Pseudo-Randomness
if $g = 1$ then Output $u_{i+1}$
else Output $\bar{u}_{i+1} = 1 - u_{i+1}$
end if

Note that
$$\Pr\big[t \leftarrow X_n : A'(1^n, t_1 \ldots t_i) = t_{i+1}\big] = \Pr\big[b \leftarrow \{0,1\};\ t \leftarrow H_n^{i+1,b} : A(t) = 1\big] > \frac{1}{2} + \frac{1}{p(n)\,\ell(n)},$$
which concludes the proof of Theorem 75.4.
3.3 Pseudo-random generators
We now turn to definitions and constructions of pseudo-random generators.
3.3.1 Definition of a Pseudo-random Generator
Definition 77.1 (Pseudo-random Generator). A function $G : \{0,1\}^* \to \{0,1\}^*$ is a Pseudo-random Generator (PRG) if the following holds.
1. (efficiency): $G$ can be computed in p.p.t.
2. (expansion): $|G(x)| > |x|$
3. The ensemble $\{x \leftarrow U_n : G(x)\}_n$ is pseudo-random.
3.3.2 An Initial Construction
To provide some intuition for our construction, we start by considering a simplified construction (originally suggested by Adi Shamir). The basic idea is to iterate a one-way permutation and then output, in reverse order, all the intermediary values. More precisely, let $f$ be a one-way permutation, and define the generator $G(s) = f^n(s) \| f^{n-1}(s) \| \ldots \| f(s) \| s$. We use the $\|$ symbol here to represent string concatenation.
The idea behind the scheme is that given some prefix of the output of the generator, computing the next block is equivalent to inverting the one-way permutation $f$. Indeed, this scheme results in a sequence of unpredictable numbers, but not necessarily unpredictable bits. In particular, a one-way permutation may never “change” the first two bits of its input, and thus those corresponding positions will always be predictable.

Figure 78.2: Shamir’s proposed PRG, $G(s) = f^n(s) \| f^{n-1}(s) \| f^{n-2}(s) \| \ldots \| f(s) \| s$.
The reason we need $f$ to be a permutation, and not a general one-way function, is two-fold. First, we need the domain and range to be the same number of bits. Second, and more importantly, we require that the output of $f^k(x)$ be uniformly distributed if $x$ is uniformly distributed. This holds if $f$ is a permutation, but may not hold for a general one-way function.
As we shall see, this construction can be modified to generate unpredictable bits as well. Doing so requires the new concept of a hard-core bit.
3.3.3 Hard-core bits
Intuitively, a predicate $h$ is hard-core for a OWF $f$ if $h(x)$ cannot be predicted significantly better than with probability 1/2, even given $f(x)$. In other words, although a OWF might leak many bits of its inverse, it does not leak the hard-core bits—in fact, it essentially does not leak anything about the hard-core bits. Thus, hard-core bits are computationally unpredictable.
Definition 78.3 (Hard-core Predicate). A predicate $h : \{0,1\}^* \to \{0,1\}$ is a hard-core predicate for $f(x)$ if $h$ is efficiently computable given $x$, and for all nonuniform p.p.t. adversaries $A$, there exists a negligible $\varepsilon$ so that $\forall n \in \mathbb{N}$
$$\Pr\big[x \leftarrow \{0,1\}^n : A(1^n, f(x)) = h(x)\big] \le \frac{1}{2} + \varepsilon(n).$$
Examples. The least significant bit of the RSA one-way function is known to be hard-core (under the RSA assumption). That is, given $N$, $e$, and $f_{RSA}(x) = x^e \bmod N$, there is no efficient algorithm that predicts $\mathrm{LSB}(x)$. A few other examples include:
• The function $\mathrm{half}_N(x)$, which is equal to 1 iff $0 \le x \le N/2$, is also hard-core for RSA, under the RSA assumption.
• The function $\mathrm{half}_{p-1}(x)$ is a hard-core predicate for exponentiation to the power $x \bmod p$ for a prime $p$, under the DL assumption. (See §3.4.1 for this proof.)
We now show how hard-core predicates can be used to construct a PRG.
3.3.4 Constructions of a PRG
Our idea for constructing a pseudo-random generator builds on Shamir’s construction above that outputs unpredictable numbers.
Instead of outputting all intermediary numbers, however, we only output a “hard-core” bit of each of them. We start by providing a construction of a PRG that only expands the seed by one bit, and then give the full construction in Corollary 81.7.
Theorem 79.4. Let $f$ be a one-way permutation, and $h$ a hard-core predicate for $f$. Then $G(s) = f(s) \| h(s)$ is a PRG.
Proof. Assume for contradiction that there exists a nonuniform p.p.t. adversary $A$ and a polynomial $p(n)$ such that for infinitely many $n$, there exists an $i$ such that $A$ predicts the $i$th bit with probability $1/p(n)$. Since the first $n$ bits of $G(s)$ are a permutation of a uniform distribution (and thus also uniformly distributed), $A$ must predict bit $n+1$ with advantage $1/p(n)$. Formally,
$$\Pr[A(f(s)) = h(s)] > \frac{1}{2} + \frac{1}{p(n)}.$$
This contradicts the assumption that $h$ is hard-core for $f$. We conclude that $G$ is a PRG.
3.3.5 Expansion of a PRG
The construction above from Thm. 79.4 only extends an $n$-bit seed to $n+1$ output bits. The following theorem shows how a PRG that extends the seed by only 1 bit can be used to create a PRG that extends an $n$-bit seed to $\mathrm{poly}(n)$ output bits.
Lemma 80.5. Let $G : \{0,1\}^n \to \{0,1\}^{n+1}$ be a PRG. For any polynomial $\ell$, define $G' : \{0,1\}^n \to \{0,1\}^{\ell(n)}$ as follows (see Fig. 80.6):
$$G'(s) = b_1 \ldots b_{\ell(n)} \quad\text{where } X_0 \leftarrow s,\; X_{i+1} \| b_{i+1} \leftarrow G(X_i).$$
Then $G'$ is a PRG.
Figure 80.6: Illustration of the PRG $G'$ that expands a seed of length $n$ to $\ell(n)$: $X_0 = s$, $G(X_0) = X_1 \| b_1$, $G(X_1) = X_2 \| b_2$, and so on. The function $G$ is a PRG that expands by only 1 bit.
Proof. Consider the following recursive definition of $G'(s) = G^m(s)$:
$$G^0(x) = \varepsilon, \qquad G^i(x) = b \| G^{i-1}(x') \text{ where } x' \| b \leftarrow G(x),$$
where $\varepsilon$ denotes the empty string. Now, assume for contradiction that there exists a distinguisher $D$ and a polynomial $p(\cdot)$ such that for infinitely many $n$, $D$ distinguishes $\{U_{m(n)}\}_n$ and $\{G'(U_n)\}_n$ with probability $1/p(n)$.
Define the hybrid distributions $H^i_n = U_{m(n)-i} \| G^i(U_n)$, for $i = 0, \ldots, m(n)$. Note that $H^0_n = U_{m(n)}$ and $H^{m(n)}_n = G^{m(n)}(U_n)$. Thus, $D$ distinguishes $H^0_n$ and $H^{m(n)}_n$ with probability $1/p(n)$. By the Hybrid Lemma, for each $n$, there exists some $i$ such that $D$ distinguishes $H^i_n$ and $H^{i+1}_n$ with probability $\frac{1}{m(n)\,p(n)}$. Recall that
$$H^i_n = U_{m-i} \| G^i(U_n) = U_{m-i-1} \| U_1 \| G^i(U_n),$$
$$H^{i+1}_n = U_{m-i-1} \| G^{i+1}(U_n) = U_{m-i-1} \| b \| G^i(x) \text{ where } x \| b \leftarrow G(U_n).$$
Consider the n.u. p.p.t. $M(y)$ which outputs from the following experiment:
$b_{prev} \leftarrow U_{m-i-1}$
$b \leftarrow y_1$
$b_{next} \leftarrow G^i(y_2 \ldots y_{n+1})$
Output $b_{prev} \| b \| b_{next}$
Algorithm $M(y)$ is non-uniform because for each input length $n$, it needs to know the appropriate $i$. Note that $M(U_{n+1}) = H^i_n$ and $M(G(U_n)) = H^{i+1}_n$. Since (by the PRG property of $G$) $\{U_{n+1}\}_n \approx \{G(U_n)\}_n$, it follows by closure under efficient operations that $\{H^i_n\}_n \approx \{H^{i+1}_n\}_n$, which is a contradiction.
By combining Theorem 79.4 and Lemma 80.5, we get the final construction of a PRG.
Corollary 81.7. Let $f$ be a OWP and $h$ a hard-core bit for $f$. Then $G(x) = h(x) \| h(f(x)) \| h(f^{(2)}(x)) \| \ldots \| h(f^{\ell(n)}(x))$ is a PRG.
Proof. Let $G'(x) = f(x) \| h(x)$. By Theorem 79.4, $G'$ is a PRG. Applying Lemma 80.5 to $G'$ shows that $G$ also is a PRG. See Fig. 82.8.
Figure 82.8: Illustration of a PRG based on a one-way permutation $f$ and its hard-core bit $h$: the states $s, f(s), f^{(2)}(s), \ldots$ yield the output bits $b_0 = h(s)$, $b_1 = h(f(s))$, $b_2 = h(f^{(2)}(s))$, and so on.
Note that the above PRG can be computed in an “on-line” fashion. Namely, we only need to remember $x_i$ to compute the continuation of the output. This makes it possible to compute an arbitrarily long pseudo-random sequence using only a short seed of a fixed length. (In other words, we do not need to know an upper bound on the length of the output when starting to generate the pseudo-random sequence.)
Furthermore, note that the PRG construction can be easily adapted to work also with a collection of OWPs, and not just a single OWP. If $\{f_i\}$ is a collection of OWPs, simply consider $G$ defined as follows:
$$G(r_1, r_2) = h_i(f_i(x)) \| h_i(f_i^{(2)}(x)) \| \ldots$$
where $r_1$ is used to sample $i$ and $r_2$ is used to sample $x$.
3.3.6 Concrete examples of PRGs
By using our concrete candidates of OWPs (and their corresponding hard-core bits), we get the following concrete instantiations of PRGs.
Modular Exponentiation (Blum-Micali PRG)
• Use the seed to generate $p, g, x$ where $p$ is a prime of the form $2q+1$ and $q$ is also prime, $g$ is a generator for $\mathbb{Z}^*_p$, and $x \in \mathbb{Z}^*_p$.
• Output $\mathrm{half}_{p-1}(x) \| \mathrm{half}_{p-1}(g^x \bmod p) \| \mathrm{half}_{p-1}(g^{g^x} \bmod p) \| \cdots$
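As an added example (not code from the text), the Corollary 81.7 construction $h(x) \| h(f(x)) \| \ldots$ written as an on-line generator and instantiated with the Blum-Micali recipe above, together with a parameter check for the safe-prime and generator conditions. The function names, the toy parameters $p = 23$, $g = 5$, seed $7$, and the definition $\mathrm{half}_{p-1}(x) = 1$ iff $x \le (p-1)/2$ (by analogy with $\mathrm{half}_N$) are assumptions; with such a small $p$ the state cycles after a few steps, which the block makes visible.

```python
"""Corollary 81.7's PRG from a OWP f and hard-core bit h, instantiated as the
Blum-Micali generator of Section 3.3.6.  Assumed (not from the text): the names
below, toy parameters p=23, g=5, seed=7, and half_{p-1}(x) = 1 iff x <= (p-1)/2."""
from itertools import islice
from typing import Callable, Iterator


def iter_prg(f: Callable[[int], int], h: Callable[[int], int], seed: int) -> Iterator[int]:
    """Yield h(x), h(f(x)), h(f^(2)(x)), ... keeping only the current state x_i,
    so the sequence is produced on-line without fixing its length in advance."""
    x = seed
    while True:
        yield h(x)
        x = f(x)


def prg_bits(f: Callable[[int], int], h: Callable[[int], int], seed: int, nbits: int) -> list[int]:
    """First nbits output bits of the Corollary 81.7 generator."""
    return list(islice(iter_prg(f, h, seed), nbits))


def check_blum_micali_params(p: int, g: int) -> bool:
    """Check the page's recipe: p = 2q+1 with p, q prime and g a generator of Z_p^*.
    Trial division is only adequate for toy sizes."""
    def is_prime(n: int) -> bool:
        return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))
    q = (p - 1) // 2
    if p != 2 * q + 1 or not (is_prime(p) and is_prime(q)):
        return False
    # ord(g) divides p-1 = 2q, so g generates Z_p^* iff g^2 != 1 and g^q != 1 (mod p)
    return pow(g, 2, p) != 1 and pow(g, q, p) != 1


def blum_micali(p: int, g: int, seed: int, nbits: int) -> list[int]:
    """half_{p-1}(x) || half_{p-1}(g^x mod p) || half_{p-1}(g^(g^x) mod p) || ..."""
    if not check_blum_micali_params(p, g) or not 1 <= seed < p:
        raise ValueError("need a safe prime p, a generator g and a seed in Z_p^*")
    f = lambda x: pow(g, x, p)                    # modular exponentiation: a OWP on Z_p^*
    h = lambda x: 1 if x <= (p - 1) // 2 else 0   # half_{p-1}, the assumed hard-core bit
    return prg_bits(f, h, seed, nbits)


if __name__ == "__main__":
    # With p = 23 the state x_i cycles after four steps (7 -> 17 -> 15 -> 19 -> 7),
    # which is exactly why toy parameters carry no security.
    print(blum_micali(23, 5, 7, 8))               # -> [1, 0, 0, 0, 1, 0, 0, 0]
```

Because only $x_i$ is kept, restarting `blum_micali` from the state reached after $k$ steps reproduces the continuation of the original output, which is the on-line property noted above.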