Constructing a Pseudorandom Generator Requires an Almost Linear Number of Calls

Abstract: We show that a black-box construction of a pseudorandom generator from a one-way function needs to make Ω( n log(n) ) calls to the underlying one-way function. The bound even holds if the one-way function is guaranteed to be regular. In this case it matches the best known construction due to Goldreich, Krawczyk, and Luby (SIAM J. Comp. 22, 1993), which uses O( n log(n) ) calls.

“…uniform distribution over Y), which costs n random bits despite that the entropy of Y may be far less than n. Quite naturally (following [23,3]), the construction invests n bits (to sample a random y←f (U n )) at initialization, runs g in iterations, and outputs O(log (1/ε)) bits per iteration. The stretch becomes positive after O(n/ log (1/ε)) iterations, which matches the lower bounds of [16]. The seed length remains of order Θ(n) by reusing the coins for universal hash and G-L functions at every iteration, thanks to the hybrid argument.…”

“…Therefore, for any unknown-regular OWF with known hardness, we obtain a PRG with linear seed length, and by letting s ∈ Θ(log(1/εn)) the number of calls ∈ Θ(n/s) = Θ(n/ log(1/εn)) matches the lower bound of [16]. This extends to the general case (where the hardness parameter is unknown) by repetition.…”

“…From another perspective, the merge would remove the dependency on the regularity and thus result in a generic construction that does a single call to any unknown regular OWFs, which is a contradiction to [16]. Furthermore, it seems necessary to extract from X at least twice, namely, using h 2 and h c to get statistically and computationally random bits respectively.…”

“…Let us mention all aforementioned approaches are characterized by a parallel construction, namely, they run sufficiently many independent copies of the underlying OWFs (rather than running a single trail and feeding its output back to the input iteratively) and there seems an inherent lower bound on the number of copies needed. This is recently formalized by Holenstein and Sinha [16], in particular, they showed that any black-box construction of a PRG from an arbitrary OWF f requires Ω(n/ log n) calls to f in general. 2 PRGs from Special OWFs.…”

“…We are also grateful to Thomas Holenstein for clarifying his lower bound results [16] at the very early stage of this work. We thank the anonymous reviewers of ASIACRYPT 2013 for very helpful comments and suggestions that significantly improve the presentations of the PRG constructions.…”

Pseudorandom generators from regular one-way functions: New constructions with improved parameters

“…uniform distribution over Y), which costs n random bits despite that the entropy of Y may be far less than n. Quite naturally (following [23,3]), the construction invests n bits (to sample a random y←f (U n )) at initialization, runs g in iterations, and outputs O(log (1/ε)) bits per iteration. The stretch becomes positive after O(n/ log (1/ε)) iterations, which matches the lower bounds of [16]. The seed length remains of order Θ(n) by reusing the coins for universal hash and G-L functions at every iteration, thanks to the hybrid argument.…”

“…Therefore, for any unknown-regular OWF with known hardness, we obtain a PRG with linear seed length, and by letting s ∈ Θ(log(1/εn)) the number of calls ∈ Θ(n/s) = Θ(n/ log(1/εn)) matches the lower bound of [16]. This extends to the general case (where the hardness parameter is unknown) by repetition.…”

“…From another perspective, the merge would remove the dependency on the regularity and thus result in a generic construction that does a single call to any unknown regular OWFs, which is a contradiction to [16]. Furthermore, it seems necessary to extract from X at least twice, namely, using h 2 and h c to get statistically and computationally random bits respectively.…”

“…Let us mention all aforementioned approaches are characterized by a parallel construction, namely, they run sufficiently many independent copies of the underlying OWFs (rather than running a single trail and feeding its output back to the input iteratively) and there seems an inherent lower bound on the number of copies needed. This is recently formalized by Holenstein and Sinha [16], in particular, they showed that any black-box construction of a PRG from an arbitrary OWF f requires Ω(n/ log n) calls to f in general. 2 PRGs from Special OWFs.…”

“…We are also grateful to Thomas Holenstein for clarifying his lower bound results [16] at the very early stage of this work. We thank the anonymous reviewers of ASIACRYPT 2013 for very helpful comments and suggestions that significantly improve the presentations of the PRG constructions.…”

Pseudorandom generators from regular one-way functions: New constructions with improved parameters

On the Query Complexity of Constructing PRFs from Non-adaptive PRFs

Simple Constructions from (Almost) Regular One-Way Functions