Computer Science and Engineering, UCSD                                     Spring 11
CSE 207: Modern Cryptography                              Instructor: Mihir Bellare
Problem Set 3 Solutions                                              April 20, 2011

Problem 1. [80 points] Let $E\colon \{0,1\}^k \times \{0,1\}^n \to \{0,1\}^n$ be a block cipher and let algorithm $\mathcal{K}$ return $K \xleftarrow{\$} \{0,1\}^k$. Assume messages to be encrypted have length $\ell < n$. Let $\mathcal{E}$ be the following encryption algorithm:

    algorithm E_K(M)
        if |M| ≠ ℓ then return ⊥        // Only encrypts ℓ-bit messages
        R ←$ {0,1}^{n-ℓ}
        C ← E_K(R ∥ M)
        return C

Above, "$x \,\|\, y$" denotes the concatenation of strings $x$ and $y$.

1. [10 points] Specify a decryption algorithm $\mathcal{D}$ such that $\mathcal{SE} = (\mathcal{K}, \mathcal{E}, \mathcal{D})$ is a symmetric encryption scheme providing correct decryption.

We use the fact that $E$ is a block cipher and thus, given the key, one can easily compute its inverse $E^{-1}$. Given an $n$-bit string $C$, the decryption algorithm is then as follows:

    algorithm D_K(C)
        X ← E_K^{-1}(C)
        M ← X[n-ℓ+1..n]
        return M

Above, $X[a..b]$ means bits $a$ through $b$ of string $X$.

2. [30 points] Give the best attack you can on this scheme. Given an even number $q$, your attack should take the form of an ind-cpa adversary $A$ that makes $q$ oracle queries and has running time around that for $O(q)$ applications of $E$. Specify $\mathbf{Adv}^{\mathrm{ind\text{-}cpa}}_{\mathcal{SE}}(A)$ as a function of $q, n, \ell$. Letting $n = 128$, make a table showing, for values $\ell = 1, 16, 32, 64, 96$, the smallest value of $q$ for which the advantage is at least $1/4$. (The better the attack, the more points you get.) For the analysis, you may find Lemma A.1 below useful.

Based on attacks in class, one might propose the following adversary, where $q$ is an integer parameter:

    adversary A
        for i = 1, ..., q do
            C_i ←$ LR(⟨i⟩, 0^ℓ)
        if ∃ i_1 < i_2 such that C_{i_1} = C_{i_2} then return 1 else return 0

But $\langle i \rangle$ must be an allowed message, which here is an $\ell$-bit string, and $i$ ranges from $1$ to $q$. So the adversary is only valid if $q < 2^{\ell}$. But our $\ell$ may be very small, such as $\ell = 1$, and then we are not making enough queries for a successful attack. We need to make about $2^{n-\ell}$ queries, so this adversary only works if $\ell \geq n - \ell$, meaning $\ell \geq n/2$, which for $n = 128$ rules out several of the values of $\ell$ we were asked to consider.

Instead, letting $q = 2r$ be an even integer parameter, our adversary works as follows:

    adversary A
        for i = 1, ..., r do
            C_{0,i} ←$ LR(0^ℓ, 0^ℓ);  C_{1,i} ←$ LR(1^ℓ, 0^ℓ)
        if ∃ i_1, i_2 such that C_{0,i_1} = C_{1,i_2} then return 1 else return 0

For the analysis, let $R_{0,i}, R_{1,i}$ denote the random choices made by the encryption algorithm in the computations of $C_{0,i}, C_{1,i}$, respectively. ...
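The following Python program is an added example and is not part of the problem set or of the instructor's solution. It implements the scheme $\mathcal{SE}$ of Problem 1 and the two-message collision adversary of part 2 so that the attack can actually be run, and it tabulates the smallest even $q$ reaching advantage $1/4$ for $n = 128$. Two things are assumptions of this example rather than content of the page: the block cipher $E$ is replaced by a toy random permutation of $\{0,1\}^n$ (feasible only for small $n$, used for the Monte Carlo run), and the advantage formula $1 - \exp(-r^2/2^{n-\ell})$ is a heuristic that treats the $r^2$ cross pairs $(R_{0,i_1}, R_{1,i_2})$ as independent collision events; it is not the exact analysis via Lemma A.1, whose statement does not appear on this page.

```python
import math
import random


def make_block_cipher(n, key):
    """Toy n-bit block cipher E_K: a pseudorandom permutation of {0,1}^n picked by
    seeding a PRNG with `key`.  A stand-in for a real cipher so the attack can be
    run (assumption of this example); only feasible for small n.
    Returns (E_K, E_K^{-1}) as functions on n-bit integers."""
    rng = random.Random(key)
    table = list(range(1 << n))
    rng.shuffle(table)
    inverse = [0] * (1 << n)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__


class SE:
    """The scheme SE = (K, E, D) of Problem 1 with bit strings as integers:
    the n-bit block R || M is (R << l) | M, and X[n-l+1..n] is X's low l bits."""

    def __init__(self, n, l, key, rng):
        assert 0 < l < n
        self.n, self.l = n, l
        self.E, self.Einv = make_block_cipher(n, key)
        self.rng = rng  # source of the per-message randomness R

    def enc(self, M):
        if not 0 <= M < (1 << self.l):
            return None  # the scheme's "bottom": only l-bit messages are encrypted
        R = self.rng.getrandbits(self.n - self.l)
        return self.E((R << self.l) | M)

    def dec(self, C):
        X = self.Einv(C)
        return X & ((1 << self.l) - 1)


def decrypts_correctly(n, l, key, seed=0):
    """Part 1 check: D_K(E_K(M)) == M for every l-bit M, and E rejects other lengths."""
    se = SE(n, l, key, random.Random(seed))
    return all(se.dec(se.enc(M)) == M for M in range(1 << l)) and se.enc(1 << l) is None


def adversary(lr, l, r):
    """The second adversary of the solution, making q = 2r LR queries:
    C_{0,i} <- LR(0^l, 0^l) and C_{1,i} <- LR(1^l, 0^l); output 1 iff some
    C_{0,i1} equals some C_{1,i2}.  Hash sets make the collision check O(q)."""
    zeros, ones = 0, (1 << l) - 1
    c0 = {lr(zeros, zeros) for _ in range(r)}
    c1 = {lr(ones, zeros) for _ in range(r)}
    return 1 if c0 & c1 else 0


def run_experiment(se, r, b):
    """Exp^{ind-cpa-b}_SE(A): the LR oracle encrypts the b-th of its two messages."""
    return adversary(lambda m0, m1: se.enc(m1 if b else m0), se.l, r)


def estimate_advantage(n, l, r, trials, seed=0):
    """Monte Carlo estimate of Adv^{ind-cpa}_SE(A) = Pr[Exp^1 => 1] - Pr[Exp^0 => 1]
    for the toy cipher, fresh key per trial.  Returns (adv, pr_left_1, pr_right_1)."""
    rng = random.Random(seed)
    hits = [0, 0]
    for _ in range(trials):
        se = SE(n, l, rng.getrandbits(64), rng)
        for b in (0, 1):
            hits[b] += run_experiment(se, r, b)
    p0, p1 = hits[0] / trials, hits[1] / trials
    return p1 - p0, p0, p1


def approx_advantage(n, l, q):
    """Heuristic advantage for q = 2r queries.  In the left world A never outputs 1:
    the cipher inputs R||0^l and R'||1^l differ and E_K is a permutation.  In the
    right world each of the r^2 cross pairs collides with probability 2^{-(n-l)};
    treating the pairs as independent gives 1 - exp(-r^2 / 2^{n-l}).
    This is an approximation assumed by this example, not the set's exact analysis."""
    r = q // 2
    return -math.expm1(-(r * r) / 2 ** (n - l))


def smallest_q(n, l, target=0.25):
    """Smallest even q for which approx_advantage reaches `target`:
    solve 1 - exp(-r^2 / N) >= target for r, with N = 2^{n-l}."""
    big_n = 2 ** (n - l)
    r = math.ceil(math.sqrt(big_n * math.log(1.0 / (1.0 - target))))
    return 2 * r


def q_table(n=128, ls=(1, 16, 32, 64, 96), target=0.25):
    """The table asked for in part 2, under the approximation above."""
    return {l: smallest_q(n, l, target) for l in ls}


if __name__ == "__main__":
    for l, q in q_table().items():
        print(f"n=128, l={l:3d}: smallest q ~ 2^{math.log2(q):.2f} ({q})")
    adv, p0, p1 = estimate_advantage(n=12, l=4, r=16, trials=200)
    print(f"toy n=12, l=4, q=32: Pr[left->1]={p0:.3f}, Pr[right->1]={p1:.3f}, "
          f"adv~{adv:.3f}; formula gives {approx_advantage(12, 4, 32):.3f}")
```

Running it prints the table and a small empirical check. Under this approximation the required $q$ grows like $2^{(n-\ell)/2}$: the $n-\ell$ random bits $R$ play the role of an IV, and the attack is a birthday-style collision search on them, so for $n = 128$ the scheme is comfortable at $\ell = 1$ but already within reach at $\ell = 96$, where about $2^{16}$ queries suffice. The left-world probability is exactly $0$ by construction, which is why the estimate reports it separately.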