YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Crytograhy and Comuter Security Handout #21 Professor M. J. Fischer November 29, 2005 Pseudorandom Seuence Generation 1 Distinguishability and Bit Prediction Let D be a robability distribution on a finite set Ω. Then D associates a robability P D (ω) with each each element ω Ω. We will also regard D as a random variable that ranges over Ω and assumes value ω Ω with robability P D (ω). Definition: An (S, l)-seudorandom seuence generator (PRSG) is a function f: S 0, 1} l. (We generally assume 2 l S.) More roerly seaking, a PRSG is a randomness amlifier. Given a random, uniformly distributed seed s S, the PRSG yields the seudorandom seuence z = f(s). We use S also to denote the uniform distribution on seeds, and we denote the induced robability distribution on seudorandom seuences by f(s). The goal of an (S, l)-prsg is to generate seuences that look random, that is, are comutationally indistinguishable from seuences drawn from the uniform distribution U on length-l seuences. Informally, a robabilistic algorithm A that always halts distinguishes X from Y if its outut distribution is noticeably differently deending whether its inut is drawn at random from X or from Y. Formally, there are many different kinds of distinguishably. In the following definition, the only asect of A s behavior that matters is whether or not it oututs 1. Definition: Let ɛ > 0, let X, Y be distributions on 0, 1} l, and let A be a robabilistic algorithm. Algorithm A naturally induces robability distributions A(X) and A(Y ) on the set of ossible outcomes of A. We say that A ɛ-distinguishes X and Y if rob[a(x) = 1] rob[a(y ) = 1] ɛ, and we say X and Y are ɛ-indistinguishable by A if A does not distinguish them. A natural notion of randomness for PRSG s is that the next bit should be unredictable given all of the bits that have been generated so far. Definition: Let ɛ > 0 and 1 i l. A robabilistic algorithm N i is an ɛ-next bit redictor for bit i of f if rob[n i (Z 1,..., Z i 1 ) = Z i ] 1 2 + ɛ where (Z 1,..., Z l ) is distributed according to f(s). A still stronger notion of randomness for PRSG s is that each bit i should be unredictable, even if one is given all of the bits in the seuence excet for bit i. Definition: Let ɛ > 0 and 1 i l. A robabilistic algorithm B i is an ɛ-strong bit redictor for bit i of f if rob[b i (Z 1,..., Z i 1, Z i+1,..., Z l ) = Z i ] 1 2 + ɛ where (Z 1,..., Z l ) is distributed according to f(s).
2 Pseudorandom Seuence Generation The close relationshi between distinguishability and the two kinds of bit rediction is established in the following theorems. Theorem 1 Suose ɛ > 0 and N i is an ɛ-next bit redictor for bit i of f. Then algorithm B i is an ɛ-strong bit redictor for bit i of f, where algorithm B i (z 1,..., z i 1, z i+1,..., z l ) simly ignores its last l i inuts and comutes N i (z 1,..., z i 1 ). Proof: Obvious from the definitions. Let x = (x 1,..., x l ) be a vector. We define x i to be the result of deleting the i th element of x, that is, x i = (x 1,..., x i 1, x i+1,..., x l ). Theorem 2 Suose ɛ > 0 and B i is an ɛ-strong bit redictor for bit i of f. Then algorithm A ɛ-distinguishes f(s) and U, where algorithm A on inut x oututs 1 if B i (x i ) = x i and oututs 0 otherwise. Proof: By definition of A, A(x) = 1 recisely when B i (x i ) = x i. Hence, rob[a(f(s)) = 1] 1/2 + ɛ. On the other hand, for r = U, rob[b i (r i ) = r i ] = 1/2 since r i is a uniformly distributed bivalued random variable that is indeendent of r i. Thus, rob[a(u) = 1] = 1/2, so A ɛ-distinguishes f(s) and U. For the final ste in the 3-way euivalence, we have to weaken the error bound. Theorem 3 Suose ɛ > 0 and algorithm A ɛ-distinguishes f(s) and U. For each 1 i l and c 0, 1}, define algorithm N c i (z 1,..., z i 1 ) as follows: 1. Fli coins to generate l i + 1 random bits r i,..., r l. 1 if A(z1,..., z 2. Let v = i 1, r i,..., r l ) = 1; 0 otherwise. 3. Outut v r i c. Then there exist m and c for which algorithm N c m is an ɛ/l-next bit redictor for bit m of f. Proof: Let (Z 1,..., Z l ) = f(s) and (R 1,..., R l ) = U be random variables, and let D i = (Z 1,..., Z i, R i+1,..., R l ). D i is the distribution on l-bit seuences that results from choosing the first i bits according to f(s) and choosing the last l i bits uniformly. Clearly D 0 = U and D l = f(s). Let i = rob[a(d i ) = 1], 0 i l. Since A ɛ-distinguishes D l and D 0, we have l 0 ɛ. Hence, there exists m, 1 m l, such that m m 1 ɛ/l. We show that the robability that N c m correctly redicts bit m for f is 1/2+( m m 1 ) if c = 1 and 1/2+( m 1 m ) if c = 0. It will follow that either N 0 m or N 1 m correctly redicts bit m with robability 1/2+ m m 1 ɛ/l. Consider the following exeriments. In each, we choose an l-tule (z 1,..., z l ) according to f(s) and an l-tule (r 1,..., r l ) according to U. Exeriment E 0 : Succeed if A(z 1,..., z m 1, z m, r m+1,..., r l ) = 1. Exeriment E 1 : Succeed if A(z 1,..., z m 1, z m, r m+1,..., r l ) = 1. Exeriment E 2 : Succeed if A(z 1,..., z m 1, r m, r m+1,..., r l ) = 1.
Handout #21 November 29, 2005 3 Let j be the robability that exeriment E j succeeds, where j = 0, 1, 2. Clearly 2 = ( 0 + 1 )/2 since r m = z m is eually likely as r m = z m. Now, the inuts to A in exeriment E 0 are distributed according to D m, so m = 0. Also, the inuts to A in exeriment E 2 are distributed according to D m 1, so m 1 = 2. Differencing, we get m m 1 = 0 2 = ( 0 1 )/2. We now analyze the robability that N c m correctly redicts bit m of f(s). Assume without loss of generality that A s outut is in 0, 1}. A articular run of N c m(z 1,..., z m 1 ) correctly redicts z m if A(z 1,..., z m 1, r m,..., r l ) r m c = z m (1) If r m = z m, (1) simlifies to and if r m = z m, (1) simlifies to A(z 1,..., z m 1, z m,..., r l ) = c, (2) A(z 1,..., z m 1, z m,..., r l ) = c. (3) Let OK c m be the event that N c m(z 1,..., Z m 1 ) = Z m, i.e., that N c m correctly redicts bit m for f. From (2), it follows that rob[ok c m R m = Z m ] = 0 if c = 1 (1 0 ) if c = 0 for in that case the inuts to A are distributed according to exeriment E 0. Similarly, from (3), it follows that rob[ok c 1 if c = 1 m R m = Z m ] = (1 1 ) if c = 0 for in that case the inuts to A are distributed according to exeriment E 1. Since rob[r m = Z m ] = rob[r m = Z m ] = 1/2, we have rob[ok c m] = 1 2 rob[okc m R m = Z m ] + 1 2 rob[okc m R m = Z m ] = 0 /2 + (1 1 )/2 = 1/2 + m m 1 if c = 1 1 /2 + (1 0 )/2 = 1/2 + m 1 m if c = 0. Thus, rob[ok c m] = 1/2 + m m 1 ɛ/l for some c 0, 1}, as desired. 2 BBS Generator We now give a PRSG due to Blum, Blum, and Shub for which the roblem distinguishing its oututs from the uniform distribution is closely related to the difficulty of determining whether a number with Jacobi symbol 1 is a uadratic residue modulo a certain kind of comosite number called a Blum integer. The latter roblem is believed to be comutationally hard. First some background. A Blum rime is a rime number such that 3 (mod 4). A Blum integer is a number n =, where and are Blum rimes. Blum rimes and Blum integers have the imortant roerty that every uadratic residue a has a suare root y which is itself a uadratic residue. We call such a y a rincial suare root of a and denote it by a.
4 Pseudorandom Seuence Generation Lemma 4 Let be a Blum rime, and let a be a uadratic residue modulo. Then y = a (+1)/4 mod is a rincial suare root of a modulo. Proof: We must show that, modulo, y is a suare root of a and y is a uadratic residue. By the Euler criterion [Theorem 2, handout 15], since a is a uadratic residue modulo, we have a ( 1)/2 1 (mod ). Hence, y 2 (a (+1)/4 ) 2 aa ( 1)/2 a (mod ), so y is a suare root of a modulo. Alying the Euler criterion now to y, we have y ( 1)/2 Hence, y is a uadratic residue modulo. (a (+1)/4) ( 1)/2 ( a ( 1)/2) (+1)/4 1 (+1)/4 1 (mod ). Theorem 5 Let n = be a Blum integer, and let a be a uadratic residue modulo n. Then a has four suare roots modulo n, exactly one of which is a rincial suare root. Proof: By Lemma 4, a has a rincial suare root u modulo and a rincial suare root v modulo. Using the Chinese remainder theorem, we can find x that solves the euations x ±u (mod ) x ±v (mod ) for each of the four choices of signs in the two euations, yielding 4 suare roots of a modulo n. It is easily shown that the x that results from the +, + choice is a uadratic residue modulo n, and the others are not. From Theorem 4, it follows that the maing b b 2 mod n is a bijection from the set of uadratic residues modulo n onto itself. (A bijection is a function that is 1 1 and onto.) Definition: The Blum-Blum-Shub generator BBS is defined by a Blum integer n = and an integer l. It is a (Z n, l)-prsg defined as follows: Given a seed s 0 Z n, we define a seuence s 1, s 2, s 3,..., s l, where s i = s 2 i 1 mod n for i = 1,..., l. The l-bit outut seuence is b 1, b 2, b 3,..., b l, where b i = s i mod 2. Note that any s m uniuely determines the entire seuence s 1,..., s l and corresonding outut bits. Clearly, s m determines s m+1 since s m+1 = s 2 m mod n. But likewise, s m determines s m 1 since s m 1 = s m, the rincial suare root of s m modulo n, which is uniue by Theorem 5. 3 Security of BBS Theorem 6 Suose there is a robabilistic algorithm A that ɛ-distinguishes BBS(Z n) from U. Then there is a robabilistic algorithm Q(x) that correctly determines with robability at least ɛ = ɛ/l whether or not an inut x Z n with Jacobi symbol ( x n) = 1 is a uadratic residue modulo n. Proof: From A, one easily constructs an algorithm  that reverses its inut and then alies A.  ɛ-distinguishes the reverse of BBS(Z n) from U. By Theorem 3, there is an ɛ -next bit redictor N m for bit l m + 1 of BBS reversed. Thus, N m (b l, b l 1,..., b m+1 ) correctly oututs b m with robability at least 1/2 + ɛ, where (b 1,..., b l ) is the (unreversed) outut from BBS(Z n).
Handout #21 November 29, 2005 5 We now describe algorithm Q(x), assuming x Z n and ( x n) = 1. Using x as a seed, comute (b 1,..., b l ) = BBS(x) and let b = N m (b l m, b l m 1,..., b 1 ). Outut uadratic residue if b = x mod 2 and non-residue otherwise. To see that this works, observe first that N m (b l m, b l m 1,..., b 1 ) correctly redicts b 0 with robability at least 1/2+ɛ, where b 0 = ( x 2 mod n) mod 2. This is because we could in rincile let s m+1 = x 2 mod n and then work backwards defining s m = s m+1 mod n, s m 1 = s m mod n,..., s 0 = s 1 mod n. It follows that b 0,..., b l m are the last l m + 1 bits of BBS(s 0 ), and b 0 is the bit redicted by N m. Now, x and x are clearly suare roots of s m+1. We show that they both have Jacobi symbol 1. Since ( ( ) ( ) ( ) ( ) ( ) ( ) x n) = x x = 1, then either x = x = 1 or x = x = 1. But because ( ) ( ) and are Blum rimes, 1 is a uadratic non-residue modulo both and, so 1 = 1 = 1. It follows that ( ) x n = 1. Hence, x = ± sm+1, so exactly one of x and x is a uadratic residue. Since n is odd, x mod n and x mod n have oosite arity. Hence, x is a uadratic residue iff x and s m+1 have the same arity. But N m oututs s m+1 mod 2 with robability 1/2 + ɛ, so it follows that Q correctly determines the uadratic residuosity of its argument with robability 1/2 + ɛ.