we are now going to do a hybrid proof
for the security of the scheme
now hybrid proofs
have 3 rules, rule number 1
is that there will be
a first hybrid H1 let's
say and the last hybrid let's say
Hlast these two
should be the two things that need
to be indistinguishable so essentially
in a hybrid proof our goal is to prove
that
this first hybrid is indistinguishable
from the last hybrid
but instead of doing it
at once we will do it using hybrids
so we will define the second rule
that says considering two neighboring
hybrids
H i and H i+1
distinguishing
these two hybrids should mean
breaking some underlying scheme some
underlying assumption
remember we said
hybrid proofs one of the main uses of
them is when
some primitive is repeated multiple
times
so here we have Gn+1 repeated
multiple times
between Gn+pn essentially we will
define our hybrids such that
the only difference between two
neighboring hybrids
would be something
related to Gn+1
this is our underlying assumptions so if
the adversary can distinguish between
one of these
we will show that we can distinguish
let's say we can break
Gn+1
the third rule says there must be
polynomially many hybrids so
in some sense this will mean that we will
call
our H first as let's say H
zero and our Hlast as let's
say
H some let's say p(n)
for some polynomial n let us define
our hybrids for this particular proof
and then
it will all become more clear
we will define
hybrid i as follows:
for this particular proof. So hybrid i
says pick a random value
s that is n+1
bits sorry n+i bits
So pick a random n+i
bit. Then let me
label these bits let's say levels
so this is the 0th level 1st
level
2nd level 3rd level et cetera
so if I run Gn+1 once
corresponds to first.
if I run twice from the beginning
second level. three times from the beginning
third level
so the last level would be pnth
level. So hybrid i says
pick some random s that is n+i bits
and then continue this
construction
from level i
so start at level
i and continue there
let's see what this means for some
values of i. consider H0
the 0th hybrid
first hybrid essentially. What
it would mean is
we would be picking s that is how many bits
you see it n+i, i is 0
n bits and then
start at level 0 if I start at level 0
so I have n bits of random value
I start at level 0
do these things this essentially
corresponds to running
G n+p(n) so pick this s
and then run G n+p(n)
using this s as the input
it will give us some random value let say r
a pseudorandom value r at the end
and
the length of this r would be n+
p(n) bits. let's look at
Hpn
when i is equal to p(n) what it
would mean is
pick s that is of length n+p(n)
so i is equal to p(n) according to the
hybrid definition this means we're
picking s that is n+p(n) bits 
and then continue from level p(n)
if I continue this construction from
level p(n) there's nothing further
to do
essentially I can say that my
r that is the output let's say
would be equal to s. If you consider
this hybrid the definitions H0
essentially is
picking a random s running Gn+n 
and then outputs it
so my H0 is in some sense
the pseudo-random experiment
what is Hp(n)?
Hp(n) is picking a truly random value of the 
same length as the output of my pseudorandom experiment
so this is my random experiment 
remember pseudorandom generator definitions
security definition says
this experiment needs to be
indistinguishable
computationally indistinguishable from
this experiment
so if I managed to prove this
H0 is indistinguishable from this Hp(n)
then I am done that's the proof I'm
trying to
eventually form. Now let's look at
some neighboring hybrids consider for
example
H1. what is H1?
H1 would mean pick n+1 random bits
and then continue this construction from level 1
what was H0 pick
n bit random value and then continue from level 0
so the only difference
between H0 and H1
would be at this first step hybrid 0
uses Gn+1 to perform this first step
hybrid one doesn't use Gn+1
it picks these n+1 bits completely random
so the only difference between hybrid 0 and hybrid 1
is this one use of Gn+1
consider hybrid 2
hybrid 2 says pick n+2 random
bits continue at level 2
so pick n+2 random bits
continue from level 2 between hybrid 1 and hybrid 2
the only difference is running this Gn+1 once
so between each Hi and Hi+1
the only difference would be
we are either running Gn+1 one more time
or we're starting randomly so essentially
this difference here would correspond to
distinguishing G n+1's
pseudorandom output from a random value
of the same length. remember that's
what we wanted to achieve
distinguishing each of the neighboring hybrids
should correspond
to breaking some underlying assumption
the assumption here would be
Gn+1 is
indistinguishable from random. 
Do we have polynomially many
hybrids? yes remember our last hybrid is
P(n) and so we have
P(n)+1 hybrids essentially
remember P(n)
was a polynomial so we have polynomially many
hybrids we satisfy all three requirements
of a hybrid proof if we define our hybrid i
as this. now
the next step would be proving
this using a reduction so this was
only let's say a starting point for us
next we need to prove what's the
theorem we are going to prove let's write it
first and then we will do the proof soon
the theorem says
if this
G n+1 is a secure pseudorandom
generator
that has N+1 bit
output then
this
new pseudorandom generator we defined Gn+p(n)
which is essentially this whole construction
remember repeating Gn+1 p(n)
many times on the first n bits of
the output
taking these extras here. So this
construction
then will be a secure pseudorandom
generator with
n+p(n) bit output
so this is the theorem we are going to prove
and in our proof
we are going to employ this hybrid
the definition
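
The hybrid definition from this lecture, written out as an added Python example that is not part of the original lecture. It assumes a toy SHA-256-based stand-in for Gn+1 (not a proven pseudorandom generator) and constructed parameters N = 128 and P = 64; the helper names are hypothetical.

```python
import hashlib
import secrets

N = 128  # seed length n (constructed parameter)
P = 64   # stretch p(n) (constructed parameter)


def g_n_plus_1(x: str) -> str:
    """Toy stand-in for Gn+1: n bits in, n+1 bits out (assumption, not a proven PRG)."""
    assert len(x) == N
    digest = hashlib.sha256(int(x, 2).to_bytes(N // 8, "big")).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[: N + 1]


def random_bits(k: int) -> str:
    """Uniformly random k-bit string written as '0'/'1' characters."""
    return format(secrets.randbits(k), f"0{k}b") if k else ""


def continue_from(level: int, state: str) -> str:
    """Continue the construction from `level` up to level P on an (N+level)-bit state."""
    assert len(state) == N + level
    for _ in range(level, P):
        seed, extras = state[:N], state[N:]
        # One more use of Gn+1 on the first n bits; earlier extra bits are kept.
        state = g_n_plus_1(seed) + extras
    return state


def hybrid(i: int) -> str:
    """H_i: pick a random (n+i)-bit s, then continue the construction from level i."""
    return continue_from(i, random_bits(N + i))


def embed_challenge(i: int, z: str, extras: str) -> str:
    """Place an (n+1)-bit challenge z at level i+1 next to i random extra bits.

    If z = Gn+1(x) for random x the output is distributed as H_i;
    if z is uniformly random it is distributed as H_{i+1}.
    """
    assert len(z) == N + 1 and len(extras) == i
    return continue_from(i + 1, z + extras)


if __name__ == "__main__":
    print("H_0   :", hybrid(0)[:32], "...")   # pseudorandom experiment
    print("H_p(n):", hybrid(P)[:32], "...")   # random experiment
```

Every hybrid outputs n+p(n) bits, and `embed_challenge` is the place where a distinguisher for two neighboring hybrids would be turned into a distinguisher for Gn+1.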
