Next-bit test
In cryptography and the theory of computation, the next-bit test is a test against pseudo-random number generators. We say that a sequence of bits passes the next bit test for at any position in the sequence, if an attacker knows the first bits, he cannot predict the st with reasonable computational power.

Precise statement(s)

Let be a polynomial, and be a collection of sets such that contains -bit long sequences. Moreover, let be the probability distribution of the strings in .

We now define the next-bit test in two different ways.

Boolean circuit formulation

A predicting collection is a collection of boolean circuits, such that each circuit has less than gates and exactly inputs. Let be the probability that, on input the first bits of , a string randomly selected in with probability , the circuit correctly predicts , i.e. :



Now, we say that passes the next-bit test if for any predicting collection , any polynomial :



Probabilistic Turing machines

We can also define the next-bit test in terms of probabilistic Turing machines, although this definition is somewhat stronger (see Adleman's theorem). Let be a probabilistic Turing machine, working in polynomial time. Let be the probability that predicts the st bit correctly, i.e.



We say that collection passes the next-bit test if for all polynomials , for all but finitely many , for all :



Completeness for Yao's test

The next-bit test is a particular case of Yao's test for random sequences, and passing it is therefore a necessary condition for passing Yao's test. However, Yao has also shown it to be a sufficient condition.

We prove it now in the case of probabilistic Turing machines, since Adleman has already done the work of replacing randomization with non-uniformity in his theorem. The case of boolean circuits cannot be derived from this case (since it involves deciding potentially undecidable problems), but the proof of Adleman's theorem can be easily adapted to the case of non-uniform boolean circuit families.

Let be a distinguisher for the probabilistic version of Yao's test, i.e. a probabilistic Turing machine, running in polynomial time, such that there is a polynomial such that for infinitely many


Let . We have : and .
Then, we notice that . Therefore, at least one of the should be no smaller than .

Next, we consider probability distributions and on . Distribution is the probability distribution of choosing the first bits in with probability given by , and the remaining bits uniformly at random. We have thus :






We thus have (a simple calculus trick shows this), thus distributions and can be distinguished by . Without loss of generality, we can assume that , with a polynomial.

This gives us a possible construction of a Turing machine solving the next-bit test : upon receiving the first bits of a sequence, pads this input with a guess of bit and then random bits, chosen with uniform probability. Then it runs , and outputs if the result is , and else.
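The construction above, run on a toy source, as an added example that is not part of the original article: a distinguisher is turned into a next-bit predictor, and scanning every position shows where the prediction advantage sits. The generator, the distinguisher, the constants `K` and `WEAK`, the 0.9 bias and all function names are assumptions made for this illustration, as is the convention of keeping the guess when the distinguisher answers 1 and flipping it otherwise.

```python
import random

K = 8      # length of each generated string (assumed toy value)
WEAK = 5   # 0-based index of the bit that leaks structure (assumed)

def weak_generator(rng):
    """Constructed weak source: uniform bits, except that bit WEAK equals
    bits[0] XOR bits[1] with probability 0.9."""
    bits = [rng.getrandbits(1) for _ in range(K)]
    bits[WEAK] = bits[0] ^ bits[1] ^ int(rng.random() < 0.1)
    return bits

def distinguisher(bits):
    """Answers 1 when the string looks like generator output, else 0."""
    return int(bits[WEAK] == (bits[0] ^ bits[1]))

def predict_next(prefix, rng):
    """Predictor built from the distinguisher: append a guessed bit, pad
    with uniform random bits up to length K, run the distinguisher, and
    keep the guess if it answers 1, otherwise output the opposite bit."""
    guess = rng.getrandbits(1)
    padding = [rng.getrandbits(1) for _ in range(K - len(prefix) - 1)]
    return guess if distinguisher(prefix + [guess] + padding) else 1 - guess

def success_rate(i, trials=4000, seed=1):
    """Estimate how often bit i is predicted correctly from bits 0..i-1."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        s = weak_generator(rng)
        hits += predict_next(s[:i], rng) == s[i]
    return hits / trials

def scan_positions():
    """Success frequency of the predictor at every position of the string."""
    return {i: success_rate(i) for i in range(K)}

if __name__ == "__main__":
    for i, p in scan_positions().items():
        print(f"bit {i}: predicted correctly with frequency {p:.3f}")
```

Only the position where the source deviates from uniform is predicted with frequency near 0.9; every other position stays near 1/2, which is the "at least one position" step of the argument made concrete.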
The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.
 