
# solutions 4 - ICS 180 Introduction to Cryptography...


ICS 180: Introduction to Cryptography, 5/25/2004

Solutions to homework 4

1 “One-bit-stretching” PRG $\Rightarrow$ “polynomially-stretching” PRG

Assume that $G$ is a PRG which stretches its input by only one bit, i.e. for all inputs $x$, the length $|G(x)|$ of the output of $G$ on $x$ is equal to $|x| + 1$.

1.1 For any polynomial $p(\cdot)$, use the 1-bit stretching PRG $G$ to construct a PRG $G'$ which stretches the (random) $k$-bit input into a (pseudorandom) output of length $p(k)$. Prove that your construction $G'$ is indeed a PRG if $G$ is a PRG.

Hint(s): First try to construct a two-bit stretching $G'$, i.e. do it for $p(k) = k + 2$. (Note that in the subsection below you have some wrong ways of making the 2-bit stretching PRG. I think that all ways where you try to use $G$ just once will fail, and to get $(2+k)$-bit output you need to use $G$ twice.) If you do get it for the 2-bit stretching PRG, chances are that your construction generalizes to any polynomial number of extra bits, and that you can prove this generalized construction using the proof you did for the 2-bit case and induction.

And how can you prove that your construction for $G'$ is secure? You can try to prove this by contradiction, i.e. assume that $G'$ is not a PRG, i.e. that there exists a PPT adversary which distinguishes outputs of $G'$ from random strings, and try to use that adversary to attack the PRG $G$ itself, which is supposed to be secure.

You might also try a direct proof (this could in fact be easier!) to argue why the distribution $\{G'(x)\}_{x \leftarrow \{0,1\}^k}$ is computationally indistinguishable from the distribution $\{r\}_{r \leftarrow \{0,1\}^{k+2}}$. Recall that the fact that $G$ is a good (1-bit stretching) PRG can be phrased as

$$\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx \{r\}_{r \leftarrow \{0,1\}^{k+1}}$$

(where “$\approx$” stands for “computationally indistinguishable”). In coming up with the direct proof, you can use the following two lemmas, which we used recently in lectures:

Lemma 1. If $X, Z$ are two computationally indistinguishable distributions, i.e. $\{s\}_{s \leftarrow X} \approx \{s\}_{s \leftarrow Z}$, and $f(\cdot)$ is a PPT algorithm, then $\{f(s)\}_{s \leftarrow X} \approx \{f(s)\}_{s \leftarrow Z}$. Using a simplified notation: if $\{X\} \approx \{Y\}$ and $f$ is PPT, then $\{f(X)\} \approx \{f(Y)\}$.

Lemma 2 (Hybrid Lemma). If $X_1, \ldots, X_n$ are distributions s.t. $\{X_i\} \approx \{X_{i+1}\}$ for every $i = 1, \ldots, n-1$, and $n$ is polynomial in the security parameter, then $\{X_1\} \approx \{X_n\}$.

Solution: Let’s first do a 2-bit stretching $G'$. Namely, let’s have

$$G'(x) = G(G(x))$$

Clearly, $|G'(x)| = |x| + 2$ for all $x$. Now we’ll show that $G'$ is a PRG. By assumption on $G$, we have:

$$\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx U_{k+1} \qquad (1)$$


(where $U_k$
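Added example (not part of the original solutions): the two-bit-stretching composition G(G(x)) on bit strings, its iteration to an arbitrary output length, and samplers for the chain of distributions that Lemma 1 and Lemma 2 link together. The SHAKE-256-based `G` is a heuristic stand-in with no security proof, and the names `G2`, `stretch`, `uniform`, `hybrids` and the iterated generalization are assumptions of this example.

```python
import hashlib
import secrets


def G(x: str) -> str:
    """Stand-in one-bit-stretching generator on bit strings: |G(x)| = |x| + 1.

    Assumption of this example: SHAKE-256 is used heuristically and is not
    a proven PRG; any candidate one-bit-stretching G can be dropped in.
    """
    if set(x) - {"0", "1"}:
        raise ValueError("input must be a string of '0'/'1' characters")
    n = len(x) + 1
    digest = hashlib.shake_256(x.encode("ascii")).digest((n + 7) // 8)
    # Expand the digest to bits and keep exactly |x| + 1 of them.
    return "".join(f"{b:08b}" for b in digest)[:n]


def G2(x: str) -> str:
    """Two-bit stretching from the solution: G applied twice."""
    return G(G(x))


def stretch(x: str, out_len: int) -> str:
    """Iterate G until the output has out_len = p(k) bits (assumed generalization)."""
    if out_len < len(x):
        raise ValueError("a generator cannot shrink its input")
    y = x
    while len(y) < out_len:
        y = G(y)  # each round adds exactly one bit
    return y


def uniform(n: int) -> str:
    """Sample r <- {0,1}^n."""
    return "".join(secrets.choice("01") for _ in range(n))


def hybrids(k: int) -> list[str]:
    """One sample from each distribution G(G(U_k)), G(U_{k+1}), U_{k+2}.

    Neighbours are indistinguishable by the PRG assumption on G (the first
    pair after applying Lemma 1 with f = G); Lemma 2 links the two ends.
    """
    return [G(G(uniform(k))), G(uniform(k + 1)), uniform(k + 2)]


if __name__ == "__main__":
    seed = uniform(16)
    print(seed, G2(seed), stretch(seed, 40), *hybrids(16), sep="\n")
```

The hybrid samplers only show what each distribution in the chain looks like; the indistinguishability itself is a computational claim and cannot be confirmed by running them.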
• Spring '04
• Jarecki
• Cryptography, one-way function, PRG, pseudorandom generator
