Determine if a function is a PRG when PRG concatenated with Seed?

cryptonoob

11/3/22, 10:29 PM

I am a newbie in Cryptography and have trouble to solve the following question.

Let $G: \{0,1 \}^n \rightarrow \{0,1 \}^{l(n)}$ be a PRG and $x \epsilon \{0,1 \}^n$. Determine if the function $Z: \{0,1 \}^n \rightarrow \{0,1 \}^{(l(n)+n)}$ s.t. $Z(x) := G(x)||x$ is also a PRG.

My first assumption was that it is a PRG, because the concatenation of the PRG Output G(x) as pseudorandomstring with a uniformly distributed random String x is also a random string. Hence, it can also not be distinguished by an adversary. Furthermore l(n)+n > n, so Expansion is also ok.

How can i prove that? My idea is a Reduction that if there is a distinguisher D who breaks Z(x) would break also G(x) with non-negl probability, which contradicts the initial assumption that G(x) is a PRG.

Am i on the right track or completely lost?

223

0 + 6

pseudo-random-generator

Maarten Bodewes

11/4/22, 12:41 AM

So your function Z is outputting the seed together with the random values derived from it? The algorithm is known as well.

cryptonoob

11/4/22, 2:38 AM

@MaartenBodewes Yes, exactly. But what do you mean with "algorithm is known as well"? G ist not specified any further. Therefore, if I need to give a counterexample for the case that Z is not a PRG, I can design G however I want.

Maarten Bodewes

11/4/22, 9:26 AM

No, this is not usually correct. We generally assume Kerckhoff's principle: any security is not in the algorithm but in the key or - in this case - seed. You can design $G$ however you want, but you should assume that any adversary knows the algorithm. In other words: you cannot assume $G$ to generate any secrecy besides the seed $x$. Now what would happen if you first generate a key and then an IV using $Z$?

SEJPM

11/4/22, 9:40 AM

Hint: Is there perhaps some kind of test / distinguisher that can check whether a given random-looking string is coming from $Z$ or just plain random? Assume the adversary can compute $G$ as well.

cryptonoob

11/12/22, 2:31 AM

@MaartenBodewes The only idea that i have is that an adversary can get the key/seed from the output of Z by performing a cut (because adversary knows the algorithm and knows that the key has a length of n). Then he can input this "key" into the function and check whether it is the same output or not. As far as I know, a PRG is deterministic. And in this case he even knows the key. Right track?

Maarten Bodewes

11/12/22, 7:04 AM

Yeah, that's the right track. Generally it should not be possible to derive the state of the RNG as it would leak information about all the other bytes in the stream.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Determine if a function is a PRG when PRG concatenated with Seed?

TH: ตรวจสอบว่าฟังก์ชันเป็น PRG เมื่อ PRG เชื่อมกับ Seed หรือไม่

RO: Determinați dacă o funcție este un PRG atunci când PRG este concatenat cu Seed?

RU: Определить, является ли функция PRG, когда PRG объединяется с Seed?

VI: Xác định xem một chức năng có phải là PRG khi PRG nối với Seed không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.