ICS 180: Introduction to Cryptography
5/25/2004
Solutions to homework 4

1 "One-bit stretching" PRG $\Rightarrow$ "polynomially stretching" PRG

Assume that $G$ is a PRG which stretches its input by only one bit, i.e. for all inputs $x$, the length $|G(x)|$ of the output of $G$ on $x$ is equal to $|x| + 1$.

1.1 For any polynomial $p(\cdot)$, use the 1-bit stretching PRG $G$ to construct a PRG $G'$ which stretches the (random) $k$-bit input into a (pseudorandom) output of length $p(k)$. Prove that your construction $G'$ is indeed a PRG if $G$ is a PRG.

Hint(s): First try to construct a two-bit stretching $G'$, i.e. do it for $p(k) = k + 2$. (Note that in the subsection below you have some wrong ways of making the 2-bit stretching PRG. I think that all ways where you try to use $G$ just once will fail, and to get $(k+2)$-bit output you need to use $G$ twice.) If you do get it for the 2-bit stretching PRG, chances are that your construction generalizes to any polynomial number of extra bits, and that you can prove this generalized construction using the proof you did for the 2-bit case and induction.

And how can you prove that your construction for $G'$ is secure? You can try to prove this by contradiction, i.e. assume that $G'$ is not a PRG, i.e. that there exists a PPT adversary which distinguishes outputs of $G'$ from random strings, and try to use that adversary to attack the PRG $G$ itself, which is supposed to be secure.

You might also try a direct proof (this could in fact be easier!) to argue why the distribution $\{G'(x)\}_{x \leftarrow \{0,1\}^k}$ is computationally indistinguishable from the distribution $\{r\}_{r \leftarrow \{0,1\}^{k+2}}$. Recall that the fact that $G$ is a good (1-bit stretching) PRG can be phrased as

$$\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx \{r\}_{r \leftarrow \{0,1\}^{k+1}}$$

(where "$\approx$" stands for "computationally indistinguishable").

In coming up with the direct proof, you can use the following two lemmas, which we used recently in lectures:

Lemma 1 If $X, Z$ are two computationally indistinguishable distributions, i.e. $\{s\}_{s \leftarrow X} \approx \{s\}_{s \leftarrow Z}$, and $f(\cdot)$ is a PPT algorithm, then $\{f(s)\}_{s \leftarrow X} \approx \{f(s)\}_{s \leftarrow Z}$. Using a simplified notation: if $\{X\} \approx \{Y\}$ and $f$ is PPT then $\{f(X)\} \approx \{f(Y)\}$.

Lemma 2 (Hybrid Lemma) If $X_1, \ldots, X_n$ are distributions such that $\{X_i\} \approx \{X_{i+1}\}$ for every $i = 1, \ldots, n-1$, and $n$ is polynomial in the security parameter, then $\{X_1\} \approx \{X_n\}$.

Solution: Let's first do a 2-bit stretching $G'$. Namely, let's have

$$G'(x) = G(G(x)).$$

Clearly, $|G'(x)| = |x| + 2$ for all $x$. Now we'll show that $G'$ is a PRG. By assumption on $G$, we have:

$$\{G(x)\}_{x \leftarrow \{0,1\}^k} \approx U_{k+1} \qquad (1)$$
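The following is an added example, not part of the original homework solution. It implements the composition $G'(x) = G(G(x))$ from the solution and the hybrid distributions that the direct proof via Lemmas 1 and 2 uses, and it generalizes both to stretching by $m$ extra bits (apply $G$ $m$ times; hybrid $H_i$ samples a uniform $(k+i)$-bit string and applies $G$ the remaining $m-i$ times, so $H_0 = G'(U_k)$ and $H_m = U_{k+m}$, and adjacent hybrids differ by exactly one application of $G$ to a uniform input versus a pseudorandom one, which is where equation (1) and Lemma 1 enter). The 1-bit stretching function `g_one_bit` is a constructed stand-in built from SHA-256 so the code runs offline; it is an assumption of this example, not a proven PRG, and the names `g_prime`, `stretch`, `hybrid_sample` and `random_bits` are this example's own.

```python
import hashlib
import secrets


def g_one_bit(x: str) -> str:
    """Constructed stand-in for the 1-bit stretching PRG G.

    Takes a bit string x of length k and returns k+1 bits derived from
    SHA-256(x || counter). This only models the length behaviour of G;
    it is an assumption of this example, not a PRG with a security proof.
    """
    if not x or set(x) - {"0", "1"}:
        raise ValueError("input must be a non-empty string of 0/1 characters")
    n = len(x) + 1
    out, ctr = [], 0
    while sum(len(chunk) for chunk in out) < n:
        digest = hashlib.sha256(x.encode() + ctr.to_bytes(4, "big")).digest()
        out.append("".join(f"{b:08b}" for b in digest))
        ctr += 1
    return "".join(out)[:n]


def stretch(g, x: str, out_len: int) -> str:
    """Apply the 1-bit stretcher g repeatedly until the output has out_len bits.

    This is the general construction: stretching by m = out_len - len(x) bits
    costs m applications of g, each fed the previous output.
    """
    if out_len < len(x):
        raise ValueError("cannot shrink the input")
    y = x
    while len(y) < out_len:
        y = g(y)
    return y


def g_prime(x: str) -> str:
    """The 2-bit stretching G' from the solution: G'(x) = G(G(x))."""
    return g_one_bit(g_one_bit(x))


def random_bits(n: int) -> str:
    """Uniform n-bit string (U_n), drawn from the OS CSPRNG."""
    return format(secrets.randbits(n), f"0{n}b") if n > 0 else ""


def hybrid_sample(i: int, k: int, m: int) -> str:
    """One sample from hybrid H_i used in the direct proof for m-bit stretching.

    H_i draws a uniform (k+i)-bit string and applies G the remaining m-i times.
    H_0 is the real output G'(U_k); H_m is the uniform string U_{k+m}.
    H_i and H_{i+1} differ only in whether the innermost remaining G is fed
    G(U_{k+i}) or U_{k+i+1}, which are close by (1) and Lemma 1; Lemma 2 then
    chains the m+1 hybrids together.
    """
    if not 0 <= i <= m:
        raise ValueError("hybrid index must lie in 0..m")
    return stretch(g_one_bit, random_bits(k + i), k + m)


if __name__ == "__main__":
    x = "0110"  # constructed sample seed
    print("G(x)   =", g_one_bit(x))
    print("G'(x)  =", g_prime(x))
    for i in range(3):
        print(f"H_{i} sample (k=4, m=2):", hybrid_sample(i, 4, 2))
```

Running the module prints $G(x)$, $G'(x)$ and one sample from each of the three hybrids $H_0, H_1, H_2$ for $k = 4$; all hybrid samples have length $k + 2$, and `stretch` reproduces `g_prime` exactly when asked for two extra bits, which is the structural fact the proof relies on.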