ICS 180: Introduction to Cryptography
6/14/2004
Solutions to homework 5

1 Constructing a PRG from a PRF

This question is designed so that you see a relation between a PRF and a PRG. You have seen in class that with some work one can build a PRF out of any PRG. But a PRF does seem like a more powerful construct, so the other direction, the construction of a PRG from a PRF, should be easy. But how shall this be done exactly?

Let { f_s  s { , 1 } } =1 , 2 ,... be a PRF family, where for each and each s { , 1 } , function f_s maps domain { , 1 } onto the same range { , 1 } . (Using the notation from the lecture and the notes, we'd say that l ( ) = L ( ) = .)

Consider the following attempts to construct a PRG from this PRF family. For each of the attempts, either prove that the PRG is secure or prove that it is not, by showing an efficient algorithm that distinguishes its outputs from random strings:

1. G_1(x) = [ f_x(0 )  f_x(1 ) ] for x { , 1 }
2. G_2(x) = [ f (x)  f 1 (x) ] for x { , 1 }

Note that both constructions, on purpose, are done in a way so that the G_i's are trivially stretching:  G_i(x)  = 2  x  for both i = 1, 2.

Hint: First, recall what a (secure) PRG is and what a (secure) PRF is. If you want to prove that a PRG construction is secure, use one of the two security arguments we have had. Namely, either prove directly that the two required probability distributions are indistinguishable by a series of transformations (for example as in the solutions to problem (1.1) in homework 4), or prove it by contradiction, i.e. assume that there exists a PPT adversary A that breaks the PRG security property for the construction G_1 or G_2, and use that adversary to create a PPT attack A that breaks the PRF security property for the function family { f_s }.

If you want to show that the PRG construction is insecure, you can do so similarly as in problem (1.2) in homework 4, i.e. by showing that for some PRF family { f_s }, the family itself is a secure PRF family, but the G_i construction (for i either 1 or 2) fails to produce a pseudorandom number generator. How can you do this? Recall the method we used in problem (1.2) of homework 4 and apply it in this case. Namely, try to create function family { f_s } from any PRF family { f_s } s.t. { f_s } remains a PRF family, but it makes the G_i construction fail as a PRG.

Solution:

1.1 The G_1 construction actually does make a secure PRG. G_1 is a good PRG if the following probability distributions are indistinguishable:

{ G_1(s) } s { , 1 }     { r } r { , 1 } 2

I claim that this is indeed the case. One way to argue this is the following: Since { f_s } is a PRF, for every (efficient) adversary A we have

{ A f s (1 ) } s { , 1 }     { A R (1 ) } R RNDFCT ( , )     (1)

which reads: the distribution of outputs of A on input 1 and on access to function f_s, where s is a random...
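The preview stops before the G_2 part. The following is an added example, not part of the course solution, that applies the hint's method to G_2: it derives a modified family from a PRF so that the family stays a PRF while G_2 becomes trivially distinguishable and G_1 does not. HMAC-SHA256 truncated to 16 bytes is assumed as the underlying PRF, and the names `f_prime`, `distinguisher`, `acceptance_rate` and `run` are hypothetical.

```python
import hashlib
import hmac
import os

N = 16                 # string length in bytes; plays the role of the security parameter
ZEROS = b"\x00" * N    # the all-zero string
ONES = b"\xff" * N     # the all-one string

def f(s: bytes, x: bytes) -> bytes:
    """Stand-in PRF f_s(x): HMAC-SHA256 truncated to N bytes (assumption)."""
    return hmac.new(s, x, hashlib.sha256).digest()[:N]

def f_prime(s: bytes, x: bytes) -> bytes:
    """Hypothetical modified family: equal to f_s except under the all-zero key.

    A uniformly random key equals that key with probability 2^-(8N), so an
    adversary with oracle access under a random key cannot tell f_prime from f.
    """
    return ZEROS if s == ZEROS else f(s, x)

def G1(prf, x: bytes) -> bytes:
    """G_1: the seed x is the PRF key, evaluated at the all-zero and all-one inputs."""
    return prf(x, ZEROS) + prf(x, ONES)

def G2(prf, x: bytes) -> bytes:
    """G_2: the seed x is the PRF input, under the fixed all-zero and all-one keys."""
    return prf(ZEROS, x) + prf(ONES, x)

def distinguisher(y: bytes) -> int:
    """Output 1 iff the first half of y is the all-zero string."""
    return int(y[:N] == ZEROS)

def acceptance_rate(sample, trials: int = 2000) -> float:
    """Fraction of samples on which the distinguisher outputs 1."""
    return sum(distinguisher(sample()) for _ in range(trials)) / trials

def run() -> dict:
    """Acceptance rates on G_2 outputs, G_1 outputs and truly random strings."""
    return {
        "G2": acceptance_rate(lambda: G2(f_prime, os.urandom(N))),
        "G1": acceptance_rate(lambda: G1(f_prime, os.urandom(N))),
        "random": acceptance_rate(lambda: os.urandom(2 * N)),
    }

if __name__ == "__main__":
    print(run())
```

The distinguisher accepts every G_2 output and essentially no random string, because PRF security only constrains the function under a randomly chosen key, while G_2 fixes its keys. G_1 is unaffected since its seed is the key and is chosen at random.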
This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.