Title: Slides by Vera Asodi
1 Pseudorandom Generators
Slides by Vera Asodi and Tomer Naveh. Updated by Avi Ben-Aroya and Alon Brook. Adapted from Oded Goldreich's course lecture notes by Sergey Benditkis, Boris Temkin and Ilya Safro.
2 Introduction
- In this lecture we'll cover:
  - Definition of pseudorandom generators
  - Computational indistinguishability
  - Statistical closeness
  - Multiple samples
  - Application of pseudorandom generators
  - Amplification of the stretch function
  - One-way functions
  - Hard-core predicates
3 Definition of PRG
- A pseudorandom generator is an efficient program which stretches short random seeds into long pseudorandom sequences.
[Figure: a short seed enters the PRG, which stretches it into a pseudorandom sequence; labels "Efficiency" and "Stretching"; caption: "Mmmm... They look the same to me!"]
4 Computational Indistinguishability
13.1
- Def: A probability ensemble $X$ is a family $X = \{X_n\}_{n \in \mathbb{N}}$ such that $X_n$ is a probability distribution on some finite domain.
- Def: Two probability ensembles, $\{X_n\}_{n \in \mathbb{N}}$ and $\{Y_n\}_{n \in \mathbb{N}}$, are called computationally indistinguishable if for any probabilistic polynomial-time algorithm $A$, for any positive polynomial $p(\cdot)$, and for all sufficiently large $n$'s:
5 Defining PRG
13.2
- Def: A deterministic polynomial-time algorithm $G$ is called a pseudorandom generator if there exists a stretching function $l: \mathbb{N} \to \mathbb{N}$ s.t. the following two probability ensembles, denoted $\{G_n\}_{n \in \mathbb{N}}$ and $\{R_n\}_{n \in \mathbb{N}}$, are computationally indistinguishable:
  - Distribution $G_n$ is defined as the output of $G$ on a uniformly selected seed in $\{0,1\}^n$.
  - Distribution $R_n$ is defined as the uniform distribution on $\{0,1\}^{l(n)}$.
6 Statistical Closeness
13.3
- Def (statistical closeness): The statistical difference between two distributions, $X$ and $Y$, is defined as
  Two probability ensembles $\{X_n\}_{n \in \mathbb{N}}$ and $\{Y_n\}_{n \in \mathbb{N}}$ are statistically close if for all polynomials $p(\cdot)$ and for all sufficiently large $n$:
- Prop: If two probability ensembles are statistically close then they are computationally indistinguishable.
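The distinguishing gap of slide 4 and the statistical difference of slide 6, computed exactly on constructed distributions, as an added example that is not from the slides or from Goldreich's notes. It assumes the standard formula for statistical difference, $\frac{1}{2}\sum_v |\Pr[X=v] - \Pr[Y=v]|$, which the extracted slide does not show; the two distributions ($U_3$ and the uniform distribution over even-parity 3-bit strings) and the test predicates are constructed for the example:

```python
# Added example, not from the slides: the distinguishing gap of slide 4 and the
# statistical difference of slide 6, computed exactly with rational arithmetic.
from fractions import Fraction
from itertools import combinations, product

def uniform(domain):
    """Uniform distribution over a finite domain, as a dict value -> probability."""
    return {v: Fraction(1, len(domain)) for v in domain}

# Constructed distributions over {0,1}^3: X is U_3, Y is uniform over even-parity strings.
DOMAIN = ["".join(b) for b in product("01", repeat=3)]
X = uniform(DOMAIN)
Y = uniform([v for v in DOMAIN if v.count("1") % 2 == 0])

def advantage(D, X, Y):
    """|Pr[D(X) = 1] - Pr[D(Y) = 1]|: the gap that slide 4 requires to be below 1/p(n)."""
    def accept(Z):
        return sum((p for v, p in Z.items() if D(v) == 1), Fraction(0))
    return abs(accept(X) - accept(Y))

def statistical_difference(X, Y):
    """Standard definition (assumed; the slide's formula is not in the extract):
    (1/2) * sum over v of |Pr[X = v] - Pr[Y = v]|."""
    dom = set(X) | set(Y)
    return sum((abs(X.get(v, 0) - Y.get(v, 0)) for v in dom), Fraction(0)) / 2

def best_distinguisher(X, Y):
    """Accept exactly S = {v : Pr[X = v] > Pr[Y = v]}.  Its advantage equals the
    statistical difference, and no test, efficient or not, can exceed it: that is why
    statistical closeness implies computational indistinguishability (slide 6)."""
    S = {v for v in set(X) | set(Y) if X.get(v, 0) > Y.get(v, 0)}
    return lambda v: 1 if v in S else 0

def max_advantage_by_brute_force(X, Y):
    """Confirm the bound by trying every subset of the domain as an acceptance set."""
    dom = sorted(set(X) | set(Y))
    best = Fraction(0)
    for k in range(len(dom) + 1):
        for S in combinations(dom, k):
            accept_set = set(S)
            best = max(best, advantage(lambda v: 1 if v in accept_set else 0, X, Y))
    return best

if __name__ == "__main__":
    print("statistical difference:", statistical_difference(X, Y))
    print("parity test advantage:", advantage(lambda v: v.count("1") % 2, X, Y))
    print("first-bit test advantage:", advantage(lambda v: int(v[0]), X, Y))
    print("best possible advantage:", max_advantage_by_brute_force(X, Y))
```

The parity test reaches the full statistical difference of 1/2, while a test that only looks at the first bit has advantage 0: an ensemble that is statistically far can still fool a weak distinguisher, but no distinguisher can beat the statistical difference, which is the content of the Prop.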
7 Poly-time Constructible
13.4
- Def: An ensemble $\{Z_n\}_{n \in \mathbb{N}}$ is probabilistic polynomial-time constructible if there exists a probabilistic polynomial-time algorithm $S$ such that for every $n$, $S(1^n) \equiv Z_n$ (i.e., the output of $S(1^n)$ is distributed identically to $Z_n$).
8 Independent Samples
Thm: Let $\{X_n\}$ and $\{Y_n\}$ be computationally indistinguishable and probabilistic polynomial-time constructible. Let $t(\cdot)$ be a positive polynomial. Define $\overline{X}_n$ and $\overline{Y}_n$ as follows:
$\overline{X}_n = (X_n^{(1)}, X_n^{(2)}, \ldots, X_n^{(t(n))})$, $\overline{Y}_n = (Y_n^{(1)}, Y_n^{(2)}, \ldots, Y_n^{(t(n))})$,
where the $X_n^{(i)}$'s ($Y_n^{(i)}$'s) are independent copies of $X_n$ ($Y_n$). Then $\{\overline{X}_n\}$ and $\{\overline{Y}_n\}$ are computationally indistinguishable.
9 Hybrid Distribution
- Proof:
  - Assume a distinguisher $D$ for $\overline{X}_n$ and $\overline{Y}_n$ s.t. for a polynomial $p(\cdot)$ and all sufficiently large $n$'s:
  - Define the hybrid distributions for $0 \le i \le t(n)$: $H_n^{(i)} = (X_n^{(1)}, \ldots, X_n^{(i)}, Y_n^{(i+1)}, \ldots, Y_n^{(t(n))})$.
  - Note that $H_n^{(0)} = \overline{Y}_n$ and $H_n^{(t(n))} = \overline{X}_n$.
  - Define an algorithm $D'$ as follows: for $\alpha$ taken from $X_n$ or $Y_n$, $D'(\alpha) = D(X_n^{(1)}, \ldots, X_n^{(i-1)}, \alpha, Y_n^{(i+1)}, \ldots, Y_n^{(t(n))})$, where $i$ is chosen uniformly in $\{1, 2, \ldots, t(n)\}$.
10 Hybrid Argument
According to the definition of $D'$, $i$ is chosen uniformly from $\{1, \ldots, t(n)\}$.
According to the definition of $H_n^{(i)}$.
Note: only up to $i-1$ we have $X$'s, so we get $H_n^{(i-1)}$.
11 Hybrid Argument
It's a telescopic sum.
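The hybrid argument of slides 8 to 11 carried out exactly on toy ensembles, as an added example that is not the slide authors' or Goldreich's code. The single-sample distributions ($X_n$ a fair bit, $Y_n$ a biased bit), the distinguisher $D$ (majority of the $t$ samples) and the choice $t = 3$ are constructed for the example; $D'$ is built exactly as on slide 9, and rational arithmetic makes the telescoping visible to the digit:

```python
# Added example (mine, not the slide authors'): the hybrid argument of slides 8-11
# carried out exactly, so that the telescoping sum of slide 11 can be checked.
from fractions import Fraction
from itertools import product

# Constructed single-sample distributions over {0,1}: X_n a fair bit, Y_n a biased bit.
X = {0: Fraction(1, 2), 1: Fraction(1, 2)}
Y = {0: Fraction(2, 5), 1: Fraction(3, 5)}

def product_dist(factors):
    """Distribution of (Z^(1), ..., Z^(t)) for independent Z^(j) drawn from factors[j]."""
    dist = {}
    for outcome in product(*[list(d) for d in factors]):
        pr = Fraction(1)
        for d, v in zip(factors, outcome):
            pr *= d[v]
        dist[outcome] = dist.get(outcome, Fraction(0)) + pr
    return dist

def accept_prob(D, dist):
    """Pr[D(Z) = 1] for Z drawn from dist."""
    return sum((p for v, p in dist.items() if D(v) == 1), Fraction(0))

def hybrid(i, t):
    """H_n^(i) = (X^(1), ..., X^(i), Y^(i+1), ..., Y^(t)); H^(0) = Ybar and H^(t) = Xbar."""
    return product_dist([X] * i + [Y] * (t - i))

def majority(tup):
    """Constructed distinguisher D on t-tuples."""
    return 1 if 2 * sum(tup) > len(tup) else 0

def advantage_D(D, t):
    """Pr[D(Xbar) = 1] - Pr[D(Ybar) = 1]."""
    return accept_prob(D, hybrid(t, t)) - accept_prob(D, hybrid(0, t))

def telescoping_terms(D, t):
    """Pr[D(H^(i)) = 1] - Pr[D(H^(i-1)) = 1] for i = 1..t; the terms sum to advantage_D."""
    return [accept_prob(D, hybrid(i, t)) - accept_prob(D, hybrid(i - 1, t))
            for i in range(1, t + 1)]

def advantage_Dprime(D, t):
    """D'(alpha): choose i uniformly in {1..t}, plant alpha in slot i, fill slots 1..i-1
    from X and i+1..t from Y, and answer D(...).  When alpha ~ X the tuple is H^(i);
    when alpha ~ Y it is H^(i-1).  Returns Pr[D'(X) = 1] - Pr[D'(Y) = 1]."""
    def accept_with_alpha_from(Z):
        return sum((accept_prob(D, product_dist([X] * (i - 1) + [Z] + [Y] * (t - i)))
                    for i in range(1, t + 1)), Fraction(0)) / t
    return accept_with_alpha_from(X) - accept_with_alpha_from(Y)

if __name__ == "__main__":
    t = 3
    print("advantage of D on t-tuples:", advantage_D(majority, t))
    print("telescoping terms:", telescoping_terms(majority, t))
    print("advantage of D' on single samples:", advantage_Dprime(majority, t))
```

The single-sample distinguisher $D'$ keeps exactly a $1/t(n)$ fraction of $D$'s advantage; since $t$ is polynomial, a non-negligible advantage against the $t$-fold product becomes a non-negligible advantage against a single sample, which is the contradiction the proof needs.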
12 Application of PRG
13.5
- Let $A$ be a probabilistic algorithm, and $\rho(n)$ denote a polynomial upper bound on its randomness complexity. Let $A(x,r)$ denote the output of $A$ on input $x$ and coin-toss sequence $r \in \{0,1\}^{\rho(n)}$. Let $G$ be a pseudorandom generator with stretching function $l: \mathbb{N} \to \mathbb{N}$.
- Then $A^G$ is a randomized algorithm that, on input $x$:
  - Sets $k = k(x)$ to be the smallest integer s.t. $l(k) \ge \rho(|x|)$.
  - Uniformly selects $s \in \{0,1\}^k$.
  - Outputs $A(x,r)$, where $r$ is the $\rho(|x|)$-bit long prefix of $G(s)$.
13 Application of PRG (2)
- Thm: Let $A$ and $G$ be as above. Then for every pair of probabilistic polynomial-time algorithms, a finder $F$ and a distinguisher $D$, every positive polynomial $p(\cdot)$ and all sufficiently large $n$'s:
  where
  and the probabilities are taken over the $U_m$'s as well as over the coin tosses of $F$ and $D$.
14 Amplifying the Stretch Function (2)
[Figure: a chain of copies of $G$; each copy takes an $n$-bit input, passes $n$ bits on to the next copy and contributes 1 bit to the output sequence.]
15 Amplifying the Stretch Function
13.6
- Thm: Let $G$ be a pseudorandom generator with stretch function $l(n) = n+1$, and let $l'$ be any polynomially bounded stretch function which is polynomial-time computable. Let $G_1(x)$ denote the $|x|$-bit long prefix of $G(x)$, and $G_2(x)$ denote the last bit of $G(x)$. Then $G'(s) = \sigma_1 \sigma_2 \cdots \sigma_{l'(|s|)}$, where $x_0 = s$, $\sigma_i = G_2(x_{i-1})$ and $x_i = G_1(x_{i-1})$, is a pseudorandom generator with stretch function $l'$.
- The theorem is proven using the hybrid technique.
16 One-Way Functions
13.7
- Def: A one-way function, $f$, is a polynomial-time computable function s.t. for every probabilistic polynomial-time algorithm $A$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s:
  where $U_n$ is the uniform distribution over $\{0,1\}^n$.
- Popular candidates for one-way functions are based on the conjectured intractability of:
  - Integer factorization
  - Discrete logarithm problem
  - Decoding of random linear codes
  - …
17 Hard-Core Predicate
13.8
- Def (hard-core predicate): A polynomial-time computable predicate $b: \{0,1\}^* \to \{0,1\}$ is called a hard-core of a function $f$ if for every probabilistic polynomial-time algorithm $A$, every positive polynomial $p(\cdot)$, and all sufficiently large $n$'s:
- Thm (generic hard-core): Let $f$ be an arbitrary one-way function, and let $g$ be defined by $g(x,r) = (f(x), r)$, where $|x| = |r|$. Let $b(x,r)$ denote the inner product mod 2 of the binary vectors $x$ and $r$. Then $b$ is a hard-core of $g$.
18 Hard-Core Predicate (2)
- Thm: Let $b$ be a hard-core predicate of a polynomial-time computable 1-1 function $f$. Then $G(s) = f(s)\,b(s)$ is a pseudorandom generator.
- Proof sketch: Clearly the $|s|$-bit long prefix of $G(s)$ is uniformly distributed (since $f$ is 1-1 and onto $\{0,1\}^{|s|}$). Hence, we only have to show that distinguishing $f(s)\,b(s)$ from $f(s)\,\sigma$, where $\sigma$ is a random bit, contradicts the hypothesis that $b$ is a hard-core of $f$. Intuitively, such a distinguisher also distinguishes $f(s)\,b(s)$ from , and so yields an algorithm for predicting $b(s)$ based on $f(s)$.
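A toy end-to-end instantiation of slides 15, 17 and 18, driven as in slide 12, as an added example that is not the slide authors' or Goldreich's code. The one-way-function candidate is the discrete-exponentiation map from slide 16's list, $x \mapsto 3^x \bmod (2^n + 1)$ shifted down by one, restricted to $n \in \{4, 8, 16\}$ where $2^n + 1$ is a Fermat prime with primitive root 3, so that $f_n$ is a permutation of $\{0,1\}^n$ as slide 18 requires; at these sizes the discrete log is a brute-force search, so the example shows the constructions, not security. The stretch function $l'(k) = k^2$, the supported seed lengths, the randomized algorithm `sample_ones` and the seed source are all constructed for the example:

```python
# Added example (mine, not the slide authors' or Goldreich's code): a toy instantiation of
# slides 15, 17 and 18, driven as in slide 12.  The one-way-function candidate is the
# discrete-exponentiation map from slide 16, restricted to bit lengths n where 2^n + 1 is
# a Fermat prime so that f_n permutes {0,1}^n.  At these sizes a discrete log is a
# brute-force search, so this demonstrates the constructions, not security.
import secrets

FERMAT_PRIME = {4: 17, 8: 257, 16: 65537}   # 2^n + 1 for n = 4, 8, 16
GEN = 3                                     # 3 is a primitive root of each of these primes

def f(x, n):
    """f_n(x) = (3^x mod (2^n + 1)) - 1: 1-1 and onto {0,1}^n, as slide 18 requires."""
    assert 0 <= x < 2 ** n
    return pow(GEN, x, FERMAT_PRIME[n]) - 1

def inner_product_mod2(x, r):
    """b(x, r) = <x, r> mod 2: the generic hard-core predicate of slide 17."""
    return bin(x & r).count("1") & 1

def one_bit_prg(seed):
    """Slides 17 and 18: g(x, r) = (f(x), r) is 1-1 with hard-core b(x, r) = <x, r> mod 2,
    so G(s) = g(s) || b(s) stretches the 2n-bit seed s = x || r to 2n + 1 bits."""
    n = len(seed) // 2
    x, r = int(seed[:n], 2), int(seed[n:], 2)
    return format(f(x, n), "0%db" % n) + seed[n:] + str(inner_product_mod2(x, r))

def amplify(G, seed, length):
    """Slide 15: x_0 = s; sigma_i = G_2(x_{i-1}) (last bit); x_i = G_1(x_{i-1}) (|s|-bit
    prefix).  Returns sigma_1 ... sigma_length."""
    x, sigmas = seed, []
    for _ in range(length):
        y = G(x)
        sigmas.append(y[-1])
        x = y[:len(seed)]
    return "".join(sigmas)

SEED_LENGTHS = sorted(2 * n for n in FERMAT_PRIME)   # the toy family supports 8, 16, 32

def stretch(k):
    """Constructed stretch function l'(k) = k^2 for the amplified generator."""
    return k * k

def choose_seed_length(needed_bits):
    """Slide 12, first step: the smallest supported k with l'(k) >= rho(|x|)."""
    for k in SEED_LENGTHS:
        if stretch(k) >= needed_bits:
            return k
    raise ValueError("toy family has no seed length k with l'(k) >= %d" % needed_bits)

def run_with_prg(A, x, rho, seed_source=lambda k: format(secrets.randbits(k), "0%db" % k)):
    """Slide 12: A^G(x).  Pick k, draw a uniform k-bit seed, and run A on x with the
    rho(|x|)-bit prefix of G'(seed) in place of truly random coins."""
    need = rho(len(x))
    k = choose_seed_length(need)
    coins = amplify(one_bit_prg, seed_source(k), stretch(k))[:need]
    return A(x, coins)

def sample_ones(x, coins):
    """Constructed randomized algorithm A: estimate the fraction of 1s in x by reading
    eight coins per sampled position; its randomness complexity is rho(m) = 8m."""
    positions = [int(coins[i:i + 8], 2) % len(x) for i in range(0, len(coins), 8)]
    return sum(int(x[i]) for i in positions) / len(positions)

if __name__ == "__main__":
    print(amplify(one_bit_prg, "00010001", 16))
    print(run_with_prg(sample_ones, "1011001110", lambda m: 8 * m))
```

One degenerate case worth noticing: $x = 0$ is a fixed point of $f_n$ ($3^0 - 1 = 0$), so any seed whose $x$ half is all zeros stalls the chain of slide 15 and $G'$ emits only zeros. That does not contradict the theorem, whose guarantee concerns a uniformly chosen seed, but it is the kind of weak-seed behaviour a practitioner checks for before trusting a generator built this way.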
19 The Existence of PRG
13.9
- Thm: Pseudorandom generators exist iff one-way functions exist.
- Proof:
  - Let $G$ be a pseudorandom generator with stretch function $l(n) = 2n$. For $x, y \in \{0,1\}^n$, define $f(x,y) = G(x)$, and so $f$ is polynomial-time computable. Suppose, by way of contradiction, that $f$ is not one-way. Then there exists an algorithm $A$ such that
    for some polynomial $p(\cdot)$. We define the following polynomial-time algorithm $D$: for an input $z \in \{0,1\}^{2n}$,
20 The Existence of PRG (2)
- So we have
- while
- Therefore, $D$ distinguishes $G(U_n)$ from $U_{2n}$, in contradiction to the hypothesis that $G$ is a pseudorandom generator.
- Proof outline: Suppose $f$ is a one-way function. $f$ is not necessarily 1-1, so the construction $G(s) = f(s)\,b(s)$, where $b$ is a hard-core of $f$, cannot be used directly.
21 The Existence of PRG (3)
- One idea is to hash $f(U_n)$ to an almost uniform string of length related to its entropy, using universal hash functions. But this means shrinking the length of the output to some $n' < n$.
- Thus, we can add $n - n' + 1$ bits by extracting them from the seed $U_n$, by hashing $U_n$. Adding this hash value does not make the inverting task any easier.
[Figure: the $n$-bit seed is fed to $f$ and to a hash function, and the output of $f$ is passed through a second hash function; labels "$n$ bits" and "$n$ bits".]