Lecture 7: Pseudo Random Generators

Similar documents
Indistinguishability and Pseudo-Randomness

Lecture 8: Computational Indistinguishability and Pseudorandomness

CS 290G (Fall 2014) Introduction to Cryptography Oct 23rdd, Lecture 5: RSA OWFs. f N,e (x) = x e modn

Lecture 5: Pseudo-Random Generators and Pseudo-Random Functions

Lecture 13: Private Key Encryption

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Lecture 3: Randomness in Computation

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Pseudorandom Generators

Pseudorandom Generators

Scribe for Lecture #5

Lecture 09: Next-bit Unpredictability. Lecture 09: Next-bit Unpredictability

Lecture 4: Computationally secure cryptography

Lecture 7: Hard-core Predicate and PRG

Pseudorandom Generators

Lecture 5, CPA Secure Encryption from PRFs

Modern symmetric-key Encryption

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Lecture 7: CPA Security, MACs, OWFs

On Pseudorandomness w.r.t Deterministic Observers

Lecture Notes on Secret Sharing

Lecture 17: Constructions of Public-Key Encryption

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

Pseudorandom Generators

Computer Science Dept.

Block Ciphers/Pseudorandom Permutations

Lecture 11: Key Agreement

Computational security & Private key encryption

6.080 / Great Ideas in Theoretical Computer Science Spring 2008

Lecture 5. Lecturer: Yevgeniy Dodis Spring 2012

CPA-Security. Definition: A private-key encryption scheme

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

CPSC 467: Cryptography and Computer Security

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Simple Unpredictable Pseudo-Random Number Generator

5 Pseudorandom Generators

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

Lecture 9 - One Way Permutations

Non-Interactive ZK:The Feige-Lapidot-Shamir protocol

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

Lecture 23: Alternation vs. Counting

2 Message authentication codes (MACs)

Approximate and Probabilistic Differential Privacy Definitions

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

6.892 Computing on Encrypted Data September 16, Lecture 2

Modern Cryptography Lecture 4

Lecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Lecture 8 Alvaro A. Cardenas Nicholas Sze Yinian Mao Kavitha Swaminathan. 1 Introduction. 2 The Dolev-Dwork-Naor (DDN) Scheme [1]

CSA E0 235: Cryptography March 16, (Extra) Lecture 3

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

BEYOND POST QUANTUM CRYPTOGRAPHY

Lecture Examples of problems which have randomized algorithms

CTR mode of operation

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Last time, we described a pseudorandom generator that stretched its truly random input by one. If f is ( 1 2

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

We begin by recalling the following definition and property from the previous class. The latter will be instrumental in our proof to follow.

IITM-CS6845: Theory Toolkit February 3, 2012

Impagliazzo s Hardcore Lemma

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 4: Perfect Secrecy: Several Equivalent Formulations

Lecture 2: Program Obfuscation - II April 1, 2009

CSC 2429 Approaches to the P vs. NP Question and Related Complexity Questions Lecture 2: Switching Lemma, AC 0 Circuit Lower Bounds

Lecture 9 - Symmetric Encryption

Concurrent Non-malleable Commitments from any One-way Function

1 Nisan-Wigderson pseudorandom generator

: On the P vs. BPP problem. 18/12/16 Lecture 10

From Non-Adaptive to Adaptive Pseudorandom Functions

Authentication. Chapter Message Authentication

Notes for Lecture 7. 1 Increasing the Stretch of Pseudorandom Generators

Cryptography: The Landscape, Fundamental Primitives, and Security. David Brumley Carnegie Mellon University

III. Pseudorandom functions & encryption

1 Cryptographic hash functions

Cryptography 2017 Lecture 2

Basic elements of number theory

Foundations of Machine Learning and Data Science. Lecturer: Avrim Blum Lecture 9: October 7, 2015

Basic elements of number theory

Pseudo-Random Generators

Pseudo-Random Generators

Lecture 15: Interactive Proofs

Lecture 15 - Zero Knowledge Proofs

Topics. Pseudo-Random Generators. Pseudo-Random Numbers. Truly Random Numbers

How many rounds can Random Selection handle?

Dan Boneh. Stream ciphers. The One Time Pad

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

1 Cryptographic hash functions

Lecture th January 2009 Fall 2008 Scribes: D. Widder, E. Widder Today s lecture topics

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Lecture 3: Interactive Proofs and Zero-Knowledge

Lecture 4 : Quest for Structure in Counting Problems

1 Indistinguishability for multiple encryptions

6.080/6.089 GITCS Apr 15, Lecture 17

Lectures 2+3: Provable Security

15-855: Intensive Intro to Complexity Theory Spring Lecture 16: Nisan s PRG for small space

Transcription:

Introduction to ryptography 02/06/2018 Lecture 7: Pseudo Random Generators Instructor: Vipul Goyal Scribe: Eipe Koshy 1 Introduction Randomness is very important in modern computational systems. For example, randomness is needed for encrypting a session key in an SSL connection or for encrypting a hard drive. There are multiple challenges associated with generating randomness for modern systems: True randomness is difficult to get Large amounts of randomness are needed in practice Given these challenges, several different input sources are used for randomness on modern systems. For example, key strokes or mouse movements can be used as a source of randomness. However, these sources are limited in the amount of randomness they can generate. In addition, it is critical that the sources of randomness be truly random or close to being truly random. Several crypto-systems have been defeated 1 because their randomness generators were broken (i.e. not truly random.) As a solution to both the challenges detailed above for generating randomness, an approach to build a kind of randomness generator that creates random strings of a desired length would be to first, start off with building a short random string (of length, say, n bits), and then, expand it to a longer random looking string k (of length, say, l(n) bits.) We can represent this randomness generator as f : {0, 1} n {0, 1} l(n) A key question is: an we can really expand a short string with a few random bits into a longer string with many random bits? The answer lies in the definition of the term random looking that we we used in our definition above. The long string that we have generated is not truly random (since with an input of length n bits, we can only generate 2 n outputs, as compared to the 2 l(n) outputs needed if the string was truly random.) However, as detailed in the next section, we can generate a pseudo-random string such that the output appears random looking to a PPT (probabilistic polynomial time) adversary. 2 Pseudorandomness Let us suppose there are n uniformly random bits. Pseudorandomness can be defined as finding a deterministic (polynomial-time) algorithm f : {0, 1} n {0, 1} l(n) such that: the output of f(x) contains l(n) bits 1 https://en.wikipedia.org/wiki/random_number_generator_attack#prominent_examples 1-1

{0, 1} l(n) appears to be as random looking as a truly random string f : {0, 1} n {0, 1} l(n) is called a pseudorandom generator (PRG) that takes n random bits with no additional randomness of its own and outputs l(n) random bits. What do we mean by random looking? The key idea is that the the pseudorandom generator (PRG) produces output that is indistinguishable from that of a true random number generator for a PPT adversary. Random looking indicates that the bits should not follow any pattern. The random looking string should also pass all necessary statistical tests like: There should be as many 0s as there are 1s Each particular bit is roughly unbiased Each sequence of bits occur roughly with same probability The main idea is that no efficient computer should be able to tell apart the output of f(x) (i.e. the pseudorandom generator) from that of a truly random generator. Before knowing more about pseudorandomness, let us look at some of the underlying definitions that will help us understand the concept better. Definition 1 (Support) The support or sample space can be defined as the set of all possible values of outcomes of an experiment. Definition 2 (Distribution) X n is a distribution over support ξ if it assigns probability p s to each s ξ such that s ξ p s = 1. Definition 3 (Distribution Ensembles) A sequence {X n } n N is called an ensemble if for each n N, X n is a distribution over {0, 1} Generally, Xn will be a distribution over the sample space {0, 1} l(n) Definition 4 (Identical Distributions) X n and X n are said to be identical distributions if s {supp 2 (X n ) supp(x n)}: P r[x X n : x = s] = P r[x X n : x = s] = supp(x n ) = supp(x n) (1) 3 omputational Indistinguishability The term computationally indistinguishable is used to formalize a way to capture what it means for two distributions X and Y to look alike to any efficient test. In short, Efficient test = Efficient computation = Non-uniform PPT 2 Note: supp refers to the support of the distribution 1-2

Intuition: No non-uniform PPT distinguisher algorithm D can tell the two distributions X and Y apart i.e. behavior of D is same for both of them. Informally, we say that we have computational indistinguishability when the output of a PRG is indistinguishable from that of a true random number generator. We will begin by attempting to define computational indistinguishability. Definition 5 (omputational Indistinguishability - first attempt) Distribution ensembles X n and X n are said to be computationally indistinguishable if n N and s {supp(x n ) supp(x n)}, P r[x X n : x = s] P r[x X n : x = s] ν(n), (2) where ν(n) represents a negligible function. Unfortunately, this definition does not work. To see this, let us consider the following distribution ensembles: {X n } represents all even numbers that can be represented using n bits. {X n} represents all odd numbers that can be represented using n bits. It is easy to see that the number of elements in each ensemble above is 2 n 1. Let us consider the case where s in our definition of computational indistinguishability above is an even element. The LHS, i.e., P r[x X n : x = s] P r[x X n : x = s] evaluates to: 2 n 1 0 = 2 n 1 ν(n) Given this definition does not work, we will attempt an alternate definition: Definition 6 (omputational Indistinguishability - second and correct attempt) onsider distribution ensembles {X n } and {X n} and a PPT adversary A. We define: A(x) = 0 if x is sampled from {X n } A(x) = 1 if x is sampled from {X n} {X n } and {X n} are said to be computationally indistinguishable if PPT adversaries A and n N, P r[x X n : A(x) = 0] P r[x X n : A(x) = 0] ν(n) (3), where ν(n) represents a negligible function. Note: The LHS of this definition, i.e. P r[x X n : A(x) = 0] P r[x X n : A(x) = 0] is also referred to as distinguishing advantage. Definition 7 (Prediction advantage) Denote distribution ensembles X n and X n as Xn 0 and Xn 1 respectively. Then, an alternate representation for computational indistinguishability follows as below; the LHS of this expression is defined as prediction advantage. The expression is PPT adversaries A,: P r[b $ {0, 1}, x Xn b : A(x) = b] (1/2) ν(n) (4), where ν(n) represents a negligible function. 1-3

An alternate definition of prediction advantage can be stated as below: Definition 8 (Prediction advantage - alternate definition) A non-uniform PPT A is said to guess the bit b from the sample x that is picked out of sequence of distribution {Xn} b (made with randomness, say $,) with prediction advantage P r[b $ {0, 1}, x Xn b : A(x) = b] (1/2) negligibly close to 0. Lemma 1 (Informal) If distinguishing advantage is negligible, then prediction advantage is also negligible and vice versa. Alternately, we can restate the same lemma as that computational indistinguishibility implies prediction advantage is negligible and vice versa. Proof. Let us start by considering prediction advantage, the expression for which is as follows: P r[b $ {0, 1}, x Xn b : A(x) = b] (1/2) = P r[x X 0 n : A(x) = 0]P r[b = 0] + P r[x X 1 n : A(x) = 1]P r[b = 1] (1/2) = (1/2) P r[x X 0 n : A(x) = 0] + P r[x X 1 n : A(x) = 1] 1...( P r[b = 0] = P r[b = 1] = (1/2)) = (1/2) P r[x X 0 n : A(x) = 0] + (1 P r[x X 1 n : A(x) = 0]) 1 = (1/2) P r[x X 0 n : A(x) = 0] P r[x X 1 n : A(x) = 0]) = (1/2) the expression for distinguishing advantage = (1/2) ν(n)... where, ν(n), is a negligible function Lemma 2 (Stronger) Distinguishing advantage and predictive advantage are within a factor of 2 of each other. 3.1 Properties of omputational Indistinguishability Note: If distribution ensembles {X n } and {X n} are computationally indistinguishable, then we can represent them as {X n } {X n} 1. losure: For every PPT machine M, if {X n } {X n}, then M{X n } M{X n} Note: For proof, we can use contradiction, since if this were not true, we could use M to distinguish the two ensembles. 2. Transitivity: Suppose (X, Y ) are computationally indistinguishable with advantage ɛ 1 and (Y, Z) are computationally indistinguishable with advantage ɛ 2, then (X, Z) are computationally indistinguishable with advantage ɛ ɛ 1 + ɛ 2. Note: We can also use the triangle inequality to prove this property. Proof. Given, P r[x X : A(x) = 0] P r[x Y : A(x) = 0] ɛ 1 = P r[x X : A(x) = 0] P r[x Z : A(x) = 0]) ɛ 1 + P r[x Y : A(x) = 0] P r[x Z : A(x) = 0]) = P r[x X : A(x) = 0] P r[x Z : A(x) = 0]) ɛ 1 + ɛ 2 1-4

Lemma 3 (Hybrid lemma) Let X 1, X 2, X 3,..., X n be distributional ensembles for m = poly(n). Suppose PPT A which distinguishes X 1 from X n with advantage ɛ. Then when i where 1 i m-1, a PPT algorithm B can distinguish X i and X i+1 with advantage greater or equal to ɛ m Note: Note, this lemma is used in many proofs that contains hybrid arguments. Proof. Let ɛ i denote distinguishing advantage between X i and X i+1. Let us assume that ɛ i ɛ m i. Then, ɛ m 1 i=1 ɛ i = ɛ ɛ * (m 1) m This is, of course, a contradiction. Hence, we can say that there exists i such that ɛ i ɛ m. 4 Return to Pseudorandomness Intuition: A distribution is pseudorandom if it looks like a uniform distribution for any efficient test. Definition 9 (Pseudorandom ensembles) An ensemble {X n }, where X n is a distribution over {0, 1} l(n), is said to be pseudorandom if: {X n } = U l(n)... where U l(n) represents a uniform distribution over {0, 1} l(n 5 Pseudorandom Generators (PRG) Definition 10 (Pseudorandom Generators) A deterministic algorithm G: {0, 1} n {0, 1} l(n) is called a pseudorandom generator (PRG) if: 1. G can be computed in polynomial time 2. l(n) > n 3. {x {0, 1} n : G(x)} {U l(n) }, where {U l(n) } = a uniform l(n) bit string Note: The stretch of G is defined as G(x) x 1-5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback