Pseudorandomness - Foundations of Cryptography-A Primer

Cryptography Reference

In-Depth Information

looking” function f s (determining 2 n -many values), merely need to gen-

erate and share among themselves the n -bit seed s .(Forexample,one

party may randomly select the seed s , and communicate it, via a secure

channel, to all other parties.) Sharing a pseudorandom function allows

parties to determine (by themselves and without any further commu-

nication) random-looking values depending on their current views of

the environment (which need not be known a priori). To appreciate the

potential of this tool, one should realize that sharing a pseudorandom

function is essentially as good as being able to agree, on the fly, on the

association of random values to (on-line) given values, where the latter

are taken from a huge set of possible values. We stress that this agree-

ment is achieved without communication and synchronization: When-

ever some party needs to associate a random value to a given value,

(by setting r v = f s ( v ), where f s is a pseudorandom function agreed

upon beforehand).

n , it will associate to v the (same) random value r v ∈{

∈{

0 , 1

}

0 , 1

}

Theorem 3.5. ((68), see (65, Sec. 3.6.2)): Pseudorandom functions

can be constructed using any pseudorandom generator.

Proof sketch: Let G be a pseudorandom generator that stretches its

seed by a factor of two (i.e., ( n )=2 n ), and let G 0 ( s )(resp., G 1 ( s ))

denote the first (resp., last)

bits in G ( s ). Define

G σ |s| ···σ 2 σ 1 ( s ) de = G σ |s| (

···

G σ 2 ( G σ 1 ( s ))

···

) .

} |s| } s∈{ 0 , 1 } ∗ ,

where f s ( x ) de = G x ( s ). Pictorially, the function f s is defined by n -step

walks down a full binary tree of depth n having labels at the vertices.

The root of the tree, hereafter referred to as the level 0 vertex of the

tree, is labeled by the string s . If an internal vertex is labeled r then

its left child is labeled G 0 ( r ) whereas its right child is labeled G 1 ( r ).

The value of f s ( x ) is the string residing in the leaf reachable from the

root by a path corresponding to the string x .

We claim that the function ensemble

} |s| →{

We consider the function ensemble

{

f s :

{

0 , 1

f s } s∈{ 0 , 1 } ∗ , defined above, is

pseudorandom. The proof uses the hybrid technique: The i th

{

hybrid,

Foundations of Cryptography-A Primer

Search WWH ::

Custom Search

Home