ICS 180: Introduction to Cryptography, 6/12/2004
Homework 7, due Friday noon, 6/18/2004

1 PRGs

1.1 PRG warm-up

Recall the definition of a PRG. Consider the following attempt at constructing one: $G(x)$ outputs $x$ concatenated with the parity bit of $x$, i.e. $G(x) = [x \mid b_{par}(x)]$, where $b_{par}(x)$ is the parity bit, i.e. it is 1 if $x$ is even and 0 if $x$ is odd. Is $G$ a good PRG? (Prove or disprove.)

1.2 Perfectly secure PRG?

Remember perfectly secure encryption vs. computational notions of encryption security? Consider the following definition of a perfect, rather than computational, PRG: We say that a polynomial-time algorithm $G : \{0,1\}^k \to \{0,1\}^{k+1}$ is a perfect (one-bit-stretching) PRG if for all algorithms $A$ we have:

$$\Pr[A(y) = 1 \mid x \leftarrow \{0,1\}^k;\ y = G(x)] \;=\; \Pr[A(y) = 1 \mid y \leftarrow \{0,1\}^{k+1}]$$

Note the two differences between this definition and the regular PRG definition: (1) the regular definition allows for a negligible difference between the above two probabilities, and (2) the regular definition asks this to hold not for all algorithms $A$ but only for probabilistic polynomial-time $A$'s. Show that "perfect PRGs" are too much to ask for, i.e. show that perfect PRGs do not exist. In other words, for any algorithm $G$ show an algorithm $A$ (not necessarily polytime) for which the above equation does not hold. What's your $A$'s running time?

2 Encryption: Textbook vs. Indistinguishable Schemes

We show one clear flaw in plain (or "textbook") Rabin encryption, and we also show that an encryption scheme which is secure in the sense of indistinguishability is provably resistant to such flaws. Rabin's encryption is similar to RSA, and flaws of a similar type, although technically slightly harder to show, can be shown for RSA, which is another argument why textbook RSA is not safe and why we need provably indistinguishable encryption schemes instead.
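Before turning to Rabin, here is an added example (written for this page, not part of the ICS 180 handout) that makes the two PRG exercises of Section 1 concrete: it computes both sides of the PRG definition exactly, by enumerating all of $\{0,1\}^k$ and $\{0,1\}^{k+1}$ for a small $k$. For exercise 1.1 it runs the obvious polynomial-time test on the parity construction; for exercise 1.2 it builds the brute-force "is $y$ in the image of $G$?" distinguisher, which works against any one-bit-stretching $G$ at a cost of $2^k$ evaluations. The function names (`g_par`, `a_par`, `image_tester`, `g_hash`) and the SHA-256-based $G$ used as a second target are this example's own choices.

```python
"""Added example, not part of the ICS 180 handout: compute the two
probabilities in the PRG definition exactly by enumeration, for small k.

It covers both exercises of Section 1:
  1.1  G_par(x) = x || b_par(x), with b_par as the handout defines it
       (1 if x is even, 0 if x is odd, reading x as a binary integer);
  1.2  the brute-force distinguisher that works against *any*
       G: {0,1}^k -> {0,1}^{k+1}, at the cost of 2^k evaluations of G.
The function names (g_par, a_par, image_tester, g_hash) are our own.
"""
import hashlib
from itertools import product
from typing import Callable, Iterable, Tuple

Bits = Tuple[int, ...]


def all_strings(n: int) -> Iterable[Bits]:
    """Every element of {0,1}^n, as a tuple of ints."""
    return (tuple(b) for b in product((0, 1), repeat=n))


def probabilities(G: Callable[[Bits], Bits], A: Callable[[Bits], int],
                  k: int) -> Tuple[float, float]:
    """Exact values of the two sides of the PRG definition:
    Pr[A(y)=1 | x <- {0,1}^k; y = G(x)]  and  Pr[A(y)=1 | y <- {0,1}^{k+1}]."""
    p_prg = sum(A(G(x)) for x in all_strings(k)) / 2 ** k
    p_uni = sum(A(y) for y in all_strings(k + 1)) / 2 ** (k + 1)
    return p_prg, p_uni


# --- Exercise 1.1 ---------------------------------------------------------

def b_par(x: Bits) -> int:
    """Handout's parity bit: 1 if x is even, 0 if x is odd.  Read as a
    binary integer, x is even exactly when its last bit is 0."""
    return 1 - x[-1]


def g_par(x: Bits) -> Bits:
    """G(x) = [x | b_par(x)]."""
    return x + (b_par(x),)


def a_par(y: Bits) -> int:
    """Polynomial-time distinguisher: output 1 iff the trailing bit of y is
    the parity bit of the first k bits.  Always 1 on outputs of g_par;
    1 with probability exactly 1/2 on a uniform (k+1)-bit string."""
    return 1 if y[-1] == b_par(y[:-1]) else 0


# --- Exercise 1.2 ---------------------------------------------------------

def image_tester(G: Callable[[Bits], Bits], k: int) -> Callable[[Bits], int]:
    """The exponential-time A: output 1 iff y is in the image of G.
    G maps 2^k inputs into a set of 2^{k+1} strings, so the image has at
    most 2^k elements and the uniform side can never exceed 1/2."""
    image = {G(x) for x in all_strings(k)}      # 2^k evaluations of G
    return lambda y: 1 if y in image else 0


def g_hash(x: Bits) -> Bits:
    """A 'random-looking' one-bit stretcher built from SHA-256 (our choice),
    used only to show that image_tester needs nothing specific about G."""
    digest = hashlib.sha256(bytes(x)).digest()
    bits = ''.join(format(byte, '08b') for byte in digest)[:len(x) + 1]
    return tuple(int(b) for b in bits)


def main() -> None:
    k = 8
    print("1.1 parity G vs. a_par:   ", probabilities(g_par, a_par, k))
    print("1.2 parity G vs. image A: ", probabilities(g_par, image_tester(g_par, k), k))
    print("1.2 SHA-256 G vs. image A:", probabilities(g_hash, image_tester(g_hash, k), k))


if __name__ == "__main__":
    main()
```

Running `main()` shows the gap the exercises ask about: for the parity construction both distinguishers give probability 1 on $G$'s outputs and exactly $1/2$ on uniform strings, and for the hash-based $G$ the image tester still gives 1 versus at most $1/2$, because no $G$ can cover more than half of $\{0,1\}^{k+1}$. Note that `image_tester` has to enumerate all $2^k$ inputs, which is why exercise 1.2 allows $A$ to be non-polynomial.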
Here is a textbook Rabin public-key encryption. Recall the RSA function $RSA_{(n,e)} : Z_n^* \to Z_n^*$, $RSA_{(n,e)}(x) = x^e \bmod n$, where $n$ is the RSA modulus and $e$ is for example 3. The Rabin function is $Rabin_n : QR_n \to QR_n$, $Rabin_n(x) = x^2 \bmod n$ (recall that $QR_n \subseteq Z_n^*$ is the set of squares modulo $n$). Inverting the Rabin function means taking square roots $x = y^{1/2} \bmod n$, which is easy given the factorization of $n$. On the other hand, under the assumption that factoring is hard, one can prove (easily) that the Rabin function is a TDP. Therefore it has a hard-core bit function, and therefore with some work we can construct a provably indistinguishable encryption from it. However, in a plain Rabin encryption, assuming message $m \in QR_n$,¹ the ciphertext is simply $c = Rabin_n(m) = m^2 \bmod n$.
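The Rabin function described above, carried through as an added example that is not part of the handout: key generation, the forward map $m \mapsto m^2 \bmod n$, and inversion with the trapdoor (the factorization of $n$). The handout does not fix how the square roots are taken; this example assumes $n = pq$ with $p \equiv q \equiv 3 \pmod 4$ (a Blum integer), which makes each root mod $p$ and mod $q$ a single exponentiation, and it restricts messages to $QR_n$ so that exactly one of the four square roots of $c$ is the message. The helper names (`keygen`, `rabin_roots`, `rabin_dec`, `in_qr`) are ours, and the Miller-Rabin test is a demo-grade implementation, not a library call.

```python
"""Added example, not from the ICS 180 handout: the Rabin function
x -> x^2 mod n as a trapdoor permutation on QR_n, and plain ("textbook")
Rabin encryption built directly on it.

Assumptions (our own; the handout does not fix them): n = p*q with
p = q = 3 (mod 4), so square roots mod p and mod q are one exponentiation
each, and the message space is QR_n so decryption is unambiguous.
"""
import random
from math import gcd
from typing import List, Tuple


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for a demo key, not a production primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_blum_prime(bits: int) -> int:
    """Random prime of the given size with p = 3 (mod 4)."""
    while True:
        p = random.getrandbits(bits) | (1 << (bits - 1)) | 3  # top bit set, low bits 11
        if is_probable_prime(p):
            return p


def keygen(bits: int = 64) -> Tuple[int, Tuple[int, int]]:
    """Return (n, (p, q)): n is the public key, (p, q) the trapdoor."""
    p = gen_blum_prime(bits)
    q = gen_blum_prime(bits)
    while q == p:
        q = gen_blum_prime(bits)
    return p * q, (p, q)


def legendre(a: int, p: int) -> int:
    """Euler's criterion: 1 if a is a nonzero square mod p, p-1 if not, 0 if p | a."""
    return pow(a, (p - 1) // 2, p)


def in_qr(p: int, q: int, m: int) -> bool:
    """m in QR_n: m in Z_n^* and a square mod both p and q."""
    n = p * q
    return 0 < m < n and gcd(m, n) == 1 and legendre(m, p) == 1 and legendre(m, q) == 1


def rabin_enc(n: int, m: int) -> int:
    """Textbook Rabin: c = Rabin_n(m) = m^2 mod n.  No randomness at all."""
    return m * m % n


def rabin_roots(p: int, q: int, c: int) -> List[int]:
    """All four square roots of c mod n = p*q, using the trapdoor (p, q).
    For p = 3 (mod 4), c^((p+1)/4) is a square root of c mod p; the two
    roots mod p and two mod q are combined with the CRT."""
    n = p * q
    rp = pow(c, (p + 1) // 4, p)
    rq = pow(c, (q + 1) // 4, q)
    q_inv_p = pow(q, -1, p)  # q^{-1} mod p
    p_inv_q = pow(p, -1, q)  # p^{-1} mod q
    return [(sp * q * q_inv_p + sq * p * p_inv_q) % n
            for sp in (rp, p - rp) for sq in (rq, q - rq)]


def rabin_dec(p: int, q: int, c: int) -> int:
    """Invert Rabin_n on QR_n: exactly one of the four roots lies in QR_n."""
    candidates = [r for r in rabin_roots(p, q, c) if in_qr(p, q, r)]
    if len(candidates) != 1:
        raise ValueError("ciphertext is not in QR_n (or gcd(c, n) != 1)")
    return candidates[0]


def main() -> None:
    n, (p, q) = keygen(64)
    m = random.randrange(2, n)
    while not in_qr(p, q, m):          # sample a message in QR_n
        m = random.randrange(2, n)
    c = rabin_enc(n, m)
    print("n =", n, "m =", m, "c =", c)
    print("four roots:", rabin_roots(p, q, c))
    print("decrypts correctly:", rabin_dec(p, q, c) == m)


if __name__ == "__main__":
    main()
```

The four roots returned by `rabin_roots` are why the handout needs the assumption $m \in QR_n$: without it, $Rabin_n$ is four-to-one on $Z_n^*$ and the receiver cannot tell which root was sent. Note also that `rabin_enc` uses no randomness, so equal messages always give equal ciphertexts; any scheme that is secure in the sense of indistinguishability must avoid this, which is the direction the rest of the homework takes.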