Introduction to Cryptography Instructor: Chris Peikert

University of Michigan, Fall 2016 Homework 3 Student: SOLUTIONS

This homework is due by 10pm on September 27 via the course Canvas page. Start early!
Instructions. Solutions must be typed, preferably in LATEX (a template for this homework is available on the
course web page). Your work will be graded on correctness, clarity, and concision. You should only submit
work that you believe to be correct; if you cannot solve a problem completely, you will get significantly more
partial credit if you clearly identify the gap(s) in your solution. It is good practice to start any long solution
with an informal (but accurate) “proof summary” that describes the main idea.
You may collaborate with others on this problem set and consult external sources, subject to the course
policies. However, you must write your own solutions and list your collaborators/sources for each problem.

1. (Advantage.) In class we considered two definitions for an algorithm D’s advantage in distinguishing
between distributions X0 , X1 . The first is

Pr [D(x) accepts] − Pr [D(x) accepts],

x←X0 x←X1

while the second is  

1
2 Pr [D(x) outputs b] − .
b←{0,1},x←Xb 2
Prove that the above two quantities are equal, for the same D. (For this problem, “accepts” and “outputs 0”
mean the same thing, as do “rejects” and “outputs 1.”)

Solution: By separately considering the cases b = 0 and b = 1, we have

 
1
2 Pr [D(x) outputs b] −
b←{0,1},x←Xb 2
 
1 1 1
=2 Pr [D(x) outputs 0] + Pr [D(x) outputs 1] −
2 x←X0 2 x←X1 2
= Pr [D(x) accepts] + (1 − Pr [D(x) accepts]) − 1
x←X0 x←X1
= Pr [D(x) accepts] − Pr [D(x) accepts].
x←X0 x←X1

2. (Pseudorandom generators.) Define G(s1 ks2 ) := G1 (s1 )kG2 (s2 ), where |s1 | = |s2 |, G1 and G2 are
PRGs, and k denotes concatenation. (For this problem, G is only run on even-length inputs.)
Show either that G is necessarily a PRG (for any valid G1 , G2 ), or not. If not, give concrete counterexam-
ples for G1 , G2 , and describe and analyze an efficient distinguisher D having non-negligible advantage.
If so, give a proof using one or more reductions.

Solution: We prove that G is a PRG. The idea is that because the seeds s1 , s2 are uniformly random
and independent, we can successively replace G1 (s1 ) and G2 (s2 ) with uniformly random and
independent strings (their “ideal” counterparts). Because the concatenation of two such strings is a
uniformly random string, G(s) is indistinguishable from uniform.
Introduction to Cryptography Instructor: Chris Peikert
University of Michigan, Fall 2016 Homework 3 Student: SOLUTIONS

Formally, let `1 (n), `2 (n) respectively be the stretch functions of G1 , G2 . We define the following
“hybrid” probability distributions, or “experiments” (for convenience we suppress the security
parameter 1n in all that follows):

• H0 (“real”): G(s) = G1 (s1 )kG2 (s2 ) for uniformly random, independent s1 , s2 ∈ {0, 1}n .

• H1 (“hybrid”): z1 kG2 (s2 ) for uniformly random, independent z1 ∈ {0, 1}`1 (n) , s2 ∈ {0, 1}n .
(We have just replaced G1 (s1 ) in H0 by its “ideal” counterpart, a uniformly random z1 .)

• H2 (“ideal”): z = z1 kz2 for uniformly random, independent z1 ∈ {0, 1}`1 (n) , z2 ∈ {0, 1}`2 (n) .
(We have just replaced G2 (s2 ) in H1 by its “ideal” counterpart, a uniformly random z2 .)

Let D be any efficient distinguisher that attacks G. By definition and cancellation, we have

AdvG (D) = AdvH0 ,H2 (D) = AdvH0 ,H1 (D) + AdvH1 ,H2 (D).

We now show that each term on the right is negligible, via corresponding reductions.
For H0 versus H1 , we construct an efficient reduction (algorithm) D1 that attacks G1 : given input
y1 ← {0, 1}`1 (n) (which is either G1 (s1 ) for a uniform s1 , or uniform), the reduction D1 chooses
uniformly random s2 ← {0, 1}n , calls D(y1 kG2 (s2 )), and outputs the same accept/reject decision.
(Clearly, D1 is efficient because G2 and D are efficient.) There are two cases to consider for y1 :

1. If y1 = G1 (s1 ) for uniform s1 ∈ {0, 1}n , then y1 kG2 (s2 ) = G1 (s1 )kG2 (s2 ) for uniform and
independent s1 , s2 , so D1 perfectly simulates H0 to D.

2. If y1 is uniform, then because D1 calls D on y1 kG2 (s2 ) for uniform and independent y1 , s2 , it
perfectly simulates H1 to D.

Therefore,

AdvG1 (D1 )
= Pr[D1 (G1 (s1 )) accepts] − Pr[D1 (z1 ) accepts]
s1 z1
= Pr [D(G1 (s1 )kG2 (s2 )) accepts] − Pr [D(z1 kG2 (s2 )) accepts]
s1 ,s2 z1 ,s2

= AdvH0 ,H1 (D).

By the hypothesis that G1 is a PRG, and because D1 is efficient, the leftmost term is negligible,
hence so is AdvH0 ,H1 (D).
For H1 versus H2 , we similarly construct an efficient reduction D2 that attacks G2 : given input
y2 ∈ {0, 1}`2 (n) , the reduction D2 chooses uniformly random z1 ← {0, 1}`1 (n) , calls D(z1 ky2 ), and
outputs the same accept/reject decision. There are two cases to consider for y2 :

1. If y2 = G2 (s2 ) for uniform s2 ∈ {0, 1}n , then z1 ky2 = z1 kG2 (s2 ) for uniform and indepen-
dent z1 , s2 , so D2 perfectly simulates H1 to D.

2. If z2 is uniform, then D2 perfectly simulates H2 to D.

Introduction to Cryptography Instructor: Chris Peikert
University of Michigan, Fall 2016 Homework 3 Student: SOLUTIONS

Therefore,
AdvG2 (D2 ) = AdvH1 ,H2 (D),
which is negligible by the hypothesis that G2 is a PRG. This completes the proof.

3. (Stream ciphers.) Freddy P. Soft is very excited about a new stream cipher he has designed. One of
its coolest features, he says, is that with every output bit it produces, its state becomes shorter. More
formally, for (y, st0 ) = NextBit(st) with nonempty st, we always have |st0 | < |st|.
Give a convincing argument (or a formal proof) that, no matter how its polynomial-time Init and NextBit
algorithms work, Freddy’s stream cipher cannot possibly be secure (pseudorandom) according to our
definition.

Solution: The main ideas are as follows: recall that to break Freddy’s stream cipher, one just needs
to distinguish a uniformly random string from a string obtained by iterating NextBit some polynomial
number of times, starting from the initial state st0 = Init(s) for seed s ← {0, 1}n . Because Init runs
in polynomial time, the initial state st0 must have polynomial length. So by iterating NextBit a large
enough (but polynomial) number of times, at some point the state will eventually become the empty
string ε. Observe that because NextBit is public and deterministic, its output on the empty state and
all subsequent iterations is completely known to the attacker; in particular, n iterations produce some
known string z ∈ {0, 1}n . So to distinguish the stream cipher’s output from uniformly random, the
attacker just needs to obtain a long enough output string, and check whether z appears as a substring.
This will always be the case for the stream cipher’s output, but will rarely happen for a uniformly
random string.
We now proceed more formally. Because Init is a polynomial-time algorithm, the length of the initial
state st0 = Init(s) is at most nc bits long for some constant c. (We may not know exactly how long
it is, because the length may vary with the value of s.) We define the following distinguisher D,
which takes an input string y of length nc + n = poly(n):

• Iterate NextBit n times starting from the empty state to obtain a string z ∈ {0, 1}n .

• If z is a substring of y, then accept, else reject.

(This can be tested by checking if yi yi+1 · · · yi+n−1 = z for each i = 1, 2, . . . , nc + 1.)

Clearly, D runs in polynomial time. By the reasoning given above, D always accepts when given
an input y generated by Freddy’s stream cipher. However, for a uniform input string y, we have
Pry [D(y) accepts] ≤ (nc + 1)/2n = negl(n), because

Pr[yi yi+1 · · · yi+n−1 = z] = 2−n

y

and by a union bound over all i. Therefore, the advantage of D is 1 − negl(n); it is an almost perfect
distinguisher.

4. (Bogus reductions.) Extra credit! Buck I. Bob claims that G(s) = s1 kG0 (s), where s1 is the first bit
Introduction to Cryptography Instructor: Chris Peikert
University of Michigan, Fall 2016 Homework 3 Student: SOLUTIONS

of s and G0 is a PRG with stretch `0 (n), is itself a PRG with stretch `(n) = `0 (n) + 1.
He says that the following reduction proves it: letting D be an arbitrary efficient distinguisher against G,
define a distinguisher D0 against G0 as follows:
0
• D0 (1n , z ∈ {0, 1}` (n) ): choose a uniformly random bit b ← {0, 1}, run D(1n , bkz), and output
D’s same accept/reject answer.

Buck observes that when z is uniformly random, so is bkz. And when z = G0 (s) for a uniformly random
seed s, there is a 1/2 probability that b = s1 , in which case bkz = G(s). Therefore, AdvG0 (D0 ) =
1 0
2 AdvG (D), and since AdvG (D ) is negligible by hypothesis, so is AdvG (D).
0

(a) Identify the flaw in Buck’s argument.

Solution: The flaw is in concluding that AdvG0 (D0 ) = 12 AdvG (D) just because b = s1 with
probability 1/2. It’s true that the two “ideal” experiments coincide:

Pr 0 (n)
[D0 (1n , z 0 ) accepts] = Pr [D(1n , z) accepts]. (0.1)
z 0 ←{0,1}` z←{0,1}`(n)

However, for the “real” experiments, because b = s1 and b = s1 (the complement of s1 ) each
with 1/2 probability, we have

Pr [D0 (1n , G0 (s)) accepts]

s←{0,1}n
1 1
= Pr n [D(1n , s1 kG0 (s)) accepts] + Pr [D(1n , s1 kG0 (s)) accepts]. (0.2)
2 s←{0,1} 2 s←{0,1}n

Notice that while the first term on the right-hand side is half of D’s acceptance probability
on G(s) = s1 kG0 (s), we don’t know anything about the second term! (In particular, D
could behave in a completely different way on s1 kG0 (s).) Therefore, we cannot conclude that
AdvG0 (D0 ), which is the difference between Equations (0.2) and (0.1), is 12 AdvG (D).

(b) Demonstrate a PRG G0 for which G is definitely not a PRG, and describe and analyze a distinguisher
which proves this. (You can define G0 in terms of another PRG.)

Solution: The idea is that the PRG G0 might simply reveal the first bit of its seed, without
compromising pseudorandomness. If G is built from such a G0 , it is clearly not a PRG.
More formally, let G0 have the form G0 (s0 ) = s01 kH(s0rest ), where s0 = s01 ks0rest for s01 ∈ {0, 1},
and H is a PRG. It’s easy to show that G0 is a PRG (assuming H is one), via a trivial reduction
that just prepends a uniformly random bit to its input.
Now observe that for the above G0 , we have G(s) = s1 kG0 (s) = s1 ks1 kH(srest ) where
s = s1 ksrest . This is easily distinguishable from truly uniform: the distinguisher D just checks
whether the first two bits of its input are equal. It’s easy to verify that D has advantage 1/2
against G, so G is definitely not a PRG.