On the Power of the Randomized Iterate

Abstract

We consider two of the most fundamental theorems in cryptography. The first, due to Håstad et al. [SIAM J. Comput., 28 (1999), pp. 1364–1396] is that pseudorandom generators can be constructed from any one-way function. The second, due to Yao [Proceedings of the $23$rd Annual Symposium on Foundations of Computer Science (FOCS), 1982, pp. 80–91], states that the existence of weak one-way functions implies the existence of full-fledged one-way functions. These powerful plausibility results shape our understanding of hardness and randomness in cryptography, but unfortunately their proofs are not as tight (i.e., security preserving) as one may desire. This work revisits a technique that we call the randomized iterate, introduced by Goldreich, Krawczyk, and Luby [SIAM J. Comput., 22 (1993), pp. 1163–1175]. This technique was used by Goldreich, Krawczyk, and Luby [SIAM J. Comput., 22 (1993), pp. 1163–1175] to give a construction of pseudorandom generators from regular one-way functions. We simplify and strengthen this technique in order to obtain a similar construction, where the seed length of the resulting generators is as short as $\Theta(n \log n)$ (rather than $\Theta(n^3)$ achieved by Goldreich, Krawczyk, and Luby [SIAM J. Comput., 22 (1993), pp. 1163–1175]). Our technique has the potential of implying seed length $\Theta(n)$, and the only bottleneck for such a result are the parameters of current generators against bounded-space computations. We give a construction with similar parameters for security amplification of regular one-way functions. This improves upon the construction of Goldreich et al. [Proceedings of the $31$st Annual Symposium on Foundations of Computer Science, (FOCS), 1990, pp. 318–326] in that the construction does not need to “know" the regularity parameter of the functions (in terms of security, the two reductions are incomparable). In addition, we use the randomized iterate to show a construction of a pseudorandom generator based on an exponentially hard one-way function that has a seed length of only $\Theta(n^2)$. This improves a recent result of Holenstein [Proceedings of the Theory of Cryptography, Third Theory of Cryptography Conference (TCC), 2006] that shows a construction with seed length $\Theta(n^5)$ based on such one-way functions. Finally, we show that the randomized iterate may even be useful in the general context of Håstad et al. [SIAM J. Comput., 28 (1999), pp. 1364–1396]. In particular, we use the randomized iterate to replace the basic building block of the Håstad et al. [SIAM J. Comput., 28 (1999), pp. 1364–1396] construction. Interestingly, this modification improves efficiency by an $\Theta(n^2)$ factor and reduces the seed length to $\Theta(n^7)$ (which also implies improvement in the security of the construction).