From NC1 OWF to NC0 OWF

1
From NC1 OWF to NC0 OWF
2
Recap

• Let f(x) be an NC1 OWF.
• We have constructed an f(x,r) such that
• Given f(x), it is easy to sample f(x,Um)
• For any x, r, we can easily deduce f(x) from
  f(x, r)
• ? If f(x)!f(y), f(x,?) and f(y,?) are
  disjoint.

3
Goal

• Prove that f is one way.
• Prove that f is computable in NC0.

4
f is one way

• Assume that f is not one way, we show f is not,
  either.
• Given f(x) where xUn,
• sample f(x, Um)
• Use the inverter of f to invert the output of
  Step 1. This outputs a (x, r)
• Output x

5
f is one way

• Assume that f is not one way, we show f is not,
  either.
• Given f(x) where xUn,
• sample f(x, Um)
• Use the inverter of f to invert the output of
  Step 1. This outputs a (x, r)
• Output x

Distributed as f(Un, Um).
6
f is one way

• Assume that f is not one way, we show f is not,
  either.
• Given f(x) where xUn,
• sample f(x, Um)
• Use the inverter of f to invert the output of
  Step 1. This outputs a (x, r)
• Output x

Distributed as f(Un, Um).
If the inversion succeeds, f(x, r)f(x, Um)
? f(x)f(x)!
7
Theorem. If f is an NC1 one way function, f is
an NC04 one way function.
8
From NC1 PRG to NC0 PRG
9
Almost the same as in the case for OWF!
10
Recap

• Let G(x) be an NC1 PRG, with stretch l.
• We have constructed an G(x,r) such that
• Given f(x), it is easy to sample f(x,Um)
• The above sampler (denoted S) is length regular
  and outputs uniformly random bits on Ul.
• For any x, r, we can easily deduce G(x) from
  G(x, r)

11
The proof

• If G is not a PRG, let M be a distinguisher from
  G(Un, Um) to Ut
• On input y, supposedly G(Un) or Ul
• Compute S(y)
• Output M(S(y))

S(y) is G(Un,Um) if y is G(Un) Ut if y is Ul.
12
The proof

• If G is not a PRG, let M be a distinguisher from
  G(Un) to Ul
• On input y, supposedly G(Un) or Ul
• Compute S(y)
• Output M(S(y))

Distinguishable!
S(y) is G(Un,Um) if y is G(Un) Ut if y is Ul.
13
Proof complete?

• We have shown that G(Un, Um) must be
  indistinguishable from Ut.
• We must also show that G stretches its input!

14
L(x) for the BP of the 1st bit of G

L(x) for the BP of the last bit of G
15

L(x) for the BP of the 1st bit of G
Identifying the input bits excluding x.
L(x) for the BP of the last bit of G
16


L(x) for the BP of the 1st bit of G
L(x) for the BP of the 1st bit of G
Identifying the output bits excluding x.

L(x) for the BP of the last bit of G
17

L(x) for the BP of the 1st bit of G
L(x) for the BP of the 1st bit of G
Suppose for a moment we are outputting the upper
triangular matrices only.
L(x) for the BP of the last bit of G
18

L(x) for the BP of the 1st bit of G
L(x) for the BP of the 1st bit of G
Additive stretch is preserved!
L(x) for the BP of the last bit of G
19
This entry will correspond to outputs (T1-r1,
T2-r2, , Tk-rk, r1-r1, r1r2-r2,,
rk-2rk-2-rk-1, rk-1rk), a total of 2k bits.
20
Thus, in the actual G, there are 2k-1 more bits
corresponding to this entry.
21
Thus, in the actual G, there are 2k-1 more bits
corresponding to this entry. There are, however,
2k-1 more inputs bits r1,r2,,rk,r1,r2,,rk-1.
22
G has the same additive stretch as G

• So G also stretches its input. ?

23
Theorem. If G is an NC1 PRG, then G is an NC04
PRG.