Low Complexity Pseudorandom Generators and Indistinguishability Obfuscation by Alex Lombardi A.B., Harvard University (2016) A.M., Harvard University (2016)
Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of
Master of Science in Computer Science and Engineering at the
MASSACHUSETTS INSTITUTE OF TECHNOLOGY June 2018
0 Massachusetts Institute of Technology 2018. All rights reserved.
Signature redacted A uth or ...... Department of Electrical Engineering and Computer Science Signature redacted May 23, 2018 C ertified by ...... Vinod Vaikuntanathan Associate Professor of Electrical Engineering and Computer Science Thesis Supervisor
Accepted by ...... Signature redacted...... Leslie A. Kolodziejski Professor of Electrical Engineering and Computer Science Chairman, Department Committee on Graduate Theses MASSACHUSETS INSTITUTE OF TECHNOWOGY- 1
JUN 18 2018
LIBRARIES 4i Low Complexity Pseudorandom Generators and Indistinguishability Obfuscation by Alex Lombardi
Submitted to the Department of Electrical Engineering and Computer Science on May 23, 2018, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering
Abstract In the study of cryptography in NCO, it was previously known that Goldreich's candi- date pseudorandom generator (PRG) is insecure when instantiated with a predicate P in 4 or fewer variables, if one wants to achieve polynomial stretch. On the other hand, there is a standard candidate PRG with locality 5 based on the "tri-sum-and" predicate TSA(x) = XOR3 D AND 2 (X) = X1 E X 2 ( @ X 4 x5 . However, locality is only one complexity measure of a PRG that one could hope to minimize. In this work, we consider the problem of minimizing three other complexity measures of a (local) PRG: decision tree (DT-)complexity, Q-degree (i.e., the degree of P as a polynomial over Q), and the recent notion of blockwise locality (due to Lin and Tessaro). These three complexity measures are all of interest for their possible applications to constructing indistinguishability obfuscation (IO) schemes based on low-degree multilinear maps. Indeed, Lin and Tessaro recently proposed an intriguing candidate IO scheme based on bilinear maps and a non-standard assumption on "Goldreich-like" pseudorandom generators. We obtain both positive and negative results on the existence of low complexity PRGs. First, we give a candidate predicate for Goldreich's PRG with DT-complexity 4 and Q-degree 3. We also show that all predicates with either DT-complexity less than 4 or Q-degree less than 3 yield insecure PRGs, so our candidate predicate simul- taneously achieves the best possible locality, DT-complexity, Q-degree, and F2-degree according to all known attacks. Finally, we show polynomial-time attacks on the blockwise 2-local PRGs required in the Lin-Tessaro work, invalidating the security of their IO and FE candidates based on bilinear maps. Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of random 2-XOR instances (Charikar and Wirth, FOCS 2004).
Thesis Supervisor: Vinod Vaikuntanathan Title: Associate Professor of Electrical Engineering and Computer Science
3 4 Acknowledgments
First of all, I thank my advisor, Vinod Vaikuntanathan, for the incredible amount of encouragement and patience that he has provided since I started working with him.
Vinod has also consistently been able to come up with (and help me come up with) intriguing, important, and somehow tractable problems to think about. I have no idea how he (or anyone else) manages this, but I am certainly grateful for it. I would also like to thank Salil Vadhan for taking in a curious math undergraduate who knew nothing about computer science for a summer research project, and for giving extremely good advice thereafter. The discussions I had with Salil, Boaz Barak, and Madhu Sudan during my last two undergraduate years are without a doubt the reason I am studying theoretical computer science. Boaz in addition taught my first course in cryptography, without which I would certainly not be where I am today. My friends in the theory group at MIT CSAIL have been a constant source of inspiration, support, and fun for the last two years. I thank them for that, and I hope that this doesn't change even as we come and go. Finally, I thank my parents, who have been putting up with my nonsense for far longer than everyone else and have handled it remarkably well.
5 6 Contents
1 Introduction 9 1.1 O ur R esults ...... 14 1.1.1 Predicates Over the Binary Alphabet .... . 15 1.1.2 Predicates Over a Large Alphabet ...... 16 1.2 Conclusions and Open Questions ...... 20 1.3 Organization ...... 22
2 Preliminaries 23 2.1 Pseudorandom generators ...... 24 2.2 Analysis of Boolean Functions ...... 25 2.3 A Review of Goldreich's PRG and its Security ...... 26 2.3.1 The Choice of Predicates in Goldreich's PRG ...... 27 2.3.2 Generalization to Blockwise Local PRGs ...... 29
3 Minimizing DT-Complexity and Q-Degree 31 3.1 New Candidate Predicates for Goldreich's PRG ...... 32 3.1.1 A Predicate with Decision Tree-Complexity 4 ...... 32 3.1.2 A Predicate with Decision-Tree Complexity 4 and Q-degree 3 33 3.2 Predicates with Depth-3 Decision Trees Yield Insecure PRGs .... . 35 3.3 Predicates with Q-degree 2 Yield Insecure PRGs ...... 39
4 An Attack on Blockwise 2-Local PRGs 43 4.1 Outline of the Attack ...... 44
7 4.2 Alphabet Reduction ...... 46 4.2.1 Limits of Alphabet Reduction ...... 51 4.3 From Small Alphabet Refutation to Large Alphabet Distinguishing . 53 4.3.1 Proof of Theorem 4.3.1 ...... 56 4.3.2 Generalization of Theorem 4.3.1 to Multiple Predicates .. . . 59
8 Chapter 1
Introduction
9 While hard problems occur abundantly in nature, useful hard problems are some- what rare. In particular, to be useful in cryptography, the (conjuctured) hard prob- lems need several additional properties: at the minimum, average-case hardness and the ability to sample hard instances with their solutions (a property that is required for building one-way functions). It is hard enough to come up with cryptographically useful hard problems, but to make our life even harder, we also often want the cryptographic constructions to be as simple as possible. For example, take the case of (cryptographic) pseudorandom generators (PRGs), the object of study in this work. Here, we ask for a functioni G: {0, 1}' -+ {o, 1}' which is: (a) expanding, meaning that m > n and ideally, m is a large polynomial in n; (b) pseudorandom, meaning that G(Un) is computationally indistinguishable from Ur, where U, and Un are uniform distributions on n and m bits, respectively; and (c) simple, meaning that G is computable by a (uniform) NC0 circuit.
In a remarkable tour-de-force, Applebaum, Ishai and Kushilevitz [AIK06] showed how to "compile" any PRG computable in a large complexity class, say NC1 , into one that'can be computed in NCO. Their PRGs even had locality as small as 4, meaning that each output bit depends on only 4 input bits. This gave us candidate PRGs under essentially any standard complexity assumption, e.g., the hardness of factoring, that of the decisional Diffie-Hellman problem, the worst-case hardness of approximating shortest vectors in lattices, and so forth. The main deficiency of the AIK work is that even if you start with a PRG with large, polynomial, stretch in NC1 , the compiler only produces a PRG with sub-linear (additive) stretch in NC0 , that is m = n + o(n). Indeed, as Mossel, Shpilka and Trevisan [MST06] showed, there are no PRGs in NC0 with polynomial stretch and locality 4, so in a sense, the [AIK06] construction is nearly optimal.
However, we cannot help but ask for more. Polynomial stretch PRGs, also called
PPRGs (where m = nc for some c > 1) in NC0 have several applications including
'To be more precise, we ask for a family of functions {Gn}ncN where G, maps n bits to m = m(n) > n bits.
10 secure two-party computation with constant overhead [IKOS08] and more recently, indistinguishability obfuscation (IO) from constant-degree multilinear maps [Lini6a, LV16, AS16, Linl6b, LT17]. PPRGs are much trickier to construct; indeed, our best hope is a candidate con- struction (actually, a family of constructions) first proposed by Goldreich [Gol00] in 2000. Goldreich's generator and its properties in the polynomial stretch regime are the central themes of this paper.
Goldreich's Pseudorandom Generator. Goldreich's candidate pseudorandom generator, first introduced in [Gol00] (then as a candidate one-way function), can be instantiated with any k-ary predicate P : {0, 1}k -+ {0, 1} and any k-uniform (directed) hypergraph H on n vertices and m hyperedges. Given H and P, we define a PRG G: {0, 1} - {0, 1} m as follows: Identify each vertex in H with an index in
[n] and each hyperedge with an index i C [m]. For each i c [Tm], let FH (i) E k be the sequence of k vertices in the ith hyperedge. Then, Goldreich's PRG is the function from {0, 1} to {0, 1}m defined by
GH,P(X) - (P(XrH(i)))j [m]
That is, the ith bit of GH,p(x) is the output of P when given the FH(i)-restriction of x as input. For the rest of this paper, we think of k as an absolute constant.
Many predicates P : {0, I}k - {0, 1} are known to yield insecure PRGs when plugged into Goldreich's generator GH,P. In particular, call a predicate degenerate if it is either affine or not pairwise-independent, that is it is correlated to some pair of its input bits.2 A long sequence of results [MST06, BQ12, ABR12, OW14, KMOW17] show the following beautiful dichotomy theorem: every predicate is either (a) degen- erate, in which case it can be broken by a F 2-linear attack, or (b) non-degenerate, in which case it resists a large class of attacks including F 2-linear attacks [ABR12] and attacks that can be implemented in the Lasserre/Parrilo sum-of-squares (SOS) hierarchy, a powerful SDP hierarchy which generalizes the Sherali-Adams (SA+) and 2 This means that there are input locations i and j such that Pr[P(x) = e X] # -.
11 Lovdsz-Schrijver (LS+) proof systems [OW14, KMOW17]. The latter class of attacks is of particular interest in the context of Goldreich's generator as the problem of breaking it is closely tied to the problem of refuting random instances of CSPs (see [OW14, KMOW17, BS16] for context on SOS and refutation of CSPs). Moreover, the security result against SOS attacks from [KMOW17] holds even when the stretch of the PRG is a large polynomial: the stretch achievable by a predicate P is entirely characterized by its t-wise independence properties.
As a special case of the dichotomy results, any predicate P with locality at most 4 (i.e., k < 4) is degenerate and therefore Goldreich's PRG using P is broken. In addition, given these results, when looking for candidate predicates that could achieve polynomial stretch, one can take the view that any non-degenerate predicate is a viable candidate. For a more detailed discussion of Goldreich's PRG, we refer the reader to Section 2.3.
Application to Constructing Program Obfuscation. There has been much re- cent progress on constructing indistinguishability obfuscation (IO) schemes [BGI+01, GR07] starting from the work of Garg, Gentry, Halevi, Raykova, Sahai and Wa- ters [GGH+16]. Most recently, Lin [Linl6a] and others [LV16, Linl6b, AS16, LT17] showed a pathway to constructing IO schemes using two ingredients: multilinear maps of constant degree and pseudorandom generators with "low complexity." Mini- mizing the "degree of the cryptographic multilinear maps" in these constructions is a vital research direction; indeed, achieving multi-linearity 2 will imply a construction of program obfuscation, and indeed nearly all of cryptography, from hard Diffie- Hellman-like problems on elliptic curves. As a result, there has a been great interest in understanding precisely what kind of simplicity is required of a PRG in order to facilitate an IO construction.
As we already alluded, the above constructions do not necessarily need small locality, but rather they care about optimizing other parameters of the predicate P. We now highlight two of the results obtained by this line of work.
12 IO from Low Degree MMaps and Low Degree PRGs. [Linl6a, LV161 showed that if polynomial-stretch PRGs in NCO exit, and cryptographic multilinear maps with (sufficiently large) constant degree exist, then so does indistinguishability ob- fuscation. In fact, the connection between multi-linearity and Q-degree is precise and quantitative: they showed that if Goldreich's PRG is secure with a predicate P with Q-degree d, and multilinear maps with degree D = 6d + 4 (and a secure Diffie- Hellman-like problem) exist, then IO exists. The dependence of D on d was improved by a subsequent work [Linl6b], so that multilinear maps of degree D = 3d are now sufficient. We emphasize that for this construction, it is really the Q-degree of the predicate that governs the result rather than its locality. This means that the result stated here is actually incomparable to that of subsequent works.
10 from L-Linear Maps and (Blockwise) L-Local PRGs. [Linl6b], building upon the works of [Linl6a, LV16j, proved that if Goldreich's PRG is secure with a predicate P with locality L, and multilinear maps with degree D = L exist, then IO ex- ists. Instantiating Goldreich's PRG with the "TSA predicate" P(Xi, X 2, X3 , x 4, X 5 ) :=
X 1 Ix 2 DX 3 E)X 4x5 , this immediately gives a candidate construction of IO from 5-linear maps. 3 Unfortunately, as we already noted, 4-local PRGs of polynomial stretch do not exist, and so this line of work appears to get stuck. But less than a year later, Lin and Tessaro [LT17] constructed an IO candidate from standard assumptions on bilinear maps and non-standard assumptions on "Goldreich-like" pseudorandom gen- erators [GolOO] with "blockwise" locality 2. This is a remarkable development: we previously had 10 candidates based on constant degree (most recently, degree 5) multilinear maps and constant locality (most recently, locality 5) PRGs. We did not have any candidates for the degree 5 multilinear maps that satisfied the required assumptions (namely, a version of the decisional Diffie-Hellman assumption); however, we did have candidates for locality 5 PRGs that are known to resist a large class of attacks [OW14, AL16]. The Lin-Tessaro
3 [AS16], concurrently with [Linl6b], also gave a construction of 10 from 5-linear maps and 5-local PRGs.
13 result dramatically changed the landscape by shifting the burden of existence from degree 5 multilinear maps to pseudorandom generators with (so-called) blockwise locality 2 and polynomial stretch. In other words, we have candidates for degree 2 multilinear maps (also known as bilinear maps) [BF03, Jou02, JouOOI; however, there are no locality 2 PRGs, and the security of blockwise locality 2 PRGs is highly questionable.
This Thesis. Our discussion above has established that while (conjecturally) the security of low locality PRGs over the binary alphabet is well-understood, this no- tion of "simplicity" is by no means the only important one within the realm of low- complexity PRGs. In this work, consider three alternative notions - Q-degree and decision tree (DT)-complexity for predicates over a binary alphabet, and blockwise locality for predicates over a large alphabet - and ask the following question.
What is the smallest (Q-degree, DT-complexity, blockwise locality) for a predicate P that makes Goldreich'sfunction a PPRG?
Because locality is an upper bound for all three of these notions of complexity, we know the answer is at most 5 for all three questions. But how small can it be?
1.1 Our Results
In this work, we propose answers to all three of the above questions. Namely,
" We give evidence that Q-degree 3 PPRGs exist, while proving that Q-degree 2 PPRGs do not exist.
" We give evidence that DT-complexity 4 PPRGs exist, while proving that DT- complexity 3 PPRGs do not exist.
* We show an attack on blockwise 2-local PRGs that breaks the Lin-Tessaro 10 candidate from bilinear maps. Combined with the [LT17] candidate blockwise 3-local PPRG, this indicates that "3" is the minimum possible blockwise locality one can hope for.
14 We now give a more detailed description of our results.
1.1.1 Predicates Over the Binary Alphabet
We study two measures of complexity of a predicate P, namely its Q-degree and the minimum depth of a decision tree that computes it (we call this the DT-complexity of P), and show positive and negative results. On the negative side, we show that no predicates with Q-degree at most 2 or decision tree depth at most 3 can result in a secure PPRG.4 Previously, Mossel, Shpilka and Trevisan [MST06] who show that locality-4 predicates cannot result in a secure PRG.
Theorem 1.1.1 (Informal). All predicates computable by a degree-2 polynomial over Q or a depth 3 decision tree are either affine or fail to be pairwise-independent. Sub- sequently, Goldreich's PRG is insecure when instantiated with such predicates for m = Q(nl+6).
On the positive side, we construct a predicate P which has locality 5, decision- tree depth 4, Q-degree 3 and F 2-degree 2 which is "Goldreich-friendly". That is, Goldreich's PRG instantiated with P resists precisely the class of attacks considered in [ABR12, OW14, KMOW17], namely F2-linear attacks and attacks that can be implemented in the Lasserre/Parrilo sum-of-squares (SOS) hierarchy. Our predicate TSPA ("tri-sum-paired-and") is defined as follows
f (ui, 2, 3, 4, 5) = X1 e X2 ( 3 e (X2 (@ 4)(X3 e X5). and is inspired by work of Ambainis [Amb06] who constructs a similar predicate in the context of quantum query complexity.
Theorem 1.1.2. There is a non-degenerate predicate Q : {0, 1}5 - {0, 1} on 5 variables which is computable by a degree 3 polynomial over Q as well as by a depth 4 decision tree. When instantiated with Q, Goldreich's PRG is (subexponentially) 4 This also yields a negative result for secure predicates with Fp-degree 2 for p > 2k.
15 2 5 secure against F 2-linear attacks for all m = O(n. -) as well as attacks from the Lasserre/Parrilosum-of-squares hierarchy for all m = 0(n"-c).
The results from this subsection originally appeared in joint work with Vinod Vaikuntanathan ILV17b].
1.1.2 Predicates Over a Large Alphabet
We show a polynomial-time attack against the pseudorandom generators required for the Lin-Tessaro construction. As such, this constitutes a break of the Lin-Tessaro 10
(as well as functional encryption) constructions that use bilinear maps. We remark that our attacks do not apply to the Lin-Tessaro 10 construction based on 3-linear maps. This leaves us in a curious state of affairs regarding constructions of IO from multilinear maps.
* There is a construction [LT17] of IO from trilinear maps (whose existence is questionable) and "blockwise 3-local PRGs" (for which we have plausible can- didates); and
" There is a construction [LT17] of IO from bilinear maps (for which we have candidates that have been around for almost two decades) and "blockwise 2- local PRGs" (which are broken in this work).
Since cryptographically secure trilinear maps have so far eluded us, it is not sur- prising that the difficulty of achieving JO arises from the gap between bilinear and trilinear maps. However, we find it quite surprising that this transition appears to be related to the pseudorandomness of 2-local functions and 3-local functions (over a large alphabet, no less)!
Goldreich's PRGs with Blockwise 2-Local Predicates. We start by describing the object we attack. Let P be a predicate from E2 to {0, 1}, for some polynomial size alphabet ZEJ = q = poly(n). As before, let H be a (directed) graph with n vertices and m edges; we will refer to H as the constraint graph. The pseudorandom
16 m E' {0, i} is thengenerator defined by GH,P(x)GHP i(P(X,Z xj))(i 3j)EE(H) as before. We call this an (n, m, q)- Goldreich-like pseudorandom generator since it uses predicates over a large alphabet. This construction can also be thought of as a "blockwise local" pseudorandom generator, a terminology that Lin and Tessaro introduce and use [LT17]. In an (L, w)-block-wise PRG, the nw-bit input is divided into blocks of size w bits each, and each output bit of the PRG can depend on at most L blocks. It is easy to see that a Goldreich PRG as defined above with alphabet size q is a (2, [log ql)-block-wise PRG. With this terminology, we are ready to state our main result on blockwise 2-local PRGs.
Theorem 1.1.3. There is a poly(n, q) time algorithm D which, for any m ;> (q -n), any predicate P : [q] 2 -- {0, 1}, and any graph H with n vertices and m edges, distinguishes between a uniformly random string z <- U.. and a random output z <-
GH,P (Un,q) (with a constant distinguishing advantage).
The Lin-Tessaro Theorem and Connection to Goldreich-like PRGs. In or- der to understand the implications of of Theorem 1.1.3, we have to understand which blockwise 2-local PRGs suffice for constructing IO. As mentioned earlier, Lin and Tes- saro [LT17] showed an IO candidate based on the hardness of standard assumptions on bilinear maps and the existence of a Goldreich-like PRG with blockwise locality 2 and sufficiently large stretch. More precisely, they show:
Under standard assumptions on bilinear maps and the existence of a subexponentially secure (n, m, q)-Goldreich-like PRG with q = poly(n)
and m = (nq3 )1 6 for some constant E > 0, there is an IO scheme. As- suming the existence of such a generator with quasipolynomial security, there is a compact FE scheme.
Our main theorem (Theorem 1.1.3) now implies that a natural class of candidates for such PRGs, proposed and analyzed in [LT17], can be broken in polynomial-time.
17 Random Random Different vs. Stretch Predicate? Graph? Same Predicate Reference Per Output m = Q(q- n) Worst-case Random Same [LV17c] m = O(q n) Random Random Same [BBKK17] m = Q(q 2 -n) Worst-case Worst-case Different [BBKK171; later, [LV17a] m = Q(q n) Worst-case Worst-case Same [LV17a]; [BBKK18] m = ((q n) Worst-case Worst-case Different Open Figure 1-1: The State of the Art on Attacks against Blockwise 2-local PRGs.
In fact, we show something stronger: even a potential extension of the Lin-Tessaro theorem that requires only blockwise 2-local PRGs with minimal expansion, namely m = Q(nq), can be broken using our attack. The results from this subsection originally appeared in joint work with Vinod Vaikuntanathan [LV17a].
History of Blockwise Locality Results and the Current State of Affairs The presentation of this work has changed significantly since the original preprint [LV17c]. We originally proved the following weaker version of Theorem 1.1.3; see also the first line of Figure 1-1.
Theorem 1.1.4. There is a poly(n, q) time algorithm D which, for any m > Q(q -n), any predicate P : [q] 2 - {0, 1}, and a (1 - o(1)) fraction of graphs H with n vertices and m edges, distinguishes between a uniformly random string z +- U and a random output z <- GH,P(Un,q) (with a constant distinguishing advantage).
In a concurrent work, Barak, Brakerski, Komargodski and Kothari [BBKK17] showed a completely different attack on a blockwise 2-local PRG with different pa- rameter settings. Barak et al. show how to attack blockwise 2-local PRGs for worst- case graphs and a worst-case collection of possibly different predicates for each output bit. However, they need to assume that the PRG had a larger stretch, namely that m = Q(q 2 - n). They also achieve a threshold of m = Q(q -n) for the restricted case
18 of random graphs and random, single predicate. See the second and third line of Figure 1-1.
Our main theorem (as it appeared in [LV17a]) draws inspiration from [BBKK17] and applies our main technique that we refer to as alphabet reduction in a different way than we originally conceived. In an updated version of their work [BBKK18], the authors of [BBKK17] also combined their techniques with ours to obtain this result. See the fourth line of Figure 1-1.
There is still a gap between Theorem 1.1.3 and a complete break of the [LT17] candidate: Theorem 1.1.3 breaks blockwise 2-local PRGs in which the predicate com- puting each output bit is the same. This breaks Lin and Tessaro's concrete PRG candidate. However, their theorem can be instantiated with more general block-wise local PRGs where each output bit is computed using a different predicate, a setting that [BBKK17] break. We remark here that our techniques (to be described below) can also be used to break this multiple-predicate variant at the cost of the same worse distinguishing threshold, namely m ;> Q(nq2 ).
On the negative side, in [LV17a], we provide evidence that our own technique is unlikely to achieve a better threshold than m > Q(q 2 - n) for worst-case graphs and worst-case multiple predicates. In addition, in an updated version of their work [BBKK18], the authors of [BBKK17] prove a sum-of-squares lower bound for breaking Goldreich's PRG when instantiated with a random graph and independent random predicates, with m = Q(q - n).
The current state of attacks against blockwise 2-local PRGs is summarized in Figure 1-1. As one can see from the table, there is a very narrow set of possibilities that neither our attack nor [BBKK18] rule out just yet. Namely, we cannot rule out the possibility that (a) the Lin-Tessaro theorem could be improved to work with stretch Q((nq)1 *6); and (b) there is a PRG with such a stretch that necessarily has to employ a specially tailored graph and different predicates for each output bit. An exceedingly narrow window, indeed!
19 1.2 Conclusions and Open Questions
We are left with many interesting and unresolved questions. First of all, as mentioned earlier, we still do not understand precisely the stretch at which blockwise 2-local PRGs become insecure. In particular, we ask
Question 1.2.1. Does there exist a blockwise 2-local PRG of stretch (nq)1 e?
We know that stretch n -q2 is impossible and stretch n -q is plausible; in between, the answer remains unclear.
Low-Degree PRGs There are also a number of remaining questions about proving the security of low degree PRGs (over a binary alphabet) that we do not know how to attack.
Question 1.2.2. What additionalsecurity properties can we prove (or disprove) about
Goldreich's PRG when instantiatedwith the TSPA predicate and stretch n-. 5 -? What about with stretch n-01 ?
More concretely, there remains a gap between the stretch (Q(n'. 2 5-)) at which we know that Goldreich's PRG (instantiated with non-degenerate predicates) has small bias and the stretch (Q(n 1 5 )) at which we know efficient attacks on the PRG.
In particular, small bias guarantees up to stretch O(n 1 5 -c) would provide stronger evidence that Goldreich's PRG is secure when instantiated with the TSPA predicate. Additionally, in [AL16], another class of attacks on local PRGs is studied, namely algebraic attacks (attacks from the Polynomial Calculus proof system). The lower bounds proved in tAL16] are insufficient to establish the security of Goldreich's PRG with the TSPA predicate against these attacks, but the established upper bounds do not rule out the PRG. Closing the gap between upper and lower bounds here would be extremely interesting and would also be relevant to higher degree candidate PRGs, whose security properties are more uncertain. Furthermore, while this paper focused on achieving any polynomial stretch, it is both intrinsically interesting and and potentially useful for cryptographic applications
20 to understand the tradeoff between the Q-degree of a PRG and the maximum stretch it can attain. In particular, a positive answer to the following question would yield another IO construction from 4-linear maps.
Question 1.2.3. Can a Q-degree d PRG achieve stretch n 4d ?
The later work [BBKK17] shows that PRGs computable by sufficiently sparse polynomials cannot achieve this stretch, but the question in general remains open.
A Better Bootstrapping Theorem For Degree. The work [LV17b] originally considered the question of constructing degree 3 PRGs in the hope that it would lead to a construction of IO from trilinear maps. However, the best construction of IO (due to a combination of [LV16, Linl6b]) still requires 3d-linear maps along with a degree d PRG). The works [Linl6b, LT17] circumvent this problem by relying on locality and blockwise locality, respectively, rather than degree, but it remains interesting to understand how tight the connection between Q-degree d PRGs and D = f(d)-linear maps can be made. In particular, we ask:
Question 1.2.4. Can IO be constructed from d-linear maps and Q-degree d PRGs?
A positive answer to this question would yield another candidate construction of IO from trilinear maps; this construction would in addition rely on the security of PRGs defined over a binary alphabet (as opposed to the blockwise 3-local PRG candidates of [LT17, BBKK18]).
Other Notions of "Simple" PRGs Finally, it remains unclear that any of the notions studied so far (locality, Q-degree, DT-complexity, blockwise locality) are the "right" notion of simplicity of a PRG for applications to IO. Very broadly, it would be very interesting to isolate weaker properties of PRGs that suffice for FE-to-JO bootstrapping theorems. Most optimistically, we could hope that such a development would lead to an IO construction from bilinear maps.
21 1.3 Organization
We start with some basic preliminaries in Chapter 2. In Chapter 3, we present our results on minimizing the Q-degree and DT-complexity of Goldreich's PRG. Finally, in Chapter 4, we present our attack on blockwise 2-local PRGs.
22 Chapter 2
Preliminaries
23 Notation. We let U, denote the uniform distribution on n bits, i.e., on the set
{O, 1}. Additionally, we let Un,q denote the uniform distribution on the set [q]fn. Let negl(n) : N - R denote any function that is smaller than any inverse polynomial in n. That is, we require that for every polynomial p, there is an nri c N such that for all n > np, negl(n) < l/p(n).
2.1 Pseudorandom generators
We say that a function G: {0, 1} _, {0, 1}' is a pseudorandom generator (PRG) if it has the following properties: (1) G is computable in (uniform) time poly(n), and
(2) any probabilistic polynomial time adversary A: {0, 1}" - {0, 1} has the property that E [A(G(x))] - E [A(y)] = negl(n) X+-Un Y<--Um
We say that a PRG G : {0, 1} - {0, 1}m has stretch m = m(n). In this paper, we focus on the polynomial stretch regime, namely where m = O(nc) for some constant c > 1. If G is computable in NCO, then we define the locality of G to be the maximum number of input bits on which any output bit of G depends. As positive evidence for a particular function G : {O, 1} -+ {0, 1}m to be a PRG, one can prove that G resists attacks by more specific kinds of adversaries (instead of all polynomial-time adversaries). We focus on two kinds of attacks here. First, we consider F2-linear attacks.
Definition 1 (small-bias generator). A polynomial-time computable function G
{O, 1}" _, {0, 1} is a small-bias generatorif the advantage of every F2-linear function
A : {0, 1} m - {0, 1} in distinguishing between the distributions G(Un) and U is negl(n). See [NN93] for a general exposition on small-bias generators.
The other class of attacks we consider are those from the Lasserre/Parrilo sum-of-squares (SOS) hierarchy, a powerful SDP hierarchy which generalizes the Sherali-Adams (SA+) and Lovdsz-Schrijver (LS+) proof systems. See [BS16] for
24 a general introduction to the SOS hierarchy. As we will see, SDP-based attacks are of particular interest to us because the security of Goldreich's PRG is closely tied to the problem of refuting random instances of CSPs.
2.2 Analysis of Boolean Functions
Let f : {O, I}k 4 {O, 1} be a function on k variables.
Definition 2 (bias). f is balanced, or unbiased, if E f(x) =; otherwise, we say X-Uk2 that f is biased.
Definition 3 (t-wise independence). For t > 0, f is t-wise independent if for all s < t
and all sets of s variables {xi, ... , i,}, the function f(x) @ xi, e ... D xi, is balanced.
Finally, we define two complexity measures of f besides its locality: degree and decision tree complexity.
Definition 4 (degree). For any field K, the K-degree of f is the degree of the unique multilinear polynomial over K computing f.
For our purposes, the fields of interest are K = Q and K = F 2, giving us notions of Q-degree and F 2-degree.
Definition 5 (decision tree). A decision tree is a directed binary tree T in which each non-leaf vertex is labeled by a variable xi and each leaf is labeled by a bit b C {0, 1}. Any v C {0, I}k defines a path in T which starts at the root of T and traverses from a vertex labeled by xi to its left child if vi = 0 and to its right child if vi 1. We say that a decision tree T computes a function f if the following holds: for each v C {0, 1}k, the leaf at the end of the path in T defined by v is labeled by f(v).
25 X1
0 1 1 0
Figure 2-1: This is a depth 2 decision tree computing the function f(x1, x 2) = X1 (DX2. We only consider nodes labeled by variables when calculating the depth of a decision tree
Definition 6 (decision tree complexity). Let f : {0, I}k -÷ {0, 1} be a boolean function. The decision tree complexity (DT-complexity) of f is the smallest depth of a decision tree computing f.
Our three main complexity measures - Q-degree, DT-complexity, and locality - are related to each other in the following way.
Lemma 2.2.1. Let f : {0, I}k - {0, 1} be a boolean function with Q-degree d and DT-complexity D. Then d < D < k.
Proof. To see that D < k, note that there exists a (complete) depth k decision tree T computing f in which the ith layer of T consists only of variables xi and the "k + ith layer" of T consists of 2 k leaves spelling out the truth table for f. To see that d < D, note that a decision tree with root xi and children TL and TR has the property that T(x) = xiTR(x) + (1 - xi)TL(x) (where T(x) := f(x) when T computes f); a quick induction allows us to conclude that T(x) can be written as a rational polynomial of degree at most D, as desired. E
2.3 A Review of Goldreich's PRG and its Security
Goldreich's candidate pseudorandom generator, first introduced in [Goloo] (then as a candidate one-way function), can be instantiated with any k-ary predicate P :
26 {0, I} -+ {0, 1} and any k-uniform (directed) hypergraph H on n vertices and m hyperedges. Given H and P, we identify each vertex in H with an index in [n] and
each hyperedge with an index i E [m]. For each i c [m], let FH(i) E [n]k be the sequence of k vertices in the ith hyperedge. Then, Goldreich's PRG is the function from {O, 1} to {0, 1}m defined by
GH,P(X) = (P(X FH(i)))iG[mjn
That is, the ith bit of GHP(X) is the output of P when given the FH(i)-restriction of x as input. Goldreich's generator is often instantiated with a uniformly random choice of hy- pergraph H; in this setting, we say that "Goldreich's generator instantiated with P is
a PRG" for some predicate P if for a random k-uniform hypergraph H, GH,P is a PRG with high probability (say, probability 1 - o(1)). Often (see [AL16, OW14, ABR121) instead of proving results for random hypergraphs it suffices to use hypergraphs with "good expansion" for varying definitions of expansion. It is sometimes useful to think of the hypergraph H and predicate P as defining a constraint satisfaction problem (CSP) using predicates P and -,P as constraints: the task of breaking Goldreich's PRG can be thought of distinguishing a random planted instance of this CSP from a truly random instance of the CSP. From this point of view, it is natural to consider SDP-based attacks and desirable to have security results against such attacks. For a more in-depth survey and discussion of Goldreich's PRG, see [App161.
2.3.1 The Choice of Predicates in Goldreich's PRG
Many predicates P : {O, I}k -+ {0, 1} are known to yield insecure PRGs when plugged into Goldreich's generator GH,P. Define a predicate P to be degenerate if it is either affine or correlated to some pair of its input bits.
Definition 7. A predicate P : {0, 1 }k {0, 1} is called degenerate if it is either
(a) affine: that is, the F2-degree of P is at most 1; or
27 (b) not pairwise-iindependent: that is, there is a pair of input locations i and j such
that Pr[P(x) = xi e x] - }.
If neither of the above conditions hold, P is called non-degenerate.
There have been many attacks on degenerate predicates [MST06, BQ12, ABR12]. Perhaps most interestingly, Applebaum, Bogdanov, and Rosen [ABR12] show the following result.
Theorem 2.3.1 ([ABR12], Theorem 2). If P is degenerate, then Goldreich's PRG is insecure when instantiated with P as long as m = n + Q(n). In fact, the PRG has
O(1( ) bias with probability 1 - o(1).
So when using a degenerate predicate, Goldreich's PRG cannot even pass all F 2- linear tests. Theorem 2.3.1 is a result in the "random hypergraph" model, but in some cases (e.g., when P has locality at most 4), even stronger insecurity results are known. In [MST06], an efficient (but non-linear) attack is described on Goldreich's PRG when instantiated with any predicate of locality at most 4 (which is necessarily degenerate) and any hypergraph H. On the other hand, the "tri-sum-and" predicate
TSA(xi, X2 , X 3 , X 4, X 5 ) = X 1 G X2 G X3 G X 4 x 5 is an oft-cited candidate predicate for Goldreich's PRG. In [MST06], Mossel, Shpilka, and Trevisan show that when instantiated with the TSA predicate, a variant of Gol- dreich's PRG is secure against F2-linear attacks (that is, the PRG has subexponen- tially mall bias) for m = O(n1 2 5-c), and in [OW14j, O'Donnell and Witmer extend this result (again for TSA) to m = 0(n1 5--E) in the uniformly random hypergraph setting. Moreover, they show that up to m = O(n 1.5-c), the PRG is subexponentially secure against the SOS hierarchy (in a slightly modified random hypergraph setting). There have also been results proving that Goldreich's PRG is secure against var- ious attacks as long as the chosen predicate P is non-degenerate. Applebaum, Bog- danov, and Rosen [ABR12] show the following converse to Theorem 2.3.1.
28 Theorem 2.3.2 ([ABR12], Theorem 1). If P is non-degenerate, then for m =
Q(nl 1 -) Goldreich's PRG has subexponentially small bias with probability 1 - o(1).
1 5 This does not match the stretch of n - achieved in [OW14] for the TSA pred- icate; however, there are no known attacks against any non-degenerate predicate in this setting for m = o(n1 5 ), and it remains an open problem to extend Theorem 2.3.2 to stretch m = O(n" 5 c). However, it does show that any non-degenerate predicate gives rise to a small bias generator with polynomial stretch. As for SOS lower bounds, a recent result of Kothari, Mori, O'Donnell, and Wit- mer IKMOW17] matches the lower bounds in [OW14] for any pairwise-independent predicate (and hence for any non-degenerate predicate).
Theorem 2.3.3 ([KMOW17], Theorem 1.2, rephrased). If P is pairwise-independent, then Goldreich's PRG instantiated with P is secure against the SOS hierarchy up to degree Q(2 ). Therefore, against SOS attacks the PRG has subexponential security up to stretch m = n
In summary, given these results, when looking for candidate predicates that could achieve polynomial stretch (in fact, stretch up to nl-5--E), we take the view that any non-degenerate predicate is a viable candidate.
2.3.2 Generalization to Blockwise Local PRGs
In our discussion of Goldreich's PRG so far, we have assumed that an input x is treated as a sequence of bits, and complexity measures such as locality are defined in terms of the individual bits x1 ,..., x, of x. However, as noted by Lin and Tessaro [LT17], one can think of instantiating Goldreich's PRG with any k-ary predicate P : Ek -- {0, 1} for an arbitrary alphabet size ZE) = q. We refer to such PRGs as "blockwise k-local PRGs." The analogous definition of Goldreich's PRG is as follows.
Definition 8. Given a predicate P and hypergraph H, Goldreich's PRG is the func- tion from En to {0, 1}1 defined by
GH,P(x) = (P(Xr'H(0))iG[ml
29 That is, the ith bit of GH,P(X) is the output of P when given the IH'(i)-restriction of x as input.
In terms of security, the SDP lower bounds - in particular, the lower bound of [KMOW17] - extend to the case of blockwise locality. This means that it really is strictly easier to construct blockwise k-local PRGs than it is to construct k-local PRGs. However, prior attacks on k-local PRGs - in particular, those matching the lower bounds of [KMOW17] - do not obviously extend to the case of blockwise locality. Indeed, the work IBBKK18] (a later version of the work [BBKK17]) shows that the lower bounds of jKMOW17] are not tight for blockwise local PRGs. In Chapter 4, we specialize to the case of k = 2; that is, we consider attacks on blockwise 2-local PRGs. Ultimately, the attacks on GH,P that we describe in this paper hold for all graphs H, rather than just random graphs.
Finally, we note that one can analogously define GHP for a collection of m pred- icates P1 , ... , Pm (in which the ith output bit of GH, is obtained using Pi). As we sketch later, our attack can be extended to this case as well, although a larger stretch is required for the attack to work.
30 Chapter 3
Minimizing DT-Complexity and Q-Degree
31 3.1 New Candidate Predicates for Goldreich's PRG
In this section, we focus on the problem of finding non-degenerate predicates of min- imal decision tree (DT)-complexity and Q-degree, respectively. Prior to tLV17b], no such predicates were known to have either DT-complexity or Q-degree less than 5, while the commonly used non-degenerate predicate
TSA(xi,..., X 5) = X1 e X2 e X3 (DX 4x5 has DT-complexity 5 and Q-degree 5.
3.1.1 A Predicate with Decision Tree-Complexity 4
As a first step, we come up with a predicate that has DT-complexity 4 and Q- degree 4. Indeed, the TSA predicate can be modified in a simple way to decrease its DT-complexity down to 4 while maintaining pairwise independence. Consider the predicate
P( I, ... , X5) =i e X2 e 5X3 e 514
Theorem 3.1.1. The predicate P defined above has a decision tree of depth 4, has Q-degree 4, and is non-degenerate (namely, pairwise independent and not affine).
Proof. We first show that P can be computed by a decision tree of depth 4. First, note that the functions X1 e x 2 G X 3 and x1 e X2 G X4 both have DT-complexity 3, as they are functions of three variables each. Now P can be computed by a depth-
4 decision tree which first queries for X5 and, depending on whether X5 is 0 or 1, computes the function X1 @ X2 e 13 or X1 e 12 e 14 respectively. Since Q-degree is bounded above by DT-complexity, this means that degQ(P) < 4 as well. In fact, P has degree exactly 4, as P can be written as
P(x) = X 1 G X2 G (X5X4 + (1 - 15)13)
It is easy to see that P has a nonzero Xi2X4X5 term (as well as a nonzero 1112X3X5
32 term) when written as a multilinear polynomial over Q. To see that P is pairwise independent, note that P can be written as
P(Xi, ... , X5) = X1 E x2 ( X3 ( 335(33 G 34).
It suffices to show that all the functions P, P exi (ic {1, 2, 3, 4, 5}) and P G xi e xj (i,Cj {1, 2, 3, 4, 5}) are all balanced. First, note that P is balanced. Secondly, note that P(x) e xi is also balanced be- cause it will have either an independent x, summand or an independent X2 summand remaining. Finally, note that the same clearly holds for P(x) G xi E xj except for the case of P(X)e X 1 (X 2 = X3X 5(X 3 eX 4 ). In this last case, choosing (X3, X4, 35 ) E {0, 1}3 independently at random is the same as choosing (3, 333 ( X4, 35) E {0, 1}3) indepen- dently at random. With this change of variables, one sees that P(x) ( x, e X2 is balanced as well. Finally, we note that P is clearly not affine. E
3.1.2 A Predicate with Decision-Tree Complexity 4 and Q- degree 3
One way to try to find a predicate with Q-degree smaller than 4 is to find one with decision trees of depth smaller than 4. Unfortunately, as we will see in Section 3.2, there are no non-degenerate predicates with DT-complexity 3, so we cannot achieve Q-degree 3 by looking for shallower decision trees. Moreover, the predicate P defined in Section 3.1.1 has Q-degree 4. Indeed, at least in low degree, there are not too many examples of Boolean functions exhibiting a gap between DT-complexity and Q-degree. One function which does exhibit such a gap, studied by Ambainis [Amb06] for its applications to quantum query complexity, is the function
f (Xi, X2, 33, 34) = X1 + X2 + X334 - Xi2 - X2X3 - X1X4.
The function f, which has Q-degree 2 and DT-complexity 3, is our starting point.
33 In [Amb06], the sensitivity properties of f were used to obtain nontrivial quantum query complexity lower bounds for functions obtained as iterated compositions of f with itself, which leads to a gap between quantum query complexity and Q-degree; see [Amb06] for a longer discussion.
Lemma 3.1.2 ([Amb06]). The function f defined above has Q-degree 2 and DT- complexity 3.
For our purposes, the key additional insight is that f can be rewritten in the form
f (Xi, X 2, X 3, x 4 ) = X1 e X2 E (X 1 e(x 3)(X2 eX4).
This leads to the following result.
Lemma 3.1.3. The function f defined above is 1-wise independent.
Proof. (of Lemma 3.1.3.) Note that f can be written as
f (Xi, X2 , X 3 , x 4 ) = X 1 + X2 + X3X4 - XiX 2 - X2 x 3 - XiX4
X1 + X 2 + (X 1 + X 3)(x 2 + X4 ) (mod 2).
Note also that choosing (X1 , X 2 , X3 , x4 ) - {0, 1}4 independently at random is equivalent to choosing (X 1 , X 2 , x 1 X 3 , x 2 (X 4 ) independently at random, so f(x) is balanced and f (x) e x is balanced for any choice of i (for i = 1 and i = 3, we have an "independent" x 2 summand, while for i = 2 and i = 4, we have an "independent" x1 summand). Thus, f is 1-wise independent. El
Since f is 1-wise independent, f(x) ( X5 is a pairwise-independent function of 5 variables. Renaming variables for convenience, we have our candidate predicate:
TSPA(x) := X1 G (X2 + X3 + X4X5 - X2X3 - X3X4 - X2X5)
X1 + X2 + X3 + (X2 + X4)(X3 + X5) (mod 2).
By analogy to the usual TSA predicate, we call this the TSPA predicate, or "tri- sum-paired-and" predicate, as X4 and X5 are each paired (via XOR) with an earlier
34 variable before being AND-ed together. TSPA(x) has F 2-degree 2, Q-degree 3, DT- complexity 4, locality 5, where the statements about the Q-degree and DT-complexity follow immediately from Lemma 3.1.2. Thus, we have:
Theorem 3.1.4. There is a predicate TSPA which is non-degenerate and has:
* F2-degree 2;
* Q-degree 3;
* DT-complexity 4; and
e locality 5.
We will see in Sections 3.2 and 3.3 that TSPA(x) is optimal according to all four of these complexity measures.
3.2 Predicates with Depth-3 Decision Trees Yield In- secure PRGs
To show that predicates with DT-complexity at most 3 lead to insecure PRGs, by [BQ12] and [ABR121 it suffices to show that any P computable by a depth 3 de- cision tree is degenerate, i.e. either (1) affine or (2) not pairwise-independent. In order to do this, we first suppose that P is an unbiased predicate computable by a depth 3 decision tree and argue that the further condition of 1-wise independence constrains the number of variables that can appear in the decision tree. Namely, 1-wise independence constrains the "leaf variables" as defined below.
Definition 9. Let T be a decision tree computing a predicate P on variables x1, ... ,n which is minimal in the sense that both Os and Is appear as descendants of any variable node in T. We say that xi is a leaf variable if all nodes labeled by xi have no variable children.
35 1 X2 0 X3
X 4 0 X5
0 1 1 0
Figure 3-1: This is a depth 3 decision tree computing a balanced predicate P on five variables. The variables X4 and X5 are "leaf variables" in this tree. Note that this
predicate P is correlated with the values of x 4 and x 5 , respectively.
Lemma 3.2.1. Suppose that P is a balanced predicate on n variables and T is a
minimal decision tree (in the sense of Definition 9) computing P. If xi is a leaf
variable which occurs only once in T, then P (D xi is biased.
Proof. Suppose that the variable xi occurs at depth d within the tree and has left child b and right child 1 - b. Then, we have that
1 1 E[P (D xi] - -E[P(x) | xi = 0] + - - E[1 - P(x) | xi = 1] 2 2
= (2-db + ( - 2-d) + - 2 -d (1 - b) + (1 - 2-d)- 2 2 2 2 2
1 1 - 1 = - + 2(2b - 1) 7-. 2 2 2
The evaluation of E[P(x) I x= 0] follows from further conditioning on the event that the node containing xi is reached when evaluating the decision tree. We conclude that under the given hypotheses, P a xi is biased, as claimed.
As a result, we have the following corollary
Corollary 3.2.2. Suppose that P is a 1-wise independent predicate on n variables
36 and T is a minimal decision tree computing P. Then every leaf variable xi occurs at least twice in T.
In the particular case we are considering, i.e. when T has depth at most 3, this gives an upper bound on the number of variables occurring in T: it is not hard to see that if P is 1-wise independent, T can have at most 5 distinct variables. We already know from [MST06] that predicates in at most 4 variables are degenerate, so all we have to do is analyze the depth 3, locality 5 case. Up to renaming of variables, there are only three possible tree structures for such a 1-wise independent predicate, shown below.
Case 1:
X1
X2 X 3
X4 X4 X5 X5
b - b i- b b c -C 1-C c
Case 2:
X1
X2 33
b 1- b I- b b c -c -- C c
37 Case 3:
X1
X2 X3
X4 X5 X5 X4
b 1- b I- b b c 1C 1-cCc
Figure 3-2: Locality 5, 1-wise independent predicates computable by depth 3 decision trees.
These are the only possible structures because (1) space constraints tell us that
X4 and x5 (the leaf variables) must each occur exactly twice, and (2) the fact that
P e 4 must be unbiased tells us that if b is the left child of one occurrence of X4, then 1 - b must be the left child of the other occurrence of X4 (and similarly for X5).
We now analyze these three cases to show that none of these predicates are 2-wise independent.
In Case 1, the predicate P is correlated with X 2 G X4 (the left branch of x, is exactly the function 2 ( X4 e b, so the same analysis as in Lemma 3.2.1 works), so
P is never 2-wise independent.
In Case 2 and Case 3, P is also correlated with X2 e 4 . To see this, we compute
1 1 E[P(x) (D X2 (D X41 = -E[P(x) E X2 (D X4 I X1 = 0] + - 2 4
(as when x= 1, P(x) is independent of 2 and so P(x) e 2 ( X4 is unbiased)
- -E[P( ) X2 D X 4 I X1 = X2 = 0] + - 4 8
(as when x1 = 0 and 2 = 1, P(x) is independent of X4, and so P( ) ( 2 G 4 is unbiased)
38 1 3 1 4 8 2 This completes the case analysis, showing that if P is computable by a depth 3 decision tree, then P is degenerate, in which case Goldreich's PRG is insecure when instantiated with P.
3.3 Predicates with Q-degree 2 Yield Insecure PRGs
In this section, we show that all predicates of Q-degree 2 lead to insecure PRGs. We do this by bounding the locality of a predicate as a function of its Q-degree. In particular, we show that any predicate P expressible as a rational polynomial of degree 2 has locality at most 4. Our bound sharpens the best previous result along these lines due to Nisan and Szegedy in [NS941, in which it is shown that a predicate of degree d has locality at most d -2d, giving an upper bound of locality 8 in our case. It may be of independent interest to tighten the result of [NS94] for larger values of d.
Theorem 3.3.1. Any predicate P expressible as a rational polynomial of degree at most 2 depends on at most 4 input bits.
Theorem 3.3.1 implies the desired result because we already know that predicates of locality at most 4 are degenerate (and so yield insecure PRGs - even, by [MST06], with an arbitrary hypergraph H instead of a random hypergraph), so we proceed directly to the proof of Theorem 3.3.1.
Proof. Since boolean functions of degree at most 1 are all of the form P(x) = 0,
P(x) = 1, P(x) = xi, or P(x) = 1 - xi for some i, we restrict to predicates of degree exactly 2. We prove by induction on k > 5 the following statement: a k-ary predicate
P of degree 2 depends on at most 4 variables. We prove the base case of k = 5 using a computer search and then prove the inductive step by hand.
39 The case k = 5:
For 0 < j < 5, let Nj denote the number of boolean functions on j variables which are also polynomials of degree at most 2, and let NI denote the number of such boolean functions that depend on exactly j variables. Then, we see by a counting argument that
i=O
We calculate by computer search that No = 2, NI = 4, N2 = 16, N3 = 70, N4 =
222, and N5 = 552. Using these values, we calculate that N5 = 0, proving the base case.
The inductive step:
Suppose that for some k > 5 we know that all k-ary predicates of degree 2 have locality at most 4. We now want to show that the same is true for k-+ 1-ary predicates.
Consider any k + 1-ary predicate P(Xo, ... , X,) of degree 2, which (assuming without loss of generality that P depends on xO) can be written as a polynomial expression
P(Xo, ... , Xk) = XOPI(Xi, ... , Xk) + P2 (Xi, ... , Xk)
where P1(Xi, ... , X,) is some polynomial of degree at most 1 and P 2(Xi, ... , Xk) is some polynomial of degree at most 2. Because we have that
P(0, X 2, ... , Xk) = P 2 (Xi, ... , Xk),
we see that P2 - a degree 2 polynomial - computes a boolean function on k variables.
Furthermore, we claim the following about P2 : either every present variable in P2 occurs in a degree 2 term of P2 , or P2 is has degree at most 1. This is true for the following reason: if the variable x 1 (without loss of generality) occurs only as a degree
1 term in P 2, then we can write P2 (x) = ax1 + P2(X 2 ,... , Xk) where P2(X 2 , ... , Xk) =
P2(, X2, ... ,iXk) is a boolean function and ax, = P2 (x1 , 0, ..., 0) - P2(0, ... , 0) implies
40 that a = 1. If P2 is nonconstant (i.e. if P2 has degree 2), then we obtain a
contradiction because we can force P2 to take either the value -1 or 2 (depending on
whether a =1 or a = -1) on a suitable choice of x. Thus, either P2 has degree at
most 1 or every variable in P2 occurs in a degree 2 term.
By similar argument to the previous paragraph (applied to P instead of P2), we see that either P has degree at most 1 (and so depends on at most one variable, so we are done) or x0 appears in a degree 2 term in P, i.e. P has degree exactly 1.
Finally, we use the fact that P1(Xi, ..., Xz) + P2 (Xi, ... , Xk) = P(0, X1, ... , 1k) is also a boolean function on k variables, and hence depends on at most 4 variables by the
inductive hypothesis. In the case that P2 has degree 2, we note that any variable
occurring in the expression for P or occurring in the expression for P2 necessarily
occurs in the expression for P1 + P2, because P has degree 1 and all variables occurring
in P2 occur in a degree 2 term, so there can be no cancellation when adding P and
P2 . This allows us to conclude that P(x) = xoP1(x) + P2(x) depends on at most 5
variables (the variables that P and P2 depend on along with 1o), implying that P depends on at most 4 variables by the base case.
On the other hand, if P2 has degree exactly 0 then the same argument as above
applies, while if P2 has degree exactly 1, then without loss of generality P2 (x) = x1 (applying a logical negation to P and changing variable names if necessary). If
P1(XI, ... ,Xk) does not contain the exact term "-xi", then the argument of the previous paragraph applies, while in this special case we have
P(x) = - 011 + X1 + XoP3 (X 2, ... , 1k)
where P3 (X2 , ... , 1k) = P(1, 0,12, X21, k) is a boolean function of degree at most 1.
We conclude that P3 depends on at most one variable, and so P depends on at most 3 variables in this degenerate case. Having covered all cases, this completes the inductive step and hence proves Theorem 3.3.1. E
41 42 Chapter 4
An Attack on Blockwise 2-Local PRGs
43 4.1 Outline of the Attack
In this chapter, we present our attack on blockwise 2-local PRGs. More specifically, we prove Theorem 1.1.3 and discuss its extensions and limitations.
We start with a description of our original attack, namely the proof of Theo- rem 1.1.4 [LV17c], which exploited the well-known connection between our problem of distinguishing a Goldreich PRG output from a uniform string and problems studied in the setting of random constraint satisfaction (CSP). In particular, we utilized a result of Allen, O'Donnell, and Witmer [AOW15] who developed a polynomial-time algorithm for a problem related to ours, namely that of refutation of random CSPs.
Any graph H with n nodes and m edges, any predicate P, and any string z E {0, 1}" together define an instance I of the following constraint satisfaction problem with predicates P and -P.
P(Xj, Xj) = 1 for every e = (i,j) where ze =1
-,P(xi,Xj) = 1 for every e = (i, j) where ze = 0
The task of breaking the PRG GH,P can be thought of as distinguishing CSP instances I in which the negations of P are chosen uniformly at random from instances I in which the negations of P are determined by a random planted solution x E [q]".
Allen, O'Donnell, and Witmer [AOW15 developed a polynomial time algorithm for a different problem, namely that of random CSP refutation. In their setting (specialized to 2-CSPs), a random instance I is generated by choosing a random graph
H along with random negation patterns (ae, be) E Z' for each edge e = (i, j) cE (H) and including constraints P(xi + a,, xj + be) = 1
Their algorithm can certify that Opt(I), the largest fraction of constraints satisfied by any input, is less than 1 provided at least Q(n -poly(q)) constraints (for an unspecified polynomial poly). Namely, their algorithm outputs 1 with probability 1 - o(1), but never outputs 1 if I is satisfiable. Clearly, this suffices to distinguish satisfiable
44 instances I from uniformly random instances.1 In fact, they achieve a much stronger property called strong refutation which will turn out to be crucial for us: given Q(- poly(q)) constraints, their algorithm outputs 1 with probability 1 - o(1), but never outputs 1 if I is "somewhat close" to being satisfiable, that is, if Opt(I) > 1/2 + e (when P is balanced). Finally, we note that their result only holds over random graphs H, but analogous results in the so-called semi-random setting, in which the graph H is worst-case but negation patterns are still random, have been shown in, e.g., [Wit17].
The most glaring difference between our setting and that of random CSP refuta- tion [AOW15] is that our CSP instance has an "outer negation pattern" (randomly negating the predicate P) while theirs have an "inner negation pattern" as described above. However, it turns out that a refutation algorithm for the random CSP model of [AOW15] can nevertheless be turned into a distinguishing algorithm, but at a cost; the resulting algorithm requires m > Q(n-poly(q)) for some large polynomial (roughly q2 times the unspecified polynomial in [AOW15]). Such a result is already nontrivial in the PRG setting, although it is far from the m > ((q -n) threshold that we would like to achieve. This is the major challenge that this paper overcomes: how can we reduce this potentially large poly(q)-dependence to an explicit, small poly(q)-dependence?
Our main idea called alphabet reduction now comes to the rescue. Alphabet reduction is a way to convert our CSP on an alphabet of size q to a related CSP on a new alphabet whose size is an absolute constant independent of q. If the original CSP is random, so is the new CSP. If the original CSP is satisfiable, the new one is "somewhat close to being satisfiable", that is, there is an assignment that satisfies at least 1/2 + Q(1/V) of its clauses. We then leverage the "strong refutation" property of the algorithm in [AOW15] to break the pseudorandomness of GH,P by certifying that a random CSP with constant-sized predicate Q is not 1/2 + Q(1/v/q)-satisfiable,
'We note that refutation seems to give us a significantly stronger guarantee than distinguishing. An analogous "refutation algorithm" in our PRG setting would be able to distinguish a random m string z +- {0, 1}" from z +- GH,P(x) for any distribution of the input x, not just the uniformly random one.
45 which can be done using the algorithm of [AOW15] with only Q(n -q'/6 2 ) Q(r. q) clauses, since q' = 0(1) and c = Q(1//d). In other words, we traded a dependence on q in the number of required clauses for a dependence on q in the error parameter
C = Q(1/g); since the required number of clauses is proportional to 1/c 2 , this reduces the overall dependence on q to linear.
We achieve alphabet reduction by showing that any predicate P : [q]2 -. {O, 1} is (1/2+ (1/d.))-correlated to another predicate P' : [q] 2 -+ {0, 1} which "depends on only one bit of each input". This uses, and refines, a classical lower bound due to Chor and Goldreich [CG88] on 2-source extractors. If our alphabet reduction produced a CSP instance whose alphabet size was some large constant, then this would be the end of the story. However, we can actually reduce to the binary alphabet. In the binary alphabet setting, it turns out that we can use the old MAX-2-XOR approximation algorithm of Charikar and Wirth [CW04] which achieves the following guarantee: for stretch m = (g), it can distinguish m between a random string z <- U and any string z C {0, 1} which is within 2 -e (fractional) Hamming distance of the image G({0, 1}n) of the PRG. 2 This allows us to obtain a much simpler algorithm (making a single black box call to the [CWO4] algo- rithm instead of the [AOW15 algorithm) achieving the same m = Q(n -q) threshold, even for worst-case graphs.
Organization. We now proceed to the formal proof of Theorem 1.1.3. Our alpha- bet reduction technique is presented in Section 4.2, and our attack which combines alphabet reduction with the 2-XOR algorithm of [CWO41 is presented in Section 4.3.
4.2 Alphabet Reduction
Our main result relies on a technique that we call alphabet reduction which reduces the 2 problem of distinguishing the Goldreich PRG that uses a predicate P : E - {0, 1} to that of distinguishing the PRG that uses a different predicate Q : E'2 {O, 1}
2 The problem in the PRG setting that Charikar-Wirth solves is called the image refutation problem for G.
46 that acts on a smaller alphabet E'. In this section, we show the existence of such a suitable predicate Q (for every predicate P) and in the next, we use it to break the PRG. We start with the definition of alphabet reduction.
2 Definition 10 ((E, E', 6)-Alphabet Reduction). Let P : E - {0, 1} be a balanced predicate in two variables. A (E, E', 6)-alphabet reduction for P is defined to be a 2 tuple (Q, f, g) where Q : E' - {0, 1} is a balanced predicate defined on an alphabet
E', and f and g are (exactly) L1 -to-one maps from E to E', and
E [P(x, y) e Q(f (x),g(y))] < 6.
In other words, P(x, y) is nontrivially correlated to the decomposed predicate Q(f(x), g(y)). We use the shorthand "(q', 6)-alphabet reduction" when IE'I = q'.
Note that if P(x, y) is perfectly correlated to P'(x, y) := Q(f(x), g(y)), then the expectation defined above is 0, and if they are perfectly uncorrelated, it is 1/2. In words, this definition asks for a way to approximately compute P by first compressing the two inputs x and y independently, and then computing a different predicate Q on the compressed inputs. In this section, we prove a feasibility result for alphabet reduction: namely, that
{, 1} has a (E, E',any 1/2-Q(1/ predicate / E)-alphabet P : reductionE2 where0 E' = {0, 1} is an alphabet of size two. In other words Q(f(x), g(y)) is mildly, but non-trivially, correlated to P. The predicate Q as well as the compression functions f and g are efficently computable given the truth table of P. Our result is a refinement of a lower bound on the possible error of two-source extractors, due to Chor and Goldreich [CG88].
Theorem 4.2.1. Suppose that P : E2 {0, 1} is a balanced predicate and |E| is
divisible by 2. Then, there exists a (E, ', 1/2 - c/ EY1j)-alphabet reduction (Q, f, g) for P, for some universal constant c. Moreover, given P we can find such a triple (Q, f, g) in (expected) poly( E1) time.
Proof. Throughout this proof, we will equate E with the set [q] (so that IE = q) and
47 E' with the set {0, 1} (so that E'J = 2). Also, for ease of exposition, we consider P taking values in {I } instead of {0, 1}.
2 Given P: [q] _+ { 1}, consider P as a 1-valued q x q matrix. At a high level, the proof goes as follows: we first find a 12 x 2q submatrix of P with substantially more +ls than -is in it (or vice-versa). Such a submatrix is not hard to construct: picking a random collection T of 2. columns and then choosing the collection S of 2i rows optimizing the number of +Is (or -is) in the S x T submatrix suffices. Then, we pick f (a function of the q rows) and g (a function of the q columns) to be indicator functions for S and T respectively; there then turns out to be a choice of function
Q : {O, 1} x {0, 1} - { 1} (in particular, with Q(1, 1) set to be the majority value of P in the submatrix S x T) such that (Q, f, g), with outputs transformed back to {0, 1}, is a valid alphabet reduction for P.
We now proceed with the full proof. For each x C [q] and subset T C [q], define
B(x, T) = P(x, y) yET that is, the absolute value of the T-partial row sum of row x. In [CG88] (Lemma 2),
Chor and Goldreich show that if we choose T to be a uniformly random subset of 2q columns, then for every x,
Pr B(x, T) > - > . Tc[q],ITI= 2 8
Therefore, we have that
E -- # z E[q] : B (x, T) > - > - TC[q],IT| =2 _q _ 8
Since the random variable # {x c [q] : B(x, T) > } takes values in the interval [0, 1] and has expectation at least 1, we conclude by Markov's inequality that
Pr P 1-- # x E [q][1~BxT4 : B (x, T) > 2 - I- < -, TC[q],JTJ=1 q 2 16_ 15'
48 so that with probability > 15I over the choice of T, there will be at least -I-16 rows x E [q] such that B(x, T) > V. Fixing any such set T, we then have that
B(x, T)> q2 . XC[q] 16v'2
Now, let S c [q] be the set of 1 rows x 1 ,..., ii with the largest values of B(x, T)
EyT P(x, y). We claim that
I:B(xT) + E 3(XT ) xES xgS - 48V' that is, we claim that a significant fraction of the B(x, T) terms do not cancel with each other when we sum over x E S and x V S separately. To see this, let
C,= E B(x,T) x:5(x,T);>O and
C2= E B(x,T) x:B(x,T)
3(x, T) +5 3(x, T) = B(x, T) + max(E B(x, T), - 5b(x, T)) xES xOS xGS x S xIS
1 2 >q V q > max(C1 - C2, C2) > -(C1 - C2) + -C 2 3 3 48vT2 as desired. Thus, either the submatrix S x T or ([q] - S) x T has the intermediate property we were looking for.
Finally, we can construct Q, f, and g as follows: let S0 = S, Si = [q] - S, To = T,
49 T, = [q] - T, and for i, j C {0, 1} we define
Etj =q P (X, y). (x, y)EC-Si x Tj
For i, j E {0, 1}, define Q(i, j) = 1 if E j is one of the two largest elements of the
(multi)set {Eiji,j E {0, 1}} (and Q(i,j) = -1 otherwise). Moreover, we define f (x) = i if and only if x E Si, and we define g(y) = j if and only if y E T. Intuitively, for (x, y) E Si x T we want to set Q(f(x), g(y)) to be the majority value of P(x', y') for (x', y') C Si x T, but to make Q a balanced predicate we may have to disagree with this majority function on some inputs.
By essentially the same argument about cancellation as before, we will show that P(x, y) is -+ Q (-)-correlated to Q(f(x), g(y)). That is, we show that
1 1 E [P(x, y)Q(f (x), g(y))] > - (JEool + E01 + |E10 | + |E111) = Q( (X,Y)+-U2,q 2
To see this, re-order the four numbers Eij into E, < E2 < E3 < E4; we know that
E1 + E2 + E3+ E4 = 0 since P(x, y) is balanced. If exactly two of these four numbers are negative, then the expected value above is exactly equal to IE + E21 + E3 + IE41, so we are done. On the other hand, it may be that three of {E1, E2, E3, E4} have the same sign; suppose without loss of generality that E3 < 0. Then, we see that
E [P(x, y)Q(f (x), g (y))] = IEl + IE21 - IE31 + IE41 (x,y) +-U2,q
1 > E4| (|E1 + |E | + + 2 2 |E3 | |E41), completing the existence proof. Moreover, our existence proof above is constructive: to find a valid triple (Q, f, g), we repeatedly choose T C [q] of size 2- uniformly at random, check if Exc[q] B(x, T) = Q(q,'7) (for suitably chosen constant c), and proceed to construct S, Q, f, and g as described. In expectation only a constant number of sets T will be selected before S, Q, f, and g are successfully constructed,
50 so we are done. El
4.2.1 Limits of Alphabet Reduction
Alphabet reduction is one of the two main ingredients to our distinguishing algorithm. In order to obtain distinguishers for an even larger class of PRGs, namely, instantia- tions of Goldreich's PRG in which m possibly different predicates p(l), p(2 ), ... ) P(, are used instead of a repeated single predicate, one can analogously define an "average case alphabet reduction" for an m-tuple of predicates P.
Definition 11 (Average Case (E, E', 6)-Alphabet Reduction). Let p(), p(), .. . p E2 {0, 1} be a collection of balanced predicates in two variables. A (E, E', 6)- average case alphabet reduction for P is defined to be a tuple (Q, f, g) such that each
2 Q() : E' - {o, 1} is a balanced predicate defined on an alphabet of size q', f and g are (exactly) -- to-one maps from E - E', and
E [Pi)(X, y) QMS)(f(), (y)) < 6.
In other words, P) (x, y) is nontrivially correlated to Q) (f(x), g(y)) on average over the choice of i. We use the shorthand "(q', 6)-average case alphabet reduction" for P when IE'l = q'.
Note that we require the same alphabet reduction functions f and g to work for all the predicates Pi) simultaneously. It turns out that average case alphabet reduction is significantly more difficult to achieve than alphabet reduction. In general, one cannot find a constant size average case alphabet reduction with 6< 1-6().
In particular, when P is a good 3-source extractor P : [q] x [q] x [in] - {0, 1}, no such alphabet reduction can be done. Our impossibility result for alphabet reduction boils down to a (slightly modified) folklore construction of 3-source extractors, which we include for completeness.
51 Theorem 4.2.2. Let P = (P. P)) be a uniformly random 1-entry q x q x m 3-tensor subject to the contraint that p(k) is balanced for every k, and suppose that q < m. Then, for any constant C, we have that with overwhelming probability, every E x x subtensor PISxTxU of P has discrepancy Z(ij,k)EsxTxU -- q)mq
Corollary 4.2.3. If P is a uniformly random collection of m balanaced predicates 2 P(i) : [q] _+ {0, 1}, then for any constant C, there is no (C, 1 - -(g~mq))average case alphabet reduction for P with overwhelming probability.
q q Proof. First, consider any fixed subtensor P SXTxU of size C x C x E,C' and suppose that (P&C)) is a uniformly random tensor (not constrained to be balanced). Then,
PlSxTxU is a uniformly random i-tensor whose discrepancy is governed by the Chernoff bound:
Pr cp(k)< 222T iESjGT,kcU j
The number of subtensors we are considering is (m) () ( ), and the probability that a random tensor P has the property that P(k) is balanced for all k is bounded by
(Q(j))m (as the discrepancy of each p(k) follows the distribution Binomial(q 2 , 1)).
Thus, the probability that a random F satisfies this c-discrepancy property after conditioning on balanced is bounded by
m 2 0(q) (i)(Tq " q2 (q)2f- 2) '( C C)
5 Choosing c = 0( CI lg(mq)) suffices to make this probability negligible, so we are q done.
As a result of Theorem 4.2.2, it is unlikely for alphabet reduction to be sufficient for breaking GHJ; with m = Q(q.n) output length, because the refutation algorithms with which we combine predicate reduction have a I dependence in the required output length for c-refutation (and this dependence is typical). Therefore, it is unlikely for average case alphabet reduction to lead to a distinguisher for G Hp when the output length m = IE(H) is less than q 2 n.
52 However, we note for completeness' sake that Theorem 4.2.2 is tight up to log factors; that is, - Q() )average case alphabet reduction is possible. The con- struction is as follows: pick sets S, T uniformly at random (of size i), choose f, g : E - {0, 1} to be indicator functions for S and T, as before, and for each f E [m] define Qe(i, i) to be 1 if and only if the average value E(j] is in the top two out of four E.), as before. Using average-case alphabet reduction, one can distinguish multiple-predicate Goldreich PRGs GHP when m ;> (q 2 - n); we will elaborate on this in Section 4.3.2.
4.3 From Small Alphabet Refutation to Large Al- phabet Distinguishing
We now describe how alphabet reduction is used to obtain distinguishing algorithms for the (single predicate) Goldreich PRG GH,P; combining this section with Theo- rem 4.2.1 yields Theorem 1.1.3. The cleanest interpretation of our application of alphabet reduction uses the notion of an "image refutation algorithm" for a function G : [q]l -+ {0, 1}m, which was formally defined in [BBKK17]. Interpreted in this language, our result says that any image refutation algorithm for Goldreich's PRG can be converted into a distinguishing algorithm for Goldreich's PRG with a signifi- cantly improved dependence on the alphabet size. The new distinguishing threshold is a simple function of the quality of the alphabet reduction that was used and the refutation threshold for the image refutation algorithm.
Definition 12 (Image Refutation). Let G : [q]n --+ {0, 1}m be any function. An image refutation algorithm for G is an algorithm A which receives G and a string zE {0, 1} as input, with the following properties:
1. (Soundness) If z E G([q]n), then A(G, z) ="fail".
2. (Completeness) If z +- U, then A(G, z) ="z is not in the image of G" with
probability 1 - o(1).
53 Furthermore, A is an (I-6)-image refutation algorithm for G if it has the following properties:
1. (Strong Soundness) If z has Hamming distance less than or equal to ( -)m from G([q)n), then A(G, z) ="fail".
2. (Strong Completeness) If z +- Urn, then A(G, z) ="z is ( - 6)-far from the image of G" with probability 1 - o(1).
Given this definition, we are ready to state our reduction theorem.
{,1} be a predicate. AssumeTheorem the existence of4.3.1. the Let P : [q] 2 , following two ingredients:
" An efficiently computable (q', - e)-alphabet reduction for P that produces a
tuple (Q, f, g) where Q : [q'] 2 - {0, 1}; and
" An image refutation algorithm A that runs in poly(n, m,q', ) time and does (I - 6)-image refutation for the function GH,Q for any predicate Q : []
{0, 1}, any 6 > 0 and any graph H satisfying m = E(H)j ;> T(n, q', 6) for some threshold function T(.).
Then, there is a distingusherD that, for any graph H with m = |E(H) I > T(2n, q', e-
O( , runs in poly(n, q, time and distinguishes a random string z <- U from
a random output z +- GH,P(Un,q) of GH,P-
In particular, since Theorem 4.2.1 efficiently produces a (2, 1 - Q(-!))-alphabet reduction for any balanced predicate P, Theorem 4.3.1 implies that any strong image refutation algorithm for Goldreich's PRG over the binary alphabet immediately yields a distinguishing algorithm for Goldreich's PRG over larger alphabets.
Image Refutation Algorithms for Goldreich's PRG. In [LV17c], we originally combined an alphabet reduction (with q' = 0(1)) with the random CSP refutation algorithm of {AOW15] in place of a PRG image refutation algorithm, which turned
54 out to be sufficient to obtain a distinguisher for GH,P over random graphs for all m = f(q - n).
The improved version of this result (as presented above) appears in [LV17a]. With an alphabet reduction using q' = 2, the state of affairs is much simpler; indeed, the Charikar-Wirth algorithm [CW04] directly gives us a PRG image refutation algorithm which can then be used to obtain a distinguisher for worst case graphs and worst case single predicates for m = Q(q m)n (for a sufficiently large logarithmic factor).
This is because Charikar-Wirth (I - e)-refutes random 2-XOR instances with m
(2) constraints, and strongly refuting Goldreich's PRG instantiated with a balanced predicate Q :{, 1}2 -+ {0, 1} is exactly the same as strongly refuting a random 2-XOR instance (or a random 1-XOR instance, which is even easier). In particular, a balanced predicate Q : {0, 112 - {0, 1} is either Q(x, y) = x, Q(x, y) = y, Q(x, y) = x @ y, or a negation of the previous three examples. Thus, any Goldreich PRG GH,Q defines a random 2-XOR instance or a random 1-XOR instance, either of which can be efficiently (strongly) refuted.
In the multiple predicate case, a Goldreich PRG GH, (still over the binary al- phabet) defines both a random 2-XOR instance and a random 1-XOR instance. It is not hard to see that if m is sufficiently large, at least one of these two CSP instances will be above its refutation threshold, yielding the necessary strong image refutation algorithm for GRt,. We will use this stronger fact for Theorem 4.3.3. Furthermore, we note that this theorem can still be useful in regimes where general 2 alphabet reduction is impossible; it says that if a predicate P : [q] -- {0, 1} happens to have an alphabet reduction, then GH,P may be less secure than one would expect for the given alphabet size q. We now prove Theorem 4.3.1. The intuition is quite simple: given an alphabet reduction (Q, f, g) for P and an image z = GH,P(x) for a random x, one would expect that z is noticeably closer to the point GH,P'(X) for P'(x, y) = Q(f(x), g(y)). Indeed, this is true in expectation over x, and holds with high probability by a concentration argument. Therefore, a strong refutation algorithm for the predicate Q should be able to distinguish GH,P(x) from a random string.
55 4.3.1 Proof of Theorem 4.3.1
Fix any predicate P : [q] 2 -+ {0, 1}, efficiently computable (q', 6)-alphabet reduction
(Q, f, g), 3 and graph H with n vertices and m edges. Let GH,P : [q]fn {0, 1}m be Goldreich's PRG instantiated with P and H. We want to construct a distinguisher D(H, P, z) which, given P, H, and a string z E {0, 1} (where m is the number of edges in H), outputs a bit b E {0, 1} such that E [D(P, H, z)] is noticeably different Z+ Ur from E [D(P, H, z)]. Our distinguisher D is defined as follows. z+-GH,P(Un)
1. Compute (Q, f, g) given P.
2. Let H be the bipartite double-cover of H, i.e. a graph with vertex set [n] x {0, 1} and edges from (i, 0) to (j, 1) for every (i, j) c E(H).
3. Call A(I , Q, c - 5 Vj, Iz).
4. Return 1 if and only if the call to A returns "z is (c - e + 5 )-far from the image of Gf Q".
Note that by assumption on A, for z +- U, D(P, H, z) will output 1 with prob- ability 1 - o(1) as long as m > T(2n, q', e - 5 d). What remains is to analyze the "pseudorandom" case.
Lemma 4.3.2. With constant probability over x <- Un,q, z = GH,P(X) will have
Hamming distance at most ( - e + 5 .)m from GftQ(k), where x E (Z")2 is defined by zj,o = f (xi) and zi,1 = g(xi).
Since the call to A(H, Q, e -5 , z) must return "fail" whenever z has Hamming distance at most ( c - e+5 72)m from GftQ (Z,) (again for m > T(2n, q', e -5i)), Lemma 4.3.2 suffices to prove that
E [D(H, P, GH,P(X))] = 1 - Q(1). X+ Un,q 3This alphabet reduction may be randomized; this does not affect the proof.
56 Proof. Let P'(x, y) = Q(f (x), g(y)) so that Pr [P(x, y) = P'(x, y)] = a> +, (X,Y)<-U2,q as guaranteed by the fact that (Q, f, g) is a (I - e)-alphabet reduction for P. We are interested in the quantity dH(z, GftQ(i)) = dH(z, GH,p'(x)), where dH denotes
fractional Hamming distance. First, we note that in expectation over x <- Un,q,
E := 1 - E [dH(GH,P(X), GRQ(R)) x<-U,,q
E Pr [P' (Xi, X) = P(Xz' j)11 x<--Un~ _( ,j) E(H)
m 1n 2 m where the m"L term comes from the fraction of edges in H which are self loops (we cannot say that P(xi, Xi) is necessarily correlated to P'(xi, xi)). Now, we compute the variance (over x) of this quantity to be
Var [1 - dH(GH,P(x), Gt Q(R))] X-Un,,q - 2 = E Pr [P'(xi, xj) = P(xi, xj)] E2 X--Un,'q ((i ))E(H)
= 2(P'(Xi, E 1 Xj) = P(Xi, Xj)) x (P'(Xk, XI) = P(Xk, X1)) - E2 X<-Un,q K (ij)EE(H) (k,l)EE(H)
2 = 2 Pr [P'(xi, xj) = P(xi, xj) and P'(xk, X1) = P(xk, X1)] - E (ij) EE(H) x< Un,q (k,l)CE(H)
Note that if the edges (i, j), (k, 1) E E(H) have no vertices in common, the events
"P'(xi, xj) = P(xi, xj)" and "P'(Xk, X 1) = P(xk, xj)" are independent. This means that our variance is upper bounded by
57 Pr [P'(xi, xj) = P(xi, xj)] Pr [P'(xk, X1) = P(Xk, X1 )] + mbad - E2 m 2 x Xm2 (i,j)EE(H) (k,I)CE(H)
mbad M2 where mbad is defined to be the number of pairs of edges ((i, j), (k, 1)) which have a vertex in common. This is bounded by the quantity
mbad E degH(i) 2 < 2n - degH (i)= 4mn. iE[n] iE[n] Therefore, we conclude that
4n Var [1 - dH(GH,P(x), GQ (R))]I -. X+ -Un, q m
By Chebyshev's inequality, this means that with constant probability over x <-- Un,q, we have that
n n 1 n 1 - dH(GH,P(x) , GH (3)) > a - -- 4 -> - + -5 -, m m 2m so that dH(GH,p(X), GH, ()) - +5- , completing the proof of the lemma. E
Lemma 4.3.2 tells us that for m > T(2n, q', e - 5 ), with constant probability over x +- Gn,q the call made to A will return "fail", and so
E [D(H, P, GH,P(X))] 1 - 1). X+_ G,,q
Thus, we conclude that D achieves a constant distinguishing advantage between the "truly random z" case and the "pseudorandom z" case, completing the proof of The- orem 4.3.1.
58 4.3.2 Generalization of Theorem 4.3.1 to Multiple Predicates
We note that the proof of Theorem 4.3.1 does not fundamentally use the fact that the
predicates used in Goldreich's PRG GH,p are identical. Indeed, the following result holds by the same argument.
Theorem 4.3.3. Let P(1), p(2 ) P(M) : [q] 2 -+ {0, 1} be a collection of m predi- cates. Assume the existence of the following two ingredients:
* An efficiently computable (q', 2 - e)-average case alphabet reduction for P that {,1}; and produces a tuple (Q, f, g) where each Q(M : [q']2 ,
* An image refutation algorithm A that runs in poly(n, m, qj) time and does (I - 3)-image refutation for the function GHN for any predicate collection QM [q']- {0, 1}, any 6 > 0 and any graph H satisfying m E(H)| ;> T(n, q', 5) for some threshold function T(-).
Then, there is a distingusherD that, for any graph H with m = IE(H) I > T (2n, q', c-
O( h)), runs in poly(n, q, ) time and distinguishes a random string z <- U, from
a random output z <- GH, (Un,q) of GH,'
Theorem 4.3.3, combined with the Charikar-Wirth algorithm and an average- case alphabet reduction with correlation Q(!), gives us a distinguisher for multiple
predicate Goldreich PRGs G HP : [q]' -+ {0, 1}' for all m > Q(q 2 n).
59 60 Bibliography
[ABR12 Benny Applebaum, Andrej Bogdanov, and Alon Rosen. A dichotomy for local small-bias generators. In Theory of Cryptography Conference, pages 600-617. Springer, 2012.
[AIK06] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. Cryptography in NCO. SIAM Journal on Computing, 36(4):845-888, 2006.
[A J15] Prabhanjan Ananth and Abhishek Jain. Indistinguishability obfuscation from compact functional encryption. In Rosario Gennaro and Matthew Robshaw, editors, Advances in Cryptology - CRYPTO 2015 - 35th An- nual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, volume 9215 of Lecture Notes in Computer Science, pages 308-326. Springer, 2015.
[AL16] Benny Applebaum and Shachar Lovett. Algebraic attacks against ran- dom local functions and their countermeasures. In Proceedings of the 48th Annual ACM SIGACT Symposium on Theory of Computing, pages 1087-1100. ACM, 2016.
[Amb06] Andris Ambainis. Polynomial degree vs. quantum query complexity. Journal of Computer and System Sciences, 72(2):220-238, 2006.
[AOW15] Sarah R. Allen, Ryan O'Donnell, and David Witmer. How to refute a random csp. In Foundations of Computer Science (FOCS), 2015 IEEE 56th Annual Symposium on, pages 689-708. IEEE, 2015.
[App16] Benny Applebaum. Cryptographic hardness of random local functions. Computational complexity, 25(3):667-722, 2016.
[AS16] Prabhanjan Ananth and Amit Sahai. Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. IACR Cryptology ePrint Archive, 2016:1097, 2016.
[BBKK17 Boaz Barak, Zvika Brakerski, Ilan Komargodski, and Pravesh K. Kothari. Limits on low-degree pseudorandom generators (or: Sum-of- squares meets program obfuscation). 2017. http: //eprint. iacr. org/ 2017/312, version 20170411:133059. Submitted 9 April, 2017.
61 [BBKK18 Boaz Barak, Zvika Brakerski, Ilan Komargodski, and Pravesh K. Kothari. Limits on low-degree pseudorandom generators (or: Sum-of- squares meets program obfuscation). 2018.
[BF03] Dan Boneh and Matthew Franklin. Identity-based encryption from the weil pairing. SIAM journal on computing, 32(3):586-615, 2003.
[BGI+01] Boaz Barak, Oded Goldreich, Rusell Impagliazzo, Steven Rudich, Amit Sahai, Salil Vadhan, and Ke Yang. On the (im) possibility of obfuscating programs. In Annual International Cryptology Conference, pages 1-18. Springer, 2001.
[BQ121 Andrej Bogdanov and Youming Qiao. On the security of Goldreich's one-way function. Computational complexity, 21(1):83-127, 2012.
[BS16] Boaz Barak and David Steurer. Proofs, beliefs, and al- gorithms through the lens of sum-of-squares. Course notes: http://www. sumofsquares. org/public/index.html, 2016. fBV151 Nir Bitansky and Vinod Vaikuntanathan. Indistinguishability obfusca- tion from functional encryption. In Venkatesan Guruswami, editor, IEEE 56th Annual Symposium on Foundations of Computer Science, FOCS 2015, Berkeley, CA, USA, 17-20 October, 2015, pages 171-190. IEEE Computer Society, 2015.
[CG88] Benny Chor and Oded Goldreich. Unbiased bits from sources of weak randomness and probabilistic communication complexity. SIAM Journal on Computing, 17(2):230-261, 1988.
[CW04] Moses Charikar and Anthony Wirth. Maximizing quadratic programs: Extending grothendieck's inequality. In Foundations of Computer Sci- ence, 2004. Proceedings. 45th Annual IEEE Symposium on, pages 54-60. IEEE, 2004.
[GGH+ 161 Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, Amit Sa- hai, and Brent Waters. Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM Journal on Computing, 45(3):882-929, 2016.
[Gol00] Oded Goldreich. Candidate one-way functions based on expander graphs. IACR Cryptology ePrint Archive, 2000:63, 2000.
[GR07] Shafi Goldwasser and Guy Rothblum. On best-possible obfuscation. In Theory of Cryptography Conference, pages 194-213. Springer, 2007.
[GVW12 Sergey Gorbunov, Vinod Vaikuntanathan, and Hoeteck Wee. Functional encryption with bounded collusions via multi-party computation. In
62 Reihaneh Safavi-Naini and Ran Canetti, editors, Advances in Cryptol- ogy - CRYPTO 2012 - 32nd Annual Cryptology Conference, Santa Bar- bara, CA, USA, August 19-23, 2012. Proceedings, volume 7417 of Lecture Notes in Computer Science, pages 162-179. Springer, 2012.
[IKOS08] Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, and Amit Sahai. Cryp- tography with constant computational overhead. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17-20, 2008, pages 433-442, 2008.
[Jou00 Antoine Joux. A one round protocol for tripartite diffie-hellman. In International algorithmic number theory symposium, pages 385-393. Springer, 2000.
lJou02] Antoine Joux. The weil and tate pairings as building blocks for public key cryptosystems. In ANTS, volume 2369, pages 20--32. Springer, 2002.
[KMOW17] Pravesh K. Kothari, Ryuhei Mori, Ryan O'Donnell, and David Wit- mer. Sum of squares lower bounds for refuting any CSP. arXiv preprint arXiv:1701.04521, 2017.
[Linl6a] Huijia Lin. Indistinguishability obfuscation from constant-degree graded encoding schemes. In Advances in Cryptology - EUROCRYPT 2016 - 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Vienna, Austria, May 8-12, 2016, Pro- ceedings, Part I, pages 28-57, 2016.
[Linl6b] Huijia Lin. Indistinguishability obfuscation from DDH on 5-linear maps and locality-5 PRGs. Preprint: http://eprint.iacr.org/2016/1096.pdf, 2016.
[LPST16] Huijia Lin, Rafael Pass, Karn Seth, and Sidharth Telang. Indistin- guishability obfuscation with non-trivial efficiency. In Chen-Mou Cheng, Kai-Min Chung, Giuseppe Persiano, and Bo-Yin Yang, editors, Public- Key Cryptography - PKC 2016 - 19th IACR International Conference on Practice and Theory in Public-Key Cryptography, Taipei, Taiwan, March 6-9, 2016, Proceedings, Part II, volume 9615 of Lecture Notes in Computer Science, pages 447-462. Springer, 2016.
[LT17] Huijia Lin and Stefano Tessaro. Indistinguishability obfuscation from bi- linear maps and block-wise local prgs. IA CR Cryptology ePrint Archive, 2017:250, 2017. Version 20170320:142653.
[LV16] Huijia Lin and Vinod Vaikuntanathan. Indistinguishability obfusca- tion from DDH-like assumptions on constant-degree graded encodings. In Foundations of Computer Science (FOCS), 2016 IEEE 57th Annual Symposium on, pages 11-20. IEEE, 2016.
63 [LV17a] Alex Lombardi and Vinod Vaikuntanathan. Limits on the locality of pseudorandom generators and applications to indistinguishability obfus- cation. In Theory of Cryptography - 15th Theory of Cryptography Con- ference, TCC 2017. Proceedings, 2017.
[LV17b] Alex Lombardi and Vinod Vaikuntanathan. Minimizing the complex- ity of goldreich's pseudorandom generator. Cryptology ePrint Archive, Report 2017/277, 2017. https: //eprint . iacr. org/2017/277.
[LV17c] Alex Lombardi and Vinod Vaikuntanathan. On the non-existence of blockwise 2-local prgs with applications to indistinguishability obfus- cation. Cryptology ePrint Archive, Report 2017/301, 2017. http: //eprint. iacr. org/2017/301, version 20170409:183008. Submitted 6 April, 2017.
[MST06] Elchanan Mossel, Amir Shpilka, and Luca Trevisan. On E-biased gener- ators in NCO. Random Structures & Algorithms, 29(1):56-81, 2006. [NN93 Joseph Naor and Moni Naor. Small-bias probability spaces: Efficient constructions and applications. SIAM journal on computing, 22(4):838- 856, 1993.
[NS941 Noam Nisan and Mario Szegedy. On the degree of boolean functions as real polynomials. Computational complexity, 4(4):301-313, 1994.
[OW14 Ryan O'Donnell and David Witmer. Goldreich's PRG: evidence for near- optimal polynomial stretch. In Computational Complexity (CCC), 2014 IEEE 29th Conference on, pages 1-12. IEEE, 2014.
ISS10] Amit Sahai and Hakan Seyalioglu. Worry-free encryption: functional en- cryption with public keys. In Ehab Al-Shaer, Angelos D. Keromytis, and Vitaly Shmatikov, editors, Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, October 4-8, 2010, pages 463-472. ACM, 2010.
[Wit17] David Witmer. Refutation of random constraint satisfaction problems using the sum of squares proof system. PhD thesis, Carnegie Mellon University, 2017.
64