Under the auspices of the Computational Complexity Foundation (CCF)

REPORTS > DETAIL:

### Revision(s):

Revision #1 to TR15-172 | 15th May 2016 09:05

#### Algebraic Attacks against Random Local Functions and Their Countermeasures

Revision #1
Authors: Benny Applebaum, Shachar Lovett
Accepted on: 15th May 2016 09:05
Keywords:

Abstract:

Suppose that you have $n$ truly random bits $x=(x_1,\ldots,x_n)$ and you wish to use them to generate $m\gg n$ pseudorandom bits $y=(y_1,\ldots, y_m)$ using a local mapping, i.e., each $y_i$ should depend on at most $d=O(1)$ bits of $x$. In the polynomial regime of $m=n^s$, $s>1$, the only known solution, originates from (Goldreich, ECCC 2000), is based on \emph{Random Local Functions}: Compute $y_i$ by applying some fixed (public) $d$-ary predicate $P$ to a random (public) tuple of distinct inputs $(x_{i_1},\ldots,x_{i_d})$. Our goal in this paper is to understand, for any value of $s$, how the pseudorandomness of the resulting sequence depends on the choice of the underlying predicate. We derive the following results:

(1) We show that pseudorandomness against $\F_2$-linear adversaries (i.e., the distribution $y$ has low-bias) is achieved if the predicate is (a) $k=\Omega(s)$-resilience, i.e., uncorrelated with any $k$-subset of its inputs, and (b) has algebraic degree of $\Omega(s)$ even after fixing $\Omega(s)$ of its inputs. We also show that these requirements are necessary, and so they form a tight characterization (up to constants) of security against linear attacks. Our positive result shows that a $d$-local low-bias generator can have output length of $n^{\Omega(d)}$, answering an open question of Mossel, Shpilka and Trevisan (FOCS, 2003). Our negative result shows that a candidate for pseudorandom generator proposed by the first author (ECCC 2015) and by O'Donnell and Witmer (CCC 2014) is insecure. We use similar techniques to refute a conjecture of Feldman, Perkins and Vempala (STOC 2015) regarding the hardness of planted constraint satisfaction problems.

(2) Motivated by the cryptanalysis literature, we consider security against \emph{algebraic attacks}. We provide the first theoretical treatment of such attacks by formalizing a general notion of algebraic inversion and distinguishing attacks based on the Polynomial Calculus proof system. We show that algebraic attacks succeed if and only if there exist a degree $e=\Theta(s)$ non-zero polynomial $Q$ whose roots cover the roots of $P$ or cover the roots of $P$'s complement. As a corollary, we obtain the first example of a predicate $P$ for which the generated sequence $y$ passes all linear tests but fails to pass some polynomial-time computable test, answering an open question posed by the first author (Question~4.9, ECCC 2015).

### Paper:

TR15-172 | 3rd November 2015 08:46

#### Algebraic Attacks against Random Local Functions and Their Countermeasures

TR15-172
Authors: Benny Applebaum, Shachar Lovett
Publication: 3rd November 2015 08:53
Keywords:

Abstract:

Suppose that you have $n$ truly random bits $x=(x_1,\ldots,x_n)$ and you wish to use them to generate $m\gg n$ pseudorandom bits $y=(y_1,\ldots, y_m)$ using a local mapping, i.e., each $y_i$ should depend on at most $d=O(1)$ bits of $x$. In the polynomial regime of $m=n^s$, $s>1$, the only known solution, originates from (Goldreich, ECCC 2000), is based on \emph{Random Local Functions}: Compute $y_i$ by applying some fixed (public) $d$-ary predicate $P$ to a random (public) tuple of distinct inputs $(x_{i_1},\ldots,x_{i_d})$. Our goal in this paper is to understand, for any value of $s$, how the pseudorandomness of the resulting sequence depends on the choice of the underlying predicate. We derive the following results:

(1) We show that pseudorandomness against $\F_2$-linear adversaries (i.e., the distribution $y$ has low-bias) is achieved if the predicate is (a) $k=\Omega(s)$-resilience, i.e., uncorrelated with any $k$-subset of its inputs, and (b) has algebraic degree of $\Omega(s)$ even after fixing $\Omega(s)$ of its inputs. We also show that these requirements are necessary, and so they form a tight characterization (up to constants) of security against linear attacks. Our positive result shows that a $d$-local low-bias generator can have output length of $n^{\Omega(d)}$, answering an open question of Mossel, Shpilka and Trevisan (FOCS, 2003). Our negative result shows that a candidate for pseudorandom generator proposed by the first author (ECCC 2015) and by O'Donnell and Witmer (CCC 2014) is insecure. We use similar techniques to refute a conjecture of Feldman, Perkins and Vempala (STOC 2015) regarding the hardness of planted constraint satisfaction problems.

(2) Motivated by the cryptanalysis literature, we consider security against \emph{algebraic attacks}. We provide the first theoretical treatment of such attacks by formalizing a general notion of algebraic inversion and distinguishing attacks based on the Polynomial Calculus proof system. We show that algebraic attacks succeed if and only if there exist a degree $e=\Theta(s)$ non-zero polynomial $Q$ whose roots cover the roots of $P$ or cover the roots of $P$'s complement. As a corollary, we obtain the first example of a predicate $P$ for which the generated sequence $y$ passes all linear tests but fails to pass some polynomial-time computable test, answering an open question posed by the first author (Question~4.9, ECCC 2015).

ISSN 1433-8092 | Imprint