1

So I'm reading this article where they talk shortly about pseudo random generators where I'm not quite familiar with some of the notation. They call $\lambda$ the security parameter.

"Pseudorandom function (PRF). Let $\mathcal{F}=\left\{F_{\text {sk }}:\{0,1\}^{\ell_1(\lambda)} \rightarrow\{0,1\}^{\ell_2(\lambda)} \mid\right.$ sk $\left.\in\{0,1\}^\lambda\right\}$ be a family of functions. $\mathcal{F}$ is a PRF if $F_{\text {sk }}$ is efficiently computable and for all p.p.t. distinguishers $D$, $$ \left|\operatorname{Pr}_{\mathbf{s k} \leftarrow\{0,1\}^\lambda}\left[D^{F_{\mathbf{s k}}(\cdot)}\left(1^\lambda\right)=1\right]-\operatorname{Pr}_f\left[D^{f(\cdot)}\left(1^\lambda\right)=1\right]\right| \leq \operatorname{negl}(\lambda) $$ where $f$ denotes a random function from $\{0,1\}^{\ell_1(\lambda)}$ to $\{0,1\}^{\ell_2(\lambda)}$. PRFs are a standard cryptographic primitive equivalent to one-way functions and can be constructed from standard assumptions [GGM86, HILL99]."

  1. What does it mean that we take the distinguished $D$ in $1^\lambda$?
  2. Im guessing that $l_1(\lambda)$ and $l_2(\lambda)$ are the length of input and output to the pseudorandom function that they define before the random function which from my understanding is the goal to mimic the randomness of. However, then it seems counterintuitive to me that they depend on $\lambda$ and not just on the random function $f$'s input and output dimension? Is it because you would solve for $\lambda$ such that you could match the input and output dimension of $f$?
Maarten Bodewes
  • 92,551
  • 13
  • 161
  • 313
StackExchangeMMH
  • 11
  • 2
  • 1
    For security parameter see this; Why does key generation take an input $1^k$, and how do I represent it in practice?. They use two $\ell_i$ since they want to indicate it is a function ( not permutation) and the security parameter defines the dimensions with the $\ell_i$, where they will be used in the proofs. – kelalaka Sep 27 '23 at 17:39
  • 1
    Also this one that suits more into your case; What does the expression $1^n$ mean as a function argument? and may be it is better to read after the above link. – kelalaka Sep 27 '23 at 17:44
  • Thanks for the answers kelalaka. So from reading from the other links I understand $1^\lambda$ as input to D as we are giving it the security parameter $\lambda$ is this correct? And why does it need it? I also guessed that $\ell_i$ where functions but how does this makes sense with the pseudorandom generator trying to act as the function f which has some input and output dimension independent on $\lambda$? – StackExchangeMMH Sep 27 '23 at 19:06
  • 1
    These are comments. $D$ must be playing same rules. How it will know the key size/ input output size? $\ell$ is used to parametrize the the $F$'s dimension depending on $\lambda$ – kelalaka Sep 27 '23 at 19:19
  • Can someone write a good answer for this? – kelalaka Sep 28 '23 at 16:05
  • Overall, for computational security we need a notion of "efficient" algorithms, which are the key gen, encryptions or even the adversary. So they are all PPTs. Efficiency means polynomial running time in the input. So Q1) We demand that $D$ is an efficient algorithm regarding the security parameter. Arguably, if $D$ can do more computation, it might break the scheme. – Marc Ilunga Sep 29 '23 at 11:05
  • Q2) We think of the security parameter as defining a family of functions. So there isn't a single pseudo random function, but a family of them with input-output length depending on the security parameter and the family itself. So think of this as a generic way to construct similar constructions in a way that we can "tune" the security as high as we want. – Marc Ilunga Sep 29 '23 at 11:10
  • Thank you for taking your time to comment Marc! – StackExchangeMMH Sep 29 '23 at 18:42

0 Answers0