CIS 5371 Cryptography QUIZ 3 (5 minutes only)
advertisement
CIS 5371 Cryptography QUIZ 3 (5 minutes only) This quiz concerns Private Key Encryption. 1. In the experiment PrivKeav (A, Π) for the symmetric encryption scheme Π, the adversary A selects two messages m0 , m1 (these could be identical!) and is then given an encryption c b of one of these, randomly selected. A must then identify the bit b of the corresponding plaintext. For indistinguishability we require that his rate of success is 12 + negligible. Suppose that Π is a deterministic symmetric encryption scheme. Show that there is an adversary A that will succeed in distinguishing the encryption of m b with certainty after one try (describe his strategy, and the messages he choses). .......................................................................................... .......................................................................................... .......................................................................................... .......................................................................................... 2. The following encryption scheme Π is used to capture computational security (based on indistingishability). Let p be a prime number of binary length n, k ∈ Z p−1 a key and g a generator of Zp∗ . For any message m ∈ Zp∗ : Enck (m) = (c1 , c2 ) where c1 = g r mod p, and c2 = g rk · m mod p, with r randomly selected in Z p−1 . Suppose that the adversary A can get hold of some plaintext-ciphertext pairs. Show how to reduce the problem: “There is an efficient algorithm B that on input a prime p of binary length n, a generator g of Z p∗ and an element y ∈ Zp∗ , will output with non-negligible probability a number x for which y = g x mod p (the Discrete Logarithm of y)”, to the problem “Π can be broken by an efficient algorithm with non-negligible probability”. Hint: Describe a reduction algorithm A 0 that uses B as a subroutine to break Π. Note that from a plaintext-cipertext pair the adversary can compute some expressions whose discrete logarithm will reveal the key. What should the adversary A compute and give to the reduction algorithm A 0 so that can break Π. 1 (You may assume that φ(p−1) p−1 > poly(n) .) .......................................................................................... .......................................................................................... .......................................................................................... .......................................................................................... Mike Burmester
