pseudo entropy and pseudorandom generators
play

Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv - PowerPoint PPT Presentation

Dec 25, 2023 •179 likes •1.42k views

Application of Information Theory, Lecture 11 Pseudo-Entropy and Pseudorandom Generators Iftach Haitner Tel Aviv University. January 6, 2015 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 1 / 23 Part I

  1. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  2. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  3. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? HW. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  4. Encryption schemes Definition 1 A pair of algorithms ( E , D ) is (perfectly correct) encryption scheme, if for any k ∈ { 0 , 1 } n and m ∈ { 0 , 1 } ℓ , it holds that D ( k , E ( k , m )) = m ◮ What security should we ask from such scheme? ◮ Perfect secrecy: E K ( m ) ≡ E K ( m ′ ) , for any m , m ′ ∈ { 0 , 1 } ℓ and K ∼ { 0 , 1 } n , letting E k ( x ) := E ( k , x ) . ◮ Theorem (Shannon): Perfect secrecy implies n ≥ ℓ . ◮ Is is bad? Is it optimal? ◮ Proof : Let M ∼ { 0 , 1 } n . ◮ Perfect secrecy = ⇒ H ( M , E K ( M )) = H ( M , E K ( 0 ℓ )) ⇒ H ( M | E K ( M )) = H ( M , E K ( M )) − H ( E K ( M )) = H ( M | E K ( 0 ℓ )) = n = ◮ ◮ Perfect correctness = ⇒ H ( M | E K ( M ) , K ) = 0 = ⇒ H ( M | E K ( M )) ≤ H ( M , K | E K ( M )) ≤ H ( K | E K ( M )) + 0 ≤ H ( K ) ◮ = ⇒ n ≤ ℓ . ◮ ◮ Statistical security? HW. Computational security? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 3 / 23

  5. Part II Statistical Vs. Computational distance Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 4 / 23

  6. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  7. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Claim 2 For any pair of (finite) distributions P and Q , it holds that D { ∆ D ( P , Q ) := Pr SD ( P , Q ) = max x ←P [ D ( x ) = 1 ] − Pr x ←Q [ D ( x ) = 1 ] } , where D is any algorithm. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  8. Distributions and statistical distance Let P and Q be two distributions over a finite set U . Their statistical distance (also known as, variation distance) is defined as SD ( P , Q ) := 1 � |P ( x ) − Q ( x ) | = max S⊆U ( P ( S ) − Q ( S )) 2 x ∈U We will only consider finite distributions. Claim 2 For any pair of (finite) distributions P and Q , it holds that D { ∆ D ( P , Q ) := Pr SD ( P , Q ) = max x ←P [ D ( x ) = 1 ] − Pr x ←Q [ D ( x ) = 1 ] } , where D is any algorithm. Let P , Q , R be finite distributions, then Triangle inequality: SD ( P , R ) ≤ SD ( P , Q ) + SD ( Q , R ) Repeated sampling: SD ( P 2 = ( P , P ) , Q 2 = ( Q , Q )) ≤ 2 · SD ( P , Q ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 5 / 23

  9. Section 1 Computational Indistinguishability Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 6 / 23

  10. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  11. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  12. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  13. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  14. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” ◮ Can it be different from the statistical case? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  15. Computational indistinguishability Definition 3 (computational indistinguishability) P and Q are ( s , ε ) -indistinguishable, if ∆ D P , Q ≤ ε , for any s -size D. ◮ Adversaries are circuits (possibly randomized) ◮ ( ∞ , ε ) -indistinguishable is equivalent to statistical distance ε ◮ We sometimes think of s = n ω ( 1 ) and ε = 1 / s , where n is the “security parameter” ◮ Can it be different from the statistical case? ◮ Unless said otherwise, distributions are over { 0 , 1 } n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 7 / 23

  16. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  17. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  18. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  19. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  20. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  21. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) ◮ So either ∆ D ( P 2 , ( P , Q )) ≥ ε ′ / 2, or ∆ D (( P , Q ) , Q 2 ) ≥ ε ′ / 2 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  22. Repeated sampling Question 4 Assume P and Q are ( s , ε ) -indistinguishable, what about P 2 and Q 2 ? ◮ Let D be an s ′ -size algorithm with ∆ D ( P 2 , Q 2 ) = ε ′ ε ′ = x ←P 2 [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ] Pr = ( Pr x ←P 2 [ D ( x ) = 1 ] − x ← ( P , Q ) [ D ( x ) = 1 ]) Pr + ( x ← ( P , Q ) [ D ( x ) = 1 ] − Pr x ←Q 2 [ D ( x ) = 1 ]) Pr = ∆ D ( P 2 , ( P , Q )) + ∆ D (( P , Q ) , Q 2 ) ◮ So either ∆ D ( P 2 , ( P , Q )) ≥ ε ′ / 2, or ∆ D (( P , Q ) , Q 2 ) ≥ ε ′ / 2 ◮ Hence, ε ′ < 2 ε implies s ′ ≥ s − n . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 8 / 23

  23. Repeated sampling cont. What about P k and Q k ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  24. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  25. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  26. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  27. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  28. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  29. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] Pr − Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  30. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] Pr − Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  31. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  32. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  33. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ ◮ Thus, ε ′ ≤ k ε implies s ′ > s − kn Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  34. Repeated sampling cont. What about P k and Q k ? Claim 5 Assume P and Q are ( s , ε ) -indistinguishable, then P k and Q k are ( s − kn , k ε ) -indistinguishable. Proof : ? ◮ For i ∈ { 0 , . . . , k } , let H i = ( P 1 , . . . , P i , Q i + 1 , . . . , Q k ) , where the P i ’s are iid ∼ P and the Q i ’s are iid ∼ Q . (hybrids) ◮ Let D be a s ′ -size algorithm with ∆ D ( P k , Q k ) = ε ′ ◮ ε ′ = Pr � D ( H k ) = 1 � � D ( H 0 ) = 1 � − Pr . ◮ ε ′ = � � D ( H i ) = 1 � � D ( H i − 1 ) = 1 � i ∈ [ k ] ∆ D ( H i , H i − 1 ) i ∈ [ k ] Pr − Pr = � ⇒ ∃ i ∈ [ k ] with ∆ D ( H i , H i − 1 ) ≥ ε ′ / k . = ◮ ◮ Thus, ε ′ ≤ k ε implies s ′ > s − kn ◮ When considering bounded time algorithms, things behaves very differently! Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 9 / 23

  35. Part III Pseudorandom Generators Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 10 / 23

  36. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  37. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  38. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  39. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  40. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  41. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  42. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  43. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  44. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context ◮ Do such generators exist? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  45. Pseudorandom generator Definition 6 (pseudorandom distributions) A distribution P over { 0 , 1 } n is ( s , ε ) -pseudorandom, if it is ( s , ε ) -indistinguishable from U n . ◮ Do such distributions exit for interesting ( s , ε ) Definition 7 (pseudorandom generators (PRGs)) A poly-time computable function g : { 0 , 1 } n �→ { 0 , 1 } ℓ ( n ) is a ( s , ε ) -pseudorandom generator, if for any n ∈ N ◮ g is length extending (i.e., ℓ ( n ) > n ) ◮ g ( U n ) is ( s ( n ) , ε ( n )) -pseudorandom ◮ We omit the “security parameter", i.e., n , when its value is clear from the context ◮ Do such generators exist? ◮ Applications? Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 11 / 23

  46. Section 2 Pseudorandom generators (PRGs) from One-Way Permutations (OWPs) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 12 / 23

  47. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  48. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  49. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  50. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  51. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  52. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  53. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  54. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  55. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] = 1 2 ( δ + ε ′ ) + 1 2 · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  56. OWP to PRG Claim 8 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a poly-time permutation and let b : { 0 , 1 } n �→ { 0 , 1 } be a poly-time ( s , ε ) -hardcore predicate of f , then g ( x ) = ( f ( x ) , b ( x )) is a ( s − O ( n ) , ε ) -PRG. ◮ Hence, OWP = ⇒ PRG ◮ Proof : Let D be an s ′ -size algorithm with ∆ D ( g ( U n ) , U n + 1 ) = ε ′ , we will show ∃ ( s ′ + O ( n )) -size P with Pr [ P ( f ( U n )) = b ( U n )] = 1 2 + ε ′ . ◮ Let δ = Pr [ D ( U n + 1 ) = 1 ] (hence, Pr [ D ( g ( U n )) = 1 ] = δ + ε ′ ) ◮ Compute δ = Pr [ D ( f ( U n ) , U 1 ) = 1 ] ( f is a permuation) = Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] + Pr [ U 1 = b ( U n )] · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] = 1 2 ( δ + ε ′ ) + 1 2 · Pr [ D ( f ( U n ) , U 1 ) = 1 | U 1 = b ( U n )] . � � ◮ Hence, Pr = δ − ε ′ D ( f ( U n ) , b ( U n )) = 1 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 13 / 23

  57. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  58. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  59. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . ◮ It follows that Pr [ P ( f ( U n )) = b ( U n )] = Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 1 | c = b ( U n )] + Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 0 | c = b ( U n )] Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  60. OWP to PRG cont. ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ + ε ′ ◮ Pr [ D ( f ( U n ) , b ( U n )) = 1 ] = δ − ε ′ Algorithm 9 ( P ) Input: y ∈ { 0 , 1 } n 1. Flip a random coin c ← { 0 , 1 } . 2. If D ( y , c ) = 1 output c , otherwise, output c . ◮ It follows that Pr [ P ( f ( U n )) = b ( U n )] = Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 1 | c = b ( U n )] + Pr [ c = b ( U n )] · Pr [ D ( f ( U n ) , c ) = 0 | c = b ( U n )] = 1 2 · ( δ + ε ′ ) + 1 2 ( 1 − δ + ε ′ ) = 1 2 + ε ′ . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 14 / 23

  61. Part IV PRG from Regular OWF Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 15 / 23

  62. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  63. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  64. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  65. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  66. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity ◮ Ensembles Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  67. Computational notions of entropy Definition 10 X has ( s , ε ) -pseudoentropy at least k , if ∃ rv Y with H ( Y ) ≥ k and ∆ D ( X , Y ) ≤ ε for any s -size D. ( s , ε ) -pseudo min/Reiny -entropy are analogously defined. ◮ Example ◮ Repeated sampling ◮ Non-monotonicity ◮ Ensembles ◮ In the following we will simply write ( s , ε ) -entropy, etc Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 16 / 23

  68. High entropy OWF from regular OWF Claim 11 Let f : { 0 , 1 } n �→ { 0 , 1 } n be a 2 k -regular ( s , ε ) -one-way, let H = { h : { 0 , 1 } n �→ { 0 , 1 } k + 2 } be 2-universal family, and let g ( h , x ) = ( f ( x ) , h , h ( x )) . Then 1. H 2 ( g ( U n , H )) ≥ 2 n − 1 2 , for H ← H . 2. g is (Θ( s ε 2 ) , 2 ε ) -one-way. ◮ k and m and H are parameterized by of n ◮ We assume log |H| = n and s ≥ n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 17 / 23

  69. g has high Renyi entropy Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  70. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  71. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  72. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  73. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  74. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  75. g has high Renyi entropy w , w ′ ←{ 0 , 1 } n ×H [ g ( w ) = g ( w ′ )] CP ( g ( U n , H )) := Pr h , h ′ ←H [ h = h ′ ] · ( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ f ( x ) = f ( x ′ )] = Pr Pr h ←H ;( x , x ′ ) ← ( { 0 , 1 } n ) 2 [ h ( x ) = h ( x ′ ) | f ( x ) = f ( x ′ )] · Pr = CP ( H ) · CP ( f ( U n )) · ( 2 − k + ( 1 − 2 − k ) · 2 − k − 2 ) ≤ CP ( H ) · CP ( f ( U n )) · 2 − k · 4 3 = 2 − n · 2 − n · 4 3 . Hence, H 2 ( g ( U n , H )) ≥ 2 n + log 3 4 ≥ 2 n − 1 2 . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 18 / 23

  76. g is one-way Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  77. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  78. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  79. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . ◮ B’s size is (( s ′ + O ( n )) · 2 2 log ε ′ + 2 = Θ( s ′ /ε 2 ) 1 Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  80. g is one-way Let A be an s ′ -size algorithm that inverts g w.p ε ′ and let ℓ = k − 2 log 1 � � . ε ′ Consider the following inverter for f Algorithm 12 ( B ) Input: y ∈ { 0 , 1 } n . Return D ( y , h , z ) , for h ← H and z ← { 0 , 1 } ℓ . Algorithm 13 ( D ) Input: y ∈ { 0 , 1 } n , h ∈ H and z 1 ∈ { 0 , 1 } ℓ . For all z 2 ∈ { 0 , 1 } k + 2 − ℓ : 1. Let ( x , h ) = A ( y , h , z 1 ◦ z 2 ) . 2. If f ( x ) = y , return x . ◮ B’s size is (( s ′ + O ( n )) · 2 2 log ε ′ + 2 = Θ( s ′ /ε 2 ) 1 D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ ◮ Pr x ←{ 0 , 1 } n ; h ←H � � Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 19 / 23

  81. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

  82. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H By the leftover hash lemma SD (( f ( x ) , h , h ( x ) 1 ,...,ℓ ) x ←{ 0 , 1 } , h ←H , ( f ( x ) , h , U ℓ ) x ←{ 0 , 1 } , h ←H ) ≤ ε ′ / 2 (2) Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

  83. g is one-way, cont. We saw that D ( f ( x ) , h , h ( x ) 1 ,...,ℓ ) ∈ f − 1 ( f ( x )) = ε ′ � � Pr (1) x ←{ 0 , 1 } n ; h ←H By the leftover hash lemma SD (( f ( x ) , h , h ( x ) 1 ,...,ℓ ) x ←{ 0 , 1 } , h ←H , ( f ( x ) , h , U ℓ ) x ←{ 0 , 1 } , h ←H ) ≤ ε ′ / 2 (2) Hence, ≥ ε ′ − ε ′ / 2 = ε ′ / 2 . B ( f ( x )) ∈ f − 1 ( f ( x )) � � Pr x ←{ 0 , 1 } n Iftach Haitner (TAU) Application of Information Theory, Lecture 11 January 6, 2015 20 / 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009

Pseudorandom generators hard for propositional proof systems Markus Latte April 3 and 4, 2009 JASS09 Sankt Peterburg Pseudorandom Generators in Complexity Theory Informally, a pseudorandom generator is a (computable) function G n : { 0 , 1 }

624 views • 49 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects:

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 1: Pseudorandom objects: examples and constructions David Xiao LIAFA CNRS, Universit Paris 7 Plan Today: examples of pseudorandom objects Expander graphs

403 views • 17 slides
Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego)

Pseudorandom generators from polarizing random walks Ka Kaave Ho Hossei eini (UC San Diego) Eshan Chattopadhyay (IAS Cornell) Pooya Hatami (UT Austin Ohio State) Shachar Lovett (UC San Diego) Outline Introduce Pseudorandom generators

1.41k views • 88 slides
Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William

Targeted Pseudorandom Generators, Simulation Advice Generators, and Derandomizing Logspace William M. Hoza 1 Chris Umans 2 October 10, 2016 Dagstuhl Seminar 16411 1 University of Texas at Austin 2 California Institute of Technology ?

1.67k views • 130 slides
Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and

Extractors and Pseudorandom Generators Luca Trevisan Columbia University Extractors and Pseudorandom Generators 1 Contents We present a new approach to construct extractors. Extractors transform a weakly random (realistic)

391 views • 27 slides
Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re

Part II: Pseudorandom Correlation Generators What are they? How can we build them? Re Recall: : Succinct Secure Computation from HSS x Exchange additive Eval C Share output shares y 0 w 0 = C(x,x) w + w 1 y 1 Eval C x

638 views • 44 slides
Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in

Pseudorandom Objects and Generators Journes ALEA 2012 Lecture 2: Pseudorandomness in Algorithms and Complexity David Xiao LIAFA CNRS, Universit Paris 7 Example: Polynomial Identity Testing Given multi-variate polynomial p Z[x 1

259 views • 21 slides
Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters

Pseudorandom Generators from Regular One-way Functions: New Constructions with Improved Parameters Yu Yu Joint work with Xiangxue Li and Jian Weng Asiacrypt 2013 One-way Functions One-way functions are an ensemble of functions ( ) n l

214 views • 20 slides
Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya

Simple and Efficient Pseudorandom generators from Gaussian Processes Eshan Chattopadhyay Anindya De Rocco Servedio Cornell U Penn Columbia Halfspaces (aka LTFs) + + + -- + + + -- + -- + -- -- -- + + + -- + + -- -- +

421 views • 29 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin BIRS Workshop 19w5088 July 8, 2019 1Supported by NSF Grant

1.69k views • 139 slides
Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya

Near-Optimal Pseudorandom Generators for Constant-Depth Read-Once Formulas Dean Doron 1 Pooya Hatami 2 William M. Hoza 3 UT Austin Stanford UT Austin Ohio State UT Austin July 19 CCC 2019 1Supported by NSF Grant CCF-1705028 2Supported

1.08k views • 105 slides
ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado

Pseudo Random Number Generators ECEN 5022 Cryptography Pseudo Random Number Generators Peter Mathys University of Colorado Spring 2008 Peter Mathys ECEN 5022 Cryptography Pseudo Random Number Generators Random Number Generation Random

352 views • 14 slides
Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and

Why do we need random numbers? Simulation Sampling Numerical analysis Pseudo-Random Generators Computer programming (e.g. randomized algorithm) Elementary and critical element in many cryptographic protocols Usually:

157 views • 5 slides
Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols

Symbolic Encryption with Pseudorandom Keys Daniele Micciancio (UCSD) Cryptographic Protocols Often make use of several basic crypto ops: (Enc) Encryption: E(k,m) (PRG) Pseudorandom generators: G(k) Protocol should be secure for

433 views • 24 slides
Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale

Security of Pseudo-Random Number Generators With Input Damien Vergnaud cole normale suprieure INRIA PSL wr0ng April, 30th 2017 (with Yevgeniy Dodis, David Pointcheval, Sylvain Ruhault &amp; Daniel Wichs) Damien Vergnaud (ENS)

694 views • 57 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
Pseudo Bayesian inference for intensity-dependent point processes Kasper K. Berthelsen 1 1

Pseudo Bayesian inference for intensity-dependent point processes Kasper K. Berthelsen 1 1

Pseudo Bayesian inference for intensity-dependent point processes Kasper K. Berthelsen 1 1 Department of Mathematical Sciences Aalborg University Joint work with Mari Myllym aki Avignon, May 2012 1/35 Pseudo Bayesian inference for

510 views • 35 slides
Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/

Overview The Result The Technique Example Conclusion Short Bases of Lattices over Number Fields Claus Fieker Damien Stehl e University of Sydney/ Magma LIP CNRS/ENSL/U. Lyon/INRIA/UCBL ANTS-IX, July 2010 Overview The Result The

387 views • 19 slides
for Planted Clique Part II Lecture Outline Part I: Relaxed k-clique Equations and Theorem

for Planted Clique Part II Lecture Outline Part I: Relaxed k-clique Equations and Theorem

Lecture 13: SOS Lower Bounds for Planted Clique Part II Lecture Outline Part I: Relaxed k-clique Equations and Theorem Statement Part II: Pseudo-Calibration/Moment Matching Part III: Decomposition of Graph Matrices via Minimum Vertex

815 views • 57 slides
Efficient Clause Learning for Quantified Boolean Formulas via QBF Pseudo Unit Propagation Florian

Efficient Clause Learning for Quantified Boolean Formulas via QBF Pseudo Unit Propagation Florian

Efficient Clause Learning for Quantified Boolean Formulas via QBF Pseudo Unit Propagation Florian Lonsing 1 Uwe Egly 1 Allen Van Gelder 2 1 Vienna University of Technology http://www.kr.tuwien.ac.at/staff/{egly,lonsing} 2 University of California

783 views • 41 slides
Boolean Satisfiability Example problem instance Naive algorithm pseudocode example Ari

Boolean Satisfiability Example problem instance Naive algorithm pseudocode example Ari

Boolean Satisfiability Ari Mermelstein (with advisement from Professor Gu) Statement of the Problem Boolean Satisfiability Example problem instance Naive algorithm pseudocode example Ari Mermelstein (with advisement from Professor Gu)

655 views • 24 slides
Timeline-based Planning and Execution: Theory and Practice - PLATINUm - A Novel framework for PL

Timeline-based Planning and Execution: Theory and Practice - PLATINUm - A Novel framework for PL

Timeline-based Planning and Execution: Theory and Practice - PLATINUm - A Novel framework for PL anning and A cting with TI meli N es under U ncertainty Alessandro Umbrico National Research Council of Italy (ISTC-CNR) Outline p General

400 views • 38 slides
SilverLine: Data and Network Isolation for Cloud Services Yogesh Mundada Anirudh Ramachandran

SilverLine: Data and Network Isolation for Cloud Services Yogesh Mundada Anirudh Ramachandran

SilverLine: Data and Network Isolation for Cloud Services Yogesh Mundada Anirudh Ramachandran Nick Feamster 1 Cloud Computing Advantages Reduced operational costs Reduced management overhead Easier resources scaling Lowers

543 views • 19 slides
Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint

Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint

Formal verification of an implementation of CRT-RSA Vigilants algorithm Maria CHRISTOFI Joint work with Boutheina CHETALI, Louis GOUBIN and David VIGILANT PROOFS 2012, September 13 th 2012 Introduction Implementations of cryptosystems can

612 views • 29 slides

More recommend