pseudo entropy and pseudorandom generators
play

Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv - PowerPoint PPT Presentation

Dec 25, 2023 •179 likes •1.42k views

Application of Information Theory, Lecture 11 Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 1 / 23 Part I

  1. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  2. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  3. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? HW. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  4. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? HW. Computational security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  5. Part II Statistical Vs. Computational distance Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 4 / 23

  6. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  7. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Claim 2 For any pair of (finite) distributions P and Q , it holds that D { ∆ D ( P , Q ) := Pr SD ( P , Q ) = max x ←P [ D ( x ) = 1 ] − Pr x ←Q [ D ( x ) = 1 ] } , where D is any algorithm. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  8. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Claim 2 For any pair of (finite) distributions P and Q , it holds that D { ∆ D ( P , Q ) := Pr SD ( P , Q ) = max x ←P [ D ( x ) = 1 ] − Pr x ←Q [ D ( x ) = 1 ] } , where D is any algorithm. Let P , Q , R be finite distributions, then Triangle inequality: SD ( P , R ) ≤ SD ( P , Q ) + SD ( Q , R ) Repeated sampling: SD ( P 2 = ( P , P ) , Q 2 = ( Q , Q )) ≤ 2 · SD ( P , Q ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  9. Section 1 Computational Indistinguishability Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 6 / 23

  10. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  11. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  12. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  13. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  14. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” ◮ Can it be different from the statistical case? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  15. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” ◮ Can it be different from the statistical case? ◮ Unless said otherwise, distributions are over { 0 , 1 } n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  16. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  17. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  18. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  19. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  20. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  21. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) ◮ So either ∆ D ( P 2 , ( P , Q )) ≥ ε ′ / 2, or ∆ D (( P , Q ) , Q 2 ) ≥ ε ′ / 2 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  22. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) ◮ So either ∆ D ( P 2 , ( P , Q )) ≥ ε ′ / 2, or ∆ D (( P , Q ) , Q 2 ) ≥ ε ′ / 2 ◮ Hence, ε ′ < 2 ε implies s ′ ≥ s − n . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  23. Repeated sampling cont. What about P k and Q k ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  24. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  25. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  26. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  27. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  28. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  29. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] Pr − Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  30. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] Pr − Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  31. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  32. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  33. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ ◮ Thus, ε ′ ≤ k ε implies s ′ > s − kn Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  34. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ ◮ Thus, ε ′ ≤ k ε implies s ′ > s − kn ◮ When considering bounded time algorithms, things behaves very differently! Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  35. Part III Pseudorandom Generators Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 10 / 23

  36. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  37. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  38. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  39. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  40. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  41. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  42. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  43. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  44. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context ◮ Do such generators exist? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  45. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context ◮ Do such generators exist? ◮ Applications? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  46. Section 2 Pseudorandom generators (PRGs) from One-Way Permutations (OWPs) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 12 / 23

  47. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  48. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  49. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  50. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  51. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  52. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  53. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  54. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  55. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] = 1 2 ( δ + ε ′ ) + 1 2 · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  56. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] = 1 2 ( δ + ε ′ ) + 1 2 · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] . � � ◮ Hence, Pr = δ − ε ′ D ( f ( U n ) , b ( U n )) = 1 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  57. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  58. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  59. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . ◮ It follows that Pr [ P ( f ( U n )) = b ( U n )] = Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 1 | c = b ( U n )] + Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 0 | c = b ( U n )] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  60. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . ◮ It follows that Pr [ P ( f ( U n )) = b ( U n )] = Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 1 | c = b ( U n )] + Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 0 | c = b ( U n )] = 1 2 · ( δ + ε ′ ) + 1 2 ( 1 − δ + ε ′ ) = 1 2 + ε ′ . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  61. Part IV PRG from Regular OWF Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 15 / 23

  62. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  63. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  64. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  65. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  66. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity ◮ Ensembles Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  67. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity ◮ Ensembles ◮ In the following we will simply write ( s , ε ) -entropy, etc Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  68. High entropy OWF from regular OWF Claim 11 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a 2 k -regular ( s , ε ) -one-way, let H = { h : { 0 , 1 } n �→ { 0 , 1 } k + 2 } be 2-universal family, and let g ( h , x ) = ( f ( x ) , h , h ( x )) . Then 1. H 2 ( g ( U n , H )) ≥ 2 n − 1 2 , for H ← H . 2. g is (Θ( s ε 2 ) , 2 ε ) -one-way. ◮ k and m and H are parameterized by of n ◮ We assume log |H| = n and s ≥ n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 17 / 23

  69. g has high Renyi entropy Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  70. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  71. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  72. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  73. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  74. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  75. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Hence, H 2 ( g ( U n , H )) ≥ 2 n + log 3 4 ≥ 2 n − 1 2 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  76. g is one-way Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  77. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  78. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  79. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . ◮ B’s size is (( s ′ + O ( n )) · 2 2 log ε ′ + 2 = Θ( s ′ /ε 2 ) 1 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  80. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . ◮ B’s size is (( s ′ + O ( n )) · 2 2 log ε ′ + 2 = Θ( s ′ /ε 2 ) 1 D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ ◮ Pr x ←{ 0 , 1 } n ; h ←H � � Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  81. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

  82. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H By the leftover hash lemma SD (( f ( x ) , h , h ( x ) 1 ,...,ℓ ) x ←{ 0 , 1 } , h ←H , ( f ( x ) , h , U ℓ ) x ←{ 0 , 1 } , h ←H ) ≤ ε ′ / 2 (2) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

  83. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H By the leftover hash lemma SD (( f ( x ) , h , h ( x ) 1 ,...,ℓ ) x ←{ 0 , 1 } , h ←H , ( f ( x ) , h , U ℓ ) x ←{ 0 , 1 } , h ←H ) ≤ ε ′ / 2 (2) Hence, ≥ ε ′ − ε ′ / 2 = ε ′ / 2 . B ( f ( x )) ∈ f − 1 ( f ( x )) � � Pr x ←{ 0 , 1 } n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

Recommend

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William M. Hoza 1 Chris Umans 2 October 10, 2016 Dagstuhl Seminar 16411 1 University of Texas at Austin 2 California Institute of Technology ?

1.67k views • 130 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re Recall: : Succinct Secure Computation from HSS x Exchange additive Eval C Share output shares y 0 w 0 = C(x,x) w + w 1 y 1 Eval C x

638 views • 44 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in Algorithms and Complexity David Xiao LIAFA CNRS, Universit Paris 7 Example: Polynomial Identity Testing Given multi-variate polynomial p Z[x 1

259 views • 21 slides
Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters Yu Yu Joint work with Xiangxue Li and Jian Weng Asiacrypt 2013 One-way Functions One-way functions are an ensemble of functions ( ) n l

214 views • 20 slides
Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya De Rocco Servedio Cornell U Penn Columbia Halfspaces (aka LTFs) + + + -- + + + -- + -- + -- -- -- + + + -- + + -- -- +

421 views • 29 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin BIRS Workshop 19w5088 July 8, 2019 1Supported by NSF Grant

1.69k views • 139 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin July 19 CCC 2019 1Supported by NSF Grant CCF-1705028 2Supported

1.08k views • 105 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault &amp; Daniel Wichs) Damien Vergnaud (ENS)

694 views • 57 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante March 9, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

684 views • 55 slides
Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random

Introduction to Pseudo-Random Number Generators Nicola Gigante December 21, 2016 Why random numbers? Lifes most important questions are, for the most part, nothing but probability problems. Pierre-Simon de Laplace 2 Why random numbers?

1.37k views • 63 slides
Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of

Pseudo-random Functions Debdeep Mukhopadhyay IIT Kharagpur We have seen the construction of PRG (pseudo-random generators) being constructed from any one-way functions. Now we shall consider a related concept: Pseudo-random

829 views • 15 slides
Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg

Pseudo-Random Number Generators Functional Programming and Intelligent Algorithms Prof Hans Georg Schaathun Hgskolen i lesund 14th February 2017 1 Randomness 1. What is randomness? 2 Randomness 1. What is randomness? 2. How do we

590 views • 22 slides
Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel

Foundation of Cryptography (0368-4162-01), Lecture 2 Pseudorandom Generators Iftach Haitner, Tel Aviv University Tel Aviv University. February 25, 2014 Iftach Haitner (TAU) Foundation of Cryptography February 25, 2014 1 / 26 Part I

1.38k views • 76 slides
Evaluating Entropy for True Random Number Generators orski 1 Maciej Sk IST Austria WR0NG 2017,

Evaluating Entropy for True Random Number Generators orski 1 Maciej Sk IST Austria WR0NG 2017,

Evaluating Entropy for True Random Number Generators orski 1 Maciej Sk IST Austria WR0NG 2017, 30th April, Paris 1 Supported by the European Research Council consolidator grant (682815-TOCNeT) Maciej Sk orski (IST Austria) Evaluating

655 views • 49 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast

Motivation Standard PRNG Stateful PRNG PRNG with input Conclusion SoK: Security Models for Pseudo-Random Number Generators Sylvain Ruhault March 8 th , Tokyo, Fast Software Encryption 2017 1 / 18 Motivation Standard PRNG Stateful PRNG

266 views • 26 slides

More recommend