1 / 13

Understanding Secure Pseudorandom Generators and Statistical Tests

This course delves into the principles of secure pseudorandom generators (PRGs) in cryptography. Learn how to define indistinguishability through statistical tests and explore examples illustrating the statistical advantage of distinguishing algorithms. We will analyze the characteristics of secure PRGs, including unpredictability and their implications in cryptographic security. By examining theoretical foundations as well as practical applications, participants will gain a comprehensive understanding of PRGs and their importance in modern cryptography.

eloise
Télécharger la présentation

Understanding Secure Pseudorandom Generators and Statistical Tests

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Online Cryptography Course Dan Boneh Stream ciphers PRG Security Defs

  2. Let G:K ⟶ {0,1}n be a PRG Goal: define what it means that is “indistinguishable” from

  3. Statistical Tests Statistical teston {0,1}n: an alg. A s.t. A(x) outputs “0” or “1” Examples:

  4. Statistical Tests More examples:

  5. Advantage Let G:K ⟶{0,1}n be a PRG and A a stat. test on {0,1}n Define: A silly example: A(x) = 0 ⇒ AdvPRG [A,G] = 0

  6. Suppose G:K ⟶{0,1}n satisfies msb(G(k)) = 1 for2/3 of keys in K Define stat. test A(x) as: if [ msb(x)=1 ] output “1” else output “0” Then AdvPRG[A,G] = |Pr[ A(G(k))=1] - Pr[ A(r)=1 ] | = | 2/3 – 1/2 | = 1/6

  7. Secure PRGs: crypto definition Def: We say that G:K ⟶{0,1}n is a secure PRG if Are there provably secure PRGs? but we have heuristic candidates.

  8. Easy fact: a secure PRG is unpredictable We show: PRG predictable ⇒ PRG is insecure Suppose A is an efficient algorithm s.t. for non-negligible ε (e.g. ε = 1/1000)

  9. Easy fact: a secure PRG is unpredictable Define statistical test B as:

  10. Thm(Yao’82): an unpredictable PRG is secure Let G:K ⟶{0,1}n be PRG “Thm”: if ∀ i ∈ {0, … , n-1} PRG G is unpredictable at pos. i then G is a secure PRG. If next-bit predictors cannot distinguish G from random then no statistical test can !!

  11. Let G:K ⟶{0,1}n be a PRG such that from the last n/2 bits of G(k) it is easy to compute the first n/2 bits. Is G predictable for some i ∈ {0, … , n-1} ? Yes No

  12. More Generally Let P1 and P2 be two distributions over {0,1}n Def: We say that P1 and P2 are computationally indistinguishable (denoted ) Example: a PRG is secure if { k ⟵K : G(k) }≈p uniform({0,1}n) R

  13. End of Segment

More Related