
Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions

Moni Naor*    Omer Reingold†

Abstract

A pseudo-random function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudo-random synthesizer and show how to use it in order to get a parallel construction of a pseudo-random function. We show several NC^1 implementations of synthesizers based on concrete intractability assumptions such as factoring and the Diffie-Hellman assumption. This yields the first parallel pseudo-random functions based on standard intractability assumptions and the only alternative to the original construction of Goldreich, Goldwasser and Micali. In addition, we show parallel constructions of synthesizers based on other primitives such as weak pseudo-random functions or trapdoor one-way permutations. The security of all our constructions is similar to the security of the underlying assumptions. The connection with problems in Computational Learning Theory is discussed.

A preliminary version of this paper appeared in the Proceedings of the IEEE Symposium on Foundations of Computer Science.

* Incumbent of the Morris and Rose Goldman Career Development Chair. Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel. Research supported by a BSF grant and by a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: naor@wisdom.weizmann.ac.il.

† Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot, Israel. Research supported by a Clore Scholars award and by a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. Email: reingold@wisdom.weizmann.ac.il.

Introduction

A pseudo-random function, as defined by Goldreich, Goldwasser and Micali, is a function that is indistinguishable from a truly random function to a polynomial-time bounded observer who can access the function as a black-box (i.e., can provide inputs of his choice and gets to see the value of the function on these inputs). Pseudo-random functions are the key component of private-key cryptography. They allow parties who share a common key to send secret messages to each other, to identify themselves and to authenticate messages. In addition, they have many other applications, essentially in any setting that calls for a random function that is provided as a black-box.

Goldreich, Goldwasser and Micali provided a construction of such functions. For roughly a decade this was the only known construction, even under specific assumptions such as "factoring is hard". Their construction is sequential in nature and consists of n successive invocations of a pseudo-random generator, where n is the number of bits in the input to the function. Our goal in this paper is to present an alternative construction for pseudo-random functions that can be implemented in log n phases.

We introduce a new cryptographic primitive which we call pseudo-random synthesizer. A pseudo-random synthesizer is a two-variable function $S(\cdot,\cdot)$ so that if many (but polynomially bounded) random assignments $\langle x_1, \dots, x_m \rangle$ and $\langle y_1, \dots, y_m \rangle$ are chosen to both variables, then the output of $S$ on all the combinations of these assignments, $\{S(x_i, y_j)\}_{i,j=1}^{m}$, is indistinguishable from random to a polynomial-time observer.

Our main results are:

1. A construction of pseudo-random functions based on pseudo-random synthesizers. Evaluating such a function involves log n phases, where each phase consists of several parallel invocations of a synthesizer (with a total of n − 1 invocations altogether).

2. Constructions of parallel (NC^1) synthesizers based on standard number-theoretic assumptions such as "factoring is hard", RSA (it is hard to extract roots modulo a composite) and Diffie-Hellman. In addition, a very simple construction based on a problem from learning. The key-generating algorithm of these constructions is sequential for RSA and factoring, non-uniformly parallel for Diffie-Hellman and parallel for the learning problem.

3. An extremely simple (and also parallel) construction of synthesizers based on what we call a weak pseudo-random function. A weak pseudo-random function is indistinguishable from a truly random function to a polynomial-time bounded observer who gets to see the value of the function on uniformly distributed inputs (instead of any input of its choice). This construction almost immediately implies constructions of synthesizers based on trapdoor one-way permutations and based on any hard-to-learn problem (under the appropriate definition of hard-to-learn).

Taking 1 and 2 together we get a pseudo-random function that can be evaluated in NC^2.

We note that our constructions do not weaken the security of the underlying assumptions. Take for instance the construction that is based on factoring. If there is an algorithm for breaking this construction in time $t$ and success $\epsilon$ (success means that the observer has advantage of at least $\epsilon$ in distinguishing the pseudo-random function from the random one), then there is an algorithm that works in time $\mathrm{poly}(t/\epsilon)$ and factors Blum integers with probability $\mathrm{poly}(\epsilon/t)$. In the terminology of security-preserving reductions, such a reduction is called poly-preserving. In fact, most of our reductions (such as the reduction from the security of the pseudo-random functions to the security of the pseudo-random synthesizers) are linear-preserving. The only place where our reductions are not linear-preserving is when they rely on hard-core bits.

Our constructions of pseudo-random functions have additional attractive properties. First, it is possible to obtain from the constructions a sharp time-space trade-off. Loosely speaking, by keeping $m$ strings as the key we can reduce the amount of work for computing the functions from $n - 1$ invocations of the synthesizer to about $n / \log m$ invocations (in $\log n - \log \log m$ phases, thus also reducing the parallel-time complexity). In addition, the construction has a nice incremental property: for any $y$ of Hamming distance one from $x$, given the computation of $f(x)$ we can compute $f(y)$ with only $\log n$ invocations of the synthesizer (we can also make this property hold for $y = x + 1$). We discuss both properties in a later section.

Applications of NC-Computable Pseudo-Random Functions

The class NC has been criticized as a model for parallel computation for two main reasons: (1) it ignores communication delays and other parameters that determine the execution time on an actual parallel machine; (2) it over-emphasizes latency rather than the speed-up of problems. These criticisms seem less valid for the problem of constructing pseudo-random functions since (a) it is likely that they will be implemented in a special-purpose circuit (as there are DES chips), and (b) for some applications of pseudo-random functions, minimizing the latency of computing the functions is essential. Such an application is the encryption of messages on a network, where the latency of computing the function is added to the latency of the network. Furthermore, if the complexity of evaluating a synthesizer on a given input is comparable to that of a pseudo-random generator, then the work performed by our construction is comparable to that of the Goldreich-Goldwasser-Micali construction and we get optimal speed-up.

Note that many of the applications of pseudo-random functions preserve the parallel-time complexity of the functions. An important example is the Luby and Rackoff construction of pseudo-random permutations from pseudo-random functions. Their construction is very simple and involves four invocations of a pseudo-random function in order to evaluate the pseudo-random permutation at a given point (see also the optimal construction that requires only two invocations). Therefore, our constructions yield strong pseudo-random permutations in NC^2 as well.

There is a deep connection between pseudo-random functions and hardness results for learning. Since a random function cannot be learned, if a concept class is strong enough to contain pseudo-random functions we cannot hope to learn it efficiently. Since no construction of pseudo-random functions in NC was known, several ways of bypassing this were suggested. However, these are weaker unlearnability results than the one obtained from pseudo-random functions. The existence of pseudo-random functions in a concept class implies that there exists a distribution of concepts in this class that is hard for every learning algorithm, for every non-trivial distribution on inputs, even when membership queries are allowed. Finding such a distribution of concepts is still of interest to learning theory. We discuss the connection between our work and learning theory in a later section.

Another application of pseudo-random functions in complexity was suggested by the work of Razborov and Rudich on Natural Proofs. They showed that if a circuit class contains pseudo-random functions that are secure against a sub-exponential-time adversary, then there are no what they called Natural Proofs (which include all known lower-bound techniques) for separating this class from P/poly. Given our constructions, the existence of Natural Proofs for separating NC^2 from P/poly would imply that several well-established intractability assumptions are false. The question of whether pseudo-random functions exist in NC^1 is also interesting in contrast to the lower bound of Linial, Mansour and Nisan that there are no pseudo-random functions in AC^0.

Previous Work

In addition to introducing pseudo-random functions, Goldreich, Goldwasser and Micali have suggested a construction of such functions from pseudo-random generators that expand the input
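The following is an added worked example, not code from the paper: it implements the tree construction sketched in the Introduction (one key string selected per input block, then pairwise synthesizer applications phase by phase) so that the three quantitative claims can be checked directly, namely n − 1 invocations in log n phases, the time-space trade-off to about n/log m invocations in log n − log log m phases when each block of log m bits indexes a table of m strings, and the incremental property that a one-bit change costs log n invocations. The synthesizer itself is a stand-in: a SHA-256 hash of the pair is used only to exercise the structure and is not one of the paper's number-theoretic synthesizers. The key layout, bit ordering and function names are this example's own assumptions.

```python
import hashlib
import os


def hash_synthesizer(x: bytes, y: bytes) -> bytes:
    """Stand-in synthesizer S(x, y) (assumption: a hash of the pair, used only to
    exercise the tree; not the paper's factoring/RSA/Diffie-Hellman synthesizers)."""
    return hashlib.sha256(b"S" + len(x).to_bytes(2, "big") + x + y).digest()


def generate_key(n_bits: int, block_bits: int = 1, rand=os.urandom) -> list:
    """One table per block of block_bits input bits, each with 2**block_bits strings.
    block_bits = 1 is the basic construction; larger blocks give the trade-off
    (tables of m = 2**block_bits strings, n/log m leaves)."""
    if n_bits % block_bits:
        raise ValueError("block_bits must divide n_bits")
    return [[rand(32) for _ in range(1 << block_bits)]
            for _ in range(n_bits // block_bits)]


def deterministic_key(n_bits: int, block_bits: int, seed: bytes) -> list:
    """Reproducible key for tests; real keys come from generate_key with os.urandom."""
    counter = [0]

    def rand(k: int) -> bytes:
        counter[0] += 1
        return hashlib.sha256(seed + counter[0].to_bytes(4, "big")).digest()[:k]

    return generate_key(n_bits, block_bits, rand)


def select_leaves(key: list, x: int, n_bits: int) -> list:
    """For each block of x (most significant block first), pick the key string it indexes."""
    block_bits = (len(key[0]) - 1).bit_length()
    mask = (1 << block_bits) - 1
    return [table[(x >> (n_bits - block_bits * (j + 1))) & mask]
            for j, table in enumerate(key)]


def tree_evaluate(S, leaves: list):
    """Combine leaves pairwise, phase by phase, until one value remains.
    Returns (root, levels, invocations); levels[k] holds the outputs of phase k."""
    levels, invocations = [list(leaves)], 0
    while len(levels[-1]) > 1:
        cur, nxt = levels[-1], []
        for i in range(0, len(cur) - 1, 2):
            nxt.append(S(cur[i], cur[i + 1]))
            invocations += 1
        if len(cur) % 2:            # odd count: carry the last value up unchanged
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels[-1][0], levels, invocations


def prf(key: list, x: int, n_bits: int, S=hash_synthesizer) -> bytes:
    """f_key(x): full evaluation from scratch."""
    root, _levels, _count = tree_evaluate(S, select_leaves(key, x, n_bits))
    return root


def incremental_update(S, levels: list, leaf_index: int, new_leaf: bytes):
    """Recompute only the path from one changed leaf to the root,
    reusing the stored phase outputs: one invocation per phase."""
    new_levels = [lvl[:] for lvl in levels]
    new_levels[0][leaf_index] = new_leaf
    idx, invocations = leaf_index, 0
    for k in range(1, len(new_levels)):
        parent, cur = idx // 2, new_levels[k - 1]
        if 2 * parent + 1 < len(cur):
            new_levels[k][parent] = S(cur[2 * parent], cur[2 * parent + 1])
            invocations += 1
        else:                       # carried-up odd element, nothing to recompute
            new_levels[k][parent] = cur[2 * parent]
        idx = parent
    return new_levels[-1][0], new_levels, invocations


def evaluate_neighbour(key: list, x: int, bit: int, levels: list, n_bits: int,
                       S=hash_synthesizer):
    """f(y) for y = x with bit `bit` (0 = least significant) flipped, given f(x)'s levels."""
    block_bits = (len(key[0]) - 1).bit_length()
    y = x ^ (1 << bit)
    leaf = (n_bits - 1 - bit) // block_bits
    new_leaf = select_leaves(key, y, n_bits)[leaf]
    return y, incremental_update(S, levels, leaf, new_leaf)


if __name__ == "__main__":
    n = 16
    key = generate_key(n)
    root, levels, count = tree_evaluate(hash_synthesizer, select_leaves(key, 0xBEEF, n))
    print(f"n={n}: {count} synthesizer invocations in {len(levels) - 1} phases")
    y, (root_y, _, count_y) = evaluate_neighbour(key, 0xBEEF, 3, levels, n)
    assert root_y == prf(key, y, n)
    print(f"one-bit neighbour recomputed with {count_y} invocations")
```

With n = 16 and single-bit blocks the tree has 15 internal nodes in 4 phases; with 4-bit blocks (tables of m = 16 strings) it has 4 leaves, 3 invocations and 2 = log 16 − log log 16 phases, and flipping one input bit recomputes exactly the 4 nodes on the leaf-to-root path.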