6.080/6.089 GITCS Apr 15, 2008

Lecture 17

Lecturer: Scott Aaronson Scribe: Adam Rogal

1 Recap

1.1 Pseudorandom Generators

We will begin with a recap of pseudorandom generators (PRGs). As we discussed before, a pseudorandom generator is a function that takes as input a short truly random string and produces as output a longer, seemingly random string. Formally, a PRG is a polynomial-time computable function $f : \{0,1\}^n \to \{0,1\}^{n+1}$ such that for all deterministic polynomial-time algorithms $A$,

$$\left| \Pr_{y \in \{0,1\}^{n+1}}[A(y) \text{ accepts}] - \Pr_{x \in \{0,1\}^n}[A(f(x)) \text{ accepts}] \right|$$

is negligible.

Given a PRG that stretches $n$ bits to $n+1$ bits, we can create a PRG that stretches $n$ bits to $p(n)$ bits for any polynomial $p$. To do so, we repeatedly break off a single bit of the PRG's output and feed the remaining $n$ bits back into the PRG to get another $n+1$ pseudorandom bits. This process is shown in Figure 1. To prove that it works, one needs to show that if we could distinguish the $p(n)$-bit output from random, then we could also distinguish the original $(n+1)$-bit output from random, thereby violating the assumption that we started with a PRG. Formalizing this intuition is somewhat tricky and will not be done here.

Figure 1: A seemingly random string of size $p(n)$ is generated from an $n$-bit seed using the feed-and-repeat method. (The diagram shows an $n$-bit seed fed through a chain of $n+1$-bit PRG outputs.)

1.2 Cryptographic Codes

Using pseudorandom generators, it's possible to create secure cryptographic codes with small key sizes. The details of this are complicated if you want to protect against realistic attacks (for example, so-called chosen-message attacks). But at the simplest level, the intuition is the following: we should be able to simulate a one-time pad (which is provably unbreakable when used correctly) by (1) taking a small random key, (2) stretching it to a longer key using a PRG, and then (3) treating that longer key as the one-time pad.

If a polynomial-time adversary could break such a system, that would mean that the adversary was distinguishing the PRG's output from a truly random string, contrary to assumption.
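The following Python program is an added illustration of both constructions above (the feed-and-repeat stretching of Section 1.1 and the PRG-stretched one-time pad of Section 1.2); it is not part of the lecture notes. The one-bit-stretching function `prg_one_bit` is a SHA-256 stand-in assumed here purely so the code runs; the lecture assumes an actual PRG, whose existence is a hypothesis, and no security claim is made for the stand-in. The seed and message are constructed sample values, and `pad_reuse_leak` shows why the "used correctly" qualifier on the one-time pad matters: a pad derived from one seed must never be used for two messages.

```python
import hashlib
import secrets


def prg_one_bit(x: str) -> str:
    """Stand-in for f: {0,1}^n -> {0,1}^(n+1) (ASSUMPTION: SHA-256 based, not a
    proven PRG). Input and output are strings of '0'/'1' characters."""
    n = len(x)
    bits = ""
    counter = 0
    while len(bits) < n + 1:          # hash a counter in if n+1 > 256 bits
        digest = hashlib.sha256(f"{x}|{counter}".encode()).digest()
        bits += "".join(format(b, "08b") for b in digest)
        counter += 1
    return bits[: n + 1]


def stretch(seed: str, out_len: int, prg=prg_one_bit) -> str:
    """Feed-and-repeat: stretch an n-bit seed to out_len pseudorandom bits.
    Each round applies prg to the current n-bit state, emits the first bit of
    the (n+1)-bit result, and feeds the remaining n bits back as the next state."""
    n = len(seed)
    state = seed
    out = []
    while len(out) < out_len:
        y = prg(state)
        assert len(y) == n + 1, "prg must stretch by exactly one bit"
        out.append(y[0])              # break off one output bit
        state = y[1:]                 # remaining n bits become the next seed
    return "".join(out)


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length '0'/'1' strings."""
    assert len(a) == len(b)
    return "".join("1" if p != q else "0" for p, q in zip(a, b))


def bytes_to_bits(data: bytes) -> str:
    return "".join(format(b, "08b") for b in data)


def bits_to_bytes(bits: str) -> bytes:
    assert len(bits) % 8 == 0
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def encrypt(seed: str, message: bytes) -> bytes:
    """One-time pad with the pad produced by stretching the short seed."""
    m = bytes_to_bits(message)
    pad = stretch(seed, len(m))
    return bits_to_bytes(xor_bits(m, pad))


def decrypt(seed: str, ciphertext: bytes) -> bytes:
    """XOR with the same pad undoes the encryption."""
    return encrypt(seed, ciphertext)


def pad_reuse_leak(seed: str, m1: bytes, m2: bytes) -> bytes:
    """Two equal-length messages under one seed: XORing the ciphertexts cancels
    the pad and yields m1 XOR m2 without any knowledge of the seed."""
    c1, c2 = encrypt(seed, m1), encrypt(seed, m2)
    return bytes(p ^ q for p, q in zip(c1, c2))


if __name__ == "__main__":
    seed = format(secrets.randbits(128), "0128b")       # constructed 128-bit seed
    msg = b"a short key stretched into a long pad"      # constructed message
    ct = encrypt(seed, msg)
    assert decrypt(seed, ct) == msg
    print("seed bits:", len(seed), "pad bits:", 8 * len(msg))
    print("ciphertext:", ct.hex())
```

`stretch` is prefix-consistent: asking for 10 bits yields the first 10 of the 20-bit output from the same seed, which is what makes the feed-and-repeat chain a single PRG family rather than a set of unrelated generators.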
This note was uploaded on 12/26/2011 for the course ENGINEERIN 18.400J taught by Professor Prof.scottaaronson during the Spring '11 term at MIT.