Low Complexity Pseudorandom Generators and Indistinguishability Obfuscation by Alex Lombardi A.B., Harvard University (2016) A.M., Harvard University (2016)


Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering at the Massachusetts Institute of Technology, June 2018.
© Massachusetts Institute of Technology 2018. All rights reserved.

Author: Department of Electrical Engineering and Computer Science, May 23, 2018
Certified by: Vinod Vaikuntanathan, Associate Professor of Electrical Engineering and Computer Science, Thesis Supervisor
Accepted by: Leslie A. Kolodziejski, Professor of Electrical Engineering and Computer Science, Chairman, Department Committee on Graduate Theses

Abstract

Submitted to the Department of Electrical Engineering and Computer Science on May 23, 2018, in partial fulfillment of the requirements for the degree of Master of Science in Computer Science and Engineering.

In the study of cryptography in NC^0, it was previously known that Goldreich's candidate pseudorandom generator (PRG) is insecure when instantiated with a predicate P in 4 or fewer variables, if one wants to achieve polynomial stretch. On the other hand, there is a standard candidate PRG with locality 5 based on the "tri-sum-and" predicate $\mathrm{TSA}(x) = \mathrm{XOR}_3 \oplus \mathrm{AND}_2(x) = x_1 \oplus x_2 \oplus x_3 \oplus x_4 x_5$. However, locality is only one complexity measure of a PRG that one could hope to minimize.
In this work, we consider the problem of minimizing three other complexity measures of a (local) PRG: decision tree (DT-)complexity, $\mathbb{Q}$-degree (i.e., the degree of P as a polynomial over $\mathbb{Q}$), and the recent notion of blockwise locality (due to Lin and Tessaro). These three complexity measures are all of interest for their possible applications to constructing indistinguishability obfuscation (IO) schemes based on low-degree multilinear maps. Indeed, Lin and Tessaro recently proposed an intriguing candidate IO scheme based on bilinear maps and a non-standard assumption on "Goldreich-like" pseudorandom generators.

We obtain both positive and negative results on the existence of low complexity PRGs. First, we give a candidate predicate for Goldreich's PRG with DT-complexity 4 and $\mathbb{Q}$-degree 3. We also show that all predicates with either DT-complexity less than 4 or $\mathbb{Q}$-degree less than 3 yield insecure PRGs, so our candidate predicate simultaneously achieves the best possible locality, DT-complexity, $\mathbb{Q}$-degree, and $\mathbb{F}_2$-degree according to all known attacks. Finally, we show polynomial-time attacks on the blockwise 2-local PRGs required in the Lin-Tessaro work, invalidating the security of their IO and FE candidates based on bilinear maps. Our attack uses tools from the literature on two-source extractors (Chor and Goldreich, SICOMP 1988) and efficient refutation of random 2-XOR instances (Charikar and Wirth, FOCS 2004).

Thesis Supervisor: Vinod Vaikuntanathan
Title: Associate Professor of Electrical Engineering and Computer Science

Acknowledgments

First of all, I thank my advisor, Vinod Vaikuntanathan, for the incredible amount of encouragement and patience that he has provided since I started working with him. Vinod has also consistently been able to come up with (and help me come up with) intriguing, important, and somehow tractable problems to think about. I have no idea how he (or anyone else) manages this, but I am certainly grateful for it.
I would also like to thank Salil Vadhan for taking in a curious math undergraduate who knew nothing about computer science for a summer research project, and for giving extremely good advice thereafter. The discussions I had with Salil, Boaz Barak, and Madhu Sudan during my last two undergraduate years are without a doubt the reason I am studying theoretical computer science. Boaz in addition taught my first course in cryptography, without which I would certainly not be where I am today.

My friends in the theory group at MIT CSAIL have been a constant source of inspiration, support, and fun for the last two years. I thank them for that, and I hope that this doesn't change even as we come and go.

Finally, I thank my parents, who have been putting up with my nonsense for far longer than everyone else and have handled it remarkably well.

Contents

1 Introduction 9
1.1 Our Results 14
1.1.1 Predicates Over the Binary Alphabet 15
1.1.2 Predicates Over a Large Alphabet 16
1.2 Conclusions and Open Questions 20
1.3 Organization 22
2 Preliminaries 23
2.1 Pseudorandom Generators 24
2.2 Analysis of Boolean Functions 25
2.3 A Review of Goldreich's PRG and its Security 26
2.3.1 The Choice of Predicates in Goldreich's PRG 27
2.3.2 Generalization to Blockwise Local PRGs 29
3 Minimizing DT-Complexity and $\mathbb{Q}$-Degree 31
3.1 New Candidate Predicates for Goldreich's PRG 32
3.1.1 A Predicate with Decision-Tree Complexity 4 32
3.1.2 A Predicate with Decision-Tree Complexity 4 and $\mathbb{Q}$-degree 3 33
3.2 Predicates with Depth-3 Decision Trees Yield Insecure PRGs 35
3.3 Predicates with $\mathbb{Q}$-degree 2 Yield Insecure PRGs 39
4 An Attack on Blockwise 2-Local PRGs 43
4.1 Outline of the Attack 44
4.2 Alphabet Reduction 46
4.2.1 Limits of Alphabet Reduction 51
4.3 From Small Alphabet Refutation to Large Alphabet Distinguishing 53
4.3.1 Proof of Theorem 4.3.1 56
4.3.2 Generalization of Theorem 4.3.1 to Multiple Predicates 59

Chapter 1

Introduction

While hard problems occur abundantly in nature, useful hard problems are somewhat rare. In particular, to be useful in cryptography, the (conjectured) hard problems need several additional properties: at the minimum, average-case hardness and the ability to sample hard instances with their solutions (a property that is required for building one-way functions). It is hard enough to come up with cryptographically useful hard problems, but to make our life even harder, we also often want the cryptographic constructions to be as simple as possible. For example, take the case of (cryptographic) pseudorandom generators (PRGs), the object of study in this work. Here, we ask for a function^1 $G: \{0,1\}^n \to \{0,1\}^m$ which is: (a) expanding, meaning that m > n and ideally, m is a large polynomial in n; (b) pseudorandom, meaning that $G(U_n)$ is computationally indistinguishable from $U_m$, where $U_n$ and $U_m$ are the uniform distributions on n and m bits, respectively; and (c) simple, meaning that G is computable by a (uniform) NC^0 circuit. In a remarkable tour-de-force, Applebaum, Ishai and Kushilevitz [AIK06] showed how to "compile" any PRG computable in a large complexity class, say NC^1, into one that can be computed in NC^0. Their PRGs even had locality as small as 4, meaning that each output bit depends on only 4 input bits. This gave us candidate PRGs under essentially any standard complexity assumption, e.g., the hardness of factoring, that of the decisional Diffie-Hellman problem, the worst-case hardness of approximating shortest vectors in lattices, and so forth.
The main deficiency of the AIK work is that even if you start with a PRG with large, polynomial, stretch in NC^1, the compiler only produces a PRG with sub-linear (additive) stretch in NC^0, that is m = n + o(n). Indeed, as Mossel, Shpilka and Trevisan [MST06] showed, there are no PRGs in NC^0 with polynomial stretch and locality 4, so in a sense, the [AIK06] construction is nearly optimal. However, we cannot help but ask for more. Polynomial stretch PRGs, also called PPRGs (where m = n^c for some c > 1), in NC^0 have several applications including secure two-party computation with constant overhead [IKOS08] and more recently, indistinguishability obfuscation (IO) from constant-degree multilinear maps [Lin16a, LV16, AS16, Lin16b, LT17]. PPRGs are much trickier to construct; indeed, our best hope is a candidate construction (actually, a family of constructions) first proposed by Goldreich [Gol00] in 2000. Goldreich's generator and its properties in the polynomial stretch regime are the central themes of this paper.

^1 To be more precise, we ask for a family of functions $\{G_n\}_{n \in \mathbb{N}}$ where $G_n$ maps n bits to m = m(n) > n bits.

Goldreich's Pseudorandom Generator. Goldreich's candidate pseudorandom generator, first introduced in [Gol00] (then as a candidate one-way function), can be instantiated with any k-ary predicate $P: \{0,1\}^k \to \{0,1\}$ and any k-uniform (directed) hypergraph H on n vertices and m hyperedges. Given H and P, we define a PRG $G: \{0,1\}^n \to \{0,1\}^m$ as follows. Identify each vertex in H with an index in [n] and each hyperedge with an index $i \in [m]$. For each $i \in [m]$, let $\Gamma_H(i) \in [n]^k$ be the sequence of k vertices in the i-th hyperedge. Then, Goldreich's PRG is the function from $\{0,1\}^n$ to $\{0,1\}^m$ defined by

$$G_{H,P}(x) = \big(P(x_{\Gamma_H(i)})\big)_{i \in [m]}.$$

That is, the i-th bit of $G_{H,P}(x)$ is the output of P when given the $\Gamma_H(i)$-restriction of x as input. For the rest of this paper, we think of k as an absolute constant. Many predicates $P: \{0,1\}^k \to \{0,1\}$ are
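The construction just defined, written out as an added example (not code from the thesis): it implements $G_{H,P}$ for an arbitrary k-ary predicate and hypergraph, instantiates it with the locality-5 TSA predicate from the abstract at polynomial stretch m = n^c, and checks the locality property the introduction describes (flipping one seed bit can only disturb the output bits whose hyperedge contains that vertex). The hypergraph is sampled with a seeded RNG purely for illustration; the thesis' security analysis concerns the choice of predicate and of H, and nothing in this sampler should be read as a recommended instantiation.

```python
import random
from typing import Callable, List, Sequence, Set, Tuple

# A k-ary predicate P: {0,1}^k -> {0,1}, applied to the k selected seed bits in hyperedge order.
Predicate = Callable[[Sequence[int]], int]
# Hyperedge i is Gamma_H(i): an ordered k-tuple of vertices in [n] (0-based here).
Hypergraph = List[Tuple[int, ...]]


def tsa(bits: Sequence[int]) -> int:
    """The "tri-sum-and" predicate TSA = XOR_3 (+) AND_2 = x1 (+) x2 (+) x3 (+) (x4 AND x5)."""
    x1, x2, x3, x4, x5 = bits
    return x1 ^ x2 ^ x3 ^ (x4 & x5)


def sample_hypergraph(n: int, m: int, k: int, rng: random.Random) -> Hypergraph:
    """Sample a k-uniform directed hypergraph on n vertices with m hyperedges.

    Each hyperedge is an ordered k-tuple of distinct vertices; order matters because
    P need not be symmetric (TSA treats x4, x5 differently from x1..x3).
    The seeded RNG is an illustrative assumption, not the thesis' model of H.
    """
    return [tuple(rng.sample(range(n), k)) for _ in range(m)]


def goldreich_prg(x: Sequence[int], hypergraph: Hypergraph, predicate: Predicate) -> List[int]:
    """G_{H,P}(x) = (P(x restricted to Gamma_H(i)))_{i in [m]}."""
    return [predicate([x[v] for v in edge]) for edge in hypergraph]


def neighbourhood(hypergraph: Hypergraph, v: int) -> Set[int]:
    """Output positions whose hyperedge contains vertex v: the only ones that may depend on x_v."""
    return {i for i, edge in enumerate(hypergraph) if v in edge}


def affected_outputs(x: Sequence[int], hypergraph: Hypergraph, predicate: Predicate, v: int) -> Set[int]:
    """Output positions whose value actually changes when seed bit v is flipped."""
    y = goldreich_prg(x, hypergraph, predicate)
    x_flipped = list(x)
    x_flipped[v] ^= 1
    y_flipped = goldreich_prg(x_flipped, hypergraph, predicate)
    return {i for i, (a, b) in enumerate(zip(y, y_flipped)) if a != b}


def demo(n: int = 64, c: float = 1.5, seed: int = 0) -> dict:
    """Instantiate the locality-5 TSA candidate at stretch m = n^c and verify locality.

    Returns the parameters, the output length, whether every seed bit only influenced
    outputs in its neighbourhood, and the fraction of ones in the output (TSA is a
    balanced predicate, so this should sit near 1/2 for a random seed).
    """
    rng = random.Random(seed)                  # constructed, deterministic for the example
    m = int(n ** c)
    h = sample_hypergraph(n, m, 5, rng)
    x = [rng.randrange(2) for _ in range(n)]   # constructed sample seed
    y = goldreich_prg(x, h, tsa)
    local = all(affected_outputs(x, h, tsa, v) <= neighbourhood(h, v) for v in range(n))
    return {"n": n, "m": m, "output_len": len(y), "local": local, "ones_fraction": sum(y) / m}


if __name__ == "__main__":
    print(demo())
```

The balance and locality checks in `demo` are sanity checks on the construction, not evidence of pseudorandomness: every Goldreich instance with a balanced predicate passes them, including the ones the thesis shows to be insecure. The distinguishing attacks in the abstract exploit structural properties of P (small DT-complexity, low $\mathbb{Q}$-degree, blockwise 2-locality), which is exactly why locality alone is the wrong measure to minimize.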
