TY - JOUR
T1 - A Dichotomy for Local Small-Bias Generators
AU - Applebaum, Benny
AU - Bogdanov, Andrej
AU - Rosen, Alon
N1 - Publisher Copyright: © 2015, International Association for Cryptologic Research.
PY - 2016/7/1
Y1 - 2016/7/1
N2 - We consider pseudorandom generators in which each output bit depends on a constant number of input bits. Such generators have appealingly simple structure: They can be described by a sparse input–output dependency graph G and a small predicate P that is applied at each output. Following the works of Cryan and Miltersen (MFCS’01) and by Mossel et al. (STOC’03), we ask: which graphs and predicates yield “small-bias” generators (that fool linear distinguishers)? We identify an explicit class of degenerate predicates and prove the following. For most graphs, all non-degenerate predicates yield small-bias generators, f: {0,1}^n → {0,1}^m, with output length m = n^{1+ϵ} for some constant ϵ > 0. Conversely, we show that for most graphs, degenerate predicates are not secure against linear distinguishers, even when the output length is linear m = n + Ω(n). Taken together, these results expose a dichotomy: Every predicate is either very hard or very easy, in the sense that it either yields a small-bias generator for almost all graphs or fails to do so for almost all graphs. As a secondary contribution, we attempt to support the view that small-bias is a good measure of pseudorandomness for local functions with large stretch. We do so by demonstrating that resilience to linear distinguishers implies resilience to a larger class of attacks.
AB - We consider pseudorandom generators in which each output bit depends on a constant number of input bits. Such generators have appealingly simple structure: They can be described by a sparse input–output dependency graph G and a small predicate P that is applied at each output. Following the works of Cryan and Miltersen (MFCS’01) and by Mossel et al. (STOC’03), we ask: which graphs and predicates yield “small-bias” generators (that fool linear distinguishers)? We identify an explicit class of degenerate predicates and prove the following. For most graphs, all non-degenerate predicates yield small-bias generators, f: {0,1}^n → {0,1}^m, with output length m = n^{1+ϵ} for some constant ϵ > 0. Conversely, we show that for most graphs, degenerate predicates are not secure against linear distinguishers, even when the output length is linear m = n + Ω(n). Taken together, these results expose a dichotomy: Every predicate is either very hard or very easy, in the sense that it either yields a small-bias generator for almost all graphs or fails to do so for almost all graphs. As a secondary contribution, we attempt to support the view that small-bias is a good measure of pseudorandomness for local functions with large stretch. We do so by demonstrating that resilience to linear distinguishers implies resilience to a larger class of attacks.
KW - Dichotomy
KW - Local functions
KW - NC0
KW - Small-bias generator
UR - http://www.scopus.com/inward/record.url?scp=84927546091&partnerID=8YFLogxK
U2 - 10.1007/s00145-015-9202-8
DO - 10.1007/s00145-015-9202-8
M3 - Article
AN - SCOPUS:84927546091
SN - 0933-2790
VL - 29
SP - 577
EP - 596
JO - Journal of Cryptology
JF - Journal of Cryptology
IS - 3
ER -