Hybrid argument (Cryptography)
In cryptography, the hybrid argument is a proof technique used to show that two distributions are computationally indistinguishable.
Formal description
Formally, to show that two distributions D1 and D2 are computationally indistinguishable, one defines a sequence of hybrid distributions D1 =: H0, H1, ..., Ht := D2, where t = t(n) is polynomial in the security parameter n and each adjacent pair differs by a single, easily analysed change. The advantage of a probabilistic polynomial-time (PPT) algorithm A in distinguishing two adjacent hybrids is defined as
- [math]\displaystyle{ \mathsf{Adv}_{H_i, H_{i+1}}^{\mathsf{dist}}(\mathbf{A}) := \left|\Pr[x \stackrel{\$}{\gets} H_i : \mathbf{A}(x)=1] - \Pr[x \stackrel{\$}{\gets} H_{i+1} : \mathbf{A}(x)=1] \right|, }[/math]
where x ←$ H_i (the dollar sign above the arrow) denotes sampling x uniformly at random according to the distribution H_i.
By the triangle inequality, and because the intermediate terms Pr[x ←$ H_i : A(x) = 1] for 0 < i < t telescope, for any probabilistic polynomial-time algorithm A,
- [math]\displaystyle{ \mathsf{Adv}_{D_1, D_2}^{\mathsf{dist}}(\mathbf{A}) \leq \sum_{i=0}^{t-1}\mathsf{Adv}_{H_i, H_{i+1}}^{\mathsf{dist}}(\mathbf{A}). }[/math]
Thus, by averaging over the t(n) terms of the sum, there must exist some index k with 0 ≤ k < t(n) such that
- [math]\displaystyle{ \mathsf{Adv}_{H_k, H_{k+1}}^{\mathsf{dist}}(\mathbf{A}) \geq \mathsf{Adv}_{D_1, D_2}^{\mathsf{dist}}(\mathbf{A})/t(n). }[/math]
Since t is polynomially bounded, it suffices to show that every PPT algorithm A has negligible advantage between H_i and H_{i+1} for every i, that is, that there is a negligible function ε such that
- [math]\displaystyle{ \epsilon(n) \ge \mathsf{Adv}_{H_k, H_{k+1}}^{\mathsf{dist}}(\mathbf{A}) \geq \mathsf{Adv}_{D_1, D_2}^{\mathsf{dist}}(\mathbf{A})/t(n), }[/math]
from which Adv_{D1,D2}(A) ≤ t(n)·ε(n), and a polynomial times a negligible function is still negligible. Hence A's advantage in distinguishing D1 = H0 from D2 = Ht must also be negligible. This fact gives rise to the hybrid argument: it suffices to find such a sequence of hybrid distributions and show that each adjacent pair is computationally indistinguishable.[1] Two practical points follow from the bound itself. First, the argument loses a factor of t(n) in the advantage (equivalently, a t(n)-fold loss in concrete security), so the number of hybrids matters when the result is used to pick parameters. Second, when the argument is turned into a reduction, the reduction must be able to sample H_k for a random k efficiently, so each hybrid has to be efficiently sampleable given the challenge it receives.
Applications
The hybrid argument is extensively used in cryptography. Some simple proofs using hybrid arguments are:
- Next-bit unpredictability implies pseudorandomness: if no efficient algorithm, given the first i output bits of a generator, can predict bit i+1 with probability noticeably better than 1/2, then the generator is a pseudorandom generator (PRG). The hybrid H_i consists of the first i bits from the generator followed by uniformly random bits.[2]
- A PRG that stretches its seed by a single bit can be turned into a PRG that stretches it by any polynomial number of bits t(n): iterate the one-bit generator, emitting one output bit per step and feeding the remaining bits back as the next state. The hybrid H_i replaces the first i output bits with truly random bits, so adjacent hybrids differ by exactly one application of the underlying generator.[3]
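The following Python program is an illustration added to this page; it is not code from the article or from the cited lecture notes. It makes the formal description above and the PRG length-extension application concrete. It assumes a deliberately broken toy one-bit-stretch generator G (a truncated LCG that emits the low bit of its state), chosen so that every hybrid distribution can be enumerated exactly with Fraction arithmetic; the names and parameters (G, extend, hybrid, advantage, likelihood_test, hybrid_analysis, SEED_BITS, STRETCH) are this example's own. It builds the hybrids H_0 = G'(U_n), ..., H_t = U_t, computes a distinguisher's advantage against each adjacent pair, and checks both the telescoping bound Adv_{D1,D2}(A) ≤ Σ_i Adv_{H_i,H_{i+1}}(A) and the existence of a step k with Adv_{H_k,H_{k+1}}(A) ≥ Adv_{D1,D2}(A)/t.

```python
"""Hybrid argument made concrete for the PRG length-extension construction.

Added example; not code from the article or its references. G below is a
DELIBERATELY BROKEN toy one-bit-stretch generator (a truncated LCG that
emits the low bit of its state), chosen so every hybrid distribution can be
enumerated exactly and the advantages checked by hand. All names here
(G, extend, hybrid, advantage, likelihood_test, hybrid_analysis) are this
example's own, not notation from the article.
"""
from fractions import Fraction
from itertools import product

SEED_BITS = 6   # n: toy seed length, small enough to enumerate all 2^n seeds
STRETCH = 4     # t: number of output bits of the extended generator G'


def G(s):
    """Toy G: {0,1}^n -> {0,1}^{n+1}, returned as (next_state, output_bit).

    The output bit is the low bit of an LCG state mod 2^n, which simply
    alternates 0,1,0,1,... from step to step, so G is trivially insecure.
    """
    mask = (1 << SEED_BITS) - 1
    return (5 * s + 3) & mask, s & 1


def extend(s, t=STRETCH):
    """Length extension G'(s): iterate G t times, emitting one bit per step."""
    bits = []
    for _ in range(t):
        s, b = G(s)
        bits.append(b)
    return tuple(bits)


def hybrid(i, t=STRETCH):
    """Exact distribution of the i-th hybrid H_i over {0,1}^t.

    The first i bits are uniform; the remaining t-i bits come from running
    G on a fresh uniform state. H_0 = G'(U_n) and H_t = U_t, so adjacent
    hybrids differ only in whether one application of G is replaced by
    uniform bits. Returned as {output_tuple: exact probability}.
    """
    n_seeds = 1 << SEED_BITS
    weight = Fraction(1, (1 << i) * n_seeds)
    dist = {}
    for prefix in product((0, 1), repeat=i):
        for s in range(n_seeds):
            x = prefix + extend(s, t - i)
            dist[x] = dist.get(x, 0) + weight
    return dist


def advantage(A, P, Q):
    """Adv^dist_{P,Q}(A) = |Pr[x<-P: A(x)=1] - Pr[x<-Q: A(x)=1]|, exactly."""
    p = sum(w for x, w in P.items() if A(x))
    q = sum(w for x, w in Q.items() if A(x))
    return abs(p - q)


def likelihood_test(t=STRETCH):
    """Distinguisher A: output 1 iff x is likelier under G'(U_n) than under U_t."""
    P0 = hybrid(0, t)
    uniform = Fraction(1, 1 << t)
    return lambda x: P0.get(x, 0) > uniform


def hybrid_analysis(A, t=STRETCH):
    """Return (Adv_{H_0,H_t}(A), [Adv_{H_i,H_{i+1}}(A) for i = 0..t-1]).

    The triangle inequality guarantees total <= sum(steps), and averaging
    guarantees some step has advantage >= total / t; with this broken G the
    step advantages show exactly where the distinguishing power comes from.
    """
    H = [hybrid(i, t) for i in range(t + 1)]
    total = advantage(A, H[0], H[t])
    steps = [advantage(A, H[i], H[i + 1]) for i in range(t)]
    return total, steps


if __name__ == "__main__":
    A = likelihood_test()
    total, steps = hybrid_analysis(A)
    print("Adv_{H_0,H_t}(A) =", total)                  # 7/8
    for i, adv in enumerate(steps):
        print(f"Adv_{{H_{i},H_{i + 1}}}(A) = {adv}")    # 1/2, 1/4, 1/8, 0
    print("sum of step advantages =", sum(steps))       # 7/8, bound is tight here
    k = max(range(STRETCH), key=lambda i: steps[i])
    print(f"weakest step k={k}, Adv >= total/t:", steps[k] >= total / STRETCH)
```

With this G the distinguisher has advantage 7/8 against G'(U_n) versus U_4, and the step advantages are 1/2, 1/4, 1/8 and 0: the sum equals the total (the triangle inequality is tight here because every difference has the same sign), and the largest step, k = 0, is well above the guaranteed 7/32 = (7/8)/4, so the hybrid argument localizes the break to the first application of G. Swapping in a one-bit-stretch generator that is actually secure would drive each step advantage down to negligible, and the same bookkeeping then bounds the total by t times that negligible quantity, which is the security loss the formal description warns about.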
References
- Dodis, Yevgeniy. "Introduction to Cryptography Lecture 5 notes". http://cs.nyu.edu/courses/fall08/G22.3210-001/lect/lecture5.pdf.
- Pass, Rafael. "A Course in Cryptography". https://www.cs.cornell.edu/courses/cs4830/2010fa/lecnotes.pdf.
- Fischlin, Marc; Mittelbach, Arno. "An Overview of the Hybrid Argument". https://eprint.iacr.org/2021/088.pdf.
Original source: https://en.wikipedia.org/wiki/Hybrid argument (Cryptography).