CSE 207 Homework 1
advertisement
CSE 207 Homework 1
Huaxia Xia 04/18/2001
Problem 1
Proof:
If F is inner-product preserving, then we can design the following machine A to tell
whether an oracle g is from family F or a random function:
Adversary Ag:
y1 g(0l);
y1 g(10l-1);
if <y1, y2> = <0l,10l-1> = 1, then return 1;
else return 0;
Then if g F, A will certainly return 1,
Pr[ ExpFprf, A1 1] 1
If g is a random function, then
Pr[ ExpFprf, A0 1]
= Pr[<y1, y2> =1| y1, y2 are random L bits string]
= Pr[there are odd positions on which y1, y2 are both ‘1’]
So if y1=0L, then Ag=0;
If y10L, i.e., there are some ‘1’ positions in y1. The value of Ag depends on the
parity of the number of ‘1’ in the corresponding positions in y2, so
1
Pr[ ExpFprf, A0 1 | y1 0 L ]
2
So we have:
Pr[ ExpFprf, A0 1]
Pr[ y1 0 L ] 0 Pr[ y1 0 L ] Pr[ ExpFprf, A0 1 | y1 0 L ]
1
1
(1 L )
2
2
Then
1
1
1
1
(1 L ) (1 L )
2
2
2
2
1
1
AdvFprf (t ,2,2l ) max AdvFprf, A (t ,2,2l ) (1 L )
A
2
2
AdvFprf, A (t ,2,2l ) 1
The larger prf-advantage of F, the less security the algorithm has. So we know that F
is not a secure PRF.
Problem 2.
Proof:
Assume that adversary B for E(2) has the largest probability. Then we construct
adversary AB for E as following:
Adversary ABg:
R
K2
{0, 1}l
Run adversary B, replying to its queries as follows:
When B makes an oracle query x do:
x’ E(K2, x)
y g(x’)
Return y to B as the answer.
Until B stops and outputs a bit b
Return b
If g E, then g(E(K2, x) E(2), then ABg=1 if and only if Bg(E(K2, )=1. Since K2 is a
randomly selected bits string, g(E(K2, ) is over E(2). So
cpa1
cpa1
Pr[ ExpEprp
1] Pr[ ExpEprp
1]
2
, AB
,B
If gE, then
cpa0
cpa0
Pr[ ExpEprp
1] Pr[ ExpEprp
1] 1 / 2l
2
, AB
,B
So,
-cpa
-cpa
AdvE,PrpA-Bcpa (t , q, lq ) AdvEPrp
(t , q, lq ) AdvEPrp
(t , q, lq )
2
2
,B
-cpa
AdvEPrp-cpa (t , q, lq ) AdvEPrp
(t , q, lq )
2
If E is secure PRP then AdvEPrp-cpa (t , q, lq ) is small enough for security, thus
-cpa
AdvEPrp
(t , q, lq) is also small enough, so we know that E(2) is a secure PRP.
2
