advertisement

CSE 207 Homework 1 Huaxia Xia 04/18/2001 Problem 1 Proof: If F is inner-product preserving, then we can design the following machine A to tell whether an oracle g is from family F or a random function: Adversary Ag: y1 g(0l); y1 g(10l-1); if <y1, y2> = <0l,10l-1> = 1, then return 1; else return 0; Then if g F, A will certainly return 1, Pr[ ExpFprf, A1 1] 1 If g is a random function, then Pr[ ExpFprf, A0 1] = Pr[<y1, y2> =1| y1, y2 are random L bits string] = Pr[there are odd positions on which y1, y2 are both ‘1’] So if y1=0L, then Ag=0; If y10L, i.e., there are some ‘1’ positions in y1. The value of Ag depends on the parity of the number of ‘1’ in the corresponding positions in y2, so 1 Pr[ ExpFprf, A0 1 | y1 0 L ] 2 So we have: Pr[ ExpFprf, A0 1] Pr[ y1 0 L ] 0 Pr[ y1 0 L ] Pr[ ExpFprf, A0 1 | y1 0 L ] 1 1 (1 L ) 2 2 Then 1 1 1 1 (1 L ) (1 L ) 2 2 2 2 1 1 AdvFprf (t ,2,2l ) max AdvFprf, A (t ,2,2l ) (1 L ) A 2 2 AdvFprf, A (t ,2,2l ) 1 The larger prf-advantage of F, the less security the algorithm has. So we know that F is not a secure PRF. Problem 2. Proof: Assume that adversary B for E(2) has the largest probability. Then we construct adversary AB for E as following: Adversary ABg: R K2 {0, 1}l Run adversary B, replying to its queries as follows: When B makes an oracle query x do: x’ E(K2, x) y g(x’) Return y to B as the answer. Until B stops and outputs a bit b Return b If g E, then g(E(K2, x) E(2), then ABg=1 if and only if Bg(E(K2, )=1. Since K2 is a randomly selected bits string, g(E(K2, ) is over E(2). So cpa1 cpa1 Pr[ ExpEprp 1] Pr[ ExpEprp 1] 2 , AB ,B If gE, then cpa0 cpa0 Pr[ ExpEprp 1] Pr[ ExpEprp 1] 1 / 2l 2 , AB ,B So, -cpa -cpa AdvE,PrpA-Bcpa (t , q, lq ) AdvEPrp (t , q, lq ) AdvEPrp (t , q, lq ) 2 2 ,B -cpa AdvEPrp-cpa (t , q, lq ) AdvEPrp (t , q, lq ) 2 If E is secure PRP then AdvEPrp-cpa (t , q, lq ) is small enough for security, thus -cpa AdvEPrp (t , q, lq) is also small enough, so we know that E(2) is a secure PRP. 2