
Cryptography, Winter Term 16/17: Sample Solution To Assignment 5

This document contains solutions to cryptography assignment problems. The solutions include: 1) Answering whether statements about cryptography are true or false, and explaining the reasoning. 2) Calculating the penalty value for an exam question to ensure students guessing randomly average 0 points. 3) Proving that composing two pseudorandom generators (PRGs) results in a new PRG with an expanded output length. 4) Describing an attack showing that incrementing the initialization vector in CBC mode by 1 each time does not provide CPA security.


Cryptography, winter term 16/17:
Sample solution to assignment 5

Cornelius Brand, Marc Roth

Exercise 5.1 (Warm up, 5 Bonus Points) Decide for each of the following statements
whether it is true or false. Explain your answer briefly.

(a) Perfect indistinguishability and perfect secrecy are equivalent.

(b) For all events A and B it holds that

Pr[A] = Pr[A|B]Pr[B] + Pr[A ∧ ¬B]

(c) Given a PRF $F_k$, the function $F'_k(x) := F_k(x) \| F_k(x)$ is also a PRF.

(d) It is possible to construct an encryption scheme with a keyspace of constant size
that has indistinguishable encryptions in the presence of an eavesdropper.

(e) It is possible to construct an encryption scheme that is perfectly secret but not
CPA-secure.

Solution 5.1 (Warm up, 5 Bonus Points) a) Yes, proof was e.g. on sheet 2.

b) Yes, by definition of conditional probability, the first product is just $\Pr[A \cap B]$, and
now by additivity of $\Pr[\cdot]$, the claim follows (since $(A \cap B) \cup (A \cap \neg B) = A$).

c) No, because every $y$ in the image of $F'_k$ has the property that $y_i = y_{i+|y|/2}$ for
$1 \le i \le |y|/2$, which a random string has only with negligible probability.

d) No, the adversary can brute-force the key.

e) Yes, e.g. the one-time-pad.

Exercise 5.2 (Basic Probability, 4 Bonus Points) Assume you are a TA in the
cryptography lecture and you want to pose a fair multiple choice exercise in the midterm
exam. There will be n questions and each question has 4 options from which exactly one
is correct. This exercise will be graded as follows:
A correct answer will give 1 point. An answer is correct if the right option was chosen
and no other option was. An invalid answer will give 0 points. An answer is invalid if
no or more than one option was chosen. To avoid the possibility of guessing, a wrong
answer will give −k points. An answer is wrong if exactly one wrong option was picked.
Your task is to compute the value of k such that a student who picks one option of each
question uniformly at random will get 0 points in expectation.

Solution 5.2 (Basic Probability, 4 Bonus Points) By linearity of expectation and
the fact that 0 + 0 = 0, it suffices to show that the expected gain of a student is 0 for a
single question. The correct answer is picked with probability 1/4, and gives one point.
Thus, the expectation is $\frac{1}{4} \cdot 1 - \frac{3}{4} k$. Setting this expression to 0 and solving for k yields
k = 1/3.

Exercise 5.3 (Composition of PRGs, 4 Bonus Points) Let $G_1$ and $G_2$ be PRGs
with expansion factors $\ell_1$ and $\ell_2$, respectively. Prove that $G(s) := G_1(G_2(s))$ is a PRG
with expansion factor $\ell(n) = \ell_1(\ell_2(n))$.

Solution 5.3 (Composition of PRGs, 4 Bonus Points) First, note that if $\ell_1$ and
$\ell_2$ are polynomials, then $\ell_1 \circ \ell_2 =: p$ is one as well. Assume we had a distinguisher $D$ for
$G_1 \circ G_2$ that succeeds with probability, say, $\frac{1}{q(n)}$ for some positive polynomial $q$.
We claim that this enables us to construct a distinguisher $D_2$ for $G_2$ as follows: Upon
input $x$, $D_2$ just runs $D(G_1(x))$ and returns its answer. We analyse the success probability:

$$
\begin{aligned}
& \left| \Pr_{s \in \{0,1\}^n}[D_2(G_2(s)) = 1] - \Pr_{r \in \{0,1\}^{\ell_2(n)}}[D_2(r) = 1] \right| \\
={} & \left| \Pr_{s \in \{0,1\}^n}[D(G_1(G_2(s))) = 1] - \Pr_{r \in \{0,1\}^{\ell_2(n)}}[D(G_1(r)) = 1] \right| \\
={} & \left| \Pr_{s \in \{0,1\}^n}[D(G(s)) = 1] - \Pr_{r \in \{0,1\}^{\ell_2(n)}}[D(G_1(r)) = 1] \right| \\
={} & \Big| \Pr_{s \in \{0,1\}^n}[D(G(s)) = 1] - \Pr_{r \in \{0,1\}^{\ell_1(\ell_2(n))}}[D(r) = 1] \\
    & \quad + \Pr_{r \in \{0,1\}^{\ell_1(\ell_2(n))}}[D(r) = 1] - \Pr_{r \in \{0,1\}^{\ell_2(n)}}[D(G_1(r)) = 1] \Big| \\
\ge{} & \left| \Pr_{s \in \{0,1\}^n}[D(G(s)) = 1] - \Pr_{r \in \{0,1\}^{\ell_1(\ell_2(n))}}[D(r) = 1] \right| \\
    & \quad - \left| \Pr_{r \in \{0,1\}^{\ell_1(\ell_2(n))}}[D(r) = 1] - \Pr_{r \in \{0,1\}^{\ell_2(n)}}[D(G_1(r)) = 1] \right| \\
\ge{} & \frac{1}{q(n)} - \mathrm{negl}(p(n))
\end{aligned}
$$

where the first inequality follows from the reverse triangle inequality $|x + y| \ge |x| - |y|$,
and the second from the assumption on $D$ and the fact that we know that $G_1$ is a
pseudorandom generator, and hence $D$ can only have success probability bounded by
$\mathrm{negl}(\ell_1(\ell_2(n))) = \mathrm{negl}(p(n))$, which is again negligible.
The proof is finished by noting that $\frac{1}{q(n)} - \mathrm{negl}(n)$ is non-negligible for all positive
polynomials $q$ and negligible functions $\mathrm{negl}$.

Exercise 5.4 (Modification of CBC, 4 Bonus Points) Consider the variant of
CBC-mode where the sender simply increments the IV by 1 each time a message is encrypted
(rather than choosing IV at random each time). Show that the resulting scheme is not
CPA-secure.

Solution 5.4 (Modification of CBC, 4 Bonus Points) We design an adversary A
that wins over guessing with non-negligible probability. It proceeds as follows:

a) Query the encryption oracle with $m = 0^{n-1}1$ and receive a ciphertext $\langle IV, c \rangle$.

b) If IV is odd, i.e. has as last bit 1, then output a random bit.

c) If IV is even, i.e. has as last bit 0, then output $m_0 = 0^n$ and arbitrary $m_1$ to be
encrypted.

d) Receive the challenge ciphertext $\langle IV + 1, c' \rangle$, and output 0 if $c' = c$, and 1 otherwise.

We claim that this adversary succeeds with probability that is greater than 1/2 by a
non-negligible function (in fact, even a constant). First, by guessing randomly, A succeeds
with probability $\frac{1}{2}$ if IV is odd, which is $\frac{1}{4}$ of the cases.
If IV is even, then $IV + 1 = IV \oplus 0^{n-1}1$. Therefore, $c = F_k(IV \oplus m) = F_k(IV \oplus
0^{n-1}1) = F_k(IV + 1) = F_k(IV + 1 \oplus 0) = F_k((IV + 1) \oplus m_0)$, and so if $m_0$ was encrypted,
then $c = c'$. On the other hand, if $m_1$ was encrypted, then $c \neq c'$. That is, whenever IV
is even, A decides correctly which message was encrypted. This covers exactly $\frac{1}{2}$ of the
cases. In total, this shows that A wins in $\frac{3}{4}$ of all cases.
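
The CPA experiment from Solution 5.4, as an added example that is not part of the original solution sheet: it runs adversary A against single-block CBC with an incrementing IV and, for comparison, against the same scheme with a fresh random IV per message. Assumptions: F_k is modelled by HMAC-SHA256 truncated to 16 bytes (a PRF standing in for the block cipher, since only the encryption direction is needed), and the names CbcOracle, adversary_wins and win_rate are chosen here.

```python
import hashlib
import hmac
import secrets

BLOCK = 16              # block length n in bytes (assumed: 128-bit blocks)
MOD = 1 << (8 * BLOCK)  # IVs and messages are integers in [0, 2^n)


def F(key: bytes, x: int) -> bytes:
    """Stand-in for F_k (assumption): HMAC-SHA256 truncated to one block."""
    return hmac.new(key, x.to_bytes(BLOCK, "big"), hashlib.sha256).digest()[:BLOCK]


class CbcOracle:
    """Single-block CBC encryption oracle: returns (IV, F_k(IV xor m))."""

    def __init__(self, counter_iv: bool):
        self.key = secrets.token_bytes(32)
        self.counter_iv = counter_iv
        self.next_iv = secrets.randbelow(MOD)  # starting IV

    def encrypt(self, m: int):
        iv = self.next_iv
        # Variant from Exercise 5.4: IV + 1; standard CBC: fresh random IV.
        self.next_iv = (iv + 1) % MOD if self.counter_iv else secrets.randbelow(MOD)
        return iv, F(self.key, iv ^ m)


def adversary_wins(counter_iv: bool) -> bool:
    """One run of the CPA experiment with adversary A from Solution 5.4."""
    oracle = CbcOracle(counter_iv)
    b = secrets.randbelow(2)             # challenger's hidden bit
    iv, c = oracle.encrypt(1)            # a) query m = 0^{n-1}1
    if iv & 1:                           # b) IV odd: output a random bit
        return secrets.randbelow(2) == b
    m0, m1 = 0, MOD - 1                  # c) m0 = 0^n, arbitrary m1 (here 1^n)
    _, c_chal = oracle.encrypt(m1 if b else m0)
    return (0 if c_chal == c else 1) == b  # d) output 0 iff c' = c


def win_rate(counter_iv: bool, trials: int = 4000) -> float:
    """Empirical success probability of A over independent experiments."""
    return sum(adversary_wins(counter_iv) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("counter IV:", win_rate(True))   # close to 3/4
    print("random IV: ", win_rate(False))  # close to 1/2
```

With the random IV the comparison in step d) almost never matches, so A's output is independent of the challenge bit and its advantage disappears.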
