
CS 171, Spring 2024                                    Prof. Sanjam Garg

CS 171: Problem Set 3


Due Date: February 15th, 2024 at 8:59pm via Gradescope

1. Pseudorandom Functions
Let f : {0,1}^n × {0,1}^n → {0,1}^n be a pseudorandom function (PRF). For the functions f′
below, either prove that f′ is a PRF (for all choices of f), or prove that f′ is not a PRF.

(a) f′_k(x) := f_k(0||x) || f_k(1||x).

(b) f′_k(x) := f_k(0||x) || f_k(x||1).

Solution

(a) Yes, f′ is a PRF. Suppose for the purpose of contradiction that f′ is not a PRF. Then
there exists a PPT A that breaks the PRF security of f′. Construct a PPT B using A to
break the PRF security of f as follows: B runs A internally. To answer A's query for
x, B queries the oracle (or challenger) with inputs 0||x and 1||x to get back y_0 and y_1. B
then responds y_0||y_1 to A. Finally, B outputs whatever A outputs.
By definition, B querying f_k(·) gives A access to f′_k(·). If B is querying a random function
F : {0,1}^n → {0,1}^n, this gives A access to a random function F′ : {0,1}^{n−1} → {0,1}^{2n},
where F′ is defined as F′(x) = F(0||x)||F(1||x) (this defines a one-to-one mapping from
random F to random F′). Therefore,

$$
\bigl|\Pr[B^{f_k(\cdot)}(1^n) = 1] - \Pr[B^{F(\cdot)}(1^n) = 1]\bigr|
= \bigl|\Pr[A^{f'_k(\cdot)}(1^{n-1}) = 1] - \Pr[A^{F'(\cdot)}(1^{n-1}) = 1]\bigr|
\ge \mathrm{nonnegl}(n)
$$

Hence B breaks the PRF security of f , contradiction.

(b) No. Construct A to break f′: it queries for x = 0...0 and x = 0...01 (both of length n−1).
The second half of f′_k(0...0) is f_k(0...0||1) = f_k(0^{n−1}1), and the first half of f′_k(0...01)
is f_k(0||0...01) = f_k(0^{n−1}1), so the two halves are always equal for f′_k. A outputs 1 if
the halves agree; for a random function this happens only with probability 2^{−n}.
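As an added example (not part of the solution sheet): a Python model of the distinguisher for (b), with f_k instantiated as HMAC-SHA256 truncated to a block and the page's single prefix/suffix bit scaled to a byte; the names f_prime_a, f_prime_b, random_function and distinguisher are assumptions. Running the same check against construction (a) shows that the halves no longer line up there, though that alone is not a proof that (a) is a PRF (the proof is the reduction above).

```python
import hashlib, hmac, os

N = 16   # toy block length in bytes: f_k maps N-byte inputs to N-byte outputs

def f(k, x):
    """Stand-in PRF f_k: HMAC-SHA256 truncated to N bytes (an assumption, not the page's f)."""
    assert len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def f_prime_a(k, x):               # construction (a): f'_k(x) = f_k(0||x) || f_k(1||x)
    assert len(x) == N - 1         # the page's prefix bit becomes a prefix byte here
    return f(k, b"\x00" + x) + f(k, b"\x01" + x)

def f_prime_b(k, x):               # construction (b): f'_k(x) = f_k(0||x) || f_k(x||1)
    assert len(x) == N - 1
    return f(k, b"\x00" + x) + f(k, x + b"\x01")

def random_function():
    """A lazily sampled random function from (N-1)-byte inputs to 2N-byte outputs."""
    table = {}
    return lambda x: table.setdefault(x, os.urandom(2 * N))

def distinguisher(oracle):
    """The adversary A from the solution to (b): query x = 0...0 and x = 0...01.
    Under (b) the second half of f'(0...0) is f_k(0...0||1) and the first half of
    f'(0...01) is f_k(0||0...01): the same input, so the halves agree. For a random
    function they agree with probability 2^{-8N}. Output 1 means "this is f'_k"."""
    y_zero = oracle(bytes(N - 1))              # x = 0...0
    y_one = oracle(bytes(N - 2) + b"\x01")     # x = 0...01
    return 1 if y_zero[N:] == y_one[:N] else 0
```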

2. Weak CPA Security


Consider a weaker definition of CPA security where in the indistinguishability experiment
the adversary A is not given oracle access to Enc_k(·) after choosing m_0, m_1. That is, A can
only query Enc_k(·) in phase 1, but not in phase 2. We call this definition weak-CPA-security.
Prove that weak-CPA-security is equivalent to CPA-security (i.e., Definition 3.22 in the
textbook).

Hint: Begin by showing via a hybrid argument that any A interacting in the usual CPA game
cannot distinguish whether its phase 2 queries are answered honestly (that is, whether the response
to the query m is Enc_k(m) or an encryption of 0, Enc_k(0)).

Solution One of the directions is easy to see: CPA security implies weak-CPA security, since a
weak-CPA adversary is just a CPA adversary that makes no phase-2 queries. We will show that
weak-CPA-security implies CPA security.


Consider an encryption scheme (Gen, Enc, Dec) for message space M that is weak-CPA
secure. We will now show that it is CPA secure via a hybrid argument. Specifically, we will
define a sequence of hybrids starting with the hybrid which corresponds to the CPA
experiment with the bit b = 0 and ending with a hybrid which corresponds to the CPA experiment
with the bit b = 1. We will show that each pair of consecutive hybrids is indistinguishable
by the weak CPA security of the encryption scheme.

Hyb_0: This corresponds to the standard CPA experiment where the bit b = 0. More formally,
for any adversary A,

1. A key k is generated by running Gen(1^n).

2. The adversary A on input 1^n and oracle access to Enc_k(·) produces a pair of messages
m_0, m_1.

3. c* is generated as Enc_k(m_0).

4. The adversary A continues to have oracle access to Enc_k(·) and outputs a bit b′.

5. The output of the experiment is defined to be b′.

We now give the next hybrid.

Hyb_1: This is identical to the previous hybrid except that the last query to the encryption
oracle (say on a message m) in Phase-2 is answered as Enc_k(m*) where m* is an arbitrary
message in M. More formally, for any adversary A,

1. A key k is generated by running Gen(1^n).

2. The adversary A on input 1^n and oracle access to Enc_k(·) produces a pair of messages
m_0, m_1.

3. c* is generated as Enc_k(m_0).

4. The adversary A continues to have oracle access to Enc_k(·) except that for the last
query on a message m ∈ M, we answer it as Enc_k(m*) for some arbitrary m* ∈ M.
The adversary outputs b′.

5. The output of the experiment is defined to be b′.

More generally, we define Hyb_j as follows:

Hyb_j:

1. A key k is generated by running Gen(1^n).

2. The adversary A on input 1^n and oracle access to Enc_k(·) produces a pair of messages
m_0, m_1 ∈ M.

3. c* is generated as Enc_k(m_0).


4. The adversary A continues to have oracle access to Enc_k(·) except that for the last
j queries to the encryption oracle, we answer them as independent encryptions of m*.
The adversary outputs b′.

5. The output of the experiment is defined to be b′.

We now show that for any j ∈ [q], where q is the number of queries that the adversary makes in
phase-2, Hyb_j is computationally indistinguishable from Hyb_{j−1}.

Claim 0.1 Assume that (Gen, Enc, Dec) satisfies the weak CPA security definition. Then,
for any adversary A and j ∈ [q], there exists a negligible function negl(·) such that

$$
\bigl|\Pr[\mathrm{Hyb}_{j-1}\ \text{outputs}\ 1] - \Pr[\mathrm{Hyb}_j\ \text{outputs}\ 1]\bigr| \le \mathrm{negl}(n).
$$

Proof Assume for the sake of contradiction that there exists an adversary A and j ∈ [q]
such that for every negligible function negl(·),

$$
\bigl|\Pr[\mathrm{Hyb}_{j-1}\ \text{outputs}\ 1] - \Pr[\mathrm{Hyb}_j\ \text{outputs}\ 1]\bigr| \ge \mathrm{negl}(n).
$$

We will now use such an adversary A and the corresponding j to construct an adversary B
against the weak CPA security definition of (Gen, Enc, Dec). We now give the description of
B.

Description of B.

1. B on input 1^n starts running A on input 1^n.

2. Phase-1 oracle queries. For every query that A makes to the encryption oracle
in phase-1, B answers it using its own encryption oracle. Specifically, for every
message m that A queries to the Enc_k(·) oracle, B submits m as the message to its Enc_k(·)
oracle and obtains the response. It forwards this response to A.

3. Challenge Messages. A now submits two messages m_0, m_1. B queries its encryption
oracle on m_0, obtains the response and gives it to A.

4. Phase-2 oracle queries. For every query except the last j queries that A makes
to the encryption oracle, B answers it exactly as in phase-1. When A asks its
(q − j + 1)-th query on a message m, B does the following. It makes (j − 1) queries to its
encryption oracle on m* and obtains the corresponding ciphertexts. It then submits
(m, m*) as the challenge messages to the weak CPA security challenger and obtains c*
as the challenge ciphertext. It returns c* as the response to the (q − j + 1)-th query.
For the last (j − 1) queries, it uses the encryptions obtained on m* to answer them.

5. A finally outputs a bit b′ and B outputs this bit.

Now, note that if c* is an encryption of the message m, then the view of A is identically
distributed to Hyb_{j−1}. On the other hand, if c* was an encryption of the message m*, then
the view of A is identically distributed to Hyb_j. Thus, if for every negligible function,

$$
\bigl|\Pr[\mathrm{Hyb}_{j-1}\ \text{outputs}\ 1] - \Pr[\mathrm{Hyb}_j\ \text{outputs}\ 1]\bigr| \ge \mathrm{negl}(n)
$$


then, for every negligible function negl(·),

$$
\Pr[\mathrm{PrivK}^{\mathrm{wcpa}}_{B,\Pi} = 1] \ge 1/2 + \mathrm{negl}(n),
$$

and this contradicts the weak CPA security of Π = (Gen, Enc, Dec).

Summing over all q consecutive pairs of hybrids,

$$
\begin{aligned}
\bigl|\Pr[\mathrm{Hyb}_0\ \text{outputs}\ 1] - \Pr[\mathrm{Hyb}_q\ \text{outputs}\ 1]\bigr|
&\le \sum_{j \in [q]} \bigl|\Pr[\mathrm{Hyb}_{j-1}\ \text{outputs}\ 1] - \Pr[\mathrm{Hyb}_j\ \text{outputs}\ 1]\bigr| \\
&\le q \cdot \mathrm{negl}(n) \quad \text{(from Claim 0.1)} \\
&= \mathrm{negl}'(n).
\end{aligned}
$$

Now, notice that in Hyb_q, all the phase-2 queries of A are answered with encryptions of
an arbitrary message m*. Thus, via an argument identical to Claim 0.1, we can show that
Hyb_q is computationally indistinguishable from Hyb*, where the challenge ciphertext that was
given to A is an encryption of m_1. Now, again via the same argument as before, we can show
that Hyb* is computationally indistinguishable from the standard CPA security game where
b = 1. Thus, (Gen, Enc, Dec) is standard CPA secure.

3. Modes of operation are not CCA-secure

Show that the CBC and CTR modes of encryption are not CCA-secure.

Solution

1. CBC: Define an adversary A that outputs the messages m_0 = 0^n and m_1 = 1^n to the
challenger, and receives a challenge ciphertext (IV, c). Note that for CBC mode, we
have c = F_k(IV ⊕ m_b). The adversary then issues a decryption query for the ciphertext
(0^n, c). This is a valid query since IV ≠ 0^n with overwhelming probability.
Now, the result for this query is m′ = F_k^{−1}(c) ⊕ 0^n, which is just IV ⊕ m_b. The
adversary then computes m′ ⊕ IV – this is either m_0 or m_1, which allows the adversary
to guess the correct bit.

2. CTR: Define an adversary A that outputs the messages m_0 = 0^n and m_1 = 1^n to
the challenger, and receives a challenge ciphertext (IV, c). Note that for CTR mode,
we have c = F_k(IV + 1) ⊕ m_b. The adversary then issues a decryption query for the
ciphertext (IV, 0^n). This is a valid query since c ≠ 0^n with overwhelming probability.
Now, the result for this query is m′ = F_k(IV + 1) ⊕ 0^n, which is just
F_k(IV + 1). The adversary then computes m′ ⊕ c – this is either m_0 or m_1, which
allows the adversary to guess the correct bit.
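As an added example (not part of the solution sheet): a Python model of both adversaries against one-block CBC and CTR, with F_k instantiated as a 4-round Feistel network over HMAC-SHA256 so that F_k^{-1} exists; the PRP, the oracle interface and the function names are assumptions. The decryption oracle enforces the CCA rule that the challenge ciphertext itself is refused, which is exactly why the modified ciphertexts (0^n, c) and (IV, 0^n) are the interesting queries; from the defender's side, this is the case for authenticating ciphertexts (a MAC or an AEAD mode) rather than relying on a bare mode of operation.

```python
import hashlib, hmac, os, secrets
BLOCK = 16                                 # toy block size in bytes (n = 128 bits)
M0, M1 = bytes(BLOCK), b"\xff" * BLOCK     # the adversary's challenge messages 0^n and 1^n

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(k, i, half):                    # Feistel round function: HMAC-SHA256 as a PRF
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def prp(k, x):                             # F_k: a 4-round Feistel network, hence invertible
    l, r = x[:BLOCK // 2], x[BLOCK // 2:]
    for i in range(4):
        l, r = r, xor(l, _round(k, i, r))
    return l + r

def prp_inv(k, y):                         # F_k^{-1}, needed only by CBC decryption
    l, r = y[:BLOCK // 2], y[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(k, i, l)), l
    return l + r

def cbc_enc(k, m):                         # one-block CBC: (IV, F_k(IV xor m))
    iv = os.urandom(BLOCK)
    return iv, prp(k, xor(iv, m))
def cbc_dec(k, iv, c):
    return xor(prp_inv(k, c), iv)

def _ctr_block(iv):                        # the counter block IV + 1 (mod 2^n)
    return ((int.from_bytes(iv, "big") + 1) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")
def ctr_enc(k, m):                         # one-block CTR: (IV, F_k(IV + 1) xor m)
    iv = os.urandom(BLOCK)
    return iv, xor(prp(k, _ctr_block(iv)), m)
def ctr_dec(k, iv, c):
    return xor(prp(k, _ctr_block(iv)), c)

def cbc_attack(challenge, dec_oracle):     # query (0^n, c) -> IV xor m_b; xor with IV gives m_b
    iv, c = challenge
    return 0 if xor(dec_oracle(bytes(BLOCK), c), iv) == M0 else 1
def ctr_attack(challenge, dec_oracle):     # query (IV, 0^n) -> F_k(IV + 1); xor with c gives m_b
    iv, c = challenge
    return 0 if xor(dec_oracle(iv, bytes(BLOCK)), c) == M0 else 1

def cca_game(enc, dec, attack):            # one run of the CCA experiment; True if A wins
    k, b = os.urandom(BLOCK), secrets.randbits(1)
    challenge = enc(k, M1 if b else M0)
    def dec_oracle(iv, c):                 # the CCA rule: the challenge ciphertext is refused
        assert (iv, c) != challenge, "challenge ciphertext may not be queried"
        return dec(k, iv, c)
    return attack(challenge, dec_oracle) == b
```

Both adversaries win every run except in the negligible-probability events the solution mentions (IV = 0^n for CBC, c = 0^n for CTR), where the oracle would refuse the query.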
