CIS 5371 Cryptography QUIZ 2 (5 minutes only) –with answers This quiz concerns Perfect Secrecy and the One-time Pad. 1. State the last (or, one but last) definition given in class for secure encryption. Answer. An encryption scheme is perfectly secret if, (a) for every probability distribution over M, for every message m ∈ M and every ciphertext c ∈ C we have: P r[M = m|C = c] = P r[M = m]. (b) for every probability distribution over M, for every message m ∈ M and every ciphertext c ∈ C we have: P r[C = c|M = m] = P r[C = c]. (c) for every probability distribution over M, for every m0 , m1 ∈ M and every c ∈ C we have: P r[C = c|M = m0 ] = P r[C = c|M = m1 ]. Here we only consider distributions that assign non-zero probabilities to all m ∈ M, c ∈ C. Alternatively, the encryption scheme Π = (Gen, Enc, Dec) is perfectly secret if for every PPT adversary A it holda that: P r[PrivKeav (A, Π) = 1] = 0.5. 2. The One-time Pad is used for encryption. Let m, m0 ∈ M be distinct messages, k ∈ K be a key (all binary strings of length `). It is proposed to use the same key k to encrypt both m and m0 . (At the end of WWII, the Soviet Union run out of keypads and started re-using earlier ones). If this were allowed then: Show that the One-time Pad is not a secure encryption scheme according to the definition you gave above. (Assume that the adversary uses a ciphertext only attack) Answer. Let c = k ⊕ m, c0 = k ⊕ m0 . Then c ⊕ c0 = k ⊕ m ⊕ k ⊕ m0 = (k ⊕ k) ⊕ (m ⊕ m0 ) = m ⊕ m0 . So the adversary can derive a funtion (m ⊕ m0 ) of the plaintexts m, m0 by combining the ciphertexts c, c0 . Therefore the encryption scheme is not secure. Mike Burmester