Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Transcription

1 CS 276 Cryptography Sept 22, 2014 Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions Instructor: Sanjam Garg Scribe: Peihan Miao 1 PRG (Pseudo-Random Generator) extension In this section we will see that if there exists a PRG G : {0, 1} n {0, 1} n+1, then we can construct a new PRG F : {0, 1} n {0, 1} n+l, where l is polynomial in n. Construction 1 We construct the new PRG F as follows. (a) Input: S 0 is the input of F, and S 0 $ {0, 1} n. (b) i [l] = {1, 2,, l}, (σ i, S i ) := G(S i 1 ), where σ i {0, 1}, S i {0, 1} n. (c) Output: σ 1 σ 2 σ l S l. Theorem 2 The F described above is a PRG. Proof. We prove this by hybrid argument. Define the hybrid H i as follows. (a) Input: σ 1, σ 2,, σ i $ {0, 1}, Si $ {0, 1} n. (b) j {i + 1, i + 2,, l}, (σ j, S j ) := G(S j 1 ), where σ j {0, 1}, S j {0, 1} n. (c) Output: σ 1 σ 2 σ l S l. Note that H 0 F, and H l U n+l. Assume for the purpose of contradiction that we have a non-uniform PPT adversary A that can distinguish H 0 form H l. Define ɛ i := Pr[A(H i ) = 1] for i = 0, 1,, l. Then there exists a non-negligible function v(n) such that ɛ 0 ɛ l v(n). Since ɛ 0 ɛ 1 + ɛ 1 ɛ ɛ l 1 ɛ l ɛ 0 ɛ l v(n), we know that there exists k {0, 1,, l 1} such that ɛ k ɛ k+1 v(n). l l is polynomial in n, so v(n) l is also a non-negligible function. That is to say, A can distinguish H k from H k+1. Then we will construct an adversary R that can distinguish U n+1 from G(U n ) (which leads to a contradiction): For an input T {0, 1} n+1, T could be either from U n+1 or G(U n ). We define R(T ) := A(H k+1 (σ 1,, σ k, T )), where σ 1, σ 2,, σ k $ {0, 1}. Firstly, since A and G are both PPT computable, R is also PPT computable. Further, we have 5-1

2 Thus if T is from G(U n ), then H k+1 (σ 1,, σ k, T ) is from H k ; if T is from U n+1, then H k+1 (σ 1,, σ k, T ) is from H k+1. Pr[B(G(U n )) = 1] Pr[B(U n+1 ) = 1] = Pr[A(H k ) = 1] Pr[A(H k+1 ) = 1] = ɛ k ɛ k+1 v(n), l which means R is a non-uniform PPT computable adversary to G. Contradiction to the fact that G is PRG. 2 PRG from OWP (One-Way Permutations) In this section we will show how to construct pseudorandom generators under the assumption that one-way permutations exist. Construction 3 Let f : {0, 1} n {0, 1} n be a OWP. We construct G : {0, 1} 2n {0, 1} 2n+1 as G(x, r) = f(x) r B(x, r), where x, r {0, 1} n, and B(x, r) defines a hard core bit. Note that the hard core bit always exists because we know from previous classes that ( n ) b(x, r) = x i r i mod 2 is a hard core bit. i=1 Theorem 4 The G constructed above is a PRG. Proof. Assume for the purpose of contradiction that G is not PRG. We construct three ensembles of probability distributions: H 0 := G(U 2n ) = f(x) r B(x, r), where x, r $ {0, 1} n ; H 1 := f(x) r σ, where x, r $ {0, 1} n, σ $ {0, 1}; H 2 := U 2n+1. Since f is a permutation, H 1 is uniformly distributed in {0, 1} 2n+1, i.e., H 1 H 2. G is not PRG implies that there exists a non-uniform PPT adversary A that can distinguish H 0 from H 2. And since H 1 H 2, A can distinguish H 0 from H 1, that is, there exists a non-negligible function v(n) satisfying Pr[A(H 0 ) = 1] Pr[A(H 1 ) = 1] v(n). 5-2

3 Next we will construct an adversary R that can predict the hard core bit (which leads to a contradiction). Define a new ensemble of probability distribution Then we have H 1 = f(x) r (1 B(x, r)), where x, r $ {0, 1} n. Pr[A(H 1 ) = 1] = Pr[σ = B(x, r)] Pr[A(H 0 ) = 1] + Pr[σ = 1 B(x, r)] Pr[A(H 1) = 1] = 1 2 Pr[A(H 0) = 1] Pr[A(H 1) = 1], Pr[A(H 1 ) = 1] Pr[A(H 0 ) = 1] = 1 2 Pr[A(H 1) = 1] 1 2 Pr[A(H 0) = 1], 1 Pr[A(H 0 ) = 1] Pr[A(H 2 1) = 1] = Pr[A(H 1 ) = 1] Pr[A(H 0 ) = 1] v(n), Pr[A(H 0 ) = 1] Pr[A(H 1) = 1] 2v(n). Without loss of generality, we assume that Then we define R(f(x), r) as follows: where σ $ {0, 1}. Then we have Pr[A(H 0 ) = 1] Pr[A(H 1) = 1] 2v(n). R(f(x), r) := Pr[R(f(x), r) = B(x, r)] { σ, if A(f(x), r, σ) = 1 1 σ, if A(f(x), r, σ) = 0, = Pr[σ = B(x, r)] Pr[A(f(x), r, σ) = 1 σ = B(x, r)]+ Pr[σ = 1 B(x, r)] Pr[A(f(x), r, σ) = 0 σ = 1 B(x, r)]+ = 1 ( ) Pr[A(f(x), r, B(x, r)) = 1] + 1 Pr[A(f(x), r, 1 B(x, r)) = 1] 2 = ( Pr[A(H0 ) = 1] Pr[A(H 2 1) = 1] ) v(n). Thus B(x, r) is not a hard core bit, which leads to a contradiction. 3 PRF (Pseudo-Random Functions) from PRG In this section, we will first define pseudo-random functions, and then show that we can construct a pseudo-random function if we have a pseudo-random generator. Considering the set of all functions f : {0, 1} n {0, 1} n, there are (2 n ) 2n of them. And to describe a random function in this set, we need n 2 n bits. Intuitively, a pseudo-random function is one that cannot be distinguished from a random one, but we might need much fewer bits to describe it, e.g., polynomial in n. Nota bene, we restrict the distinguisher in such a way that it is only allowed to ask the function poly(n) times and decide whether it s random or pseudo-random. 5-3

4 3.1 Definitions Definition 1 A function ensemble is a sequence of Random Variables F 1, F 2,, F n, denoted as {F n } n N such that F n assumes values in the set of functions mapping n-bit input to n-bit output. Note that we will denote a random function ensemble by {R n } n N. Definition 2 A function ensemble is called efficiently computable if (a) Succinct: a PPT algorithm I and a mapping φ from strings to functions such that φ(i(1 n )) and F n are identically distributed. Note that we can view I as the description of the function. (b) Efficient: a poly-time machine V such that V (i, x) = f i (x) for every x {0, 1} n, where i is in the range of I(1 n ), and f i = φ(i). Definition 3 A function ensemble F = {F n } n N is pseudo-random if for every non-uniform PPT oracle adversary A, there exists a negligible function ɛ(n) such that Pr[A Fn (1 n ) = 1] Pr[A Rn (1 n ) = 1] ɛ(n). Here by saying oracle we mean that A has oracle access to a function (in our definition, the function is F n or R n ), and each call to that function costs 1 unit of time. Note that we will only consider efficiently computable pseudo-random ensembles in the following parts. 3.2 Construction of PRF from PRG Now we are ready to present the construction of pseudo-random functions from pseudo-random generators. Construction 5 Assume there exists a PRG G : {0, 1} n {0, 1} 2n, let G 0 (x) be the first n bits of G(x), G 1 (x) be the last n bits of G(x). We construct F i : {0, 1} n {0, 1} n as F i (x) = F i (x 1 x 2 x n ) := G xn (G xn 1 ( (G x1 (i)) )). Here i is an n-bit string, which is the seed of the pseudo-random function. The construction can be viewed as a full binary tree of depth n, as shown in Figure 1. Claim 6 The function ensemble constructed above is pseudo-random. Proof. Assume for the purpose of contradiction that {F n } n N is not PRG. Then there exists a non-uniform PPT oracle adversary A that can distinguish {F n } from {R n }. We use hybrid argument. Define H i (i = 0, 1,, n) in the following way: Let H i be a full binary tree of depth n where the nodes of levels 0 to i are truly random values, and the levels i + 1 to n are constructed by G 0 and G 1. Then we have H 0 F n and H n R n. Since A that can distinguish H 0 from H n, by hybrid argument, there exists j {0, 1,, n 1} such that A can distinguish H j from H j

5 Figure 1: view the construction as a binary tree Next, we need to use hybrid argument again. Note that A is PPT, so there are only poly(n) nodes in the j th level of the tree that have been visited by A. Denote all the nodes by v 1, v 2,, v t, where t = poly(n). We construct H j,i (i = 0, 1,, t) as follows: Let H j,i be a full binary tree of depth n where the nodes of levels 0 to j are random, the sons of nodes v 1, v 2,, v i are random, and all the rest nodes are constructed by G 0 and G 1. We have H j,0 H j. Further, H j,t and H j+1 are equivalent for A since the different nodes between H j,t and H j+1 are not visited by A. Thus, A that can distinguish H j,0 from H j,t. By hybrid argument, there exists k {0, 1,, t 1} such that A can distinguish H j,k from H j,k+1. Now we are ready to construct an adversary B : {0, 1} 2n {0, 1} where the input T could be either from U 2n or G(U n ): Construct a full binary tree of depth n where the nodes of levels 0 to j are random, the sons of nodes v 1, v 2,, v k are random, the left son of node v k+1 is the first n bits of T, the right son of node v k+1 is the last n bits of T, and all the rest nodes are constructed by G 0 and G 1. Take this binary tree as the input of A, then we have if T is from U 2n, then A s input is from H j,k+1 ; if T is from G(U n ), then A s input is from H j,k. Since A can distinguish H j,k from H j,k+1, A can distinguish from U 2n and G(U n ). Contradiction to the fact that G is a PRG. 3.3 Application Consider an interesting game: Alice and Bob are talking on the phone. Alice flips a coin, and Bob guesses whether it s head or tail. But the problem is how can Alice convince Bob that the coin is indeed head or tail? If we have pseudo-random functions, the problem could be easily solved. Assume we have a PRF F n : {0, 1} n {0, 1} n. Alice and Bob have a shared key i {0, 1} n, then f i ( ) is shared information. Now Alice has a message m {0, 1} n and wants to let Bob guess it, the procedure consists of three steps. 5-5

6 (a) Alice chooses a string r {0, 1} n, and sends to Bob m = f i (r) m ; (b) Bob guesses m; (c) Alice sends r to Bob. In step (a), since F n is PRF, all the information that Bob gets is a random n-bit string, so it will not influence his behavior in step (b). Then in step (c), Bob receives r and will be convinced that the true value of m is f i (r) m. 5-6