University of Maryland CMSC858K — Cryptography Professor Jonathan Katz

Midterm Exam — Solutions 1. This question concerned a new notion called bitwise security. (a) Fix an encryption scheme Π for messages of length `(n) and an adversary A, and consider the following experiment BWA,Π (n): i. A random key k ← {0, 1}n and message m ← {0, 1}`(n) are chosen. ii. A is given the ciphertext C ← Enck (m). iii. A outputs a pair (i, b), with i ∈ {1, . . . , `(n)} and b ∈ {0, 1}. The output of the experiment is 1 iff b = mi , where mi denotes the ith bit of m. We say Π is bitwise secure if for all ppt A it holds that Pr[BWA,Π (n) = 1] ≤ 1/2+negl(n). Note: There is a related definition in the book (cf. Claim 3.10). The definition in the book fixes the index i for which the adversary is supposed to guess mi , whereas in the definition here the adversary gets to choose i based on the ciphertext (which makes the attack somewhat stronger). Also, the definition in the book is not well-specified when the length `(n) of the messages being encrypted can depend on n. (b) Say Π has indistinguishable encryptions in the presence of an eavesdropper. We show that it is also bitwise secure. Let A be any ppt adversary attacking Π in the sense of bitwise security. Construct the following ppt adversary A0 : i. A0 chooses uniform, independent messages m0 , m1 ∈ {0, 1}`(n) and outputs them. ii. A0 is given a challenge ciphertext C, which it gives to A. Then A outputs (i, b). iii. If m0,i = m1,i then A0 outputs a random guess. Otherwise, A0 outputs 0 if b = m0,i , and outputs 1 if b = m1,i . We have eav Pr[PrivKeav A0 ,Π (n) = 1] = Pr[PrivKA0 ,Π (n) = 1 | m0,i = m1,i ] Pr[m0,i = m1,i ]

=

=

+ Pr[PrivKeav 6 m1,i ] A0 ,Π (n) = 1 | m0,i 6= m1,i ] Pr[m0,i = 1 · Pr[m0,i = m1,i ] 2 + Pr[PrivKeav 6 m1,i ] A0 ,Π (n) = 1 | m0,i 6= m1,i ] Pr[m0,i = 1 1 + · Pr[BWA,Π (n) = 1 | m0,i 6= m1,i ], 4 2

because A0 outputs a random guess if m0,i = m1,i , and the probability that m0,i = m1,i is exactly 1/2. (This latter point is not immediately obvious, but is true because A sees an encryption of only one of m0 or m1 , and has no information about the other message, which is chosen at random.) Moreover, Pr[BWA,Π (n) = 1 | m0,i 6= m1,i ] = Pr[BWA,Π (n) = 1]. 1

(You should convince yourself that the event m0,i 6= m1,i is independent of whether or not A0 succeeds in its attack.) Since ¯ ¯ ¯Pr[PrivKeav0 (n) = 1] − 1/2¯ A ,Π must be negligible, it follows that |Pr[BWA,Π (n) = 1] − 1/2| must be negligible as well. (c) There are several possible solutions. Here is one I was thinking of: The key is a random string of length n, and messages are length n as well. To encrypt the message m using key k, output the ciphertext (m ⊕ k)k(m1 ⊕ m2 ). Decryption is done in the natural way, using the first n bits of the ciphertext. This is clearly not indistinguishable (since m1 ⊕ m2 is leaked), but it is bitwise secure. (d) Using the same experiment as in part (a), perfect bitwise security requires that for all (even unbounded) A, it holds that Pr[BWA,Π (n) = 1] = 1/2. Perfect security as defined can be achieved using a 1-bit key. To encrypt message m = m1 · · · m` using key k, output the ciphertext (m1 ⊕ k)k · · · k(m` ⊕ k). We prove that this is perfectly bitwise secure. Fix any n, and any index i ∈ {1, . . . , `(n)}. For any bit b and any ciphertext c, we have (remember that upper-case letters are random variables, and lower-case letters are fixed values): Pr[Mi = b | C = c] = = =

Pr[Mi = b ∧ C = c] Pr[C = c] Pr[C = c | Mi = b] · Pr[Mi = b] Pr[C = c] 1/2 · Pr[C = c | Mi = b] , 2−`

where the last equation follows since M is chosen uniformly. Conditioned on Mi = b, we can have C = c only if: (1) K = ci ⊕ b and (2) for every j 6= i, it holds that Mj = K ⊕ cj . These are independent events, each having probability 1/2. Thus, Pr[Mi = b | C = c] =

2−1 · Pr[C = c | Mi = b] 2−1 · 2−` = = 1/2, 2−` 2−`

as required. 2. In this question, F is a pseudorandom function mapping n-bit keys and n-bit inputs to n-bit outputs, and we need to decide if G is a pseudorandom generator. (a) Here, G(k) = Fk (0|k| )kFk (1|k| ). This is a pseudorandom generator. To see this, let D be any ppt distinguishing algorithm. We need to show that ¯ ¯ ¯Prk←{0,1}n [D(G(k)) = 1] − Prr←{0,1}2n [D(r) = 1]¯ ≤ negl(n). (1) Consider the following algorithm A attacking the pseudorandom function F : i. A(1n ) has access to an oracle O. 2

ii. It queries r1 = O(0n ) and r2 = O(1n ), runs D(r1 kr2 ), and outputs whatever D does. Clearly A runs in polynomial time. When O = Fk for some k, then r1 kr2 = G(k). So, Prk←{0,1}n [AFk (·) (1n ) = 1] = Prk←{0,1}n [D(G(k)) = 1]. When O is a random function then r1 kr2 is uniformly distributed. Thus, Prf ←Randn→n [Af (·) (1n ) = 1] = Prr←{0,1}2n [D(r) = 1]. Since F is a pseudorandom function, the following must be negligible: ¯ ¯ f (·) (1n ) = 1]¯. ¯Prk←{0,1}n [AFk (·) (1n ) = 1] − Prf ←Rand n→n [A This proves (1). (b) Here, G(k) = kkFk (0|k| ). This is not a pseudorandom generator. Here is an attack D: • Given r of length 2n, parse it as two n-bit strings kkt. Output 1 iff Fs (0n ) = t. This attack runs in polynomial time. It is easy to see that Prk←{0,1}n [D(G(k)) = 1]. On the other hand, if r = kkt is random then the probability that t is equal to Fs (0n ) is exactly 2−n and so Prr←{0,1}2n [D(r) = 1] = 2−n . This attack succeeds with nonnegligible probability 1 − 2−n . ³ ´ (1) (i) (i−1) (x) for i > 1. Here, for some fixed (c) Define Fk (x) = Fk (x), and Fk (x) = Fk Fk (1)

(p(|k|)

polynomial p, we have G(k, x) = Fk (x)k · · · kFk (x). This is a pseudorandom generator. To see this, let D be any ppt distinguishing algorithm. Construct the following ppt algorithm A attacking the pseudorandom function F : i. A(1n ) has access to an oracle O. ii. A chooses x ← {0, 1}n and queries r1 = O(x), r2 = O(r1 ), . . . , rp = O(rp−1 ). It runs D(r1 k · · · krp ) and outputs whatever D outputs. When O = Fk for some k, then r1 k · · · krp = G(k, x) and therefore Prk←{0,1}n [AFk (·) (1n ) = 1] = Prk,x←{0,1}n [D(G(k, x)) = 1]. When O is a random function, one might think that r1 k · · · krp is random. This is not true! For example, if r1 = r2 then r3 = · · · = rp = r2 as well. It is also not correct to claim that r1 k · · · krp is uniform conditioned on ri 6= rj for all i 6= j: a uniform string might have ri = rj for i 6= j, whereas the stated distribution (by definition) does not. What we can claim, however, is that the distribution over r1 k · · · krp is statistically close to uniform.1 This follows because Pr[∃i 6= j : ri = rj ] ≤ p(n)2 /2n is negligible. So, ¯ ¯ f (·) (1n ) = 1] − Pr ¯Prf ←Func ¯ r←{0,1}pn [D(r) = 1] ≤ negl(n). n→n [A The assumption that F is a pseudorandom function then implies that ¯ ¯ ¯Prk,x←{0,1}n [D(G(k, x)) = 1] − Prr←{0,1}pn [D(r) = 1]¯ ≤ negl0 (n). Since D was arbitrary, this proves that G is a pseudorandom generator. 1 The statistical difference between two distributions A and B over the same set U is defined as SD(A, B) = P · x∈U |PrA [x] − PrB [x]|. Two sequences of distributions {An }n∈N and {Bn }n∈N are statistically close if the function ²(n) = SD(An , Bn ) is negligible. 1 2

3

3. Note that in the given definition of weak pseudorandom functions, when b = 1 the {yi } are chosen independently and uniformly even if ri = rj for some i 6= j. (a) F 0 is clearly not a pseudorandom function. Here is a simple attack: given access to an oracle O, choose odd x and query r1 = O(x) and r2 = O(x + 1). Output 1 iff r1 = r2 . This algorithm outputs 1 with probability 1 when O = Fk for a random k, but outputs 1 with probability 2−n when O is a random function. On the other hand, F 0 is a weak pseudorandom function. We prove this by reduction to the security of F . Let A be any ppt algorithm attacking F 0 and let p be any polynomial, and construct the following algorithm B attacking F : i. B(1n ) has access to an oracle O. Let p = p(n). ii. B chooses independent, uniform r1 , . . . , rp ← {0, 1}n . For each ri do: A. If ri is even, set yi = O(ri ). B. If ri is odd, set yi = O(ri + 1). ¡ ¢ iii. B runs A {(ri , yi )}pi=1 and outputs whatever A outputs. We first analyze what happens when O = Fk for some k. Then we have £ ¡ ¢ ¤ Prk←{0,1}n [B Fk (·) (1n ) = 1] = Prk←{0,1}n A {(ri , yi )}pi=1 = 1 | yi = Fk0 (ri ) £ ¡ ¢ ¤ = Pr A {(ri , yi )}pi=1 = 1 | b = 0 , where the final probability refers to the weak pseudorandom function experiment using F 0 . On the other hand, when O is a random function, then the {yi } are independently and uniformly distributed as long as B never makes the same query twice to O. Define Coll to be the event that for some i 6= j either ri = rj or ri = rj + 1. Note that Pr[Coll] is identical in the weak pseudorandom function experiment and when A is run as a subroutine by B (indeed, in both cases the {ri } are chosen uniformly and independently from {0, 1}n ). We have £ ¡ ¢ ¤ Prf ←Funcn→n [B f (·) (1n ) = 1 | Coll] = Pr A {(ri , yi )}pi=1 = 1 | b = 1 ∧ Coll , and therefore (since Pr[Coll] ≤ 3 · p(n)2 /2n is negligible) ¯ £ ¡ ¢ ¤¯ f (·) (1n ) = 1] − Pr A {(r , y )}p ¯Prf ←Func ¯ i i i=1 = 1 | b = 1 ≤ Pr[Coll] ≤ negl(n). n→n [B B runs in polynomial time and F is a pseudorandom function, so this implies that ¯ £ ¡ ¢ ¤ £ ¡ ¤¯ p ¢ ¯Pr A {(ri , yi )}p ¯ i=1 = 1 | b = 0 − Pr A {(ri , yi )}i=1 = 1 | b = 1 is negligible. Since A and p were arbitrary, we conclude that F 0 is weakly pseudorandom. (b) When the weak pseudorandom function is instantiated as in part (a), an attack is straightforward. This shows that the construction is not secure, in general, when a weak pseudorandom function is used. (c) This scheme is CPA-secure. To see this, fix some ppt adversary A attacking the encryption scheme and construct the following algorithm B attacking the weak pseudorandom function F : 4

i. Let p(n) be a polynomial2 upper bound on the total number of message blocks A sees encrypted (this includes any CPA-queries made by A as well as the challenge ciphertext that A receives). ii. B receives p = p(n) pairs {(ri , yi )}pi=1 . iii. To answer an encryption query m1 , . . . , m` of A, algorithm B takes the next (unused) pairs (ri , yi ), . . . , (ri+`=1 , yi+`−1 ) and returns to A the ciphertext ri , yi ⊕ mi , . . . , ri+`−1 , yi+`−1 ⊕ m` . (By construction, B never runs out of fresh pairs to use.) iv. When A outputs its messages m0 , m1 , then B chooses a random bit b, encrypts mb as in the previous step, and gives the result to A. v. Any additional encryption queries made by A are answered as before. We stress that a fresh pair (ri , yi ) is used for encrypting every block. vi. Eventually A outputs a bit b0 . If b0 = b then B outputs 0; else it outputs 1. The analysis here is fairly easy. When {(ri , yi )}pi=1 are generated by choosing the {ri } independently and uniformly at random and setting yi = Fk (ri ) for a random key k (i.e., b = 0 in the weak pseudorandom function experiment), then the view of A is identical to its view in the CPA-security experiment. Thus, ¡ ¢ Pr[B {(ri , yi )}pi=1 = 0 | b = 0] = Pr[PrivKcpa A,Π (n) = 1]. On the other hand, when {(ri , yi )}pi=1 are generated by choosing the {ri } and the {yi } independently and uniformly at random (i.e., b = 1 in the weak pseudorandom function experiment), then A has no information about what was encrypted and so b0 = b with probability exactly half; i.e., £ ¡ ¢ ¤ Pr B {(ri , yi )}pi=1 = 0 | b = 1 = 1/2. Since B runs in polynomial time and F is a weak pseudorandom function, we conclude that ¯ ¯ ¯ ¯ cpa ¯Pr[PrivKA,Π (n) = 1] − 1/2¯ is negligible, as desired. (d) When the weak pseudorandom function is instantiated as in part (a), an attack is straightforward. This shows that the construction is not secure, in general, when a weak pseudorandom function is used. 4. Fix some ppt algorithm I, and let ²(n) denote I’s probability of inverting G; i.e., £ ¤ def ²(n) = Pr x ← {0, 1}n ; y := G(x); x0 ← I(y) : G(x0 ) = y . Consider the following ppt distinguishing algorithm D: • Given y ∈ {0, 1}2n , run I(y) to get x0 . If G(x0 ) = y output 1; else output 0. 2

Since A runs in polynomial time, we know that such a bound exists.

5

It is immediate that Prx←{0,1}n [D(G(x)) = 1] = ²(n). On the other hand, when y is chosen at random then y is only in the range of G with probability |G(x)| ≤ 2n /22n = 2−n . 22n Furthermore, I cannot possibly invert y (and so D cannot possibly output 1) when y is not in the range of G. So, Pr

y←{0,1}2n

[D(y) = 1] ≤ Pr[y is in the range of G] ≤ 2−n .

Since G is pseudorandom, we must have ¯ ¯ ¯²(n) − 2−n ¯ ≤ negl(n), or ²(n) ≤ negl0 (n). Since I was arbitrary, this proves that G is one-way.

6