Professional Documents
Culture Documents
A
S
Sample solution to assignment 3
SA
IS
R
A VIE NS Cornelius Brand, Marc Roth
Exercise 3.1 (Be nice to your tutors and TAs, 1 Bonus Point) Write the name
and matriculation number of every author as well as number, time slot and the name of
the tutor of your tutorial group on the first page of your solution. Furthermore write in
english and staple all sheets of your solution.
G0 : s 7→ G(s1 . . . sb n2 c ) , where s = s1 . . . sn
(b) Decide for each i whether Gi is always a PRG and prove your answer:
(i) G1 (s) := G(0|s| ||s)
(ii) G2 (s) := G(s1 . . . s|s|−1 )||s|s|
(iii) G3 (s) := G(s)||0
(iv) G4 (s) := G(s||0)
(v) G5 (s) := G(s)||G(s + 1), where + denotes the addition on binary numbers.
Hint: To prove that Gi is a PRG one usually gives a proof by reduction. To prove
that Gi is not secure you can give a counter example, i.e. a PRG G and a ppt
algorithm D such that D can distinguish Gi (s) from a random sting with non-
negligible probability (of course you have to prove this). You could try to construct
a counter example by using a construction you already proved to result in a PRG.
(a) We first show that f 0 is negligible. Let therefore c be a natural number. We have to
show that there is an N 0 such that for all n > N 0 it holds that f 0 (n) < n−c . As f
is negligible and p0 (n) = 2c · (n + 1)c is a polynomial we conclude that there is an
N such that for all n > N it holds that f (n) < p0 (n)−1 . Now let N 0 := 2N + 1. We
have for all n > N 0 :
j n k j n k−1 j n k c −1 n c −1
f 0 (n) = f < p0 = 2c · +1 ≤ 2c · = n−c
2 2 2 2
Next we proof that G0 is a PRG. Let `0 be the expansion factor of G0 . It holds that
`0 (n) = `(b n2 c) > 2(b n2 c) + 1 ≥ n. Now let D an arbitrary ppt distinguisher. As G is
a PRG it holds that
1
Prs←{0,1}n [D(G0 (s)) = 1] − Prr←{0,1}`0 (n) [D(r) = 1]
= Prs←{0,1}b n2 c [D(G(s)) = 1] − Prr←{0,1}`0 (n) [D(r) = 1]
= Prs←{0,1}b n2 c [D(G(s)) = 1] − Prr←{0,1}`(b n2 c) [D(r) = 1]
j n k
≤ negl
2
where negl is a negligible function. As negl0 (n) := negl n2 is also negligible the
proof is finished.
(b) Only G2 is a PRG. In some of the refutation proofs we will use G0 instead of G.
To ensure that the expansion factor of G0 is large enough we can just assume the
expansion factor of G to be strictly larger than 4n + 1.
(i) G1 is not necessarily a PRG because otherwise G0 (0|s| ||s) = G(0|s| ) would also
be a PRG which is clearly not the case: As D knows G and its expansion factor
` it can on input r just check whether r = G(0n ) for n with `(n) = |r|. Then
D wins with probability 1 − 2−|r| which is not negligible.
(ii) G2 is always a PRG. We give a proof by reduction: Assuming G2 is not a PRG,
there is a distinguisher D2 for G2 which wins with non-negligible probability.
We construct a distinguisher D for G from D2 . On input r, D will just simulate
D2 on r||b for a randomly choosen bit b. If r was a random string, then r||b is
also and if r = G(s) for a random s then r||b = G(s)||b = G2 (s||b). Formaly it
holds that
Pr [D(G(s)) = 1] − Pr [D(r) = 1]
n
s←{0,1} r←{0,1}`(n)
= Prs||b←{0,1}n+1 [D2 (G(s)||b) = 1] − Prr||b←{0,1}`(n)+1 [D2 (r||b) = 1]
= Prs||b←{0,1}n+1 [D2 (G2 (s||b)) = 1] − Prr←{0,1}`(n)+1 [D2 (r) = 1]
= Prs←{0,1}n+1 [D2 (G2 (s)) = 1] − Prr←{0,1}`2 (n+1) [D2 (r) = 1]
≥ (n + 1)−c
(iii) G3 is not a PRG as a distinguisher would just have to check whether the last
bit is 0 and win with probability 21 which is not negligible.
(iv) G4 is not always a PRG because otherwise G2 (s||0) would be a PRG (as G2 is
PRG). But G2 (s||0) = G3 (s) which is not a PRG.
(v) G5 is not always a PRG. Assuming it is G2 (s)||G2 (s + 1) would also be a PRG.
But for every s whose last bit equals zero we have that G2 (s)||G2 (s + 1) =
G(s1 . . . s|s−1| )||0||G(s1 . . . s|s−1| )||1 ,that is, on input r ∈ {0, 1}2n a distinguis-
her just has to check whether r1 . . . rn−1 = rn+1 . . . r2n−1 and therefore the
winning probability is at least 12 (1 − 2−(n−1) ) which is not negligible.
2
Exercise 3.3 (Pseudorandom Functions, 4 Points) Consider the following keyed
function F : For the security parameter n, the key is a matrix A ∈ Mat(n × n, F2 ) and a
vector b ∈ Fn2 , where F2 denotes the field with 2 elements, i.e. F2 = ({0, 1}, ⊕, ·) and Fn2
denotes the corresponding vector space of dimension n. Now we define FA,b : Fn2 → Fn2
by
FA,b (x) = Ax + b
Decide whether F is a pseudorandom function and prove your answer.
1
≥
nc
for a constant c as D has can distinguish with non-negligible probability by assumtion.
Therefore DF can also distinguish with non-negligible probability which concludes the
reduction.