Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Similar documents
Computer Science Dept.

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

1 Introduction Almost any interesting cryptographic task must be based on the computational hardness of some problem. Proving such hardness assumption

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Preface These notes were prepared on the occasion of giving a guest lecture in David Harel's class on Advanced Topics in Computability. David's reques

In this chapter we discuss zero-knowledge proof systems. Loosely speaking, such proof

Concurrent Non-malleable Commitments from any One-way Function

A version of for which ZFC can not predict a single bit Robert M. Solovay May 16, Introduction In [2], Chaitin introd

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Computational Tasks and Models

Pseudorandom Generators

of trapdoor permutations has a \reversed sampler" (which given ; y generates a random r such that S 0 (; r) = y), then this collection is doubly-enhan

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

Probabilistically Checkable Arguments

20.1 2SAT. CS125 Lecture 20 Fall 2016

Indistinguishability and Pseudo-Randomness

Complexity Theory VU , SS The Polynomial Hierarchy. Reinhard Pichler

Outline. Complexity Theory EXACT TSP. The Class DP. Definition. Problem EXACT TSP. Complexity of EXACT TSP. Proposition VU 181.

Lecture 7: Pseudo Random Generators

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Lecture 5, CPA Secure Encryption from PRFs

case in mathematics and Science, disposing of an auxiliary condition that is not well-understood (i.e., uniformity) may turn out fruitful. In particul

Pseudorandom Generators

1 Introduction The relation between randomized computations with one-sided error and randomized computations with two-sided error is one of the most i

Where do pseudo-random generators come from?

6.841/18.405J: Advanced Complexity Wednesday, February 12, Lecture Lecture 3

The Power of Amnesia: Learning Probabilistic. Automata with Variable Memory Length

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

: On the P vs. BPP problem. 18/12/16 Lecture 10

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

k-protected VERTICES IN BINARY SEARCH TREES

Lecture 14 - P v.s. NP 1

1 Introduction A popular methodology for designing cryptographic protocols consists of the following two steps. One rst designs an ideal system in whi

Time-bounded computations

CPA-Security. Definition: A private-key encryption scheme

for average case complexity 1 randomized reductions, an attempt to derive these notions from (more or less) rst

2 Message authentication codes (MACs)

Preface More than ten years have elapsed since the rst completeness theorems for two-party and multi-party fault-tolerant computation have been announ

Pseudorandom Generators

A An Overview of Complexity Theory for the Algorithm Designer

Computational security & Private key encryption

1 Cryptographic hash functions

Lecture 2: Program Obfuscation - II April 1, 2009

We begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.

Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions*

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Two Comments on Targeted Canonical Derandomizers

Then RAND RAND(pspace), so (1.1) and (1.2) together immediately give the random oracle characterization BPP = fa j (8B 2 RAND) A 2 P(B)g: (1:3) Since

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Lecture 5: Pseudorandom functions from pseudorandom generators

Lecture 3: Randomness in Computation

1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography" cannot be based on NPhard problems. However, what Brassard ha

Authentication. Chapter Message Authentication

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

A fast algorithm to generate necklaces with xed content

Compute the Fourier transform on the first register to get x {0,1} n x 0.

Notational conventions

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract

1 Cryptographic hash functions

Impossibility Results for Universal Composability in Public-Key Models and with Fixed Inputs

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

/633 Introduction to Algorithms Lecturer: Michael Dinitz Topic: Dynamic Programming II Date: 10/12/17

Block Ciphers/Pseudorandom Permutations

Generic Case Complexity and One-Way Functions

Classes of Boolean Functions

On Controllability and Normality of Discrete Event. Dynamical Systems. Ratnesh Kumar Vijay Garg Steven I. Marcus

n-party protocol for this purpose has maximum privacy if whatever a subset of the users can

A Full Characterization of Functions that Imply Fair Coin Tossing and Ramifications to Fairness

Computing the acceptability semantics. London SW7 2BZ, UK, Nicosia P.O. Box 537, Cyprus,

Chapter 5 The Witness Reduction Technique

1 Introduction A fundamental Lemma of Yao states that computational weak-unpredictability of predicates gets amplied if the results of several indepen

An Implementation of Ecient Pseudo-Random Functions. Michael Langberg. March 25, Abstract

Contents 1 Introduction The Basics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A

Non-Commutative Arithmetic Circuits: Depth Reduction and Size Lower Bounds. Eric Allender y. Department of Computer Science. Rutgers University

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

Computational Complexity: Problem Set 4

6.842 Randomness and Computation Lecture 5

(a) Definition of TMs. First Problem of URMs

Chapter 0 Introduction Suppose this was the abstract of a journal paper rather than the introduction to a dissertation. Then it would probably end wit

Lecture 1 : Data Compression and Entropy

IP = PSPACE using Error Correcting Codes

CPSC 467: Cryptography and Computer Security

Notes on Inductive Sets and Induction

1 Introduction Property Testing (cf., [13, 9]) is a general formulation of computational tasks in which one is to determine whether a given object has

Lecture 13: Private Key Encryption

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

Time-Space Trade-Os. For Undirected ST -Connectivity. on a JAG

5 Pseudorandom Generators

Perfect Zero-Knowledge Arguments for N P Using any One-Way. Permutation. Abstract

CPSC 467: Cryptography and Computer Security

Lecture 6: Oracle TMs, Diagonalization Limits, Space Complexity

A Uniform-Complexity Treatment of. Oded Goldreich. Rehovot, Israel. July 1991, revised July Abstract

4.1 Notation and probability review

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

On Pseudorandomness w.r.t Deterministic Observers

Space and Nondeterminism

Upper and Lower Bounds on the Number of Faults. a System Can Withstand Without Repairs. Cambridge, MA 02139

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

ICML '97 and AAAI '97 Tutorials

Transcription:

106 CHAPTER 3. PSEUDORANDOM GENERATORS Using the ideas presented in the proofs of Propositions 3.5.3 and 3.5.9, one can show that if the n 3 -bit to l(n 3 ) + 1-bit function used in Construction 3.5.2 is a hard-core of F then the resulting algorithm constitutes a pseudorandom generator. Yet, we are left with the problem of constructing a huge hard-core function, G, for the function F. Specically, jg(x)j has to equal 2jxj 2 3, for all x's. A natural idea is to dene G analogously to the way g is dened in Construction 3.5.4. Unfortunately, we do not know howtoprove the validity of this construction (when applied to F ), and a much more complicated construction is required. This construction does use all the above ideas in conjunction with additional ideas not presented here. The proof of validity iseven more complex, and is not suitable for a book of the current nature. We thus conclude this section by merely stating the result obtained. Theorem 3.5.12 If there exist one-way functions then pseudorandom generators exist as well. 3.6 Pseudorandom Functions Pseudorandom generators enable to generate, exchange and share a large number of pseudorandom values at the cost of a much smaller number of random bits. Specically, poly(n) pseudorandom bits can be generated, exchanged and shared at the cost of n (uniformly chosen bits). Since any ecient application uses only a polynomial number of random values, providing access to polynomially many pseudorandom entries seems sucient. However, the above conclusion is too hasty, since it assumes implicitly that these entries (i.e., the addresses to be accessed) are xed beforehand. In some natural applications, one may need to access addresses which are determined \dynamically" by the application. For example, one may want to assign random values to (poly(n) many) n-bit long strings, produced throughout the application, so that these values can be retrieved at latter time. Using pseudorandom generators the above taskcanbeachieved at the cost of generating n random bits and storing poly(n) many values. The challenge, met in the sequel, is to achieve the above task at the cost of generating and storying only n random bits. The key to the solution is the notion of pseudorandom functions. In this section we dene pseudorandom functions and show how to eciently implement them. The implementation uses as a building block any pseudorandom generator. 3.6.1 Denitions Loosely speaking, pseudorandom functions are functions which cannot be distinguished from truly random functions by any ecient procedure which can get the value of the function at arguments of its choice. Hence, the distinguishing procedure may query the function being examined at various points, depending possibly on previous answers obtained, and yet can not tell whether the answers were supplied by a function taken from the pseudorandom ensemble (of functions) or from the uniform ensemble (of function). Hence, to formalize the

3.6. PSEUDORANDOM FUNCTIONS 107 notion of pseudorandom functions we need to consider ensembles of functions. For sake of concreteness we consider in the sequel ensembles of length preserving functions. Extensions are discussed in Exercise 23. Denition 3.6.1 (function ensembles): A function ensemble isasequence F = ff n g n2n of random variables, so that the random variable F n assumes values in the set of functions mapping n-bit long strings to n-bit long strings. The uniform function ensemble, denoted H = fh n g n2n,hash n uniformly distributed over the set of functions mapping n-bit long strings to n-bit long strings. To formalize the notion of pseudorandom functions we use (probabilistic polynomialtime) oracle machines. We stress that our use of the term oracle machine is almost identical to the standard one. One deviation is that the oracle machines we consider have a length preserving function as oracle rather than a Boolean function (as is standard in most cases in the literature). Furthermore, we assume that on input 1 n the oracle machine only makes queries of length n. These conventions are not really essential (they merely simplify the exposition a little). Denition 3.6.2 (pseudorandom function ensembles): A function ensemble, F = ff n g n2n, is called pseudorandom if for every probabilistic polynomial-time oracle machine M, every polynomial p() and all suciently large n's jpr(m Fn (1 n )=1); Pr(M Hn (1 n )=1)j < 1 p(n) where H = fh n g n2n is the uniform function ensemble. Using techniques similar to those presented in the proof of Proposition 3.2.3 (of Subsection 3.2.2), one can demonstrate the existence of pseudorandom function ensembles which are not statistically close to the uniform one. However, to be of practical use, we need require that the pseudorandom functions can be eciently computed. Denition 3.6.3 (eciently computable function ensembles): A function ensemble, F = ff n g n2n,iscalled eciently computable if the following two conditions hold 1. (ecient indexing): There exists a probabilistic polynomial time algorithm, I, anda mapping from strings to functions,, so that (I(1 n )) and F n are identically distributed. We denote by f i the f0 1g n 7!f0 1g n def function assigned toi (i.e., f i = (i)). 2. (ecient evaluation): There exists a probabilistic polynomial time algorithm, V, so that V (i x)=f i (x).

108 CHAPTER 3. PSEUDORANDOM GENERATORS In particular, functions in an eciently computable function ensemble have relatively succinct representation (i.e., of polynomial rather than exponential length). It follows that eciently computable function ensembles may have only exponentially many functions (out of the double-exponentially many possible functions). Another point worthy of stressing is that pseudorandom functions may (if being ef- ciently computable) be eciently evaluated at given points, provided that the function description is give as well. However, if the function (or its description) is not known (and it is only known that it is chosen from the pseudorandom ensemble) then the value of the function at a point cannot be approximated (even in a very liberal sense and) even if the values of the function at other points is also given. In the rest of this book we consider only eciently computable pseudorandom functions. Hence, in the sequel we sometimes shorthand such ensembles by calling them pseudorandom functions. 3.6.2 Construction Using any pseudorandom generator, we construct a (eciently computable) pseudorandom function (ensemble). Construction 3.6.4 Let G be a deterministic algorithm expanding inputs of length n into strings of length 2n. We denote by G 0 (s) the jsj-bit long prex of G(s), and by G 1 (s) the jsj-bit long sux of G(s) (i.e., G(s) =G 0 (s)g 1 (s)). For every s 2f0 1g n, we dene a function f s :f0 1g n 7!f0 1g n so that for every 1 ::: n 2f0 1g f s ( 1 2 n ) def = G n ((G 2 (G 1 (s)) ) Let F n bearandom variable dened by uniformly selecting s 2f0 1g n and setting F n = f s. Finally, let F = ff n g n2n be our function ensemble. Pictorially, the function f s is dened by n-step walks down a full binary tree of depth n having labels on the vertices. The root of the tree, hereafter referred to as the level 0 vertex of the tree, is labelled by the string s. If an internal node is labelled r then its left child is labelled G 0 (r) whereas its right child is labelled G 1 (r). The value of f s (x) is the string residing in the leaf reachable from the root by a path corresponding to string x, when the root is labelled by s. The random variable F n is assigned labelled trees corresponding to all possible 2 n labellings of the root, with uniform probability distribution. A function, operating on n-bit strings, in the ensemble constructed above can be specied by n bits. Hence, selecting, exchanging and storing such a function can be implemented at the cost of selecting, exchanging and storing a single n-bit string. Theorem 3.6.5 Let G and F be as in Construction 3.6.4, and suppose that G is a pseudorandom generator. Then F is an eciently computable ensemble of pseudorandom functions.

3.6. PSEUDORANDOM FUNCTIONS 109 Proof: Clearly, the ensemble F is eciently computable. To prove that F is pseudorandom we use the hybrid technique. The k th hybrid will be assigned functions which result by uniformly selecting labels for the vertices of the k th (highest) level of the tree and computing the labels of lower levels as in Construction 3.6.4. The 0-hybrid will correspond to the random variable F n (since a uniformly chosen label is assigned to the root), whereas the n-hybrid will correspond to the uniform random variable H n (since a uniformly chosen label is assigned to each leaf). It will be shown that an ecient oracle machine distinguishing neighbouring hybrids can be transformed into an algorithm that distinguishes polynomially many samples of G(U n ) from polynomially many samples of U 2n. Using Theorem 3.2.6 (of Subsection 3.2.3), we derive a contradiction to the hypothesis (that G is a pseudorandom generator). Details follows. For every k, 0 k n, we dene a hybrid distribution Hn k (assigned as values functions f : f0 1g n 7!f0 1g n )asfollows. For every s 1 s 2 ::: s 2 k 2f0 1g n,we dene a function f s1 ::: s 2 k :f0 1g n 7!f0 1g n so that f s1 ::: s 2 k( 1 2 n ) def = G n ((G k+2 (G k+1 (s idx(k1))) ) where idx() is index of in the standard lexicographic order of strings of length jj. (In the sequel we take the liberty of associating the integer idx() with the string.) Namely, f s0 k ::: s 1 k (x) is computed by rst using the k-bit long prex of x to determine one of the s j 's, and next using the (n ; k)-bit long sux of x to determine which of the functions G 0 and G 1 to apply at each remaining stage. The random variable Hn k is uniformly distributed over the above (2 n ) 2k possible functions. Namely, H k n def = f (1) U n ::: U (2 k ) n where U n (j)'s are independent random variables each uniformly distributed over f0 1gn. At this point it is clear that Hn 0 is identical to F n, whereas Hn n is identical to H n. Again, as usual in the hybrid technique, ability to distinguish the extreme hybrids yields ability to distinguish a pair of neighbouring hybrids. This ability is further transformed (as sketched above) so that contradiction to the pseudorandomness of G is reached. Further details follow. We assume, in contradiction to the theorem, that the function ensemble F is not pseudorandom. It follows that there exists a probabilistic polynomial-time oracle machine, M, and a polynomial p() so that for innitely many n's (n) def = jpr(m Fn (1 n )=1); Pr(M Hn (1 n )=1)j > 1 p(n) Let t() be a polynomial bounding the running time of M(1 n )(such a polynomial exists since M is polynomial-time). It follows that, on input 1 n, the oracle machine M makes at most t(n) queries (since the number of queries is clearly bounded by the running time).

110 CHAPTER 3. PSEUDORANDOM GENERATORS Using the machine M, we construct an algorithm D that distinguishes the t()-product of the ensemble fg(u n )g n2n from the t()-product of the ensemble fu 2n g n2n as follows. On input 1 ::: t 2f0 1g 2n (with t = t(n)), algorithm D proceeds as follows. First, D selects uniformly k 2f0 1 ::: n ; 1g. This random choice, hereafter called the checkpoint, and is the only random choice made by D itself. Next, algorithm D invokes the oracle machine M (on input 1 n ) and answers M's queries as follows. The rst query of machine M, denoted q 1, is answered by G n ((G k+2 (P k+1 ( 1 ))) ) where q 1 = 1 n,andp 0 () denotes the n-bit prex of (and P 1 () denotes the n-bit sux of ). In addition, algorithm D records this query (i.e., q 1 ). Subsequent queries are answered by rst checking if their k-bit long prex equals the k-bit long prex of a previous query. In case the k-bit long prex of the current query, denoted q i, is dierent from the k-bit long prexes of all previous queries, we associate this prex a new input string (i.e., i ). Namely, we answer query q i by G n ((G k+2 (P k+1 ( i ))) ) where q i = 1 n. In addition, algorithm D records the current query (i.e., q i ). The other possibility is that the k-bit long prex of the i th query equals the k-bit long prex of some previous query. Let j be the smallest integer so that the k-bit long prex of the i th query equals the k-bit long prex of the j th query (by hypothesis j<i). Then, we record the current query (i.e., q i ) but answer it using the string associated with query q j. Namely, we answer query q i by G n ((G k+2 (P k+1 ( j ))) ) where q i = 1 n. Finally, when machine M halts, algorithm D halts as well and outputs the same output as M. Pictorially, algorithm D answers the rst query by rst placing the two halves of 1 in the corresponding children of the tree-vertex reached by following the path from the root corresponding to 1 k. The labels of all vertices in the subtree corresponding to 1 k are determined by the labels of these two children (as in the construction of F ). Subsequent queries are answered by following the corresponding paths from the root. In case the path does not pass through a (k + 1)-level vertex which has already a label, we assign this vertex and its sibling a new string (taken from the input). For sake of simplicity, in case the path of the i th query requires a new string we use the i th input string (rather than the rst input string not used so far). In case the path of a new query passes through a(k + 1)-level vertex which has been labelled already, we use this label to compute the labels of subsequent vertices along this path (and in particular the label of the leaf). We stress that the algorithm does not necessarily compute the labels of all vertices in a subtree corresponding to 1 k (although these labels are determined by the label of the vertex corresponding to 1 k ), but rather computes only the labels of vertices along the paths corresponding to the queries.

3.6. PSEUDORANDOM FUNCTIONS 111 Clearly, algorithm D can be implemented in polynomial-time. It is left to evaluate its performance. The key observation is that when the inputs are taken from the t(n)-product of G(U n ) and algorithm D chooses k as the checkpoint then M behaves exactly as on the k th hybrid. Likewise, when the inputs are taken from the t(n)-product of U 2n and algorithm D chooses k as the checkpoint thenm behaves exactly as on the k +1 st hybrid. Namely, Claim 3.6.5.1: Let n be an integer and t def = t(n). Let K be a random variable describing the random choice of checkpoint by algorithm D (on input a t-long sequence of 2n-bit long strings). Then for every k 2f0 1 ::: n ; 1g Pr D(G(U (1) n ) ::: G(U (t) n ))=1jK =k Pr D(U (1) 2n ::: U 2n)=1j (t) K =k = Pr M Hk n (1 n )=1 = Pr M Hk+1 n (1 n )=1 where the U n (i) 's and U (j) 2n 's are independent random variables uniformly distributed over f0 1g n and f0 1g 2n, respectively. The above claim is quite obvious, yet a rigorous proof is more complex than one realizes at rst glance. The reason being that M's queries may depend on previous answers it gets, and hence the correspondence between the inputs of D and possible values assigned to the hybrids is less obvious than it seems. To illustrate the diculty consider a n-bit string which is selected by a pair of interactive processes, which proceed in n iterations. At each iteration the rst party chooses a new location, based on the entire history of the interaction, and the second process sets the value of this bit by ipping an unbiased coin. It is intuitively clear that the resulting string is uniformly distributed, and the same holds if the second party sets the value of the chosen locations using the outcome of a coin ipped beforehand. In our setting the situation is slightly more involved. The process of determining the string is terminated after k<niterations and statements are made of the partially determined string. Consequently, the situation is slightly confusing and we feel that a detailed argument is required. Proof of Claim 3.6.5.1: We start by sketching a proof of the claim for the extremely simple case in which M's queries are the rst t strings (of length n) in lexicographic order. Let us further assume, for simplicity, that on input 1 ::: t, algorithm D happens to choose checkpoint k so that t =2 k+1. In this case the oracle machine M is invoked on input 1 n and access to the function f, where s s1 ::: s 2 k+1 2j;1+ = P ( j )forevery j 2 k and 2f0 1g. Thus, if the inputs to D are uniformly selected in f0 1g 2n then M is invoked with access to the k +1 st hybrid random variable (since in this case the s j 's are independent and uniformly distributed in f0 1g n ). On the other hand, if the inputs to D are distributed as G(U n ) then M is invoked with access to the k th hybrid random variable (since in this case f s1 ::: s 2 = f k+1 r1 ::: r 2 k where the r j 's are seeds corresponding to the j 's). For the general case we consider an alternative way of dening the random variable Hn m, for every 0 m n. This alternative way is somewhat similar to the way in which

112 CHAPTER 3. PSEUDORANDOM GENERATORS D answers the queries of the oracle machine M. (We use the symbol m instead of k since m does not necessarily equal the checkpoint, denoted k, chosen by algorithm D.) This way of dening Hn m consists of the interleaving of two random processes, which together rst select at random a function g : f0 1g m 7!f0 1g n, that is later used to determine a function f : f0 1g n 7!f0 1g n. The rst random process, denoted, is an arbitrary process (\given to us from the outside"), which species points in the domain of g. (The process corresponds to the queries of M, whereas the second process corresponds to the way A answers these queries.) The second process, denoted, assigns uniformly selected n-bit long strings to every new point specied by, thus dening the value of g on this point. We stress that in case species an old point (i.e.,apoint for which g is already dened) then the second process does nothing (i.e., the value of g at this point is left unchanged). The process may depend on the history of the two processes, and in particular on the values chosen for the previous points. When terminates the second process (i.e., ) selects random values for the remaining undened points (in case such exist). We stress that the second process (i.e., ) is xed for all possible choices of a (\rst") process. The rest of this paragraph gives a detailed description of the interleaving of the two random processes (and may be skipped). We consider a randomized process mapping sequences of n-bit strings (representing the history) to single m-bit strings. We stress that is not necessarily memoryless (and hence may \remember" its previous random choices). Namely, for every xed sequence v 1 ::: v i 2f0 1g n, the random variable (v 1 ::: v i ) is (arbitrarily) distributed over f0 1g m [ f?g where? isaspecialsymbol denoting termination. A \random" function g :f0 1g m 7!f0 1g n is dened by iterating the process with the random process dened below. Process starts with g which is undened on every point in its domain. At the i th def def iteration lets p i = (v 1 ::: v i;1 ) and, assuming p i 6=?, setsv i = v j if p i = p j for some j<iand lets v i be uniformly distributed in f0 1g n otherwise. In the latter case (i.e., p i is new and hence g is not yet dened on p i ), sets g(p i ) def = v i (in fact g(p i )=g(p j )=v j = v i also in case p i = p j for some j<i). When terminates, i.e., (v 1 ::: v T )=? for some T, completes the function g (if necessary) bychoosing independently and uniformly in f0 1g n values for the points at which g is undened yet. (Alternatively, wemay augment the process so that it terminates only after specifying all possible m-bit strings.) Once a function g is totally dened, we dene a function f g :f0 1g n 7!f0 1g n by f g ( 1 2 n ) def = G n ((G k+2 (G k+1 (g( k 1 ))) ) The reader can easily verify that f g equals f g(0 m ) ::: g(1 m ) (as dened in the hybrid construction above). Also, one can easily verify that the above random process (i.e., the interleaving of with any ) yields a function g that is uniformly distributed over the set of all possible functions mapping m-bit strings to n-bit strings. It follows that the above described random process yields a result (i.e., a function) that is distributed identically to the random variable H m n. Suppose now that the checkpoint chosen by D equals k and that D's inputs are independently and uniformly selected in f0 1g 2n. In this case the way in which D answers the

3.6. PSEUDORANDOM FUNCTIONS 113 M's queries can be viewed as placing independently and uniformly selected n-bit strings as the labels of the (k + 1)-level vertices. It follows that the way in which D answers M's queries corresponds to the above described process with m = k + 1 (with M playing the role of and A playing the role of ). Hence, in this case M is invoked with access to the k +1 st hybrid random variable. Suppose, on the other hand, that the checkpoint chosen by D equals k and that D's inputs are independently selected so that each is distributed identically to G(U n ). In this case the way inwhich D answers the M's queries can be viewed as placing independently and uniformly selected n-bit strings as the labels of the k-level vertices. It follows that the way in which D answers the M's queries corresponds to the above described process with m = k. Hence, in this case M is invoked with access to the k th hybrid random variable. 2 Using Claim 3.6.5.1, it follows that jpr D(G(U (1) n ) ::: G(U (t) ))=1 ; Pr n D(U (1) 2n ::: U (t) 2n)=1 j = (n) n 1 which, by the contradiction hypothesis is greater than, for innitely many n's. Using np(n) Theorem 3.2.6, we derive a contradiction to the hypothesis (of the current theorem) that G is a pseudorandom generator, and the current theorem follows. 3.6.3 A general methodology Author's Note: Ellaborate on the following. The following two-step methodology is useful in many cases: 1. Design your scheme assuming that all legitimate users share a random function, f : f0 1g n 7!f0 1g n. (The adversaries may be able to obtain, from the legitimate users, the values of f on arguments of their choice, but do not have direct access to f.) This step culminates in proving the security of the scheme assuming that f is indeed uniformly chosen among all possible such functions, while ignoring the question of how such an f can be selected and handled. 2. Construct a real scheme by replacing the random function by a pseudorandom function. Namely, the legitimate users will share a random/secret seed specifying such a pseudorandom function, whereas the adversaries do not know the seed. As before, at most the adversaries may obtain (from the legitimate users) the value of the function at arguments of their choice. Finally, conclude that the real scheme (as presented above) is secure (since otherwise one could distinguish a pseudorandom function from a truly random one). We stress that the above methodology may be applied only if legitimate users can share random/secret information not known to the adversary (i.e., as is the case in private-key encryption schemes).

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback