Minimizing the Complexity of Goldreich's Pseudorandom Generator

In the study of cryptography in NC, it was previously known that Goldreich’s candidate pseudorandom generator (PRG) is insecure when instantiated with a predicate P in 4 or fewer variables, if one wants to achieve polynomial stretch (that is, stretching n bits to n bits for some constant > 0). The current standard candidate predicate for this setting is the “tri-sumand” predicate TSA(x) = XOR3⊕AND2(x) = x1⊕x2⊕x3⊕x4x5, yielding a candidate PRG of locality 5. Moreover, Goldreich’s PRG, when instantiated with TSA as the predicate, is known to be secure against several families of attacks, including F2-linear attacks and attacks using SDP hierarchies such as the Lasserre/Parrilo sum-of-squares hierarchy. However, it was previously unknown if TSA is an “optimal” predicate according to other complexity measures: in particular, decision tree (DT-)complexity (i.e., the smallest depth of a binary decision tree computing P ) and Q-degree (i.e., the degree of P as a polynomial over Q), which are important measures of complexity in cryptographic applications such as the construction of an indistinguishability obfuscation scheme. In this work, we ask: Can Goldreich’s PRG be instantiated with a predicate with DT-complexity or Q-degree less than 5? We show that this is indeed possible: we give a candidate predicate for Goldreich’s PRG with DT-complexity 4 and Q-degree 3; in particular, this candidate PRG therefore has the property that every output bit is a degree 3 polynomial in its input. Moreover, Goldreich’s PRG instantiated with our predicate has security properties similar to what is known for TSA, namely security against F2-linear attacks and security against attacks from SDP hierarchies such as the Lasserre/Parrilo sum-of-squares hierarchy. We also show that all predicates with either DT-complexity less than 4 or Q-degree less than 3 yield insecure PRGs, so our candidate predicate simultaneously achieves the best possible locality, DT-complexity, Q-degree, and F2-degree according to all known attacks. ∗E-mail: [email protected]. Supported by an Akamai Presidential Fellowship. †E-mail: [email protected]. Research supported in part by NSF Grants CNS-1350619 and CNS-1414119, Alfred P. Sloan Research Fellowship, Microsoft Faculty Fellowship, the NEC Corporation, a Steven and Renee Finn Career Development Chair from MIT. This work was also sponsored in part by the Defense Advanced Research Projects Agency (DARPA) and the U.S. Army Research Office under contracts W911NF-15-C-0226.