
The constructions surveyed in this section transform computation difficulty, in the form of one-way functions, into generators of pseudorandomness. Loosely speaking, a polynomial-time computable function is called one-way if any efficient algorithm can invert it only with negligible success probability. For simplicity we consider throughout this section only length-preserving one-way functions.

Definition 3.9 (one-way function): A one-way function, $f$, is a polynomial-time computable function such that for every probabilistic polynomial-time algorithm $A'$, every positive polynomial $p(\cdot)$, and all sufficiently large $k$'s

$$\Pr\left[A'(f(U_k)) \in f^{-1}(f(U_k))\right] < \frac{1}{p(k)}$$

We stress that both occurrences of $U_k$ refer to the same random variable. That is, the above asserts that

$$\sum_{x \in \{0,1\}^k} 2^{-k} \cdot \Pr\left[A'(f(x)) \in f^{-1}(f(x))\right] < \frac{1}{p(k)}$$

Popular candidates for one-way functions are based on the conjectured intractability of Integer Factorization (cf., [295] for state of the art), the Discrete Logarithm Problem (cf., [296] analogously), and decoding of random linear code [182]. The infeasibility of inverting $f$ yields a weak notion of unpredictability: For every probabilistic polynomial-time algorithm $A$ (and sufficiently large $k$), it must be the case that $\Pr_i[A(i, f(U_k)) \neq b_i(U_k)] > 1/2k$, where the probability is taken uniformly over $i \in \{1, \ldots, k\}$ (and $U_k$), and $b_i(x)$ denotes the $i$th bit of $x$. A stronger (and in fact strongest possible) notion of unpredictability is that of a hard-core predicate. Loosely speaking, a polynomial-time computable predicate $b$ is called a hard-core of a function $f$ if every efficient algorithm, given $f(x)$, can guess $b(x)$ with success probability only negligibly better than one half.

⁴ Two probability ensembles, $\{X_k\}_{k\in\mathbb{N}}$ and $\{Y_k\}_{k\in\mathbb{N}}$, are said to be statistically close if for every positive polynomial $p$ and sufficiently large $k$ the variation distance between $X_k$

3.3. THE ARCHETYPICAL CASE 87

Definition 3.10 (hard-core predicate [72]): A polynomial-time computable predicate $b : \{0,1\}^* \mapsto \{0,1\}$ is called a hard-core of a function $f$ if for every probabilistic polynomial-time algorithm $A'$, every polynomial $p(\cdot)$, and all sufficiently large $k$'s

$$\Pr\left[A'(f(U_k)) = b(U_k)\right] < \frac{1}{2} + \frac{1}{p(k)}$$

Clearly, if $b$ is a hard-core of a 1-1 polynomial-time computable function $f$ then $f$ must be one-way.⁵ It turns out that any one-way function can be slightly modified so that it has a hard-core predicate.

Theorem 3.11 (A generic hard-core [183]): Let $f$ be an arbitrary one-way function, and let $g$ be defined by $g(x, r) \stackrel{\text{def}}{=} (f(x), r)$, where $|x| = |r|$. Let $b(x, r)$ denote the inner-product mod 2 of the binary vectors $x$ and $r$. Then the predicate $b$ is a hard-core of the function $g$.

A proof is presented in Appendix C.2. Finally, we get to the construction of pseudorandom generators.

Proposition 3.12 (A simple construction of pseudorandom generators): Let $b$ be a hard-core predicate of a polynomial-time computable 1-1 function $f$. Then, $G(s) \stackrel{\text{def}}{=} f(s)b(s)$ is a pseudorandom generator.

Proof Sketch: Clearly the $|s|$-bit long prefix of $G(s)$ is uniformly distributed (since $f$ is 1-1 and onto $\{0,1\}^{|s|}$). Hence, the proof boils down to showing that distinguishing $f(s)b(s)$ from $f(s)\sigma$, where $\sigma$ is a random bit, yields a contradiction to the hypothesis that $b$ is a hard-core of $f$ (i.e., that $b(s)$ is unpredictable from $f(s)$). Intuitively, such a distinguisher also distinguishes $f(s)b(s)$ from $f(s)\overline{b(s)}$, where $\overline{\sigma} = 1 - \sigma$, and so yields an algorithm for predicting $b(s)$ based on $f(s)$.

In a sense, the key point in the above proof is showing that the (obvious by definition) unpredictability of the output of $G$ implies its pseudorandomness. The fact that (next bit) unpredictability and pseudorandomness are equivalent in general is proven explicitly in the alternative presentation below.

⁵ Functions which are not 1-1 may have hard-core predicates of information theoretic nature; but these are of no use to us here. For example, for $\sigma \in \{0,1\}$, $f(\sigma, x) = 0f'(x)$ has an "information theoretic" hard-core predicate $b(\sigma, x) = \sigma$.

An alternative presentation. Our presentation of the construction of pseudorandom generators, via Construction 3.4 and Proposition 3.12, is analogous to the original construction of pseudorandom generators suggested by Blum and Micali [72]: Given an arbitrary stretch function $\ell : \mathbb{N} \mapsto \mathbb{N}$, a 1-1 one-way function $f$ with a hard-core $b$, one defines

$$G(s) \stackrel{\text{def}}{=} b(x_1)\, b(x_2) \cdots b(x_{\ell(|s|)}),$$

where $x_0 = s$ and $x_i = f(x_{i-1})$ for $i = 1, \ldots, \ell(|s|)$. The pseudorandomness of $G$ is established in two steps, using the notion of (next bit) unpredictability. An ensemble $\{Z_k\}_{k\in\mathbb{N}}$ is called unpredictable if any probabilistic polynomial-time machine obtaining a prefix of $Z_k$ fails to predict the next bit of $Z_k$ with probability non-negligibly higher than $1/2$.

1. One first proves that the ensemble $\{G(U_k)\}_{k\in\mathbb{N}}$, where $U_k$ is uniform over $\{0,1\}^k$, is (next-bit) unpredictable (from right to left) [72]. Loosely speaking, if one can predict $b(x_i)$ from $b(x_{i+1}) \cdots b(x_{\ell(|s|)})$ then one can predict $b(x_i)$ given $f(x_i)$ (i.e., by computing $x_{i+1}, \ldots, x_{\ell(|s|)}$ and so obtaining $b(x_{i+1}) \cdots b(x_{\ell(|s|)})$), in contradiction to the hard-core hypothesis.

2. Next, one uses Yao's observation by which a (polynomial-time constructible) ensemble is pseudorandom if and only if it is (next-bit) unpredictable (cf., [171, Sec. 3.3.4]).

Clearly, if one can predict the next bit in an ensemble then one can certainly distinguish this ensemble from the uniform ensemble (which is unpredictable regardless of computing power). However, here we need the other direction, which is less obvious. Still, using a hybrid argument, one can show that (next bit) unpredictability implies indistinguishability from the uniform ensemble. Specifically, the $i$th hybrid takes the first $i$ bits from the questionable ensemble and the rest from the uniform one. Thus, distinguishing the extreme hybrids implies distinguishing some neighboring hybrids, which in turn implies next-bit predictability.
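As an added illustration (not code from the book, and not a secure instantiation), the following Python puts Theorem 3.11, Proposition 3.12 and the Blum-Micali iteration above together on a toy 1-1 function: discrete exponentiation modulo the Fermat prime 257 with generator 3, shifted so it permutes the 8-bit strings. The prime, generator and seed values are assumed parameters chosen only so that every step can be checked by hand; the function is far too small to be one-way.

```python
# Added toy example (not from the book): Theorem 3.11's generic hard-core,
# Proposition 3.12's one-bit stretch, and the Blum-Micali iteration.
# The "one-way" function is discrete exponentiation modulo the Fermat
# prime 257 (assumed parameters; far too small to be hard to invert).

P, GEN, K = 257, 3, 8      # p = 2^K + 1, so Z_p^* = {1, ..., 2^K} has 2^K elements

def f(x: int) -> int:
    """Toy 1-1, length-preserving function on K-bit strings (kept as ints):
    x -> 3^(x+1) mod 257, shifted back into {0, ..., 2^K - 1}."""
    assert 0 <= x < 2 ** K
    return pow(GEN, x + 1, P) - 1

def is_permutation() -> bool:
    """f is 1-1 and onto {0,1}^K, the property Proposition 3.12's proof uses."""
    return sorted(f(x) for x in range(2 ** K)) == list(range(2 ** K))

def b(x: int, r: int) -> int:
    """Theorem 3.11: inner product mod 2 of the binary vectors x and r."""
    return bin(x & r).count("1") & 1

def g(x: int, r: int) -> tuple:
    """g(x, r) = (f(x), r); still 1-1 because f is, and b is its hard-core."""
    return f(x), r

def to_bits(v: int) -> list:
    """K-bit big-endian expansion of v."""
    return [(v >> i) & 1 for i in reversed(range(K))]

def simple_generator(x: int, r: int) -> list:
    """Proposition 3.12 applied to g: G(s) = g(s) || b(s) for the 2K-bit seed
    s = (x, r). The 2K-bit prefix is a permutation of the seed, hence uniform;
    the extra bit is the hard-core predicate of the seed."""
    fx, r2 = g(x, r)
    return to_bits(fx) + to_bits(r2) + [b(x, r)]

def blum_micali(x: int, r: int, ell: int) -> list:
    """Alternative presentation: x_0 = s, x_i = g(x_{i-1}); output b(x_1)...b(x_ell)."""
    out = []
    for _ in range(ell):
        x, r = g(x, r)     # x_i = g(x_{i-1}); r is carried along unchanged
        out.append(b(x, r))
    return out
```

Because g only permutes the first half of its input, the iteration above is f applied repeatedly to x with the same r, so the i-th output bit is the inner product of f^i(x) with r.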

A general condition for the existence of pseudorandom generators. Recall that given any one-way 1-1 function, we can easily construct a pseudorandom generator. Actually, the 1-1 requirement may be dropped, but the currently known construction – for the general case – is quite complex.

Theorem 3.13 (On the existence of pseudorandom generators [214]): Pseudorandom generators exist if and only if one-way functions exist.

To show that the existence of pseudorandom generators implies the existence of one-way functions, consider a pseudorandom generator $G$ with stretch function $\ell(k) = 2k$. For $x, y \in \{0,1\}^k$, define $f(x, y) \stackrel{\text{def}}{=} G(x)$, and so $f$ is polynomial-time computable (and length-preserving). It must be that $f$ is one-way, or else one can distinguish $G(U_k)$ from $U_{2k}$ by trying to invert and checking the result: Inverting $f$ on its range distribution refers to the distribution $G(U_k)$, whereas the probability that $U_{2k}$ has an inverse under $f$ is negligible.

The interesting direction is the construction of pseudorandom generators based on any one-way function. In general (when $f$ may not be 1-1) the ensemble $f(U_k)$ may not be pseudorandom, and so Construction 3.12 (i.e., $G(s) = f(s)b(s)$, where $b$ is a hard-core of $f$) cannot be used directly. One idea of [214] is to hash $f(U_k)$ to an almost uniform string of length related to its entropy, using Universal Hash Functions [93]. (This is done after guaranteeing that the logarithm of the probability mass of a value of $f(U_k)$ is typically close to the entropy of $f(U_k)$.)⁶ But "hashing $f(U_k)$ down to length comparable to the entropy" means shrinking the length of the output to, say, $k' < k$. This foils the entire point of stretching the $k$-bit seed. Thus, a second idea of [214] is to compensate for the $k - k'$ loss by extracting these many bits from the seed $U_k$ itself. This is done by hashing $U_k$, and the point is that the $(k - k' + 1)$-bit long hash value does not make the inverting task any easier. Implementing these ideas turns out to be more difficult than it seems, and indeed an alternative construction would be most appreciated.

On constructing non-uniformly strong pseudorandom generators. Non-uniformly strong pseudorandom generators (i.e., which produce sequences indistinguishable by polynomial-size circuits as in Definition 3.6) can be constructed analogously using any one-way function which is hard to invert by any non-uniform family of polynomial-size circuits (rather than by probabilistic polynomial-time machines). In fact, the construction can be simplified in this case (cf., [220]).

Advanced comment regarding other strong notions (of pseudorandom generators): An alternative strengthening of Definition 3.1 amounts to explicitly quantifying the resources and success gaps of distinguishers. These quantities will be bounded as a function of the seed length (i.e., $k$) rather than as a function of the sequence which is being examined (i.e., $\ell(k)$). For a class of time bounds $\mathcal{T}$ (e.g., $\mathcal{T} = \{t(k) \stackrel{\text{def}}{=} 2^{c\sqrt{k}}\}_{c\in\mathbb{N}}$) and a class of noticeable functions (e.g., $\mathcal{F} = \{f(k) \stackrel{\text{def}}{=} 1/t(k) : t \in \mathcal{T}\}$), we say that a pseudorandom generator, $G$, is $(\mathcal{T},\mathcal{F})$-strong if for any probabilistic algorithm $D$ having running-time bounded by a function in $\mathcal{T}$ (applied to $k$)⁷, for any function $f$ in $\mathcal{F}$, and for all sufficiently large $k$'s

$$\left|\Pr[D(G(U_k)) = 1] - \Pr[D(U_{\ell(k)}) = 1]\right| < f(k)$$

⁶ Specifically, given an arbitrary one-way function $f'$, one first constructs $f$ by taking a "direct product" of sufficiently many copies of $f'$. For example, for $x_1, \ldots, x_{k^2} \in \{0,1\}^k$, we let $f(x_1, \ldots, x_{k^2}) \stackrel{\text{def}}{=} f'(x_1), \ldots, f'(x_{k^2})$.

⁷ That is, when examining a sequence of length $\ell(k)$ algorithm $D$ makes at most $t(k)$

An analogous strengthening may be applied to the definition of one-way functions. Doing so reveals the weakness of the result in [214]: It only implies that for some $\epsilon > 0$ ($\epsilon = 1/5$ will do), for any $\mathcal{T}$ and $\mathcal{F}$, the existence of $(\mathcal{T},\mathcal{F})$-strong one-way functions implies the existence of $(\mathcal{T}',\mathcal{F}')$-strong pseudorandom generators, where $\mathcal{T}' = \{t(k) \stackrel{\text{def}}{=} t(k^{\epsilon})/\mathrm{poly}(k) : t \in \mathcal{T}\}$ and $\mathcal{F}' = \{f(k) \stackrel{\text{def}}{=} \mathrm{poly}(k) \cdot f(k^{\epsilon}) : f \in \mathcal{F}\}$. What we would like to have is an analogous result with $\mathcal{T}' = \{t(k) \stackrel{\text{def}}{=} t(k)/\mathrm{poly}(k) : t \in \mathcal{T}\}$ and $\mathcal{F}' = \{f(k) \stackrel{\text{def}}{=} \mathrm{poly}(k) \cdot f(k) : f \in \mathcal{F}\}$.
