5.4: Extending the Stretch of a PRG

Recall that the stretch of a PRG is the amount by which the PRG’s output length exceeds its input length. A PRG with very long stretch seems much more useful than one with small stretch. Is there a limit to the stretch of a PRG? Using only \(?\lambda\) bits of true uniform randomness, can we generate \(100\lambda\), or even \(\lambda^3\) pseudorandom bits?

In this section we will see that once you can extend a PRG a little bit, you can also extend it a lot. This is another magical feat that is possible with pseudorandomness but not with truly uniform distributions. We will demonstrate the concept by extending a PRG with stretch \(\lambda\) into one with stretch \(2\lambda\), but the idea can be used to increase the stretch of any PRG indefinitely (see the exercises).

Construction \(\PageIndex{1}\) : PRG Feedback

Let \(G : \{0,1\}^{\lambda} \rightarrow \{0,1\}^{2\lambda}\) be a length-doubling PRG (i.e., a PRG with stretch \(\lambda\)). When \(x \in \{0,1\}^{2\lambda}\), we write \(x_{left}\) to denote the leftmost \(\lambda\) bits of \(x\) and \(x_{right}\) to denote the rightmost \(\lambda\) bits. Define the length-tripling function \(H : \{0,1\}^{\lambda} \rightarrow \{0,1\}^{3\lambda}\) as follows:

Claim \(\PageIndex{1}\) :

If \(G\) is a secure length-doubling \(PRG\), then \(H\) (defined above) is a secure length-tripling \(PRG\).

Proof:

We want to show that \(\mathscr{L}^H_{\text{prg-real}} ≋ \mathscr{L}^H_{\text{prg-rand}}\). As usual, we do so with a hybrid sequence. Since we assume that \(G\) is a secure \(PRG\), we are allowed to use the fact that \(\mathscr{L}^G_{\text{prg-real}} ≋ \mathscr{L}^G_{\text{prg-rand}}\). In this proof, we will use the fact twice: once for each occurrence of \(G\) in the code of \(H\).

The starting point is \(\mathscr{L}^H_{\text{prg-real}}\), shown here with the details of \(H\) filled in.

The first invocation of \(G\) has been factored out into a subroutine. The resulting hybrid library includes an instance of \(\mathscr{L}^G_{\text{prg-real}}\).

From the PRG security of \(G\), we can replace the instance of \(\mathscr{L}^G_{\text{prg-real}}\) with \(\mathscr{L}^G_{\text{prg-rand}}|). The resulting hybrid library is indistinguishable.

A subroutine has been inlined

Choosing \(2\lambda\) uniformly random bits and then splitting them into two halves has exactly the same effect as choosing \(\lambda\) uniformly random bits and independently choosing \(\lambda\) more.

The remaining appearance of \(G\) has been factored out into a subroutine. Now \(\mathscr{L}^G_{\text{prg-real}}\) makes its second appearance

Again, the PRG security of G lets us replace \(\mathscr{L}^G_{\text{prg-real}}\) with \(\mathscr{L}^G_{\text{prg-rand}}\). The resulting hybrid library is indistinguishable.

A subroutine has been inlined.

Similar to above, concatenating \(\lambda\) uniform bits with \(2\lambda\) independently uniform bits has the same effect as sampling \(3\lambda\) uniform bits. The result of this change is \(\mathscr{L}^H_{\text{prg-rand}}\).

Through this sequence of hybrid libraries, we showed that:

\(\mathscr{L}^H_{\text{prg-real}} \equiv \mathscr{L}_{\text{hyb-1}} ≋ \mathscr{L}_{\text{hyb-2}} \equiv \mathscr{L}_{\text{hyb-3}} \equiv \mathscr{L}_{\text{hyb-4}} \equiv \mathscr{L}_{\text{hyb-5}} ≋ \mathscr{L}_{\text{hyb-6}} \equiv \mathscr{L}_{\text{hyb-7}}\equiv \mathscr{L}^H_{\text{prg-rand}}\).

Hence, \(H\) is a secure PRG.