Cryptography, winter term 16/17: Sample solution to assignment 2

Size: px

Start display at page:

Download "Cryptography, winter term 16/17: Sample solution to assignment 2"

Melinda Jenkins
5 years ago
Views:

1 U N S A R I V E R S A V I E I T A S N I S S Cryptography, winter term 6/7: Sample solution to assignment Cornelius Brand, Mar Roth Exerise. (Messing up the one-time pad) Consider the following modifiation of the one-time pad: K = M = {0, } l, C = {0, } l+ GEN generates a uniform key ENC outputs := (m k) Parity(k) (on input (k, m)) DEC outputs m := (... l ) k (on input ( =,... l l+, k) ) where is the bitwise exlusive-or, is string onatenation and Parity(k) is defined as the number of s in k modulo. We give an example: Let l = 6, m = 000 and assume GEN did output the key k = 000. As the number of s in k is odd, it holds that Parity(k) =. Therefore and ENC k (m) = (m k) Parity(k) = 0000 = 0000 DEC k () = ( ) k = = 000 Prove that this modifiation of the one-time pad is not perfetly seret. Hint: A ommon way to show that a sheme is not perfetly seret is to onstrut an adversary A and to show that A wins the adversarial indistinguishability experiment with probability >. Solution. (Messing up the one-time pad) We onstrut an adversary A that will always win: A sends messages m = 0 l and m = 0 l. After A reieves the hallenge text =... l l+, it heks whether Parity(... l m ) = l+. If this is the ase it outputs otherwise it outputs 0. We show that A is always right. If b = then = (m k) Parity(k) Parity(... l m ) = Parity(m k m ) = Parity(k) = l+. It follows that A outputs whih is right. If b = 0 then = (m k) Parity(k) = (m 0 l k) Parity(k) Parity(... l m ) = Parity(m 0 l k m ) = Parity(0 l k) Parity(k) = l+. It follows that A outputs 0 whih is right. Therefore A,Π = ] = >

2 Exerise. (Negligible funtions) Reall the definition of a negligible funtion (Definition 3.4). (a) Let be a onstant. Whih of the following two funtions is negligible? Prove your answer. ) (i) f(n) := ( n (ii) g(n) := (log n) log n (b) Prove Proposition 3.6. Solution. (Negligible funtions) (a) (i) Not negligible: It holds that ( n ) n ( n ) n (ii) Negligible: Fix a onstant. It holds that for all n suh that log log n >. g(n) = (log n) log n = (b) Let p be an arbitrary but fixed polynomial. n log log n < n (i) As p is a polynomial, p (x) := p(x) is also a polynomial. As negl and negl are negligible, there are N and N suh that n N : negl (n) < p (n) and n N : negl (n) < p (n). Therefore n max{n, N } : negl (n) + negl (n) < (ii) We have to show that for a fixed polynomial q, it holds that there is an N suh that forall n N we have q(n) negl (n) < As q is a polynomial, q p is also and as negl is negligible we have that there exists an N suh that Therefore n > N : negl (n) < n > N : q(n) negl (n) < q(n) q(n) q(n) =

3 Exerise.3 (Perfet serey) Reall Lemma.4. One diretion was proven in the leture. In this exerise it is your task to prove the other diretion, i.e., show that perfet serey of (GEN, ENC, DEC) implies for all m, m M, C. Pr [ENC k (m) = ] = Pr [ ENC k (m ) = ] () Solution.3 (Perfet serey) Let m, m and be arbitrary but fixed and onsider the following probability distribution over the message spae M: { Pr [M = m] = if m = m or m = m 0 otherwise Furthermore, let If P = 0 we are done. Otherwise we have P := Pr [ENC k (m ) = ] + Pr [ENC k (m ) = ] Pr [ENC k (m ) = ] = P Pr [ENC k(m ) = ] P Pr [ENC k (m ) = ] = P (Pr [ENC k(m ) = ] + Pr [ENC k (m ) = ]) Pr [ENC k (m ) = ] Pr [M = m ] = P m M Pr [ENC k(m) = ] Pr [M = m] Pr [ENC k (M) = M = m ] Pr [M = m ] = P m M Pr [ENC k(m) = M = m] Pr [M = m] Pr [C = M = m ] Pr [M = m ] = P Pr [C = M = m] Pr [M = m] m M = P Pr [C = M = m ] Pr [M = m ] Pr [C = ] = P Pr [M = m C = ] = P Pr [M = m ] = P Similary, with the same omputation we get Pr [ENC k (m ) = ] = P Pr [ENC k (m ) = ] = Pr [ENC k (m ) = ] Exerise.4 (Perfet indistinguishability) Reall Lemma.6: An enryption sheme Π is perfetly seret if and only if it is perfetly indistinguishable. Prove one diretion of your hoie. Hint: It may be advisable to use the equivalent definition of perfet serey as stated in Lemma.4. Bonus: Prove the other diretion as well. 3

4 Solution.4 (Perfet indistinguishability) First we show that perfet serey implies perfet indistinguishability. Therefore let A be an arbitrary but fixed adversary. Consider an exeution of the adversarial indistinguishability experiment. Let B be the bit that was hosen uniformly at random, Chal be the iphertext (the hallenge) A reieved and B the output of A. We laim that A,Π = B = ] = A,Π = 0 B = 0 ] whih an be proven as follows: A,Π = B = ] = Pr [ B = Chal = ENC k (m ) ] Pr [ B = Chal = ENC k (m ), ENC k (m ) = ] Pr [ENC k (m ) = ] Pr [ B = Chal = ] Pr [ENC k (m ) = ] Pr [ B = Chal = ] Pr [ENC k (m 0 ) = ] Pr [ B = Chal = ENC k (m 0 ), ENC k (m 0 ) = ] Pr [ENC k (m 0 ) = ] = Pr [ B = Chal = ENC k (m 0 ) ] = A,Π = 0 B = 0 ] where the fourth equation follows from perfet serey. Similary we an prove that A,Π = B = 0 ] = A,Π = 0 B = ] It follows that A,Π = ] = A,Π = B = ] Pr [B = ] + A,Π = B = 0 ] Pr [B = 0] = ( A,Π = B = ] + A,Π = B = 0 ] ) = ( A,Π = 0 B = 0 ] + A,Π = 0 B = ] ) = A,Π = 0 B = 0 ] Pr [B = 0] + A,Π = 0 B = ] Pr [B = ] = A,Π = ] = Now we show the that perfet indistinguishability implies perfet serey. Atually we show the ontraposition, i.e., we assume that the enryption sheme is not perfet. In this ase there are messages m 0, m and a iphertext and an ɛ > 0 suh that Pr [ENC k (m ) = ] = Pr [ENC k (m 0 ) = ] + ɛ () 4

5 We onstrut an adversary A as follows: A outputs m and m 0 in the first step and as soon as it reieves a hallenge it heks whether =. If this is the ase then A outputs and otherwise it outputs a bit at random. The intuition behind the following omputation an easily be seen by drawing the tree for the different ases of the experiment. Let B, and B as before. It holds that A,Π = B = ] = ( A,Π = B =, ENC k (m ) = ] Pr [ENC k (m ) = ] + A,Π = B =, ENC k (m ) ] Pr [ENC k (m ) ]) = ( Pr [ENC k (m ) = ] + Pr [ENC k(m ) ]) = Pr [ENC k (m ) = ] + Pr [ENC k(m ) ] And furthermore we have A,Π = B = 0 ] = ( A,Π = B = 0, ENC k (m 0 ) = ] Pr [ENC k (m 0 ) = ] + A,Π = B = 0, ENC k (m 0 ) ] Pr [ENC k (m 0 ) ]) = (0 Pr [ENC k (m 0 ) = ] + Pr [ENC k(m 0 ) ]) = Pr [ENC k(m 0 ) ] Putting these two together we get that A,Π = ] = A,Π = B = ] + A,Π = B = 0 ] = Pr [ENC k(m ) = ] + 4 Pr [ENC k(m ) ] + 4 Pr [ENC k(m 0 ) ] A similar omputation yields = Pr [ENC k(m 0 ) = ] + 4 Pr [ENC k(m 0 ) ] + 4 Pr [ENC k(m ) ] Using Equation we onlude A,Π = ] = ( Pr [ENC k(m ) = ] ) Pr [ENC k(m 0 ) = ] = ɛ > 0 A,Π = ] > 5

Block ciphers And modes of operation. Table of contents

Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation