Notes for Lecture 7 1 Increasing the Stretch of Pseudorandom Generators

In the previous lecture, we proved that if f is a permutation and B is an (S,)-hardcore predicate for f then G : x → f (x), B(x), which maps n bits to n + 1 bits, is (S,) pseudorandom. We then started investigating the performance of the iterative application of G, namely G (k) defined as in figure 1. B(x)) B(f(x))) B(f ((2)) (x))) B(f ((k-1)) (x))) f ((k)) (x)) xx GG GG GG GG Figure 1: Definition of G (k) G (k) maps n bits to n + k bits and its pseudorandom properties are determined by theorem 1 which was stated in the end of the previous lecture. Today we will finish the proof. We will go quickly through the steps of the proof that were given in the previous lecture. Theorem 1 If f is a permutation and B an (S,) hardcore predicate for f and, moreover, f, B are computable by circuits of size ≤ t, then G (k) , where G : x → f (x), B(x), is (S − O(tk), k)-pseudorandom. Proof: We will prove the contra-positive of the statement. Indeed, we will suppose that G (k) is not (S ,)-pseudorandom and we will try to derive a distinguishing circuit for G. By definition it follows that there exists a circuit D of size ≤ S such that Pr Un∼{0,1} n [D(G (k) (U n)) = 1] − Pr U n+k ∼{0,1} n+k [D(U n+k) = 1] ≥ Without loss of generality, we can assume that circuit D satisfies the above inequality after removing the absolute value and by virtue of a hybrid argument we can argue that there exists an integer (k−1) (x)), f (k) (x)) = 1] ≥ k (1)