On the Concrete Security of Goldreich’s Pseudorandom Generator

  • Geoffroy CouteauEmail author
  • Aurélien Dupin
  • Pierrick Méaux
  • Mélissa Rossi
  • Yann Rotella
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11273)


Local pseudorandom generators allow to expand a short random string into a long pseudo-random string, such that each output bit depends on a constant number d of input bits. Due to its extreme efficiency features, this intriguing primitive enjoys a wide variety of applications in cryptography and complexity. In the polynomial regime, where the seed is of size n and the output of size \(n^{\textsf {s}}\) for \(\textsf {s}> 1\), the only known solution, commonly known as Goldreich’s PRG, proceeds by applying a simple d-ary predicate to public random size-d subsets of the bits of the seed.

While the security of Goldreich’s PRG has been thoroughly investigated, with a variety of results deriving provable security guarantees against class of attacks in some parameter regimes and necessary criteria to be satisfied by the underlying predicate, little is known about its concrete security and efficiency. Motivated by its numerous theoretical applications and the hope of getting practical instantiations for some of them, we initiate a study of the concrete security of Goldreich’s PRG, and evaluate its resistance to cryptanalytic attacks. Along the way, we develop a new guess-and-determine-style attack, and identify new criteria which refine existing criteria and capture the security guarantees of candidate local PRGs in a more fine-grained way.


Pseudorandom generators Algebraic attacks Guess-and-determine Gröbner basis 



We thank Jean-Pierre Tillich and Benny Applebaum for useful discussions and observations. We also are indebted to Guénaël Renault for fruitful discussions about Gröbner basis approaches, and to the reviewers of ASIACRYPT for their useful comments. This research has been partially funded by ANRT under the programs CIFRE N 2015/1158 and 2016/1583. We acknowledge the support of the French Programme d’Investissement d’Avenir under national project RISQ P141580. The first author was supported by ERC grant 724307 (project PREP-CRYPTO). The fifth author was partially supported by the French Agence Nationale de la Recherche through the BRUTUS project under Contract ANR-14-CE28-0015.


  1. [ABR12]
    Applebaum, B., Bogdanov, A., Rosen, A.: A dichotomy for local small-bias generators. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 600–617. Springer, Heidelberg (2012). Scholar
  2. [ABR16]
    Applebaum, B., Bogdanov, A., Rosen, A.: A dichotomy for local small-bias generators. J. Cryptol. 29(3), 577–596 (2016)MathSciNetCrossRefGoogle Scholar
  3. [ADI+17a]
    Applebaum, B., Damgård, I., Ishai, Y., Nielsen, M., Zichron, L.: Secure arithmetic computation with constant computational overhead. Cryptology ePrint Archive, Report 2017/617 (2017).
  4. [ADI+17b]
    Applebaum, B., Damgård, I., Ishai, Y., Nielsen, M., Zichron, L.: Secure arithmetic computation with constant computational overhead. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 223–254. Springer, Cham (2017). Scholar
  5. [AHI05]
    Alekhnovich, M., Hirsch, E.A., Itsykson, D.: Exponential lower bounds for the running time of DPLL algorithms on satisfiable formulas. J. Autom. Reason. 35(1–3), 51–72 (2005)MathSciNetzbMATHGoogle Scholar
  6. [AIK04]
    Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\(^0\). In: 45th FOCS, pp. 166–175. IEEE Computer Society Press, October 2004Google Scholar
  7. [AIK08]
    Applebaum, B., Ishai, Y., Kushilevitz, E.: On pseudorandom generators with linear stretch in NC\(^0\). Comput. Complex. 17(1), 38–69 (2008)MathSciNetCrossRefGoogle Scholar
  8. [AL16]
    Applebaum, B., Lovett, S.: Algebraic attacks against random local functions and their countermeasures. In: 48th ACM STOC, pp. 1087–1100. ACM Press, June 2016Google Scholar
  9. [App12]
    Applebaum, B.: Pseudorandom generators with long stretch and low locality from random local one-way functions. In: 44th ACM STOC, pp. 805–816. ACM Press, May 2012Google Scholar
  10. [App13]
    Applebaum, B.: Pseudorandom generators with long stretch and low locality from random local one-way functions. SIAM J. Comput. 42(5), 2008–2037 (2013)MathSciNetCrossRefGoogle Scholar
  11. [App15]
    Applebaum, B.: The cryptographic hardness of random local functions - survey. Cryptology ePrint Archive, Report 2015/165 (2015).
  12. [ARS+15]
    Albrecht, M.R., Rechberger, C., Schneider, T., Tiessen, T., Zohner, M.: Ciphers for MPC and FHE. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 430–454. Springer, Heidelberg (2015). Scholar
  13. [BCG+17]
    Boyle, E., Couteau, G., Gilboa, N., Ishai, Y., Orrù, M.: Homomorphic secret sharing: optimizations and applications. In: ACM CCS 2017, pp. 2105–2122. ACM Press (2017)Google Scholar
  14. [Bet11]
    Bettale, L.: Cryptanalyse algebrique: outils et applications, Ph.D. thesis (2011)Google Scholar
  15. [BGI+01]
    Barak, B., et al.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). Scholar
  16. [BQ09]
    Bogdanov, A., Qiao, Y.: On the security of Goldreich’s one-way function. In: Dinur, I., Jansen, K., Naor, J., Rolim, J. (eds.) APPROX/RANDOM -2009. LNCS, vol. 5687, pp. 392–405. Springer, Heidelberg (2009). Scholar
  17. [CCF+16]
    Canteaut, A., et al.: Stream ciphers: a practical solution for efficient homomorphic-ciphertext compression. In: Peyrin, T. (ed.) FSE 2016. LNCS, vol. 9783, pp. 313–333. Springer, Heidelberg (2016). Scholar
  18. [CDM+18]
    Couteau, G., Dupin, A., Méaux, P., Rossi, M., Rotella, Y.: On the concrete security of Goldreich’s pseudorandom generator (2018)Google Scholar
  19. [CEMT14]
    Cook, J., Etesami, O., Miller, R., Trevisan, L.: On the one-way function candidate proposed by Goldreich. ACM Trans. Comput. Theor. (TOCT) 6(3), 14 (2014)MathSciNetzbMATHGoogle Scholar
  20. [CM01]
    Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC0. In: Sgall, J., Pultr, A., Kolman, P. (eds.) MFCS 2001. LNCS, vol. 2136, pp. 272–284. Springer, Heidelberg (2001). Scholar
  21. [CM03]
    Courtois, N.T., Meier, W.: Algebraic attacks on stream ciphers with linear feedback. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 345–359. Springer, Heidelberg (2003). Scholar
  22. [Cou03]
    Courtois, N.T.: Fast algebraic attacks on stream ciphers with linear feedback. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 176–194. Springer, Heidelberg (2003). Scholar
  23. [DGM05]
    Dalai, D.K., Gupta, K.C., Maitra, S.: Cryptographically significant boolean functions: construction and analysis in terms of algebraic immunity. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 98–111. Springer, Heidelberg (2005). Scholar
  24. [DLR16]
    Duval, S., Lallemand, V., Rotella, Y.: Cryptanalysis of the FLIP family of stream ciphers. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 457–475. Springer, Heidelberg (2016). Scholar
  25. [DMS05]
    Dalai, D.K., Maitra, S., Sarkar, S.: Basic theory in construction of Boolean functions with maximum possible annihilator immunity. Cryptology ePrint Archive, Report 2005/229 (2005).
  26. [EJ00]
    Ekdahl, P., Johansson, T.: SNOW - a new stream cipher. In: Proceedings of First NESSIE Workshop, Heverlee (2000)Google Scholar
  27. [GGM84]
    Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: 25th FOCS, pp. 464–479. IEEE Computer Society Press, October 1984Google Scholar
  28. [Gol00]
    Goldreich, O.: Candidate one-way functions based on expander graphs. Cryptology ePrint Archive, Report 2000/063 (2000).
  29. [GRR+16]
    Grassi, L., Rechberger, C., Rotaru, D., Scholl, P., Smart, N.P.: MPC-friendly symmetric key primitives. In: ACM CCS 2016, pp. 430–443. ACM Press, October 2016Google Scholar
  30. [HR00]
    Hawkes, P., Rose, G.G.: Exploiting multiples of the connection polynomial in word-oriented stream ciphers. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 303–316. Springer, Heidelberg (2000). Scholar
  31. [IKOS08]
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: 40th ACM STOC, pp. 433–442. ACM Press, May 2008Google Scholar
  32. [IPS08]
    Ishai, Y., Prabhakaran, M., Sahai, A.: Secure arithmetic computation with no honest majority. Cryptology ePrint Archive, Report 2008/465 (2008)Google Scholar
  33. [Lin17]
    Lin, H.: Indistinguishability obfuscation from SXDH on 5-linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). Scholar
  34. [LT17]
    Lin, H., Tessaro, S.: Indistinguishability obfuscation from trilinear maps and block-wise local PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part I. LNCS, vol. 10401, pp. 630–660. Springer, Cham (2017). Scholar
  35. [LV17]
    Lombardi, A., Vaikuntanathan, V.: Limits on the locality of pseudorandom generators and applications to indistinguishability obfuscation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017, Part I. LNCS, vol. 10677, pp. 119–137. Springer, Cham (2017). Scholar
  36. [MJSC16]
    Méaux, P., Journault, A., Standaert, F.-X., Carlet, C.: Towards stream ciphers for efficient FHE with low-noise ciphertexts. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016, Part I. LNCS, vol. 9665, pp. 311–343. Springer, Heidelberg (2016). Scholar
  37. [MST03]
    Mossel, E., Shpilka, A., Trevisan, L.: On e-Biased generators in NC0. In: 44th FOCS, pp. 136–145. IEEE Computer Society Press, October 2003Google Scholar
  38. [OW14]
    ODonnell, R., Witmer, D.: Goldreich’s PRG: evidence for near-optimal polynomial stretch. In: IEEE 29th Conference on Computational Complexity (CCC), pp. 1–12. IEEE (2014)Google Scholar
  39. [Sie84]
    Siegenthaler, T.: Correlation-immunity of nonlinear combining functions for cryptographic applications (corresp.). IEEE Trans. Inf. Theor. 30(5), 776–780 (1984)MathSciNetCrossRefGoogle Scholar
  40. [SW14]
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: 46th ACM STOC, pp. 475–484. ACM Press, May/June 2014Google Scholar
  41. [Wie86]
    Wiedemann, D.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theor. 32(1), 54–62 (1986)MathSciNetCrossRefGoogle Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Geoffroy Couteau
    • 1
    Email author
  • Aurélien Dupin
    • 2
    • 3
    • 4
  • Pierrick Méaux
    • 5
  • Mélissa Rossi
    • 2
    • 6
    • 7
  • Yann Rotella
    • 7
  1. 1.Karlsruhe Institute of TechnologyKarlsruheGermany
  2. 2.Thales Communications and SecurityGennevilliersFrance
  3. 3.CentraleSupélecRennesFrance
  4. 4.IrisaRennesFrance
  5. 5.ICTEAM/ELEN/Crypto GroupUniversité catholique de LouvainLouvain-la-NeuveBelgium
  6. 6.École Normale Supérieure de Paris, Département d’informatique, CNRS, PSL Research UniversityParisFrance
  7. 7.InriaParisFrance

Personalised recommendations