Cryptography HW2
Chaewoon Ki
Problem 1
Consider a two-round Feistel construction G. Then by definition, with the key k,
To say G is a PRP, f_1 and f_2 must look random when k is unknown; that is, the output of G should
be computationally indistinguishable from a truly random permutation when the key k is unknown.
However, there exists a correlation between the outputs for the specific input pair (0^{l/2}, 0^{l/2}) and
(1^{l/2}, 0^{l/2}), which allows distinguishing G from a truly random permutation. If we define the output as follows:
This holds for any key k, meaning the function exhibits a deterministic correlation between certain
inputs and outputs, violating the conditions for being a pseudorandom permutation.
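As an added illustration (not part of the original writeup), the following Python code instantiates a two-round Feistel network whose round functions f_1, f_2 are derived from the key with HMAC-SHA256 (an assumed instantiation; the writeup leaves f_1 and f_2 abstract) on a block length of l = 128 bits (also an assumption). It checks the algebra behind the correlation, namely that the left output half equals L_0 ⊕ f_1(R_0), runs the two-query distinguisher on the input pair (0^{l/2}, 0^{l/2}), (1^{l/2}, 0^{l/2}) for many fresh keys, and shows that the same test almost never fires against a lazily sampled random permutation.

```python
import hashlib
import hmac
import os
import random

# Block length l = 128 bits, so each half is l/2 = 64 bits (8 bytes); assumed for the demo.
HALF = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, index: int, half: bytes) -> bytes:
    """f_index: a keyed function on l/2-bit halves, instantiated here with HMAC-SHA256
    (assumed instantiation; the original leaves f_1, f_2 abstract)."""
    return hmac.new(key, bytes([index]) + half, hashlib.sha256).digest()[:HALF]


def feistel2(key: bytes, block: bytes) -> bytes:
    """Two-round Feistel G_k with L_i = R_{i-1}, R_i = L_{i-1} XOR f_i(R_{i-1}).
    Output is L_2 || R_2 (no final swap), hence L_2 = L_0 XOR f_1(R_0)."""
    left, right = block[:HALF], block[HALF:]
    for i in (1, 2):
        left, right = right, xor(left, round_function(key, i, right))
    return left + right


def left_half_formula_holds(key: bytes, block: bytes) -> bool:
    """Sanity check of the algebra: the left output half depends only on L_0 and f_1(R_0)."""
    left0, right0 = block[:HALF], block[HALF:]
    return feistel2(key, block)[:HALF] == xor(left0, round_function(key, 1, right0))


def two_query_distinguisher(oracle) -> bool:
    """D queries (0^{l/2}, 0^{l/2}) and (1^{l/2}, 0^{l/2}). Equal right halves make the
    f_1 terms cancel, so for G the left output halves XOR to 1^{l/2} for every key k."""
    x0 = bytes(HALF) + bytes(HALF)
    x1 = b"\xff" * HALF + bytes(HALF)
    y0, y1 = oracle(x0), oracle(x1)
    return xor(y0[:HALF], y1[:HALF]) == b"\xff" * HALF


def random_permutation_oracle(seed: int):
    """Lazily sampled random permutation on {0,1}^l (constructed stand-in for the ideal object)."""
    rng = random.Random(seed)
    table, used = {}, set()

    def oracle(x: bytes) -> bytes:
        if x not in table:
            y = rng.getrandbits(8 * 2 * HALF).to_bytes(2 * HALF, "big")
            while y in used:  # keep sampling until the image is fresh (permutation property)
                y = rng.getrandbits(8 * 2 * HALF).to_bytes(2 * HALF, "big")
            used.add(y)
            table[x] = y
        return table[x]

    return oracle


def feistel_detection_rate(trials: int = 200) -> float:
    """Fraction of fresh random keys for which D outputs 1 on G_k (expected: 1.0)."""
    hits = 0
    for _ in range(trials):
        key = os.urandom(16)
        hits += two_query_distinguisher(lambda x: feistel2(key, x))
    return hits / trials


def random_perm_detection_rate(trials: int = 200) -> float:
    """Fraction of random permutations for which D outputs 1 (expected: about 2^{-l/2})."""
    hits = sum(two_query_distinguisher(random_permutation_oracle(seed)) for seed in range(trials))
    return hits / trials


if __name__ == "__main__":
    print("D on G_k            :", feistel_detection_rate())
    print("D on random perm    :", random_perm_detection_rate())
```

The gap between the two rates is the distinguishing advantage; it is close to 1, which is why two Feistel rounds never yield a PRP no matter how good f_1 and f_2 are (the Luby-Rackoff result needs three rounds for a PRP and four for a strong PRP).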
Problem 2
Let G : {0,1}^n → {0,1}^{2n} be a PRG and let m(n) be some polynomial in n.
Prove the following:
(G(X_1), …, G(X_{m(n)})) ≈ U_{2n·m(n)},
where X_1, …, X_{m(n)} are each independently and uniformly distributed over U_n (for all n). (What
proof technique should you use?)
Let G′ := (G(X_1), …, G(X_{m(n)})). We want to show that when G is a PRG, G′ is also a PRG.
We can use the hybrid argument to prove it. We have to show that H_0 ≈ H_{m(n)}, where H_0 and
H_{m(n)} are defined as follows:
Each b_i is a pseudorandom 2n-bit string generated by G, and b̂_i is a uniformly random 2n-bit string.
Let's define
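Carried through with the writeup's own symbols, the hybrid step reads as follows. This is an added derivation, not part of the original; it assumes the convention that H_0 is the all-uniform tuple and H_{m(n)} the all-pseudorandom one, and that no PPT distinguisher tells G(U_n) from U_{2n} with advantage better than some negligible ε(n).

Write m := m(n). For 0 ≤ i ≤ m define the intermediate hybrid
$$H_i := (b_1, \ldots, b_i, \hat b_{i+1}, \ldots, \hat b_m),$$
so that $H_0 = (\hat b_1, \ldots, \hat b_m) \sim U_{2n\cdot m}$ and $H_m = (b_1, \ldots, b_m) = G'$. For any PPT distinguisher $D$, by the triangle inequality,
$$\bigl|\Pr[D(H_0)=1] - \Pr[D(H_m)=1]\bigr| \;\le\; \sum_{i=1}^{m} \bigl|\Pr[D(H_{i-1})=1] - \Pr[D(H_i)=1]\bigr| .$$
For each $i$ build the PPT algorithm $D_i$ which, on input $z \in \{0,1\}^{2n}$, samples $X_1,\ldots,X_{i-1} \leftarrow U_n$ and $\hat b_{i+1},\ldots,\hat b_m \leftarrow U_{2n}$ and outputs
$$D\bigl(G(X_1),\ldots,G(X_{i-1}),\; z,\; \hat b_{i+1},\ldots,\hat b_m\bigr).$$
If $z = G(X_i)$ with $X_i \leftarrow U_n$, then $D_i$ sees exactly $H_i$; if $z \leftarrow U_{2n}$, it sees exactly $H_{i-1}$. Hence the $i$-th summand equals the advantage of $D_i$ against $G$, which is at most $\varepsilon(n)$, and
$$\bigl|\Pr[D(H_0)=1] - \Pr[D(H_m)=1]\bigr| \;\le\; m(n)\cdot\varepsilon(n),$$
which is negligible because $m(n)$ is a polynomial and $\varepsilon(n)$ is negligible. Thus $G' \approx U_{2n\cdot m(n)}$.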
Problem 3
I'll show that f′_k is computationally distinguishable from F (a random function). Let's define the
distinguisher D as follows:
Thus, we have:
Pr[D^{F_k(·)}(1^n) = 1] = 1,   Pr[D^{F(·)}(1^n) = 1] = 1/2^n.
This is because
F_k(x′) = G_{x_n}(F_k(x)) = G_0(F_k(x))
(since the last bit of x′ is 0).
Problem 4
We analyze whether the transformed function F ′ = {fk′ } must be a PRF or not.
(a) Case: ∀x ∈ {0,1}^n, y ∈ {0,1}^n, k ∈ {0,1}^n, f′_k(x∥y) := f_k(x)∥f_k(y).
Since f_k(x) and f_k(y) are outputs of a PRF, they are computationally indistinguishable from
random functions. Concatenating two independent PRF outputs does not introduce any structure
that an adversary can exploit. Thus, f′_k(x∥y) retains the pseudorandomness property.
Conclusion: F ′ must be a PRF.
Distinguishing Attack: An adversary can choose x = 0^n, query f′_k(0^n), and check if its
output follows a predictable pattern. If f_k is distinguishable under specific key conditions, then
f′_k is also distinguishable.
Conclusion: F ′ is not necessarily a PRF.
Problem 5
Let P be a PRP, meaning that for a uniformly random key k, the function P_k : {0,1}^n → {0,1}^n
is a permutation that is computationally indistinguishable from a truly random permutation when
queried forward. In a strong PRP, this property should hold even when the adversary has access
to an inversion oracle. However, we will construct a PRP P′ such that the inversion oracle leaks
information about k, making it distinguishable.
Define P′ as follows:
    P′_k(x) = P_k(x),  if x ≠ 0^n
    P′_k(x) = k,       if x = 0^n
This modification ensures that when querying x = 0^n, the function directly returns the key k.
• For any x ≠ 0^n, P′_k(x) follows the distribution of P_k(x), maintaining computational
indistinguishability.
However, P′ is not a strong PRP. A distinguisher D can exploit the inversion oracle to recover k
as follows:
3. With knowledge of k, D can now perfectly compute (P′_k)^{-1}(y) for any y.
Since a strong PRP should be indistinguishable from a random permutation even with inversion
queries, this attack breaks the security of P′.