Presentation is loading. Please wait.

Presentation is loading. Please wait.

ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,"— Presentation transcript:

1

2 ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis, Boris Temkin and Il’ya Safro.

3 ACT 2 Introduction In this lecture we’ll cover: Definition of pseudorandom generators Computational indistinguishability Statistical closeness Multiple samples Application of pseudorandom generators Amplification of the stretch function One-way function Hard-core predicate

4 ACT 3 Definition of PRG A Pseudorandom Generator is an efficient program which stretches short random seeds into long pseudorandom sequences. Stretching Seed PRG Pseudorandom Sequence Random Sequence Efficient Algorithm Efficiency Mmmm… They look the same to me!

5 ACT 4 Computational Indistinguishability Def: A probability ensemble X is a family X = {X n } n  N such that X n is a probability distribution on some finite domain. Def: Two probability ensembles, {X n } n  N and {Y n } n  N, are called computationally indistinguishable if for any probabilistic polynomial-time algorithm A, for any positive polynomial p(.), and for all sufficiently large n’s 13.1

6 ACT 5 Defining PRG Def: A deterministic polynomial-time algorithm G is called a pseudorandom generator if there exists a stretching function l:N  N, s.t. the following two probability ensembles, denoted {G n } n  N and {R n } n  N, are computationally indistinguishable 1.Distribution G n is defined as the output of G on a uniformly selected seed in {0,1} n. 2.Distribution R n is defined as the uniform distribution on {0,1} l(n). 13.2

7 ACT 6 Statistical Closeness Def (statistical closeness): The statistical difference between two distributions, X and Y, is defined as Two probability ensembles {X n } n  N and {Y n } n  N are statistically close if for all polynomials p(.) and for all sufficiently large n Prop: If two probability ensembles are statistically close then they are computationally indistinguishable. 13.3

8 ACT 7 Poly-time Constructible Def: An ensemble {Z n } n  N is probabilistic polynomial- time constructible if there exists a probabilistic polynomial-time algorithm S such that for every n, S(1 n ) = Z n 13.4

9 ACT 8 Thm: Let {X n } and {Y n } be computational indistinguishable and probabilistic polynomial- time constructible. Let t(.) be a positive polynomial. Define {X n ’} and {Y n ’} as follows: X n ’ = X n 1  X n 2  …  X n t(n) Y n ’ = Y n 1  Y n 2  …  Y n t(n) where the X n i ’s (Y n i ’s) are independent copies of X n (Y n ). Then {X n ’} and {Y n ’} are computationally indistinguishable Independent Samples Independent Samples

10 ACT 9 Hybrid Distribution Proof: Assume a distinguisher D for {X n ’} and {Y n ’} s.t. for a polynomial p(.) and all sufficiently large n’s. Define the hybrid distributions for 0  i  t(n): H n (i) =(X n (1)  X n (2)  …X n (i)  Y n (i+1)  … Y n (t(n)) ) Note that H n (0) = Y’ n and H n (t(n)) = X’ n Define an algorithm D’ as follows: For  taken from X n or Y n D’(  )=D(X n (1)  X n (2)  …X n (i-1)  Y n (i+1)  … Y n (t(n)) ) where i is chosen uniformly in {1,2,…,t(n)}

11 ACT 10 Hybrid Argument Therefore, and According to the definition of D’ ‘i’ is chosen uniformly from {1..t(n)} According to the definition of H n (i) Note: only up to i-1 we have X’s so we get H n (i-1)

12 ACT 11 Hybrid Argument Thus, It’s a telescopic sum

13 ACT 12 Application of PRG Let A be a probabilistic algorithm, and  (n) denote a polynomial upper bound on its randomness complexity. Let A(x,r) denote the output of A on input x and coin tosses sequence r  {0,1}  (n). Let G be a pseudorandom generator with stretching function l:N  N Then A G is a randomized algorithm that, on input x Sets k=k(|x|) to be the smallest integer s.t. l(k)   (|x|) Uniformly selects s  {0,1} k Outputs A(x,r), where r is the  (|x|)-bit long prefix of G(s) 13.5

14 ACT 13 Application of PRG (2) Thm: Let A and G be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder F and a distinguisher D, every positive polynomial p(.) and all sufficiently large n’s where and the probabilities are taken over the U m ’s as well as over the coin tosses of F and D.

15 ACT 14 Amplifying the Stretch Function (2) n G n G n G n 1 1 1 Output Sequence

16 ACT 15 Thm: Let G be a pseudorandom generator with stretch function l(n)=n+1, and l’ be any polynomially bounded stretch function, which is polynomial-time computable. Let G 1 (x) denote the |x|-bit long prefix of G(x), and G 2 (x) denote the last bit of G(x). Then G’(s)=  1  2 …  l’(|s|) where x 0 =s,  i =G 2 (x i-1 ) and x i =G 1 (x i-1 ), is a pseudorandom generator with stretch function l’. The theorem is proven using the hybrid technique. Amplifying the Stretch Function 13.6

17 ACT 16 One-Way Functions Def: A one-way function, f, is a polynomial-time computable function s.t. for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s where U n is the uniform distribution over {0,1} n. Popular candidates for one-way functions are based on the conjectured intractability of: Integer factorization Discrete logarithm problem Decoding of random linear code 13.7

18 ACT 17 Hard-Core Predicate Def (hard-core predicate): A polynomial-time computable predicate b:{0,1}*  {0,1} is called a hard-core of a function f if for every probabilistic polynomial-time algorithm A’, every positive polynomial p(.), and all sufficiently large n’s Thm (generic hard-core): Let f be an arbitrary one-way function, and let g be defined by g(x,r)=(f(x),r), where |x|=|r|. Let b(x,r) denote the inner-product mod 2 of the binary vectors x and r. Then b is a hard-core of g. 13.8

19 ACT 18 Hard-Core Predicate (2) Thm: Let b be a hard-core predicate of a polynomial- time computable 1-1 function f. Then, G(s)=f(s)b(s) is a pseudorandom generator. Proof Sketch: Clearly the |s|-bit long prefix of G(s) is uniformly distributed (since f is 1-1 and onto {0,1} |s| ). Hence, we only have to show that distinguishing f(s)b(s) from f(s) , where  is a random bit, contradicts the hypothesis that b is a hard-core of f. Intuitively, such a distinguisher also distinguishes f(s)b(s) from, and so yields an algorithm for predicting b(s) based on f(s).

20 ACT 19 The Existence of PRG Thm: Pseudorandom generators exist iff one-way functions exist. Proof: 1) Let G be a pseudorandom generator with stretch function l(n)=2n. For x,y  {0,1} n, define f(x,y)=G(x), and so f is polynomial-time computable. Suppose, by way of contradiction, that f is not one-way. Then there exists an algorithm A’ such that for some polynomial p(.). We define the following polynomial-time algorithm D: For an input z  {0,1} 2n, 13.9

21 ACT 20 The existence of PRG (2) So we have, while. Therefore, D distinguishes G(U n ) from U 2n, with contradiction to the hypothesis that G is a pseudorandom generator. 2) Proof outline: Suppose f is a one-way function. f is not necessarily 1-1, so the construction G(s)=f(s)b(s) where b is a hard-core of f cannot be used directly.

22 ACT 21 The Existence of PRG (3) One idea is to hash f(U n ) to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some n’<n. Thus, we can add n-n’+1 bits by extracting them from the seed U n, by hashing U n. The adding of this hash value does not make the inverting task any easier. n-bit seed f hash function n bits hash function

Download ppt "ACT1 Slides by Vera Asodi & Tomer Naveh. Updated by : Avi Ben-Aroya & Alon Brook Adapted from Oded Goldreich’s course lecture notes by Sergey Benditkis,"

Similar presentations

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?

An Introduction to Randomness Extractors Ronen Shaltiel University of Haifa Daddy, how do computers get random bits?
Function Technique Eduardo Pinheiro Paul Ilardi Athanasios E. Papathanasiou The.

Function Technique Eduardo Pinheiro Paul Ilardi Athanasios E. Papathanasiou The.
Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.

Extracting Randomness From Few Independent Sources Boaz Barak, IAS Russell Impagliazzo, UCSD Avi Wigderson, IAS.
ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.

ONE WAY FUNCTIONS SECURITY PROTOCOLS CLASS PRESENTATION.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:

Foundations of Cryptography Lecture 2: One-way functions are essential for identification. Amplification: from weak to strong one-way function Lecturer:
1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.

1 Efficient Pseudorandom Generators from Exponentially Hard One-Way Functions Iftach Haitner, Danny Harnik, Omer Reingold.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
CS151 Complexity Theory Lecture 8 April 22, 2004.

CS151 Complexity Theory Lecture 8 April 22, 2004.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Chapter 5 The Witness Reduction Technique: Feasible Closure Properties of #P Greg Goldstein Andrew Learn 18 April 2001.

Chapter 5 The Witness Reduction Technique: Feasible Closure Properties of #P Greg Goldstein Andrew Learn 18 April 2001.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia.

1 Deciding Primality is in P M. Agrawal, N. Kayal, N. Saxena Presentation by Adi Akavia.
Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC 2010 1.

Randomized Algorithms Kyomin Jung KAIST Applied Algorithm Lab Jan 12, WSAC
1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006

1 Algorithms for Large Data Sets Ziv Bar-Yossef Lecture 13 June 25, 2006
Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.

Computability and Complexity 20-1 Computability and Complexity Andrei Bulatov Random Sources.
1 List Coloring and Euclidean Ramsey Theory TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A Noga Alon, Tel Aviv.

1 List Coloring and Euclidean Ramsey Theory TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A Noga Alon, Tel Aviv.
Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Foundations of Cryptography Lecture 8: Application of GL, Next-bit unpredictability, Pseudo-Random Functions. Lecturer: Moni Naor Announce home )deadline.

Similar presentations

Ads by Google