Scribd
Upload
501 views

Homework Solutions Cryptography

This document contains solutions to problems from a cryptography course. Problem 1 discusses counter-mode encryption using a fixed nonce. Problem 2 modifies an encryption scheme to be secure against chosen-plaintext attacks by including an additional random string. Problem 3 discusses proving security of an authentication scheme by showing nonces do not overlap except with negligible probability. Problem 4 describes a forgery attack on a MAC construction. Problem 5 discusses the security of a variant of CBC-MAC where the block length is chosen by an adversary.

Uploaded by

markkiksmith
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
501 views

Homework Solutions Cryptography

This document contains solutions to problems from a cryptography course. Problem 1 discusses counter-mode encryption using a fixed nonce. Problem 2 modifies an encryption scheme to be secure against chosen-plaintext attacks by including an additional random string. Problem 3 discusses proving security of an authentication scheme by showing nonces do not overlap except with negligible probability. Problem 4 describes a forgery attack on a MAC construction. Problem 5 discusses the security of a variant of CBC-MAC where the block length is chosen by an adversary.

Uploaded by

markkiksmith
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

University of Maryland

CMSC858K Introduction to Cryptography


Professor Jonathan Katz

Problem Set 2 Solutions


Thanks to Dov Gordon for his help with these solutions
1. We use counter-mode encryption, but use the fixed nonce 1 rather than a random nonce.
More formally, let F be a pseudorandom function that (for security parameter n) maps n-bit
strings to n-bit strings. Then the encryption of a message m = m 1 k km` (with |mi | = n)
using key k is given by:
m1 Fk (h1i) k m2 Fk (h2i) k k m` Fk (h`i),
where hii denotes the n-bit representation of the integer i. Decryption is done in the obvious
way.
This scheme handles arbitrary-length messages (that are a multiple of the block-length, n)
and a proof that it has indistinguishable encryptions in the presence of an eavesdropper is
essentially as in class. (The only potential problem is a wrap-around in the counter, but
this only occurs if the message has block-length greater than 2 n . A polynomial-time adversary
cannot output a message this long for n sufficiently large.) Be sure that you would be able to
write such a proof, if asked, on an exam!
The scheme is trivially insecure against a multi-message attack since it is deterministic.
2. (With help from a large hint in Goldreichs book [Chapter 5, exercise 33])
We start with the scheme (Enc, Dec) we saw in class: Let F be a pseudorandom function,
and define Enck (m) as follows: choose r {0, 1}n , and output hr, Fk (r) mi. We modify
this encryption scheme in the following way. Keys are now 2n bits long (parsed as two n-bit
strings k, s) and encryption is defined as:

h0, s, Enc k (m)i if m 6= s
Enc0k (m) =
h1, k, Enc k (m)i if m = s
Decryption simply ignores the first two components of the ciphertext.
It is easy to see that this scheme is not secure against chosen-plaintext attacks. Using two
adaptively-chosen queries to the encryption oracle, the adversary can recover k, at which
point the scheme is completely broken.
Consider the adversary that attempts to distinguish whether a vector of ciphertexts corresponds to the encryption of the vector (m 01 , . . . , m0` ) or the vector (m11 , . . . , m1` ). (Where these
vectors are both output at once.) It is not too hard to see that, unless there exists an i, b with
mbi = s, the modified encryption Enc0 is as secure as the original encryption Enc. Because s
is a randomly-chosen n-bit string, and all the messages are output by the adversary before it
has any information about s, the probability that there exists an i, b with m bi = s is negligible.
This can easily be turned into a proof that (Enc 0 , Dec0 ) is secure in the sense of multi-message
indistinguishability: Let A0 be a ppt adversary attacking 0 = (Enc0 , Dec0 ) in the sense of
multi-message indistinguishability, and construct the following ppt adversary A attacking
1

in the same sense: A runs A0 , obtains two vectors of messages, and outputs these vectors.
When A is given a vector of ciphertexts (c 1 , . . . , c` ), it chooses a random s {0, 1}n and
gives to A0 the vector (h0, s, c1 i, . . . , h0, s, c` i). Then A outputs whatever guess is output
by A0 .
Because the view of A0 , above, is only different from its view when attacking 0 if s {mbi },
we have
Pr[A guesses correctly when attacking ]
h
i
Pr[A0 guesses correctly when attacking 0 ] Pr s {mbi } .


We have already noted that Pr s {mbi } is negligible. Since security of implies that
Pr[A guesses correctly when attacking ]

1
+ negl(n)
2

for some negligible function negl, we have


Pr[A0 guesses correctly when attacking 0 ]

1
+ negl0 (n),
2

for some negligible function negl 0 . This shows that 0 is secure in the desired sense.
3. Say nonces r and r 0 overlap if |r r 0 | < `(n). A proof of security boils down to showing that
the probability that some pair of nonces overlap is negligible. (Make sure you understand
why this is the case!)
Let overlapi,j denote the event that nonces ri and rj overlap, and let Overlap denote the event
that some pair of nonces overlap. Note that Pr[overlap i,j ] = (2`(n) 1)/2n , assuming each
nonce is uniformly-random n-bit string.
Then

Pr[Overlap] = Pr

i6=j

overlapi,j
=

Pr[overlapi,j ]

i6=j

X 2`(n) 1
i6=j

2n


 
q(n)
2`(n) 1
,

2n
2

since q(n) nonces are chosen. This is negligible in n, concluding the proof.
4. The adversary queries the oracle with some (arbitrary) message m of length n, where n is the
input/output length of the PRF Fk . He receives in response a tag M ACk (m) = Fk (0n m) =
Fk (m). He then queries the message mk0 n and receives the tag M ACk (mk0n ) = Fk (Fk (m)).
Finally, he outputs the (message, tag) pair (F k (m), Fk (Fk (m))). Note that the adversary had
never queried the oracle with the message F k (m), and M ACk (Fk (m)) = Fk (Fk (m)), so this
is a forgery.
5. (a) The scheme in the problem is secure. To formally prove this, we need to modify the
standard experiment defining security of a message authentication code. Consider the
following experiment:
i. A random key k is chosen.
2

ii. The adversary A gets to specify some (polynomial) length i , and then gets to
interact with an oracle that computes CBC-MAC using key k for messages of blocklength i .
iii. The adversary succeeds if it outputs a message/tag pair (m, t) such that (1) m has
block-length i ; (2) m was never queried to the MAC oracle; and (3) t is a CBC-MAC
tag on m with respect to key k.
Although we did not explicitly state this in class, it can be shown that if F is a pseudorandom function then any ppt adversary A succeeds with only negligible probability in
the above experiment. (In class, we assumed the length was fixed, not chosen by A.)
Say we have an adversary A0 attacking the variant of CBC-MAC as in the problem.
Let (n) be the probability that A0 succeeds in outputting a forgery. We construct an
adversary A as follows: first, it guesses a random i {1, . . . , `} and outputs it. Then
it chooses keys ki {0, 1}n for all i 6= i , and runs A0 . When A0 requests a MAC for a
message m, there are two cases:
If m has length i , then A requests a MAC on m from its own MAC oracle and
returns the result to A0 .
If m has length i 6= i , then A computes the MAC on its own using key k i .
When A0 outputs (m, t), if m has length i then (m, t) is output by A.
Note that (1) A carries out a valid attack on the original CBC-MAC (as discussed
above), and (2) A provides a perfect simulation for A 0 . Since i is chosen at random and
is independent of the view of A0 , the probability that its final output (m, t) has length i
is 1/`(n) and the probability that A outputs a forgery is (n)/`(n). Because this must
be negligible (by security of regular CBC-MAC), we conclude that  is negligible as well.
(b) Let k be a key of length n, and let F be a pseudorandom function. Then to compute a
MAC on a message m of length i, do:
i. Set ki := Fk (i).
ii. Compute a CBC-MAC on m using key k i .
We leave the proof that this is secure as an exercise.

You might also like