# MIT6_045JS11_lec14 - 6.080/6.089 GITCS Lecture 17
6.080/6.089 GITCS, Apr 15, 2008

Lecture 17

Lecturer: Scott Aaronson. Scribe: Adam Rogal

## 1 Recap

### 1.1 Pseudorandom Generators

We will begin with a recap of pseudorandom generators (PRGs). As we discussed before, a pseudorandom generator is a function that takes as input a short truly random string and produces a longer output string that looks random. Formally, a PRG is a polytime-computable function $f : \{0,1\}^n \to \{0,1\}^{n+1}$ such that for all deterministic polynomial-time algorithms $A$,

$$\Bigl|\, \Pr_{y \in \{0,1\}^{n+1}}[A(y) \text{ accepts}] \;-\; \Pr_{x \in \{0,1\}^n}[A(f(x)) \text{ accepts}] \,\Bigr|$$

is negligible.

Given a PRG that stretches $n$ bits to $n+1$ bits, we can create a PRG that stretches $n$ bits to $p(n)$ bits for any polynomial $p$. To do so, we repeatedly break off a single bit of the PRG's output and feed the remaining $n$ bits back into the PRG to get another $n+1$ pseudorandom bits. This process is shown in Figure 1. To prove that it works, one needs to show that, could we distinguish the $p(n)$-bit output from random, we could also distinguish the original $(n+1)$-bit output from random, thereby violating the assumption that we started with a PRG. Formalizing this intuition is somewhat tricky and will not be done here.

[Figure 1: A seemingly random string of size $p(n)$ is generated from an $n$-bit seed using the feed-and-repeat method. The diagram shows the seed of $n$ bits passing through the PRG repeatedly, each stage producing $n+1$ bits, until $p(n)$ output bits have been collected.]

### 1.2 Cryptographic Codes

Using pseudorandom generators, it's possible to create secure cryptographic codes with small key sizes. The details of this are complicated if you want to protect against realistic attacks (for example, so-called *chosen-message attacks*). But at the simplest level, the intuition is the following: we should be able to simulate a one-time pad (which is provably unbreakable when used correctly) by (1) taking a small random key, (2) stretching it to a longer key using a PRG, and then (3) treating that longer key as the one-time pad.

If a polynomial-time adversary could break such a system, that would mean that the adversary was distinguishing the PRG's output from a truly random string, contrary to assumption....
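The feed-and-repeat stretching of Section 1.1 and the PRG-as-one-time-pad idea of Section 1.2, as an added example that is not part of the lecture notes. The one-bit-stretching function `toy_one_bit_prg` is a constructed SHA-256-based stand-in, not a function proven to be a PRG; the `stretch` and `otp_with_prg` functions are the constructions the notes describe, and the key bytes are a constructed sample.

```python
import hashlib
from typing import Callable, List

Bits = List[int]  # a bit string represented as a list of 0/1 ints


def toy_one_bit_prg(x: Bits) -> Bits:
    """Stand-in for f: {0,1}^n -> {0,1}^{n+1}. Constructed for this example from
    SHA-256; it is NOT a proven PRG, only something with the right shape."""
    n = len(x)
    assert 0 < n <= 255, "toy PRG supports seeds of at most 255 bits"
    digest = hashlib.sha256(bytes(x)).digest()
    return [(b >> (7 - i)) & 1 for b in digest for i in range(8)][: n + 1]


def stretch(f: Callable[[Bits], Bits], seed: Bits, out_len: int) -> Bits:
    """Feed-and-repeat construction: each round emits one bit of f(x) and feeds
    the remaining n bits back into f, until out_len output bits exist."""
    n = len(seed)
    x = list(seed)
    out: Bits = []
    while len(out) < out_len:
        y = f(x)
        assert len(y) == n + 1, "f must stretch its input by exactly one bit"
        out.append(y[0])  # break off a single output bit
        x = y[1:]         # the other n bits become the next seed
    return out


def bytes_to_bits(data: bytes) -> Bits:
    return [(b >> (7 - i)) & 1 for b in data for i in range(8)]


def bits_to_bytes(bits: Bits) -> bytes:
    assert len(bits) % 8 == 0
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def xor_bits(a: Bits, b: Bits) -> Bits:
    assert len(a) == len(b)
    return [p ^ q for p, q in zip(a, b)]


def otp_with_prg(f: Callable[[Bits], Bits], key: Bits, data: bytes) -> bytes:
    """Simulated one-time pad: stretch the short key to len(data) bits and XOR.
    XOR is its own inverse, so the same call both encrypts and decrypts."""
    bits = bytes_to_bits(data)
    return bits_to_bytes(xor_bits(bits, stretch(f, key, len(bits))))


if __name__ == "__main__":
    key = bytes_to_bits(b"\x5a\xc3")  # 16-bit seed (constructed sample value)
    ct = otp_with_prg(toy_one_bit_prg, key, b"pseudorandom pad")
    assert otp_with_prg(toy_one_bit_prg, key, ct) == b"pseudorandom pad"
    print(ct.hex())
```

As the notes say, this is only the simplest level: the pad bits depend solely on the key, so reusing a key across two messages gives up their XOR exactly as with a reused one-time pad, and nothing here addresses chosen-message attacks.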