CIS 5371 Cryptography QUIZ 3 (5 minutes only)

advertisement
CIS 5371 Cryptography
QUIZ 3 (5 minutes only)
This quiz concerns Private Key Encryption.
1. In the experiment PrivKeav (A, Π) for the symmetric encryption scheme Π, the adversary A selects
two messages m0 , m1 (these could be identical!) and is then given an encryption c b of one of these,
randomly selected. A must then identify the bit b of the corresponding plaintext. For indistinguishability we require that his rate of success is 12 + negligible.
Suppose that Π is a deterministic symmetric encryption scheme. Show that there is an adversary
A that will succeed in distinguishing the encryption of m b with certainty after one try (describe his
strategy, and the messages he choses).
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
2. The following encryption scheme Π is used to capture computational security (based on indistingishability). Let p be a prime number of binary length n, k ∈ Z p−1 a key and g a generator of Zp∗ . For
any message m ∈ Zp∗ :
Enck (m) = (c1 , c2 ) where c1 = g r mod p, and c2 = g rk · m mod p, with r randomly selected in Z p−1 .
Suppose that the adversary A can get hold of some plaintext-ciphertext pairs. Show how to reduce
the problem:
“There is an efficient algorithm B that on input a prime p of binary length n, a generator g of Z p∗ and
an element y ∈ Zp∗ , will output with non-negligible probability a number x for which y = g x mod p
(the Discrete Logarithm of y)”,
to the problem
“Π can be broken by an efficient algorithm with non-negligible probability”.
Hint: Describe a reduction algorithm A 0 that uses B as a subroutine to break Π. Note that from a
plaintext-cipertext pair the adversary can compute some expressions whose discrete logarithm will
reveal the key. What should the adversary A compute and give to the reduction algorithm A 0 so
that can break Π.
1
(You may assume that φ(p−1)
p−1 > poly(n) .)
..........................................................................................
..........................................................................................
..........................................................................................
..........................................................................................
Mike Burmester
Download