Flight plan: Difference between revisions

Revision as of 16:49, 31 December 2013

In cryptography and the theory of computation, the next-bit test^[1] is a test against pseudo-random number generators. We say that a sequence of bits passes the next bit test for at any position $i$ in the sequence, if an attacker knows the $i$ first bits, he cannot predict the $(i + 1)$ st with reasonable computational power.

Precise statement(s)

Let $P$ be a polynomial, and $S = {S_{k}}$ be a collection of sets such that $S_{k}$ contains $P (k)$ -bit long sequences. Moreover, let $μ_{k}$ be the probability distribution of the strings in $S_{k}$ .

We now define the next-bit test in two different ways.

Boolean circuit formulation

A predicting collection^[2] $C = {C_{k}^{i}}$ is a collection of boolean circuits, such that each circuit $C_{k}^{i}$ has less than $P_{C} (k)$ gates and exactly $i$ inputs. Let $p_{k, i}^{C}$ be the probability that, on input the $i$ first bits of $s$ , a string randomly selected in $S_{k}$ with probability $μ_{k} (s)$ , the circuit correctly predicts $s_{i + 1}$ , i.e. :

$p_{k, i}^{C} = 𝒫 [C_{k} (s_{1} \dots s_{i}) = s_{i + 1} | s \in S_{k} with probability μ_{k} (s)]$

Now, we say that ${S_{k}}_{k}$ passes the next-bit test if for any predicting collection $C$ , any polynomial $Q$ :

$p_{k, i}^{C} < \frac{1}{2} + \frac{1}{Q (k)}$

Probabilistic Turing machines

We can also define the next-bit test in terms of probabilistic Turing machines, although this definition is somewhat stronger (see Adleman's theorem). Let $ℳ$ be a probabilistic Turing machine, working in polynomial time. Let $p_{k, i}^{ℳ}$ be the probability that $ℳ$ predicts the $(i + 1)$ st bit correctly, i.e.

$p_{k, i}^{ℳ} = 𝒫 [M (s_{1} \dots s_{i}) = s_{i + 1} | s \in S_{k} with probability μ_{k} (s)]$

We say that collection $S = {S_{k}}$ passes the next-bit test if for all polynomial $Q$ , for all but finitely many $k$ , for all $0 < i < k$ :

$p_{k, i}^{ℳ} < \frac{1}{2} + \frac{1}{Q (k)}$

Completeness for Yao's test

The next-bit test is a particular case of Yao's test for random sequences, and passing it is therefore a necessary condition for passing Yao's test. However, it has also been shown a sufficient condition by Yao.^[1]

We prove it now in the case of probabilistic Turing machine, since Adleman has already done the work of replacing randomization with non-uniformity in his theorem. The case of boolean circuits cannot be derived from this case (since it involves deciding potentially undecidable problems), but the proof of Adleman's theorem can be easily adapted to the case of non-uniform boolean circuits families.

Let $ℳ$ a distringuer for the probabilistic version of Yao's test, i.e. a probabilistic Turing machine, running in polynomial time, such that there is a polynomial $Q$ such that for infinitely many $k$

| p_{k, S}^{ℳ} - p_{k, U}^{ℳ} | \geq \frac{1}{Q (k)}

Let $R_{k, i} = {s_{1} \dots s_{i} u_{i + 1} \dots u_{P (k)} | s \in S_{k}, u \in {0, 1}^{P (k)}}$ . We have : $R_{k, 0} = {0, 1}^{P (k)}$ and $R_{k, P (k)} = S_{k}$ . Then, we notice that $\sum_{i = 0}^{P (k)} | p_{k, R_{k, i + 1}}^{ℳ} - p_{k, R_{k, i}}^{ℳ} | \geq | p_{k, R_{k, P (k)}}^{ℳ} - p_{k, R_{k, 0}}^{ℳ} | = | p_{k, S}^{ℳ} - p_{k, U}^{ℳ} | \geq \frac{1}{Q (k)}$ . Therefore, at least one of the $| p_{k, R_{k, i + 1}}^{ℳ} - p_{k, R_{k, i}}^{ℳ} |$ should be no smaller than $\frac{1}{Q (k) P (k)}$ .

Next, we consider probability distributions $μ_{k, i}$ and $\overline{μ_{k, i}}$ on $R_{k, i}$ . Distribution $μ_{k, i}$ is the probability distribution of choosing the $i$ first bits in $S_{k}$ with probability given by $μ_{k}$ , and the $P (k) - i$ remaining bits uniformly at random. We have thus :

$μ_{k, i} (w_{1} \dots w_{P (k)}) = (\sum_{s \in S_{k}, s_{1} \dots s_{i} = w_{1} \dots w_{i}} μ_{k} (s)) {(\frac{1}{2})}^{P (k) - i}$

$\overline{μ_{k, i}} (w_{1} \dots w_{P (k)}) = (\sum_{s \in S_{k}, s_{1} \dots s_{i - 1} (1 - s_{i}) = w_{1} \dots w_{i}} μ_{k} (s)) {(\frac{1}{2})}^{P (k) - i}$

We thus have $μ_{k, i} = \frac{1}{2} (μ_{k, i + 1} + \overline{μ_{k, i + 1}})$ (a simple calculus trick shows this), thus distributions $μ_{k, i + 1}$ and $\overline{μ_{k, i + 1}}$ can be distinguished by $ℳ$ . Without loss of generality, we can assume that $p_{μ_{k, i + 1}}^{ℳ} - p_{\overline{μ_{k, i + 1}}}^{ℳ} \geq \frac{1}{2} + \frac{1}{R (k)}$ , with $R$ a polynomial.

This gives us a possible construction of a Turing machine solving the next-bit test : upon receiving the $i$ first bits of a sequence, $𝒩$ pads this input with a guess of bit $l$ and then $P (k) - i - 1$ random bits, chosen with uniform probability. Then it runs $ℳ$ , and outputs $l$ if the result is $1$ , and $1 - l$ else.

References

↑ ^1.0 ^1.1 Andrew Chi-Chih Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 1982.
↑ Manuel Blum and Silvio Micali, How to generate cryptographically strong sequences of pseudo-random bits, in SIAM J. COMPUT., Vol. 13, No. 4, November 1984

[yao82-1] 1.0 ^1.1 Andrew Chi-Chih Yao. Theory and applications of trapdoor functions. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 1982.

[2] Manuel Blum and Silvio Micali, How to generate cryptographically strong sequences of pseudo-random bits, in SIAM J. COMPUT., Vol. 13, No. 4, November 1984

[1]

[2]

@@ Line 1: / Line 1: @@
-Their next step to this fact game''s success is that it produces the impression that it''s a multi player game. I come to feel it''s a fantasy because you don''t do can be necessary directly with different player. You don''t fight and explore in unison like you would in Wow, of play against another player even in the time of with a turn-by-turn justification comparable to Chess. Any time you raid another player''s village, by which player is offline and you could at the type of same time just be particularly raiding a random computer-generated village.<br><br>
+In [[cryptography]] and the [[theory of computation]], the next-bit test<ref name="yao82">[[Andrew Chi-Chih Yao]]. [http://www.busim.ee.boun.edu.tr/~mihcak/teaching/ee684-spring07/proposed-project-papers/one-way-functions/Yao-XOR-Lemma-and-Hard-Core-Predicates/Yao-XOR-original.pdf Theory and applications of trapdoor functions]. In Proceedings of the 23rd IEEE Symposium on Foundations of Computer Science, 1982.</ref> is a test against [[Pseudo-random| pseudo-random number generators]]. We say that a sequence of bits passes the next bit test for at any position <math>i</math> in the sequence, if an attacker knows the <math>i</math> first bits, he cannot predict the <math>(i+1)</math>st with reasonable computational power.
-To understand coins and gems, you will obtain the Clash of Clans hack equipment to clicking on the earn button. Contingent on operating framework that you're utilizing, you will do the trick the downloaded document since admin. Furnish a new log in Id and choose the gadget. Immediately after this, you are enter in the [http://Search.Un.org/search?ie=utf8&site=un_org&output=xml_no_dtd&client=UN_Website_en&num=10&lr=lang_en&proxystylesheet=UN_Website_en&oe=utf8&q=quantity&Submit=Go quantity] of gems or coins that you need to have and start off my Clash of Clans get into instrument.<br><br>If you happen to getting a online business for your little one, look for one which enables numerous customers carry out with each other. Video gaming can undoubtedly solitary action. Nevertheless, it is important regarding motivate your youngster getting to be social, and multi-player clash of clans hack is capable executing that. They empower sisters and brothers coupled with buddies to all among take a moment to laugh and compete alongside one another.<br><br>Online are fun, nonetheless informative also be costly. The costs of gaming and consoles can be more expensive than many people may choose those to be, but this may be eliminated.<br><br>We can use this procedure to acquisition the bulk of any time in the midst of 1hr and one special day. For archetype to acquire the majority of vessel up 4 a endless time, acting x = 15, 400 abnormal and / or you receive y equals 51 gems.<br><br>Playing games is infiltrating houses around the world. Some play these games for work, remember, though , others play them intended for enjoyment. This firm is booming and won't disappear anytime soon. Study for some fantastic recommendations on gaming.<br><br>And all our options are looked into and approved from the best possible virus recognition software not to mention anti-virus in the industry to ensure a security-level as large as you can, in case you fear for protection of your computer or your cellular device, no boueux.  If you want to check out more about [http://prometeu.net clash of clans hack no download] take a look at our web page. In case you nevertheless have nearly doubts, take a examine the movie and you'll get it operates and it's very 100% secure! It takes only a few moments of the time!
+== Precise statement(s) ==
+Let <math>P</math> be a polynomial, and <math>S=\{S_k\}</math> be a collection of sets such that <math>S_k</math> contains <math>P(k)</math>-bit long sequences. Moreover, let <math>\mu_k</math> be the [[probability distribution]] of the strings in <math>S_k</math>.
+We now define the next-bit test in two different ways.
+===Boolean circuit formulation===
+A predicting collection<ref>[[Manuel Blum]] and [[Silvio Micali]], How to generate cryptographically strong sequences of pseudo-random bits, in SIAM J. COMPUT., Vol. 13, No. 4, November 1984</ref> <math>C=\{C_k^i\}</math> is a collection of [[boolean circuits]], such that each circuit <math>C_k^i</math> has less than <math>P_C(k)</math> gates and exactly <math>i</math> inputs. Let <math>p_{k,i}^C</math> be the probability that, on input the <math>i</math> first bits of <math>s</math>, a string randomly selected in <math>S_k</math> with probability <math>\mu_k(s)</math>, the circuit correctly predicts <math>s_{i+1}</math>, i.e. :
+<center>
+<math>
+p_{k,i}^C={\mathcal P} \left[ C_k(s_1\ldots s_i)=s_{i+1} \right | s\in S_k\text{ with probability }\mu_k(s)]
+</math>
+</center>
+Now, we say that <math>\{S_k\}_k</math> passes the next-bit test if for any predicting collection <math>C</math>, any polynomial <math>Q</math> :
+<center>
+<math>p_{k,i}^C<\frac{1}{2}+\frac{1}{Q(k)}</math>
+</center>
+===Probabilistic Turing machines===
+We can also define the next-bit test in terms of [[probabilistic Turing machines]], although this definition is somewhat stronger (see [[P/poly#Adleman's theorem|Adleman's theorem]]). Let <math>\mathcal M</math> be a probabilistic Turing machine, working in polynomial time. Let <math>p_{k,i}^{\mathcal M}</math> be the probability that <math>\mathcal M</math> predicts the <math>(i+1)</math>st bit correctly, i.e.
+<center>
+<math>p_{k,i}^{\mathcal M}={\mathcal P}[M(s_1\ldots s_i)=s_{i+1} | s\in S_k\text{ with probability }\mu_k(s)]</math>
+</center>
+We say that collection <math>S=\{S_k\}</math> passes the next-bit test if for all polynomial <math>Q</math>, for all but finitely many <math>k</math>, for all <math>0<i<k</math>:
+<center>
+<math>
+p_{k,i}^{\mathcal M}<\frac{1}{2}+\frac{1}{Q(k)}
+</math>
+</center>
+== Completeness for Yao's test ==
+The next-bit test is a particular case of [[Yao's test]] for random sequences, and passing it is therefore a [[necessary condition]] for passing [[Yao's test]]. However, it has also been shown a [[sufficient condition]] by [[Andrew Chi-Chih Yao|Yao]].<ref name="yao82"/>
+We prove it now in the case of probabilistic Turing machine, since [[Leonard Adleman|Adleman]] has already done the work of replacing randomization with non-uniformity in [[Adleman's theorem|his theorem]]. The case of boolean circuits cannot be derived from this case (since it involves deciding potentially undecidable problems), but the proof of Adleman's theorem can be easily adapted to the case of non-uniform boolean circuits families.
+Let <math>\mathcal M</math> a distringuer for the probabilistic version of Yao's test, i.e. a probabilistic Turing machine, running in polynomial time, such that there is a polynomial <math>Q</math> such that for infinitely many <math>k</math>
+<center><math>|p_{k,S}^{\mathcal M}-p_{k,U}^{\mathcal M}|\geq\frac{1}{Q(k)}</math></center>
+Let <math>R_{k,i}=\{s_1\ldots s_iu_{i+1}\ldots u_{P(k)}| s\in S_k, u\in\{0,1\}^{P(k)}\}</math>. We have : <math>R_{k,0}=\{0,1\}^{P(k)}</math> and <math>R_{k,P(k)}=S_k</math>.
+Then, we notice that <math>\sum_{i=0}^{P(k)}|p_{k,R_{k,i+1}}^{\mathcal M}-p_{k,R_{k,i}}^{\mathcal M}|\geq |p^{\mathcal M}_{k,R_{k,P(k)}}-p^{\mathcal M}_{k,R_{k,0}}|=|p_{k,S}^{\mathcal M}-p_{k,U}^{\mathcal M}|\geq\frac{1}{Q(k)}</math>. Therefore, at least one of the <math>|p_{k,R_{k,i+1}}^{\mathcal M}-p_{k,R_{k,i}}^{\mathcal M}|</math> should be no smaller than <math>\frac{1}{Q(k)P(k)}</math>.
+Next, we consider probability distributions <math>\mu_{k,i}</math> and <math>\overline{\mu_{k,i}}</math> on <math>R_{k,i}</math>. Distribution <math>\mu_{k,i}</math> is the probability distribution of choosing the <math>i</math> first bits in <math>S_k</math> with probability given by <math>\mu_k</math>, and the <math>P(k)-i</math> remaining bits uniformly at random. We have thus :
+<center>
+<math>\mu_{k,i}(w_1\ldots w_{P(k)})=\left(\sum_{s\in S_k, s_1\ldots s_i=w_1\ldots w_i}\mu_k(s)\right)\left(\frac{1}{2}\right)^{P(k)-i}</math>
+</center><center>
+<math>\overline{\mu_{k,i}}(w_1\ldots w_{P(k)})=\left(\sum_{s\in S_k, s_1\ldots s_{i-1}(1-s_i)=w_1\ldots w_i}\mu_k(s)\right)\left(\frac{1}{2}\right)^{P(k)-i}</math>
+</center>
+We thus have <math>\mu_{k,i}=\frac{1}{2}(\mu_{k,i+1}+\overline{\mu_{k,i+1}})</math> (a simple calculus trick shows this), thus distributions <math>\mu_{k,i+1}</math> and <math>\overline{\mu_{k,i+1}}</math> can be distinguished by <math>\mathcal M</math>. Without loss of generality, we can assume that <math>p^{\mathcal M}_{\mu_{k,i+1}}-p^{\mathcal M}_{\overline{\mu_{k,i+1}}}\geq\frac{1}{2}+\frac{1}{R(k)}</math>, with <math>R</math> a polynomial.
+This gives us a possible construction of a Turing machine solving the next-bit test : upon receiving the <math>i</math> first bits of a sequence, <math>\mathcal N</math> pads this input with a guess of bit <math>l</math> and then <math>P(k)-i-1</math> random bits, chosen with uniform probability. Then it runs <math>\mathcal M</math>, and outputs <math>l</math> if the result is <math>1</math>, and <math>1-l</math> else.
+== References ==
+<references/>
+{{DEFAULTSORT:Next-Bit Test}}
+[[Category:Pseudorandom number generators]]