homework 7


ICS 180: Introduction to Cryptography, 6/12/2004

Homework 7

Due Friday noon, 6/18/2004

1 PRGs

1.1 PRG warm-up

Recall the definition of a PRG. Consider the following attempt at constructing one: $G(x)$ outputs $x$ concatenated with the parity bit of $x$, i.e. $G(x) = [x \mid b_{par}(x)]$, where $b_{par}(x)$ is the parity bit, i.e. it is 1 if $x$ is even and 0 if $x$ is odd. Is $G$ a good PRG? (Prove or disprove.)

1.2 Perfectly secure PRG?

Remember perfectly secure encryption vs. computational notions of encryption security? Consider the following definition of a perfect, rather than computational, PRG: We say that a polynomial-time algorithm $G : \{0,1\}^k \to \{0,1\}^{k+1}$ is a perfect (one-bit-stretching) PRG if for all algorithms $A$ we have:

$$\mathrm{Prob}[A(y) = 1 \mid x \leftarrow \{0,1\}^k;\ y = G(x)] = \mathrm{Prob}[A(y) = 1 \mid y \leftarrow \{0,1\}^{k+1}]$$

Note the two differences between this definition and the regular PRG definition: (1) the regular definition allows for a negligible difference between the above two probabilities, and (2) the regular definition asks this to hold not for all algorithms $A$ but only for probabilistic polynomial-time $A$'s.

Show that "perfect PRGs" are too much to ask for, i.e. show that perfect PRGs do not exist. In other words, for any algorithm $G$ show an algorithm $A$ (not necessarily polytime) for which the above equation does not hold. What's your $A$'s running time?

2 Encryption: Textbook vs. Indistinguishable Schemes

We show one clear flaw in plain (or "textbook") Rabin encryption, and we also show that an encryption scheme which is secure in the sense of indistinguishability is provably resistant to such flaws. Rabin's encryption is similar to RSA, and similar types of flaws, although technically slightly harder to show, can be shown for RSA, which is another argument why textbook RSA is not safe and why we need provably indistinguishable encryption schemes instead.
Here is a textbook Rabin public-key encryption: Recall the RSA function $RSA_{(n,e)} : Z_n^* \to Z_n^*$, $RSA_{(n,e)}(x) = x^e \bmod n$, where $n$ is the RSA modulus and $e$ is for example 3. The Rabin function is $Rabin_n : QR_n \to QR_n$, $Rabin_n(x) = x^2 \bmod n$ (recall that $QR_n \subset Z_n^*$ is the set of squares modulo $n$). Inverting the Rabin function means taking square roots $x = y^{1/2} \bmod n$, which is easy given the factorization of $n$. On the other hand, under the assumption that factoring is hard, one can prove (easily) that the Rabin function is a TDP....

This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.
