ACT 1

Slides by Vera Asodi & Tomer Naveh.

Updated by: Avi Ben-Aroya & Alon Brook

Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis, Boris Temkin and Il’ya Safro.

ACT 2

Introduction

In this lecture we’ll cover:

  • Definition of pseudorandom generators
  • Computational indistinguishability
  • Statistical closeness
  • Multiple samples
  • Application of pseudorandom generators
  • Amplification of the stretch function
  • One-way functions
  • Hard-core predicates

ACT 3

Definition of PRG

A Pseudorandom Generator is an efficient program which stretches short random seeds into long pseudorandom sequences.

[Figure: a short seed is stretched by the PRG into a pseudorandom sequence; an efficient algorithm that compares it with a truly random sequence concludes “Mmmm… They look the same to me!”]

ACT 4

Computational Indistinguishability

Def: A probability ensemble X is a family X = {X_n}_{n∈N} such that X_n is a probability distribution on some finite domain.

Def: Two probability ensembles, {X_n}_{n∈N} and {Y_n}_{n∈N}, are called computationally indistinguishable if for any probabilistic polynomial-time algorithm A, for any positive polynomial p(.), and for all sufficiently large n’s

$$\left|\Pr_{x \leftarrow X_n}[A(x)=1] - \Pr_{y \leftarrow Y_n}[A(y)=1]\right| < \frac{1}{p(n)}$$

(13.1)

ACT 5

Defining PRG

Def: A deterministic polynomial-time algorithm G is called a pseudorandom generator if there exists a stretching function l: N → N, s.t. the following two probability ensembles, denoted {G_n}_{n∈N} and {R_n}_{n∈N}, are computationally indistinguishable:

1. Distribution G_n is defined as the output of G on a uniformly selected seed in {0,1}^n.

2. Distribution R_n is defined as the uniform distribution on {0,1}^{l(n)}.

(13.2)

ACT 6

Statistical Closeness

Def (statistical closeness): The statistical difference between two distributions, X and Y, is defined as

$$\Delta(X,Y) = \frac{1}{2}\sum_{\alpha}\left|\Pr[X=\alpha] - \Pr[Y=\alpha]\right|$$

Two probability ensembles {X_n}_{n∈N} and {Y_n}_{n∈N} are statistically close if for all polynomials p(.) and for all sufficiently large n

$$\Delta(X_n, Y_n) < \frac{1}{p(n)}$$

Prop: If two probability ensembles are statistically close then they are computationally indistinguishable.

(13.3)

ACT 7

Poly-time Constructible

Def: An ensemble {Z_n}_{n∈N} is probabilistic polynomial-time constructible if there exists a probabilistic polynomial-time algorithm S such that for every n, S(1^n) = Z_n (i.e., the output of S on input 1^n is distributed as Z_n).

(13.4)

ACT 8

Independent Samples

Thm: Let {X_n} and {Y_n} be computationally indistinguishable and probabilistic polynomial-time constructible. Let t(.) be a positive polynomial. Define {X_n’} and {Y_n’} as follows:

$$X_n' = X_n^{(1)}\, X_n^{(2)} \cdots X_n^{(t(n))}, \qquad Y_n' = Y_n^{(1)}\, Y_n^{(2)} \cdots Y_n^{(t(n))}$$

where the X_n^{(i)}’s (Y_n^{(i)}’s) are independent copies of X_n (Y_n). Then {X_n’} and {Y_n’} are computationally indistinguishable.

ACT 9

Hybrid Distribution

Proof: Assume a distinguisher D for {X_n’} and {Y_n’} s.t.

$$\left|\Pr_{x \leftarrow X_n'}[D(x)=1] - \Pr_{y \leftarrow Y_n'}[D(y)=1]\right| \ge \frac{1}{p(n)}$$

for a polynomial p(.) and all sufficiently large n’s. Define the hybrid distributions for 0 ≤ i ≤ t(n):

$$H_n^{(i)} = \left(X_n^{(1)}\, X_n^{(2)} \cdots X_n^{(i)}\, Y_n^{(i+1)} \cdots Y_n^{(t(n))}\right)$$

Note that H_n^{(0)} = Y_n’ and H_n^{(t(n))} = X_n’.

Define an algorithm D’ as follows: for α taken from X_n or Y_n,

$$D'(\alpha) = D\left(X_n^{(1)}\, X_n^{(2)} \cdots X_n^{(i-1)}\, \alpha\, Y_n^{(i+1)} \cdots Y_n^{(t(n))}\right)$$

where i is chosen uniformly in {1, 2, …, t(n)}.

ACT 10

Hybrid Argument

Therefore,

$$\Pr_{x \leftarrow X_n}[D'(x)=1] = \sum_{i=1}^{t(n)} \frac{1}{t(n)} \Pr_{x \leftarrow X_n}\left[D\left(X_n^{(1)} \cdots X_n^{(i-1)}\, x\, Y_n^{(i+1)} \cdots Y_n^{(t(n))}\right)=1\right] = \frac{1}{t(n)} \sum_{i=1}^{t(n)} \Pr_{x' \leftarrow H_n^{(i)}}[D(x')=1]$$

and

$$\Pr_{y \leftarrow Y_n}[D'(y)=1] = \sum_{i=1}^{t(n)} \frac{1}{t(n)} \Pr_{y \leftarrow Y_n}\left[D\left(X_n^{(1)} \cdots X_n^{(i-1)}\, y\, Y_n^{(i+1)} \cdots Y_n^{(t(n))}\right)=1\right] = \frac{1}{t(n)} \sum_{i=1}^{t(n)} \Pr_{y' \leftarrow H_n^{(i-1)}}[D(y')=1]$$

The first equality in each line holds because, according to the definition of D’, i is chosen uniformly from {1..t(n)}; the second follows from the definition of H_n^{(i)}. Note: in the second line only the first i-1 positions carry X’s, so we get H_n^{(i-1)}.

ACT 11

Hybrid Argument

Thus,

$$\left|\Pr_{x \leftarrow X_n}[D'(x)=1] - \Pr_{y \leftarrow Y_n}[D'(y)=1]\right| = \frac{1}{t(n)}\left|\sum_{i=1}^{t(n)}\left(\Pr_{x' \leftarrow H_n^{(i)}}[D(x')=1] - \Pr_{y' \leftarrow H_n^{(i-1)}}[D(y')=1]\right)\right|$$

$$= \frac{1}{t(n)}\left|\Pr_{x' \leftarrow H_n^{(t(n))}}[D(x')=1] - \Pr_{y' \leftarrow H_n^{(0)}}[D(y')=1]\right| = \frac{1}{t(n)}\left|\Pr_{x' \leftarrow X_n'}[D(x')=1] - \Pr_{y' \leftarrow Y_n'}[D(y')=1]\right| \ge \frac{1}{t(n)\,p(n)}$$

It’s a telescopic sum, so D’ distinguishes {X_n} from {Y_n} with advantage at least 1/(t(n)p(n)), contradicting the hypothesis that they are computationally indistinguishable.

ACT 12

Application of PRG

Let A be a probabilistic algorithm, and ρ(n) denote a polynomial upper bound on its randomness complexity. Let A(x,r) denote the output of A on input x and coin tosses sequence r ∈ {0,1}^{ρ(n)}. Let G be a pseudorandom generator with stretching function l: N → N.

Then A_G is a randomized algorithm that, on input x:

  • Sets k = k(|x|) to be the smallest integer s.t. l(k) ≥ ρ(|x|)
  • Uniformly selects s ∈ {0,1}^k
  • Outputs A(x,r), where r is the ρ(|x|)-bit long prefix of G(s)

(13.5)

ACT 13

Application of PRG (2)

Thm: Let A and G be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder F and a distinguisher D, every positive polynomial p(.) and all sufficiently large n’s

$$\Pr\left[\Delta_{A,D}\big(F(1^n)\big) > \frac{1}{p(n)}\right] < \frac{1}{p(n)}, \qquad F(1^n) \in \{0,1\}^n$$

where

$$\Delta_{A,D}(x) = \left|\Pr_{r \leftarrow U_{\rho(n)}}\left[D\big(x, A(x,r)\big)=1\right] - \Pr_{s \leftarrow U_{k(n)}}\left[D\big(x, A_G(x,s)\big)=1\right]\right|$$

and the probabilities are taken over the U_m’s as well as over the coin tosses of F and D.

ACT 14

Amplifying the Stretch Function (2)

[Figure: the n-bit seed is fed to G; each application of G yields one bit, which is appended to the output sequence, and a new n-bit state, which is fed back into G.]

ACT 15

Amplifying the Stretch Function

Thm: Let G be a pseudorandom generator with stretch function l(n) = n+1, and l’ be any polynomially bounded stretch function which is polynomial-time computable. Let G_1(x) denote the |x|-bit long prefix of G(x), and G_2(x) denote the last bit of G(x). Then

$$G'(s) = \sigma_1\, \sigma_2 \cdots \sigma_{l'(|s|)}$$

where x_0 = s, σ_i = G_2(x_{i-1}) and x_i = G_1(x_{i-1}), is a pseudorandom generator with stretch function l’.

The theorem is proven using the hybrid technique.

(13.6)

ACT 16

One-Way Functions

Def: A one-way function, f, is a polynomial-time computable function s.t. for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s

$$\Pr_{x \leftarrow U_n}\left[A'(f(x)) \in f^{-1}(f(x))\right] < \frac{1}{p(n)}$$

where U_n is the uniform distribution over {0,1}^n.

Popular candidates for one-way functions are based on the conjectured intractability of:

  • Integer factorization
  • Discrete logarithm problem
  • Decoding of random linear codes

(13.7)

ACT 17

Hard-Core Predicate

Def (hard-core predicate): A polynomial-time computable predicate b: {0,1}* → {0,1} is called a hard-core of a function f if for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s

$$\Pr_{x \leftarrow U_n}\left[A'(f(x)) = b(x)\right] < \frac{1}{2} + \frac{1}{p(n)}$$

Thm (generic hard-core): Let f be an arbitrary one-way function, and let g be defined by g(x,r) = (f(x), r), where |x| = |r|. Let b(x,r) denote the inner product mod 2 of the binary vectors x and r. Then b is a hard-core of g.

(13.8)

ACT 18

Hard-Core Predicate (2)

Thm: Let b be a hard-core predicate of a polynomial-time computable 1-1 function f. Then G(s) = f(s)b(s) (the string f(s) followed by the bit b(s)) is a pseudorandom generator.

Proof Sketch: Clearly the |s|-bit long prefix of G(s) is uniformly distributed (since f is 1-1 and onto {0,1}^{|s|}). Hence, we only have to show that distinguishing f(s)b(s) from f(s)σ, where σ is a random bit, contradicts the hypothesis that b is a hard-core of f. Intuitively, such a distinguisher also distinguishes f(s)b(s) from $f(s)\overline{b(s)}$, and so yields an algorithm for predicting b(s) based on f(s).
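As an added example (not part of the slides), the following Python code instantiates the constructions above with a toy 1-1 function: the generic hard-core g(x,r) = (f(x), r), b(x,r) = <x,r> mod 2 of slide 17, the one-bit-stretch generator G(s) = g(s)b(s) of this slide, and the iterated G’ of slide 15 that amplifies l(n) = n+1 to any l’(n). The toy f (exponentiation in Z_257^*) is an assumption chosen only because it is a permutation of 8-bit strings; at this size it is trivially invertible, so the output is not pseudorandom in practice, only structurally faithful to the construction.

```python
# Added example, not from the slides. Toy 1-1 function: 3 generates Z_257^*,
# so x -> 3^(x+1) mod 257 - 1 permutes the 8-bit strings {0..255}. This is a
# constructed, insecure stand-in for a one-way permutation.
P, GEN, N = 257, 3, 8


def f(x: int) -> int:
    """Toy 1-1, length-preserving function on N-bit inputs (not one-way at this size)."""
    return pow(GEN, x + 1, P) - 1


def inner_product_mod2(x: int, r: int) -> int:
    """Generic hard-core b(x,r) = <x,r> mod 2 (slide 17)."""
    return bin(x & r).count("1") & 1


def G(seed: int) -> int:
    """G(s) = g(s) b(s): a 2N-bit seed s = (x, r) maps to (f(x), r, <x,r>), 2N+1 bits."""
    x, r = seed >> N, seed & ((1 << N) - 1)
    return (((f(x) << N) | r) << 1) | inner_product_mod2(x, r)


def G1(seed: int) -> int:
    """|s|-bit prefix of G(s) (slide 15's G_1)."""
    return G(seed) >> 1


def G2(seed: int) -> int:
    """Last bit of G(s) (slide 15's G_2)."""
    return G(seed) & 1


def G_prime(seed: int, out_len: int) -> list[int]:
    """G'(s) = sigma_1 ... sigma_out_len with x_0 = s, sigma_i = G2(x_{i-1}), x_i = G1(x_{i-1})."""
    x, bits = seed, []
    for _ in range(out_len):
        bits.append(G2(x))
        x = G1(x)
    return bits


def is_permutation_prefix() -> bool:
    """Checks the proof sketch's first claim: the |s|-bit prefix of G is uniform
    because s -> G1(s) is a permutation of the 2N-bit seed space."""
    return sorted(G1(s) for s in range(1 << (2 * N))) == list(range(1 << (2 * N)))


if __name__ == "__main__":
    print("prefix is a permutation:", is_permutation_prefix())
    print("G'(0x1234) first 32 bits:", "".join(map(str, G_prime(0x1234, 32))))
```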

ACT 19

The Existence of PRG

Thm: Pseudorandom generators exist iff one-way functions exist.

Proof: 1) Let G be a pseudorandom generator with stretch function l(n) = 2n. For x, y ∈ {0,1}^n, define f(x,y) = G(x), and so f is polynomial-time computable. Suppose, by way of contradiction, that f is not one-way. Then there exists an algorithm A’ such that

$$\Pr_{x \leftarrow U_{2n}}\left[A'(f(x)) \in f^{-1}(f(x))\right] \ge \frac{1}{p(n)}$$

for some polynomial p(.). We define the following polynomial-time algorithm D: for an input z ∈ {0,1}^{2n},

(13.9)

ACT 20

The Existence of PRG (2)

$$D(z) = \begin{cases} 1 & \text{if } f(A'(z)) = z \\ 0 & \text{otherwise} \end{cases}$$

So we have

$$\Pr_{x \leftarrow U_n}\left[D(G(x))=1\right] \ge \frac{1}{p(n)},$$

while

$$\Pr_{z \leftarrow U_{2n}}\left[D(z)=1\right] \le \Pr_{z \leftarrow U_{2n}}\left[z \in \mathrm{Im}\, f\right] \le \frac{2^n}{2^{2n}} = 2^{-n}.$$

Therefore, D distinguishes G(U_n) from U_{2n}, in contradiction to the hypothesis that G is a pseudorandom generator.

2) Proof outline: Suppose f is a one-way function. f is not necessarily 1-1, so the construction G(s) = f(s)b(s), where b is a hard-core of f, cannot be used directly.

ACT 21

The Existence of PRG (3)

One idea is to hash f(U_n) to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some n’ < n.

Thus, we can add n − n’ + 1 bits by extracting them from the seed U_n, by hashing U_n. The adding of this hash value does not make the inverting task any easier.

[Figure: the n-bit seed is passed through f and then a hash function, and separately through a second hash function; the two hash outputs are combined into the generator’s output.]