Suppose that you have n truly random bits x = ( x 1 x n ) and you wish to use them to generate m n pseudorandom bits y = ( y 1 y m ) using a local mapping, i.e., each y i should depend on at most d = O (1) bits of x . In the polynomial regime of m = n s , 1"> s 1 , the only known solution, originates from (Goldreich, ECCC 2000), is based on emph{Random Local Functions}: Compute y i by applying some fixed (public) d -ary predicate P to a random (public) tuple of distinct inputs ( x i 1 x i d ) . Our goal in this paper is to understand, for any value of s , how the pseudorandomness of the resulting sequence depends on the choice of the underlying predicate. We derive the following results:(1) We show that pseudorandomness against F 2 -linear adversaries (i.e., the distribution y has low-bias) is achieved if the predicate is (a) k = ( s ) -resilience, i.e., uncorrelated with any k -subset of its inputs, and (b) has algebraic degree of ( s ) even after fixing ( s ) of its inputs. We also show that these requirements are necessary, and so they form a tight characterization (up to constants) of security against linear attacks. Our positive result shows that a d -local low-bias generator can have output length of n ( d ) , answering an open question of Mossel, Shpilka and Trevisan (FOCS, 2003). Our negative result shows that a candidate for pseudorandom generator proposed by the first author (ECCC 2015) and by O'Donnell and Witmer (CCC 2014) is insecure. We use similar techniques to refute a conjecture of Feldman, Perkins and Vempala (STOC 2015) regarding the hardness of planted constraint satisfaction problems.(2) Motivated by the cryptanalysis literature, we consider security against emph{algebraic attacks}. We provide the first theoretical treatment of such attacks by formalizing a general notion of algebraic inversion and distinguishing attacks based on the Polynomial Calculus proof system. We show that algebraic attacks succeed if and only if there exist a degree e = ( s ) non-zero polynomial Q whose roots cover the roots of P or cover the roots of P 's complement. As a corollary, we obtain the first example of a predicate P for which the generated sequence y passes all linear tests but fails to pass some polynomial-time computable test, answering an open question posed by the first author (Question~4.9, ECCC 2015).
展开▼
机译:假设您有n个真正的随机位x =(x 1 xn),并且希望使用它们通过局部映射生成mn个伪随机位y =(y 1 ym),即每个yi最多取决于d = O (1)个x的位。在m = ns的多项式状态中,1“> s 1是唯一已知的解决方案,它源自(Goldreich,ECCC 2000),基于 emph {Random Local Functions}:通过应用一些固定的(公共)d来计算yi -ary谓词P到不同输入的随机(公共)元组(xi 1 xid)。我们的目标是,对于s的任何值,了解结果序列的伪随机性如何取决于基础谓词的选择我们得出以下结果:(1)如果谓词为(a)k =(s)-弹性,则证明针对 F 2-线性对手(即,分布y具有低偏差)的伪随机性得以实现,与输入的任何k-子集都不相关,并且(b)即使固定输入(s),也具有(s)的代数度。我们还表明,这些要求是必要的,因此它们形成了严格的特征(up线性攻击的安全性。我们的积极结果表明,ad-local低偏置生成器可以具有输出n(d)的长度,回答了Mossel,Shpilka和Trevisan的公开问题(FOCS,2003年)。我们的否定结果表明,第一作者(ECCC 2015)以及O'Donnell和Witmer(CCC 2014)提出的伪随机数生成器候选者是不安全的。我们使用类似的技术来反驳Feldman,Perkins和Vempala(STOC 2015)关于种植的约束满足问题的难度的猜想。(2)受密码分析文献的启发,我们考虑了针对 emph {代数攻击}的安全性。通过形式化代数反演的一般概念并基于多项式演算证明系统区分攻击,我们为此类攻击提供了第一个理论处理。我们证明,当且仅当存在一个e =(s)次非零多项式Q且其根覆盖P的根或覆盖P的补数的根时,代数攻击才会成功。作为推论,我们获得了谓词P的第一个示例,该谓词P的生成序列y通过所有线性检验,但未通过某些多项式时间可计算的检验,回答了第一作者提出的一个开放性问题(Question〜4.9,ECCC 2015 )。
展开▼
