Pseudorandom Functions and
Introduction
Chosen Plaintext Attacks
Cryptography and Protocols
Andrei Bulatov
Cryptography and Protocols Pseudorandom Functions
Two Problems of PRG-Based Encryption Schemes
Single key multiple messages
All the theoretically an

Final Exam on
CMPT-404
Cryptography and Protocols
1. Let G : {0,1}^n {0,1}^m be a function such that for some y0 {0,1}^m
Pr[G(x) = y0] 1/n^2,
where the probability is over the choice of x. Show that G is not a pseudorandom
generator.
We construct

CMPT 404 Cryptography and Protocols
Outline Solutions to Exercises on Public Key Cryptography.
1. Prove the following: if there exists a collision resistant hash function collection mapping n + 1 bit strings
into n bit strings, then there exists a collec

CMPT 404 Cryptography
Exercises on Pseudorandom Generators, Functions and Permutations.
Due: Thursday, March 1st (at the beginning of the class)
1. (a)
Which of the following functions are superpolynomial:
- 2 n;
- nlog n ;
- n log n?
1
(b) Prove that for

CMPT 404 Cryptography and Protocols
Spring 2012
Exercises
on
Probability
and
Perfect
Security.
Due: Thursday, February 2nd (at the beginning of the class)
Reminder: the work you submit must be your own. Any collaboration and consulting outside
resources m

2/2/2015
Cryptography and Protocols Block Ciphers
9-2
Pseudorandom Permutations
A pseudorandom function F = {f_s} s {0,1}* is called a
pseudorandom permutation if f_s : {0,1}^m {0,1}^m is one-to-one
for all s.
Pseudorandom Permutations
Introduction

1/23/2015
Cryptography and Protocols PRG
6-2
Pseudorandom Generators
Let T(n), (n) be functions. A collection {X_n} of random
variables with X_n {0,1}^n is called (T,)-pseudorandom if
{X_n} T , {U_n}
Pseudo Random Generators
Introduction
A col

16/02/2015
Cryptography and Protocols CCA-Security
12-2
CCA Security (take 1)
Let (K,E,D) be a symmetric encryption scheme and (T,) a
superpolynomial pair. Consider the following game:
(1) Alice and Bob choose a shared k at random from {0,1}^n
(2) Eve ge

05/02/2015
Cryptography and Protocols Data Integrity and CCA
10-2
Data Integrity
Privacy is not the same as integrity!
If we encrypt data with a CPA-secure scheme, does it mean that
we also protect its integrity?
NO
Suppose we encrypt message P = P K Pn w

1/27/2015
Cryptography and Protocols Pseudorandom Functions
8-2
Two Problems of PRG-Based Encryption Schemes
Single key multiple messages
All the theoretically analyzed schemes aim to send only one
message, while in practice we need to send multiple messa

1/25/2015
Cryptography and Protocols Stream Ciphers
7-2
Pseudorandom Generators
Let T(n), (n) be functions. A collection {X_n} of random
variables with X_n {0,1}^n is called (T,)-pseudorandom if
{X_n} T , {U_n}
Stream
Introduction Ciphers
A co

CMPT 404
Quiz Test
Some Day 2015
Problem: 1, 2, 3, Total
Mark:
This is a sample!
Last Name
First Name and Initials
Student No.
NO AIDS allowed. Answer ALL questions on the test paper. Use backs of
sheets for scratch work.
Total Marks: 100
1. What are the main

1/11/2015
Cryptography and Protocols - Probability
3-2
Sample Space and Outcomes
Experiments and outcomes
Sample space is the set of all possible outcomes
Examples
- flipping a coin = {heads, tails}
- flipping a pair of coins = {HH, HT, TH, TT}
- hors

Cryptography and Protocols - Classical Cryptosystems
2-2
Notation
message
Classical Cryptosystems
Introduction
Alice
Bob
Eve
Plaintext
Ciphertext
Key
Cryptography and Protocols
Andrei Bulatov
Cryptography and Protocols - Classical Cryptosystems
Protocol:

16/01/2015
Cryptography and Protocols Perfect Security
5-2
Symmetric Encryption Scheme
A symmetric encryption scheme is a triple of algorithms (K,E,D)
- K keys generation
- E encryption algorithm
- D decryption algorithm
For simplicity assume that k K uni

CMPT 404 Cryptography and Protocols
Spring 2015
Exercises on Probability and Perfect Security.
Due: Wednesday, February 4th (at the beginning of the class)
Reminder: the work you submit must be your own. Any collaboration and consulting outside
resourc

18/02/2015
Cryptography and Protocols Secure Channel
11-2
Secure Channel: Security Requirements
Alice sends a sequence of messages P1, P2, …
Bob receives (after removing those failed authentication) a
sequence of messages P'1, P'2, …
R1. Eve does n

1/20/2015
5-2
Cryptography and Protocols Statistical Security
Statistical Distance
Let X and Y be two distributions over {0,1}^m. The statistical
distance between X and Y, denoted (X,Y) is
max | Pr[X T ] Pr[Y T ] |
Statistical and
Introduction
Computation

18/02/2015
Cryptography and Protocols CCA-Security
12-2
Commitment
Making a bet
Flipping a coin by phone
Commitment
Introduction Schemes
Definition
A commitment scheme Com is an unkeyed family of functions {f_n}
that take two inputs: a plaintext P and

CMPT 404
Quiz Test 1
This is a sample!
Total Marks: 100
1. Prove that if a SES is statistically secure then it is computationally secure.
[34]
2. Explain the difference between a pseudorandom generator and a pseudorandom function
[33]
3. Give an example of a CP

CMPT 404
Quiz Test
Some Day, 2015
Problem: 1, 2, 3, Total
Mark:
This is a sample!
Total Marks: 100
1. Is it true that every one-way permutation is a trapdoor function? That
every trapdoor function is a one-way permutation? Explain.
[33]
2. Describe a digital s

Final Exam on
CMPT-404 Cryptography and Protocols
Some Day, 2015
This is a sample!
1. Explain the symmetric encryption scheme based on pseudorandom functions and prove it is CPA-secure.
2. What is the largest set M of plaintexts you can find, for which the s

CMPT 404 Cryptography and Protocols
Exercises on Public Key Cryptography.
Due: Wednesday, April 8th (at the beginning of the class)
1. Prove the following: if there exists a collision resistant hash function collection mapping n + 1
bit strings into n bit

2/25/2015
Cryptography and Protocols Public Key Cryptography
14-2
Asymmetric Encryption Schemes
Main idea: Use two keys, public and private
Everyone can encrypt, but to decrypt one needs the private key
Useful if we need to communicate with someone we don

16/03/2015
19-2
Cryptography and Protocols Passwords
Password Authentication Protocol
password
password
Passwords
Introduction
welcome
User
Cryptography and Protocols
Andrei Bulatov
Cryptography and Protocols Passwords
Usual approach to counter unlawful a

25/03/2015
Cryptography and Protocols Oblivious Transfer and Private Information Retrieval
22-2
Oblivious Transfer
Oblivious Transfer and
Introduction
Private Information Retrieval
Cryptography and Protocols
Andrei Bulatov
Cryptography and Protocols Obliv

22/03/2015
Cryptography and Protocols Passwords
19-2
Zero-Knowledge Proofs
Very informally, a zero-knowledge proof allows one person to
convince another person of some fact without revealing any
information about the proof. These proofs take the form of
i

3/20/2015
Cryptography and Protocols Kerberos
23-2
Model and Threats
Kerberos
Introduction
Cryptography and Protocols
Andrei Bulatov
23-3
Cryptography and Protocols Kerberos
Authentication Server (AS)
Cryptography and Protocols Kerberos
23-4
Simple Dialog

3/2/2015
Cryptography and Protocols Digital Signatures
16-2
Definition
Similar to symmetric case we need to care about data integrity
A triple (Gen, Sign, Ver) is called a (T,)-secure signature
scheme if
validity
for any pair (s,v) generated by Gen and ev