
Pseudo-random generators

In the document a Course in Cryptography (pages 89-95)


    if $g = 1$ then
        Output $u_{i+1}$
    else
        Output $\bar{u}_{i+1} = 1 - u_{i+1}$
    end if

Note that

$$\Pr\left[t \leftarrow X_n : A'(1^n, t_1 \dots t_i) = t_{i+1}\right] = \Pr\left[b \leftarrow \{0,1\};\ t \leftarrow H_n^{i+1,b} : A(t) = 1\right] > \frac{1}{2} + \frac{1}{p(n)\,\ell(n)},$$

which concludes the proof of Theorem 75.4.

3.3 Pseudo-random generators

We now turn to definitions and constructions of pseudo-random generators.

3.3.1 Definition of a Pseudo-random Generator

Definition 77.1 (Pseudo-random Generator). A function $G : \{0,1\}^* \to \{0,1\}^*$ is a Pseudo-random Generator (PRG) if the following holds.

1. (efficiency): $G$ can be computed in p.p.t.

2. (expansion): $|G(x)| > |x|$

3. The ensemble $\{x \leftarrow U_n : G(x)\}_n$ is pseudo-random.

3.3.2 An Initial Construction

To provide some intuition for our construction, we start by considering a simplified construction (originally suggested by Adi Shamir). The basic idea is to iterate a one-way permutation and then output, in reverse order, all the intermediary values. More precisely, let $f$ be a one-way permutation, and define the generator $G(s) = f^n(s) \| f^{n-1}(s) \| \dots \| f(s) \| s$. We use the $\|$ symbol here to represent string concatenation.

The idea behind the scheme is that given some prefix of the output of the generator, computing the next block is equivalent to inverting the one-way permutation $f$. Indeed, this scheme results in a sequence of unpredictable numbers, but not necessarily unpredictable bits. In particular, a one-way permutation may never “change” the first two bits of its input, and thus those corresponding positions will always be predictable.

Figure 78.2: Shamir’s proposed PRG, $G(s) = f^n(s) \| f^{n-1}(s) \| f^{n-2}(s) \| \dots \| f(s) \| s$.

The reason we need $f$ to be a permutation, and not a general one-way function, is two-fold. First, we need the domain and range to be the same number of bits. Second, and more importantly, we require that the output of $f^k(x)$ be uniformly distributed if $x$ is uniformly distributed. This holds if $f$ is a permutation, but may not hold for a general one-way function.

As we shall see, this construction can be modified to generate unpredictable bits as well. Doing so requires the new concept of a hard-core bit.

3.3.3 Hard-core bits

Intuitively, a predicate $h$ is hard-core for a OWF $f$ if $h(x)$ cannot be predicted significantly better than with probability 1/2, even given $f(x)$. In other words, although a OWF might leak many bits of its inverse, it does not leak the hard-core bits—in fact, it essentially does not leak anything about the hard-core bits. Thus, hard-core bits are computationally unpredictable.

Definition 78.3 (Hard-core Predicate). A predicate $h : \{0,1\}^* \to \{0,1\}$ is a hard-core predicate for $f(x)$ if $h$ is efficiently computable given $x$, and for all nonuniform p.p.t. adversaries $A$, there exists a negligible $\varepsilon$ so that $\forall n \in \mathbb{N}$

$$\Pr\left[x \leftarrow \{0,1\}^n : A(1^n, f(x)) = h(x)\right] \le \frac{1}{2} + \varepsilon(n).$$
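Two of the points above can be checked mechanically: that Shamir's construction (Section 3.3.2) leaks every bit position the permutation leaves untouched, and how the prediction experiment of Definition 78.3 is scored. The following Python is an added example, not code from the textbook; `toy_permutation`, `shamir_prg`, `always_seed_bit_positions` and `prediction_success` are names chosen here, and the permutation is a constructed 8-bit bijection that deliberately never changes its top two bits (it is in no sense one-way; enumerating all 256 inputs is what makes the scoring exact).

```python
# Added example (not from the textbook): Shamir's generator with a
# constructed toy permutation, and the scoring of the prediction
# experiment from Definition 78.3. The permutation is NOT one-way; it
# only reproduces the flaw "f never changes the first two bits".

N_BITS = 8
LOW_BITS = N_BITS - 2
LOW_MASK = (1 << LOW_BITS) - 1                # 0b00111111
TOP_MASK = ((1 << N_BITS) - 1) ^ LOW_MASK     # 0b11000000


def bit(x: int, j: int) -> int:
    """Bit j of x, with j = 0 the least significant bit."""
    return (x >> j) & 1


def toy_permutation(x: int) -> int:
    """Bijection on 8-bit strings that copies the top two bits unchanged.

    The low 6 bits pass through an affine map with an odd multiplier,
    which is a permutation of Z_{2^6} (constructed for illustration only).
    """
    low = (37 * (x & LOW_MASK) + 11) & LOW_MASK
    return (x & TOP_MASK) | low


def is_permutation(f, n_bits: int) -> bool:
    """Exhaustive check that f is a bijection on n-bit inputs."""
    return len({f(x) for x in range(1 << n_bits)}) == 1 << n_bits


def shamir_prg(f, seed: int, n: int) -> list:
    """Shamir's generator G(s) = f^n(s) || f^(n-1)(s) || ... || f(s) || s.

    Returns the n+1 blocks in output order: f^n(s) first, s last.
    """
    blocks = [seed]
    x = seed
    for _ in range(n):
        x = f(x)
        blocks.append(x)
    blocks.reverse()
    return blocks


def always_seed_bit_positions(f, n_bits: int) -> list:
    """Bit positions j such that, for every seed, every output block of
    Shamir's generator has bit j equal to bit j of the seed.

    Once one block is known, those positions of all later blocks are
    predictable, even though the blocks as numbers may be unpredictable.
    """
    positions = []
    for j in range(n_bits):
        if all(bit(block, j) == bit(seed, j)
               for seed in range(1 << n_bits)
               for block in shamir_prg(f, seed, n_bits)):
            positions.append(j)
    return positions


def prediction_success(f, h, predictor, n_bits: int) -> float:
    """Pr[x <- {0,1}^n : A(f(x)) = h(x)], computed exactly by enumeration.

    Definition 78.3 requires this to be at most 1/2 + negligible for every
    efficient A; a value far from 1/2 shows h is not hard-core for f.
    """
    total = 1 << n_bits
    hits = sum(1 for x in range(total) if predictor(f(x)) == h(x))
    return hits / total


if __name__ == "__main__":
    assert is_permutation(toy_permutation, N_BITS)
    print("positions copied from the seed:",
          always_seed_bit_positions(toy_permutation, N_BITS))
    for j in (7, 1, 0):
        # Adversary that simply copies bit j of f(x) as its guess for bit j of x.
        score = prediction_success(toy_permutation,
                                   lambda x: bit(x, j), lambda y: bit(y, j), N_BITS)
        print(f"copy bit {j}: success probability {score}")
```

Copying bit 7 of $f(x)$ predicts $h(x) = $ bit 7 with probability 1, so that predicate is not hard-core for this $f$. Copying bit 0 is always wrong, which is just as useful to the adversary: flipping the answer (the $\bar{u}_{i+1} = 1 - u_{i+1}$ step in the proof fragment at the top of this page) turns it into probability 1. Copying bit 1 scores exactly 1/2, which says nothing about hard-coreness, because the definition quantifies over all efficient $A$, and for an 8-bit toy a brute-force inverter succeeds trivially.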

Examples The least significant bit of the RSA one-way function is known to be hardcore (under the RSA assumption). That is, given $N$, $e$, and $f_{RSA}(x) = x^e \bmod N$, there is no efficient algorithm that predicts $\mathrm{LSB}(x)$. A few other examples include:

• The function $\mathrm{half}_N(x)$, which is equal to 1 iff $0 \le x \le N/2$, is also hardcore for RSA, under the RSA assumption.

• The function $\mathrm{half}_{p-1}(x)$ is a hardcore predicate for exponentiation to the power $x \bmod p$ for a prime $p$ under the DL assumption. (See §3.4.1 for this proof.)

We now show how hard-core predicates can be used to construct a PRG.

3.3.4 Constructions of a PRG

Our idea for constructing a pseudo-random generator builds on Shamir’s construction above that outputs unpredictable numbers.

Instead of outputting all intermediary numbers, however, we only output a “hard-core” bit of each of them. We start by providing a construction of a PRG that only expands the seed by one bit, and then give the full construction in Corollary 81.7.

Theorem 79.4 Let $f$ be a one-way permutation, and $h$ a hard-core predicate for $f$. Then $G(s) = f(s) \| h(s)$ is a PRG.

Proof. Assume for contradiction that there exists a nonuniform p.p.t. adversary $A$ and a polynomial $p(n)$ such that for infinitely many $n$, there exists an $i$ such that $A$ predicts the $i$th bit with probability $1/p(n)$. Since the first $n$ bits of $G(s)$ are a permutation of a uniform distribution (and thus also uniformly distributed), $A$ must predict bit $n+1$ with advantage $1/p(n)$. Formally,

$$\Pr[A(f(s)) = h(s)] > \frac{1}{2} + \frac{1}{p(n)}.$$

This contradicts the assumption that $h$ is hard-core for $f$. We conclude that $G$ is a PRG.

3.3.5 Expansion of a PRG

The construction above from Thm. 79.4 only extends an $n$-bit seed to $n+1$ output bits. The following theorem shows how a PRG that extends the seed by only 1 bit can be used to create a PRG that extends an $n$-bit seed to $\mathrm{poly}(n)$ output bits.

Lemma 80.5 Let $G : \{0,1\}^n \to \{0,1\}^{n+1}$ be a PRG. For any polynomial $\ell$, define $G' : \{0,1\}^n \to \{0,1\}^{\ell(n)}$ as follows (see Fig. 80.6):

$$G'(s) = b_1 \dots b_{\ell(n)} \quad \text{where } X_0 \leftarrow s, \quad X_{i+1} \| b_{i+1} \leftarrow G(X_i).$$

Then $G'$ is a PRG.

Figure 80.6: Illustration of the PRG $G'$ that expands a seed of length $n$ to $\ell(n)$: the seed $s = X_0$ is fed to $G$, which yields $X_1$ and the output bit $b_1$; $X_1$ is fed to $G$ again, which yields $X_2$ and $b_2$, and so on. The function $G$ is a PRG that expands by only 1 bit.

Proof. Consider the following recursive definition of $G'(s) = G^m(s)$:

$$G^0(x) = \varepsilon, \qquad G^i(x) = b \,\|\, G^{i-1}(x') \ \text{ where } x' \| b \leftarrow G(x),$$

where $\varepsilon$ denotes the empty string. Now, assume for contradiction that there exists a distinguisher $D$ and a polynomial $p(\cdot)$ such that for infinitely many $n$, $D$ distinguishes $\{U_{m(n)}\}_n$ and $\{G'(U_n)\}_n$ with probability $1/p(n)$.

Define the hybrid distributions $H^i_n = U_{m(n)-i} \| G^i(U_n)$, for $i = 0, 1, \dots, m(n)$. Note that $H^0_n = U_{m(n)}$ and $H^{m(n)}_n = G^{m(n)}(U_n)$. Thus, $D$ distinguishes $H^0_n$ and $H^{m(n)}_n$ with probability $1/p(n)$. By the Hybrid Lemma, for each $n$, there exists some $i$ such that $D$ distinguishes $H^i_n$ and $H^{i+1}_n$ with probability $\frac{1}{m(n)\,p(n)}$. Recall that

$$\begin{aligned}
H^i_n &= U_{m-i} \| G^i(U_n) \\
      &= U_{m-i-1} \| U_1 \| G^i(U_n) \\
H^{i+1}_n &= U_{m-i-1} \| G^{i+1}(U_n) \\
          &= U_{m-i-1} \| b \| G^i(x) \ \text{ where } x \| b \leftarrow G(U_n)
\end{aligned}$$

Consider the n.u. p.p.t. $M(y)$ which outputs from the following experiment:

    $b_{prev} \leftarrow U_{m-i-1}$
    $b \leftarrow y_1$
    $b_{next} \leftarrow G^i(y_2 \dots y_{n+1})$
    Output $b_{prev} \| b \| b_{next}$

Algorithm $M(y)$ is non-uniform because for each input length $n$, it needs to know the appropriate $i$. Note that $M(U_{n+1}) = H^i_n$ and $M(G(U_n)) = H^{i+1}_n$. Since (by the PRG property of $G$) $\{U_{n+1}\}_n \approx \{G(U_n)\}_n$, it follows by closure under efficient operations that $\{H^i_n\}_n \approx \{H^{i+1}_n\}_n$, which is a contradiction.

By combining Theorem 79.4 and Lemma 80.5, we get the final construction of a PRG.

Corollary 81.7 Let $f$ be a OWP and $h$ a hard-core bit for $f$. Then $G(x) = h(x) \| h(f(x)) \| h(f^{(2)}(x)) \| \dots \| h(f^{\ell(n)}(x))$ is a PRG.

Proof. Let $G'(x) = f(x) \| h(x)$. By Theorem 79.4 $G'$ is a PRG. Applying Lemma 80.5 to $G'$ shows that $G$ also is a PRG. See Fig. 82.8.

Figure 82.8: Illustration of a PRG based on a one-way permutation $f$ and its hard-core bit $h$: the chain $s \to f(s) \to f^{(2)}(s) \to \dots$ with output bits $b_0 = h(s)$, $b_1 = h(f(s))$, $b_2 = h(f^{(2)}(s))$, and so on.

Note that the above PRG can be computed in an “on-line” fashion. Namely, we only need to remember $x_i$ to compute the continuation of the output. This makes it possible to compute an arbitrarily long pseudo-random sequence using only a short seed of a fixed length. (In other words, we do not need to know an upper bound on the length of the output when starting to generate the pseudo-random sequence.)

Furthermore, note that the PRG construction can be easily adapted to work also with a collection of OWPs, and not just a single OWP. If $\{f_i\}$ is a collection of OWPs, simply consider $G$ defined as follows:

$$G(r_1, r_2) = h_i(f_i(x)) \| h_i(f_i^{(2)}(x)) \| \dots$$

where $r_1$ is used to sample $i$ and $r_2$ is used to sample $x$.

3.3.6 Concrete examples of PRGs

By using our concrete candidates of OWP (and their corresponding hard-core bits), we get the following concrete instantiations of PRGs.

Modular Exponentiation (Blum-Micali PRG)

• Use the seed to generate $p, g, x$ where $p$ is a prime of the form $2q+1$ and $q$ is also prime, $g$ is a generator for $\mathbb{Z}_p^*$, and $x \in \mathbb{Z}_p$.

• Output $\mathrm{half}_{p-1}(x) \| \mathrm{half}_{p-1}(g^x \bmod p) \| \mathrm{half}_{p-1}(g^{g^x} \bmod p) \| \cdots$
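The following Python is an added example, not from the textbook, that puts Lemma 80.5, Corollary 81.7, the on-line remark and the Blum-Micali instantiation above together in one piece of code. It assumes the seed has already produced the public parameters $p$ and $g$ (the values used here are small constructed ones; a real instance needs a large safe prime) and takes $x$ as the seed; `blum_micali_step` is the one-bit PRG $G(x) = f(x) \| h(x)$ of Theorem 79.4 with $f(x) = g^x \bmod p$ and $h = \mathrm{half}_{p-1}$, `expand` is the generic $G'$ of Lemma 80.5, and `online_bits` is the on-line form that remembers only the current $X_i$. All function names are chosen here.

```python
# Added example (not from the textbook): the generic expansion G' of
# Lemma 80.5 driven by the one-bit PRG G(x) = f(x) || h(x) of Theorem 79.4,
# instantiated with the Blum-Micali choice f(x) = g^x mod p, h = half_{p-1}.
# The parameters p and g used below are small constructed values; they
# illustrate the shape of the construction, not a secure instance.
from typing import Callable, Iterator, List, Tuple

# G maps a state to (next state, one output bit): X_{i+1} || b_{i+1} <- G(X_i)
OneBitPRG = Callable[[int], Tuple[int, int]]


def half(x: int, n: int) -> int:
    """half_n(x) = 1 iff 0 <= x <= n/2 (the hard-core predicate of Section 3.3.3)."""
    return 1 if 0 <= 2 * x <= n else 0


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(p: int) -> bool:
    """p = 2q + 1 with both p and q prime."""
    return p % 2 == 1 and is_prime(p) and is_prime((p - 1) // 2)


def is_generator(g: int, p: int) -> bool:
    """For a safe prime p, g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return 1 < g < p and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def blum_micali_step(p: int, g: int) -> OneBitPRG:
    """One-bit PRG G(x) = f(x) || h(x) with f(x) = g^x mod p and h = half_{p-1}."""
    if not (is_safe_prime(p) and is_generator(g, p)):
        raise ValueError("need a safe prime p and a generator g of Z_p^*")

    def G(x: int) -> Tuple[int, int]:
        return pow(g, x, p), half(x, p - 1)

    return G


def expand(G: OneBitPRG, seed: int, ell: int) -> List[int]:
    """Lemma 80.5: G'(s) = b_1 ... b_ell where X_0 = s and X_{i+1} || b_{i+1} <- G(X_i).

    With the Blum-Micali step this is exactly Corollary 81.7's
    h(x) || h(f(x)) || h(f^(2)(x)) || ... truncated to ell bits.
    """
    bits = []
    x = seed
    for _ in range(ell):
        x, b = G(x)
        bits.append(b)
    return bits


def online_bits(G: OneBitPRG, seed: int) -> Iterator[int]:
    """On-line form: only the current X_i is kept, so no output bound is needed."""
    x = seed
    while True:
        x, b = G(x)
        yield b


def bits_to_bytes(bits: List[int]) -> bytes:
    """Pack bits MSB-first into bytes (length must be a multiple of 8)."""
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    P, GEN = 1019, 2          # constructed toy safe prime and generator of Z_p^*
    G = blum_micali_step(P, GEN)
    stream = expand(G, seed=123, ell=64)
    print(bits_to_bytes(stream).hex())
    gen = online_bits(G, 123)
    assert [next(gen) for _ in range(64)] == stream
```

For $p = 23$, $g = 5$ and seed 7 the state cycles $7 \to 17 \to 15 \to 19 \to 7$, so the output bits $1000\,1000\ldots$ repeat with period 4; this is why such parameters only illustrate the shape of the construction, and why the instantiation is only meaningful at sizes where the DL assumption holds.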
