- $\G3$ we don't. We construct a number of hybrid games~$\H{i}$ for $0 \le i
- \le q$ in which encryption query~$j$ (for $0 \le j < q$) is handled as
- follows: if $0 \le j < i$ then the query is handled as in $\G3$; if $i \le
- j < q$ then the query is handed as in $\G2$. Let $T_i$ be the event that
- the adversary wins in game $\H{i}$. Clearly, $\H0 \equiv \G2$, and $\H{q}
- \equiv \G3$. For each adjacent pair of hybrid games $\H{i}, \H{i+1}$ (for
- $0 \le i < q$), we can bound $|{\Pr[T_{i+1}} - \Pr[T_i]|$ by considering an
- adversary attacking~$g^{(n)}$ by running~$A$ and using its input as the XOR
- mask~$p$ for query~$i$, and following the rules of game~$\H{i}$ for the
- other queries: then if $y$~is random, it simulates $\H{i+1}$, whereas if
- $y$ is the output of $g^{(n)}$ then it simulates $\H{i}$. Thus
- $|{\Pr[T_{i+1}} - \Pr[T_i]| \le \mu \cdot \InSec{prg}(g; t)$ (by the answer
- to \ref{ex:dbl-prg}), and $|{\Pr[S_3]} - \Pr[S_2]| = |{\Pr[T_{q-1}]} -
- \Pr[T_0]| \le q \mu \cdot \InSec{prg}(g; t)$ as claimed.
+ $\G3$ we don't. Unfortunately, while the left-or-right attack game allows
+ multiple queries and hence multiple samples from the PRG, the PRG attack
+ game only provides one sample. To bridge the gap, we construct a number of
+ hybrid games~$\H{i}$ for $0 \le i \le q$ in which encryption query~$j$ (for
+ $0 \le j < q$) is handled as follows: if $0 \le j < i$ then the query is
+ handled as in $\G3$; if $i \le j < q$ then the query is handed as in $\G2$.
+ Let $T_i$ be the event that the adversary wins in game $\H{i}$. Clearly,
+ $\H0 \equiv \G2$, and $\H{q} \equiv \G3$. For each adjacent pair of hybrid
+ games $\H{i}, \H{i+1}$ (for $0 \le i < q$), we can bound $|{\Pr[T_{i+1}} -
+ \Pr[T_i]|$ by considering an adversary attacking~$g^{(n)}$ by running~$A$,
+ using as its input the XOR mask~$p$ for query~$i$, and following the rules
+ of game~$\H{i}$ for the other queries: then if $y$~is random, it simulates
+ $\H{i+1}$, whereas if $y$ is the output of $g^{(n)}$ then it simulates
+ $\H{i}$. Thus $|{\Pr[T_{i+1}} - \Pr[T_i]| \le \mu \cdot \InSec{prg}(g; t)$
+ (by the answer to \ref{ex:dbl-prg}), and $|{\Pr[S_3]} - \Pr[S_2]| =
+ |{\Pr[T_{q-1}]} - \Pr[T_0]| \le q \mu \cdot \InSec{prg}(g; t)$ as claimed.
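Review bot: the final telescoping step on the last two added lines uses the wrong hybrid index: with $\H0 \equiv \G2$ and $\H{q} \equiv \G3$ as stated just above, the difference $|{\Pr[S_3]} - \Pr[S_2]|$ equals $|{\Pr[T_q]} - \Pr[T_0]|$, not $|{\Pr[T_{q-1}]} - \Pr[T_0]|$; summing the $q$ adjacent-pair bounds for $0 \le i < q$ then gives the claimed $q \mu \cdot \InSec{prg}(g; t)$, so only the subscript needs changing to `|{\Pr[T_q]} - \Pr[T_0]| \le q \mu \cdot \InSec{prg}(g; t)`. The same lines (and the corresponding removed ones) also carry a missing closing bracket in `$|{\Pr[T_{i+1}} - \Pr[T_i]|$`, which should read `$|{\Pr[T_{i+1}]} - \Pr[T_i]|$` to match the `{\Pr[S_3]}` form used two lines later; this is carried over from the removed text rather than introduced here, but since the paragraph is being rewritten anyway it is worth fixing in the same commit. Minor: "the query is handed as in $\G2$" should be "handled", matching the $\G3$ clause in the same sentence.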