# homework 7 - ICS 180 Introduction to Cryptography Homework...


ICS 180: Introduction to Cryptography, 6/12/2004

Homework 7. Due Friday noon, 6/18/2004

## 1 PRGs

### 1.1 PRG warm-up

Recall the definition of a PRG. Consider the following attempt at constructing one: $G(x)$ outputs $x$ concatenated with the parity bit of $x$, i.e. $G(x) = [x \mid b_{par}(x)]$, where $b_{par}(x)$ is the parity bit, i.e. it is 1 if $x$ is even and 0 if $x$ is odd. Is $G$ a good PRG? (Prove or disprove.)

### 1.2 Perfectly secure PRG?

Remember perfectly secure encryption vs. computational notions of encryption security? Consider the following definition of a *perfect*, rather than computational, PRG: We say that a polynomial-time algorithm $G : \{0,1\}^k \to \{0,1\}^{k+1}$ is a perfect (one-bit-stretching) PRG if for all algorithms $A$ we have:

$$\mathrm{Prob}[A(y) = 1 \mid x \leftarrow \{0,1\}^k;\ y = G(x)] = \mathrm{Prob}[A(y) = 1 \mid y \leftarrow \{0,1\}^{k+1}]$$

Note the two differences between this definition and the regular PRG definition: (1) the regular definition allows for a negligible difference between the above two probabilities, and (2) the regular definition asks this to hold not for all algorithms $A$ but only for probabilistic polynomial-time $A$'s.

Show that "perfect PRGs" are too much to ask for, i.e. show that perfect PRGs do not exist. In other words, for any algorithm $G$ show an algorithm $A$ (not necessarily polytime) for which the above equation does not hold. What's your $A$'s running time?

## 2 Encryption: Textbook vs. Indistinguishable Schemes

We show one clear flaw in plain (or "textbook") Rabin encryption, and we also show that an encryption scheme which is secure in the sense of indistinguishability is provably resistant to such flaws. Rabin's encryption is similar to RSA, and similar types of flaws, although technically slightly harder to show, can be shown for RSA, which is another argument why textbook RSA is not safe and why we need provably indistinguishable encryption schemes instead.

Here is a textbook Rabin public-key encryption: Recall the RSA function $RSA_{(n,e)} : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, $RSA_{(n,e)}(x) = x^e \bmod n$, where $n$ is the RSA modulus and $e$ is for example 3. The Rabin function is $Rabin_n : QR_n \to QR_n$, $Rabin_n(x) = x^2 \bmod n$ (recall that $QR_n \subseteq \mathbb{Z}_n^*$ is the set of squares modulo $n$). Inverting the Rabin function means taking square roots $x = y^{1/2} \bmod n$, which is easy given the factorization of $n$. On the other hand, under the assumption that factoring is hard, one can prove (easily) that the Rabin function is a TDP. Therefore it has a hard-core bit function, and therefore with some work we can construct a provably indistinguishable encryption from it. However, in a plain Rabin encryption, assuming message $m \in QR_n$,¹ the ciphertext is simply $c = Rabin_n(m) = m^2 \bmod n$.
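
The statement above that square roots modulo $n$ are easy given the factorization of $n$ can be made concrete. The following is an added example, not part of the original homework: it assumes constructed toy primes $p, q \equiv 3 \pmod 4$ (so that each square has exactly one square root inside $QR_n$), and the function names are chosen here for illustration.

```python
from math import gcd

# Constructed toy parameters (assumption): primes p, q ≡ 3 (mod 4), far too small for real use.
P, Q = 1019, 1031
N = P * Q

def rabin(x, n=N):
    """Rabin_n(x) = x^2 mod n; textbook encryption is c = Rabin_n(m)."""
    return pow(x, 2, n)

def is_qr(x, p=P, q=Q):
    """x is in QR_n iff it is a unit and a square mod p and mod q (Euler's criterion)."""
    return (gcd(x, p * q) == 1
            and pow(x, (p - 1) // 2, p) == 1
            and pow(x, (q - 1) // 2, q) == 1)

def crt(rp, rq, p=P, q=Q):
    """The unique x mod pq with x ≡ rp (mod p) and x ≡ rq (mod q)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % (p * q)

def square_roots(c, p=P, q=Q):
    """All four square roots of c in Z_n^*, computed from the factorization."""
    rp = pow(c, (p + 1) // 4, p)   # a root mod p, valid because p ≡ 3 (mod 4)
    rq = pow(c, (q + 1) // 4, q)   # likewise mod q
    return sorted({crt(a, b, p, q) for a in (rp, p - rp) for b in (rq, q - rq)})

def rabin_inverse(c, p=P, q=Q):
    """The unique root lying in QR_n, i.e. the inverse of Rabin_n on QR_n."""
    (root,) = [r for r in square_roots(c, p, q) if is_qr(r, p, q)]
    return root

if __name__ == "__main__":
    m = rabin(123456)              # constructed message, squared so that m is in QR_n
    c = rabin(m)                   # textbook Rabin ciphertext
    print("m =", m, "c =", c)
    print("roots of c:", square_roots(c))
    print("recovered m:", rabin_inverse(c))
```

Without $p$ and $q$ the only inputs are $n$ and $c$, and neither `square_roots` nor `is_qr` can be evaluated as written, which is where the factoring assumption enters.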