Download Pseudorandom Generators

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts
no text concepts found
Transcript 
Slides by Vera Asodi & Tomer Naveh.
Updated by : Avi Ben-Aroya & Alon Brook
Adapted from Oded Goldreich’s course lecture notes
ACT
by Sergey Benditkis, Boris Temkin
and Il’ya Safro.
1
Introduction
In this lecture we’ll cover:
Definition of pseudorandom generators
 Computational indistinguishability
 Statistical closeness
 Multiple samples
 Application of pseudorandom generators
 Amplification of the stretch function
 One-way function
 Hard-core predicate

ACT
2
Definition of PRG
A Pseudorandom Generator is an efficient program
which stretches short random seeds into long
pseudorandom sequences.
Efficiency
Seed
PRG
Stretching
Mmmm…
They
look the
same to
me!
Pseudorandom Sequence
Random Sequence
ACT
Efficient
Algorithm
3
13.1
Computational Indistinguishability
Def: A probability ensemble X is a family X =
{Xn}nN such that Xn is a probability
distribution on some finite domain.
Def: Two probability ensembles, {Xn}nN and
{Yn}nN , are called computationally
indistinguishable if for any probabilistic
polynomial-time algorithm A, for any
positive polynomial p(.), and for all
sufficiently large n’s
PrxXn Ax   1  PryYn Ay   1  p1n 
ACT
4
Defining PRG
13.2
Def: A deterministic polynomial-time algorithm G is
called a pseudorandom generator if there exists
a stretching function l:NN, s.t. the following
two probability ensembles, denoted {Gn}nN and
{Rn}nN, are computationally indistinguishable
1. Distribution Gn is defined as the output of
G on a uniformly selected seed in {0,1}n.
2. Distribution Rn is defined as the uniform
distribution on {0,1}l(n).
ACT
5
Statistical Closeness
13.3
Def (statistical closeness): The statistical
difference between two distributions, X
and Y, is defined as
X, Y   21  PrX    PrY  

Two probability ensembles {Xn}nN and
{Yn}nN are statistically close if
for all polynomials p(.) and for all
sufficiently large n
Xn , Yn   p1n 
ACT
Prop: If two probability ensembles are
statistically close then they are
computationally indistinguishable.
6
Poly-time Constructible
13.4
Def: An ensemble {Zn}nN is probabilistic polynomialtime constructible if there exists a probabilistic
polynomial-time algorithm S such that for every n,
S(1n) = Zn
ACT
7
Independent Samples
Thm: Let {Xn} and {Yn} be computational
indistinguishable and probabilistic polynomialtime constructible.
Let t(.) be a positive polynomial.
Define {Xn’} and {Yn’} as follows:
Xn’ = Xn1  Xn2 …  Xnt(n)
Yn’ = Yn1  Yn2 …  Ynt(n)
ACT
where the Xni’s (Yni’s) are independent copies
of Xn (Yn).
Then {Xn’} and {Yn’} are computationally
indistinguishable
8
Hybrid Distribution
Proof:
Assume a distinguisher D for {Xn’} and {Yn’} s.t.
Prx~X'n Dx   1  Pry~Y'n Dy   1  p1n 
for a polynomial p(.) and all sufficiently large n’s.
Define the hybrid distributions for 0it(n):
Hn(i)=(Xn(1) Xn(2)…Xn(i) Yn(i+1)… Yn(t(n)))
Note that Hn(0)= Y’n and Hn(t(n))= X’n
Define an algorithm D’ as follows:
For  taken from Xn or Yn
D’()=D(Xn(1) Xn(2)…Xn(i-1)Yn(i+1)… Yn(t(n)))
where i is chosen uniformly in {1,2,…,t(n)}
ACT
9
Hybrid Argument

Therefore,
Prx~Xn D'x   1 

1
t n 

1
t n 
According to the definition of D’
‘i’ is chosen uniformly from {1..t(n)}
 t n  
1 
i1 
i1 
  1 
 Prx~Xn DXn  ...  Xn  x  Yn  ...  Yn
t n 
i1
t n 
 Prx'~Hni  Dx'  1
i1
and
Pry~Yn D'y   1 
ACT

1
t n 

1
t n 
According to the
definition of Hn(i)
 t n  
1 
i1 
i1 
  1 
 Pry~Yn DXn  ...  Xn  y  Yn  ...  Yn
t n 
i1
t n 
 Pry'~Hni1  Dy'  1
i1
Note: only up to i-1 we
have X’s so we get Hn(i-1)
10
Hybrid Argument

It’s a telescopic sum
Thus,




Pr D'x~Xn x   1  Pr D'y~Yn y   1 
ACT
t n 
t n 
i1
i1
 Prx'~Hni  Dx'  1   Pry'~Hni1  Dy'  1 

1
t n 

1
t n 
Prx'~H t n   Dx'  1  Pry'~H 0  Dy'  1 

1
t n 
Pr Dx'~X'n x'  1  Pry'~Y'n Dy'  1 

n

n
1
t n p n 
11
Application of PRG
13.5
Let A be a probabilistic algorithm, and (n)
denote a polynomial upper bound on its
randomness complexity.
Let A(x,r) denote the output of A on input x
and coin tosses sequence r{0,1}(n).
Let G be a pseudorandom generator with
stretching function l:NN
Then AG is a randomized algorithm that, on
input x
ACT
• Sets k=k(|x|) to be the smallest integer s.t.
l(k) (|x|)
• Uniformly selects s{0,1}k
• Outputs A(x,r), where r is the (|x|)-bit long
prefix of G(s)
12
Application of PRG (2)
Thm: Let A and G be as above. Then for every pair of
probabilistic polynomial-time algorithms, a finder F and a
distinguisher D, every positive polynomial p(.) and all
sufficiently large n’s
n
 n PrF1   x  A,D x   p1n 
x0,1
where
A,D x   Prr~U n  Dx, Ax, r  1  Prs~Uk n  Dx, AG x, s   1
and the probabilities are taken over the Um’s as well as
over the coin tosses of F and D.
ACT
13
Amplifying the Stretch Function (2)
n
Output Sequence
G
n
1
G
n
1
G
n
ACT
1
14
Amplifying the Stretch Function
13.6
Thm: Let G be a pseudorandom generator with
stretch function l(n)=n+1, and l’ be any
polynomially bounded stretch function,
which is polynomial-time computable.
Let G1(x) denote the |x|-bit long prefix of
G(x), and G2(x) denote the last bit of G(x).
Then
G’(s)=12…l’(|s|)
where x0=s, i=G2(xi-1) and xi=G1(xi-1), is a
pseudorandom generator with stretch
function l’.
ACT
The theorem is proven using the hybrid
technique.
15
One-Way Functions
13.7
Def: A one-way function, f, is a polynomial-time
computable function s.t. for every probabilistic
polynomial-time algorithm A’, every positive polynomial
p(.), and all sufficiently large n’s
Prx~Un A'fx   f1 fx   p1n 
where Un is the uniform distribution over {0,1}n.
Popular candidates for one-way functions are based on
the conjectured intractability of:
 Integer factorization
 Discrete logarithm problem
 Decoding of random linear code
ACT
16
Hard-Core Predicate
13.8
Def (hard-core predicate): A polynomial-time
computable predicate b:{0,1}*{0,1} is called a
hard-core of a function f if for every
probabilistic polynomial-time algorithm A’,
every positive polynomial p(.), and all
sufficiently large n’s
Prx~U A'fx   bx   21  p1n 
n
Thm (generic hard-core): Let f be an arbitrary
one-way function, and let g be defined by
g(x,r)=(f(x),r), where |x|=|r|. Let b(x,r) denote
the inner-product mod 2 of the binary vectors
x and r. Then b is a hard-core of g.
ACT
17
Hard-Core Predicate (2)
Thm: Let b be a hard-core predicate of a polynomialtime computable 1-1 function f. Then, G(s)=f(s)b(s) is
a pseudorandom generator.
Proof Sketch: Clearly the |s|-bit long prefix of G(s) is
uniformly distributed (since f is 1-1 and onto {0,1}|s|).
Hence, we only have to show that distinguishing
f(s)b(s) from f(s), where  is a random bit,
contradicts the hypothesis that b is a hard-core of f.
Intuitively, such a distinguisher also distinguishes
f(s)b(s) from f(s)b(s) , and so yields an algorithm for
predicting b(s) based on f(s).
ACT
18
The Existence of PRG
13.9
Thm: Pseudorandom generators exist iff one-way
functions exist.
Proof:
1)
Let G be a pseudorandom generator with stretch
function l(n)=2n. For x,y{0,1}n, define f(x,y)=G(x),
and so f is polynomial-time computable. Suppose, by
way of contradiction, that f is not one-way. Then
there exists an algorithm A’ such that
PrxU2n A'fx   f1 fx   p1n  for some polynomial
p(.). We define the following polynomial-time
algorithm D: For an input z{0,1}2n,
ACT
19
The existence of PRG (2)
 1 if fA'z   z
Dz   
0 otherwise
So we have PrxUn DGx   1  p1n  ,
n
2
while PrzU2n Dz   1  PrzU2n z  Imf  22n  2n .
Therefore, D distinguishes G(Un) from U2n, with
contradiction to the hypothesis that G is a
pseudorandom generator.
2)
ACT
Proof outline: Suppose f is a one-way function. f
is not necessarily 1-1, so the construction
G(s)=f(s)b(s) where b is a hard-core of f cannot
be used directly.
20
The Existence of PRG (3)
One idea is to hash f(Un) to an almost uniform string of
length related to its entropy, using universal hash
functions. But this means shrinking the length of the
output to some n’<n.
Thus, we can add n-n’+1 bits by extracting them from the
seed Un, by hashing Un. The adding of this hash value
does not make the inverting task any easier.
f
hash
function
n-bit seed
n bits
hash
function
ACT
n bits
21
Related documents
296.1 theoretical computer science introduction
296.1 theoretical computer science introduction
296.1 theoretical computer science introduction
296.1 theoretical computer science introduction
Newass4
Newass4
Test Assignment for Metric Space Topology 304a
Test Assignment for Metric Space Topology 304a
Polynomial Functions Test
Polynomial Functions Test
Lecture 10: Pseudorandom Generators (Sep 29, Karn Seth)
Lecture 10: Pseudorandom Generators (Sep 29, Karn Seth)
1 Probability spaces 2 Events and random variables
1 Probability spaces 2 Events and random variables
Document
Document
Advanced Algebra II Notes 7.1 Polynomial Degree and Finite
Advanced Algebra II Notes 7.1 Polynomial Degree and Finite
Functions of Several Variables A function of two variables is a rule
Functions of Several Variables A function of two variables is a rule
Computational Complexity: A Modern Approach
Computational Complexity: A Modern Approach
Immunoblot Detection of Proteins That Contain Cysteine
Immunoblot Detection of Proteins That Contain Cysteine