Pseudorandom Generator - SJTU

Dec 07, 2021

Page 1: Pseudorandom Generator - SJTU

Pseudorandom Generator

Page 2: Pseudorandom Generator - SJTU

Synopsis

1. Pseudorandom Generator

2. Pseudorandom Function

3. One-Way Function

Computational Complexity, by Y. Fu Pseudorandom Generator 1 / 49

Page 3: Pseudorandom Generator - SJTU

Pseudorandom Generator


Page 4: Pseudorandom Generator - SJTU

Modern cryptography addresses the long key issue by studying how to generate long keys from short ones.

- An efficient observer can only detect ignorable differences between a generated key and a random key.


Page 5: Pseudorandom Generator - SJTU

What is a random string? How do we characterize random strings?

- For modern cryptography it suffices that strings are distributed in a way that looks random to all efficient observers.


Page 6: Pseudorandom Generator - SJTU

Pseudorandom Generator

Let $G : \{0,1\}^* \to \{0,1\}^*$ and $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) > n$ for all $n$ and $|G(x)| = \ell(|x|)$ for all $x \in \{0,1\}^*$.

$G$ is a computationally secure pseudorandom generator of stretch $\ell(n)$ if, for every P-time PTM $A$, there exists a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that

$$\bigl|\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1]\bigr| \le \varepsilon(n).$$

Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.


Page 7: Pseudorandom Generator - SJTU

The definition of pseudorandom generator says nothing about how to construct such a generator.


Page 8: Pseudorandom Generator - SJTU

Unpredictability

Let $G : \{0,1\}^* \to \{0,1\}^*$ be P-time computable with stretch $\ell(n)$, where $\ell : \mathbb{N} \to \mathbb{N}$ is P-time computable such that $\forall n.\ \ell(n) > n$.

We say that $G$ is unpredictable if for every P-time PTM $B$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that

$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \le \varepsilon(n).$$

M. Blum, S. Micali. How to Generate Cryptographically Strong Sequences of Pseudorandom Bits. FOCS 1982.


Page 9: Pseudorandom Generator - SJTU

Unpredictability ⇐ Pseudorandomness

Suppose $G$ is a pseudorandom generator. If it is not unpredictable then there is some $c$ such that

$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \ge \frac{1}{n^c}$$

holds for a P-time PTM $B$ for infinitely many $n$. Some $i$ exists s.t.

$$\Bigl|\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2}\Bigr| \ge \frac{1}{n^c \ell(n)}$$

for infinitely many $n$. It follows from $\Pr[B(U_{\ell(n)}) = 1] = \tfrac{1}{2}$ that

$$\Pr[B(G(U_n)) = 1] - \Pr[B(U_{\ell(n)}) = 1] \ge \frac{1}{n^c \ell(n)}$$

for infinitely many $n$, which is a contradiction.


Page 10: Pseudorandom Generator - SJTU

Unpredictability ⇒ Pseudorandomness

Theorem (Yao, 1982).

If G is unpredictable, then it is a pseudorandom generator.

Yao. Theory and Applications of Trapdoor Functions. FOCS 1982.


Page 11: Pseudorandom Generator - SJTU

Unpredictability ⇒ Pseudorandomness

Let $\ell : \mathbb{N} \to \mathbb{N}$ be P-time computable such that $\ell(n) \ge n$. Let $G : \{0,1\}^* \to \{0,1\}^*$ be P-time computable with stretch $\ell$.

Suppose $G$ is not a pseudorandom generator. Then there is some constant $c$ and some P-time PTM $A$ such that, wlog,

$$\Pr[A(G(U_n)) = 1] - \Pr[A(U_{\ell(n)}) = 1] \ge \frac{1}{n^c}$$

for infinitely many $n$.


Page 12: Pseudorandom Generator - SJTU

Unpredictability ⇒ Pseudorandomness

For $i \le \ell(n)$, the hybrid distribution $D_i$ is defined as follows:

1. choose $x \in_R \{0,1\}^n$ and compute $y = G(x)$;

2. output $y_1, \ldots, y_i, z_{i+1}, \ldots, z_{\ell(n)}$ with $z_{i+1}, \ldots, z_{\ell(n)} \in_R \{0,1\}$.

Note that $D_0 = U_{\ell(n)}$ and $D_{\ell(n)} = G(U_n)$.

Let $p_i = \Pr[A(D_i) = 1]$. By assumption $p_{\ell(n)} - p_0 \ge \frac{1}{n^c}$. Now

$$p_{\ell(n)} - p_0 = (p_{\ell(n)} - p_{\ell(n)-1}) + (p_{\ell(n)-1} - p_{\ell(n)-2}) + \cdots + (p_1 - p_0).$$


Page 13: Pseudorandom Generator - SJTU

Unpredictability ⇒ Pseudorandomness

Algorithm $B$ asserts that everything $A$ says is correct.

- Input $1^n$, $i \in [\ell(n)]$ and $y_1, \ldots, y_{i-1}$.

1. randomly generate $z_i, \ldots, z_{\ell(n)}$;

2. compute $a = A(y_1, \ldots, y_{i-1}, z_i, \ldots, z_{\ell(n)})$;

3. output $z_i$ if $a = 1$ and $1 - z_i$ if $a = 0$.

We are done if we can prove the following inequality

$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x),\ i \in_R [\ell(n)]}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] - \tfrac{1}{2} \ge \frac{1}{n^c \ell(n)},$$

which can be derived if the following holds for every $i \in [\ell(n)]$:

$$\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}\bigl[B(1^n, y_1, \ldots, y_{i-1}) = y_i\bigr] = \tfrac{1}{2} + (p_i - p_{i-1}).$$

Averaging the right-hand side over $i \in_R [\ell(n)]$, the differences telescope to $\tfrac{1}{2} + (p_{\ell(n)} - p_0)/\ell(n) \ge \tfrac{1}{2} + \frac{1}{n^c \ell(n)}$.


Page 14: Pseudorandom Generator - SJTU

Unpredictability ⇒ Pseudorandomness

$B$ predicts $y_i$ correctly if $a = 1 \wedge z_i = y_i$ or $a = 0 \wedge z_i = 1 - y_i$. This event happens with probability

$$\tfrac{1}{2}\Pr_{x,\ y = G(x)}[a = 1 \mid z_i = y_i] + \tfrac{1}{2}\bigl(1 - \Pr_{x,\ y = G(x)}[a = 1 \mid z_i = 1 - y_i]\bigr).$$

Now $\Pr_{x \in_R \{0,1\}^n,\ y = G(x)}[a = 1 \mid z_i = y_i] = p_i$. On the other hand,

$$p_{i-1} = \Pr[A(D_{i-1}) = 1] = \Pr[a = 1 \mid z_i = y_i]/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2 = p_i/2 + \Pr[a = 1 \mid z_i = 1 - y_i]/2. \qquad (1)$$

We get $\Pr[a = 1 \mid z_i = 1 - y_i] = 2p_{i-1} - p_i$ from (1). Substituting both conditional probabilities into the expression above gives $\tfrac{1}{2}p_i + \tfrac{1}{2}(1 - 2p_{i-1} + p_i) = \tfrac{1}{2} + (p_i - p_{i-1})$, as required.


Page 15: Pseudorandom Generator - SJTU

Theorem. Given a pseudorandom generator with stretch $n^c$, one can design a computationally secure encryption scheme $(E, D)$ using $n$-length keys for $n^c$-length messages.

Given a random key of length $n$, generate a key of length $n^c$ using the pseudorandom generator, and then apply the one-time pad encryption scheme.

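The scheme $(E, D)$ of the theorem above, as an added Python example that is not part of the slides. SHAKE256 stands in for the pseudorandom generator; the assumption is that on a uniformly random seed its output looks random to every efficient observer, which is exactly what the theorem requires of $G$. The names `prg`, `keygen`, `encrypt`, `decrypt` and `two_time_pad_leak` are mine. The last function records the caveat the theorem carries: it is a one-time pad, so one key encrypts one message, and a second message under the same key exposes the XOR of the two plaintexts (the randomized scheme later in the deck exists to avoid this).

```python
import hashlib
import secrets

# Added example, not the slides' code. Stand-in for the pseudorandom generator G:
# SHAKE256 is an extendable-output function; the assumption is that on a uniformly
# random n-byte seed its first l(n) bytes are indistinguishable from random.
def prg(seed: bytes, out_len: int) -> bytes:
    """Stretch a short seed to out_len pseudorandom bytes (stretch l(n) > n)."""
    if out_len <= len(seed):
        raise ValueError("a pseudorandom generator must stretch its input")
    return hashlib.shake_256(seed).digest(out_len)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("one-time pad needs pad and message of equal length")
    return bytes(p ^ q for p, q in zip(a, b))

def keygen(n: int = 16) -> bytes:
    """A uniformly random n-byte key (n = 16 here; the slides count in bits)."""
    return secrets.token_bytes(n)

def encrypt(key: bytes, message: bytes) -> bytes:
    """E: expand the n-byte key to a |message|-byte pad with the PRG, then XOR."""
    return xor_bytes(prg(key, len(message)), message)

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """D: recompute the same pad from the key; XOR is its own inverse."""
    return xor_bytes(prg(key, len(ciphertext)), ciphertext)

def two_time_pad_leak(key: bytes, m1: bytes, m2: bytes) -> bool:
    """Caveat: the theorem covers ONE message per key. Reusing the key gives
    c1 XOR c2 == m1 XOR m2: the pad cancels and the messages' XOR is exposed."""
    c1, c2 = encrypt(key, m1), encrypt(key, m2)
    return xor_bytes(c1, c2) == xor_bytes(m1, m2)

if __name__ == "__main__":
    k = keygen()
    msg = b"constructed sample message, 32 B"   # constructed sample input
    assert decrypt(k, encrypt(k, msg)) == msg
    print("round trip ok; key reuse leaks m1 xor m2:", two_time_pad_leak(k, msg, msg[::-1]))
```

Because SHAKE256 output is prefix-consistent, `prg(key, 50)` is the first half of `prg(key, 100)`; a deployment therefore needs a fresh key (or a nonce folded into the seed) per message, not merely a longer pad.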

Page 16: Pseudorandom Generator - SJTU

Application: Derandomization

If pseudorandom generators exist, then we can construct subexponential deterministic algorithms for problems in BPP.

- This is the derandomization of BPP.

The basic idea:

- Let $L$ be decided by an $n^d$-time PTM $P$ with bounded error.

- For every small $\varepsilon$ let $c$ be such that $0 < d/c < \varepsilon < 1$.

- Apply to all strings of length $n^{d/c}$ the pseudorandom generator with stretch $n^c$ and then execute $P$ by following the choices prescribed by the produced pseudorandom strings of length $n^d$.

- The algorithm runs in time $O(2^{n^{\varepsilon}})$.


Page 17: Pseudorandom Generator - SJTU

Pseudorandom Function


Page 18: Pseudorandom Generator - SJTU

Let $F_n$ denote the set of all functions of type $\{0,1\}^n \to \{0,1\}^n$.

1. Generally $n2^n$ bits are necessary to specify a function in $F_n$.

2. Consequently its computation is not efficient.

We look for an efficient subset $G_n$ of $F_n$ that appears random.

1. Every element of $G_n$ is specified by $n$ bits.

2. Every element of $G_n$ is P-time computable.

3. Yet no P-time PTM can detect a noticeable difference between a random element of $G_n$ and a random element of $F_n$.

- There are $2^{n2^n}$ elements in $F_n$.

- There are only $2^n$ elements in $G_n$.


Page 19: Pseudorandom Generator - SJTU

Pseudorandom functions are pseudorandom generators with exponential stretch.

- A pseudorandom function is a black box: a distinguisher can only ask for the values of the function at a small number of inputs.


Page 20: Pseudorandom Generator - SJTU

Pseudorandom Function

Let $\{f_k\}_{k \in \{0,1\}^*}$ be a family of functions such that

- $f_k : \{0,1\}^{|k|} \to \{0,1\}^{|k|}$ for every $k \in \{0,1\}^*$, and

- $f_k(x)$ is P-time computable from $k, x$.

The family $\{f_k\}_{k \in \{0,1\}^*}$ is pseudorandom if for every P-time probabilistic OTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for all $n$,

$$\Bigl|\Pr_{k \in_R \{0,1\}^n}\bigl[A^{f_k}(1^n) = 1\bigr] - \Pr_{g \in_R F_n}\bigl[A^{g}(1^n) = 1\bigr]\Bigr| \le \varepsilon(n).$$

$A$ needs no input. The string $1^n$ marks the input length.


Page 21: Pseudorandom Generator - SJTU

Pseudorandom Generator ⇐ Pseudorandom Function

Suppose $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom family of functions.

- For every polynomial $\ell(n)$, the map $G$ defined by

$$k \in \{0,1\}^n \mapsto f_k(1), \ldots, f_k(\ell(n)) \in \{0,1\}^{n\ell(n)}$$

is a pseudorandom generator.

- This follows from the definition.


Page 22: Pseudorandom Generator - SJTU

Goldreich-Goldwasser-Micali Theorem.

Suppose that there exists a pseudorandom generator $G$ with stretch $\ell(n) = 2n$. Then there exists a pseudorandom function family.

O. Goldreich, S. Goldwasser, S. Micali. How to Construct Random Functions. FOCS 1984.


Page 23: Pseudorandom Generator - SJTU

Pseudorandom Generator ⇒ Pseudorandom Function

Let $G$ be a pseudorandom generator with stretch $2n$.

- $G_0(x)$ is the first $n$ bits;

- $G_1(x)$ is the last $n$ bits.

For each $k \in \{0,1\}^n$ the function $f_k$ is defined by

$$f_k(x) = G_{x_n}(G_{x_{n-1}}(\ldots G_{x_1}(k) \ldots)).$$

We will prove that $\{f_k\}_{k \in \{0,1\}^*}$ is a pseudorandom function family.


Page 24: Pseudorandom Generator - SJTU

Figure: The algorithm that calculates $f_k(x)$, drawn as a binary tree. The root is $k$; the edge $x_1 = 0$ leads to $G_0(k)$ and the edge $x_1 = 1$ to $G_1(k)$; at the next level the edges $x_2 = 0$ and $x_2 = 1$ lead to $G_0(G_0(k))$, $G_1(G_0(k))$, $G_0(G_1(k))$, $G_1(G_1(k))$, and so on down to depth $n$.

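The tree in the figure, as an added Python example that is not the slides' code. $G$ is realised as a length-doubling stand-in built from SHA-256 with a domain-separation byte, so that $G_0$ and $G_1$ are its two 32-byte halves; the assumption is that this $G$ is a pseudorandom generator of stretch $2n$ on a uniformly random 32-byte seed. `ggm_prf` walks the tree along the bits of $x$ as in $f_k(x) = G_{x_n}(\ldots G_{x_1}(k) \ldots)$, and `prg_from_prf` is the map $k \mapsto f_k(1), \ldots, f_k(\ell(n))$ from the slide on obtaining a generator from a pseudorandom function; both names are mine.

```python
import hashlib

N = 32  # seed length n in bytes (the slides count in bits; the tree is the same)

def G(k: bytes) -> bytes:
    """Length-doubling stand-in: G(k) = SHA-256(k||0x00) || SHA-256(k||0x01).
    Assumed to be a PRG of stretch 2n on a uniformly random n-byte k."""
    if len(k) != N:
        raise ValueError(f"seed must be {N} bytes")
    return hashlib.sha256(k + b"\x00").digest() + hashlib.sha256(k + b"\x01").digest()

def G0(k: bytes) -> bytes:
    """First n bytes of G(k): the left child in the tree."""
    return G(k)[:N]

def G1(k: bytes) -> bytes:
    """Last n bytes of G(k): the right child in the tree."""
    return G(k)[N:]

def ggm_prf(k: bytes, x: str) -> bytes:
    """f_k(x) = G_{x_n}(... G_{x_1}(k) ...): start at the root k and follow
    the bits of x from x_1 onwards, left on 0 and right on 1."""
    if any(b not in "01" for b in x):
        raise ValueError("x must be a bit string such as '0110'")
    node = k
    for bit in x:
        node = G1(node) if bit == "1" else G0(node)
    return node

def prg_from_prf(k: bytes, ell: int, in_bits: int = 8 * N) -> bytes:
    """k -> f_k(1), ..., f_k(ell): a PRG of stretch n*ell. The inputs 1..ell
    are written as in_bits-bit strings so that f_k's domain is {0,1}^n."""
    if ell >= 1 << in_bits:
        raise ValueError("ell exceeds the PRF's input space")
    return b"".join(ggm_prf(k, format(j, f"0{in_bits}b")) for j in range(1, ell + 1))

if __name__ == "__main__":
    k = bytes(range(N))   # constructed sample seed; a real key is drawn uniformly at random
    assert ggm_prf(k, "00") == G0(G0(k)) and ggm_prf(k, "10") == G0(G1(k))
    print(prg_from_prf(k, 3).hex())
```

An evaluation touches only the one root-to-leaf path for $x$, so $f_k$ costs $|x|$ applications of $G$ although the tree has $2^{|x|}$ leaves; this is why the hybrid argument on the next slides can count the number of invocations of $G$ as at most $nT$ for a $T$-time distinguisher.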

Page 25: Pseudorandom Generator - SJTU

Pseudorandom Generator ⇒ Pseudorandom Function

Let $A$ be a $T$-time PTM that distinguishes $\{f_k\}_{k \in \{0,1\}^n}$ and $F_n$. I.e. some $c$ and $A$ exist s.t. the following holds for infinitely many $n$,

$$\Pr_{g \in_R F_n}\bigl[A^{g}(1^n) = 1\bigr] - \Pr_{k \in_R \{0,1\}^n}\bigl[A^{f_k}(1^n) = 1\bigr] \ge \frac{1}{n^c}.$$

We construct a P-time PTM $B$ that distinguishes the distributions $U_{2n}$ and $G(U_n)$ with $\frac{1}{nT} \cdot \frac{1}{n^c}$ bias.

- For that purpose we define a random implementation $O$ of the oracles $f_{U_n}$ in terms of $G$.

1. generate the seed $k \in_R \{0,1\}^n$ randomly;

2. run the algorithm that calculates $f_k$ on all queries.

- We then modify $O$ to obtain $\{O_i\}_{i \le nT}$ using the hybrid approach.


Page 26: Pseudorandom Generator - SJTU

Pseudorandom Generator ⇒ Pseudorandom Function

For $i \le nT$ the random oracle $O_i$ is defined as follows:

1. For the first $i$ invocations of $G$, $O_i$ chooses randomly.

- the random answers must be consistent!

- the random number generated at the $i$-th step is the seed $k$.

2. In the rest of the invocations of $G$, $O_i$ calculates like $O$.

Clearly $O_0$ is $O$, and $O_{nT}$ is a random function.

Let $p_i = \Pr[A^{O_i}(1^n) = 1]$. Observe that

- $p_0 = \Pr_{k \in_R \{0,1\}^n}[A^{f_k}(1^n) = 1]$ and

- $p_{nT} = \Pr_{g \in_R F_n}[A^{g}(1^n) = 1]$.

By assumption $p_{nT} - p_0 \ge \frac{1}{n^c}$.


Page 27: Pseudorandom Generator - SJTU

Algorithm $B$.

1. Input $k \in \{0,1\}^{2n}$.

2. Generate $i \in_R [nT]$.

3. Run $A^{O_i}(1^n)$, with the modification that in the $i$-th invocation the two children are the first respectively the last $n$ bits of $k$.

The following can be easily verified.

- If $k \in_R U_{2n}$, then $B$'s output is distributed as $A^{O_i}(1^n)$.

- If $k \in_R G(U_n)$, then $B$'s output is distributed as $A^{O_{i-1}}(1^n)$.

Consequently $\Pr[B(U_{2n}) = 1] - \Pr[B(G(U_n)) = 1]$ is

$$\sum_{i \in [nT]} \frac{\Pr[A^{O_i}(1^n) = 1]}{nT} - \sum_{i \in [nT]} \frac{\Pr[A^{O_{i-1}}(1^n) = 1]}{nT} = \frac{p_{nT}}{nT} - \frac{p_0}{nT} \ge \frac{1}{nT} \cdot \frac{1}{n^c}.$$


Page 28: Pseudorandom Generator - SJTU

Application: One Key for Many Messages

By the Goldreich-Goldwasser-Micali Theorem and Yao's Theorem, the string $f_k(r_1), f_k(r_2), f_k(r_3), \ldots$ is unpredictable.

1. Alice encrypts a message $x \in \{0,1\}^n$ by choosing $r \in_R \{0,1\}^n$ and sends $(r, f_k(r) \oplus x)$ to Bob, where $k \in \{0,1\}^n$ is the key.

2. Bob receives $(r, y)$ and calculates $f_k(r) \oplus y$ to recover $x$.


Page 29: Pseudorandom Generator - SJTU

Application: Message Authentication Code

For the same reason the following protocol is secure.

1. Alice sends $x$ to Bob.

2. Bob sends $(x, f_k(x))$ to Alice.

3. Alice receives $(x, y)$ and checks if $y = f_k(x)$ to verify that the message has not been corrupted.

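The two preceding applications (one key for many messages, and the message authentication code) as one added Python example, not the slides' code. HMAC-SHA256 stands in for the pseudorandom function $f_k$ (the assumption is that it is pseudorandom); `derive_keys`, `encrypt_block`, `decrypt_block`, `tag` and `verify` are my names. Two points the slides leave implicit are made explicit in the code: $r$ must be fresh for every message (a repeated $r$ reuses the pad $f_k(r)$), and the encryption and authentication keys must differ, because $f_k(x)$ is precisely the pad that would encrypt a message under nonce $x$.

```python
import hmac
import hashlib
import secrets

N = 32  # n in bytes: HMAC-SHA256 outputs 32 bytes, so f_k maps to {0,1}^256

def f(k: bytes, x: bytes) -> bytes:
    """Stand-in for the PRF f_k(x): HMAC-SHA256 keyed with k (assumed pseudorandom)."""
    return hmac.new(k, x, hashlib.sha256).digest()

def derive_keys(master: bytes) -> tuple:
    """Separate encryption and MAC keys from one master key via the PRF on
    distinct labels, so that a tag can never double as a pad."""
    return f(master, b"enc"), f(master, b"mac")

def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("pad/message length mismatch")
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt_block(k_enc: bytes, x: bytes) -> tuple:
    """Alice: choose a fresh random r and send (r, f_k(r) XOR x)."""
    if len(x) != N:
        raise ValueError(f"this toy encrypts exactly {N}-byte blocks")
    r = secrets.token_bytes(N)          # fresh per message: never reuse r
    return r, xor_bytes(f(k_enc, r), x)

def decrypt_block(k_enc: bytes, r: bytes, y: bytes) -> bytes:
    """Bob: recompute f_k(r) from the shared key and XOR it off."""
    return xor_bytes(f(k_enc, r), y)

def tag(k_mac: bytes, x: bytes) -> bytes:
    """Bob: the second component of (x, f_k(x)), i.e. the MAC of x."""
    return f(k_mac, x)

def verify(k_mac: bytes, x: bytes, y: bytes) -> bool:
    """Alice: accept only if y == f_k(x); the comparison is constant-time so the
    check itself does not reveal how many tag bytes matched."""
    return hmac.compare_digest(f(k_mac, x), y)

if __name__ == "__main__":
    k_enc, k_mac = derive_keys(secrets.token_bytes(N))
    x = b"constructed 32-byte sample block"   # constructed sample input
    r, y = encrypt_block(k_enc, x)
    assert decrypt_block(k_enc, r, y) == x
    t = tag(k_mac, x)
    print("authentic:", verify(k_mac, x, t), "tampered:", verify(k_mac, x[:-1] + b"?", t))
```

The unpredictability argument of the slide applies per $r$, which is why `encrypt_block` draws $r$ from the operating system's CSPRNG rather than from a counter or clock; with $n = 256$ bits, a repeated $r$ is negligible in probability.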

Page 30: Pseudorandom Generator - SJTU

Application: Lower Bound for Machine Learning

In machine learning the goal is to learn a function $f$ from a sequence of examples $(r_1, f(r_1)), \ldots, (r_k, f(r_k))$.

- The existence of pseudorandom functions implies that even if $f$ is P-time computable, there is no way to learn it in P-time.


Page 31: Pseudorandom Generator - SJTU

One-Way Function


Page 32: Pseudorandom Generator - SJTU

Suppose $G : \{0,1\}^* \to \{0,1\}^*$ is a pseudorandom generator.

For every P-time PTM $A$ there must be a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that the following holds for every $n$,

$$\Pr_{x \in_R \{0,1\}^n}\bigl[A(1^n, G(x)) = x' \wedge G(x') = G(x)\bigr] \le \varepsilon(n).$$


Page 33: Pseudorandom Generator - SJTU

One-Way Function

A P-time function $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way function if for every P-time PTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that for every $n$,

$$\Pr_{x \in_R \{0,1\}^n,\ y = f(x)}\bigl[A(1^n, y) = x' \wedge f(x') = y\bigr] \le \varepsilon(n).$$


Page 34: Pseudorandom Generator - SJTU

Let $f : \{0,1\}^* \to \{0,1\}^*$ be a P-time computable function such that $\forall x.\ |x| \le |f(x)|$.

- If $\mathrm{P} = \mathrm{NP}$ then $\{(l, u, y) \mid \exists x.\ f(x) = y \wedge l \le x \le u\} \in \mathrm{P}$.

- By divide-and-conquer one can compute $f^{-1}$ in P-time.

The existence of one-way functions implies $\mathrm{P} \ne \mathrm{NP}$.


Page 35: Pseudorandom Generator - SJTU

Integer multiplication is believed to be one-way.


Page 36: Pseudorandom Generator - SJTU

Theorem. If one-way permutations exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.

Q. Yao.

- Theory and Applications of Trapdoor Functions. FOCS 1982.

Theorem. If one-way functions exist, then for every $c \in \mathbb{N}$, there exists a pseudorandom generator with stretch $S(n) = n^c$.

J. Hastad, R. Impagliazzo, L. Levin and M. Luby.

- A Pseudorandom Generator from any One-way Function. SIAM Journal on Computing, 28:1364-1396, 1999.


Page 37: Pseudorandom Generator - SJTU

The crucial step is in obtaining a pseudorandom generator that extends its input by one bit.

- If $f$ is a one-way permutation, then $G(x, r) = f(x), r, x \odot r$ is a pseudorandom generator. Notice that $f(x), r$ are completely random and independent, and the $(2n+1)$-th bit cannot be predicted with probability noticeably larger than $1/2$.

We shall prove the Theorem using the Goldreich-Levin Theorem.


Page 38: Pseudorandom Generator - SJTU

Goldreich-Levin Theorem. Suppose $f : \{0,1\}^* \to \{0,1\}^*$ is a one-way permutation. Then for every P-time PTM $A$ there is a negligible function $\varepsilon : \mathbb{N} \to [0,1]$ such that

$$\Bigl|\Pr_{x, r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2}\Bigr| \le \varepsilon(n),$$

where $x \odot r = \sum_{i=1}^{n} x_i r_i \pmod 2$.

We call $x \odot r$ the hard core bit of the function $xr \mapsto f(x)r$.

O. Goldreich, L. Levin.

- A Hard-Core Predicate for All One-Way Functions. STOC'89.


Page 39: Pseudorandom Generator - SJTU

Scenario:

- We know $f(x)$ and that $A(f(x), r)$ approximates $x \odot r$.

- We hope to recover $x$.

1. If $A(f(x), r) = x \odot r$ for all $r$, then it is easy to recover $x$ by the following algorithm:

- Run $A(f(x), e^1), \ldots, A(f(x), e^n)$.

- Paste the resulting $n$ bits to form $x$.


Page 40: Pseudorandom Generator - SJTU

2. Suppose $\Pr_{r \in_R \{0,1\}^n}[A(f(x), r) = x \odot r] \ge 0.9$.

Now $x \odot r$ is uniformly distributed. So by the union bound

$$\Pr_{r \in_R \{0,1\}^n}\bigl[(A(f(x), r) \ne x \odot r) \vee (A(f(x), r \oplus e^i) \ne x \odot (r \oplus e^i))\bigr] \le 0.2.$$

Using the equality $x \odot (r \oplus e^i) = (x \odot r) \oplus (x \odot e^i)$, one sees that

$$\Pr_{r \in_R \{0,1\}^n}\bigl[A(f(x), r) \oplus A(f(x), r \oplus e^i) = x_i\bigr] \ge 0.8, \qquad (2)$$

which can be amplified to $1 - 1/10n$ by majority vote.

- If we replace $0.9$ by $0.75$, then $0.8$ decreases to $0.5$, rendering the lower bound in (2) utterly useless.


Page 41: Pseudorandom Generator - SJTU

Algorithm $B$:

1. $m := 200n$.

2. Choose $r_1, \ldots, r_m \in_R \{0,1\}^n$.

3. For $i$ from $1$ to $n$ do

3.1 $z_1 := A(f(x), r_1)$, $z'_1 := A(f(x), r_1 \oplus e^i)$, $\ldots$, $z_m := A(f(x), r_m)$, $z'_m := A(f(x), r_m \oplus e^i)$.

3.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.


Page 42: Pseudorandom Generator - SJTU

Analysis of $B$:

1. Let the random variable $Z_j$ be defined by

$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(f(x), r_j) = x \odot r_j \text{ and } A(y, r_j \oplus e^i) = x \odot (r_j \oplus e^i), \\ 0, & \text{otherwise.} \end{cases}$$

2. Clearly $Z_1, \ldots, Z_m$ are independent. Let $Z = Z_1 + \cdots + Z_m$.

3. $E[Z_j] \ge 0.8$ and $E[Z] \ge 0.8m$.

4. $\Pr[|Z - E[Z]| \ge 0.3m] \le 1/(0.3\sqrt{m})^2$ by the Chebyshev inequality.

5. It follows from $m = 100n$ that $\Pr[Z \le 0.5m] \le 1/10n$.

- Chebyshev inequality: $\Pr[|Z - E[Z]| \ge k\sqrt{\mathrm{Var}(Z)}] \le 1/k^2$.

- $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$ since $\mathrm{Var}(Z_j) \le 1$ for all $j$.


Page 43: Pseudorandom Generator - SJTU

3. Suppose there are a constant $c \in \mathbb{N}$ and a P-time PTM $A$ such that

$$\Pr_{x, r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^c}$$

for infinitely many $n$.

There is at least a $\frac{1}{2n^c}$ fraction of $x$'s, the good $x$'s, such that

$$\Pr_{r \in_R \{0,1\}^n}\bigl[A(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{2n^c}$$

for infinitely many $n$'s.

Lemma. Suppose $a_1, a_2, \ldots, a_n \in [0,1]$ and $\rho = (\sum_{i \in [n]} a_i)/n$. Then there is at least a $\frac{\rho}{2}$ fraction of $a_i$'s such that $a_i \ge \frac{\rho}{2}$.


Page 44: Pseudorandom Generator - SJTU

We cannot afford to apply $A$ twice.

Instead of calculating $A(f(x), r_1), \ldots, A(f(x), r_m)$, we can try to guess the values of $x \odot r_1, \ldots, x \odot r_m$.

- Choose randomly distinct $s_1, \ldots, s_k \in_R \{0,1\}^n$.

- $\{\bigoplus R\}_{R \subseteq \{s_1, \ldots, s_k\}}$ are random and pairwise independent.

- $\{x \odot \bigoplus R\}_{R \subseteq \{s_1, \ldots, s_k\}}$ are determined by $x \odot s_1, \ldots, x \odot s_k$.

We can have and afford the exhaustive guessing if $k = \log m$.


Page 45: Pseudorandom Generator - SJTU

Algorithm $C$:

1. Input $y \in \{0,1\}^n$. Think of $y$ as $f(x)$ for some $x$.

2. $m := 10n^{2c+1}$;

3. $k := \log(m)$;

4. Generate $s_1, \ldots, s_k \in_R \{0,1\}^n$;

5. Let $R_1, \ldots, R_m$ be subsets of $\{s_1, \ldots, s_k\}$ in a canonical way;

6. For each guess $w \in \{0,1\}^k$ do

6.1 for each $i \in [n]$ do

6.1.1 $x \odot s_1 := w_1, \ldots, x \odot s_k := w_k$;
$z_1 := \bigoplus_{t \in R_1} (x \odot s_t), \ldots, z_m := \bigoplus_{t \in R_m} (x \odot s_t)$;
$z'_1 := A(y, \bigoplus R_1 \oplus e^i), \ldots, z'_m := A(y, \bigoplus R_m \oplus e^i)$;

6.1.2 guess that $x_i$ is the majority value of $\{z_j \oplus z'_j\}_{j \in [m]}$.

6.2 $x := x_1 \ldots x_n$;

6.3 if $f(x) = y$, output $x$ and halt.

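Algorithm $C$, with the majority vote of Algorithm $B$ at its heart, as an added Python simulation that is not the slides' code. The one-way permutation is a toy bijection on $n$-bit integers (multiplication by an odd constant mod $2^n$, trivially invertible, used only because step 6.3 needs $f$ to be a permutation), and the oracle $A$ is a simulator that knows $x$ and returns $x \odot r$ with a chosen probability, so that its advantage can be set exactly. The names `inner`, `f`, `make_noisy_oracle` and `goldreich_levin` are mine; $n$, $m$ and the random seed are constructed so that a run takes seconds, which puts $m$ far below the slides' $10n^{2c+1}$ and takes $m$ as a power of two so that $k = \log m$ is an integer.

```python
import random

n = 12                     # bit length of x (constructed toy size)
MASK = (1 << n) - 1
rng = random.Random(2021)  # fixed seed: the simulation is reproducible

def inner(x: int, r: int) -> int:
    """x ⊙ r = sum_i x_i r_i mod 2 on integers: parity of the bitwise AND."""
    return bin(x & r).count("1") & 1

def f(x: int) -> int:
    """Toy stand-in for the one-way permutation: a bijection on n-bit values.
    NOT one-way; the algorithm only needs f(x) == y to be checkable."""
    return (x * 0x5B) & MASK   # 0x5B is odd, so multiplication mod 2^n permutes

def make_noisy_oracle(x: int, agree: float):
    """Simulated A(y, r): answers x ⊙ r with probability `agree`, else the flipped
    bit. A real A would not know x; the simulator does, so the bias is exact."""
    def A(y: int, r: int) -> int:
        b = inner(x, r)
        return b if rng.random() < agree else b ^ 1
    return A

def goldreich_levin(y: int, A, m: int):
    """Algorithm C: recover x with f(x) == y using m = 2^k oracle queries per bit.
    R_j is the subset of {s_1..s_k} whose characteristic vector is the k-bit j,
    so r_j = ⊕R_j and the guessed x ⊙ r_j is the parity of w AND j."""
    k = m.bit_length() - 1
    if 1 << k != m:
        raise ValueError("m must be a power of two so that k = log m is exact")
    s = [rng.getrandbits(n) for _ in range(k)]            # step 4
    r_of = [0] * m                                        # step 5: r_j = ⊕R_j
    for j in range(1, m):
        low = j & -j                                      # lowest set bit of j
        r_of[j] = r_of[j ^ low] ^ s[low.bit_length() - 1]
    for w in range(m):                                    # step 6: guess w_t = x ⊙ s_t
        x_guess = 0
        for i in range(n):                                # 6.1
            e_i = 1 << i
            votes = 0
            for j in range(m):                            # 6.1.1
                z = inner(w, j)                           # ⊕_{t in R_j} w_t
                z_prime = A(y, r_of[j] ^ e_i)             # A(y, r_j ⊕ e^i)
                votes += z ^ z_prime
            if 2 * votes > m:                             # 6.1.2 majority vote
                x_guess |= e_i
        if f(x_guess) == y:                               # 6.3
            return x_guess
    return None

if __name__ == "__main__":
    secret = 0x5A3                                        # constructed 12-bit x
    A = make_noisy_oracle(secret, 0.75)                   # 0.75 agreement: Algorithm B would fail here
    print(hex(goldreich_levin(f(secret), A, 256)))        # expected: 0x5a3
```

Only one oracle call per sample is made for each bit, which is the whole point of guessing $x \odot s_t$ instead of querying $A$ twice: at $0.75$ agreement the per-sample success is still $0.75$, whereas Algorithm $B$'s two calls would drop it to $0.5$. The simulator draws fresh noise per query, so the votes are fully independent; the slides' analysis only assumes pairwise independence, which also holds for a deterministic $A$. At this toy size the loop over $2^k = m$ guesses is comparable to brute force over $x$ itself; for real $n$ it is polynomial while $2^n$ is not.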

Page 46: Pseudorandom Generator - SJTU

Analysis of $C$:

1. Let the random variable $Z_j$ be defined by

$$Z_j(r_j) = \begin{cases} 1, & \text{if } A(y, r_j \oplus e^i) = x \odot (r_j \oplus e^i), \\ 0, & \text{otherwise.} \end{cases}$$

2. $Z_1, \ldots, Z_m$ are pairwise independent and $E[Z_j] \ge 1/2 + 1/n^c$.

3. Hence $E[Z] \ge m/2 + m/n^c$, where $Z = Z_1 + \cdots + Z_m$.

4. Using $\mathrm{Var}(Z) = \sum_{j=1}^{m} \mathrm{Var}(Z_j) \le m$, we derive

$$\Pr[|Z - E[Z]| \ge m/n^c] \le \Pr\Bigl[|Z - E[Z]| \ge \frac{\sqrt{m}}{n^c}\sqrt{\mathrm{Var}(Z)}\Bigr] \le \frac{n^{2c}}{m} = \frac{n^{2c}}{10n^{2c+1}} = \frac{1}{10n}.$$

5. Now $\Pr[Z \le m/2] \le \frac{1}{10n}$ follows from 3 and 4.


Page 47: Pseudorandom Generator - SJTU

Theorem. If $f$ is a one-way permutation and $c \in \mathbb{N}$, the function $G$ that maps $x, r \in \{0,1\}^n$ onto

$$r,\ f^{n^c}(x) \odot r,\ f^{n^c - 1}(x) \odot r,\ \ldots,\ f^{1}(x) \odot r$$

is a pseudorandom generator of stretch $n + n^c$.

Let $A$ be a P-time PTM s.t. for $x, r \in_R \{0,1\}^n$ and $i \in_R [n^c]$,

$$\Pr\bigl[A(r, f^{n^c}(x) \odot r, f^{n^c - 1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^d}$$

for some $d \in \mathbb{N}$ and infinitely many $n$.

Continued on the next slide.


Page 48: Pseudorandom Generator - SJTU

The PTM $B(y, r)$, where $y, r \in \{0,1\}^n$, is designed as follows:

1. Generate $i \in_R [n^c]$;

2. Output $A(r, f^{n^c - i}(y) \odot r, \ldots, f^{1}(y) \odot r, y \odot r)$.

The probability that $B(f(x), r)$ outputs $x \odot r$ is the same as

$$\Pr\bigl[A(r, f^{n^c}(x) \odot r, f^{n^c - 1}(x) \odot r, \ldots, f^{i+1}(x) \odot r) = f^{i}(x) \odot r\bigr].$$

Hence

$$\Pr_{x, r \in_R \{0,1\}^n}\bigl[B(f(x), r) = x \odot r\bigr] - \tfrac{1}{2} \ge \frac{1}{n^d},$$

contradicting the Goldreich-Levin Theorem.

Since $f$ is a permutation, $r, f^{n^c - i}(x) \odot r, \ldots, f^{1}(x) \odot r, x \odot r$ has the same distribution as $r, f^{n^c}(x) \odot r, \ldots, f^{i+1}(x) \odot r, f^{i}(x) \odot r$.

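The generator of the theorem and the prefix that its reduction $B$ computes, as an added Python example that is not the slides' code. $f$ is a toy bijection on $n$-bit integers (multiplication by an odd constant mod $2^n$; it is not one-way and only supplies the permutation structure), $x \odot r$ is the Goldreich-Levin inner product, and `one_bit_prg`, `iterate`, `hardcore_prg` and `prefix_from_iterate` are my names. The last function is the point of the reduction: from $y = f^{i}(x)$ alone, forward iteration yields every output bit that precedes $f^{i}(x) \odot r$, so a next-bit predictor for this ordering is a predictor of the hard core bit of $y$.

```python
n = 12                    # bit length of x and r (constructed toy size)
MASK = (1 << n) - 1

def inner(x: int, r: int) -> int:
    """x ⊙ r = sum_i x_i r_i mod 2 on n-bit integers."""
    return bin(x & r).count("1") & 1

def f(x: int) -> int:
    """Toy stand-in for the one-way permutation: a bijection on n-bit values
    (multiplication by an odd constant mod 2^n). NOT one-way."""
    return (x * 0x5B) & MASK

def one_bit_prg(x: int, r: int) -> tuple:
    """The one-bit extension G(x, r) = f(x), r, x ⊙ r: 2n bits in, 2n + 1 out."""
    return f(x), r, inner(x, r)

def iterate(v: int, times: int) -> int:
    """f^times(v) by forward iteration."""
    for _ in range(times):
        v = f(v)
    return v

def r_as_bits(r: int) -> list:
    return [(r >> (n - 1 - t)) & 1 for t in range(n)]

def hardcore_prg(x: int, r: int, out_bits: int) -> list:
    """The stretch-(n + out_bits) generator with n^c := out_bits. Output the n
    bits of r, then f^{out_bits}(x) ⊙ r, f^{out_bits-1}(x) ⊙ r, ..., f^1(x) ⊙ r.
    The chain is computed forward once and emitted in decreasing order."""
    chain = []
    v = x
    for _ in range(out_bits):
        v = f(v)                      # after i steps, v == f^i(x)
        chain.append(v)
    return r_as_bits(r) + [inner(v, r) for v in reversed(chain)]

def prefix_from_iterate(y: int, r: int, i: int, out_bits: int) -> list:
    """What B can compute from y = f^i(x) alone: r followed by
    f^{out_bits}(x) ⊙ r, ..., f^{i+1}(x) ⊙ r, i.e. every output bit that precedes
    f^i(x) ⊙ r. No knowledge of x is needed, only forward iteration of f."""
    later = [iterate(y, j) for j in range(1, out_bits - i + 1)]   # f^{i+1}(x) .. f^{out_bits}(x)
    return r_as_bits(r) + [inner(v, r) for v in reversed(later)]

if __name__ == "__main__":
    x, r = 0x5A3, 0x2C7                                   # constructed sample seed
    out = hardcore_prg(x, r, 20)
    print("".join(map(str, out)))
    assert prefix_from_iterate(iterate(x, 5), r, 5, 20) == out[: n + 20 - 5]
```

Emitting the bits in order of decreasing iterate is what makes the hybrid step work: the bits that come before $f^{i}(x) \odot r$ depend only on $f^{i}(x)$ and $r$, never on $x$ or on earlier iterates, so predicting the next bit from the prefix is the same task as guessing the hard core bit of a uniformly random $y$.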

Page 49: Pseudorandom Generator - SJTU

one-way function ⇔ pseudorandom generator ⇔ unpredictability


Page 50: Pseudorandom Generator - SJTU

Application: Tossing Coin Over Phone

Suppose $A$ and $B$ want to toss a coin over the phone. We can apply the following protocol.

1. $A$ chooses $x, r \in_R \{0,1\}^n$ and sends $(f_n(x), r)$ to $B$, where $f_n$ is a one-way permutation known to both parties.

2. $B$ chooses $b \in_R \{0,1\}$ and sends it to $A$.

3. $A$ sends $x$ to $B$.

$A$ and $B$ agree to use $b \oplus (x \odot r)$.

- $A$ cannot manipulate the result because it cannot change $x$.

- $B$ cannot manipulate the result because it did not know $x$.

- $A$ can make sure that the result is random as long as $x$ is.

- $B$ can make sure that the result is random as long as $b$ is.
