solutions 5

# solutions 5 - ICS 180 Introduction to Cryptography...

This preview shows pages 1–3. Sign up to view the full content.

ICS 180: Introduction to Cryptography 6/14/2004 Solutions to homework 5 1 Constructing a PRG from a PRF This question is designed so that you see a relation between a PRF and a PRG. You have seen in class that with some work one can build a PRF out of any PRG. But PRF does seem like a more powerful construct, so the other direction, construction of a PRG from a PRF should be easy. But how shall this be done exactly? Let { f s | s ∈{ 0 , 1 } τ } τ =1 , 2 ,... be a PRF family, where for each τ and each s ∈{ 0 , 1 } τ , function f s maps domain { 0 , 1 } τ onto the same range { 0 , 1 } τ . (Using the notation from the lecture and the notes, we’d say that l ( τ ) = L ( τ ) = τ .) Consider the following attempts to construct a PRG from this PRF family. For each of the attempts, either prove that the PRG is secure or prove that it is not, by showing an efficient algorithm that distinguishes its outputs from random strings: 1. G 1 ( x ) = [ f x (0 τ ) | f x (1 τ )] for x ∈{ 0 , 1 } τ 2. G 2 ( x ) = [ f 0 τ ( x ) | f 1 τ ( x )] for x ∈{ 0 , 1 } τ Note that both constructions, on purpose, are done in a way so that the G i ’s are trivially stretching: | G i ( x ) | = 2 | x | for both i = 1 , 2. Hint: First, recall what a (secure) PRG is and what a (secure) PRF is. If you want to prove that a PRG construction is secure , use one of the two security arguments we have had. Namely, either prove that some two required probability distribution are indistinguishable directly by a series of transformations (for example as in the solutions to problem (1.1) in homework 4). Or, prove it by contradiction, i.e. assume that there exists a PPT adversary A that breaks the PRG security property for the construction G 1 or G 2 , and use that adversary to create a PPT attack A that breaks the PRF security property for the function family { f s } . If you want to show that the PRG construction is insecure , you can do so similarly as in the problem (1.2) in homework 4, i.e. by showing that for some PRF family { f s } , the family itself is a secure PRF family, but the G i construction (for i either 1 or 2) fails to produce a pseudorandom number generator. How can you do this? Recall the method we used in problem (1.2) of homework 4 and apply it in this case. Namely, try to create function family { f s } from any PRF family { ¯ f s } s.t. { f s } remains a PRF family, but it makes the G i construction fail as a PRG. Solution: 1.1 The G 1 construction actually does make a secure PRG. G 1 is a good PRG if the following probability distributions are indistinguishable: { G 1 ( s ) } s ←{ 0 , 1 } τ ≈{ r } r ←{ 0 , 1 } 2 τ S5-1

This preview has intentionally blurred sections. Sign up to view the full version.

View Full Document
I claim that this is indeed the case. One way to argue this is the following: Since { f s } is a PRF, for every (efficient) adversary A we have { A f s (1 τ ) } s ←{ 0 , 1 } τ ≈{ A R (1 τ ) } R RNDF CT ( τ,τ ) (1) which reads: “the distribution of outputs of A on input 1 τ and on access to function f s , where s is a random τ -bit seed is indistinguishable from the distribution of outputs of A on input 1 τ and on access to a random function R ”.
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

### What students are saying

• As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

Kiran Temple University Fox School of Business ‘17, Course Hero Intern

• I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

Dana University of Pennsylvania ‘17, Course Hero Intern

• The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

Jill Tulane University ‘16, Course Hero Intern