notes-2 - Leo Reyzin. Notes for BU CAS CS 538. 1 2 2.1...

Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
Leo Reyzin. Notes for BU CAS CS 538. 1 2 Pseudorandom Generators: Unpredictability and First Example 2.1 Defnition o± next-bit-unpredictability As we have seen, information-theoretic security requires long random strings. This brings up the following question: can we replace random strings with pseudorandom ones and still retain some notion of security? For now, we will focus on pseudorandomness and postpone the question of what notion of security we can achieve using it. It will turn out that understanding pseudorandomness well will be of great help for understanding secure encryption. A common understanding of the meaning of “pseudorandom” is something that looks random but is generated by a deterministic process starting with a random seed. The meaning “looks random” can vary, and is crucial to the de±nition. Our ±rst de±nition of pseudorandomness (below), due to Blum and Micali and ±rst published in 1982, will capture the following feature of truly random strings: you can’t predict the next bit, even given all the previous ones. The de±nition will require pseudorandom strings to have this property when the computational power of the bit predictor is limited: we will limit the predictor’s expected running time to some polynomial in the length of the input seed. We will de±ne the bit predictor as an algorithm that reads one bit of the pseudorandom string at a time, and each time decides whether to try to predict the next bit, or to read it. As initial input, it will receive the length k of the random seed used to generate the string (but not the seed itself, which must remain secret for unpredictability). For technical reasons to be explained shortly, the value k will be input in unary as a string of k ones, denoted 1 k . Defnition 1. Ab itpred ictor A is an algorithm that runs in stages. At ±rst, A receives 1 k as input (for some k ). At the end of each stage, A can output next or a bit b .I fas t a g eo u t p u t s next , A expects one more bit of input, and enters the next stage. If a stage outputs b ,then A is ±nished, and b is called the output of A . We will now formally de±ne how a bit predictor interacts with a potential pseudorandom generator G . Let G : { 0 , 1 } * →{ 0 , 1 } * be a polynomial-time deterministic algorithm. Suppose the length of the output of G is always greater than the length of the input, and furthermore the length of the output is the same as long as the length of the input is the same: | G ( x ) | = l ( | x | )forsome expansion function l satisfying l ( k ) >k . Let A be a bit predictor. Consider the following experiment experiment-predict ,parameter izedby k : 1. Select a random x of length k 2. Compute y = G ( x ) 3. Run A (1 k ), giving it bits of y in order in response to A ’s next requests If A stops after i
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

This document was uploaded on 02/27/2012.

Page1 / 4

notes-2 - Leo Reyzin. Notes for BU CAS CS 538. 1 2 2.1...

This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online