In cryptography, the hybrid argument is a proof technique used to show that two distributions are computationally indistinguishable.
Hybrid arguments had their origin in a papers by Andrew Yao in 1982 and Shafi Goldwasser and Silvio Micali in 1983.[1]
Formally, to show two distributions D1 and D2 are computationally indistinguishable, we can define a sequence of hybrid distributions D1 := H0, H1, ..., Ht =: D2 where t is polynomial in the security parameter n. Define the advantage of any probabilistic efficient (polynomial-bounded time) algorithm A as
| dist | |
| Adv | |
| Hi,Hi+1 |
(A):=\left|\Pr[x\stackrel{\$}{\gets}Hi:A(x)=1]-\Pr[x\stackrel{\$}{\gets}Hi+1:A(x)=1]\right|,
where the dollar symbol ($) denotes that we sample an element from the distribution at random.
By triangle inequality, it is clear that for any probabilistic polynomial time algorithm A,
| dist | |
| Adv | |
| D1,D2 |
(A)\leq
| t-1 | |
| \sum | |
| i=0 |
| dist | |
| Adv | |
| Hi,Hi+1 |
(A).
Thus there must exist some k s.t. 0 ≤ k < t(n) and
| dist | |
| Adv | |
| Hk,Hk+1 |
(A)\geq
| dist | |
| Adv | |
| D1,D2 |
(A)/t(n).
Since t is polynomial-bounded, for any such algorithm A, if we can show that it has a negligible advantage function between distributions Hi and Hi+1 for every i, that is,
\epsilon(n)\ge
| dist | |
| Adv | |
| Hk,Hk+1 |
(A)\geq
| dist | |
| Adv | |
| D1,D2 |
(A)/t(n),
then it immediately follows that its advantage to distinguish the distributions D1 = H0 and D2 = Ht must also be negligible. This fact gives rise to the hybrid argument: it suffices to find such a sequence of hybrid distributions and show each pair of them is computationally indistinguishable.[2]
The hybrid argument is extensively used in cryptography. Some simple proofs using hybrid arguments are: