CSE 207 Homework 5

Huaxia Xia 05/25/2001
Problem 1.
Proof: (a).
Given $p \ge 3$ is a prime and $G = Z_p^*$. Thus $m = |G| = p-1$.
We know that for any $a \in G$, if $a$ is not a square, then
$J_p(a) = a^{(p-1)/2} \equiv -1 \pmod p$.
Now given $g, h \in \mathrm{Gen}(G)$, we want to find two messages $(x_1, y_1)$ and $(x_2, y_2)$ such
that:
$g^{x_1} h^{y_1} \equiv g^{x_2} h^{y_2} \iff g^{x_1 - x_2} \equiv h^{y_2 - y_1} \pmod p$
We know from Homework 4 that:
$h \in \mathrm{Gen}(G) \iff \mathrm{DLOG}_{G,g}(h) = i \in Z_m^* = Z_{p-1}^*$
$\Rightarrow \mathrm{DLOG}_{G,g}(h) = i$ is odd
$\Rightarrow h$ is not a square.
And of course $g$ isn't a square either. Therefore, we have:
$g^{(p-1)/2} \equiv h^{(p-1)/2} \equiv -1 \pmod p$
So we only need to choose two different messages $(x_1, y_1)$ and $(x_2, y_2)$ such that
$x_1 - x_2 \equiv y_2 - y_1 \equiv (p-1)/2 \pmod{p-1}$.
We design the adversary algorithm as below:
Algorithm $A^{\mathrm{kkcr}}_H((g, h))$
Ignore the parameter.
$M_1 \leftarrow ((p-1)/2, 0)$
$M_2 \leftarrow (0, (p-1)/2)$
Return $(M_1, M_2)$.
Then the experiment will always return 1, i.e.
$\mathrm{Adv}^{\mathrm{kkcr}}_H(t) = 1$.
The time for A is $O(|p|)$. Extra time is needed for the experiment to pick an element of
$\mathrm{Keys}(H)$ at random and to decide whether the two messages collide; the latter takes
$O(|p|)$. So the total time for the experiment is
$t = O(|p|)$ + the time to pick an element of $\mathrm{Keys}(H)$ at random.
Proof: (b).
Given: $m = |G|$ is a prime.
This means $Z_m^* = \{1, 2, \ldots, m-1\}$, i.e.,
$\mathrm{Gen}(G) = G - \{I\}$, where $I$ is the identity element of $G$.
So for any non-identity element of $G$, say $h$, we have $(g, h) \in \mathrm{Keys}(H)$.
"$m$ is prime" also means that:
$g^{a+ib} = 1 \iff a + ib \equiv 0 \pmod m \iff a \equiv -ib \pmod m$
Lemma: If $a$ and $b$ are not both zero and $-m < a, b < m$, then there is only one $i$
satisfying the above condition with $1 \le i < m$. The time for computing $i$ is $O(|m|^2)$.
Proof: First, it is obvious that neither $a$ nor $b$ is zero: if only one of them is
zero, there is no solution at all.
Second, there can be at most one such $i$. Otherwise, there are $i_1$ and $i_2$ that satisfy
$1 \le i_1, i_2 < m$, $i_1 \ne i_2$, and ………(1)
$a + i_1 b \equiv 0 \pmod m$ ……………(2)
$a + i_2 b \equiv 0 \pmod m$ ……………(3)
Then we get from (2) − (3):
$(i_1 - i_2)\, b \equiv 0 \pmod m$ …………(4)
From (1) we get:
$1 \le |i_1 - i_2| < m$
Since $1 \le |b| < m$ and $m$ is prime, equation (4) cannot be satisfied. So there
can be at most one $i$ satisfying the condition.
Finally, we can find such an $i$. Since $\gcd(b, m) = 1$, we can get the inverse $j$ of $b$ using the
EXT-EUCLID algorithm, then let $i = -aj \bmod m$. The time for computing $i$ is $O(|m|^2)$.
Assume we are given an algorithm B attacking H on KKCR; we design an algorithm
A that uses B to attack $(G, g)$ on discrete log.
Algorithm $A^{\mathrm{dl}}_{G,g}(h)$
If $h = I$, then return 0.
Run $B(g, h)$ and get two messages $(x_1, y_1)$ and $(x_2, y_2)$.
If $x_1 = x_2$ or $y_1 = y_2$ then return false;
Else find $i$ such that
$(x_1 - x_2) + i\,(y_1 - y_2) \equiv 0 \pmod m$.
Return $i$.
We claim that
$\mathrm{Adv}^{\mathrm{dl}}_{G,g,A} \ge \mathrm{Adv}^{\mathrm{kkcr}}_{H,B}$, i.e.
$\Pr[\mathrm{EXP}^{\mathrm{dl}}_{G,g,A} = 1] \ge \Pr[\mathrm{EXP}^{\mathrm{kkcr}}_{H,B} = 1]$.
We only need to show that for $h \ne I$, $\mathrm{EXP}^{\mathrm{kkcr}}_{H,B} = 1 \Rightarrow \mathrm{EXP}^{\mathrm{dl}}_{G,g,A} = 1$:
$\mathrm{EXP}^{\mathrm{kkcr}}_{H,B} = 1$ (recall: we have shown that $(g, h) \in \mathrm{Keys}(H)$ for $h \ne I$)
$\Rightarrow B(g, h)$ returns two different messages $(x_1, y_1)$ and $(x_2, y_2)$ such that
$g^{x_1} h^{y_1} = g^{x_2} h^{y_2}$, i.e. $g^{(x_1 - x_2) + i(y_1 - y_2)} = 1$ where $i = \mathrm{DLOG}_{G,g}(h)$.
$\Rightarrow (x_1 - x_2) + i\,(y_1 - y_2) \equiv 0 \pmod m$, and
$(x_1 - x_2)$ and $(y_1 - y_2)$ cannot both be zero.
According to the Lemma, there is only one $i$ satisfying the above condition, and it can
be computed in time $O(|m|^2)$.
Thus we have proved that:
$\mathrm{Adv}^{\mathrm{dl}}_{G,g}(t') \ge \mathrm{Adv}^{\mathrm{kkcr}}_H(t)$
where $t' = t + O(|m|^2)$.
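A worked version of both parts of Problem 1, added here as an example (it is not part of the original homework): the hash family $H_{(g,h)}(x, y) = g^x h^y \bmod p$, the 1(a) collision for $G = Z_p^*$, and the 1(b) recovery of $\mathrm{DLOG}_{G,g}(h)$ from a collision when $|G| = m$ is prime. The small primes $p = 23$ and $m = 11$, the generators and the colliding messages in the demo are constructed sample values.

```python
# Added example (not from the original homework): the Problem 1 hash family
# H_(g,h)(x, y) = g^x * h^y mod p, the Problem 1(a) collision for G = Z_p^*
# (|G| = p-1 even), and the Problem 1(b) recovery of DLOG_{G,g}(h) from a
# collision when |G| = m is prime. Demo values below are constructed samples.

def H(key, msg, p):
    """H_(g,h)(x, y) = g^x * h^y mod p."""
    (g, h), (x, y) = key, msg
    return pow(g, x, p) * pow(h, y, p) % p

def is_generator(a, p):
    """True iff a generates Z_p^* (brute force; fine for small p)."""
    return len({pow(a, k, p) for k in range(1, p)}) == p - 1

def collision_a(g, h, p):
    """Problem 1(a): g, h generators of Z_p^* are non-squares, so
    g^((p-1)/2) = h^((p-1)/2) = -1 mod p.  The adversary ignores the key
    and returns M1 = ((p-1)/2, 0), M2 = (0, (p-1)/2)."""
    half = (p - 1) // 2
    return (half, 0), (0, half)

def ext_euclid(a, b):
    """EXT-EUCLID: returns (d, u, v) with u*a + v*b = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, u, v = ext_euclid(b, a % b)
    return d, v, u - (a // b) * v

def dlog_from_collision(m1, m2, m):
    """Problem 1(b), |G| = m prime: a collision g^x1 h^y1 = g^x2 h^y2 means
    (x1-x2) + i*(y1-y2) = 0 mod m for i = DLOG_{G,g}(h).  By the Lemma i is
    unique and i = -a * b^{-1} mod m with a = x1-x2, b = y1-y2.
    Returns None where algorithm A 'returns false' (x1 = x2 or y1 = y2)."""
    (x1, y1), (x2, y2) = m1, m2
    a, b = (x1 - x2) % m, (y1 - y2) % m
    if a == 0 or b == 0:
        return None
    d, j, _ = ext_euclid(b, m)      # j = b^{-1} mod m because gcd(b, m) = 1
    return (-a * j) % m

if __name__ == "__main__":
    # (a): p = 23, G = Z_23^*; 5 and 7 are primitive roots mod 23.
    p, key = 23, (5, 7)
    m1, m2 = collision_a(*key, p)
    print(m1, m2, H(key, m1, p) == H(key, m2, p))      # (11, 0) (0, 11) True
    # (b): the order-11 subgroup of Z_23^* generated by g = 2; h = 2^7 = 13.
    q, key = 11, (2, 13)
    m1, m2 = (3, 9), (0, 0)    # 2^3 * 13^9 = 1 = 2^0 * 13^0 mod 23: a collision
    print(H(key, m1, p) == H(key, m2, p), dlog_from_collision(m1, m2, q))  # True 7
```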
Problem 2.
Proof:
Assume we are given an algorithm B attacking AE on IND-CPA; we design an
algorithm A that uses B to attack AE on ROR-CPA.
Assume we are given an oracle $E_{pk}(\mathrm{RoR}(\cdot, b))$.
Algorithm $A^{\text{ror-cpa}}_{AE}()$
$s \xleftarrow{R} \{0, 1\}$
Run B; when B queries $(M_i^0, M_i^1)$, then:
make query $M_i^s$ on $E_{pk}(\mathrm{RoR}(\cdot, b))$,
return $E_{pk}(\mathrm{RoR}(M_i^s, b))$ to B,
until B returns bit $d$.
If $d = s$, return 1,
else return 0.
First, we check the probability:
$$\begin{aligned}
\Pr[\mathrm{EXP}^{\text{ror-cpa-1}}_{AE,A} = 1]
&= \Pr[s = 1 \text{ and } \mathrm{EXP}^{\text{ind-cpa-1}}_{AE,B} = 1] + \Pr[s = 0 \text{ and } \mathrm{EXP}^{\text{ind-cpa-0}}_{AE,B} = 0] \\
&= \tfrac12 \Pr[\mathrm{EXP}^{\text{ind-cpa-1}}_{AE,B} = 1] + \tfrac12 \Pr[\mathrm{EXP}^{\text{ind-cpa-0}}_{AE,B} = 0] \\
&= \tfrac12 \Pr[\mathrm{EXP}^{\text{ind-cpa-1}}_{AE,B} = 1] + \tfrac12 \left(1 - \Pr[\mathrm{EXP}^{\text{ind-cpa-0}}_{AE,B} = 1]\right) \\
&= \tfrac12 + \tfrac12 \left(\Pr[\mathrm{EXP}^{\text{ind-cpa-1}}_{AE,B} = 1] - \Pr[\mathrm{EXP}^{\text{ind-cpa-0}}_{AE,B} = 1]\right) \\
&= \tfrac12 + \tfrac12 \mathrm{Adv}^{\text{ind-cpa}}_{AE,B}
\end{aligned}$$
and
$$\begin{aligned}
\Pr[\mathrm{EXP}^{\text{ror-cpa-0}}_{AE,A} = 1]
&= \Pr[s = 1 \text{ and } B \text{ outputs 1 on random queries}] + \Pr[s = 0 \text{ and } B \text{ outputs 0 on random queries}] \\
&= \tfrac12 \Pr[B \text{ outputs 1 on random queries}] + \tfrac12 \Pr[B \text{ outputs 0 on random queries}] \\
&= \tfrac12
\end{aligned}$$
Thus we get:
$$\mathrm{Adv}^{\text{ror-cpa}}_{AE,A} = \Pr[\mathrm{EXP}^{\text{ror-cpa-1}}_{AE,A} = 1] - \Pr[\mathrm{EXP}^{\text{ror-cpa-0}}_{AE,A} = 1] = \tfrac12 \mathrm{Adv}^{\text{ind-cpa}}_{AE,B}$$
Since A makes one query each time B makes one query, the time for one query is the
same, so we get:
$$\mathrm{Adv}^{\text{ind-cpa}}_{AE}(t, q, \mu) \le 2\,\mathrm{Adv}^{\text{ror-cpa}}_{AE}(t, q, \mu)$$