Lecture notes I am reading says:
An issue with characterizing efficiency in terms of P is that the feasibility of a problem is thus considered in terms of its worst-case complexity only. For cryptographic and for cryptanalytic purposes, however, it is much more relevant to consider average-case complexity instead. The critical notion is that of a probabilistic Turing machine, which behaves similarly to a nondeterministic Turing machine, except that on each step it chooses the successor configuration uniformly at random from the possible ones
Now it is recently, that I tried to understand the concept of non-deterministic Turing machine, and on the surface level I'd say I understand it. For example if there is some value on the current tape and it is in certain state next move could be:
- Write a Y, move right, and switch to state 5 or
- Write an X, move left, and stay in state 3.
As I understand probabilistic Turing machine is also non deterministic Turing machine but would choose from (1) or (2) with 50/50.
What I don't understand in above quote, is why is cryptography more interested in probabilistic Turing machines? Why is that more useful for cryptography than say deterministic Turing machines? Why does that reflect the average case complexity as in the quote? Examples would be appreciated, say example of a adversary which is implemented as a probabilistic Turing machine.
