Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes ACT by Sergey Benditkis, Boris Temkin and Il’ya Safro. 1 Introduction In this lecture we’ll cover: Definition of pseudorandom generators Computational indistinguishability Statistical closeness Multiple samples Application of pseudorandom generators Amplification of the stretch function One-way function Hard-core predicate ACT 2 Definition of PRG A Pseudorandom Generator is an efficient program which stretches short random seeds into long pseudorandom sequences. Efficiency Seed PRG Stretching Mmmm… They look the same to me! Pseudorandom Sequence Random Sequence ACT Efficient Algorithm 3 13.1 Computational Indistinguishability Def: A probability ensemble X is a family X = {Xn}nN such that Xn is a probability distribution on some finite domain. Def: Two probability ensembles, {Xn}nN and {Yn}nN , are called computationally indistinguishable if for any probabilistic polynomial-time algorithm A, for any positive polynomial p(.), and for all sufficiently large n’s PrxXn Ax 1 PryYn Ay 1 p1n ACT 4 Defining PRG 13.2 Def: A deterministic polynomial-time algorithm G is called a pseudorandom generator if there exists a stretching function l:NN, s.t. the following two probability ensembles, denoted {Gn}nN and {Rn}nN, are computationally indistinguishable 1. Distribution Gn is defined as the output of G on a uniformly selected seed in {0,1}n. 2. Distribution Rn is defined as the uniform distribution on {0,1}l(n). ACT 5 Statistical Closeness 13.3 Def (statistical closeness): The statistical difference between two distributions, X and Y, is defined as X, Y 21 PrX PrY Two probability ensembles {Xn}nN and {Yn}nN are statistically close if for all polynomials p(.) and for all sufficiently large n Xn , Yn p1n ACT Prop: If two probability ensembles are statistically close then they are computationally indistinguishable. 6 Poly-time Constructible 13.4 Def: An ensemble {Zn}nN is probabilistic polynomialtime constructible if there exists a probabilistic polynomial-time algorithm S such that for every n, S(1n) = Zn ACT 7 Independent Samples Thm: Let {Xn} and {Yn} be computational indistinguishable and probabilistic polynomialtime constructible. Let t(.) be a positive polynomial. Define {Xn’} and {Yn’} as follows: Xn’ = Xn1 Xn2 … Xnt(n) Yn’ = Yn1 Yn2 … Ynt(n) ACT where the Xni’s (Yni’s) are independent copies of Xn (Yn). Then {Xn’} and {Yn’} are computationally indistinguishable 8 Hybrid Distribution Proof: Assume a distinguisher D for {Xn’} and {Yn’} s.t. Prx~X'n Dx 1 Pry~Y'n Dy 1 p1n for a polynomial p(.) and all sufficiently large n’s. Define the hybrid distributions for 0it(n): Hn(i)=(Xn(1) Xn(2)…Xn(i) Yn(i+1)… Yn(t(n))) Note that Hn(0)= Y’n and Hn(t(n))= X’n Define an algorithm D’ as follows: For taken from Xn or Yn D’()=D(Xn(1) Xn(2)…Xn(i-1)Yn(i+1)… Yn(t(n))) where i is chosen uniformly in {1,2,…,t(n)} ACT 9 Hybrid Argument Therefore, Prx~Xn D'x 1 1 t n 1 t n According to the definition of D’ ‘i’ is chosen uniformly from {1..t(n)} t n 1 i1 i1 1 Prx~Xn DXn ... Xn x Yn ... Yn t n i1 t n Prx'~Hni Dx' 1 i1 and Pry~Yn D'y 1 ACT 1 t n 1 t n According to the definition of Hn(i) t n 1 i1 i1 1 Pry~Yn DXn ... Xn y Yn ... Yn t n i1 t n Pry'~Hni1 Dy' 1 i1 Note: only up to i-1 we have X’s so we get Hn(i-1) 10 Hybrid Argument It’s a telescopic sum Thus, Pr D'x~Xn x 1 Pr D'y~Yn y 1 ACT t n t n i1 i1 Prx'~Hni Dx' 1 Pry'~Hni1 Dy' 1 1 t n 1 t n Prx'~H t n Dx' 1 Pry'~H 0 Dy' 1 1 t n Pr Dx'~X'n x' 1 Pry'~Y'n Dy' 1 n n 1 t n p n 11 Application of PRG 13.5 Let A be a probabilistic algorithm, and (n) denote a polynomial upper bound on its randomness complexity. Let A(x,r) denote the output of A on input x and coin tosses sequence r{0,1}(n). Let G be a pseudorandom generator with stretching function l:NN Then AG is a randomized algorithm that, on input x ACT • Sets k=k(|x|) to be the smallest integer s.t. l(k) (|x|) • Uniformly selects s{0,1}k • Outputs A(x,r), where r is the (|x|)-bit long prefix of G(s) 12 Application of PRG (2) Thm: Let A and G be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder F and a distinguisher D, every positive polynomial p(.) and all sufficiently large n’s n n PrF1 x A,D x p1n x0,1 where A,D x Prr~U n Dx, Ax, r 1 Prs~Uk n Dx, AG x, s 1 and the probabilities are taken over the Um’s as well as over the coin tosses of F and D. ACT 13 Amplifying the Stretch Function (2) n Output Sequence G n 1 G n 1 G n ACT 1 14 Amplifying the Stretch Function 13.6 Thm: Let G be a pseudorandom generator with stretch function l(n)=n+1, and l’ be any polynomially bounded stretch function, which is polynomial-time computable. Let G1(x) denote the |x|-bit long prefix of G(x), and G2(x) denote the last bit of G(x). Then G’(s)=12…l’(|s|) where x0=s, i=G2(xi-1) and xi=G1(xi-1), is a pseudorandom generator with stretch function l’. ACT The theorem is proven using the hybrid technique. 15 One-Way Functions 13.7 Def: A one-way function, f, is a polynomial-time computable function s.t. for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s Prx~Un A'fx f1 fx p1n where Un is the uniform distribution over {0,1}n. Popular candidates for one-way functions are based on the conjectured intractability of: Integer factorization Discrete logarithm problem Decoding of random linear code ACT 16 Hard-Core Predicate 13.8 Def (hard-core predicate): A polynomial-time computable predicate b:{0,1}*{0,1} is called a hard-core of a function f if for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s Prx~U A'fx bx 21 p1n n Thm (generic hard-core): Let f be an arbitrary one-way function, and let g be defined by g(x,r)=(f(x),r), where |x|=|r|. Let b(x,r) denote the inner-product mod 2 of the binary vectors x and r. Then b is a hard-core of g. ACT 17 Hard-Core Predicate (2) Thm: Let b be a hard-core predicate of a polynomialtime computable 1-1 function f. Then, G(s)=f(s)b(s) is a pseudorandom generator. Proof Sketch: Clearly the |s|-bit long prefix of G(s) is uniformly distributed (since f is 1-1 and onto {0,1}|s|). Hence, we only have to show that distinguishing f(s)b(s) from f(s), where is a random bit, contradicts the hypothesis that b is a hard-core of f. Intuitively, such a distinguisher also distinguishes f(s)b(s) from f(s)b(s) , and so yields an algorithm for predicting b(s) based on f(s). ACT 18 The Existence of PRG 13.9 Thm: Pseudorandom generators exist iff one-way functions exist. Proof: 1) Let G be a pseudorandom generator with stretch function l(n)=2n. For x,y{0,1}n, define f(x,y)=G(x), and so f is polynomial-time computable. Suppose, by way of contradiction, that f is not one-way. Then there exists an algorithm A’ such that PrxU2n A'fx f1 fx p1n for some polynomial p(.). We define the following polynomial-time algorithm D: For an input z{0,1}2n, ACT 19 The existence of PRG (2) 1 if fA'z z Dz 0 otherwise So we have PrxUn DGx 1 p1n , n 2 while PrzU2n Dz 1 PrzU2n z Imf 22n 2n . Therefore, D distinguishes G(Un) from U2n, with contradiction to the hypothesis that G is a pseudorandom generator. 2) ACT Proof outline: Suppose f is a one-way function. f is not necessarily 1-1, so the construction G(s)=f(s)b(s) where b is a hard-core of f cannot be used directly. 20 The Existence of PRG (3) One idea is to hash f(Un) to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some n’<n. Thus, we can add n-n’+1 bits by extracting them from the seed Un, by hashing Un. The adding of this hash value does not make the inverting task any easier. f hash function n-bit seed n bits hash function ACT n bits 21