1 (submit at lecture of Nov. 17th)

Introduction to cryptography (89-656) - Exercise 1
Prof. Amir Herzberg
Assistant: Roi Dover
Deliver at class of Nov. 17th. Work in singles or pairs.
1. You wish to produce random bits for your encryption scheme. You decide to buy
a PRG from a known vendor, with seed length s. After a while you find that the
adversary can guess correctly 20% of the output bits from the PRG (you don’t
know which ones). How can it affect your encryption scheme?
a. If it is a One Time Pad scheme?
b. If it is a block cipher, with key length k>2s? Assume that the only feasible
attack against your block cipher is brute-force, exhaustive search over all
possible keys.
2. Consider the following suggestion for extracting randomness from weakly
random bits: use f_seed where f is a PRG and seed are weakly-random bits. Assume
half of the bits of seed are completely controlled by an adversary. Show a PRG f
s.t. the adversary is able to ensure that f_seed always outputs the same value (say all
output bits are 0); prove that your f is indeed a PRG. Hints: you can assume that
you are given another PRG f’ which you can use to construct f. The PRG f’ may
be `trivially improper` for the goal above (but about as secure as f’ when used as a
PRG). If you prefer you can answer the question for the similar construction using
a PRP, using f_seed(i) where i is a counter (producing the pseudo-random bit string
f(1), f(2),…) [the solution is almost the same].
3. Consider encryption scheme E_{k,k’}(p) = k + (k’ ⊕ p), where k, k’ are random n-bit
keys, p is n-bit plaintext, ⊕ is bitwise XOR and + is addition modulo 2^n. Show a
known or chosen plaintext attack that recovers key k. Try to minimize the number
of plaintext-ciphertext pairs required for the attack (why?).