Computational indistinguishability

From CRYPTUTOR

Revision as of 10:12, 31 December 2006; view current revision
←Older revision | Newer revision→

Two (ensembles of) probability distributions are computationally indistinguishable if no efficient computation shows significantly different behavior when provided inputs sampled according to one distribution or the other.

[edit]

Definition

Two ensembles of probability distributions, $\{\mathcal{T}_k\}_k$ and $\{\mathcal{V}_k\}_k$ , indexed by a security parameter $k\,$ , are said to be computationally indistinguishable if for all non-uniform PPT machines $A$ , the following difference is negligible (in $k$ ):

$\Pr_{x\leftarrow \mathcal{T}_k}[A(x)=1] - \Pr_{x\leftarrow \mathcal{V}_k}[A(x)=1]$ .

A weaker variant of this definition is to consider only uniform adversaries.

The distributions $\mathcal{T}_k$ and $\mathcal{V}_k$ are generally over $\{0,1\}^{\ell(k)}$ for some polynomial $\ell$ . When the ensembles and security parameter are understood, we often state that $\mathcal{T}_k$ and $\mathcal{V}_k$ are computationally indistinguishable.

[edit]

Transitivity

Computational indistinguishability is transitive when applied on a polynomial (in the security parameter) sequence of distributions.

Suppose the distribution ensembles $\{\mathcal{T}^{(i)}_k\}_k$ and $\{\mathcal{T}^{(i+1)}_k\}_k$ are computationally indistinguishable, for $i \in \{1, \ldots, t(k)\}$ , where $t$ is a polynomial. Then the extreme distributions $\{\mathcal{T}^{(1)}_k\}_k$ and $\{\mathcal{T}^{(t(k))}_k\}_k$ are also computationally indistinguishable.

This is true because if the two extreme distributions could be distinguished with probability $\epsilon\,$ , then by the pigeonhole principle, some adjacent pair of distributions could be distinguished with probability at least $\epsilon/t(k)\,$ . By our assumption about adjacent pairs of distributions, this probability is negligible in $k$ . Since a polynomial times a negligible function remains negligible, $\epsilon\,$ is negligible.

This transitivity property a fact commonly used in proofs which use a hybrid argument.

[edit]

Pseudorandom Distribution

An ensemble $\{\mathcal{T}_k\}_k$ of distributions over $\{0,1\}^{\ell(k)}$ is said to be pseudorandom if it is computationally indistinguishable from the uniform distribution over $\{0,1\}^{\ell(k)}$ .

As above, when the ensemble and security parameter are understood, we often state that $\mathcal{T}_k$ is a pseudorandom distribution.

Retrieved from "http://crypto.cs.uiuc.edu/wiki/index.php/Computational_indistinguishability"

Computational indistinguishability

From CRYPTUTOR

Definition

Transitivity

Pseudorandom Distribution

Views

Personal tools

Navigation

Search

Toolbox