Fast Pseudorandom Functions Based on Expander Graphs

Applebaum, Benny; Raykov, Pavel

doi:10.1007/978-3-662-53641-4_2

Benny Applebaum¹⁵ &
Pavel Raykov¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9985))

Included in the following conference series:

Theory of Cryptography Conference

1964 Accesses
8 Citations

Abstract

We present direct constructions of pseudorandom function (PRF) families based on Goldreich’s one-way function. Roughly speaking, we assume that non-trivial local mappings $f:\{0,1\}^n\rightarrow \{0,1\}^m$ whose input-output dependencies graph form an expander are hard to invert. We show that this one-wayness assumption yields PRFs with relatively low complexity. This includes weak PRFs which can be computed in linear time of O(n) on a RAM machine with $O(\log n)$ word size, or by a depth-3 circuit with unbounded fan-in AND and OR gates (AC0 circuit), and standard PRFs that can be computed by a quasilinear size circuit or by a constant-depth circuit with unbounded fan-in AND, OR and Majority gates (TC0).

Our proofs are based on a new search-to-decision reduction for expander-based functions. This extends a previous reduction of the first author (STOC 2012) which was applicable for the special case of random local functions. Additionally, we present a new family of highly efficient hash functions whose output on exponentially many inputs jointly forms (with high probability) a good expander graph. These hash functions are based on the techniques of Miles and Viola (Crypto 2012). Although some of our reductions provide only relatively weak security guarantees, we believe that they yield novel approach for constructing PRFs, and therefore enrich the study of pseudorandomness.

A full version of this paper is available in [AR16]. Research supported by the European Union’s Horizon 2020 Programme (ERC-StG-2014-2020) under grant agreement no. 639813 ERC-CLC, ISF grant 1155/11, the Blavatnik Interdisciplinary Cyber Research Center and by the Check Point Institute for Information Security. This work was done in part while the first author was visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.

You have full access to this open access chapter, Download conference paper PDF

Fast Pseudorandomness for Independence and Load Balancing

A Dichotomy for Local Small-Bias Generators

Article 08 April 2015

Efficient Pseudorandom Functions via On-the-Fly Adaptation

Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

A pseudorandom function (PRF) is a family of efficiently computable functions with the property that the input-output behavior of a random instance of the family is “computationally indistinguishable” from that of a truly random function. Abstractly, such functions provide a “direct access” to an exponentially long pseudorandom string. Since their discovery by Goldreich, Goldwasser and Micali [GGM86], PRFs have played a central role in cryptography and complexity theory. Correspondingly, the question of minimizing the complexity of PRFs has attracted a considerable amount of attention.

Indeed, apart of being a fundamental object, fast PRFs are strongly motivated by a wide range of applications. Being the core component of symmetric cryptography, highly-efficient PRFs directly imply highly-efficient implementations of Private-Key cryptosystems, Message-Authentication Codes, and Identification Schemes. Fast pseudorandom objects (PRFs and PRGs) can be also used to speed-up several expensive Cryptomania-type applications. For example, secure computation protocols, functional encryption schemes, and program obfuscators that efficiently support a PRF functionality can be bootstrapped with relatively minor cost to general functionalities (cf., [DI05, IKOS08, GVW12, App14]). Interestingly, for these applications parallel-complexity (e.g., circuit depth) seems to be the main relevant complexity measure (affecting round complexity or the number of multilinear levels), while time (e.g., circuit size) is secondary. Another somewhat different motivation comes from the theory of computational complexity. PRFs with low-complexity shed light on the power of low-complexity functions, and partially explain our inability to analyze them. For example, the existence of PRFs in a complexity class $\mathcal {C}$ can be used to show that this class is not PAC-learnable [PW88, Val84] and that certain “natural proof” techniques will fail to prove circuit lower-bounds for functions in $\mathcal {C}$ [RR97]. Last, but not least, identifying the simplest construction of PRFs may provide valuable insights regarding the nature of computational intractability and the way it is achieved by a sequence of cheap and basic operations. This “magic” of hardness which arises from highly-efficient computation can be viewed as the essence of modern cryptography.

Being relatively complicated objects, a considerable research effort has been made to put PRFs on more solid ground at the form of simpler one-wayness assumptions (cf. [GGM86, HILL99, NR95, NR97, NRR00, LW09, BMR10, BPR12]). Annoyingly, the existence of a security reduction seem to incur a cost in efficiency. Indeed, existing theoretical constructions (either based on general primitives or on concrete intractability assumptions) are relatively slow compared to “practical constructions” whose security is based on first-order cryptanalytic principles rather than on a security reduction. As a concrete example, theoretical constructions of PRFs $F_k:\{0,1\}^n\rightarrow \{0,1\}^n$ have super-linear (or even quadratic) circuit size. In contrast, Miles and Viola [MV12] presented a candidate PRF which can be computed by a quasilinear circuit of size $\tilde{O}(n)$. (The notation $\tilde{O}(n)$ subsumes polylogarithmic factors.) Similarly, Akavia et al. [ABG+14] proposed a candidate for a weak PRF^{Footnote 1} which can be computed by a constant-depth circuit with unbounded fan-in AND, OR and XOR gates, whereas it is unknown how to construct such a weak PRF based on one-wayness assumption.

Our goal in this paper is to narrow the gap between provably-secure constructions and highly-efficient candidates. We present several constructions of pseudorandom functions with low-complexity, and show that their security can be reduced to variants of Goldreich’s one-way function. Before introducing our constructions, let us present Goldreich’s one-way function. (For more details see the survey [App15].)

1.1 Goldreich’s One-Way Function

Let n be an input length parameter, $m\ge n$ be an output length parameter and $d\ll n$ be a locality parameter. For a d-local predicate $P:\{0,1\}^d\rightarrow \{0,1\}$ and a sequence $G=(S_1,\ldots ,S_m)$ of d-tuples over the set $[n]:=\left\{ 1,\ldots ,n\right\} $, we let $f_{G,P}:\{0,1\}^n\rightarrow \{0,1\}^{m}$ denote the mapping

$$\begin{aligned} z\mapsto (P(z[S_1]),\ldots ,P(z[S_m])), \end{aligned}$$

i.e., the i-th output bit is computed by applying the predicate P to the input bits which are indexed by the i-th tuple $S_i$. Goldreich [Gol00] conjectured that for $m=n$ and possibly small value of d (e.g., logarithmic or even constant), the function $f_{G,P}$ is one-way as long as the set system $(S_1,\ldots ,S_m)$ is “highly expanding” and the predicate P is sufficiently “non-degenerate”. We elaborate on these two requirements.

Expansion. To formalize the expansion property let us think of $G=(S_1,\ldots ,S_m)$ as a d-uniform hypergraph with m hyperedges (which correspond to the outputs) over n nodes (which correspond to the inputs). The expansion property essentially requires that every not-too-large subset of hyperedges is almost pair-wise disjoint. Formally, for a threshold r, the union of every set of $\ell \le r$ hyperedges $S_{i_1},\ldots , S_{i_{\ell }}$ should contain at least $(1-\beta ) d \ell $ nodes, i.e., $|\bigcup _{j=1}^{\ell } S_{i_j}|\ge (1-\beta ) d \ell $, where $\beta $ is some constant smaller than $\frac{1}{2}$ (e.g., 0.1).

Secure Predicates. A noticeable amount of research was devoted to studying the properties of “secure” predicates accumulating in several algebraic criteria (cf., [Ale03, MST03, ABW10, BQ12, ABR12, OW14, FPV15]). It is known for example, that in order to support an output length of $m=n^c$ the predicate P must have resiliency of $k=\varOmega (c)$, i.e., P should be uncorrelated with any $\mathrm {GF}(2)$-linear combination of at most k of its inputs. Additionally, the predicate P must have algebraic degree (as a $\mathrm {GF}(2)$ polynomial) of at least c. Moreover, P must have high rational degree in the following sense: any polynomial Q whose roots cover the roots of P or its complement must have algebraic degree of $\varOmega (c)$ [AL15]. An example for such a predicate (suggested in [AL15]) is the d-ary $\mathrm {XOR\text{- }MAJ}_d$ predicate which partitions its input $w=(w_1,\ldots ,w_d)$ into two parts $w_L=(w_1,\ldots ,w_{\lfloor d/2 \rfloor })$ and $w_R=(w_{\lfloor d/2 \rfloor +1},\ldots ,w_d)$, computes the XOR of the left part and the majority of the right part, and XOR’s the results together.^{Footnote 2} This predicate achieves resiliency of d / 2 and rational degree of d / 4 and therefore seems to achieve security for $m=n^{\varOmega (d)}$ outputs.

Security. Intuitively, large expansion (together with high resiliency) provide security against local algorithms that employ some form of divide-and-conquer approach. Due to the expansion of the input-output hypergraph, any small subset of the outputs gives very little information on the global solution x. High rational degree provides security against more global approaches which rely on different forms of linearization and algebraic attacks. These intuitions were formalized and proved for several classes of algorithms in previous works (cf. [AHI05, ABW10, CEMT14, ABR12, BR13, OW14]). Following these works, we make the following strong version of Goldreich’s conjecture:

Assumption 1 (Expander-based OWFs (Informal))

For some universal constant $\alpha \in (0,1)$ and every d-uniform hypergraph G with n nodes and $m < n^{\alpha d}$ hyperedges which is expanding for sets of size $r=n^{\varOmega (1)}$, the function $f_{G,\mathrm {XOR\text{- }MAJ}_d}$ cannot be inverted in polynomial time.^{Footnote 3}

This assumption is consistent with known attacks. In fact, hardness results (against limited families of attacks) suggest that inversion is hard even for adversaries of complexity $\exp (r)$ where r is the expansion threshold. We refer to this variant as the strong $\mathsf {EOWF}$ assumption. We further mention that although previous works mainly focused on the case where the locality d is constant or logarithmic in n (which is going to be our main setting here as well), it seems reasonable to conjecture that the assumption holds even for larger values of d (e.g., $d=n^{\delta }$ for constant $\delta \in (0,1)$). Finally, we note that the expansion requirement implicitly puts restrictions on the values of n, m and d. Roughly speaking, an expansion of $r=n^{1-\beta }$ requires $\varTheta (1/\beta ^2) \le d \le n^{\varTheta (\beta )}$ and restricts m to be at most $n^{\varTheta (d\beta ^2)}$.

1.2 Results and Techniques

We present several constructions of expander-based PRFs.

Weak PRF. Let P be some d-ary predicate (e.g., $\mathrm {XOR\text{- }MAJ}_d$). In our first construction $F_1$, we think of the input $x\in \{0,1\}^n$ as specifying a hypergraph $G_x$ and let the output y be the value of $f_{G_x,P}$ applied to the collection key $k\in \{0,1\}^n$. Namely, we think of the data x as specifying a computation that should be applied to k. The hypergraph $G_x$ is defined in the natural way: Partition x to $(d\log n)$-size substrings, and view each substring as a d-tuple of elements in [n] where each element is given in its binary representation. An adversary that makes q queries $x_1,\ldots ,x_q$ essentially sees the value of $f_{G,P}(k)$ where $G=\bigcup G_{x_i}$. When the adversary is allowed to choose the queries, the outcome cannot be pseudorandom (think of the case where $G_{x_1}$ and $G_{x_2}$ share the same hyperedge). However, when the queries $x_1,\ldots ,x_q$ are chosen at random (as in the setting of a weak PRF), the resulting hypergraph G is a random hypergraph which is likely to be expanding. At this point, we can employ a search-to-decision reduction from [App13], which shows that for random hypergraphs G, one-wayness implies pseudorandomness. It follows that, for a proper choice of parameters (e.g., $d=\varOmega (\log n)$), our assumption implies that the function $F_1$ is a weak PRF.^{Footnote 4}

This construction can be instantiated with different locality parameters d, ranging from $O(\log n)$ to $n^{\delta }$. In the logarithmic regime, this gives rise to a construction $F_1:\{0,1\}^n\rightarrow \{0,1\}^{n/\log ^2 n}$ which is computable in linear time of O(n) on a RAM machine with $O(\log n)$ word size. Additionally, this function can be computed, for any fixed key k, by a depth-3 circuit with unbounded fan-in AND and OR gates (i.e., an $\mathbf {AC^0}$ circuit).^{Footnote 5} To the best of our knowledge this is the first construction of a weak PRF that achieves such efficiency guarantees.

Concrete Security and Application to Learning. The (strong) $\mathsf {EOWF}$ assumption implies that $F_1$ resists almost-exponential size adversaries (computable by circuits of size $t=\exp (n^{1-\beta })$ for any $\beta >0$) as long as they make only $q=n^{O(d)}$ queries to the function. Hence, logarithmic locality provides only security against a quasi-polynomial number of queries (e.g., $\exp (\mathrm{polylog}(n)$). Similarly, the distinguishing advantage of the adversary is only quasi-polynomial $\varepsilon =\exp (-\mathrm{polylog}(n))$. While this setting of parameters may seem too weak for many cryptographic applications, it provides a useful theoretical insight. The classical learning algorithm of Linial, Mansour and Nisan [LMN93] shows that any $\mathbf {AC^0}$-computable weak PRF can be broken either with quasipolynomial distinguishing advantage or by making quasipolynomial number of queries. (In the computational learning terminology, $\mathbf {AC^0}$ functions are PAC-learnable under the uniform distribution using a quasipolynomial number of samples and time, or weakly learnable in polynomial-time with advantage $1/\mathrm{polylog}(n)$ over $\frac{1}{2}$.) The LMN algorithm relies on the Fourier spectrum of $\mathbf {AC^0}$ functions, and the possibility of improving it to a polynomial-time algorithm is considered to be an important open problem in learning theory. Our construction suggests that this is impossible even for depth-3 circuits, and so the Fourier-based algorithm of [LMN93] is essentially optimal. To the best of our knowledge, this is the first hardness result for learning depth-3 $\mathbf {AC^0}$ circuits over the uniform distribution. Previous hardness results either apply to $\mathbf {AC^0}$ circuits of depth d for large (unspecified) constant depth d [Kha93], to depth-3 arithmetic circuits [KS09], or to depth-2 $\mathbf {AC^0}$ circuits but over a non-uniform distribution [ABW10, DLS14].

Reducing the Distinguishing Advantage. Our second construction attempts to strengthen the distinguishing advantage $\varepsilon $ of $F_1$. In $F_1$ the hypergraph $G=\bigcup G_{x_i}$ fails to be expanding with quasipolynomial probability, and in this case pseudorandomness may be easily violated. As a concrete example note that, with probability $\varOmega (n^{-d})$, the hypergraph G contains a pair of identical hyperedges $S_i=S_j$, and so the corresponding outputs will be identical, and distinguishing (with constant advantage) becomes trivial.

Following [CEMT14], we observe that, although expansion is violated with quasipolynomial small probability, not all is lost, and, except for a tiny (almost exponentially small) probability, the hypergraph G is almost expanding in the sense that after removing a small (say sub-linear) amount of hyperedges the remaining hypergraph is expanding. We use this combinatorial structure to argue that $f_{G,P}(k)$ can be partitioned into two functions $f_1$ and $f_2$, where the input-output hypergraph $G_1$ of $f_1$ is highly expanding and the function $f_2$ depends only on a relatively small (sub-linear) number of inputs. As a result we can show that, for such an almost-expander G, the distribution $f_{G,P}(U_n)$ is pseudorandom except for small number of “bad outputs”.^{Footnote 6} In fact, the number of “bad outputs” is small enough to argue that each block of $f_{G,P}(U_n)$ (corresponding to the i-th query) has a large amount of “pseudoentropy”. Hence, we can get a pseudorandom output (even for almost expanding hypergraphs) by adding a postprocessing stage in which a randomness extractor is applied to the output of $F_1$ (i.e., extraction is performed separately per each block of $f_{G,P}(U_n)$).

Formally, our second construction $F_2$ is keyed by a pair of n-bit strings (k, s), and for a given input x, we output the value ${\mathrm{Ext}}_s(f_{G_x,P}(k))$ where ${\mathrm{Ext}}$ is a strong seeded randomness extractor. Since there are linear-time computable extractors [IKOS08], the construction can be still implemented by a linear-time RAM machine. Moreover, since the extractor can be computed by a linear function (and therefore by a single layer of unbounded fan-in parity gates), the function $F_2$ can be computed by a constant-depth circuit with unbounded fan-in AND, OR and XOR gates (or even in $\mathbf {MOD}_2 \circ \mathbf {AC^0}$). We prove that the distinguishing advantage of the construction is almost exponentially-small. We do not know whether $F_2$ provides security against larger (say subexponential) number of queries, and leave it as an open question.

Handling Non-random Inputs. Our next goal is to move from the weak PRF setting in which the function is evaluated only over random inputs, to the standard setting where the queries can be chosen by the adversary.^{Footnote 7} It is natural to try to achieve this goal by introducing a preprocessing mapping M that maps an input x to a hypergraph M(x) with the property that every set of q queries $x_1 \ldots , x_q$ form together a hypergraph $G=\bigcup _i M(x_i)$ with good expansion properties. This approach faces two challenges. First, it is not clear at all how to implement the mapping M (let alone in a very efficient way). Second, we can no longer rely on the standard search-to-decision reduction from [App13] since it applies only to randomly chosen hypergraphs (as opposed to arbitrary expanders).

Search-to-Decision Reduction for Expander-Based Functions. We solve the second challenge, by proving a new search-to-decision reduction that applies directly to expander hypergraphs. Namely, we show that if $f_{G,P}$ is one-way for every expander hypergraph G (as conjectured by in Assumption 1) then it is also pseudorandom for every expander hypergraph. Technically, the original reduction of [App13] shows that if an adversary A can distinguish $f_{G,P}(U_n)$ from a truly random string, then there exists an adversary B that inverts $f_{H,P}(U_n)$ where G and H are random hypergraphs (with polynomially related parameters). This reduction strongly exploits the ability of A to attack many different hypergraphs G. Roughly speaking, every attack on a hypergraph $G_i$ is translated into a small piece of information on the input x (i.e., a noisy estimation on some bit $x_i$), and by accumulating the information gathered from different $G_i$’s the input x is fully recovered.^{Footnote 8}

In contrast, in the new search-to-decision theorem we are given a distinguisher $A_G$ which succeeds only over some fixed expanding hypergraph G. First, we observe that one can slightly modify G and define, for every index $i\in [n]$, a hypergraph $G_i$ such that given $y=f_{G_i}(x)$ the attacker $A_G$ can be used to obtain an estimation for the i-th bit of x. (This is already implicit in [App13].) One may therefore try to argue that the function $f_{\bigcup _{i} G_i,P}(x)=(f_{G_1}(x),\ldots ,f_{G_n}(x))$ can be inverted by calling $A_G$ for each block separately. This is problematic for two reasons: (1) inversion may fail miserably since the calls to $A_G$ are all over statistically-dependent inputs (the same x is being used); and (2) the resulting hypergraph $H=\bigcup _{i} G_i$ is non-expanding (due to the use of almost identical copies of the same hypergraph G), and so inversion over H does not contradict the theorem.

Fortunately, both problems can be solved by randomizing each of the $G_i$’s (essentially by permuting the names of the inputs). By concatenating the randomized $G_i$’s, we get a probability distribution $\mathcal{D}(G)$ over hypergraphs which satisfies the following two properties: (1) a random hypergraph $H\mathop {\leftarrow }\limits ^{R}\mathcal{D}(G)$ is typically a good expander; and (2) Inverting $f_{H,P}$ for a random $H\mathop {\leftarrow }\limits ^{R}\mathcal{D}(G)$ reduces to inverting $f_{G,P}$. Since we work in a non-uniform model of adversaries (circuits), this suffices to prove the theorem. (See Sect. 3 for details.)

Mapping Inputs to Expanders. Going back to the first challenge, we still need to provide a mapping M(x) which, when accumulated over different inputs, results in a highly expanding hypergraph. Note that although M operates on n-bit inputs, it should satisfy a global property that applies to collection of super-polynomial (or even exponential) number of inputs. Unfortunately, we do not know how to obtain such a mapping deterministically with a low computational cost. Instead, we show how to provide a family of mappings $M_{\sigma }$ with the property that for every fixed sequence of inputs $x_1,\ldots ,x_q$ and for a random $\sigma $, the hypergraph $G=\bigcup _i M_{\sigma }(x_i)$ is highly expanding with all but exponentially small probability. The key idea is to note that in order to guarantee expansion for r-size sets, it suffices to make sure that each set of r hyperedges of G is (almost) uniformly distributed. This means that $M_{\sigma }$ should satisfy the following form of pseudorandomness: For a random $\sigma $, every subset of $R=r d \log (n)$ bits of the random variable $(M_{\sigma }(x))_{x\in \{0,1\}^n}$ should be statistically-close to uniform. This setting is somewhat non-standard: Efficiency is measured with respect to a single invocation of $M_{\sigma }$ (i.e., the complexity of generating a block of m hyperedges), but pseudorandomness should hold for any set of r hyperedges (R bits) across different invocations.

We construct such a mapping $M_{\sigma }$ by tweaking a construction of Miles and Viola [MV12]. We view $\sigma \in \{0,1\}^{2n}$ as a pair of $\mathrm {GF}(2^n)$ elements $\sigma _1,\sigma _2$, and map an input $x\in \mathrm {GF}(2^n)$ to the $\mathrm {GF}(2^n)$-element $(x+\sigma _1)^{-1}\cdot \sigma _2$. (The statistical analysis of $M_{\sigma }$ appears in Sect. 4.3.) The resulting function $F_3$ is keyed by $(k,\sigma ,s)$ and for an input x it outputs the value ${\mathrm{Ext}}_s(f_{M_{\sigma }(x),P}(k))$ where $M_{\sigma }(x)$ is parsed as a d-uniform hypergraph with $m=n/(d\log n)$ hyperedges and d is treated as a parameter. Due to the high efficiency of M (which consists of a single multiplication and a single inversion over $\mathrm {GF}(2^n)$), the function $F_3$ can be computed by a quasilinear circuit $\tilde{O}(n)$ or by a constant-depth circuit with unbounded fan-in AND, OR, and Majority gates (i.e., $\mathbf {TC^0}$ circuit), for any choice of the locality parameter d.

The use of keyed mapping, allows us to prove security against a non-adaptive adversary whose i-th query is independent of the answers for the previous queries. We do not know whether the construction remains secure for adaptive adversaries, however, using the non-adaptive to adaptive transformation of [BH15], we can turn our function into a standard PRF without increasing the asymptotic cost of the construction (in terms of size and depth). We mention that the parallel complexity (i.e., $\mathbf {TC^0}$) seems essentially optimal for PRF and it matches the complexity of the best known PRF constructions based on number-theoretic or lattice assumptions [NR95, NR97, NRR00, BPR12].

Concrete Security. Recall that the locality parameter d can vary from logarithmic to $n^{\delta }$ for some $\delta \in (0,1)$. To get an expansion for sets of size $n^{1-\beta }$ (and therefore security against $\exp (n^{1-\beta })$-size circuits), we must restrict the number of queries q to be smaller than $n^{d\beta ^2}$. In addition, the locality d should satisfy $4/\beta ^2<d<n^{\beta /4}$. Hence, polynomial locality $d=n^{\delta }$ allows to support sub-exponential number of queries while providing security against sub-exponential size circuits with respect to sub-exponential distinguishing advantage. Note that polynomial locality has also some effect on efficiency: The number of output bits per invocations decreases to $\tilde{O}(n/d)$ and so the computational cost per output bit is $\tilde{O}(d)=\tilde{O}(n^{\delta })$. On the other extreme, a logarithmic value of d achieves an almost-optimal complexity per bit (i.e., $\tilde{O}(1)$), and provides security against circuits of almost-exponential size ($\exp (n^{1-\beta })$ for every $\beta >0$) which make a quasipolynomial number of queries.

Security Beyond Expansion. We do not know whether our analysis is tight. To the best of our knowledge, $F_3$ with logarithmic locality may achieve security even in the presence of sub-exponentially many queries. We remark that our analysis is somewhat pessimistic since it essentially assumes that the seed s of the extractor and the seed $\sigma $ of the preprocessing mapping are both given to the adversary. Indeed, in this case the adversary sees the underlying hypergraph and, after sufficiently many queries, it can exploit its non-expanding properties. In contrast, when s and, more importantly, $\sigma $ are not given, the adversary does not get a direct access to the hypergraph. One may assume that as long as M somewhat hides the hypergraph G, lack of expansion cannot be used to break the system. The question of identifying the right (and minimal) notion of hiding remains open for future research.^{Footnote 9}

1.3 Related Candidate PRFs

It is instructive to compare the structure of our constructions to three somewhat related candidates for PRFs.

The BFKL Candidate Weak-PRF [BFKL93] Blum et al. conjectured that the function

$$\begin{aligned} f_{A,B}:x\mapsto \bigg (\bigoplus _{i\in A} x_i\bigg ) \oplus \bigg (\mathrm {MAJ}_{j\in B}(x_j)\bigg ), \end{aligned}$$

is a weak PRF^{Footnote 10}, where the key (A, B) is a random pair of logarithmic size sets $A,B\subseteq [n]$. That is, the function $f_{A,B}$ takes an n-bit vector x, computes the parity of the bits of x which are indexed by A and the majority of the bits which are indexed by B, and outputs the XOR of the two results. This candidate is essentially dual to our first suggestion. Here the sets A and B are used as a secret key and the $\mathrm {XOR\text{- }MAJ}$ predicate is applied to a public random x (the input to the weak PRF). In contrast, we use x as a key (and keep it private) and let the input specify the graph structure. Observe that, unlike our construction, the key of Blum et al. can be described by a string of length $n^{O(\log n)}$ and so it can be broken in quasi-polynomial time and polynomially many samples. In contrast, we conjecture that, in the presence of polynomially many samples, our constructions resist attacks of sub-exponential (or even “almost” exponential) complexity of $\exp (n^{1-\beta })$.

Goldreich’s Suggestion [Gol00]. In the paper which introduced the expander-based one-way functions (leading to Assumption 1), Goldreich suggested to construct a pseudorandom function by iterating the basic (length-preserving) OWF $f_{G,P}:\{0,1\}^n\rightarrow \{0,1\}^n$ a logarithmic number of times and letting the (secret) key specify the sequence of randomly chosen predicates. This construction yields a candidate PRF of circuit complexity $O(n\log n)$ and logarithmic depth. Analyzing the security of this candidate was left as an interesting open question.

A Suggestion by Gowers [Gow96]. Gowers conjectured that, for sufficiently large polynomial m(n), a random m(n)-depth Boolean circuit is a PRF. More accurately, each level of the circuit contains n wires and a single gate $P:\{0,1\}^3\rightarrow \{0,1\}^3$. For each level $\ell $ we select three random indices $(i,j,k)\in [n]$ and use the corresponding wires in the $\ell $-th layer as the incoming wires to the $\ell $-th gate, the output values of the gate are connected to the wires (i, j, k) located at the next level. (All other wires simply copy the previous values to the next layer). When the gate P computes a permutation (over three bits) the resulting circuits computes a permutation over n-bits. Letting the key consists of the description of the circuit (i.e., the wiring of the gates), yields a candidate pseudorandom permutation. Moreover, Gowers proved that the resulting collection is $\ell $-wise independent after $m=\mathrm{poly}(n,\ell )$ levels. (The polynomial dependency in n and $\ell $ was improved by [HMMR05, BH08].)

Unlike the constructions presented in this paper, it is currently unknown how to base any of the above candidates on a one-wayness assumption. Interestingly, all the above candidates (as well as the candidates of Miles and Viola [MV12] and Akavia et al. [ABG+14]) can be naturally viewed as letting the key k specify a “simple” function $F_k$ which is then applied to the (public) input x. In contrast, in our construction every public input x specifies a simple function $f_{x}$ that is applied to the key k. This approach is conceptually similar to the structure of the classical GGM construction [GGM86] which uses the input x to specify a circuit (whose building blocks are length-doubling pseudorandom generators) that is applied to the key.

1.4 Conclusion

We presented several elementary constructions of pseudorandom functions. All our constructions follow a similar template: The input x is mapped to a hypergraph $G_x$, which represents a simple (essentially single-layered) circuit $f_{G_x,P}$, the resulting circuit is applied to the key k, and the output is fed through some randomness extractor. We believe that this structure provides a new methodology for constructing pseudorandom functions which deserves to be further studied.

Following Goldreich, we conjecture that as long as the input-output relations is expanding the computation is hard to invert. We further show that such one-wayness leads to pseudorandomness by extending the techniques of [App13]. We believe that understanding this assumption, or more generally, relating the combinatorial structure of circuits to their cryptographic properties is a key question, which may eventually lead to faster and highly secure PRFs. Our proofs, which fall short of providing optimal security (in some cases they are very far from that), should be viewed as a first step in this direction.

Finally, we believe that the tools developed here (e.g., pseudoranodmness over imperfect expanders, the expander-based search-to-decision reduction, and the expander-generating hash function M) will turn out to be useful for future works in the field.

1.5 Organization

We begin with some standard preliminaries along with a basic hypergraph notation in Sect. 2. In Sect. 3 we give the new search-to-decision reduction that applies to arbitrary expander hypergraphs. The PRF constructions are described in Sect. 4.

2 Preliminaries

General Preliminaries. We let [n] denote the set $\{1,\ldots ,n\}$. For a string $x \in \{0,1\}^n$ and $i \in [n]$, we let x[i] denote the $i^{\textit{th}}$ bit of x. For a tuple $S = (i_1,\ldots ,i_d)$, we let $x[S] = x[i_1,\ldots ,i_d]$ denote the restriction of x to indices in S, i.e., the string $x[i_1] \ldots x[i_d]$. For strings $x_1,\ldots ,x_q$ we write $(x_i)_{i=1}^q$ to denote the concatenation of the strings $x_1||\cdots ||x_q$. We write $\log _d n$ to denote the logarithm of n base d, if $d=2$ we omit writing it explicitly. A function $\varepsilon (\cdot )$ is said to be negligible if $\varepsilon (n) < n^{-c}$ for any constant $c > 0$ and sufficiently large n. We will sometimes use ${\mathrm {neg}}(\cdot )$ to denote an unspecified negligible function. For a function $t(\cdot )$, we write $t = \tilde{O}(n)$, if $t = O(n \log ^k(n))$ for some $k \in \mathbb {N}$.

Probabilistic Notation. For a probability distribution or random variable X (resp., set), we write $x \mathop {\leftarrow }\limits ^{R}X$ to denote the operation of sampling a random x according to X (resp., sampled uniformly from X). We let $U_n$ (resp., $U_S$) denote a random variable uniformly distributed over $\{0,1\}^n$ (resp., over the set S). We write ${\mathrm {supp}}(X)$ to denote the support of the random variable X, i.e., ${\mathrm {supp}}(X) = \{x\ |\ \Pr [X = x] > 0\}$. The statistical distance between two probability distributions X and Y, denoted $\varDelta (X;Y)$, is defined as the maximum, over all functions A, of the distinguishing advantage $\varDelta _{A}(X,Y):=\left| \Pr [A(X) = 1] - \Pr [A(Y) = 1] \right| $. We say that X is $\varepsilon $ -statistically indistinguishable from Y if $\varDelta (X;Y) \le \varepsilon $ and write . The random variable X is $(t,\varepsilon )$ -computationally indistinguishable from Y if for every circuit A of size t, the distinguishing advantage $\varDelta _{A}(X,Y)$ is at most $\varepsilon $, and we write .

Cryptographic Primitives. A random variable X over n-bit strings is called $(t,\varepsilon )$ -pseudorandom if . A function $f:\{0,1\}^n\rightarrow \{0,1\}^{m}$ is $(t,\varepsilon )$ one-way if for every t-size adversary A it holds that $\Pr _x[A(f(x))\in f^{-1}(f(x))]<\varepsilon $.

Definition 1 (PRF)

A keyed function $f: \mathcal {K}\times \mathcal {X}\rightarrow \mathcal {Y}$ is called $(q,t,\varepsilon )$ -pseudorandom if for any t-size circuit $D^{(\cdot )}$ aided with q oracle gates, the distinguishing advantage

$$\begin{aligned} \left| \mathop {\Pr }\limits _{k \mathop {\leftarrow }\limits ^{R}\mathcal {K}}[D^{f_k} = 1] - \mathop {\Pr }\limits _{h \mathop {\leftarrow }\limits ^{R}\mathcal {H}}[D^{h} = 1] \right| \le \varepsilon , \end{aligned}$$

where $\mathcal {H}$ is a set of all functions mapping inputs from $\mathcal {X}$ to $\mathcal {Y}$. An adversary is called non-adaptive if it generates all the queries at the beginning independently of the received responses from the oracle gates.

A $(q,t,\varepsilon )$-PRF family is a sequence of keyed functions $\mathcal {F}=\left\{ f_n: \mathcal {K}_n \times \mathcal {X}_n \rightarrow \mathcal {Y}_n\right\} $ equipped with an efficient key sampling algorithm and an efficient evaluation algorithm where each $f_n$ is $(q(n),t(n),\varepsilon (n))$-pseudorandom. We say that $\mathcal {F}$ is a $(q,t,\varepsilon )$ non-adaptive PRF (resp., weak PRF) if the above holds for non-adaptive adversaries (resp., for adversaries such that each of their queries is chosen independently and uniformly from $\mathcal {X}_n$).

Low-Bias Generators. We employ the following notions of low-bias and bitwise-independence generators. As in the case of PRFs, we view a two-argument function f(k, x) as a keyed function whose first argument k serves as a key. We emphasize this distinction by writing $f_k(x)$ for f(k, x).

Definition 2

Let $g: \{0,1\}^\kappa \times \{0,1\}^m \rightarrow \{0,1\}^n$ be a keyed function. For $x \in \{0,1\}^m$, let Y(x) denote the random variable $g_{k}(x)$ induced by $k\mathop {\leftarrow }\limits ^{R}\{0,1\}^{\kappa }$, and let $\mathbf {Y}$ denote the random variable $(Y(x))_{x\in \{0,1\}^n}$ where the same random key is used for all x’s. We say that g is:

$(t,\varepsilon )$ -bitwise independent if every t-bit subset of $\mathbf {Y}$ is $\varepsilon $-close to uniform (in statistical distance), i.e., for every $\ell \le t$ distinct indices $i_1,\ldots ,i_\ell $ we have that
$$\begin{aligned} \varDelta (U_\ell ; (\mathbf {Y}[{i_j}])_{j=1}^\ell ) \le \varepsilon . \end{aligned}$$
$(t,\varepsilon )$ -biased over $\mathrm {GF}(2)$ if for every $\ell \le t$ distinct indices $\{i_1,\ldots ,i_\ell \}$, we have that
$$\begin{aligned} \left| \Pr \left[ {\sum _{j=1}^\ell \mathbf {Y}[{i_j}] = 1}\right] - \frac{1}{2} \right| \le \varepsilon , \end{aligned}$$
where the sum is computed over $\mathrm {GF}(2)$.
$(t,\varepsilon )$ -linear-fooling over $\mathrm {GF}(2^n)$ if for every t outputs $Y(x_1),\ldots ,Y(x_t)$ (parsed as elements of $\mathrm {GF}(2^n)$) of distinct $x_1,\ldots ,x_t$, every t constants $b_1,\ldots ,b_t$ from $\mathrm {GF}(2^n)$ (that are not all equal to zero), we have that
$$\begin{aligned} \varDelta \left( \sum _{i=1}^t b_i Y(x_i)\ ;\ U_{\mathrm {GF}(2^n)}\right) \le \varepsilon . \end{aligned}$$

Sources and Extractors. The min-entropy of a random variable X is defined to be $\min _{x \in {\mathrm {supp}}(X)} \log \frac{1}{\Pr [X = x]}$ and is denoted by $H_\infty (X)$. A keyed function $E : \mathcal {S}\times \mathcal {X}\rightarrow \mathcal {Y}$ is a strong $(k, \varepsilon )$ -extractor if for every distribution X over $\mathcal {X}$ with $H_\infty (X) \ge k$, it holds that $\varDelta ((s,{\mathrm{Ext}}_s(x))\ ;\ (s,U(\mathcal {Y}))) \le \varepsilon $, where $s \mathop {\leftarrow }\limits ^{R}\mathcal {S}$ , $x \mathop {\leftarrow }\limits ^{R}X$ and $\varDelta (\cdot ; \cdot )$ stands for statistical distance.

We consider the following notion of random sources that can be viewed as a convex combination of the traditional bit-fixing sources [CGH+85].

Definition 3 (Generalized Bit-Fixing Source)

A distribution X over $\{0,1\}^n$ is a generalized k -bit-fixing source if there exist k distinct indices S such that X[S] is distributed like $U_k$ and $X{[[n] {\setminus } S]}$ is independent from X[S].

We use the following simple lemma (whose proof is deferred to the full version [AR16]).

Lemma 1

Let ${\mathrm{Ext}}$ be a strong $(m - r,\delta )$-extractor for m-bit sources. Let $Z = Z_1 || \cdots || Z_q$ be a generalized $(qm - r)$-bit-fixing source, where each $|Z_i| = m$. Then for a uniformly chosen seed s, the random variable $(s,{\mathrm{Ext}}_{s}(Z_1),\ldots ,{\mathrm{Ext}}_{s}(Z_q))$ is $(q \cdot \delta )$-statistically indistinguishable from uniform.

Hypergraphs. An (n, m)-hypergraph G is a hypergraph over vertices [n] with m hyperedges $(S_1, \ldots , S_m)$ where each hyperedge is viewed as a tuple $(i_1, \ldots , i_k)$, i.e., it is ordered and may contain duplications. It is sometimes convenient to think of a hypergraph G as a bipartite graph, where the n vertices represent the lower layer of the graph, the hyperedges represent the upper layer of the graph such that each hyperedge $S = (i_1, \ldots , i_k)$ is connected to the vertices $i_1,\ldots ,i_k$. We say that G is d-uniform (denoted by (n, m, d)-hypergraph) if all the hyperedges are of the same cardinality d. G is almost d-uniform (denoted by [n, m, d]-hypergraph) if $d/2<|S_i|\le d$ for all $i\in [m]$. We let $\mathcal {G}_{n,m,d}$ denote the probability distribution over (n, m, d)-hypergraphs in which each of the m hyperedges is chosen independently and uniformly at random from $[n]^d$. We say that a distribution over (n, m, d)-hypergraphs is $(k,\varepsilon )$ -random if any k hyperedges are $\varepsilon $-close (in statistical distance) to the uniform distribution $\mathcal {G}_{n,k,d}$. A distribution over hypergraphs is $(r,d,\varepsilon )$-random if any $s \le r$ hyperedges $S_1,\ldots ,S_s$ contain at least sd entries that are $\varepsilon $-close to uniform.

For a set of hyperedges $T = \{S_1,\ldots ,S_k\}$ we write $\mathrm{\Gamma }(T)$ to denote the union of tuples $S_1,\ldots ,S_k$ (where the union of tuples is naturally defined to be the set of all indices occuring in $S_1,\ldots ,S_k$). Let $G {\setminus } T$ denote the hypergraph obtained from G by removing hyperedges T and updating the remaining hyperedges by deleting from them vertices that belong to $\mathrm{\Gamma }(T)$. A hypergraph G is an (r, c)-expander if for any set I of hyperedges of size at most r we have $\mathrm{\Gamma }(I) \ge c |I|$. We refer to r as “the expansion threshold” and to c as “the expansion factor”. A hypergraph G is an $r_{{\mathrm{bad}}}$ -imperfect (r, c)-expander if there exists a subset of G’s hyperedges $I_{{\mathrm{bad}}}$ of size $|I_{{\mathrm{bad}}}| \le r_{{\mathrm{bad}}}$ such that $G {\setminus } I_{{\mathrm{bad}}}$ is an (r, c)-expander.

It is well known that a random hypergraph is likely to be highly expanding. The following lemma (whose proof is deferred to the full version [AR16]) generalizes this fact to the case of $(r,d,\varepsilon )$-random hypergraphs and to the case of imperfect expansion. (Note that the failure probability drops down exponentially with the size of the imperfectness parameter t.)

Lemma 2

Let $\beta $ be a constant in (0, 1) and $d \in \mathbb {N}$ such that $4/\beta ^2 \le d \le n^{\beta /4}$. Let $r = n^{1-\beta }$ and $m\le n^{d \beta ^2/4}$. Let $t=t(n)$ be a non-negative function such that $t \le r$. Then, a $(r+t,d,2^{-\varOmega (n)})$-random (n, m)-hypergraph G is t-imperfect $(r,(1-\beta ) d)$-expander except with probability $n^{-(t+1)d\beta ^2/10}$.

The union of an $(n,m_1)$-hypergraph $G=(S_1,\ldots ,S_{m_1})$ and $(n,m_2)$-hypergraph $H=(R_1,\ldots ,R_{m_2})$ is the $(n,m_1+m_2)$-hypergraph $J = G \cup H$ whose hyperedges are $(S_1,\ldots ,S_{m_1},R_1,\ldots ,R_{m_2})$. Since union is an associative operation, the union of q hypergraphs $G_1 \cup \cdots \cup G_q$ is defined unambiguously.

2.1 Expander-Based Functions

For an (n, m)-hypergraph $G=(S_1,\ldots ,S_m)$, a sequence of m predicates $P=(P_1,\ldots ,P_m)$ where $P_i:\{0,1\}^{|S_i|}\rightarrow \{0,1\}$, we let $f_{G,P}:\{0,1\}^n\rightarrow \{0,1\}^{m}$ denote the function that takes an input $x\in \{0,1\}^n$ and maps it to the m-bit string $(P_1(x[S_1]),\ldots ,P_m(x[S_m]))$. (If all predicates are identical we simply write $f_{G,P}$.) In its most abstract form, our assumption is parameterized by an expansion parameter $\beta $ (that quantifies the “expansion loss”), and by a (possibly infinite) predicate family $\mathcal {P}$. Formally, the Expander-based OWF assumption ($\mathsf {EOWF}$) and Expander-based PRG assumption ($\mathsf {EPRG}$) are defined as follows.

Definition 4

( $\mathsf {EOWF}$ and $\mathsf {EPRG}$ ). The $\mathsf {EOWF}(\mathcal {P},m,\beta ,t,\varepsilon )$ assumption asserts that for every [n, m, d]-hypergraph $G=(S_1,\ldots ,S_m)$ that is $(n^{1-\beta },(1-\beta ) d)$-expanding, and every sequence of predicates^{Footnote 11} $P=(P_i)_{i\in [m]}$ taken from $\mathcal {P}$, the function $f_{G,P}$ is $(t,\varepsilon )$ one-way. The $\mathsf {EPRG}(\mathcal {P},m,\beta ,t,\varepsilon )$ is defined similarly except that $f_{G,P}(U_n)$ is $(t,\varepsilon )$ pseudorandom.

A considerable amount of research was devoted to studying the properties of “secure” predicates. (See [App15] and references therein.) These results suggest that for some predicates of logarithmic arity $d=\varTheta (\log n)$, and some constant $\beta <\frac{1}{2}$, the $\mathsf {EOWF}(\mathcal {P},m,\beta ,t,\varepsilon )$ assumption holds for every polynomial m, t and every inverse polynomial $\varepsilon $. We adopt this setting as our main intractability assumption and abbreviate this assumption by $\mathsf {EOWF}(\mathcal {P})$. Similarly, we let $\mathsf {EPRG}(\mathcal {P})$ denote the analogous assumption for pseudorandomness. In fact, known results suggest that for a proper family of predicates $\mathcal {P}$, every $d=d(n)$ and every $\beta <\frac{1}{2}$, the assumption holds against adversaries whose size t and success probability $\varepsilon $ are exponential in the expansion threshold, i.e., $t=\exp (\varOmega (n^{1-\beta }))$ and $\varepsilon =1/t$, as long as the output length satisfies $m<n^{o(d)}$ or even $m<n^{\alpha d}$ for some constant $\alpha $. We refer to this variant of the assumption as the strong $\mathsf {EOWF}(\mathcal {P})$ and strong $\mathsf {EPRG}(\mathcal {P})$.

Concrete Instantiation. A candidate for such a secure predicate (that is suggested in [AL15]) is the d-ary $\mathrm {XOR\text{- }MAJ}_d$ predicate which partitions its input $w=(w_1,\ldots ,w_d)$ into two parts $w_L=(w_1,\ldots ,w_{\lfloor d/2 \rfloor })$ and $w_R=(w_{\lfloor d/2 \rfloor +1},\ldots ,w_d)$, computes the XOR of the left part and the majority of the right part, and XOR’s the results together. This predicate satisfies several useful properties such as high resiliency, high algebraic degree and high rational degree (see Sect. 1.1). In fact, these properties hold for the more general case of XOR-Threshold predicates defined by:

$$\begin{aligned} \mathrm {XOR\text{- }TH}_{d,\alpha ,\tau }(w_1,\ldots ,w_d)= \left( \sum _{j=1}^{\lfloor \alpha d \rfloor } w_{j}>\tau \lfloor \alpha d \rfloor \right) \oplus \left( \bigoplus _{i=\lfloor \alpha d \rfloor +1}^d w_i \right) , \end{aligned}$$

where the first term evaluates to one if $w_{1}+\cdots +w_{\lfloor \alpha d \rfloor }>\tau $ and to zero otherwise. We define^{Footnote 12} $\mathrm {XOR\text{- }TH}_d=\left\{ \mathrm {XOR\text{- }TH}_{d,\alpha ,\tau }: \forall \alpha ,\tau \in (1/3,2/3)\right\} $ and let $\mathrm {XOR\text{- }TH}=\bigcup _{d\in \mathbb {N}}\mathrm {XOR\text{- }TH}_d$. We conjecture that strong $\mathsf {EOWF}$ holds for this family predicates.

3 From One-Wayness to Pseudorandomness

In this section, we show that $\mathsf {EPRG}$ reduces to $\mathsf {EOWF}$ as long as the predicate family $\mathcal {P}$ is sensitive. The latter condition means that every d-ary predicate $P\in \mathcal {P}$ can be written as $P(w)=w_i\oplus P'(w)$ where i is some input variable and $P'$ does not depend on $w_i$. (Namely, the predicate is fully sensitive to one of its coordinates.)

Theorem 1

Let $\beta $ be a constant in (0, 1); and $d=d(n)$, $m=m(n)$ and $\varepsilon =\varepsilon (n)$ be such that:

$$\begin{aligned} \frac{4}{\beta } \le d(1-\beta ) \le n^{\beta /4}~~~\text{ and }~~~\frac{4n m^3 \ln n}{\varepsilon ^2} \le n^{(\beta ^2/4)(1-\beta )d}, \end{aligned}$$

and $\mathcal {P}$ be a sensitive predicate family. Then, the $\mathsf {EPRG}(\mathcal {P},m,\beta ,t,\varepsilon )$ assumption follows from the $\mathsf {EOWF}(\mathcal {P},m',\beta ',t',\varepsilon ')$ assumption where $m'=m\cdot O(n \ln n m^2 /\varepsilon ^2)$, $\beta '=3\beta $, $t'=t\cdot O(n \ln n m^2/\varepsilon ^2)$ and $\varepsilon '=\varOmega (\varepsilon /(mn))$.

Note that once d(n) is logarithmic in n, the conditions in the theorem are satisfied for every polynomial $m=\mathrm{poly}(n)$, every inverse polynomial $\varepsilon (n)$, and every constant $\beta $. We conclude the following corollary.

Corollary 1

For every sensitive family of predicates $\mathcal {P}$, if $\mathsf {EOWF}(\mathcal {P})$ holds then so does $\mathsf {EPRG}(\mathcal {P})$. In particular, this holds for the special case of $\mathcal {P}=\mathrm {XOR\text{- }TH}$.

Note that if we plug in larger (super logarithmic) values of d in Theorem 1, we can support larger (super-polynomial) values of m and smaller values of $\varepsilon $ (at the expense of decreasing $\beta $ to some concrete constant).

3.1 Proof of Theorem 1

Assume, towards a contradiction, that there exists a t-size adversary that breaks the pseudorandomness of $f_{G,P}$ with advantage $\varepsilon $ for some [n, m, d]-hypergraph G which is $(n^{1-\beta },(1-\beta ) d)$-expanding and some sequence of sensitive predicates $P=(P_1,\ldots ,P_m)\in \mathcal {P}^m$. Then, due to Yao’s theorem [Yao82], there exists an adversary $A_G$ of similar complexity that predicts some bit of $f_{G,P}$ with advantage $\varepsilon _p=\varepsilon /m$. To simplify notation, we assume that $A_G$ predicts the last bit^{Footnote 13} of $f_{G,P}$. That is,

$$\begin{aligned} \mathop {\Pr }\limits _{x \mathop {\leftarrow }\limits ^{R}\{0,1\}^n, y=f_{G,P}(x)}[A_G(y{[1,\ldots ,{m-1}]})=y{[m]}] - \frac{1}{2}\ge \varepsilon _p. \end{aligned}$$

(1)

We will prove the following lemma.

Lemma 3

Let $\kappa =4\ln n/\varepsilon _p^2$, $m'=\kappa \cdot m \cdot n$ and $P'=P^{\kappa n}=(P_1,\ldots ,P_m)^{\kappa n}$. There exists a distribution $\mathcal{D}$ over $(n,m',d)$-hypergraphs such that:

1.
A hypergraph H sampled from $\mathcal{D}$ is $(n^{1-3\beta },(1-3\beta ) d)$-expanding with probability $1 - 1/(n\ln n)$.
2.
There exists an adversary B of size $t' = O(\kappa \cdot n \cdot t)$ and a set of inputs ${\mathrm{Good}}\subseteq \{0,1\}^n$ which contains at least $\varepsilon _p/2$-fraction of all n-bit strings, such that for every string $x\in {\mathrm{Good}}$,
$$\begin{aligned} \mathop {\Pr }\limits _{H \mathop {\leftarrow }\limits ^{R}\mathcal{D}}[B(H,f_{H,P'}(x))=x ] \ge 1/(2n). \end{aligned}$$

We show that Theorem 1 follows from Lemma 3. Call H good if

$$\begin{aligned} \mathop {\Pr }\limits _{x \mathop {\leftarrow }\limits ^{R}\{0,1\}^n}[B(H,f_{H,P'}(x))=x | x\in {\mathrm{Good}}] \ge 1/(3n). \end{aligned}$$

By a Markov argument, a random $H \mathop {\leftarrow }\limits ^{R}\mathcal{D}$ is likely to be good with probability $\varOmega (1/n)$. Combing this with the first item, it follows, by a union bound, that there exists a good H which is also $(n^{1-3\beta },(1-3\beta ) d)$-expanding. By hardwiring H to B, we get an adversary $B_H$ which inverts $f_{H,P'}$ with probability of at least

$$ \mathop {\Pr }\limits _{x\mathop {\leftarrow }\limits ^{R}\{0,1\}^n}[x\in {\mathrm{Good}}]\cdot \mathop {\Pr }\limits _{x\mathop {\leftarrow }\limits ^{R}\{0,1\}^n}[B_H(f_{H,P'}(x))=x| x\in {\mathrm{Good}}]\ge \varOmega (\varepsilon _p/n)=\varOmega (\varepsilon /(mn)),$$

contradicting the $\mathsf {EOWF}(\mathcal {P},m',3\beta ,t',\varepsilon /(mn))$ assumption. We move on to prove Lemma 3.

Proof

(Proof of Lemma 3.). Before describing the distribution $\mathcal{D}$, we need some additional notation. For a permutation $\pi : [n] \rightarrow [n]$ and a tuple $S=(i_1,\ldots ,i_d) \subseteq [n]^d$, let $\pi (S)$ denote the tuple $(\pi (i_1),\ldots ,\pi (i_d))$. For an [n, m, d]-hypergraph G with the hyperedges $(S_1,\ldots ,S_m)$, let $\pi (G)$ denote a [n, m, d]-hypergraph with the hyperedges $(\pi (S_1),\ldots ,\pi (S_m))$. For a string $x \in \{0,1\}^n$, let $\pi (x)$ denote the bit-string whose coordinates are permuted under $\pi $. We define the distribution $\mathcal{D}$ based on the hypergraph G via the following procedure: (Fig. 1)

We start by proving the first item of Lemma 3. Consider the distribution $\mathcal{D}'$ resulting from generating $\kappa \cdot n$ uniform and independent permutations $\phi _i^j$ ($j \in [n], i \in [\kappa ]$), and outputting the hypergraph $H '= \cup _{i,j} H'_{i,j}$ where $H'_{i,j}=\phi _i^j(G)$. Observe that $\mathcal{D}$ can be viewed as a two step process in which: (1) $H'$ is sampled from $\mathcal{D}'$; and (2) We modify at most two nodes in every hyperedge of $H'$ based on some random process.^{Footnote 14} Since the second step can reduce the expansion of a set T by at most 2|T|, and since our setting of parameters implies that $\beta d > 2$, it suffices to show that $\Pr _{H'}[H' \text { is } (n^{1-2\beta },(1-2\beta ) d)\text {-expanding}]\ge 1 - 1/(n \ln n)$.

To see this, recall that G is $(r,d'=(1-\beta )d)$-expanding and therefore, for every i, j, the random variable $\phi _i^j(G)$ is $(r,d',0)$-random. Moreover, the permutations $\phi _i^j$ are sampled independently at random, and therefore $H'=\bigcup _{i,j} \phi _i^j(G)$ is a $(r, d',0)$-random $(n,\kappa m n)$-hypergraph. Observe that our parameters satisfy the requirements of Lemma 2 (i.e., $4/\beta ^2 \le d' \le n^{\beta /4}$ and $\kappa m n \le n^{\beta ^2 d' /4}$). By applying the lemma with $t=0$, we conclude that $H'$ is $(n^{1-\beta },(1-\beta )^2 d)$-expanding (and thus also $(n^{1-2\beta },(1-2\beta ) d)$-expanding), except with failure probability of at most $n^{-(\beta ^2/4)(1-\beta )d}$. The latter quantity is upper-bounded by $1/(n \ln n)$ since $\frac{4n m^3 \ln n}{\varepsilon ^2} \le n^{(\beta ^2/4)(1-\beta )d}$. This completes the proof of the first part of Lemma 3.

We proceed with the proof of the second item of Lemma 3. Let $S = (\ell ^*,i_2,\ldots ,i_{d})$ be the last hyperedge of G. Let $S'$ denote the $d-1$ tuple $(i_2,\ldots ,i_{d})$ and let $P_m:\{0,1\}^{d}\rightarrow \{0,1\}$ be the predicate computed by the last output of $f_{G,P}$. We assume (WLOG) that the first input of $P_m$ is sensitive and so it can be written as $P_m(w_1,\ldots ,w_d)=w_1 \oplus Q(w_2,\ldots ,w_d)$ for some $(d-1)$-ary predicate Q.

The algorithm B is a variant of the inversion algorithms given in [App13]. The input is a hypergraph $H = \bigcup _{j\in [n], i \in [\kappa ]} G_i^j$ and a string $y\in \{0,1\}^{\kappa \cdot n \cdot m}$ such that $y=f_{H,P'}(x)$. Let y be parsed as $(y_i^j)_{j\in [n], i \in [\kappa ]}$ where each $y^j_i = f_{G_i^j,P}(x)$. For each $j \in [n]$ and $i \in [\kappa ]$, the algorithm B runs $A_G$ on input $y_i^j[1,\ldots ,m-1]$ and gets a prediction bit $e_i^j$. Let $\sigma _i^j$ be the inverse permutation of $\pi _i^j$, and $x_i^j=\sigma _i^j(x)$; then, we get that $y_i^j=f_{\sigma _i(G_i^j),P}(x_i^j)$. By construction, this means that $y_i^j[1,\ldots , m-1]=f_{G,P}(x_i^j)[1,\ldots , m-1]$ and so $A_G$ attempts to predict the value $P_m(x_i^j[S])=x_i^j[\ell ^*]\oplus Q(x_i^j[S'])$. Note that the bit $y_i^j[m]$ equals to $x_i^j[\sigma _i^j(j)] \oplus Q(x_i^j[S'])$, and so

$$\begin{aligned} P_m(x_i^j[S])\oplus y_i^j[m]= x_i^j[\ell ^*]\oplus x_i^j[\sigma _i^j(j)] = x[\pi _i^j(\ell ^*)]\oplus x[j] = x[\tau ] \oplus x[j]. \end{aligned}$$

Assuming that $x[\tau ]$ is known (indeed, we can either guess it or try both values), the above equation provides an estimation for x[j]. Since our predictor may err, this estimation is “noisy”, i.e., it equals to x[j] only with probability $\frac{1}{2}+\varOmega (\varepsilon _p)$. After collecting $\kappa $ such votes (and arguing that these votes are “independent enough”) we eventually recover the input x bit by bit by deciding on the majority of the votes for each x[j]. We proceed by formally describing the algorithm B (Fig. 2).

We now prove that B inverts $f_{H,P'}$ well. Let ${\mathrm {wt}}(x)$ be the hamming weight of $x \in \{0,1\}^n$ and for $w \in [n]$, let $X_{w} = \left\{ x \in \{0,1\}^n | {\mathrm {wt}}(x)=w\right\} $. Call x good if $A_G$ predicts with advantage $\varepsilon _p/2$ the last bit of $f_{G,P}(x')$ for $x' \mathop {\leftarrow }\limits ^{R}X_{{\mathrm {wt}}(x)}$, i.e.,

$$\begin{aligned} \mathop {\Pr }\limits _{x' \mathop {\leftarrow }\limits ^{R}X_{{\mathrm {wt}}(x)},y=f_{G,P}(x')}[A_G(y{[1\ldots {m-1}]})=y{[m]}] - 1/2 \ge \varepsilon _p/2. \end{aligned}$$

We let ${\mathrm{Good}}$ denote the set of good x’s and show that this set is $\varepsilon _p/2$-dense.

Claim

$\Pr _{x\mathop {\leftarrow }\limits ^{R}\{0,1\}^n}[x\in {\mathrm{Good}}]\ge \varepsilon _p/2$.

Proof

Recall that our predictor $A_G$ has an advantage of $\varepsilon _p$ when it is invoked on $f_{G,P}(x')$ where $x'\mathop {\leftarrow }\limits ^{R}U_n$. Note that we can sample a uniform vector $x'\mathop {\leftarrow }\limits ^{R}\{0,1\}^n$ by first selecting $x\mathop {\leftarrow }\limits ^{R}U_n$ and then selecting $x'\mathop {\leftarrow }\limits ^{R}X_{{\mathrm {wt}}(x)}$. Hence, the claim follows from Markov’s inequality. $\square $

Now fix a good x. Let $S_n$ denote the set of all permutations from [n] to [n]. Observe that sampling $x' \mathop {\leftarrow }\limits ^{R}X_{{\mathrm {wt}}(x)}$ is equivalent to taking a random permutation $\sigma \mathop {\leftarrow }\limits ^{R}S_n$ and computing $x' = \sigma (x)$. Hence, it holds that

$$\begin{aligned} \mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}S_n,y=f_{G,P}(\sigma (x))}[A_G(y{[1\ldots {m-1}]})=y{[m]}] - 1/2 \ge \varepsilon _p/2. \end{aligned}$$

By an averaging argument, we get that there exists an index $\tau _x \in [n]$ such that

$$\begin{aligned} \mathop {\Pr }\limits _{\sigma \mathop {\leftarrow }\limits ^{R}\left\{ \pi \in S_n|\pi (\tau _x)=\ell ^*\right\} ,y=f_{G,P}(\sigma (x))}[A_G(y{[1\ldots {m-1}]})=y{[m]}] - 1/2 \ge \varepsilon _p/2. \end{aligned}$$

Next, we show that the algorithm B recovers x with probability at least $\frac{1}{2}$ when invoked with a good input x and with a hypergraph H generated under condition that $\tau = \tau _x$. Since $\tau $ is generated uniformly at random this implies that $\Pr _{H}[B(H,f_{H,P'}(x))=x] \ge 1/(2n)$.

Claim

For every good x, it holds that $\Pr _{H}[B(H,f_{H,P'}(x))=x | \tau = \tau _x]\ge \frac{1}{2}$.

Proof

We assume that $x[\tau ]=0$ and show that, with high probability, $s_0$ is likely to be x. (A similar argument shows that when $x[\tau ]=1$, $s_1$ is likely to be x). We prove that for each $j\in [n]$ the value $z_j$ equals to x[j] with probability $1-1/(2n)$. The theorem then follows by applying a union bound over all n indices.

Fix some index $j\in [n]$. Call a vote $b_i^j$ good if it is equal to x[j]. Our goal is to show that with high probability a majority of the votes are good. Observe that in each iteration $i\in [\kappa ]$, the predictor $A_G$ is invoked on $y_i^j[1,\ldots ,m-1]=f_{G,P}(x_i^j)[1,\ldots ,m-1]$ where $x_i^j=\sigma _i^j(x)$ and that the vote $b_i^j$ is good if the predictor succeeds in predicting $P_m(x_i^j[S])$. Since the permutations $\sigma _i^j$’s (that are the inverses of $\pi _i^j$’s) are independent and are uniform subject to $\sigma _i^j(\tau )=\ell ^*$, and since x is good, each call to the predictor succeeds independently with probability $\frac{1}{2}+\varepsilon _p/2$. Hence, by an additive Chernoff bound, the majority of the votes are good except with probability $\exp (-2\kappa \cdot (\varepsilon _p/2)^2 ) = \exp (-2 \ln n) < 1/(2n)$. $\square $

This completes the proof of Lemma 3. $\square $

4 PRF Constructions

We describe a general template for constructing pseudorandom functions. The template is parameterized with a predicate family $\mathcal {P}=\left\{ P_d\right\} $ where $P_d$ is a d-ary predicate^{Footnote 15} and two (possibly keyed) algorithms: mapper M and extractor E. Let $n \in \mathbb {N}$ denote the security parameter and let $d = d(n)$ be a locality parameter. Given an input $x \in \{0,1\}^n$ and a uniformly chosen key $k \in \{0,1\}^n$ we define the output of the function as follows. First, we use the mapper M to map x to an $(n,n/(d \log n),d)$-hypergraph $G_x$. Second, given the key k we compute a pseudorandom string $y = f_{G_x,{P}}(k)$, where $P=P_d$. Finally, we apply a randomness extractor E to y in order to produce the final output. (The keys of E and M are appended to the key k and are treated as part of the key of the construction.) The main intuition behind this template is that if the hypergraph $G_x$ has good expanding properties, the string y contains enough pseudoentropy which once extracted via E looks pseudorandom.

In the following we describe several instantiations of the template by choosing different M and E.

Notation Switch. Through this section, the symbol x denotes a query to the PRF while k denotes the PRF’s key. Due to the structure of our construction, this means that the input to the function $f_{G,P}$ is denoted by k (the key) and the hypergraph G is computed based on the input x. (Unlike the notation used in Sect. 3.)

4.1 Instantiation $F_1$

The first instantiation $F_1$ can be seen as a “plain” instantiation of the template, where the inputs are mapped to the hypergraphs directly and no extractor is applied in the end (Fig. 3).

Theorem 2

Let n be the security parameter. For every $q=n^{o(\log n)}$, every $t(n),\varepsilon (n)$, and every constant $\beta \in (0,1)$ the function $F_1$ is a $(q,t,\varepsilon + n^{-\varOmega (\log n)})$ weak PRF under assumption $\mathsf {EPRG}(\mathcal {P},n \cdot q,\beta ,t,\varepsilon )$.

Proof

Fix some constant $\beta $ and let $d=\varTheta (\log n)$. Let $x_1,\ldots ,x_q$ be $q=n^{o(\log n)}$ random strings from $\{0,1\}^n$ asked by the adversary. For $i \in [q]$, let $G_i = M(x_i)$. Since the $x_i$’s are uniformly distributed, the hypergraph $H := \bigcup _{i=1}^q{G_i}$ is a $(n^{1-\beta },0)$-random (n, m, d)-hypergraph with $m=qn/(d\log n)<n^{d \beta ^2/4}$. Hence, by Lemma 2 (with imperfectness parameter $t=0$), H is $(n^{1-\beta }, (1-\beta ) d)$-expanding except with probability $\varepsilon _{\textsc {exp}}=n^{-\varOmega (\log n)}$. (The condition $4/\beta ^2 \le d \le n^{\beta /4}$ required for Lemma 2 holds since $\beta $ is constant and $d = \varTheta (\log n)$.) The theorem follows by noting that conditioned on H being $(n^{1-\beta }, (1-\beta ) d)$-expanding, the $\mathsf {EPRG}(\mathcal {P},n \cdot q,\beta ,t,\varepsilon )$ assumption implies that the random variable $V = (F_1(k,x_i))_{i=1}^q$, induced by a uniformly chosen $k\in \{0,1\}^n$, is $(t,\varepsilon )$-pseudorandom.

Remark 1

We note that the theorem extends to the case where $\log _n q+1<\beta ^2 d/4$.

Corollary 2

Suppose that $\mathsf {EOWF}(\mathrm {XOR\text{- }MAJ})$ holds. Then, there exists a weak PRF $F_1:\{0,1\}^n\times \{0,1\}^n\rightarrow \{0,1\}^{n/\log ^2 n}$ which is computable in linear time of O(n) on a RAM machine with $O(\log n)$ word size, or by a boolean circuit of size $\tilde{O}(n)$. Moreover, for every fixed key k, the function $F_1(k,\cdot )$ can be computed by a depth-3 $\mathbf {AC^0}$ circuit.

Proof

By Corollary 1, $\mathsf {EOWF}(\mathrm {XOR\text{- }MAJ})$ implies $\mathsf {EPRG}(\mathrm {XOR\text{- }MAJ})$, which in turn, implies, by Theorem 2, that $F_1$ is a weak PRF.

Observe that the computation of $F_1$ consists of two steps. (1) Access the key k in the $n/\log n$ addresses specified by the input x and retrieve the corresponding content. Namely, for $1\le i\le \ell $ where $\ell =n/\log n$, output the bits $z_i=k[x[(i-1)\log n +1:i\log n]]$ where $x[i:i+j]$ denotes the address represented by the substring $(x[i]\cdots x[i+j])$ under the standard binary representation. (2) Partition the bits $z_1,\ldots ,z_{\ell }$ to d-size $\ell /d$ blocks, and compute for each block $1\le i \le \ell /d$ the bit $y_i=\mathrm {XOR\text{- }MAJ}_d(z_{(i-1)d+1},\ldots ,z_{id})$.

Time. On a RAM machine with $\log n$ word size, the first step is implemented in time O(n) (these are just accesses to an array) and the second step takes $O(n/\log n)$ time.

Size. In Appendix A we show that the first step can be implemented by a circuit of quasilinear size $O(n \log ^2 n \log \log n)$. In the second part, each computation of $z_i$ consists of computing two symmetric functions (XOR and Majority) over d / 2-long inputs. The classical result of [MP75] (see also [Weg87]) shows that every d-ary symmetric predicate can computed by a linear-size circuit (of size O(d)) and so the overall complexity of the second step is linear in n.

Depth. Fix some key k. Observe that both the first part and the second part of the computation have logarithmic locality (each bit $z_i$ depends on at most $O(\log n)$ bits of x and each $y_i$ depends on at most $O(\log n)$ bits of the $z_i$’s). Observe that any such function can be computed by a polynomial size DNF (OR of AND’s) and a polynomial size CNF (AND of OR’s). Hence, the overall computation can be naively computed by a depth-4 circuit. In fact, by using DNF for the first part and CNF for the second part we can collapse the two middle layers of OR gates and implement $F_1$ by a depth-3 $\mathbf {AC^0}$ circuit. $\square $

We note that, under strong $\mathsf {EOWF}(\mathrm {XOR\text{- }MAJ})$, $F_1$ achieves security against adversaries of almost-exponential size ($\exp (n^{1-\beta })$ for every $\beta >0$) who make polynomially many queries (or even slightly super-polynomial number of queries q) with quasipolynomial distinguishing advantage of $\varepsilon =n^{-\varOmega (\log n)}$. As mentioned in the introduction, the quasipolynomial value of $\varepsilon $ is inherent for $\mathbf {AC^0}$ constructions.

We also remark that one can extend the output length of $F_1$ to $\{0,1\}^n$ by stretching the output using a pseudorandom generator $G:\{0,1\}^{n/\log n}\rightarrow \{0,1\}^n$. Using fast constructions of PRGs (e.g., [App13]) one can do this while keeping the efficiency guarantees stated in the theorem.

4.2 Instantiation $F_2$

The second instantiation $F_2$ is a modification of $F_1$, where an extractor is applied in the end. As explained in the introduction, this allows us to reduce the distinguishing advantage $\varepsilon $ (Fig. 4).

Our goal is to provide a tight security reduction from breaking $F_2$ to the $\mathsf {EPRG}$ assumption. For this, we will have to rely on the security of $\mathsf {EPRG}$ over a predicate family $\mathcal {P}_{\beta }$ containing all predicates which can be obtained by selecting some d-ary predicate $P\in \mathcal {P}$ and arbitrarily fixing at most $\beta d$ of its inputs. Although the security of $\mathsf {EOWF}$ with respect to $\mathcal {P}_{\beta }$ may seem like a strong assumption, we will later show that natural candidates for $\mathsf {EOWF}$ already satisfy it.

Theorem 3

Let n be the security parameter. Let $\beta $ be a constant in (0, 1), $q=q(n)$ and $d = d(n)$ such that $4/\beta ^2 \le d \le n^{\beta /4}$ and $q \le n^{d\beta ^2/4 - 1}$. Let $t=t(n)$, $\varepsilon =\varepsilon (n)$ be arbitrary functions. Then, the function $F_2$ is a $(q,t,\varepsilon + n^{-\varOmega (d n^{1-\beta })} + q\cdot 2^{-\varOmega (n)})$ weak PRF, under assumption $\mathsf {EPRG}(\mathcal {P}_\beta ,n \cdot q,\beta ,t,\varepsilon )$.

Proof

Let $x_1,\ldots ,x_q$ be q random strings from $\{0,1\}^n$ asked by the adversary. For $i \in [q]$, let $G_i = M_2(x_i)$. Consider the (n, m, d)-hypergraph $H := \bigcup _{i=1}^q{G_i}$ where $m=nq/ (d\log n)< n^{d \beta ^2/4}$. Since the $G_i$’s are random, the hypergraph H is (2r, 0)-random for $r = n^{1-\beta }$. By applying Lemma 2 with $t=r=n^{1-\beta }$ and d-uniform hypergraphs, we conclude that, except with probability $\varepsilon _{\textsc {exp}}=n^{-\varOmega (d r)}$, the hypergraph H is r-imperfect $(r, (1-\beta ) d)$-expander.

From now on we fix a sequence of queries $(x_1,\ldots ,x_q)$ which leads to such an imperfect expander H. It suffices to prove that, for a uniformly chosen $(k,s)\in \mathcal {K}$, the random variable $V:=(F_2((k,s),x_i))_{i=1}^q$ is $(t,\varepsilon + q\cdot \varepsilon _{{\mathrm{Ext}}})$-pseudorandom for $\varepsilon _{{\mathrm{Ext}}}=2^{-\varOmega (n)}$.

By construction, V can be rewritten as $\overline{{\mathrm{Ext}}}_{s}(f_{H,P}(k))$ where $\overline{{\mathrm{Ext}}}_s(y_1,\ldots ,y_q):=({\mathrm{Ext}}_s(y_1),\ldots ,{\mathrm{Ext}}_s(y_q))$. First, we show that the distribution of $f_{H,P}(k)$ is computationally indistinguishable from a generalized bit-fixing source (the proof is deferred to the full version [AR16]).

Lemma 4

Let G be a [n, m, d]-hypergraph which is $n^{1-\beta }$-imperfect $(n^{1-\beta },(1-\beta )d)$-expander for some constant $\beta \in (0,1)$. Then, given that the assumption $\mathsf {EPRG}(\mathcal {P}_\beta ,m,\beta ,t,\varepsilon )$ holds, the random variable $f_{G,P}(U_n)$ is $(t,\varepsilon )$-computationally indistinguishable from a generalized $(m - n^{1-\beta })$ bit-fixing source.

It follows that $f_{H,P}(k)$ is $(t,\varepsilon )$-computationally indistinguishable from some generalized $(\frac{q n}{d \log n} - r)$ bit-fixing source Y. We therefore conclude that $V=\overline{{\mathrm{Ext}}}_{s}(f_{H,P}(k))$ is $(t,\varepsilon )$-indistinguishable from $\overline{{\mathrm{Ext}}}_{s}(Y)$. By Lemma 1 (Sect. 2), the latter distribution is $(q \cdot \varepsilon _{{\mathrm{Ext}}})$-statistically indistinguishable from uniform. Hence, conditioned on H being an almost expander, V must be $(t,\varepsilon +q\varepsilon _{{\mathrm{Ext}}})$-indistinguishable from uniform. Overall, we conclude that for q random queries, V is $(t,\varepsilon +q\varepsilon _{{\mathrm{Ext}}}+\varepsilon _{\textsc {exp}})$-pseudorandom, as required. $\square $

Corollary 3

Suppose that strong $\mathsf {EPRG}(\mathrm {XOR\text{- }TH})$ holds. Then, there exists a weak PRF $F_2:\{0,1\}^{O(n)} \times \{0,1\}^n\rightarrow \{0,1\}^{n/2\log ^2 n}$ which is $(q,t=\exp (n^{1-\beta }),\varepsilon =\exp (-n^{1-\beta }))$ for every polynomial q and every constant $\beta $, and can be computed in linear time of O(n) on a RAM machine with $O(\log n)$ word size, and by a boolean circuit of size $\tilde{O}(n)$. Moreover, for every fixed key k, the function $F_2(k,\cdot )$ can be computed by an $\mathbf {MOD}_2 \circ \mathbf {AC^0}$ circuit.

Proof

Instantiate $F_2$ with $\mathcal {P}=\mathrm {XOR\text{- }MAJ}$ and observe that $\mathcal {P}_{\beta }=\mathrm {XOR\text{- }TH}$ for sufficiently small $\beta $ (e.g., every $\beta <1/6$). By Theorem 3, the strong $\mathsf {EPRG}(\mathrm {XOR\text{- }TH})$ assumption implies that, for every polynomial q and constant $\beta >0$, $F_2$ is $(q,t=\exp (n^{1-\beta }),\varepsilon =\exp (-n^{1-\beta }))$ weak PRF.

The efficiency analysis is identical to the analysis of $F_1$ except that we need to add the complexity of the extractor. Ishai et al. [IKOS08, Theorem 3.3] constructed a strong $(0.9 \cdot N,2^{-\varOmega (N)})$-extractor for N-bit sources outputting an (N / 2)-bit string using a seed of length O(N) that can be computed by a linear function (over the binary field) whose circuit is of size O(N). By employing this extractor we get a linear-time implementation in the RAM model and quasilinear-size circuit implementation. Furthermore, since the extractor is a linear function it can be implemented by a single layer of XOR gates and so the overall computation is in $\mathbf {MOD}_2 \circ \mathbf {AC^0}$. $\square $

4.3 Instantiation $F_3$

The third instantiation, $F_3$, is a modification of $F_2$, where the input x is mapped to a hypergraph using an $(n,2^{-\varOmega (n)})$-bitwise independent generator $M : \mathcal {K}_m \times \mathcal {X}\rightarrow \mathcal {X}$. An efficient construction of such a $(n,2^{-\varOmega (n)})$-bias generator (with $\mathcal {K}_m=\{0,1\}^{2n}$) is presented in Theorem 5 (Fig. 5).

Theorem 4

Let n be the security parameter. Let $\beta $ be a constant in (0, 1), $q=q(n)$ and $d = d(n)$ such that $4/\beta ^2 \le d \le n^{\beta /4}$ and $q \le n^{d\beta ^2/4 - 1}$. Let $t=t(n)$, $\varepsilon =\varepsilon (n)$ be arbitrary functions. Then, the function $F_3$ is a non-adaptive $(q,t,\varepsilon + n^{-\varOmega (d n^{1-\beta })} + q\cdot 2^{-\varOmega (n)})$-PRF, under assumption $\mathsf {EPRG}(\mathcal {P}_\beta ,n \cdot q,\beta ,t,\varepsilon )$.

Proof

Fix a sequence of q distinct non-adaptive queries $x_1,\ldots ,x_q$. For $i \in [q]$, let $G_i := M_{\sigma }(x_i)$. Since M is $(n,2^{-\varOmega (n)})$-biased, the hypergraph $H := \bigcup _{i=1}^q{G_i}$ is $(\ell ,2^{-\varOmega (n)})$-random hypergraph for $\ell =n/(d\log n)\ge 2n^{1-\beta }$. Recall also that H has at most $n \cdot q \le n^{d \beta ^2/4}$ hyperedges and d is chosen such that $4/\beta ^2 \le d \le n^{\beta /4}$. By applying Lemma 2 with $t=r=n^{1-\beta }$ and d-uniform hypergraphs, we conclude that, except with probability $\varepsilon _{\textsc {exp}}=n^{-\varOmega (d r)}$, the hypergraph H is r-imperfect $(r, (1-\beta ) d)$-expander (where the probability is taken over $\sigma \mathop {\leftarrow }\limits ^{R}\mathcal {K}_m$).

From now on we fix a good $\sigma $ which leads to such an imperfect expander H. It suffices to prove that, for a uniformly chosen (k, s), the random variable $V:=(F_3((k,\sigma ,s),x_i))_{i=1}^q$ is $(t,\varepsilon + q\cdot \varepsilon _{{\mathrm{Ext}}})$-pseudorandom for $\varepsilon _{{\mathrm{Ext}}}=2^{-\varOmega (n)}$. By construction, V can be rewritten as $\overline{{\mathrm{Ext}}}_{s}(f_{H,P}(k))$ where $\overline{{\mathrm{Ext}}}_s(y_1,\ldots ,y_q)$ stands for $({\mathrm{Ext}}_s(y_1),\ldots ,{\mathrm{Ext}}_s(y_q))$. Lemma 4 shows that the random variable $f_{H,P}(k)$ is $(t,\varepsilon )$-computationally close to some generalized $(q n/(d \log n) - r)$ bit-fixing source Y, and Lemma 1 shows that $\overline{{\mathrm{Ext}}}_{s}(Y)$ is $q \cdot \varepsilon _{\mathrm{Ext}}$-close to uniform. The theorem follows. $\square $

In Theorem 5 we show that there exists a $(n,2^{-\varOmega (n)})$-bias generator $M : \{0,1\}^{2n} \times \{0,1\}^n\rightarrow \{0,1\}^n$ which can be computed in quasilinear time $\tilde{O}(n)$ or by a $\mathbf {TC^0}$ circuit (i.e., a constant-depth circuit with unbounded fan-in AND, OR and Majority gates). The following corollary follows.

Corollary 4

Suppose that $\mathsf {EOWF}(\mathrm {XOR\text{- }MAJ})$ holds. Then, there exists a non-adaptive PRF $F_3:\{0,1\}^{3n} \times \{0,1\}^n\rightarrow \{0,1\}^{n/\log ^2 n}$ which is computable by a boolean circuit of size $\tilde{O}(n)$. Moreover, for every fixed key k, the function $F_3(k,\cdot )$ can be computed by a $\mathbf {TC^0}$ circuit.

Proof

Let $\mathcal {P}=\mathrm {XOR\text{- }MAJ}$ and observe that $\mathcal {P}_{\beta }=\mathrm {XOR\text{- }TH}$ for sufficiently small $\beta $ (e.g., every $\beta <1/6$). By Corollary 1, $\mathsf {EOWF}(\mathrm {XOR\text{- }TH})$ implies $\mathsf {EPRG}(\mathrm {XOR\text{- }TH})$, which in turn, implies, by Theorem 4, that $F_3$ is a non-adaptive PRF.

The efficiency analysis is identical to the analysis of $F_2$ except that we need to add the complexity of M which can be computed in quasilinear time $\tilde{O}(n)$ or by a $\mathbf {TC^0}$ circuit (See Theorem 5).

Under the strong $\mathsf {EPRG}(\mathrm {XOR\text{- }TH})$ assumption, a logarithmic d implies that $F_3$ is $(q,t=\exp (n^{1-\beta }),\varepsilon =\exp (-n^{1-\beta }))$ secure for every polynomial q and every constant $\beta $. For polynomial locality $d=n^{\delta }$, for some constant $\delta >0$, we get $q=\exp (n^{\varOmega (\delta )})$, $t=\exp (n^{1-\varOmega (\delta )})$ and $\varepsilon =\exp (-n^{1-\varOmega (\beta )})$.

A Bitwise Independent Generator Construction. We now construct an efficient generator that is $(t,\varepsilon )$-bitwise independent in the regime of $t = n$ and negligible $\varepsilon $.

Theorem 5

Let $k_0,k_1$ be two keys chosen uniformly from $\mathrm {GF}(2^n)$. For $x \in \mathrm {GF}(2^n)$, define the generator $\mathcal {V}_{k_0,k_1}(x) := \frac{k_1}{k_0+x}$. Then, $\mathcal {V}$ is $(d,d \cdot {2^{d/2 + 1 - n}})$-bitwise independent for any $d \le 2^n$. Furthermore, the generator $\mathcal {V}$ can be computed by a circuit of quasilinear size $O(n \log ^2 n \log \log n)$ and by a $\mathbf {TC^0}$ circuit.

Proof

We observe that in order to prove that $\mathcal {V}$ is $(d,d \cdot {2^{d/2 + 1 - n}})$-bitwise independent, it is sufficient to prove that $\mathcal {V}$ is $(d,\frac{d}{2^{n-1}})$-linear-fooling over $\mathrm {GF}(2^n)$. Indeed, we know that $(t,\varepsilon )$-linear-fooling over $\mathrm {GF}(2^n)$ implies $(t,\varepsilon )$-bias over $\mathrm {GF}(2)$ [Tzu09, Theorem 4.5], which in turn implies $(t,2^{t/2}\cdot \varepsilon )$-bitwise independence [NN93, Corollary 2.1].

We now turn to showing that $\mathcal {V}$ is $(d,\frac{d}{2^{n-1}})$-linear-fooling over $\mathrm {GF}(2^n)$ for any $d \le 2^n$. The proof is based on the work of [MV12, Theorem 3.5]. We prove that $\mathcal {V}$ is $(d,\frac{d}{2^{n-1}})$-linear-fooling over $\mathrm {GF}(2^n)$, i.e., for any distinct $a_1,\ldots ,a_d \in \mathrm {GF}(2^n)$, any d constants $b_1,\ldots ,b_t$ from $\mathrm {GF}(2^n)$ (that are not all equal to zero), we have that

$$\begin{aligned} \varDelta \left( \sum _{i=1}^d b_i \mathcal {V}_{k_0,k_1}(a_i)\ ;\ U_{\mathrm {GF}(2^n)}\right) \le \frac{d}{2^{n-1}}. \end{aligned}$$

After letting p(x) denote the polynomial $\sum _{i=1}^d \frac{b_i}{x+a_i} = \sum _{i=1}^d b_i (x+a_i)^{2^n-2}$, we get that $\sum _{i=1}^d b_i\mathcal {V}_{k_0,k_1}(a_i)$ can be rewritten as $k_1 \cdot p(k_0)$. Observe that conditioned on $p(k_0)\ne 0$, we have that $k_1 \cdot p(k_0)$ is uniformly distributed over $\mathrm {GF}(2^n)$. Hence, it suffices to show that p(x) has at most $2d-1$ distinct roots. First, we define auxiliary polynomials:

$$\begin{aligned} \overline{p}(x):=p(x) \cdot \prod _{j=1}^d(a_j + x) = \sum _{i=1}^d \left[ {b_i (x+a_i)^{2^n-1} \prod _{j \ne i} (a_j + x)}\right] , \end{aligned}$$

and

$$\begin{aligned} \overline{p}_*(x):=\sum _{i=1}^d b_i\prod _{j \ne i} (a_j + x). \end{aligned}$$

Observe that any root y of p(x) is also a root of $\overline{p}(x)$. Moreover, note that for any $y \not \in \{a_1,\ldots ,a_d\}$ we have that $\overline{p}(y) = \overline{p}_*(y)$ (since $y^{2^n-1} = 1$ for any non-zero y). Hence, the only possible roots of p(x) are the roots of $\overline{p}_*(x)$ and $\{a_1,\ldots ,a_d\}$. This means that in order to show that p(x) has at most $2d-1$ distinct roots, it is sufficient to show that $\overline{p}_*(x)$ has at most $d-1$ distinct roots. Because $\overline{p}_*(x)$ is a degree $d-1$ polynomial, this will always be the case unless $\overline{p}_*(x)$ is identically zero. This is ruled out by observing that $\overline{p}_*(a_i) \ne 0$, where i is chosen such that $b_i \ne 0$. Indeed, $\overline{p}_*(a_i) = b_i \prod _{j \ne i} (a_j + a_i)$ which is non-zero because $a_1,\ldots ,a_d$ are distinct.

(Complexity of $\mathcal {V}$) Finally, we turn to the analysis of the circuit complexity of $\mathcal {V}$. The complexity of $\mathcal {V}$ equals to the complexity of the division and summation circuits (dividing $k_1$ by $k_0 + x$). As stated in [MV12] this can be done by a $\mathbf {TC^0}$ circuit or by a circuit of size $O(n \log ^2n \log \log n)$ using the techniques of [GvzGPS00].

Notes

1.
A weak PRF is a relaxation of a PRF which is indistinguishable from a random function for an adversary whose queries are chosen uniformly at random.
2.
In fact, it seems better to allocate a larger fraction of the inputs to the Majority part. See [AL15].
3.
In Sect. 2 we provide a more general assumption which allows the hypergraph to be non-uniform, and is parameterized by an expansion parameter, by a predicate family $\mathcal {P}$ and by a concrete bound on the security of the function in terms of the (circuit) size of the adversary and its success probability. The above assumption is given here in a simplified form for ease of presentation.
4.
Formally, Assumption 1 implies that for a random hypergraph G, the function $f_{G,P}$ is one-way (since such a hypergraph is likely to be expanding). Then, we can apply the result of [App13].
5.
When analyzing parallel-complexity it is common to restrict the attention for the case where the key is fixed, cf. [NR95, NR97, NRR00, LW09, BMR10, MV12, ABG+14].
6.
Technically, this requires an extension of our assumption to the case of non-uniform hypergraphs, and the ability to analyze the function with respect to new predicates (obtained by restricting some of the inputs of the original predicate).
7.
We do not use general transformations from weak PRFs to standard PRFs (e.g., [NR97]) since they make a linear number of calls to the underlying weak PRF and therefore incur at least a quadratic overhead in the size of the resulting circuit.
8.
An analogous use of public randomness appears in the seminal Goldreich-Levin theorem [GL89] which can be viewed as search-to-decision reduction for the keyed function $f_k(x)=(g(x),\langle x,k \rangle )$.
9.
It is not hard to show that if M by itself is a PRF then security holds for $F_3$. The hope is to get somewhat weaker form of hiding, ideally, one which can be satisfied by some concrete and highly-efficient mapping M such as the one proposed here.
10.
In the terminology of learning theory this means that a random function from the family is hard to weakly-predict over the uniform distribution.
11.
Here and through the paper, we implicitly assume that for all $i\in [m]$ the arity of the i-th predicate $P_i$ matches the cardinality of the i-th hyperedge $S_i$ of G.
12.
The constants (1 / 3, 2 / 3) in the definition are somewhat arbitrary and it seems that any constants bounded away from 0 and 1 will do.
13.
The choice of the last bit unpredictability is without loss of generality since we can permute the order of the bits of $f_{G,P}$ (see [App13]).
14.
Specifically, sample a random index $\tau \in [n]$, and for every sub-hypergraph $H'_{i,j}$ and hyperedge $S\in H'_{i,j}$ swap the node $\phi _i^j(\ell ^*)$ with the node $\tau $, except for the first entry in the last hyperedge of $H_{i,j}$ which $\phi _i^j(\ell ^*)$ is replaced by j.
15.
The construction can be easily generalized to handle non-uniform hypergraphs and/or different predicates d-ary predicates for each output.

References

Akavia, A., Bogdanov, A., Guo, S., Kamath, A., Rosen, A.: Candidate weak pseudorandom functions in AC$^{0}$ MOD$_{2}$. In: Naor, M. (ed.) Innovations in Theoretical Computer Science, ITCS 2014, Princeton, NJ, USA, 12–14 January 2014, pp. 251–260. ACM (2014)
Google Scholar
Applebaum, B., Bogdanov, A., Rosen, A.: A dichotomy for local small-bias generators. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 600–617. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28914-9_34
Chapter Google Scholar
Applebaum, B., Barak, B., Wigderson, A.: Public-key cryptography from different assumptions. In: Schulman, L.J. (ed.) Proceedings of the 42nd ACM Symposium on Theory of Computing, STOC 2010, Cambridge, Massachusetts, USA, 5–8 June 2010, pp. 171–180. ACM (2010)
Google Scholar
Alekhnovich, M., Hirsch, E.A., Itsykson, D.: Exponential lower bounds for the running time of DPLL algorithms on satisfiable formulas. J. Autom. Reasoning 35(1–3), 51–72 (2005)
MathSciNet MATH Google Scholar
Ajtai, M., Komlós, J., Szemerédi, E.: An o(n log n) sorting network. In: Johnson, D.S., Fagin, R., Fredman, M.L., Harel, D., Karp, R.M., Lynch, N.A., Papadimitriou, C.H., Rivest, R.L., Ruzzo, W.L., Seiferas, J.I. (eds.) Proceedings of the 15th Annual ACM Symposium on Theory of Computing, Boston, Massachusetts, USA, 25–27 April 1983, pp. 1–9. ACM (1983)
Google Scholar
Applebaum, B., Lovett, S.: Algebraic attacks against random local functions, their countermeasures. In: Electronic Colloquium on Computational Complexity (ECCC), STOC 2016, vol. 22, p. 172 (2015, to appear)
Google Scholar
Alekhnovich, M.: More on average case vs approximation complexity. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, Proceedings, 11–14 October 2003, pp. 298–307. IEEE Computer Society (2003)
Google Scholar
Applebaum, B.: Pseudorandom generators with long stretch, low locality from random local one-way functions. SIAM J. Comput. 42(5), 2008–2037 (2013). Preliminary version in STOC 2012
Article MathSciNet MATH Google Scholar
Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 162–172. Springer, Heidelberg (2014). doi:10.1007/978-3-662-45608-8_9
Google Scholar
Applebaum, B.: Cryptographic hardness of random local functions - survey. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 22, p. 27 (2015)
Google Scholar
Applebaum, B., Raykov, P.: Fast pseudorandom functions based on expander graphs. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 23, p. 82 (2016). Full version of this paper
Google Scholar
Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_24
Google Scholar
Brodsky, A., Hoory, S.: Simple permutations mix even better. Random Struct. Algorithms 32(3), 274–289 (2008)
Article MathSciNet MATH Google Scholar
Berman, I., Haitner, I.: From non-adaptive to adaptive pseudorandom functions. J. Cryptol. 28(2), 297–311 (2015)
Article MathSciNet MATH Google Scholar
Boneh, D., Montgomery, H.W., Raghunathan, A.: Algebraic pseudorandom functions with improved efficiency from the augmented cascade. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V. (eds.) Proceedings of the 17th ACM Conference on Computer and Communications Security, CCS 2010, Chicago, Illinois, USA, 4–8 October 2010, pp. 131–140. ACM (2010)
Google Scholar
Banerjee, A., Peikert, C., Rosen, A.: Pseudorandom functions and lattices. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 719–737. Springer, Heidelberg (2012). doi:10.1007/978-3-642-29011-4_42
Chapter Google Scholar
Bogdanov, A., Qiao, Y.: On the security of Goldreich’s one-way function. Comput. Complexity 21(1), 83–127 (2012)
Article MathSciNet MATH Google Scholar
Bogdanov, A., Rosen, A.: Input locality and hardness amplification. J. Cryptol. 26(1), 144–171 (2013)
Article MathSciNet MATH Google Scholar
Cook, J., Etesami, O., Miller, R., Trevisan, L.: On the one-way function candidate proposed by Goldreich. ACM Trans. Comput. Theor. 6(3), 1401–1435 (2014)
Article MathSciNet Google Scholar
Chor, B., Goldreich, O., Håstad, J., Friedman, J., Rudich, S., Smolensky, R.: The bit extraction problem of t-resilient functions (preliminary version). In: 26th Annual Symposium on Foundations of Computer Science, Portland, Oregon, USA, 21–23 October 1985, pp. 396–407. IEEE Computer Society (1985)
Google Scholar
Damgård, I., Ishai, Y.: Constant-round multiparty computation using a black-box pseudorandom generator. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 378–394. Springer, Heidelberg (2005). doi:10.1007/11535218_23
Chapter Google Scholar
Daniely, A., Linial, N., Shalev-Shwartz, S.: From average case complexity to improper learning complexity. In: Shmoys, D.B. (ed.) Symposium on Theory of Computing, STOC 2014, New York, NY, USA, 31 May – 03 June 2014, pp. 441–448. ACM (2014)
Google Scholar
Feldman, V., Perkins, W., Vempala, S.: On the complexity of random satisfiability problems with planted solutions. In: Servedio, R.A., Rubinfeld, R. (eds.) Proceedings of the Forty-Seventh Annual ACM on Symposium on Theory of Computing, STOC 2015, Portland, OR, USA, 14–17 June 2015, pp. 77–86. ACM (2015)
Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
Article MathSciNet MATH Google Scholar
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: Johnson, D.S. (ed.) Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, Washigton, USA, 14–17 May 1989, pp. 25–32. ACM (1989)
Google Scholar
Goldreich, O.: Candidate one-way functions based on expander graphs. In: Electronic Colloquium on Computational Complexity (ECCC), vol. 7, no. 90 (2000)
Google Scholar
Gowers, W.T.: An almost m-wise independent random permutation of the cube. Comb. Probab. Comput. 5(2), 119–130 (1996)
Article MathSciNet MATH Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_11
Chapter Google Scholar
Gao, S., von Zur Gathen, J., Panario, D., Shoup, V.: Algorithms for exponentiation in finite fields. J. Symb. Comput. 29(6), 879–889 (2000)
Article MathSciNet MATH Google Scholar
Håstad, J., Impagliazzo, R., Levin, L.A., Luby, M.: A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999). Preliminary versions in STOC 1989 and STOC 1990
Article MathSciNet MATH Google Scholar
Hoory, S., Magen, A., Myers, S., Rackoff, C.: Simple permutations mix well. Theor. Comput. Sci. 348(2–3), 251–261 (2005)
Article MathSciNet MATH Google Scholar
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: Dwork, C. (ed.) Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 17–20, 2008, pp. 433–442. ACM (2008)
Google Scholar
Kharitonov, M.: Cryptographic hardness of distribution-specific learning. In: Kosaraju, S.R., Johnson, D.S., Aggarwal, A. (eds.) Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, San Diego, CA, USA, 16–18 May 1993, pp. 372–381. ACM (1993)
Google Scholar
Klivans, A.R., Sherstov, A.A.: Cryptographic hardness for learning intersections of halfspaces. J. Comput. Syst. Sci. 75(1), 2–12 (2009)
Article MathSciNet MATH Google Scholar
Ladner, R.E., Fischer, M.J.: Parallel prefix computation. J. ACM 27(4), 831–838 (1980)
Article MathSciNet MATH Google Scholar
Linial, N., Mansour, Y., Nisan, N.: Constant depth circuits, fourier transform, and learnability. J. ACM 40(3), 607–620 (1993)
Article MathSciNet MATH Google Scholar
Lewko, A.B., Waters, B.: Efficient pseudorandom functions from the decisional linear assumption and weaker variants. In: Al-Shaer, E., Jha, S., Keromytis, A.D. (eds.) Proceedings of the 2009 ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, 9–13 November 2009, pp. 112–120. ACM (2009)
Google Scholar
Muller, D.E., Preparata, F.P.: Bounds to complexities of networks for sorting and for switching. J. ACM 22(2), 195–201 (1975)
Article MathSciNet MATH Google Scholar
Mossel, E., Shpilka, A., Trevisan, L.: On e-biased generators in NC0. In: 44th Symposium on Foundations of Computer Science (FOCS 2003), Cambridge, MA, USA, Proceedings, 11–14 October 2003, pp. 136–145. IEEE Computer Society (2003)
Google Scholar
Miles, E., Viola, E.: Substitution-permutation networks, pseudorandom functions, and natural proofs. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 68–85. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32009-5_5
Chapter Google Scholar
Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. SIAM J. Comput. 22(4), 838–856 (1993)
Article MathSciNet MATH Google Scholar
Naor, M., Reingold, O.: Synthesizers and their application to the parallel construction of psuedo-random functions. In: 36th Annual Symposium on Foundations of Computer Science, Milwaukee, Wisconsin, 23–25 October 1995, pp. 170–181. IEEE Computer Society (1995)
Google Scholar
Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. In: 38th Annual Symposium on Foundations of Computer Science, FOCS 1997, Miami Beach, Florida, USA, 19–22 October 1997, pp. 458–467. IEEE Computer Society (1997)
Google Scholar
Naor, M., Reingold, O., Rosen, A.: Pseudo-random functions and factoring (extended abstract). In: Yao, F.F., Luks, E.M. (eds.) Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, Portland, OR, USA, 21–23 May 2000, pp. 11–20. ACM (2000)
Google Scholar
O’Donnell, R., Witmer, D., Goldreich’s, P.R.G.: Evidence for near-optimal polynomial stretch. In: IEEE 29th Conference on Computational Complexity, CCC 2014, Vancouver, BC, Canada, June 11–13, 2014, pp. 1–12. IEEE (2014)
Google Scholar
Pippenger, N., Fischer, M.J.: Relations among complexity measures. J. ACM 26(2), 361–381 (1979)
Article MathSciNet MATH Google Scholar
Pitt, L., Warmuth, M.K.: Reductions among prediction problems on the difficulty of predicting automata. In: Proceedings: Third Annual Structure in Complexity Theory Conference, Georgetown University, Washington, D.C., USA, 14–17 June 1988, pp. 60–69. IEEE Computer Society (1988)
Google Scholar
Razborov, A.A., Rudich, S.: Natural proofs. J. Comput. Syst. Sci. 55(1), 24–35 (1997)
Article MathSciNet MATH Google Scholar
Tzur, Y.: Notions of weak pseudorandomness and ${\rm GF}(2^n)$-polynomials. Master’s thesis, Weizmann Institute of Science (2009)
Google Scholar
Valiant, L.G.: A theory of the learnable. In: DeMillo, R.A. (ed.) Proceedings of the 16th Annual ACM Symposium on Theory of Computing, Washington, DC, USA, 30 April–2 May1984, pp. 436–445. ACM (1984)
Google Scholar
Wegener, I.: The Complexity of Boolean Functions. Teubner/Wiley, Stuttgart (1987)
MATH Google Scholar
Yao, A.C.: Theory and applications of trapdoor functions (extended abstract). In: 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3–5 November 1982, pp. 80–91. IEEE Computer Society (1982)
Google Scholar

Download references

Acknowledgement

We thank Adam Klivans and Shai Shalev-Shwartz for helpful discussions.

Author information

Authors and Affiliations

School of Electrical Engineering, Tel-Aviv University, Tel Aviv, Israel
Benny Applebaum & Pavel Raykov

Authors

Benny Applebaum
View author publications
You can also search for this author in PubMed Google Scholar
Pavel Raykov
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Benny Applebaum .

Editor information

Editors and Affiliations

Department of Computer Science, ETH Zurich, Zurich, Switzerland
Martin Hirt
Pennsylvania State University, University Park, Pennsylvania, USA
Adam Smith

A Array Multi-access in Quasilinear Time

We consider the following functionality. Given $\ell =n/\log n$ indices of length $\log n$ each $I[1],\ldots ,I[\ell ]$ and a data vector $K\in \{0,1\}^n$ output $K[I[1]],\ldots ,K[I[\ell ]]$. We will show that this can done by $O(n \log ^2 n \log \log n)$-size circuit. We assume that the input indices are sorted which is without loss of generality since t elements of bit-length $b=\log n$ can be sorted by a circuit of size $O(b\ell \log \ell )=O(n \log n)$ (e.g., using a sorting network [AKS83] where comparison is implemented via Parallel Prefix Computation [LF80]). Instead of describing an $O(n \log ^2 n \log \log n)$-size circuit, we describe a Turing Machine M that solves the problem in time $T=O(n \log n)$ using a constant number of tapes. The latter can be simulated by a circuit of size $O(T \log T)$ (e.g., by turning the computation M into an oblivious Turing machine $M'$ of complexity $O(T \log T)$ [PF79] and then moving to a circuit of size $O(T \log T)$). We sketch the description of the machine M. The machine M places the indices I on one tape, the data K on another tape and places the output on a special output tape. During its run, M maintains two counters i and j which are initialized to 1. At each step, M checks if the index I[i] equals to j if this is the case then K[j] is written to the current position in the output tape. Also, the head of the output tape is moved one step and the head of the index tape is moved to the next index. In case of inequality, the head of the data tape is moved forward by one step, and the counter j is increased by one. Since each step costs $O(\log n)$ operations and there are at most n steps, the overall complexity is $O(n \log n)$.

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Applebaum, B., Raykov, P. (2016). Fast Pseudorandom Functions Based on Expander Graphs. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9985. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53641-4_2

Download citation

DOI: https://doi.org/10.1007/978-3-662-53641-4_2
Published: 22 October 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53640-7
Online ISBN: 978-3-662-53641-4
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Fast Pseudorandom Functions Based on Expander Graphs

Abstract

Similar content being viewed by others

Fast Pseudorandomness for Independence and Load Balancing

A Dichotomy for Local Small-Bias Generators

Efficient Pseudorandom Functions via On-the-Fly Adaptation

Keywords

1 Introduction

1.1 Goldreich’s One-Way Function

Assumption 1 (Expander-based OWFs (Informal))

1.2 Results and Techniques

1.3 Related Candidate PRFs

1.4 Conclusion

1.5 Organization

2 Preliminaries

Definition 1 (PRF)

Definition 2

Definition 3 (Generalized Bit-Fixing Source)

Lemma 1

Lemma 2

2.1 Expander-Based Functions

Definition 4

3 From One-Wayness to Pseudorandomness

Theorem 1

Corollary 1

3.1 Proof of Theorem 1

Lemma 3

Proof

Claim

Proof

Claim

Proof

4 PRF Constructions

4.1 Instantiation \(F_1\)

Theorem 2

Proof

Remark 1

Corollary 2

Proof

4.2 Instantiation \(F_2\)

Theorem 3

Proof

Lemma 4

Corollary 3

Proof

4.3 Instantiation \(F_3\)

Theorem 4

Proof

Corollary 4

Proof

Theorem 5

Proof

Notes

References

Acknowledgement

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

A Array Multi-access in Quasilinear Time

A Array Multi-access in Quasilinear Time

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation