CS783: Theoretical Foundations of Cryptography Fall 2024

Assignment 2
August 14, 2024
Instructor: Chethan Kamath

Exercise 1 (Unpredictability vs. pseudorandomness).


1. (Lecture 4, Exercise 3) Let’s start by writing down a simple reduction. Recall the
definitions of pseudorandomness and next-bit unpredictability (a.k.a. unpredictability
on the right) from Lecture 4. Show that if a PRG $G$ is pseudorandom, then it is
also next-bit unpredictable.

2. Recall the definition of first-bit unpredictability (a.k.a. unpredictability on the left)
as defined in Lecture 4: the predictor can ask for bits $y_2, \ldots, y_i$ (for $i \in [1, n+1]$
of its choice) and has to predict the first bit $y_1$.

(a) Show that if a PRG $G$ is pseudorandom, then it is also first-bit unpredictable.

(b) Does the converse hold? That is, does first-bit unpredictability imply
pseudorandomness? Come up with a proof or a counter-example.

(c) Does first-bit unpredictability imply next-bit unpredictability? Come up with a
proof or a counter-example.

Exercise 2 (Hybrid argument). In this exercise, we will practice hybrid arguments. In
each question, describe the hybrid worlds, and explain why consecutive worlds are
indistinguishable.

1. Let $G$ be a PRG with expansion factor $n+1$. Consider the following construction
of a length-doubling PRG $G'$ that came up during discussions in Lecture 4. To compute
$G'(s)$:

- Set $s_0 := s$ and $\ell := |s|$
- For each $i \in [1, \ell]$, compute $s_i = G(s_{i-1})$
- Output $s_\ell$

Prove that G′ is a PRG using a hybrid argument. What are the advantages and
disadvantages of this construction over the one in the lecture?

2. Recall the two-world definition of PRF from Definition 1, Lecture 5. Now consider
the alternative definition, Definition 1′ , via the following experiment:

- The distinguisher $D$ is given query access to the PRF $F_k(\cdot)$, and it can
(adaptively) make polynomially-many queries $x_1, \ldots, x_q$ to obtain
$F_k(x_1), \ldots, F_k(x_q)$.
- In the end, $D$ issues a challenge $x^* \notin \{x_1, \ldots, x_q\}$: in the pseudorandom
world it gets $y^* := F_k(x^*)$ and in the random world it gets a uniformly random value
$r^*$ from the co-domain of the PRF.

F is a PRF if the behaviour of the distinguisher changes only by a negligible value in
the two worlds. Using a hybrid argument, show that Definition 1′ implies Definition
1, that is, any PRF that satisfies Definition 1′ also satisfies Definition 1.

- Hint: given a distinguisher in the sense of Definition 1, construct a distinguisher
in the sense of Definition 1′; note that the distinguisher in Definition 1′ has much
more flexibility.
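
The iterated construction $G'$ from question 1 of Exercise 2, together with one natural family of hybrid worlds for it, as an added example that is not part of the assignment. The function `G` is a toy stand-in built from SHAKE-256 (an assumption of this example, not a PRG from the course), and bit strings are represented as Python strings of `0`/`1`.

```python
import hashlib

def G(s: str) -> str:
    """Toy stand-in for a PRG with expansion factor n+1: n bits in, n+1 out.
    SHAKE-256 is a heuristic choice made for this example only."""
    n = len(s)
    raw = hashlib.shake_256(s.encode("ascii")).digest(n // 8 + 1)
    return "".join(f"{b:08b}" for b in raw)[: n + 1]

def hybrid(ell: int, j: int, s_j: str) -> str:
    """Hybrid world H_j: start from a given (ell + j)-bit string s_j and
    apply G for the remaining ell - j steps, producing 2*ell bits.
    In the experiment s_j is sampled uniformly, so H_0 is the output of G'
    on a uniform seed and H_ell is a uniform 2*ell-bit string."""
    if len(s_j) != ell + j or not 0 <= j <= ell:
        raise ValueError("s_j must have ell + j bits with 0 <= j <= ell")
    cur = s_j
    for _ in range(ell - j):
        cur = G(cur)
    return cur

def G_prime(s: str) -> str:
    """The construction from the exercise: s_0 := s, s_i := G(s_{i-1}) for
    i in [1, ell], output s_ell. This is H_0 run on the seed s."""
    return hybrid(len(s), 0, s)

def call_lengths(ell: int) -> list[int]:
    """Input length of each of the ell sequential calls G' makes to G."""
    return [ell + i for i in range(ell)]
```

Worlds $H_j$ and $H_{j+1}$ differ only in whether the $(\ell + j + 1)$-bit string fed to the remaining steps is $G$ of a uniform string or is itself uniform, which is the place where the security of $G$ is invoked.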

Exercise 3 (PRF or not).

1. For a PRF $\{F_k : \{0,1\}^n \to \{0,1\}^n\}_{k \in \{0,1\}^n}$, the “complementing” PRF defined as
Fk′ (x) := Fk (x) (where the overline denotes bit-string complement)?

2. For F as above, a second “complementing” PRF defined as Fk′ (x) := Fk (x)?

3. Recall the tree-based construction of PRF from length-doubling PRF (Construction
2) we saw in Lecture 5. Recall that the value $F_k(x)$, $x \in \{0,1\}^n$, was computed
by taking the key $k$ as the seed of the root PRG, and computing the leaf output $s_x$.
What about the “dual” construction where to compute $F_k(x)$, you use the input $x$
as the seed of the root PRG, and then output the leaf value $s_k$?

Exercise 4 (Weak PRFs). Recall that in the definition of PRFs, the distinguisher can
(adaptively) query its oracle (which is either the PRF or a random function) on inputs of
its choice. Let’s consider a weaker notion where the distinguisher only gets to see the
output value on random input points. To be precise,
$\{F_k : \{0,1\}^n \to \{0,1\}^n\}_{k \in \{0,1\}^n}$ is a weak PRF if for all PPT (oracle)
distinguishers $D$, the following is negligible:

$$\delta(n) := \Pr_{k \leftarrow \{0,1\}^n}\left[D^{F_k(\$)}(1^n) = 0\right] - \Pr_{f \leftarrow \mathcal{F}_n}\left[D^{f(\$)}(1^n) = 0\right].$$

Here the $ in the oracle (instead of (·)) denotes access to output on random input points.

1. Show that if F is a PRF then it is also a weak PRF.

2. If $F$ is a PRF, show that $F'$, defined below, is a weak PRF, but not a PRF:

$$F'_k(x) := \begin{cases} F_k(x) & \text{if } x \text{ is even} \\ F_k(x+1) & \text{otherwise} \end{cases}$$
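
The difference between chosen-input access and random-input access for $F'$, as an added example that is not part of the assignment. It assumes HMAC-SHA256 truncated to 64 bits as a stand-in for $F_k$, a toy block length `N = 64`, and that $x + 1$ wraps modulo $2^N$ on the all-ones input; none of these choices come from the course.

```python
import hashlib
import hmac
import secrets

N = 64  # toy block length in bits (an assumption of this example)

def F(k: bytes, x: int) -> int:
    """Stand-in for the PRF F_k: HMAC-SHA256 truncated to N bits."""
    tag = hmac.new(k, x.to_bytes(N // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[: N // 8], "big")

def F_prime(k: bytes, x: int) -> int:
    """F'_k(x) from the exercise; x + 1 is taken modulo 2^N (assumption)."""
    return F(k, x) if x % 2 == 0 else F(k, (x + 1) % 2**N)

def random_function():
    """Lazily sampled uniformly random function on N-bit inputs."""
    table = {}
    def f(x: int) -> int:
        if x not in table:
            table[x] = secrets.randbits(N)
        return table[x]
    return f

def chosen_input_distinguisher(oracle) -> int:
    """PRF game: D picks its own queries. Outputs 0 for 'this is F_prime'."""
    return 0 if oracle(1) == oracle(2) else 1

def random_input_distinguisher(oracle, q: int = 100) -> int:
    """Weak-PRF game: D only sees (x, oracle(x)) for uniformly random x.
    It applies the same equality test, but only to pairs (odd x, x + 1)
    that happen to appear among its q samples."""
    seen = {}
    for _ in range(q):
        x = secrets.randbits(N)
        seen[x] = oracle(x)
    for x, y in seen.items():
        if x % 2 == 1 and seen.get((x + 1) % 2**N) == y:
            return 0
    return 1
```

With chosen inputs the test separates the two worlds; with random inputs an adjacent pair almost never appears among the samples, so the same test outputs 1 in both worlds.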

Exercise 5 (Chosen Plaintext Attack (CPA)). Recall the definition of CPA from
Lecture 5 (cf. [KL14, Definition 3.21] for a formal definition). This exercise will help you
understand CPA secrecy better.

1. Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a symmetric-key encryption (SKE) scheme with
deterministic encryption. Show that $\Pi$ cannot be CPA-secret.

2. Let $\Pi_1 = (\mathrm{Gen}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $\Pi_2 = (\mathrm{Gen}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$ be two SKE schemes. We
are in a situation where only one of the two schemes is CPA-secret (and we don’t
know which one). Construct an SKE scheme $\Pi$ that is CPA-secret as long as $\Pi_1$ or
$\Pi_2$ is secure. (Such a construction is called a “combiner”.)

- Hint: it is instructive to first think about constructing such schemes against
eavesdroppers.

3. (Easier version of Lecture 5, Exercise 4) Consider the following restriction of CPA,
denoted CPA′, where the adversary cannot make any queries after the challenge.
Show that, if the underlying PRF is secure, then Construction 1 from Lecture 5 is
CPA′-secret. To make your life easier, assume that the PRF satisfies Definition 1′
above.

- Hint: Use the fact that in the random world in Definition 1′ the challenge
output is uniformly random and thus an OTP.
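
The CPA experiment from question 1 of Exercise 5 run against a deterministic scheme and, for contrast, a randomized one, as an added example that is not part of the assignment. Both toy schemes, the function names and the fixed 16-byte messages are assumptions of this example; `enc_rand` is a generic PRF-based randomized encryption with HMAC-SHA256 as the stand-in PRF and is not claimed to be Construction 1 from Lecture 5.

```python
import hashlib
import hmac
import secrets

def enc_det(k: bytes, m: bytes) -> bytes:
    """Deterministic toy scheme: XOR with a fixed key-derived pad."""
    pad = hashlib.shake_256(k).digest(len(m))
    return bytes(a ^ b for a, b in zip(m, pad))

def enc_rand(k: bytes, m: bytes) -> bytes:
    """Randomized toy scheme: fresh r, ciphertext r || (F_k(r) XOR m),
    with HMAC-SHA256 as the PRF (messages of at most 32 bytes)."""
    r = secrets.token_bytes(16)
    pad = hmac.new(k, r, hashlib.sha256).digest()[: len(m)]
    return r + bytes(a ^ b for a, b in zip(m, pad))

def adversary(enc_oracle, challenge) -> int:
    """Query the encryption oracle on m0, then compare the answer with the
    challenge ciphertext for (m0, m1). Outputs its guess for b."""
    m0, m1 = b"message number 0", b"message number 1"
    c0 = enc_oracle(m0)
    c = challenge(m0, m1)
    return 0 if c == c0 else 1

def cpa_game(enc) -> bool:
    """One run of the CPA experiment; True if the adversary guesses b."""
    k = secrets.token_bytes(16)
    b = secrets.randbelow(2)
    oracle = lambda m: enc(k, m)
    challenge = lambda m0, m1: enc(k, (m0, m1)[b])
    return adversary(oracle, challenge) == b

def win_count(enc, trials: int = 200) -> int:
    """Number of runs, out of `trials`, in which the adversary is right."""
    return sum(cpa_game(enc) for _ in range(trials))
```

Against `enc_det` the comparison identifies $b$ in every run; against `enc_rand` the two ciphertexts of the same message differ, so the same adversary is right only when $b = 1$.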

References
[KL14] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography (3rd ed.). Chapman
and Hall/CRC, 2014.
