efficient adversary should be able to distinguish these two distributions. In

fact, if you could distinguish these two distributions, it's easy to show that you

would break the original PRG. Okay, but essentially you see that the reason we can

do this replacement, we can replace the output of G, with truly random values, is

exactly because of the definition of the PRG, which says the out put of the PRG is

indistinguishable from random, so we might as well just put random there, and no

efficient adversary can distinguish the resulting two distributions. Okay, so far

so good, but now we can do the same thing again to the left hand side. In other

words, we can replace these two pseudo random outputs, by truly random outputs.

And again because the generator G is secure, no efficient adversary can tell

the difference between these two distributions. But differently, if an

adversary can distinguish these two distributions, then we would also give an

attack on the generator G. And now finally we're gonna do this one last time. We're

gonna replace this pseudo random pair By a truly random pair, and low and behold we

get the actual distribution that we were shooting for, we would get a distribution

that is really made of four independent blocks. And so now we have proved this

transition basically that these two indistinguishable, these two

indistinguishable, and these two indistinguishable, and therefore these two

are indistinguishable, which is what we wanted to prove. Okay so this is kind of

the high level idea for the proof, it is not too difficult to make this rigorous,

but i just wanted to show you kinda intuition for how the proof works. Well,

if we were able to extend the generators outputs once, there's nothing preventing

us from doing it again so here is a generator G1 that outputs four elements in

the key space. And remember the output here is indistinguishable from our random

four couple, that's what we just proved. And so there's nothing preventing us from

applying the generator again. So we'll take the generator apply it to this random

looking thing and we should be able to get this random looking thing. This pair over

here that's random looking. And we can do the same thing again, and again, and

again. And now basically we've built a new generator that outputs elements in K to

the eighth, as opposed to K to the fourth. And again the proof of security is very

much the same as the one I just showed you essentially you gradually change the

outputs into truly random outputs. So we would change this to a truly random

output, then this, then that, then this, then that and so on and so forth. Until

finally we get something that's truly random and therefore the original two

distributions we started with G2K and truly random are indistinguishable. Okay,

so far so good. So now we have a generator that outputs elements in K to the eighth.

Now if we do that basically we get a three bit PRF. In other words, at zero, zero,

zero this PRF would output this block, and so on and so forth until one, one, one it

would output this block. Now the interesting thing is that in fact this PRF

is easy to compute. For example, suppose we wanted to compute the PRF at the point

one zero one. Okay, it's a three bit PRF. Okay so one zero one. How would we do

that? Well basically we would start from the original key K. And now we would apply

the generator G but we would only pay attention to the right output of G,

because the first bit is one. And then we will apply the generator again, but we

would only pay attention to the left of the output of the generator because the

second bit is zero. And then we would apply the generator again and only pay

attention to the right outputs because the third bit is one and that would be the

final output. Right, so you can see that, that lead us to 101, and in fact because

the [inaudible] generator is pseudo random, we know that, in particular that,

this output here is pseudo random. Okay, so this gives us a three bit PRF. Well, if

it worked three times, there's no reason why it can't work N times. And so if we

apply this transformation again and again, we arrive at what's called a GGMPRF. Ggm

stands for Goldreich, Goldwasser and Micali these are the inventors of

this PRF and the way it works is as follows. So we start off with a generator

just doubles its outputs, and now we're able to build a PRF that acts on a large

domain mainly a domain of size zero one to the N. Or N could be as big as 128 or even

more. So let's see, suppose we're given an input in 01 to the N, let me show you how

to evaluate the PRF. Well by now you should actually have a good idea for how

to do it. Essentially we start from the original key and then we apply the

generator and we take either the left or the right side depending on the bit X0 and

then we arrive at the next key, K1. And then we apply the generator again and we

take the left or the right side depending on X1 and we arrive at the next key. And

then we do this again and again, until finally we are arrive at the output. So we

have processed all end bits, and we arrive at the output of this function. And

basically we can prove security again pretty much along the same lines as we did

before, and we can show that if G is a secure PRG, then in fact we get a secure

PRF, on 01 to the N, on a very large domain. So that's fantastic. Now we have

we have essential, we have a PRF that's provably secure, assuming that the

underlying generator is secure, and the generator is supposedly much easier to

build than an actual PRF. And in fact it works on blocks that can be very large, in

particular, 01 to the 128th, which is what we needed. So you might ask well why isn't

this thing being used in practice? And the reason is, that it's actually fairly slow.

So imagine we plug in as a generator we plug in the salsa generator. So now to

evaluate this PRF at a 128 bit inputs, we would basically have to run the salsa

generator 128 times. One time per bit of the input. But then we would get a PRF

that's 128 times slower than the original salsa. And that's much, much, much slower

than AES. Aes is a heuristic PRF. But nevertheless it's much faster then what we

just got here. And so even though this is a very elegant construction, it's not used

in practice to build pseudo random functions although in a week we will be

using this type of construction to build a message integrity mechanism. So the last

step, is basically now that we've built a PRF, the questions is whether we can

actually build the block cypher. In other words, can we actually build a secure PRP

from a secure PRG. Everything we've done so far is not reversible. Again if you

look at this construction here, we can't decrypt basically given the final outputs.

It is not possible to go back or at least we don't know how to go back the, the

original inputs. So now the question of interest is so can we actually solve the

problem we wanted solve initially? Mainly, can we actually build a block cipher from

a secure PRG? So ill let you think about this for a second, and mark the answer. So

of course I hope everyone said the answer is yes and you already have all the

ingredients to do it. In particular, you already know how to build a PRF from a

pseudo random generator. And we said that once we have a PRF we can plug it into the

Luby-Rackoff construction, which if you remember, is just a three-round feistel.

So we said that if you plug a secure PRF into a three-round feistel, you get a

secure PRP. So combining these two together, basically gives us a secure PRP

from a pseudo random generator. And this is provably secure as long as the

underlying generator is secure. So it's a beautiful result but unfortunately again

it's not used in practice because it's considerably slower than heuristics

constructions like AES. Okay so this completes our module on constructing

pseudo random permutations, and pseudo random functions. And then in the next

module we're gonna talk about how to use these things to do proper encryption.