NoteNextra-origin/content/CSE442T/CSE442T_L15.md

# Lecture 15

## Chapter 3: Indistinguishability and Pseudorandomness

### Random Function

$F:\{0,1\}^n\to \{0,1\}^n$

For each $x\in \{0,1\}^n$, there are $2^n$ possible values for $F(x)$.

pick $y=F(x)\gets \{0,1\}^n$ independently at random. ($n$ bits)

This generates $n\cdot 2^n$ random bits to specify $F$.

### Equivalent description of $F$

```python
# initialized empty list L
L=collections.defaultdict(int)
# initialize n bits constant
n=10
def F(x):
    """ simulation of random function
    param:
        x: n bits
    return:
        y: n bits
    """
    if L[x] is not None:
        return L[x]
    else:
        # y is a random n-bit string
        y=random.randbits(n)
        L[x]=y
        return y
```

However, this is not a good random function since two communicator may not agree on the same $F$.

### Pseudorandom Function

$f:\{0,1\}^n\to \{0,1\}^n$

#### Oracle Access (for function $g$)

$O_g$ is a p.p.t. that given $x\in \{0,1\}^n$ outputs $g(x)$.

The distinguisher $D$ is given oracle access to $O_g$ and outputs $1$ if $g$ is random and $0$ otherwise. It can make polynomially many queries.

### Oracle indistinguishability

$\{F_n\}$ and $\{G_n\}$ are sequence of distribution on functions

$$
f:\{0,1\}^{l_1(n)}\to \{0,1\}^{l_2(n)}
$$

that are computationally indistinguishable

$$
\{f_n\}\sim \{g_n\}
$$

if for all p.p.t. $D$ (with oracle access to $F_n$ and $G_n$),

$$
\left|P[f\gets F_n:D^f(1^n)=1]-P[g\gets G_n:D^g(1^n)=1]\right|< \epsilon(n)
$$

where $\epsilon(n)$ is negligible.

Under this property, we still have:

- Closure properties. under efficient procedures.
- Prediction lemma.
- Hybrid lemma.

### Pseudorandom Function Family

Definition: $\{f_s:\{0,1\}^\{0.1\}^{|S|}\to \{0,1\}^P$  $t_0s\in \{0,1\}^n\}$ is a pseudorandom function family if $\{f_s\}_{s\in \{0,1\}^n}$ are oracle indistinguishable.

- It is easy to compute for every $x\in \{0,1\}^{|S|}$.
- $\{s \gets\{0,1\}^n\}_n\approx \{F\gets RF_n,F\}$ is indistinguishable from the uniform distribution over $\{0,1\}^P$.
  - $R$ is truly random function.

Example:

For $s\in \{0,1\}^n$, define $f_s:\overline{x}\mapsto s\cdot \overline{s}$.

$\mathcal{D}$ gives oracle access to $g(0^n)=\overline{y_0}$, $g(1^n)=\overline{y_1}$. If $\overline{y_0}+\overline{y_1}=1^n$, then $\mathcal{D}$ outputs $1$ otherwise $0$.

```python
def O_g(x):
    pass

def D():
    # bit_stream(0,n) is a n-bit string of 0s
    y0=O_g(bit_stream(0,n))
    y1=O_g(bit_stream(1,n))
    if y0+y1==bit_stream(1,n):
        return 1
    else:
        return 0
```

If $g=f_s$, then $D$ returns $\overline{s}+\overline{s}+1^n =1^n$.

$$
P[f_s\gets D^{f_s}(1^n)=1]=1
$$

$$
P[F\gets RF^n,D^F(1^n)=1]=\frac{1}{2^n}
$$

#### Theorem PRG exists then PRF family exists.

Proof:

Let $g:\{0,1\}^n\to \{0,1\}^{2n}$ be a PRG.

$$
g(\overline{x})=[g_0(\overline{x})] [g_1(\overline{x})]
$$

Then we choose a random $s\in \{0,1\}^n$ (initial seed) and define $\overline{x}\gets \{0,1\}^n$, $\overline{x}=x_1\cdots x_n$.

$$
f_s(\overline{x})=f_s(x_1\cdots x_n)=g_{x_n}(\dots (g_{x_2}(g_{x_1}(s))))
$$

```python
s=random.randbits(n)

#????

def g(x):
    if x[0]==0:
        return g(f_s(x[1:]))
    else:
        return g(f_s(x[1:]))

def f_s(x):
    return g(x)

```

Suppose $g:\{0,1\}^3\to \{0,1\}^6$ is a PRG.

| $x$ | $f_s(x)$ |
| --- | -------- |
| 000 | 110011 |
| 001 | 010010 |
| 010 | 001001 |
| 011 | 000110 |
| 100 | 100000 |
| 101 | 110110 |
| 110 | 000111 |
| 111 | 001110 |

Suppose the initial seed is $011$, then the constructed function tree goes as follows:

Example: 

$$
\begin{aligned}
f_s(110)&=g_0(g_1(g_1(s)))\\
&=g_0(g_1(110))\\
&=g_0(111)\\
&=001
\end{aligned}
$$

$$
\begin{aligned}
f_s(010)&=g_0(g_1(g_0(s)))\\
&=g_0(g_1(000))\\
&=g_0(001)\\
&=010
\end{aligned}
$$

Assume that $D$ distinguishes $f_s$ and $F\gets RF_n$ with non-negligible probability.

By hybrid argument, there exists a hybrid $H_i$ such that $D$ distinguishes $H_i$ and $H_{i+1}$ with non-negligible probability.

For $H_0$, 

QED