CSci 5403 Lecture 15
Provided by: nickh4
Slides: 21

Slide 1
CSci 5403
COMPLEXITY THEORY
LECTURE XXI: FORMAL FOUNDATIONS OF PSEUDORANDOMNESS
Slide 2
PSEUDORANDOM NUMBERS
Where do the random bits in a PPT come from?
  • In C we call rand() to get pseudo-random bits:

    static int x;               /* the current state x_i */
    int rand(void) {
        x = (a * x + b) % p;    /* x_{i+1} = a·x_i + b mod p, for fixed constants a, b, p */
        return x;               /* return x_{i+1} */
    }

  • And we call srand(int x) to set x.
Do these bits look like random bits?
Slide 3
STATISTICAL TESTS
  • A statistical test tries to find something non-random about a sequence of values.
  • e.g. Given m samples x_1, ..., x_m of elements in the range {0, 1, ..., p-1}, count occurrences:

        value | 0  | 1  | 2 | ... | p-1
        seen  | 10 | 12 | 8 | ... | 11

  • If too many (> 2m/p, say) land in any slot, fail; otherwise pass.
  • The χ² test for a random variable.

Slide 4
Definition. A sequence generator is an efficiently computable function that takes a short initial sequence to a longer output sequence.
Example. C's rand() is a linear congruential generator, e.g. it takes x_0 → x_0 x_1 ... x_i ... using the rule x_i = a·x_{i-1} + b mod p.
Example. The repeated squaring generator G_N(x) = b_1 b_2 ... b_l, where x_i = x_{i-1}² mod N, and b_i = x_i mod 2.
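The two generators just defined, run through the slot-count test and a χ² statistic from slide 3, as an added example (not code from the lecture). All parameters (p = 7, a = 3, b = 1, N = 7·11 = 77, the seeds and sample sizes) are small constructed values so the counts can be checked by hand.

```python
# Added example (not from the lecture slides): two toy sequence generators and
# the slot-count / chi-square statistical tests of slide 3. All parameters
# (p, a, b, N, seeds, sample sizes) are constructed values.

def lcg(x0, a, b, p, m):
    """Linear congruential generator x_i = a*x_{i-1} + b mod p; returns x_1..x_m."""
    out, x = [], x0
    for _ in range(m):
        x = (a * x + b) % p
        out.append(x)
    return out

def repeated_squaring(x0, N, l):
    """Repeated squaring generator G_N: x_i = x_{i-1}^2 mod N, b_i = x_i mod 2; returns b_1..b_l."""
    bits, x = [], x0
    for _ in range(l):
        x = (x * x) % N
        bits.append(x % 2)
    return bits

def count_occurrences(samples, p):
    """The 'value / seen' table of slide 3: how often each residue 0..p-1 appears."""
    counts = [0] * p
    for v in samples:
        counts[v] += 1
    return counts

def slot_test(samples, p):
    """Pass iff no residue occurs more than 2m/p times (m = number of samples)."""
    m = len(samples)
    return max(count_occurrences(samples, p)) <= 2 * m / p

def chi_square(samples, p):
    """Pearson chi-square statistic against the uniform distribution on {0,..,p-1}.
    For truly uniform samples its expected value is the degrees of freedom, p-1;
    values far above that mean 'unlikely under uniform'."""
    m = len(samples)
    expected = m / p
    return sum((c - expected) ** 2 / expected for c in count_occurrences(samples, p))

if __name__ == "__main__":
    xs = lcg(0, 3, 1, 7, 60)     # constructed: cycles through 1,4,6,5,2,0 and never outputs 3
    print(count_occurrences(xs, 7), slot_test(xs, 7), round(chi_square(xs, 7), 3))
    stuck = lcg(3, 1, 0, 7, 60)  # constructed: degenerate LCG fixed at 3
    print(count_occurrences(stuck, 7), slot_test(stuck, 7))
    print(repeated_squaring(2, 77, 8))  # constructed: N = 7*11, seed 2
```

The mod-7 LCG passes the slot test even though residue 3 never appears, because no slot is overfull; the χ² statistic (10 for 60 samples, 100 for 600, against roughly 6 expected) grows linearly with the sample size and does flag it. A statistical test finds only the kind of non-randomness it was written to look for, which is the motivation for the adversarial definitions on the following slides.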
Slide 5
APPLICATION: GAME-PLAYING
Paper, Rock, Scissors
If Bob knows Alice will play P, R, or S each with probability 1/3, he should too.
What if Alice uses an LCG (mod 3) to choose her moves?
Random sequences should be unpredictable.
Slide 6
  • Definition. A generator G is ε(n)-unpredictable if for every i ∈ {1, ..., m(n)}, ∀PPT A,
      (Pr[b' = b_i] − ½) / Time_A(n) ≤ ε(n)
    where s ∈R {0,1}^n, b_1 ... b_m = G(s), b' = A(b_1, ..., b_{i-1}).

Challenger                                 Adversary
  s ∈R {0,1}^n
  b_1, b_2, ..., b_{i-1} ← G(s)    →
                                   ←       Guess b'
A wins if b' = b_i.
A's advantage is Pr[b' = b_i] − ½.
Slide 7
DERANDOMIZATION
(10K random bits) → Stock Picker ← (Stock prices)

Bob has only 1000 random bits. Are 10K generated using G_N good enough?
Slide 8
Definition. An ensemble is a family {X_n} of random variables, where X_n ranges over {0,1}^n.
Example. {U_n}, where U_n is the uniform distribution on {0,1}^n.
Definition. Ensembles X = {X_n} and Y = {Y_n} are Δ(n)-statistically close if
  Δ(n) ≥ Σ_{x ∈ {0,1}^n} |Pr[X_n = x] − Pr[Y_n = x]|
Slide 9
INDISTINGUISHABILITY
Definition. {X_n} and {Y_n} are ε(n)-computationally indistinguishable (denoted X_n ≈_{ε(n)} Y_n) if ∀PPT A
  (Pr[A(X_n) = 1] − Pr[A(Y_n) = 1]) / Time_A(n) ≤ ε(n)

Challenger                          Adversary
  b ∈R {0,1}, x ← D_b        →
                             ←      guess b'
A wins if b' = b.
A's advantage is Pr[A(X_n) = 1] − Pr[A(Y_n) = 1] = 2·(Pr[b' = b] − ½).
Slide 10
Definition. {X_n} and {Y_n} are computationally indistinguishable (X_n ≈ Y_n) if for every poly p(n), X_n ≈_{1/p(n)} Y_n.
Theorem. If X_n ≈ Y_n then X_n^m ≈ Y_n^m for any constant m.
Proof. Suppose not. Then ∃PPT A, ε(n) > 1/n^c so
  Pr[A(x_1, ..., x_m) = 1] − Pr[A(y_1, ..., y_m) = 1] > ε(n)
(where x_1, ..., x_m ← X_n, y_1, ..., y_m ← Y_n).
We will show how to build PPT B with advantage at least ε(n)/m.
Slide 11
Define the hybrid ensembles D_i = X^{m-i} Y^i:
  D_0 = X X X ... X X
  D_1 = X X X ... X Y
  D_2 = X X X ... Y Y
  ...
  D_m = Y Y Y ... Y Y

Pr[A(X^m) = 1] − Pr[A(Y^m) = 1] > ε
Pr[A(D_i) = 1] − Pr[A(D_{i+1}) = 1] > ε/m

Since Σ_i (Pr[A(D_i) = 1] − Pr[A(D_{i+1}) = 1]) > ε, there must exist i so Pr[A(D_i) = 1] − Pr[A(D_{i+1}) = 1] > ε/m.
Let B(s) run A(X^{m-i}, s, Y^{i-1}). B has advantage ε/m in distinguishing X from Y.
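The hybrid argument above, worked exactly as an added example (this is not code from the lecture). X and Y are constructed single-bit distributions, A is a constructed test, and m = 3; exact fractions are used so every probability on the slide can be checked rather than estimated. The code computes Pr[A(D_i) = 1] for each hybrid, shows that the adjacent gaps telescope to Pr[A(X^m) = 1] − Pr[A(Y^m) = 1], and builds B(s) = A(X^{m-i}, s, Y^{i-1}) for the i with the largest gap.

```python
# Added example (not from the slides): the hybrid argument of slides 10-11 on
# tiny constructed ensembles over one bit, with exact probabilities.
from fractions import Fraction
from itertools import product

X = {0: Fraction(1, 4), 1: Fraction(3, 4)}   # constructed: a biased bit
Y = {0: Fraction(1, 2), 1: Fraction(1, 2)}   # constructed: a uniform bit
M = 3                                         # constructed: number of samples A sees

def A(sample):
    """Constructed test A: outputs 1 iff every component equals 1."""
    return 1 if all(v == 1 for v in sample) else 0

def prob_accept(test, dists):
    """Exact Pr[test(z_1, ..., z_m) = 1] with z_j drawn independently from dists[j]."""
    total = Fraction(0)
    for combo in product(*[d.items() for d in dists]):
        weight = Fraction(1)
        for _, q in combo:
            weight *= q
        total += weight * test(tuple(v for v, _ in combo))
    return total

def hybrid(i, m=M):
    """D_i = X^{m-i} Y^i: the first m-i coordinates from X, the last i from Y."""
    return [X] * (m - i) + [Y] * i

def hybrid_gaps(m=M):
    """Pr[A(D_i)=1] for i = 0..m, and the adjacent gaps, which telescope to
    Pr[A(X^m)=1] - Pr[A(Y^m)=1]."""
    ps = [prob_accept(A, hybrid(i, m)) for i in range(m + 1)]
    return ps, [ps[i] - ps[i + 1] for i in range(m)]

def build_B(i, m=M):
    """B(s) runs A(X^{m-i}, s, Y^{i-1}) as on slide 11: s ~ X yields D_{i-1},
    s ~ Y yields D_i. Returns B's exact acceptance probability when s is drawn
    from the given single-sample distribution."""
    def B_accept(dist_of_s):
        return prob_accept(A, [X] * (m - i) + [dist_of_s] + [Y] * (i - 1))
    return B_accept

def best_reduction(m=M):
    """Pick the i (1-indexed) with the largest adjacent hybrid gap; by averaging
    it is at least (Pr[A(X^m)=1] - Pr[A(Y^m)=1]) / m. Returns i and B's advantage."""
    ps, gaps = hybrid_gaps(m)
    i = max(range(m), key=lambda j: gaps[j]) + 1
    B = build_B(i, m)
    return i, B(X) - B(Y)

if __name__ == "__main__":
    print(hybrid_gaps())      # ([27/64, 9/32, 3/16, 1/8], [9/64, 3/32, 1/16])
    print(best_reduction())   # (1, 9/64): B(s) = A(X, X, s) distinguishes X from Y
```

Here ε = 27/64 − 8/64 = 19/64 and the largest single-step gap is 9/64 ≥ ε/3, exactly as the averaging argument guarantees; B calls A once, so its running time is A's plus the cost of sampling m − 1 values, which is what keeps B polynomial-time for constant m.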
Slide 12
  • Definition. A function G: {0,1}* → {0,1}* is a pseudorandom generator if
    • G is polynomial-time computable
    • |G(x)| = l(|x|), where l(n) > n
    • U_{l(n)} ≈ G(U_n)

Lemma. If a generator is pseudorandom, then it is next-bit unpredictable.
Lemma. If a generator is next-bit unpredictable, then it is pseudorandom.
We prove both in the contrapositive.
Slide 13
PREDICT ⇒ DISTINGUISH
Prediction game:
  Challenger                             Adversary
    b_1, b_2, ..., b_{i-1} ← G(s)   →
                                    ←    Guess b'
  Pr[b'_i = b_i] = ½ + δ

Distinguishing game:
  Challenger                             Adversary
    x ← D_b, b ∈R {0,1}             →
                                    ←    guess b'
Slide 14
PREDICT ⇒ DISTINGUISH
  Challenger                                           Adversary
    x ← G(U_k) or x ← U_{l(k)}
    x_1, ..., x_{i-1}                          →
                                               ←       x'_i
  If x'_i = x_i then PSEUDO else RANDOM.

Pr[A(G(U)) = 1] = Pr[x'_i = x_i] = ½ + δ        Pr[A(U) = 1] = ½
Gap: (½ + δ) − ½ = δ
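The prediction game of slide 6 and the predict ⇒ distinguish reduction of slides 13-14, computed exactly as an added example (not code from the lecture), together with the statistical distance of slide 8 for the same generator. The toy generator G, the lengths K and L, and the function names are constructed; G is deliberately weak (the low bit of an LCG modulo a power of two simply alternates) so that the optimal predictor, found here by enumerating every seed consistent with the observed prefix, actually has an advantage.

```python
# Added example (not from the slides): next-bit prediction (slide 6), the
# distinguisher built from a predictor (slide 14), and statistical distance
# (slide 8), all computed exactly by enumeration over a constructed toy generator.
from fractions import Fraction
from itertools import product

K, L = 6, 8   # constructed: seed length k and output length l(k) > k

def G(seed):
    """Constructed toy generator {0,1}^K -> {0,1}^L: x_i = 5*x_{i-1} + 3 mod 2^K
    from x_0 = seed, outputting the low bit of x_1..x_L (which alternates)."""
    x, bits = seed, []
    for _ in range(L):
        x = (5 * x + 3) % (1 << K)
        bits.append(x & 1)
    return tuple(bits)

def best_predictor(i):
    """Optimal predictor for bit i (1-indexed): for each prefix b_1..b_{i-1}, guess
    the value of b_i that is more common among seeds producing that prefix
    (ties, and prefixes G never produces, guess 0)."""
    table = {}
    for s in range(1 << K):
        out = G(s)
        table.setdefault(out[:i - 1], [0, 0])[out[i - 1]] += 1
    def guess(prefix):
        c = table.get(tuple(prefix), [1, 0])
        return 1 if c[1] > c[0] else 0
    return guess

def predictor_advantage(i, guess):
    """Slide 6: Pr[b' = b_i] - 1/2 over a uniform seed, b' = guess(b_1..b_{i-1})."""
    wins = sum(guess(G(s)[:i - 1]) == G(s)[i - 1] for s in range(1 << K))
    return Fraction(wins, 1 << K) - Fraction(1, 2)

def distinguisher_from_predictor(i, guess):
    """Slide 14: predict x_i from x_1..x_{i-1}; output 1 (PSEUDO) iff the guess is right."""
    return lambda x: 1 if guess(x[:i - 1]) == x[i - 1] else 0

def distinguishing_gap(D):
    """Pr[D(G(U_K)) = 1] - Pr[D(U_L) = 1], both exact."""
    on_pseudo = Fraction(sum(D(G(s)) for s in range(1 << K)), 1 << K)
    on_random = Fraction(sum(D(x) for x in product((0, 1), repeat=L)), 1 << L)
    return on_pseudo - on_random

def statistical_distance():
    """Slide 8's Delta between G(U_K) and U_L: sum over x of |Pr[G(U_K)=x] - 2^-L|."""
    pg = {}
    for s in range(1 << K):
        pg[G(s)] = pg.get(G(s), Fraction(0)) + Fraction(1, 1 << K)
    return sum(abs(pg.get(x, Fraction(0)) - Fraction(1, 1 << L))
               for x in product((0, 1), repeat=L))

if __name__ == "__main__":
    for i in (1, 2):
        g = best_predictor(i)
        print(i, predictor_advantage(i, g),
              distinguishing_gap(distinguisher_from_predictor(i, g)))
    print(statistical_distance())
```

For i = 1 there is no prefix to learn from, so the predictor's advantage and the derived distinguisher's gap are both 0; for i = 2 the alternating low bit gives advantage ½ and, as slide 14 says, the distinguisher's gap is the same δ = ½ because on a truly random string the guessed bit and x_i are independent. The statistical distance between G(U_6) and U_8 comes out as 127/64: any generator that stretches its seed is statistically far from uniform, which is why the definitions are computational.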
Slide 15
DISTINGUISH ⇒ PREDICT
Pr[B(G(U)) = 1] − Pr[B(U) = 1] ≥ δ
  Challenger                             Adversary
    b_1 ... b_{i-1} ← G(s)          →
                                    ←    guess b_i
Slide 16
HYBRIDS
Pr[B(G(U)) = 1] − Pr[B(U) = 1] ≥ ε
The total gap ε is spread over l hybrid steps, so some adjacent pair of hybrids has gap ≥ ε/l.
Slide 17
Let b_1 ... b_l be the output of G(U_n), then
  Pr[B(b_1 ... b_{i-1}, b_i, r_{i+1} ... r_l) = 1] − Pr[B(b_1 ... b_{i-1}, r_i, r_{i+1} ... r_l) = 1] ≥ δ/l
The second term can be written as
  ½·Pr[B(b_1 ... b_{i-1}, b_i, r_{i+1} ... r_l) = 1] + ½·Pr[B(b_1 ... b_{i-1}, b̄_i, r_{i+1} ... r_l) = 1]
Plugging it back in, we get
  Pr[B(b_1 ... b_{i-1}, b_i, r_{i+1} ... r_l) = 1] − Pr[B(b_1 ... b_{i-1}, b̄_i, r_{i+1} ... r_l) = 1] ≥ 2δ/l
B can distinguish between the correct next bit and the incorrect next bit!
Slide 18
DISTINGUISH ⇒ PREDICT
Pr[B(G(U)) = 1] − Pr[B(U) = 1] ≥ δ
  Challenger                             Adversary
    x = b_1 ... b_{i-1} ← G(s)      →
                                         c ← B(x, 0, r_{i+1} ... r_l)
                                         d ← B(x, 1, r_{i+1} ... r_l)
  If c = d then b' ∈R {0,1}; else if c = 1 then b' = 0; else b' = 1.
Claim. Pr[b' = b_i] ≥ ½ + δ/l
Slide 19
Claim. Pr[b' = b_i] ≥ ½ + δ/l
(Here B(b_i) abbreviates B(b_1 ... b_{i-1}, b_i, r_{i+1} ... r_l), and B(b̄_i) the same call with the wrong next bit 1 − b_i.)
  • A guesses b_i with probability
      ½·Pr[c = d] + Pr[B(b_i) = 1 ∧ B(b̄_i) = 0]
    = ½·Pr[B(b_i) = 1 ∧ B(b̄_i) = 1] + ½·Pr[B(b_i) = 0 ∧ B(b̄_i) = 0] + Pr[B(b_i) = 1 ∧ B(b̄_i) = 0]
  • Using the identity X = ½X + ½X,
    = ½·Pr[B(b_i) = 1 ∧ B(b̄_i) = 1] + ½·Pr[B(b_i) = 0 ∧ B(b̄_i) = 0]
      + ½·Pr[B(b_i) = 1 ∧ B(b̄_i) = 0] + ½·Pr[B(b_i) = 1 ∧ B(b̄_i) = 0]
  • Using the fact that (B(x) = 0) and (B(x) = 1) partition the event space,
    = ½·Pr[B(b_i) = 1] + ½·Pr[B(b̄_i) = 0]
    = ½·Pr[B(b_i) = 1] + ½·(1 − Pr[B(b̄_i) = 1])
    = ½ + ½·(Pr[B(b_i) = 1] − Pr[B(b̄_i) = 1])

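The distinguish ⇒ predict direction of slides 15-19, computed exactly as an added example (not code from the lecture). The generator G, the distinguisher D and the lengths K, L are constructed: G appends the parity of its seed and D checks exactly that, so D has gap ½ on G(U) versus U. The code computes the hybrid acceptance probabilities of slides 16-17, the "correct next bit minus wrong next bit" gap of slide 17, and the success probability of the slide 18 predictor, and checks the slide 19 identity Pr[b' = b_i] = ½ + ½·(Pr[B(b_i) = 1] − Pr[B(b̄_i) = 1]) at every position.

```python
# Added example (not from the slides): building a next-bit predictor from a
# distinguisher, slides 15-19, with every probability computed exactly by
# enumerating all seeds, random strings and coin flips. G, D, K, L are constructed.
from fractions import Fraction
from itertools import product

K, L = 4, 5   # constructed: seed length and output length

def G(s):
    """Constructed generator {0,1}^K -> {0,1}^L: the seed followed by its parity bit."""
    return tuple(s) + (sum(s) % 2,)

def D(x):
    """Constructed distinguisher B: outputs 1 ('pseudo') iff the last bit is the parity of the rest."""
    return 1 if x[-1] == sum(x[:-1]) % 2 else 0

def seeds():
    return product((0, 1), repeat=K)

def hybrid_accept(i):
    """Pr[D(H_i) = 1] for the hybrid H_i = b_1..b_i r_{i+1}..r_L (slides 16-17),
    with b = G(s), s uniform and r uniform. H_0 = U_L, H_L = G(U_K)."""
    total, count = Fraction(0), 0
    for s in seeds():
        b = G(s)
        for r in product((0, 1), repeat=L - i):
            total += D(b[:i] + r)
            count += 1
    return total / count

def hybrid_gaps():
    """Adjacent gaps Pr[D(H_i)=1] - Pr[D(H_{i-1})=1] for i = 1..L; they sum to
    Pr[D(G(U))=1] - Pr[D(U)=1], so the largest one is at least that over L."""
    ps = [hybrid_accept(i) for i in range(L + 1)]
    return [ps[i] - ps[i - 1] for i in range(1, L + 1)]

def next_bit_gap(i):
    """Slide 17: Pr[D(b_1..b_{i-1}, b_i, r) = 1] - Pr[D(b_1..b_{i-1}, 1-b_i, r) = 1]."""
    right, wrong, count = Fraction(0), Fraction(0), 0
    for s in seeds():
        b = G(s)
        for r in product((0, 1), repeat=L - i):
            right += D(b[:i - 1] + (b[i - 1],) + r)
            wrong += D(b[:i - 1] + (1 - b[i - 1],) + r)
            count += 1
    return (right - wrong) / count

def predictor_success(i):
    """Slide 18's predictor for bit i: c = D(x,0,r), d = D(x,1,r); if c = d flip a
    coin, else guess 0 when c = 1 and 1 otherwise. Returns the exact Pr[b' = b_i]."""
    total, count = Fraction(0), 0
    for s in seeds():
        b = G(s)
        x = b[:i - 1]
        for r in product((0, 1), repeat=L - i):
            c, d = D(x + (0,) + r), D(x + (1,) + r)
            if c == d:
                total += Fraction(1, 2)      # a random guess is right half the time
            else:
                total += int((0 if c == 1 else 1) == b[i - 1])
            count += 1
    return total / count

if __name__ == "__main__":
    print(hybrid_gaps())                                   # [0, 0, 0, 0, 1/2]
    print([predictor_success(i) for i in range(1, L + 1)])  # [1/2, 1/2, 1/2, 1/2, 1]
```

All of D's gap sits at the last hybrid step, so the reduction picks i = L and the resulting predictor recovers b_L with certainty; at every other position it does no better than ½, and in each case the slide 19 identity holds exactly, with the slide 17 bound next_bit_gap(i) = 2·(hybrid gap at i) visible in the numbers.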
Slide 20
CS5403.info