In this section, we give a definition of so-called "perfect" pseudo-randomness. Loosely speaking, this means a pseudo-random source that can not "efficiently" be distinguished by a computer from a truly random sequence. However, the test for perfect pseudo-randomness is not practically implementable. For a function $f(n)$ ($n \in \mathbb{N}$) we will write $f(n) = O(\nu(n))$ if $f(n) = O(1/g(n))$ $(n \to \infty)$ for every polynomial $g(z)$. In this case, we will say that the function $f(n)$ is negligible. A model $M$ is called a perfect simulation of a source $S$ if for every probabilistic polynomial-time algorithm $D : \mathbb{B}^n \to \mathbb{B}$ we have
$$|P_S(D = 1) - P_M(D = 1)| = O(\nu(n)).$$
66 5 Pseudo-random Number Generators
This means that no probabilistic polynomial algorithm can distinguish $S$ from $M$ with non-negligible probability, or, in other words, that $S$ and $M$ are polynomially indistinguishable. If $D$ did not satisfy the above inequality, then we would say that $D$ is a distinguishing algorithm. The following theorem states that the so-called Comparative Next Bit Test is a test of perfect pseudo-randomness. However, this test is of asymptotic nature and involves a formulation of type "for every polynomial-time algorithm", so it is only of theoretical value, since there are infinitely many such algorithms. But even in theory, up to now it is not yet known if perfect pseudo-random generators actually exist!
Definition 5.1. A source $S$ passes the Comparative Next Bit Test with respect to a model $M$ if, for every $i \in \{1, 2, \ldots, n\}$ and every probabilistic polynomial-time algorithm $A : \mathbb{B}^{i-1} \to \mathbb{B}$, we have that
$$|P_S(A(x^{(i-1)}) = x_i) - P_M(A(x^{(i-1)}) = x_i)| = O(\nu(n)).$$
Theorem 5.5. A model $M$ is a perfect simulation of a source $S$ iff $S$ passes the Comparative Next Bit Test with respect to $M$.
Proof: The "only if"-direction is easy to see by contraposition. What is more difficult is the "if"-direction which we will verify in the following. Suppose $S$ is not a perfect simulation of $M$. We have to prove that $S$ does not pass the Comparative Next Bit Test with respect to $M$. Let $D : \mathbb{B}^n \to \mathbb{B}$ be a distinguishing algorithm, i.e.,
$$|P_S(D(x^{(n)}) = 1) - P_M(D(x^{(n)}) = 1)| \ge n^{-k}$$
for some constant exponent $k$. Let $p^S_i$ denote the probability that the algorithm $D$ gives 1 as output when the first $i$ bits of its input are taken out of the source $S$ and the rest are i.i.d. unbiased random bits. By replacing $S$ by $M$ in the above sentence, we define $p^M_i$ analogously. Consider the difference $d_i := p^S_i - p^M_i$. It holds that $p^S_n = P_S(D(x^{(n)}) = 1)$, $p^M_n = P_M(D(x^{(n)}) = 1)$, $p^S_0 = p^M_0 = P_U(D(x^{(n)}) = 1)$ (where $U$ means a source of genuine independent i.i.d. unbiased random bits). Thus as $d_0 = 0$ and $|d_n| = |p^S_n - p^M_n| \ge n^{-k}$, there must be an $i$ such that $|d_i - d_{i-1}| \ge n^{-(k+1)}$. W.l.o.g. $d_i > 0$. The Comparative Next Bit Test $A$ inputs in $D$ the concatenated bitstring $x^{(n)} = x^{(i-1)} x_i^{(n)}$ (where $x^{(i-1)} \in S$ or $M$ and $x_i^{(n)}$ is a bitstring generated by running the source $U$ $n - i + 1$ times). The output will be $x_i$ if $D(x^{(n)}) = 1$ and $1 - x_i$ else. Now let $x_1, x_2, \ldots, x_i$ be bits produced by $S$ or $M$ and let $q^S$ resp. $q^M$ be the probability that the distinguisher $D$ yields 1 as output when bits number $1, 2, \ldots, i-1$ are given by $x_1, x_2, \ldots, x_{i-1}$, bit number $i$ is $1 - x_i$, and the rest are independent i.i.d. unbiased random bits. Then we have
$$p^S_{i-1} = \frac{p^S_i + q^S}{2}, \qquad p^M_{i-1} = \frac{p^M_i + q^M}{2},$$
and thus
$$P_S(A(x^{(i-1)}) = x_i) = \tfrac12 p^S_i + \tfrac12 (1 - q^S) = \tfrac12 + p^S_i - p^S_{i-1}.$$
On the other hand
$$P_M(A(x^{(i-1)}) = x_i) = \tfrac12 p^M_i + \tfrac12 (1 - q^M) = \tfrac12 + p^M_i - p^M_{i-1},$$
hence $P_S(A(x^{(i-1)}) = x_i) - P_M(A(x^{(i-1)}) = x_i) \ge n^{-(k+1)}$. □
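The hybrid argument of the proof above, carried out numerically as an added example that is not part of the book. The source $S$ (a Markov chain that repeats its previous bit with probability 3/4), the model $M$ (unbiased i.i.d. bits), the distinguisher $D$ (a count of adjacent bit changes) and the block length $n = 8$ are all constructed toy choices. The code computes the hybrid probabilities $p_i$ exactly with rational arithmetic, locates the index $i$ with the largest jump $|d_i - d_{i-1}|$, builds the predictor $A$ exactly as the proof does (guess a bit from $U$, pad with $U$, run $D$, keep or flip the guess), and checks the identity $P(A(x^{(i-1)}) = x_i) = \tfrac12 + p_i - p_{i-1}$ directly rather than trusting the algebra.

```python
from fractions import Fraction
from itertools import product

N = 8  # block length n (constructed toy parameter)


def bits(length):
    """All bit strings of the given length, as tuples."""
    return product((0, 1), repeat=length)


def prob_S(x):
    """Constructed source S: a Markov chain that repeats the previous bit with probability 3/4."""
    p = Fraction(1, 2)
    for a, b in zip(x, x[1:]):
        p *= Fraction(3, 4) if a == b else Fraction(1, 4)
    return p


def prob_M(x):
    """The model M: genuinely i.i.d. unbiased bits."""
    return Fraction(1, 2 ** len(x))


def D(x):
    """Constructed distinguisher: 1 if fewer than n/2 adjacent positions change value."""
    changes = sum(a != b for a, b in zip(x, x[1:]))
    return 1 if 2 * changes < len(x) else 0


def marginal(prob, prefix):
    """P(first len(prefix) bits equal prefix) under the source prob, summing over all suffixes."""
    return sum(prob(prefix + s) for s in bits(N - len(prefix)))


def p_i(prob, i):
    """Hybrid probability p_i: first i bits from prob, remaining n-i bits i.i.d. unbiased."""
    return sum(
        marginal(prob, a) * Fraction(1, 2 ** (N - i)) * D(a + r)
        for a in bits(i)
        for r in bits(N - i)
    )


def predictor_success(prob, i):
    """P(A(x^(i-1)) = x_i) for the predictor A of the proof: A draws a guess c and n-i padding
    bits from U, runs D on x^(i-1) c padding, and outputs c if D returns 1, else 1-c."""
    total = Fraction(0)
    for a in bits(i - 1):
        for xi in (0, 1):
            p_prefix = marginal(prob, a + (xi,))  # P(x^(i-1) = a, x_i = xi) under prob
            hits = Fraction(0)                    # P(A(a) = xi) over A's own coins
            for c in (0, 1):
                for r in bits(N - i):
                    out = c if D(a + (c,) + r) == 1 else 1 - c
                    hits += Fraction(1, 2 ** (N - i + 1)) * (out == xi)
            total += p_prefix * hits
    return total


def identity_holds(prob, i):
    """The proof's identity P(A(x^(i-1)) = x_i) = 1/2 + p_i - p_{i-1}, checked exactly."""
    return predictor_success(prob, i) == Fraction(1, 2) + p_i(prob, i) - p_i(prob, i - 1)


def hybrid_argument():
    """Find the hybrid index i with the largest jump d_i - d_{i-1} and return
    (i, d_i - d_{i-1}, P_S(A = x_i) - P_M(A = x_i)); the proof says the last two agree."""
    d = [p_i(prob_S, i) - p_i(prob_M, i) for i in range(N + 1)]
    i = max(range(1, N + 1), key=lambda j: abs(d[j] - d[j - 1]))
    gap = predictor_success(prob_S, i) - predictor_success(prob_M, i)
    return i, d[i] - d[i - 1], gap


if __name__ == "__main__":
    i, jump, gap = hybrid_argument()
    print(f"hybrid index {i}: d_i - d_(i-1) = {jump}, predictor advantage = {gap}")
```

Because $d_0 = 0$ and there are only $n$ steps from $d_0$ to $d_n$, the largest jump is at least $|d_n|/n$; this is exactly the pigeonhole step that turns the distinguisher's advantage $n^{-k}$ into the predictor's advantage $n^{-(k+1)}$, and the exact arithmetic lets you see that the predictor's advantage is not merely bounded by the jump but equal to it.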
The property that the Comparative Next Bit Test checks can be called unpredictability, more precisely forwards unpredictability. Since the property of a pseudorandom number generator to be perfectly pseudorandom or not does not change if the output bits are taken in reverse order, forwards unpredictability is equivalent to backwards unpredictability.
A permutation $f(\cdot)$ is called one-way, if its result can be calculated in polynomial time, but on the other hand, for any probabilistic polynomial-time algorithm $A$ the probability $P(A(f(x)) = x)$ is negligible. A predicate (bit) $B(\cdot)$ is called hard-core for the permutation $f(\cdot)$ if $B(f(\cdot))$ can be determined in polynomial time whereas for all probabilistic polynomial-time algorithms $A$, the difference $P(A(x) = B(x)) - 1/2$ is negligible. If there exists a hard-core bit, then the permutation has to be one-way. Blum and Micali (1984) have proved that every one-way permutation $f(\cdot)$ with hard-core bit $B(\cdot)$ gives rise to a perfect pseudorandom generator as follows:
Theorem 5.6. (Blum and Micali.) Assume $f(\cdot)$ is a one-way permutation with hard-core bit $B(\cdot)$. Then the iteration
$$g(x) = (B(f(x)), B(f(f(x))), B(f(f(f(x)))), \ldots)$$
yields a perfect pseudorandom generator.
Proof: We will show that the above generator is not backwards predictable. Assume the contrary. Then one could guess, in polynomial time and with non-negligible probability of success, the value $B(f^n(x))$ (the $n$-fold iteration of $f$) given the set of values $S = \{B(f^m(x)) : m \ge n + 1\}$. But $S$ can be computed in polynomial time from $f^n(x)$. So one can guess in polynomial time and with probability of success non-negligibly greater than $1/2$ the value $B(f^n(x))$. So $B(\cdot)$ can not be hard-core, since $f^n(x)$ has the same distribution as $f(x)$ by the fact that $f(\cdot)$ is supposed to be a permutation. □
In the Blum-Micali generator, $x$ plays the role of a random seed. So these generators rather serve to improve randomness than produce it.
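The iteration of Theorem 5.6 in code, as an added example that is neither the book's nor Blum and Micali's own implementation. The instantiation is a discrete-logarithm one that the page does not describe: $f(x) = g^x \bmod p$ on $\{1, \ldots, p-1\}$ with $g$ a primitive root, which is a permutation, and, following the page's convention that $B(f(\cdot))$ is the easy direction while guessing $B(x)$ from $x$ is the hard one, the predicate $B(y) = 1$ iff $\log_g y < (p-1)/2$, so that $B(f(x)) = 1$ iff $x < (p-1)/2$. The prime $p = 23$, the generator $g = 5$ and the seed are constructed toy values; at this size $f$ is inverted by a 22-step search, so the instance has no one-wayness and only serves to make the construction and its assumptions checkable.

```python
# Toy parameters (constructed): a tiny prime and a primitive root modulo it.
P = 23
G = 5


def f(x):
    """Candidate one-way permutation of {1, ..., P-1}: modular exponentiation with base G."""
    return pow(G, x, P)


def is_permutation(func, domain):
    """Check the bijectivity Theorem 5.6 assumes of f: the image of the domain is the domain."""
    return {func(x) for x in domain} == set(domain)


def B_of_f(x):
    """Easy direction of the page's hard-core convention: B(f(x)) computed directly from x."""
    return 1 if x < (P - 1) // 2 else 0


def B(y):
    """B(y) itself needs the discrete logarithm of y; brute force is only feasible because P is tiny."""
    for x in range(1, P):
        if pow(G, x, P) == y:
            return B_of_f(x)
    raise ValueError("y is not in the image of f")


def blum_micali(seed, nbits):
    """Output B(f(x)), B(f(f(x))), ... as in Theorem 5.6.

    Only f and the easy direction B(f(.)) are ever evaluated; the state x is the seed advanced
    by f, and the hard-to-guess quantity B(f^n(x)) is never reconstructed from f^n(x) alone."""
    out = []
    x = seed
    for _ in range(nbits):
        out.append(B_of_f(x))  # emit B(f(x)) for the current state
        x = f(x)               # advance the state to f(x)
    return out


if __name__ == "__main__":
    print("f is a permutation:", is_permutation(f, range(1, P)))
    print("bits from seed 3:", blum_micali(3, 8))
```

The two predicates agree, `B(f(x)) == B_of_f(x)` for every `x`, which is what lets the generator avoid the discrete logarithm entirely; the proof of Theorem 5.6 is the statement that anyone who could predict the next output bit from the later ones would be computing `B(y)` from `y`, i.e. the hard direction.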