ss2 - Computer Science and Engineering UCSD CSE 207 Modern...


Computer Science and Engineering, UCSD, Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 2 Solutions
April 13, 2011

Problem 1. [20 points] Define the family of functions $F : \{0,1\}^{128} \times \{0,1\}^{128} \to \{0,1\}^{128}$ by $F(K,M) = \mathrm{AES}(M,K)$. Assuming AES is a secure PRF, is $F$ a secure PRF? If so, explain why. If not, present the best attack (with analysis) that you can.

$F$ is not a secure PRF. The easiest way to see this is to note that it is not even secure against key-recovery: given one input-output example $(M,C)$ of $F_K$, we can recover $K$ via $K \leftarrow \mathrm{AES}^{-1}_M(C)$. However, this is not enough. The question was whether it is a secure PRF, not whether one can recover the key. However we have seen that PRF security implies security against key recovery. To use this we first formalize the above attack to present the following key-recovery adversary:

adversary $B$
  Let $M$ be any 128 bit string
  $C \leftarrow \mathrm{Fn}(M)$ ; $K \leftarrow \mathrm{AES}^{-1}_M(C)$
  Return $K$

Now, recalling the definition of key-recovery advantage, we see that $\mathrm{Adv}^{\mathrm{kr}}_F(B) = 1$. Now we can apply the result from class to conclude that $F$ is not a secure PRF.

An alternative solution is to demonstrate the insecurity of $F$ as PRF directly, by considering the following adversary $A$ that is given an oracle $\mathrm{Fn} : \{0,1\}^{128} \to \{0,1\}^{128}$:

adversary $A$
  Let $M, N$ be any two distinct 128 bit strings
  $C \leftarrow \mathrm{Fn}(M)$ ; $L \leftarrow \mathrm{AES}^{-1}_M(C)$
  $D \leftarrow \mathrm{Fn}(N)$
  if $(\mathrm{AES}(N,L) = D)$ then return 1 else return 0

We claim that

$$\Pr\left[\mathrm{Real}^{A}_{F} \Rightarrow 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathrm{Rand}^{A}_{\{0,1\}^{128}} \Rightarrow 1\right] = 2^{-128}.$$

Why? If $\mathrm{Fn} = F_K$ is an instance of $F$ then $C = F(K,M) = \mathrm{AES}(M,K)$, and thus $L = \mathrm{AES}^{-1}_M(C) = K$. Then $D = F(K,N) = \mathrm{AES}(N,K)$, but this equals $\mathrm{AES}(N,L)$, since $L = K$, so $A$ returns 1 with probability one, justifying the first equation above.

Game $G$
procedure Initialize
  $K \stackrel{\$}{\leftarrow} \{0,1\}^k$ ; $b \stackrel{\$}{\leftarrow} \{0,1\}$
procedure LR$(x_0, x_1)$
  Ret $F(K, x_b)$
procedure Finalize$(b')$
  Ret $(b = b')$

Figure 1: Game $G$ for Problem 2.

If $\mathrm{Fn}$ is a random function, then $D$ is distributed uniformly and independently of
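Adversaries $A$ and $B$ from the Problem 1 solution, run end to end against both a real instance of $F$ and a random function; this is an added example, not part of the original solutions. Python's standard library has no AES, so `E` and `E_inv` are a constructed 4-round Feistel permutation standing in for AES and AES$^{-1}$ (the attack relies only on the cipher being invertible under a known key); all function names are assumptions.

```python
import hashlib, os

BLOCK = 16  # bytes; 128-bit keys and blocks as in Problem 1

def _f(key, i, half):
    # Round function of the constructed stand-in cipher (NOT AES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, x):
    """Stand-in for AES(key, x): 4-round Feistel permutation on 16 bytes."""
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def E_inv(key, y):
    """Stand-in for AES^{-1}(key, y): undo the rounds in reverse order."""
    l, r = y[:8], y[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def F(K, M):
    return E(M, K)  # Problem 1: the query M keys the cipher, the secret K is its input

def real_oracle():
    K = os.urandom(BLOCK)
    return (lambda M: F(K, M)), K   # K is returned only so the caller can check B

def rand_oracle():
    table = {}  # lazily sampled random function on 128-bit strings
    return lambda M: table.setdefault(M, os.urandom(BLOCK))

def adversary_B(Fn):
    M = bytes(BLOCK)                # any 128-bit string
    return E_inv(M, Fn(M))          # K <- AES^{-1}_M(C)

def adversary_A(Fn):
    M, N = bytes(BLOCK), b"\x01" * BLOCK   # two distinct 128-bit strings
    L = E_inv(M, Fn(M))             # L = K whenever Fn = F_K
    return 1 if E(N, L) == Fn(N) else 0

def prf_advantage(trials=200):
    # Empirical Pr[Real => 1] - Pr[Rand => 1] for adversary A.
    real = sum(adversary_A(real_oracle()[0]) for _ in range(trials)) / trials
    rand = sum(adversary_A(rand_oracle()) for _ in range(trials)) / trials
    return real - rand
```

Each adversary makes at most two oracle queries and a constant number of cipher evaluations, so the measured advantage of 1 comes at negligible cost.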