A Dichotomy for Local Small-Bias Generators
We consider pseudorandom generators in which each output bit depends on a constant number of input bits. Such generators have appealingly simple structure: they can be described by a sparse input-output dependency graph and a small predicate that is applied at each output.
Following the works of Cryan and Miltersen (MFCS'01) and by Mossel et al. (STOC'03), we focus on the study of ``small-bias'' generators (that fool linear distinguishers).
We prove that for most graphs, all but a handful of ``degenerate'' predicates yield small-bias generators, $f\colon \{0,1\}^n \rightarrow \{0,1\}^m$, with output length $m = n^{1 + \epsilon}$ for some constant $\epsilon > 0$. Conversely, we show that for most graphs, ``degenerate'' predicates are not secure against linear distinguishers. Taken together, these results expose a dichotomy: every predicate is either very hard or very easy, in the sense that it either yields a small-bias generator for almost all graphs or fails to do so for almost all graphs.
As a secondary contribution, we attempt to support the view that small-bias is a good measure of pseudorandomness for local functions with large stretch. We do so by demonstrating that resilience to linear distinguishers implies resilience to a larger class of attacks.
On the Non-Existence of Blockwise 2-Local PRGs with Applications to Indistinguishability Obfuscation
Lin and Tessaro (Eprint 2017/250) recently proposed indistinguishability obfuscation and functional encryption candidates and proved their security based on a standard assumption on bilinear maps and a non-standard assumption on ``Goldreich-like'' pseudorandom generators (PRG). In a nutshell, they require the existence of pseudo-random generators for some -size alphabet where each output bit depends on at most two input alphabet symbols, and which achieve sufficiently large stretch. We show a polynomial-time attack against such generators. Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of 2-CSPs over large alphabets (Allen, O'Donnell and Witmer, FOCS 2015). Finally, we propose new ways to instantiate the Lin-Tessaro construction that do not immediately fall to our attacks. While we cannot say with any confidence that these modifications are secure, they certainly deserve further cryptanalysis.
Sum of squares lower bounds for refuting any CSP
Let be a nontrivial -ary predicate. Consider a random instance of the constraint satisfaction problem on variables with constraints, each being applied to randomly chosen literals. Provided the constraint density satisfies , such an instance is unsatisfiable with high probability. The \emph{refutation} problem is to efficiently find a proof of unsatisfiability.
We show that whenever the predicate supports a -\emph{wise uniform} probability distribution on its satisfying assignments, the sum of squares (SOS) algorithm of degree (which runs in time ) \emph{cannot} refute a random instance of . In particular, the polynomial-time SOS algorithm requires constraints to refute random instances of CSP when supports a -wise uniform distribution on its satisfying assignments. Together with recent work of Lee et al. [LRS15], our result also implies that \emph{any} polynomial-size semidefinite programming relaxation for refutation requires at least constraints.
Our results (which also extend with no change to CSPs over larger alphabets) subsume all previously known lower bounds for semialgebraic refutation of random CSPs. For every constraint predicate , they give a three-way hardness tradeoff between the density of constraints, the SOS degree (hence running time), and the strength of the refutation. By recent algorithmic results of Allen et al. [AOW15] and Raghavendra et al. [RRS16], this full three-way tradeoff is \emph{tight}, up to lower-order factors.
Comment: 39 pages, 1 figure
Revisiting the Concrete Security of Goldreich's Pseudorandom Generator
Local pseudorandom generators are a class of fundamental cryptographic primitives having very broad applications in theoretical cryptography. Following Couteau et al.'s work in ASIACRYPT 2018, this paper further studies the concrete security of one important class of local pseudorandom generators, i.e., Goldreich's pseudorandom generators. Our first attack is of the guess-and-determine type. Our result significantly improves the state-of-the-art algorithm proposed by Couteau et al., in terms of both asymptotic and concrete complexity, and breaks all the challenge parameters they proposed. For instance, for a parameter set suggested for 128 bits of security, we could solve the instance faster by a factor of about , thereby destroying the claimed security completely. Our second attack further exploits the extremely sparse structure of the predicate and combines ideas from iterative decoding. This novel attack, named guess-and-decode, substantially improves the guess-and-determine approaches for cryptographic-relevant parameters. All the challenge parameter sets proposed in Couteau et al.'s work in ASIACRYPT 2018 aiming for 80-bit (128-bit) security levels can be solved in about () operations. We suggest new parameters for achieving 80-bit (128-bit) security with respect to our attacks. We also extend the attack to other promising predicates and investigate their resistance.
Comment: 20 pages, 9 figures
Indistinguishability Obfuscation from Well-Founded Assumptions
In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove:
Let be arbitrary constants. Assume sub-exponential security of the following assumptions, where is a security parameter, and the parameters below are large enough polynomials in :
- The SXDH assumption on asymmetric bilinear groups of a prime order ,
- The LWE assumption over with subexponential modulus-to-noise ratio , where is the dimension of the LWE secret,
- The LPN assumption over with polynomially many LPN samples and error rate , where is the dimension of the LPN secret,
- The existence of a Boolean PRG in with stretch ,
Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists.
On the Concrete Security of Goldreich's Pseudorandom Generator
Local pseudorandom generators allow one to expand a short random string into a long pseudo-random string, such that each output bit depends on a constant number d of input bits. Due to its extreme efficiency features, this intriguing primitive enjoys a wide variety of applications in cryptography and complexity. In the polynomial regime, where the seed is of size n and the output of size n^s for s > 1, the only known solution, commonly known as Goldreich's PRG, proceeds by applying a simple d-ary predicate to public random sized subsets of the bits of the seed. While the security of Goldreich's PRG has been thoroughly investigated, with a variety of results deriving provable security guarantees against classes of attacks in some parameter regimes and necessary criteria to be satisfied by the underlying predicate, little is known about its concrete security and efficiency. Motivated by its numerous theoretical applications and the hope of getting practical instantiations for some of them, we initiate a study of the concrete security of Goldreich's PRG, and evaluate its resistance to cryptanalytic attacks. Along the way, we develop a new guess-and-determine-style attack, and identify new criteria which refine existing criteria and capture the security guarantees of candidate local PRGs in a more fine-grained way.
Limits on the Pseudorandomness of Low-Degree Polynomials over the Integers
We initiate the study of a problem called the Polynomial Independence Distinguishing Problem (PIDP). The problem is parameterized by a set of polynomials Q = (q_1, ... , q_m) of n variables and an input distribution D over the reals. The goal of the problem is to distinguish a tuple of the form {q_i, q_i(x)}_{i in [m]} from {q_i, q_i(x_i)}_{i in [m]} where x, x_1, ... , x_m are each sampled independently from the distribution D^n. Refutation and search versions of this problem are conjectured to be hard in general for polynomial time algorithms (Feige, STOC 02) and are also subject to known theoretical lower bounds for various hierarchies (such as Sum-of-Squares and Sherali-Adams). Nevertheless, we show polynomial time distinguishers for the problem in several scenarios, including settings where such lower bounds apply to the search or refutation versions of the problem.
On the Algebraic Immunity - Resiliency trade-off, implications for Goldreich's Pseudorandom Generator
Goldreich's pseudorandom generator is a well-known building block for many theoretical cryptographic constructions from multi-party computation to indistinguishability obfuscation. Its unique efficiency comes from the use of random local functions: each bit of the output is computed by applying some fixed public -variable Boolean function to a random public size- tuple of distinct input bits.
The characteristics that a Boolean function must have to ensure pseudorandomness are a puzzling issue. They have been studied in several works and particularly by Applebaum and Lovett (STOC 2016), who showed that resiliency and algebraic immunity are key parameters for this purpose.
In this paper, we propose the first study on Boolean functions that reach together maximal algebraic immunity and high resiliency.
1) We assess the possible consequences of the asymptotic existence of such optimal functions. We show how they allow one to build functions reaching all possible algebraic immunity-resiliency trade-offs (respecting the algebraic immunity and Siegenthaler bounds).
We provide a new bound on the minimal number of variables , and thus on the minimal locality, necessary to ensure a secure Goldreich's pseudorandom generator. Our results come with a granularity level depending on the strength of our assumptions, from none to the conjectured asymptotic existence of optimal functions.
2) We extensively analyze the possible existence and the properties of such optimal functions. Our results show two different trends. On the one hand, we were able to show some impossibility results concerning existing families of Boolean functions that are known to be optimal with respect to their algebraic immunity, starting by the promising XOR-MAJ functions. We show that they do not reach optimality and could be beaten by optimal functions if our conjecture is verified.
On the other hand, we prove the existence of optimal functions in a low number of variables by experimentally exhibiting some of them up to variables. This directly provides better candidates for Goldreich's pseudorandom generator than the existing XOR-MAJ candidates for polynomial stretches from to .