Modern Crytpography Oct 16, 2018

Solutions to Homework 2
Lecturer: Krzysztof Pietrzak, TA: Michael Walter

1. The Shannon entropy H(X) and min-entropy H∞ (X) of a random variable X are given by
def
(below px = Pr[X = x]) X
H(X) = − log2 (px ) · px
x

H∞ (X) = min(− log(Pr[X = x])

x

The von-Neumann extractor vNE takes as input a sequence X1 , X2 , . . . , X2n of bits, it splits
it into two-tuples, and then maps each tuple (1, 0) to 1, (0, 1) to 0 and ignores all the tuples
(0, 0), (1, 1), e.g. vNE(0010011110) = 101 as shown below

00 |{z}
10 |{z}
01 11 |{z}
10
1 0 1

(a) What is the Shannon entropy and min-entropy of a sequence X1 , . . . , X2n (where the Xi
are independent and distributed as Pr[Xi = 1] = p) as a function of n, p and for concrete
parameters p = 0.1, n = 100.
Solution: We make use of the fact that H and H∞ are additive for independent distri-
butions:
Lemma 1 If X and Y are two independent random variables, then H(XY ) = H(X) +
H(Y ) and H∞ (XY ) = H∞ (X) + H∞ (Y ).
We give the proof for completeness, but it was not required to get full score for this
exercise:
Proof: We have
X
H(XY ) = −px py log2 (px py )
x,y
X
= −px py (log2 (px ) + log2 (py ))
x,y
X X
= −px py log2 (px ) + −px py log2 (py ))
x,y x,y
X X X X
= py −px log2 (px ) + px −py log2 (py ))
y x x y
X X
= py H(X) + px H(Y )
y x

= H(X) + H(Y )

PS2-1
 Similarily,

H∞ (XY ) = min(− log2 (px py ))

x,y

= min(− log2 (px ) − log2 (py ))

x,y

= min(− log2 (px )) + min(− log2 (py ))

x y

= H∞ (X) + H∞ (Y )

P P
Using Lemma 1 it easily follows that H(X) = i H(Xi ) and H∞ (X) = i H∞ (Xi ),
and since the Xi are all identically distributed, this simplifies to H(X) = 2nH(X1 ) and
H∞ (X) = 2nH∞ (X1 ). It remains to determine H(X1 ) and H∞ (X1 ). Using the defini-
tions, we get H(X1 ) = −p log2 (p)−(1−p) log2 (1−p) and H∞ (X1 ) = min(− log2 p, − log2 (1−
p)). To summarize,

H(X) = 2n(−p log2 (p) − (1 − p) log2 (1 − p))

H∞ (X) = 2n min(− log2 p, − log2 (1 − p))

For the specific values of p = 0.1 and n = 100, we get H(X) ≈ 93.8 and H∞ (X) ≈ 30.4.
An alternative acceptable solution without Lemma 1 would have been to directly evaluate
the probabilities of the individual strings. This would lead to the same result for H∞ (X),
but leads to the more cumbersome (but correct) formula:
n  
X n
H(X) = − pi log2 (pi )
i
i=0

where pi = pi (1 − p)n−i . This can also be evaluated and will lead to the same values for
specific p and n.
(b) Prove that the output vNE(X1 , . . . , X2n ) (with Xi as above) is uniformly random.
Solution: It is obvious that the output bits of vNE(X1 , . . . , X2n ) are independent, since
each is the result of a pair of random variables independent of the rest of the input. For
each input pair Xi Xi+1 (for odd i), the probability of vNE outputting a 1 is p(1 − p) and
the probability of a 0 is (p − 1)p. Since these are the same, and 0 and 1 are the only
possible outcomes, it follows that each output bit is an independent uniformly random
bit, which shows that the entire output is uniformly random.
(c) What is the expected output length as function of n, p and for concrete parameters
p = 0.1, n = 100.
Solution: We denote by |vNE(X1 , . . . , X2n )| the length of the output of vNE, which
Pitself a random variable, if the inputs X1 , . . . , X2n are. Since |vNE(X1 , . . . , X2n )| =
is
i |vNE(X2i−1 , X2i )|, we have by linearity of expectation,
n
X
E[|vNE(X1 , . . . , X2n )|] = E[|vNE(X2i−1 , X2i )|].
i

PS2-2
 Since the Xi are identically and independently distributed, so are the pairs X2i−1 , X2i ,
and so E[|vNE(X2i−1 , X2i )|] = E[|vNE(X1 , X2 )|], which yields

E[|vNE(X1 , . . . , X2n )|] = nE[|vNE(X1 , X2 )|].

Finally, we compute

E[|vNE(X1 , X2 )|] = Pr[|vNE(X1 , X2 )| = 1] = Pr[(X1 = 1 ∧ X2 = 0) ∨ (X1 = 0 ∧ X2 = 1)].

Since the events (X1 = 1 ∧ X2 = 0) and (X1 = 0 ∧ X2 = 1) are disjoint, this is

E[|vNE(X1 , X2 )|] = Pr[(X1 = 1 ∧ X2 = 0)] + Pr[(X1 = 0 ∧ X2 = 1)] = 2p(1 − p).

This gives us the final result:

E[|vNE(X1 , . . . , X2n )|] = 2np(1 − p).

For the specific values of p = 0.1 and n = 100 we get E[|vNE(X1 , . . . , X2n )|] = 18.

2. (2.3 in book) Prove or refute: An encryption scheme with message space M is perfectly
secret if and only if for every probability distribution over M and every c0 , c1 ∈ C we have
Pr[C = c0 ] = Pr[C = c1 ].

Solution: Recall that one of the definitions of perfect secrecy states that an encryption
scheme is perfectly secret if the ciphertext distribution does not depend on the message. In
other words, every message induces the same ciphertext distribution. The condition stated in
the exercise implies that every message induces the uniform ciphertext distribution. Clearly,
if that is true, then the scheme is also perfectly secret, since every message induces the same
ciphertext distribution (the uniform distribution). However, the condition is strictly stronger
than perfect secrecy, since there are perfectly secret schemes that do not meet the condition.
Since the question was if the condition is equivalent to perfect secrecy (i.e. “if and only if”),
the statement is wrong.
We now give a counterexample of a perfectly secret scheme, where above condition does not
hold. Let Π = (Gen, Enc, Dec) be any perfectly secure encryption scheme (for example the
One-Time Pad). We define Π0 = (Gen, Enc0 , Dec0 ) as

Enc0k (m):
c ← Π.Enck (m)
pick b uniformly at random from {0, 1}2
if b = 00
return c||0
else
return c||1

PS2-3
 Dec0 simply truncates the last bit from the ciphertext and uses Dec to decrypt the ciphertext.
Clearly, Π0 is correct if Π is. Furthermore, note that if the ciphertext distribution of Π does
not depend on the message, then neither does the ciphertext distribution of Π0 , since it is
the same distribution with a bit appended, and this bit is independent of the message. It
follows that Π0 is perfectly secret. However, the ciphertext distribution of Π0 is clearly not
uniform, since ciphertexts ending in 1 are three times as likely as ciphertexts ending in 0.
This contradicts the condition given in the exercise.

3. (2.13 in book) In this problem we consider definitions of perfect secrecy for the encryption
of two messages (using the same key). Here we consider distributions over pairs of messages
from the message space M; we let M1 , M2 be random variables denoting the first and sec-
ond message, respectively. (We stress that these random variables are not assumed to be
independent.) We generate a (single) key k, sample a pair of messages (m1 , m2 ) according
to the given distribution, and then compute ciphertexts c1 ← Enck (m1 ) and c2 ← Enck (m2 );
this induces a distribution over pairs of ciphertexts and we let C1 , C2 be the corresponding
random variables.

(a) Say encryption scheme (Gen, Enc, Dec) is perfectly secret for two messages if for all dis-
tributions over M × M, all m1 , m2 ∈ M, and all ciphertexts c1 , c2 ∈ C with Pr[C1 =
c1 ∧ C2 = c2 ] > 0:

Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2 ]
= Pr[M1 = m1 ∧ M2 = m2 ]

Prove that no encryption scheme can satisfy this definition.

Hint: Take c1 = c2

Solution: The definition requires the equation to hold for any distribution over pairs
of messages, any messages m1 , m2 and any ciphertexts c1 , c2 . We consider the uniform
distribution over M × M, any m1 , m2 such that m1 6= m2 and some ciphertext c ∈ C
with Pr[C1 = c ∧ C2 = c] > 0. Note that such a c must exist since Pr[M1 = M2 ] > 0
under the uniform message distribution, in which case Pr[C1 = c ∧ C2 = c] > 0.
1
It is clear that Pr[M1 = m1 ∧ M2 = m2 ] = |M| 2 under the distribution that we chose.

But due to the correctness of the scheme, we have that Pr[C1 = c ∧ C2 = c | M1 =

m1 ∧ M2 = m2 ] = 0 for m1 6= m2 , since otherwise decryption errors would necessarily
have non zero probability. Applying Bayes’ Theorem now shows that also Pr[M1 =
m1 ∧ M2 = m2 | C1 = c ∧ C2 = c] = 0, which contradicts the definition. Since this is
true for any encryption scheme, no encryption scheme can achieve this definition.
(b) Say encryption scheme (Gen, Enc, Dec) is perfectly secret for two messages if for all distri-
butions over M × M where the first and second messages are guaranteed to be different
(i.e., distributions over pairs of distinct messages), all m1 , m2 ∈ M, and all c1 , c2 ∈ C
with Pr[C1 = c1 ∧ C2 = c2 ] > 0:

Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2 ]
= Pr[M1 = m1 ∧ M2 = m2 ]

PS2-4
Show an encryption scheme that provably satisfies this definition.
Hint: The encryption scheme you propose need not be efficient, although an efficient
solution is possible.

Solution: We show that a generlized version of the mono-alphabetic substitution cipher

satisfies this definition. For any message space M, we define the substitution cipher as:
• Gen: select a permutation π over M uniformly at random and return it as key.
• Enc: on input a message m and key π, return π(m) as the ciphertext
• Dec: on input a ciphertext c and a key π, return π −1 (c) as the message.
Clearly, this scheme is correct. For any distribution over distinct message pairs, we have

Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2 ]
Pr[C1 = c1 ∧ C2 = c2 | M1 = m1 ∧ M2 = m2 ] Pr[M1 = m1 ∧ M2 = m2 ]
=
Pr[C1 = c1 ∧ C2 = c2 ]
Pr[C1 = c1 ∧ C2 = c2 | M1 = m1 ∧ M2 = m2 ] Pr[M1 = m1 ∧ M2 = m2 ]
=P
mi 6=mj Pr[C1 = c1 ∧ C2 = c2 | M1 = mi ∧ M2 = mj ] Pr[M1 = mi ∧ M2 = mj ]

Now notice that for any distinct m, m0 , we have

(|M| − 2)!
Pr[C1 = c1 ∧ C2 = c2 | M1 = m ∧ M2 = m0 ] =
|M|!

because exactly (|M|−2)! of the |M|! possible keys (which is picked uniformly at random)
def (|M|−2)!
yield the two ciphertext. So let δ = |M|! . Plugging it into the above equation yields

δ Pr[M1 = m1 ∧ M2 = m2 ]
Pr[M1 = m1 ∧ M2 = m2 | C1 = c1 ∧ C2 = c2 ] = P
i6=j δ Pr[M1 = mi ∧ M2 = mj ]

which is equal to Pr[M1 = m1 ∧ M2 = m2 ].

PS2-5