U.C. Berkeley — CS276: Cryptography
Lecture 10: 2/21/02
Professors Luca Trevisan and David Wagner
Scribe: Wei Chen

Last time we discussed the relation between one-way permutations (OWP) and pseudorandom generators (PRG): if a length-preserving OWP exists, we can use it in combination with its hard-core bit to build a PRG. In today's lecture, we will show that the same relation holds between one-way functions (OWF) and PRG, so that if there exists a OWF a PRG must also exist. Having proved that, we will then show that the existence of a PRG implies the existence of a pseudorandom function (PRF).

1 One-Way Functions and PRG

In the last lecture we showed the following result, first obtained in [HILL]:

Theorem 1 (OWP → PRG) Suppose $f : \{0,1\}^n \to \{0,1\}^n$ is a one-way permutation, and $B : \{0,1\}^n \to \{0,1\}$ is a hard-core predicate on $f$. Then $G(x) = (f(x), B(x))$ is a PRG.

This theorem means that if a one-way permutation exists, there must also exist a pseudorandom generator. We will show that this theorem also holds when $f$ is a one-way function that is not length-preserving.

First consider the case that $f$ is an injective OWF $f : \{0,1\}^k \to \{0,1\}^n$, with $n > k$. Define $H$ to be a family of pairwise independent hash functions, so that every $h \in H$ satisfies the following: $\forall x, y \in \{0,1\}^n$ and $\forall q, b \in \{0,1\}^m$ chosen randomly,

$$\Pr[h(x) = q \text{ and } h(y) = b] = \left(\frac{1}{2^m}\right)^2$$

Intuitively, a pairwise independent hash function maps every distinct pair of inputs randomly and independently. An example of $H$ is the set $\{h_{A,b}\}$, with $A \in \{0,1\}^{n \times m}$, $b \in \{0,1\}^m$, and $h_{A,b}(x) = Ax \oplus b$.

The following theorem can be used to construct a pseudorandom generator from a one-way function and a family of hash functions:

Theorem 2 Suppose $f : \{0,1\}^k \to \{0,1\}^n$ is an injective OWF, so that for any $y \in \{0,1\}^n$, $\Pr[y = f(x)] \le 1/2^k$. Let $H$ be a family of pairwise independent hash functions satisfying the properties above, with $h : \{0,1\}^n \to \{0,1\}^{k - \log(1/\ )}$ for every $h \in H$. Then $(h, h(f(x)))$ is $(\infty,\ )$ indistinguishable from $(h, r)$, where $r$ is randomly chosen over $\{0,1\}^{k - \log(1/\ )}$ ....
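The pairwise independence property of the family $h_{A,b}(x) = Ax \oplus b$ can be checked exhaustively for small parameters. The following is an added example, not part of the original lecture notes; the function names, the `use_offset` flag, and the choice to store $A$ as $m$ rows of $n$ bits (so that $Ax$ has $m$ bits) are assumptions made for illustration. It also shows the failure mode when the offset $b$ is dropped: the input $x = 0$ always hashes to $0$.

```python
from collections import Counter
from itertools import product

def h(A, b, x):
    """h_{A,b}(x) = Ax XOR b over GF(2).
    A is a tuple of m row bitmasks (n bits each); b is an m-bit int; x is an n-bit int."""
    out = 0
    for i, row in enumerate(A):
        out |= (bin(row & x).count("1") & 1) << i  # <row, x> mod 2
    return out ^ b

def joint_distribution(n, m, x, y, use_offset=True):
    """Count outcomes (h(x), h(y)) over every key (A, b) in the family."""
    offsets = range(2 ** m) if use_offset else (0,)
    counts = Counter()
    for A in product(range(2 ** n), repeat=m):
        for b in offsets:
            counts[(h(A, b, x), h(A, b, y))] += 1
    return counts

def violations(n, m, use_offset=True):
    """Return the distinct pairs (x, y) whose joint distribution is not uniform
    on {0,1}^m x {0,1}^m, i.e. where Pr[h(x)=q and h(y)=r] != (1/2^m)^2."""
    bad = []
    for x, y in product(range(2 ** n), repeat=2):
        if x == y:
            continue  # the property is only claimed for distinct inputs
        counts = joint_distribution(n, m, x, y, use_offset)
        total = sum(counts.values())
        uniform = all(counts[(q, r)] * 4 ** m == total
                      for q in range(2 ** m) for r in range(2 ** m))
        if not uniform:
            bad.append((x, y))
    return bad

if __name__ == "__main__":
    n, m = 3, 2  # small enough to enumerate all 2^(n*m + m) keys
    print("Ax XOR b violations:", violations(n, m))
    print("Ax only violations :", violations(n, m, use_offset=False))
```
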
This note was uploaded on 02/04/2008 for the course CS 276 taught by Professor Trevisan during the Spring '02 term at Berkeley.
