CPSC 467b Lecture Notes, Week 12

[Course home page] [Course lectures] YALE UNIVERSITY
DEPARTMENT OF COMPUTER SCIENCE

CPSC 467b: Cryptography and Computer Security

Week 12 (rev. 3)

Professor M. J. Fischer

April 12 & 14, 2005

Lecture Notes, Week 12

1 Coin-Flipping

Alice and Bob are in the process of getting divorced and are trying to decide who gets custody of their pet cat, Fluffy. They both want the cat, so they agree to decide by flipping a coin: heads Alice wins; tails Bob wins. Bob has already moved out and does not wish to be in the same room with Alice. The feeling is mutual, so Alice proposes that she flip the coin and telephone Bob with the result.

This proposal of course is not acceptable to Bob since he has no way of knowing whether Alice is telling the truth when she says that the coin landed heads. "Look Alice," he says, "to be fair, we both have to be involved in flipping the coin. We'll each flip a private coin and XOR our two coins together to determine who gets Fluffy. You should be happy with this arrangement since even if you don't trust me to flip fairly, your own fair coin is sufficient to ensure that the XOR is unbiased." This sounds reasonable to Alice, so she lets him go on to propose the protocol of Figure 1. In this protocol, 1 means "heads" and 0 means "tails".

	Alice		Bob
1.	Choose random bit b_A ∈ {0,1}	→ ^b_A.
2.		← ^b_B	Choose random bit b_B ∈ {0,1}.
3.	Coin outcome is b = b_A ⊕b_B.		Coin outcome is b = b_A ⊕b_B.

Figure 1: Distributed coin flip protocol requiring honest parties.

After Alice considers Figure 1 for awhile, she objects. "This isn't fair. You get to see my coin flip before I see yours, so now you have complete control over the value of b." She suggests that she would be happy if the first two steps were reversed, so that Bob flipped his coin first, but Bob balks at that suggestion.

They then both remember last week's lecture and decide to use blobs to prevent either party from controlling the outcome. They agree on the protocol of Figure 2. At the completion of step 2, both Alice and Bob have each other's commitment (something they failed to achieve in the past, which is why they're in the middle of a divorce now), but neither know the other's private bit. They each learn each other's bit at the completion of the respective open protocols.

	Alice		Bob
1.	Choose random bit b_A ∈ {0,1}.		Choose random bit b_B ∈ {0,1}.
2.	commit(b_A).	↔	commit(b_B).
3.	open(c_A).	↔	open(c_B).
4.	Coin outcome is b = b_A ⊕b_B.		Coin outcome is b = b_A ⊕b_B.

Figure 2: Distributed coin flip protocol using blobs.

While this protocol appears to be completely symmetric, it really isn't quite, for one of the parties completes step 3 before the other one does. Say Bob completes opening c_B first. At that point, Alice knows b_B and hence the coin outcome b. If it turns out that she lost, she might decide to stop the protocol and refuse to complete her part of step 3.

We haven't really addressed the question for any of these protocols about what happens if one party quits in the middle or one party detects the other party cheating. We have only been concerned until now with the possibility of undetected cheating. But in any real situation, one party might feel that he or she stands to gain by cheating, even if the cheating is detected. That in turn raises complicated questions as to what happens next. Does a third party Carol become involved? If so, can Bob prove to Carol that Alice cheated? What if Alice refuses to talk to Carol? It may be instructive to think about the recourse that Bob has in similar real-life situations and to consider the reasons why such situations rarely arise. For example, what happens if someone fails to follow the provisions of a contract or if someone ignores a summons to appear in court?

2 Locked Box Paradigm

Protocols for coin flipping and for dealing a poker hand from a deck of cards can be based on the intuitive notion of locked boxes. This idea in turn can be implemented using commutative cryptosystems.

2.1 Coin-flipping using locked boxes

We discussed the coin-flipping problem in section 1 and presented a protocol based on bit-commitment. Here we present a coin-flipping protocol based on the idea of locked boxes.

Imagine two sturdy boxes with hinged lids that can be locked with a padlock. Alice writes "heads" on a slip of paper and "tails" on another and places one of these slips in each box. She puts a padlock on each box for which she holds the only key. She then gives both locked boxes to Bob, in some random order.
Bob cannot open the boxes and does not know which box contains "heads" and which contains "tails". He chooses one of the boxes and locks it with his own padlock, for which he has the only key. Now the box has two locks on it, one belonging to Alice and one to Bob. He gives the doubly-locked box back to Alice.
Alice removes her lock and returns the box to Bob.
Bob removes his lock, opens the box, and learns the outcome of the coin toss. He gives the slip of paper from the unlocked box back to Alice.
Alice verifies that it is her slip of paper, with her handwriting on it, that she prepared at the beginning. She sends her key to Bob.
Bob removes Alice's lock from the other box and verifies that she carried out her protocol correctly. (In particular, he checks that the slip of paper in the other box contains the other coin value.)

2.2 Commutative cryptosystems

Alice and Bob can carry out this protocol electronically using any commutative cryptosystem, that is, one in which E_A(E_B(m)) = E_B(E_A(m)) for all messages m. RSA is commutative for keys with a common modulus n, so we can use RSA in an unconventional way. Rather than making the encryption exponent public and keeping the factorization of n private, we turn things around. Alice and Bob jointly chose primes p and q, and both compute n = pq. Alice then chooses an RSA key pair A = ((e_A, n), (d_A, n)), which she can do since she knows the factorization of n. Similarly, Bob chooses an RSA key pair B = ((e_B, n), (d_B, n)) using the same n. Alice and Bob both keep their key pairs private (until the end of the protocol, when they reveal them to each other to verify that there was no cheating).

We note that this scheme may have completely different security properties from usual RSA. In RSA, there are three different secrets involved with the key: the factorization of n, the encryption exponent e, and the decryption exponent d. We have seen previously that knowing n and any two of these pieces of information allows the third to be reconstructed. Thus, knowing the factorization of n and e lets one compute d (easy). We also showed in section 1.3 of lecture notes week 6 how to factor n given both e and d.

The way RSA is usually used, only e is public, and it is believed to be hard to find the other quantities. Here we propose making the factorization of n public but keeping e and d private. It may indeed be hard to find e and d, even knowing the factorization of n, but if it is, that fact is not going to follow from the difficulty of factoring n. Of course, for security, we need more than just that it is hard to find e and d. We also need it to be hard to find m given c = m^e mod n. This is reminiscent of the discrete log problem, but of course n is not prime in this case.

2.3 Coin-flipping using commutative cryptosystems

Assuming RSA used in this new way is secure, we can implement the locked box protocol as shown in Figure 3. Here we assume that Alice and Bob initially know large primes p and q. In step (2), Alice chooses a random number r such that r < (n−1)/2. This ensures that m₀ and m₁ are both in Z_n. Note that i and r can be efficiently recovered from m_i since i is just the low-order bit of m_i and r = (m_i − i)/2.

	Alice		Bob
1.	Choose RSA key pair A with modulus n=pq.		Choose RSA key pair B with modulus n=pq.
2.	Choose random r ∈ Z_(n−1)/2.
	Let m_i = 2r+i, for i ∈ {0,1}.
	Let c_i = E_A(m_i) for i ∈ {0,1}.
	Let C = {c₀, c₁}.	→ ^C	Choose c_a ∈ C.
3.		← ^c_ab	Let c_ab = E_B(c_a).
4.	Let c_b = D_A(c_ab).	→ ^c_b
5.			Let m = D_B(c_b).
			Let i = m mod 2.
			Let r = (m−i)/2.
			If i=0 outcome is "tails".
			If i=1 outcome is "heads".
		← ^B
6.	Let m = D_B(c_b).
	Check m ∈ {m₀, m₁}.
	If m=m₀ outcome is "tails".
	If m=m₁ outcome is "heads".
		→ ^A
7.			Let c′_a = C − { c_a }.
			Let m′ = D_A( c′_a ).
			Let i′ = m′ mod 2.
			Let r′ = (m′−i′)/2.
			Check that i′ ≠ i and r′ = r.

Figure 3: Distributed coin flip protocol using locked boxes.

To see that the protocol works when both Alice and Bob are honest, observe that in step 3, c_ab = E_B(E_A(m_j)) for some j. Then in step 4, c_b = D_A(E_B(E_A(m_j))) = E_B(m_j) by the commutativity of E_A and E_B. Hence, in step 5, m = m_j is one of Alice's strings from step 2.

A dishonest Bob can control the outcome of the coin toss if he can find two keys B and B′ such that E_B(c_a) = E_B′(c′_a), where C = {c_a, c′_a} is the set received from Alice in step 2. In this case, c_ab = E_B(E_A(m_j)) = E_B′(E_A(m_1−j)) for some j. Then in step 4, c_b = E_B(m_j) = E_B′(m_1−j). Hence, m_j = D_B(c_b) and m_1−j = D_B′(c_b), so Bob can obtain both of Alice's messages and then send B or B′ in step 5 to force the outcome to be as he pleases.

2.4 Card dealing using locked boxes

The same locked box paradigm can be used for dealing a 5-card poker hand from a deck of cards. Alice takes a deck of cards, places each card in a separate box, and locks each box with her lock. She arranges the boxes in random order and ships them off to Bob. Bob picks five boxes, locks each with his lock, and send them back. Alice removes her locks from those five boxes and returns them to Bob. Bob unlocks them and obtains the five cards of his poker hand. Further details are left to the reader.

3 Oblivious Transfer

In the locked box coin-flipping protocol, Alice has two messages m₀ and m₁. Bob gets one of them. Alice doesn't know which (until Bob tells her). Bob can't cheat to get both messages. Alice can't cheat to learn which message Bob got. The oblivious transfer problem abstracts these properties from particular applications such as coin flipping and card dealing,

3.1 Oblivious transfer of a secret

Alice has a secret s. In an oblivious transfer protocol, half of the time Bob learns s and half of the time he learns nothing. Afterwards, Alice doesn't know whether or not Bob learned s. Bob can do nothing to increase his chances of getting s, and Alice can do nothing to learn whether or not Bob got her secret. Rabin proposed an oblivious transfer protocol based on quadratic residuosity, shown in Figure 4, in the early 1980's.

	Alice		Bob
1.	Secret s.
	Choose primes p, q, and let n = pq.
	Generate RSA public key (e, n).
	Compute c = E_(e,n)(s).
		→ ^{(e, n, c)}
2.			Choose random x ∈ Z^∗_n.
		← ^a	Compute a = x² mod n.
3.	Check a ∈ QR_n.
	Choose y at random from among the 4 square roots of a mod n.
		→ ^y
4.			Check y² ≡ a mod n.
			If y \not ≡ ±x mod n, use x, y to factor n and decrypt c to obtain s.

Figure 4: Rabin's oblivious transfer protocol.

Alice can can carry out step 3 since she knows the factorization of n and can find all of the square roots of a. However, she has no idea which x Bob used to generate a. Hence, with probability 1/2, y ≡ ±x mod n and with probability 1/2, y\not ≡ ±x mod n. If y \not ≡ ±x mod n, then the two factors of n are gcd(x−y, n) and n/gcd(x−y, n), so Bob factors n and decrypts c in step 4. However, if y ≡ ±x mod n, he learns nothing, and Alice's secret is as secure as RSA itself.

There is one potential problem with this protocol. A cheating Bob in step 2 might send a number a which he generated by some other means than squaring a random x. In this case, he learns something new no matter which square root Alice sends him in step 3. Perhaps that information, together with what he already learned in the course of generating a, is enough for him to factor n. We don't know of any method by which Bob could find a quadratic residue without also knowing one of its square roots. We certainly don't know of any method that would produce a quadratic residue a and some other information Ξ that, combined with y, would allow Bob to factor n. But we also cannot prove that no such method exists.

We can fix this protocol by inserting between steps 2 and 3 a zero knowledge proof that Bob knows a square root of a. This is essentially what the simplified Feige-Fiat-Shamir protocol does, but we have to reverse the roles of Alice and Bob. Now Bob is the one with the secret square root x. He wants to prove to Alice that he knows x, but he does not want Alice to get any information about x, since if she learns x, she could choose y=x and reduce his chances of learning s while still appear to be playing honestly. Again, details are left to the reader.

3.2 One-of-two oblivious transfer

In the one-of-two oblivious transfer, Alice has two secrets, s₀ and s₁. Bob always gets exactly one of the secrets. He gets each with probability 1/2, and Alice does not know which he got.

The locked box protocol is one way to implement one-of-two oblivious transfer. Another is based on a public key cryptosystem (such as RSA) and a symmetric cryptosystem (such as AES). This protocol, given in Figure 5, does not rely on the cryptosystems being commutative.

	Alice		Bob
1.	Choose two PKS key pairs (e₀, d₀) and (e₁, d₁).
		→ ^{e₀, e₁}
2.			Generate random key k for a symmetric cryptosystem ([^(E)], [^(D)]).
			Choose e ∈ {e₀,e₁}.
		← ^c	Compute c = E_e(k).
3.	Compute k_i = D_{d_i}(c) for i=0, 1.
	Compute c_i = [^(E)]_{k_i}(s_i) for i=0, 1.	→ ^{c₀, c₁}
4.			Compute s_i = [^(D)]_k(c_i) for i=0, 1.
			One of the s_i is correct and the other is garbage.

Figure 5: One-of-two oblivious transfer using two PKS key pairs.

In step 2, Bob encrypts a randomly chosen key k for the symmetric cryptosystem using one of the encryption keys that Alice sent him in step 1. One of the k_i Alice computes in step 3 is Bob's key k, but because k is random, she can't tell which it is. However, the key that is different from k cannot be computed by Bob since Bob doesn't have the corresponding decryption key d_i.

Note that this protocol depends on Bob being able to distinguish good secrets from random-looking garbage. To make it work for arbitrary secrets, Alice can add some known redundancy to the secrets that Bob can recognize. Another possibility would be for her to encrypt c·s_i in step 3 instead of just s_i. Since Bob knows c, he could then check the two possible decryptions to see which one began with c.

4 Pseudorandom Sequence Generation

We mentioned pseudorandom sequence generation in section 3.3 of lecture notes week 11. In a little more detail, a pseudorandom sequence generator G is a function from a domain of seeds S to a domain of strings X. We will generally find it convenient to assume that all of the seeds in S have the same length m and that all of the strings in X have the same length n, where m << n and n is polynomially related to m.

Intuitively, we want the strings G(s) to "look random". But what does that mean? Chaitin and Kolmogorov proposed ways of defining what it means for an individual sequence to be considered random. While philosophically very interesting, these notions are somewhat different than the statistical notions that most people mean by randomness.

We take a different tack. We assume that the seeds are chosen uniformly at random from S, that is, we consider a uniformly distributed random variable S over S. Then X = G(S) is a random variable over X. For x ∈ X,

prob[X=x] =

|{ s ∈ S | G(s) = x}|

|S|

That is, the probability is the fraction of seeds that give rise to x. Because m << n, |S| = 2^m, and |X| = 2ⁿ, most strings in X are not in the range of G and hence have probability 0. If G happens to be one-to-one, then the remaining strings each have probability 1/2^m.

We also consider the uniform random variable U ∈ X, where U = x with probability 1/2ⁿ for every x ∈ X. U is what we usually mean by a "truly random" variable on n-bit strings.

We will say that G is a cryptographically strong pseudorandom sequence generator if X and U are indistinguishable to all probabilistic polynomial Turing machines. We have already seen that the probability distributions of X and U are quite different. Nevertheless, they are indistinguishable if there is no feasible algorithm to determine whether random samples come from X or from U.

Before going further, let me describe some functions G for which G(S) is readily distinguished from U. Suppose every string x = G(s) has the form b₁ b₁ b₂ b₂ b₃ b₃ …, for example 0011111100001100110000.... An algorithm that guesses that x came from G(S) if x is of that form, and guesses that x came from U otherwise, will be right almost all of the time. True, it is possible to get a string like this from U, but it is extremely unlikely.

Formally speaking, a judge is a probabilistic Turing machine J that takes an n-bit string as input and produces a single bit b as output. Because it is probabilistic, it actually defines a random function from X to {0,1}. This means that for every input x, there is some probability p_x that the output is 1. If the input string is itself a random variable X, then the probability that the output is 1 is the weighted sum over all possible inputs that the judge outputs 1, where the weights are the probabilities of the corresponding inputs occurring. Thus, the output value is itself a random variable which we denote by J(X).

Now, we say that two random variables X and Y are ε-indistinguishable by judge J if

|prob[J(X) = 1] − prob[J(Y) = 1]| < ε.

Intuitively, we say that G is cryptographically strong if G(S) and U are ε-indistinguishable for suitably small ε by all judges that do not run for too long. A careful mathematical treatment of the concept of indistinguishability must relate the length parameters m and n, the error parameter ε, and the allowed running time of the judges, all of which is beyond the scope of this course.

[Note: The topics covered by these lecture notes are presented in more detail and with greater mathematical rigor in handout 18.]

5 BBS Pseudorandom Sequence Generator

We present a cryptographically strong PRSG due to Blum, Blum, and Shub. The generator is based on the difficulty of determining, for a given a ∈ Z^∗_n with Jacobi symbol jacobi(a, n) = 1, whether or not a is a quadratic residue, i.e., whether or not a ∈ QR_n. Recall from lecture notes week 7, that this is the property upon on which the security of the Goldwasser-Micali probabilistic encryption system relies. The BBS generator further requires n to be a certain kind of composite number called a Blum integer. Blum primes and Blum integers were introduced in lecture notes week 11. We review their properties here.

5.1 Blum integers

A Blum prime is a prime number p such that p ≡ 3 mod 4. A Blum integer is a number n=pq, where p and q are Blum primes. Blum primes and Blum integers have the important property that every quadratic residue a has a square root y which is itself a quadratic residue. We call such a y a principal square root of a and denote it by √a mod n or simply by √a when it is clear that mod n is intended.

We need two other facts about Blum integers n. Let a ∈ QR_n. Then jacobi(a, n) = jacobi(−a, n) = 1.

Let lsb(x) be the least significant bit of integer x. That is, lsb(x) = (x mod 2). Let x ∈ Z_n. Then lsb(x) ⊕lsb(−x) = 1.

Claim 1 actually holds for all n which are the product of two distinct odd primes. Claim 2 holds whenever n is odd.

5.2 BBS algorithm

The Blum-Blum-Shub generator BBS is defined by a Blum integer n = pq and an integer l. It maps strings in Z^∗_n to strings in {0,1}^l. Given a seed s₀ ∈ Z^∗_n, we define a sequence s₁, s₂, s₃, …, s_l, where s_i = s_i−1² mod n for i = 1, …, l. The l-bit output sequence is b₁, b₂, b₃, …, b_l , where b_i = lsb(s_i).

5.3 Bit-prediction

One important property of the uniform distribution U on bit-strings b₁, …, b_l is that the individual bits are statistically independent from each other. This means that the probability that a particular bit b_i = 1 is unaffected by the values of the other bits in the sequence. This implies that any algorithm that attempts to predict b_i, even knowing other bits of the sequence, will be correct only 1/2 of the time. We now translate this property of unpredictability to pseudorandom sequences.

5.3.1 Next-bit prediction

One property we would like a pseudorandom sequence to have is that it be difficult to predict the next bit given the bits that came before.

We say that an algorithm A is an ε-next-bit predictor for bit i of a PRSG G if

prob[ A(b₁, …, b_i−1) = b_i ] ≥

+ ε

where (b₁, …, b_i) = G_i(S). To explain this notation, S is a uniformly distributed random variable ranging over the possible seeds for G. G(S) is a random variable (i.e., probability distribution) over the output strings of G, and G_i(S) is the corresponding probability distribution on the length-i prefixes of G(S).

Next-bit prediction is closely related to indistinguishability, introduced in section 4. We will show later that if if G(S) has a next-bit predictor for some bit i, then G(S) is distinguishable from the uniform distribution U on the same length strings, and conversely, if G(S) is distinguishable from U, then there is a next-bit predictor for some bit i of G(S). The precise definitions under which this theorem is true are subtle, for one must quantify both the amount of time the judge and next-bit predictor algorithms are permitted to run as well as how much better than chance the judgments or predictions must be in order to be considered a successful judge or next-bit predictor. We defer the mathematics for now and focus instead on the intuitive concepts that underly this theorem.

5.3.2 Building a judge from a next-bit predictor

Suppose a PRSG G has an ε-next-bit predictor A for some bit i. Here's how to build a judge J that distinguishes G(S) from U. The judge J, given a sample string drawn from either G(S) or from U, runs algorithm A to guess bit b_i from bits b₁, …, b_i−1. If the guess agrees with the real b_i, then J outputs 1 (meaning that he guesses the sequence came from G(S)). Otherwise, J outputs 0. For sequences drawn from G(S), J will output 1 with the same probability that A successfully predicts bit b_i, which is at least 1/2 + ε. For sequences drawn from U, the judge will output 1 with probability exactly 1/2. Hence, the judge distinguishes G(S) from U with advantage ε.

It follows that no cryptographically strong PRSG can have an ε-next-bit predictor. In other words, no algorithm that attempts to predict the next bit can have more than a "small" advantage ε over chance.

5.4 Previous-bit prediction

Previous-bit prediction, while perhaps less natural, is analogous to next-bit prediction. An ε-previous-bit predictor for bit i is an algorithm that, given bits b_i+1, …, b_l, correctly predicts b_i with probability at least 1/2 + ε.

As with next-bit predictors, it is the case that if G(S) has a previous-bit predictor for some bit b_j, then some judge distinguishes G(S) from U. Again, I am being vague with the exact conditions under which this is true. The somewhat surprising fact follows that G(S) has an ε-next-bit predictor for some bit i if and only if it has an ε′-previous-bit predictor for some bit j (where ε and ε′ are related but not necessarily equal).

To give some intuition into why such a fact might be true, we look at the special case of l = 2, that is, of 2-bit sequences. The probability distribution G(S) can be described by four probabilities

p_u,v = prob[ b₁ = u ∧b₂ = v ], where u, v ∈ {0, 1}.

Written in tabular form, we have

b₂

b₁

p_0,0

p_0,1

p_1,0

p_1,1

We describe an algorithm A(v) for predicting b₁ given b₂=v. A(v) predicts b₁=0 if p_0,v > p_1,v, and it predicts b₁=1 if p_0,v ≤ p_1,v. In other words, the algorithm chooses the value for b₁ that is most likely given that b₂ = v. Let a(v) be the value predicted by A(v).

If A is an ε-previous-bit predictor for b₁, then A is an ε-next-bit predictor for either b₁ or b₂.

Assume A is an ε-previous-bit predictor for b₁. Then A correctly predicts b₁ given b₂ with probability at least 1/2 + ε. We show that A is an ε-next-bit predictor for either b₁ or b₂.

We have two cases:

Case 1: a(0) = a(1). Then algorithm A does not depend on v, so A itself is also an ε-next-bit predictor for b₁.

Case 2: a(0) ≠ a(1). The probability that A(v) correctly predicts b₁ when b₂ = v is given by the conditional probability

prob[b₁ = a(v) | b₂ = v] =

prob[b₁ = a(v) ∧b₂ = v]

prob[b₂ = v]

p_a(v),v

prob[b₂ = v]

The overall probability that A(b₂) is correct for b₁ is the weighted average of the conditional probabilities for v=0 and v=1, weighted by the probability that b₂ = v. Thus,

prob[A(b₂) is correct for b₁]

∑
u ∈ {0,1}

prob[b₁ = a(v) | b₂ = v] ·prob[b₂ = v]

∑
u ∈ {0,1}

p_a(v),v

p_a(0),0 + p_a(1),1

Now, since a(0) ≠ a(1), the function a is one-to-one and onto. A simple case analysis shows that either a(v) = v for v ∈ {0,1}, or a(v) = ¬v for v ∈ {0,1}. That is, a is either the identity or the complement function. In either case, a is its own inverse. Hence, we may also use algorithm A(u) as a predictor for b₂ given b₁ = u. By a similar analysis to that used above, we get

prob[A(b₁) is correct for b₂]

∑
v ∈ {0,1}

prob[b₂ = a(u) | b₁ = u] ·prob[b₁ = u]

∑
u ∈ {0,1}

p_u,a(u)

p_0,a(0) + p_1,a(1)

But

p_a(0),0 + p_a(1),1 = p_0,a(0) + p_1,a(1)

since either a is the identity function or the complement function. Hence, A(b₁) is correct for b₂ with the same probability that A(b₂) is correct for b₁. Therefore, A is an ε-next-bit predictor for b₂.

In both cases, we conclude that A is an ε-next-bit predictor for either b₁ or b₂.

5.5 Security of BBS generator

We now show that if BBS has a previous-bit predictor, then there is an algorithm for testing quadratic residues whose running time and accuracy are related to the running time and accuracy of the BBS predictor. Thus, if quadratic-residue-testing is "hard", then so is previous-bit prediction for BBS. See handout 18 for further results on the security of BBS.

Let A be an ε-previous-bit predictor for BBS(S). Then we can find an algorithm Q for testing whether a number x with Jacobi symbol 1 is a quadratic residue, and Q will be correct with probability at least 1/2 + ε.

Assume that A predicts b_j given the k bits b_j+1, …,b_j+k. Then A also predicts b₁ given b₂, …, b_k with the same accuracy. This follows from the fact that the mapping x→ x² mod n is a permutation on QR_n. Hence, s₀ and s_j−1 are identically distributed, so the k-bit prefixes of BBS(s₀) and BBS(s_j−1) are likewise identically distributed.

Algorithm Q(x), shown in Figure 6, tests whether or not a number x with Jacobi symbol 1 is a quadratic residue modulo n. It outputs 1 to mean x ∈ QR_n and 0 to mean x ∉ QR_n.

To Q(x):
1.	Let s₂ = x² mod n.
2.	Let s_i = s_i−1² mod n, for i=3, …, k.
3.	Let b₁ = lsb(x).
4.	Let b_i = lsb(s_i), for i=2, …, k.
5.	Let c = A(b₂, …, b_k).
6.	If c = b₁ then output 1; else output 0.

Figure 6: Algorithm Q for testing x ∈ QR_n.

Since jacobi(x, n) = 1, then either x or −x is a quadratic residue. Let s₀ be the principal square root of x or −x and consider the first k bits of BBS(s₀). We have two cases:

If x ∈ QR_n, the sequence of seeds is s₀, x, s₂, …, s_k and the corresponding sequence of output bits is

b₁, b₂, …, b_k.

If −x ∈ QR_n, the sequence of seeds is s₀, −x, s₂, …, x_k and the corresponding sequence of output bits is

¬b₁, b₂, …, b_k.

Hence, if the predicted first bit c is correct, then

c=b₁ iff x ∈ QR_n.

Since the predicted bit is correct with probability at least 1/2 +ε, algorithm Q is correctly with probability at least 1/2 +ε.

File translated from T_EX by T_TH, version 3.66.
On 2 May 2005, 12:57.