Leo Reyzin. Notes for BU CAS CS 538.
2 Pseudorandom Generators: Unpredictability and First Example
2.1 Definition of next-bit unpredictability
As we have seen, information-theoretic security requires long random strings. This brings up the following
question: can we replace random strings with pseudorandom ones and still retain some notion of security?
For now, we will focus on pseudorandomness and postpone the question of what notion of security we
can achieve using it. It will turn out that understanding pseudorandomness well will be of great help for
understanding secure encryption.
A common understanding of the meaning of “pseudorandom” is something that looks random but is
generated by a deterministic process starting with a random seed. The meaning of “looks random” can vary,
and is crucial to the definition. Our first definition of pseudorandomness (below), due to Blum and Micali
and first published in 1982, will capture the following feature of truly random strings: you can’t predict the
next bit, even given all the previous ones. The definition will require pseudorandom strings to have this
property when the computational power of the bit predictor is limited: we will limit the predictor’s expected
running time to some polynomial in the length of the input seed.
We will define the bit predictor as an algorithm that reads one bit of the pseudorandom string at a time,
and each time decides whether to try to predict the next bit, or to read it. As initial input, it will receive the
length $k$ of the random seed used to generate the string (but not the seed itself, which must remain secret
for unpredictability). For technical reasons to be explained shortly, the value $k$ will be input in unary as a
string of $k$ ones, denoted $1^k$.
Definition 1. A bit predictor $A$ is an algorithm that runs in stages. At first, $A$ receives $1^k$ as input (for
some $k$). At the end of each stage, $A$ can output $\mathsf{next}$ or a bit $b$. If a stage outputs $\mathsf{next}$, $A$ expects one
more bit of input, and enters the next stage. If a stage outputs $b$, then $A$ is finished, and $b$ is called the
output of $A$.
We will now formally define how a bit predictor interacts with a potential pseudorandom generator $G$.
Let $G : \{0,1\}^* \to \{0,1\}^*$ be a polynomial-time deterministic algorithm. Suppose the length of the output
of $G$ is always greater than the length of the input, and furthermore the length of the output is the same as
long as the length of the input is the same: $|G(x)| = l(|x|)$ for some expansion function $l$ satisfying $l(k) > k$.
Let $A$ be a bit predictor. Consider the following experiment $\mathsf{predict}$, parameterized by $k$:
1. Select a random $x$ of length $k$
2. Compute $y = G(x)$
3. Run $A(1^k)$, giving it bits of $y$ in order in response to $A$’s $\mathsf{next}$ requests
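The bit predictor of Definition 1 and the experiment predict above, as an added example in Python (not code from the notes). A predictor $A(1^k)$ is modelled as a Python generator: yielding the string "next" ends a stage by asking for one more bit, and returning a bit ends the final stage with that bit as the output. The generator $G$ used here is a constructed two-tap linear recurrence with $l(k) = 2k$, chosen because its output bits are individually balanced yet the $(k+1)$-th bit is a fixed function of the first two. The success condition, which the page cuts off mid-sentence, is assumed here to be that $A$'s output bit equals the next unread bit of $y$; the function and predictor names are mine.

```python
"""Added example: the bit-predictor experiment of Section 2.1 (not code from the notes)."""
import itertools
from typing import Callable, Generator, List

Bits = List[int]
# A bit predictor A(1^k) is modelled as a Python generator function: each
# `yield "next"` ends a stage by asking for one more bit (delivered via send()),
# and `return b` ends the final stage with output bit b.
Predictor = Callable[[int], Generator[str, int, int]]


def g_lfsr(x: Bits) -> Bits:
    """Constructed toy generator G with expansion l(k) = 2k.

    Copies the seed, then extends it by the recurrence y_i = y_{i-k} XOR y_{i-k+1}
    (a hypothetical two-tap LFSR). Each output bit is balanced over a uniform seed,
    yet the generator is plainly NOT next-bit unpredictable. Needs k >= 2.
    """
    k = len(x)
    y = list(x)
    for i in range(k, 2 * k):
        y.append(y[i - k] ^ y[i - k + 1])
    return y


def lfsr_predictor(k: int) -> Generator[str, int, int]:
    """Predictor A(1^k) that reads k bits, then predicts bit k+1 from the recurrence."""
    seen: Bits = []
    for _ in range(k):
        seen.append((yield "next"))
    return seen[0] ^ seen[1]


def zero_predictor(k: int) -> Generator[str, int, int]:
    """Constructed baseline A(1^k): read k bits, ignore them, output 0."""
    for _ in range(k):
        yield "next"
    return 0


def run_predict(G: Callable[[Bits], Bits], A: Predictor, k: int, x: Bits) -> bool:
    """One run of experiment predict with the seed x fixed (steps 2 and 3).

    Returns True iff A succeeds. Success condition (an assumption, since the page
    cuts off): A stops after reading i bits and outputs b; it succeeds iff b equals
    y_{i+1}, the first bit it declined to read.
    """
    y = G(x)
    stages = A(k)
    i = 0  # number of bits of y handed to A so far
    try:
        request = next(stages)  # run A's first stage
        while True:
            if request != "next":
                raise ValueError("a stage must yield the literal string 'next'")
            if i == len(y):
                raise ValueError("A asked for more bits than G produced")
            bit = y[i]
            i += 1
            request = stages.send(bit)  # deliver the bit, run the next stage
    except StopIteration as done:
        b = done.value  # the value A returned is its output bit
    if i == len(y):
        return False  # nothing left to predict; counted as failure (assumption)
    return b == y[i]


def success_probability(G: Callable[[Bits], Bits], A: Predictor, k: int) -> float:
    """Exact Pr over uniform x of length k (step 1) that A succeeds.

    Enumerating all 2^k seeds is exact only because A is deterministic and k is tiny.
    """
    wins = sum(run_predict(G, A, k, list(bits))
               for bits in itertools.product((0, 1), repeat=k))
    return wins / 2 ** k


if __name__ == "__main__":
    k = 8
    print("recurrence-aware predictor:", success_probability(g_lfsr, lfsr_predictor, k))  # 1.0
    print("always-zero predictor:     ", success_probability(g_lfsr, zero_predictor, k))  # 0.5
```

The contrast between the two predictors is the point of the definition: the always-zero predictor does no better than guessing, but a predictor that knows the structure of $G$ reads exactly $k$ bits and then predicts the next one with probability 1, so this $G$ fails next-bit unpredictability even though each of its output bits, taken alone, is uniformly distributed.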
If $A$ stops after $i$