let's do our first hybrid proof remember
our theorem is that if this PRG with n+1 bit output
is secure meaning that
the output of this, the n+1 bits here,
is indistinguishable from n+1 random bits
computationally
then we're going to prove that this n+p(n)
bit output PRG that we constructed
here, is secure. Our proof style
remember, always goes through adversaries
so what we are going to prove remember
is that
if there exists a PPT
adversary A, that
breaks this
new construction we have
Gn+p(n). Remember,
breaking here means distinguishing
the output of Gn+p(n) from random output
of the same length
n+p(n) bits with non-negligible
advantage then we are going to
construct remember another
PPT adversary let's call it
B. And B
is going to break this
underlying primitive our assumption
our assumption here, Gn+1, so if there exists
an adversary who can break this
then we will construct
an adversary who can break this
if the adversary who breaks it is
PPT then ours will be
PPT as well.
If this adversary has
non-negligible advantage
our adversary will have
non-negligible advantage as well
In this proof we are going to
employ
the hybrid technique. Remember, our hybrid definition
was as follows:
hybrid i would mean
pick n+i random 
bits and then continue this
construction
from level i so
start with n+i random bits
continue this construction
end with n+p(n) bits. Let's define
our adversaries as usual we're going to
do it
visually so we will 
draw these two boxes, inside
there will be the adversary
A. Adversary A is playing
the game for PRG n+p(n)
what's this game
remember the adversary is given the
security parameter
together with
some value, let's say W
such that this W is
the output of Gn+p(n)
or completely random of the same length
n+p(n) bits
at the end this adversary
is going to tell us whether
this W is pseudorandom
or random. That will be the adversary's output.
this adversary B that we are going to construct
is playing the game for Gn+1
so it will be given
the security parameter for that game
which
happens to be the same here
and some value let's say r.
Such that this r
is either the output
of Gn+1
using some random n bits input. Or
it is completely random n+1 bits
and our goal as B is to again say
whether this r was pseudorandom
or random. So B needs to construct
these hybrids for now assume that we
have a fixed value of i.
so our goal is to construct
either Hi
OK or Hi+1
remember the only difference between Hi and Hi+1
was
one more round of this Gn+1
so our goal is to construct either one of these.
essentially we will not know which one we constructed.
but that's good because
the adversary will help us know which 
one we constructed so we want to construct
either Hi or Hi+1. Let's do that.
What we're going to do the hybrid
says pick random
i bits or
i+1 bits input
so in every proof remember
the outside adversary B is trying to tie
its input to somehow the input
of the inside adversary A.
That is the main mechanism of
every proof, every reduction proof we are doing
so somehow my hybrid construction
should include this r value
so what I'm going to do here is
I will start from r.
at level i. And then
I will run this construction from level
i starting with r
and then obtain
what will be
n+p(n)
bit output. I will call this
W and I will send this
to the adversary of course now we need to
think carefully
remember this r is
only how many bits n+1 bits
so the
n+1 bits of r
is coming here but level i
requires n+i bits
so I need i-1
extra bits here
and these i-1 extra bits
let me call it s, and I'm going to pick
those
randomly. So I'm going to pick
i-1 extra random bits
concatenate with r now start with
r together with s at level i do
this construction
continued from level i. obtain
n+p(n) bit output send this as W
what did we do here?
so here let's consider two cases
there are two cases either r
is computed as follows some let's say
x value was chosen randomly
such that it is n bits
and then r was computed as running
Gn+1 over this
X. So this is the pseudorandom
case of r.
now what about the random case of r
in the random case
r was actually chosen completely
randomly
from n+1 bits
now let's think about
what we did here. Consider
the case that r itself is completely random
so essentially what we did here is the following
we have n+1 random bits we have
i-1 random bits here so in
total
we will have n+1+i-1
n+i random bits
so we started with n+i random bits
reached to W this would correspond to
essentially hybrid
i, this is
exactly the definition of hybrid i
what if r was pseudorandom?
if r was pseudorandom here
is what would have happened:
we would have started
with some random values here
and then r would have been computed
so r would have been here
anything extra here
would have been transferred here
so why would this correspond to Hi-1
think about it this way
if r was computed as an output of
Gn+1 over some random
x that is n bits so x was here that is n bits
and then there were i-1 random bits here
r is computed 
r is n+1 bits
we copy these
i-1 random bits here so,
overall we would obtain ...
n+i bits
now, what would this mean? This would mean
that
we essentially started
with n+i-1 random bits
we ran through one level on
this, obtained our pseudorandom
and then i-1 bits
and continued of course until we obtain
some W. So we started at level i-1
randomly and then essentially
continued running the construction
from there. This is why this corresponds
to hybrid
i-1
so if r was random this would have
corresponded
to hybrid i. if r was generated pseudorandomly
this would have corresponded to hybrid i-1
so we sent this w to the adversary
the adversary tells us random or pseudorandom
think about it this way: Which hybrid
is more random? Essentially hybrid
i because hybrid i-1 involves
one more round of this pseudorandom generator
therefore if we generated
hybrid i, we expect the adversary to say
random
and when does it happen
it happens if r itself was random, 
so if the adversary says random
we should say random
if instead r was pseudorandom, this means we have generated hybrid i-1
and we expect that the adversary
should say pseudorandom
in that case so we should also say pseudorandom
essentially the last part is extremely easy
we just say whatever the adversary A says.
are we done? Almost.
the real issue here is our adversary B
needs i
it doesn't know i. We don't know i
so what we're going to do is we will
pick i randomly
and i will be 
anything between 1 up to p(n).
so i is some value between 1 and p(n)
if we pick i as one
and if the r 
value we are given was pseudorandom
then we would have obtained hybrid 0
if r value was random
Well, we pick random i as one 
then we would have computed hybrid 1
Now
there are some more things
we need to argue. So what's the underlying
idea of the proof here
remember
we have hybrid 0
and hybrid p(n) that needs to be indistinguishable
so in between there are these other hybrids, hybrid 1
here, hybrid 2 to here
hybrid 3 here, some hybrid let's say i here
hybrid i+1 here
etc.
Consider this case: if the adversary has
only negligible advantage
in distinguishing these neighboring
hybrids
so between each neighboring hybrid
the adversary has negligible advantage let's say
remember we have
p(n) such neighbors so the total
distinguishing advantage
between hybrid 0 and
hybrid last, hybrid p(n) would be
p(n) times this negligible
value. Remember p(n) is polynomial if
each one of them is negligible this whole thing
would be negligible.
on the other hand,
distinguishing between hybrid 0
and hybrid p(n) means this whole
distinguishing
advantage is essentially some non-negligible
value. If this is non-negligible
what we need is the following.
this sum is non-negligible. if all of these
were negligible the sum had 
to be negligible therefore
at least one of these neighbors here
must be distinguished with non-negligible
advantage so h0
and hp(n) can be distinguished with
non-negligible advantage at least
one of the neighboring hybrids must be distinguished with
non-negligible advantage
at least 1
maybe all of them can be distinguished by non-negligible advantage
but at least one of them needs to be. Therefore
consider that
the distinguishing advantage of the
adversary A
is let's say some E(n)
by
this logic, the distinguishing
advantage of adversary B would be
greater than or equal to E(n)/p(n)
why?
remember if
E(n) is non-negligible
at least one of these neighbors
can be distinguished with non-negligible advantage
but we are picking a 
neighbor randomly here there are p(n) such
neighbors, we are picking one randomly
so if we picked the right one
where the adversary
has non-negligible advantage then
we will also win.
if we picked a wrong one we wouldn't win.
what's the probability that
we picked the right one
there is at least one of them that is
right
meaning that has non-negligible advantage
in distinguishing
If there's at least one
and there are p(n) many of them with at least 1/p(n)
probability we picked the right one.
so we multiply this with 1/p(n)
but this is a lower bound for us
now let's conclude our proof.
if E(n) is 
non-negligible, non-negligible/polynomial
would be non-negligible
and finally the reasoning other way around
if E(n)/p(n)
must be negligible, then E(n)
must be negligible therefore we have these two things
if this Gn+1,
is a secure PRG,
then this Gn+p(n)
is a secure PRG.
so if this has to be negligible,
this has to be negligible.
And this concludes our proof.
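
The reduction described above, as an added Python example that is not part of the lecture. The SHA-256 stand-in for Gn+1, the toy sizes N and P, and the round layout (G applied to the first n bits, extra bits copied along) are assumptions taken from the description, and all function names are hypothetical.

```python
import hashlib
import secrets

N = 16   # seed length n in bits (constructed toy parameter)
P = 8    # stretch p(n) (constructed toy parameter)

def G(x):
    """Stand-in for Gn+1: n bits in, n+1 bits out (SHA-256 based, an assumption)."""
    assert len(x) == N
    digest = hashlib.sha256(bytes(x)).digest()
    return [(digest[j // 8] >> (j % 8)) & 1 for j in range(N + 1)]

def run_from_level(state, level):
    """Continue the construction from `level` (n+level bits) up to n+p(n) bits."""
    assert len(state) == N + level
    for _ in range(level, P):
        # One round: G on the first n bits, the extra bits are copied along.
        state = G(state[:N]) + state[N:]
    return state

def random_bits(k):
    return [secrets.randbits(1) for _ in range(k)]

def hybrid(i, seed=None):
    """Hybrid i: n+i random bits, then the construction from level i."""
    if seed is None:
        seed = random_bits(N + i)
    return run_from_level(seed, i)

def embed(r, i, s):
    """B's input for A: place the challenge r (n+1 bits) plus s at level i."""
    assert len(r) == N + 1 and len(s) == i - 1
    return run_from_level(r + s, i)

def B(r, A, i=None, s=None):
    """Reduction B: pick i in 1..p(n), build W from r, say whatever A says."""
    if i is None:
        i = 1 + secrets.randbelow(P)   # i uniform in 1..p(n)
    if s is None:
        s = random_bits(i - 1)         # the i-1 extra random bits
    return A(embed(r, i, s))           # A answers "random" or "pseudorandom"
```

Passing explicit i and s makes the two cases checkable: with r = G(x) the value sent to A equals hybrid i-1 started from x followed by s, and with random r it equals hybrid i started from r followed by s.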
