Definition Of Perfect

Shared by: junglesister. Posted: 7/24/2009.
Mastermath Cryptology
February 18, 2008
Homework 1
Lecturer: Eike Kiltz
Due: Feb 26

Problem 1 (Some Simple Combinatorics of Perfect Encryption)

Let $\Sigma$ be a non-empty, finite set. Write $|\Sigma| = n$. An $n \times n$ matrix with entries in $\Sigma$ is a Latin Square of order $n$ if each of the symbols from $\Sigma$ occurs exactly once in any given row and in any given column as well. In other words, the rows and the columns “are permutations of $\Sigma$”.

We can associate a matrix with a symmetric encryption scheme in the following way, assuming that the ciphertext is determined deterministically from the key and the message: label the rows of the matrix with the possible keys, and label the columns with the possible messages. The $(i, j)$-entry is defined as the ciphertext corresponding to key $i$ and message $j$.

(a) Suppose we are given a perfectly secure one-time encryption scheme where the number of possible keys equals the number of possible messages. Show that the matrix associated to this encryption scheme is a Latin Square.

(b) Conversely, show that each Latin Square of order $n$ gives rise to a perfectly secure one-time encryption scheme where $n$ is both the number of possible keys and the number of possible messages.

(c) Let $G$ be a finite associative group of order $n$. Write $G = \{g_1, \ldots, g_n\}$. Consider the $n \times n$ matrix over $G$ whose $(i, j)$-entry equals $g_i \cdot g_j \in G$. Show that this is a Latin Square. Also: for which choice of $G$ can you recover the particular OTP construction from the lecture?

Problem 2 (Perfect Encryption of Two Messages)

In class we discussed perfect one-time secrecy for the case when the adversary sees the encryption of a single message: for all messages $M_0, M_1 \in \mathcal{M}$ and ciphertexts $C \in \mathcal{C}$, we have

$$\Pr[\mathrm{Enc}(K, M_0) = C] = \Pr[\mathrm{Enc}(K, M_1) = C],$$

where the probability is taken over the uniform choice of the keys $K \in \mathcal{K}$.

(a) Formulate (similar to the above) a definition of perfect two-time secrecy for the case when the adversary sees the encryption of two messages (using the same key $K$). (Hint: you should have messages $M_0, M_1, M_0', M_1'$.)

(b) Argue that no deterministic encryption scheme can satisfy the definition in part (a). Does it help if we allow encryption to be randomized? (Hint: consider first and second message being the same in one pair and different in another.)

(c) Try to give another definition of security for encryption of two messages (call them $M$ and $M'$) which captures that “the only information Eve learns about $M$ and $M'$ after seeing $\mathrm{Enc}(M)$ and $\mathrm{Enc}(M')$ is whether $M = M'$”.

(d) Consider the following scheme and prove that it satisfies your definition in part (c). Let $p$ be a random $n$-bit prime (which is known to everybody once chosen) and let $\mathbb{Z}_p$ be the set of integers $\{0, \ldots, p - 1\}$. The shared secret key is a pair of random integers $K_1, K_2 \in \mathbb{Z}_p$, where $K_1 \neq 0$. To encrypt a message $M \in \mathbb{Z}_p$, compute $\mathrm{Enc}((K_1, K_2), M) = (K_1 \cdot M + K_2) \bmod p$. To decrypt $C$, compute $(C - K_2)/K_1 \bmod p$.

Problem 3 (A more flexible Message Authentication Code)

Let $\Sigma$ be a non-empty, finite set and let $n$ be a positive integer. A code of length $n$ over $\Sigma$ is a non-empty set $C \subset \Sigma^n$, where $\Sigma^n$ denotes the $n$-fold Cartesian product of $\Sigma$. Let $C$ be a code of length $n$ over $\Sigma$. For $c = (c_1, \ldots, c_n) \in \Sigma^n$ and for $\sigma \in \Sigma$ we define

$$\delta(c; \sigma) = |\{i : 1 \le i \le n,\ c_i = \sigma\}|.$$

Then we define

$$\delta(c) = \max_{\sigma \in \Sigma} \delta(c; \sigma).$$

In other words, $\delta(c)$ is the frequency of the symbol $\sigma$ that occurs most as a coordinate of $c$. Finally we define

$$\delta(C) = \max_{c \in C \setminus \{0\}} \delta(c).$$

(a) Show that $\frac{n}{|\Sigma|} \le \delta(C) \le n$.

(b) Now assume that $\Sigma$ is a finite field, denoted $K$ instead. If $C$ is a subspace of the $n$-dimensional vector space $K^n$, then we say that $C$ is a linear code of length $n$ over $K$. The dimension of a code is its dimension as a $K$-vector space. As an aside, a typical parameter of interest for a linear code is the minimum distance $d(C)$: the number of non-zero coordinates in a codeword, minimized over all codewords $c \neq 0$. Equivalently, $d(C) = n - \max_{c \in C \setminus \{0\}} \delta(c; 0)$.

Let $C$ be a linear code of length $n$ over $K$ and of dimension $r$, and consider the following (one-time) message authenticity code. The message-space is $K^r$, and we are given a bijection $\varphi : K^r \to C$ that maps messages to codewords. The key-space is $\{1, \ldots, n\} \times K$, and the tag-space is $K$. Given a message $m \in K^r$ and given a key $(i, k) \in \{1, \ldots, n\} \times K$, the tag $\tau$ is defined as

$$\tau = (\varphi(m))_i + k \in K.$$

Thus, we take the codeword $c$ associated to $m$, i.e., $c = \varphi(m)$. Then we take the $i$-th coordinate of it, and add $k$ to it in order to obtain $\tau$.

Assume that we choose a secret key $(i, k)$ with the uniform probability distribution on $\{1, \ldots, n\} \times K$, independently from anything else. An adversary is now allowed to make a single query: he submits $m \in K^r$ of his choice and gets $\tau \in K$ in return from us, where $\tau$ is the corresponding tag consistent with our chosen key and the message $m$. His goal is to produce a forgery, a pair $(m', \tau') \in K^r \times K$ with $m' \neq m$ and $\tau'$ a correct tag for $m'$ consistent with our secret key. The forgery probability is the probability of the best strategy.

Show that if $\delta(C) = n$, then the forgery probability is 1.

(c) Now assume $\delta(C) < n$. The game is as in Question 2. Show that, conditioned on the pair $(m, \tau)$, the element $i$ from the secret key still has the uniform distribution on $\{1, \ldots, n\}$ from the point of view of the adversary. Also, use this fact to show that the forgery probability is at most $\frac{\delta(C)}{n} < 1$.

(d) Let $K$ be a finite field, and write $|K| = n$ and write $K = \{P_1, \ldots, P_n\}$. Let $d$ be an integer with $1 \le d < n$. Define the linear code $C$ of length $n$ and dimension $d$ as follows: $c \in C$ if and only if $c = (0, \ldots, 0) \in K^n$ or $c = (f(P_1), \ldots, f(P_n)) \in K^n$ for some polynomial $f(X) \in K[X]$ of degree at most $d$ with constant term zero. Consider the message authenticity code based on $C$. Thus, $\tau = f_m(P_i) + k$, where $f_m$ is the polynomial associated with $m \in K^d$ (via the implicit function $\varphi$). Show that the forgery probability is at most $\frac{d}{|K|} < 1$.

The advantage of this latter MAC over the one presented in the lecture is that the forgery probability and the message length can be designed more freely, which is particularly useful if the message length is very large.

Problem 4 (One way functions)

For two bitstrings $x$ and $y$, let $x \| y$ denote the binary concatenation of $x$ and $y$. Assume $f : \{0, 1\}^* \to \{0, 1\}^*$ is a length-preserving one-way function. For the functions $g_i$, $1 \le i \le 4$, defined below, either show that $g_i$ is a one-way function by giving a formal proof or disprove that $g_i$ is a one-way function by giving a counterexample of a one-way function $f$ showing the implication is false.

(a) $g_1(x) := \begin{cases} 0^n & : x = 0^n \\ f(x) & : \text{otherwise} \end{cases}$

(b) $g_2(x \| y) := (f(x) \oplus y) \| y$, where $|x| = |y| = n$.

(c) $g_3(x) := f(f(x))$.

(d) $g_4(x) := f(x) \oplus x$.

Problem 5 (Hard core predicates)

Let $f$ be a one-way function. We say that $b$ is a weak hard core of $f$ if

• there exists a PPT algorithm that computes $b(x)$ from $x$;
• for all PPT algorithms $A$, we have $\Pr_x[b(x) = y : y \leftarrow_R A(f(x))] < 1$.

Consider the discrete exponentiation function modulo a prime $p$, $\exp = \exp_{g,p} : \mathbb{Z}_{p-1} \to \mathbb{Z}_p^*$, defined as

$$\exp(x) := g^x \bmod p,$$

where $g$ is a generator of $\mathbb{Z}_p^*$. Assume that it is one-way.

(a) Define the predicate $\mathrm{lsb} = \mathrm{lsb}_p$ on $\mathbb{Z}_{p-1}$ as $\mathrm{lsb}(x) = x \bmod 2$. $\mathrm{lsb}(x)$ resembles the least significant bit. Browse through the number theoretic facts mentioned in the lecture notes to derive that $\mathrm{lsb}$ is not a weak hard core for the function $\exp$.

(b) We define the following predicate $\mathrm{msb} = \mathrm{msb}_p$ on $\mathbb{Z}_{p-1}$ which resembles the most significant bit.

$$\mathrm{msb}(x) := \begin{cases} 0 & : x < (p - 1)/2 \\ 1 & : x \ge (p - 1)/2. \end{cases}$$

Prove that $\mathrm{msb}$ is a weak hard core for the function $\exp$.
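The matrix view of Problem 1 can be checked mechanically on small cases. The following is an added example, not part of the homework sheet: it tests the Latin Square property, the one-time secrecy equation from Problem 2, and decryptability separately, on constructed sample matrices (all function and constant names are hypothetical).

```python
from collections import Counter
from fractions import Fraction

def is_latin_square(matrix):
    """Every row and every column is a permutation of the symbol set."""
    n = len(matrix)
    symbols = {entry for row in matrix for entry in row}
    if len(symbols) != n or any(len(row) != n for row in matrix):
        return False
    rows_ok = all(set(row) == symbols for row in matrix)
    cols_ok = all({row[j] for row in matrix} == symbols for j in range(n))
    return rows_ok and cols_ok

def ciphertext_distribution(matrix, j):
    """Distribution of Enc(K, message j) when the key (row) is uniform."""
    counts = Counter(row[j] for row in matrix)
    return {c: Fraction(k, len(matrix)) for c, k in counts.items()}

def is_perfectly_secret(matrix):
    """Pr[Enc(K, M0) = C] = Pr[Enc(K, M1) = C] for all M0, M1 and C."""
    reference = ciphertext_distribution(matrix, 0)
    return all(ciphertext_distribution(matrix, j) == reference
               for j in range(len(matrix[0])))

def is_decryptable(matrix):
    """Each key must map distinct messages to distinct ciphertexts."""
    return all(len(set(row)) == len(row) for row in matrix)

def cayley_table(elements, op):
    """Matrix whose (i, j)-entry is op(g_i, g_j), as in part (c)."""
    elements = list(elements)
    return [[op(a, b) for b in elements] for a in elements]

# Constructed sample matrices (rows = keys, columns = messages).
XOR_2BIT = cayley_table(range(4), lambda a, b: a ^ b)         # group (Z_2)^2
ADD_MOD_5 = cayley_table(range(5), lambda a, b: (a + b) % 5)  # group Z_5
MUL_MOD_4 = cayley_table(range(4), lambda a, b: (a * b) % 4)  # not a group
CONSTANT_ROWS = [[0, 0], [1, 1]]  # secret, but cannot be decrypted

def summarize(matrix):
    """(latin square?, perfectly secret?, decryptable?)"""
    return (is_latin_square(matrix), is_perfectly_secret(matrix),
            is_decryptable(matrix))

if __name__ == "__main__":
    for name in ("XOR_2BIT", "ADD_MOD_5", "MUL_MOD_4", "CONSTANT_ROWS"):
        print(name, summarize(globals()[name]))
```

The `CONSTANT_ROWS` case shows why part (a) needs the scheme to be an encryption scheme at all: the secrecy equation alone holds there, but no key can be inverted.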
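For the scheme in Problem 2(d), the two-message behaviour can be enumerated exhaustively for a small prime. This is an added example, not part of the homework sheet; it assumes one reading of part (c), namely that the joint distribution of the two ciphertexts may depend only on whether $M = M'$, and it uses a constructed prime $p = 7$ and a hypothetical weaker key space for contrast.

```python
from collections import Counter
from itertools import product

P = 7  # constructed small prime so the key space can be enumerated

def enc(key, m, p=P):
    k1, k2 = key
    return (k1 * m + k2) % p

def dec(key, c, p=P):
    k1, k2 = key
    return ((c - k2) * pow(k1, -1, p)) % p  # division by K1 modulo p

def affine_keys(p=P):
    """Key space from part (d): K1 != 0, K2 arbitrary."""
    return [(k1, k2) for k1 in range(1, p) for k2 in range(p)]

def shift_keys(p=P):
    """Weaker variant for contrast (assumption, not on the sheet): K1 = 1."""
    return [(1, k2) for k2 in range(p)]

def pair_distribution(m, m2, keys, p=P):
    """How many keys map (m, m2) to each ciphertext pair (c, c2)."""
    return Counter((enc(k, m, p), enc(k, m2, p)) for k in keys)

def leaks_only_equality(keys, p=P):
    """True if the distribution of (Enc(M), Enc(M')) depends only on
    whether M = M', checked over every message pair."""
    equal_ref = pair_distribution(0, 0, keys, p)
    distinct_ref = pair_distribution(0, 1, keys, p)
    for m, m2 in product(range(p), repeat=2):
        reference = equal_ref if m == m2 else distinct_ref
        if pair_distribution(m, m2, keys, p) != reference:
            return False
    return True

def decrypts_correctly(keys, p=P):
    return all(dec(k, enc(k, m, p), p) == m for k in keys for m in range(p))

if __name__ == "__main__":
    print("affine keys:", leaks_only_equality(affine_keys()))
    print("shift keys :", leaks_only_equality(shift_keys()))
```

With $K_1$ fixed, the difference $C' - C$ equals $M' - M$, so the ciphertext pair reveals more than equality and the check fails.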
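The bound in Problem 3(d) can be compared against an exhaustive search over all forgeries. This is an added example, not part of the homework sheet: it assumes $K$ is a prime field $\mathbb{F}_p$ with evaluation points $P_i = i$ and takes $\varphi$ to map a message $m \in K^d$ to the polynomial with coefficient vector $m$ (both are choices made here; all names are hypothetical).

```python
from fractions import Fraction
from itertools import product

def poly_eval(m, x, p):
    """f_m(x) = m[0]*x + m[1]*x^2 + ... over F_p (constant term zero)."""
    return sum(c * pow(x, e, p) for e, c in enumerate(m, start=1)) % p

def tag(m, key, p):
    """tau = f_m(P_i) + k, with P_i = i (assumption of this example)."""
    i, k = key
    return (poly_eval(m, i, p) + k) % p

def consistent_keys(m, t, p):
    """Keys (i, k) the adversary cannot rule out after seeing (m, t).
    There is exactly one k per position i, so i stays uniform."""
    return [(i, (t - poly_eval(m, i, p)) % p) for i in range(p)]

def best_forgery_probability(p, d, m=None, t=0):
    """Try every forgery (m', t') with m' != m after the single query
    (m, t) and return the success probability of the best one."""
    m = tuple(m) if m is not None else (0,) * d
    keys = consistent_keys(m, t, p)
    best = 0
    for m2 in product(range(p), repeat=d):
        if m2 == m:
            continue
        for t2 in range(p):
            hits = sum(tag(m2, key, p) == t2 for key in keys)
            best = max(best, hits)
    return Fraction(best, len(keys))

if __name__ == "__main__":
    for p, d in [(5, 1), (5, 2), (7, 3)]:
        print(f"p={p} d={d}: best forgery probability",
              best_forgery_probability(p, d), "bound", Fraction(d, p))
```

For these parameters the search meets the bound $d/|K|$ exactly, and the result does not depend on which message the adversary queried.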
