ICS 180: Introduction to Cryptography
5/25/2004
Solutions to homework 4

1 "One-bit-stretching" PRG => "polynomially-stretching" PRG

Assume that $G$ is a PRG which stretches input by only one bit, i.e. for all inputs $x$, the length $|G(x)|$ of the output of $G$ on $x$ is equal to $|x| + 1$.

1.1 For any polynomial $p(\cdot)$, use the 1-bit stretching PRG $G$ to construct a PRG $G'$ which stretches the (random) $k$-bit input into a (pseudorandom) output of length $p(k)$. Prove that your construction $G'$ is indeed a PRG if $G$ is a PRG.

Hint(s): First try to construct a two-bit stretching $G'$, i.e. do it for $p(k) = k + 2$. (Note that in the subsection below you have some wrong ways of making the 2-bit stretching PRG. I think that all ways where you try to use $G$ just once will fail, and to get a $(2+k)$-bit output you need to use $G$ twice.) If you do get it for the 2-bit stretching PRG, chances are that your construction generalizes to any polynomial number of extra bits, and that you can prove this generalized construction using the proof you did for the 2-bit case and induction.

And how can you prove that your construction for $G'$ is secure? You can try to prove this by contradiction, i.e. assume that $G'$ is not a PRG, i.e. that there exists a PPT adversary which distinguishes outputs of $G'$ from random strings, and try to use that adversary to attack the PRG $G$ itself, which is supposed to be secure.

You might also try a direct proof (this could in fact be easier!) to argue why the distribution $\{G'(x)\}_{x \leftarrow \{0,1\}^k}$ is computationally indistinguishable from the distribution $\{r\}_{r \leftarrow \{0,1\}^{k+2}}$. Recall that the fact that $G$ is a good (1-bit stretching) PRG can be phrased as $\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx \{r\}_{r \leftarrow \{0,1\}^{k+1}}$ (where "$\approx$" stands for "computationally indistinguishable"). In coming up with the direct proof, you can use the following two lemmas, which we used recently in lectures:

Lemma 1. If $X, Z$ are two computationally indistinguishable distributions, i.e. $\{s\}_{s \leftarrow X} \approx \{s\}_{s \leftarrow Z}$, and $f(\cdot)$ is a PPT algorithm, then $\{f(s)\}_{s \leftarrow X} \approx \{f(s)\}_{s \leftarrow Z}$. Using a simplified notation: if $\{X\} \approx \{Y\}$ and $f$ is PPT then $\{f(X)\} \approx \{f(Y)\}$.

Lemma 2 (Hybrid Lemma). If $X_1, \ldots, X_n$ are distributions s.t. $\{X_i\} \approx \{X_{i+1}\}$ for every $i = 1, \ldots, n-1$, and $n$ is polynomial in the security parameter, then $\{X_1\} \approx \{X_n\}$. ...
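The hint's idea of calling G more than once, as an added example that is not part of the original handout: the standard iterated construction, in which each call to G emits one output bit and a fresh k-bit state, together with a sampler for the hybrid distributions that Lemma 2 chains. The names `g_one_bit`, `iterate`, `stretch` and `hybrid` are hypothetical, and the SHA-256-based `g_one_bit` is only an assumed stand-in for a one-bit-stretching G, not a proven PRG.

```python
import hashlib
import secrets

def g_one_bit(x: str) -> str:
    """Stand-in for G: k-bit string -> (k+1)-bit string.
    ASSUMPTION: SHA-256 is only a placeholder here, not a proven PRG."""
    out, counter = "", 0
    while len(out) < len(x) + 1:
        digest = hashlib.sha256(f"{counter}:{x}".encode()).digest()
        out += "".join(f"{byte:08b}" for byte in digest)
        counter += 1
    return out[:len(x) + 1]

def iterate(state: str, bits: str, rounds: int, g) -> str:
    """Run `rounds` calls of G; each call emits one bit and a new k-bit state."""
    k = len(state)
    for _ in range(rounds):
        y = g(state)
        if len(y) != k + 1:
            raise ValueError("G must stretch its input by exactly one bit")
        state, bits = y[:k], bits + y[k]
    return bits + state

def stretch(x: str, n_extra: int, g=g_one_bit) -> str:
    """G'(x): k bits in, k + n_extra bits out, using n_extra calls to G."""
    return iterate(x, "", n_extra, g)

def random_bits(n: int) -> str:
    return "".join(secrets.choice("01") for _ in range(n))

def hybrid(i: int, k: int, n_extra: int, g=g_one_bit) -> str:
    """Sample H_i: the first i output bits and the state after round i are
    uniform, the remaining n_extra - i rounds use G. H_0 is G' on a random
    seed and H_{n_extra} is a uniform (k + n_extra)-bit string."""
    if not 0 <= i <= n_extra:
        raise ValueError("hybrid index out of range")
    return iterate(random_bits(k), random_bits(i), n_extra - i, g)

if __name__ == "__main__":
    seed = "10110010"  # constructed sample seed, k = 8
    print(stretch(seed, 2))                      # 10-bit output, two calls to G
    print([hybrid(i, 8, 2) for i in range(3)])   # one sample from H_0, H_1, H_2
```

Adjacent hybrids H_i and H_{i+1} differ only in whether one (k+1)-bit block is G applied to a uniform state or a uniform string, so Lemma 1 applies with f being the remaining rounds, and Lemma 2 chains the steps from H_0 to H_{n_extra}.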
This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.