Pseudo-random Synthesizers, Functions and Permutations (Doctor of Philosophy dissertation)

Author

  • Omer Reingold
Abstract

The research reflected in this dissertation is a study of (computational) pseudo-randomness. More specifically, the main objective of this research is the efficient and simple construction of pseudo-random functions and permutations [62, 90], where efficiency refers both to the sequential and parallel time complexity of the computation. Pseudo-random functions and permutations are fundamental cryptographic primitives with many applications in cryptography and more generally in computational complexity.

Constructions of Pseudo-Random Functions

For our constructions of pseudo-random functions, we introduce and study a new cryptographic primitive which we call a pseudo-random synthesizer and a generalization of this primitive which we call a k-dimensional pseudo-random synthesizer. These primitives are of independent interest as well. In addition, we consider various applications of our constructions and study some of the underlying cryptographic assumptions used in these constructions. The main results obtained by this research are:

  • Introducing new cryptographic primitives called pseudo-random synthesizer and k-dimensional pseudo-random synthesizer.
  • Using pseudo-random synthesizers for a parallel construction of a pseudo-random function (the depth of the functions is larger by a logarithmic factor than the depth of the synthesizers).
  • Showing several NC^1 implementations of synthesizers based on concrete intractability assumptions such as factoring and the computational Diffie-Hellman assumption.
  • Showing a very simple, parallel construction of synthesizers based on what we call weak pseudo-random functions, which implies simple constructions of synthesizers based on trapdoor one-way permutations and based on any hard-to-learn problem (under the definition of [23]).

These results yield the first parallel pseudo-random functions (based on computational intractability assumptions) and the first alternative to the original construction of Goldreich, Goldwasser and Micali [62].
In addition, we show two new constructions of pseudo-random functions (that are related to the construction based on synthesizers). The pseudo-randomness of one construction is proven under the assumption that factoring is hard, while the other construction is pseudo-random if the decisional version of the Diffie-Hellman assumption holds. These functions have the following properties:

  • They are much more efficient than previous proposals: computing the value of our functions at any given point involves two subset products.
  • They are in TC^0 (the class of functions computable by constant depth circuits consisting of a polynomial number of threshold gates). This fact has several interesting applications.
  • They have a simple algebraic structure that implies additional features. In particular, we show a zero-knowledge proof for statements of the form "y = f_s(x)" and "y ≠ f_s(x)" given a commitment to a key s of a pseudo-random function f_s.

We discuss some applications of our constructions in cryptography (including applications in public-key cryptography) as well as their consequences in computational complexity and in computational learning-theory.

Constructions of Pseudo-Random Permutations

Luby and Rackoff [90] showed a method for constructing a pseudo-random permutation from a pseudo-random function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudo-random function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feistel permutations are sufficient together with initial and final pair-wise independent permutations. The revised construction and proof provide a framework in which similar constructions may be designed and their security can be easily proved.
We demonstrate this by presenting some additional adjustments of the construction that achieve the following:

  • Reduce the success probability of the adversary.
  • Provide a construction of pseudo-random permutations with large input-length using pseudo-random functions with small input length.

A Study of Some Number-Theoretical Assumptions

Our research includes a study of two number-theoretical assumptions that are related to the Diffie-Hellman key-exchange protocol and that are used in our constructions of pseudo-random functions. The first is the decisional version of the Diffie-Hellman assumption (DDH-Assumption). This assumption is relatively new, or more accurately, was explicitly considered only recently. We therefore survey some of the different applications of the assumption and the current knowledge on its security. Furthermore, we show a randomized reduction of the worst-case DDH-Assumption to its average case (based on the random-self-reducibility of the DDH-Problem that was previously used by Stadler [143]). We consider our research of the DDH-Assumption to be of independent importance given that the assumption was recently used in quite a few interesting applications (e.g., [45]).

The second assumption we study is the generalized Diffie-Hellman assumption (GDH-Assumption). This assumption was originally considered in the context of a generalization of the Diffie-Hellman key-exchange protocol to k > 2 parties. We prove that breaking this assumption modulo a so-called Blum-integer would imply an efficient algorithm for factoring Blum-integers. Therefore, both the generalized key-exchange protocol and our pseudo-random function (that is based on the GDH-Assumption) are secure as long as factoring Blum-integers is hard. Our reduction strengthens a previous "worst-case" reduction of Shmuely [139].
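The revised Luby-Rackoff construction summarized in the abstract (two Feistel permutations between an initial and a final pair-wise independent permutation), as an added sketch that is not code from the dissertation. The 64-bit block, the affine maps x -> a*x + b over GF(2^64) as the pair-wise independent family, the order of composition, and truncated HMAC-SHA256 as a stand-in pseudo-random function are assumptions made for illustration.

```python
import hmac, hashlib, secrets

N, HALF, POLY = 64, 32, 0x1B      # assumed block size; x^64 + x^4 + x^3 + x + 1
MASK = (1 << HALF) - 1

def gf_mul(a, b):                 # shift-and-add multiplication in GF(2^64)
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> N:                # degree reached 64: reduce modulo POLY
            a = a ^ (1 << N) ^ POLY
    return r

def gf_inv(a):                    # a^(2^64 - 2) = a^2 * a^4 * ... * a^(2^63)
    r = 1
    for _ in range(N - 1):
        a = gf_mul(a, a)
        r = gf_mul(r, a)
    return r

def h_apply(h, x):                # pair-wise independent permutation a*x + b
    return gf_mul(h[0], x) ^ h[1]

def h_invert(h, y):               # its inverse: a^-1 * (y + b)
    return gf_mul(gf_inv(h[0]), y ^ h[1])

def prf(key, x):                  # stand-in PRF on 32-bit inputs (assumption)
    d = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(d[:4], "big")

def keygen():
    affine = lambda: (secrets.randbelow((1 << N) - 1) + 1, secrets.randbits(N))
    return {"h1": affine(), "h2": affine(),
            "f1": secrets.token_bytes(32), "f2": secrets.token_bytes(32)}

def encrypt(k, x):
    x = h_apply(k["h1"], x)                   # initial permutation
    L, R = x >> HALF, x & MASK
    for f in (k["f1"], k["f2"]):              # only two Feistel rounds
        L, R = R, L ^ prf(f, R)
    return h_apply(k["h2"], (L << HALF) | R)  # final permutation

def decrypt(k, y):
    y = h_invert(k["h2"], y)
    L, R = y >> HALF, y & MASK
    for f in (k["f2"], k["f1"]):              # undo the rounds in reverse order
        L, R = R ^ prf(f, L), L
    return h_invert(k["h1"], (L << HALF) | R)
```

The two outer permutations cost one field multiplication each and no PRF call, so each block needs two PRF evaluations instead of the four (or three) in the original composition.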


Similar resources

Pseudo Random Synthesizers Functions and Permutations

The research reflected in this dissertation is a study of computational pseudo-randomness. More specifically, the main objective of this research is the efficient and simple construction of pseudo-random functions and permutations, where efficiency refers both to the sequential and parallel time complexity of the computation. Pseudo-random functions and permutations are fundamental cryptographic primitiv...


Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions

A pseudo-random function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudo-random synthesizer and show how to use it in order to get a parallel construction of a pseudo-random function. We show several NC^1 implementations of synthesizers based on concrete intractability assumption...


Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions

A pseudo-random function is a fundamental cryptographic primitive that is essential for encryption, identification and authentication. We present a new cryptographic primitive called pseudo-random synthesizer and show how to use it in order to get a parallel construction of a pseudo-random function. We show several NC^1 implementations of synthesizers based on concrete intractability assumptions ...


Design of near-optimal pseudorandom functions and pseudorandom permutations in the information-theoretic model

In this paper we will extend the Benes and Luby-Rackoff constructions to design various pseudo-random functions and pseudo-random permutations with near optimal information-theoretic properties. An example of application is when Alice wants to transmit to Bob some messages against Charlie, an adversary with unlimited computing power, when Charlie can receive only a percentage τ of the transmitt...


On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

Luby and Rackoff [27] showed a method for constructing a pseudo-random permutation from a pseudo-random function. The method is based on composing four (or three for weakened security) so-called Feistel permutations, each of which requires the evaluation of a pseudo-random function. We reduce somewhat the complexity of the construction and simplify its proof of security by showing that two Feiste...



Publication date: 1998