upgrade structures and migrate to nextra v4
This commit is contained in:
Zheyuan Wu
189
content/CSE442T/CSE442T_L15.md
Normal file
189
content/CSE442T/CSE442T_L15.md
Normal file
@@ -0,0 +1,189 @@
|
||||
# Lecture 15
|
||||
|
||||
## Chapter 3: Indistinguishability and Pseudorandomness
|
||||
|
||||
### Random Function
|
||||
|
||||
$F:\{0,1\}^n\to \{0,1\}^n$
|
||||
|
||||
For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.
|
||||
|
||||
pick $y=F(x)\gets \{0,1\}^n$ independently at random. ($n$ bits)
|
||||
|
||||
This generates $n\cdot 2^n$ random bits to specify $F$.
|
||||
|
||||
### Equivalent description of $F$
|
||||
|
||||
```python
|
||||
# initialized empty list L
|
||||
L=collections.defaultdict(int)
|
||||
# initialize n bits constant
|
||||
n=10
|
||||
def F(x):
|
||||
""" simulation of random function
|
||||
param:
|
||||
x: n bits
|
||||
return:
|
||||
y: n bits
|
||||
"""
|
||||
if L[x] is not None:
|
||||
return L[x]
|
||||
else:
|
||||
# y is a random n-bit string
|
||||
y=random.randbits(n)
|
||||
L[x]=y
|
||||
return y
|
||||
```
|
||||
|
||||
However, this is not a good random function since two communicator may not agree on the same $F$.
|
||||
|
||||
### Pseudorandom Function
|
||||
|
||||
$f:\{0,1\}^n\to \{0,1\}^n$
|
||||
|
||||
#### Oracle Access (for function $g$)
|
||||
|
||||
$O_g$ is a p.p.t. that given $x\in \{0,1\}^n$ outputs $g(x)$.
|
||||
|
||||
The distinguisher $D$ is given oracle access to $O_g$ and outputs $1$ if $g$ is random and $0$ otherwise. It can make polynomially many queries.
|
||||
|
||||
### Oracle indistinguishability
|
||||
|
||||
$\{F_n\}$ and $\{G_n\}$ are sequence of distribution on functions
|
||||
|
||||
$$
|
||||
f:\{0,1\}^{l_1(n)}\to \{0,1\}^{l_2(n)}
|
||||
$$
|
||||
|
||||
that are computationally indistinguishable
|
||||
|
||||
$$
|
||||
\{f_n\}\sim \{g_n\}
|
||||
$$
|
||||
|
||||
if for all p.p.t. $D$ (with oracle access to $F_n$ and $G_n$),
|
||||
|
||||
$$
|
||||
\left|P[f\gets F_n:D^f(1^n)=1]-P[g\gets G_n:D^g(1^n)=1]\right|< \epsilon(n)
|
||||
$$
|
||||
|
||||
where $\epsilon(n)$ is negligible.
|
||||
|
||||
Under this property, we still have:
|
||||
|
||||
- Closure properties. under efficient procedures.
|
||||
- Prediction lemma.
|
||||
- Hybrid lemma.
|
||||
|
||||
### Pseudorandom Function Family
|
||||
|
||||
Definition: $\{f_s:\{0,1\}^\{0.1\}^{|S|}\to \{0,1\}^P$ $t_0s\in \{0,1\}^n\}$ is a pseudorandom function family if $\{f_s\}_{s\in \{0,1\}^n}$ are oracle indistinguishable.
|
||||
|
||||
- It is easy to compute for every $x\in \{0,1\}^{|S|}$.
|
||||
- $\{s \gets\{0,1\}^n\}_n\approx \{F\gets RF_n,F\}$ is indistinguishable from the uniform distribution over $\{0,1\}^P$.
|
||||
- $R$ is truly random function.
|
||||
|
||||
Example:
|
||||
|
||||
For $s\in \{0,1\}^n$, define $f_s:\overline{x}\mapsto s\cdot \overline{s}$.
|
||||
|
||||
$\mathcal{D}$ gives oracle access to $g(0^n)=\overline{y_0}$, $g(1^n)=\overline{y_1}$. If $\overline{y_0}+\overline{y_1}=1^n$, then $\mathcal{D}$ outputs $1$ otherwise $0$.
|
||||
|
||||
```python
|
||||
def O_g(x):
|
||||
pass
|
||||
|
||||
def D():
|
||||
# bit_stream(0,n) is a n-bit string of 0s
|
||||
y0=O_g(bit_stream(0,n))
|
||||
y1=O_g(bit_stream(1,n))
|
||||
if y0+y1==bit_stream(1,n):
|
||||
return 1
|
||||
else:
|
||||
return 0
|
||||
```
|
||||
|
||||
If $g=f_s$, then $D$ returns $\overline{s}+\overline{s}+1^n =1^n$.
|
||||
|
||||
$$
|
||||
P[f_s\gets D^{f_s}(1^n)=1]=1
|
||||
$$
|
||||
|
||||
$$
|
||||
P[F\gets RF^n,D^F(1^n)=1]=\frac{1}{2^n}
|
||||
$$
|
||||
|
||||
#### Theorem PRG exists then PRF family exists.
|
||||
|
||||
Proof:
|
||||
|
||||
Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.
|
||||
|
||||
$$
|
||||
g(\overline{x})=[g_0(\overline{x})] [g_1(\overline{x})]
|
||||
$$
|
||||
|
||||
Then we choose a random $s\in \{0,1\}^n$ (initial seed) and define $\overline{x}\gets \{0,1\}^n$, $\overline{x}=x_1\cdots x_n$.
|
||||
|
||||
$$
|
||||
f_s(\overline{x})=f_s(x_1\cdots x_n)=g_{x_n}(\dots (g_{x_2}(g_{x_1}(s))))
|
||||
$$
|
||||
|
||||
```python
|
||||
s=random.randbits(n)
|
||||
|
||||
#????
|
||||
|
||||
def g(x):
|
||||
if x[0]==0:
|
||||
return g(f_s(x[1:]))
|
||||
else:
|
||||
return g(f_s(x[1:]))
|
||||
|
||||
def f_s(x):
|
||||
return g(x)
|
||||
|
||||
```
|
||||
|
||||
Suppose $g:\{0,1\}^3\to \{0,1\}^6$ is a PRG.
|
||||
|
||||
| $x$ | $f_s(x)$ |
|
||||
| --- | -------- |
|
||||
| 000 | 110011 |
|
||||
| 001 | 010010 |
|
||||
| 010 | 001001 |
|
||||
| 011 | 000110 |
|
||||
| 100 | 100000 |
|
||||
| 101 | 110110 |
|
||||
| 110 | 000111 |
|
||||
| 111 | 001110 |
|
||||
|
||||
Suppose the initial seed is $011$, then the constructed function tree goes as follows:
|
||||
|
||||
Example:
|
||||
|
||||
$$
|
||||
\begin{aligned}
|
||||
f_s(110)&=g_0(g_1(g_1(s)))\\
|
||||
&=g_0(g_1(110))\\
|
||||
&=g_0(111)\\
|
||||
&=001
|
||||
\end{aligned}
|
||||
$$
|
||||
|
||||
$$
|
||||
\begin{aligned}
|
||||
f_s(010)&=g_0(g_1(g_0(s)))\\
|
||||
&=g_0(g_1(000))\\
|
||||
&=g_0(001)\\
|
||||
&=010
|
||||
\end{aligned}
|
||||
$$
|
||||
|
||||
Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probability.
|
||||
|
||||
By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.
|
||||
|
||||
For $H_0$,
|
||||
|
||||
QED
|
||||
Reference in New Issue
Block a user