Solutions_HW4_547 (1)
Solution set for Assignment 4
Giulia Alberini

Exercise 3.16

Let us consider the variant of CBC-mode encryption where the sender simply increments the IV by 1 each time a message is encrypted. Consider messages consisting of $\ell$ blocks, each of length $n$. Recall that a scheme is CPA secure if an adversary $A$ is not able to distinguish the encryptions of two arbitrary messages even when $A$ is given access to an encryption oracle.

Let $m_0 = (m_{01}, m_{02}, \ldots, m_{0\ell})$ and $m_1 = (m_{11}, m_{12}, \ldots, m_{1\ell})$, where $|m_{bi}| = n$ for $b \in \{0,1\}$ and $1 \le i \le \ell$, be the two messages of length $n \cdot \ell$ output by the adversary, and let $c_b = \mathrm{Enc}_k(m_b) = (IV, c_1, \ldots, c_\ell)$, for $b \leftarrow_R \{0,1\}$, be the challenge ciphertext. At this point the adversary still has oracle access to $\mathrm{Enc}_k(\cdot)$ before deciding which of the two messages has been encrypted, that is, before guessing the value of $b$.

It is enough for the adversary to query the oracle with the message $m'_0 = (m_{01} \oplus 1, m_{02}, \ldots, m_{0\ell})$. The adversary then receives a ciphertext $\tilde{c} = (IV + 1, \tilde{c}_1, \ldots, \tilde{c}_\ell)$. Now:

If $(\tilde{c}_1, \ldots, \tilde{c}_\ell) = (c_1, \ldots, c_\ell)$, then set $b' = 0$;
Otherwise, set $b' = 1$.

It is easy to see that $b' = b$. In fact, if $b = 0$, that is $c_b = c_0 = \mathrm{Enc}_k(m_0)$, i.e.

$c_b = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{01} \oplus IV), F_k(c_1 \oplus m_{02}), \ldots, F_k(c_{\ell-1} \oplus m_{0\ell})).$

Recall that

$\tilde{c} = (IV + 1, \tilde{c}_1, \ldots, \tilde{c}_\ell) = (IV + 1, F_k((m_{01} \oplus 1) \oplus (IV + 1)), \ldots, F_k(\tilde{c}_{\ell-1} \oplus m_{0\ell}));$

then $\tilde{c}_1 = c_1$ since $F_k(m_{01} \oplus IV) = F_k((m_{01} \oplus 1) \oplus (IV + 1))$. (This step uses $IV \oplus (IV + 1) = 1$, which holds when the least significant bit of $IV$ is $0$; in general the adversary, who sees $IV$ in the challenge ciphertext, queries with first block $m_{01} \oplus IV \oplus (IV + 1)$ and the same argument goes through.) This clearly implies $\tilde{c}_i = c_i$ for all $2 \le i \le \ell$. Hence, when $b = 0$ the adversary always sets $b' = 0$, as wanted.

On the other hand, if $b = 1$,

$c_b = c_1 = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{11} \oplus IV), F_k(c_1 \oplus m_{12}), \ldots, F_k(c_{\ell-1} \oplus m_{1\ell})),$

which, since $m_0 \ne m_1$, cannot be equal to $c_0$ (otherwise decryption would not be possible). Since $(\tilde{c}_1, \ldots, \tilde{c}_\ell) = (F_k(m_{01} \oplus IV), \ldots, F_k(\tilde{c}_{\ell-1} \oplus m_{0\ell}))$, we must have $(\tilde{c}_1, \ldots, \tilde{c}_\ell) \ne (c_1, \ldots, c_\ell)$ when $b = 1$.

Hence, when $b = 1$ the adversary always sets $b' = 1$, as wanted. Therefore, we can conclude that the adversary will guess $b$ with probability 1; the scheme is not CPA secure.
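As an added example, not part of the original solution set: a Python simulation of the CPA game against this incrementing-IV CBC variant, with a constructed toy Feistel permutation standing in for $F_k$ (the block size, key and message blocks are assumptions). It uses the general probe block $m_{01} \oplus IV \oplus (IV+1)$, which reduces to $m_{01} \oplus 1$ when the low bit of $IV$ is 0, so the distinguisher succeeds for every starting IV.

```python
import hashlib

BLOCK = 8  # constructed toy block size in bytes; a message is a list of such blocks
MOD = 2 ** (8 * BLOCK)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def F(k: bytes, x: bytes) -> bytes:
    """Toy keyed permutation F_k (4-round Feistel over SHA-256), a stand-in for the block cipher."""
    left, right = x[:4], x[4:]
    for rnd in range(4):
        f = hashlib.sha256(k + bytes([rnd]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return left + right

def cbc_encrypt(k: bytes, iv: bytes, blocks: list) -> list:
    """CBC mode: returns [IV, c_1, ..., c_l] with c_i = F_k(c_{i-1} XOR m_i) and c_0 = IV."""
    out, prev = [iv], iv
    for m in blocks:
        prev = F(k, xor(prev, m))
        out.append(prev)
    return out

class IncrementingIvSender:
    """The Exercise 3.16 variant: the IV is a counter the sender increments by 1 per message."""
    def __init__(self, k: bytes, iv0: bytes):
        self.k, self.ctr = k, int.from_bytes(iv0, "big")

    def enc(self, blocks: list) -> list:
        iv = self.ctr.to_bytes(BLOCK, "big")
        self.ctr = (self.ctr + 1) % MOD
        return cbc_encrypt(self.k, iv, blocks)

def adversary_guess(oracle: IncrementingIvSender, m0: list, challenge: list) -> int:
    """The distinguisher from the solution: the next IV is predictable (IV+1), so the adversary
    shifts the first block of m0 by IV XOR (IV+1), which is 1 when the low bit of IV is 0."""
    iv, c = challenge[0], challenge[1:]
    iv_next = ((int.from_bytes(iv, "big") + 1) % MOD).to_bytes(BLOCK, "big")
    probe = [xor(m0[0], xor(iv, iv_next))] + m0[1:]
    c_tilde = oracle.enc(probe)
    assert c_tilde[0] == iv_next  # the oracle did use IV+1, as the exercise states
    return 0 if c_tilde[1:] == c else 1  # equal blocks mean the challenge was m0

def cpa_experiment(b: int, key: bytes, iv0: bytes) -> bool:
    """One run of the CPA game; True when the adversary's guess b' equals b."""
    oracle = IncrementingIvSender(key, iv0)
    m0, m1 = [b"\x00" * BLOCK, b"block 02"], [b"\xff" * BLOCK, b"block 12"]
    challenge = oracle.enc([m0, m1][b])
    return adversary_guess(oracle, m0, challenge) == b
```

With a fresh uniformly random IV per message the probe's first block would no longer cancel the IV change, and the comparison would give the adversary no advantage.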
Fall 2010 Comp 547: Cryptography and Data Security

Exercise 3.21

Let $\Pi_1 = (\mathrm{Gen}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $\Pi_2 = (\mathrm{Gen}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$ be two encryption schemes for which it is known that at least one is CPA-secure. Let $m$ be the original plaintext message that we would like to encrypt using $\Pi_1$ and $\Pi_2$, with the certainty that the result is a CPA-secure encryption. Let $M = \{0,1\}^n$ be the plaintext space. We construct the encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ as follows:

Gen: on input $1^n$, run $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ and output the key $k = (k_1, k_2)$, where $k_1$ and $k_2$ have been generated by $\mathrm{Gen}_1$ and $\mathrm{Gen}_2$ respectively.

Enc: on input $k = (k_1, k_2)$ and a message $m \in \{0,1\}^n$, choose $p \in \{0,1\}^n$ uniformly at random and output the ciphertext $c := \langle \mathrm{Enc}_{1,k_1}(p),\ \mathrm{Enc}_{2,k_2}(m \oplus p) \rangle$.

Dec: on input the key $k = (k_1, k_2)$ and a ciphertext $c = \langle c_1, c_2 \rangle$, output the plaintext message $m := \mathrm{Dec}_{1,k_1}(c_1) \oplus \mathrm{Dec}_{2,k_2}(c_2)$.

Claim. The encryption scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is CPA secure.