Leo Reyzin. Notes for BU CAS CS 538.

3 Pseudorandom Generators: Indistinguishability

3.1 Definition

We have seen how to build generators whose next bit is unpredictable from the previous bits. This clearly has applications: e.g., if you want to run a lottery or build a gambling machine, this is exactly what you are looking for, so that the next day's winning numbers cannot be predicted from the past. However, it is not clear that this is the right notion to apply when, for example, you want to use pseudorandom strings instead of random ones in one-time-pad encryption. For instance, if you always begin your letters with "Dear" and end them with "Sincerely," then the adversary can figure out the first few and the last few bits of the one-time pad. In that case, you want the middle bits (which protect the actual contents of your letter) to be unpredictable to an adversary who is given some of the beginning and some of the end of the pseudorandom string. This is merely one example to illustrate that next-bit unpredictability is not necessarily the right notion for many applications.

We will now consider a different notion of pseudorandomness. A popular way to test strings for pseudorandomness before the advent of cryptography was to run "statistical tests" on them: e.g., counting the number of 0's and 1's, seeing if the longest run of consecutive 0's is what you'd expect it to be in a random string, etc. As cryptographers, we want our random strings to be secure not just against some statistical tests, but against any statistical test that the adversary can devise. We therefore consider any polynomial-time algorithm that outputs 0 or 1 to be a statistical test.

So, let T be a statistical test. Then consider two experiments: experiment-pr and experiment-r. The first is as follows:

1. Select random x of length k
2. Compute y = G(x)
3. Run T(y) and output whatever it does

The second is as follows:

1. Select random y of length l(k)
2. Run T(y) and output whatever it does

Definition 1 ([Yao82]). G passes all statistical tests if for all T, there exists a negligible function η(k) such that for all k,

  |Pr[experiment-pr(k) → 1] − Pr[experiment-r(k) → 1]| ≤ η(k).

(Here and below, for ease of notation, we will often use → instead of "outputs.")

Note that the definition above means that a pseudorandom string can be used in place of a random one in any polynomial-time computation without any noticeable effect. Thus, this definition of pseudorandomness is useful also outside cryptography, for any randomized computation (e.g., Monte-Carlo simulations, primality testing, etc.).

3.2 Equivalence to Unpredictability

Theorem 1 ([Yao82]). An algorithm G is a pseudorandom generator if and only if it passes all statistical tests....
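The following is an added example, not part of Reyzin's notes, that runs experiment-pr and experiment-r from Definition 1 in code. The generator G(x) = x || parity(x) (so l(k) = k + 1) and the two tests are assumptions chosen for illustration. Because k is small, both probabilities are computed exactly by enumerating every seed and every l(k)-bit string rather than by sampling. The first test is one of the pre-cryptographic tests mentioned above (is the count of 1's close to l/2?) and it has zero advantage against this G at k = 8; the second is a test the adversary tailors to G, and it has advantage 1/2 for every k, which is not bounded by any negligible η(k), so G fails Definition 1 even though it passes the frequency test. (This G is also next-bit predictable, so it does not separate the two notions; it only shows why "any test the adversary can devise" is the right quantifier.)

```python
"""Added example: a statistical test T in experiment-pr versus experiment-r.

Toy generator (assumed for illustration, not from the notes):
    G(x) = x || parity(x),   so l(k) = k + 1.
Probabilities are exact: every k-bit seed and every l(k)-bit string is enumerated.
"""
from fractions import Fraction
from itertools import product
from math import isqrt
from typing import Callable, Dict, Iterable, Tuple

Bits = Tuple[int, ...]
Generator = Callable[[Bits], Bits]
Test = Callable[[Bits], int]  # a statistical test outputs 0 or 1


def all_strings(n: int) -> Iterable[Bits]:
    """Every bit string of length n, as tuples of 0/1."""
    return product((0, 1), repeat=n)


def g_parity(x: Bits) -> Bits:
    """Toy generator: the seed followed by the XOR of its bits."""
    return x + (sum(x) % 2,)


def experiment_pr(G: Generator, T: Test, k: int) -> Fraction:
    """Pr[experiment-pr(k) -> 1]: random k-bit x, y = G(x), output T(y)."""
    hits = sum(T(G(x)) for x in all_strings(k))
    return Fraction(hits, 2 ** k)


def experiment_r(T: Test, l: int) -> Fraction:
    """Pr[experiment-r(k) -> 1] with l = l(k): random l-bit y, output T(y)."""
    hits = sum(T(y) for y in all_strings(l))
    return Fraction(hits, 2 ** l)


def advantage(G: Generator, T: Test, k: int) -> Fraction:
    """|Pr[experiment-pr(k) -> 1] - Pr[experiment-r(k) -> 1]| for one k."""
    l = len(G((0,) * k))  # read l(k) off the generator's output length
    return abs(experiment_pr(G, T, k) - experiment_r(T, l))


def frequency_test(y: Bits) -> int:
    """Pre-cryptographic test: accept iff #1's is within sqrt(l) of l/2.

    Written as |2*ones - l| <= 2*floor(sqrt(l)) to stay in integers.
    """
    l = len(y)
    return int(abs(2 * sum(y) - l) <= 2 * isqrt(l))


def parity_test(y: Bits) -> int:
    """Adversary's test tailored to G: accept iff the last bit is the XOR of the rest."""
    return int(y[-1] == sum(y[:-1]) % 2)


def parity_advantage_by_k(k_max: int) -> Dict[int, Fraction]:
    """Advantage of parity_test against g_parity for k = 1..k_max.

    G(x) always satisfies the test, while exactly half of all (k+1)-bit strings
    do, so the advantage is the constant 1/2: it does not shrink with k, hence
    no negligible eta(k) bounds it and G fails Definition 1.
    """
    return {k: advantage(g_parity, parity_test, k) for k in range(1, k_max + 1)}


if __name__ == "__main__":
    k = 8
    for name, T in (("frequency", frequency_test), ("parity", parity_test)):
        print(f"{name:9s} k={k}: Pr_pr={experiment_pr(g_parity, T, k)} "
              f"Pr_r={experiment_r(T, k + 1)} adv={advantage(g_parity, T, k)}")
    print("parity advantage by k:", parity_advantage_by_k(6))
```

The frequency test's advantage at k = 8 is exactly 0: the number of 1's in G(x) is always even, but the accepting set {2,...,7} is symmetric about l/2 = 4.5 and l = 9 is odd, so the even-weight mass under G equals the total mass under uniform y. Replacing `frequency_test` by a longest-run-of-0's test is a one-line change if you want to check the other test mentioned in the text.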
This document was uploaded on 02/27/2012.
- Spring '09