Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 2 Solutions
April 13, 2011
Problem 1. [20 points]
Define the family of functions $F : \{0,1\}^{128} \times \{0,1\}^{128} \to \{0,1\}^{128}$ by $F(K,M) = \mathsf{AES}(M,K)$. Assuming $\mathsf{AES}$ is a secure PRF, is $F$ a secure PRF? If so, explain why. If not, present the best attack (with analysis) that you can.
$F$ is not a secure PRF. The easiest way to see this is to note that it is not even secure against key-recovery: given one input-output example $(M,C)$ of $F_K$, we can recover $K$ via $K \leftarrow \mathsf{AES}^{-1}_M(C)$.

However, this is not enough. The question was whether it is a secure PRF, not whether one can recover the key. However we have seen that PRF security implies security against key recovery. To use this we first formalize the above attack to present the following key-recovery adversary:

adversary $B$
    Let $M$ be any 128 bit string
    $C \leftarrow \mathrm{Fn}(M)$ ; $K \leftarrow \mathsf{AES}^{-1}_M(C)$
    Return $K$

Now, recalling the definition of key-recovery advantage, we see that $\mathbf{Adv}^{\mathrm{kr}}_F(B) = 1$. Now we can apply the result from class to conclude that $F$ is not a secure PRF.
An alternative solution is to demonstrate the insecurity of $F$ as a PRF directly, by considering the following adversary $A$ that is given an oracle $\mathrm{Fn} : \{0,1\}^{128} \to \{0,1\}^{128}$:

adversary $A$
    Let $M, N$ be any two distinct 128 bit strings
    $C \leftarrow \mathrm{Fn}(M)$ ; $L \leftarrow \mathsf{AES}^{-1}_M(C)$
    $D \leftarrow \mathrm{Fn}(N)$
    if ($\mathsf{AES}(N,L) = D$) then return 1 else return 0

We claim that
$$\Pr\left[\mathrm{Real}^A_F \Rightarrow 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathrm{Rand}^A_{\{0,1\}^{128}} \Rightarrow 1\right] = 2^{-128}.$$
Why? If $\mathrm{Fn} = F_K$ is an instance of $F$ then $C = F(K,M) = \mathsf{AES}(M,K)$, and thus $L = \mathsf{AES}^{-1}_M(C) = K$. Then $D = F(K,N) = \mathsf{AES}(N,K)$, but this equals $\mathsf{AES}(N,L)$, since $L = K$, so $A$ returns 1 with probability one, justifying the first equation above. If $\mathrm{Fn}$ is a random function, then $D$ is
distributed uniformly and independently of

Game G

procedure Initialize
    $K \xleftarrow{\$} \{0,1\}^k$ ; $b \xleftarrow{\$} \{0,1\}$

procedure LR($x_0, x_1$)
    Ret $F(K, x_b)$

procedure Finalize($b'$)
    Ret ($b = b'$)

Figure 1: Game G for Problem 2.