A Remark on One-Wayness versus Pseudorandomness
Abstract
Every pseudorandom generator is in particular a one-way function. If we only consider part of the output of the pseudorandom generator, is this still one-way? Here is a general setting formalizing this question. Suppose G : {0, 1} → {0, 1} is a pseudorandom generator with stretch $\ell(n)$. Let $M_R \in \{0,1\}^{m(n) \times \ell(n)}$ be a linear operator computable in polynomial time given randomness $R$. Consider the function $F(x, R) = (M_R G(x), R)$. We obtain the following results.

– There exists a pseudorandom generator s.t. for every positive constant $\mu < 1$ and for an arbitrary polynomial time computable $M_R \in \{0,1\}^{(1-\mu)n \times \ell(n)}$, $F$ is not one-way. Furthermore, our construction yields a tradeoff between the hardness of the pseudorandom generator and the output length $m(n)$. For example, given $\alpha = \alpha(n)$ and a 2-hard pseudorandom generator we construct a 2-hard pseudorandom generator such that $F$ is not one-way, where $m(n) \le \beta n$ and $\alpha + \beta = 1 - o(1)$.

– We show this tradeoff to be tight for 1-1 pseudorandom generators. That is, for any G which is a 2-hard 1-1 pseudorandom generator, if α + β = 1 + then there is $M_R \in \{0,1\}^{\beta n \times \ell(n)}$ such that $F$ is a Ω(2 )-hard one-way function.