MIT6_045JS11_lec14 - 6.080/6.089 GITCS Apr 15, 2008 Lecture...
6.080/6.089 GITCS, Apr 15, 2008
Lecture 17
Lecturer: Scott Aaronson
Scribe: Adam Rogal

1 Recap

1.1 Pseudorandom Generators

We will begin with a recap of pseudorandom generators (PRGs). As we discussed before, a pseudorandom generator is a function that takes as input a short, truly random string and produces a longer output string that looks random. Formally, a PRG is a polynomial-time-computable function $f : \{0,1\}^n \to \{0,1\}^{n+1}$ such that for all deterministic polynomial-time algorithms $A$,

$$\left| \Pr_{y \in \{0,1\}^{n+1}}[A(y)\ \text{accepts}] - \Pr_{x \in \{0,1\}^{n}}[A(f(x))\ \text{accepts}] \right|$$

is negligible.

Given a PRG that stretches $n$ bits to $n+1$ bits, we can create a PRG that stretches $n$ bits to $p(n)$ bits for any polynomial $p$. To do so, we repeatedly break off a single bit of the PRG's output and feed the remaining $n$ bits back into the PRG to get another $n+1$ pseudorandom bits. This process is shown in Figure 1. To prove that it works, one needs to show that if we could distinguish the $p(n)$-bit output from random, we could also distinguish the original $(n+1)$-bit output from random, thereby violating the assumption that we started with a PRG. Formalizing this intuition is somewhat tricky and will not be done here.

[Figure 1: A seemingly random string of size $p(n)$ is generated from an $n$-bit seed using the feed-and-repeat method. The figure shows the $n$-bit seed passing through a chain of $n \to n+1$ stages whose broken-off bits form the $p(n)$-bit output.]

1.2 Cryptographic Codes

Using pseudorandom generators, it's possible to create secure cryptographic codes with small key sizes. The details of this are complicated if you want to protect against realistic attacks (for example, so-called chosen-message attacks). But at the simplest level, the intuition is the following: we should be able to simulate a one-time pad (which is provably unbreakable when used correctly) by (1) taking a small random key, (2) stretching it to a longer key using a PRG, and then (3) treating that longer key as the one-time pad. If a polynomial-time adversary could break such a system, that would mean that the adversary was distinguishing the PRG's output from a truly random string, contrary to assumption....
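The feed-and-repeat stretching of Section 1.1 and the simulated one-time pad of Section 1.2, as an added example that is not part of the lecture notes. The base function `prg_one_bit` is an assumed stand-in (a SHA-256 truncation) for the $n \to n+1$ PRG $f$ whose existence the lecture assumes; it is not claimed to be a proven PRG, and the seed and message are constructed values.

```python
import hashlib

def prg_one_bit(x: str) -> str:
    """Stand-in for the base PRG f: {0,1}^n -> {0,1}^{n+1}.

    Hashes the n-bit seed (a string of '0'/'1') with SHA-256 and keeps
    the first n+1 bits. This is an assumed, illustrative f only; the
    lecture assumes some PRG exists rather than proving this one is one.
    """
    n = len(x)
    digest = hashlib.sha256(x.encode("ascii")).digest()
    bits = "".join(f"{byte:08b}" for byte in digest)
    assert n + 1 <= len(bits), "seed too long for a 256-bit digest"
    return bits[: n + 1]

def stretch(x: str, out_len: int, f=prg_one_bit) -> str:
    """Feed-and-repeat (Figure 1): stretch an n-bit seed to out_len bits.

    Each round applies f to the current n-bit state, breaks off the first
    bit as output, and feeds the remaining n bits back into f.
    """
    state, out = x, []
    while len(out) < out_len:
        y = f(state)        # n+1 pseudorandom bits
        out.append(y[0])    # break off one bit for the output
        state = y[1:]       # the remaining n bits become the next seed
    return "".join(out)

def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length '0'/'1' strings."""
    return "".join("1" if p != q else "0" for p, q in zip(a, b))

def otp_encrypt(seed: str, msg_bits: str) -> str:
    """Simulated one-time pad: the short seed is stretched to the message length."""
    pad = stretch(seed, len(msg_bits))
    return xor_bits(msg_bits, pad)

# Decryption is the same operation: regenerate the pad from the seed and XOR.
otp_decrypt = otp_encrypt

if __name__ == "__main__":
    seed = "1011001110010110"                    # constructed 16-bit seed
    msg = "".join(f"{b:08b}" for b in b"GITCS")  # constructed 40-bit message
    ct = otp_encrypt(seed, msg)
    print(len(stretch(seed, 1000)), ct, otp_decrypt(seed, ct) == msg)
```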
This note was uploaded on 12/26/2011 for the course ENGINEERIN 18.400J taught by Prof. Scott Aaronson during the Spring '11 term at MIT.