Intro to Cryptography HW 1

Chaewoon Ki

Mar 19, 2025

Problem 1
Let’s say two round Feistel construction G. Then by definition, with the key k,

Gk (L0 , R0 ) = (f1 (R0 ) ⊕ L0 , R0 ⊕ f2 (f1 (R0 ) ⊕ L0 ))

To say G is a PRP, f1 , f2 must look random when k is unknown, that is, the output of G should
be computationally indistinguishable from a truly random permutation when the key k is un-
known.However, there exists a correlation between specific input pairs (0l/2 , 0l/2 ) and (1l/2 , 0l/2 ),
which allows distinguishing G from a truly random permutation. If we define the output as follows:

(L2 , R2 ) = Fk (0l/2 , 0l/2 ), (L′2 , R2′ ) = Fk (1l/2 , 0l/2 )

then the following holds regardless of key.

L2 ⊕ L′2 = f1 (0l/2 ) ⊕ 0l/2 ⊕ f1 (0l/2 ) ⊕ 1l/2 = 1l/2

This holds for any key k, meaning the function exhibits a deterministic correlation between certain
inputs and outputs, violating the conditions for being a pseudorandom permutation.

Problem 2
Let G : {0, 1}n → {0, 1}2n be a PRG and let m(n) be some polynomial in n.
Prove the following:
(G(X1 ), . . . G(Xm(n) )) ≈ U2n·m(n) ,
where X1 , . . . , Xm(n) are each independently and uniformly distributed over Un (for all n). (What
proof technique should you use?)
Let’s say G′ = G(X1 ), . . . G(Xm(n) )). We want to show that when G is PRG, G’ is also PRG.
We can use the hybrid argument to prove it. We have to show that H0 ≈ Hm(n) when H0 and
Hm(n) is defined as follows:

H0 = G′ (U2n·m(n) ) = (b1 , b2 , b3 , ..., bm(n)

Hm(n) = U2n·m(n) = (bˆ1 , bˆ2 , bˆ3 , ..., b̂m(n) )

1
Each bi is pseudorandom 2n bit number generated by G, and bˆi is random 2n bit number generated
by uniform distribution. Lets define

H1 → (bˆ1 , b2 , b3 , ..., bm(n) )

H2 → (bˆ1 , bˆ2 , b3 , ..., bm(n)) )

Hi → (bˆ1 , ..., bˆi , bi+1 , ..., bm(n) )

If Hi ≈ Hi+1 for every i, H0 ≈ Hm(n) . Hi and Hi+1 only differs by (i+1)th bit, which is bi+1
and b̂i+1 respectively. Since G is a PRG, the distributions of bi+1 and b̂i+1 are computationally
indistinguishable.

Problem 3
I’ll show that fk′ is computationally distinguishable with F (random function). Let’s define distin-
guisher D as follows:

1. First query On any x ∈ {0, 1}n−1 , let y the response of D.

2. Second query x′ = x||0n , let y’ be the response.

3. Checking If y ′ = G0 (y), D outputs 1. Else, it outputs 0

Thus, we have:
1
Pr[DFk (·) (1n ) = 1] = 1, Pr[DF (·) (1n ) = 1] = .
2n
This is because
Fk (x′ ) = Gxn (Fk (x)) = G0 (Fk (x))
(since the last bit of x′ is 0).

Problem 4
We analyze whether the transformed function F ′ = {fk′ } must be a PRF or not.

(a) Case: ∀x ∈ {0, 1}n , y ∈ {0, 1}n , k ∈ {0, 1}n , fk′ (x∥y) := fk (x)∥fk (y).
Since fk (x) and fk (y) are outputs of a PRF, they are computationally indistinguishable from
random functions. Concatenating two independent PRF outputs does not introduce any struc-
ture that an adversary can exploit. Thus, fk′ (x∥y) retains the pseudorandomness property.
Conclusion: F ′ must be a PRF.

(b) Case: ∀x ∈ {0, 1}n , fk′ (x) := fx (k).

Here, the input x is being used as the key, and k is being used as the input. If k happens to
be a ”bad” key (e.g., all zeros), then fk′ may be easily distinguishable. That is, there exists a
specific PRF fk where fk′ does not behave as a PRF, since the security of fk′ now depends on
whether the key x is chosen from a secure distribution.

2
 Distinguishing Attack: An adversary can choose x = 0n , query fk′ (0n ), and check if its
output follows a predictable pattern. If fk is distinguishable under specific key conditions, then
fk′ is also distinguishable.
Conclusion: F ′ is not necessarily a PRF.

(c) Case: ∀x ∈ {0, 1}n , fk′ (x) := fk (x∥0n ).

This transformation extends the input by appending 0n before passing it to the PRF. If fk
is a PRF, then for any input x, fk (x∥0n ) remains indistinguishable from a random function,
because appending a fixed string does not break the security properties of fk .
Conclusion: F ′ must be a PRF.

Problem 5
Let P be a PRP, meaning that for a uniformly random key k, the function Pk : {0, 1}n → {0, 1}n
is a permutation that is computationally indistinguishable from a truly random permutation when
queried forward. In a strong PRP, this property should hold even when the adversary has access
to an inversion oracle. However, we will construct a PRP P ′ such that the inversion oracle leaks
information about k, making it distinguishable.

Define P ′ as follows: (
Pk (x), if x ̸= 0n
Pk′ (x) =
k, if x = 0n
This modification ensures that when querying x = 0n , the function directly returns the key k.

To confirm that P ′ is still a PRP, note that:

• P ′ remains a permutation because it is still bijective; given an output, we can uniquely

determine the input.

• For any x ̸= 0n , Pk′ (x) follows the distribution of Pk (x), maintaining computational indistin-
guishability.

However, P ′ is not a strong PRP. A distinguisher D can exploit the inversion oracle to recover k
as follows:

1. Query the inversion oracle on any y.

2. If y = k, the oracle will return x = 0n , revealing k.

3. With knowledge of k, D can now perfectly compute Pk′−1 (y) for any y.

Since a strong PRP should be indistinguishable from a random permutation even with inversion
queries, this attack breaks the security of P ′ .

Thus, P ′ is a PRP but not a strong PRP, completing the proof.