On the Concrete Security of Goldreich’s Pseudorandom Generator

Couteau, Geoffroy; Dupin, Aurélien; Méaux, Pierrick; Rossi, Mélissa; Rotella, Yann

doi:10.1007/978-3-030-03329-3_4

Cited by 20 publications

(55 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…-Our first result is a novel guess-and-determine-style attack with much lower complexity than the results presented in [18]. We develop theoretical and also numerical analysis about how many guesses that are needed for various (n, s) parameters, where n and s denote the seed size and stretch, respectively, and experimentally verify the analysis for some small parameters.…”

Section: B Contributionsmentioning

confidence: 86%

“…In [22], Applebaum and Lovett analyzed how the underlying predicate affects pseudorandomness using algebraic attacks and gave some advice on the choices of predicates in terms of resiliency, algebraic degree and bit fixing degree. Algebraic attacks based on linearization and Gröbner base algorithms were further considered in [18], and some results on concrete choices of parameters were given.…”

Section: A Related Work In Cryptanalysismentioning

confidence: 99%

“…The mentioned works above all focus on checking the existence of potential PRGs in NC 0 , establishing asymptotic security guarantees for them and exploring appealing theoretical applications based on them; one main obstacle, however, for these advanced cryptographic primitives towards being practical comes from the lack of a stable understanding on the concrete security of these PRGs. In [18], Gouteau et al first studied the concrete security of Goldreich's PRGs, especially the important instantiation on the P 5 predicate. Specifically, they developed a guess-and-determine-style attack and gave more fine-grained security guarantees for them.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Revisiting the Concrete Security of Goldreich's Pseudorandom Generator

Yang¹,

Guo²,

Johansson³

et al. 2021

Preprint

View full text Add to dashboard Cite

Local pseudorandom generators are a class of fundamental cryptographic primitives having very broad applications in theoretical cryptography. Following Couteau et al.'s work in ASIACRYPT 2018, this paper further studies the concrete security of one important class of local pseudorandom generators, i.e., Goldreich's pseudorandom generators. Our first attack is of the guess-and-determine type. Our result significantly improves the state-of-the-art algorithm proposed by Couteau et al., in terms of both asymptotic and concrete complexity, and breaks all the challenge parameters they proposed. For instance, for a parameter set suggested for 128 bits of security, we could solve the instance faster by a factor of about 2 61 , thereby destroying the claimed security completely. Our second attack further exploits the extremely sparse structure of the predicate P5 and combines ideas from iterative decoding. This novel attack, named guess-and-decode, substantially improves the guess-anddetermine approaches for cryptographic-relevant parameters. All the challenge parameter sets proposed in Couteau et al.'s work in ASIACRYPT 2018 aiming for 80-bit (128-bit) security levels can be solved in about 2 58 (2 78 ) operations. We suggest new parameters for achieving 80-bit (128-bit) security with respect to our attacks. We also extend the attack to other promising predicates and investigate their resistance.

show abstract

Section: B Contributionsmentioning

confidence: 86%

Section: A Related Work In Cryptanalysismentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Revisiting the Concrete Security of Goldreich's Pseudorandom Generator

Yang¹,

Guo²,

Johansson³

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…PRGs in NC 0 are tightly connected to the fundamental topic of Constraint Satisfaction Problems (CSPs) in complexity theory, and were first proposed for cryptographic use by Goldreich [62,75,87] 20 years ago. The complexity theory and cryptography communities have jointly developed a rich body of literature on the cryptanalysis and theory of constant-locality Boolean PRGs [9,10,12,13,15,16,28,29,59,61,62,75,101,107,108].…”

Section: Assumptions In More Detailmentioning

confidence: 99%

Indistinguishability obfuscation from well-founded assumptions

Jain

Lin

Sahai

2021

Proceedings of the 53rd Annual ACM SIGACT Symposium on Theory of Computing

164

View full text Add to dashboard Cite

Indistinguishability obfuscation, introduced by [Barak et. al. Crypto 2001], aims to compile programs into unintelligible ones while preserving functionality. It is a fascinating and powerful object that has been shown to enable a host of new cryptographic goals and beyond. However, constructions of indistinguishability obfuscation have remained elusive, with all other proposals relying on heuristics or newly conjectured hardness assumptions.In this work, we show how to construct indistinguishability obfuscation from subexponential hardness of four well-founded assumptions. We prove: Informal Theorem: Let 𝜏 ∈ (0, ∞), 𝛿 ∈ (0, 1), 𝜖 ∈ (0, 1) be arbitrary constants. Assume sub-exponential security of the following assumptions:-the Learning With Errors (LWE) assumption with subexponential modulus-to-noise ratio 2 𝑘 𝜖 and noises of magnitude polynomial in 𝑘, where 𝑘 is the dimension of the LWE secret, -the Learning Parity with Noise (LPN) assumption over general prime fields Z 𝑝 with polynomially many LPN samples and error rate 1/ℓ 𝛿 , where ℓ is the dimension of the LPN secret, -the existence of a Boolean Pseudo-Random Generator (PRG) in NC 0 with stretch 𝑛 1+𝜏 , where 𝑛 is the length of the PRG seed, -the Decision Linear (DLIN) assumption on symmetric bilinear groups of prime order. Then, (subexponentially secure) indistinguishability obfuscation for all polynomial-size circuits exists. Further, assuming only polynomial security of the aforementioned assumptions, there exists collusion resistant public-key functional encryption for all polynomial-size circuits. CCS CONCEPTS• Theory of computation → Cryptographic primitives.

show abstract

“…The security of Goldreich's PRG is a well-established and widely studied assumption, which provably resists large classes of attacks[2,3,13,40,42].…”

mentioning

confidence: 99%

Non-interactive Zero-Knowledge in Pairing-Free Groups from Weaker Assumptions

Couteau¹,

Katsumata²,

Ursu³

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We provide two new constructions of non-interactive zero-knowledge arguments (NIZKs) for NP from discrete-logarithm-style assumptions over cyclic groups, without relying on pairings. A previous construction from (Canetti et al., Eurocrypt'18) achieves such NIZKs under the assumption that no efficient adversary can break the key-dependent message (KDM) security of (additive) ElGamal with respect to all (even inefficient) functions over groups of size 2 λ , with probability better than poly(λ)/2 λ . This is an extremely strong, non-falsifiable assumption. In particular, even mild (polynomial) improvements over the current best known attacks on the discrete logarithm problem would already contradict this assumption. (Canetti et al. STOC'19) describe how to improve the assumption to rely only on KDM security with respect to efficient functions while additionally assuming public-key encryption schemes, therefore obtaining an assumption that is (in spirit) falsifiable. Our first construction improves this state of affairs. We provide a construction of NIZKs for NP under the CDH assumption together with the assumption that no efficient adversary can break the key-dependent message one-wayness of ElGamal with respect to efficient functions over groups of size 2 λ , with probability better than poly(λ)/2 cλ (denoted 2 −cλ -OW-KDM), for a constant c = 3/4. Unlike the previous assumption, our assumption leaves an exponential gap between the best known attack and the required security guarantee. Our second construction is interested in the case where CDH does not hold. Namely, as a second contribution, we construct an infinitely often NIZK argument system for NP (where soundness and zero-knowledge are only guaranteed to hold for infinitely many security parameters), under the assumption that CDH is easy together with the 2 −cλ -OW-KDM security of ElGamal with c = 28/29 + o(1) and the existence of low-depth pseudorandom generators (PRG). Combining our two results, we obtain a construction of (infinitely-often) NIZKs for NP under the 2 −cλ -OW-KDM security of ElGamal with c = 28/29 + o(1) and the existence of low-depth PRG, independently of whether CDH holds. To our knowledge, since neither OW-KDM security of ElGamal nor low-depth PRGs are known to imply public key encryption, this provides the first construction of NIZKs from concrete and falsifiable Minicrypt-style assumptions.

show abstract

On the Concrete Security of Goldreich’s Pseudorandom Generator

Cited by 20 publications

References 38 publications

Revisiting the Concrete Security of Goldreich's Pseudorandom Generator

Revisiting the Concrete Security of Goldreich's Pseudorandom Generator

Indistinguishability obfuscation from well-founded assumptions

Non-interactive Zero-Knowledge in Pairing-Free Groups from Weaker Assumptions

Contact Info

Product

Resources

About