TY - GEN
T1 - Limits on low-degree pseudorandom generators (Or: Sum-of-squares meets program obfuscation)
AU - Barak, Boaz
AU - Brakerski, Zvika
AU - Komargodski, Ilan
AU - Kothari, Pravesh K.
N1 - Publisher Copyright:
© 2018, International Association for Cryptologic Research.
PY - 2018
Y1 - 2018
N2 - An m output pseudorandom generator G:({±1}b)n→{±1}m that takes input n blocks of b bits each is said to be ℓ -block local if every output is a function of at most ℓ blocks. We show that such ℓ -block local pseudorandom generators can have output length at most O~ (2ℓbn⌈ℓ/2⌉), by presenting a polynomial time algorithm that distinguishes inputs of the form G(x) from inputs where each coordinate is sampled from the uniform distribution on m bits. As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro’s [47] recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator G:{±1}nb→{±1}2cbn as above for large enough c> 3 and ℓ= 2. (Following this work, and an independent work of Lombardi and Vaikuntanthan [49], Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.) Our results actually hold for the much wider class of low-degree, non-binary valued pseudorandom generators: if every output of G: {± 1}n→ Rm (R = reals) is a polynomial (over R) of degree at most d with at most s monomials and m≥ Ω~ (sn⌈d/2⌉), then there is a polynomial time algorithm for distinguishing the output G(x) from z where each coordinate zi is sampled independently from the marginal distribution on Gi. Furthermore, our results continue to hold under arbitrary pre-processing of the seed. This implies that any such map G, with arbitrary seed pre-processing, cannot be a pseudorandom generator in the mild sense of fooling a product distribution on the output space. This allows us to rule out various natural modifications to the notion of generators suggested in other works that still allow obtaining indistinguishability obfuscation from bilinear maps. Our algorithms are based on the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a canonical semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality 3 and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever m= n1.5-ε. This class is extremely easy to describe: Let G be any simple non-abelian group with the group operation “ ∗ ”, and interpret the blocks of x as elements in G. The description of the pseudorandom generator is a sequence of m triples of indices (i, j, k) chosen at random and each output of the generator is of the form xi∗ xj∗ xk.
AB - An m output pseudorandom generator G:({±1}b)n→{±1}m that takes input n blocks of b bits each is said to be ℓ -block local if every output is a function of at most ℓ blocks. We show that such ℓ -block local pseudorandom generators can have output length at most O~ (2ℓbn⌈ℓ/2⌉), by presenting a polynomial time algorithm that distinguishes inputs of the form G(x) from inputs where each coordinate is sampled from the uniform distribution on m bits. As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro’s [47] recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator G:{±1}nb→{±1}2cbn as above for large enough c> 3 and ℓ= 2. (Following this work, and an independent work of Lombardi and Vaikuntanthan [49], Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.) Our results actually hold for the much wider class of low-degree, non-binary valued pseudorandom generators: if every output of G: {± 1}n→ Rm (R = reals) is a polynomial (over R) of degree at most d with at most s monomials and m≥ Ω~ (sn⌈d/2⌉), then there is a polynomial time algorithm for distinguishing the output G(x) from z where each coordinate zi is sampled independently from the marginal distribution on Gi. Furthermore, our results continue to hold under arbitrary pre-processing of the seed. This implies that any such map G, with arbitrary seed pre-processing, cannot be a pseudorandom generator in the mild sense of fooling a product distribution on the output space. This allows us to rule out various natural modifications to the notion of generators suggested in other works that still allow obtaining indistinguishability obfuscation from bilinear maps. Our algorithms are based on the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a canonical semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality 3 and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever m= n1.5-ε. This class is extremely easy to describe: Let G be any simple non-abelian group with the group operation “ ∗ ”, and interpret the blocks of x as elements in G. The description of the pseudorandom generator is a sequence of m triples of indices (i, j, k) chosen at random and each output of the generator is of the form xi∗ xj∗ xk.
UR - http://www.scopus.com/inward/record.url?scp=85045872911&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85045872911&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-78375-8_21
DO - 10.1007/978-3-319-78375-8_21
M3 - Conference contribution
AN - SCOPUS:85045872911
SN - 9783319783741
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 649
EP - 679
BT - Advances in Cryptology - EUROCRYPT 2018 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2018 Proceedings
A2 - Nielsen, Jesper Buus
A2 - Rijmen, Vincent
PB - Springer Verlag
T2 - 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT 2018
Y2 - 29 April 2018 through 3 May 2018
ER -