### On Pseudorandom Generators with linear stretch in NC0

```FOC-2
Cryptography with Low Complexity: 2
Benny Applebaum and Iftach Haitner
Tel-Aviv University
Reminder: Local Functions
Function fG,Q defined by:
• (m,n,d) graph G
• single predicate Q:{0,1}d{0,1}
Fm,n,Q collection {fG,Q} where G is random (m,n,d) graph
yi= Q(x1,x2,x5)
y1
ym
OUTPUT
INPUT
X1
Xn
Goldreich’s Assumption [ECCC ‘00]
Conjecture:
for random
Q ,(single)
and  expander
G, m=n
Use
expander
graph predicate
+ “good”
predicate
inversion takes exp((n))-time
• First candidate for optimal one-way function
• Random local function is whp exp-hard to invert
• Constraint Satisfaction Problems are cryptographically-hard
yi= Q(x1,x2,x5)
OUTPUT
expander: every set of n/3
outputs touch 2n/3 inputs
INPUT
X
X
Generalization to Long Output
OW-Conjecture: for properly chosen predicate Q, any graph G
inversion complexity is exponential in the expansion of G
Params: output length m, predicate Q, locality d, expansion quality
• Larger m  easier to attack  security requires more “robust” predicates
• Weaker variant: for random graphs no poly-time inversion
• Strong variant confirmed for many classes of attacks
[CEMT09,ABW10,A12,ABR12,BR11,BQ12,OW14,FPV15,AL16, KMOW16]
yi= Q(x1,x2,x5)
y1
ym
See survey [A15]
OUTPUT
INPUT
X
X
PRG variant
PRG conjecture: for most graphs and properly chosen
predicate Q, the resulting function is a pseudorandom generator
Parameters: output length m, predicate Q, locality d
Q: For output length m=ns, which predicates satisfy conjecture?
Call such predicates s-pseudorandom
yi= Q(x1,x2,x5)
y1
ym
OUTPUT
INPUT
X1
Xn
Known Necessary Conditions [MST03,…]
To achieve s-pseudorandommness Q must have
• Resiliency of k=2s-1 [O’DonnelWitmer14]
• Q is uncorrelated with parities of k-subsets of the input
• Equivalently, Q is an extractor for bit fixing source
Q(x1,x2,x5)
y1
ym
OUTPUT
INPUT
X1
Xn
Known Necessary Conditions [MST03,…]
To achieve s-pseudorandommness Q must have
• Resiliency of 2s-1 [O’DonnelWitmer14]
• Algebraic degree of s over the binary field
• Otherwise, attack based on linearization + Gaussian
elimination
yi= XOR(x1,x2,x5)
y1
ym
OUTPUT
INPUT
X1
Xn
Degree+Resiliency Psdrandomness?
Intuition: Resiliency defeats all local attacks
• Sub-exponential AC0 circuits [ABogdanovRosen12]
• Semidefinite programs [O’DonnelWitmer14]
• Statistical algorithms [FeldmanPerkinsVempala15]
except for Gaussian Elimination which is defeated by degree
Q1: large degree & resiliency  s-psdrandomness ?
• Conjectured by [FPV15] for planted CSP
• Candidate [OW14, A14]: (W1…  W2k)  (W2k+1…  W3k) is k-psd
Evidence: Hardness against Linear Tests
Q1: large degree & resiliency  s-psdrandomness ?
Thm [ABR12]: deg,res≥2  1.24-psd. against linear attacks
y6 … y11
y1
ym
OUTPUT
INPUT
X1
Xn
Evidence: Hardness against Linear Tests
Q1: large degree & resiliency  s-psdrandomness ?
Thm [ABR12]: deg,res≥2  1.24-psd. against linear attacks
• f is low-bias generator (for most graphs)
• Linear tests require both resiliency and degree
• Capture most known attacks (local/global)
• [OW14] Extended to s=1.5 for XOR-AND predicate
Today (part 1)
1. Power of Linear Attacks for longer outputs
2. Power of Algebraic Attacks
Refute the above conjecture & provide fixes
Characterization of Security against Linear Tests
Thm 1: Q is s-psd against Linear Tests 
Q is k-resilient & r-bit fixing degree e for k,r,e=(s).
after fixing r inputs deg(Q) e
Characterization of Security against Linear Tests
Thm 1: Q is s-psd against Linear Tests 
Q is k-resilient & r-bit fixing degree e for k,r,e=(s).
• Works for arbitrarily long outputs
Cor 1:  d-local low-bias generators with output n(d)
Cor 2: degree+resiliency NOT imply pseudorandomness
• (W1…  W2k)  (W2k+1…  W3k) is not 2-psd against linear tests
Necessity of bit-fixing degree
Lemma: r-bit fixing degree e  NOT (r+e)-psd for linear tests
For 1-o(1) fraction of graphs G, exists linear test L s.t.
biasL(fG,P)=|Prx[L(fG,Q(x)=1]-Pr[L(U)=1]| is positive constant
Necessity of bit-fixing degree
Lemma: r-bit fixing degree e  NOT (r+e)-psd for linear tests
• Assume deg(Q|w1,..,wr =0)=e
• S=set of outputs whose first r-inputs are x1,..,xr
OUTPUT
|S|=ns/nr>2ne
INPUT
X1
Xr
Xn
Necessity of bit-fixing degree
Lemma: r-bit fixing degree e  NOT (r+e)-psd for linear tests
• Conditioned on x1=…=xr=0 all S-outputs are deg-e poly’s
 many linear dependencies over these polynomials
Pr[L1(yS)=0 &… & Lr+1(yS)=0]>Pr[x1=…=xr=0]=2-r
• The r.v’s L1,…,Lr+1 are (1)-far from uniform
OUTPUT
|S|=ns/nr>2ne
INPUT
X1
Xr
Xn
Necessity of bit-fixing degree
Lemma: r-bit fixing degree e  NOT (r+e)-psd for linear tests
• Conditioned on x1=…=xr=0 all S-outputs are deg-e poly’s
 many linear dependencies over these polynomials
Pr[L1(yS)=0 &… & Lr+1(yS)=0]>Pr[x1=…=xr=0]=2-r
• The r.v’s L1,…,Lr+1 are (1)-far from uniform
•  Linear test over y’s with constant bias
OUTPUT
|S|=ns/nr>2ne
INPUT
X1
Xr
Xn
Bit-fixing degree+Resiliency low-bias
y1
ym
OUTPUT
INPUT
X1
Xn
Bit-fixing degree+Resiliency low-bias
Proof plan
• “Short test” handled by resiliency+expansion [ABR12]
• “Long test” is handled by large fixing-degree + expansion
y1
ym
OUTPUT
INPUT
X1
Xn
Bit-fixing degree+Resiliency low-bias
OUTPUT
INPUT
X1
Xn
More Details (long tests)
A
OUTPUT
INPUT
More Details (long tests)
A
OUTPUT
K
INPUT
More Details (long tests)
OUTPUT
INPUT
Proof
Step 1: Handling frequent inputs & their neighbors.
Fix all “frequent inputs” of degree>2d/t |A|.
• By Markov, at most t/2 such nodes.
OUTPUT
INPUT
Proof
OUTPUT
INPUT
Proof
OUTPUT
INPUT
Proof
Step 2: Finding pairwise disjoint outputs
Fix all inputs which do not touch a green output (potential leader)
OUTPUT
INPUT
Proof
OUTPUT
INPUT
Proof
OUTPUT
INPUT
Algebraic Attacks
Beyond Bit-Fixing Degree
• The predicate Q=ORXOR has (k-1)-bit fixing degree of k
• But Q(w)=0 implies XOR(w1,..,wd)=0
OR
k
k
Beyond Bit-Fixing Degree
• The predicate Q=ORXOR has (k-1)-bit fixing degree of k
• But Q(w)=0 implies XOR(w1,..,wd)=0
• Q is insecure: replace 0-outputs with low-degree equations
• New attack (is not captured by a linear distinguisher)
How to analyze this attack? How to model it? Can we resist it?
0= XOR(x1,x2,x5)
0= Q(x1,x2,x5)
y1
ym
OUTPUT
INPUT
k
Algebraic Attacks [Shannon49, Patarin95,…]
Goal: Given y=f(x) recover hidden vars x=(x1,…,xn)
• Write y=f(x) as a system of polynomial equations
f1(x)-y1=0,…., fm(x)-ym=0
• The system is further manipulated and extended
- e.g., by multiplying the polynomials by some low-degree polynomial
• Eventually a solution is found
- e.g., via linearization & Gaussian elimination, or by Grobner basis
• Well studied in the cryptanalysis literature (e.g., for LFSR-based ciphers)
[Courtois01-03, CMeier03, CourtoisKlimovPatarinShamir00, Faugere99-02]
• Attacks & counter measures typically lack formal analysis
• No formal model of such attacks
Formalizing Algebraic Attacks
We formalize algebraic attacks via the Polynomial Calculus Proof system
[CleggEdmondsImpagliazzo96]
Goal: Given y=f(x) recover hidden vars x=(x1,…,xn)
1. Initialize system of polynomial equations
S={f1(x)-y1=0,…., fm(x)-ym=0}
2. “Scheduler” extends S by adding either
• xi*P(x)=0 for some xi and some PS or
• P(x)+R(x)=0 for some P,R S
3. Terminate with solution b if S contains xi-bi=0 for all i[n]
4. Else goto 2
• Scheduler can be arbitrary
• Covers known algebraic attacks
• Complexity: list size or degree
Algebraic Refutation Attacks
Goal: Given y=f(x) show that there’s no valid solution x=(x1,…,xn)
1. Initialize system of polynomial equations
S={f1(x)-y1=0,…., fm(x)-ym=0}
2. “Scheduler” extends S by adding either
• xi*P(x)=0 for some xi and some PS or
• P(x)+R(x)=0 for some P,R S
3. Terminate with “un-sat” if S contains 1=0
4. Else goto 2
• Transcript of successful attack yields a proof for unsatifiability
• The proof is in Polynomial Calculus
Algebraic Attacks
Thm 2: Q is s-psd against Algebraic Attacks 
Q has rational degree of (s).
Rational degree = minimal r s.t Q(w)=b  deg-r relation P(w)=0
• Ex: Implies e-bit fixing degree of r-e for every e<r.
Lower-bound holds against sub-exp time inversion/refutation and all outputs y
Similar criteria appear in cryptanalysis literature for LFSR’s with no proofs
(cf. [Carlet10])
Cor 3: psd against linear attacks NOT imply general psd.
• s Q which is s-psd against linear attacks but NOT 2.01-psd in general.
Proof of Corollary
The predicate Q=ORXOR+XOR
• has (k-1)-bit fixing degree of k
• has k-resiliency
But rational degree of 2
OR
k
k
Q
Necessity of Rational Degree
Lem: r-rational degree  Alg. refutation w/p 1-o(1) for m=nr
Assume Q(w)=0 R(w)=0 where deg(R)=r
Naïve Attempt: certify that a random y is not in the image
• Replace each equation Q(xS)=0 with R(xS)=0
• Linearize and try to solve
• If no solution output “y is NOT in the image”
R(x1,x2,x5)
0= Q(x
OUTPUT
INPUT
Necessity of Rational Degree
Lem: r-rational degree  Alg. refutation w/p 1-o(1) for m=nr
Assume Q(w)=0 R(w)=0 where deg(R)=r
• This attack can be implemented as algebraic refutation attack
• But completely fails!
- R(w1,w2,w3)=w1w2w3+w1w2+w2w3+w1w3
- Linearized eq’s of the form Xijk+Xij+Xik+Xjk=0
- Always exists (fake) solution
Fix: identify fake solutions by using (some) original Q-equations
Necessity of Rational Degree
Certificate that y is not in the image
• Set A of 2d “disjoint” outputs
•  d-subset S Input(A), the eq. R(xS)=0 derived via
linearization
• yA is balanced
Show: certify unsatisfiability & exists whp & yields algebraic attack
OUTPUT
INPUT
Rational Degree defeats Algebraic Attacks
• Lower-bound against Polynomial-Calculus [AlekRazb01]
 (strong) security against algebraic refutation attacks
 security against algebraic inversion attacks
for log space
functions
```