
# ss3 - Computer Science and Engineering UCSD CSE 207 Modern...


Computer Science and Engineering, UCSD, Spring 11

CSE 207: Modern Cryptography

Instructor: Mihir Bellare

Problem Set 3 Solutions, April 20, 2011

**Problem 1. [80 points]** Let $E : \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let algorithm $\mathcal{K}$ return $K \xleftarrow{\$} \{0,1\}^k$. Assume messages to be encrypted have length $\ell < n$. Let $\mathcal{E}$ be the following encryption algorithm:

$$
\begin{array}{l}
\textbf{algorithm } \mathcal{E}_K(M) \\
\quad \textbf{if } |M| \neq \ell \textbf{ then return } \bot \quad \text{// Only encrypts } \ell\text{-bit messages} \\
\quad R \xleftarrow{\$} \{0,1\}^{n-\ell} \\
\quad C \leftarrow E_K(R \,\|\, M) \\
\quad \textbf{return } C
\end{array}
$$

Above, "$x \,\|\, y$" denotes the concatenation of strings $x$ and $y$.

**1. [10 points]** Specify a decryption algorithm $\mathcal{D}$ such that $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a symmetric encryption scheme providing correct decryption.

We use the fact that $E$ is a block cipher and thus given the key one can easily compute its inverse $E^{-1}$. Given an $n$-bit string $C$, the decryption algorithm is then as follows:

$$
\begin{array}{l}
\textbf{algorithm } \mathcal{D}_K(C) \\
\quad X \leftarrow E_K^{-1}(C) \\
\quad M \leftarrow X[n-\ell+1\,..\,n] \\
\quad \textbf{return } M
\end{array}
$$

Above, $X[a..b]$ means bits $a$ through $b$ of string $X$.

**2. [30 points]** Give the best attack you can on this scheme. Given an even number $q$, your attack should take the form of an ind-cpa adversary $A$ that makes $q$ oracle queries and has running time around that for $O(q)$ applications of $E$. Specify $\mathbf{Adv}^{\text{ind-cpa}}_{\mathcal{SE}}(A)$ as a function of $q, n, \ell$. Letting $n = 128$, make a table showing, for values $\ell = 1, 16, 32, 64, 96$, the smallest value of $q$ for which the advantage is at least $1/4$. (The better the attack, the more points you get.) For the analysis, you may find Lemma A.1 below useful.

Based on attacks in class, one might propose the following adversary, where $q$ is an integer parameter:

$$
\begin{array}{l}
\textbf{adversary } A \\
\quad \textbf{for } i = 1, \ldots, q \textbf{ do } C_i \xleftarrow{\$} \mathrm{LR}(\langle i \rangle, 0^\ell) \\
\quad \textbf{if } \exists\, i_1 < i_2 \text{ such that } C_{i_1} = C_{i_2} \textbf{ then return } 1 \textbf{ else return } 0
\end{array}
$$

But $\langle i \rangle$ must be an allowed message, which here is an $\ell$-bit string, and $i$ ranges from $1$ to $q$. So the adversary is only valid if $q < 2^\ell$. But our $\ell$ may be very small, such as $\ell = 1$, and then we are not making enough queries for a successful attack. We need to make about 2 n queries, so this adversary only works if n , meaning n/ 2, which for $n = 128$ rules out several of the values of $\ell$ we were asked to consider.

Instead, letting $q = 2r$ be an even integer parameter, our adversary works as follows:

$$
\begin{array}{l}
\textbf{adversary } A \\
\quad \textbf{for } i = 1, \ldots, r \textbf{ do } C_{0,i} \xleftarrow{\$} \mathrm{LR}(0^\ell, 0^\ell) \,;\; C_{1,i} \xleftarrow{\$} \mathrm{LR}(1^\ell, 0^\ell) \\
\quad \textbf{if } \exists\, i_1, i_2 \text{ such that } C_{0,i_1} = C_{1,i_2} \textbf{ then return } 1 \textbf{ else return } 0
\end{array}
$$

For the analysis, let $R_{0,i}, R_{1,i}$ denote the random choices made by the encryption algorithm in the computations of $C_{0,i}, C_{1,i}$, respectively. In game $\mathrm{Left}_{\mathcal{SE}}$ we have $C_{0,i} = E_K(R_{0,i} \,\|\, 0^\ell)$ and $C_{1,i} = E_K(R_{1,i} \,\|\, 1^\ell)$ for all $i = 1, \ldots, r$. The fact that $E_K$ is a permutation implies that for all $i_1, i_2$ we will have $C_{0,i_1} \neq C_{1,i_2}$. This means that $A$ always returns $0$ in game $\mathrm{Left}_{\mathcal{SE}}$. Thus

$$
\Pr\left[\mathrm{Left}^{A}_{\mathcal{SE}} \Rightarrow 1\right] = 0 .
$$
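The second adversary can be checked empirically at toy sizes. The following simulation is an added example, not part of the problem set: it assumes a random permutation of $\{0,1\}^n$ as a stand-in for $E_K$, uses small $n$ so the permutation fits in a table, and estimates the advantage with the standard convention $\Pr[\mathrm{Right} \Rightarrow 1] - \Pr[\mathrm{Left} \Rightarrow 1]$. All function names are hypothetical.

```python
import random

def make_cipher(n, rng):
    """Toy stand-in for E_K (assumption): a random permutation of {0,1}^n."""
    table = list(range(2 ** n))
    rng.shuffle(table)
    return table

def encrypt(perm, n, ell, m, rng):
    """The scheme from Problem 1: C = E_K(R || M), R uniform in {0,1}^(n-ell)."""
    r = rng.getrandbits(n - ell)
    return perm[(r << ell) | m]

def adversary(lr, ell, r):
    """q = 2r queries: r of LR(0^ell, 0^ell) and r of LR(1^ell, 0^ell)."""
    zeros, ones = 0, (1 << ell) - 1
    c0 = {lr(zeros, zeros) for _ in range(r)}
    c1 = {lr(ones, zeros) for _ in range(r)}
    # Output 1 iff some C_{0,i1} equals some C_{1,i2}.
    return 1 if c0 & c1 else 0

def run_game(b, n, ell, r, rng):
    """b = 0 plays game Left (encrypt first message), b = 1 plays game Right."""
    perm = make_cipher(n, rng)  # fresh key for every game
    lr = lambda m0, m1: encrypt(perm, n, ell, (m0, m1)[b], rng)
    return adversary(lr, ell, r)

def estimate_advantage(n, ell, r, trials=200, seed=1):
    """Return (Pr[Left => 1], Pr[Right => 1], advantage) as empirical frequencies."""
    rng = random.Random(seed)
    left = sum(run_game(0, n, ell, r, rng) for _ in range(trials)) / trials
    right = sum(run_game(1, n, ell, r, rng) for _ in range(trials)) / trials
    return left, right, right - left

if __name__ == "__main__":
    # Constructed toy parameters: n = 10, so R has 9 bits (ell = 1) or 6 bits (ell = 4).
    for ell, r in ((1, 4), (1, 48), (4, 48)):
        left, right, adv = estimate_advantage(n=10, ell=ell, r=r)
        print(f"ell={ell} q={2 * r}: Left={left:.3f} Right={right:.3f} adv={adv:.3f}")
```

The Left frequency is exactly 0 for every parameter choice, matching the analysis above, and the attack stays valid at $\ell = 1$, where the first adversary runs out of distinct messages.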