Tutorial4 Solutions
Spring 2019
Submission Guidelines All problems must be solved in class today. Searching on the internet for solutions
is strictly discouraged.
1. Prove that an efficient pseudorandom function with input length log_2 n and key length p(n) (for some polynomial p) exists unconditionally. State any assumptions you make about p and also specify what the output length of the PRF should be.
A: Assume n ∣ p(n). We will define a random function F_k with output length m(n) = p(n)/2^{log_2 n} = p(n)/n bits. Define F_k(x) for k ∈ {0,1}^{p(n)} and x ∈ {0,1}^{log_2 n} as follows: divide k into n = 2^{log_2 n} blocks k_1, k_2, ..., k_n of m(n) bits each, and output k_x, which is m(n) bits long. Since k is uniformly distributed in {0,1}^{p(n)}, so is k_x in {0,1}^{m(n)}.
Even when n ∤ p(n), one can choose m(n) = ⌊p(n)/n⌋ (assuming p(n) ≥ n), discarding the last p(n) mod n bits of k.
2. Let G : {0,1}^n → {0,1}^ℓ be a pseudorandom generator. Define G'(s) (for s ∈ {0,1}^n) to be the first n bits of G(s). Is the function F_k : {0,1}^n → {0,1}^n (where k ∈ {0,1}^n) defined as F_k(x) = G'(k) ⊕ x pseudorandom? Justify your answer.
A: F_k is not pseudorandom when more than one query is allowed. An attacker can query F_k(0^n), obtain G'(k), and then compute F_k(x) for any input x of its choice without knowledge of k (so every further output of the function is completely predictable).
3. Let F = {F_k : {0,1}^n → {0,1}^n}_{k ∈ {0,1}^n} be a pseudorandom function and G a pseudorandom generator with input length n and output length ℓ = n + 1. For each of the following encryption schemes, state whether the scheme is IND-EAV-secure and whether it is IND-CPA-secure. In each case, the shared key k is chosen uniformly at random from {0,1}^n.
(a) To encrypt m ∈ {0,1}^{2n+2}, parse m as m_1 ∣∣ m_2 with ∣m_1∣ = ∣m_2∣ and send ⟨G(k) ⊕ m_1, G(k+1) ⊕ m_2⟩.
A: Essentially, the key stream of length 2n + 2 masking the message is generated as G(k) ∣∣ G(k+1). This string need not be pseudorandom, since k+1 is not uniformly distributed in {0,1}^n conditioned on k (the second seed is completely determined by the first). Hence, we cannot say that the scheme has indistinguishable encryptions in the presence of an eavesdropper, i.e., IND-EAV security.
(b) For a message m ∈ {0,1}^{n+1}, choose a random r ←_R {0,1}^n and compute the ciphertext as ⟨r, G(r) ⊕ m⟩.
A: This scheme is not secure at all, since no secret key is used in encryption. Using r (sent in the clear), anyone can compute G(r) and unmask the message.
(c) Encrypt m ∈ {0,1}^n as m ⊕ F_k(0^n).
A: F_k(0^n) is pseudorandom but is the same value every time the function is evaluated, so it can safely be used for only a single encryption. Thus the scheme is IND-EAV-secure.
(d) Parse message m ∈ {0,1}^{2n} as m_1 ∣∣ m_2 with ∣m_1∣ = ∣m_2∣, choose r ←_R {0,1}^n and encrypt as ⟨r, m_1 ⊕ F_k(r), m_2 ⊕ F_k(r+1)⟩.
A: Since k is chosen at random and F_k is a pseudorandom function, F_k(r) and F_k(r+1) (evaluations at two distinct points) are indistinguishable from uniformly and independently distributed values in {0,1}^n. Hence, the scheme is IND-CPA-secure (a detailed proof may be worked out in class).
4. Assume that F is a pseudorandom permutation. Show that there exists a function F' that is a PRP but is not a strong PRP.
A: Define

$$
F'_k(x) =
\begin{cases}
0^n & \text{if } x = k,\\
F_k(k) & \text{if } x = F_k^{-1}(0^n),\\
F_k(x) & \text{otherwise},
\end{cases}
$$

so that F'_k remains a permutation (the images of k and F_k^{-1}(0^n) are simply swapped). The inverse of F'_k is then

$$
(F'_k)^{-1}(y) =
\begin{cases}
k & \text{if } y = 0^n,\\
F_k^{-1}(0^n) & \text{if } y = F_k(k),\\
F_k^{-1}(y) & \text{otherwise}.
\end{cases}
$$

So, given oracle access to (F'_k)^{-1}, a distinguisher can completely recover the key by querying it on 0^n, and can then detect whether or not the function is random (by checking that the recovered k predicts the answers of the forward oracle).
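As an added worked example (not part of the tutorial), the construction above in Python: the PRP F_k is a constructed toy stand-in (a permutation of an 8-bit domain chosen by seeding a PRNG with k, not a cipher), F'_k and its inverse follow the two case definitions, and the distinguisher recovers k from the single inverse query at 0^n before confirming that it predicts the forward oracle.

```python
import functools
import random

N_BITS = 8             # toy block size: keys, inputs and outputs are n-bit values, 0^n is the integer 0
DOMAIN = 1 << N_BITS   # {0,1}^n represented as the integers 0..255

@functools.lru_cache(maxsize=None)
def _perm(k):
    """Stand-in for the PRP F_k (a constructed toy, not a cipher): a permutation fixed by seeding a PRNG with k."""
    perm = list(range(DOMAIN))
    random.Random(k).shuffle(perm)
    return tuple(perm)

@functools.lru_cache(maxsize=None)
def _inv_perm(k):
    inv = [0] * DOMAIN
    for x, y in enumerate(_perm(k)):
        inv[y] = x
    return tuple(inv)

def f(k, x):      return _perm(k)[x]       # F_k(x)
def f_inv(k, y):  return _inv_perm(k)[y]   # F_k^{-1}(y)

def f_prime(k, x):
    """F'_k from the solution: the images of k and F_k^{-1}(0^n) are swapped so that F'_k(k) = 0^n."""
    if x == k:
        return 0
    if x == f_inv(k, 0):
        return f(k, k)
    return f(k, x)

def f_prime_inv(k, y):
    """(F'_k)^{-1}, case by case as in the solution; querying it at 0^n hands back the key."""
    if y == 0:
        return k
    if y == f(k, k):
        return f_inv(k, 0)
    return f_inv(k, y)

def is_permutation(k):
    """F'_k must still be a bijection on {0,1}^n and f_prime_inv must invert it (covers the F_k(k) = 0^n corner case)."""
    images = [f_prime(k, x) for x in range(DOMAIN)]
    return sorted(images) == list(range(DOMAIN)) and all(f_prime_inv(k, y) == x for x, y in enumerate(images))

def distinguish(forward_oracle, inverse_oracle, trials=4):
    """Strong-PRP distinguisher: recover k with one inverse query at 0^n, then check it predicts forward answers.
    Against a truly random permutation the recovered 'key' predicts them only with negligible probability."""
    k_guess = inverse_oracle(0)
    xs = random.Random(1).sample(range(DOMAIN), trials)
    return all(forward_oracle(x) == f_prime(k_guess, x) for x in xs)
```

Running is_permutation over all 256 toy keys confirms F'_k is still a permutation, while distinguish shows why the inverse oracle breaks strong-PRP security.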