This preview shows page 1. Sign up to view the full content.
Unformatted text preview: adversary (the encryption is
similar to onetime pad). Distinguishing m0 and m1 , where m0 = m1 , under Π
would imply learning something about the pad p used. Since this is impossible,
Π is CPA secure.
On the other hand, suppose that Π2 is the CPAsecure and Π1 it not. Then an
adversary might be able to recover p, but he won’t be able to recover m ⊕ p,
thus he will still not be able to recover any information concerning the message
m. Distinguishing m0 and m1 , where m0 = m1 , under Π would imply being
able to distinguish m0 ⊕ p and m1 ⊕ p since p might be known. But Π2 is CPA
secure, hence Π must be CPA secure. Exercise 4.4
(a) Let m1 m2 be any message with m1 , m2 ∈ {0, 1}n . Then, the tag on
m1 m2 is identical to the tag on m2 m1 . Thus, an adversary A can ask
for a tag on m1 m2 and output the message m2 m1 together with the
tag received. Fall 2010 Comp 547: Cryptography and Data Security 3 (b) As with the previous item, the tag r, t on m1 m2 is acceptable also for
m2 m1 .
(c) There is an attack on this scheme that does not request any tags. Let
m1 ∈ {0, 1}n/2 be arbitrary, and set r := 1m1 . Then r, 0n is a valid
tag on m1...
View
Full
Document
This document was uploaded on 02/24/2014.
 Spring '12

Click to edit the document details