CPSC 91 Computer Security Fall Computer Security. Assignment #2

Transcription

1 CPSC 91 Computer Security Assignment #2 Note that for many of the problems, there are many possible solutions. I only describe one possible solution for each problem here, but we could examine other possible solutions during the lab on Friday Sept. 30. Show that the following are bad pseudorandom functions. 1. H : {0, 1} k {0, 1} n+1 {0, 1} n+1 defined by H(K, b x) = b E(K, x) where b is a single bit ask 0 n+1 to its oracle, receive result y if the first bit of y is a 0, output 1, else output 0 If the oracle is H, then the first bit of the value returned by the oracle is always a 0, so the probability that A outputs 1 is 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length n 1, so the probability that the first bit is a 0 is 1 2. Adv P RF A,E = = 1 2

2 2. J : {0, 1} k+n 2n {0, 1} 2n defined by J(K 1 K 2, x 1 x 2 ) = E(K 1, x 2 ) K 2 x 2 ask 0 02n to its oracle, receive result y ask 0 1n 0 n to its oracle, receive result y split y into two halves y 1 y 2 split y into two halves y 3 y 4 if y 2 = y 4, output 1, else output 0 If the oracle is J, then the second halves of y and y will always be the same because the second halves of 0 2n and 1 n 0 n are the same. So the adversary will output 1 with probability 1. On the other hand, if the oracle is a random function, then the answer to both queries are random strings of length 2n. The second half of the first string string can be anything so 2 n possible choices, but the second half of the second string has to be the same. So in total, there are 2 n possible choices for the two second halves that can make the adversary output 1, compared to a total of 2 2n choices for two strings of length n. So the probability that the adversary outputs 1 when the oracle is a random function is 2n = 1 2 2n 2. n 3. L : {0, 1} k {0, 1} 2n {0, 1} 2n defined by L(K, x 1 x 2 ) = E(K, x 1 ) E(K, 0 n ) x 2 where 0 n is the string composed of n zeroes The exact same adversary as in the previous problem will work for the exact same reason.

3 Show that the following pseudorandom function is good. 4. C : {0, 1} k+n {0, 1} n {0, 1} n defined by C(K 1 K 2, x) = E(K 1, x) K 2 Suppose there is an adversary A O( ) against C. We construct adversary B O ( ) against E as follows: pick a random key K 2 $ {0, 1} n run A O( ). When A O( ) makes a query x to its oracle, B answers it as follows: ask x to oracle O, get answer y calculate z = y K 2 give z back to A as the answer to its query When A is done and outputs a bit b, B outputs the same bit b. Note that, by construction, when B s oracle is the block cipher E, then B s answer to A s oracle queries perfectly simulate the computation of the function C. In addition, B outputs the same result as A. P (K 1 $ {0, 1} k : B E(K 1, ) = 1) = P (K 1 K 2 $ {0, 1} k+n : A C(K 1 K 2, ) On the other hand, when B s oracle is a random function, then B s answers to A s oracle queries are that of a slightly different random function (all the outputs of the function are shifted by an exclusive or with K 2 ), but the probability space is unchanged because for every random function f, there is another random function f whose outputs are exactly the outputs of f exclusive-or-ed with K 2, and both functions have the same probability. P (f $ Rand n n : B f( ) = 1) = P (f $ Rand n n : A f( ) Thus AdvA,G P RF = AdvP RF B,E. In addition, A and B have essentially the same running time. So if A is a good adversary against G, then B is a good adversary against E. Conversely, if no good adversary exist against E, then no good adversary against G can exist either.

4 The remaining questions are from the assignment. 5. Suppose that E : {0, 1} K {0, 1} n {0, 1} n is a secure block cipher (or PRF). Consider E : {0, 1} K {0, 1} 2n {0, 1} 2n defined as follows: E (k, x 0 x 1 ) = E(k, x 0 ) E(k, x 0 x 1 ) where both x 0 and x 1 are bitstrings of lentgh n and denotes the string concatenation operation. Show that E is not a secure PRF by describing a PRF-adversary that can distinguish E from a random function. ask 0 2n to its oracle (so x 0 = x 1 = 0 n ), receive result y split y into two halves y 1 y 2 if y 1 = y 2 output 1, else output 0 If the oracle is E, then x 0 = x 0 x 1, so the two halves y 1 and y 2 will always be equal, so the probability that the adversary outputs 1 when the oracle is the block cipher is 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length 2n. The first half of that string can be anything so 2 n possible choices, but the second half has to be the same, so only 1 choice for the second half. So in total, there are 2 n possible strings that can make the adversary output 1, compared to a total of 2 2n strings of length 2n. So the probability that the adversary outputs 1 when the oracle is a random function is 2n 2 2n = 1 2 n. Adv P RF A,E = n

5 6. Suppose that F : {0, 1} n {0, 1} n {0, 1} n is a secure block cipher. Consider F : {0, 1} n {0, 1} 2n {0, 1} 2n defined as follows: Show that F is not a secure PRF. E (k, x 0 x 1 ) = E(k, x 0 ) E(x 0, x 1 ) ask 0 2n to its oracle (so x 0 = x 1 = 0 n ), receive result y split y into two halves y 1 y 2 calculate z = E(0 n, 0 n ) if y 2 = z output 1, else output 0 If the oracle is F, then the second half of y will always be E(0 n, 0 n ), so A outputs 1 with probability 1. On the other hand, if the oracle is a random function, then the answer to the query is a random string of length 2n. The first half of that string can be anything so 2 n possible choices, but the second half would have to be exactly E(0 n, 0 n ) for the adversary to output 1, so only 1 choice for the second half. Similarly as in the previous problem, the probability that A outputs 1 is 1 2. n AdvA,F P RF = n

6 7. Suppose that G : {0, 1} K {0, 1} 2n {0, 1} 2n is a secure pseudo-random function (PRF). Consider G : {0, 1} K {0, 1} 2n {0, 1} n defined as follows: G : on input (k,x), compute C = G(k, x) and return the first half of the bits of C. Prove that G is a secure PRF by showing that an adversary that breaks the PRF-security of G could be used to create an adversary that breaks the PRF-security of G. Solution To show that G is a secure PRF if G is a secure PRF, we show that if G was insecure, then G would be insecure as well. Let A be a PRF-adversary that breaks G. Construct a PRF-adversary B against G as follows: run A. Whenever A asks a query M to its oracle, B makes the query M to its own oracle, receives a string C = C 0 C 1 where each of C 0 and C 1 are strings of n bits, and gives C 0 to A as the answer to its query. eventually, A terminates and outputs a bit b. B outputs this b as its output. Note that if B s oracle is G, then the answer to A s queries are exactly G since G consists exactly of the first half of the bits of G s output. So we have that P (k $ {0, 1} K : B G(k, ) = 1) = P (k $ {0, 1} K : A G (k, ) = 1) On the other hand, if B s oracle is a random function from Rand 2n 2n, then the output of the random function is 2n random bits. The first half of those bits will be n random bits, which is exactly what a random function from Rand n n would give A. Therefore, Hence, P (f $ Rand 2n 2n : B f( ) = 1) = P (f $ Rand n n : A f( ) = 1) Adv P RF B = P (k $ {0, 1} K : B G(k, ) = 1) P (f $ Rand 2n 2n : B f( ) = 1) = P (k $ {0, 1} K : A G (k, ) = 1) P (f $ Rand n n : A f( ) = 1) = Adv P RF A So that if F is insecure, then F is insecure as well. Since we assume that F is a secure PRF, then it must be the case that F is secure as well.