On One-way Functions and Kolmogorov Complexity
Yanyi Liu, Cornell University, [email protected]
Rafael Pass∗, Cornell Tech, [email protected]
September 25, 2020
Abstract

We prove the equivalence of two fundamental problems in the theory of computing. For every polynomial $t(n) \geq (1+\varepsilon)n$, $\varepsilon > 0$, the following are equivalent:

• One-way functions exist (which in turn is equivalent to the existence of secure private-key encryption schemes, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, and more);

• $t$-time bounded Kolmogorov Complexity, $K^t$, is mildly hard-on-average (i.e., there exists a polynomial $p(n) > 0$ such that no PPT algorithm can compute $K^t$ for more than a $1 -1/p(n)$ fraction of $n$-bit strings).

In doing so, we present the first natural, and well-studied, computational problem characterizing the feasibility of the central private-key primitives and protocols in Cryptography.

∗ Supported in part by NSF Award SATC-1704788, NSF Award RI-1703846, AFOSR Award FA9550-18-1-0267, and a JP Morgan Faculty Award. This research is based upon work supported in part by the Office of the Director of National Intelligence (ODNI), Intelligence Advanced Research Projects Activity (IARPA), via 2019-19-020700006. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of ODNI, IARPA, or the U.S. Government. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright annotation therein.

1 Introduction
We prove the equivalence of two fundamental problems in the theory of computing: (a) the existence of one-way functions, and (b) mild average-case hardness of the time-bounded Kolmogorov Complexity problem.
Existence of One-way Functions: A one-way function [DH76] (OWF) is a function $f$ that can be efficiently computed (in polynomial time), yet no probabilistic polynomial-time (PPT) algorithm can invert $f$ with inverse polynomial probability for infinitely many input lengths $n$. Whether one-way functions exist is unequivocally the most important open problem in Cryptography (and arguably the most important open problem in the theory of computation, see e.g., [Lev03]): OWFs are both necessary [IL89] and sufficient for many of the most central cryptographic primitives and protocols (e.g., pseudorandom generators [BM88, HILL99], pseudorandom functions [GGM84], private-key encryption [GM84], digital signatures [Rom90], commitment schemes [Nao91], identification protocols [FS90], coin-flipping protocols [Blu82], and more). These primitives and protocols are often referred to as private-key primitives, or "Minicrypt" primitives [Imp95], as they exclude the notable task of public-key encryption [DH76, RSA83]. Additionally, as observed by Impagliazzo [Gur89, Imp95], the existence of a OWF is equivalent to the existence of a polynomial-time method for sampling hard solved instances for an NP language (i.e., hard instances together with their witnesses).

While many candidate constructions of OWFs are known—most notably based on factoring [RSA83], the discrete logarithm problem [DH76], or the hardness of lattice problems [Ajt96]—the question of whether there exists some natural average-case hard problem that characterizes the hardness of OWFs (and thus the feasibility of the above central cryptographic primitives) has been a long-standing open problem:

Does there exist some natural average-case hard computational problem (i.e., both the computational problem and the distribution over instances is "natural"), which characterizes the existence of one-way functions?
This problem is particularly pressing given recent advances in quantum computing [AAB+

Average-case Hardness of $K^{\mathrm{poly}}$-Complexity: What makes the string 12121212121212121 less random than 60484850668340357492? The notion of Kolmogorov complexity ($K$-complexity), introduced by Solomonoff [Sol64], Kolmogorov [Kol68] and Chaitin [Cha69], provides an elegant method for measuring the amount of "randomness" in individual strings: the $K$-complexity of a string $x$ is the length of the shortest program (to be run on some fixed universal Turing machine $U$) that outputs the string $x$. From a computational point of view, however, this notion is unappealing as there is no efficiency requirement on the program. The notion of $t(\cdot)$-time-bounded Kolmogorov Complexity ($K^t$-complexity) overcomes this issue: $K^t(x)$ is defined as the length of the shortest program that outputs the string $x$ within time $t(|x|)$. As surveyed by Trakhtenbrot [Tra84], the problem of efficiently determining the $K^t$-complexity for $t(n) = \mathrm{poly}(n)$ predates the theory of NP-completeness and was studied in the Soviet Union since the 60s as a candidate for a problem that requires "brute-force search" (see Task 5 on page 392 in [Tra84]). The modern complexity-theoretic study of this problem goes back to Sipser [Sip83], Ko [Ko86] and Hartmanis [Har83].

Note that Levin [Lev85] presents an ingenious construction of a universal one-way function—a function that is one-way if one-way functions exist. But his construction (which relies on an enumeration argument) is artificial. Levin [Lev03] takes a step towards making it less artificial by constructing a universal one-way function based on a new specially-tailored Tiling Expansion problem.

Intriguingly, Trakhtenbrot also notes that a "frequential" version of this problem was considered in the Soviet Union in the 60s: the problem of finding an algorithm that succeeds for a "high" fraction of strings $x$—in more modern terms from the theory of average-case complexity [Lev86], whether $K^t$ can be computed by a heuristic algorithm with inverse polynomial error, over random inputs $x$. We say that $K^t$ is mildly hard-on-average (mildly HoA) if there exists some polynomial $p(\cdot) > 0$ such that every PPT fails in computing $K^t(\cdot)$ for at least a $1/p(\cdot)$ fraction of $n$-bit strings $x$ for all sufficiently large $n$, and that $K^{\mathrm{poly}}$ is mildly HoA if there exists some polynomial $t(n) > 0$ such that $K^t$ is mildly HoA.

Our main result shows that the existence of OWFs is equivalent to mild average-case hardness of $K^{\mathrm{poly}}$. In doing so, we resolve the above-mentioned open problem, and present the first natural (and well-studied) computational problem characterizing the feasibility of the central private-key primitives in Cryptography.

Theorem 1.1. The following are equivalent:
• One-way functions exist;
• $K^{\mathrm{poly}}$ is mildly hard-on-average.

In other words, secure private-key encryption, digital signatures, pseudorandom generators, pseudorandom functions, commitment schemes, etc., are possible iff $K^{\mathrm{poly}}$-complexity is mildly hard-on-average.

In fact, our main theorem is stronger than stated: we show that for every polynomial $t(n) \geq (1+\varepsilon)n$, where $\varepsilon > 0$, mild average-case hardness of $K^t$ is equivalent to the existence of one-way functions.

On the Hardness of Approximating $K^{\mathrm{poly}}$-complexity. Our connection between OWFs and $K^t$-complexity has direct implications to the theory of $K^t$-complexity. Trakhtenbrot [Tra84] also discusses average-case hardness of the approximate $K^t$-complexity problem: the problem of, given a random $x$, outputting an "approximation" $y$ that is $\beta(|x|)$-close to $K^t(x)$ (i.e., $|K^t(x) - y| \leq \beta(|x|)$). He observes that there is a trivial heuristic approximation algorithm that succeeds with probability approaching 1 (for large enough $n$): given $x$, simply output $|x|$. In fact, this trivial algorithm produces a $(d\log n)$-approximation with probability $\geq 1 - n^{-d}$ over random $n$-bit strings, since at most $2^{n - d\log n}$ out of the $2^n$ strings have $K^t$-complexity smaller than $n - d\log n$. We note that our proof that OWFs imply mild average-case hardness of $K^{\mathrm{poly}}$ actually directly extends to show that $K^{\mathrm{poly}}$ is mildly HoA also to $(d\log n)$-approximate. We thus directly get:

Theorem 1.2. If $K^{\mathrm{poly}}$ is mildly hard-on-average, then for every constant $d$, $K^{\mathrm{poly}}$ is mildly hard-on-average to $(d\log n)$-approximate.

In other words, any efficient algorithm that only slightly beats the success probability of the "trivial" approximation algorithm can be used to break OWFs.

Existential v.s. Constructive $K^t$ complexity. Trakhtenbrot [Tra84] also considers a "constructive" variant of the $K^t$-complexity problem, where the task of the solver is to not only determine the $K^t$-complexity of a string $x$, but to also output a minimal-length program $\Pi$ that generates $x$.
We remark that for our proof that mild average-case hardness of $K^{\mathrm{poly}}$ implies OWFs, it actually suffices to assume mild average-case hardness of the "constructive" $K^{\mathrm{poly}}$ problem, and thus we obtain an equivalence between the "existential" and "constructive" versions of the problem in the average-case regime.

On Decisional Time-Bounded Kolmogorov Complexity Problems. We finally note that our results also show an equivalence between one-way functions and mild average-case hardness of a decisional $K^{\mathrm{poly}}$ problem: let $\mathrm{MINK}^t[s]$ denote the set of strings $x$ such that $K^{t(|x|)}(x) \leq s(|x|)$. Our proof directly shows that there exists some constant $c$ such that for every constant $\varepsilon > 0$, every $t(n) \geq (1+\varepsilon)n$, and letting $s(n) = n - c\log n$, mild average-case hardness of the language $\mathrm{MINK}^t[s]$ (with respect to the uniform distribution over instances) is equivalent to the existence of one-way functions.

We refer the reader to Goldreich's textbook [Gol01] for more context and applications of OWFs (and complexity-based cryptography in general); we highly recommend Barak's survey on candidate constructions of one-way functions [Bar17]. We refer the reader to the textbook of Li and Vitanyi [LV08] for more context and applications of Kolmogorov complexity; we highly recommend Allender's surveys on the history, and recent applications, of notions of time-bounded Kolmogorov complexity [All20a, All20b, All17].
On Connections between $K^{\mathrm{poly}}$-complexity and OWFs. We note that some (partial) connections between $K^t$-complexity and OWFs already existed in the literature:

• Results by Kabanets and Cai [KC00] and Allender et al. [ABK+06] show that the existence of OWFs implies that $K^{\mathrm{poly}}$ must be worst-case hard to compute; their results will be the starting point for our result that OWFs also imply average-case hardness of $K^{\mathrm{poly}}$.

• Allender and Das [AD17] show that every problem in SZK (the class of promise problems having statistical zero-knowledge proofs [GMR89]) can be solved in probabilistic polynomial time using a $K^{\mathrm{poly}}$-complexity oracle. Furthermore, Ostrovsky and Wigderson [Ost91, OW93] show that if SZK contains a problem that is hard-on-average, then OWFs exist. In contrast, we show the existence of OWFs assuming only that $K^{\mathrm{poly}}$ is hard-on-average.

• A very recent elegant work by Santhanam [San20] is also explicitly motivated by the above-mentioned open problem, and presents an intriguing connection between one-way functions and error-less average-case hardness of the circuit minimization problem (MCSP) [KC00]—i.e., the problem of, given a truth table of a boolean function, determining the size of the smallest circuit that computes the function; the MCSP problem is closely related to the time-bounded Kolmogorov complexity problem [Tra84, ABK+

On Worst-case to Average-case Reductions for $K^{\mathrm{poly}}$-complexity. We highlight a very elegant recent result by Hirahara [Hir18] that presents a worst-case (approximation) to average-case reduction for $K^{\mathrm{poly}}$-complexity. Unfortunately, his result only gives average-case hardness w.r.t. errorless heuristics—namely, heuristics that always provide either the correct answer or output ⊥ (and additionally only output ⊥ with small probability). For our construction of a OWF, however, we require average-case hardness of $K^t$ also with respect to heuristics that may err (with small probability). Santhanam [San20], independently, obtains a similar result for a related problem. Hirahara notes that it is an open problem to obtain a worst-case to average-case reduction for $K^{\mathrm{poly}}$ w.r.t. heuristics that may err. Let us emphasize that average-case hardness w.r.t. error-less heuristics is a much weaker property than just "plain" average-case hardness (with respect to heuristics that may err): consider a random 3SAT formula on $n$ variables with $1000n$ clauses. It is well-known that, with high probability, the formula is not satisfiable. Thus, there is a trivial heuristic algorithm for solving 3SAT on such random instances by simply outputting "No". Yet, the question of whether there exists an efficient errorless heuristic for this problem is still open, and non-existence of such an algorithm is implied by Feige's Random 3SAT conjecture [Fei02].

On Universal Extrapolation.
Impagliazzo and Levin [IL90] consider a problem of universal extrapolation: roughly speaking, extrapolation with respect to some polynomial-time Turing machine $M$ requires, given some prefix string $x_{\mathrm{pre}}$, sampling a random continuation $x_{\mathrm{post}}$ such that $M$ (on input a random tape) generates $x_{\mathrm{pre}} \| x_{\mathrm{post}}$. Universal extrapolation is said to be possible if all polynomial-time Turing machines can be extrapolated. Impagliazzo and Levin demonstrate the equivalence of one-way functions and the infeasibility of universal extrapolation.

As suggested by an anonymous FOCS reviewer, universal extrapolation seems related to time-bounded Kolmogorov complexity: extrapolation with respect to a universal Turing machine should, intuitively, be equivalent to approximating $K^{\mathrm{poly}}$ (for a random string $x$) by counting the number of possible continuations $x_{\mathrm{post}}$ to a prefix $x_{\mathrm{pre}}$ of $x$: strings with small $K^{\mathrm{poly}}$-complexity should have many possible continuations, while strings with large $K^{\mathrm{poly}}$-complexity should have few.

While this method may perhaps be used to obtain an alternative proof of one direction (existence of one-way functions from hardness of $K^{\mathrm{poly}}$) of our main theorem, as far as we can tell, the actual proof is non-trivial and would result in a significantly weaker conclusion than what we obtain: it would only show that average-case hardness of approximating $K^{\mathrm{poly}}$ implies infeasibility of universal extrapolation and thus one-way functions, whereas we show that even average-case hardness of exactly computing $K^{\mathrm{poly}}$ implies the existence of one-way functions.

For the converse direction, the infeasibility of universal extrapolation only means that there exists some polynomial-time Turing machine $M$ that is hard to extrapolate, and this $M$ is not necessarily a universal Turing machine. It is not a priori clear whether infeasibility of extrapolation w.r.t. some $M$ implies infeasibility of extrapolation w.r.t. a universal Turing machine.

A direct corollary of our main theorem is a formal connection between universal extrapolation and average-case hardness of $K^{\mathrm{poly}}$: infeasibility of universal extrapolation is equivalent to mild average-case hardness of $K^{\mathrm{poly}}$ (since by [IL90], infeasibility of universal extrapolation is equivalent to the existence of one-way functions).

We provide a brief outline for the proof of Theorem 1.1.
OWFs from Avg-case $K^{\mathrm{poly}}$-Hardness. We show that if $K^t$ is mildly average-case hard for some polynomial $t(n) > 0$, then a weak one-way function exists; the existence of (strong) one-way

Recall that an efficiently computable function $f$ is a weak OWF if there exists some polynomial $q > 0$ such that $f$ cannot be efficiently inverted with probability better than $1 - 1/q(n)$ for sufficiently large $n$.

Let $c$ be a constant such that every string $x$ can be output by a program of length $|x| + c$ (running on the fixed universal Turing machine $U$). Consider the function $f(\ell \| \Pi')$, where $\ell$ is a bitstring of length $\log(n+c)$ and $\Pi'$ is a bitstring of length $n + c$, that lets $\Pi$ be the first $\ell$ bits of $\Pi'$, and outputs $\ell \| y$ where $y$ is the output generated by running the program $\Pi$ for $t(n)$ steps. We aim to show that if $f$ can be inverted with high probability—significantly higher than $1 - 1/n$—then the $K^t$-complexity of random strings $z \in \{0,1\}^n$ can be computed with high probability. Our heuristic $H$, given a string $z$, simply tries to invert $f$ on $\ell \| z$ for all $\ell \in [n+c]$, and outputs the smallest $\ell$ for which inversion succeeds. First, note that since every length $\ell \in [n+c]$ is selected with probability $1/(n+c)$, the inverter must still succeed with high probability even if we condition the output of the one-way function on any particular length $\ell$ (as we assume that the one-way function inverter fails with probability significantly smaller than $1/n$). This, however, does not suffice to prove that the heuristic works with high probability, as the string $y$ output by the one-way function is not uniformly distributed (whereas we need to compute the $K^t$-complexity for uniformly chosen strings). But, we show using a simple counting argument that $y$ is not too "far" from uniform in relative distance. The key idea is that for every string $z$ with $K^t$-complexity $w$, there exists some program $\Pi_z$ of length $w$ that outputs it; furthermore, by our assumption on $c$, $w \leq n + c$. We thus have that $f(U_{n+c+\log(n+c)})$ will output $w \| z$ with probability at least
$$\frac{1}{n+c} \cdot 2^{-w} \;\geq\; \frac{1}{n+c} \cdot 2^{-(n+c)} \;=\; \frac{2^{-n}}{O(n)}$$
(we need to pick the right length, and next the right program). So, if the heuristic fails with probability $\delta$, then the one-way function inverter must fail with probability at least $\delta / O(n)$, which leads to the conclusion that $\delta$ must be small (as we assumed the inverter fails with probability significantly smaller than $1/n$).

Formally, the program/description $\Pi$ is an encoding of a pair $(M, w)$ where $M$ is a Turing machine and $w$ is some input, and we evaluate $M(w)$ on the universal Turing machine $U$.

We remark that although our construction of the function $f$ is somewhat reminiscent of Levin's construction of a universal OWF, the actual function (and even more so the analysis) is actually quite different. Levin's function $\hat{f}$, roughly speaking, parses the input into a Turing machine $M$ of length $\log n$ and an input $x$ of length $n$, and next outputs $M(x)$. As he argues, if a OWF $f'$ exists, then with probability $1/n$, $\hat{f}$ will compute the output $f'(x)$ for a randomly selected $x$, and is thus hard to invert. In contrast, in our candidate OWF construction, the key idea is to vary the length of a "fully specified" program $\Pi$ (including an input).

Or, in case we also want to break the "constructive" $K^{\mathrm{poly}}$ problem, we also output the $\ell$-bit truncation of the program $\Pi'$ output by the inverter.

Avg-case $K^{\mathrm{poly}}$-Hardness from EP-PRGs. To show the converse direction, our starting point is the earlier result by Kabanets and Cai [KC00] and Allender et al. [ABK+06] which shows that the existence of OWFs implies that $K^t$-complexity, for every sufficiently large polynomial $t(\cdot)$, must be worst-case hard to compute. In more detail, they show that if $K^t$-complexity can be computed in polynomial time for every input $x$, then pseudorandom generators (PRGs) cannot exist (and PRGs are implied by OWFs by [HILL99]). This follows from the observations that (1) random strings have high $K^t$-complexity with overwhelming probability, and (2) outputs of a PRG always have small $K^t$-complexity as long as $t(n)$ is sufficiently greater than the running time of the PRG (as the seed plus the constant-sized description of the PRG suffice to compute the output). Thus, using an algorithm that computes $K^t$, we can easily distinguish outputs of the PRG from random strings—simply output 1 if the $K^t$-complexity is high, and 0 otherwise. This method, however, relies on the algorithm working for every input. If we only have access to a heuristic $H$ for $K^t$, we have no guarantees that $H$ will output a correct value when we feed it a pseudorandom string, as those strings are sparse in the universe of all strings.

We note that, although it was not explicitly pointed out, their argument actually also extends to show that $K^t$ does not have an errorless heuristic assuming the existence of PRGs. The point is that even on outputs of the PRG, an errorless heuristic must output either a small value or ⊥ (and perhaps always just output ⊥). But for random strings, the heuristic can only output ⊥ with small probability. Dealing with heuristics that may err will be more complicated.
To overcome this issue, we introduce the concept of an entropy-preserving PRG (EP-PRG). This is a PRG that expands the seed by $O(\log n)$ bits, while ensuring that the output of the PRG loses at most $O(\log n)$ bits of Shannon entropy—it will be important for the sequel that we rely on Shannon entropy as opposed to min-entropy. In essence, the PRG preserves (up to an additive term of $O(\log n)$) the entropy in the seed $s$. We next show that any good heuristic $H$ for $K^t$ can break such an EP-PRG. The key point is that since the output of the PRG is entropy preserving, by an averaging argument, there exists a $1/n$ fraction of "good" seeds $S$ such that, conditioned on the seed belonging to $S$, the output of the PRG on input seeds of length $n$ has min-entropy $n - O(\log n)$. This means that the probability that $H$ fails to compute $K^t$ on outputs of the PRG, conditioned on picking a "good" seed, can increase at most by a factor $\mathrm{poly}(n)$. We conclude that $H$ can be used to determine (with sufficiently high probability) the $K^t$-complexity for both random strings and for outputs of the PRG.

EP-PRGs from Regular OWFs.
We start by noting that the standard Blum-Micali-Goldreich-Levin [BM84, GL89] PRG construction from one-way permutations is entropy preserving. To see this, recall the construction:
$$G_f(s, h_{GL}) = f(s) \| h_{GL} \| h_{GL}(s)$$
where $f$ is a one-way permutation and $h_{GL}$ is a hardcore function for $f$—by [GL89], we can select a random hardcore function $h_{GL}$ that outputs $O(\log n)$ bits. Since $f$ is a permutation, the output of the PRG fully determines the input and thus there is actually no entropy loss. We next show that the PRG construction of [GKL93, HILL99, Gol01, YLW15] from regular OWFs also is an EP-PRG. We refer to a function $f$ as being $r$-regular if for every $x \in \{0,1\}^*$, $f(x)$ has between $2^{r(|x|)-1}$ and $2^{r(|x|)}$ many preimages. Roughly speaking, the construction applies pairwise independent hash functions (that act as strong extractors) $h_1, h_2$ to both the input and output of the OWF (parametrized to match the regularity $r$) to "squeeze" out randomness from both the input and the output, and finally also applies a hardcore function that outputs $O(\log n)$ bits:
$$G^r_f(s \| h_1 \| h_2 \| h_{GL}) = h_{GL} \| h_1 \| h_2 \| [h_1(s)]_{r - O(\log n)} \| [h_2(f(s))]_{n - r - O(\log n)} \| h_{GL}(s), \qquad (1)$$
where $[a]_j$ means $a$ truncated to $j$ bits. As already shown in [Gol01] (see also [YLW15]), the output of the function excluding the hardcore bits is actually $1/\mathrm{poly}(n)$-close to uniform in statistical distance (this follows directly from the Leftover Hash Lemma [HILL99]), and this implies (using an averaging argument) that the Shannon entropy of the output is at least $n - O(\log n)$, thus the construction is an EP-PRG. We finally note that this construction remains both secure and entropy preserving, even if the input domain of the function $f$ is not $\{0,1\}^n$, but rather any set $S$ of size $2^n/n$; this will be useful to us shortly.

Cond EP-PRGs from Any OWFs.
Unfortunately, constructions of PRGs from OWFs [HILL99, Hol06, HHR06, HRV10] are not entropy preserving as far as we can tell. We, however, remark that to prove that $K^t$ is mildly HoA, we do not actually need a "full-fledged" EP-PRG: rather, it suffices to have what we refer to as a conditionally-secure EP-PRG $G$. A conditionally-secure EP-PRG (cond EP-PRG) is an efficiently computable function $G$ having the property that there exists some event $E$ such that:
1. $G(U_{n'} \mid E)$ has Shannon entropy $n' - O(\log n')$;
2. $G(U_{n'} \mid E)$ is indistinguishable from $U_m$ for some $m \geq n' + O(\log n')$.
In other words, there exists some event $E$ such that conditioned on the event $E$, $G$ behaves like an EP-PRG. We next show how to adapt the above construction to yield a cond EP-PRG from any OWF $f$. Consider $G(i \| s \| h_1, h_2, h_{GL}) = G^i_f(s, h_1, h_2, h_{GL})$ where $|s| = n$, $|i| = \log n$, and $G^i_f$ is the PRG construction defined in equation (1). We remark that for any function $f$, there exists some regularity $i^*$ such that at least a fraction $1/n$ of inputs $x$ have regularity $i^*$. Let $S_{i^*}$ denote the set of these $x$'s. Clearly, $|S_{i^*}| \geq 2^n/n$; thus, by the above argument, $G^{i^*}_f(U_{n'} \mid S_{i^*})$ is both pseudorandom and has entropy $n' - O(\log n')$. Finally, consider the event $E$ that $i = i^*$ and $s \in S_{i^*}$. By definition, $G(U_{\log n} \| U_n \| U_m \mid E)$ is identically distributed to $G^{i^*}_f(U_{n'} \mid S_{i^*})$, and thus $G$ is a cond EP-PRG from any OWF. For clarity, let us provide the full expanded description of the cond EP-PRG $G$:
$$G(i \| s \| h_1 \| h_2 \| h_{GL}) = h_{GL} \| h_1 \| h_2 \| [h_1(s)]_{i - O(\log n)} \| [h_2(f(s))]_{n - i - O(\log n)} \| h_{GL}(s)$$
Note that this $G$ is not a PRG: if the input $i \neq i^*$ (which happens with probability $1 - 1/n$), the output of $G$ may not be pseudorandom!
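The following Python is an added example, not code from the paper: it makes the entropy accounting behind equation (1) concrete for a toy regular function, and also computes the regularity histogram that the "good regularity $i^*$" step of the cond EP-PRG relies on. Its assumptions: $f(s) = s \gg R$ stands in for a $2^R$-regular function (it is not one-way and only models the fiber structure), GF(2)-linear maps $h(s) = As$ stand in for the pairwise-independent family $h_1$, everything is computed by exhaustive enumeration over $N$-bit seeds, and the hardcore bits and the $O(\log n)$ slack are left out. It goes one step beyond the text by tabulating, for each requested output length $j \leq R$, the fraction of hashes that recover all $j$ bits, which is the trade-off the $r - O(\log n)$ truncation in equation (1) buys.

```python
# Added example (not from the paper). Assumptions: toy regular f(s) = s >> R, GF(2)-linear
# hashes as the pairwise-independent family, exhaustive enumeration over N-bit seeds.
import math
from collections import Counter
from itertools import product
from typing import Dict, Iterable, List

N = 10   # seed length n (toy size)
R = 3    # f forgets the R low-order seed bits, so every image has exactly 2^R preimages


def f(s: int) -> int:
    return s >> R


def shannon_entropy(values: Iterable) -> float:
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def gf2_rank(rows: List[int]) -> int:
    """Rank of a 0/1 matrix given as row bitmasks, by elimination on the leading bit."""
    rows, rank = list(rows), 0
    while rows:
        pivot = max(rows)
        rows.remove(pivot)
        if pivot == 0:
            break
        rank += 1
        top = pivot.bit_length() - 1
        rows = [r ^ pivot if (r >> top) & 1 else r for r in rows]
    return rank


def linear_hash(rows: List[int]):
    """h(s) = A s over GF(2); row i of A is the bitmask rows[i] over the N seed bits.
       (An affine shift b would not change any entropy computed below, so it is omitted.)"""
    def h(s: int) -> int:
        return sum((bin(row & s).count("1") & 1) << i for i, row in enumerate(rows))
    return h


def entropy_f_alone() -> float:
    """H(f(U_N)): the R low seed bits are lost, so this is N - R."""
    return shannon_entropy(f(s) for s in range(2 ** N))


def entropy_with_hash(rows: List[int]) -> float:
    """H(f(s), h_1(s)) for s <- U_N: the hash output is meant to recover the lost R bits."""
    h = linear_hash(rows)
    return shannon_entropy((f(s), h(s)) for s in range(2 ** N))


def predicted_entropy(rows: List[int]) -> int:
    """Inside one fiber of f only the R low seed bits vary, so the hash recovers exactly
       rank(A restricted to those R columns) bits: H(f(s), h(s)) = N - R + that rank."""
    low = (1 << R) - 1
    return N - R + gf2_rank([row & low for row in rows])


def full_rank_fraction(j: int) -> float:
    """Fraction of j x R GF(2) matrices (j <= R) with rank j, i.e. of hashes whose j-bit
       output [h_1(s)]_j recovers all j requested bits. Taking j below R (the r - O(log n)
       truncation in equation (1)) is what pushes this fraction towards 1."""
    good = sum(1 for rows in product(range(2 ** R), repeat=j) if gf2_rank(list(rows)) == j)
    return good / 2 ** (R * j)


def regularity_histogram(fn, n: int) -> Dict[int, float]:
    """Fraction of n-bit inputs x whose image has between 2^(i-1) and 2^i preimages, i in [n].
       By pigeonhole some bucket i* holds at least a 1/n fraction (the cond EP-PRG's event E)."""
    sizes = Counter(fn(x) for x in range(2 ** n))
    hist: Counter = Counter()
    for x in range(2 ** n):
        hist[max(1, (sizes[fn(x)] - 1).bit_length())] += 1   # smallest i with 2^i >= |preimages|
    return {i: c / 2 ** n for i, c in hist.items()}


if __name__ == "__main__":
    print("H(f(s)) =", entropy_f_alone())
    print("H(f(s), h(s)) with full-rank low columns =", entropy_with_hash([0b001, 0b010, 0b100]))
    for j in (1, 2, 3):
        print(f"fraction of {j}x{R} hashes recovering all {j} bits:", full_rank_fraction(j))
    print("regularity histogram of f:", regularity_histogram(f, N))
```

Run as a script to see the numbers; `predicted_entropy` lets you check any hash against the enumeration, and `regularity_histogram` applied to an arbitrary function shows which regularity bucket the event $E$ would pick.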
But, recall that the notion of a cond EP-PRG only requires the output of $G$ to be pseudorandom conditioned on some event $E$ (while also being entropy preserving conditioned on the same event $E$).

Finally, the above outline only shows that $K^t$ is mildly HoA if $t(\cdot)$ is larger than the running time of the cond EP-PRG that we constructed; that is, so far, we have only shown that OWFs imply that $K^t$ is mildly HoA for some polynomial $t$. To prove that this holds for every $t(n) \geq (1+\varepsilon)n$, $\varepsilon > 0$, we construct a cond EP-PRG with running time $n + O(n^\alpha)$, where $\alpha < 1$; we refer to such a PRG as a rate-1 efficient PRG. Using such a rate-1 efficient cond EP-PRG, we can show that $K^t$ is mildly HoA for every $t(n) \geq (1+\varepsilon)n$, $\varepsilon > 0$.

We assume familiarity with basic concepts such as Turing machines, polynomial-time algorithms and probabilistic polynomial-time algorithms (PPT). A function $\mu$ is said to be negligible if for every polynomial $p(\cdot)$ there exists some $n_0$ such that for all $n > n_0$, $\mu(n) \leq 1/p(n)$. A probability ensemble is a sequence of random variables $A = \{A_n\}_{n \in \mathbb{N}}$. We let $U_n$ denote the uniform distribution over $\{0,1\}^n$.

We recall the definition of one-way functions [DH76]. Roughly speaking, a function $f$ is one-way if it is polynomial-time computable, but hard to invert for PPT attackers.
Definition 2.1. Let $f : \{0,1\}^* \to \{0,1\}^*$ be a polynomial-time computable function. $f$ is said to be a one-way function (OWF) if for every PPT algorithm $A$, there exists a negligible function $\mu$ such that for all $n \in \mathbb{N}$,
$$\Pr[x \leftarrow \{0,1\}^n;\ y = f(x) : A(1^n, y) \in f^{-1}(f(x))] \leq \mu(n)$$

We may also consider a weaker notion of a weak one-way function [Yao82], where we only require all PPT attackers to fail with probability noticeably bounded away from 1:

Definition 2.2. Let $f : \{0,1\}^* \to \{0,1\}^*$ be a polynomial-time computable function. $f$ is said to be an $\alpha$-weak one-way function ($\alpha$-weak OWF) if for every PPT algorithm $A$, for all sufficiently large $n \in \mathbb{N}$,
$$\Pr[x \leftarrow \{0,1\}^n;\ y = f(x) : A(1^n, y) \in f^{-1}(f(x))] < 1 - \alpha(n)$$
We say that $f$ is simply a weak one-way function (weak OWF) if there exists some polynomial $q > 0$ such that $f$ is a $1/q(\cdot)$-weak OWF.

Theorem 2.3 ([Yao82]). Assume there exists a weak one-way function. Then there exists a one-way function.
Let $U$ be some fixed universal Turing machine that can emulate any Turing machine $M$ with polynomial overhead. Given a description $\Pi \in \{0,1\}^*$ which encodes a pair $(M, w)$ where $M$ is a (single-tape) Turing machine and $w \in \{0,1\}^*$ is an input, let $U(\Pi, t)$ denote the output of $M(w)$ when emulated on $U$ for $t$ steps. Note that (by the assumption that $U$ only has polynomial overhead) $U(\Pi, t)$ can be computed in time $\mathrm{poly}(|\Pi|, t)$.

The $t$-time bounded Kolmogorov Complexity, $K^t(x)$, of a string $x$ [Kol68, Sip83, Tra84, Ko86] is defined as the length of the shortest description $\Pi$ such that $U(\Pi, t) = x$:
$$K^t(x) = \min_{\Pi \in \{0,1\}^*} \{\, |\Pi| : U(\Pi, t(|x|)) = x \,\}.$$
A central fact about $K^t$-complexity is that the length of a string $x$ essentially (up to an additive constant) bounds the $K^t$-complexity of the string for every $t(n) > 0$: consider the description $(M, x)$ where $M$ is a constant-length Turing machine that directly halts; consequently, $M$ simply outputs its input and thus $M(x) = x$.

Fact 2.1. There exists a constant $c$ such that for every function $t(n) > 0$ and every $x \in \{0,1\}^*$ it holds that $K^t(x) \leq |x| + c$.

We turn to defining what it means for a function to be average-case hard (for PPT algorithms).
Definition 2.4. We say that a function $f : \{0,1\}^* \to \{0,1\}^*$ is $\alpha(\cdot)$ hard-on-average ($\alpha$-HoA) if for all PPT heuristics $H$, for all sufficiently large $n \in \mathbb{N}$,
$$\Pr[x \leftarrow \{0,1\}^n : H(x) = f(x)] < 1 - \alpha(n)$$
In other words, there does not exist a PPT "heuristic" $H$ that computes $f$ with probability $1 - \alpha(n)$ for infinitely many $n \in \mathbb{N}$. We also consider what it means for a function to be average-case hard to approximate.

Definition 2.5. We say that a function $f : \{0,1\}^* \to \{0,1\}^*$ is $\alpha$ hard-on-average ($\alpha$-HoA) to $\beta(\cdot)$-approximate if for all PPT heuristics $H$, for all sufficiently large $n \in \mathbb{N}$,
$$\Pr[x \leftarrow \{0,1\}^n : |H(x) - f(x)| \leq \beta(|x|)] < 1 - \alpha(n)$$
In other words, there does not exist a PPT heuristic $H$ that approximates $f$ within a $\beta(\cdot)$ additive term, with probability $1 - \alpha(n)$ for infinitely many $n \in \mathbb{N}$.

Finally, we refer to a function $f$ as being mildly HoA (resp. mildly HoA to approximate) if there exists a polynomial $p(\cdot) > 0$ such that $f$ is $1/p(\cdot)$-HoA (resp. $1/p(\cdot)$-HoA to approximate).

2.4 Computational Indistinguishability

We recall the definition of (computational) indistinguishability [GM84].
Definition 2.6. Two ensembles $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$ are said to be $\mu(\cdot)$-indistinguishable if for every probabilistic machine $D$ (the "distinguisher") whose running time is polynomial in the length of its first input, there exists some $n_0 \in \mathbb{N}$ so that for every $n \geq n_0$:
$$\big|\Pr[D(1^n, A_n) = 1] - \Pr[D(1^n, B_n) = 1]\big| < \mu(n)$$
We say that $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$ are simply indistinguishable if they are $1/p(\cdot)$-indistinguishable for every polynomial $p(\cdot)$.

For any two random variables $X$ and $Y$ defined over some set $\mathcal{V}$, we let
$$SD(X, Y) = \frac{1}{2} \sum_{v \in \mathcal{V}} \big|\Pr[X = v] - \Pr[Y = v]\big|$$
denote the statistical distance between $X$ and $Y$. For a random variable $X$, let $H(X) = \mathbb{E}\left[\log \frac{1}{\Pr[X = x]}\right]$ denote the (Shannon) entropy of $X$, and let $H_\infty(X) = \min_{x \in \mathrm{Supp}(X)} \log \frac{1}{\Pr[X = x]}$ denote the min-entropy of $X$.

We next demonstrate a simple lemma showing that any distribution that is statistically close to random has very high Shannon entropy.

Lemma 2.2. For every $n \geq 4$, the following holds. Let $X$ be a random variable over $\{0,1\}^n$ such that $SD(X, U_n) \leq 1/n$. Then $H(X) \geq n - 5$.

Proof: Let $S = \{x \in \{0,1\}^n : \Pr[X = x] \leq 2^{-(n-1)}\}$. Note that for every $x \notin S$, $x$ will contribute at least
$$\frac{1}{2}\left(\Pr[X = x] - \Pr[U_n = x]\right) \;\geq\; \frac{1}{2}\left(\Pr[X = x] - \frac{\Pr[X = x]}{2}\right) \;=\; \frac{\Pr[X = x]}{4}$$
to $SD(X, U_n)$. Thus, $\Pr[X \notin S] \leq 4 \cdot \frac{1}{n}$. Since for every $x \in S$, $\log \frac{1}{\Pr[X = x]} \geq n - 1$, and $\Pr[X \in S]$ is at least $1 - 4/n$, it follows that
$$H(X) \;\geq\; \Pr[X \in S] \cdot (n - 1) \;\geq\; \left(1 - \frac{4}{n}\right)(n - 1) \;\geq\; n - 1 - 4 \;=\; n - 5.$$
Theorem 3.1. The following are equivalent:
(a) The existence of one-way functions.
(b) The existence of a polynomial $t(n) > 0$ such that $K^t$ is mildly hard-on-average.
(c) For all constants $d > 0$, $\varepsilon > 0$, and every polynomial $t(n) \geq (1+\varepsilon)n$, $K^t$ is mildly hard-on-average to $(d\log n)$-approximate.

We prove Theorem 3.1 by showing that (b) implies (a) (in Section 4) and next that (a) implies (c) (in Section 5). Finally, (c) trivially implies (b). Note that a consequence of Theorem 3.1 is that for every polynomial $t(n) \geq (1+\varepsilon)n$, where $\varepsilon > 0$, mild average-case hardness of $K^t$ is equivalent to the existence of one-way functions.

4 OWFs from Mild Avg-case $K^t$-Hardness

In this section, we state our main theorem.
Theorem 4.1.
Assume there exist polynomials t(n) > 0, p(n) > 0 such that K^t is p(·)-HoA. Then there exists a weak OWF f (and thus also a OWF).
Proof:
Let c be the constant from Fact 2.1. Consider the function f : {0,1}^{n + c + ⌈log(n+c)⌉} → {0,1}^*, which given an input ℓ || Π′ where |ℓ| = ⌈log(n+c)⌉ and |Π′| = n + c, outputs ℓ || U(Π, 1^{t(n)}) where Π is the ℓ-bit prefix of Π′. This function is only defined over some input lengths, but by an easy padding trick it can be transformed into a function f′ defined over all input lengths, such that if f is (weakly) one-way (over the restricted input lengths), then f′ will be (weakly) one-way (over all input lengths): f′(x′) simply truncates its input x′ (as little as possible) so that the (truncated) input x now becomes of length m = n + c + ⌈log(n+c)⌉ for some n, and outputs f(x).
We now show that if K^t is p(·)-HoA, then f is a q(·)-weak OWF, where q(n) = 2^{c+3} n p(n)^2, which concludes the proof of the theorem. Assume for contradiction that f is not a q(·)-weak OWF. That is, there exists some PPT attacker A that inverts f with probability at least 1 − 1/q(n) (≤ 1 − 1/q(m)) for infinitely many m = n + c + ⌈log(n+c)⌉. Fix some such m, n > 2. By an averaging argument, except for a fraction 1/(2p(n)) of random tapes r for A, the deterministic machine A_r (i.e., machine A with randomness fixed to r) fails to invert f with probability at most 2p(n)/q(n). Fix some such "good" randomness r for which A_r succeeds in inverting f with probability 1 − 2p(n)/q(n).
We next show how to use A_r to compute K^t with high probability over random inputs z ∈ {0,1}^n. Our heuristic H_r(z) runs A_r(i || z) for all i ∈ [n + c], where i is represented as a ⌈log(n+c)⌉-bit string, and outputs the length of the smallest program Π output by A_r that produces the string z within t(n) steps. Let S be the set of strings z ∈ {0,1}^n for which H_r(z) fails to compute K^t(z). Note that H_r thus fails with probability fail_r = |S|/2^n.
Consider any string z ∈ S and let w = K^t(z) be its K^t-complexity. By Fact 2.1, we have that w ≤ n + c. Since H_r(z) fails to compute K^t(z), A_r must fail to invert (w || z). But, since w ≤ n + c, the output (w || z) is sampled with probability
  (1/(n+c)) · (1/2^w) ≥ (1/(n+c)) · (1/2^{n+c}) ≥ (1/(n 2^{c+1})) · (1/2^n)
in the one-way function experiment, so A_r must fail with probability at least
  |S| · (1/(n 2^{c+1})) · (1/2^n) = (1/(n 2^{c+1})) · (|S|/2^n) = fail_r/(n 2^{c+1}),
which by assumption (that A_r is a good inverter) is at most 2p(n)/q(n). We thus conclude that
  fail_r ≤ 2^{c+2} n p(n)/q(n).
Finally, by a union bound, we have that H (using a uniform random tape r) fails in computing K^t with probability at most
  1/(2p(n)) + 2^{c+2} n p(n)/q(n) = 1/(2p(n)) + 2^{c+2} n p(n)/(2^{c+3} n p(n)^2) = 1/p(n).
Thus, H computes K^t with probability 1 − 1/p(n) for infinitely many n ∈ N, which contradicts the assumption that K^t is p(·)-HoA.
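The reduction above can be run end to end in a toy model; the following is an added example (not the paper's code) in which U is a tiny made-up universal machine, the inverter A is brute force rather than PPT, and N = 8, C = 1 are constructed parameters. It shows H recovering K^t(z) exactly from a perfect inverter, and going wrong with an inverter that only inverts one prefix length.

```python
"""Toy-model walkthrough of the reduction in the proof of Theorem 4.1 (an example added to this
page, not the paper's code). U is a tiny "universal machine" that interprets a bit string as a
program; K(z) is the length of the shortest program printing z (the time bound t plays no role
because every toy program halts immediately). f(l || Pi') = l || U(l-bit prefix of Pi') is the
paper's function, brute_force_inverter stands in for the hypothesised PPT attacker A, and H
is the heuristic H_r: it runs the inverter on i || z for every i and keeps the shortest program."""
from itertools import product
from math import ceil, log2

N = 8                               # length of the strings z whose complexity we compute
C = 1                               # toy analogue of the constant in Fact 2.1: K(z) <= |z| + 1
L_BITS = ceil(log2(N + C))          # bits used to encode the program length l in [N + C]


def U(prog):
    """Toy universal machine. Mode bit 0: print the payload verbatim (so K(z) <= |z| + 1).
    Mode bit 1: payload = 3-bit field giving output length L in 1..8, then a non-empty
    pattern that is repeated cyclically to L bits (periodic strings get short programs)."""
    if not prog:
        return ""
    mode, payload = prog[0], prog[1:]
    if mode == "0":
        return payload
    if len(payload) < 4:            # needs a length field and at least one pattern bit
        return ""
    length, pattern = int(payload[:3], 2) + 1, payload[3:]
    return "".join(pattern[i % len(pattern)] for i in range(length))


def K(z):
    """Brute-force K(z): length of the shortest program with U(prog) == z."""
    for length in range(1, len(z) + C + 1):
        for bits in product("01", repeat=length):
            if U("".join(bits)) == z:
                return length
    raise ValueError("no program found")     # cannot happen: the verbatim program always works


def f(x):
    """The paper's function on inputs l || Pi' with |l| = L_BITS and |Pi'| = N + C."""
    assert len(x) == L_BITS + N + C
    l = int(x[:L_BITS], 2)
    return x[:L_BITS] + U(x[L_BITS:L_BITS + l])


def brute_force_inverter(y):
    """Stands in for the attacker A: returns some x with f(x) == y, or None if there is none.
    It tries all 2^l programs of length l, which is fine for N = 8 but of course not PPT."""
    l_bits, z = y[:L_BITS], y[L_BITS:]
    l = int(l_bits, 2)
    if not 1 <= l <= N + C:
        return None
    for bits in product("01", repeat=l):
        prog = "".join(bits)
        if U(prog) == z:
            return l_bits + prog + "0" * (N + C - l)    # pad Pi' to N + C bits
    return None


def H(z, A=brute_force_inverter):
    """The heuristic H_r: run A(i || z) for every i in [N + C], keep only answers whose
    i-bit program really prints z, and output the smallest such i (None if A never succeeds)."""
    best = None
    for i in range(1, N + C + 1):
        x = A(format(i, f"0{L_BITS}b") + z)
        if x is not None and U(x[L_BITS:L_BITS + i]) == z and (best is None or i < best):
            best = i
    return best


def crippled_inverter(y):
    """An inverter that only succeeds when l = N + C (verbatim programs): with it H returns
    N + C for every z, so H is wrong exactly on the strings that have a shorter program."""
    return brute_force_inverter(y) if int(y[:L_BITS], 2) == N + C else None


if __name__ == "__main__":
    for z in ["01010101", "00000000", "01101001"]:
        print(z, "K =", K(z), "H =", H(z), "H with crippled inverter =", H(z, crippled_inverter))
```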
Mild Avg-case K^t-Hardness from OWFs

We introduce the notion of a (conditionally-secure) entropy-preserving pseudo-random generator (EP-PRG) and next show (1) that the existence of a condEP-PRG implies that K^t is hard-on-average (even to approximate), and (2) that OWFs imply condEP-PRGs. We start by defining the notion of a conditionally-secure entropy-preserving PRG.
Definition 5.1.
An efficiently computable function G : {0,1}^n → {0,1}^{n + γ log n} is a µ(·)-conditionally secure entropy-preserving pseudorandom generator (µ-condEP-PRG) if there exist a sequence of events {E_n}_{n∈N} and a constant α (referred to as the entropy-loss constant) such that the following conditions hold:
• (pseudorandomness): {G(U_n | E_n)}_{n∈N} and {U_{n + γ log n}}_{n∈N} are µ(n)-indistinguishable;
• (entropy-preserving): For all sufficiently large n ∈ N, H(G(U_n | E_n)) ≥ n − α log n.
If for all n, E_n = {0,1}^n (i.e., there is no conditioning), we say that G is a µ-secure entropy-preserving pseudorandom generator (µ-EP-PRG). We say that G has rate-1 efficiency if its running time on inputs of length n is bounded by n + O(n^ε) for some constant ε < 1.

K^t-Hardness from Cond EP-PRGs

Theorem 5.2.
Assume that for every γ > 0, there exists a rate-1 efficient µ-condEP-PRG G : {0,1}^n → {0,1}^{n + γ log n} where µ(n) = 1/n^2. Then, for every constant d > 0, ε > 0, and every polynomial t(n) ≥ (1 + ε)n, K^t is mildly hard-on-average to (d log n)-approximate.
Proof:
Let γ ≥ max(8, 2d), and let G′ : {0,1}^n → {0,1}^{m′(n)} where m′(n) = n + γ log n be a rate-1 efficient µ-condEP-PRG, where µ(n) = 1/n^2. For any constant c, let G_c(x) be the function that computes G′(x) and truncates the last c bits. It directly follows that G_c is also a rate-1 efficient µ-condEP-PRG (since G′ is so). Consider any ε > 0, t(n) ≥ (1 + ε)n, and let p(n) = 2n^{2(α+γ+1)}. Assume for contradiction that there exists some PPT H that β-approximates K^t with probability 1 − 1/p(m) for infinitely many m ∈ N, where β(n) = (γ/2) log n ≥ d log n. Since m′(n+1) − m′(n) ≤ γ + 1, there must exist some constant c ≤ γ + 1 such that H succeeds (to β-approximate K^t) with probability 1 − 1/p(m) for infinitely many m of the form m = m(n) = n + γ log n − c. Let G(x) = G_c(x); recall that G is a rate-1 efficient µ-condEP-PRG (trivially, since G_c is so), and let α, {E_n}, respectively, be the entropy-loss constant and the sequence of events associated with it.
We next show that H can be used to break the condEP-PRG G. Towards this, recall that a random string has high K^t-complexity with high probability: for m = m(n), we have
  Pr_{x ∈ {0,1}^m}[K^t(x) ≥ m − (γ/2) log n] ≥ (2^m − 2^{m − (γ/2) log n}) / 2^m = 1 − 1/n^{γ/2},   (2)
since the total number of Turing machines with length smaller than m − (γ/2) log n is only 2^{m − (γ/2) log n}. However, any string output by the EP-PRG must have "low" K^t-complexity: for every sufficiently large n and m = m(n), we have that
  Pr_{s ∈ {0,1}^n}[K^t(G(s)) ≥ m − (γ/2) log n] = 0,   (3)
since G(s) can be represented by combining a seed s of length n with the code of G (of constant length), and the running time of G(s) is bounded by t(|s|) = t(n) ≤ t(m) for all sufficiently large n, so K^t(G(s)) = n + O(1) = (m − γ log n + c) + O(1) ≤ m − (γ/2) log n for sufficiently large n.
Based on these observations, we now construct a PPT distinguisher A breaking G. On input 1^n, x, where x ∈ {0,1}^{m(n)}, A(1^n, x) lets w ← H(x) and outputs 1 if w ≥ m(n) − γ log n and 0 otherwise. Fix some n and m = m(n) for which H succeeds with probability 1 − 1/p(m). The following two claims conclude that A distinguishes U_{m(n)} and G(U_n | E_n) with probability at least 1/n^2.
Claim 1. A(1^n, U_m) outputs 1 with probability at least 1 − 2/n^{γ/2}.
Proof: Note that A(1^n, x) will output 1 if x is a string with K^t-complexity larger than m − (γ/2) log n and H outputs a ((γ/2) log n)-approximation to K^t(x). Thus,
  Pr[A(1^n, x) = 1] ≥ Pr[K^t(x) ≥ m − (γ/2) log n ∧ H succeeds on x] ≥ 1 − Pr[K^t(x) < m − (γ/2) log n] − Pr[H fails on x] ≥ 1 − 1/n^{γ/2} − 1/p(n) ≥ 1 − 2/n^{γ/2},
where the probability is over a random x ← U_m and the randomness of A and H.
Claim 2. A(1^n, G(U_n | E_n)) outputs 1 with probability at most 1 − 1/n + 1/n^{α+γ}.
Proof: Recall that by assumption, H fails to ((γ/2) log n)-approximate K^t(x) for a random x ∈ {0,1}^m with probability at most 1/p(m). By an averaging argument, for at least a 1 − 1/n^2 fraction of random tapes r for H, the deterministic machine H_r fails to approximate K^t with probability at most n^2/p(m). Fix some "good" randomness r such that H_r approximates K^t with probability at least 1 − n^2/p(m). We next analyze the success probability of A_r. Assume for contradiction that A_r outputs 1 with probability at least 1 − 1/n + 1/n^{α+γ} on input G(U_n | E_n). Recall that (1) the entropy of G(U_n | E_n) is at least n − α log n, and (2) the quantity −log Pr[G(U_n | E_n) = y] is upper bounded by n for all y ∈ G(U_n | E_n), since H_∞(G(U_n | E_n)) ≤ H_∞(U_n | E_n) ≤ H_∞(U_n) = n. By an averaging argument, with probability at least 1/n, a random y ∈ G(U_n | E_n) will satisfy
  −log Pr[G(U_n | E_n) = y] ≥ (n − α log n) − 1.
We refer to an output y satisfying the above condition as being "good" and to other y's as being "bad". Let S = {y ∈ G(U_n | E_n) : A_r(1^n, y) = 1 ∧ y is good}, and let S′ = {y ∈ G(U_n | E_n) : A_r(1^n, y) = 1 ∧ y is bad}. Since
  Pr[A_r(1^n, G(U_n | E_n)) = 1] = Pr[G(U_n | E_n) ∈ S] + Pr[G(U_n | E_n) ∈ S′],
and Pr[G(U_n | E_n) ∈ S′] is at most the probability that G(U_n) is "bad" (which, as argued above, is at most 1 − 1/n), we have that
  Pr[G(U_n | E_n) ∈ S] ≥ (1 − 1/n + 1/n^{α+γ}) − (1 − 1/n) = 1/n^{α+γ}.
Furthermore, since for every y ∈ S, Pr[G(U_n | E_n) = y] ≤ 2^{−n + α log n + 1}, we also have
  Pr[G(U_n | E_n) ∈ S] ≤ |S| · 2^{−n + α log n + 1}, so |S| ≥ 2^{n − α log n − 1} / n^{α+γ} = 2^{n − (2α+γ) log n − 1}.
However, for any y ∈ G(U_n | E_n), if A_r(1^n, y) outputs 1, then by Equation 3, H_r(y) > K^t(y) + (γ/2) log n, so H fails to output a good approximation. (This follows since, by Equation 3, K^t(y) < n − (γ/2) log n, and A_r(1^n, y) outputs 1 only if H_r(y) ≥ n − γ log n.) Thus, the probability that H_r fails (to output a good approximation) on a random y ∈ {0,1}^m is at least
  |S| / 2^m = 2^{n − (2α+γ) log n − 1} / 2^{n + γ log n − c} ≥ 2^{−2(α+γ) log n − 1} = 1/(2n^{2(α+γ)}),
which contradicts the fact that H_r fails to approximate K^t with probability at most n^2/p(m) < 1/(2n^{2(α+γ)}) (since n < m). We conclude that for every good randomness r, A_r outputs 1 with probability at most 1 − 1/n + 1/n^{α+γ}. Finally, by a union bound (and since a random tape is bad with probability ≤ 1/n^2), we have that the probability that A(G(U_n | E_n)) outputs 1 is at most
  1/n^2 + (1 − 1/n + 1/n^{α+γ}) ≤ 1 − 1/n + 2/n^2,
since γ ≥ 8.
We conclude, since γ ≥ 8, that A distinguishes U_m and G(U_n | E_n) with probability at least
  (1 − 2/n^{γ/2}) − (1 − 1/n + 2/n^2) ≥ (1 − 1/n^2) − (1 − 1/n + 2/n^2) = 1/n − 3/n^2 ≥ 1/n^2
for infinitely many n ∈ N.

In this section, we show how to construct a condEP-PRG from any OWF. Towards this, we first recall the construction of [HILL99, Gol01, YLW15] of a PRG from a regular one-way function [GKL93].
Definition 5.3.
A function f : {0,1}^* → {0,1}^* is called regular if there exists a function r : N → N such that for all sufficiently long x ∈ {0,1}^*, 2^{r(|x|)−1} ≤ |f^{−1}(f(x))| ≤ 2^{r(|x|)}. We refer to r as the regularity of f.
As mentioned in the introduction, the construction proceeds in the following two steps given a OWF f with regularity r.
• We "massage" f into a different OWF f̂ having the property that there exists some ℓ(n) = n − O(log n) such that f̂(U_n) is statistically close to U_{ℓ(n)}; we will refer to such a OWF as being dense. This is done by applying pairwise-independent hash functions (acting as strong extractors) to both the input and the output of the OWF (parametrized to match the regularity r) to "squeeze" out randomness from both the input and the output:
  f̂(s || σ_1 || σ_2) = σ_1 || σ_2 || [h_{σ_1}(s)]_{r − O(log n)} || [h_{σ_2}(f(s))]_{n − r − O(log n)},
where [a]_j means a truncated to j bits. We next modify f̂ to include additional randomness in the input (which is also revealed in the output) to make sure the function has a hardcore function:
  f′(s || σ_1 || σ_2 || σ_GL) = σ_GL || f̂(s || σ_1 || σ_2).
• We finally use f′ to construct a PRG G_r by simply adding the Goldreich-Levin hardcore bits [GL89], GL, to the output of the function f′:
  G_r(s || σ_1 || σ_2 || σ_GL) = f′(s || σ_1 || σ_2 || σ_GL) || GL(s || σ_1 || σ_2, σ_GL).
We note that the above steps do not actually produce a "fully secure" PRG, as the statistical distance between the output of f̂(U_n) and uniform is only 1/poly(n) as opposed to being negligible.
[Gol01] thus presents a final amplification step to deal with this issue; for our purposes it will suffice to get a 1/poly(n) indistinguishability gap, so we will not be concerned with the amplification step.
We remark that nothing in the above steps requires f to be a one-way function defined on the domain {0,1}^n: all three steps still work even for one-way functions defined over domains S that are different from {0,1}^n, as long as a lower bound on the size of the domain is efficiently computable (by a minor modification of the construction in Step 1 to account for the size of S). Let us start by formalizing this fact.
Definition 5.4.
Let S = {S_n} be a sequence of sets such that S_n ⊆ {0,1}^n and let f : S_n → {0,1}^* be a polynomial-time computable function. f is said to be a one-way function over S (S-OWF) if for every PPT algorithm A, there exists a negligible function µ such that for all n ∈ N,
  Pr[x ← S_n; y = f(x) : A(1^n, y) ∈ f^{−1}(f(x))] ≤ µ(n).
We refer to f as being regular if it satisfies Definition 5.3 with the exception that we only quantify over all n ∈ N and all x ∈ S_n (as opposed to all x ∈ {0,1}^n).
We say that a family of functions {f_i}_{i∈I} is efficiently computable if there exists a polynomial-time algorithm M such that M(i, x) = f_i(x).
Lemma 5.1 (implicit in [Gol01, YLW15]). Let S = {S_n} be a sequence of sets such that S_n ⊆ {0,1}^n, let s be an efficiently computable function such that s(n) ≤ log|S_n|, and let f be an S-OWF with regularity r(·). Then, there exists a constant c ≥ such that for every α′, γ′ ≥ , there exist an efficiently computable family of functions {f′_i}_{i∈N} and an efficiently computable function GL such that the following holds for ℓ(n) = s(n) + 3n^c − α′ log n and ℓ′(n) = ℓ(n) + γ′ log n:
• density: For all sufficiently large n, the distributions
  – {x ← S_n, σ_1, σ_2, σ_GL ← {0,1}^{n^c} : f′_{r(n)}(x, σ_1, σ_2, σ_GL)}, and
  – U_{ℓ(n)}
  are 1/n^{α′/2}-close in statistical distance.
• pseudorandomness: The ensembles of distributions
  – {x ← S_n, σ_1, σ_2, σ_GL ← {0,1}^{n^c} : f′_{r(n)}(x, σ_1, σ_2, σ_GL) || GL(x, σ_1, σ_2, σ_GL)}_{n∈N}, and
  – {U_{ℓ′(n)}}_{n∈N}
  are 1/n^{α′/2}-indistinguishable.
Proof: Given an r(·)-regular S-OWF f, the construction of f′ has the form
  f′(s || σ_1 || σ_2 || σ_GL) = σ_GL || σ_1 || σ_2 || [h_{σ_1}(s)]_{r − α′ log n} || [h_{σ_2}(f(s))]_{s(n) − r − α′ log n},
where |x| = n, |σ_1| = |σ_2| = |σ_GL| = n^c, and GL(x, σ_1, σ_2, σ_GL) is simply the Goldreich-Levin hardcore predicate [GL89] outputting γ′ log n inner products between x and vectors in σ_GL. The function f′_r thus maps n′ = n + 3n^c bits to 3n^c + s(n) − α′ log n bits, and once we add the output of GL, the total output length becomes 3n^c + s(n) − α′ log n + γ′ log n, as required. The proof in [Gol01, YLW15] directly works to show that {f_i}, GL satisfy the requirements stated in the theorem. (For the reader's convenience, we present a simple self-contained proof of this in Appendix A.)
We additionally observe that every OWF actually is a regular S-OWF for a sufficiently large S.
Lemma 5.2.
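Step 1 of the construction (the hashing that turns a regular function into a dense one) can be watched numerically; the following added example (not code from the paper or from [Gol01, YLW15]) uses a constructed 2^7-regular function on {0,1}^14, random affine maps over GF(2) as the pairwise-independent hash family, and an entropy slack of k = 3 bits in place of the O(log n) of the text.

```python
"""Step 1 of the construction above (the "dense OWF" f-hat), as an example added to this page
(not code from the paper or from [Gol01, YLW15]). A toy r-regular function f on {0,1}^n whose
image is a badly non-uniform subset of {0,1}^n is fed through two pairwise-independent hash
functions, the input side truncated to r - k bits and the output side to n - r - k bits, and we
measure how close the hashed output is to uniform (the Leftover Hash Lemma bounds the expected
statistical distance by about 2^(-k/2)). The constants N, R, K and the toy f are assumptions."""
import random

N, R, K = 14, 7, 3                  # input length, regularity (2^R preimages), entropy slack


def f(s):
    """Constructed R-regular function: depends only on u = s mod 2^(N-R) and maps it injectively
    to u*(u+1), so every image has exactly 2^R preimages but the image set is sparse in
    {0,1}^N (all outputs are even, for instance)."""
    u = s % 2 ** (N - R)
    return u * (u + 1)


def sample_hash(in_bits, out_bits, rng):
    """A random affine map over GF(2): out_bits rows of in_bits random bits plus an offset.
    This family is pairwise independent; keeping only the first j rows is [h(a)]_j."""
    rows = [rng.getrandbits(in_bits) for _ in range(out_bits)]
    offset = rng.getrandbits(out_bits)
    return rows, offset


def apply_hash(h, a):
    """h(a) = M a xor v, computed row by row as parities of (a AND row)."""
    rows, offset = h
    value = 0
    for j, row in enumerate(rows):
        value |= (bin(row & a).count("1") & 1) << j
    return value ^ offset


def f_hat_hashed_part(s, h1, h2):
    """[h1(s)]_(R-K) || [h2(f(s))]_(N-R-K): the hashed part of f-hat(s || sigma1 || sigma2);
    sigma1, sigma2 (the hash descriptions) are revealed verbatim and omitted here."""
    return (apply_hash(h1, s) << (N - R - K)) | apply_hash(h2, f(s))


def raw_truncation(s):
    """For comparison: the same number of bits taken without hashing,
    the top R-K bits of s followed by the low N-R-K bits of f(s)."""
    return ((s >> (N - R + K)) << (N - R - K)) | (f(s) % 2 ** (N - R - K))


def sd_from_uniform(values, bits):
    """Exact statistical distance of the empirical distribution of `values` from U_bits."""
    counts = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    total = len(values)
    return sum(abs(counts.get(v, 0) / total - 1 / 2 ** bits) for v in range(2 ** bits)) / 2


def average_hashed_sd(samples=12, seed=7):
    """Monte-Carlo estimate of E_sigma[SD(hashed part, U)], which equals the statistical
    distance of the joint (sigma, hashed part) from uniform. Enumerates all s in {0,1}^N."""
    rng = random.Random(seed)
    out_bits = N - 2 * K
    total = 0.0
    for _ in range(samples):
        h1 = sample_hash(N, R - K, rng)
        h2 = sample_hash(N, N - R - K, rng)
        total += sd_from_uniform([f_hat_hashed_part(s, h1, h2) for s in range(2 ** N)], out_bits)
    return total / samples


def raw_sd():
    """Statistical distance of the unhashed truncation from uniform: exactly 1/2 here,
    because the low bit of f(s) is always 0, so half of the output values never occur."""
    return sd_from_uniform([raw_truncation(s) for s in range(2 ** N)], N - 2 * K)


if __name__ == "__main__":
    print(f"hashed: SD ~ {average_hashed_sd():.3f} (LHL bound ~ {2 ** (-K / 2):.3f}); "
          f"raw: SD = {raw_sd():.3f}")
```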
Let f be a one-way function. There exists an integer function r(·) and a sequence of sets S = {S_n} such that S_n ⊆ {0,1}^n, |S_n| ≥ 2^n/n, and f is an S-OWF with regularity r.
Proof:
The following simple claim is the crux of the proof:
Claim 3.
For every n ∈ N, there exists an integer r_n ∈ [n] such that Pr[x ← {0,1}^n : 2^{r_n − 1} ≤ |f^{−1}(f(x))| ≤ 2^{r_n}] ≥ 1/n.
Proof:
For all i ∈ [n], let w(i) = Pr[x ← {0,1}^n : 2^{i−1} ≤ |f^{−1}(f(x))| ≤ 2^i]. Since for all x, the number of pre-images that map to f(x) must be in the range [1, 2^n], we know that Σ_{i=1}^{n} w(i) = 1. By an averaging argument, there must exist some r_n such that w(r_n) ≥ 1/n.
Let r(n) = r_n for every n ∈ N, and S_n = {x ∈ {0,1}^n : 2^{r(n)−1} ≤ |f^{−1}(f(x))| ≤ 2^{r(n)}}; regularity of f when the input domain is restricted to S follows directly. It only remains to show that f is an S-OWF; this follows directly from the fact that the sets S_n are dense in {0,1}^n. More formally, assume for contradiction that there exists a PPT algorithm A that inverts f with probability ε(n) when the input is sampled from S_n. Since |S_n| ≥ 2^n/n, it follows that A can invert f with probability at least ε(n)/n over the uniform distribution, which is a contradiction (as f is a OWF).
By combining Lemma 5.1 and Lemma 5.2, we directly get an EP-PRG defined over a subset S. We next turn to showing how to instead get a µ-conditionally secure EP-PRG that is defined over {0,1}^n.
Theorem 5.5.
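As an added example (not the paper's code), the following computes the buckets w(i), the regularity r_n and the dense subset S_n of Claim 3 and Lemma 5.2 by exhaustive enumeration over {0,1}^n for two constructed functions: an exactly 4-to-1 map and a deliberately irregular one.

```python
"""Constructed illustration of Claim 3 and Lemma 5.2 (an example added to this page, not the
paper's code): for any function f on {0,1}^n, bucket the inputs by the size of their preimage
set |f^{-1}(f(x))| into the dyadic ranges [2^(i-1), 2^i], find the range r_n hit by at least a
1/n fraction of the inputs, and build S_n, the dense subset on which f is regular with
regularity r_n. Both functions below are constructed for illustration; nothing relies on them
being one-way."""
from collections import Counter
from hashlib import sha256


def four_to_one(x, n):
    """Constructed exactly 4-to-1 function: drop the two low bits."""
    return x >> 2


def lopsided(x, n):
    """Constructed function with very uneven preimage sizes: half of the inputs are mapped to
    the constant 0, the others through SHA-256 truncated to n bits (an arbitrary irregular map)."""
    if x % 2 == 0:
        return 0
    return int.from_bytes(sha256(x.to_bytes(4, "big")).digest(), "big") % 2 ** n


def preimage_sizes(f, n):
    """Return {x: |f^{-1}(f(x))|} over all x in {0,1}^n (enumeration; fine for small n)."""
    images = {x: f(x, n) for x in range(2 ** n)}
    counts = Counter(images.values())
    return {x: counts[y] for x, y in images.items()}


def weights(f, n):
    """w(i) = Pr[x <- {0,1}^n : 2^(i-1) <= |f^{-1}(f(x))| <= 2^i] for i in [n], as in the proof.
    Because the closed ranges overlap at powers of two, sum_i w(i) >= 1, which is all the
    averaging argument needs."""
    sizes = preimage_sizes(f, n)
    w = {}
    for i in range(1, n + 1):
        hits = sum(1 for s in sizes.values() if 2 ** (i - 1) <= s <= 2 ** i)
        w[i] = hits / 2 ** n
    return w


def regularity_and_dense_subset(f, n):
    """Pick r_n with w(r_n) >= 1/n (Claim 3) and return (r_n, S_n) where
    S_n = {x : 2^(r_n - 1) <= |f^{-1}(f(x))| <= 2^r_n}; Lemma 5.2 then gives |S_n| >= 2^n / n."""
    w = weights(f, n)
    r_n = max(w, key=w.get)              # the heaviest range has w(r_n) >= average >= 1/n
    assert w[r_n] >= 1 / n
    sizes = preimage_sizes(f, n)
    s_n = [x for x, s in sizes.items() if 2 ** (r_n - 1) <= s <= 2 ** r_n]
    assert len(s_n) >= 2 ** n / n
    return r_n, s_n


if __name__ == "__main__":
    for name, fn, n in [("four_to_one", four_to_one, 6), ("lopsided", lopsided, 10)]:
        r_n, s_n = regularity_and_dense_subset(fn, n)
        print(f"{name}, n={n}: r_n={r_n}, |S_n|={len(s_n)} (>= 2^n/n = {2 ** n / n:.1f})")
```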
Assume that one-way functions exist. Then, there exists a polynomial t(·) such that for every γ > 1, δ > 1, there exists a (1/n^δ)-condEP-PRG G′_{δ,γ} : {0,1}^n → {0,1}^{n + γ log n} with running time bounded by (γ + δ) t(n).
Proof:
By Lemma 5.2, there exists a sequence of sets S = {S_n} such that S_n ⊆ {0,1}^n, |S_n| ≥ 2^n/n, a function r(·), and an S-OWF f with regularity r(·). Let s(n) = n − log n (to ensure that s(n) ≤ log|S_n|). Let c be the constant guaranteed to exist by Lemma 5.1 w.r.t. S and f. Consider any δ, γ > 1, let α′ = 8cδ and γ′ = (c + 1)γ + 2α′ + 3, and define ℓ(n), ℓ′(n) just as in the statement of Lemma 5.1, namely ℓ(n) = s(n) + 3n^c − α′ log n and ℓ′(n) = ℓ(n) + γ′ log n. Let {f′_i}_{i∈N}, GL be the functions guaranteed to exist by Lemma 5.1 w.r.t. α′, γ′, and consider the function G_{δ,γ} : {0,1}^{log n + n + 3n^c} → {0,1}^{ℓ′(n)} defined as follows:
  G_{δ,γ}(i, x, σ_1, σ_2, σ_GL) = f′_i(x, σ_1, σ_2, σ_GL) || GL(x, σ_1, σ_2, σ_GL),
where |i| = log n, i ∈ [n], |x| = n, |σ_1| = |σ_2| = |σ_GL| = n^c. Let n′ = n′(n) = log n + n + 3n^c denote the input length of G_{δ,γ}. Let {E_{n′(n)}} be a sequence of events where
  E_{n′(n)} = {(i, x, σ_1, σ_2, σ_GL) : i = r(n), x ∈ S_n, σ_1, σ_2, σ_GL ∈ {0,1}^{n^c}}.
Note that the two distributions
• {x ← S_n, σ_1, σ_2, σ_GL ← {0,1}^{n^c} : f′_{r(n)}(x, σ_1, σ_2, σ_GL) || GL(x, σ_1, σ_2, σ_GL)}_{n∈N}, and
• G_{δ,γ}(U_{n′} | E_{n′})
are identically distributed. It follows from Lemma 5.1 that {G_{δ,γ}(U_{n′} | E_{n′})}_{n∈N} and {U_{ℓ′(n)}}_{n∈N} are 1/n^{α′/2}-indistinguishable. Note that for α′ = 8cδ, we have that 1/n^{α′/2} = 1/n^{4cδ} ≤ 1/n′(n)^δ for sufficiently large n. Thus, G_{δ,γ} satisfies the pseudorandomness property of a (1/n′^δ)-cond EP-PRG.
We further show that the output of G_{δ,γ} preserves entropy. Let X_n be a random variable uniformly distributed over S_n. By Lemma 5.1, f′_{r(n)}(X_n, U_{n^c}) is 1/n^{α′/2} ≤ 1/n^{4cδ} ≤ 1/(4ℓ(n))-close to U_{ℓ(n)} in statistical distance for sufficiently large n. By Lemma 2.2 it thus holds that H(f′_{r(n)}(X_n, U_{n^c})) ≥ ℓ(n) − 2. It follows that
  H(f′_{r(n)}(X_n, U_{n^c}), GL(X_n, U_{n^c})) ≥ H(f′_{r(n)}(X_n, U_{n^c})) ≥ ℓ(n) − 2.
Notice that G_{δ,γ}(U_{n′} | E_{n′}) and (f′_{r(n)}(X_n, U_{n^c}), GL(X_n, U_{n^c})) are identically distributed, so on inputs of length n′ = n′(n), the entropy loss of G_{δ,γ} is n′ − (ℓ(n) − 2) ≤ (2α′ + 2) log n + 2 ≤ (2α′ + 4) log n′; thus G_{δ,γ} satisfies the entropy-preserving property (by setting the entropy-loss constant α of the cond EP-PRG to be 2α′ + 4).
The function G maps n′ = log n + n + 3n^c bits to ℓ′(n) bits, and it is thus at least ℓ′(n) − n′ ≥ (γ′ − α′ − 2) log n-bit expanding. Since n′ ≤ n^{c+1} for sufficiently large n, and recalling that γ′ = (c + 1)γ + 2α′ + 2, G_{δ,γ} will expand its input by at least (γ′ − α′ − 2) log n ≥ (c + 1)γ log n ≥ γ log n′ bits.
Notice that although G_{δ,γ} is only defined over some input lengths n′ = n′(n), by taking "extra" bits in the input and appending them to the output, G_{δ,γ} can be transformed into a cond EP-PRG G′_{δ,γ} defined over all input lengths: G′_{δ,γ}(x′) finds a prefix x of x′ as long as possible such that |x| is of the form n′ = log n + n + 3n^c for some n, rewrites x′ = x || y, and outputs G_{δ,γ}(x) || y. The entropy-preserving and the pseudorandomness properties of G′_{δ,γ} follow directly; finally, note that if |x′| is sufficiently large, it holds that n^{c+1} ≥ |x′|, and thus by the same argument as above, G′_{δ,γ} will also expand its input by at least γ log|x′| bits.
We finally show that there exists some polynomial t(n′) such that for every δ, γ > 1, (γ + δ) t(n′) bounds the running time of G′_{δ,γ} on inputs of length n′. To see this, note that the OWF used in this construction can be assumed to have some fixed polynomial running time. The hash function and the GL hardcore function take (no more than) O(n^c) time to output one bit, and in total the hash function outputs at most O(n) bits, so the running time of the hash function is O(n^{c+1}). (If δ increases, then α′ increases, recall that α′ ≥ cδ, and the hash function outputs fewer bits and runs faster.) On the other hand, for all γ, δ, G outputs γ′ log n = ((c + 1)γ + 2α′ + 2) log n = (γ + δ) O(log n) GL hardcore bits. Thus, for any γ, δ, G′ runs in poly(n) + O(n^{c+1}) + (γ + δ) O(n^c log n) ≤ (γ + δ) t(n′) time for some polynomial t(n′) over inputs of length n′.
We now use a standard padding trick to obtain a rate-1 efficient µ-cond EP-PRG: we simply output the first n − ℓ bits unchanged, and next apply a cond EP-PRG on the last ℓ bits. Since we only have a cond EP-PRG that satisfies inverse polynomial (as opposed to negligible) indistinguishability, we need to be a bit careful with the choice of the parameters.
Footnote: This proof may be of independent didactic interest as an elementary proof of the existence of PRGs from regular OWFs.
Theorem 5.6.
Assume that one-way functions exist. Then, for every γ > 1, there exists a rate-1 efficient µ-cond EP-PRG G_γ : {0,1}^n → {0,1}^{n + γ log n}, where µ(n) = 1/n^2.
Proof:
Let t(·) be the polynomial guaranteed to exist by Theorem 5.5. Let c be a constant such that O(n^c) ≥ t(n). Consider any γ > 1, and let γ′ = 2cγ, δ′ = 4c and µ′(n) = 1/n^{δ′}. By Theorem 5.5, there exists a µ′-cond EP-PRG G′_{δ′,γ′} : {0,1}^n → {0,1}^{n + γ′ log n}; let α′ be its associated entropy-loss constant. Consider the function G_γ : {0,1}^n → {0,1}^{n + γ log n} defined as follows:
  G_γ(s_1 || s_2) = s_1 || G′_{δ′,γ′}(s_2),
where |s_2| = n^{1/2c}. Note that |G′_{δ′,γ′}(s_2)| = |s_2| + γ′ log|s_2| = n^{1/2c} + γ′ log(n^{1/2c}) = n^{1/2c} + γ log n, so G_γ is (γ log n)-bit expanding. Furthermore, the entropy loss of G_γ is α′ log(n^{1/2c}) = α log n for the constant α = α′/2c. Since the running time of G′_{δ′,γ′} is bounded by (γ′ + δ′) t(n^{1/2c}) ≤ O(n^{1/2}), the running time of G_γ is |s_1| + O(n^{1/2}) ≤ n + O(n^{1/2}). Finally, it holds that µ′(|s_2|) = µ′(n^{1/2c}) = 1/n^2, so we conclude that G_γ is a rate-1 efficient µ-cond EP-PRG for µ(n) = 1/n^2 that expands n bits to (n + γ log n) bits.

We are very grateful to Eric Allender, Kai-min Chung, Naomi Ephraim, Cody Freitag, Johan Håstad, Yuval Ishai, Ilan Komargodski, Rahul Santhanam, and abhi shelat for extremely helpful comments. We are also very grateful to the anonymous FOCS reviewers.
References
[AAB+19] Frank Arute, Kunal Arya, Ryan Babbush, Dave Bacon, Joseph C. Bardin, Rami Barends, Rupak Biswas, Sergio Boixo, Fernando G. S. L. Brandao, David A. Buell, Brian Burkett, Yu Chen, Zijun Chen, Ben Chiaro, Roberto Collins, William Courtney, Andrew Dunsworth, Edward Farhi, Brooks Foxen, Austin Fowler, Craig Gidney, Marissa Giustina, Rob Graff, Keith Guerin, Steve Habegger, Matthew P. Harrigan, Michael J. Hartmann, Alan Ho, Markus Hoffmann, Trent Huang, Travis S. Humble, Sergei V. Isakov, Evan Jeffrey, Zhang Jiang, Dvir Kafri, Kostyantyn Kechedzhi, Julian Kelly, Paul V. Klimov, Sergey Knysh, Alexander Korotkov, Fedor Kostritsa, David Landhuis, Mike Lindmark, Erik Lucero, Dmitry Lyakh, Salvatore Mandrà, Jarrod R. McClean, Matthew McEwen, Anthony Megrant, Xiao Mi, Kristel Michielsen, Masoud Mohseni, Josh Mutus, Ofer Naaman, Matthew Neeley, Charles Neill, Murphy Yuezhen Niu, Eric Ostby, Andre Petukhov, John C. Platt, Chris Quintana, Eleanor G. Rieffel, Pedram Roushan, Nicholas C. Rubin, Daniel Sank, Kevin J. Satzinger, Vadim Smelyanskiy, Kevin J. Sung, Matthew D. Trevithick, Amit Vainsencher, Benjamin Villalonga, Theodore White, Z. Jamie Yao, Ping Yeh, Adam Zalcman, Hartmut Neven, and John M. Martinis. Quantum supremacy using a programmable superconducting processor. Nature, 574(7779):505–510, 2019.
[ABK+06] Eric Allender, Harry Buhrman, Michal Koucký, Dieter Van Melkebeek, and Detlef Ronneburger. Power from random strings. SIAM Journal on Computing, 35(6):1467–1493, 2006.
[AD17] Eric Allender and Bireswar Das. Zero knowledge and circuit minimization. Inf. Comput., 256:2–8, 2017.
[Ajt96] Miklós Ajtai. Generating hard instances of lattice problems. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996, pages 99–108, 1996.
[All17] Eric Allender. The complexity of complexity. In Computability and Complexity - Essays Dedicated to Rodney G. Downey on the Occasion of His 60th Birthday, pages 79–94, 2017.
[All20a] Eric Allender. Ker-I Ko and the study of resource-bounded Kolmogorov complexity. In Complexity and Approximation - In Memory of Ker-I Ko, pages 8–18, 2020.
[All20b] Eric Allender. The new complexity landscape around circuit minimization. In Language and Automata Theory and Applications - 14th International Conference, LATA 2020, Milan, Italy, March 4-6, 2020, Proceedings, pages 3–16, 2020.
[Bar17] Boaz Barak. The complexity of public-key cryptography. In Tutorials on the Foundations of Cryptography, pages 45–77. 2017.
[Blu82] Manuel Blum. Coin flipping by telephone - A protocol for solving impossible problems. In COMPCON'82, Digest of Papers, Twenty-Fourth IEEE Computer Society International Conference, San Francisco, California, USA, February 22-25, 1982, pages 133–137. IEEE Computer Society, 1982.
[BM84] Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, 13(4):850–864, 1984.
[BM88] László Babai and Shlomo Moran. Arthur-Merlin games: A randomized proof system, and a hierarchy of complexity classes. J. Comput. Syst. Sci., 36(2):254–276, 1988.
[Cha69] Gregory J. Chaitin. On the simplicity and speed of programs for computing infinite sets of natural numbers. J. ACM, 16(3):407–422, 1969.
[CW79] J. Lawrence Carter and Mark N. Wegman. Universal classes of hash functions. Journal of Computer and System Sciences, 18(2):143–154, 1979.
[DH76] Whitfield Diffie and Martin Hellman. New directions in cryptography. IEEE Transactions on Information Theory, 22(6):644–654, 1976.
[Fei02] Uriel Feige. Relations between average case complexity and approximation complexity. In Proceedings on 34th Annual ACM Symposium on Theory of Computing, May 19-21, 2002, Montréal, Québec, Canada, pages 534–543, 2002.
[FS90] Uriel Feige and Adi Shamir. Witness indistinguishable and witness hiding protocols. In STOC '90, pages 416–426, 1990.
[GGM84] Oded Goldreich, Shafi Goldwasser, and Silvio Micali. On the cryptographic applications of random functions. In CRYPTO, pages 276–288, 1984.
[GKL93] Oded Goldreich, Hugo Krawczyk, and Michael Luby. On the existence of pseudorandom generators. SIAM Journal on Computing, 22(6):1163–1175, 1993.
[GL89] Oded Goldreich and Leonid A. Levin. A hard-core predicate for all one-way functions. In STOC, pages 25–32, 1989.
[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984.
[GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM Journal on Computing, 18(1):186–208, 1989.
[Gol01] Oded Goldreich. Foundations of Cryptography — Basic Tools. Cambridge University Press, 2001.
[Gur89] Yuri Gurevich. The challenger-solver game: variations on the theme of P=NP. In Logic in Computer Science Column, The Bulletin of EATCS. 1989.
[Har83] J. Hartmanis. Generalized Kolmogorov complexity and the structure of feasible computations. In , pages 439–445, Nov 1983.
[HHR06] Iftach Haitner, Danny Harnik, and Omer Reingold. On the power of the randomized iterate. In CRYPTO, pages 22–40, 2006.
[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4):1364–1396, 1999.
[Hir18] Shuichi Hirahara. Non-black-box worst-case to average-case reductions within NP. In , pages 247–258, 2018.
[Hol06] Thomas Holenstein. Pseudorandom generators from one-way functions: A simple construction for any hardness. In TCC, pages 443–461, 2006.
[HRV10] Iftach Haitner, Omer Reingold, and Salil P. Vadhan. Efficiency improvements in constructing pseudorandom generators from one-way functions. Electronic Colloquium on Computational Complexity (ECCC), 17:89, 2010.
[IL89] Russell Impagliazzo and Michael Luby. One-way functions are essential for complexity based cryptography (extended abstract). In , pages 230–235, 1989.
[IL90] Russell Impagliazzo and Leonid A. Levin. No better ways to generate hard NP instances than picking uniformly at random. In , pages 812–821, 1990.
[Imp95] Russell Impagliazzo. A personal view of average-case complexity. In Structure in Complexity Theory '95, pages 134–147, 1995.
[KC00] Valentine Kabanets and Jin-yi Cai. Circuit minimization problem. In Proceedings of the Thirty-Second Annual ACM Symposium on Theory of Computing, May 21-23, 2000, Portland, OR, USA, pages 73–79, 2000.
[Ko86] Ker-I Ko. On the notion of infinite pseudorandom sequences. Theor. Comput. Sci., 48(3):9–33, 1986.
[Kol68] A. N. Kolmogorov. Three approaches to the quantitative definition of information. International Journal of Computer Mathematics, 2(1-4):157–168, 1968.
[Lev85] Leonid A. Levin. One-way functions and pseudorandom generators. In Proceedings of the 17th Annual ACM Symposium on Theory of Computing, May 6-8, 1985, Providence, Rhode Island, USA, pages 363–365, 1985.
[Lev86] Leonid A. Levin. Average case complete problems. SIAM J. Comput., 15(1):285–286, 1986.
[Lev03] L. A. Levin. The tale of one-way functions. Problems of Information Transmission, 39(1):92–103, 2003.
[LV08] Ming Li and Paul M. B. Vitányi. An Introduction to Kolmogorov Complexity and Its Applications. Springer Publishing Company, Incorporated, 3rd edition, 2008.
[Nao91] Moni Naor. Bit commitment using pseudorandomness. J. Cryptology, 4(2):151–158, 1991.
[Ost91] Rafail Ostrovsky. One-way functions, hard on average problems, and statistical zero-knowledge proofs. In Proceedings of the Sixth Annual Structure in Complexity Theory Conference, Chicago, Illinois, USA, June 30 - July 3, 1991, pages 133–138, 1991.
[OW93] Rafail Ostrovsky and Avi Wigderson. One-way functions are essential for non-trivial zero-knowledge. In Theory and Computing Systems, 1993, pages 3–17, 1993.
[Rom90] John Rompel. One-way functions are necessary and sufficient for secure signatures. In STOC, pages 387–394, 1990.
[RSA83] Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman. A method for obtaining digital signatures and public-key cryptosystems (reprint). Commun. ACM, 26(1):96–99, 1983.
[San20] Rahul Santhanam. Pseudorandomness and the minimum circuit size problem. In , pages 68:1–68:26, 2020.
[Sho97] Peter W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J. Comput., 26(5):1484–1509, 1997.
[Sip83] Michael Sipser. A complexity theoretic approach to randomness. In Proceedings of the 15th Annual ACM Symposium on Theory of Computing, 25-27 April, 1983, Boston, Massachusetts, USA, pages 330–335. ACM, 1983.
[Sip96] Michael Sipser. Introduction to the theory of computation. ACM Sigact News, 27(1):27–29, 1996.
[Sol64] R. J. Solomonoff. A formal theory of inductive inference. Part I. Information and Control, 7(1):1–22, 1964.
[Tra84] Boris A. Trakhtenbrot. A survey of Russian approaches to perebor (brute-force searches) algorithms. Annals of the History of Computing, 6(4):384–400, 1984.
[Yao82] Andrew Chi-Chih Yao. Theory and applications of trapdoor functions (extended abstract). In , pages 80–91, 1982.
[YLW15] Yu Yu, Xiangxue Li, and Jian Weng. Pseudorandom generators from regular one-way functions: New constructions with improved parameters. Theor. Comput. Sci., 569:58–69, 2015.
A Proof of Lemma 5.1
In this section we provide a proof of Lemma 5.1. As mentioned in the main body, the proof of this lemma readily follows from the proofs in [HILL99, Gol01, YLW15], but for the convenience of the reader we provide a simple self-contained proof of the lemma (which may be useful for didactic purposes). We start by recalling the Leftover Hash Lemma [HILL99] and the Goldreich-Levin Theorem [GL89].
The Leftover Hash Lemma
We recall the notion of a universal hash function [CW79].
Definition A.1.
Let $\mathcal{H}^n_m$ be a family of functions where $m < n$ and each function $h \in \mathcal{H}^n_m$ maps $\{0,1\}^n$ to $\{0,1\}^m$. We say that $\mathcal{H}^n_m$ is a universal hash family if (i) the functions $h_\sigma \in \mathcal{H}^n_m$ can be described by a string $\sigma$ of $n^c$ bits, where $c$ is a universal constant that does not depend on $n$; and (ii) for all $x \neq x' \in \{0,1\}^n$ and for all $y, y' \in \{0,1\}^m$,
$$\Pr[h_\sigma \leftarrow \mathcal{H}^n_m : h_\sigma(x) = y \text{ and } h_\sigma(x') = y'] = 2^{-2m}.$$

It is well known that truncation preserves pairwise independence; for completeness, we recall the proof:
Lemma A.1. If $\mathcal{H}^n_m$ is a universal hash family and $\ell \le n$, then $\mathcal{H}'^n_\ell = \{[h_\sigma]_\ell : h_\sigma \in \mathcal{H}^n_m\}$, where $[h_\sigma]_\ell$ denotes $h_\sigma$ with its output truncated to the first $\ell$ bits, is also a universal hash family.

Proof: For every $x \neq x' \in \{0,1\}^n$ and $y, y' \in \{0,1\}^\ell$,
$$\Pr[h_\sigma \leftarrow \mathcal{H}^n_m : [h_\sigma(x)]_\ell = y \text{ and } [h_\sigma(x')]_\ell = y'] = \sum_{\substack{z \in \{0,1\}^m \\ [z]_\ell = y}} \ \sum_{\substack{z' \in \{0,1\}^m \\ [z']_\ell = y'}} \Pr[h_\sigma \leftarrow \mathcal{H}^n_m : h_\sigma(x) = z \text{ and } h_\sigma(x') = z'] = 2^{-2\ell},$$
since the double sum has $2^{2(m-\ell)}$ terms and each of them equals $2^{-2m}$ by universality of $\mathcal{H}^n_m$.

Carter and Wegman demonstrate the existence of efficiently computable universal hash function families.
Lemma A.2 ([CW79]). There exists a polynomial-time computable function $H : \{0,1\}^n \times \{0,1\}^{n^c} \to \{0,1\}^n$ such that for every $n$, $\mathcal{H}^n_n = \{h_\sigma : \sigma \in \{0,1\}^{n^c}\}$ is a universal hash family, where $h_\sigma : \{0,1\}^n \to \{0,1\}^n$ is defined as $h_\sigma(x) = H(x, \sigma)$.

We finally recall the Leftover Hash Lemma.

Lemma A.3 (Leftover Hash Lemma (LHL) [HILL99]). For any integers $d < k \le n$, let $\mathcal{H}^n_{k-d}$ be a universal hash family where each $h \in \mathcal{H}^n_{k-d}$ maps $\{0,1\}^n$ to $\{0,1\}^{k-d}$. Then, for any random variable $X$ over $\{0,1\}^n$ such that $H_\infty(X) \ge k$, it holds that
$$\mathrm{SD}\big((H^n_{k-d},\, H^n_{k-d}(X)),\ (H^n_{k-d},\, U_{k-d})\big) \le 2^{-d/2},$$
where $H^n_{k-d}$ denotes a random variable uniformly distributed over $\mathcal{H}^n_{k-d}$.

Hardcore functions and the Goldreich-Levin Theorem
We recall the notion of a hardcore function and the Goldreich-Levin Theorem [GL89].
Definition A.2.
A function $g : \{0,1\}^n \to \{0,1\}^{v(n)}$ is called a hardcore function for $f : \{0,1\}^n \to \{0,1\}^*$ over $S = \{S_n \subseteq \{0,1\}^n\}_{n \in \mathbb{N}}$ if the following ensembles are indistinguishable:
• $\{x \leftarrow S_n : f(x) \| g(x)\}_{n \in \mathbb{N}}$
• $\{x \leftarrow S_n : f(x) \| U_{v(n)}\}_{n \in \mathbb{N}}$

While the Goldreich-Levin theorem is typically stated for one-way functions $f$, it actually applies to any randomized function $f(x, U_m)$ of $x$ that hides $x$. Note that hiding is a weaker property than one-wayness (where the attacker is only required to find some pre-image, not necessarily the pre-image $x$ on which the function was computed). Such a version of the Goldreich-Levin theorem was explicitly stated in e.g. [HHR06] (using somewhat different terminology).

Definition A.3.
A function $f : \{0,1\}^n \times \{0,1\}^{m(n)} \to \{0,1\}^*$ is said to be entropically-hiding over $S = \{S_n\}_{n \in \mathbb{N}}$ ($S$-hiding) if for every PPT algorithm $A$ there exists a negligible function $\mu$ such that for all $n \in \mathbb{N}$,
$$\Pr[x \leftarrow S_n,\ r \leftarrow \{0,1\}^{m(n)} : A(1^n, f(x, r)) = x] \le \mu(n).$$

Theorem A.4 ([GL89], also see Theorem 2.12 in [HHR06]). There exists some $c$ such that for every $\gamma$ and every $m(\cdot)$, there exists a polynomial-time computable function $\mathrm{GL} : \{0,1\}^{n + m(n) + n^c} \to \{0,1\}^{\gamma \log n}$ such that the following holds: Let $S = \{S_n \subseteq \{0,1\}^n\}_{n \in \mathbb{N}}$ and let $f : \{0,1\}^n \times \{0,1\}^{m(n)} \to \{0,1\}^*$ be $S$-hiding. Then $\mathrm{GL}$ is a hardcore function for $f' : \{0,1\}^n \times \{0,1\}^{m(n)} \times \{0,1\}^{n^c} \to \{0,1\}^*$, defined as $f'(x, r, \sigma) = \sigma \| f(x, r)$.

Given these preliminaries, we are ready to present the proof of Lemma 5.1.
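Before turning to the proof, the following added example (not code from the paper) instantiates the preliminaries above: it fixes a concrete family for Definition A.1 (the affine GF(2) family $h_\sigma(x) = Mx \oplus b$; this choice and the seed encoding are assumptions of the example), verifies condition (ii) exhaustively both for the family and for its truncation as in Lemma A.1, and computes the exact statistical distance of Lemma A.3 for a constructed flat source of 16 five-bit strings hashed to two bits, comparing it with the $2^{-d/2}$ bound.

```python
import itertools
from fractions import Fraction

# Added example, not code from the paper. Concrete family assumed here: the
# affine GF(2) family h_sigma(x) = M*x xor b, with seed sigma = (M, b), M an
# m x n bit matrix stored as m row-integers and b an m-bit mask. Seeds are
# enumerated exhaustively, so every probability below is exact.


def parity(v):
    """Parity of the bits of v; for v = row & x this is the GF(2) inner product."""
    return bin(v).count("1") & 1


def h(sigma, x, ell=None):
    """h_sigma(x) as an m-bit integer; with ell set, the truncation [h_sigma(x)]_ell
    (the first ell output bits, as in Lemma A.1)."""
    rows, b = sigma
    m = len(rows)
    out = 0
    for i, r in enumerate(rows):
        out = (out << 1) | (parity(r & x) ^ ((b >> (m - 1 - i)) & 1))
    return out if ell is None else out >> (m - ell)


def seeds(n, m):
    """Every seed of H^n_m: all m x n bit matrices times all m-bit masks."""
    for rows in itertools.product(range(1 << n), repeat=m):
        for b in range(1 << m):
            yield (rows, b)


def is_universal(n, m, ell=None):
    """Definition A.1 checked exhaustively on H^n_m (or on its truncation to ell
    bits): for every x != x' and every (y, y'), the fraction of seeds with
    h(x) = y and h(x') = y' must equal exactly 2^(-2*out)."""
    out = m if ell is None else ell
    all_seeds = list(seeds(n, m))
    target = Fraction(1, 4 ** out)
    for x in range(1 << n):
        for xp in range(1 << n):
            if x == xp:
                continue
            hits = {}
            for s in all_seeds:
                key = (h(s, x, ell), h(s, xp, ell))
                hits[key] = hits.get(key, 0) + 1
            for key in itertools.product(range(1 << out), repeat=2):
                if Fraction(hits.get(key, 0), len(all_seeds)) != target:
                    return False
    return True


def statistical_distance(p, q):
    """SD(p, q) = 1/2 * sum |p(v) - q(v)| for distributions given as dicts."""
    return sum(abs(p.get(v, 0) - q.get(v, 0)) for v in set(p) | set(q)) / 2


def lhl_distance(n, m, support):
    """Exact SD((H, H(X)), (H, U_m)) for X uniform over `support` (a flat source,
    so H_inf(X) = log2 |support|). Because the seed appears in both tuples, the
    joint distance is the average over seeds of SD(h_sigma(X), U_m)."""
    support = list(support)
    uniform = {y: Fraction(1, 1 << m) for y in range(1 << m)}
    all_seeds = list(seeds(n, m))
    total = Fraction(0)
    for s in all_seeds:
        dist = {}
        for x in support:
            y = h(s, x)
            dist[y] = dist.get(y, 0) + Fraction(1, len(support))
        total += statistical_distance(dist, uniform)
    return total / len(all_seeds)


def lhl_bound(k, m):
    """The bound of Lemma A.3, 2^(-d/2) with d = k - m."""
    return 2 ** (-(k - m) / 2)


if __name__ == "__main__":
    # Pairwise independence of H^3_2 and of its 1-bit truncation (Lemma A.1).
    print("H^3_2 universal:", is_universal(3, 2))
    print("[H^3_2]_1 universal:", is_universal(3, 2, ell=1))
    # LHL on n = 5: a constructed flat source of 16 strings (k = 4) hashed to
    # m = 2 bits, so d = 2 and Lemma A.3 promises SD <= 2^(-1).
    dist = lhl_distance(5, 2, range(16))
    print("SD =", dist, "bound =", lhl_bound(4, 2), "ok:", dist <= lhl_bound(4, 2))
```

For the subspace source $\{x < 16\}$ the exact distance is $93/1024 \approx 0.09$ against the bound $1/2$: the image of a 4-dimensional source under a random $2 \times 4$ GF(2) matrix is uniform on a subspace of dimension equal to the matrix's rank, and only rank-deficient matrices (probability $46/256$) contribute to the distance. At these sizes the bound is far from tight. Dropping the mask $b$ breaks condition (ii) immediately, since then $h_\sigma(0) = 0$ for every seed, which is why the check enumerates all $x \neq x'$ including $x = 0$.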
Proof of Lemma 5.1
Let $S = \{S_n\}$ be a sequence of sets such that $S_n \subseteq \{0,1\}^n$, let $s$ be an efficiently computable function such that $s(n) \le \log |S_n|$, and let $f : S_n \to \{0,1\}^n$ be an $S$-OWF with regularity $r(n)$. By Lemma A.2 and Lemma A.1, there exist a constant $c$ and a polynomial-time computable function $H : \{0,1\}^n \times \{0,1\}^{n^c} \to \{0,1\}^n$ such that for every $n$ and every $m \le n$, $\mathcal{H}^n_m = \{h'_\sigma : \sigma \in \{0,1\}^{n^c}\}$ is a universal hash family, where $h'_\sigma = [h_\sigma]_m$ and $h_\sigma(x) = H(x, \sigma)$. We consider a "massaged" function $f_i$, obtained by hashing the input and the output of $f$:
$$f_i : S_n \times \{0,1\}^{n^c} \times \{0,1\}^{n^c} \to \{0,1\}^{2n^c} \times \{0,1\}^{i - \alpha' \log n} \times \{0,1\}^{s(n) - i - \alpha' \log n},$$
$$f_i(x, \sigma_1, \sigma_2) = \sigma_1 \| \sigma_2 \| [h_{\sigma_1}(x)]_{i - \alpha' \log n} \| [h_{\sigma_2}(f(x))]_{s(n) - i - \alpha' \log n},$$
where $n = |x|$, and show that the function $\hat{f}(x, (\sigma_1, \sigma_2)) = f_{r(n)}(x, \sigma_1, \sigma_2)$ is $S$-hiding.

Claim 4. The function $\hat{f}(\cdot, \cdot)$ is $S$-hiding.

Proof: Assume for contradiction that there exist a PPT $A$ and a polynomial $p(\cdot)$ such that for infinitely many $n \in \mathbb{N}$,
$$\Pr[x \leftarrow S_n,\ \sigma_1, \sigma_2 \leftarrow \{0,1\}^{n^c} : A(1^n, f_{r(n)}(x, \sigma_1, \sigma_2)) = x] \ge \frac{1}{p(n)}.$$
That is,
$$\Pr[x \leftarrow S_n,\ \sigma_1, \sigma_2 \leftarrow \{0,1\}^{n^c} : A(1^n, \sigma_1 \| \sigma_2 \| [h_{\sigma_1}(x)]_{r(n) - \alpha' \log n} \| [h_{\sigma_2}(f(x))]_{s(n) - r(n) - \alpha' \log n}) = x] \ge \frac{1}{p(n)}.$$
We show how to use $A$ to invert $f$. Consider the PPT $A'(1^n, y)$ that samples $\sigma_1, \sigma_2 \leftarrow \{0,1\}^{n^c}$ and a "guess" $z \leftarrow \{0,1\}^{r(n) - \alpha' \log n}$, and outputs $A(1^n, \sigma_1 \| \sigma_2 \| z \| [h_{\sigma_2}(y)]_{s(n) - r(n) - \alpha' \log n})$. Since the guess is correct with probability $2^{-r(n) + \alpha' \log n} \ge 2^{-r(n)}$, we have that
$$\Pr[x \leftarrow S_n : A'(1^n, f(x)) = x] \ge \frac{2^{-r(n)}}{p(n)}.$$
Since any $y \in f(S_n)$ has at least $2^{r(n) - 1}$ pre-images (since $f$ is $r(n)$-regular over $S$), and $x$ is uniform among the pre-images of $f(x)$ given $f(x)$, $A'$ returns the particular pre-image $x$ with probability at most $2^{-r(n)+1}$ whenever it returns some pre-image, so
$$\Pr[x \leftarrow S_n : A'(1^n, f(x)) = x] \le \Pr[x \leftarrow S_n : A'(1^n, f(x)) \in f^{-1}(f(x))] \times 2^{-r(n) + 1}.$$
Thus,
$$\Pr[x \leftarrow S_n : A'(1^n, f(x)) \in f^{-1}(f(x))] \ge 2^{r(n) - 1} \times \Pr[x \leftarrow S_n : A'(1^n, f(x)) = x] \ge \frac{1}{2p(n)},$$
which contradicts that $f$ is an $S$-OWF.

Next, consider $f'_i(x, \sigma_1, \sigma_2, \sigma_{GL}) = \sigma_{GL} \| f_i(x, \sigma_1, \sigma_2)$, and the hardcore function $\mathrm{GL}$ guaranteed to exist by Theorem A.4. Since $\hat{f}$ is $S$-hiding, by Theorem A.4 the following ensembles are indistinguishable:
• $\{x \leftarrow S_n,\ \sigma_1, \sigma_2, \sigma_{GL} \leftarrow \{0,1\}^{n^c} : f'_{r(n)}(x, \sigma_1, \sigma_2, \sigma_{GL}) \| \mathrm{GL}(x, (\sigma_1, \sigma_2), \sigma_{GL})\}_{n \in \mathbb{N}}$
• $\{x \leftarrow S_n,\ \sigma_1, \sigma_2, \sigma_{GL} \leftarrow \{0,1\}^{n^c} : f'_{r(n)}(x, \sigma_1, \sigma_2, \sigma_{GL}) \| U_{\gamma' \log n}\}_{n \in \mathbb{N}}$

We finally show that $\{x \leftarrow S_n,\ \sigma_1, \sigma_2, \sigma_{GL} \leftarrow \{0,1\}^{n^c} : f'_{r(n)}(x, \sigma_1, \sigma_2, \sigma_{GL})\}$ is $n^{-\alpha'/2}$-close to uniform for every $n$, which will conclude the proof of both the pseudorandomness and the density properties by a hybrid argument.
Let $X$ be a random variable uniformly distributed over $S_n$, and let $R_1, R_2, R_{GL}$ be random variables uniformly distributed over $\{0,1\}^{n^c}$. Let
$$\mathrm{REAL} = f'_{r(n)}(X, R_1, R_2, R_{GL}) = R_{GL} \| R_1 \| R_2 \| [h_{R_1}(X)]_{r(n) - \alpha' \log n} \| [h_{R_2}(f(X))]_{s(n) - r(n) - \alpha' \log n}.$$
We observe:
• For every $y \in f(S_n)$, $H_\infty(X \mid f(X) = y) \ge r(n) - 1$ since $f$ is $r(n)$-regular; by the LHL (i.e., Lemma A.3), it follows that $\mathrm{REAL}$ is $n^{-\alpha'/2}$-close in statistical distance to
$$\mathrm{HYB}_1 = R_{GL} \| R_1 \| R_2 \| U_{r(n) - \alpha' \log n} \| [h_{R_2}(f(X))]_{s(n) - r(n) - \alpha' \log n}.$$
• $H_\infty(f(X)) \ge s(n) - r(n)$ due to the fact that $f$ is $r(n)$-regular and $|S_n| \ge 2^{s(n)}$; by the LHL, it follows that $\mathrm{HYB}_1$ is $n^{-\alpha'/2}$-close in statistical distance to
$$\mathrm{HYB}_2 = R_{GL} \| R_1 \| R_2 \| U_{r(n) - \alpha' \log n} \| U_{s(n) - r(n) - \alpha' \log n} = U_{s(n) + 3n^c - 2\alpha' \log n}.$$
Thus, $\mathrm{REAL}$ is $n^{-\alpha'/2}$
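As an added example (not code from the paper), the two hybrid steps above can be carried out exactly on a toy regular function. For a constructed $f$ on 8-bit inputs whose pre-image sets have size $2^{r(n)-1}$ or $2^{r(n)}$, the code computes the two min-entropy bounds the argument relies on, the per-$y$ distance $\mathrm{SD}((R_1, [h_{R_1}(X)]), (R_1, U))$ for $X$ uniform on $f^{-1}(y)$ (the step from $\mathrm{REAL}$ to $\mathrm{HYB}_1$), the exact distance for the step from $\mathrm{HYB}_1$ to $\mathrm{HYB}_2$, and compares each with the $2^{-d/2}$ bound of Lemma A.3. The concrete $f$, the 1-bit affine hash family, and the values of $n$, $r(n)$, $s(n)$ and of the quantity standing in for $\alpha' \log n$ are all assumptions of the example; at these sizes the LHL bounds are loose, but the computation shows where each entropy bound enters.

```python
import math
from fractions import Fraction

# Added example, not code from the paper. Toy parameters (all assumptions):
N = 8            # input length n; S_n = {0,1}^8, so s(n) = log|S_n| = 8
S = 8
R = 4            # f is R-regular: every image has between 2^(R-1) and 2^R pre-images
T = 3            # stands in for alpha' * log n, the bits each hash throws away
M1 = R - T       # output length of the hash applied to x     (1 bit here)
M2 = S - R - T   # output length of the hash applied to f(x)  (1 bit here)
# The 1-bit hash below assumes M1 == M2 == 1. The uniform seed R_GL is
# independent of everything else and adds nothing to either distance, so it
# is left out of the computation.


def make_regular_f():
    """Constructed R-regular f on {0,1}^8: 8 images with 16 pre-images each and
    16 images with 8 each (8*16 + 16*8 = 256). Inputs are assigned through the
    bijection x -> 37x + 11 mod 256 so pre-image sets are not aligned subcubes."""
    sizes = [16] * 8 + [8] * 16
    f, x = {}, 0
    for img, size in enumerate(sizes):
        for _ in range(size):
            f[(37 * x + 11) % 256] = img
            x += 1
    return f


def preimages(f):
    """y -> list of x with f(x) = y."""
    pre = {}
    for x, y in f.items():
        pre.setdefault(y, []).append(x)
    return pre


def cond_min_entropy(f):
    """min over y of H_inf(X | f(X) = y) for X uniform: log2 of the smallest
    pre-image set. Regularity guarantees this is at least R - 1."""
    return math.log2(min(len(p) for p in preimages(f).values()))


def image_min_entropy(f):
    """H_inf(f(X)) = -log2 max_y Pr[f(X) = y]. Regularity plus |S_n| = 2^S
    guarantees this is at least S - R."""
    return -math.log2(max(len(p) for p in preimages(f).values()) / (1 << N))


def h1(seed, v):
    """1-bit universal hash <r, v> xor b over GF(2); seed = (r, b)."""
    r, b = seed
    return (bin(r & v).count("1") & 1) ^ b


SEEDS = [(r, b) for r in range(1 << N) for b in (0, 1)]  # all seeds, exhaustive


def sd_from_uniform_bit(ones, total):
    """SD between a 1-bit distribution with Pr[1] = ones/total and U_1."""
    return abs(Fraction(ones, total) - Fraction(1, 2))


def step1_distance(f):
    """REAL -> HYB_1. For each y, the exact SD((R1, h_R1(X)), (R1, U_1)) with X
    uniform on f^{-1}(y), i.e. the average over seeds of the per-seed distance.
    Returns the worst y; Lemma A.3 bounds every y by 2^(-((R-1) - M1)/2)."""
    worst = Fraction(0)
    for pre in preimages(f).values():
        total = sum(sd_from_uniform_bit(sum(h1(s, x) for x in pre), len(pre))
                    for s in SEEDS)
        worst = max(worst, total / len(SEEDS))
    return worst


def step2_distance(f):
    """HYB_1 -> HYB_2: exact SD((R2, h_R2(f(X))), (R2, U_1)) for X uniform on
    {0,1}^N; Lemma A.3 bounds it by 2^(-((S-R) - M2)/2)."""
    pre = preimages(f)
    total = Fraction(0)
    for s in SEEDS:
        ones = sum(len(p) for y, p in pre.items() if h1(s, y) == 1)
        total += sd_from_uniform_bit(ones, 1 << N)
    return total / len(SEEDS)


def lhl_bound(k, m):
    """Lemma A.3: SD <= 2^(-d/2) with d = k - m."""
    return 2 ** (-(k - m) / 2)


def hybrid_check(f):
    """(distance, bound) for each of the two hybrid steps."""
    return ((step1_distance(f), lhl_bound(R - 1, M1)),
            (step2_distance(f), lhl_bound(S - R, M2)))


if __name__ == "__main__":
    f = make_regular_f()
    print("H_inf(X | f(X)=y) >=", cond_min_entropy(f), "(need >=", R - 1, ")")
    print("H_inf(f(X)) =", image_min_entropy(f), "(need >=", S - R, ")")
    for name, (dist, bound) in zip(("REAL~HYB_1", "HYB_1~HYB_2"), hybrid_check(f)):
        print(name, "SD =", float(dist), "bound =", bound, "ok:", dist <= bound)
```

The first step is bounded per $y$ rather than jointly: $\mathrm{REAL}$ and $\mathrm{HYB}_1$ only differ in the hash of $X$, and conditioning on $f(X) = y$ (which fixes the $h_{R_2}$ component) reduces the comparison to an LHL instance on the flat source $f^{-1}(y)$, whose min-entropy is at least $r(n) - 1$ by regularity; the unconditioned distance is at most the average of these. The second step needs no conditioning, since the remaining components are independent and uniform in both hybrids.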