Complete Classification of Bilinear Hard-Core Functions
Thomas Holenstein, Ueli Maurer, and Johan Sjödin
Let $f:\{0,1\}^n\rightarrow\{0,1\}^{l}$ be a one-way function. A function $h: \{0,1\}^n\rightarrow\{0,1\}^m$ is called a hard-core function for $f$ if, when given $f(x)$ for a (secret) $x$ drawn uniformly from $\{0,1\}^n$, it is computationally infeasible to distinguish $h(x)$ from a uniformly random $m$-bit string. A (randomized) function $h: \{0,1\}^n\times\{0,1\}^k \rightarrow\{0,1\}^m$ is a general hard-core function if it is hard-core for every one-way function $f:\{0,1\}^n\rightarrow\{0,1\}^{l}$, where the second input to $h$ is a $k$-bit uniform random string $r$. Hard-core functions are a crucial tool in cryptography, in particular for the construction of pseudo-random generators and pseudo-random functions from any one-way function. The first general hard-core predicate, proposed by Goldreich and Levin, and several subsequently proposed hard-core functions, are bilinear functions in the two arguments $x$ and $r$. In this paper we introduce a parameter of bilinear functions $h: \{0,1\}^n\times\{0,1\}^k \rightarrow\{0,1\}^m$, called exponential rank loss, and prove that it characterizes exactly whether or not $h$ is a general hard-core function. The security proofs for the previously proposed bilinear hard-core functions follow as simple consequences. Our results are obtained by extending the class of list-decodable codes and by generalizing Hast's list-decoding algorithm from the Reed-Muller code to general codes.
BibTeX Citation
@inproceedings{HoMaSj04,
author = {Thomas Holenstein and Ueli Maurer and Johan Sjödin},
title = {Complete Classification of Bilinear Hard-Core Functions},
editor = {Matthew Franklin},
booktitle = {Advances in Cryptology --- CRYPTO 2004},
pages = {73--91},
series = {Lecture Notes in Computer Science},
volume = {3152},
year = {2004},
month = {8},
publisher = {Springer-Verlag},
}