) denote the set of at most s distinct queries that C A,π(x) makes to π (for some choice of x and π), and let \(Q^{\pi}_{K} := \bigcup_{x \in K}Q^{\pi}_{x}\). We assume, without loss of generality, that the last query that C makes to π is the string that C outputs (this is justified because any circuit which does not query its output string can be modified into one that does with an increase in size that is so small as to not affect the union bound below).
A necessary condition for C to invert all of K is that \(\pi ^{-1}(x) \in Q^{\pi}_{K}\) for all x∈K. Since \(|Q^{\pi}_{K}| \leq ks\), we can bound this by
We now apply Lemma 5.3 in the obvious way: U is {0,1}d, and there is a predicate ϕ π ∈Γ for each permutation π, where ϕ π (x)=1 iff C A,π(x)=π −1(x). By the lemma, the probability that there exists a set M of size m≥k such that C inverts every element of M is bounded from above by (e 2⋅k⋅s/m)k. Choosing k=2d/3,m=24d/5 and s=2d/5, this is bounded by \(2^{-2^{d/3}}\) for sufficiently large d. By Lemma 5.4, there are at most \(2^{2^{d/5} \cdot\varTheta(d)}\) circuits of size 2d/5, and so the probability over the choice of π that there exists a circuit of size 2d/5 which inverts a set of size at least 24d/5 is at most \(2^{-2^{d/3} + 2^{d/5} \cdot\varTheta(d)} < 2^{-2^{d/4}}\) for sufficiently large d. Therefore, π is (2d/5,2−d/5)-hard to invert with probability at least \(1 - 2^{-2^{d/4}}\). □
We may now give the proof of Theorem 4.1.
Proof of Theorem 4.1
Let the oracle A and the subset T be given. Recall that |T|=ℓ−d, and let π:{0,1}d→{0,1}d be the permutation guaranteed by Theorem 5.2 which is (2d/5,2−d/5)-hard to invert against adversaries with oracle access to π and A. Then, the generator G treats its input x∈{0,1}ℓ as (x 1,x 2,x 3)∈{0,1}ℓ−2d×{0,1}d×{0,1}d, and outputs the (ℓ+1)-bit string defined as follows:
Now assume for contradiction that there exists an oracle circuit C:{0,1}ℓ+1→{0,1} of size at most 2d/30 such that Pr[C A,G(G(U ℓ ))=1]−Pr[C A,G(U ℓ+1)=1]≥2−d/30 (dropping the absolute value w.l.o.g.). Because the permutation π is the only part of G’s output which may be “difficult” to compute, we can take C to have oracles (A,π) instead of (A,G) at the cost of increasing C’s size by a factor of \(\operatorname{poly}(d)\). We construct a probabilistic oracle circuit IP:{0,1}d×{0,1}d→{0,1} which, on input (x,y), tries to compute 〈π −1(x),y〉. IPA,π(x,y) performs the following steps:
-
1.
Chooses a random string z∈{0,1}ℓ−2d and a random bit b∈{0,1};
-
2.
Constructs the (ℓ+1)-bit string w defined by w|[ℓ+1]∖T =x∘b, w| T =z∘y;
-
3.
Computes C A,π(w) and outputs C A,π(w)⊕1⊕b.
We clearly have \(|\mathrm{IP}| \leq|C| \cdot\operatorname{poly}(d) \leq2^{d/30} \cdot\operatorname{poly}(d)\). Consider the behavior of IPA,π on a uniformly random input (x,y). It is easy to see that the string w is distributed according to U ℓ+1. If we condition on the chosen bit b being equal to 〈π −1(x),y〉 (which happens with probability 1/2), then w is distributed according to G(U ℓ ). For brevity, let E IP denote the event IPA,π(x,y)=〈π −1(x),y〉, and let E b denote the event b=〈π −1(x),y〉. Then,
The probabilities are over both (x,y) and the internal randomness of IP; by a standard averaging argument, we can fix the internal randomness of IP to get a deterministic circuit which computes 〈π −1(x),y〉 on a random (x,y) with the same success probability. Then for sufficiently large d, Theorem 5.1 gives an oracle circuit of size at most \(2^{d/30} \cdot \operatorname{poly}(d) \cdot O(d^{2} \cdot2^{2d/30}) \leq2^{d/5}\) that, when given access to A and π, inverts π with probability at least 2−3d/30/8d≥2−d/5 over its input, contradicting the hardness of π. □
Notes
We are now using ℓ to refer to the input length of f′, which is twice the input length of f.
References
N. Alon, L. Babai, A. Itai, A fast and simple randomized algorithm for the maximal independent set problem. J. Algorithms 7, 567–583 (1986)
B. Applebaum, Y. Ishai, E. Kushilevitz, Cryptography in NC0. SIAM J. Comput. 36(4), 845–888 (2006)
B. Applebaum, Y. Ishai, E. Kushilevitz On pseudorandom generators with linear stretch in NC0. Comput. Complex. 17(1), 38–69 (2008)
N. Alon, T. Kaufman, M. Krivelevich, S. Litsyn, D. Ron, Testing low-degree polynomials over \({\rm GF}(2)\), in 7th Workshop on Randomization and Approximation Techniques in Computer Science (RANDOM). Lecture Notes in Computer Science, vol. 2764 (Springer, Berlin, 2003), pp. 188–199
M. Alekhnovich, More on average case vs approximation complexity, in FOCS (2003), pp. 298–307
T. Baker, J. Gill, R. Solovay, Relativizations of the P=?NP question. SIAM J. Comput. 4(4), 431–442 (1975)
I. Berman, I. Haitner, From non-adaptive to adaptive pseudorandom functions, in 9th Theory of Cryptography Conference (TCC) (2012)
J. Bronson, A. Juma, P.A. Papakonstantinou, Limits on the stretch of non-adaptive constructions of pseudo-random generators, in 8th Theory of Cryptography Conference (TCC) (2011)
M. Blum, S. Micali, How to generate cryptographically strong sequences of pseudo-random bits. SIAM J. Comput. 13(4), 850–864 (1984)
B. Chor, O. Goldreich, On the power of two-point based sampling. J. Complex. 5(1), 96–106 (1989)
J.L. Carter, M.N. Wegman, Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
R. Gennaro, Y. Gertner, J. Katz, L. Trevisan, Bounds on the efficiency of generic cryptographic constructions. SIAM J. Comput. 35(1), 217–246 (2005)
O. Goldreich, S. Goldwasser, S. Micali, How to construct random functions. J. ACM 33(4), 792–807 (1986)
O. Goldreich, H. Krawczyk, M. Luby, On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)
O. Goldreich, L. Levin, A hard-core predicate for all one-way functions, in 21st ACM Symp. on the Theory of Computing (STOC) (1989), pp. 25–32
O. Goldreich, Foundations of Cryptography: Volume 1, Basic Tools (Cambridge University Press, Cambridge, 2001)
I. Haitner, D. Harnik, O. Reingold, Efficient pseudorandom generators from exponentially hard one-way functions, in Coll. on Automata, Languages and Programming (ICALP) (2006), pp. 228–239
J. Håstad, R. Impagliazzo, L.A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
T. Holenstein, Pseudorandom generators from one-way functions: a simple construction for any hardness, in TCC, ed. by S. Halevi, T. Rabin. Lecture Notes in Computer Science, vol. 3876 (Springer, Berlin, 2006), pp. 443–461
I. Haitner, O. Reingold, S.P. Vadhan, Efficiency improvements in constructing pseudorandom generators from one-way functions, in 42nd ACM Symp. on the Theory of Computing (STOC) (2010), pp. 437–446
T. Holenstein, M. Sinha, Constructing a pseudorandom generator requires an almost linear number of calls, in FOCS (2012), pp. 698–707
R. Impagliazzo, Very strong one-way functions and pseudo-random generators exist relative to a random oracle. Manuscript (1996)
R. Impagliazzo, S. Rudich, Limits on the provable consequences of one-way permutations, in ACM Symp. on the Theory of Computing (STOC) (1989), pp. 44–61
C.-J. Lu, On the complexity of parallel hardness amplification for one-way functions, in 3rd Theory of Cryptography Conference (TCC) (2006), pp. 462–481
N. Nisan, A. Wigderson, Hardness vs randomness. J. Comput. Syst. Sci. 49(2), 149–167 (1994)
O. Reingold, L. Trevisan, S. Vadhan, Notions of reducibility between cryptographic primitives, in 1st Theory of Cryptography Conference, 2004, Feb. 19–21 (Springer, Cambridge, 2004)
L. Trevisan, Extractors and pseudorandom generators. J. ACM 48(4), 860–879 (2001)
E. Viola, On constructing parallel pseudorandom generators from one-way functions, in 20th IEEE Conf. on Computational Complexity (CCC) (2005), pp. 183–197
S.P. Vadhan, C.J. Zheng, Characterizing pseudoentropy and simplifying pseudorandom generator constructions, in ACM Symp. on the Theory of Computing (STOC) (2012)
A. Yao, Theory and applications of trapdoor functions, in 23rd IEEE Symp. on Foundations of Computer Science (FOCS) (IEEE Press, New York, 1982), pp. 80–91
M. Zimand, Efficient privatization of random bits, in “Randomized Algorithms” Satellite Workshop of the 23rd Symposium on Mathematical Foundations of Computer Science (1998). Available at http://triton.towson.edu/~mzimand/pub/rand-privat.ps
Acknowledgements
We are very grateful to Benny Applebaum for several useful comments, and especially for pointing out the strengthening of Theorem 1.4 and allowing us to include a proof in Sect. 1.2. We also would like to thank Russell Impagliazzo for sharing [22] with us, and the anonymous TCC referees for helpful feedback.
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Omer Reingold.
E. Miles and E. Viola were supported by NSF grants CCF-0845003 and CCF-1319206.
Rights and permissions
About this article
Cite this article
Miles, E., Viola, E. On the Complexity of Constructing Pseudorandom Functions (Especially when They Don’t Exist). J Cryptol 28, 509–532 (2015). https://doi.org/10.1007/s00145-013-9161-x
Received:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s00145-013-9161-x
Key words
- Black-box reductions
- Pseudorandom functions
- adaptivity