Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

  • Boaz Barak
  • Zvika Brakerski
  • Ilan Komargodski
  • Pravesh K. Kothari
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10821)


An m output pseudorandom generator \(\mathcal {G}:(\{\pm 1\}^b)^n \rightarrow \{\pm 1\}^m\) that takes input n blocks of b bits each is said to be \(\ell \)-block local if every output is a function of at most \(\ell \) blocks. We show that such \(\ell \)-block local pseudorandom generators can have output length at most \(\tilde{O}(2^{\ell b} n^{\lceil \ell /2 \rceil })\), by presenting a polynomial time algorithm that distinguishes inputs of the form \(\mathcal {G}(x)\) from inputs where each coordinate is sampled from the uniform distribution on m bits.

As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro’s [47] recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator \(\mathcal {G}:\{ \pm 1 \}^{nb} \rightarrow \{\pm 1\}^{2^{cb}n}\) as above for large enough \(c>3\) and \(\ell =2\). (Following this work, and an independent work of Lombardi and Vaikuntanthan [49], Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.)

Our results actually hold for the much wider class of low-degree, non-binary valued pseudorandom generators: if every output of \(\mathcal {G}:\{\pm 1\}^n \rightarrow \mathbb R^m\) (\(\mathbb R\) = reals) is a polynomial (over \(\mathbb R\)) of degree at most d with at most s monomials and \(m \ge \tilde{\varOmega }(sn^{\lceil d/2 \rceil })\), then there is a polynomial time algorithm for distinguishing the output \(\mathcal {G}(x)\) from z where each coordinate \(z_i\) is sampled independently from the marginal distribution on \(\mathcal {G}_i\). Furthermore, our results continue to hold under arbitrary pre-processing of the seed. This implies that any such map \(\mathcal {G}\), with arbitrary seed pre-processing, cannot be a pseudorandom generator in the mild sense of fooling a product distribution on the output space. This allows us to rule out various natural modifications to the notion of generators suggested in other works that still allow obtaining indistinguishability obfuscation from bilinear maps.

Our algorithms are based on the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a canonical semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality 3 and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever \(m = n^{1.5-\varepsilon }\). This class is extremely easy to describe: Let \(\mathbb G\) be any simple non-abelian group with the group operation “\(*\)”, and interpret the blocks of x as elements in \(\mathbb G\). The description of the pseudorandom generator is a sequence of m triples of indices (ijk) chosen at random and each output of the generator is of the form \(x_i *x_j *x_k\).



We thank Prabhanjan Ananth, Dakshita Khurana and Amit Sahai for discussions regarding the class of generators needed for obfuscation. Thanks to Rachel Lin and Stefano Tessaro for discussing the parameters of their construction with us. We thank Avi Wigderson and Andrei Bulatov for references regarding Gaussian elimination in non-abelian groups.


  1. 1.
    Allen, S.R., O’Donnell, R., Witmer, D.: How to refute a random CSP. In: FOCS, pp. 689–708. IEEE Computer Society (2015)Google Scholar
  2. 2.
    Allen, S.R., O’Donnell, R., Witmer, D.: How to refute a random CSP. In: 2015 IEEE 56th Annual Symposium on Foundations of Computer Science—FOCS 2015, pp. 689–708. IEEE Computer Society, Los Alamitos, CA (2015)Google Scholar
  3. 3.
    Ananth, P., Brakerski, Z., Khurana, D., Sahai, A.: Private communication (2017)Google Scholar
  4. 4.
    Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation from functional encryption for simple functions. IACR Cryptology ePrint Archive 2015, 730 (2015)Google Scholar
  5. 5.
    Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree-5 multilinear maps. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10210, pp. 152–181. Springer, Cham (2017). Scholar
  6. 6.
    Applebaum, B.: Pseudorandom generators with long stretch and low locality from random local one-way functions. SIAM J. Comput. 42(5), 2008–2037 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
  7. 7.
    Applebaum, B.: Cryptographic hardness of random local functions - survey. Comput. Complex. 25(3), 667–722 (2016)CrossRefzbMATHGoogle Scholar
  8. 8.
    Applebaum, B., Barak, B., Wigderson, A.: Public-key cryptography from different assumptions. In: Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC, pp. 171–180. ACM (2010)Google Scholar
  9. 9.
    Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\({}^{\text{0 }}\). SIAM J. Comput. 36(4), 845–888 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  10. 10.
    Applebaum, B., Lovett, S.: Algebraic attacks against random local functions and their countermeasures. In: STOC, pp. 1087–1100. ACM (2016)Google Scholar
  11. 11.
    Applebaum, B., Raykov, P.: Fast pseudorandom functions based on expander graphs. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9985, pp. 27–56. Springer, Heidelberg (2016). Scholar
  12. 12.
    Barak, B., Brakerski, Z., Komargodski, I., Kothari, P.K.: Limits on low-degree pseudorandom generators (or: Sum-of-squares meets program obfuscation). IACR Cryptology ePrint Archive 2017, 312 (2017)Google Scholar
  13. 13.
    Barak, B., Chan, S.O., Kothari, P.K.: Sum of squares lower bounds from pairwise independence [extended abstract]. In: Proceedings of the 2015 ACM Symposium on Theory of Computing, STOC 2015, pp. 97–106. ACM, New York (2015)Google Scholar
  14. 14.
    Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). Scholar
  15. 15.
    Barak, B., Raghavendra, P., Steurer, D.: Rounding semidefinite programming hierarchies via global correlation. In: 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, pp. 472–481. IEEE Computer Society, Los Alamitos, CA (2011).
  16. 16.
    Barak, B., Steurer, D.: Proofs, beliefs, and algorithms through the lens of sum-of-squares (2017).
  17. 17.
    Boneh, D., Franklin, M.K.: Identity-based encryption from the weil pairing. SIAM J. Comput. 32(3), 586–615 (2003)MathSciNetCrossRefzbMATHGoogle Scholar
  18. 18.
    Brakerski, Z., Gentry, C., Halevi, S., Lepoint, T., Sahai, A., Tibouchi, M.: Cryptanalysis of the quadratic zero-testing of GGH. Cryptology ePrint Archive, Report 2015/845 (2015)Google Scholar
  19. 19.
    Charikar, M., Wirth, A.: Maximizing quadratic programs: extending grothendieck’s inequality. In: FOCS, pp. 54–60. IEEE Computer Society (2004)Google Scholar
  20. 20.
    Cheon, J.H., Fouque, P.-A., Lee, C., Minaud, B., Ryu, H.: Cryptanalysis of the new CLT multilinear map over the integers. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 509–536. Springer, Heidelberg (2016). Scholar
  21. 21.
    Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 3–12. Springer, Heidelberg (2015). Scholar
  22. 22.
    Cheon, J.H., Jeong, J., Lee, C.: An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without an encoding of zero. Cryptology ePrint Archive, Report 2016/139 (2016)Google Scholar
  23. 23.
    Conder, M., Dobcsányi, P.: Applications and adaptations of the low index subgroups procedure. Math. Comput. 74(249), 485–497 (2005)MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Coron, J.-S., et al.: Zeroizing without low-level zeroes: new MMAP attacks and their limitations. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 247–266. Springer, Heidelberg (2015). Scholar
  25. 25.
    Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8042, pp. 476–493. Springer, Heidelberg (2013). Scholar
  26. 26.
    Coron, J.-S., Lepoint, T., Tibouchi, M.: New multilinear maps over the integers. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 267–286. Springer, Heidelberg (2015). Scholar
  27. 27.
    Cryan, M., Miltersen, P.B.: On pseudorandom generators in NC0. In: Sgall, J., Pultr, A., Kolman, P. (eds.) MFCS 2001. LNCS, vol. 2136, pp. 272–284. Springer, Heidelberg (2001). Scholar
  28. 28.
    Feige, U.: Relations between average case complexity and approximation complexity. In: Proceedings of the Thirty-Fourth Annual ACM Symposium on Theory of Computing, pp. 534–543. ACM, New York (2002). (electronic)
  29. 29.
    Feige, U.: Refuting smoothed 3CNF formulas. In: FOCS, pp. 407–417. IEEE Computer Society (2007)Google Scholar
  30. 30.
    Feige, U., Ofek, E.: Easily refutable subformulas of large random 3CNF formulas. Theory Comput. 3, 25–43 (2007). Scholar
  31. 31.
    Feldman, V., Perkins, W., Vempala, S.: On the complexity of random satisfiability problems with planted solutions. In: STOC, pp. 77–86. ACM (2015)Google Scholar
  32. 32.
    Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 1–17. Springer, Heidelberg (2013). Scholar
  33. 33.
    Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS 2013, pp. 40–49 (2013).
  34. 34.
    Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9015, pp. 498–527. Springer, Heidelberg (2015). Scholar
  35. 35.
    Goldmann, M., Russell, A.: The complexity of solving equations over finite groups. Inf. Comput. 178(1), 253–262 (2002). Scholar
  36. 36.
    Goldreich, O.: Candidate one-way functions based on expander graphs. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 7, no. 90 (2000)Google Scholar
  37. 37.
    Grötschel, M., Lovász, L., Schrijver, A.: The ellipsoid method and its consequences in combinatorial optimization. Combinatorica 1(2), 169–197 (1981). Scholar
  38. 38.
    Hada, S.: Zero-knowledge and code obfuscation. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 443–457. Springer, Heidelberg (2000). Scholar
  39. 39.
    Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 537–565. Springer, Heidelberg (2016). Scholar
  40. 40.
    Ishai, Y., Kushilevitz, E., Ostrovsky, R., Prabhakaran, M., Sahai, A.: Efficient non-interactive secure computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 406–425. Springer, Heidelberg (2011). Scholar
  41. 41.
    Joux, A.: A one round protocol for tripartite Diffie–Hellman. In: Bosma, W. (ed.) ANTS 2000. LNCS, vol. 1838, pp. 385–393. Springer, Heidelberg (2000). Scholar
  42. 42.
    Klíma, O., Tesson, P., Thérien, D.: Dichotomies in the complexity of solving systems of equations over finite semigroups. Theory Comput. Syst. 40(3), 263–297 (2007)MathSciNetCrossRefzbMATHGoogle Scholar
  43. 43.
    Kothari, P.K., Mori, R., O’Donnell, R., Witmer, D.: Sum of squares lower bounds for refuting any CSP. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC, pp. 132–145. ACM (2017)Google Scholar
  44. 44.
    Lasserre, J.B.: New positive semidefinite relaxations for nonconvex quadratic programs. In: Hadjisavvas, N., Pardalos, P.M. (eds.) Advances in Convex Analysis and Global Optimization. Nonconvex Optimization and Its Applications, vol. 54, pp. 319–331. Kluwer Academic Publishers, Dordrecht (2001). (Pythagorion, 2000)CrossRefGoogle Scholar
  45. 45.
    Lin, H.: Indistinguishability obfuscation from constant-degree graded encoding schemes. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016). Scholar
  46. 46.
    Lin, H.: Indistinguishability obfuscation from SXDH on 5-Linear maps and locality-5 PRGs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 599–629. Springer, Cham (2017). Scholar
  47. 47.
    Lin, H., Tessaro, S.: Indistinguishability obfuscation from bilinear maps and block-wise local PRGs. IACR Cryptology ePrint Archive, p. 250 (2017)Google Scholar
  48. 48.
    Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDH-like assumptions on constant-degree graded encodings. In: IEEE 57th Annual Symposium on Foundations of Computer Science, FOCS, pp. 11–20. IEEE Computer Society (2016)Google Scholar
  49. 49.
    Lombardi, A., Vaikuntanathan, V.: Limits on the locality of pseudorandom generators and applications to indistinguishability obfuscation. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10677, pp. 119–137. Springer, Cham (2017). Scholar
  50. 50.
    Lombardi, A., Vaikuntanathan, V.: Minimizing the complexity of Goldreich’s pseudorandom generator. IACR Cryptology ePrint Archive, p. 277 (2017)Google Scholar
  51. 51.
    Miles, E., Sahai, A., Zhandry, M.: Annihilation attacks for multilinear maps: cryptanalysis of indistinguishability obfuscation over GGH13. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9815, pp. 629–658. Springer, Heidelberg (2016). Scholar
  52. 52.
    Mossel, E., Shpilka, A., Trevisan, L.: On epsilon-biased generators in NC\({}^{\text{0 }}\). Random Struct. Algorithms 29(1), 56–81 (2006)CrossRefzbMATHGoogle Scholar
  53. 53.
    O’Donnell, R.: Analysis of Boolean Functions. Cambridge University Press, Cambridge (2014)CrossRefzbMATHGoogle Scholar
  54. 54.
    O’Donnell, R., Witmer, D.: Goldreich’s PRG: evidence for near-optimal polynomial stretch. In: IEEE 29th Conference on Computational Complexity–CCC 2014, pp. 1–12. IEEE Computer Society, Los Alamitos, CA (2014).
  55. 55.
    Parrilo, P.A.: Structured semidefinite programs and semialgebraic geometry methods in robustness and optimization. Ph.D. thesis, Citeseer (2000)Google Scholar
  56. 56.
    Raghavendra, P., Rao, S., Schramm, T.: Strongly refuting random CSPs below the spectral threshold. In: Proceedings of the 49th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2017, pp. 121–131. ACM (2017)Google Scholar
  57. 57.
    Rozenman, E., Shalev, A., Wigderson, A.: Iterative construction of cayley expander graphs. Theory Comput. 2(5), 91–120 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
  58. 58.
    Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Symposium on Theory of Computing, STOC, pp. 475–484. ACM (2014)Google Scholar
  59. 59.
    Shor, N.Z.: Quadratic optimization problems. Izv. Akad. Nauk SSSR Tekhn. Kibernet. 222(1), 128–139 (1987)MathSciNetzbMATHGoogle Scholar
  60. 60.
    Witmer, D.: On refutation of random constraint satisfaction problems (thesis proposal) (2017).

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Boaz Barak
    • 1
  • Zvika Brakerski
    • 2
  • Ilan Komargodski
    • 3
  • Pravesh K. Kothari
    • 4
    • 5
  1. 1.Harvard UniversityCambridgeUSA
  2. 2.Weizmann Institute of ScienceRehovotIsrael
  3. 3.Cornell TechNew YorkUSA
  4. 4.Princeton UniversityPrincetonUSA
  5. 5.IASPrincetonUSA

Personalised recommendations