Title: Notation of probability
1. Notation of probability
- $A$: a probabilistic algorithm.
- $A(x,y,\ldots)$: the probability space for inputs $x,y,\ldots$.
- $[S]$: the support of probability space $S$.
- $\Pr[x \leftarrow S;\ y \leftarrow T;\ \ldots : p(x,y,\ldots)]$: the probability that the predicate $p(x,y,\ldots)$ is true after execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc.
- $\{0,1\}^k$: the set of $k$-bit strings; $x \in \{0,1\}^k$, $x = x_k x_{k-1} x_{k-2} \ldots x_1$, $x_i \in \{0,1\}$.
- xj: the first j bits of x, xj = $x_j x_{j-1} \ldots x_1$.
- y x: the concatenation of x and y.
- $Y_k$: the distribution over $\{0,1\}^k$.
- $y_k y_{k-1} y_{k-2} \ldots y_1 \leftarrow Y_k$: selection of an element x in $\{0,1\}^k$ according to $Y_k$.
- $R_k$: the uniform distribution over $\{0,1\}^k$.
A function $\varepsilon(k): N \to R$ is negligible if for every $c > 0$ there exists $k_c$ s.t. $\varepsilon(k) < 1/k^c$ for every $k > k_c$.
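2. Some facts on probability
- Let $E, E_1, E_2 \subseteq S$ be events.
- $0 \le P(E) \le 1$, $P(S) = 1$, $P(\emptyset) = 0$
- $P(\bar{E}) = 1 - P(E)$
- $E_1 \subseteq E_2 \Rightarrow P(E_1) \le P(E_2)$
- $P(E_1 \cup E_2) + P(E_1 \cap E_2) = P(E_1) + P(E_2)$
- $E_1 \cap E_2 = \emptyset \Rightarrow P(E_1 \cup E_2) = P(E_1) + P(E_2)$
- $P(E_1 \cap E_2) = P(E_1 \mid E_2)\,P(E_2)$
- $\bar{E}$ is the complement event of $E$.
- $P(E_1 \mid E_2)$ is the conditional probability of $E_1$ given $E_2$.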
3. Majority Decision Method for $O_{LSB}$
It is possible to enhance the correctness of the oracle $O_{LSB}$ by knowing $LSB(Mr_i)$ for random $r_i \in Z_n$.
Lemma 1: Let $r_1, \ldots, r_t \in_R Z_n$, for enough large t, holds with high probability for $Ma < \varepsilon n/2$.
Assume that $O_{LSB}$ correctly answers with probability $1/2 + \varepsilon$. If $r_i$ is random in $Z_n$ and $Ma \bmod n < \varepsilon n/2$, then
$LSB(Ma \bmod n) = O_{LSB}(C(a+r_i)^e) \oplus LSB(Mr_i \bmod n)$
holds with probability at least $1/2 + \varepsilon/2$.
4. Probability of Majority Decision Method
Define $x_i$ by $x_i = 1$ if equation (1) is not true, else $x_i = 0$, for $i \in S = \{1,2,\ldots,t\}$. Let $P$ be the probability that equation (1) is not true: $P < 1/2 - \varepsilon/2$.
The mean is $Exp(x_i) = \sum P/t = P < 1/2 - \varepsilon/2$.
The variance is $Var(x_i) = Exp(x_i^2) - Exp^2(x_i) = P - P^2 < -(P-1/2)^2 + 1/4 < 1/4$.
The error probability of lemma 1 is
Chebyshev's inequality
If we choose $t = O(poly(\log n)\,\varepsilon^{-2})$, the error term is upper-bounded by $1/poly(\log n)$.
6. Uniform sampling technique with known bits
(1) Each point is uniformly distributed in $Z_n$.
(2) The points are pairwise independent.
(3) The least significant bit of each point is known with high probability.
We use $Mr_i \bmod n$, where $r_i = k + il$ ($k$, $l$ are random integers in $Z_n$, $0 \le i < t$). Let $y = Mk \bmod n$, $z = Ml \bmod n$.
Here assume we know $LSB(y)$, $LSB(z)$, and that $y$, $z$ are in one of the intervals
$y \in \bigcup_j [j\varepsilon n/8,\ (j+1)\varepsilon n/8] = [0,n]$, $z \in \bigcup_j [j\varepsilon n/8t,\ (j+1)\varepsilon n/8t] = [0,n]$.
There are $(2 \cdot 8/\varepsilon)(2 \cdot 8t/\varepsilon) = 2^8 t \varepsilon^{-2}$ possibilities.
Then we can know $Mr_i$ up to $\varepsilon n/8 + i\,\varepsilon n/8t < 2\varepsilon n/8$. If $r_i x$ is in the interval containing 0, we can not guess LSB (with probability $< \varepsilon/4$) $\Rightarrow$ $\Pr[LSB(r_i x) \text{ is unknown}] \le \varepsilon/4$.
7. Error analysis of the bit security
$\Pr[G_i \wedge LSB(Mr_i) \text{ is known}] \ge \Pr[G_i] - \Pr[LSB(Mr_i) \text{ is unknown}] \ge 1/2 + \varepsilon/2 - \varepsilon/4 > 1/2 + \varepsilon/4$.
The error case for $r_i$ is the event $E_i = \neg(G_i \wedge LSB(Mr_i) \text{ is known})$, thus $\Pr[E_i] < 1/2 - \varepsilon/4$.
Define $x_i$ by $x_i = 1$ if $x \in E_i$, else $x_i = 0$. Then its mean is $Exp(x_i) < 1/2 - \varepsilon/4$, and its variance is $Var(x_i) = Exp(x_i^2) - Exp^2(x_i) < 1/4$.
Chebyshev's inequality
The error probability is bounded by $4/(t\varepsilon^2) = 1/(16 \log n)$, where $t = 2^6 (\log n)\,\varepsilon^{-2}$. The oracle $O_{LSB}$ is correct with probability $1 - 1/\log n$ (including random sampling).
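Added example (not from the original slides): an exact check, over a small constructed prime modulus, that the points r_i = k + i*l mod n of slide 6 are pairwise independent and that the majority vote over them fails no more often than Chebyshev's inequality allows. The modulus 101, t = 20, the set BAD (a stand-in for the error event E_i) and all function names are assumptions made for the illustration.

```python
from itertools import product

def points(k, l, t, n):
    """Slide 6 sampling: r_i = k + i*l mod n for 0 <= i < t."""
    return [(k + i * l) % n for i in range(t)]

def is_pairwise_uniform(i, j, n):
    """True if (r_i, r_j) takes every value in Z_n x Z_n exactly once
    as (k, l) ranges over Z_n x Z_n, i.e. r_i and r_j are independent
    and uniform. This needs i - j to be invertible mod n."""
    seen = {((k + i * l) % n, (k + j * l) % n)
            for k, l in product(range(n), repeat=2)}
    return len(seen) == n * n

def majority_failure(n, t, bad):
    """Exact probability over (k, l) that the majority vote is wrong,
    where x_i = 1 (an error) exactly when r_i falls in `bad`."""
    fails = 0
    for k, l in product(range(n), repeat=2):
        errors = sum(r in bad for r in points(k, l, t, n))
        if 2 * errors >= t:          # at least half the votes are wrong
            fails += 1
    return fails / (n * n)

def chebyshev_bound(p, t):
    """Pr[mean(x_i) >= 1/2] <= Var(x_i) / (t * (1/2 - p)^2),
    valid because pairwise independence makes the variances add."""
    delta = 0.5 - p
    return p * (1 - p) / (t * delta * delta)

# Constructed parameters (assumptions, not values from the slides).
N = 101                      # small prime so enumeration is exact
T = 20                       # number of sample points, T <= N
BAD = frozenset(range(30))   # error set of density P = 30/101 < 1/2

if __name__ == "__main__":
    p = len(BAD) / N
    print("pairwise uniform (i=3, j=17):", is_pairwise_uniform(3, 17, N))
    print("exact majority failure:", majority_failure(N, T, BAD))
    print("Chebyshev bound:", chebyshev_bound(p, T))
    # With a composite modulus, i - j must stay coprime to n.
    print("n=9, i=0, j=3:", is_pairwise_uniform(0, 3, 9))
```

The last line shows the caveat for a composite modulus: independence of r_i and r_j holds only while i - j is invertible mod n.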
8. Estimation of the total running time
The estimation of total running time is as follows.
(1) $\Pr[x \text{ in } Z_n : x \in I]$ is at least $\varepsilon^2$ $\Rightarrow$ the expected number of step 1 is $O(\varepsilon^{-2})$.
(2) There are $2^8 t \varepsilon^{-2}$ possibilities to find proper $y$, $z$ of $Mr_i$. $\Rightarrow$ We will run $O(t\varepsilon^{-2})$ copies of the gcd procedure in parallel.
(3) Each gcd calls $O(\log n)$ queries to the oracle $O_{LSB}$.
(4) The oracle makes $O(t)$ operations for the majority decision method.
For $t = 2^6 (\log n)\,\varepsilon^{-2}$ the overall expected time is $O(\varepsilon^{-4} t^2 \log n) = O(\varepsilon^{-8} (\log n)^3)$.
From $\varepsilon = 1/(\log n)^c$, we obtain $O((\log n)^{8c+3})$ for any constant $c > 0$ ($= poly(\log n)$).