patternMinor
Is F(F(s,x), x) necessarily a PRF if F is?
Viewed 0 times
prfnecessarilystackoverflow
Problem
Given a PRF - F, is $G_s(x)=F_{F_s(x)}(x)$ necessarily a PRF?
First I thought how to tackle this problem. First I tried using a hybrid argument:
$|\mathbb P[F_{F_s(x)}(x)] -\mathbb P[f(x)]|\leq |\mathbb P[F_{F_s(x)}(x)] -\mathbb P[F_{f(x)}(x)]| + |\mathbb P[F_{f(x)}(x)] -\mathbb P[f(x)]|$ so I can contradict the possibility that the first part of the is not negligible but the second part of the sum is problematic.
Then I tried to think of counter examples. But it seems to me that because I dont know what the key of F will be if I could break G then I could break F with one single query..
So i'm pretty stuck and would appreciate help.
First I thought how to tackle this problem. First I tried using a hybrid argument:
$|\mathbb P[F_{F_s(x)}(x)] -\mathbb P[f(x)]|\leq |\mathbb P[F_{F_s(x)}(x)] -\mathbb P[F_{f(x)}(x)]| + |\mathbb P[F_{f(x)}(x)] -\mathbb P[f(x)]|$ so I can contradict the possibility that the first part of the is not negligible but the second part of the sum is problematic.
Then I tried to think of counter examples. But it seems to me that because I dont know what the key of F will be if I could break G then I could break F with one single query..
So i'm pretty stuck and would appreciate help.
Solution
Let $\mathrm{RF}_n$ be the set of random functions over $\{0,1\}^n$. Let $F_{f,i}$ be an oracle that answers the first $i$ queries with $F_{f(\cdot)}(\cdot)$ and answers the remaining queries with $f(\cdot)$. Now suppose a polynomial-time distinguisher $D$ can distinguish $\{f\leftarrow \mathrm{RF}_n:F_{f(\cdot)}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$, it can also distinguish $\{f\leftarrow \mathrm{RF}_n:F_{f,k-1}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:F_{f,k}(\cdot)\}$ for some $k$.
Now construct a new distinguisher $D'$. Given an oracle $\mathcal{O}(\cdot)$, it selects a random function $f$, then calls $D$. Each time $D$ gives a query $x$ (suppose it is the $i$th query), $D'$ returns
-
$F_{f(x)}(x)$ if $i
-
$\mathcal{O}(x)$ if $i=k$, or
-
$f(x)$ if $i>k$.
We can see if $\mathcal{O}$ is $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$, the queries $D$ made as well as their answers have the same distribution as the ones when $D$ is facing $\{f\leftarrow \mathrm{RF}_n:F_{f,k}(\cdot)\}$. If $\mathcal{O}$ is $\{s\leftarrow\{0,1\}^n:F_s(\cdot)\}$, the queries $D$ made as well as their answers have the same distribution as the ones when $D$ is facing $\{f\leftarrow \mathrm{RF}_n:F_{f,k-1}(\cdot)\}$. Since $D$ can distinguish $\{f\leftarrow \mathrm{RF}_n:F_{f,k-1}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:F_{f,k}(\cdot)\}$, our distinguisher $D'$ can distinguish $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$ and $\{s\leftarrow\{0,1\}^n:F_s\}$, which contradicts to the fact that $F$ is a PRF.
So $\{f\leftarrow \mathrm{RF}_n:F_{f(\cdot)}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$ cannot be distinguished by any polynomial-time distinguisher. Your second part of the sum is negligible.
Now construct a new distinguisher $D'$. Given an oracle $\mathcal{O}(\cdot)$, it selects a random function $f$, then calls $D$. Each time $D$ gives a query $x$ (suppose it is the $i$th query), $D'$ returns
-
$F_{f(x)}(x)$ if $i
-
$\mathcal{O}(x)$ if $i=k$, or
-
$f(x)$ if $i>k$.
We can see if $\mathcal{O}$ is $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$, the queries $D$ made as well as their answers have the same distribution as the ones when $D$ is facing $\{f\leftarrow \mathrm{RF}_n:F_{f,k}(\cdot)\}$. If $\mathcal{O}$ is $\{s\leftarrow\{0,1\}^n:F_s(\cdot)\}$, the queries $D$ made as well as their answers have the same distribution as the ones when $D$ is facing $\{f\leftarrow \mathrm{RF}_n:F_{f,k-1}(\cdot)\}$. Since $D$ can distinguish $\{f\leftarrow \mathrm{RF}_n:F_{f,k-1}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:F_{f,k}(\cdot)\}$, our distinguisher $D'$ can distinguish $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$ and $\{s\leftarrow\{0,1\}^n:F_s\}$, which contradicts to the fact that $F$ is a PRF.
So $\{f\leftarrow \mathrm{RF}_n:F_{f(\cdot)}(\cdot)\}$ and $\{f\leftarrow \mathrm{RF}_n:f(\cdot)\}$ cannot be distinguished by any polynomial-time distinguisher. Your second part of the sum is negligible.
Context
StackExchange Computer Science Q#111308, answer score: 3
Revisions (0)
No revisions yet.