ACT 1
Slides by Vera Asodi & Tomer Naveh.
Updated by: Avi Ben-Aroya & Alon Brook
Adapted from Oded Goldreich's course lecture notes by Sergey Benditkis, Boris Temkin and Il'ya Safro.
ACT 2
Introduction
In this lecture we'll cover:
- Definition of pseudorandom generators
- Computational indistinguishability
- Statistical closeness
- Multiple samples
- Application of pseudorandom generators
- Amplification of the stretch function
- One-way functions
- Hard-core predicates
ACT 3
Definition of PRG
A pseudorandom generator is an efficient program which stretches short random seeds into long pseudorandom sequences.
[Figure: a short seed enters the PRG (an efficient algorithm) and is stretched into a pseudorandom sequence; shown next to a truly random sequence, the two "look the same" to an efficient observer.]
ACT 4
Computational Indistinguishability
Def: A probability ensemble $X$ is a family $X=\{X_n\}_{n\in\mathbb{N}}$ such that $X_n$ is a probability distribution on some finite domain.
Def: Two probability ensembles, $\{X_n\}_{n\in\mathbb{N}}$ and $\{Y_n\}_{n\in\mathbb{N}}$, are called computationally indistinguishable if for any probabilistic polynomial-time algorithm $A$, for any positive polynomial $p(\cdot)$, and for all sufficiently large $n$'s
$$\Big|\Pr_{x\sim X_n}[A(x)=1]-\Pr_{y\sim Y_n}[A(y)=1]\Big|<\frac{1}{p(n)}$$
13.1
ACT 5
Defining PRG
Def: A deterministic polynomial-time algorithm $G$ is called a pseudorandom generator if there exists a stretching function $l:\mathbb{N}\to\mathbb{N}$ (so $l(n)>n$) s.t. the following two probability ensembles, denoted $\{G_n\}_{n\in\mathbb{N}}$ and $\{R_n\}_{n\in\mathbb{N}}$, are computationally indistinguishable:
1. Distribution $G_n$ is defined as the output of $G$ on a uniformly selected seed in $\{0,1\}^n$.
2. Distribution $R_n$ is defined as the uniform distribution on $\{0,1\}^{l(n)}$.
13.2
ACT 6
Statistical Closeness
Def (statistical closeness): The statistical difference between two distributions, $X$ and $Y$, is defined as
$$\Delta(X,Y)=\frac{1}{2}\sum_{\alpha}\Big|\Pr[X=\alpha]-\Pr[Y=\alpha]\Big|$$
Two probability ensembles $\{X_n\}_{n\in\mathbb{N}}$ and $\{Y_n\}_{n\in\mathbb{N}}$ are statistically close if for all polynomials $p(\cdot)$ and for all sufficiently large $n$
$$\Delta(X_n,Y_n)<\frac{1}{p(n)}$$
Prop: If two probability ensembles are statistically close then they are computationally indistinguishable.
13.3
ACT 7
Poly-time Constructible
Def: An ensemble $\{Z_n\}_{n\in\mathbb{N}}$ is probabilistic polynomial-time constructible if there exists a probabilistic polynomial-time algorithm $S$ such that for every $n$, the output of $S(1^n)$ is distributed according to $Z_n$.
13.4
ACT 8
Independent Samples
Thm: Let $\{X_n\}$ and $\{Y_n\}$ be computationally indistinguishable and probabilistic polynomial-time constructible. Let $t(\cdot)$ be a positive polynomial. Define $\{X'_n\}$ and $\{Y'_n\}$ as follows:
$$X'_n=X_n^{(1)}\,X_n^{(2)}\cdots X_n^{(t(n))},\qquad Y'_n=Y_n^{(1)}\,Y_n^{(2)}\cdots Y_n^{(t(n))}$$
where the $X_n^{(i)}$'s (resp. $Y_n^{(i)}$'s) are independent copies of $X_n$ (resp. $Y_n$). Then $\{X'_n\}$ and $\{Y'_n\}$ are computationally indistinguishable.
ACT 9
Hybrid Distribution
Proof: Assume a distinguisher $D$ for $\{X'_n\}$ and $\{Y'_n\}$ s.t.
$$\Big|\Pr_{x\sim X'_n}[D(x)=1]-\Pr_{y\sim Y'_n}[D(y)=1]\Big|\ge\frac{1}{p(n)}$$
for a polynomial $p(\cdot)$ and all sufficiently large $n$'s. Define the hybrid distributions for $0\le i\le t(n)$:
$$H_n^{(i)}=\big(X_n^{(1)}\cdots X_n^{(i)}\,Y_n^{(i+1)}\cdots Y_n^{(t(n))}\big)$$
Note that $H_n^{(0)}=Y'_n$ and $H_n^{(t(n))}=X'_n$.
Define an algorithm $D'$ as follows: for $\alpha$ taken from $X_n$ or $Y_n$,
$$D'(\alpha)=D\big(X_n^{(1)}\cdots X_n^{(i-1)}\,\alpha\,Y_n^{(i+1)}\cdots Y_n^{(t(n))}\big)$$
where $i$ is chosen uniformly in $\{1,2,\dots,t(n)\}$, and the other $X_n^{(j)}$'s and $Y_n^{(j)}$'s are sampled by $D'$ itself, which is possible because both ensembles are polynomial-time constructible.
ACT 10
Hybrid Argument
Therefore,
$$\Pr_{x\sim X_n}[D'(x)=1]=\frac{1}{t(n)}\sum_{i=1}^{t(n)}\Pr\big[D(X_n^{(1)}\cdots X_n^{(i-1)}\,x\,Y_n^{(i+1)}\cdots Y_n^{(t(n))})=1\big]=\frac{1}{t(n)}\sum_{i=1}^{t(n)}\Pr_{x'\sim H_n^{(i)}}[D(x')=1]$$
and
$$\Pr_{y\sim Y_n}[D'(y)=1]=\frac{1}{t(n)}\sum_{i=1}^{t(n)}\Pr\big[D(X_n^{(1)}\cdots X_n^{(i-1)}\,y\,Y_n^{(i+1)}\cdots Y_n^{(t(n))})=1\big]=\frac{1}{t(n)}\sum_{i=1}^{t(n)}\Pr_{y'\sim H_n^{(i-1)}}[D(y')=1]$$
The first equality in each line follows from the definition of $D'$ ($i$ is chosen uniformly from $\{1,\dots,t(n)\}$); the second from the definition of $H_n^{(i)}$.
Note: in the second line only positions up to $i-1$ carry $X$'s, so we get $H_n^{(i-1)}$.
ACT 11
Hybrid Argument
Thus,
$$\Big|\Pr_{x\sim X_n}[D'(x)=1]-\Pr_{y\sim Y_n}[D'(y)=1]\Big|=\frac{1}{t(n)}\Big|\sum_{i=1}^{t(n)}\Big(\Pr_{x'\sim H_n^{(i)}}[D(x')=1]-\Pr_{y'\sim H_n^{(i-1)}}[D(y')=1]\Big)\Big|$$
$$=\frac{1}{t(n)}\Big|\Pr_{x'\sim H_n^{(t(n))}}[D(x')=1]-\Pr_{y'\sim H_n^{(0)}}[D(y')=1]\Big|=\frac{1}{t(n)}\Big|\Pr_{x'\sim X'_n}[D(x')=1]-\Pr_{y'\sim Y'_n}[D(y')=1]\Big|\ge\frac{1}{t(n)\,p(n)}$$
It's a telescopic sum. Since $t(n)\,p(n)$ is a polynomial, $D'$ distinguishes $\{X_n\}$ from $\{Y_n\}$, contradicting the hypothesis that they are computationally indistinguishable.
ACT 12
Application of PRG
Let $A$ be a probabilistic algorithm, and $\rho(n)$ denote a polynomial upper bound on its randomness complexity. Let $A(x,r)$ denote the output of $A$ on input $x$ and coin-toss sequence $r\in\{0,1\}^{\rho(|x|)}$. Let $G$ be a pseudorandom generator with stretching function $l:\mathbb{N}\to\mathbb{N}$.
Then $A_G$ is a randomized algorithm that, on input $x$:
- sets $k=k(|x|)$ to be the smallest integer s.t. $l(k)\ge\rho(|x|)$
- uniformly selects $s\in\{0,1\}^k$
- outputs $A(x,r)$, where $r$ is the $\rho(|x|)$-bit long prefix of $G(s)$
13.5
ACT 13
Application of PRG (2)
Thm: Let $A$ and $G$ be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder $F$ and a distinguisher $D$, every positive polynomial $p(\cdot)$ and all sufficiently large $n$'s
$$\sum_{x\in\{0,1\}^n}\Pr\Big[F(1^n)=x\ \wedge\ \Delta_{A,D}(x)>\frac{1}{p(n)}\Big]<\frac{1}{p(n)}$$
where
$$\Delta_{A,D}(x)=\Big|\Pr_{r\sim U_{\rho(n)}}\big[D(x,A(x,r))=1\big]-\Pr_{s\sim U_{k(n)}}\big[D(x,A(x,G(s)))=1\big]\Big|$$
(with $A(x,G(s))$ using the $\rho(n)$-bit prefix of $G(s)$, as in $A_G$) and the probabilities are taken over the $U_m$'s as well as over the coin tosses of $F$ and $D$.
ACT 14
Amplifying the Stretch Function
Thm: Let $G$ be a pseudorandom generator with stretch function $l(n)=n+1$, and $l'$ be any polynomially bounded stretch function which is polynomial-time computable. Let $G_1(x)$ denote the $|x|$-bit long prefix of $G(x)$, and $G_2(x)$ denote the last bit of $G(x)$. Then
$$G'(s)=\sigma_1\,\sigma_2\cdots\sigma_{l'(|s|)}$$
where $x_0=s$, $\sigma_i=G_2(x_{i-1})$ and $x_i=G_1(x_{i-1})$, is a pseudorandom generator with stretch function $l'$.
The theorem is proven using the hybrid technique.
13.6
Amplifying the Stretch Function (2)
[Figure: the $n$-bit state $x_{i-1}$ is fed into $G$; the first $n$ output bits become the next state $x_i$ and the last bit $\sigma_i$ is appended to the output sequence. The step is repeated $l'(n)$ times.]
ACT 16
One-Way Functions
Def: A one-way function $f$ is a polynomial-time computable function s.t. for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s
$$\Pr_{x\sim U_n}\Big[A'(f(x))\in f^{-1}(f(x))\Big]<\frac{1}{p(n)}$$
where $U_n$ is the uniform distribution over $\{0,1\}^n$.
Popular candidates for one-way functions are based on the conjectured intractability of:
- Integer factorization
- Discrete logarithm problem
- Decoding of random linear codes
13.7
ACT 17
Hard-Core Predicate
Def (hard-core predicate): A polynomial-time computable predicate $b:\{0,1\}^*\to\{0,1\}$ is called a hard-core of a function $f$ if for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s
$$\Pr_{x\sim U_n}\Big[A'(f(x))=b(x)\Big]<\frac{1}{2}+\frac{1}{p(n)}$$
Thm (generic hard-core, Goldreich-Levin): Let $f$ be an arbitrary one-way function, and let $g$ be defined by $g(x,r)=(f(x),r)$, where $|x|=|r|$. Let $b(x,r)$ denote the inner product mod 2 of the binary vectors $x$ and $r$. Then $b$ is a hard-core of $g$.
13.8
ACT 18
Hard-Core Predicate (2)
Thm: Let $b$ be a hard-core predicate of a polynomial-time computable 1-1 function $f$ (length-preserving, so $f$ is a permutation of $\{0,1\}^n$). Then $G(s)=f(s)\,b(s)$ is a pseudorandom generator (with stretch function $l(n)=n+1$).
Proof sketch: Clearly the $|s|$-bit long prefix of $G(s)$ is uniformly distributed (since $f$ is 1-1 and onto $\{0,1\}^{|s|}$). Hence we only have to show that distinguishing $f(s)\,b(s)$ from $f(s)\,\sigma$, where $\sigma$ is a random bit, contradicts the hypothesis that $b$ is a hard-core of $f$. Intuitively, such a distinguisher also distinguishes $f(s)\,b(s)$ from $f(s)\,\overline{b(s)}$, and so yields an algorithm for predicting $b(s)$ based on $f(s)$.
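The two constructions above, the inner-product hard-core predicate $b(x,r)$ with $g(x,r)=(f(x),r)$ and the one-bit-stretch generator $G(s)=g(s)\,b(s)$, together with the stretch amplification $G'$ from the "Amplifying the Stretch Function" slide, as an added worked example in Python. This is not code from the lecture or from Goldreich's notes. It assumes a stand-in 1-1 function `toy_permutation` (an invertible bit-mixing permutation chosen only so that the construction can be run; it is not one-way, so the resulting `G` is a correct instance of the construction but not a secure generator), seeds written as `'0'/'1'` strings, and the constructed seed `10110010`:

```python
# Added example, not part of the lecture slides: the generic (inner-product)
# hard-core predicate b(x, r), the one-bit-stretch generator G(s) = g(s) b(s)
# with g(x, r) = (f(x), r), and the stretch amplification G'(s) that iterates G.
# ASSUMPTION: toy_permutation stands in for the 1-1 function f. It is an
# invertible bit-mixing permutation chosen only so the construction runs; it is
# NOT one-way, so G below is not a secure PRG. Security needs f one-way.
from typing import Callable


def bits(v: int, n: int) -> str:
    """n-bit big-endian string for the integer v."""
    return format(v, f"0{n}b")


def inner_product_mod2(x: int, r: int) -> int:
    """b(x, r) = <x, r> mod 2: parity of the bitwise AND of x and r."""
    return bin(x & r).count("1") & 1


def toy_permutation(x: int, n: int) -> int:
    """Stand-in for f on {0,1}^n: an affine map with an odd multiplier (a
    bijection mod 2^n) followed by the binary-to-Gray map y ^ (y >> 1)
    (also a bijection), so the composition is 1-1 and onto {0,1}^n."""
    mask = (1 << n) - 1
    y = (11 * x + 6) & mask
    return (y ^ (y >> 1)) & mask


def G(seed: str) -> str:
    """G(s) = g(x, r) || b(x, r) where s = x || r and |x| = |r|.
    Output length is |s| + 1, i.e. stretch l(m) = m + 1."""
    if len(seed) % 2:
        raise ValueError("seed must split into x || r of equal length")
    n = len(seed) // 2
    x, r = int(seed[:n], 2), int(seed[n:], 2)
    return bits(toy_permutation(x, n), n) + seed[n:] + str(inner_product_mod2(x, r))


def G1(s: str) -> str:
    """|s|-bit prefix of G(s)."""
    return G(s)[: len(s)]


def G2(s: str) -> str:
    """Last bit of G(s)."""
    return G(s)[len(s)]


def amplify(gen: Callable[[str], str], seed: str, out_len: int) -> str:
    """G'(s) = sigma_1 ... sigma_out_len with x_0 = s, sigma_i = G_2(x_{i-1})
    and x_i = G_1(x_{i-1}). Works for any gen with stretch m -> m + 1."""
    x, out = seed, []
    for _ in range(out_len):
        y = gen(x)
        out.append(y[len(x)])   # sigma_i: last bit of G(x_{i-1})
        x = y[: len(x)]         # x_i: |x|-bit prefix of G(x_{i-1})
    return "".join(out)


def prefix_is_permutation(m: int) -> bool:
    """Check the premise of the proof sketch: the m-bit prefix of G is 1-1
    (hence uniform on a uniform seed), by enumerating all 2^m seeds."""
    return len({G1(bits(v, m)) for v in range(1 << m)}) == (1 << m)


if __name__ == "__main__":
    s = "10110010"  # constructed seed: x = 1011, r = 0010
    print(G(s), amplify(G, s, 16), prefix_is_permutation(8))
```

The `prefix_is_permutation` check is the part a practitioner should keep in mind when swapping in a real candidate: the uniformity of the $|s|$-bit prefix, on which the proof sketch rests, holds only because $g(x,r)=(f(x),r)$ inherits the 1-1 property from $f$; `amplify` itself is indifferent to which length-preserving generator it iterates.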
ACT 19
The Existence of PRG
Thm: Pseudorandom generators exist iff one-way functions exist.
Proof: 1) Let $G$ be a pseudorandom generator with stretch function $l(n)=2n$. For $x,y\in\{0,1\}^n$, define $f(x,y)=G(x)$, and so $f$ is polynomial-time computable. Suppose, by way of contradiction, that $f$ is not one-way. Then there exists a probabilistic polynomial-time algorithm $A'$ such that
$$\Pr_{(x,y)\sim U_{2n}}\Big[A'(f(x,y))\in f^{-1}(f(x,y))\Big]\ge\frac{1}{p(n)}$$
for some polynomial $p(\cdot)$ and infinitely many $n$. We define the following polynomial-time algorithm $D$: for an input $z\in\{0,1\}^{2n}$,
13.9
ACT 20
The Existence of PRG (2)
$$D(z)=\begin{cases}1 & \text{if } f(A'(z))=z\\ 0 & \text{otherwise}\end{cases}$$
So we have
$$\Pr_{x\sim U_n}\big[D(G(x))=1\big]\ge\frac{1}{p(n)}$$
(whenever $A'$ inverts $f$ on $z=G(x)$, the returned pair $(x',y')$ satisfies $f(x',y')=G(x')=z$, so $D$ accepts), while
$$\Pr_{z\sim U_{2n}}\big[D(z)=1\big]\le\Pr_{z\sim U_{2n}}\big[z\in\mathrm{Im}(f)\big]\le\frac{2^n}{2^{2n}}=2^{-n}$$
(since $f$ depends only on $x$, $|\mathrm{Im}(f)|\le 2^n$). Therefore $D$ distinguishes $G(U_n)$ from $U_{2n}$, in contradiction to the hypothesis that $G$ is a pseudorandom generator.
2) Proof outline: Suppose $f$ is a one-way function. $f$ is not necessarily 1-1, so the construction $G(s)=f(s)\,b(s)$, where $b$ is a hard-core of $f$, cannot be used directly.
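The reduction in part 1 of the proof, run end to end on a toy generator, as an added example (not from the slides or from Goldreich's notes). It assumes a deliberately insecure stand-in `G_toy(x) = x||x` with stretch $l(n)=2n$, chosen precisely because an inverter $A'$ for $f(x,y)=G(x)$ then exists, so the distinguisher $D(z)=[f(A'(z))=z]$ can be built and both probabilities from the proof computed exactly by enumeration; `make_distinguisher` is the generic construction and works for any $f$ and any inverter:

```python
# Added example, not part of the lecture slides: the distinguisher built from
# an inverter in part 1 of the existence theorem, evaluated exactly on a toy G.
# ASSUMPTION: G_toy(x) = x||x is an insecure stand-in with stretch l(n) = 2n,
# chosen so that a perfect inverter A' exists. For a real PRG no such A' can
# exist, which is exactly what the reduction proves.
from fractions import Fraction
from typing import Callable, Tuple


def G_toy(x: str) -> str:
    """Stand-in generator with l(n) = 2n. Obviously not pseudorandom."""
    return x + x


def f(x: str, y: str) -> str:
    """f(x, y) = G(x): the candidate one-way function; y is ignored."""
    return G_toy(x)


def A_prime(z: str) -> Tuple[str, str]:
    """Inverter for f: on z = x||x the pair (x, 0^n) is a preimage, since f
    ignores its second argument. On other z the answer is simply wrong."""
    n = len(z) // 2
    return z[:n], "0" * n


def make_distinguisher(func: Callable[[str, str], str],
                       inverter: Callable[[str], Tuple[str, str]]) -> Callable[[str], int]:
    """The proof's D: accept z iff the inverter's output is a preimage of z."""
    def D(z: str) -> int:
        x, y = inverter(z)
        return 1 if func(x, y) == z else 0
    return D


D = make_distinguisher(f, A_prime)


def all_strings(m: int):
    """Every m-bit string, for exact (exhaustive) probabilities."""
    return (format(v, f"0{m}b") for v in range(1 << m))


def acceptance_on_G(n: int) -> Fraction:
    """Pr_{x ~ U_n}[D(G(x)) = 1], computed over all 2^n seeds."""
    return Fraction(sum(D(G_toy(x)) for x in all_strings(n)), 1 << n)


def acceptance_on_uniform(n: int) -> Fraction:
    """Pr_{z ~ U_2n}[D(z) = 1], computed over all 2^(2n) strings."""
    return Fraction(sum(D(z) for z in all_strings(2 * n)), 1 << (2 * n))


def image_bound(n: int) -> Fraction:
    """|Im(f)| / 2^(2n), which the proof bounds by 2^n / 2^(2n) = 2^-n."""
    image = {f(x, "0" * n) for x in all_strings(n)}
    return Fraction(len(image), 1 << (2 * n))


def advantage(n: int) -> Fraction:
    """|Pr[D(G(U_n)) = 1] - Pr[D(U_2n) = 1]|, D's distinguishing advantage."""
    return abs(acceptance_on_G(n) - acceptance_on_uniform(n))


if __name__ == "__main__":
    n = 6
    print(acceptance_on_G(n), acceptance_on_uniform(n), image_bound(n), advantage(n))
```

With `n = 6` the inverter succeeds on every seed, so $D$ accepts all of $G(U_n)$, while on $U_{2n}$ it accepts only the $2^n$ strings in $\mathrm{Im}(f)$, giving advantage $1-2^{-6}$; the proof's inequality chain $\Pr[D(U_{2n})=1]\le|\mathrm{Im}(f)|/2^{2n}\le 2^{-n}$ is checked by `image_bound`.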
ACT 21
The Existence of PRG (3)
One idea is to hash $f(U_n)$ to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some $n'<n$.
Thus, we can add $n-n'+1$ bits by extracting them from the seed $U_n$, by hashing $U_n$. Adding this hash value does not make the inverting task any easier.
[Figure: an $n$-bit seed is passed through $f$ and then a hash function, and in parallel through a second hash function applied to the seed itself; the two hash outputs are concatenated to form $n$ output bits.]