Notes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators

Similar documents
CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

Notes for Lecture 14 v0.9

Notes for Lecture 18

Pseudorandom Generators

Notes for Lecture 15

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

COS598D Lecture 3 Pseudorandom generators from one-way functions

Pseudorandom Generators

Goldreich-Levin Hardcore Predicate. Lecture 28: List Decoding Hadamard Code and Goldreich-L

Notes for Lecture 2. Statement of the PCP Theorem and Constraint Satisfaction

Where do pseudo-random generators come from?

Stanford University CS254: Computational Complexity Handout 8 Luca Trevisan 4/21/2010

Pseudorandom Generators

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan 1/29/2002. Notes for Lecture 3

1 Cryptographic hash functions

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Last time, we described a pseudorandom generator that stretched its truly random input by one. If f is ( 1 2

1 Cryptographic hash functions

Lecture 24: Goldreich-Levin Hardcore Predicate. Goldreich-Levin Hardcore Predicate

On the Complexity of Non-adaptively Increasing the Stretch of Pseudorandom Generators

Lecture 7: Pseudo Random Generators

Impagliazzo s Hardcore Lemma

We begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Lecture 9 - One Way Permutations

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Additive Combinatorics and Computational Complexity

Notes on Discrete Probability

Introduction to Cryptography

Some notes on streaming algorithms continued

Notes for Lecture 25

Notes for Lecture 27

Notes for Lecture 25

A New Proof of a Theorem of Green, Tao, and Ziegler

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

Lecture 3: Randomness in Computation

Foundation of Cryptography, Lecture 7 Non-Interactive ZK and Proof of Knowledge

A list-decodable code with local encoding and decoding

Lecture 5: February 16, 2012

Lecture 8: Computational Indistinguishability and Pseudorandomness

Notes for Lecture 9. 1 Combining Encryption and Authentication

CSC 2429 Approaches to the P vs. NP Question and Related Complexity Questions Lecture 2: Switching Lemma, AC 0 Circuit Lower Bounds

1 Randomized Computation

Computer Science Dept.

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 3 Luca Trevisan August 31, 2017

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

CMSC 858K Advanced Topics in Cryptography March 4, 2004

Lecture 23: Alternation vs. Counting

Lecture 4: LMN Learning (Part 2)

On Pseudorandomness w.r.t Deterministic Observers

Lecture 2: Program Obfuscation - II April 1, 2009

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

1 Distributional problems

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

6.842 Randomness and Computation Lecture 5

Lecture 4: Hardness Amplification: From Weak to Strong OWFs

Pseudorandom Generators

Lecture 1: January 16

Lecture 14 October 22

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

1 Nisan-Wigderson pseudorandom generator

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

Lecture 21: P vs BPP 2

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 2 Luca Trevisan August 29, 2017

On the Power of the Randomized Iterate

Notes for Lecture 3... x 4

U.C. Berkeley CS278: Computational Complexity Professor Luca Trevisan August 30, Notes for Lecture 1

On Uniform Amplification of Hardness in NP

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Limits of Minimum Circuit Size Problem as Oracle

Indistinguishability and Pseudo-Randomness

Lecture 4 : Quest for Structure in Counting Problems

CSC 5170: Theory of Computational Complexity Lecture 9 The Chinese University of Hong Kong 15 March 2010

Notes for Lecture 3... x 4

Generic Case Complexity and One-Way Functions

Notes for Lecture 14

The Indistinguishability of the XOR of k permutations

Lecture 3 (Notes) 1. The book Computational Complexity: A Modern Approach by Sanjeev Arora and Boaz Barak;

c 1999 Society for Industrial and Applied Mathematics

On the Randomness Complexity of. Efficient Sampling. Bella Dubrov

State Recovery Attacks on Pseudorandom Generators

Separating Models of Learning from Correlated and Uncorrelated Data

Lecture 18: Inapproximability of MAX-3-SAT

Lecture 4: Proof of Shannon s theorem and an explicit code

Lecture 7: Hard-core Predicate and PRG

Homework 5 Solutions

1 From previous lectures

Notes on Zero Knowledge

THE COMPLEXITY OF CONSTRUCTING PSEUDORANDOM GENERATORS FROM HARD FUNCTIONS

2 Evidence that Graph Isomorphism is not NP-complete

Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators

Average Case Complexity: Levin s Theory

Lecture 3: AC 0, the switching lemma

2 Natural Proofs: a barrier for proving circuit lower bounds

U.C. Berkeley CS294: Beyond Worst-Case Analysis Handout 8 Luca Trevisan September 19, 2017

: On the P vs. BPP problem. 30/12/2016 Lecture 12

CSC 2414 Lattices in Computer Science October 11, Lecture 5

Homework 10 Solution

8.1 Polynomial Threshold Functions

Transcription:

UC Bereley Handout N7 CS294: Pseudorandomness and Combinatorial Constructions September 20, 2005 Professor Luca Trevisan Scribe: Constantinos Dasalais Notes for Lecture 7 1 Increasing the Stretch of Pseudorandom Generators In the previous lecture, we proved that if f is a permutation and B is an (S, ɛ)-hardcore predicate for f then G : x f(x), B(x), which maps n bits to n + 1 bits, is (S, ɛ) pseudorandom We then started investigating the performance of the iterative application of G, namely G () defined as in figure 1 x G G G G B(x) B(f(x)) B(f (2) (x)) B(f (-1) (x)) f () (x) Figure 1: Definition of G () G () maps n bits to n + bits and its pseudorandom properties are determined by theorem 1 which was stated in the end of the previous lecture Today we will finish the proof We will go quicly through the steps of the proof that were given in the previous lecture Theorem 1 If f is a permutation and B an (S, ɛ) hardcore predicate for f and, moreover, f, B are computable by circuits of size t, then G (), where G : x f(x), B(x), is (S O(t), ɛ)- pseudorandom Proof: We will prove the contra-positive of the statement Indeed, we will suppose that G () is not (S, ɛ )-pseudorandom and we will try to derive a distinguishing circuit for G By definition it follows that there exists a circuit D of size S such that Pr (U U n {0,1} n[d(g() n )) = 1] Pr U n+ {0,1} n+[d(u n+) = 1] ɛ Without loss of generality, we can assume that circuit D satisfies the above inequality after removing the absolute value and by virtue of a hybrid argument we can argue that there exists an integer i,0 i 1, such that: Pr [D(r 1,, r i, B(f (i) (x)), B(f (i+1) (x)),, B(f ( 1) (x)), f () (x)) = 1] x,r 1,,r i Pr [D(r 1,, r i, r i+1, B(f (i+1) (x)),, B(f ( 1) (x)), f () (x)) = 1] ɛ x,r 1,,r i+1 (1) 1

Let us denote by p i the first term of the left hand side of the above inequality and by p i+1 the second term without the minus sign Inspired by the above inequality, an algorithm that distinguishes the output of G from the uniform distribution on n + 1 bits can loo as follows Algorithm A Input: An (n + 1)-bit string b, y /*could be uniform, could be B(z), f(z) where z is uniform*/ Choose uniformly at random bits r 1,, r i Output: D(r 1,, r i, b, B(y), B(f(y)),, B(f ( i 2) (y)), f ( i 1) (y)) We can analyze the performance of the algorithm as follows By a change of variables, it can be easily verified that the following equalities hold and Pr [A(b, y) = 1] p i+1 (2) Pr [A(B(z), f(z)) = 1] p i (3) Note that the only observation needed to establish these equalities is that, if z is uniformly distributed and f is a permutation, then f(z) is also uniformly distributed From (1), (2) and (3) it follows that: Pr [A(B(z), f(z)) = 1] Pr ɛ [A(b, y) = 1] E [A(B(z), f(z)) A(b, y)] ɛ,b,y E [A r 1,r (B(z), f(z)) A ɛ 2,,r z,b,y i r1 (b, y)],r 2,,r i Pr [A r (B(z), f(z)) = 1] Pr [A ɛ 1 z,b,y,r 2,,r i r1 (b, y) = 1] z,b,y,r 2,,r i Thus algorithm A r 1,r2 distinguishes the output of G from the uniform distribution with probability at least ɛ Note that A r1 can be realized by a circuit of size S + O(t) since it just,r 2,,r i,,r i requires at most copies of the circuits implementing f and B and one copy of circuit D Thus, if we set S S O(t) (the constant in the O notation same as above) and ɛ ɛ we get a contradiction to the fact that G : x f(x), B(x) is (S, ɛ)-pseudorandom This concludes the proof Now we will generalize theorem 1 to the following scenario: suppose G : {0, 1} n {0, 1} n+1 is an (S, ɛ)-pseudorandom generator of stretch l(n) = n + 1 and suppose that we consider G () : {0, 1} n {0, 1} n+ defined as in figure 1 For convenience let s denote the output of the generator G as G(x) =: F (x), B(x), where F : {0, 1} n {0, 1} n and B : {0, 1} n {0, 1}; we will prove the following theorem which is a generalization of theorem 1 Theorem 2 If G : {0, 1} n {0, 1} n+1 is an (S, ɛ) pseudorandom generator which is computable by a circuit of size t, then G () is (S O(t), ɛ)-pseudorandom 2

Proof: As in the proof of theorem 1 we will prove the contrapositive by virtue of a hybrid argument Indeed, by way of contradiction let us suppose that G () is not (S, ɛ )-pseudorandom We will try to derive a distinguishing circuit for G By definition it follows that there exists a circuit D of size S such that Pr (U U n {0,1} n[d(g() n )) = 1] Pr U n+ {0,1} n+[d(u n+) = 1] ɛ Without loss of generality, we can assume that circuit D satisfies the above inequality after removing the absolute value namely that Pr (U U n {0,1} n[d(g() n )) = 1] Pr U n+ {0,1} n+[d(u n+) = 1] ɛ (4) Now let us consider the following hybrid distributions: H 0, pic x : B(x), B(F (x)), B(F (2) (x)), B(F (3) (x)), B(F ( 1) ), F () (x) H 1, pic x, r 1 : r 1, B(x), B(F (x)), B(F (2) (x)),, B(F ( 2) ), F ( 1) (x) H 2, pic x, r 1, r 2 : r 1, r 2, B(x), B(F (x)),, B(F ( 3) ), F ( 2) (x) H, pic x, r 1, r 2,, r : r 1, r 2, r 3, r 4,, r, x Note that the distribution H 0 is exactly the distribution G () (U n ), observed at the output of G () if the uniform distribution U n is given in the input, and distribution H is exactly the uniform distribution U n+ Thus, we can write (4) as follows: 1 ɛ Pr[D(H 0 ) = 1] Pr[D(H ) = 1] = [Pr[D(H i ) = 1] Pr[D(H i+1 ) = 1]] from which it follows that there exists an integer i, 0 i 1 such that: i=0 or Pr[D(H i ) = 1] Pr[D(H i+1 ) = 1] ɛ Pr [D(r 1,, r i, B(x), B(F (x)),, B(F ( i 1) (x)), F ( i) (x)) = 1] x,r 1,,r i Pr [D(r 1,, r i, r i+1, B(x),, B(F ( i 2) (x)), F ( i 1) (x)) = 1] ɛ x,r 1,,r i+1 Let us denote by p i the first term of the left hand side of the above inequality and by p i+1 the second term without the minus sign Inspired by the above inequality, an algorithm that distinguishes the output of G from the uniform distribution on n + 1 bits can loo as follows Algorithm A Input: An (n + 1)-bit string b, y /*could be uniform, could be B(z), F (z) where z is uniform*/ Choose uniformly at random bits r 1,, r i Output: D(r 1,, r i, b, B(y), B(F (y)),, B(F ( i 2) (y)), F ( i 1) (y)) (5) 3

We can analyze the performance of the algorithm as follows following equalities hold It can be easily verified that the and From (5), (6) and (7) it follows that: Pr [A(b, y) = 1] p i+1 (6) Pr [A(B(z), F (z)) = 1] p i (7) Pr [A(B(z), F (z)) = 1] Pr ɛ [A(b, y) = 1] E [A(B(z), F (z)) A(b, y)] ɛ,b,y E [A r 1,r (B(z), F (z)) A ɛ 2,,r z,b,y i r1 (b, y)],r 2,,r i Pr [A r (B(z), F (z)) = 1] Pr [A ɛ 1 z,b,y,r 2,,r i r1 (b, y) = 1] z,b,y,r 2,,r i Thus algorithm A r 1,r2 distinguishes the output of G from the uniform distribution with probability at least ɛ Note that A r1 can be realized by a circuit of size S +O(t) since it requires,r 2,,r i,,r i at most 1 copies of the circuit implementing G and one copy of circuit D Thus, if we set S S O(t) (the constant in the O notation same as above) and ɛ ɛ we get a contradiction to the fact that G : x F (x), B(x) is (S, ɛ)-pseudorandom This concludes the proof Now, that we have proved theorems 1 and 2, figure 2 presents the state of our nowledge Note that we haven t yet seen the implications denoted by broen arrows 2 The Goldreich-Levin Theorem The computational problem addressed by the Goldreich-Levin theorem is along the following lines: Suppose: l a : {0, 1} n {0, 1} is the mapping x i a ix i, where parameter a {0, 1} n is unnown f : {0, 1} n {0, 1} is a boolean function such that f(x) i a ix i for at least a fraction + ɛ of {0, 1}n 1 2 Given oracle access to f find a It turns out that the problem as stated is not well defined Indeed, we can very well find a pair a, b {0, 1} n such that the mappings: x i a i x i and x i b i x i 4

F one-way permutation Goldreich-Levin F permutation B hc predicate for F Pseudorandom Generator of Stretch n+1 Pseudorandom Generator of stretch n+ Hastad Impagliazzo-Levin-Luby One-Way Functions Exist Figure 2: The picture of our nowledge agree on exactly half of the inputs In this case, we can define a boolean function f which agrees with each mapping on 3/4 of the inputs and, thus, the computational problem stated above does not have a unique answer So the computational problem is better stated as follows: Given oracle access to a boolean function f : {0, 1} n {0, 1} and a parameter ɛ Find, in time polynomial in n, 1 ɛ and with high probability, all a {0, 1}n such that f and l a agree on at least a 1 2 + ɛ fraction of the inputs The elegant algorithm of Goldreich and Levin that solves this problem will be described in the next lecture 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback