Paper 2017/312

Limits on Low-Degree Pseudorandom Generators (Or: Sum-of-Squares Meets Program Obfuscation)

Boaz Barak, Zvika Brakerski, Ilan Komargodski, and Pravesh K. Kothari

Abstract

Consider a pseudorandom generator $G$ with $m$ outputs, whose seed contains $n$ blocks of $b$ bits each. Further, assume that this PRG has block-locality $\ell$, i.e. each output bit depends on at most $\ell$ out of the $n$ blocks. The question of the maximum stretch $m$ that such PRGs can have, as a function of $n,b,\ell$ recently emerged in the context of constructing provably secure program obfuscation. It also relates to the question of refuting constraint satisfaction problems on predicates with large alphabets in complexity theory. We show that such $$-block local PRGs can have output length at most $$, by presenting a polynomial time algorithm that distinguishes inputs of the form $$ (for any $$) from inputs where each coordinate is sampled independently according to the marginal distributions of the coordinates of $$. As a corollary, we refute some conjectures recently made in the context of constructing provably secure indistinguishability obfuscation (iO). This includes refuting the assumptions underlying Lin and Tessaro's \cite{LinT17} recently proposed candidate iO from bilinear maps. Specifically, they assumed the existence of a secure pseudorandom generator $$ as above for large enough $$ with $$. (Following this work, and an independent work of Lombardi and Vaikuntanthan \cite{LombardiV17a}, Lin and Tessaro retracted the bilinear maps based candidate from their manuscript.) Our results follow from a general framework that handles more general class of pseudorandom generators. Namely they work even if the outputs are not binary valued and are computed using low-degree polynomial over $$ (instead of the more restrictive local/block-local assumption). Specifically, we prove that for every function $$ ($$ = reals), if every output of $$ is a polynomial (over the real numbers $$) of degree at most $$ of at most $$ monomials and $$, then there is a polynomial time algorithm for the distinguishing task above. This implies that any such map $$ cannot be a pseudorandom generator. Our results yield, in particular, that natural modifications to notion of generators that are still sufficient for obtaining indistinguishability obfuscation from bilinear maps run into similar barriers. Our algorithms follow the Sum of Squares (SoS) paradigm, and in most cases can even be defined more simply using a semidefinite program. We complement our algorithm by presenting a class of candidate generators with block-wise locality $$ and constant block size, that resists both Gaussian elimination and sum of squares (SOS) algorithms whenever $$. This class is extremely easy to describe: Let $$ be any simple non-abelian group with the group operation ``$$'', and interpret the blocks of $$ as elements in $$. The description of the pseudorandom generator is a sequence of $$ triples of indices $$ chosen at random and each output of the generator is of the form $$.