Algebraic attacks against random local functions and their countermeasures

Suppose that you have n truly random bits x = (x_1, …, x_n) and wish to use them to generate m ≫ n pseudorandom bits y = (y_1, …, y_m) via a local mapping, i.e., each y_i should depend on at most d = O(1) bits of x. In the polynomial regime m = n^s, s > 1, the only known solution, which originates from (Goldreich, ECCC 2000), is based on Random Local Functions: compute y_i by applying some fixed (public) d-ary predicate P to a random (public) tuple of distinct inputs (x_{i_1}, …, x_{i_d}). Our goal in this paper is to understand, for any value of s, how the pseudorandomness of the resulting sequence depends on the choice of the underlying predicate. We derive the following results:

(1) We show that pseudorandomness against F_2-linear adversaries (i.e., the distribution of y has low bias) is achieved if the predicate (a) is k = Ω(s)-resilient, i.e., uncorrelated with any k-subset of its inputs, and (b) has algebraic degree Ω(s) even after fixing Ω(s) of its inputs. We also show that these requirements are necessary, so they form a tight characterization (up to constants) of security against linear attacks. Our positive result shows that a d-local low-bias generator can have output length n^{Ω(d)}, answering an open question of Mossel, Shpilka and Trevisan (FOCS 2003). Our negative result shows that a candidate pseudorandom generator proposed by the first author (computational complexity, 2015) and by O'Donnell and Witmer (CCC 2014) is insecure. We use similar techniques to refute a conjecture of Feldman, Perkins and Vempala (STOC 2015) regarding the hardness of planted constraint satisfaction problems.

(2) Motivated by the cryptanalysis literature, we consider security against algebraic attacks. We provide the first theoretical treatment of such attacks by formalizing a general notion of algebraic inversion and distinguishing attacks based on the Polynomial Calculus proof system. We show that algebraic attacks succeed if and only if there exists a non-zero polynomial Q of degree e = O(s) whose roots cover the roots of P or cover the roots of P's complement. As a corollary, we obtain the first example of a predicate P for which the generated sequence y passes all linear tests but fails some polynomial-time computable test, answering an open question posed by the first author (Question 4.9, computational complexity 2015).
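As an added illustration (not code from the paper), the following Python brute-forces two of the predicate properties the abstract turns on, for small d: the resiliency k (Walsh coefficients vanish for every input subset of size at most k) and the smallest degree e of a non-zero polynomial Q over GF(2) whose roots cover the roots of P or of its complement, found as a nullspace of the monomial-evaluation matrix. The predicates XOR_AND, LINEAR and MAJ3 and all function names are constructed here for the demonstration; the linear predicate shows high resiliency together with a degree-1 Q, which is exactly the gap between the linear and algebraic criteria.

```python
from itertools import combinations

def truth_table(pred, d):
    """Evaluate a d-ary predicate on all 2**d inputs; bit j of the index is x_j."""
    return [pred(tuple((x >> j) & 1 for j in range(d))) for x in range(1 << d)]

def resiliency(tt, d):
    """Largest k such that P is uncorrelated with every XOR of at most k input
    bits (Walsh coefficient 0 for all |S| <= k); -1 if P is not even balanced."""
    for k in range(d + 1):
        for S in combinations(range(d), k):
            mask = sum(1 << j for j in S)
            corr = sum((-1) ** (tt[x] ^ (bin(x & mask).count("1") & 1)) for x in range(1 << d))
            if corr != 0:
                return k - 1
    return d

def gf2_rank(rows):
    """Rank over GF(2) of row vectors packed as int bitmasks (Gaussian elimination)."""
    rank, rows = 0, [r for r in rows if r]
    while rows:
        pivot = rows.pop()
        rank += 1
        low = pivot & -pivot                      # lowest set bit of the pivot row
        rows = [r ^ pivot if r & low else r for r in rows]
        rows = [r for r in rows if r]             # drop rows reduced to zero
    return rank

def min_annihilator_degree(tt, d):
    """Smallest e such that a non-zero Q over GF(2) of degree <= e vanishes on all
    roots of P or on all roots of 1+P (item (2) of the abstract). Such a Q exists
    iff the monomials-evaluated-on-roots matrix has rank below #monomials."""
    for e in range(d + 1):
        monos = [m for m in range(1 << d) if bin(m).count("1") <= e]
        for value in (0, 1):                      # roots of P, then roots of 1+P
            pts = [x for x in range(1 << d) if tt[x] == value]
            rows = [sum(1 << i for i, m in enumerate(monos) if (x & m) == m) for x in pts]
            if gf2_rank(rows) < len(monos):
                return e
    return d                                      # not reached: Q = P works at e = deg P

# Constructed 5-ary predicates: XOR3 plus AND2, a linear one, majority of x0..x2.
XOR_AND = lambda x: x[0] ^ x[1] ^ x[2] ^ (x[3] & x[4])
LINEAR = lambda x: x[0] ^ x[1] ^ x[2] ^ x[3] ^ x[4]
MAJ3 = lambda x: (x[0] & x[1]) ^ (x[0] & x[2]) ^ (x[1] & x[2])

def analyse(pred, d=5):
    """Return (resiliency, min annihilator degree) for a predicate on d bits."""
    tt = truth_table(pred, d)
    return resiliency(tt, d), min_annihilator_degree(tt, d)
```

Running analyse on the three predicates gives (2, 2) for XOR_AND, (4, 1) for LINEAR and (0, 2) for MAJ3.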
