ICS 180: Introduction to Cryptography
6/14/2004
Solutions to homework 5
1
Constructing a PRG from a PRF
This question is designed so that you see a relation between a PRF and a PRG. You have
seen in class that with some work one can build a PRF out of any PRG. But PRF does
seem like a more powerful construct, so the other direction, construction of a PRG from a
PRF should be easy. But how shall this be done exactly?
Let
{
f
s

s
∈{
0
,
1
}
τ
}
τ
=1
,
2
,...
be a PRF family, where for each
τ
and each
s
∈{
0
,
1
}
τ
,
function
f
s
maps domain
{
0
,
1
}
τ
onto the same range
{
0
,
1
}
τ
. (Using the notation from the
lecture and the notes, we’d say that
l
(
τ
) =
L
(
τ
) =
τ
.)
Consider the following attempts to construct a PRG from this PRF family. For each of
the attempts, either prove that the PRG is secure or prove that it is not, by showing an
efficient algorithm that distinguishes its outputs from random strings:
1.
G
1
(
x
) = [
f
x
(0
τ
)

f
x
(1
τ
)]
for
x
∈{
0
,
1
}
τ
2.
G
2
(
x
) = [
f
0
τ
(
x
)

f
1
τ
(
x
)]
for
x
∈{
0
,
1
}
τ
Note that both constructions, on purpose, are done in a way so that the
G
i
’s are trivially
stretching:

G
i
(
x
)

= 2

x

for both
i
= 1
,
2.
Hint:
First, recall what a (secure) PRG is and what a (secure) PRF is.
If you want to
prove that a PRG construction is
secure
, use one of the two security arguments we have had.
Namely, either prove that some two required probability distribution are indistinguishable
directly by a series of transformations (for example as in the solutions to problem (1.1) in
homework 4). Or, prove it by contradiction, i.e. assume that there exists a PPT adversary A
that breaks the PRG security property for the construction
G
1
or
G
2
, and use that adversary
to create a PPT attack
A
′
that breaks the PRF security property for the function family
{
f
s
}
.
If you want to show that the PRG construction is
insecure
, you can do so similarly as in
the problem (1.2) in homework 4, i.e. by showing that for
some
PRF family
{
f
s
}
, the family
itself is a secure PRF family, but the
G
i
construction (for
i
either 1 or 2) fails to produce
a pseudorandom number generator.
How can you do this?
Recall the method we used
in problem (1.2) of homework 4 and apply it in this case. Namely, try to
create
function
family
{
f
s
}
from any PRF family
{
¯
f
s
}
s.t.
{
f
s
}
remains a PRF family, but it makes the
G
i
construction fail as a PRG.
Solution:
1.1
The
G
1
construction actually does make a secure PRG.
G
1
is a good PRG if the following
probability distributions are indistinguishable:
{
G
1
(
s
)
}
s
←{
0
,
1
}
τ
≈{
r
}
r
←{
0
,
1
}
2
τ
S51
This preview has intentionally blurred sections. Sign up to view the full version.
View Full Document
I claim that this is indeed the case. One way to argue this is the following: Since
{
f
s
}
is a
PRF, for every (efficient) adversary
A
we have
{
A
f
s
(1
τ
)
}
s
←{
0
,
1
}
τ
≈{
A
R
(1
τ
)
}
R
←
RNDF CT
(
τ,τ
)
(1)
which reads: “the distribution of outputs of
A
on input 1
τ
and on access to function
f
s
,
where
s
is a random
τ
bit seed is indistinguishable from the distribution of outputs of
A
on
input 1
τ
and on access to a random function
R
”.
This is the end of the preview.
Sign up
to
access the rest of the document.
 Spring '04
 Jarecki
 Pseudorandom number generator, Pseudorandomness, PRF construction

Click to edit the document details