CAS CS 538. Solutions to Problem Set 3

BU CAS CS 538. Fall 2012. 1
Problem 1.
(a)
CAS CS 538. Solutions to Problem Set 3
∆(X, Y ) =
=
max | Pr[X ∈ T ] − Pr[Y ∈ T ]|
T
�
� n� � 1
max � Pr[Xi ∈ T ] −
T �n
i=1
1
�
n� �
�
Pr[Yi ∈ T ] �
n
�
i=1
≤ 1
n max
n�
| Pr[Xi ∈ T ] − Pr[Yi ∈ T ]|
T
≤ 1
n
= 1
n
n�
i=1
i=1
max | Pr[Xi ∈ T ] − Pr[Yi ∈ T ]|
T
n�
∆(Xi, Yi) .
i=1
(b) We know that for any m0, m1 ∈ M,
∆(Enck(m0), Enck(m1)) ≤ ɛ .
Let the function f(x) be defined as f(x) = (m1, x). Applying this function to both random variables
in the above inequality (which is allowed by Problem 2.5 from PS2), we get
∆((m1, Enck(m0)), (m1, Enck(m1))) ≤ ɛ .
The above holds for every message m1 ∈ M, so let us enumerate all the messages in M as msg 1, . . . ,
msg |M|, and let Xi = (msg i, Enck(m0)) and Yi = (msg i, Enck(msg i)). The above formula simply says
that ∆(Xi, Yi) ≤ ɛ.
Note that choosing a random i and then the value of Xi gives us the distribution X = (m, Enck(m0)),
and choosing a random i and then the value of Yi gives us the distribution Y = (m, Enck(m)). By
the previous part, ∆(X, Y ) ≤ 1
|M|
� |M|
i=1 ∆(Xi, Yi) ≤ ɛ.
(c) Suppose |K| < |M|(1 − ɛ). We know from the previous part that if for all m0, m1 ∈ M,
∆(Enck(m0), Enck(m1)) ≤ ɛ, then for all m0, ∆(X, Y ) ≤ ɛ, where X = (m, Enck(m0)) and Y =
(m, Enck(m)). Consider the following set T : T = {(m, c) | m ∈ M and ∃k ′ s.t. Deck ′(c) = m}. Then
Pr[X ∈ T ] = Pr
k∈K,m∈M [∃k′ s.t. Deck ′(Enck(m0)) = m] .
For any k, because there are at most |M|(1 − ɛ) different values for k ′ , the result of Deck ′(Enck(m0))
can take on fewer than |M|(1 − ɛ) different values. The chances that a random m ∈ M is one of
those are therefore less than |M|(1−ɛ)
= 1 − ɛ. Since this holds for every k, it also holds for a random
|M|
k, hence Pr[X ∈ T ] < 1 − ɛ. On the other hand, Pr[Y ∈ T ] = 1 (simply take k ′ = k; by correctness
of encryption, Deck ′(Enck(m)) = m). So ∆(X, Y ) > |1 − ɛ − 1| = ɛ, which contradicts the previous
part.

BU CAS CS 538. Fall 2012. 2
Problem 2.
(a) Suppose for contradiction that ¯ G is not a pseudorandom generator. Then there must be a
polynomial time distinguisher Ā that with nonnegligible probability distinguishes outputs of ¯ G versus
random strings. In other words,
|Prs∈{0,1} k[ Ā( ¯ G(s)) = 1] − Prr∈{0,1} | ¯ G(0k )|[ Ā(r) = 1]| = f(k),
where f is some nonnegligible function. We can now build A, a polynomial time distinguisher for G
that on input x works as follows:
• let ¯x be x with bits negated (¯xi = 1 − xi)
• run Ā(¯x) and output whatever it does.
The probability that A distinguishes outputs of G on random seeds with length k versus random
strings, is exactly f(k). To see that, notice that:
1. if A is given x = G(s) for random s ∈ {0, 1} k , then ¯x = ¯ G(s), and so Pr[ Ā( ¯ G(s)) = 1] =
Pr[A(G(s)) = 1]
2. if x is a randomly chosen string, then ¯x is a randomly chosen string too, and so Pr[A(x) = 1] =
Pr[ Ā(x) = 1].
This confirms that
|Pr s∈{0,1} k[A(G(s)) = 1] − Pr r∈{0,1} |G(0 k )|[A(r) = 1]| = f(k),
which contradicts the pseudorandomness of G.
(b) We can construct a counterexample. Let G1 be an arbitrary pseudorandom generator, and
G2 = ¯ G1 (G2(s) outputs G1(s) but with each bit negated). As we saw in the previous problem, G2
is a pseudorandom generator too. But G3(s) = G1(s) ◦ ¯ G1(s) can be told apart from random, and
here is a distinguisher (with input x):
• let l = |x|
• if x1 = xl/2+1 then output 0 else output 1 .
When given G3(s), this distinguisher always outputs 1, because the first bit of G3(s) is always the
negation of the (l/2 + 1)-st one. But when given a random string, the distinguisher outputs either
1 or 0 with probability 1/2, because there is exactly 1/2 chance that the first and the (l/2 + 1)-st
bits are equal. So we have a 1/2 probability of distinguishing outputs of G3 versus random, which is
nonnegligible.
Problem 3.
(a) (First solution)
We define experiments exp 0, exp 1 and exp 2.
exp i(k) :

BU CAS CS 538. Fall 2012. 3
• generate random k-bit strings s1 and s2
• generate random strings r1 and r2 of lengths |G1(0 k )| and |G2(0 k )| respectively
• output A(r1 ◦ r2) or A(G1(s1) ◦ r2) or A(G1(s1) ◦ G2(s2)) depending on whether i is 0, 1 or 2,
respectively .
Notice that exp 0 describes the run of the distinguisher A on a random string, exp 2 on a pseudorandom
string output by G3, and exp 1 on a hybrid. To prove that G3 is a pseudorandom generator, we need
to make sure that f(k) = |Pr[exp 0(k) = 1] − Pr[exp 2(k) = 1]| is negligible.
Let f1(k) = |Pr[exp 0(k) = 1] − Pr[exp 1(k) = 1]| and f2(k) = |Pr[exp 1(k) = 1] − Pr[exp 2(k) = 1]|.
By triangle inequality, f(k) ≤ f1(k)+f2(k). We now need to prove that both f1 and f2 are negligible.
Each proof will be done by contradiction:
1. If f1(k) = |Pr[exp 0(k) = 1] − Pr[exp 1(k) = 1]| were nonnegligible then we could construct A1
that breaks G1 on seeds of length k ∈ K: A1(y) simply calls A(y ◦r) where r is a random string
of length |G2(0 k )|; y ◦ r is distributed either as in exp 0, or as in exp 1, depending on whether y
is random or output by G1, so A1 “works” with probability at least f1(k). Contradiction!
2. If f2(k) = |Pr[exp 1(k) = 1] − Pr[exp 2(k) = 1]| were nonnegligible then we could construct A2
that breaks G2 on seeds of length k ∈ K: A2(y) calls A(G1(s) ◦ y) for a random s ∈ {0, 1} k ;
depending on whether y is random or output by G2, the distribution of G1(s) ◦ y is either as in
exp 1 or as in exp 2; here it is important to note that s is indeed chosen independently of y. We
conclude that A2 “works” with probability at least f2(k). Contradiction!
(b) (Alternate solution)
The first solution was based on the indistinguishability definition of a pseudorandom generator. This
one employs the next-bit unpredictability definition.
Suppose for contradiction that there exists A, a polynomial time next-bit predictor for G3 with
nonnegligible predicting probability. Consider the predicting experiment exp(k):
• select random s ∈ {0, 1} k and compute y = G3(s)
• call A(1 k ) giving it bits of y as answers to its next requests
• output whatever A does .
Recall that we say that exp succeeds if its output after i stages is equal to yi. By our assumption,
we have that Pr[exp(k) succeeds] = f(k) for some nonnegligible function f. Now let l(k) be the
length of G1(0 k ). If exp(k) succeeds, then it either succeeds after i < l(k) or i ≥ l(k) stages. So
Pr[exp(k) succeeds] = Pr[exp(k) succeeds after < l(k) st.] + Pr[exp(k) succeeds after ≥ l(k) st.].
Let f1(k) = Pr[exp(k) succeeds after < l(k) st.] and f2(k) = Pr[exp(k) succeeds after ≥ l(k) st.].
Since f(k) = f1(k) + f2(k) is nonnegligible, then at least one of f1, f2 must be nonnegligible too.
Suppose f1 is nonnegligible. Then we can build A1, a predictor for G1. A1(k) simply does the
same as A(2k), and outputs whatever A(2k) does. The only difference is that in case A(2k) makes
too many (more than l(k)) next requests, A1 just outputs zero and terminates. A1(k) predicts some
bit of G1’s output with probability f1(2k). Contradiction!

BU CAS CS 538. Fall 2012. 4
If, on the other hand, f2 is nonnegligible, then we build A2, a predictor for G2. A2(k) first
computes y = G1(s) for random s ∈ {0, 1} k . Then it calls A(2k), and answers its first l(k) next
requests with bits of y. Subsequent A’s next requests are just relayed (A2 makes its own next request
and forwards the answer to A). Finally, A2 outputs whatever A does. Again, A2(k) predicts some bit
of G2’s output with probability f2(2k) (as in the first solution, the independence of seeds is crucial
here: A2 choses s independently of y, which ensures the distribution of answers to next requests is
the right one). Again a contradiction!
Note that, even though at least one of A1, A2 succeeds in predicting bits of a corresponding
generator, we do not know which one is it. Still this is a contradiction, to the statement “both G1
and G2 are pseudorandom generators”.