
CRYPTOLOGY II - EXERCISE SESSION 1

SANJA SCEPANOVIC

Exercise 1. A company holds electronic lotteries briefly described below. A secure hardware is used to generate the output $x \in \{0,1\}^{20}$. The input $x$ is fed into a specially designed garbling algorithm (worldwide patented), which takes in $x$ and broadcasts a garbled output $y$ to everybody. All participants submit their guesses $q_i$ about $x$. The company releases $x$ and everybody uses the description of the garbling algorithm to verify that $y$ was computed from $x$. The one who guessed $x$ gets a prize.

(a) Formalise the lottery system using abstract primitives for appropriate actions. Describe such functional requirements that the organiser cannot cheat and that participants can verify the correctness.

(b) Define an attack scenario where participants try to cheat. Quantify the success of the malicious participant. Formalise the corresponding security definition.

(c) Show that no garbling algorithm can meet the functional requirements and be secure at the same time.

1. Solution

(a) The electronic lottery system may be represented as in the diagram below.

Figure: garbling circuit with input $x$ and output $y$, which is broadcast to the participants $P_1, \ldots, P_5$.

The requirement that the organizer cannot cheat means he cannot find two different values $x_1, x_2 \in \{0,1\}^{20}$ such that their garbled values are equal. This means that the garbling function should be one-to-one, i.e., an injection.

The requirement that the participants can verify correctness is fulfilled since the garbling algorithm is worldwide patented, i.e., its description is public.

(b) A scenario where a participant wants to cheat is the following. He/she will try to brute force the garbling algorithm on all possible inputs $x \in \{0,1\}^{20}$, comparing whether the output is equal to $y$. The maximum number of executions necessary to find the correct $x$ is $2^{20}$.

Date: 28 April, 2011. 1991 Mathematics Subject Classification. MTAT.07.003 Cryptology II. Key words and phrases. Formalisation of cryptographic primitives, Self-reducibility and Diffie-Hellman problem. These exercises are submitted by me as part of the course Research Seminar on Cryptography given by Swen Laur, spring 2011.

The formal security definition for the attack scenario is given below:

$$\mathcal{G}^{\mathcal{A}} = \left[\begin{array}{l} x \leftarrow \mathbb{Z}_{2^{20}} \\ s \leftarrow \mathcal{A}^{g(\cdot)}(g(x)) \\ \text{return } [s \overset{?}{=} x] \end{array}\right]$$

By choosing a random input as its output $s$, the adversary can always guess the secret with probability $2^{-20}$. Since this strategy requires almost no computational resources, the success probability $2^{-20}$ is often considered trivial and subtracted from the winning probability to count the non-trivial advantage. The latter assures that, in principle, one could design a garbling circuit such that, for a certain time bound, the advantage $\mathrm{Adv} = 0$ is achievable:

$$\mathrm{Adv}(\mathcal{A}) = \Pr[\mathcal{G}^{\mathcal{A}} = 1] - 2^{-20}.$$

(c) No garbling algorithm $g(x)$ can be functional and secure at the same time, due to the previous discussion. Namely:

(i) If it is functional, i.e., $t_g$ as defined above is relatively small, then it is not secure, as the attacker will be able to run it $2^{20}$ times.

(ii) If the garbling algorithm is secure, then by the same argument in the opposite direction it cannot be a functional (i.e., relatively fast) algorithm.
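As an added example (not part of the original exercise sheet), the game $\mathcal{G}^{\mathcal{A}}$ from (b) and the exhaustive adversary from (c) in Python. SHA-256 stands in for the patented garbling algorithm (an assumption; the real algorithm is not described), treated as injective on the inputs used, which is exactly the functional requirement from (a). The bit length $n$ is a parameter so that the game can be run quickly at small sizes; the exercise's $n = 20$ is used in the main block.

```python
import hashlib
import secrets


def garble(x: int, n: int) -> bytes:
    """Stand-in for the patented garbling algorithm g (assumption: SHA-256 of the
    n-bit input, treated as injective on {0,1}^n, which is the functional requirement)."""
    return hashlib.sha256(x.to_bytes((n + 7) // 8, "big")).digest()


def random_guess_adversary(y: bytes, n: int) -> int:
    """The trivial adversary: ignores y and guesses uniformly, winning with probability 2^-n."""
    return secrets.randbelow(1 << n)


def exhaustive_adversary(y: bytes, n: int) -> int:
    """Part (c): g is public and its domain has only 2^n elements, so at most 2^n
    evaluations of g invert any garbled value y, whatever g is."""
    for x in range(1 << n):
        if garble(x, n) == y:
            return x
    raise ValueError("y is not the garbling of any n-bit input")


def lottery_game(adversary, n: int) -> bool:
    """The game G^A of part (b): x <- {0,1}^n, s <- A(g(x)), return [s == x]."""
    x = secrets.randbelow(1 << n)
    s = adversary(garble(x, n), n)
    return s == x


def advantage(adversary, n: int, trials: int) -> float:
    """Adv(A) = Pr[G^A = 1] - 2^-n, with Pr[G^A = 1] estimated over repeated games."""
    wins = sum(lottery_game(adversary, n) for _ in range(trials))
    return wins / trials - 2.0 ** -n


if __name__ == "__main__":
    N = 20  # the exercise's 20-bit input space: about a million evaluations per game
    print("exhaustive adversary advantage:", advantage(exhaustive_adversary, N, 3))
    print("random-guess adversary advantage:", advantage(random_guess_adversary, N, 1000))
```

The exhaustive adversary reaches advantage $1 - 2^{-n}$ for any choice of $g$, which is the content of (c): with a 20-bit input space the hiding property cannot hold against anyone willing to spend $2^{20}$ evaluations, regardless of how the garbling is designed.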

Exercise 2. Let $G$ be a finite group such that all elements $y \in G$ can be expressed as powers of $g \in G$. Then the Decisional Diffie-Hellman (DDH) problem is the following. Given $x = g^a$ and $y = g^b$ and $z$, decide whether $z = g^{xy}$ or not.

(a) Show that the Decisional Diffie-Hellman problem can be reduced to the Computational Diffie-Hellman problem, i.e., for any algorithm $\mathcal{A}$ that achieves $\mathrm{Adv}^{cdh}_G(\mathcal{A})$, there exists an oracle algorithm $\mathcal{B}^{\mathcal{A}}$ that has roughly the same running time, and give an estimate of the advantage

$$\mathrm{Adv}^{ddh}_G(\mathcal{B}) \doteq \Big|\Pr\big[x, y, z \leftarrow G : \mathcal{B}(x,y,z) = 1\big] - \Pr\big[x, y \leftarrow G,\ z \leftarrow g^{\log x \log y} : \mathcal{B}(x,y,z) = 1\big]\Big| .$$

(b) Provide reductions between the DL, CDH and DDH problems.

(c) Show that if there exists an efficient procedure that can always compute the highest bit of $\log_g(y)$, then the DL problem is easy.

2. Solution

(a) The reduction of DDH to CDH is given in the figure below. For an adversary $\mathcal{B}$, who is a DDH finder, if we can use an existing CDH finder $\mathcal{A}$ as an oracle, then $\mathcal{B}^{\mathcal{A}}$ has roughly the same running time as $\mathcal{A}$. Namely, $\mathcal{B}$ will query $\mathcal{A}$ with the arguments $x$ and $y$ to obtain $g^{\log x \log y}$, then compare that value to its own third input argument $z$, and output YES if they are equal and NO otherwise.

For the advantage of $\mathcal{B}$ we can give an estimate using the following observations:


Figure 1. Reduction of DDH to CDH.

$$\Pr\big[x, y \leftarrow G,\ z \leftarrow g^{\log x \log y} : \mathcal{B}(x,y,z) = 1\big] \doteq \mathrm{Adv}^{cdh}_G(\mathcal{A})$$

and

$$\Pr\big[x, y, z \leftarrow G : \mathcal{B}(x,y,z) = 1\big] \doteq 1/|G| .$$

Using these observations and the one given for $\mathrm{Adv}^{ddh}_G(\mathcal{B})$, we find the following lower bound on the advantage $\mathrm{Adv}^{ddh}_G(\mathcal{B})$:

$$\mathrm{Adv}^{ddh}_G(\mathcal{B}) \geq \mathrm{Adv}^{cdh}_G(\mathcal{A}) - 1/|G| .$$

The reduction given here, stated in simple words, means that DDH is a stronger assumption than CDH. Actually, it is a much stronger assumption: for example, there exist discrete groups where CDH is considered a difficult problem, but in which algorithms for distinguishing the distributions $z \leftarrow G$ and $\tilde z \leftarrow g^{\log x \log y}$ exist (for given $g$, $x$ and $z$).

The relation that one problem is reducible to another is often denoted by the inequality sign $\leq$, so we have shown CDH $\leq$ DDH.

(b) The relation between CDH and DL is given in the lecture slides, where the reduction is shown for DL $\leq$ CDH. Using what we showed in the previous question and what is stated now, by transitivity we also conclude DL $\leq$ DDH.

(c) We want to show that, if there exists an oracle algorithm that answers in polynomial time what the highest bit of $\log_g y$ is, then we can construct an algorithm that will, also in polynomial time, find $x = \log_g y$, i.e., that will solve the DL problem using the given oracle.

Such an algorithm may be constructed in multiple ways. First, we present a solution for the case when the group $G$ is a modular group whose modulus $p$ is a prime. The solution is given in the algorithm below. In this case, we first obtain the lowest bit $x_i$ of $\log_g y$. The lowest bit of a logarithm in a modular group with prime modulus can be calculated from the Legendre symbol, i.e., as shown in the algorithm, we need to calculate $y^{\frac{p-1}{2}}$.

Afterwards we need to obtain the square roots of $y$. In the case of a prime modulus, there are exactly two square roots. The algorithm to find the two square roots of $y$, let us denote them $y_1$ and $y_2$, is simple in the case when $p \bmod 4 = 3$, but it becomes a bit more complex in other cases. One solution is given in the online resource [2]. The difficulty of the square root problem comes in deciding which of the two square roots that we obtain using such an algorithm is the principal square root. By definition, the principal square root $y_j = g^{x_j}$ is the square root for which $0 < x_j < \frac{p-1}{2}$ holds. The oracle $\mathcal{A}$ is used to help distinguish the principal square root, as shown in the algorithm below. The oracle is queried $p$ times, until all the bits of $x$ are output.

Algorithm 1: solving DL by querying the oracle for the highest bit of $\log_g y$

    read input $y$; we assume $x = \log_g y = [x_1 x_2 \ldots x_p]$ in bits
    $i := p$
    while ($y \neq 1$):
        print $x_i$ := the last bit of $\log_g y$
            {we know the last bit of $\log_g y$ from the Legendre symbol:
             if $\left(\frac{y}{p}\right) = 1$, i.e., $y$ is a QR, then $x_i = 0$;
             if $\left(\frac{y}{p}\right) = -1$, i.e., $y$ is a QNR, then $x_i = 1$}
        if ($x_i = 1$) then $y := y / g$
        find the two square roots of $y$ and denote them by $y_1$ and $y_2$:
            to find out whether $y_1$ is the principal square root, query the oracle for
            the highest bit of $\log_g y_1$ and denote the output of the oracle by $s$
        if ($s = 0$) then $y := y_1$ else $y := y_2$
        $i := i - 1$

Second, we give a general solution for a modular group $G$ with $|G| = m$ in Figure 2.

Figure 2. Algorithm for solving DL using existing oracle A thatreturns MSB for DL.

The generic constructions given above show how we can use the oracle $\mathcal{A}$, assuming that $\mathcal{A}$ will always return the correct answer.


However, if we wanted to prove a similar result while allowing that $\mathcal{A}$ returns the correct answer only with probability $0 < \varepsilon < 1$, it would require a rather complex proof; we refer to [1] for it.
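Algorithm 1 in Python, as an added example that is not part of the original solution. The oracle $\mathcal{A}$ is simulated (an assumption: no such oracle is known for real groups) by an exhaustive discrete-log table over constructed toy groups, and "highest bit" is modelled as the predicate $[\log_g y \geq (p-1)/2]$, which is exactly what separates the principal square root from the other one; for $p = 257$ (order 256) this is literally the top bit of the 8-bit exponent. Tonelli-Shanks handles the $p \not\equiv 3 \pmod 4$ case that the text leaves to [2].

```python
# Constructed parameters: Z_p^* for p = 257 (generator g = 3) and p = 23 (generator g = 5).
# The sizes are tiny so that the oracle can be simulated by brute force; they are not security parameters.


def legendre(a, p):
    """Euler's criterion: a^((p-1)/2) mod p, which is 1 for a QR and p-1 (i.e. -1) for a QNR."""
    return pow(a, (p - 1) // 2, p)


def sqrt_mod_prime(a, p):
    """One square root of the quadratic residue a modulo the prime p.
    p = 3 (mod 4): a^((p+1)/4); otherwise Tonelli-Shanks. The other root is p - result."""
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)
    q, s = p - 1, 0                      # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                # any quadratic non-residue
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                     # least i with t^(2^i) = 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def make_msb_oracle(p, g):
    """Simulates the oracle A of (c): returns 1 iff log_g y >= (p-1)/2, i.e. y is NOT the
    principal root in the sense of the text. The simulation computes the logarithm by
    exhaustive search, which only the toy group size permits."""
    table, v = {}, 1
    for x in range(p - 1):
        table[v] = x
        v = v * g % p
    return lambda y: 1 if table[y] >= (p - 1) // 2 else 0


def dlog_with_msb_oracle(p, g, y, oracle):
    """Algorithm 1 of the text: peel off log_g y one bit at a time. The LSB comes from the
    Legendre symbol; divide by g if it is odd; then halve the exponent by moving to the
    square root that the oracle identifies as the principal one."""
    g_inv = pow(g, p - 2, p)
    bits = []                            # bits of x, least significant first
    while y != 1:
        lsb = 0 if legendre(y, p) == 1 else 1
        bits.append(lsb)
        if lsb:
            y = y * g_inv % p            # now log_g y is even
        r1 = sqrt_mod_prime(y, p)
        r2 = p - r1
        y = r1 if oracle(r1) == 0 else r2   # keep the principal root: exponent halves
    return sum(b << k for k, b in enumerate(bits))


if __name__ == "__main__":
    for p, g, x in ((257, 3, 173), (23, 5, 17)):
        y = pow(g, x, p)
        print(p, g, x, dlog_with_msb_oracle(p, g, y, make_msb_oracle(p, g)))
```

Each loop iteration makes one oracle query and one square-root computation, and the exponent at least halves, so the oracle is queried at most $\lceil \log_2 (p-1) \rceil$ times before $y = 1$ and all bits of $x$ have been emitted.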

References

[1] Blum, Manuel and Micali, Silvio, How to generate cryptographically strong sequences of pseudo-random bits, SIAM J. Comput., 1984.

[2] How to compute modular square roots when modulus is prime, http://groups.google.com/group/aliquot/web/square-root-modulo-prime?pli=1, page accessed May 2011.

Appendix A. Licence

This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.


CRYPTOLOGY II - EXERCISE SESSION 2

SANJA SCEPANOVIC

Exercise 1. Let $G$ be a finite group such that all elements $y \in G$ can be expressed as powers of $g \in G$. Then the discrete logarithm problem is the following. Given $y \in G$, find the smallest integer $x$ such that $g^x = y$ in the finite group $G$. The discrete logarithm problem is known to be hard in general, i.e., all universal algorithms for computing the logarithm run in time $\Omega(\sqrt{|G|})$.

(a) Show that for a fixed group $G$, there exists a Turing machine that finds the discrete logarithm for every $y \in G$ in $O(\log_2 |G|)$ steps.

(b) Show that for a fixed group $G$, there exists an analogous Random Access Machine that achieves the same efficiency.

(c) Generalise the previous construction and show that for every fixed function $f : \{0,1\}^n \to \{0,1\}^m$ there exists a Turing machine and a Random Access Machine such that they compute $f(x)$ for every input $x \in \{0,1\}^n$ in $O(n+m)$ steps.

(d) Are these constructions also valid in practice? Explain why these inconsistencies disappear when we formalise algorithms through universal computing devices.

1. Solution

(a) The group $G$ with $|G| = p - 1$ is fixed. We create a table consisting of the pairs $(1, g); (2, g^2); \ldots; (p-1, g^{p-1})$. The program of the Turing machine (TM) should use the described structure as a look-up table, in a binary search manner.

For input $y$ on the input tape, the algorithm should read the first bit. If with this the input has ended, i.e., if it was a 1-bit number, then the result is output; else the algorithm continues to branch according to the rest of the bits, until the last bit of the input is read. The algorithm below represents the described TM behaviour:

    if y == 0 then print $\bot$ (for undefined)
    if y == 1 then print 0
    else
        for y = 0 go to state $s_L$
        for y = 1 go to state $s_R$

Date: 29 April, 2011. Key words and phrases. Turing Machines; Random Access Machines; Total probability formula and analysis by exhaustive decomposition. These exercises are submitted by me as part of the course Research Seminar on Cryptography given by Swen Laur, spring 2011.


And from each state, we would have a preprogrammed next state depending on whether we read 1 or 0. When we reach the end of the input $y$, the state would be HALT and $f(y)$, i.e., the element from the precomputed table that corresponds to $g^x = y$, is output on the resulting tape.

Figure 1. TM finite-state diagram

It is clear that the described program will output the result in $\log_2 y$ steps, i.e., at most it will take $\log_2 |G|$ steps.

(b) We should use a very similar idea as in the previous question, this time by creating a similar table in the RAM model, which would be kept in its registers $R$:

$$\begin{array}{c|c|c|c|c} \bot & g & g^2 & \cdots & g^{p-1} \\ \hline 0 & 1 & 2 & \cdots & p-1 \end{array}$$

If we think of a Harvard-architecture RAM, this table would belong to the finite-state portion of the machine together with the program.

On input $y$, such a RAM machine would output $R[y]$, where we would utilise the RAM machine's direct addressing capability.

(c) For a general function $f : \{0,1\}^n \to \{0,1\}^m$, a specific TM for calculating the function would have a finite-state representation as in Figure 1.

From there we see that for an input $y$ (of length $n$), $n$ steps are needed for finding the value in the look-up table and $m$ steps are needed to output the result from $\{0,1\}^m$ (of length $m$).

Similarly we would evaluate the complexity of the program in the case of the RAM model.

(d) Those algorithms are not consistent with our experience in reality. The reason is that the computational models above allow precomputation and arbitrarily large programs (though still finite). Thus, actually, the real load of computation lies in the phase before the models even start “computing” the functions.

In case we try to use a similar approach for a universal computing model, let us reason about what would cause the inconsistency.


A universal TM for all the possible groups would require different programs for all of them. Thus the asymptotic complexity with respect to groups of different sizes $G_1, G_2, \ldots$ would require that the corresponding TM be infinite.

For a fixed group $G$ and a universal computing device, the running time of the construction is $O(\text{program length}) + O(\text{running time})$. A universal TM takes the program code as its first input, and thus reaching the first argument takes at least $O(\text{program length})$ time for a single input tape. For a multi-input tape, note that a command (value, state, head move) can take $O(\text{program length})$ time, as the next instruction can be far away.

In a practical computing device the same problems occur if the program does not fit into the main memory. The physical limitation is $O(\text{program length}^{1/3})$.

Exercise 2. Let $\mathcal{A}_1, \ldots, \mathcal{A}_5$ be algorithms for finding the discrete logarithm such that the success probability is bounded by

$$49 \cdot \mathrm{Adv}^{dl}_G(\mathcal{A}_i) \;\geq\; \Pr\big[x \leftarrow \mathcal{A}_i(y) : y = g^x\big] \;\geq\; 7 \cdot \mathrm{Adv}^{dl}_G(\mathcal{A}_i)$$

if $\varphi_i(y) = 1$. Find tight lower and upper bounds on $\mathrm{Adv}^{dl}_G(\mathcal{B})$ for the following adversary $\mathcal{B}$:

$$\mathcal{B}(y) = \left[\begin{array}{l} i \leftarrow \{1,2,3\},\ x \leftarrow \mathcal{A}_i(y) \\ \text{if } \varphi_i(y) = 1 \text{ then} \\ \quad \text{if } g^x \neq y \wedge \varphi_4(y) = 1 \text{ then return } \mathcal{A}_4(y) \\ \quad \text{else return } x \\ \text{else if } \varphi_5(y) = 1 \text{ then return } \mathcal{A}_5(y) \\ \text{else return } \mathcal{A}_1(y) \end{array}\right]$$

provided that $\Pr[y \leftarrow G : \varphi_i(y) = 1] = \frac{1}{42+i}$ and $\mathrm{Adv}^{dl}_G(\mathcal{A}_i) = i^2 \cdot \varepsilon$.

2. Solution

We are given a compound adversary $\mathcal{B}$ and we do its success analysis by exhaustive decomposition.

Depending on the initial sampling $i \leftarrow \{1,2,3\}$, we have three possible executions of the algorithm for $\mathcal{B}$. The success in each of the cases, which we denote by $S_i$, can be expressed by the formula:

$$\begin{aligned} S_i = \frac{1}{3}\Big[ &\Pr[y \leftarrow G : \varphi_i(y) = 1]\cdot\Big(\Pr[x \leftarrow \mathcal{A}_i(y) : y = g^x \mid \varphi_i(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_4(y) = 1]\cdot\Pr[x \leftarrow \mathcal{A}_4(y) : y = g^x \mid \varphi_4(y) = 1]\Big) \\ &+ \Pr[y \leftarrow G : \varphi_i(y) \neq 1]\cdot\Big(\Pr[y \leftarrow G : \varphi_5(y) = 1]\cdot\Pr[x \leftarrow \mathcal{A}_5(y) : y = g^x \mid \varphi_5(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_5(y) \neq 1]\cdot\Pr[x \leftarrow \mathcal{A}_1(y) : y = g^x \mid \varphi_i(y) \neq 1]\Big)\Big], \quad \text{for } i = 1, 2, 3. \end{aligned}$$

$S_i$ can be bounded as

$$S_i^{\min} \leq S_i \leq S_i^{\max},$$

where the values $S_i^{\min}$ and $S_i^{\max}$ are calculated as follows:


$$\begin{aligned} S_i^{\min} = \frac{1}{3}\Big[ &\Pr[y \leftarrow G : \varphi_i(y) = 1]\cdot\Big(\Pr_{\min}[x \leftarrow \mathcal{A}_i(y) : y = g^x \mid \varphi_i(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_4(y) = 1]\cdot\Pr_{\min}[x \leftarrow \mathcal{A}_4(y) : y = g^x \mid \varphi_4(y) = 1]\Big) \\ &+ \Pr[y \leftarrow G : \varphi_i(y) \neq 1]\cdot\Big(\Pr[y \leftarrow G : \varphi_5(y) = 1]\cdot\Pr_{\min}[x \leftarrow \mathcal{A}_5(y) : y = g^x \mid \varphi_5(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_5(y) \neq 1]\cdot\Pr_{\min}[x \leftarrow \mathcal{A}_1(y) : y = g^x \mid \varphi_i(y) \neq 1]\Big)\Big], \quad \text{for } i = 1, 2, 3, \end{aligned}$$

$$S_i^{\min} = \frac{1}{3}\Big[\frac{1}{42+i}\Big(7\,\mathrm{Adv}^{dl}_G(\mathcal{A}_i) + \frac{1}{46}\cdot 7\,\mathrm{Adv}^{dl}_G(\mathcal{A}_4)\Big) + \Big(1 - \frac{1}{42+i}\Big)\Big(\frac{1}{45}\cdot 7\,\mathrm{Adv}^{dl}_G(\mathcal{A}_5) + \Big(1 - \frac{1}{45}\Big)\cdot 0\Big)\Big], \quad \text{for } i = 1, 2, 3.$$

$$\begin{aligned} S_i^{\max} = \frac{1}{3}\Big[ &\Pr[y \leftarrow G : \varphi_i(y) = 1]\cdot\Big(\Pr_{\max}[x \leftarrow \mathcal{A}_i(y) : y = g^x \mid \varphi_i(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_4(y) = 1]\cdot\Pr_{\max}[x \leftarrow \mathcal{A}_4(y) : y = g^x \mid \varphi_4(y) = 1]\Big) \\ &+ \Pr[y \leftarrow G : \varphi_i(y) \neq 1]\cdot\Big(\Pr[y \leftarrow G : \varphi_5(y) = 1]\cdot\Pr_{\max}[x \leftarrow \mathcal{A}_5(y) : y = g^x \mid \varphi_5(y) = 1] \\ &\qquad + \Pr[y \leftarrow G : \varphi_5(y) \neq 1]\cdot\Pr_{\max}[x \leftarrow \mathcal{A}_1(y) : y = g^x \mid \varphi_i(y) \neq 1]\Big)\Big], \quad \text{for } i = 1, 2, 3, \end{aligned}$$

$$S_i^{\max} = \frac{1}{3}\Big[\frac{1}{42+i}\Big(49\,\mathrm{Adv}^{dl}_G(\mathcal{A}_i) + \frac{1}{46}\cdot 49\,\mathrm{Adv}^{dl}_G(\mathcal{A}_4)\Big) + \Big(1 - \frac{1}{42+i}\Big)\Big(\frac{1}{45}\cdot 49\,\mathrm{Adv}^{dl}_G(\mathcal{A}_5) + \Big(1 - \frac{1}{45}\Big)\cdot 1\Big)\Big], \quad \text{for } i = 1, 2, 3.$$

Then the success of $\mathcal{B}$ in total is expressed as the sum

$$\mathrm{Adv}^{dl}_G(\mathcal{B}) = \sum_{i=1}^{3} S_i,$$

and is tightly bounded as follows:

$$\sum_{i=1}^{3} S_i^{\min} \;\leq\; \mathrm{Adv}^{dl}_G(\mathcal{B}) \;\leq\; \sum_{i=1}^{3} S_i^{\max}.$$

Calculation gives:

$$0.7884\,\varepsilon \;\leq\; \mathrm{Adv}^{dl}_G(\mathcal{B}) \;\leq\; 0.7884\,\varepsilon + 0.9555.$$


CRYPTOLOGY II - EXERCISE SESSION 3

SANJA SCEPANOVIC

Exercise 1. Let $\mathcal{A}$ be a $t$-time distinguisher and let $\alpha(\mathcal{A}) = \Pr[\mathcal{A} = 1 \mid H_0]$ and $\beta(\mathcal{A}) = \Pr[\mathcal{A} = 0 \mid H_1]$ be the ratios of false negatives and false positives. Show that for any $c$ there exists a $t + O(1)$-time adversary $\mathcal{B}$ such that

$$\alpha(\mathcal{B}) = (1-c)\cdot\alpha(\mathcal{A}) \quad\text{and}\quad \beta(\mathcal{B}) = c + (1-c)\cdot\beta(\mathcal{A}).$$

Are there any practical settings where such trade-offs are economically justified? Give some real world examples. Hint: What happens if you first throw a fair coin and run $\mathcal{A}$ only if you get tails and otherwise output 0?

1. Solution

Given $\mathcal{A}$, a $t$-time distinguisher, it holds:

$$\alpha(\mathcal{A}) = \Pr[\mathcal{A} = 1 \mid H_0], \qquad \beta(\mathcal{A}) = \Pr[\mathcal{A} = 0 \mid H_1].$$

We need to find a $t + O(1)$-time distinguisher $\mathcal{B}$ such that

$$\alpha(\mathcal{B}) = (1-c)\cdot\alpha(\mathcal{A}) \quad\text{and}\quad \beta(\mathcal{B}) = c + (1-c)\cdot\beta(\mathcal{A}),$$

for any given $c$. Let us define the behaviour of $\mathcal{B}$ like this:

(1) Throw a coin for which the probability of heads is $c$ and the probability of tails is $1 - c$.

(2) If tails, run the distinguisher $\mathcal{A}$; otherwise output 0.

Obviously, the running time of the distinguisher $\mathcal{B}$ so defined is $O(1) + t$, where $O(1)$ is the fixed time necessary for the coin toss. Now we have:

$$\alpha(\mathcal{B}) = \Pr[\mathcal{B} = 1 \mid H_0] = \Pr[\text{coin toss} = \text{tails}]\cdot\Pr[\mathcal{A} = 1 \mid H_0] = (1-c)\cdot\alpha(\mathcal{A}),$$

$$\beta(\mathcal{B}) = \Pr[\mathcal{B} = 0 \mid H_1] = \Pr[\text{coin toss} = \text{heads}] + \Pr[\text{coin toss} = \text{tails}]\cdot\Pr[\mathcal{A} = 0 \mid H_1] = c + (1-c)\cdot\beta(\mathcal{A}).$$

The adversary $\mathcal{B}$ so defined fulfils the requirements.

Date: 10 May, 2011. 1991 Mathematics Subject Classification. MTAT.07.003 Cryptology II. Key words and phrases. Trade-offs between false positives and false negatives, Naive estimates on computational distance, Properties of computational distance. These exercises are submitted by me as part of the course Research Seminar on Cryptography given by Swen Laur, spring 2011.


Examining the total error

$$\varepsilon(\mathcal{B}) = \alpha(\mathcal{B}) + \beta(\mathcal{B}) = (1-c)\cdot\alpha(\mathcal{A}) + c + (1-c)\cdot\beta(\mathcal{A}) = c\,(1 - \varepsilon(\mathcal{A})) + \varepsilon(\mathcal{A})$$

shows that the trade-off increases the total error $\varepsilon(\mathcal{B})$ compared to $\varepsilon(\mathcal{A})$. However, this approach may be useful if we need to reduce only one of the errors, for example the false negatives $\alpha(\mathcal{B})$. By choosing $c \to 1$, $\alpha(\mathcal{B})$ becomes close to 0. An adversary could be constructed in a similar way to minimise the false positives $\beta(\mathcal{B})$. For example: in a highly risky environment, it is definitely better to throw away a part that is working (a false negative) than to use a part that is not working properly (a false positive).
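The coin-gated adversary $\mathcal{B}$, as an added example that is not part of the original solution. The hypotheses are constructed: under $H_0$ a sample is 20 fair coin flips, under $H_1$ 20 flips of a coin with bias 0.7, and $\mathcal{A}$ is a fixed threshold test. The measured error rates of $\mathcal{B}$ are compared with the closed form $\alpha(\mathcal{B}) = (1-c)\alpha(\mathcal{A})$, $\beta(\mathcal{B}) = c + (1-c)\beta(\mathcal{A})$ proved above; seeds are fixed so the run is reproducible.

```python
import random

# Constructed hypotheses: H0 = 20 flips of a fair coin, H1 = 20 flips of a coin with bias 0.7.
FLIPS = 20


def sample_h0(rng):
    return [rng.random() < 0.5 for _ in range(FLIPS)]


def sample_h1(rng):
    return [rng.random() < 0.7 for _ in range(FLIPS)]


def distinguisher_a(x):
    """A concrete t-time distinguisher A: output 1 (vote H1) when more than 12 of the 20 flips are heads."""
    return 1 if sum(x) > 12 else 0


def gate_with_coin(a, c, rng):
    """The adversary B of the solution: with probability c (heads) output 0 without running A,
    otherwise (tails, probability 1-c) run A. The cost is one extra coin toss, i.e. t + O(1)."""
    def b(x):
        if rng.random() < c:   # heads
            return 0
        return a(x)            # tails
    return b


def error_rates(d, rng, trials=20000):
    """Empirical alpha(D) = Pr[D = 1 | H0] and beta(D) = Pr[D = 0 | H1]."""
    alpha = sum(d(sample_h0(rng)) == 1 for _ in range(trials)) / trials
    beta = sum(d(sample_h1(rng)) == 0 for _ in range(trials)) / trials
    return alpha, beta


def predicted_rates(alpha_a, beta_a, c):
    """The closed form proved in the text: alpha(B) = (1-c) alpha(A), beta(B) = c + (1-c) beta(A)."""
    return (1 - c) * alpha_a, c + (1 - c) * beta_a


def experiment(c, seed=1):
    """Measure A and the gated B side by side with fixed seeds; returns (alpha_A, beta_A, alpha_B, beta_B)."""
    alpha_a, beta_a = error_rates(distinguisher_a, random.Random(seed))
    b = gate_with_coin(distinguisher_a, c, random.Random(seed + 1))
    alpha_b, beta_b = error_rates(b, random.Random(seed + 2))
    return alpha_a, beta_a, alpha_b, beta_b


if __name__ == "__main__":
    for c in (0.0, 0.5, 0.9):
        alpha_a, beta_a, alpha_b, beta_b = experiment(c)
        print(f"c={c}: A=({alpha_a:.3f}, {beta_a:.3f})  B=({alpha_b:.3f}, {beta_b:.3f})"
              f"  predicted B={tuple(round(v, 3) for v in predicted_rates(alpha_a, beta_a, c))}")
```

Raising $c$ drives $\alpha(\mathcal{B})$ towards 0 while $\beta(\mathcal{B})$ climbs towards 1, which is the one-sided trade-off the text describes: the gate buys a lower false-negative rate only by paying in false positives, never by lowering the total error.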

Exercise 2. Let $X_0$ and $X_1$ be efficiently samplable distributions that are $(t,\varepsilon)$-indistinguishable. Show that the distributions $X_0$ and $X_1$ remain computationally indistinguishable even if the adversary can get $n$ samples.

(a) First estimate the computational distances between the following games

$$\mathcal{G}^{\mathcal{A}}_{00} = \left[\begin{array}{l} x_0 \leftarrow X_0 \\ x_1 \leftarrow X_0 \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right] \qquad \mathcal{G}^{\mathcal{A}}_{01} = \left[\begin{array}{l} x_0 \leftarrow X_0 \\ x_1 \leftarrow X_1 \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right] \qquad \mathcal{G}^{\mathcal{A}}_{11} = \left[\begin{array}{l} x_0 \leftarrow X_1 \\ x_1 \leftarrow X_1 \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right]$$

Hint: What happens if you feed a sample $x_0 \leftarrow X_0$ together with an unknown sample $x_1 \leftarrow X_i$ to $\mathcal{A}$ and use the reply to guess $i$.

(b) Generalise the argumentation to the case where the adversary $\mathcal{A}$ gets $n$ samples from a distribution $X_i$. That is, define the corresponding sequence of games $\mathcal{G}_{00\ldots0}, \ldots, \mathcal{G}_{11\ldots1}$.

(c) Why do we need to assume that the distributions $X_0$ and $X_1$ are efficiently samplable?

2. Solution

(a) Let us examine the computational distances between the following games.

$$\mathcal{G}^{\mathcal{A}}_{00} = \left[\begin{array}{l} x_0 \leftarrow X_0 \\ x_1 \leftarrow X_0 \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right] \qquad \mathcal{G}^{\mathcal{A}}_{01} = \left[\begin{array}{l} x_0 \leftarrow X_0 \\ x_1 \leftarrow X_1 \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right]$$

First, we can define the following adversary:

$$\mathcal{B}(x) = \left[\begin{array}{l} x_0 \leftarrow X_0 \\ x_1 \leftarrow x \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right]$$


against the indistinguishability games

$$\mathcal{Q}^{\mathcal{B}}_0 = \left[\begin{array}{l} x \leftarrow X_0 \\ \text{return } \mathcal{B}(x) \end{array}\right] \qquad \mathcal{Q}^{\mathcal{B}}_1 = \left[\begin{array}{l} x \leftarrow X_1 \\ \text{return } \mathcal{B}(x) \end{array}\right]$$

For all $t$-time adversaries $\mathcal{B}$ the following holds: $\mathrm{Adv}^{ind}_{X_0,X_1}(\mathcal{B}) = |\Pr[\mathcal{Q}^{\mathcal{B}}_0 = 1] - \Pr[\mathcal{Q}^{\mathcal{B}}_1 = 1]| \leq \varepsilon$ (due to the $(t,\varepsilon)$-indistinguishability of $X_0$ and $X_1$). Inserting our concrete adversary $\mathcal{B}$ into the definition, however, gives:

$$\mathcal{Q}^{\mathcal{B}}_0 = \left[\begin{array}{l} x \leftarrow X_0 \\ x_0 \leftarrow X_0 \\ x_1 \leftarrow x \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right] \qquad \mathcal{Q}^{\mathcal{B}}_1 = \left[\begin{array}{l} x \leftarrow X_1 \\ x_0 \leftarrow X_0 \\ x_1 \leftarrow x \\ \text{return } \mathcal{A}(x_0, x_1) \end{array}\right]$$

from which we easily see that we may convert $\mathcal{Q}^{\mathcal{B}}_0$ to $\mathcal{G}^{\mathcal{A}}_{00}$ and respectively $\mathcal{Q}^{\mathcal{B}}_1$ to $\mathcal{G}^{\mathcal{A}}_{01}$. That leads to the inequality

$$|\Pr[\mathcal{G}^{\mathcal{A}}_{00} = 1] - \Pr[\mathcal{G}^{\mathcal{A}}_{01} = 1]| \leq \varepsilon \tag{2.1}$$

for a $t$-time adversary $\mathcal{B}$. Since the running time of $\mathcal{B}$ can be expressed as $t_s + t_{\mathcal{A}}$, where $t_s$ is the time for sampling from $X_0$ and $t_{\mathcal{A}}$ is the time for running $\mathcal{A}$, (2.1) holds for $(t - t_s)$-time adversaries $\mathcal{A}$.

In a similar way we could prove that for the games $\mathcal{G}^{\mathcal{A}}_{01}$ and $\mathcal{G}^{\mathcal{A}}_{11}$ it holds

$$|\Pr[\mathcal{G}^{\mathcal{A}}_{01} = 1] - \Pr[\mathcal{G}^{\mathcal{A}}_{11} = 1]| \leq \varepsilon . \tag{2.2}$$

Finally, using the triangle inequality we obtain from (2.1) and (2.2)

$$|\Pr[\mathcal{G}^{\mathcal{A}}_{00} = 1] - \Pr[\mathcal{G}^{\mathcal{A}}_{11} = 1]| \leq 2\varepsilon . \tag{2.3}$$

Since by definition $\mathrm{cd}_t(\mathcal{G}_1, \mathcal{G}_2) = \max_{\mathcal{A} \text{ is } t\text{-time}} |\Pr[\mathcal{G}_1 = 1] - \Pr[\mathcal{G}_2 = 1]|$, it means that we have calculated the following computational distances:

$$\mathrm{cd}_{t - t_s}(\mathcal{G}_{00}, \mathcal{G}_{01}) = \varepsilon, \qquad \mathrm{cd}_{t - t_s}(\mathcal{G}_{01}, \mathcal{G}_{11}) = \varepsilon \qquad\text{and}\qquad \mathrm{cd}_{t - t_s}(\mathcal{G}_{00}, \mathcal{G}_{11}) = 2\varepsilon .$$

(b) To generalise the previous result to $n$ samples we would need to analyse the $n$-sample games $\mathcal{G}_{0\ldots0}, \mathcal{G}_{0\ldots1}, \ldots, \mathcal{G}_{1\ldots0}, \mathcal{G}_{1\ldots1}$. In the worst case, the resulting advantage would be $(2^n - 1)\varepsilon$, since that is the number of games that we would cycle through, counting the distances between each two consecutive ones. However, there is an optimal strategy that cycles only through the necessary $n$ games. For example, in the case $n = 4$ we could cycle like this:

$$\mathcal{G}_{0000} \;\xrightarrow{\ \varepsilon\ }\; \mathcal{G}_{0001} \;\xrightarrow{\ \varepsilon\ }\; \mathcal{G}_{0011} \;\xrightarrow{\ \varepsilon\ }\; \mathcal{G}_{0111} \;\xrightarrow{\ \varepsilon\ }\; \mathcal{G}_{1111},$$

resulting in an advantage of $4\varepsilon$ instead of $31\varepsilon$. The running time of the adversary $\mathcal{A}$ is in every case $t - (n-1)t_s$.

(c) Since we showed the advantage for an adversary that runs in time $t - t_s$, i.e., we used the sampling time, the distributions need to be efficiently samplable; otherwise we would not be able to bound the running time of the adversary.
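The hybrid chain of (b), as an added example that is not part of the original solution. To make the distances exactly computable it uses statistical (total variation) distance, the bound on any distinguisher regardless of running time, in place of the computational distance $\mathrm{cd}_t$; the chain $\mathcal{G}_{0\ldots0} \to \mathcal{G}_{0\ldots01} \to \cdots \to \mathcal{G}_{1\ldots1}$ and the triangle-inequality argument are the same. $X_0$ and $X_1$ are constructed distributions on $\{0,1\}$ at distance $\varepsilon = 1/10$; the code checks that every step of the chain costs exactly $\varepsilon$ and that the end-to-end distance is at most $n\varepsilon$.

```python
from fractions import Fraction
from itertools import product

# Constructed distributions over {0,1}: X0 is a fair bit, X1 is biased; their distance is eps = 1/10.
X0 = {0: Fraction(1, 2), 1: Fraction(1, 2)}
X1 = {0: Fraction(2, 5), 1: Fraction(3, 5)}


def statistical_distance(p, q):
    """Total variation distance: the maximum advantage of any distinguisher, bounded or not."""
    keys = set(p) | set(q)
    return sum(abs(p.get(k, 0) - q.get(k, 0)) for k in keys) / 2


def hybrid(bits):
    """Game G_{b1...bn}: the j-th sample is drawn from X_{b_j}. Returns the joint distribution
    of the n-tuple handed to the adversary."""
    sources = [X0 if b == 0 else X1 for b in bits]
    dist = {}
    for outcome in product(*sources):
        p = Fraction(1)
        for src, v in zip(sources, outcome):
            p *= src[v]
        dist[outcome] = dist.get(outcome, 0) + p
    return dist


def hybrid_chain(n):
    """The n+1 games G_{0...0}, G_{0...01}, ..., G_{1...1}; adjacent games differ in one sample,
    so only n distances are summed instead of the 2^n - 1 of the naive cycle."""
    return [tuple([0] * (n - k) + [1] * k) for k in range(n + 1)]


def hybrid_bound_check(n):
    """Return (eps, per-step distances, end-to-end distance) for the n-sample chain."""
    eps = statistical_distance(X0, X1)
    chain = hybrid_chain(n)
    step_dists = [statistical_distance(hybrid(a), hybrid(b)) for a, b in zip(chain, chain[1:])]
    end_to_end = statistical_distance(hybrid(chain[0]), hybrid(chain[-1]))
    return eps, step_dists, end_to_end


if __name__ == "__main__":
    for n in (1, 2, 4):
        eps, steps, total = hybrid_bound_check(n)
        print(f"n={n}: eps={eps}, step distances={steps}, "
              f"distance(G_0..0, G_1..1)={total} <= {n}*eps={n * eps}")
```

Each step distance equals $\varepsilon$ exactly because the two adjacent games share all but one sample, and the end-to-end distance stays well below $n\varepsilon$; the hybrid bound is an upper bound, not the true distance. For $n = 4$ the chain has 5 games, matching the text's $4\varepsilon$ versus the $31\varepsilon$ of visiting all $2^4$ games.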


CRYPTOLOGY II - EXERCISE SESSION 4

SANJA SCEPANOVIC

Exercise 1. Let $\mathcal{A}$ be the adversary that tries to distinguish a random permutation $f : \{1,2,3\} \to \{1,2,3\}$ from a random function $f : \{1,2,3\} \to \{1,2,3\}$ according to the adaptive deterministic querying strategy depicted above. More formally, nodes represent the adversary's queries. The adversary $\mathcal{A}$ starts from the root node and moves to the next nodes according to the answers depicted as arc labels. The dashed line corresponds to the decision border, where $\mathcal{A}$ stops querying and outputs his or her guess.

(i) Compute the following probabilities

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u], \quad \Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \wedge \neg\,\text{collision}], \quad \Pr[f \leftarrow \mathcal{F}_{all} : \neg\,\text{collision}],$$

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \mid \neg\,\text{collision}], \quad \Pr[f \leftarrow \mathcal{F}_{prm} : \mathcal{A} \text{ reaches vertex } u]$$

for all nodes $u$ in the decision border.

(ii) Compute these probabilities for an arbitrary message space $\mathcal{M}$ under the assumption that $\mathcal{A}$ makes exactly $q$ queries and conclude

$$\Pr[\mathcal{A} = 0 \mid \mathcal{F}_{all} \wedge \neg\,\text{collision}] = \Pr[\mathcal{A} = 0 \mid \mathcal{F}_{prm}].$$

Date: 19 May, 2011. 1991 Mathematics Subject Classification. MTAT.07.003 Cryptology II. Key words and phrases. PRP/PRF switching lemma. These exercises are submitted by me as part of the course Research Seminar on Cryptography given by Swen Laur, spring 2011.


1. Solution

(i)

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i] = \begin{cases} \frac{1}{9}, & \text{for } i = 1, \ldots, 6, \\ \frac{1}{3}, & \text{for } i = 7. \end{cases}$$

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i \wedge \neg\,\text{collision}] = \begin{cases} 0, & \text{for } i = 1 \text{ and } i = 5, \\ \frac{1}{9}, & \text{for } i \in \{2, 3, 4, 6\}, \\ \frac{1}{3}, & \text{for } i = 7. \end{cases}$$

$$\Pr[f \leftarrow \mathcal{F}_{all} : \neg\,\text{collision}] = \sum_{i=1}^{7} \Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i \wedge \neg\,\text{collision}] = 0 + 4 \cdot \frac{1}{9} + \frac{1}{3} = \frac{7}{9}.$$

To calculate the conditional probability $\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \mid \neg\,\text{collision}]$ we use Bayes' formula:

$$\Pr[A \mid B] = \frac{\Pr[A \wedge B]}{\Pr[B]} \tag{1.1}$$

We have previously calculated the values $\Pr[A \wedge B] = \Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \wedge \neg\,\text{collision}]$ and $\Pr[B] = \Pr[f \leftarrow \mathcal{F}_{all} : \neg\,\text{collision}]$. Using those values in (1.1) we obtain:

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i \mid \neg\,\text{collision}] = \begin{cases} 0, & \text{for } i = 1 \text{ and } i = 5, \\ \frac{1}{7}, & \text{for } i \in \{2, 3, 4, 6\}, \\ \frac{1}{3}, & \text{for } i = 7. \end{cases}$$

(ii) Now we consider an arbitrary space $\mathcal{M}$; let us denote $|\mathcal{M}| = m$. $\mathcal{A}$ is defined to make exactly $q$ queries about $f$, obviously with $1 \leq q \leq m$.

In this general case, the previous probabilities become:


$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u] = \frac{1}{m^q}$$

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \wedge \neg\,\text{collision}] = \begin{cases} \frac{1}{m^q} & \text{when no collision,} \\ 0 & \text{otherwise.} \end{cases}$$

$$\begin{aligned} \Pr[f \leftarrow \mathcal{F}_{all} : \neg\,\text{collision}] &= \sum_{i} \Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i \wedge \neg\,\text{collision}] \\ &= \#\{\text{vertices that } \mathcal{A} \text{ reaches without collision}\} \cdot \frac{1}{m^q} \\ &= m \cdot (m-1) \cdots (m-q+1) \cdot \frac{1}{m^q} = \frac{(m-1) \cdots (m-q+1)}{m^{q-1}}. \end{aligned}$$

$$\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u_i \mid \neg\,\text{collision}] \overset{(1.1)}{=} \begin{cases} \dfrac{\Pr[f \leftarrow \mathcal{F}_{all} : \mathcal{A} \text{ reaches vertex } u \wedge \neg\,\text{collision}]}{\Pr[f \leftarrow \mathcal{F}_{all} : \neg\,\text{collision}]} & \text{when no collision,} \\ 0 & \text{otherwise;} \end{cases}$$

i.e.,

$$= \begin{cases} \dfrac{1}{m \cdot (m-1) \cdots (m-q+1)} & \text{when no collision,} \\ 0 & \text{otherwise.} \end{cases}$$

$$\Pr[f \leftarrow \mathcal{F}_{prm} : \mathcal{A} \text{ reaches vertex } u_i] = \frac{1}{m} \cdot \frac{1}{m-1} \cdots \frac{1}{m-q+1}.$$
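The probabilities of (i) and (ii) computed by exhaustive enumeration of $\mathcal{F}_{all}$ and $\mathcal{F}_{prm}$, as an added example that is not part of the original solution. A vertex $u$ on the decision border is identified with its $q$-query transcript (queries, answers); the adaptive query tree of the exercise's figure is not reproduced, so the no-collision probability here is the closed form $m(m-1)\cdots(m-q+1)/m^q$ of (ii) for $q$ distinct queries rather than the $7/9$ of that specific tree. The last function checks the conclusion of (ii) on every collision-free transcript.

```python
from fractions import Fraction
from itertools import permutations, product

# Constructed message space M = {1, 2, 3}, as in Exercise 1; the enumeration works for any small m.
M = (1, 2, 3)


def all_functions(space):
    """F_all: every function space -> space (m^m of them)."""
    return [dict(zip(space, image)) for image in product(space, repeat=len(space))]


def all_permutations(space):
    """F_prm: every permutation of space (m! of them)."""
    return [dict(zip(space, image)) for image in permutations(space)]


def reaches(f, queries, answers):
    """A reaches the vertex labelled by this transcript iff f answers every query as recorded."""
    return all(f[q] == a for q, a in zip(queries, answers))


def has_collision(f, queries):
    """Two distinct queries got the same answer: the event that separates F_all from F_prm."""
    return len({f[q] for q in queries}) < len(queries)


def transcript_probabilities(queries, answers, space=M):
    """The five probabilities of Exercise 1 for one border vertex u, identified with the
    q-query transcript (queries, answers), computed by exhaustive enumeration."""
    f_all, f_prm = all_functions(space), all_permutations(space)
    p_reach = Fraction(sum(reaches(f, queries, answers) for f in f_all), len(f_all))
    p_reach_nocol = Fraction(sum(reaches(f, queries, answers) and not has_collision(f, queries)
                                 for f in f_all), len(f_all))
    p_nocol = Fraction(sum(not has_collision(f, queries) for f in f_all), len(f_all))
    p_reach_given_nocol = p_reach_nocol / p_nocol          # Bayes, formula (1.1)
    p_reach_prm = Fraction(sum(reaches(f, queries, answers) for f in f_prm), len(f_prm))
    return p_reach, p_reach_nocol, p_nocol, p_reach_given_nocol, p_reach_prm


def no_collision_probability(m, q):
    """Closed form from (ii): m(m-1)...(m-q+1) / m^q for q distinct queries."""
    num = 1
    for k in range(q):
        num *= m - k
    return Fraction(num, m ** q)


def switching_identity_holds(q, space=M):
    """Conclusion of (ii): for every collision-free q-query transcript,
    Pr[F_all : reach u | no collision] == Pr[F_prm : reach u]."""
    for queries in permutations(space, q):
        for answers in product(space, repeat=q):
            if len(set(answers)) < q:
                continue                                    # collision: both sides are 0 anyway
            pr = transcript_probabilities(queries, answers, space)
            if pr[3] != pr[4]:
                return False
    return True


if __name__ == "__main__":
    for answers in ((1, 2), (1, 1)):
        print("transcript (1,2) ->", answers, transcript_probabilities((1, 2), answers))
    print("Pr[no collision], q=2:", no_collision_probability(3, 2))
    print("switching identity holds for q=2, 3:", switching_identity_holds(2), switching_identity_holds(3))
```

Conditioned on the absence of collisions, a random function and a random permutation give the adversary identical views, so the only way to tell them apart is to observe a collision; this is the step on which the PRP/PRF switching lemma rests.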

Exercise 2. A block cipher is commonly modelled as a $(t, q, \varepsilon)$-pseudorandom permutation family $\mathcal{F}$. As such, it is perfect for encrypting a single block.

(i) The electronic codebook mode Ecb uses the same permutation $f \in \mathcal{F}$ for all message blocks. $\mathrm{Ecb}_f(m_1 \| \ldots \| m_n) = f(m_1) \| \ldots \| f(m_n)$ is known to be an insecure pseudorandom permutation. Find an algorithm that can distinguish $\mathrm{Ecb}_f : \mathcal{M}^n \to \mathcal{M}^n$ from a random permutation over $\mathcal{M}^n$. Is this weakness relevant in practice or not?

(ii) Let $\mathcal{M}^n_0 = \{(m_1, \ldots, m_n) \in \mathcal{M}^n : m_i \neq m_j\}$ denote the set of messages with distinct blocks. Show that $\mathrm{Ecb}_f : \mathcal{M}^n_0 \to \mathcal{M}^n_0$ is a $(t, q/n, \varepsilon)$-pseudorandom permutation family if $\mathcal{F}$ is a $(t, q, \varepsilon)$-pseudorandom permutation family.

(iii) If addition is defined over $\mathcal{M}$, random shifts $c_1, \ldots, c_n \leftarrow \mathcal{M}$ can be used to avoid equalities in the message $\tilde m = (m_1 + c_1, \ldots, m_n + c_n)$. Compute the probability $\Pr[c_1, \ldots, c_n \leftarrow \mathcal{M} : \tilde m \notin \mathcal{M}^n_0]$.


(iv) The cipher-block chaining mode CBC uses the permutation $f \in \mathcal{F}$ to link plaintexts and ciphertexts: $\mathrm{CBC}_f(m_1 \| \ldots \| m_n) = c_1 \| \ldots \| c_n$ where $c_i = f(m_i \oplus c_{i-1})$ and $c_0$ is known as the initialisation vector (nonce). The CBC mode can be viewed as a more efficient way to modify the message by setting the shifts $c_i \leftarrow f(\tilde m_{i-1})$. Again, compute the probability $\Pr[c_0 \leftarrow \mathcal{M}, \ldots, c_n \leftarrow f(m_{n-1} + c_{n-1}) : \tilde m \notin \mathcal{M}^n_0]$. Conclude that $\mathrm{CBC}_f$ is a secure pseudorandom permutation over $\mathcal{M}^n$.

2. Solution

(i) Described weakness of Ecb is know and relevant, that is why this mode of op-erations should be avoided in practice. An example of distunguishing strategyis depicted on the figure 1.

[Figure 1: the adversary $A$ sends the challenger a message $m \in M^n$, $m = (m_1, \dots, m_n)$ with $m_1 = m_2$; the challenger returns $f(m) = (c_1, \dots, c_n)$; $A$ answers "ECB" if $c_1 = c_2$ and "PRP" otherwise.]

Figure 1. Distinguishing Ecb from PRP.
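The strategy of Figure 1 written out as runnable code, added here as an illustration and not part of the original solution. It assumes a toy block size of 8 bits ($|M| = 256$) and models $f \leftarrow F$ as a uniformly random permutation table (the ideal object the distinguisher is compared against); the random permutation over $M^n$ is sampled lazily, one output tuple per distinct query. The counting oracle also shows the query accounting used in (ii): one query to $\mathrm{Ecb}_f$ costs $n$ queries to $f$.

```python
# Added example (not from the original solution): the Figure 1 distinguisher
# for ECB on a toy block cipher with 8-bit blocks, i.e. |M| = 256 (assumption).
import random

M_SIZE = 256  # |M|, toy block size (assumption)


def random_permutation(rng, size=M_SIZE):
    """Uniformly random permutation of {0, ..., size-1} as a lookup table.

    It stands in both for a key f <- F of an ideal block cipher and for the
    random permutation a PRP is compared against."""
    table = list(range(size))
    rng.shuffle(table)
    return table


class EcbOracle:
    """Ecb_f(m_1||...||m_n) = f(m_1)||...||f(m_n); counts the queries made to f."""

    def __init__(self, f):
        self.f = f
        self.f_queries = 0

    def __call__(self, blocks):
        self.f_queries += len(blocks)
        return [self.f[b] for b in blocks]


class RandomPermutationOracle:
    """Random permutation over M^n, sampled lazily: each new input gets a
    uniformly random output tuple that has not been used yet."""

    def __init__(self, n, rng):
        self.n, self.rng = n, rng
        self.table, self.used = {}, set()

    def __call__(self, blocks):
        key = tuple(blocks)
        if key not in self.table:
            while True:
                out = tuple(self.rng.randrange(M_SIZE) for _ in range(self.n))
                if out not in self.used:
                    break
            self.used.add(out)
            self.table[key] = out
        return list(self.table[key])


def ecb_distinguisher(oracle, n):
    """Figure 1: query one message with m_1 = m_2 and answer 1 ('ECB')
    iff the first two ciphertext blocks coincide, else 0 ('PRP')."""
    m = [7, 7] + [i % M_SIZE for i in range(n - 2)]  # m_1 == m_2, rest arbitrary
    c = oracle(m)
    return 1 if c[0] == c[1] else 0


def estimate_advantage(n, trials, seed=1):
    """Empirical |Pr[A = 1 | Ecb_f] - Pr[A = 1 | random permutation]|.

    Against Ecb_f the distinguisher is always right; a random permutation
    repeats c_1 = c_2 only with probability 1/|M|, so the advantage is
    close to 1 - 1/|M|."""
    rng = random.Random(seed)
    ecb_hits = sum(ecb_distinguisher(EcbOracle(random_permutation(rng)), n)
                   for _ in range(trials))
    prp_hits = sum(ecb_distinguisher(RandomPermutationOracle(n, rng), n)
                   for _ in range(trials))
    return abs(ecb_hits - prp_hits) / trials


def f_queries_per_ecb_query(n, seed=1):
    """Query accounting from (ii): one Ecb_f query costs n queries to f."""
    oracle = EcbOracle(random_permutation(random.Random(seed)))
    ecb_distinguisher(oracle, n)
    return oracle.f_queries


if __name__ == "__main__":
    print("advantage ~", estimate_advantage(n=4, trials=2000))
    print("f queries per Ecb query:", f_queries_per_ecb_query(n=4))
```

The measured advantage is essentially $1 - 1/|M|$: the single repeated-block query decides the game, which is why the weakness matters in practice whenever plaintexts contain repeated blocks.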

(ii) We are given $M^n_0 = \{(m_1, \dots, m_n) \in M^n : m_i \neq m_j\}$ and we want to show that $\mathrm{ECB}_f : M^n_0 \to M^n_0$ is a $(t, q/n, \varepsilon)$-pseudorandom permutation family, if $F \ni f$ is a $(t, q, \varepsilon)$-pseudorandom permutation family. Let us denote by $\mathcal{F} : M^n_0 \to M^n_0$ the set of all permutations with domain $M^n_0$, and by $e \in \mathrm{ECB}_f$ an ECB permutation we want to distinguish from all permutations. We now consider a $t$-time adversary $A$ which can make $q/n$ queries for $e(x)$ in order to distinguish an $\mathrm{ECB}_f$ from a random permutation from $\mathcal{F}$. The advantage of $A$ is defined as below:

(2.1) $\mathrm{Adv}^{ind}_{\mathrm{ECB}_f, \mathcal{F}}(A) = \left|\Pr[A = 0 \mid e \leftarrow \mathrm{ECB}_f] - \Pr[A = 0 \mid e \leftarrow \mathcal{F}]\right|.$

We have $e(m_1, \dots, m_n) = f(m_1)\|\dots\|f(m_n)$, so it holds that if $e \in \mathrm{ECB}_f$, then $f \in F$. Thus we can transform the adversary $A$ into a new adversary $A_f$, as shown in Figure 2, to help us in calculating the desired advantage.

$A_f$ is a $t$-time adversary to distinguish a pseudorandom permutation belonging to the set $F$ from all the permutations, belonging to the set $F_{perms}$.

Now it holds for the advantage of A:


Figure 2. Transformation of the adversary $A$ into the adversary $A_f$ which queries $f(\cdot)$.

(2.2) $\mathrm{Adv}^{ind}_{\mathrm{ECB}_f, \mathcal{F}}(A) = \left|\Pr[A_f = 0 \mid f \leftarrow F] - \Pr[A_f = 0 \mid f \leftarrow F_{perms}]\right|,$

Additionally, since one query of $A$ corresponds to $n$ queries to be made by $A_f$ (for $f(m_1), \dots, f(m_n)$), the number of queries $A_f$ makes is $\frac{q}{n} \cdot n = q$. Since it is given that $F$ is a $(t, q, \varepsilon)$-pseudorandom permutation family, this implies that for the defined adversary $A_f$ it holds:

(2.3) $\left|\Pr[A_f = 0 \mid f \leftarrow F] - \Pr[A_f = 0 \mid f \leftarrow F_{perms}]\right| \leq \varepsilon.$

From the formulas 2.2 and 2.3, we obtain:

(2.4) $\mathrm{Adv}^{ind}_{\mathrm{ECB}_f, \mathcal{F}}(A) \leq \varepsilon.$

With this we have proved that $\mathrm{ECB}_f$ is a $(t, q/n, \varepsilon)$-pseudorandom permutation family under the condition that $F$ is a $(t, q, \varepsilon)$-pseudorandom permutation family.

(iii) Since the values $c_i$ are randomly sampled from $M$, the required probability

(2.5) $\Pr[c_1, \dots, c_n \leftarrow M : \tilde{m} \notin M^n_0]$

equals the probability

(2.6) $\Pr[m_1, \dots, m_n \leftarrow M : \tilde{m} \notin M^n_0],$

since under these conditions the $m_i$ are as well randomly sampled from $M$. The probability in formula 2.6 is the probability that $\tilde{m}$ built from randomly sampled $m_i$ is an $n$-permutation over $M^n$. Such a probability is calculated according to the formula:

(2.7) $\dfrac{|M|(|M|-1)(|M|-2)\cdots(|M|-n)}{|M|^n}.$

(iv) In order to calculate the required probability of a collision in $\tilde{m}$, we shall use mathematical induction. Starting from the definition of the probability of the event that a collision happens in the first $j$ blocks, denoted by $\Pr[S_j]$, we will calculate the final probability that a collision happens among all $n$ blocks in $\tilde{m}$. We claim:

(2.8) $\Pr[S_j] \leq \dfrac{(j-1)n}{|M|}.$

The inductive base $\Pr[S_1] = 0$ obviously holds. For any $j > 1$, we can represent $\Pr[S_j]$ like this:

(2.9) $\Pr[S_j] \leq \Pr[S_{j-1}] + \Pr[S_j \mid \neg S_{j-1}].$

Using our inductive assumption, we can bound the first term in formula 2.9, and for the second we reason as follows. In the case there was no collision among the previous $j-1$ elements, a collision of the $j$-th element with any of the previous elements will occur with probability at most $\frac{j-1}{|M|}$. Namely, since the CBC function $f$ is a $(t, \varepsilon)$-pseudorandom permutation $f \in F$, we can consider $f$ as belonging to the set of all permutations $\mathcal{F}$ with error bound $\varepsilon$. And then, by using the PRP/PRF switching lemma, we can in the end consider the set of all functions $\mathcal{F}_{all}$. In that case, according to the given formula, the value assigned to $c_j$ is random, thus $\tilde{m}_j$ is also random.

So we calculate:

(2.10) $\Pr[S_j] \leq \dfrac{(j-2)n}{|M|} + \dfrac{j-1}{|M|} \leq \dfrac{(j-2)n}{|M|} + \dfrac{n}{|M|} \leq \dfrac{(j-1)n}{|M|}.$

With this our induction is proved. Finally, we conclude about the probability of $\tilde{m} \notin M^n_0$ under the given circumstances, which equals $\Pr[S_n]$:

(2.11) $\Pr[S_n] \leq \dfrac{n^2}{|M|}.$

For the property of CBC being a pseudorandom function we conclude as follows. Thanks to the PRP/PRF switching lemma, we can think of the random permutation that CBC uses as a random function. Then the advantage of the distinguisher is always 0 unless it finds a collision in the input, and we have shown that a collision appears with probability that is negligible as long as $n \ll |M|$.
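As an added illustration of (iii) and (iv), not part of the original solution: the exact probability that $n$ uniformly shifted blocks are not all distinct, computed with the $n$-term falling factorial $\prod_{i<n}(|M|-i)$ for the number of $n$-tuples with distinct blocks, and a Monte Carlo estimate of $\Pr[S_n]$ for CBC-style shifts with a random permutation $f$, both compared against the bound $n^2/|M|$ of (2.11). The message fed to CBC is the all-equal-blocks message that broke ECB in (i), so the run shows that the chained shifts make the block-cipher inputs distinct with high probability even then. The 8-bit block size and XOR as the operation on $M$ are assumptions.

```python
# Added example (not from the original solution): collision probability of the
# shifted message (iii) and of CBC-style shifts (iv), against the bound n^2/|M|.
import random
from fractions import Fraction


def distinct_blocks_probability(m_size, n):
    """Exact Pr[m_1, ..., m_n <- M : all blocks distinct]
    = |M| (|M|-1) ... (|M|-n+1) / |M|^n  (n factors in the numerator)."""
    p = Fraction(1)
    for i in range(n):
        p *= Fraction(m_size - i, m_size)
    return p


def shifted_collision_probability(m_size, n):
    """(iii): Pr[c_1, ..., c_n <- M : m~ not in M^n_0] = 1 - Pr[all distinct],
    because uniformly random shifts make m~ uniform over M^n."""
    return 1 - distinct_blocks_probability(m_size, n)


def collision_bound(m_size, n):
    """The bound (2.11): Pr[S_n] <= n^2 / |M|."""
    return Fraction(n * n, m_size)


def cbc_block_inputs(f, message, c0):
    """Inputs m~_i = m_i xor c_{i-1} fed to f by CBC_f with IV c0, c_i = f(m~_i).
    XOR is used as the group operation on M (assumption)."""
    inputs, prev = [], c0
    for m_i in message:
        x = m_i ^ prev
        inputs.append(x)
        prev = f[x]
    return inputs


def cbc_collision_rate(m_size, n, trials, seed=1):
    """Monte Carlo estimate of Pr[S_n]: fraction of runs (fresh random
    permutation f and IV c0 each time) in which two of the n block-cipher
    inputs coincide. The message is n equal blocks, the ECB worst case; with
    equal blocks the inputs are the orbit c0, f(c0), f(f(c0)), ..., so a
    repeat requires c0 to lie on a cycle of f shorter than n."""
    rng = random.Random(seed)
    message = [0] * n
    collisions = 0
    for _ in range(trials):
        f = list(range(m_size))
        rng.shuffle(f)
        c0 = rng.randrange(m_size)
        inputs = cbc_block_inputs(f, message, c0)
        if len(set(inputs)) < n:
            collisions += 1
    return collisions / trials


if __name__ == "__main__":
    m_size, n = 256, 8
    print("exact Pr[m~ not in M^n_0]:", float(shifted_collision_probability(m_size, n)))
    print("bound n^2/|M|:", float(collision_bound(m_size, n)))
    print("CBC collision rate:", cbc_collision_rate(m_size, n, trials=4000))
```

For realistic parameters ($|M| = 2^{128}$, $n$ a few thousand blocks) the same functions give a collision probability far below $2^{-100}$, which is the quantitative content of the condition $n \ll |M|$ in the conclusion above.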

Appendix A. Licence

This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA.

E-mail address: [email protected]