Hybrid argument (cryptography)

In cryptography, the hybrid argument is a proof technique used to show that two distributions are computationally indistinguishable.

History

Hybrid arguments had their origin in a papers by Andrew Yao in 1982 and Shafi Goldwasser and Silvio Micali in 1983.^[1]

Formal description

Formally, to show two distributions D₁ and D₂ are computationally indistinguishable, we can define a sequence of hybrid distributions D₁ := H₀, H₁, ..., H_t =: D₂ where t is polynomial in the security parameter n. Define the advantage of any probabilistic efficient (polynomial-bounded time) algorithm A as

{𝖠 𝖽 𝗏}_{H_{i}, H_{i + 1}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) : = | \Pr [x \overset{$}{\leftarrow} H_{i} : 𝐀 (x) = 1] - \Pr [x \overset{$}{\leftarrow} H_{i + 1} : 𝐀 (x) = 1] |,

where the dollar symbol ($) denotes that we sample an element from the distribution at random.

By triangle inequality, it is clear that for any probabilistic polynomial time algorithm A,

{𝖠 𝖽 𝗏}_{D_{1}, D_{2}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) \leq \sum_{i = 0}^{t - 1} {𝖠 𝖽 𝗏}_{H_{i}, H_{i + 1}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) .

Thus there must exist some k s.t. 0 ≤ k < t(n) and

{𝖠 𝖽 𝗏}_{H_{k}, H_{k + 1}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) \geq {𝖠 𝖽 𝗏}_{D_{1}, D_{2}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) / t (n) .

Since t is polynomial-bounded, for any such algorithm A, if we can show that it has a negligible advantage function between distributions H_i and H_i+1 for every i, that is,

ϵ (n) \geq {𝖠 𝖽 𝗏}_{H_{k}, H_{k + 1}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) \geq {𝖠 𝖽 𝗏}_{D_{1}, D_{2}}^{𝖽 𝗂 𝗌 𝗍} (𝐀) / t (n),

then it immediately follows that its advantage to distinguish the distributions D₁ = H₀ and D₂ = H_t must also be negligible. This fact gives rise to the hybrid argument: it suffices to find such a sequence of hybrid distributions and show each pair of them is computationally indistinguishable.^[2]

Applications

The hybrid argument is extensively used in cryptography. Some simple proofs using hybrid arguments are:

If one cannot efficiently predict the next bit of the output of some number generator, then this generator is a pseudorandom number generator (PRG).^[3]
We can securely expand a PRG with 1-bit output into a PRG with n-bit output.^[4]

Notes

Template:Div col Template:Reflist Template:Div col end

References

↑ Bellare, Mihir, and Phillip Rogaway. "Code-based game-playing proofs and the security of triple encryption." Cryptology ePrint Archive (2004)
↑ Lemma 3 in Dodis's notes.
↑ Theorem 1 in Dodis's notes.
↑ Lemma 80.5, Corollary 81.7 in Pass's notes.

[1] Bellare, Mihir, and Phillip Rogaway. "Code-based game-playing proofs and the security of triple encryption." Cryptology ePrint Archive (2004)

[2] Lemma 3 in Dodis's notes.

[3] Theorem 1 in Dodis's notes.

[4] Lemma 80.5, Corollary 81.7 in Pass's notes.

[1]

[2]

[3]

[4]

Hybrid argument (cryptography)

Contents

History

Formal description

Applications

See also

Notes

References

Navigation menu

Hybrid argument (cryptography)

History

Formal description

Applications

See also

Notes

References

Navigation menu

Search