CAS CS 538. Solutions to Problem Set 5

BU CAS CS 538. Fall 2014.
Problem 1. Since the domain and range are the same (both are {0,1}^{3k}), we just need to prove that f is 1-to-1. Suppose f(x) = f(y). Write x as x1 … xk and y as y1 … yk, where the xi and yi are three-bit strings. Comparing the two outputs, c(xi) = c(yi) for all i, and f(d(x1) ∘ … ∘ d(xk)) = f(d(y1) ∘ … ∘ d(yk)), where this inner f is the given permutation on 2k-bit strings. Since that f is a permutation, d(x1) ∘ … ∘ d(xk) = d(y1) ∘ … ∘ d(yk), so d(xi) = d(yi) for all i. Since for each i, c(xi) = c(yi) and d(xi) = d(yi), and c(s) and d(s) together uniquely determine s, we have xi = yi for each i. Therefore x = y, and f is a permutation.
Suppose f (on 3k-bit inputs) were not one-way. Let I be an inverter for it that succeeds with some given probability on inputs of length 3k. Build an inverter for the underlying f on inputs of length 2k as follows: on input y = f(x') ∈ {0,1}^{2k}, prepend k uniformly random bits to y and run I on the result. Note that I is then being run on f(x) for a uniformly random 3k-bit x. (This holds because x' is uniformly random, so for each i, d(xi) is uniformly random and independent of the other bits; for each i, c(xi) is uniformly random and independent as well, because we prepend uniformly random bits; and if d(xi) and c(xi) are independent and uniform, then so is xi, so all the xi are independent uniform three-bit strings, which means x is uniform.) Therefore our inverter succeeds with the same probability as I. Let z be the output of I. Parse z into three-bit strings z1 ∘ … ∘ zk and output d(z1) ∘ … ∘ d(zk) as the inverse of y. This is correct whenever I succeeds: then f(z) equals the string we handed to I, so f(d(z1) ∘ … ∘ d(zk)) = y, and since the underlying f is a permutation, d(z1) ∘ … ∘ d(zk) = x'.
Finally, c(si) tells you the majority of the bits in si, so you can predict every bit of a random si with probability 3/4 just by knowing and outputting c(si): if si is 000 or 111 (probability 1/4), you are always right, and otherwise (the six strings with exactly one bit differing from the other two, probability 3/4) you are right for 2 of the 3 bit positions; (1/4)·1 + (3/4)·(2/3) = 3/4. So although f is one-way, its first k output bits let you guess every bit of its input with probability 3/4, and no individual input bit is hard-core for f.
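The following is an added example, not part of the problem set: a toy instance of the Problem 1 construction for k = 2, with the two reductions from the solution carried out in code (inverting the underlying f through an inverter for the 3k-bit function, here called f_prime, and the 3/4 bit-prediction count). c(s) is the majority bit as on the page; the 2-bit map d is not specified on the page, so the d below is a hypothetical choice that has the properties the proof uses, namely that (c(s), d(s)) determines s and that d(s) is uniform and independent of c(s) for uniform s. The underlying permutation f is a plain bit rotation, which is of course not one-way; only the fact that it is a permutation matters for the mechanics shown.

```python
# Added example, not part of the problem set: a toy instance of the Problem 1
# construction f'(x) = c(x1)...c(xk) || f(d(x1)...d(xk)) for k = 2.
# c(s) is the majority bit of the 3-bit block s, as on the page.  The 2-bit map
# d is NOT given on the page; the one here is a hypothetical choice with the
# properties the proof uses: (c(s), d(s)) determines s, and d(s) is uniform and
# independent of c(s) when s is uniform.
import itertools
import secrets

K = 2  # number of 3-bit blocks; f' acts on 3K bits, f on 2K bits

def c(s):
    """Majority bit of a 3-bit block (a tuple of 0/1 ints)."""
    return 1 if sum(s) >= 2 else 0

# Hypothetical d: XOR the block with its majority bit, which leaves one of
# 000, 001, 010, 100, then encode which one as two bits.
_D_CODE = {(0, 0, 0): (0, 0), (0, 0, 1): (0, 1), (0, 1, 0): (1, 0), (1, 0, 0): (1, 1)}
_D_INV = {v: k for k, v in _D_CODE.items()}

def d(s):
    maj = c(s)
    return _D_CODE[tuple(bit ^ maj for bit in s)]

def block_from_cd(cbit, dbits):
    """Inverse of s -> (c(s), d(s)): the pair uniquely determines the block."""
    return tuple(bit ^ cbit for bit in _D_INV[dbits])

def f(u):
    """Stand-in for the given permutation on 2K bits: rotate left by one.
    Obviously not one-way; only its being a permutation matters here."""
    return u[1:] + u[:1]

def f_prime(x):
    """The 3K-bit function of Problem 1: c-bits of each block, then f of the d-bits."""
    blocks = [x[3 * i:3 * i + 3] for i in range(K)]
    cs = tuple(c(b) for b in blocks)
    ds = tuple(bit for b in blocks for bit in d(b))
    return cs + f(ds)

def brute_force_inverter(y):
    """Plays the role of the hypothetical inverter I for f' (exhaustive search,
    feasible only because 3K = 6 bits)."""
    for x in itertools.product((0, 1), repeat=3 * K):
        if f_prime(x) == y:
            return x
    raise ValueError("no preimage")

def invert_f_using_I(y, I=brute_force_inverter):
    """The reduction from the solution: prepend K random bits, run I, parse the
    answer into 3-bit blocks and apply d to each block."""
    r = tuple(secrets.randbelow(2) for _ in range(K))
    z = I(r + y)
    blocks = [z[3 * i:3 * i + 3] for i in range(K)]
    return tuple(bit for b in blocks for bit in d(b))

def f_prime_is_permutation():
    images = {f_prime(x) for x in itertools.product((0, 1), repeat=3 * K)}
    return len(images) == 2 ** (3 * K)

def reduction_inverts_everything():
    """Every 2K-bit y = f(x') is inverted correctly via the reduction."""
    return all(invert_f_using_I(f(x)) == x
               for x in itertools.product((0, 1), repeat=2 * K))

def bit_prediction_rate():
    """Fraction of bit positions guessed correctly by outputting c(s) for every
    bit of s, over all 8 blocks."""
    hits = total = 0
    for s in itertools.product((0, 1), repeat=3):
        for bit in s:
            hits += int(bit == c(s))
            total += 1
    return hits / total
```

Running `reduction_inverts_everything()` exercises the reduction on all sixteen 2k-bit inputs; `bit_prediction_rate()` returns 0.75, the value computed in the solution.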
Problem 2. Using the Chinese Remainder Theorem with moduli nB and nD and values cB and cD, compute the unique value c with 0 ≤ c < nB nD such that c ≡ cB (mod nB) and c ≡ cD (mod nD). (CRT applies because nB and nD are coprime; if they shared a factor, gcd(nB, nD) would already factor both moduli.) Recall that m^2 ≡ cB (mod nB) and m^2 ≡ cD (mod nD). Note also that because m < nB and m < nD, 0 ≤ m^2 < nB nD. Thus m^2 satisfies the same three conditions as c. But CRT says that there is only one integer satisfying these three conditions. Hence m^2 = c as integers, not merely modulo nB nD. To find m, simply compute the positive integer square root of c (positive because we know that m was positive to begin with); since c is a perfect square, this root is exact.
Problem 3. We need to show that encryption of m0 (as carried out in exp0) is indistinguishable
from encryption of m1 (as carried out in exp1), where m0 and m1 are chosen by the adversary upon
seeing the public key.
Consider an experiment h0, which is the same as exp0 except that K is computed as g^c for a uniformly random c. I claim that exp0 and h0 are indistinguishable. Indeed, suppose they are distinguishable by some distinguisher D. Then I will build a distinguisher that distinguishes (p, g, g^a, g^b, g^{ab}) from (p, g, g^a, g^b, g^c) (thus breaking DDH) as follows:
• take the input (p, g, g^a, g^b, X), where X is either g^{ab} or g^c;
• set PK = (p, g, g^a);
• run D(PK) to get m0, m1;
• give back to D the pair (g^b, m0^2 · X) as the ciphertext;
• output whatever D outputs.
Observe that when X = g^{ab}, the output will be identically distributed to the output of exp0 (because the inputs to D are identically distributed to those in exp0), and when X = g^c, the output will be identically distributed to the output of h0. So if D can distinguish exp0 from h0, we can break DDH.
Observe that in h0, the triple (g^a, g^b, m0^2 · g^c) is a uniformly distributed triple of elements of QR_p. This holds because, no matter how m0 is chosen by the adversary, c is uniform in the integers [1, q], so g^c is uniform in QR_p; and multiplying a fixed value m0^2 by a uniformly distributed value g^c gives a uniformly distributed value (indeed, the probability of getting any α ∈ QR_p is the same as the probability that g^c = α · m0^{-2}, which is 1/q).
Now consider an experiment h1, which is the same as exp1 (which encrypts m1), except that, again, K is computed as g^c for a uniformly random c. By the same argument as in the previous paragraph, in h1 the triple (g^a, g^b, m1^2 · g^c) is a uniformly distributed triple of elements of QR_p. Therefore h0 is indistinguishable from h1, because what any distinguisher sees in h0 is identically distributed to what it sees in h1; hence the outputs of the distinguisher are identically distributed too.
Finally, h1 is indistinguishable from exp1 by the same reasoning as for h0 and exp0.
Putting the chain together, we get that exp0 is indistinguishable from h0, which is indistinguishable from h1, which is indistinguishable from exp1. Thus, by the triangle inequality, exp0 is indistinguishable from exp1, which is what we needed to prove.
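The following is an added example, not part of the problem set: a toy version of the Problem 3 scheme over QR_p (ciphertext (g^b, m^2 · K) with K = g^{ab}), the five-step DDH reduction from the proof as a function that wraps an arbitrary two-phase adversary, and two checks that the proof relies on: that on a real DDH tuple the reduction hands D exactly the exp0 ciphertext, and that c ↦ m^2 · g^c is a bijection onto QR_p (the uniformity claim used in h0). The parameters p = 23 (a safe prime, q = 11) and g = 4 are constructed toy values, far too small for real use, and the `choose`/`guess` interface of the adversary is an assumption made for the example.

```python
# Added example, not part of the problem set: a toy instance of the Problem 3
# scheme and the DDH reduction from the solution.  p = 23 (safe prime, q = 11)
# and g = 4 are constructed toy parameters; the two-phase adversary interface
# (choose, guess) is assumed here, not taken from the problem set.
import secrets

P = 23
Q = (P - 1) // 2      # QR_p has prime order q
G = 4                 # 4 = 2^2 is a square, hence generates QR_p

def rand_exp():
    """Uniform exponent in [1, q]."""
    return 1 + secrets.randbelow(Q)

def keygen(a=None):
    a = rand_exp() if a is None else a
    return (P, G, pow(G, a, P)), a

def encrypt(pk, m, b=None):
    """exp0/exp1 encryption of m: (g^b, m^2 * g^{ab})."""
    p, g, ga = pk
    b = rand_exp() if b is None else b
    K = pow(ga, b, p)
    return pow(g, b, p), (m * m % p) * K % p

def decrypt(sk, ct):
    """Recovers m^2 (m is one of its two square roots; not needed for the proof)."""
    gb, c2 = ct
    K = pow(gb, sk, P)
    return c2 * pow(K, -1, P) % P

def qr_set():
    return {pow(G, c, P) for c in range(1, Q + 1)}

def masked_squares_uniform(m):
    """The h0 claim: c -> m^2 * g^c maps [1, q] bijectively onto QR_p, so the
    product is uniform in QR_p for uniform c, whatever m the adversary chose."""
    vals = [(m * m % P) * pow(G, c, P) % P for c in range(1, Q + 1)]
    return len(set(vals)) == Q and set(vals) == qr_set()

def simulate_ciphertext(tup, m0):
    """Step 4 of the reduction: from (p, g, g^a, g^b, X) build (g^b, m0^2 * X)."""
    p, g, ga, gb, X = tup
    return gb, (m0 * m0 % p) * X % p

def ddh_reduction(D, tup):
    """Steps 1-5: run D with PK = (p, g, g^a), give it the simulated ciphertext
    for its m0, output D's guess.  Real tuple -> D sees exp0; random -> h0."""
    p, g, ga, gb, X = tup
    m0, m1, state = D.choose((p, g, ga))
    return D.guess(state, simulate_ciphertext(tup, m0))

def ddh_tuple(a, b, c=None):
    """Real tuple (X = g^{ab}) when c is None, random tuple (X = g^c) otherwise."""
    X = pow(G, a * b, P) if c is None else pow(G, c, P)
    return (P, G, pow(G, a, P), pow(G, b, P), X)

def reduction_simulates_exp0():
    """On real tuples the simulated ciphertext equals the genuine encryption of
    m0 under the same randomness b, for every a, b and m0."""
    for a in range(1, Q + 1):
        pk, _ = keygen(a)
        for b in range(1, Q + 1):
            for m0 in range(1, P):
                if simulate_ciphertext(ddh_tuple(a, b), m0) != encrypt(pk, m0, b):
                    return False
    return True

def decrypt_roundtrip():
    pk, sk = keygen()
    return all(decrypt(sk, encrypt(pk, m)) == m * m % P for m in range(1, P))

class ExampleAdversary:
    """A stand-in D with the assumed interface: choose two messages after seeing
    PK, then guess a bit from the ciphertext.  Any real D plugs in here."""
    def choose(self, pk):
        return 2, 3, pk
    def guess(self, state, ct):
        return 1 if ct[1] % 2 else 0
```

Note that `masked_squares_uniform` holds for every m, which is exactly why h0 and h1 are identically distributed; the only place DDH is needed is the step from exp0 to h0 (and exp1 to h1), where the reduction above converts a distinguisher into a DDH solver.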