ss3 - Computer Science and Engineering UCSD Spring 11 CSE...


Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 3 Solutions
April 20, 2011

Problem 1. [80 points] Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let algorithm $\mathcal{K}$ return $K \xleftarrow{\$} \{0,1\}^k$. Assume messages to be encrypted have length $\ell < n$. Let $\mathcal{E}$ be the following encryption algorithm:

$$
\begin{array}{l}
\textbf{algorithm } \mathcal{E}_K(M) \\
\quad \textbf{if } |M| \neq \ell \textbf{ then return } \perp \quad \text{// Only encrypts } \ell\text{-bit messages} \\
\quad R \xleftarrow{\$} \{0,1\}^{n-\ell} \\
\quad C \leftarrow E_K(R \,\|\, M) \\
\quad \textbf{return } C
\end{array}
$$

Above, "$x \,\|\, y$" denotes the concatenation of strings $x$ and $y$.

1. [10 points] Specify a decryption algorithm $\mathcal{D}$ such that $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a symmetric encryption scheme providing correct decryption.

We use the fact that $E$ is a block cipher and thus given the key one can easily compute its inverse $E^{-1}$. Given an $n$-bit string $C$, the decryption algorithm is then as follows:

$$
\begin{array}{l}
\textbf{algorithm } \mathcal{D}_K(C) \\
\quad X \leftarrow E_K^{-1}(C) \\
\quad M \leftarrow X[n-\ell+1 \,..\, n] \\
\quad \textbf{return } M
\end{array}
$$

Above, $X[a..b]$ means bits $a$ through $b$ of string $X$.

2. [30 points] Give the best attack you can on this scheme. Given an even number $q$, your attack should take the form of an ind-cpa adversary $A$ that makes $q$ oracle queries and has running time around that for $O(q)$ applications of $E$. Specify $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A)$ as a function of $q, n, \ell$. Letting $n = 128$, make a table showing, for values $\ell = 1, 16, 32, 64, 96$, the smallest value of $q$ for which the advantage is at least $1/4$. (The better the attack, the more points you get.) For the analysis, you may find Lemma A.1 below useful.

Based on attacks in class, one might propose the following adversary, where $q$ is an integer parameter:

$$
\begin{array}{l}
\textbf{adversary } A \\
\quad \textbf{for } i = 1, \ldots, q \textbf{ do } C_i \xleftarrow{\$} \mathrm{LR}(\langle i \rangle, 0^\ell) \\
\quad \textbf{if } \exists\, i_1 < i_2 \text{ such that } C_{i_1} = C_{i_2} \textbf{ then return } 1 \\
\quad \textbf{else return } 0
\end{array}
$$

But $\langle i \rangle$ must be an allowed message, which here is an $\ell$-bit string, and $i$ ranges from $1$ to $q$. So the adversary is only valid if $q < 2^\ell$. But our $\ell$ may be very small, such as $\ell = 1$, and then we are not making enough queries for a successful attack. We need to make about $2^{n-\ell}$ queries, so this adversary only works if $\ell \geq n - \ell$, meaning $\ell \geq n/2$, which for $n = 128$ rules out several of the values of $\ell$ we were asked to consider.

Instead, letting $q = 2r$ be an even integer parameter, our adversary works as follows:

$$
\begin{array}{l}
\textbf{adversary } A \\
\quad \textbf{for } i = 1, \ldots, r \textbf{ do } C_{0,i} \xleftarrow{\$} \mathrm{LR}(0^\ell, 0^\ell);\ C_{1,i} \xleftarrow{\$} \mathrm{LR}(1^\ell, 0^\ell) \\
\quad \textbf{if } \exists\, i_1, i_2 \text{ such that } C_{0,i_1} = C_{1,i_2} \textbf{ then return } 1 \\
\quad \textbf{else return } 0
\end{array}
$$

For the analysis, let $R_{0,i}, R_{1,i}$ denote the random choices made by the encryption algorithm in the computations of $C_{0,i}, C_{1,i}$, respectively....
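The second adversary above can be run against the scheme at toy scale to see how its advantage grows with $q = 2r$. The following simulation is an added example, not part of the original solutions: the block cipher is replaced by a shuffled lookup table (a random permutation standing in for $E_K$), and the sizes $n = 12$, $\ell = 4$ and all function names are assumptions chosen so it runs quickly.

```python
import random

N_BITS, L_BITS = 12, 4   # toy sizes (assumption); the problem itself uses n = 128

def keygen(rng):
    """Toy stand-in for E_K: a uniformly random permutation on n-bit blocks."""
    table = list(range(1 << N_BITS))
    rng.shuffle(table)
    return table

def encrypt(table, m, rng):
    """The scheme's encryption: C = E_K(R || M), R uniform on n - l bits."""
    r = rng.getrandbits(N_BITS - L_BITS)
    return table[(r << L_BITS) | m]

def adversary(lr, r):
    """q = 2r queries: LR(0^l, 0^l) and LR(1^l, 0^l); output 1 on a cross collision."""
    zeros, ones = 0, (1 << L_BITS) - 1
    c0, c1 = set(), set()
    for _ in range(r):
        c0.add(lr(zeros, zeros))
        c1.add(lr(ones, zeros))
    return 1 if c0 & c1 else 0

def run_game(b, r, rng):
    """One ind-cpa game with a fresh key; the oracle encrypts the left (b=0)
    or right (b=1) message of each query."""
    table = keygen(rng)
    lr = lambda m0, m1: encrypt(table, m1 if b else m0, rng)
    return adversary(lr, r)

def estimate_advantage(r, trials=200, seed=1):
    """Empirical Pr[A outputs 1 | b=1] - Pr[A outputs 1 | b=0]."""
    rng = random.Random(seed)
    right = sum(run_game(1, r, rng) for _ in range(trials)) / trials
    left = sum(run_game(0, r, rng) for _ in range(trials)) / trials
    return right - left

if __name__ == "__main__":
    for r in (2, 8, 16, 32):
        print(f"q = {2 * r:3d}   estimated advantage = {estimate_advantage(r):.2f}")
```

In the left world the two ciphertext sets can never intersect, because $R \,\|\, 0^\ell$ and $R' \,\|\, 1^\ell$ are distinct inputs to a permutation, so every collision the adversary sees comes from the right world.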