NUEVAS TENDENCIAS EL FUTURO DEL BENCHMARKING

Proof of Theorem 3.6.6: Clearly, the ensemble Fis efficiently computable. To prove thatFis pseudorandom, we use the hybrid technique. Thekth hybrid will be assigned a function that results from uniformly selecting labels for the vertices of the kth (highest) level of the tree and computing the labels for lower levels as in Construction 3.6.5. The 0 hybrid will correspond to the random variable Fn(since a uniformly chosen label is assigned to the root), whereas thenhybrid

will correspond to the uniform random variable Hn (since a uniformly chosen

label is assigned to each leaf). It will be shown that an efficient oracle machine distinguishing neighboring hybrids can be transformed into an algorithm that distinguishes polynomially many samples of G(Un) from polynomially many

samples ofU2n. Using Theorem 3.2.6, we derive a contradiction to the hypothesis

(thatGis a pseudorandom generator). Details follows.

For every k, with 0≤k ≤n, we define a hybrid distribution Hk

n, assigned

as values functions f:{0,1}n→{0,1}n, as follows. For every s1,s2, . . . ,s2k ∈ {0,1}n_{, we define a function f} s1,...,s₂k:{0,1} n_→{0,1}n_{such that} fs1,...,s₂k(σ1σ2· · ·σn) def =G_σn · · ·G_σk+2 G_σk+1 sidx(σk···σ1) · · ·

where idx(α) is the index of α in the standard lexicographic order of binary strings of length |α|. Namely, fs1,...,s₂k(x) is computed by first using thek-bit- long prefix ofxto determine one of thesj’s and then using the (n−k)-bit-long

3.6. PSEUDORANDOM FUNCTIONS

remaining stages (of Construction 3.6.5). The random variable Hk

n is uniformly

distributed over the (2n₎2k_{possible functions (corresponding to all possible choices}

ofs1,s2, . . . ,s2k ∈ {0,1}n). Namely, H_nkdef= f Un(1),...,U(2 k₎ n whereU(j)

n ’s are independent random variables, each uniformly distributed over

{0,1}n_.

At this point it is clear that H0

n is identical with Fn, whereas Hnn is identical

to Hn. Again, as is usual in the hybrid technique, the ability to distinguish the

extreme hybrids yields the ability to distinguish a pair of neighboring hybrids. This ability is further transformed so that contradiction to the pseudorandomness ofG is reached. Further details follow.

We assume, in contradiction to the theorem, that the function ensemble F is not pseudorandom. It follows that there exists a probabilistic polynomial-time oracle machineM and a polynomial p(·) such that for infinitely manyn’s,

(n)def=PrMFn₍₁n₎=₁ −Pr_MHn₍₁n₎=₁ > 1 p(n)

Lett(·) be a polynomial bounding the running time ofM(1n_{) (such a polynomial}

exists becauseM is a polynomial-time machine). It follows that on input 1n_{, the}

oracle machine M makes at mostt(n) queries (since the number of queries is clearly bounded by the running time). Using the machine M, we construct an algorithmDthat distinguishes thet(·)-product of the ensemble{G(Un)}n_∈Nfrom

thet(·)-product of the ensemble{U2n}n∈Nas follows.

AlgorithmD: On inputα1, . . . , αt ∈ {0,1}2n (witht =t(n)), algorithmDpro-

ceeds as follows. First, D selects uniformlyk∈ {0,1, . . . ,n−1}. This random choice, hereafter called thecheckpoint, is the only random choice made byDit- self. Next, algorithmDinvokes the oracle machineM(on input 1n_{) and answers} M’s queries as follows. The first query of machineM, denotedq1, is answered by

G_σn· · ·G_σk+2P_σk+1(α1)

· · ·

whereq1 =σ1· · ·σn, (α1is the first input string) andP0(α) (resp.,P1(α)) denotes

then-bit prefix ofα(resp., then-bit suffix ofα). In addition, algorithmDrecords this query (i.e.,q1). Each subsequent query is answered by first checking to see

if itsk-bit-long prefix equals thek-bit-long prefix of a previous query. In case the k-bit-long prefix of the current query, denotedqi, is different from thek-bit-long

prefixes of all previous queries, we associate this prefix with a new input string (i.e.,αi). Namely, we answer queryqi by

G_σn · · ·G_σk+2 P_σk+1(αi) · · ·

where qi =σ1· · ·σn. In addition, algorithm D records the current query (i.e., qi). The other possibility is that thek-bit-long prefix of theith query equals the k-bit-long prefix of some previous query. Let j be the smallest integer such that thek-bit-long prefix of theith query equals thek-bit-long prefix of the jth query

PSEUDORANDOM GENERATORS

(by hypothesis, j <i). Then we record the current query (i.e.,qi), but answer it

using the string associated with queryqj (i.e., the input stringαj). Namely, we

answer queryqi by

G_σn· · ·G_σk+2P_σk+1(αj)

· · ·

whereqi =σ1· · ·σn. Finally, when machineM halts, algorithmDhalts as well

and outputs the same output asM.

Pictorially, algorithmDanswers the first query by first placing the two halves of α1in the corresponding children of the tree’s vertex reached by following the path

from the root corresponding toσ1· · ·σk. The labels of all vertices in the subtree

corresponding to σ1· · ·σk are determined by the labels of these two children

(as in the construction of F). Subsequent queries are answered by following the corresponding paths from the root. In case the path does not pass through a (k+1)-level vertex that already has a label, we assign this vertex and its sibling a new string (taken from the input). For the sake of simplicity, in case the path of theith query requires a new string, we use theith input string (rather than the first input string not used thus far). In case the path of a new query passes through a (k+1)-level vertex that has already been labeled, we use this label to compute the labels of subsequent vertices along this path (and in particular the label of the leaf). We stress that the algorithmdoes notcompute the labels ofallvertices in a subtree corresponding toσ1· · ·σk (although these labels are determined by

the label of the vertex corresponding toσ1· · ·σk), but rather computes only the

labels of vertices along the paths corresponding to the queries.

Clearly, algorithm D can be implemented in polynomial time. It is left to evaluate its performance. The key observation is the correspondence between D’s actions on checkpointkand the hybridskandk+1: