solutions 4

solutions 4 - ICS 180 Introduction to Cryptography...


ICS 180: Introduction to Cryptography
5/25/2004
Solutions to homework 4

1 “One-bit-stretching” PRG ⇒ “polynomially-stretching” PRG

Assume that $G$ is a PRG which stretches input by only one bit, i.e. for all inputs $x$, the length $|G(x)|$ of the output of $G$ on $x$ is equal to $|x| + 1$.

1.1 For any polynomial $p(\cdot)$, use the 1-bit stretching PRG $G$ to construct a PRG $G'$ which stretches the (random) $k$-bit input into a (pseudorandom) output of length $p(k)$. Prove that your construction $G'$ is indeed a PRG if $G$ is a PRG.

Hint(s): First try to construct a two-bit stretching $G'$, i.e. do it for $p(k) = k + 2$. (Note that in the subsection below you have some wrong ways of making the 2-bit stretching PRG. I think that all ways where you try to use $G$ just once will fail, and to get $(2+k)$-bit output you need to use $G$ twice.) If you do get it for 2-bit stretching PRG, chances are that your construction generalizes to any polynomial number of extra bits, and that you can prove this generalized construction using the proof you did for the 2-bit case and induction.

And how can you prove that your construction for $G'$ is secure? You can try to prove this by contradiction, i.e. assume that $G'$ is not a PRG, i.e. that there exists a PPT adversary which distinguishes outputs of $G'$ from random strings, and try to use that adversary to attack the PRG $G$ itself, which is supposed to be secure.

You might also try a direct proof (this could in fact be easier!) to argue why the distribution $\{G'(x)\}_{x \leftarrow \{0,1\}^k}$ is computationally indistinguishable from distribution $\{r\}_{r \leftarrow \{0,1\}^{k+2}}$. Recall that the fact that $G$ is a good (1-bit stretching) PRG can be phrased as $\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx \{r\}_{r \leftarrow \{0,1\}^{k+1}}$ (where “$\approx$” stands for “computationally indistinguishable”).

In coming up with the direct proof, you can use the following two lemmas, which we used recently in lectures:

Lemma 1. If $X, Z$ are two computationally indistinguishable distributions, i.e. $\{s\}_{s \leftarrow X} \approx \{s\}_{s \leftarrow Z}$, and $f(\cdot)$ is a PPT algorithm, then $\{f(s)\}_{s \leftarrow X} \approx \{f(s)\}_{s \leftarrow Z}$. Using a simplified notation: If $\{X\} \approx \{Y\}$ and $f$ is PPT then $\{f(X)\} \approx \{f(Y)\}$.

Lemma 2 (Hybrid Lemma). If $X_1, ..., X_n$ are distributions s.t. $\{X_i\} \approx \{X_{i+1}\}$ for every $i = 1, ..., n-1$, and $n$ is polynomial in the security parameter, then $\{X_1\} \approx \{X_n\}$ ....
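The hint and the two lemmas above point at the standard iterated construction. The sketch below is an added example, not the course's own solution. It goes beyond the 2-bit case to any number m of extra bits and also samples the hybrid distributions that the Hybrid Lemma chains together. Assumptions: `toy_G` is a SHA-256-based stand-in for $G$ with no PRG proof, and all function names are hypothetical.

```python
import hashlib
import secrets

def toy_G(x: str) -> str:
    """Stand-in for G: maps a k-bit string to k+1 bits (demo only, no PRG proof)."""
    out, ctr = "", 0
    while len(out) < len(x) + 1:
        digest = hashlib.sha256(f"{ctr}|{x}".encode()).digest()
        out += "".join(f"{byte:08b}" for byte in digest)
        ctr += 1
    return out[: len(x) + 1]

def random_bits(n: int) -> str:
    """n uniformly random bits as a '0'/'1' string."""
    return "".join(secrets.choice("01") for _ in range(n))

def continue_from(G, state: str, emitted: str, steps: int) -> str:
    """The PPT map f of Lemma 1: run `steps` more rounds of G from `state`.
    Each round splits G(state) into next_state || bit and prepends the bit
    to the bits already emitted. Returns final_state || emitted."""
    k = len(state)
    for _ in range(steps):
        y = G(state)
        state, emitted = y[:k], y[k] + emitted
    return state + emitted

def G_prime(G, x: str, m: int) -> str:
    """Stretch the k-bit seed x to k+m bits using m calls to G.
    For m = 2 this is G(s1) || b1, where G(x) = s1 || b1."""
    return continue_from(G, x, "", m)

def hybrid(G, k: int, m: int, i: int) -> str:
    """Sample hybrid H_i: the first i rounds are replaced by true randomness
    (a random k-bit state and i random emitted bits); the remaining m-i
    rounds use G. H_0 is G'(x) for random x; H_m is uniform on k+m bits.
    H_i and H_(i+1) are the same f applied to G(U_k) versus U_(k+1)."""
    return continue_from(G, random_bits(k), random_bits(i), m - i)
```

Adjacent hybrids differ only in whether one (k+1)-bit block comes from $G$ on a uniform seed or is uniform, so Lemma 1 covers each step and Lemma 2 chains the m+1 hybrids.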

This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
