Introduction to cryptography (89-656) - Exercise 1
Prof. Amir Herzberg
Assistant: Roi Dover
Deliver at class of Nov. 17th. Work in singles or pairs.

1. You wish to produce random bits for your encryption scheme. You decide to buy a PRG from a known vendor, with seed length s. After a while you find that the adversary can guess correctly 20% of the output bits of the PRG (you do not know which ones). How can this affect your encryption scheme?
   a. If it is a One Time Pad scheme?
   b. If it is a block cipher with key length k > 2s? Assume that the only feasible attack against your block cipher is brute force, i.e. exhaustive search over all possible keys.

2. Consider the following suggestion for extracting randomness from weakly random bits: use f(seed), where f is a PRG and seed consists of weakly random bits. Assume half of the bits of seed are completely controlled by an adversary. Show a PRG f such that the adversary is able to ensure that f(seed) always outputs the same value (say, all output bits are 0); prove that your f is indeed a PRG.
   Hints: you may assume that you are given another PRG f' which you can use to construct f. The PRG f may be `trivially improper` for the goal above (but about as secure as f' when used as a PRG). If you prefer, you can answer the question for the similar construction using a PRP: use f_seed(i) where i is a counter (producing the pseudo-random bit string f_seed(1), f_seed(2), ...) [the solution is almost the same].

3. Consider the encryption scheme E_{k,k'}(p) = k + (k' ⊕ p), where k, k' are random n-bit keys, p is an n-bit plaintext, ⊕ is bitwise XOR and + is addition modulo 2^n. Show a known-plaintext or chosen-plaintext attack that recovers the key k. Try to minimize the number of plaintext-ciphertext pairs required for the attack (why?).
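The following is an added illustration of the construction asked for in exercise 2; it is not part of the exercise sheet. It builds a PRG f out of a given PRG f' by making f output all zeros on a negligible set of "bad" seeds (those with either half all zero), so an adversary who controls either half of the seed can force f(seed) = 0^m. Using SHAKE128 as the stand-in for f', and the seed and output sizes (16 and 64 bytes), are assumptions of the demo, not something the exercise specifies.

```python
"""Added example for exercise 2 (not part of the exercise sheet): a PRG f,
built from a given PRG f', that an adversary controlling half of the seed
can force to output all zeros. SHAKE128 stands in for the given f' here;
that is an assumption of the demo, not something the exercise specifies.
"""
import hashlib

SEED_BYTES = 16      # s = 128 seed bits (assumption)
OUT_BYTES = 64       # m = 512 output bits, so m > s as a PRG requires (assumption)


def f_prime(seed: bytes, out_len: int = OUT_BYTES) -> bytes:
    """The 'given' PRG f'. SHAKE128 used as an extendable-output function is the stand-in."""
    return hashlib.shake_128(seed).digest(out_len)


def is_bad_seed(seed: bytes) -> bool:
    """The 'trivially improper' set: seeds whose first half or second half is all-zero bits."""
    half = len(seed) // 2
    return not any(seed[:half]) or not any(seed[half:])


def f(seed: bytes, out_len: int = OUT_BYTES) -> bytes:
    """f(seed) = 0^m on bad seeds, f'(seed) otherwise.

    Security: a uniform seed is bad with probability at most 2 * 2^(-s/2)
    (union bound over 'first half all zero' and 'second half all zero'),
    which is negligible in s, so any distinguisher against f has advantage
    within that bound of the same distinguisher run against f'. Hence f is a
    PRG whenever f' is, yet it is useless as an extractor of weak randomness.
    """
    if is_bad_seed(seed):
        return bytes(out_len)
    return f_prime(seed, out_len)


def adversary_seed(source_half: bytes, adversary_controls_first_half: bool) -> bytes:
    """The adversary sets the half it controls to all zeros; the other half comes
    from the weak source, whatever it happens to be. f then returns 0^m regardless."""
    zeros = bytes(len(source_half))
    return zeros + source_half if adversary_controls_first_half else source_half + zeros


if __name__ == "__main__":
    source = bytes.fromhex("0f1e2d3c4b5a6978")        # constructed 'weakly random' half
    print(f(adversary_seed(source, True)).hex())      # all zeros
    print(f(adversary_seed(source, False)).hex())     # all zeros
    print(f(bytes(range(1, 17))).hex()[:32], "...")    # honest seed: same output as f'
```

The PRP variant from the hint works the same way: make f_seed(i) return 0 for every counter value i whenever seed lies in the bad set, and fall back to the given PRP otherwise.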
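The following is an added worked attack for exercise 3; it is not part of the exercise sheet. It implements E_{k,k'}(p) = k + (k' ⊕ p) mod 2^n, recovers k with two chosen plaintexts (0 and the all-ones block), and shows why no attack can do better: the key pairs (k, k') and (k ⊕ 2^{n-1}, k' ⊕ 2^{n-1}) define the same encryption function, so k is only ever determined up to its top bit, and a single pair leaves every value of k possible. The block size n = 32 and the function names are assumptions of the demo.

```python
"""Added example for exercise 3 (not part of the exercise sheet): a two-query
chosen-plaintext attack on E_{k,k'}(p) = k + (k' XOR p) mod 2^n, and the
reason no attack can use fewer than two pairs.
"""
import secrets

N = 32                      # n, the block and key size in bits (assumption for the demo)


def encrypt(k: int, k2: int, p: int, n: int = N) -> int:
    """E_{k,k'}(p) = k + (k' xor p) mod 2^n, exactly as defined in the exercise (k2 plays k')."""
    mask = (1 << n) - 1
    return (k + ((k2 ^ p) & mask)) & mask


def recover_keys(oracle, n: int = N):
    """Chosen-plaintext attack with two queries: p0 = 0 and p1 = 1^n (all ones).

        c0 = E(0)   = k + k'                 (mod 2^n)
        c1 = E(1^n) = k + (2^n - 1 - k')     (mod 2^n), since k' xor 1^n = 2^n - 1 - k'
        c0 + c1 + 1 = 2k                     (mod 2^n)

    Doubling modulo 2^n discards the top bit of k, so the attack learns
    k mod 2^(n-1) and returns the two candidate key pairs (k, k' = c0 - k).
    """
    mask = (1 << n) - 1
    c0 = oracle(0)
    c1 = oracle(mask)
    two_k = (c0 + c1 + 1) & mask
    assert two_k & 1 == 0               # 2k is even mod 2^n; fails only if the oracle is not this scheme
    k_low = two_k >> 1                  # k with its top bit cleared
    return [(k, (c0 - k) & mask) for k in (k_low, k_low | (1 << (n - 1)))]


def keys_equivalent(k: int, k2: int, n: int) -> bool:
    """Exhaustive check (small n) that flipping the top bit of both k and k'
    gives the same encryption function: the +2^(n-1) added to k and the
    +/-2^(n-1) change in (k' xor p) cancel modulo 2^n. This is why k can be
    recovered only up to its top bit. A single pair (p, c) is consistent with
    every k (take k' = (c - k) xor p), so two chosen pairs is the minimum."""
    top = 1 << (n - 1)
    return all(encrypt(k, k2, p, n) == encrypt(k ^ top, k2 ^ top, p, n)
               for p in range(1 << n))


def demo(n: int = N) -> bool:
    """Random keys, counting oracle: the true pair is among the candidates after 2 queries."""
    k, k2 = secrets.randbits(n), secrets.randbits(n)
    queries = []

    def oracle(p):
        queries.append(p)
        return encrypt(k, k2, p, n)

    candidates = recover_keys(oracle, n)
    return (k, k2) in candidates and len(queries) == 2


if __name__ == "__main__":
    print("key recovered with 2 chosen plaintexts:", demo())
    print("top-bit-flipped key pairs are equivalent (n=8):", keys_equivalent(0xA5, 0x3C, 8))
```

Minimizing the number of pairs matters because each pair is a plaintext the attacker must obtain or get encrypted; an attack needing two chosen blocks is far cheaper to mount in practice than one needing n+1 (the bit-flipping variant that recovers k' one bit at a time) or a large known-plaintext sample.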