
We assume that there is at least one PRG. Now prove there is a PRG like $G:\{0,1\}^{n} \rightarrow \{0,1\}^{l(n)}$ such that it is not necessarily one-to-one.

abbas

1 Answer


Suppose $F \colon \lbrace 0,1 \rbrace^n \to \lbrace 0,1 \rbrace^{\ell(n)}$ is a secure PRG. Create $G \colon \lbrace 0,1 \rbrace^{n+1} \to \lbrace 0,1 \rbrace^{\ell(n)}$ as follows:

$$G(b ||s) := F(s), \quad b \in \lbrace 0,1 \rbrace, s \in \lbrace 0,1 \rbrace^n.$$

$G$ is as secure as $F$, and clearly $G(0||s) = G(1 || s)$.


To prove the "$G$ is as secure as $F$" part, consider the following proposition$^*$:

Proposition. If there exists a distinguisher $\mathcal{D}$ against $G$, then we can create a distinguisher $\mathcal{D}'$ against $F$, such that $$| \Pr[\mathcal{D}'(U_{\ell(n)}, 1^n) = 1] - \Pr[\mathcal{D}'(F(U_n), 1^n) = 1]| > \frac{1}{poly(n)}.$$

Proof. Distinguisher $\mathcal{D}'$ receives as input a string $z \in \lbrace 0,1 \rbrace^{\ell(n)}$. Then he simply forwards this string to $\mathcal{D}$ and outputs whatever it outputs. Since $z$ is distributed exactly like in the distinguishing game $\mathcal{D}$ expects, we have in particular $\Pr[\mathcal{D}'(F(U_n), 1^n) = 1] = \Pr[\mathcal{D}'(G(U_{n+1}), 1^n) = 1]$, and the proposition follows. $\blacksquare$

Note that the above proposition is intuitively correct when you realize that the bit $b$ is independent of the output of $G$. That is, one could think of $G$ as first running $F$ on some input $s \in \lbrace 0,1 \rbrace^n$, and afterwards drawing the bit $b$. Clearly, this shouldn't reduce the strength of $F$ as a PRG. It should probably also be emphasized that $G$ is as secure as $F$, not more secure. That is, if $F$ has a security level of $n$ bits, then $G$ also has a security level of $n$, not $n+1$ as the longer seed could maybe lead you to believe.

$^*$Technically the proposition does not hold for $\ell(n) = n + 1$, since then $G$ wouldn't actually be a PRG. But I have ignored this above, and simply assumed the more typical case of $\ell(n) \gg n$.

hakoja
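The construction and the reduction from the answer above, as an added example that is not part of the original answer. It assumes a SHAKE-256 expansion as a stand-in for the secure PRG $F$ and a small seed length so every seed can be enumerated; it checks the collision $G(0\|s) = G(1\|s)$ and verifies exactly (by enumeration, not sampling) that any distinguisher $\mathcal{D}$ accepts $G(U_{n+1})$ with the same probability that the forwarding distinguisher $\mathcal{D}'$ accepts $F(U_n)$.

```python
import hashlib
from collections import Counter
from fractions import Fraction

N = 10          # seed length n in bits (small, so all 2^n seeds can be enumerated)
OUT_BYTES = 4   # ell(n) = 32 bits, so ell(n) > n + 1 as the footnote assumes


def F(seed: int) -> bytes:
    """Stand-in for the secure PRG F (assumption: SHAKE-256 expansion)."""
    return hashlib.shake_256(seed.to_bytes((N + 7) // 8, "big")).digest(OUT_BYTES)


def G(x: int) -> bytes:
    """G(b||s) := F(s). x is an (n+1)-bit integer: top bit b, low n bits s."""
    s = x & ((1 << N) - 1)   # drop the bit b, keep the seed s
    return F(s)


def collision_example(s: int):
    """Return (G(0||s), G(1||s)); both evaluate to F(s), so G is not injective."""
    return G(s), G((1 << N) | s)


def acceptance_prob(distinguisher, generator, seed_bits: int) -> Fraction:
    """Exact Pr[distinguisher(generator(U_{seed_bits})) = 1] over all seeds."""
    hits = sum(1 for x in range(1 << seed_bits) if distinguisher(generator(x)))
    return Fraction(hits, 1 << seed_bits)


def reduction(distinguisher_against_G):
    """D' from the proof: forward the input string z to D and output its verdict."""
    return lambda z: distinguisher_against_G(z)


def advantages_match(distinguisher) -> bool:
    """Key step of the proof: G(U_{n+1}) and F(U_n) are identically distributed,
    so D on G-outputs and D' on F-outputs accept with exactly the same probability."""
    d_prime = reduction(distinguisher)
    return acceptance_prob(distinguisher, G, N + 1) == acceptance_prob(d_prime, F, N)


def output_multiplicities() -> Counter:
    """How often each output of G occurs over all 2^(n+1) inputs (always >= 2)."""
    return Counter(G(x) for x in range(1 << (N + 1)))
```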