4.2 KiB
Lecture 13
Chapter 3: Indistinguishability and Pseudorandomness
Pseudorandom Generator (PRG)
Definition 77.1 (Pseudorandom Generator)
G:\{0,1\}^n\to\{0,1\}^{l(n)} is a pseudorandom generator if the following is true:
Gis efficiently computable.l(n)> n(expansion)\{x\gets \{0,1\}^n:G(x)\}_n\approx \{u\gets \{0,1\}^{l(n)}\}
Definition 78.3 (Hard-core bit (predicate) (HCB))
Hard-core bit (predicate) (HCB): h:\{0,1\}^n\to \{0,1\} is a hard-core bit of f:\{0,1\}^n\to \{0,1\}^* if for every adversary A,
Pr[x\gets \{0,1\}^n;y=f(x);A(1^n,y)=h(x)]\leq \frac{1}{2}+\epsilon(n)
Ideas: f:\{0,1\}^n\to \{0,1\}^* is a one-way function.
Given y=f(x), it is hard to recover x. A cannot produce all of x but can know some bits of x.
h(x) is just a yes/no question regarding x.
Example:
In RSA function, we pick p,q\in \Pi^n as primes and N=pq. e\gets \mathbb{Z}_N^* and f(x)=x^e\mod N.
h(x)=x_n is a HCB of f. Given RSA assumption.
h(x) is not necessarily one of the bits of x=x_1x_2\cdots x_n.
Theorem Any one-way function has a HCB.
A HCB can be produced for any one-way function.
Let f:\{0,1\}^n\to \{0,1\}^* be a strong one-way function.
Define g:\{0,1\}^{2n}\to \{0,1\}^* as g(x,r)=(f(x), r),x\in \{0,1\}^n,r\in \{0,1\}^n. g is a strong one-way function. (proved in homework)
h(x,r)=\langle x,r\rangle=x_1r_1+ x_2r_2+\cdots + x_nr_n\mod 2
\langle x,1^n\rangle=x_1+x_2+\cdots +x_n\mod 2
\langle x,0^{n-1}1\rangle=x_ n
Ideas of proof:
If A could reliably find \langle x,1^n\rangle, with r being completely random, then it could find x too often.
Pseudorandom Generator from HCB
G(x)=\{0,1\}^n\to \{0,1\}^{n+1}G(x)=\{0,1\}^n\to \{0,1\}^{l(n)}
For (1),
Theorem HCB generates PRG
Let f:\{0,1\}^n\to \{0,1\}^n be a one-way permutation (bijective) with a HCB h. Then G(x)=f(x)|| h(x) is a PRG.
Proof:
Efficiently computable: f is one-way so h is efficiently computable.
Expansion: n<n+1
Pseudorandomness:
We proceed by contradiction.
Suppose \{G(U_n)\}\cancel{\approx} \{U_{n+1}\}. Then there would be a next-bit predictor A such that for some bit i.
Pr[x\gets \{0,1\}^n;t=G(x);A(t_1t_2\cdots t_{i-1})=t_i]\geq \frac{1}{2}+\epsilon(n)
Since f is a bijection, x\gets U_n and f(x)\gets U_n.
G(x)=f(x)|| h(x)
So A could not predict t_i with advantage \frac{1}{2}+\epsilon(n) given any first n bits.
Pr[t_i=1|t_1t_2\cdots t_{i-1}]= \frac{1}{2}
So i=n+1 the last bit, A could predict.
Pr[x\gets \{0,1\}^n;y=f(x);A(y)=h(x)]>\frac{1}{2}+\epsilon(n)
This contradicts the HCB definition of h.
Construction of PRG
G'=\{0,1\}^n\to \{0,1\}^{l(n)}
using PRG G:\{0,1\}^n\to \{0,1\}^{n+1}
Let s\gets \{0,1\}^n be a random string.
We proceed by the following construction:
G(s)=X_1||b_1
G(X_1)=X_2||b_2
G(X_2)=X_3||b_3
\cdots
G(X_{l(n)-1})=X_{l(n)}||b_{l(n)}
G'(s)=b_1b_2b_3\cdots b_{l(n)}
We claim G':\{0,1\}^n\to \{0,1\}^{l(n)} is a PRG.
Corollary: Combining constructions
f:\{0,1\}^n\to \{0,1\}^n is a one-way permutation with a HCB h: \{0,1\}^n\to \{0,1\}.
G(s)=h(x)||h(f(x))||h(f^2(x))\cdots h(f^{l(n)-1}(x)) is a PRG. Where f^a(x)=f(f^{a-1}(x)).
Proof:
G' is a PRG:
- Efficiently computable: since we are computing
G'by applyingGmultiple times (polynomial ofl(n)times). - Expansion:
n<l(n). - Pseudorandomness: We proceed by contradiction. Suppose the output is not pseudorandom. Then there exists a distinguisher
\mathcal{D}that can distinguishG'fromU_{l(n)}with advantage\frac{1}{2}+\epsilon(n).
Strategy: use hybrid argument to construct distributions.
\begin{aligned}
H^0&=U_{l(n)}=u_1u_2\cdots u_{l(n)}\\
H^1&=u_1u_2\cdots u_{l(n)-1}b_{l(n)}\\
H^2&=u_1u_2\cdots u_{l(n)-2}b_{l(n)-1}b_{l(n)}\\
&\cdots\\
H^{l(n)}&=b_1b_2\cdots b_{l(n)}
\end{aligned}
By the hybrid argument, there exists an i such that \mathcal{D} can distinguish H^i and H^{i+1} 0\leq i\leq l(n)-1 by \frac{1}{p(n)l(n)}
Show that there exists \mathcal{D} for
\{u\gets U_{n+1}\}\text{ vs. }\{x\gets U_n;G(x)=u\}
with advantage \frac{1}{2}+\epsilon(n). (contradiction)