
Assignment 1

Uploaded by

Tinklus Pinklus

CS783: Theoretical Foundations of Cryptography Fall 2024

Assignment 1
Instructor: Chethan Kamath

Exercise 1 (Classical ciphers [KL14]). Let’s understand the conditions under which some
of the classical ciphers we discussed in Lecture 2 become perfectly secure.

1. Show that (monoalphabetic) shift cipher is perfectly secure for messages of length
one, i.e., message-space $\{a, \ldots, z\}$.

2. What is the maximum message-space for which (monoalphabetic) substitution cipher
is perfectly secure?

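Exercise 2 (Statistical secrecy). An SKE $\Pi = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec})$ is said to be
statistically-secret if for every eavesdropper Eve

$$\delta(n) := \Pr_{\substack{(m_0,m_1)\leftarrow \mathsf{Eve}(1^n)\\ k\leftarrow \mathsf{Gen}(1^n)\\ c\leftarrow \mathsf{Enc}(k,m_0)}}[\mathsf{Eve}(c) = 0] \;-\; \Pr_{\substack{(m_0,m_1)\leftarrow \mathsf{Eve}(1^n)\\ k\leftarrow \mathsf{Gen}(1^n)\\ c\leftarrow \mathsf{Enc}(k,m_1)}}[\mathsf{Eve}(c) = 0]$$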

is negligible (as defined in Lecture 3). Since we allow a slack, this is a weaker requirement
than perfect secrecy. Does Shannon’s impossibility still extend to statistically-secret SKE
schemes?
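
As an added illustration (not part of the original assignment sheet), the following Python computes exactly the largest δ that any Eve, even an unbounded one, can reach against the monoalphabetic shift cipher for a fixed pair of messages. That value is the statistical distance between the two ciphertext distributions under a uniform key. The function names, the key space {0, ..., 25} and the lowercase alphabet are assumptions made for this example.

```python
from collections import Counter
from fractions import Fraction
from string import ascii_lowercase as ALPHA


def shift_enc(k, m):
    """Monoalphabetic shift cipher: every letter of m is shifted by the same key k."""
    return "".join(ALPHA[(ALPHA.index(ch) + k) % 26] for ch in m)


def ciphertext_dist(m):
    """Exact distribution of Enc(k, m) when k is uniform over {0, ..., 25}."""
    counts = Counter(shift_enc(k, m) for k in range(26))
    return {c: Fraction(n, 26) for c, n in counts.items()}


def best_advantage(m0, m1):
    """Statistical distance between the ciphertext distributions of m0 and m1.

    This equals the maximum over all Eve of
    Pr[Eve(c)=0 | c<-Enc(k,m0)] - Pr[Eve(c)=0 | c<-Enc(k,m1)].
    """
    d0, d1 = ciphertext_dist(m0), ciphertext_dist(m1)
    support = set(d0) | set(d1)
    return sum(abs(d0.get(c, 0) - d1.get(c, 0)) for c in support) / 2


def worst_case_advantage(messages):
    """Largest advantage over every ordered pair drawn from a message space."""
    return max(best_advantage(a, b) for a in messages for b in messages)


if __name__ == "__main__":
    # Message space {a, ..., z}: every pair gives identical ciphertext distributions.
    print("length 1:", worst_case_advantage(list(ALPHA)))
    # Length two: "aa" always encrypts to a doubled letter, "ab" never does.
    print("aa vs ab:", best_advantage("aa", "ab"))
    # Same letter gap in both messages: distributions coincide again.
    print("ab vs bc:", best_advantage("ab", "bc"))
```
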

Exercise 3 (One-time pad (OTP)). Recall the definition of OTP from Lecture 2.

1. The goal of this exercise is to help you understand more about randomness in the
encryption algorithm. Recall that the encryption algorithm of OTP is deterministic.
Modify OTP to come up with two perfectly-secure SKE schemes $\mathsf{PS}_1$ and $\mathsf{PS}_2$ that
have randomised encryption algorithms, and such that leaking the random coins used
in encryption leads (a) $\mathsf{PS}_1$ to become insecure and (b) $\mathsf{PS}_2$ to remain secure.

2. Let’s consider OTP against a tampering adversary Tam who can modify a ciphertext
$c$ of some message $m = m_0 \cdots m_{\ell-1} \in \{0,1\}^{\ell}$ before it reaches the recipient,
Caesar’s general. Can Tam tamper $c$ to some ciphertext $c'$ such that Caesar’s general
decrypts $c'$ to each of the following? If your answer is ‘yes’, then describe Tam; if it is
‘no’, justify.

(a) $m \oplus (110^{\ell-2})$, i.e., $m$ with the first two bits flipped (assume $\ell \geq 2$)
(b) $0^n$
(c) $m_1 m_0 m_2 \cdots m_{\ell-1}$, i.e., the first two bits of $m$ swapped

3. Suppose an OTP key is used to encrypt two messages $m_0$ and $m_1$ of your choice.
Is it possible to recover the key with certainty?

CS783 Page 1 of 3 Assignment 1


Exercise 4 (Negligible functions). Recall the definition of negligible functions from
Lecture 3.

1. Are $f_p$ and $f_M$ negligible, and why? Here, a Mersenne prime is a prime of the form
$M_n := 2^n - 1$.

$$f_p(n) := \begin{cases} 1/n^{314159} & \text{if } n \text{ is a prime} \\ 1/2^n & \text{otherwise} \end{cases}$$

$$f_M(n) := \begin{cases} 1/n^{314159} & \text{if } M_n \text{ is a Mersenne prime} \\ 1/n^{\log(n)} & \text{otherwise} \end{cases}$$

2. If $\nu_1$ and $\nu_2$ are negligible functions, which of the following functions are also
(always) negligible? In case the function is negligible, provide a security reduction;
in case not, provide a counter-example.

(a) $f_+(n) := \nu_1(n) + \nu_2(n)$
(b) $f_\times(n) := \nu_1(n) \times \nu_2(n)$
(c) $f_\div(n) := \nu_1(n) \div \nu_2(n)$

Exercise 5 (Message length in definitions [KL14]). Recall the definition of adversarial
indistinguishability (Definition 4) from Lecture 3. I didn’t stress during the lecture that
the messages $m_0, m_1$ that Eve outputs must be of same length (i.e., $|m_0| = |m_1|$). You will
try to understand why through this exercise. Prove that a $\Pi$ that supports arbitrary length
messages (i.e., the message-space is $\{0,1\}^*$) cannot satisfy adversarial indistinguishability
if Eve is not restricted to challenging on equal length messages.

Exercise 6 (PRGs). Recall the definition of PRGs from Lecture 3.

1. Let $G$ be a PRG that stretches from $n$ bits to $n + 1$ bits. Which of the following
candidates based on $G$ are also (always) PRGs? In case your claim is that a candidate
is a PRG, provide a proof; in case not, provide a counter-example and the efficient
distinguisher.

(a) Duplicating PRG: $G_d(s) := s \| s$, where $\|$ denotes string concatenation

(b) Leaky PRG: $G_\ell(s \| b) := G(s) \| b$, where $b \in \{0,1\}$

(c) Complementary PRGs $G_1(s) := G(s)$ and $G_2(s) := G(s)$, where for a bit-string
$s$, $\bar{s}$ denotes bit-complement.

(d) Singly punctured PRG:

$$G_p(s) := \begin{cases} 0^{|s|+1} & \text{if } s \text{ of the form } 0^{|s|} \\ G(s) & \text{otherwise} \end{cases}$$

(e) Mildly punctured PRG:

$$G_m(s) := \begin{cases} 0^{|s|+1} & \text{if } s \text{ of the form } 0^{\lceil \sqrt{|s|} \rceil} \| \{0,1\}^* \\ G(s) & \text{otherwise} \end{cases}$$


(f) Heavily punctured PRG:

$$G_h(s) := \begin{cases} 0^{|s|+1} & \text{if } s \text{ of the form } 0^{\lfloor \log(|s|) \rfloor} \| \{0,1\}^* \\ G(s) & \text{otherwise} \end{cases}$$

(g) Prefixing PRG: $G_f(s) := G(0^{|s|} \| s)$

2. Recall the definition of computational indistinguishability (CI) at the end of Lecture 3.
Show formally that CI is a transitive property. That is, if $X_1$ is CI from $X_2$,
and $X_2$ is CI from $X_3$, then $X_1$ is CI also from $X_3$.

References
[KL14] Jonathan Katz and Yehuda Lindell. Introduction to Modern Cryptography (3rd ed.). Chapman and Hall/CRC, 2014.
