ICS 180: Introduction to Cryptography
6/12/2004
Homework 7
Due Friday noon, 6/18/2004

1 PRGs

1.1 PRG warmup

Recall the definition of a PRG. Consider the following attempt at constructing one: $G(x)$ outputs $x$ concatenated with the parity bit of $x$, i.e. $G(x) = [x \mid b_{par}(x)]$, where $b_{par}(x)$ is the parity bit, i.e. it is 1 if $x$ is even and 0 if $x$ is odd. Is $G$ a good PRG? (Prove or disprove.)

1.2 Perfectly secure PRG?

Remember perfectly secure encryption vs. computational notions of encryption security? Consider the following definition of a perfect, rather than computational, PRG: We say that a polynomial-time algorithm $G : \{0,1\}^k \to \{0,1\}^{k+1}$ is a perfect (one-bit-stretching) PRG if for all algorithms $A$ we have:

$$\mathrm{Prob}[A(y) = 1 \mid x \leftarrow \{0,1\}^k;\ y = G(x)] = \mathrm{Prob}[A(y) = 1 \mid y \leftarrow \{0,1\}^{k+1}]$$

Note the two differences between this definition and the regular PRG definition: (1) the regular definition allows for a negligible difference between the above two probabilities, and (2) the regular definition asks this to hold not for all algorithms $A$ but only for probabilistic polynomial-time $A$'s. Show that "perfect PRGs" are too much to ask for, i.e. show that perfect PRGs do not exist. In other words, for any algorithm $G$ show an algorithm $A$ (not necessarily polytime) for which the above equation does not hold. What's your $A$'s running time?

2 Encryption: Textbook vs. Indistinguishable Schemes

We show one clear flaw in plain (or "textbook") Rabin encryption, and we also show that an encryption scheme which is secure in the sense of indistinguishability is provably resistant to such flaws. Rabin's encryption is similar to RSA, and similar types of flaws, although technically slightly harder to show, can be shown for RSA, which is another argument why textbook RSA is not safe and why we need provably indistinguishable encryption schemes instead.

Here is a textbook Rabin public-key encryption: Recall the RSA function $RSA_{(n,e)} : Z_n^* \to Z_n^*$, $RSA_{(n,e)}(x) = x^e \bmod n$, where $n$ is the RSA modulus and $e$ is for example 3. The Rabin function is $Rabin_n : QR_n \to QR_n$, $Rabin_n(x) = x^2 \bmod n$ (recall that $QR_n \subset Z_n^*$ is the set of squares modulo $n$). Inverting the Rabin function means taking square roots $x = y^{1/2} \bmod n$, which is easy given the factorization of $n$. On the other hand, under the assumption that factoring is hard, one can prove (easily) that Rabin function is a TDP....
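
An added illustration, not part of the homework handout: the Rabin function on $QR_n$ and its inversion using the factorization of $n$. It assumes $n = pq$ with $p \equiv q \equiv 3 \pmod 4$, which the preview does not state; the toy primes and all helper names are constructed for this example.

```python
from math import gcd

# Constructed toy primes, both congruent to 3 mod 4 (assumption; real moduli are far larger).
P, Q = 499, 547
N = P * Q

def rabin(x, n=N):
    """Rabin_n(x) = x^2 mod n."""
    return pow(x, 2, n)

def principal_root(a, p):
    """For p = 3 (mod 4) and a a square mod p: the square root of a
    that is itself a square mod p, computed as a^((p+1)/4) mod p."""
    return pow(a % p, (p + 1) // 4, p)

def crt(rp, rq, p=P, q=Q):
    """Combine a residue mod p and a residue mod q into one residue mod p*q."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def all_roots(y, p=P, q=Q):
    """All four square roots of y mod p*q (requires knowing p and q)."""
    rp, rq = principal_root(y, p), principal_root(y, q)
    return [crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)]

def invert(y, p=P, q=Q):
    """The unique square root of y that lies in QR_n."""
    return crt(principal_root(y, p), principal_root(y, q), p, q)

def in_qr(x, p=P, q=Q):
    """Membership in QR_n via Euler's criterion modulo each prime factor."""
    return (gcd(x, p * q) == 1
            and pow(x, (p - 1) // 2, p) == 1
            and pow(x, (q - 1) // 2, q) == 1)

if __name__ == "__main__":
    x = rabin(1234)            # an element of QR_n
    y = rabin(x)               # Rabin_n(x)
    print("x =", x, "y =", y)
    print("four roots of y:", sorted(all_roots(y)))
    print("root in QR_n:", invert(y), "(equals x:", invert(y) == x, ")")
```

Of the four square roots of $y$, exactly one lies in $QR_n$ under this assumption, which is why squaring restricted to $QR_n$ can be inverted uniquely by whoever knows $p$ and $q$.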
This homework help was uploaded on 01/30/2008 for the course ICS 180 taught by Professor Jarecki during the Spring '04 term at UC Irvine.