# ACT 1: Slides by Vera Asodi & Tomer Naveh

Updated by Avi Ben-Aroya & Alon Brook. Adapted from Oded Goldreich's course lecture notes by Sergey Benditkis, Boris Temkin and Il'ya Safro.

## ACT 2: Introduction

In this lecture we'll cover:

- Definition of pseudorandom generators
- Computational indistinguishability
- Statistical closeness
- Multiple samples
- Application of pseudorandom generators
- Amplification of the stretch function
- One-way functions
- Hard-core predicates

## ACT 3: Definition of PRG

A pseudorandom generator is an efficient program which stretches short random seeds into long pseudorandom sequences.

[Diagram: Seed → PRG (efficient algorithm; labels "Stretching", "Efficiency") → Pseudorandom Sequence, shown beside a Random Sequence. Caption: "Mmmm… They look the same to me!"]

## ACT 4: Computational Indistinguishability

Def: A probability ensemble $X$ is a family $X=\{X_n\}_{n\in\mathbb{N}}$ such that each $X_n$ is a probability distribution on some finite domain.

Def: Two probability ensembles, $\{X_n\}_{n\in\mathbb{N}}$ and $\{Y_n\}_{n\in\mathbb{N}}$, are called computationally indistinguishable if for every probabilistic polynomial-time algorithm $A$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s (13.1)

## ACT 5: Defining PRG

Def: A deterministic polynomial-time algorithm $G$ is called a pseudorandom generator if there exists a stretching function $l:\mathbb{N}\to\mathbb{N}$ such that the following two probability ensembles, denoted $\{G_n\}_{n\in\mathbb{N}}$ and $\{R_n\}_{n\in\mathbb{N}}$, are computationally indistinguishable:

1. Distribution $G_n$ is defined as the output of $G$ on a uniformly selected seed in $\{0,1\}^n$.
2. Distribution $R_n$ is defined as the uniform distribution on $\{0,1\}^{l(n)}$.

(13.2)

## ACT 6: Statistical Closeness

Def (statistical closeness): The statistical difference between two distributions, $X$ and $Y$, is defined as on the slide. Two probability ensembles $\{X_n\}_{n\in\mathbb{N}}$ and $\{Y_n\}_{n\in\mathbb{N}}$ are statistically close if for all polynomials $p(\cdot)$ and all sufficiently large $n$ the stated bound holds.

Prop: If two probability ensembles are statistically close then they are computationally indistinguishable. (13.3)

## ACT 7: Poly-time Constructible

Def: An ensemble $\{Z_n\}_{n\in\mathbb{N}}$ is probabilistic polynomial-time constructible if there exists a probabilistic polynomial-time algorithm $S$ such that for every $n$, $S(1^n)=Z_n$. (13.4)

## ACT 8: Independent Samples

Thm: Let $\{X_n\}$ and $\{Y_n\}$ be computationally indistinguishable and probabilistic polynomial-time constructible. Let $t(\cdot)$ be a positive polynomial. Define $\{X'_n\}$ and $\{Y'_n\}$ as follows:

$X'_n = (X_n^{(1)}, X_n^{(2)}, \dots, X_n^{(t(n))})$

$Y'_n = (Y_n^{(1)}, Y_n^{(2)}, \dots, Y_n^{(t(n))})$

where the $X_n^{(i)}$'s (resp. $Y_n^{(i)}$'s) are independent copies of $X_n$ (resp. $Y_n$). Then $\{X'_n\}$ and $\{Y'_n\}$ are computationally indistinguishable.

## ACT 9: Hybrid Distribution

Proof: Assume a distinguisher $D$ for $\{X'_n\}$ and $\{Y'_n\}$ whose advantage exceeds $1/p(n)$ for a polynomial $p(\cdot)$ and all sufficiently large $n$'s. Define the hybrid distributions for $0 \le i \le t(n)$:

$H_n^{(i)} = (X_n^{(1)}, X_n^{(2)}, \dots, X_n^{(i)}, Y_n^{(i+1)}, \dots, Y_n^{(t(n))})$

Note that $H_n^{(0)} = Y'_n$ and $H_n^{(t(n))} = X'_n$.

Define an algorithm $D'$ as follows: for $\alpha$ taken from $X_n$ or $Y_n$,

$D'(\alpha) = D(X_n^{(1)}, X_n^{(2)}, \dots, X_n^{(i-1)}, \alpha, Y_n^{(i+1)}, \dots, Y_n^{(t(n))})$

where $i$ is chosen uniformly in $\{1, 2, \dots, t(n)\}$.

## ACT 10: Hybrid Argument

Therefore, by the definition of $D'$ (with $i$ chosen uniformly from $\{1, \dots, t(n)\}$) and by the definition of $H_n^{(i)}$: when $\alpha$ is taken from $X_n$, the input handed to $D$ is distributed as $H_n^{(i)}$; when $\alpha$ is taken from $Y_n$, only the positions up to $i-1$ carry $X$'s, so the input is distributed as $H_n^{(i-1)}$.

## ACT 11: Hybrid Argument

Thus, the advantage of $D'$ is the average over $i$ of the differences between the consecutive hybrids $H_n^{(i)}$ and $H_n^{(i-1)}$. This is a telescopic sum: it collapses to the difference between $H_n^{(t(n))} = X'_n$ and $H_n^{(0)} = Y'_n$, i.e. the advantage of $D$ divided by $t(n)$. Hence $D'$ distinguishes $X_n$ from $Y_n$, a contradiction.

## ACT 12: Application of PRG

Let $A$ be a probabilistic algorithm, and let $\rho(n)$ denote a polynomial upper bound on its randomness complexity. Let $A(x,r)$ denote the output of $A$ on input $x$ and coin-toss sequence $r \in \{0,1\}^{\rho(n)}$. Let $G$ be a pseudorandom generator with stretching function $l:\mathbb{N}\to\mathbb{N}$. Then $A_G$ is a randomized algorithm that, on input $x$:

1. Sets $k=k(|x|)$ to be the smallest integer such that $l(k) \ge \rho(|x|)$.
2. Uniformly selects $s \in \{0,1\}^k$.
3. Outputs $A(x,r)$, where $r$ is the $\rho(|x|)$-bit long prefix of $G(s)$.

(13.5)

## ACT 13: Application of PRG (2)

Thm: Let $A$ and $G$ be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder $F$ and a distinguisher $D$, every positive polynomial $p(\cdot)$ and all sufficiently large $n$'s, the stated bound holds, where the probabilities are taken over the $U_m$'s as well as over the coin tosses of $F$ and $D$.

## ACT 14: Amplifying the Stretch Function (2)

[Diagram: the $n$-bit seed is fed into $G$; each application of $G$ yields $n$ bits that are fed into the next $G$ and $1$ bit that is emitted; the emitted bits form the output sequence.]

## ACT 15: Amplifying the Stretch Function

Thm: Let $G$ be a pseudorandom generator with stretch function $l(n)=n+1$, and let $l'$ be any polynomially bounded stretch function which is polynomial-time computable. Let $G_1(x)$ denote the $|x|$-bit long prefix of $G(x)$, and $G_2(x)$ denote the last bit of $G(x)$. Then

$G'(s) = \sigma_1 \sigma_2 \dots \sigma_{l'(|s|)}$, where $x_0 = s$, $\sigma_i = G_2(x_{i-1})$ and $x_i = G_1(x_{i-1})$,

is a pseudorandom generator with stretch function $l'$. The theorem is proven using the hybrid technique. (13.6)

## ACT 16: One-Way Functions

Def: A one-way function $f$ is a polynomial-time computable function such that for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s the stated inversion bound holds, where $U_n$ is the uniform distribution over $\{0,1\}^n$. (13.7)

Popular candidates for one-way functions are based on the conjectured intractability of:

- Integer factorization
- The discrete logarithm problem
- Decoding of random linear codes

## ACT 17: Hard-Core Predicate

Def (hard-core predicate): A polynomial-time computable predicate $b:\{0,1\}^* \to \{0,1\}$ is called a hard-core of a function $f$ if for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s the stated prediction bound holds. (13.8)

Thm (generic hard-core): Let $f$ be an arbitrary one-way function, and let $g$ be defined by $g(x,r)=(f(x),r)$, where $|x|=|r|$. Let $b(x,r)$ denote the inner product mod 2 of the binary vectors $x$ and $r$. Then $b$ is a hard-core of $g$.

## ACT 18: Hard-Core Predicate (2)

Thm: Let $b$ be a hard-core predicate of a polynomial-time computable 1-1 function $f$. Then $G(s)=f(s)b(s)$ is a pseudorandom generator.

Proof sketch: Clearly the $|s|$-bit long prefix of $G(s)$ is uniformly distributed (since $f$ is 1-1 and onto $\{0,1\}^{|s|}$). Hence we only have to show that distinguishing $f(s)b(s)$ from $f(s)\sigma$, where $\sigma$ is a random bit, contradicts the hypothesis that $b$ is a hard-core of $f$. Intuitively, such a distinguisher also distinguishes $f(s)b(s)$ from $f(s)$ followed by the complementary bit, and so yields an algorithm for predicting $b(s)$ based on $f(s)$.
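As an added example (not from the slides or Goldreich's notes), the following Python makes the constructions of ACT 15 and ACT 18 concrete: the one-bit-stretch generator $G(s)=f(s)b(s)$ built from the generic hard-core predicate of $g(x,r)=(f(x),r)$, and the amplification $G'$ that iterates $G_1$ and collects the $G_2$ bits. The permutation `f_perm`, the seed and all function names are assumptions; `f_perm` is a Gray-code map that is 1-1 and onto but not one-way, so it only makes the definitions checkable.

```python
# Added example (not from the lecture slides): the one-bit-stretch generator
# G(s) = g(s) || b(s) from the generic hard-core predicate of g(x,r) = (f(x), r),
# followed by the bit-by-bit stretch amplification G'(s) = sigma_1 ... sigma_l'(|s|).
# ASSUMPTION: f_perm is a constructed stand-in permutation (Gray-code map x -> x XOR (x>>1)).
# It is 1-1 and onto {0,1}^m but NOT one-way, so nothing here is pseudorandom;
# the code only makes the two constructions concrete and checkable.
from itertools import product
from typing import Callable

def f_perm(bits: str) -> str:
    """Stand-in 1-1, onto function on {0,1}^m (Gray-code permutation; not one-way)."""
    v = int(bits, 2)
    return format(v ^ (v >> 1), f"0{len(bits)}b")

def inner_product_mod2(x: str, r: str) -> str:
    """Generic hard-core predicate b(x,r) = <x,r> mod 2 (Goldreich-Levin)."""
    assert len(x) == len(r)
    return str(sum(int(a) & int(c) for a, c in zip(x, r)) % 2)

def one_bit_prg(seed: str) -> str:
    """G(s) = g(s) || b(s) for s = (x, r) with |x| = |r|: maps {0,1}^n to {0,1}^(n+1)."""
    assert seed and len(seed) % 2 == 0
    half = len(seed) // 2
    x, r = seed[:half], seed[half:]
    return f_perm(x) + r + inner_product_mod2(x, r)

def amplify(G: Callable[[str], str], seed: str, out_len: int) -> str:
    """G'(s): x_0 = s, sigma_i = G_2(x_{i-1}) (last bit), x_i = G_1(x_{i-1}) (|x|-bit prefix)."""
    x, sigmas = seed, []
    for _ in range(out_len):
        y = G(x)
        assert len(y) == len(x) + 1, "G must have stretch l(n) = n + 1"
        x, sigma = y[:len(x)], y[-1]
        sigmas.append(sigma)
    return "".join(sigmas)

def prefix_is_permutation(G: Callable[[str], str], n: int) -> bool:
    """Check the proof-sketch premise: the |s|-bit prefix of G(s) is a bijection on {0,1}^n,
    so a uniform seed gives a uniform prefix. Exhaustive over 2^n seeds, so keep n small."""
    prefixes = {G("".join(bits))[:n] for bits in product("01", repeat=n)}
    return len(prefixes) == 2 ** n

if __name__ == "__main__":
    seed = "10110010"  # constructed 8-bit seed
    print(one_bit_prg(seed))               # 9 bits: f(x) || r || <x,r>
    print(amplify(one_bit_prg, seed, 16))  # 16 output bits of G'
    print(prefix_is_permutation(one_bit_prg, 6))
```

Because $g$ leaves $r$ untouched, iterating $G_1$ only iterates $f$ on the $x$ half, so with this toy permutation the output of $G'$ is periodic; a genuine one-way permutation would not expose such structure efficiently.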

## ACT 19: The Existence of PRG

Thm: Pseudorandom generators exist iff one-way functions exist. (13.9)

Proof: 1) Let $G$ be a pseudorandom generator with stretch function $l(n)=2n$. For $x,y \in \{0,1\}^n$, define $f(x,y)=G(x)$; thus $f$ is polynomial-time computable. Suppose, by way of contradiction, that $f$ is not one-way. Then there exists an algorithm $A'$ that inverts $f$ with the stated probability, for some polynomial $p(\cdot)$. We define the following polynomial-time algorithm $D$: for an input $z \in \{0,1\}^{2n}$, proceed as on the slide.

## ACT 20: The Existence of PRG (2)

So we have the stated bound for $D$ on $G(U_n)$, while the stated bound holds for $D$ on $U_{2n}$. Therefore $D$ distinguishes $G(U_n)$ from $U_{2n}$, contradicting the hypothesis that $G$ is a pseudorandom generator.

2) Proof outline: Suppose $f$ is a one-way function. $f$ is not necessarily 1-1, so the construction $G(s)=f(s)b(s)$, where $b$ is a hard-core of $f$, cannot be used directly.

## ACT 21: The Existence of PRG (3)

One idea is to hash $f(U_n)$ to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some $n' < n$. Thus, we can add $n-n'+1$ bits by extracting them from the seed $U_n$, by hashing $U_n$. Adding this hash value does not make the inverting task any easier.

[Diagram: $n$-bit seed → $f$ → hash function → $n'$ bits; a second hash function is applied to the seed itself, and the two hash values together give $n+1$ output bits.]
