Timeline for Building adversary to show a PRF is not secure
Current License: CC BY-SA 3.0
7 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Nov 27, 2019 at 7:16 | comment | added | Maeher | @Jason if you choose the key, you don't need an oracle. You know the description of the algorithm for computing $F$, so just follow it for the key and input of your choice. | |
| Nov 27, 2019 at 0:31 | comment | added | user16972 | @Maeher do we have oracle access to $F(k,x)$ by the PRF definition for every $k$ of our choice? It seems to me as if the definition only gives $F(k,x)$ with a fixed $k$ (uniformly random, not of our choice) or $f(x)$: random... Where is my misunderstanding? | |
| Nov 10, 2018 at 20:53 | vote | accept | Daniel | ||
| Apr 18, 2018 at 1:36 | comment | added | Maeher | The function $F$ is known and both inputs are known (the key is $b$ and the input is $0^n$). So you just compute the value. | |
| Apr 17, 2018 at 22:12 | comment | added | Maeher | I did not define $F(b,0^n)=a$. I defined $a\Vert b$ as the output of the oracle. The oracle is either the PRF with a uniformly chosen random key (in which case it happens to be true that $F(b,0^n)=a$) or it is a truly random function (in which case it is highly unlikely). And your distinguisher needs to distinguish between those two cases. I get the feeling that maybe your problem is a misunderstanding of the definition of a PRF? | |
| Apr 17, 2018 at 20:53 | comment | added | Daniel | What's the meaning of this first line? You call the output $a \Vert b$ and then ask if $F(b, 0^n) = a$, but you just defined $F(b, 0^n) = a$ when you said the output was $a \Vert b$, it looks to me like comparing $x$ with $x$. | |
| Apr 17, 2018 at 4:39 | history | answered | Maeher | CC BY-SA 3.0 |