PPT-Cryptography Lecture 6 Pseudorandom generators (PRGs) Let G be an efficient, deterministic

Cryptography Lecture 6 Pseudorandom generators PRGs Let G be an efficient deterministic algorithm that expands a short seed into a longer output Specifically let Gx px G is a PRG if when the distribution of x is uniform the distribution of Gx is indistinguishable from uniform. uoagr Abstract Pseudorandom sequences have many applications in cryp tography and spread spectrum communications In this dissertation on one hand we develop tools for assessing the randomness of a sequence and on the other hand we propose new constru Raghu Meka (IAS). Parikshit Gopalan, Omer Reingold (MSR-SVC) Luca Trevian (Stanford), Salil Vadhan (Harvard). Can we generate random bits?. Can we generate random bits?. Pseudorandom Generators. Stretch bits to fool a class of “test functions” . 1. Raghu. . Meka. UT Austin. (joint work with David Zuckerman). Polynomial Threshold Functions. 2. Applications. : Complexity theory, learning theory, voting theory, quantum computing. Halfspaces. 3. 3b. . Pseudorandomness. .. B. ased on: Jonathan . Katz and Yehuda . Lindell. . Introduction . to . Modern Cryptography. 2. Pseudorandomness. An introduction. A distribution . D. is pseudorandom if no PPT . Based on: William . Stallings, Cryptography and Network Security . . Chapter 7. Pseudorandom Number Generators . and Stream Ciphers. Random Numbers. A number of cryptographic protocols make use of random binary numbers:. Cryptography Lecture 8 Pseudorandom functions Keyed functions Let F: {0,1} * x {0,1} *  {0,1} * be an efficient, deterministic algorithm Define F k (x) = F(k, x) The first input is called the Cryptography Lecture 7 Pseudorandom functions Keyed functions Let F: {0,1} * x {0,1} *  {0,1} * be an efficient, deterministic algorithm Define F k (x) = F(k, x) The first input is called the Cryptography Lecture 6 Clicker quiz Let G(x) = x || parity(x). Which of the following proves that G is not a pseudorandom generator? G is not expanding Consider the following distinguisher D: D(y) outputs 1 k. c. m. c. . . . Enc. k. (m). k. m. 1. c. 1. . . . Enc. k. (m. 1. ). m. 2. c. 2. . . . Enc. k. (m. 2. ). c. 1. c. 2. Is the threat model too strong?. In practice, there are many ways an attacker can . Crypto is amazing. Can do things that initially seem impossible. Crypto is important. It impacts each of us every day. Crypto is fun!. Deep theory. Attackers’ mindset. Necessary administrative stuff. Keyed functions. Let F: {0,1}. *. x {0,1}. *. .  {0,1}. *. be an efficient, deterministic algorithm. Define . F. k. (x) = F(k, x). The first input is called the . key. A. ssume F is . length preserving. Which of the following encryption schemes is CPA-secure (G is a PRG, F is a PRF)?. Enc. k. (m) chooses uniform r; outputs <r, G(r) .  . m>. Enc. k. (m) chooses uniform r; outputs <r, . F. Our goal. Cover basic number theory quickly!. Cover the minimum needed for all the applications we will study. Some facts stated without proof. Can take entire classes devoted to this material. Abstracting some of the ideas makes things easier to understand. . (PRGs). Let G be an efficient, deterministic algorithm . that expands a . short . seed. . into a . longer . output. Specifically, let |G(x)| = p(|x|). G is a PRG if: when the distribution of x is uniform, the distribution of G(x) is “indistinguishable from uniform”.