PseudoRandom Synthesizers Functions and Permutations Thesis for the Degree of DOCTOR of PHILOSOPHY by Omer Reingold Department of Applied Mathematics and Computer Science Weizmann Institute of Science Submitted to the Scientic Council of The Weizmann Institute of Science Rehovot Israel November i ii Thesis Advisor Professor Moni Naor Department of Applied Mathematics and Computer Science Weizmann Institute of Science Rehovot Israel Acknowledgments Writing these lines I realize how many p eople to ok part in my initiation into the world of science In the following few paragraphs I will try to acknowledge some of these many contributions Naturallymywarmest thanks are to Moni Naor my advisor and much more than that Thanking Moni for all he has done and b een to me these last four years is extremely easy and extremely hard at the same time Extremely easy since I havesomuchIwant to thank him for and Im grateful for this opp ortunity to do so a cynic might say that this is the ve so much I want most imp ortant function of the dissertation Extremely hard since I ha to thank him for what chance is there to do a go o d enough job Im sure that in the silent understanding b etween us Moni is more aware of the extent of friendship admiration and gratitude I have for him than I am able to express in words But this is not only for his eyes so letmedomy b est Thank you Moni for your close guidance in all dierent asp ects of the scientic pro cess In all things large and small I always knew that I can count on you Thank you for your constant encouragement for treating me as a colleague from the rst time I stepp ed into your oce when I deserved it even less than now and at the same time for sheltering me in a parental manner Thank you for pushing me forward when p ossible and for laying o in times work could not have b een a high priority for me Thank you for sharing with me in hours and hours of conversation your deep understanding and amazing knowledge of computer science as well as your scientic philosophy and an abundance of ideas all of which will surely nd their way into my research for years to come Last but certainly not least thank you for your friendship which was most explicitly articulated by Yael but was very clear to me all along The nest you have built for me is so warm that I hate leaving it Therefore at least in my mind I will not Before picking up the pace sp ecial thanks are due to one other friend teacher and Although my joint research with Ran Raz is not presented in this dis colleague of mine sertation I enjoyed it enormously and have learned much from it I enjoyed viewing Rans sup erb research capabilities and creativity in action hop e some of it has rubb ed o on me to o I admire his relentless optimism and enthusiasm I treasure his friendship so very deeply I wish for many more years of all of that lessons they have I thank my teachers at the Weizmann Institute for the invaluable taught me both inside and outside of the class ro om Sp ecial thanks to each member of the Cryptography group Oded Goldreich Sha Goldwasser Moni Naor and Adi Shamir I take great pride and pleasure in the fact that I have learned from this incredible group of researchers and even in being asso ciated with them I often toy with the idea of not iii iv ACKNOWLEDGMENTS graduating in order to continue learning in the presence of these exp erts I also thank Itai Benjamini Uri Feige Yoram Moses and David Peleg for their enlightening courses A group of researchers to whom I have sp ecial sentiments are my teachers from under graduate studies at TelAviv University Noga Alon Yossi Azar Amos Fiat Ron Shamir and Uri Zwick I thank them for installing in me the love for the foundations of computer science Over the years I have learned with and from many of myfello w students I will list only a few but I thank them all for many hours of work and fun Sp ecial thanks are due to my close brothers at the house of Moni namely Kobbi Nissim and BennyPinkas Having you guys around was priceless Many thanks are also due to Avishai Wo ol and to the new recruit Yehuda Lindell I also thank Tal Malkin for our jointwork at the coee shops of Manhattan and Tal Yadid for an extremely valuable time we sp ent together in undergraduate scho ol There are so many other p eople to whom I am in debt for sharing their knowledge and ideas with me The partial list that comes to mind rightnow includes Eli Biham Dan Boneh Ran Canetti Cynthia Dwork Russell Impagliazzo Daniele Micciancio Noam Nisan Steven Rudich Amnon TaShma Avi Wigderson and Shiyu Zhou I ap ologize to anyone I have forgetfully omitted and thank you all for many stimulating conversations Sp ecial thanks to Cynthia Russell and Steven for extending to me part of their sentiments for Moni Iwould also like to thank Joan Feigenbaum Christos Papadimitriou Charlie Racko and Umesh Vazirani for their warm hospitalityduringafew memorable visits I would like to acknowledge now the direct contributions to the work presented in this dissertation Most of the work is based on my joint research with Moni Section is based on jointwork with Eli Biham and Dan Boneh My research during this time was supp orted by a Clore Scholars award and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences We thank Sha Goldwasser and Jon Sorenson who brought to our attention and Mihir Bellare for his observation describ ed in Section Sp ecial thanks to Victor Shoup for suggesting the improved pro of of Lemma and for p ointing out We thank Ran Canetti Oded Goldreich Jo e Kilian Kobbi Nissim Benny Pinkas Amnon TaShma and the anonymous referees of the relevant journals and conferences for many helpful comments and for their diligent reading of some of the work included here It is dicult to overestimate Odeds contribution to the presentation of the work describ ed in Chapter Iwould also like to thank Oded Goldreich Jo e Kilian Yehuda Lindell and Alon Rosen for their comments on several parts of the dissertation Finally many thanks are due to my family and friends However they deserve their thanks in p erson and hop efuly I did not let them wait till now Abstract The research reected in this dissertation is a study of computational pseudorandomness More sp ecically the main ob jective of this research is the ecient and simple construction of pseudorandom functions and permutations where eciency refers b oth to the sequential and parallel time complexity of the computation Pseudorandom functions and permutations are fundamental cryptographic primitives with many applications in cryptog raphy and more generally in computational complexity Constructions of PseudoRandom Functions For our constructions of pseudorandom functions we intro duce and study a new crypto graphic primitive which we call a pseudorandom synthesizer and a generalization of this primitive whichwecallak dimensional pseudorandom synthesizer These primitiv es are of indep endent interest as well In addition we consider various applications of our construc tions and study some of the underlying cryptographic assumptions used in these construc tions The main results obtained by this research are Intro ducing new cryptographic primitives called pseudorandom synthesizer and k dimensional pseudorandom synthesizer Using pseudorandom synthesizers for a parallel construction of a pseudorandom func tion the depth of the functions is larger by a logarithmic factor than the depth of the synthesizers Showing several NC implementations of synthesizers based on concrete intractability assumptions such as factoring and the computational DieHellman assumption Showing a very simple parallel construction of synthesizers based on what we call weak pseudorandom functions which implies simple constructions of synthesizers based on trap do or oneway permutations and based on any hardtolearn problem under the denition of These results yield the rst parallel pseudorandom functions based on computational in tractability assumptions and the rst alternative to the original construction of Goldre ich Goldwasser and Micali In addition we show two new constructions of pseudo random functions that are related to the construction based on synthesizers The pseudo randomness of one construction is proven under the assumption that factoring is hard while v vi ABSTRACT the other construction is pseudorandom if the decisional version of the DieHel lman as sumption holds These functions have the following prop erties They are much more ecient than previous prop osals Computing the value of our functions at any given pointinvolves two subset pro ducts They are in TC the class of functions computable by constant depth circuits con sisting of a p olynomial number of threshold gates This fact has several interesting applications They have a simple algebraic structure that implies additional features In particular weshow a zeroknowledge pro of for statements of the form y f x and y f x s s given a commitmenttoa key s of a pseudorandom function f s We discuss some applications of our constructions in cryptography including applications in publickey cryptography as well as their consequences in computational complexity and in computational learningtheory Constructions of PseudoRandom Permutations Luby and Racko showed a metho d for constructing a pseudorandom p ermutation from a pseudorandom function The metho d is based on comp osing four or three for weakened security so called Feistel p ermutations each of which requires the evaluation of a pseudo random function