\section{Problem 6}
\paragraph{Construction}

Fix the security parameter $n$.

\begin{enumerate}
    \item Sample two independent keys  
    $k_1, k_2 \leftarrow \mathcal{K}_n$ for the given CRHF family $F$,  
    and two independent random strings  
    $r_1, r_2 \leftarrow \{0,1\}^{2n}$.

    \item Define the public index  
    $j := (k_1, k_2, r_1, r_2)$ and the function  
    \[
    g_j : \{0,1\}^{4n} \longrightarrow \{0,1\}^{2n}, \qquad  
    g_j(x_L \| x_R) = f_{k_1}(x_L) \; \| \; f_{k_2}(x_R),
    \]
    where $x_L, x_R \in \{0,1\}^{2n}$.

    \item Define two predicates  
    \[
    h_1(x_L \| x_R) = \langle r_1, x_L \rangle, \qquad  
    h_2(x_L \| x_R) = \langle r_2, x_R \rangle,
    \]
    where $\langle \cdot, \cdot \rangle$ is the inner product modulo 2.
\end{enumerate}

We obtain a family  
\[
G = \{ G^n = \{ g_j \}_{j \in \mathcal{J}_n} \}_{n \in \mathbb{N}}
\]
with:

\begin{itemize}
    \item Input length $l(n) = 4n$,  
    \item Output length $m(n) = 2n$ (hence $l(n) = 2m(n)$).
\end{itemize}

\paragraph{1. Collision resistance of $G$}

Assume a PPT adversary outputs a collision  
$x_L \| x_R \neq x_L' \| x_R'$ with  
$g_j(x_L \| x_R) = g_j(x_L' \| x_R')$.  

Then
\[
f_{k_1}(x_L) = f_{k_1}(x_L') \quad \text{and} \quad  
f_{k_2}(x_R) = f_{k_2}(x_R').
\]
If $x_L \neq x_L'$, we obtain a collision for $f_{k_1}$;  
otherwise, $x_R \neq x_R'$ gives a collision for $f_{k_2}$.  
Either case contradicts the collision resistance of $F$.  
Hence $G$ is a CRHF.

\paragraph{2. $G$ is one-way}

We first show a general fact.

\textbf{Claim.} Any collision-resistant hash function $H : \{0,1\}^M \to \{0,1\}^N$ with $M > N$ is a one-way function.

\textbf{Proof.}  
Suppose a PPT $A$ inverts $H$ with non-negligible probability:  
given $y \gets H(x)$, it outputs $x'$ such that $H(x') = y$.  
Pick $x \leftarrow \{0,1\}^M$, set $y = H(x)$, and run $A(y) \to x'$.  
With probability at least $1/2$, we have $x' \neq x$ (because $|\text{Dom}| > |\text{Rng}|$), producing the collision $(x, x')$.  
This contradicts collision resistance. \qed

Since $G$ is collision resistant and $4n > 2n$, $g_j$ is one-way.

\paragraph{3. Hardcore bits $h_1, h_2$}

The Goldreich–Levin (GL) theorem states that for \textbf{any} one-way function $F$, the predicate $\langle r, x \rangle$ (for random $r$) is hardcore.  
Applying GL to the one-way function $x \mapsto g_j(x)$, we obtain:

\[
\Pr\!\bigl[\operatorname{Adv}(1^n, j, g_j(x)) = \langle r_1, x_L \rangle \bigr]  
\le \tfrac{1}{2} + \operatorname{negl}(n),
\]
and the same for $r_2$.  

Because the two inner products involve independent random strings and disjoint parts of the input, the best strategy to predict \textbf{both} bits is to guess; thus

\[
\Pr\!\bigl[\operatorname{Adv}(1^n, j, g_j(x)) = (h_1(x), h_2(x)) \bigr]  
\le \tfrac{1}{4} + \operatorname{negl}(n).
\]

\paragraph{Result}

The family $G$ defined above:

\begin{itemize}
    \item Halves the input length ($l(n) = 2m(n)$),  
    \item Is collision resistant,  
    \item Possesses two hardcore bits $h_1, h_2$ satisfying the required bound.
\end{itemize}

Hence, it fulfills all the conditions of the problem. \qed
\end{document}
