# Hybrid argument (Cryptography)

In cryptography, the hybrid argument is a proof technique used to show that two distributions are computationally indistinguishable.

## Formal description

Formally, to show two distributions $D_1$ and $D_2$ are computationally indistinguishable, we can define a sequence of hybrid distributions $D_1 := H_0, H_1, \ldots, H_t =: D_2$ where $t$ is polynomial in the security parameter. Define the advantage of any probabilistic efficient (polynomial-bounded time) algorithm $\mathbf{A}$ as

${\displaystyle {\mathsf {Adv}}_{H_{i},H_{i+1}}^{\mathsf {dist}}(\mathbf {A} ):=\left|\Pr[x{\stackrel {\$}{\gets }}H_{i}:\mathbf {A} (x)=1]-\Pr[x{\stackrel {\$}{\gets }}H_{i+1}:\mathbf {A} (x)=1]\right|,}$

where the dollar symbol (\$) denotes that we sample an element from the distribution at random.

By the triangle inequality, it is clear that for any probabilistic polynomial time algorithm $\mathbf{A}$,

${\displaystyle {\mathsf {Adv}}_{D_{1},D_{2}}^{\mathsf {dist}}(\mathbf {A} )\leq \sum _{i=0}^{t-1}{\mathsf {Adv}}_{H_{i},H_{i+1}}^{\mathsf {dist}}(\mathbf {A} ).}$

Thus there must exist some $k$ such that $0 \leq k < t$ and

${\displaystyle {\mathsf {Adv}}_{H_{k},H_{k+1}}^{\mathsf {dist}}(\mathbf {A} )\geq {\mathsf {Adv}}_{D_{1},D_{2}}^{\mathsf {dist}}(\mathbf {A} )/t.}$

Since $t$ is polynomial-bounded, for any such algorithm $\mathbf{A}$, if we can show that its advantage to distinguish the distributions $H_i$ and $H_{i+1}$ is negligible for every $i$, then it immediately follows that its advantage to distinguish the distributions $D_1 = H_0$ and $D_2 = H_t$ must also be negligible. This fact gives rise to the hybrid argument: it suffices to find such a sequence of hybrid distributions and show each pair of them is computationally indistinguishable.[1]
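
A concrete check of the bounds above, as an added example that is not part of the original article: it enumerates the hybrids exactly for a toy generator and two distinguishers. The generator `G`, the distinguishers `A_match` and `A_mixed`, and the choice of $H_0$ as uniform and $H_t$ as the output of `G` are assumptions constructed for illustration.

```python
from fractions import Fraction
from itertools import product

SEED_BITS, N = 2, 4   # toy sizes (assumed) so exact enumeration is cheap
T = N                 # number of hybrid steps t

def G(seed):
    """Toy, deliberately insecure generator constructed for this example."""
    s0, s1 = seed
    return (s0, s1, s0 & s1, s0 ^ s1)

def accept_prob(A, i):
    """Exact Pr[x <-$ H_i : A(x) = 1], where H_i takes its first i bits
    from G(seed) with a uniform seed and its remaining N - i bits uniformly."""
    hits = total = 0
    for seed in product((0, 1), repeat=SEED_BITS):
        for tail in product((0, 1), repeat=N - i):
            hits += A(G(seed)[:i] + tail)
            total += 1
    return Fraction(hits, total)

def hybrid_report(A):
    """Return (Adv_{D1,D2}(A), [Adv_{H_i,H_{i+1}}(A) for each i], best step k)."""
    p = [accept_prob(A, i) for i in range(T + 1)]
    steps = [abs(p[i] - p[i + 1]) for i in range(T)]
    end_to_end = abs(p[0] - p[T])          # H_0 = D1 (uniform), H_T = D2 (G)
    k = max(range(T), key=lambda i: steps[i])
    return end_to_end, steps, k

def A_match(x):
    # Accepts when both derived bits agree with G's structure.
    return int(x[2] == (x[0] & x[1]) and x[3] == (x[0] ^ x[1]))

def A_mixed(x):
    # Acceptance probability rises then falls across the hybrids.
    return int(x[2] == (x[0] & x[1]) and x[3] != (x[0] ^ x[1]))

if __name__ == "__main__":
    for A in (A_match, A_mixed):
        adv, steps, k = hybrid_report(A)
        assert adv <= sum(steps)       # triangle inequality
        assert steps[k] >= adv / T     # some step carries at least Adv / t
        print(A.__name__, "Adv =", adv, "steps =", [str(s) for s in steps], "k =", k)
```

For `A_mixed` the end-to-end advantage is 1/4 while the per-step advantages sum to 3/4, so the triangle inequality is strict; in both cases step k = 3 carries at least a 1/t share of the end-to-end advantage.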

## Applications

The hybrid argument is extensively used in cryptography. Some simple proofs using hybrid arguments are:

• If one cannot efficiently predict the next bit of the output of some number generator, then this generator is a pseudorandom number generator (PRG).[2]
• We can securely expand a PRG with 1-bit output into a PRG with n-bit output.[3]

## Notes

1. Lemma 3 in Dodis's notes.
2. Theorem 1 in Dodis's notes.
3. Lemma 80.5, Corollary 81.7 in Pass's notes.

## References

• Dodis, Yevgeniy. "Introduction to Cryptography Lecture 5 notes" (PDF).
• Pass, Rafael. "A Course in Cryptography" (PDF).