Computational indistinguishability

From CRYPTUTOR

Two (ensembles of) probability distributions are computationally indistinguishable if no efficient computation shows significantly different behavior when provided inputs sampled according to one distribution or the other.

[edit]

Definition

Two ensembles of probability distributions, $\{\mathcal{T}_k\}_k$ and $\{\mathcal{V}_k\}_k$ , indexed by a security parameter $k\,$ , are said to be computationally indistinguishable if for all non-uniform PPT machines $A$ , the following difference is negligible (in $k$ ):

$\Pr_{x\leftarrow \mathcal{T}_k}[A(x)=1] - \Pr_{x\leftarrow \mathcal{V}_k}[A(x)=1]$ .

A weaker variant of this definition is to consider only uniform adversaries.

The distributions $\mathcal{T}_k$ and $\mathcal{V}_k$ are generally over $\{0,1\}^{\ell(k)}$ for some polynomial $\ell$ . When the ensembles and security parameter are understood, we often state that $\mathcal{T}_k$ and $\mathcal{V}_k$ are computationally indistinguishable.

[edit]

Transitivity

Computational indistinguishability is transitive when applied on a polynomial (in the security parameter) sequence of distributions.

Suppose the distribution ensembles $\{\mathcal{T}^{(i)}_k\}_k$ and $\{\mathcal{T}^{(i+1)}_k\}_k$ are computationally indistinguishable, for $i \in \{1, \ldots, t(k)\}$ , where $t$ is a polynomial. Then the extreme distributions $\{\mathcal{T}^{(1)}_k\}_k$ and $\{\mathcal{T}^{(t(k))}_k\}_k$ are also computationally indistinguishable.

This is true because if the two extreme distributions could be distinguished with probability $\epsilon\,$ , then by the pigeonhole principle, some adjacent pair of distributions could be distinguished with probability at least $\epsilon/t(k)\,$ . By our assumption about adjacent pairs of distributions, this probability is negligible in $k$ . Since a polynomial times a negligible function remains negligible, $\epsilon\,$ is negligible.

This transitivity property a fact commonly used in proofs which use a hybrid argument.

[edit]

Pseudorandom Distribution

An ensemble $\{\mathcal{T}_k\}_k$ of distributions over $\{0,1\}^{\ell(k)}$ is said to be pseudorandom if it is computationally indistinguishable from the uniform distribution over $\{0,1\}^{\ell(k)}$ .

As above, when the ensemble and security parameter are understood, we often state that $\mathcal{T}_k$ is a pseudorandom distribution.

Retrieved from "http://crypto.cs.uiuc.edu/wiki/index.php/Computational_indistinguishability"

Computational indistinguishability

From CRYPTUTOR

Definition

Transitivity

Pseudorandom Distribution

Views

Personal tools

Navigation

Search

Toolbox