CIS 5371 Cryptography
QUIZ 2 (5 minutes only) –with answers
This quiz concerns Perfect Secrecy and the One-time Pad.
1. State the last (or, one but last) definition given in class for secure encryption.
Answer.
An encryption scheme is perfectly secret if,
(a) for every probability distribution over M, for every message m ∈ M and every
ciphertext c ∈ C we have: P r[M = m|C = c] = P r[M = m].
(b) for every probability distribution over M, for every message m ∈ M and every
ciphertext c ∈ C we have: P r[C = c|M = m] = P r[C = c].
(c) for every probability distribution over M, for every m0 , m1 ∈ M and every
c ∈ C we have: P r[C = c|M = m0 ] = P r[C = c|M = m1 ].
Here we only consider distributions that assign non-zero probabilities to all m ∈ M,
c ∈ C.
Alternatively, the encryption scheme Π = (Gen, Enc, Dec) is perfectly secret if for
every PPT adversary A it holda that: P r[PrivKeav (A, Π) = 1] = 0.5.
2. The One-time Pad is used for encryption.
Let m, m0 ∈ M be distinct messages, k ∈ K be a key (all binary strings of length `).
It is proposed to use the same key k to encrypt both m and m0 . (At the end of
WWII, the Soviet Union run out of keypads and started re-using earlier ones).
If this were allowed then:
Show that the One-time Pad is not a secure encryption scheme according to the
definition you gave above.
(Assume that the adversary uses a ciphertext only attack)
Answer.
Let
c = k ⊕ m, c0 = k ⊕ m0 .
Then
c ⊕ c0 = k ⊕ m ⊕ k ⊕ m0 = (k ⊕ k) ⊕ (m ⊕ m0 ) = m ⊕ m0 .
So the adversary can derive a funtion (m ⊕ m0 ) of the plaintexts m, m0 by combining
the ciphertexts c, c0 .
Therefore the encryption scheme is not secure.
Mike Burmester