BU CAS CS 538.
1
CAS CS 538. Problem Set 3
Due via websubmit on Thursday, September 24, 2015, at 11:59pm
Note: The answers for problems 1 and 2 must be proven using one of the two definitions of pseudorandomness used in class.
Problem 1. (20 points) Suppose an algorithm G is a pseudorandom generator. Let G0 be the
following algorithm: on input seed s, run G(s) to get w. Let bit b be the exclusive-or of all the bits
of w. Output the concatenation b ◦ w. Is G0 a pseudorandom generator? Prove your answer.
Problem 2. (40 points)
(a) (20 points)
Suppose an algorithm G is a pseudorandom generator. Let Ḡ be the following algorithm: on input
seed s, run G(s) to get w, then negate every bit of w to get w̄ (i.e., for bit i, w̄i = 1 − wi ), and output
the result. Prove by using a reduction that Ḡ is also a pseudorandom generator.
(b) (20 points)
Suppose algorithms G1 and G2 are pseudorandom generators. Let G3 be the following algorithm: on
input s, G3 runs G1 (s) to get w1 , runs G2 (s) to get w2 , and ouptuts the concatenation of the two
strings: w3 = w1 ◦ w2 . Show that G3 is not necessarily a pseudo-random generator. (Hint: it may be
helpful to use what you proved in the previous part.)
Problem 3. (40 points) In class we almost proved B(x) = (x < p/2) is a hardcore bit for the
one-way function fp,g (x) = g x mod p. I say ”almost” because we proved that if there is a polynomialtime algorithm D that computes this bit perfectly, then there is another polynomial-time algorithm
I that inverts the one-way function perfectly. In this problem, you will (almost) extend the proof to
the case when D is imperfect, but successful with probability 21 + for some nonnegligible (in this
case, the probability is taken over a random choice of x between 1 and p − 1). You will show that in
this case, it is possible to invert f with nonnegligible probability in polynomial time.
The following definition will be helpful: if x is even and 1 ≤ x ≤ p − 1, then of the two modular
square roots of g x , the square root equal to g x/2 mod p is called principal. If you recall the work
we did in class, then you will realize that all we need to do is give an algorithm for reliably finding
principal square roots.
(a) Given a random nonzero square y modulo p, let s1 and s2 ≡ −s1 ≡ s1 g (p−1)/2 be its two square
roots. Show how to use D to find which of s1 , s2 is the principal square root correctly with probability
(over the choice of y) at least 21 + (assume you are given p, g, y, s1 , s2 ).
(b) Let ”t-initial segment” (t-IS) be the set of values with small discrete logarithms: {g x mod
p such that x is even and 1 ≤ x ≤ (p − 1)/tc}. Suppose y is a square in t-IS. Choose r at random in
1, 2, . . . , (p − 1)/2. Let z = yg 2r . Show that for every y in t-IS, the following is true with probability
(over the choice of r) no greater that 1/t: the principal square root of z is not congruent to g r times
the principal square root of y.
(c) Using the previous two parts, show a polynomial-time algorithm that uses D in order to correctly
find the principal square root of any square y in t-IS with probability 12 + − 1t (here the probability
BU CAS CS 538.
2
is only over the random coins of your algorithm). Assume that you can easily find the two square
roots of y; the challenge is merely identifying the principal one.
(d) We will now use the previous part repeatedly n times, and select the principal square root of y
by majority vote. Using some version of the Chernoff bound (I suggest Hoeffding’s inequality—look
it up if you don’t know it, for example, on Wikipedia), bound the probability that the majority vote
is wrong (note by the previous part that each vote is correct with probability at least 12 + − 1t ).
(e) This is FYI, so you know how to complete the argument. There is nothing to hand in for this
part. Let us set t = 2/. By the previous part, you know how find principal square roots of values
in t-IS with high probability. Note that a polynomial (in the security parameter, which is log p) n
1
suffices to reduce the chance of a mistake to as a small 2 log
. Also note that if y is in t-IS, then so are
p
the subsequent values that result from right-shifting the bits of y (because the exponent x gets only
smaller as we right-shift). So the chances of a mistake after log p square roots that our algorithms
1
= 12 . Thus, if y is t-IS, the our algorithm will succeed with
needs to take are at most log p · 2 log
p
probability at least 21 . And the probability that y is in t-IS is 1t . Thus, the overall probability of
inverting f on a random y is at least 1t · 12 = 4 , which is nonnegligible. And the algorithm runs in
polynomial time, because n is polynomial.