Solutions_HW4_547 (1)

# Then an adversary might be able to recover p but he


adversary (the encryption is similar to one-time pad). Distinguishing m0 and m1, where m0 ≠ m1, under Π would imply learning something about the pad p used. Since this is impossible, Π is CPA secure.

On the other hand, suppose that Π2 is CPA-secure and Π1 is not. Then an adversary might be able to recover p, but he won't be able to recover m ⊕ p, thus he will still not be able to recover any information concerning the message m. Distinguishing m0 and m1, where m0 ≠ m1, under Π would imply being able to distinguish m0 ⊕ p and m1 ⊕ p since p might be known. But Π2 is CPA secure, hence Π must be CPA secure.

Exercise 4.4

(a) Let m1‖m2 be any message with m1, m2 ∈ {0, 1}^n. Then, the tag on m1‖m2 is identical to the tag on m2‖m1. Thus, an adversary A can ask for a tag on m1‖m2 and output the message m2‖m1 together with the tag received.

Fall 2010 Comp 547: Cryptography and Data Security 3

(b) As with the previous item, the tag ⟨r, t⟩ on m1‖m2 is acceptable also for m2‖m1.

(c) There is an attack on this scheme that does not request any tags. Let m1 ∈ {0, 1}^{n/2} be arbitrary, and set r := ⟨1⟩‖m1. Then ⟨r, 0^n⟩ is a valid tag on m1...
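The forgery game behind (a) and (b), as an added example that is not part of the original solutions. The preview does not show the exercise's schemes, so the constructions here are assumptions: t := F_k(m1) ⊕ F_k(m2) for (a), ⟨r, t⟩ with t := F_k(r) ⊕ F_k(m1) ⊕ F_k(m2) for (b), and truncated HMAC-SHA256 standing in for the PRF F_k.

```python
import hmac, hashlib, secrets

N = 16  # block length n in bytes (value chosen for this example)

def prf(key, block):
    """Stand-in for F_k (assumption): HMAC-SHA256 truncated to n bytes."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def mac_a(key, msg):
    """Assumed scheme (a): t := F_k(m1) XOR F_k(m2); block order is lost."""
    return xor(prf(key, msg[:N]), prf(key, msg[N:]))

def vrfy_a(key, msg, tag):
    return len(msg) == 2 * N and hmac.compare_digest(mac_a(key, msg), tag)

def mac_b(key, msg):
    """Assumed scheme (b): random r, tag <r, t>, t := F_k(r) XOR F_k(m1) XOR F_k(m2)."""
    r = secrets.token_bytes(N)
    return r, xor(prf(key, r), mac_a(key, msg))

def vrfy_b(key, msg, tag):
    r, t = tag
    return len(msg) == 2 * N and hmac.compare_digest(xor(prf(key, r), mac_a(key, msg)), t)

class MacOracle:
    """Forgery experiment: answers tag queries and records what was queried."""
    def __init__(self, mac, vrfy):
        self.key, self.mac, self.vrfy = secrets.token_bytes(32), mac, vrfy
        self.queried = set()

    def tag(self, msg):
        self.queried.add(msg)
        return self.mac(self.key, msg)

    def adversary_wins(self, msg, tag):
        # A valid tag counts as a forgery only on a message never queried.
        return msg not in self.queried and self.vrfy(self.key, msg, tag)

def run_experiment(mac, vrfy, m1=b"A" * N, m2=b"B" * N):
    """Adversary A from (a): query m1||m2, output m2||m1 with the tag received."""
    oracle = MacOracle(mac, vrfy)
    t = oracle.tag(m1 + m2)
    return oracle.adversary_wins(m2 + m1, t)
```

With m1 = m2 the swapped message equals the queried one, so the experiment does not count it as a forgery; the adversary needs m1 ≠ m2.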

## This document was uploaded on 02/24/2014.
