upgrade structures and migrate to nextra v4
This commit is contained in:
Zheyuan Wu
161
content/CSE442T/CSE442T_L13.md
Normal file
161
content/CSE442T/CSE442T_L13.md
Normal file
@@ -0,0 +1,161 @@
|
||||
# Lecture 13
|
||||
|
||||
## Chapter 3: Indistinguishability and Pseudorandomness
|
||||
|
||||
### Pseudorandom Generator (PRG)
|
||||
|
||||
#### Definition 77.1 (Pseudorandom Generator)
|
||||
|
||||
$G:\{0,1\}^n\to\{0,1\}^{l(n)}$ is a pseudorandom generator if the following is true:
|
||||
|
||||
1. $G$ is efficiently computable.
|
||||
2. $l(n)> n$ (expansion)
|
||||
3. $\{x\gets \{0,1\}^n:G(x)\}_n\approx \{u\gets \{0,1\}^{l(n)}\}$
|
||||
|
||||
#### Definition 78.3 (Hard-core bit (predicate) (HCB))
|
||||
|
||||
Hard-core bit (predicate) (HCB): $h:\{0,1\}^n\to \{0,1\}$ is a hard-core bit of $f:\{0,1\}^n\to \{0,1\}^*$ if for every adversary $A$,
|
||||
|
||||
$$
|
||||
Pr[x\gets \{0,1\}^n;y=f(x);A(1^n,y)=h(x)]\leq \frac{1}{2}+\epsilon(n)
|
||||
$$
|
||||
|
||||
Ideas: $f:\{0,1\}^n\to \{0,1\}^*$ is a one-way function.
|
||||
|
||||
Given $y=f(x)$, it is hard to recover $x$. A cannot produce all of $x$ but can know some bits of $x$.
|
||||
|
||||
$h(x)$ is just a yes/no question regarding $x$.
|
||||
|
||||
Example:
|
||||
|
||||
In RSA function, we pick $p,q\in \Pi^n$ as primes and $N=pq$. $e\gets \mathbb{Z}_N^*$ and $f(x)=x^e\mod N$.
|
||||
|
||||
$h(x)=x_n$ is a HCB of $f$. Given RSA assumption.
|
||||
|
||||
**h(x) is not necessarily one of the bits of $x=x_1x_2\cdots x_n$.**
|
||||
|
||||
#### Theorem Any one-way function has a HCB.
|
||||
|
||||
A HCB can be produced for any one-way function.
|
||||
|
||||
Let $f:\{0,1\}^n\to \{0,1\}^*$ be a strong one-way function.
|
||||
|
||||
Define $g:\{0,1\}^{2n}\to \{0,1\}^*$ as $g(x,r)=(f(x), r),x\in \{0,1\}^n,r\in \{0,1\}^n$. $g$ is a strong one-way function. (proved in homework)
|
||||
|
||||
$$
|
||||
h(x,r)=\langle x,r\rangle=x_1r_1+ x_2r_2+\cdots + x_nr_n\mod 2
|
||||
$$
|
||||
|
||||
$\langle x,1^n\rangle=x_1+x_2+\cdots +x_n\mod 2$
|
||||
|
||||
$\langle x,0^{n-1}1\rangle=x_ n$
|
||||
|
||||
Ideas of proof:
|
||||
|
||||
If A could reliably find $\langle x,1^n\rangle$, with $r$ being completely random, then it could find $x$ too often.
|
||||
|
||||
### Pseudorandom Generator from HCB
|
||||
|
||||
1. $G(x)=\{0,1\}^n\to \{0,1\}^{n+1}$
|
||||
2. $G(x)=\{0,1\}^n\to \{0,1\}^{l(n)}$
|
||||
|
||||
For (1),
|
||||
|
||||
#### Theorem HCB generates PRG
|
||||
|
||||
Let $f:\{0,1\}^n\to \{0,1\}^n$ be a one-way permutation (bijective) with a HCB $h$. Then $G(x)=f(x)|| h(x)$ is a PRG.
|
||||
|
||||
Proof:
|
||||
|
||||
Efficiently computable: $f$ is one-way so $h$ is efficiently computable.
|
||||
|
||||
Expansion: $n<n+1$
|
||||
|
||||
Pseudorandomness:
|
||||
|
||||
We proceed by contradiction.
|
||||
|
||||
Suppose $\{G(U_n)\}\cancel{\approx} \{U_{n+1}\}$. Then there would be a next-bit predictor $A$ such that for some bit $i$.
|
||||
|
||||
$$
|
||||
Pr[x\gets \{0,1\}^n;t=G(x);A(t_1t_2\cdots t_{i-1})=t_i]\geq \frac{1}{2}+\epsilon(n)
|
||||
$$
|
||||
|
||||
Since $f$ is a bijection, $x\gets U_n$ and $f(x)\gets U_n$.
|
||||
|
||||
$G(x)=f(x)|| h(x)$
|
||||
|
||||
So $A$ could not predict $t_i$ with advantage $\frac{1}{2}+\epsilon(n)$ given any first $n$ bits.
|
||||
|
||||
$$
|
||||
Pr[t_i=1|t_1t_2\cdots t_{i-1}]= \frac{1}{2}
|
||||
$$
|
||||
|
||||
So $i=n+1$ the last bit, $A$ could predict.
|
||||
|
||||
$$
|
||||
Pr[x\gets \{0,1\}^n;y=f(x);A(y)=h(x)]>\frac{1}{2}+\epsilon(n)
|
||||
$$
|
||||
|
||||
This contradicts the HCB definition of $h$.
|
||||
|
||||
### Construction of PRG
|
||||
|
||||
$G'=\{0,1\}^n\to \{0,1\}^{l(n)}$
|
||||
|
||||
using PRG $G:\{0,1\}^n\to \{0,1\}^{n+1}$
|
||||
|
||||
Let $s\gets \{0,1\}^n$ be a random string.
|
||||
|
||||
We proceed by the following construction:
|
||||
|
||||
$G(s)=X_1||b_1$
|
||||
|
||||
$G(X_1)=X_2||b_2$
|
||||
|
||||
$G(X_2)=X_3||b_3$
|
||||
|
||||
$\cdots$
|
||||
|
||||
$G(X_{l(n)-1})=X_{l(n)}||b_{l(n)}$
|
||||
|
||||
$G'(s)=b_1b_2b_3\cdots b_{l(n)}$
|
||||
|
||||
We claim $G':\{0,1\}^n\to \{0,1\}^{l(n)}$ is a PRG.
|
||||
|
||||
#### Corollary: Combining constructions
|
||||
|
||||
$f:\{0,1\}^n\to \{0,1\}^n$ is a one-way permutation with a HCB $h: \{0,1\}^n\to \{0,1\}$.
|
||||
|
||||
$G(s)=h(x)||h(f(x))||h(f^2(x))\cdots h(f^{l(n)-1}(x))$ is a PRG. Where $f^a(x)=f(f^{a-1}(x))$.
|
||||
|
||||
Proof:
|
||||
|
||||
$G'$ is a PRG:
|
||||
|
||||
1. Efficiently computable: since we are computing $G'$ by applying $G$ multiple times (polynomial of $l(n)$ times).
|
||||
2. Expansion: $n<l(n)$.
|
||||
3. Pseudorandomness: We proceed by contradiction. Suppose the output is not pseudorandom. Then there exists a distinguisher $\mathcal{D}$ that can distinguish $G'$ from $U_{l(n)}$ with advantage $\frac{1}{2}+\epsilon(n)$.
|
||||
|
||||
Strategy: use hybrid argument to construct distributions.
|
||||
|
||||
$$
|
||||
\begin{aligned}
|
||||
H^0&=U_{l(n)}=u_1u_2\cdots u_{l(n)}\\
|
||||
H^1&=u_1u_2\cdots u_{l(n)-1}b_{l(n)}\\
|
||||
H^2&=u_1u_2\cdots u_{l(n)-2}b_{l(n)-1}b_{l(n)}\\
|
||||
&\cdots\\
|
||||
H^{l(n)}&=b_1b_2\cdots b_{l(n)}
|
||||
\end{aligned}
|
||||
$$
|
||||
|
||||
By the hybrid argument, there exists an $i$ such that $\mathcal{D}$ can distinguish $H^i$ and $H^{i+1}$ $0\leq i\leq l(n)-1$ by $\frac{1}{p(n)l(n)}$
|
||||
|
||||
Show that there exists $\mathcal{D}$ for
|
||||
|
||||
$$
|
||||
\{u\gets U_{n+1}\}\text{ vs. }\{x\gets U_n;G(x)=u\}
|
||||
$$
|
||||
|
||||
with advantage $\frac{1}{2}+\epsilon(n)$. (contradiction)
|
||||
|
||||
Reference in New Issue
Block a user