ICS 180: Introduction to Cryptography
6/12/2004
Homework 7
Due Friday noon, 6/18/2004
1 PRGs

1.1 PRG warmup
Recall the definition of a PRG. Consider the following attempt at constructing one: $G(x)$ outputs $x$ concatenated with the parity bit of $x$, i.e. $G(x) = [x \,\|\, b_{par}(x)]$, where $b_{par}(x)$ is the parity bit, i.e. it is 1 if $x$ is even and 0 if $x$ is odd. Is $G$ a good PRG? (Prove or disprove.)
1.2 Perfectly secure PRG?
Remember perfectly secure encryption vs. computational notions of encryption security? Consider the following definition of a perfect, rather than computational, PRG: We say that a polynomial-time algorithm $G : \{0,1\}^k \to \{0,1\}^{k+1}$ is a perfect (one-bit-stretching) PRG if for all algorithms $A$ we have:

$$\mathrm{Prob}\big[\,A(y) = 1 \;\big|\; x \leftarrow \{0,1\}^k;\ y = G(x)\,\big] \;=\; \mathrm{Prob}\big[\,A(y) = 1 \;\big|\; y \leftarrow \{0,1\}^{k+1}\,\big]$$
Note the two differences between this definition and the regular PRG definition: (1) the regular definition allows for a negligible difference between the above two probabilities, and (2) the regular definition asks this to hold not for all algorithms $A$ but only for probabilistic polynomial-time $A$'s.
Show that "perfect PRGs" are too much to ask for, i.e. show that perfect PRGs do not exist. In other words, for any algorithm $G$ show an algorithm $A$ (not necessarily poly-time) for which the above equation does not hold. What's your $A$'s running time?
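Added illustration (my own code, not from the homework sheet): it evaluates both sides of the equation above exactly, for a small $k$, using the exhaustive distinguisher $A(y) = 1$ iff $y$ lies in the image of $G$. The function names, the parity-bit $G$ from problem 1.1 and the SHA-256-prefix $G$ used for contrast are my constructions.

```python
import hashlib
from typing import Callable, Set, Tuple

# Hypothetical names; nothing here is from the homework sheet.
OneBitStretchPRG = Callable[[int, int], int]  # (x, k) -> (k+1)-bit output as an int


def parity_bit(x: int) -> int:
    """Parity bit exactly as the sheet defines it: 1 if x is even, 0 if x is odd."""
    return 1 if x % 2 == 0 else 0


def g_parity(x: int, k: int) -> int:
    """G(x) = [x || b_par(x)]: the k-bit input with its parity bit appended."""
    return (x << 1) | parity_bit(x)


def g_hash(x: int, k: int) -> int:
    """A 'random-looking' one-bit-stretching G, constructed for contrast only:
    the first k+1 bits of SHA-256(x). It still cannot be a perfect PRG."""
    digest = hashlib.sha256(x.to_bytes((k + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - (k + 1))


def image_of(g: OneBitStretchPRG, k: int) -> Set[int]:
    """Im(G) by exhaustive enumeration of all 2^k seeds: A's cost is exponential in k."""
    return {g(x, k) for x in range(1 << k)}


def perfect_prg_gap(g: OneBitStretchPRG, k: int) -> Tuple[float, float]:
    """Evaluate both sides of the perfect-PRG equation exactly for the
    distinguisher A(y) = 1 iff y is in Im(G).
    Left:  Prob[A(y)=1 | x <- {0,1}^k; y = G(x)]  -- every G(x) is in Im(G), so 1.
    Right: Prob[A(y)=1 | y <- {0,1}^{k+1}] = |Im(G)| / 2^{k+1} <= 2^k / 2^{k+1} = 1/2.
    So A separates the two distributions by at least 1/2 for every G."""
    img = image_of(g, k)
    left = sum(1 for x in range(1 << k) if g(x, k) in img) / (1 << k)
    right = sum(1 for y in range(1 << (k + 1)) if y in img) / (1 << (k + 1))
    return left, right


if __name__ == "__main__":
    for name, g in (("parity", g_parity), ("sha256-prefix", g_hash)):
        left, right = perfect_prg_gap(g, 8)
        print(f"{name:14s} k=8  left={left:.4f}  right={right:.4f}  gap={left - right:.4f}")
```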
2 Encryption: Textbook vs. Indistinguishable Schemes
We show one clear flaw in plain (or "textbook") Rabin encryption, and we also show that an encryption scheme which is secure in the sense of indistinguishability is provably resistant to such flaws. Rabin's encryption is similar to RSA, and similar types of flaws, although technically slightly harder to show, can be shown for RSA, which is another argument why textbook RSA is not safe and why we need provably indistinguishable encryption schemes instead.
Here is a textbook Rabin public-key encryption: Recall the RSA function $\mathrm{RSA}_{(n,e)} : Z_n^* \to Z_n^*$, $\mathrm{RSA}_{(n,e)}(x) = x^e \bmod n$, where $n$ is the RSA modulus and $e$ is for example 3. The Rabin function is $\mathrm{Rabin}_n : QR_n \to QR_n$, $\mathrm{Rabin}_n(x) = x^2 \bmod n$ (recall that $QR_n \subset Z_n^*$ is the set of squares modulo $n$). Inverting the Rabin function means taking square roots $x = y^{1/2} \bmod n$, which is easy given the factorization of $n$. On the other hand, under the assumption that factoring is hard, one can prove (easily) that the Rabin function is a TDP. Therefore it has a hardcore bit function, and therefore with some work we can construct
a provably indistinguishable encryption from it. However, in a plain Rabin encryption, assuming message $m \in QR_n$,$^{1}$ the ciphertext is simply $c = \mathrm{Rabin}_n(m) = m^2 \bmod n$.
Spring '04, Jarecki