ss2 - Computer Science and Engineering, UCSD CSE 207:...

Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 2 Solutions
April 13, 2011

Problem 1. [20 points] Define the family of functions $F : \{0,1\}^{128} \times \{0,1\}^{128} \to \{0,1\}^{128}$ by $F(K, M) = \mathrm{AES}(M, K)$. Assuming AES is a secure PRF, is $F$ a secure PRF? If so, explain why. If not, present the best attack (with analysis) that you can.

$F$ is not a secure PRF. The easiest way to see this is to note that it is not even secure against key-recovery: given one input-output example $(M, C)$ of $F_K$, we can recover $K$ via $K \leftarrow \mathrm{AES}^{-1}_M(C)$.

However, this is not enough. The question was whether it is a secure PRF, not whether one can recover the key. However, we have seen that PRF security implies security against key recovery. To use this we first formalize the above attack to present the following key-recovery adversary:

adversary $B$
  Let $M$ be any 128-bit string
  $C \leftarrow \mathrm{Fn}(M)$ ; $K \leftarrow \mathrm{AES}^{-1}_M(C)$
  Return $K$

Now, recalling the definition of key-recovery advantage, we see that $\mathbf{Adv}^{\mathrm{kr}}_F(B) = 1$. Now we can apply the result from class to conclude that $F$ is not a secure PRF.

An alternative solution is to demonstrate the insecurity of $F$ as a PRF directly, by considering the following adversary $A$ that is given an oracle $\mathrm{Fn} : \{0,1\}^{128} \to \{0,1\}^{128}$:

adversary $A$
  Let $M, N$ be any two distinct 128-bit strings
  $C \leftarrow \mathrm{Fn}(M)$ ; $L \leftarrow \mathrm{AES}^{-1}_M(C)$
  $D \leftarrow \mathrm{Fn}(N)$
  if $(\mathrm{AES}(N, L) = D)$ then return 1 else return 0

We claim that

$$\Pr\left[\mathrm{Real}^A_F \Rightarrow 1\right] = 1 \quad\text{and}\quad \Pr\left[\mathrm{Rand}^A_{\{0,1\}^{128}} \Rightarrow 1\right] = 2^{-128}.$$

Why? If $\mathrm{Fn} = F_K$ is an instance of $F$ then $C = F(K, M) = \mathrm{AES}(M, K)$, and thus $L = \mathrm{AES}^{-1}_M(C) = K$. Then $D = F(K, N) = \mathrm{AES}(N, K)$, but this equals $\mathrm{AES}(N, L)$, since $L = K$, so $A$ returns 1 with probability one, justifying the first equation above. If $\mathrm{Fn}$ is a random function, then $D$ is distributed uniformly and independently of

Game $G$
procedure Initialize
  $K \xleftarrow{\$} \{0,1\}^k$ ; $b \xleftarrow{\$} \{0,1\}$
procedure LR($x_0, x_1$)
  Ret $F(K, x_b)$
procedure Finalize($b'$)
  Ret $(b = b')$

Figure 1: Game $G$ for Problem 2.
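Adversaries $B$ and $A$ from Problem 1, run against the Real and Rand games, as an added example that is not part of the original solutions. AES is not in the Python standard library, so a 4-round Feistel cipher built from SHA-256 stands in for it (an assumption, as are the names `E`, `E_inv`, `real_oracle`, `rand_oracle` and `run_games`); the attack uses only the fact that a block cipher is efficiently invertible under a known key, so it goes through unchanged with AES.

```python
import hashlib, os

BLOCK = 16  # 128-bit keys and blocks, as in Problem 1

def _round(key, i, half):
    # Feistel round function: 64 bits derived from the key, round index and half-block
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

_xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    """Stand-in for AES(key, block): a 4-round Feistel permutation (assumption)."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def E_inv(key, block):
    """Stand-in for AES^{-1}_key(block): undoes the rounds of E in reverse order."""
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def F(K, M):
    # The family under attack: the oracle input M is used as the cipher key,
    # and the secret K is the block being encrypted.
    return E(M, K)

def adversary_B(fn):
    # Key recovery: one query, then decrypt under the key M that B chose itself.
    M = bytes(BLOCK)
    return E_inv(M, fn(M))

def adversary_A(fn):
    # PRF distinguisher: recover a candidate key L, then check it on a second point N.
    M, N = bytes(BLOCK), b"\x01" * BLOCK
    L = E_inv(M, fn(M))
    return int(E(N, L) == fn(N))

def real_oracle():
    K = os.urandom(BLOCK)
    return K, (lambda M: F(K, M))

def rand_oracle():
    table = {}  # lazily sampled random function on 128-bit strings
    return lambda M: table.setdefault(M, os.urandom(BLOCK))

def run_games(trials=100):
    # Returns (number of times A outputs 1 in Real, number of times in Rand)
    return (sum(adversary_A(real_oracle()[1]) for _ in range(trials)),
            sum(adversary_A(rand_oracle()) for _ in range(trials)))
```

`run_games()` returns `(trials, 0)` except with probability about `trials` times $2^{-128}$, matching the two probabilities claimed for $A$.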