A hard-core predicate for all one-way functions

A central tool in constructing pseudorandom generators, secure encryption functions, and in other areas are "hard-core" predicates b of functions (permutations) f, discovered in [Blum Micali 82]. Such b(x) cannot be efficiently guessed (substantially better than 50-50) given only f(x). Both b and f are computable in polynomial time. [Yao 82] transforms any one-way function f into a more complicated one, f*, which has a hard-core predicate. The construction applies the original f to many small pieces of the input to f* just to get one "hard-core" bit. The security of this bit may be smaller than any constant positive power of the security of f. In fact, for inputs (to f*) of practical size, the pieces affected by f are so small that f can be inverted (and the "hard-core" bit computed) by exhaustive search. In this paper we show that every one-way function, padded to the form f(p, x) = (p, g(x)), ‖p‖ = ‖x‖, has by itself a hard-core predicate of the same (within a polynomial) security. Namely, we prove a conjecture of [Levin 87, sec. 5.6.2] that the scalar product of Boolean vectors p, x is a hard-core of every one-way function f(p, x) = (p, g(x)). The result extends to multiple (up to the logarithm of security) such bits and to any distribution on the x's for which f is hard to invert.

[1] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[2] Adi Shamir et al. A method for obtaining digital signatures and public-key cryptosystems, 1978, CACM.

[3] M. Rabin. Digitalized Signatures and Public-Key Functions as Intractable as Factorization, 1979.

[4] Manuel Blum et al. How to generate cryptographically strong sequences of pseudo random bits, 1982, 23rd Annual Symposium on Foundations of Computer Science (SFCS 1982).

[5] Andrew Chi-Chih Yao et al. Theory and Applications of Trapdoor Functions (Extended Abstract), 1982, FOCS.

[6] Adi Shamir et al. On the generation of cryptographically strong pseudorandom sequences, 1981, TOCS.

[7] Avi Wigderson et al. How discreet is the discrete log?, 1983, STOC.

[8] Vijay V. Vazirani et al. Efficient and Secure Pseudo-Random Number Generation, 1984, CRYPTO.

[9] Leonid A. Levin et al. One-way functions and pseudorandom generators, 1985, STOC '85.

[10] Silvio Micali et al. How to construct random functions, 1986, JACM.

[11] Manuel Blum et al. A Simple Unpredictable Pseudo-Random Number Generator, 1986, SIAM J. Comput.

[12] Umesh V. Vazirani et al. Efficiency considerations in using semi-random sources, 1987, STOC.

[13] Leonid A. Levin et al. One way functions and pseudorandom generators, 1987, Combinatorica.

[14] Michael Luby et al. How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract), 1986, CRYPTO.

[15] Hugo Krawczyk et al. On the existence of pseudorandom generators, 1988, Proceedings of the 29th Annual Symposium on Foundations of Computer Science.

[16] A. Kolmogorov et al. Algorithms and Randomness, 1988.

[17] Burton S. Kaliski et al. Elliptic curves and cryptography: a pseudorandom bit generator and other tools, 1988.

[18] Oded Goldreich et al. RSA and Rabin Functions: Certain Parts are as Hard as the Whole, 1988, SIAM J. Comput.

[19] Leonid A. Levin et al. Homogeneous measures and polynomial time invariants, 1988, Proceedings of the 29th Annual Symposium on Foundations of Computer Science.

[20] Peter Elias et al. Error-correcting codes for list decoding, 1991, IEEE Trans. Inf. Theory.