TY - GEN
T1 - Structural Lower Bounds on Black-Box Constructions of Pseudorandom Functions
AU - Beimel, Amos
AU - Malkin, Tal
AU - Mazor, Noam
N1 - Publisher Copyright:
© International Association for Cryptologic Research 2024.
PY - 2024/1/1
Y1 - 2024/1/1
N2 - We address the black-box complexity of constructing pseudorandom functions (PRF) from pseudorandom generators (PRG). The celebrated GGM construction of Goldreich, Goldwasser, and Micali (Crypto 1984) provides such a construction, which (even when combined with Levin’s domain-extension trick) has super-logarithmic depth. Despite many years and much effort, this remains essentially the best construction we have to date. On the negative side, one step is provided by the work of Miles and Viola (TCC 2011), which shows that a black-box construction which just calls the PRG once and outputs one of its output bits, cannot be a PRF. In this work, we make significant further progress: we rule out black-box constructions of PRF from PRG that follow certain structural constraints, but may call the PRG adaptively polynomially many times. In particular, we define “tree constructions” which generalize the GGM structure: they apply the PRG G along a tree path, but allow for different choices of functions to compute the children of a node on the tree and to compute the next node on the computation path down the tree. We prove that a tree construction of logarithmic depth cannot be a PRF (while GGM is a tree construction of super-logarithmic depth). We also show several other results and discuss the special case of one-call constructions. Our main results in fact rule out even weak PRF constructions with one output bit. We use the oracle separation methodology introduced by Gertner, Malkin, and Reingold (FOCS 2001), and show that for any candidate black-box construction FG from G, there exists an oracle relative to which G is a PRG, but FG is not a PRF.
AB - We address the black-box complexity of constructing pseudorandom functions (PRF) from pseudorandom generators (PRG). The celebrated GGM construction of Goldreich, Goldwasser, and Micali (Crypto 1984) provides such a construction, which (even when combined with Levin’s domain-extension trick) has super-logarithmic depth. Despite many years and much effort, this remains essentially the best construction we have to date. On the negative side, one step is provided by the work of Miles and Viola (TCC 2011), which shows that a black-box construction which just calls the PRG once and outputs one of its output bits, cannot be a PRF. In this work, we make significant further progress: we rule out black-box constructions of PRF from PRG that follow certain structural constraints, but may call the PRG adaptively polynomially many times. In particular, we define “tree constructions” which generalize the GGM structure: they apply the PRG G along a tree path, but allow for different choices of functions to compute the children of a node on the tree and to compute the next node on the computation path down the tree. We prove that a tree construction of logarithmic depth cannot be a PRF (while GGM is a tree construction of super-logarithmic depth). We also show several other results and discuss the special case of one-call constructions. Our main results in fact rule out even weak PRF constructions with one output bit. We use the oracle separation methodology introduced by Gertner, Malkin, and Reingold (FOCS 2001), and show that for any candidate black-box construction FG from G, there exists an oracle relative to which G is a PRG, but FG is not a PRF.
UR - http://www.scopus.com/inward/record.url?scp=85202293504&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-68388-6_16
DO - 10.1007/978-3-031-68388-6_16
M3 - Conference contribution
AN - SCOPUS:85202293504
SN - 9783031683879
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 459
EP - 488
BT - Advances in Cryptology – CRYPTO 2024 - 44th Annual International Cryptology Conference, Proceedings
A2 - Reyzin, Leonid
A2 - Stebila, Douglas
PB - Springer Science and Business Media Deutschland GmbH
T2 - 44th Annual International Cryptology Conference, CRYPTO 2024
Y2 - 18 August 2024 through 22 August 2024
ER -