Computer Science and Engineering, UCSD
Spring 11
CSE 207: Modern Cryptography
Instructor: Mihir Bellare
Problem Set 3 Solutions
April 20, 2011
Problem 1. [80 points]
Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let algorithm $\mathcal{K}$ return $K \xleftarrow{\$} \{0,1\}^k$. Assume messages to be encrypted have length $\ell < n$. Let $\mathcal{E}$ be the following encryption algorithm:

algorithm $\mathcal{E}_K(M)$
  if $|M| \neq \ell$ then return $\bot$  // Only encrypts $\ell$ bit messages
  $R \xleftarrow{\$} \{0,1\}^{n-\ell}$
  $C \leftarrow E_K(R \,\|\, M)$
  return $C$

Above, "$x \,\|\, y$" denotes the concatenation of strings $x$ and $y$.

1. [10 points] Specify a decryption algorithm $\mathcal{D}$ such that $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a symmetric encryption scheme providing correct decryption.

We use the fact that $E$ is a block cipher and thus given the key one can easily compute its inverse $E^{-1}$. Given an $n$-bit string $C$, the decryption algorithm is then as follows:

algorithm $\mathcal{D}_K(C)$
  $X \leftarrow E_K^{-1}(C)$
  $M \leftarrow X[n-\ell+1..n]$
  return $M$

Above $X[a..b]$ means bits $a$ through $b$ of string $X$.

2. [30 points] Give the best attack you can on this scheme. Given an even number $q$, your attack should take the form of an ind-cpa adversary $A$ that makes $q$ oracle queries and has running time around that for $O(q)$ applications of $E$. Specify $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A)$ as a function of $q, n, \ell$. Letting $n = 128$, make a table showing, for values $\ell = 1, 16, 32, 64, 96$, the smallest value of $q$ for which the advantage is at least $1/4$. (The better the attack, the more points you get.) For the analysis, you may find Lemma A.1 below useful.

Based on attacks in class, one might propose the following adversary, where $q$ is an integer parameter:

adversary $A$
  for $i = 1, \ldots, q$ do $C_i \xleftarrow{\$} \mathrm{LR}((i), 0^\ell)$
  if $\exists\, i_1 < i_2$ such that $C_{i_1} = C_{i_2}$ then return 1
  else return 0

But $(i)$ must be an allowed message, which here is an $\ell$ bit string, and $i$ ranges from 1 to $q$. So the adversary is only valid if $q < 2^\ell$. But our $\ell$ may be very small, such as $\ell = 1$, and then we are not making enough queries for a successful attack. We need to make about $2^{n-\ell}$ queries, so this adversary only works if $\ell \geq n - \ell$, meaning $\ell \geq n/2$, which for $n = 128$ rules out several of the values of $\ell$ we were asked to consider.

Instead, letting $q = 2r$ be an even integer parameter, our adversary works as follows:

adversary $A$
  for $i = 1, \ldots, r$ do
    $C_{0,i} \xleftarrow{\$} \mathrm{LR}(0^\ell, 0^\ell)$ ; $C_{1,i} \xleftarrow{\$} \mathrm{LR}(1^\ell, 0^\ell)$
  if $\exists\, i_1, i_2$ such that $C_{0,i_1} = C_{1,i_2}$ then return 1
  else return 0

For the analysis, let $R_{0,i}, R_{1,i}$ denote the random choices made by the encryption algorithm in the computations of $C_{0,i}, C_{1,i}$, respectively.

In game $\mathrm{Left}_{\mathcal{SE}}$ we have $C_{0,i} = E_K(R_{0,i} \,\|\, 0^\ell)$ and $C_{1,i} = E_K(R_{1,i} \,\|\, 1^\ell)$ for all $i = 1, \ldots, r$. The fact that $E_K$ is a permutation implies that for all $i_1, i_2$ we will have $C_{0,i_1} \neq C_{1,i_2}$. This means that $A$ always returns 0 in game $\mathrm{Left}_{\mathcal{SE}}$. Thus

$$\Pr\Big[\mathrm{Left}^{A}_{\mathcal{SE}} \Rightarrow 1\Big] = 0.$$
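
The second adversary and the Left-game claim above can be checked empirically at small parameters. The following Python simulation is an added example, not part of the original solutions; it assumes a uniformly random permutation on $n$-bit values as a stand-in for $E_K$, and the sizes $n = 12$, $\ell = 4$ and all function names are choices made for this example.

```python
import random

def make_encryptor(n, l, rng):
    """One fresh key: E_K is modelled as a uniformly random permutation on
    n-bit values (an assumption of this example, standing in for a block cipher)."""
    perm = list(range(2 ** n))
    rng.shuffle(perm)
    def encrypt(m):
        if not 0 <= m < 2 ** l:
            return None                      # the scheme's "bottom": wrong length
        r = rng.randrange(2 ** (n - l))      # R <-$ {0,1}^(n-l)
        return perm[(r << l) | m]            # C <- E_K(R || M)
    return encrypt

def adversary(lr, l, r):
    """The second adversary above: q = 2r queries, output 1 on a cross collision."""
    zero, ones = 0, 2 ** l - 1               # 0^l and 1^l as integers
    c0, c1 = set(), set()
    for _ in range(r):
        c0.add(lr(zero, zero))               # C_{0,i} <-$ LR(0^l, 0^l)
        c1.add(lr(ones, zero))               # C_{1,i} <-$ LR(1^l, 0^l)
    return 1 if c0 & c1 else 0

def run_game(world, n, l, r, rng):
    """Play one Left or Right game with a fresh key and return A's output."""
    enc = make_encryptor(n, l, rng)
    if world == "left":
        lr = lambda m0, m1: enc(m0)
    else:
        lr = lambda m0, m1: enc(m1)
    return adversary(lr, l, r)

def estimate_advantage(n, l, r, trials, seed=1):
    """Estimate (Pr[Right => 1] - Pr[Left => 1], Pr[Left => 1], Pr[Right => 1])."""
    rng = random.Random(seed)                # seeded so the simulation is repeatable
    left = sum(run_game("left", n, l, r, rng) for _ in range(trials)) / trials
    right = sum(run_game("right", n, l, r, rng) for _ in range(trials)) / trials
    return right - left, left, right

if __name__ == "__main__":
    for r in (2, 8, 16, 32):
        adv, left, right = estimate_advantage(n=12, l=4, r=r, trials=200)
        print(f"q={2*r:3d}  left={left:.3f}  right={right:.3f}  advantage={adv:.3f}")
```

The left-game frequency is exactly 0 in every run, matching the analysis above, while the right-game frequency grows with $r$ because both oracle calls then encrypt $0^\ell$ and collide whenever some $R_{0,i_1} = R_{1,i_2}$.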