Solutions_HW4_547 (1)


easy to see that $b' = b$. In fact, if $b = 0$, that is $c_b = c_0 = \mathrm{Enc}_k(m_0)$, i.e.

$$c_b = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{01} \oplus IV), F_k(c_1 \oplus m_{02}), \ldots, F_k(c_{\ell-1} \oplus m_{0\ell}))$$

Recall that

$$\tilde{c} = (IV + 1, \tilde{c}_1, \ldots, \tilde{c}_\ell) = (IV + 1, F_k((m_{01} \oplus 1) \oplus (IV + 1)), \ldots, F_k(\tilde{c}_{\ell-1} \oplus m_{0\ell}))$$

then $\tilde{c}_1 = c_1$ since $F_k(m_{01} \oplus IV) = F_k((m_{01} \oplus 1) \oplus (IV + 1))$. This, clearly, implies $\tilde{c}_i = c_i$ for all $2 \le i \le \ell$. Hence, when $b = 0$ the adversary always sets $b' = 0$ as wanted.

On the other hand, if $b = 1$,

$$c_b = c_1 = (IV, c_1, \ldots, c_\ell) = (IV, F_k(m_{11} \oplus IV), F_k(c_1 \oplus m_{12}), \ldots, F_k(c_{\ell-1} \oplus m_{1\ell}))$$

which, since $m_0 \ne m_1$, cannot be equal to $c_0$ (otherwise decryption is not possible). Since $(\tilde{c}_1, \ldots, \tilde{c}_\ell) = (F_k(m_{01} \oplus IV), \ldots, F_k(c_{\ell-1} \oplus m_{0\ell}))$, we must have $(\tilde{c}_1, \ldots, \tilde{c}_\ell) \ne (c_1, \ldots, c_\ell)$ when $b = 1$. Hence, when $b = 1$ the adversary always sets $b' = 1$ as wanted.

Therefore, we can conclude that the adversary will guess $b$ with probability 1; the scheme is not CPA secure.

Fall 2010 Comp 547: Cryptography and Data Security

Exercise 3.21 Let $\Pi_1 = (\mathrm{Gen}_1, \mathrm{Enc}_1, \mathrm{Dec}_1)$ and $\Pi_2 = (\mathrm{Gen}_2, \mathrm{Enc}_2, \mathrm{Dec}_2)$ be two encrypt...
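The distinguisher argued above for CBC with an incrementing IV (the solution that precedes Exercise 3.21), as an added Python example that is not part of the original solutions. It assumes HMAC-SHA256 truncated to 16 bytes as a stand-in for $F_k$, and the names `CounterIVCBC`, `adversary` and `run_game` are hypothetical. It goes slightly beyond the text by XORing the first block with $IV \oplus (IV + 1)$, which equals 1 when $IV$ is even, so the comparison holds for any IV.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # block length in bytes (assumed)

def F(key: bytes, block: bytes) -> bytes:
    # Stand-in for F_k (assumption): HMAC-SHA256 truncated to one block.
    # CBC encryption only evaluates F forward, which is all the adversary uses.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class CounterIVCBC:
    """Stateful CBC encryption whose IV is incremented by 1 per message."""
    def __init__(self, key: bytes, iv: int):
        self.key, self.iv = key, iv

    def encrypt(self, blocks):
        iv = self.iv.to_bytes(BLOCK, "big")
        self.iv = (self.iv + 1) % (1 << (8 * BLOCK))
        out, prev = [iv], iv
        for m in blocks:
            prev = F(self.key, xor(prev, m))  # c_i = F_k(c_{i-1} XOR m_i)
            out.append(prev)
        return out

def adversary(oracle, challenge, m0):
    """Return the guess b' from the challenge c_b and the chosen message m0."""
    iv = int.from_bytes(challenge[0], "big")
    nxt = (iv + 1) % (1 << (8 * BLOCK))  # IV the oracle will use next
    # Cancel the IV change: first block is m01 XOR (IV XOR (IV+1)).
    delta = (iv ^ nxt).to_bytes(BLOCK, "big")
    c_tilde = oracle.encrypt([xor(m0[0], delta)] + m0[1:])
    # Equal ciphertext blocks mean the challenge encrypted m0.
    return 0 if c_tilde[1:] == challenge[1:] else 1

def run_game(b: int, start_iv: int) -> int:
    """Play the CPA game once with hidden bit b and return the guess."""
    oracle = CounterIVCBC(secrets.token_bytes(32), start_iv)
    # Constructed two-block messages with m0 != m1.
    m0 = [b"A" * BLOCK, b"B" * BLOCK]
    m1 = [b"C" * BLOCK, b"D" * BLOCK]
    challenge = oracle.encrypt(m1 if b else m0)
    return adversary(oracle, challenge, m0)
```

The guess matches $b$ on every run because the IV is predictable; drawing a fresh uniformly random IV for each encryption removes the adversary's ability to cancel it.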

This document was uploaded on 02/24/2014.
