Next-bit test explained

In cryptography and the theory of computation, the next-bit test[1] is a test against pseudo-random number generators. We say that a sequence of bits passes the next-bit test at any position $i$ in the sequence if any attacker who knows the $i$ first bits (but not the seed) cannot predict the $(i+1)$st bit with reasonable computational power.

Precise statement(s)

Let $P$ be a polynomial, and $S=\{S_k\}$ be a collection of sets such that $S_k$ contains $P(k)$-bit long sequences. Moreover, let $\mu_k$ be the probability distribution of the strings in $S_k$.

We now define the next-bit test in two different ways.

Boolean circuit formulation

A predicting collection[2] $C=\{C_k^i\}$ is a collection of boolean circuits, such that each circuit $C_k^i$ has less than $P_C(k)$ gates and exactly $i$ inputs. Let $p^C_{k,i}$ be the probability that, on input the $i$ first bits of $s$, a string randomly selected in $S_k$ with probability $\mu_k(s)$, the circuit correctly predicts $s_{i+1}$, i.e.:

$$p^C_{k,i} = \mathcal{P}\left[C_k(s_1\ldots s_i)=s_{i+1} \,\middle|\, s\in S_k \text{ with probability } \mu_k(s)\right]$$

Now, we say that $\{S_k\}_k$ passes the next-bit test if for any predicting collection $C$, any polynomial $Q$:

$$p^C_{k,i} < \frac{1}{2}+\frac{1}{Q(k)}$$

Probabilistic Turing machines

We can also define the next-bit test in terms of probabilistic Turing machines, although this definition is somewhat stronger (see Adleman's theorem). Let $\mathcal{M}$ be a probabilistic Turing machine, working in polynomial time. Let $p^{\mathcal{M}}_{k,i}$ be the probability that $\mathcal{M}$ predicts the $(i+1)$st bit correctly, i.e.

$$p^{\mathcal{M}}_{k,i} = \mathcal{P}\left[\mathcal{M}(s_1\ldots s_i)=s_{i+1} \,\middle|\, s\in S_k \text{ with probability } \mu_k(s)\right]$$

We say that collection $S=\{S_k\}$ passes the next-bit test if for all polynomials $Q$, for all but finitely many $k$, for all $0<i<k$:

$$p^{\mathcal{M}}_{k,i} < \frac{1}{2}+\frac{1}{Q(k)}$$

Completeness for Yao's test

The next-bit test is a particular case of Yao's test for random sequences, and passing it is therefore a necessary condition for passing Yao's test. However, Yao has also shown that it is a sufficient condition.[1]

We prove it now in the case of the probabilistic Turing machine, since Adleman has already done the work of replacing randomization with non-uniformity in his theorem. The case of Boolean circuits cannot be derived from this case (since it involves deciding potentially undecidable problems), but the proof of Adleman's theorem can be easily adapted to the case of non-uniform Boolean circuit families.

Let $\mathcal{M}$ be a distinguisher for the probabilistic version of Yao's test, i.e. a probabilistic Turing machine, running in polynomial time, such that there is a polynomial $Q$ such that for infinitely many $k$

$$\left|p^{\mathcal{M}}_{k,S}-p^{\mathcal{M}}_{k,U}\right| \geq \frac{1}{Q(k)}$$

Let $R_{k,i}=\{s_1\ldots s_i\,u_{i+1}\ldots u_{P(k)} \mid s\in S_k,\ u\in\{0,1\}^{P(k)}\}$. We have: $R_{k,0}=\{0,1\}^{P(k)}$ and $R_{k,P(k)}=S_k$. Then, we notice that

$$\sum_{i=0}^{P(k)} \left|p^{\mathcal{M}}_{k,R_{k,i+1}}-p^{\mathcal{M}}_{k,R_{k,i}}\right| \geq \left|p^{\mathcal{M}}_{k,R_{k,P(k)}}-p^{\mathcal{M}}_{k,R_{k,0}}\right| = \left|p^{\mathcal{M}}_{k,S}-p^{\mathcal{M}}_{k,U}\right| \geq \frac{1}{Q(k)}$$

Therefore, at least one of the $\left|p^{\mathcal{M}}_{k,R_{k,i+1}}-p^{\mathcal{M}}_{k,R_{k,i}}\right|$ should be no smaller than $\frac{1}{Q(k)P(k)}$.

Next, we consider probability distributions $\mu_{k,i}$ and $\overline{\mu_{k,i}}$ on $R_{k,i}$. Distribution $\mu_{k,i}$ is the probability distribution of choosing the $i$ first bits in $S_k$ with probability given by $\mu_k$, and the $P(k)-i$ remaining bits uniformly at random; $\overline{\mu_{k,i}}$ is defined in the same way, except that the $i$th bit is complemented. We have thus:

$$\mu_{k,i}(w_1\ldots w_{P(k)}) = \left(\sum_{s\in S_k,\ s_1\ldots s_i=w_1\ldots w_i}\mu_k(s)\right)\left(\frac{1}{2}\right)^{P(k)-i}$$

$$\overline{\mu_{k,i}}(w_1\ldots w_{P(k)}) = \left(\sum_{s\in S_k,\ s_1\ldots s_{i-1}\overline{s_i}=w_1\ldots w_i}\mu_k(s)\right)\left(\frac{1}{2}\right)^{P(k)-i}$$

We thus have $\mu_{k,i}=\frac{1}{2}\left(\mu_{k,i+1}+\overline{\mu_{k,i+1}}\right)$ (a simple calculus trick shows this), thus distributions $\mu_{k,i+1}$ and $\overline{\mu_{k,i+1}}$ can be distinguished by $\mathcal{M}$. Without loss of generality, we can assume that

$$p^{\mathcal{M}}_{\mu_{k,i+1}}-p^{\mathcal{M}}_{\overline{\mu_{k,i+1}}} \geq \frac{1}{2}+\frac{1}{R(k)},$$

with $R$ a polynomial.

This gives us a possible construction of a Turing machine $\mathcal{N}$ solving the next-bit test: upon receiving the $i$ first bits of a sequence, $\mathcal{N}$ pads this input with a guess of bit $l$ and then $P(k)-i-1$ random bits, chosen with uniform probability. Then it runs $\mathcal{M}$, and outputs $l$ if the result is $1$, and $1-l$ otherwise.
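The construction just described, run on a toy instance as an added example (this code is not part of the original article): a deliberately weak 8-bit source plays $S_k$, a distinguisher $\mathcal{M}$ that counts agreeing adjacent bits plays the Yao distinguisher, and $\mathcal{N}$ is built from it exactly as above. The source, its length and correlation, the threshold, and all function names (sample_weak, distinguisher_M, predictor_N, ...) are assumptions made for this example.

```python
# Toy instance of the reduction above: a Yao distinguisher M for a weak bit
# source becomes a next-bit predictor N that guesses bit i+1, pads with
# uniform bits, runs M, and keeps or flips its guess. Parameters are constructed.
import random
N_BITS = 8        # P(k): length of every string in S_k
P_STAY = 0.75     # toy source: each bit repeats the previous one w.p. 3/4
THRESHOLD = 5     # M outputs 1 if at least this many adjacent pairs agree

def sample_weak(rng):
    """Draw s in S_k with probability mu_k(s): a correlated bit string."""
    bits = [rng.randrange(2)]
    for _ in range(N_BITS - 1):
        bits.append(bits[-1] if rng.random() < P_STAY else 1 - bits[-1])
    return bits

def sample_uniform(rng):
    """Draw u uniformly from {0,1}^P(k), the reference distribution U."""
    return [rng.randrange(2) for _ in range(N_BITS)]

def distinguisher_M(w):
    """Yao-style test: 1 ('looks like S_k') if adjacent bits agree often."""
    agree = sum(1 for a, b in zip(w, w[1:]) if a == b)
    return 1 if agree >= THRESHOLD else 0

def acceptance_rate(sampler, trials, seed):
    """Estimate p^M_{k,D} for the distribution D that sampler draws from."""
    rng = random.Random(seed)
    return sum(distinguisher_M(sampler(rng)) for _ in range(trials)) / trials

def predictor_N(prefix, rng):
    """The constructed N: guess l, pad with uniform bits, run M, keep or flip."""
    l = rng.randrange(2)
    padding = [rng.randrange(2) for _ in range(N_BITS - len(prefix) - 1)]
    return l if distinguisher_M(prefix + [l] + padding) == 1 else 1 - l

def next_bit_success(i, trials, seed):
    """Estimate p^N_{k,i}: how often N predicts s_{i+1} from s_1 ... s_i."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = sample_weak(rng)
        hits += predictor_N(s[:i], rng) == s[i]   # s[i] is s_{i+1}
    return hits / trials

if __name__ == "__main__":
    gap = abs(acceptance_rate(sample_weak, 20000, 1)
              - acceptance_rate(sample_uniform, 20000, 2))
    print(f"|p_S - p_U| = {gap:.3f}  (M distinguishes S_k from uniform)")
    print(f"p_(k,4) for N = {next_bit_success(4, 20000, 3):.3f}  (> 1/2)")
```

For these parameters an exact count of agreeing pairs gives a success rate of about 0.58 at $i=4$, and the sampled estimate matches it; the predictor's advantage comes entirely from how sensitive $\mathcal{M}$ is to the one pair that contains the guessed bit.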

References

  1. Andrew Chi-Chih Yao
  2. Manuel Blum