Computer Science Dept.

Similar documents
Lecture 3: Randomness in Computation

On Pseudorandomness w.r.t Deterministic Observers

COS598D Lecture 3 Pseudorandom generators from one-way functions

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Reproduced without access to the TeX macros. Ad-hoc macro denitions were used instead. ON THE POWER OF TWO-POINTS BASED SAMPLING

Pseudorandom Generators

On the Construction of Pseudo-Random Permutations: Luby-Rackoff Revisited

Sparse Pseudorandom Distributions

From Unpredictability to Indistinguishability: A Simple. Construction of Pseudo-Random Functions from MACs. Preliminary Version.

n-party protocol for this purpose has maximum privacy if whatever a subset of the users can

Pseudorandom Generators

1 Introduction Almost any interesting cryptographic task must be based on the computational hardness of some problem. Proving such hardness assumption

Two Comments on Targeted Canonical Derandomizers

Contents 1 Introduction Objects, specications, and implementations : : : : : : : : : : : : : : : : : : : : : : : : : : : : Indistinguishab

Contents 1 Introduction 2 2 Formal Setting and General Observations Specication : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : :

Abstract. Often the core diculty in designing zero-knowledge protocols arises from having to

Pseudorandom Generators

Lecture 7: Pseudo Random Generators

polynomial time computable function g that stretches a short random string x into a long string g(x) that \looks" random to any feasible algorithm, ca

1 Introduction An old folklore rooted in Brassard's paper [7] states that \cryptography" cannot be based on NPhard problems. However, what Brassard ha

From Non-Adaptive to Adaptive Pseudorandom Functions

1 Introduction A fundamental Lemma of Yao states that computational weak-unpredictability of predicates gets amplied if the results of several indepen

Lecture 2: Program Obfuscation - II April 1, 2009

A Uniform-Complexity Treatment of. Oded Goldreich. Rehovot, Israel. July 1991, revised July Abstract

Pseudo-Random Generators and Structure of Complete Degrees

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

From Unpredictability to Indistinguishability: A Simple Construction of Pseudo-Random Functions from MACs

Last time, we described a pseudorandom generator that stretched its truly random input by one. If f is ( 1 2

Pseudorandom Generators

An Improved Pseudo-Random Generator Based on Discrete Log

Pseudo-random Number Generation. Qiuliang Tang

Computer Science A Cryptography and Data Security. Claude Crépeau

The Indistinguishability of the XOR of k permutations

On the Power of the Randomized Iterate

An Improved Pseudorandom Generator Based on Hardness of Factoring

On Pseudorandom Generators with Linear Stretch in NC 0

Parallel Coin-Tossing and Constant-Round Secure Two-Party Computation

An Efficient Discrete Log Pseudo Random Generator

of trapdoor permutations has a \reversed sampler" (which given ; y generates a random r such that S 0 (; r) = y), then this collection is doubly-enhan

CPSC 467: Cryptography and Computer Security

How many rounds can Random Selection handle?

Benes and Butterfly schemes revisited

c 1999 Society for Industrial and Applied Mathematics

Honest Verifier vs Dishonest Verifier in Public Coin Zero-Knowledge Proofs

How to Construct Constant-Round. Zero-Knowledge Proof Systems for NP. Oded Goldreich y Ariel Kahan z. March Abstract

The Generalized Randomized Iterate and its Application to New Efficient Constructions of UOWHFs from Regular One-Way Functions

BU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/

CS294: Pseudorandomness and Combinatorial Constructions September 13, Notes for Lecture 5

Generic Case Complexity and One-Way Functions

Lecture 22. We first consider some constructions of standard commitment schemes. 2.1 Constructions Based on One-Way (Trapdoor) Permutations

Where do pseudo-random generators come from?

1 Introduction The relation between randomized computations with one-sided error and randomized computations with two-sided error is one of the most i

Being Taught can be Faster than Asking Questions

A Note on Negligible Functions

Foundation of Cryptography, Lecture 4 Pseudorandom Functions

On the Power of the Randomized Iterate

Chapter 2 Balanced Feistel Ciphers, First Properties

Inaccessible Entropy and its Applications. 1 Review: Psedorandom Generators from One-Way Functions

Zero-Knowledge Proofs 1

Limits on the Stretch of Non-Adaptive Constructions of Pseudo-Random Generators

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

On Black-Box Separations among Injective One-Way Functions

A SIHPLE CONSTRUCTION OF ALMOST k-wise INDEPENDENT RANDOM VARIABLES. O. Goldreich and J. Hastad. Technical Report #638

Synthesizers and Their Application to the Parallel Construction of Pseudo-Random Functions*

Pseudorandom generators without the XOR Lemma. May 18, Abstract

ISSN Technical Report L Self-Denable Claw Free Functions Takeshi Koshiba and Osamu Watanabe TR May Department of Computer Science Tok

for average case complexity 1 randomized reductions, an attempt to derive these notions from (more or less) rst

Reusing Shares in Secret Sharing Schemes Abstract A (t w) threshold scheme is a method for sharing a secret among w shareholders so that the collabora

Worst-Case to Average-Case Reductions Revisited

The Many Entropies in One-Way Functions

CBC MAC for Real-Time Data Sources. Abstract. The Cipher Block Chaining (CBC) Message Authentication Code (MAC) is an

Short Exponent Diffie-Hellman Problems

Security of Random Feistel Schemes with 5 or more Rounds

Contents 1 Introduction The Basics : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : : A

Abstract. This paper discusses polynomial-time reductions from Hamiltonian Circuit (HC),

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

The Complexity of the Matroid-Greedoid Partition Problem

Almost k-wise independence versus k-wise independence

Permutation Generators Based on Unbalanced Feistel Network: Analysis of the Conditions of Pseudorandomness 1

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrosky. Lecture 4

Preface More than ten years have elapsed since the rst completeness theorems for two-party and multi-party fault-tolerant computation have been announ

Lecture 4 - Computational Indistinguishability, Pseudorandom Generators

Extractors and Pseudorandom Generators

The Randomness Complexity of Parallel Repetition

Extracted from a working draft of Goldreich s FOUNDATIONS OF CRYPTOGRAPHY. See copyright notice.

Simple Constructions of Almost k-wise Independent Random Variables

Lecture Notes on Linearity (Group Homomorphism) Testing

Indistinguishability and Pseudo-Randomness

Probabilistically Checkable Arguments

A survey on quantum-secure cryptographic systems

A NOTE ON A YAO S THEOREM ABOUT PSEUDORANDOM GENERATORS

On the (Im)Possibility of Arthur-Merlin Witness Hiding Protocols

An Implementation of Ecient Pseudo-Random Functions. Michael Langberg. March 25, Abstract

Parallel Repetition of Zero-Knowledge Proofs and the Possibility of Basing Cryptography on NP-Hardness

A version of for which ZFC can not predict a single bit Robert M. Solovay May 16, Introduction In [2], Chaitin introd

On-line Bin-Stretching. Yossi Azar y Oded Regev z. Abstract. We are given a sequence of items that can be packed into m unit size bins.

On the Round Security of Symmetric-Key Cryptographic Primitives

The sum of d small-bias generators fools polynomials of degree d

A list-decodable code with local encoding and decoding

Transcription:

A NOTE ON COMPUTATIONAL INDISTINGUISHABILITY 1 Oded Goldreich Computer Science Dept. Technion, Haifa, Israel ABSTRACT We show that following two conditions are equivalent: 1) The existence of pseudorandom generators. 2) The existence of a pair of eciently constructible distributions which are computationally indistinguishable but statistically very dierent. KEYWORDS: Computational Complexity, Randomness, Algorithms. 1 Appeared as TR-602 of the CS Dept. Technion. This research was supported by grant No. 86-00301 from the United States - Israel Binational Science Foundation (BSF), Jerusalem, Israel.

1. INTRODUCTION A fundamental notion in complexity theory is that of probability distributions which are computationally indistinguishable. This notion originates from the pioneering work of [Goldwasser, Micali 82] and was presented in full generality in the fundamental work of [Yao 82]. Loosely speaking, two probability distributions are computationally indistinguishable if no ecient algorithm can "tell them apart". Namely, the output distribution of every ecient algorithm is oblivious of whether the input is taken from the rst distribution or from the second distribution. Clearly, every two distributions which are statistically close are also computationally indistinguishable. Using a counting argument one can show that the converse does not hold [Goldreich, Krawczyk 89]; namely, there exist two distributions which are statistically very dierent yet are computationally indistinguishable. However, these distributions are not eciently constructible. A fundamental question in this area is whether there exist two eciently constructible distributions which are computationally indistinguishable, yet statistically very dierent. In the sequel we refer to a positive answer to the above question as the non-triviality of computational indistinguishability. The (hypothetical) existence of pseudorandom generators, introduced and developed by [Blum, Micali 82] and [Yao 82], imply the non-triviality of computational indistinguishability. A pseudorandom generator is an ecient (deterministic) algorithm which stretches short seeds into longer output sequences such that the output distribution on a uniformly chosen seed is computationally indistinguishable from a uniform distribution. It is easy to see that the pseudorandom output distribution and the uniform distribution constitute a non-trivial case of computational indistinguishability. We conclude that the existence of pseudorandom generators is a sucient condition for the non-triviality of computational indistinguishability. In this note we prove that this condition is also a necessary one. Namely, the non-triviality of computational indistinguishability implies the existence of pseudorandom generator. 2 The notion of false entropy, introduced by [Impagliazzo, Levin, Luby 89], plays a central role in our proof. This notion yields a special case of two eciently constructible distributions which are statistically dierent yet computationally indistinguishable. We rst show that the nontriviality of computational indistinguishability implies the existence of false entropy and conclude by employing a result of [Impagliazzo, Levin, Luby 89] which states that the existence of false entropy implies the existence of pseudorandom generators. 2 We stress that it is not currently known whether pseudorandom generators do exist. Recently, it has been shown that the existence of one-way functions (another widely believed complexity assumption) is a necessary and sucient condition for the existence of pseudorandom generators (cf. [Impagliazzo, Levin, Luby 89] and [Hastad 89]).

2. FORMAL SETTING For a formal setting we consider sequences of probability distributions (called ensembles) instead of single probability distributions. Denition 1: An ensemble = f n g n2n is a sequence of random variables each ranging over binary strings. (Sometimes we omit n 2 N from the notation.) Denition 2: An ensemble = f n g n2n is polynomial-time constructible if there exists a probabilistic polynomial-time algorithm, S, such that n = S(1 n ). (On input 1 n algorithm S has output distribution n.) Denition 3: Two ensembles = f n g and Y = fy n g are said to be statistically dierent if there exists a constant c > 0 and an integer N such that for all n N jprob( n = ) Prob(Y n = )j > 1 n c : The ensembles = f n g and Y = fy n g are statistically close if for every c > 0 there exists an integer N such that for all n N jprob( n = ) Prob(Y n = )j < 1 n c : Two ensembles which are not statistically close are not necessarily statistically dierent. Statistically close ensembles constitute an uninteresting case of polynomially indistinguishable ensembles (see Denition 4). Denition 4 [Goldwasser, Micali 82, and Yao 82]: Two ensembles = f n g and Y = fy n g are polynomially indistinguishable if for every (probabilistic) polynomial-time algorithm, A, and every c > 0 there exists an integer N such that for all n N jprob(a( n ) = 1) Prob(A(Y n ) = 1)j < 1 n c : Denition 5: An ensemble = f n g n2n is called uniform if there exists a function l : N 7! N, such that for every n and every 2 f0; 1g l(n) : Prob( n = ) = 2 l(n) If l(n) = n, for all n, then is call the uniform ensemble. The uniform ensemble is denoted by U = fu n g; namely, for every 2 f0; 1g n : Prob(U n = ) = 2 n. Denition 6 [Yao 82]: An ensemble = f n g is called pseudorandom if it is polynomially indistinguishable from some uniform ensemble.

Denition 7 [Blum, Micali 82]: A deterministic polynomial-time algorithm G is called a pseudorandom generator if the following two conditions hold 1) For every s 2 f0; 1g : jg(s)j > jsj. 2) The ensemble fg(u n )g n2n is pseudorandom. Theorem: The following two conditions are equivalent: 1) There exists a pseudorandom generator, 2) There exists a pair of polynomial-time constructible ensembles which are statistically dierent yet polynomially indistinguishable. 3. PROOF OF THE THEOREM To see that condition (1) implies (2), let G be a pseudorandom generator, and l : N! N be a function so that fg(u n )g n2n and fu l(n) g n2n are polynomially indistinguishable. Since jg()j > jj, it follows that l(n) > n. Also, G(U n ) must concentrate on strings of length l(n) (i.e. Prob(jG(U n )j = l(n)) > 2 ) and hence l(n) can be computed with very high probability 3 in poly(n)-time. Namely, there exists a probabilistic polynomial-time algorithm L such that Prob(L(1 n ) = l(n)) > 1 2 n. Let Y n denote the following two step random process: rst assign l L(1 n ) and next assign Y n a string chosen uniformly in f0; 1g l. Then Y = fy n g is polynomial-time constructible and satises Prob(Y n 2 f0; 1g l(n) ) 1 2 n and Prob(Y n = jy n 2 f0; 1g l(n) ) = 2 l(n) for every 2 f0; 1g l(n). Hence fg(u n )g and fy n g (being polynomial-time constructible, statistical dierent, and polynomially indistinguishable) satisfy condition (2). To see that condition (2) implies condition (1) we use the notion of false entropy introduced in [Impagliazzo, Levin, Luby 89]. Denition 8: A polynomial-time constructible ensemble F = ff n g is said to have false entropy (is a false entropy ensemble) if there exists a polynomial-time constructible ensemble D = fd n g, such that F and D are polynomially indistinguishable and D has higher entropy than F. Namely, there exists a constant c 0 and an integer N such that for all n N Ent(D n ) Ent(F n ) + 1 n c where Ent is the entropy functional assigning to each random variable its entropy Prob( = ) log 2 (Prob( = )): The proof follows immediately from the subsequent two lemmas.

Lemma 1: Let f n g and fy n g be a pair of ensembles as in condition (2) of the Theorem. Then there exists a false entropy ensemble. Lemma 2 [Impagliazzo, Levin, Luby 89]: If there exists a false entropy ensemble then there exists a pseudorandom generator. 3.1 Proof of Lemma 1 A construction which proves the lemma is obtained by letting F n = (0; n ) with probability 1/2 and F n = (1; Y n ) with probability 1/2. The ensemble fd n g used to demonstrate that ff n g has false entropy is D n = (B; n ) with probability 1/2 and D n = (B; Y n ) with probability 1/2, where B is uniformly distributed over f0; 1g independently of all other random variables. It is simpler, however, to verify the validity of the more complex construction given below. Let c > 0 be such that for all suciently large n we have jprob( n = ) Prob(Y n = )j > 1 n c Dene n to be n 2c+1 independent copies of n, and Y n to be n 2c+1 independent copies of Y n. Clearly, f n g and f Yn g are both polynomial-time constructible. Standard technique can be used to show that f n g and f Y n g are polynomial-time indistinguishable (e.g., consider "hybrids" H i n composed of i independent copies of n followed by n 2c+1 i independent copies of Y n ). and Y are statistically very dierent; namely: jprob( n = ) Prob( Y n = )j > 1 2 n : We now apply the above construction to n and Yn (instead of to n and Y n ). Formally, F n equals (0; n ) with probability 1/2 and (1; Y n ) otherwise. Dn equals (B; n ) with probability 1/2 and (B; Yn ) otherwise. Clearly, Fn and Dn are polynomial indistinguishable, while Dn has higher entropy than Fn (as the rst bit of Dn is independent of the rest, while in Fn the rst bit is determined with very high probability by the rest). Remark: An analogous argument can be applied directly to F n and D n. The rst bit of F n can be predicted with non-negligible advantage (rather than almost determined) from the rest. 3.2 Proof of Lemma 2 - Sketch The proof originates from [Impagliazzo, Levin, Luby 89]. A sketch is presented here for the sake of self-containment. Let F = ff n g be a false entropy ensemble and D = fd n g the ensemble used to demonstrate this property. Let S be a probabilistic polynomial-time algorithm satisfying S(1 n ) = F n (such an algorithm exists since F n is polynomial-time constructible). Let t(n) be a bound on the running time of S(1 n ). We may view S(1 n ) as selecting at random a sequence of t(n) bits, denoted r, and

then evaluating f(r), where f is a polynomial-time computable function. Let R n be uniform over f0; 1g t(n), then F n = f(r n ). Suppose Ent(D n ) > Ent(F n ) + 1, and let e(n) def = Ent(F n n ). Shorthand t = t(n), e = e(n) c and let m = (n c t) O(1) and l = m(t e) m 2=3 t n. Consider the following three ensembles: (1) h; f(r 1 ):::f(r m ); h(r 1 :::r m ) (2) h; f(r 1 ):::f(r m ); s (3) h; D n :::D n ; s (this ensemble contains m independent copies of D n ) where (in the appropriate ensembles) r 1 :::r m are uniformly selected each in f0; 1g t, the string s is uniformly selected in f0; 1g l, and h is a randomly selected function from a family of universal 2 hash functions mapping m t-bit strings to l-bit strings. Such families have the (dening) property that every two elements of the domain are mapped (uniformly and) in a pairwise independent manner by a function chosen uniformly in the family. We require the family to have succinct representation: the functions in the family should be representable by strings of length n c, where c is a constant independent of n. It is easy to see that the ensembles (2) and (3) are polynomially indistinguishable (as F = ff(r n )g and D are polynomially indistinguishable). To show that the ensembles (1) and (2) are statistically close, observe that for most sequences r 1 ; r 2 ; :::; r m, the number of pre-images of f(r 1 )f(r 2 )f(r m ) is at least 2 m(t e) m2=3 t = 2 l+n (as the average logarithm of pre-image size for each f(r i ) is t e and m independent repetitions of an experiment are unlikely to deviate from the expectation by more than p m times the maximal value). It can be shown that most functions chosen from the above family map a subset of size 2 l+n almost uniformly onto f0; 1g l (see [Impagliazzo, Levin, Luby 89] for the non-trivial technical details). Hence, ensembles (1) and (2) are statistically close. We conclude that ensembles (1) and (3) are polynomially indistinguishable. We now show that the entropy of ensemble (3) is greater than the number of random bits used in the construction of ensemble (1). The entropy of ensemble (3) is at least jhj + m (e + 1 n c ) + m (t e) m2=3 t n > jhj + m t + m 1 n c 2m 2=3 t: With a suitable choice of m (e.g. m = (3n c t) 3 ) this is substantially more than jhj + m t which is the number of bits used in the construction of ensemble (1). Finally, applying a suitable hashing function on ensembles (1) and (3) yields a pseudorandom generator G. I.e., G(h 0 ; h; r 1 :::r m ) = h 0 h 0 (h; f(r 1 ):::f(r m ); h(r 1 :::r m )); where h 0 is a hashing function chosen from a suitable class. The output distribution of G is polynomially indistinguishable from the distribution h 0 h 0 (h; D n :::D n ; s) and the latter is statistically close to a uniform ensemble.

ACKNOWLEDGEMENT I am most grateful to Johan Hastad for his exposition of the proof of Lemma 2. I also wish to thank Hugo Krawczyk, Leonid Levin and Mike Luby for discussion concerning polynomial indistinguishability and pseudorandom generators. Final thanks to the anonymous referee for helpful comments. REFERENCES [1] Blum, M., and Micali, S., \How to Generate Cryptographically Strong Sequences of Pseudo- Random Bits", SIAM Jour. on Computing, Vol. 13, 1984, pp. 850-864. First version in FOCS 1982. [2] Goldreich, O., and H. Krawczyk, \Sparse Pseudorandom Distributions", Crypto89 proceedings, to appear. [3] Goldwasser, S., and S. Micali, \Probabilistic Encryption", JCSS, Vol. 28, No. 2, 1984, pp. 270-299. Previous version in STOC 1982. [4] Hastad, J., \Pseudo-Random Generators with Uniform Assumptions", preprint, 1989. [5] Impagliazzo, R., L.A. Levin, and M. Luby, \Pseudorandom Generation from One-Way Functions", Proc. of the 21st ACM Symp. on Theory of Computing (STOC), 1989, pp. 12-24. [6] Yao, A.C., \Theory and Applications of Trapdoor Functions", Proc. of the 23rd IEEE Symp. on Foundation of Computer Science (FOCS), 1982, pp. 80-91.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback