Naor–Reingold pseudorandom function

In 1997, Moni Naor and Omer Reingold described efficient constructions for various cryptographic primitives in private key as well as public-key cryptography. Their result is the construction of an efficient pseudorandom function. Let p and l be prime numbers with l |p−1. Select an element g ∈ [math]\displaystyle{ {\mathbb F_p}^* }[/math] of multiplicative order l. Then for each (n+1)-dimensional vector a = (a₀,a₁, ..., a_n)∈ [math]\displaystyle{ (\mathbb F_{l})^{n+1} }[/math] they define the function

[math]\displaystyle{ f_{a}(x) = g^{a_{0}\cdot a_{1}^{x_{1}} a_{2}^{x_{2}}...a_{n}^{x_{n}}} \in \mathbb F_p }[/math]

where x = x₁ ... x_n is the bit representation of integer x, 0 ≤ x ≤ 2ⁿ⁻¹, with some extra leading zeros if necessary.^[1]

Example

Let p = 7 and l = 3; so l |p−1. Select g = 4 ∈ [math]\displaystyle{ {\mathbb F_7}^* }[/math] of multiplicative order 3 (since 4³ = 64 ≡ 1 mod 7). For n = 3, a = (1, 1, 2, 1) and x = 5 (the bit representation of 5 is 101), we can compute [math]\displaystyle{ f_{a}(5) }[/math] as follows:

[math]\displaystyle{ f_{a}(x) = g^{a_{0}\cdot a_{1}^{x_{1}} a_{2}^{x_{2}}...a_{n}^{x_{n}}} \in \mathbb F_p }[/math]

[math]\displaystyle{ f_{a}(5) = 4^{1\cdot 1^{1} 2^{0} 1^{1}} = 4^{1} = 4 \in \mathbb F_7 }[/math]

Efficiency

The evaluation of function [math]\displaystyle{ f_{a}(x) }[/math] in the Naor–Reingold construction can be done very efficiently. Computing the value of the function [math]\displaystyle{ f_{a}(x) }[/math] at any given point is comparable with one modular exponentiation and n-modular multiplications. This function can be computed in parallel by threshold circuits of bounded depth and polynomial size.

The Naor–Reingold function can be used as the basis of many cryptographic schemes including symmetric encryption, authentication and digital signatures.

Security of the function

Assume that an attacker sees several outputs of the function, e.g. [math]\displaystyle{ f_{a}(1) = g^{a_{1}}, f_{a}(2) = g^{a_{2}}, f_{a}(3) = g^{a_{1}a_{2}} }[/math], ... [math]\displaystyle{ f_{a}(k) = g^{a_{1}^{x_{1}} a_{2}^{x_{2}}...a_{n}^{x_{n}}} }[/math] and wants to compute [math]\displaystyle{ f_{a}(k + 1) }[/math]. Assume for simplicity that x₁ = 0, then the attacker needs to solve the computational Diffie–Hellman (CDH) between [math]\displaystyle{ f_a (1)= g^{a_{1}} }[/math] and [math]\displaystyle{ f_{a}(k) = g^{a_{2}^{x_{2}} ...a_{n}^{x_{n}}} }[/math] to get [math]\displaystyle{ f_{a}(k+1) = g^{a_{1}a_{2}^{x_{2}} \dots a_{n}^{x_{n}}} }[/math]. In general, moving from k to k + 1 changes the bit pattern and unless k + 1 is a power of 2 one can split the exponent in [math]\displaystyle{ f_{a}(k + 1) }[/math] so that the computation corresponds to computing the Diffie–Hellman key between two of the earlier results. This attacker wants to predict the next sequence element. Such an attack would be very bad—but it's also possible to fight it off by working in groups with a hard Diffie–Hellman problem (DHP).

Example: An attacker sees several outputs of the function e.g. [math]\displaystyle{ f_{a}(5) = 4^{1^{1} 2^{0} 1^{1}} = 4^{1} = 4 }[/math], as in the previous example, and [math]\displaystyle{ f_{a}(1) = 4^{1^{0} 2^{0} 1^{1}} = 4^{1} = 4 }[/math]. Then, the attacker wants to predict the next sequence element of this function, [math]\displaystyle{ f_{a}(6) }[/math]. However, the attacker cannot predict the outcome of [math]\displaystyle{ f_{a}(6) }[/math] from knowing [math]\displaystyle{ f_{a}(1) }[/math] and [math]\displaystyle{ f_{a}(5) }[/math].

There are other attacks that would be very bad for a pseudorandom number generator: the user expects to get random numbers from the output, so of course the stream should not be predictable, but even more, it should be indistinguishable from a random string. Let [math]\displaystyle{ \mathcal{A}^f }[/math] denote the algorithm [math]\displaystyle{ \mathcal{A} }[/math] with access to an oracle for evaluating the function [math]\displaystyle{ f_{a}(x) }[/math] . Suppose the decisional Diffie–Hellman assumption holds for [math]\displaystyle{ \mathbb F_p }[/math], Naor and Reingold show that for every probabilistic polynomial time algorithm [math]\displaystyle{ \mathcal{A} }[/math] and sufficiently large n

[math]\displaystyle{ \text{Pr }[\mathcal{A}^{f_{a}(x)}(p,g) \to 1] - \text{Pr }[\mathcal{A}^{R} (p,g)\to 1] }[/math] is negligible.

The first probability is taken over the choice of the seed s = (p, g, a) and the second probability is taken over the random distribution induced on p, g by [math]\displaystyle{ \mathcal{I}\mathcal{G} (n) }[/math], instance generator, and the random choice of the function [math]\displaystyle{ R_{a}(x) }[/math] among the set of all [math]\displaystyle{ \{0,1\}^{n} \to \mathbb F_p }[/math] functions.^[2]

Linear complexity

One natural measure of how useful a sequence may be for cryptographic purposes is the size of its linear complexity. The linear complexity of an n-element sequence W(x), x = 0,1,2,...,n – 1, over a ring [math]\displaystyle{ \mathcal{R} }[/math] is the length l of the shortest linear recurrence relation W(x + l) = A_l−1 W(x +l−1) + ... + A₀ W(x), x = 0,1,2,..., n – l −1 with A₀, ..., A_l−1 ∈ [math]\displaystyle{ \mathcal{R} }[/math], which is satisfied by this sequence.

For some [math]\displaystyle{ \gamma }[/math] > 0,n ≥ (1+ [math]\displaystyle{ \gamma }[/math]) [math]\displaystyle{ \log l }[/math], for any [math]\displaystyle{ \delta \gt 0 }[/math], sufficiently large l, the linear complexity of the sequence [math]\displaystyle{ f_{a}(x) }[/math],0 ≤ x ≤ 2^n-1, denoted by [math]\displaystyle{ L_a }[/math] satisfies

[math]\displaystyle{ L_{a} \geqslant \begin{cases} l^{1-\ \delta\,\!} &\text{, if } \gamma\,\! \geqslant 2\\ l^{\left (\tfrac{\ \gamma\,\!}{2-\ \delta\,\!}\right )} &\text{, if } \gamma\,\! \lt 2 \end{cases} }[/math]

for all except possibly at most [math]\displaystyle{ 3(l - 1)^{n - \delta} }[/math] vectors a ∈ [math]\displaystyle{ (\mathbb F_{l})^{n} }[/math].^[3] The bound of this work has disadvantages, namely it does not apply to the very interesting case [math]\displaystyle{ \log p \approx \log n \approx {n.} }[/math]

Uniformity of distribution

The statistical distribution of [math]\displaystyle{ f_{a}(x) }[/math] is exponentially close to uniform distribution for almost all vectors a ∈ [math]\displaystyle{ (\mathbb F_{l})^{n} }[/math].

Let [math]\displaystyle{ {\mathbf D}_a }[/math] be the discrepancy of the set [math]\displaystyle{ \{f_a (x)| 0 \leq x \leq 2^{n-1}\} }[/math]. Thus, if [math]\displaystyle{ n = \log p }[/math] is the bit length of p then for all vectors a ∈ [math]\displaystyle{ (\mathbb F_{l})^{n} }[/math] the bound [math]\displaystyle{ {\mathbf D}_a\leq \Delta (l,p) }[/math] holds, where

[math]\displaystyle{ \Delta (l,p) = \begin{cases} p^{\left (\tfrac{1-\ \gamma\,\!}{2}\right )}l^{\left (\tfrac{-1}{2}\right )}\log^{2}p &\text{ if } l \geqslant p^{\gamma\,\!}\\ p^{\left (\tfrac{1}{2}\right )}l^{-1}\log^{2}p &\text{ if } p^{\gamma\,\!} \gt l \geqslant p^{\left (\tfrac{2}{3}\right )} \\ p^{\left (\tfrac{1}{4}\right )}l^{\left (\tfrac{-5}{8}\right )}\log^{2}p &\text{ if } p^{\left (\tfrac{2}{3}\right )} \gt l \geqslant p^{\left (\tfrac{1}{2}\right )} \\ p^{\left (\tfrac{1}{8}\right )}l^{\left (\tfrac{-3}{8}\right )}\log^{2}p &\text{ if } p^{\left (\tfrac{1}{2}\right )} \gt l \geqslant p^{\left (\tfrac{1}{3}\right )} \\ \end{cases} }[/math]

and

[math]\displaystyle{ \gamma = 2.5 - \log 3 = 0.9150\cdots }[/math]

Although this property does not seem to have any immediate cryptographic implications, the inverse fact, namely non uniform distribution, if true would have disastrous consequences for applications of this function.^[4]

Sequences in elliptic curve

The elliptic curve version of this function is of interest as well. In particular, it may help to improve the cryptographic security of the corresponding system. Let p > 3 be prime and let E be an elliptic curve over [math]\displaystyle{ \mathbb F_p }[/math], then each vector a defines a finite sequence in the subgroup [math]\displaystyle{ \langle G\rangle }[/math] as:

[math]\displaystyle{ F_{a}(x) = (a_{1}^{x_{1}} a_{2}^{x_{2}}\dots a_{n}^{x_{n}})G }[/math]

where [math]\displaystyle{ x = x_1 \dots x_n }[/math] is the bit representation of integer [math]\displaystyle{ x, 0 \leq x \leq 2^{n-1} }[/math]. The Naor–Reingold elliptic curve sequence is defined as

[math]\displaystyle{ u_{k} = X (f_{a}(k))\; \mbox{where } X (P) \mbox{ is the abscissa of}\; P \in E. }[/math]^[5]

If the decisional Diffie–Hellman assumption holds, the index k is not enough to compute [math]\displaystyle{ u_k }[/math] in polynomial time, even if an attacker performs polynomially many queries to a random oracle.https://en.wikipedia.org/wiki/Elliptic_curve

See also

• Decisional Diffie–Hellman assumption
• Finite field
• Inversive congruential generator
• Generalized inversive congruential pseudorandom numbers

Notes

References

• Naor, Moni; Reingold, Omer (2004), "Number-theoretic constructions of efficient pseudo-random functions", Journal of the Association for Computing Machinery 51 (2): 231–262, doi:10.1145/972639.972643 .
• Shparlinski, Igor (2003), Cryptographic Applications of Analytic Number Theory: Complexity Lower Bounds and Pseudorandomness (first ed.), Birkhäuser Basel, ISBN 978-3-7643-6654-4 
• Goldreich, Oded (1998), Modern Cryptography, Probabilistic Proofs and Pseudorandomness (first ed.), Springer, ISBN 978-3-540-64766-9 

0.00 (0 votes) Original source: https://en.wikipedia.org/wiki/Naor–Reingold pseudorandom function. Read more