Samiksha Jaiswal (Editor)

Hybrid argument (Cryptography)


In cryptography, the hybrid argument is a proof technique used to show that two distributions are computationally indistinguishable.

Formal description

Formally, to show two distributions $D_1$ and $D_2$ are computationally indistinguishable, we can define a sequence of hybrid distributions $D_1 := H_0, H_1, \ldots, H_t =: D_2$ where $t$ is polynomial in the security parameter. Define the advantage of any probabilistic efficient (polynomial-bounded time) algorithm $A$ as

$$\mathrm{Adv}^{\mathrm{dist}}_{H_i,H_{i+1}}(A) := \left|\, \Pr\!\left[x \xleftarrow{\$} H_i : A(x)=1\right] - \Pr\!\left[x \xleftarrow{\$} H_{i+1} : A(x)=1\right] \right|,$$

where the dollar symbol ($) denotes that we sample an element from the distribution at random.

By triangle inequality, it is clear that for any probabilistic polynomial time algorithm A,

$$\mathrm{Adv}^{\mathrm{dist}}_{D_1,D_2}(A) \le \sum_{i=0}^{t-1} \mathrm{Adv}^{\mathrm{dist}}_{H_i,H_{i+1}}(A).$$

Thus there must exist some $k$ such that $0 \le k < t$ and

$$\mathrm{Adv}^{\mathrm{dist}}_{H_k,H_{k+1}}(A) \ge \mathrm{Adv}^{\mathrm{dist}}_{D_1,D_2}(A) / t.$$

Since $t$ is polynomial-bounded, for any such algorithm $A$, if we can show that its advantage to distinguish the distributions $H_i$ and $H_{i+1}$ is negligible for every $i$, then it immediately follows that its advantage to distinguish the distributions $D_1 = H_0$ and $D_2 = H_t$ must also be negligible. This fact gives rise to the hybrid argument: it suffices to find such a sequence of hybrid distributions and show each pair of them is computationally indistinguishable.

Applications

The hybrid argument is extensively used in cryptography. Some simple proofs using hybrid arguments are:

  • If one cannot efficiently predict the next bit of the output of some number generator, then this generator is a pseudorandom number generator (PRG).
  • We can securely expand a PRG with 1-bit output into a PRG with n-bit output.
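The following is an added example (not part of the original article) that carries the formal description through on the second application above: a 1-bit-expanding generator is iterated to produce t = 4 output bits, the hybrids H_0, ..., H_t replace one generator round at a time with uniform bits, and the advantage of a fixed distinguisher is computed exactly for every adjacent pair. The toy generator G, its seed length, and the distinguisher are constructed for illustration and G is deliberately insecure, so that the triangle-inequality bound and the pigeonhole step can be observed with concrete numbers.

```python
from fractions import Fraction
from itertools import product

SEED_LEN = 3   # seed length of the toy generator (assumption for this example)
T = 4          # output length of the expanded generator = number of hybrid steps t

def G(s):
    """Toy 1-bit-expanding map {0,1}^3 -> {0,1}^4 (constructed, NOT secure): returns (next_seed, output_bit)."""
    s0, s1, s2 = s
    return (s1, s2, s0 ^ s1), s0 ^ s2

def expand(seed, rounds):
    """Iterate G `rounds` times from `seed`, emitting one output bit per round."""
    bits, s = [], seed
    for _ in range(rounds):
        s, b = G(s)
        bits.append(b)
    return tuple(bits)

def hybrid(i):
    """Exact distribution H_i over {0,1}^T: first i bits uniform, remaining T-i bits from G run
    on a fresh uniform seed. H_0 is the real generator output (D1), H_T is uniform (D2)."""
    prefixes = list(product((0, 1), repeat=i))
    seeds = list(product((0, 1), repeat=SEED_LEN))
    p = Fraction(1, len(prefixes) * len(seeds))
    dist = {}
    for prefix in prefixes:
        for s in seeds:
            x = prefix + expand(s, T - i)
            dist[x] = dist.get(x, 0) + p
    return dist

def advantage(A, dist_a, dist_b):
    """Adv^dist_{dist_a,dist_b}(A) = |Pr[x<-dist_a : A(x)=1] - Pr[x<-dist_b : A(x)=1]|, computed exactly."""
    pa = sum(p for x, p in dist_a.items() if A(x))
    pb = sum(p for x, p in dist_b.items() if A(x))
    return abs(pa - pb)

def hybrid_analysis(A):
    """Return (Adv_{D1,D2}(A), [Adv_{H_i,H_{i+1}}(A) for each i], index k of the largest step)."""
    H = [hybrid(i) for i in range(T + 1)]
    total = advantage(A, H[0], H[T])
    steps = [advantage(A, H[i], H[i + 1]) for i in range(T)]
    k = max(range(T), key=lambda i: steps[i])
    return total, steps, k

def sample_distinguisher(x):
    """Constructed distinguisher exploiting a linear relation of the toy G: outputs 1 iff x0 = x1 xor x3."""
    return x[0] == (x[1] ^ x[3])
```

For this toy generator, hybrid_analysis(sample_distinguisher) returns (1/2, [1/2, 0, 0, 0], 0): the whole distinguishing advantage sits in the first hybrid step, the one that replaces the first generator round by uniform bits, which is exactly the pair the pigeonhole step singles out.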