ICS 180: Introduction to Cryptography
4/22/2004
Solutions to homework 2
1 Security Definitions [10+20 points]

A definition of some security property often goes like this: We call some communication scheme $\Sigma$ secure in the sense of resistance against attack of type “X” if for all probabilistic polynomial time algorithms $A$, the probability that $A$ succeeds in an “attack of type X” against $\Sigma$ is negligibly small, i.e. it’s a negligible function of the security parameter $\tau$.

For example, the definition of a one-way secure encryption scheme $\Sigma = (KGen, Enc, Dec)$ has exactly this form, where the “attack of type X” of $A$ against $\Sigma$ is the “decryption attack”, defined as follows: (1) $KGen$ is executed on the security parameter $\tau$ to create key $k$, (2) random $m$ is picked in the message space $\mathcal{M}$, (3) ciphertext $c$ is computed as $Enc(k,m)$, and finally (4) $A$ runs on input $c$ and outputs some string $m'$. We say that $A$ succeeds in this attack if $m' = m$.

1.1 [10 points]

Show a (trivial) PPT algorithm which succeeds with a nonzero but negligible probability in an attack against the “one-way security” property of the one-time pad encryption scheme defined for message space $\mathcal{M} = \{0,1\}^\tau$ and key space $\mathcal{K} = \{0,1\}^\tau$, where $\tau$ is the security parameter.

Note that this means that even if a scheme is perfectly secure, let alone one-way secure, there nevertheless usually exist efficient attacks against it which succeed with negligible probability. This, in part, is why we usually cannot ask that the probability of a successful break of our scheme be zero for all efficient algorithms.

Solution: The attack algorithm $A$, on input $c = Enc(k,m) = k \oplus m$, for $k,m \in \{0,1\}^\tau$, simply outputs a random string $m' \leftarrow \{0,1\}^\tau$. $A$ succeeds in inverting the one-time pad encryption if $m' = m$. $A$ is PPT because guessing a $\tau$-long string takes $O(\tau)$ time, while its probability of success is

$$
\begin{aligned}
\mathrm{Adv}_A(\tau) &= \mathrm{Prob}[\, m' = m \mid k \leftarrow \mathcal{K};\ m \leftarrow \mathcal{M};\ c \leftarrow k \oplus m;\ m' \leftarrow A(c) \,] \\
&= \mathrm{Prob}[\, m' = m \mid m \leftarrow \{0,1\}^\tau;\ m' \leftarrow \{0,1\}^\tau \,] \\
&= 2^{-\tau}
\end{aligned}
$$

which is nonzero but negligible.
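
The decryption attack from the definition above, evaluated exactly against the one-time pad for small $\tau$ by enumerating every key, message and adversary coin string (an added example, not part of the original solutions). The function names and the second adversary, `echo_adversary`, are assumptions for illustration; it goes slightly beyond the solution by also checking a deterministic adversary, which reaches the same $2^{-\tau}$.

```python
from fractions import Fraction
from itertools import product


def enc(k, m):
    """One-time pad on tau-bit integers: bitwise XOR of key and message."""
    return k ^ m


def oneway_advantage(adversary, tau):
    """Exact Prob[m' = m] in the decryption attack.

    Enumerates every key k, message m and adversary coin string r in
    {0,1}^tau, so the result is a probability, not an estimate.
    """
    space = range(2 ** tau)
    wins = total = 0
    for k, m, r in product(space, repeat=3):
        c = enc(k, m)                   # steps (1)-(3): key, message, ciphertext
        m_guess = adversary(c, r, tau)  # step (4): A sees only c and its own coins
        wins += (m_guess == m)
        total += 1
    return Fraction(wins, total)


def guess_adversary(c, r, tau):
    """The solution's A: ignore c and output a uniformly random tau-bit string."""
    return r


def echo_adversary(c, r, tau):
    """Hypothetical deterministic A: output c itself, which wins exactly when k = 0."""
    return c


if __name__ == "__main__":
    print("tau  guess  echo  2^-tau")
    for tau in range(1, 6):
        print(tau,
              oneway_advantage(guess_adversary, tau),
              oneway_advantage(echo_adversary, tau),
              Fraction(1, 2 ** tau))
```

Both columns equal $2^{-\tau}$ for every $\tau$: the success probability is never zero, but it halves with each added bit of the security parameter.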

1.2 [bonus 20 points]

Let’s show that the definitions of this type are “robust” in the following sense: Assume that a scheme $\Sigma$ is secure against “attack of type X” in the above sense, but that there nevertheless exists an efficient algorithm $A$ which does succeed in this attack but only with a negligible probability, for example $2^{-p(\tau)}$ for some polynomial $p(\cdot)$.