Next-bit test

In cryptography and the theory of computation, the next-bit test[1] is a test against pseudo-random number generators. We say that a sequence of bits passes the next-bit test if, for every position $i$ in the sequence, an attacker who knows the first $i$ bits cannot predict the $(i+1)$st bit with reasonable computational power.

Precise statement(s)

Let $P$ be a polynomial, and $S = \{S_k\}$ be a collection of sets such that $S_k$ contains $P(k)$-bit long sequences. Moreover, let $\mu_k$ be the probability distribution of the strings in $S_k$.

We now define the next-bit test in two different ways.

Boolean circuit formulation

A predicting collection[2] $C = \{C_k^i\}$ is a collection of boolean circuits such that each circuit $C_k^i$ has fewer than $P_C(k)$ gates and exactly $i$ inputs, where $P_C$ is a polynomial. Let $p_{k,i}^C$ be the probability that, on input the first $i$ bits of $s$, a string selected from $S_k$ with probability $\mu_k(s)$, the circuit correctly predicts $s_{i+1}$, i.e.:

$$p_{k,i}^C = \mathcal{P}\left[\, C_k^i(s_1 \ldots s_i) = s_{i+1} \;\middle|\; s \in S_k \text{ with probability } \mu_k(s) \,\right]$$

Now, we say that $\{S_k\}_k$ passes the next-bit test if for any predicting collection $C$ and any polynomial $Q$:

$$p_{k,i}^C < \frac{1}{2} + \frac{1}{Q(k)}$$

Probabilistic Turing machines

We can also define the next-bit test in terms of probabilistic Turing machines, although this definition is somewhat stronger (see Adleman's theorem). Let $\mathcal M$ be a probabilistic Turing machine working in polynomial time. Let $p_{k,i}^{\mathcal M}$ be the probability that $\mathcal M$ predicts the $(i+1)$st bit correctly, i.e.:

$$p_{k,i}^{\mathcal M} = \mathcal{P}\left[\, \mathcal M(s_1 \ldots s_i) = s_{i+1} \;\middle|\; s \in S_k \text{ with probability } \mu_k(s) \,\right]$$

We say that the collection $S = \{S_k\}$ passes the next-bit test if for all polynomials $Q$, for all but finitely many $k$, and for all $0 < i < k$:

$$p_{k,i}^{\mathcal M} < \frac{1}{2} + \frac{1}{Q(k)}$$

Completeness for Yao's test

The next-bit test is a particular case of Yao's test for random sequences, and passing it is therefore a necessary condition for passing Yao's test. However, Yao has also shown it to be a sufficient condition.[1]

We prove it now in the case of probabilistic Turing machines, since Adleman has already done the work of replacing randomization with non-uniformity in his theorem. The case of boolean circuits cannot be derived from this case (since it involves deciding potentially undecidable problems), but the proof of Adleman's theorem can easily be adapted to the case of non-uniform families of boolean circuits.

Let $\mathcal M$ be a distinguisher for the probabilistic version of Yao's test, i.e. a probabilistic Turing machine running in polynomial time, such that there is a polynomial $Q$ for which, for infinitely many $k$,

$$\left| p_{k,S}^{\mathcal M} - p_{k,U}^{\mathcal M} \right| \geq \frac{1}{Q(k)}$$

where $p_{k,S}^{\mathcal M}$ and $p_{k,U}^{\mathcal M}$ denote the probabilities that $\mathcal M$ outputs 1 on an input drawn from $S_k$ (with distribution $\mu_k$) and on an input drawn uniformly from $\{0,1\}^{P(k)}$, respectively.

Let $R_{k,i} = \{ s_1 \ldots s_i\, u_{i+1} \ldots u_{P(k)} \mid s \in S_k,\ u \in \{0,1\}^{P(k)} \}$. We have $R_{k,0} = \{0,1\}^{P(k)}$ and $R_{k,P(k)} = S_k$. Then, by the triangle inequality, we notice that

$$\sum_{i=0}^{P(k)-1} \left| p_{k,R_{k,i+1}}^{\mathcal M} - p_{k,R_{k,i}}^{\mathcal M} \right| \geq \left| p_{k,R_{k,P(k)}}^{\mathcal M} - p_{k,R_{k,0}}^{\mathcal M} \right| = \left| p_{k,S}^{\mathcal M} - p_{k,U}^{\mathcal M} \right| \geq \frac{1}{Q(k)}.$$

Therefore, since the sum has $P(k)$ terms, at least one of the $\left| p_{k,R_{k,i+1}}^{\mathcal M} - p_{k,R_{k,i}}^{\mathcal M} \right|$ must be no smaller than $\frac{1}{Q(k)P(k)}$.

Next, we consider the probability distributions $\mu_{k,i}$ and $\overline{\mu_{k,i}}$ on $R_{k,i}$. Distribution $\mu_{k,i}$ is the probability distribution of choosing the first $i$ bits from $S_k$ with probability given by $\mu_k$, and the $P(k) - i$ remaining bits uniformly at random; $\overline{\mu_{k,i}}$ is the same, except that the $i$th bit is flipped. We thus have:

$$\mu_{k,i}(w_1 \ldots w_{P(k)}) = \left( \sum_{s \in S_k,\ s_1 \ldots s_i = w_1 \ldots w_i} \mu_k(s) \right) \left( \frac{1}{2} \right)^{P(k)-i}$$

$$\overline{\mu_{k,i}}(w_1 \ldots w_{P(k)}) = \left( \sum_{s \in S_k,\ s_1 \ldots s_{i-1}(1-s_i) = w_1 \ldots w_i} \mu_k(s) \right) \left( \frac{1}{2} \right)^{P(k)-i}$$

We thus have $\mu_{k,i} = \frac{1}{2}\left(\mu_{k,i+1} + \overline{\mu_{k,i+1}}\right)$ (a simple calculation shows this), so the distributions $\mu_{k,i+1}$ and $\overline{\mu_{k,i+1}}$ can be distinguished by $\mathcal M$. Without loss of generality, we can assume that $p^{\mathcal M}_{\mu_{k,i+1}} - p^{\mathcal M}_{\overline{\mu_{k,i+1}}} \geq \frac{1}{2} + \frac{1}{R(k)}$, with $R$ a polynomial.

This gives us a possible construction of a Turing machine $\mathcal N$ solving the next-bit test: upon receiving the first $i$ bits of a sequence, $\mathcal N$ pads this input with a guess $l$ for the next bit and then $P(k) - i - 1$ random bits chosen with uniform probability. Then it runs $\mathcal M$, and outputs $l$ if the result is 1, and $1 - l$ otherwise.
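Both the definition of $p_{k,i}$ above and this reduction from a Yao distinguisher to a next-bit predictor can be run on a toy instance. The following Python is an added example, not code from the article: it assumes a constructed $S_k$ of 8-bit strings whose last bit is the parity of the first seven (so $\mu_k$ is uniform over 128 strings) and a hypothetical distinguisher $\mathcal M$ that simply checks that parity relation, and it computes the hybrid gaps $|p_{k,R_{k,i+1}} - p_{k,R_{k,i}}|$ and the success probability of the predictor $\mathcal N$ exactly, by enumeration rather than sampling.

```python
from fractions import Fraction
from itertools import product

P_K = 8  # P(k): length of every sequence in the toy S_k

def parity(bits):
    return sum(bits) % 2

# Constructed toy S_k: all 8-bit strings whose last bit equals the parity of
# the first seven. mu_k is uniform over these 128 strings. Bit 8 is fully
# determined by bits 1..7, so this "generator" fails the next-bit test at i = 7.
S_K = [tuple(b) + (parity(b),) for b in product((0, 1), repeat=P_K - 1)]

def distinguisher(w):
    """Hypothetical Yao distinguisher M: outputs 1 iff w satisfies the S_k relation."""
    return 1 if w[-1] == parity(w[:-1]) else 0

def accept_prob_hybrid(i):
    """Exact p_{k,R_{k,i}}^M: first i bits drawn from S_k, the other P(k)-i uniform."""
    total = Fraction(0)
    for s in S_K:
        for u in product((0, 1), repeat=P_K - i):
            total += distinguisher(s[:i] + u)
    return total / (len(S_K) * 2 ** (P_K - i))

def best_hybrid_gap():
    """Index i maximising |p_{k,R_{k,i+1}} - p_{k,R_{k,i}}| and that gap;
    the triangle inequality guarantees gap >= |p_S - p_U| / P(k)."""
    gaps = [abs(accept_prob_hybrid(i + 1) - accept_prob_hybrid(i)) for i in range(P_K)]
    i_star = max(range(P_K), key=lambda i: gaps[i])
    return i_star, gaps[i_star]

def predictor_success(i):
    """Exact p_{k,i}^N for the predictor N built from M: guess l for bit i+1,
    pad with P(k)-i-1 uniform bits, run M, answer l if M outputs 1 else 1-l."""
    total = Fraction(0)
    for s in S_K:
        for l in (0, 1):
            for u in product((0, 1), repeat=P_K - i - 1):
                answer = l if distinguisher(s[:i] + (l,) + u) == 1 else 1 - l
                total += int(answer == s[i])
    return total / (len(S_K) * 2 * 2 ** (P_K - i - 1))

if __name__ == "__main__":
    i_star, gap = best_hybrid_gap()
    print(f"|p_S - p_U| = {accept_prob_hybrid(P_K) - accept_prob_hybrid(0)}")
    print(f"largest hybrid gap {gap} at i = {i_star}")
    for i in (3, i_star):
        print(f"predictor success at i = {i}: {predictor_success(i)}")
```

At positions where the sequence is still unpredictable (for instance $i = 3$) the predictor does no better than $\frac{1}{2}$, while at the hybrid index with the largest gap ($i = 7$) it predicts the next bit with certainty.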

References

  1. Andrew Chi-Chih Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 1982.
  2. Manuel Blum and Silvio Micali. How to generate cryptographically strong sequences of pseudo-random bits. SIAM Journal on Computing, Vol. 13, No. 4, November 1984.

Wikimedia Foundation. 2010.
