CIS 5371 Cryptography Home Assignment 3

Due: At the beginning of the class on February 25, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to
Modern Cryptography.
1. Let $G$ be a pseudorandom generator where $|G(s)| > 2|s|$. Take $s = s_1 \cdots s_n$, and for
simplicity, $n$ even.
(a) Define $G'(s) \stackrel{\text{def}}{=} G(s0^{|s|})$. Is $G'$ necessarily a pseudorandom generator?
[Hint: Note that $|G'(s)| > 4|s|$, and by repeating the process: $|G''(s)| > 8|s|$ for inputs of type $s0^{|s|}0^{2|s|}$, and so on, giving eventually $|G^{(n)}(s)| > 2^{n+1}|s|$. So unbounded
output lengths in terms of $|s|$—too good to be true!
Next note that although $G(s0^{|s|})$ is pseudorandom for random inputs in $\{0,1\}^{2|s|}$,
the probability of an input of type $s0^{|s|}$ (when all bits are randomly selected) is only
. . . . . . . . . . . . , so inputs of this type cannot be truly random (for truly random the
probability is . . . . . . . . . . . . ). Therefore the output of $G$ is not necessarily pseudorandom.]
(b) Define $G'(s) \stackrel{\text{def}}{=} G(s_1 \cdots s_{n/2})$. Is $G'$ necessarily a pseudorandom generator?
[Hint: Let $|G(s)| = \ell(n)$ and
$$\varepsilon(n) \stackrel{\text{def}}{=} \left| \Pr_{r \leftarrow \{0,1\}^{\ell(n)}}[D(r) = 1] - \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s \cdot 0^{n/2})) = 1] \right|,$$
for a probabilistic polynomial-time distinguisher $D$. You will need to make two substitutions:
$$\Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G'(s)) = 1] = \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s \cdot 0^{n/2})) = 1], \quad \text{and} \quad \varepsilon'(n) \stackrel{\text{def}}{=} \varepsilon(2n)$$
to get the result.]
2. Let $G$ be a pseudorandom generator. Define $G'(s)$ to be the output of $G$ truncated to $n$
bits, where $n = |s|$. Prove that the function $F_k(x) = G'(k) \oplus x$ is not pseudorandom.
[Hint: Consider a distinguisher $D$ that is given oracle access either to a function $f$ that is
truly random, or $F_k$ as defined above for a uniform choice of $k$. $D$ queries the oracle with
(any) two distinct inputs $x$ and $x'$ of length $n$, and gets the responses $y$ and $y'$. $D$ then
outputs 1 if and only if $x \oplus x' = y \oplus y'$. Find the probability of success of $D$ for the two
cases: (i) when $D$ is given oracle access to $F_k$, (ii) when $D$ is given access to a random
function $f$.]
3. Present a construction of a variable output-length pseudorandom generator from any pseudorandom function. Prove that your construction satisfies Definition 3.17.
[Hint: Let $F$ be a pseudorandom function mapping $n$-bit inputs to $n$-bit outputs. Define
$F_k[\ell]$ to be the series $F_k(0), F_k(1), \ldots$ truncated to exactly $\ell$ bits (there are $2^n$ possible
inputs to $F$ and thus $F_k[\ell]$ is well-defined for any $\ell \le n \cdot 2^n$). Define $G(s, 1^\ell) = F_s[\ell]$. Show
that $G$ fulfills the requirements of Definition 3.17.]
Mike Burmester
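The construction from the hint to Exercise 3, written out as an added example that is not part of the original assignment: the seed keys the function, the inputs 0, 1, 2, ... are evaluated in order, and the concatenated outputs are cut to exactly the requested number of bits. HMAC-SHA256 stands in for the pseudorandom function F with n = 256, which is an assumption of this example, and the names `prf`, `vol_prg`, `N_BITS` and `SEED` are hypothetical.

```python
import hashlib
import hmac

N_BITS = 256  # block length n of the stand-in PRF (assumption of this example)
SEED = bytes(range(32))  # constructed sample seed, not a secret


def prf(k: bytes, i: int) -> bytes:
    """Stand-in for F_k(i): HMAC-SHA256 under key k on the n-bit encoding of i."""
    return hmac.new(k, i.to_bytes(N_BITS // 8, "big"), hashlib.sha256).digest()


def vol_prg(s: bytes, ell: int) -> str:
    """Return F_s(0), F_s(1), ... truncated to exactly ell bits, as a '0'/'1' string."""
    if len(s) * 8 != N_BITS:
        raise ValueError("seed must be exactly n bits long")
    if ell < 1:
        raise ValueError("ell must be a positive number of bits")
    if ell > N_BITS * 2 ** N_BITS:
        # Only 2^n distinct inputs exist, so longer outputs are undefined.
        raise ValueError("ell exceeds n * 2^n")
    blocks = -(-ell // N_BITS)  # ceil(ell / n) evaluations of F_s
    bits = "".join(
        format(int.from_bytes(prf(s, i), "big"), f"0{N_BITS}b")
        for i in range(blocks)
    )
    return bits[:ell]  # drop the unused tail of the last block


def is_prefix_consistent(s: bytes, short: int, long: int) -> bool:
    """Check that the short output is a prefix of the long output for one seed."""
    return vol_prg(s, long).startswith(vol_prg(s, short))


if __name__ == "__main__":
    out = vol_prg(SEED, 300)  # 300 bits needs two PRF calls, second one truncated
    print(len(out), out[:32] + "...")
    print("prefix-consistent:", is_prefix_consistent(SEED, 300, 1000))
```

The code only exercises the length and prefix behaviour of the construction; the pseudorandomness argument the exercise asks for is a reduction to the security of F and is not something a test run can establish.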