Algebraic attacks against random local functions and their countermeasures

B. Applebaum, Shachar Lovett
Proceedings of the forty-eighth annual ACM symposium on Theory of Computing, published 2016-06-19.
DOI: 10.1145/2897518.2897554 (https://doi.org/10.1145/2897518.2897554)
Citation count: 65

Abstract

Suppose that you have n truly random bits x = (x_1, …, x_n) and you wish to use them to generate m ≫ n pseudorandom bits y = (y_1, …, y_m) using a local mapping, i.e., each y_i should depend on at most d = O(1) bits of x. In the polynomial regime m = n^s, s > 1, the only known solution, originating from (Goldreich, ECCC 2000), is based on Random Local Functions: compute y_i by applying some fixed (public) d-ary predicate P to a random (public) tuple of distinct inputs (x_{i_1}, …, x_{i_d}). Our goal in this paper is to understand, for any value of s, how the pseudorandomness of the resulting sequence depends on the choice of the underlying predicate. We derive the following results:

(1) We show that pseudorandomness against F_2-linear adversaries (i.e., the distribution y has low bias) is achieved if the predicate (a) is k = Ω(s)-resilient, i.e., uncorrelated with any k-subset of its inputs, and (b) has algebraic degree Ω(s) even after fixing Ω(s) of its inputs. We also show that these requirements are necessary, and so they form a tight characterization (up to constants) of security against linear attacks. Our positive result shows that a d-local low-bias generator can have output length n^{Ω(d)}, answering an open question of Mossel, Shpilka and Trevisan (FOCS 2003). Our negative result shows that a candidate pseudorandom generator proposed by the first author (Computational Complexity, 2015) and by O'Donnell and Witmer (CCC 2014) is insecure. We use similar techniques to refute a conjecture of Feldman, Perkins and Vempala (STOC 2015) regarding the hardness of planted constraint satisfaction problems.

(2) Motivated by the cryptanalysis literature, we consider security against algebraic attacks. We provide the first theoretical treatment of such attacks by formalizing a general notion of algebraic inversion and distinguishing attacks based on the Polynomial Calculus proof system. We show that algebraic attacks succeed if and only if there exists a non-zero polynomial Q of degree e = O(s) whose roots cover the roots of P or cover the roots of P's complement. As a corollary, we obtain the first example of a predicate P for which the generated sequence y passes all linear tests but fails some polynomial-time computable test, answering an open question posed by the first author (Question 4.9, Computational Complexity, 2015).
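An added toy-scale illustration of the construction described in this abstract (example code, not from the paper): it builds Goldreich's generator from random public d-tuples and a predicate, finds an F_2-linear dependency among the output tuples (one must exist once m > n), and measures the bias of the resulting linear test by exhausting all seeds. The predicates xor3 and and_mix are constructed here for contrast, not taken from the paper: against the degree-1 predicate the test has bias 1/2, while the same test is less biased against the degree-2 predicate, which is the degree requirement in result (1) at work.

```python
import itertools
import random

def rlf(x, hypergraph, pred):
    """Goldreich's random local function: y_i = pred applied to the public
    d-tuple of distinct seed positions hypergraph[i]."""
    return [pred(*(x[j] for j in tup)) for tup in hypergraph]

# Two constructed 3-ary predicates (not from the paper): xor3 has algebraic
# degree 1, and_mix has degree 2. Neither is a recommended choice.
def xor3(a, b, c):
    return a ^ b ^ c

def and_mix(a, b, c):
    return a ^ (b & c)

def f2_dependency(n, hypergraph):
    """Gaussian elimination over F2 on the tuples' incidence vectors. Returns a
    non-empty list T of output indices whose vectors XOR to zero (every seed
    bit is covered an even number of times), or None if none exists."""
    pivots = {}                          # pivot bit -> (vector, outputs that built it)
    for i, tup in enumerate(hypergraph):
        v, comb = sum(1 << j for j in tup), 1 << i
        while v:
            p = v.bit_length() - 1
            if p not in pivots:
                pivots[p] = (v, comb)
                break
            v ^= pivots[p][0]
            comb ^= pivots[p][1]
        if v == 0:
            return [k for k in range(len(hypergraph)) if comb >> k & 1]
    return None

def linear_test_bias(n, hypergraph, pred, test):
    """|Pr[XOR_{i in test} y_i = 0] - 1/2| over all 2^n seeds (toy n only)."""
    zeros = 0
    for x in itertools.product((0, 1), repeat=n):
        y = rlf(x, hypergraph, pred)
        zeros += 1 - (sum(y[i] for i in test) & 1)
    return abs(zeros / 2 ** n - 0.5)

if __name__ == "__main__":
    rng = random.Random(2016)
    n, m, d = 12, 14, 3                  # m > n forces an F2 dependency among outputs
    H = [tuple(rng.sample(range(n), d)) for _ in range(m)]   # random public tuples
    T = f2_dependency(n, H)
    print("outputs whose tuples cancel over F2:", T)
    for pred in (xor3, and_mix):
        print(f"{pred.__name__}: bias of that linear test = {linear_test_bias(n, H, pred, T)}")
```

For the degree-1 predicate the parity of the outputs in T is identically zero, so the test distinguishes y from uniform with probability 1; the lower bias of the degree-2 predicate on this one test does not make it secure, as a degree-2 predicate still falls to the algebraic attacks of result (2).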