CIS 5371 Cryptography QUIZ 3 (5 minutes only) – with answers

This quiz concerns Private Key Encryption.
1. In the experiment $\mathrm{PrivK}^{\mathrm{eav}}(A, \Pi)$ for the symmetric encryption scheme $\Pi$, the adversary $A$ selects
two messages $m_0, m_1$ (these could be identical!) and is then given an encryption $c_b$ of one of
these, randomly selected. $A$ must then identify the bit $b$ of the corresponding plaintext. For
indistinguishability we require that his rate of success is $\frac{1}{2}$ + negligible.
Suppose that $\Pi$ is a deterministic symmetric encryption scheme. Show that there is an adversary
$A$ that will succeed in distinguishing the encryption of $m_b$ with certainty after one try (describe his
strategy, and the messages he chooses).
Answer: For the first test $A$ selects $m = m_0 = m_1$ to get $c = c_0 = c_1$. In this test he only
succeeds with probability 0.5. He is not discouraged and proceeds. In the following tests he selects
$m_0$, $m_1' \neq m_0$. If he gets $c_b = c_0$ then he outputs $m_0$; else he outputs $m_1'$. For these tests he succeeds
with certainty.
2. The following encryption scheme is used to capture computational security (based on indistinguishability). Let $p$ be a prime number of binary length $n$, $k \in \mathbb{Z}_{p-1}$ a key and $g$ a generator of $\mathbb{Z}_p^*$. For any message
$m \in \mathbb{Z}_p$:
$\mathrm{Enc}_k(m) = (g^r \bmod p,\ g^{rk} \cdot m \bmod p)$, where $r$ is randomly selected in $\mathbb{Z}_{p-1}$.
Suppose that the adversary A can get hold of some plaintext-ciphertext pairs. Show how to reduce
the problem:
“There is an efficient algorithm $B$ that on input a prime $p$ of binary length $n$, a generator $g$ of $\mathbb{Z}_p^*$ and
an element $y \in \mathbb{Z}_p^*$, will output with non-negligible probability a number $x$ for which $y = g^x \bmod p$
(the Discrete Logarithm of $y$)”,
to the problem
“$\Pi$ can be broken by an efficient algorithm with non-negligible probability”.
Hint: Describe a reduction algorithm $A'$ that uses $B$ as a subroutine to break $\Pi$. Note that from a
plaintext-ciphertext pair the adversary can compute some expressions whose discrete logarithm will
reveal the key. What should the adversary $A$ compute and give to the reduction algorithm $A'$ so
that it can break $\Pi$?
(You may assume that $\frac{\varphi(p-1)}{p-1} > \frac{1}{\mathrm{poly}(n)}$.)
Answer. We must describe a reduction algorithm $A'$ that uses $B$ as subroutine which the adversary
$A$ can use to break $\Pi$ with non-negligible probability.
Let one of the plaintext-ciphertext pairs that $A$ gets hold of be $(m, c_1, c_2)$ where $c_1 = g^r \bmod p$,
$c_2 = g^{rk} \cdot m \bmod p$. $A$ computes $g^{rk} = c_2 m^{-1} \bmod p$.
Algorithm $A'$
Step 1. Input to $B$: $c_1 = g^r \bmod p$, $g^{rk} = c_2 m^{-1} \bmod p$, to get $r$, $rk$, with probability $\geq \frac{1}{\mathrm{poly}_1(n)^2}$.
Step 2. With probability $\frac{\varphi(p-1)}{p-1}$ the exponent $r$ is invertible in $\mathbb{Z}_{p-1}$. When so, compute $k = (rk)\, r^{-1} \bmod (p-1)$. The probability to get $k$ is at least
$\frac{\varphi(p-1)}{(p-1) \cdot \mathrm{poly}_1(n)^2} > \frac{1}{\mathrm{poly}_2(n)}$.
So the probability that $A'$ can get the key $k$ and hence break $\Pi$ is non-negligible.
Mike Burmester
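
The reduction in the answer to question 2, run end to end on toy parameters, as an added example that is not part of the original quiz. The prime 467, the generator 2, the function names, and the exhaustive search standing in for B are assumptions chosen for illustration; r is passed explicitly so that both the invertible and the non-invertible case of Step 2 can be reproduced.

```python
from math import gcd

P = 467   # constructed toy prime; in the quiz p has binary length n
G = 2     # assumed generator of Z_P^*, verified by is_generator()

def is_generator(g, p):
    # g generates Z_p^* iff its powers cover all p-1 nonzero residues
    seen, x = set(), 1
    for _ in range(p - 1):
        x = x * g % p
        seen.add(x)
    return len(seen) == p - 1

def enc(k, m, r, p=P, g=G):
    # Enc_k(m) = (g^r mod p, g^{rk} * m mod p); r is supplied by the caller
    # here only to make the run repeatable (the scheme picks it at random)
    return pow(g, r, p), pow(g, r * k, p) * m % p

def dlog_B(y, p=P, g=G):
    # Stand-in for algorithm B: exhaustive search, feasible only for toy p
    x, acc = 0, 1
    while acc != y:
        acc = acc * g % p
        x += 1
    return x

def reduction(m, c1, c2, p=P, g=G):
    # Algorithm A' on one known pair (m, c1, c2); m must be nonzero mod p
    g_rk = c2 * pow(m, -1, p) % p     # g^{rk} = c2 * m^{-1} mod p
    r = dlog_B(c1, p, g)              # Step 1: r = log_g(c1)
    rk = dlog_B(g_rk, p, g)           #         rk mod (p-1) = log_g(g^{rk})
    if gcd(r, p - 1) != 1:            # Step 2 fails: r not invertible in Z_{p-1}
        return None                   # A' needs another pair with a fresh r
    return rk * pow(r, -1, p - 1) % (p - 1)

def invertible_fraction(p=P):
    # phi(p-1)/(p-1): fraction of exponents r for which Step 2 succeeds
    return sum(gcd(r, p - 1) == 1 for r in range(p - 1)) / (p - 1)

if __name__ == "__main__":
    k, m = 123, 300                   # constructed key and message
    for r in (45, 44):                # 45 is a unit mod 466, 44 is not
        c1, c2 = enc(k, m, r)
        print(r, reduction(m, c1, c2))
    print(invertible_fraction())
```

For p = 467 the group order is 466 = 2 · 233, so roughly half of all r values make Step 2 fail, which is why the answer carries the factor φ(p−1)/(p−1) in its success bound.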