CS151: Intro to Cryptography and Computer Security
Mar 3, 2016
Homework 6
Instructor: Anna Lysyanskaya
Due: Mar 10, 2016
Problem 1: Pseudo-Random Generators and One-Way Functions
a. We want to show that if f is a one-way function and G is a pseudorandom generator, then
h(x) = f (G(x)) is a one-way function. The contrapositive of this statement is that if h is not a
one-way function, either f is not one-way or G is not pseudorandom.
So, let’s start by assuming that there exists some algorithm A which takes h(x) and outputs some
x0 such that h(x0 ) = h(x). We assume that A does this with non-negligible probability .
If we assume such an A, we need to show that we can build a B that either breaks the one-wayness
of f or breaks the pseudorandomness of G. If B is breaking f , when given f (x) it will return
x0 such that f (x0 ) = f (x) with non-negligible probability. If B is breaking G, it will distinguish
with non-negligible probability between the following two distributions:
n
o
k
D0 = s ← {0, 1} : G(s) and
n
o
2k
D1 = x ← {0, 1} : x .
(a) First, we assume that A succeeds with non-negligible probability when given f (x) for x ←
2k
2k
{0, 1} . Our algorithm B picks some y ← {0, 1} and computes f (y). It then provides f (y)
as input to A. With non-negligible probability, A will return a y 0 such that h(y 0 ) = h(y);
thus, B outputs G(y 0 ) and is correct with the same non-negligible probability.
2k
(b) Now, let’s assume A succeeds with negligible probability when run on f (x) for x ← {0, 1} .
Since we are assuming overall that A succeeds with non-negligible probability on input
f (G(x)), this in particular tells us that A won’t/can’t act on inputs of the form f (y), where
it is somehow clear that y cannot be of the form G(x) for any x. Then A is implicitly
distinguishing with non-negligible probability between the sets
n
o
k
DP R = x ← {0, 1} : f (G(x)) and
n
o
2k
DR = y ← {0, 1} : f (y) .
We now show how to construct a B which distinguishes between D0 and D1 . Given some
element x ∈ D0 ∪ D1 , B computes f (x) and provides it as input to A. With non-negligible
probability by assumption, A will output an x0 such that f (x0 ) = f (x); if it outputs such an
x0 , B outputs 0, and otherwise B outputs 0 or 1 randomly and with equal probability.
k
Case 1 If x was from D0 , it was equal to G(y) for some y ∈ {0, 1} . Thus f (x) will look
like f (G(x)), which in turn looks like an element of DP R . A will output an x0 such
that f (x0 ) = f (x) with non-negligible probability in this case, and will therefore have
probability .5 + of being correct.
2k
Case 2 If x was from D1 , then the input that A sees looks like f (x) for random x ← {0, 1} ,
which is what elements of DR look like. By assumption, A does not correctly output an
x0 except negligibly often, and thus A has probability .5 + ν(k) of being correct.
HW 6-1
Thus B is correct with probability 21 + 12 , and therefore distinguishes between D0 and D1 .
Thus, G cannot be a pseudorandom generator.
(c) To show that h is one-way, we decided to prove the predicate
h is not a OWF =⇒ G is not a PRG ∨ f is not a OWF.
We showed that, under the assumption that h is not a OWF,
G is a PRG =⇒ f is not a OWF
f is a OWF =⇒ G is not a PRG.
Thus, our claim was true. Since by assumption G is a PRG and f is a OWF, h must be one
way.
b. A permutation must have equal domain and codomain. Since h is defined as a function from
{0, 1}k 7→ {0, 1}2k it cannot be a OWP.
Problem 2: PRG and Symmetric-Key Authentication
a. Proof. First we note that, for a fixed m, c ∈ Z∗p , there are p − 1 possible pairs a, b ∈ Z∗p such that
am + b = c. Eve has no information about a and b other than that am + b = c, so she cannot do
better than picking a random one of these pairs a0 , b0 . If Eve now picks m0 6= m and computes
c0 = a0 m0 + b0 then, for her to be correct, the following four equations must hold:
am + b = c
am0 + b = c0
a0 m + b0 = c
a0 m0 + b0 = c0
By subtracting first two equations, we get a(m − m0 ) = c − c0 . Since m =
6 m0 , we know that
c−c0
0
m − m 6= 0, so we can divide through to get a = m−m0 . Similarly by the last two, we get
a0 (m − m0 ) = c − c0 , so
c − c0
a0 =
= a.
m − m0
Substituting this in, we see that am + b = c and am + b0 = c, so we must have that b = b0 .
Therefore, we know that a = a0 and b = b0 , so the only way for Eve to compute a c0 such that
am0 + b = c0 is for Eve to have correctly picked a and b, which she can only do with probability
1/(p − 1). Therefore, we see that, even if A is a computationally unbounded adversary,
"
#
a ← Z∗p ; b ← Z∗p ; c ≡ am + b (mod p);(m0 , c0 ) ← A(p, m, c)
1
Pr
=
0
0
0
p
−
1
:m 6= m ∧ am + b = c
1
∈O
p
b. For this problem we will assume that `(k) = 2kn for some 2 ≤ n ∈ Z. If not, we can redefine `(k) =
kb `(k)
2k c to have that property (which still works assuming `(k) is a large enough polynomial).
HW 6-2
First Alice and Bob must agree on some prime p of at least k + 1 bits (so any k-bit string other
than 0k can be interpreted as an element of Z∗p ). They can agree on p publicly, since it doesn’t
matter if Eve knows.
Now, given a secret seed s ← {0, 1}k , Alice first computes G(s) = R. She then cuts R into n
strings each with 2k bits, say R1 , R2 , . . . , Rn such that R1 ◦ R2 ◦ · · · ◦ Rn = R. Then for each
Ri , she lets ai , bi such that ai (◦)bi = Ri (so ai is the first k bits of Ri , and bi is the last k bits of
Ri ). Then, to send a message mi , Alice computes ci = ai mi + bi mod p and sends Bob (i, mi , ci ).
Since Bob has the same secret s, he can compute the same ai , bi knowing only i, so, if he receives
(i, m̂, ĉ), he can correctly verify that m̂ = mi and ĉ = ci as in part (a). Also as in part (a), if Eve
tries to substitute (i, m0 , c0 ) with m0 6= mi , she will pass Bob’s verification with probably only
O(1/p).
Finally, we note that this algorithm allows Alice to send
to Bob by sharing a single secret seed of length k.
`(k)
2k
∈ Θ(`(k)/k) authenticated messages
Note: This algorithm fails if any of the ai s or bi s is 0, but this will happen with probability
1 − (1 − 1/2k )2n ≈ 1/22kn for large enough k and small enough n. This probability is negligible,
so we ignore in above.
c. Use the above construction, but instead of having R1 , . . . , Rn each have length 2k, make R1 , . . . , Rn
each have length 3k, and split them such that Ri = ai ◦ bi ◦ xi with
|ai | = |bi | = |xi | = k.
Then, instead of sending (i, mi , ci ), Alice sends (i, mi ⊕ xi , ci ). Since Bob can compute the same
ai , bi , and xi knowing only i, he can easily compute mi by computing (mi ⊕ xi ) ⊕ xi , and he can
then authenticate mi by computing ai mi + bi .
Since G is a PRG, xi is indistinguishable from a truly random k-bit string (by a computationally
bounded adversary), so this acts exactly as a one-time pad on mi . Therefore, Eve gains no
information about the contents of mi . Moreover, the MAC works the same way it did when mi
was sent in the clear, so Bob can still verify that the Alice sent the message and Eve did not
tamper with it. Therefore, this system allows Alice to send `(k)
3k ∈ Θ(`(k)/k) messages to Bob all
of which are both private and authenticated.
Problem 3: Pseudo-Random Generators and the Hybrid Argument
We want to argue that, if Bpk is a hardcore bit for fpk , then Hi (1k ) is indistinguishable from
Hi+1 (1k ). To prove this we will show the contrapositive; that is, if there exists an adversary A
distinguishing between Hi (1k ) and Hi+1 (1k ) with non-negligible probability, we can construct an
adversary B to distinguish between the distributions D0 and D1 defined by
D0 = {pk ← KeyGen(1k ); x ← Domain(fpk ) : (pk, f (x), Bpk (x)}
and
D1 = {pk ← KeyGen(1k ); x ← Domain(fpk ); b ← {0, 1} : (pk, x, b)}.
We know that A will take as input (R1 , . . . , Ri , ri+1 , . . . , rn , pk, f (n−i) (x)) and output either 0
or 1, where a 0 means that it thinks it came from the distribution Hi (1k ) and therefore has
the form (R1 , . . . , Ri , Bpk (x), . . . , Bpk (f (n−i−1) (x)), pk, f (n−i) (x)) and a 1 means it has the form
(R1 , . . . , Ri+1 , Bpk (x), . . . , Bpk (f (n−i−2) (x)), pk, f (n−i−1) (x)) and so came from Hi+1 (1k ). Let’s denote by pi,0 the probability that A outputs 0 when given a random element from Hi (1k ) and pi+1,0
HW 6-3
as the probability that A outputs 0 when given a random element from Hi+1 (1k ). Then, if we are
assuming A succeeds with non-negligible probability, we are assuming that |pi,0 − pi+1,0 | = (k) for
some non-negligible function . Assume without loss of generality that A is more likely to output a
0 when given an element from Hi (1k ) than when given an element from Hi+1 (1k ) (so assume that
pi,0 > pi+1,0 ).
Now, we want to show that we can build an algorithm B that takes as input (pk, y, z) and outputs 0
if it thinks it is from distribution D0 , and 1 if it is from D1 . We need B to do this with non-negligible
probability 0 , so that
|Pr[e ← D0 ; b ← B(e) : b = 0] − Pr[e ← D1 ; b ← B(e) : b = 0]| = 0 (k)
(1)
for some non-negligible function 0 .
So what should B do on input (pk, y, z)? First, it should compute f n−i (x) = f n−i−1 (y). It will also
need to compute the hardcore bits for each iteration of f . Then, it provides to A the tuple
(b1 , . . . , bi , z, Bpk (y), . . . , Bpk (f (n−i−2) (y), pk, f (n−i−1) (y)))
as input, where the bj are all randomly chosen bits. If A outputs 0 then that means the input looks
like it came from Hi (1k ), and so B should output 0 to indicate the distribution D0 . Otherwise, B
should output a 1 to indicate D1 .
To make sure that this tuple looks like Hi+1 (1k ) if it doesn’t look like Hi (1k ), we note that y is
just randomly drawn from the domain of f if we have an element (pk, y, z) from D1 . Therefore, our
sequence of Bpk (y), Bpk (f (y)), . . . at the end will still look as it should, except there will now be
i + 1 “random” elements. To see this, note that we already have i random elements (the bi ). If we
are drawing random y and z using D1 , then our y will function as the base, and our z can function
as our last random bit bi+1 . Therefore, this tuple does look like an element of Hi+1 (1k ) if y and z
are chosen randomly.
Now we just need to prove that B succeeds with non-negligible probability. Using the left-hand side
of equation (1), we substitute in explicit values to see that
LHS of (1)
= |Pr[(pk, f (x), Bpk (x)) ← D0 ; b → B(pk, f (x), Bpk (x)) : b = 0]
− Pr[(pk, y, b0 ) ← D1 ; b ← B(pk, y, b0 ) : b = 0]|
= |Pr[( ) ← D0 ; b ← A(. . . , Bpk (x), . . . , Bpk (f (n−i−1) (x)), pk, f (n−i−1) (f (x))) : b = 0]
− Pr[( ) ← D1 ; b ← A(b1 , . . . , b0 , Bpk (y), . . . , Bpk (f (n−i−2) (y)), pk, f (n−i−1) (y)) : b = 0]|
= |pi,0 − pi+1,0 |
= .
Therefore, B has the same advantage as A, which we assumed to be non-negligible.
Problem 4: The Hybrid Argument
We point out the flaw in the hybrid argument. As discussed in class, a valid hybrid argument has 3
components. First, the “extreme” hybrids must correspond to the distributions which we want to
prove are indistinguishable. That is satisfied here (plugging in i = 0 and i = 2k gives U0,2k −1 and
U2k ,2k+1 −1 as desired.
Second, each hybrid pair must be shown to be indistinguishable. Here, that holds. I omit the proof
of this since we find a fatal error in the third part.
HW 6-4
Third, the number of hybrids must be polynomial in k. Here that is violated. The number of hybrids
is 2k + 1, which is exponential. Therefore, the ability to distinguish the distributions will increase
by an exponential, not polynomial factor, and the distributions will become distinguishable. A
detailed explanation of the requirement for polynomial hybrids appears in Introduction to Modern
Cryptography, Katz and Lindell.
Thus, the argument fails.
Problem 5: Hardcore Bits
For the sake of contradiction, assume that a one-to-one function f with a hardcore bit is not one-way.
Then there exists some PPT machine A that on input y outputs, with non-negligible probability, an
x0 such that f (x0 ) = y. Now we construct a PPT machine B that tries to distinguish D0 and D1 . On
input (y, b), B runs A on input y. Upon getting output x from A, B verifies if indeed y = f (x0 ). If
so, then B computes B(x0 ) and compares it with b. If B(x0 ) = b then B outputs 0; if not B outputs
1. (Equivalently, B outputs B(x0 ) ⊕ b.) If it is not the case that y = f (x0 ), B randomly picks a 0 or
1 to return.
Now we will analyze this reduction:
• If A outputs x0 such that f (x0 ) = y then, since f is one-to-one, B(x) will evaluate to b or b̄
corresponding to whether B was passed a sample from D0 or D1 , respectively, and as such B
will correctly distinguish between the given distributions.
• Alternatively, if A outputs x0 such that f (x0 ) 6= y, then B will correctly distinguish between
the given distributions exactly half of the time.
Since the former will happen with non-negligible probability (k) and the latter will happen with
probability 1 − (k), B will output the correct answer with probability .5 + (k)/2, which is a nonnegligible advantage.
HW 6-5