PRG has block-locality , i.e. each output bit depends on at most out of the n blocks. The question of the maximum stretch m that such PRGs can have, as a function of n b recently emerged in the context of constructing provably secure program obfuscation. It also relates to the question of refuting constraint satisfaction problems on predicates with large alphabets in complexity theory. We show that such -block local PRGs can have output length at most O ( 2 b n 2 ) , by presenting a polynomial time algorithm that distinguishes inputs of the form G ( x ) (for any x ) from inputs where each coordinate is sampled independently according to the marginal distributions of the coordinates of G . As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro's cite{LinT17} recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator G : 1 nb 1 2 cb n as above for large enough 3"> c 3 with = 2 . (Following this work, and an independent work of Lombardi and Vaikuntanthan cite{LombardiV17a}, Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.)Our results follow from a general framework that handles more general class of pseudorandom generators. Namely they work even if the outputs are not binary valued and are computed using low-degree polynomial over R (instead of the more restrictive local/block-local assumption). Specifically, we prove that for every function G : 1 n R m ( R = reals), if every output of G is a polynomial (over the real numbers R ) of degree at most d of at most s monomials and m ( s n d 2 ) , then there is a polynomial time algorithm for the distinguishing task above. This implies that any such map G cannot be a pseudorandom generator. Our results yield, in particular, that natural modifications to notion of generators that are still sufficient for obtaining indistinguishability obfuscation from bilinear maps run into similar barriers.
展开▼
机译:PRG具有块局部性,即每个输出位最多取决于n个块中的每个。最近,在构造可证明的安全程序模糊化的背景下,出现了这样的PRG可以具有的最大拉伸m的问题,它是n b的函数。它还涉及在复杂性理论中反驳大字母谓词的约束满足问题。通过展示一种多项式时间算法,该算法可区分形式为G(x)(对于任何x)的输入与分别独立采样每个坐标的输入,从而表明此类块局部PRG的输出长度最多为O(2 bn 2)根据G坐标的边际分布。作为推论,我们驳斥了最近在构造可证明的安全不可混淆性混淆(iO)的背景下所作的一些推测。这包括从双线性图上驳斥Lin和Tessaro的 cite {LinT17}最近提出的候选iO的假设。具体来说,他们假设存在一个安全的伪随机数生成器G:1 nb 1 2 cb n,对于具有足够大的3“> c 3,其中= 2。 },Lin和Tessaro从他们的手稿中撤回了基于双线性图的候选对象。)我们的结果来自处理更一般类伪随机生成器的通用框架,即,即使输出不是二进制值并且使用低度来计算,它们也可以工作R上的多项式(而不是限制性更强的局部/块局部假设),具体来说,我们证明对于每个函数G:1 n R m(R =实数),如果G的每个输出都是多项式(在实数上) R的度数最多为s个单项式的d个和m(snd 2)个,那么上面的区分任务有一个多项式时间算法,这意味着任何这样的映射G都不可以是伪随机数生成器。特别是自然修改仍然足以从双线性图获得不可混淆度的生成器的概念离子遇到类似的障碍。
展开▼
