Solutions To Homework 3


Modern Cryptography Oct 23, 2018

Solutions to Homework 3
Lecturer: Krzysztof Pietrzak, TA: Michael Walter

To get credit for this homework it must be submitted no later than Wednesday, October 31 via
email to michael.walter@ist.ac.at; please use “MC18 Homework 3” as subject.
Please put your solutions into a single pdf file¹ and name this file Yourlastname HW3.pdf, e.g.
Turing HW3.pdf

1. Recall that $f : \mathbb{N} \to \mathbb{R}_{\geq 0}$ is negligible if for all positive polynomials $p(\cdot)$ there exists an $N$ s.t.
for all $n > N$ we have $f(n) < 1/p(n)$.
A function $f : \mathbb{N} \to \mathbb{R}_{\geq 0}$ is noticeable if there exists a positive polynomial $p(\cdot)$ and an $N$ s.t.
for all $n > N$ we have $f(n) \geq 1/p(n)$.

Construct a function that is neither negligible nor noticeable.

Solution: Define $f : \mathbb{N} \to \mathbb{R}_{\geq 0}$ as $f(n) = n \bmod 2$. We claim that $f$ is neither negligible nor
noticeable.
In order to show that $f$ is not negligible, we need to show that there is a positive polynomial
$p$ such that for any $N \in \mathbb{N}$ there exists an $n > N$ with $f(n) \geq 1/p(n)$. We simply consider
the constant polynomial $p(x) = 1/2$. Note that for any $N \in \mathbb{N}$ we have either $f(N + 1) = 1$
or $f(N + 2) = 1$. Since $1 > 1/2 = p(N + 1) = p(N + 2)$, $f$ is not negligible.
Now we show that $f$ is not noticeable. For this we need to show that for any positive
polynomial $p$ and $N \in \mathbb{N}$, there exists some $n > N$ with $f(n) < 1/p(n)$. Note that for any
$N \in \mathbb{N}$ we have either $f(N + 1) = 0$ or $f(N + 2) = 0$. Furthermore, for every positive
polynomial $p$ it holds that $1/p(n) > 0$, which shows that either for $n = N + 1 > N$ or
$n = N + 2 > N$ we have $f(n) < 1/p(n)$.

2. (a) Let $G : \{0,1\}^n \to \{0,1\}^{3n}$ be a pseudorandom generator. In each of the cases below,
say whether $G'$ is necessarily a PRG. If yes, give a proof; if not, show a counterexample.
We assume $G'$ is only defined for even $n$ (so $n/2$ is an integer). Let $S = s_1 \ldots s_n$ denote
the seed and $S_L = s_1 \ldots s_{n/2}$, $S_R = s_{n/2+1} \ldots s_n$ denote the left and right half of $S$.
i. $G'(S) = G(S_L) \oplus G(S_R)$
Solution: $G'$ is a PRG. To see this, first consider its output length: $\ell'(n) = \ell(n/2) =
3n/2 > n$, which shows that $G'$ is expanding. Now assume for contradiction that
$G$ is a PRG but $G'$ is not, i.e. there exists a PPT distinguisher $D'$ such that

$$\left| \Pr_{s \leftarrow \{0,1\}^{n}}[D'(G'(s)) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D'(r) = 1] \right| = \delta(n)$$

¹ If you don’t know how to do it, you can use e.g. https://www.pdfmerge.com/

for some function $\delta$ that is not negligible. Consider the following algorithm $D$,
which on input $r \in \{0,1\}^{3n/2}$ chooses a uniform string $s' \in \{0,1\}^{n/2}$, computes
$r' = r \oplus G(s')$ and outputs $D'(r')$. Clearly, $D$ is also a PPT algorithm. We analyze
the distribution of $r'$: if $r$ was chosen uniformly at random, then $r'$ is also uniformly
random (cf. One-time Pad). On the other hand, if $r = G(s)$ for some $s$ chosen
uniformly at random from $\{0,1\}^{n/2}$, then $r' = G(s) \oplus G(s') = G'(s \| s')$ for uniformly
chosen $(s \| s') \in \{0,1\}^{n}$. It follows that
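$$\left| \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G(s)) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D(r) = 1] \right|$$

$$= \left| \Pr_{(s \| s') \leftarrow \{0,1\}^{n}}[D'(G'(s \| s')) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D'(r) = 1] \right| = \delta(n) = \delta'(n/2)$$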

where $\delta'(n) = \delta(2n)$. Since $\delta(n)$ is not negligible, $\delta'(n)$ is also not negligible. This
is a contradiction to the assumption that $G$ is a PRG.
ii. $G'(S) = S_L \| G(S_L \oplus S_R, S_R)$
Solution: $G'$ is not necessarily a PRG. To see this, consider $G(S) = G_1(S_L \oplus S_R)$,
where $G_1$ is a PRG with output length $\ell_1(n) > 6n$ (so $G$ has output length $\ell(n) =
3n$). Clearly, if $S$ is chosen uniformly at random, then $S_L \oplus S_R$ is also uniformly
random, so $G$ is a PRG if $G_1$ is. On the other hand,
$$G'(S) = S_L \| G(S_L \oplus S_R, S_R) = S_L \| G_1(S_L \oplus S_R \oplus S_R) = S_L \| G_1(S_L).$$
This shows that $G'$ can clearly be distinguished from the uniform distribution, since
it consists of input/output pairs of $G_1$.
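The distinguisher implied by this counterexample, as an added example that is not part of the original handout. It assumes SHAKE-256 as a stand-in for $G_1$ and measures lengths in bytes rather than bits; the function names are illustrative.

```python
import hashlib
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def G1(seed: bytes, out_len: int) -> bytes:
    # Assumption: SHAKE-256 stands in for the PRG G1 of the solution.
    return hashlib.shake_256(seed).digest(out_len)

def G(S: bytes) -> bytes:
    # The counterexample PRG: G(S) = G1(S_L xor S_R), output length 3n.
    h = len(S) // 2
    return G1(xor(S[:h], S[h:]), 3 * len(S))

def G_prime(S: bytes) -> bytes:
    # G'(S) = S_L || G(S_L xor S_R, S_R); the inner xor cancels S_R.
    h = len(S) // 2
    SL, SR = S[:h], S[h:]
    return SL + G(xor(SL, SR) + SR)

def distinguisher(y: bytes, n: int) -> int:
    # Output 1 iff y has the form x || G1(x), an input/output pair of G1.
    h = n // 2
    return int(y[h:] == G1(y[:h], 3 * n))

def advantage(trials: int = 200, n: int = 32) -> float:
    # Empirical |Pr[D(G'(S)) = 1] - Pr[D(r) = 1]| over fresh samples.
    out_len = n // 2 + 3 * n
    real = sum(distinguisher(G_prime(os.urandom(n)), n) for _ in range(trials))
    rand = sum(distinguisher(os.urandom(out_len), n) for _ in range(trials))
    return abs(real - rand) / trials

if __name__ == "__main__":
    print("empirical advantage:", advantage())
```

The distinguisher needs no secret: the first half of the output is the exact input that $G_1$ was evaluated on, so the check succeeds on every output of $G'$ and essentially never on a uniform string.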
(b) A cryptographic combiner takes two candidate constructions of some primitive and
outputs a construction that is secure if at least one of the candidate constructions
is secure. In this question you are asked to construct a combiner for PRGs: given
two functions $G_1 : \{0,1\}^n \to \{0,1\}^{\ell(n)}$, $G_2 : \{0,1\}^n \to \{0,1\}^{\ell(n)}$, give a construction
$G : \{0,1\}^n \to \{0,1\}^{\ell'(n)}$ s.t. $G$ is a PRG if at least one of $G_1$, $G_2$ is a PRG. You can
assume that $\ell(n) = 3n$.

E.g. $G(S) = G_1(S) \| G_2(S)$ is not a good combiner, as if $G_1$ is a PRG but $G_2$ simply
outputs $\ell(n)$ 0’s, then $G(S)$ can trivially be distinguished from random by checking
whether the last $\ell(n)$ bits are 0.
Solution: One might be tempted to consider the combiner $G(S) = G_1(S) \oplus G_2(S)$.
However, there is a simple counterexample showing that this cannot be a good combiner:
consider the case when $G_1$ and $G_2$ are the same PRG $G'$ (which is secure). Then
$G(S) = G'(S) \oplus G'(S) = 0^{\ell'(n)}$, which is clearly distinguishable from uniform.
But a simple modification works: $G(S_L \| S_R) = G_1(S_L) \oplus G_2(S_R)$. This resembles the
construction in 2. a) i. with the same output length, so $G$ is expanding.
We show that $G$ is a PRG if $G_1$ is (independently of whether $G_2$ is a secure PRG or
not). The proof for showing that $G$ is a PRG if $G_2$ is, is symmetrical.
Assume that $G_1$ is a PRG but $G'$ is not, i.e. there exists a distinguisher $D'$ such that
$$\left| \Pr_{s \leftarrow \{0,1\}^{n}}[D'(G'(s)) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D'(r) = 1] \right| > \delta(n)$$

for some function $\delta$ that is not negligible. Consider the following algorithm $D$, which on
input $r \in \{0,1\}^{3n/2}$ chooses a uniform string $s' \in \{0,1\}^{n/2}$, computes $r' = r \oplus G_2(s')$
and outputs $D'(r')$. Clearly, $D$ is also a PPT algorithm. We analyze the distribution of
$r'$: if $r$ was chosen uniformly at random, then $r'$ is also uniformly random (cf. One-time
Pad). On the other hand, if $r = G_1(s)$ for some $s$ chosen uniformly at random from
$\{0,1\}^{n/2}$, then $r' = G_1(s) \oplus G_2(s') = G'(s \| s')$ for uniformly chosen $(s \| s') \in \{0,1\}^{n}$. It
follows that

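$$\left| \Pr_{s \leftarrow \{0,1\}^{n/2}}[D(G_1(s)) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D(r) = 1] \right|$$

$$= \left| \Pr_{(s \| s') \leftarrow \{0,1\}^{n}}[D'(G'(s \| s')) = 1] - \Pr_{r \leftarrow \{0,1\}^{3n/2}}[D'(r) = 1] \right| = \delta(n) = \delta'(n/2)$$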

where $\delta'(n) = \delta(2n)$. This is a contradiction to the assumption that $G_1$ is a PRG.
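The two combiners from 2(b) and the reduction $D$ from the proof, as an added example that is not part of the original handout. It assumes SHAKE-256 as the secure candidate and an all-zero generator as the broken one, with lengths in bytes; all names are illustrative.

```python
import hashlib
import os

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prg(seed: bytes, out_len: int) -> bytes:
    # Assumption: SHAKE-256 stands in for a secure candidate PRG.
    return hashlib.shake_256(seed).digest(out_len)

def broken(seed: bytes, out_len: int) -> bytes:
    # Insecure candidate from the exercise text: outputs only 0's.
    return bytes(out_len)

def xor_same_seed(G1, G2):
    # Tempting but flawed combiner: G(S) = G1(S) xor G2(S).
    return lambda S: xor(G1(S, 3 * len(S)), G2(S, 3 * len(S)))

def split_seed(G1, G2):
    # Combiner from the solution: G(S_L || S_R) = G1(S_L) xor G2(S_R).
    def G(S: bytes) -> bytes:
        h = len(S) // 2
        return xor(G1(S[:h], 3 * h), G2(S[h:], 3 * h))
    return G

def reduction(D_prime, G2, h: int):
    # Build D from D' as in the proof: D(r) = D'(r xor G2(s')) for uniform s'.
    # s_prime can be fixed by the caller to make the identity checkable.
    def D(r: bytes, s_prime: bytes = None):
        if s_prime is None:
            s_prime = os.urandom(h)
        return D_prime(xor(r, G2(s_prime, len(r))))
    return D

if __name__ == "__main__":
    S = os.urandom(32)
    print("G1 = G2, same seed :", xor_same_seed(prg, prg)(S).hex()[:32], "...")
    print("G1 = G2, split seed:", split_seed(prg, prg)(S).hex()[:32], "...")
    print("G2 broken, split   :", split_seed(prg, broken)(S).hex()[:32], "...")
```

With the seed split, a broken $G_2$ only XORs a fixed string onto $G_1(S_L)$, and the reduction shows why: feeding $D$ an output of $G_1$ gives $D'$ exactly an output of the combiner.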
