CSCI 5440: Cryptography
The Chinese University of Hong Kong
Homework 1 Solutions
Problem 1
Suppose $(\mathrm{Enc}, \mathrm{Dec})$ is a private key encryption scheme with key length $k$ and message length $m$
with $k < m$. Show that there exists a pair of messages $(M, M')$ such that
$$\Pr_{K \sim \{0,1\}^k}[\mathrm{Enc}(K, M) \text{ is a possible ciphertext for } M'] < 1/2.$$
Solution
Assume for contradiction that the conclusion is false. Let us first do the proof when $\mathrm{Enc}$ is
deterministic. By assumption, for every $M$ and $M'$,
$$\Pr_{K \sim \{0,1\}^k}[\mathrm{Enc}(K, M) \text{ is a possible ciphertext for } M'] \ge 1/2.$$
Look at the table $\mathrm{Enc}(K, M)$ whose columns are indexed by keys $K \in \{0,1\}^k$, whose rows are indexed by
messages $M \in \{0,1\}^m$, and whose $(M, K)$-th entry is the ciphertext $\mathrm{Enc}(K, M)$. Let $\mathcal{C}$ be the set of
ciphertexts appearing in the row indexed by the message $0^m$, i.e. the set of possible ciphertexts for $0^m$; it has at
most $2^k$ elements. Applying the assumption with $M' = 0^m$, each of the other rows must contain at
least $2^{k-1}$ entries from $\mathcal{C}$, so the remaining part of the table has at least $(2^m - 1)2^{k-1}$ entries
from $\mathcal{C}$, and the whole table has at least $(2^m - 1)2^{k-1} + 2^k = (2^m + 1)2^{k-1}$ entries from
$\mathcal{C}$. By averaging over the at most $2^k$ elements of $\mathcal{C}$, there exists a ciphertext $C \in \mathcal{C}$ that is present in at least $(2^m + 1)/2$ cells of the
table. Since $m \ge k + 1$, we have $(2^m + 1)/2 \ge 2^k + 1/2$, and since the number of cells is an integer,
$C$ is present in at least $2^k + 1$ cells.
By the pigeonhole principle (there are only $2^k$ columns), there must exist a column of the table where $C$ occurs at least
twice. In other words, there must exist a key $K$ and a pair of messages $M \ne M'$ so that
$C = \mathrm{Enc}(K, M) = \mathrm{Enc}(K, M')$. This contradicts the fact that $(\mathrm{Enc}, \mathrm{Dec})$ is an encryption scheme,
because $\mathrm{Dec}(K, \mathrm{Enc}(K, M)) = M$ must be different from $\mathrm{Dec}(K, \mathrm{Enc}(K, M')) = M'$.
To extend the proof to randomized $\mathrm{Enc}$, notice that the same argument works under the
weaker assumption that, for some fixing of the randomness of $\mathrm{Enc}$ and for $M = 0^m$,
$$\mathbb{E}_{M' \ne 0^m}\, \Pr_{K \sim \{0,1\}^k}[\mathrm{Enc}(K, 0^m) \text{ is a possible ciphertext for } M'] \ge 1/2.$$
The expectation is taken over a random message $M'$ sampled from the set $\{0,1\}^m - \{0^m\}$. By
averaging, if the conclusion is false, there must always exist a fixing of the randomness of $\mathrm{Enc}$ for
which this statement holds.
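The counting argument above can be checked exhaustively for a toy scheme. The following Python program is an added example, not part of the original solution; the cipher it uses (each key selects a permutation of the message space, produced by seeding Python's PRNG with the key) is an assumption made only for the demonstration. It builds the table of the proof, computes $\Pr_K[\mathrm{Enc}(K,M) \text{ is a possible ciphertext for } M']$ for every pair, and returns a pair with probability below $1/2$; the theorem guarantees that such a pair exists for any deterministic scheme with $k < m$.

```python
"""Added example (not part of the homework solution): brute-force the
counting argument of Problem 1 for a toy deterministic scheme.

For every pair (M, M') it computes
    Pr_K[Enc(K, M) is a possible ciphertext for M']
where "possible ciphertext for M'" means Enc(K', M') for some key K'.
The toy scheme (a keyed permutation of the message space) is an
assumption made up for the demonstration; the theorem says the result
holds for every deterministic scheme with k < m."""
from fractions import Fraction
from itertools import product
import random

K_BITS, M_BITS = 2, 3          # key length k < message length m


def enc(key: int, msg: int) -> int:
    """Toy deterministic cipher: the key selects a permutation of {0..2^m-1}.

    Seeding Python's PRNG with the key makes the permutation a fixed
    function of the key, so Dec exists (invert the permutation)."""
    perm = list(range(1 << M_BITS))
    random.Random(key).shuffle(perm)
    return perm[msg]


def possible_ciphertexts(msg: int) -> set[int]:
    """The set {Enc(K', msg) : K' in {0,1}^k}, i.e. one row of the table."""
    return {enc(k, msg) for k in range(1 << K_BITS)}


def overlap_table() -> dict[tuple[int, int], Fraction]:
    """table[(M, M')] = Pr_K[Enc(K, M) in possible_ciphertexts(M')]."""
    rows = {m: possible_ciphertexts(m) for m in range(1 << M_BITS)}
    table = {}
    for m, m2 in product(range(1 << M_BITS), repeat=2):
        hits = sum(1 for k in range(1 << K_BITS) if enc(k, m) in rows[m2])
        table[(m, m2)] = Fraction(hits, 1 << K_BITS)
    return table


def find_distinguishable_pair() -> tuple[int, int, Fraction]:
    """Return a pair (M, M') witnessing the theorem, with its probability.

    The diagonal entries are always 1, so the minimum is off-diagonal."""
    table = overlap_table()
    (m, m2), p = min(table.items(), key=lambda kv: kv[1])
    return m, m2, p


def correctness_holds() -> bool:
    """Sanity check: enc is injective in the message for every key."""
    return all(len({enc(k, m) for m in range(1 << M_BITS)}) == 1 << M_BITS
               for k in range(1 << K_BITS))


if __name__ == "__main__":
    m, m2, p = find_distinguishable_pair()
    print(f"M={m:0{M_BITS}b} M'={m2:0{M_BITS}b}: Pr = {p}")
```

With $k = 2$ and $m = 3$ the table has 8 rows and 4 columns, and the row of $0^m$ holds at most 4 distinct ciphertexts, exactly the situation the averaging step of the proof exploits.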
Problem 2
Let $G : \{0,1\}^k \to \{0,1\}^{3k}$ be a pseudorandom generator. Are these functions also pseudorandom
generators?
(a) $G' : \{0,1\}^{2k} \to \{0,1\}^{3k}$ given by $G'(x, x') = G(x) + G(x')$
(b) $G' : \{0,1\}^k \to \{0,1\}^{4k}$ given by $G'(x) = (x, G(x)) + (G(x), x)$.
Here $x$ and $x'$ are strings of length $k$, and $+$ denotes bitwise XOR. If you answer yes, give a proof that $G'$ is pseudorandom
assuming $G$ is. If you answer no, you need to provide a pair of functions $G, G'$ with proofs that $G$
is pseudorandom but $G'$ is not (assuming pseudorandom generators exist).
Solution
(a) We show that if $G$ is $(s, \varepsilon)$ pseudorandom, then $G'$ is also $(s, \varepsilon)$ pseudorandom. Suppose not.
Then there is a circuit $D$ of size $s$ such that
$$\bigl|\Pr_{X, X' \sim \{0,1\}^k}[D(G(X) + G(X')) = 1] - \Pr_{R \sim \{0,1\}^{3k}}[D(R) = 1]\bigr| > \varepsilon.$$
By averaging over $X'$, there must exist a specific value $x_0$ for which
$$\bigl|\Pr_{X \sim \{0,1\}^k}[D(G(X) + G(x_0)) = 1] - \Pr_{R \sim \{0,1\}^{3k}}[D(R) = 1]\bigr| > \varepsilon.$$
Now consider the circuit $D'$ that on input $z$ outputs $D(z + G(x_0))$. Since $x_0$ is fixed, so is
$G(x_0)$, and $D'$ has the same circuit size as $D$ (it may have a few more NOT gates, which don't
count towards the size). Notice that $D'(G(X))$ is distributed like $D(G(X) + G(x_0))$, while
$D'(R)$ is distributed like $D(R + G(x_0))$, which is identically distributed to $D(R)$ because $R + G(x_0)$ is uniform whenever $R$ is. Therefore
$$\bigl|\Pr[D'(G(X)) = 1] - \Pr[D'(R) = 1]\bigr| > \varepsilon$$
and $G$ is not $(s, \varepsilon)$ pseudorandom.
(b) $G'$ is not a pseudorandom generator. Consider the following distinguishing circuit $D$:
$D$: On input $z \in \{0,1\}^{4k}$, write $z = z_1 z_2 z_3 z_4$ where each $z_i$ has length $k$. If
$z_1 + z_2 + z_3 + z_4$ equals $0^k$ output 1, otherwise output 0.
$D$ has size $O(k)$. Writing $G(x) = (g_1, g_2, g_3)$ with each $g_i$ of length $k$, we have $G'(x) = (x + g_1,\, g_1 + g_2,\, g_2 + g_3,\, g_3 + x)$, whose four blocks XOR to $0^k$, so $D(G'(x))$ always outputs 1. On the other hand,
when $R \sim \{0,1\}^{4k}$, $\Pr_R[R_1 + R_2 + R_3 + R_4 = 0^k] = 2^{-k}$ and therefore
$$\Pr_{X \sim \{0,1\}^k}[D(G'(X)) = 1] - \Pr_{R \sim \{0,1\}^{4k}}[D(R) = 1] = 1 - 2^{-k}.$$
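To see the attack in (b) concretely, here is an added example (not from the original solution) in Python that instantiates $G$ with SHA-256 in counter mode, an assumption made only for the demonstration, builds $G'$ from it and runs the distinguisher $D$. Because the attack uses only the structure of $G'$, any choice of $G$ gives the same result.

```python
"""Added example (not part of the homework solution): the distinguisher of
Problem 2(b) run against a concrete stand-in for G.

G is instantiated with SHA-256 in counter mode (an assumption for the
demo; it is not a PRG proven from any hardness assumption, but the attack
works for any G because it only uses the structure of G').  Strings are
bytes, '+' is XOR, and k = 256 bits = 32 bytes."""
import hashlib
import os

K_BYTES = 32  # k = 256 bits


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def G(x: bytes) -> bytes:
    """Stand-in PRG {0,1}^k -> {0,1}^3k: three SHA-256 outputs of (x || ctr)."""
    assert len(x) == K_BYTES
    return b"".join(hashlib.sha256(x + bytes([i])).digest() for i in range(3))


def G_prime(x: bytes) -> bytes:
    """G'(x) = (x, G(x)) + (G(x), x), a 4k-bit string."""
    return xor(x + G(x), G(x) + x)


def D(z: bytes) -> int:
    """Distinguisher: split z into four k-bit blocks, accept iff they XOR to 0^k.

    On G'(x) the blocks are x+g1, g1+g2, g2+g3, g3+x, so every term cancels."""
    assert len(z) == 4 * K_BYTES
    z1, z2, z3, z4 = (z[i * K_BYTES:(i + 1) * K_BYTES] for i in range(4))
    acc = xor(xor(z1, z2), xor(z3, z4))
    return int(acc == bytes(K_BYTES))


def estimate_advantage(trials: int = 1000) -> float:
    """Pr[D(G'(X)) = 1] - Pr[D(R) = 1], estimated by sampling.

    The exact value is 1 - 2^{-k}; the random term is never hit in practice."""
    hits_prg = sum(D(G_prime(os.urandom(K_BYTES))) for _ in range(trials))
    hits_rand = sum(D(os.urandom(4 * K_BYTES)) for _ in range(trials))
    return (hits_prg - hits_rand) / trials


if __name__ == "__main__":
    print("D on G'(x):", D(G_prime(os.urandom(K_BYTES))))
    print("estimated advantage:", estimate_advantage())
```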
Problem 3
Let $F_K : \{0,1\}^n \to \{0,1\}^n$ be a pseudorandom function. Are these functions also pseudorandom?
(a) The function $G_K(x, y) = F_K(x) + F_K(y)$.
(b) The function $G_{K,K'}(x, y) = F_K(x) + F_{K'}(y)$, where $K, K' \sim \{0,1\}^k$ are independent random
keys.
(c) (Optional) The function $G_K(x) = F_K(x + K)$.
If you answer yes, you need to give a proof that $G$ is pseudorandom if $F$ is, namely prove that if $G$
has an efficient distinguisher so does $F$. If you answer no, you need to give a pair of functions $F$,
$G$ such that $F$ is pseudorandom but $G$ is not (assuming pseudorandom functions exist).
Solution
(a) $G_K$ is not a pseudorandom function. Consider the oracle circuit $D^F$ which outputs 1 if
$F(1^n, 1^n) = 0^n$ and 0 otherwise. Then $D^?$ has size $O(n)$. $D^{G_K}$ always accepts because
$$G_K(1^n, 1^n) = F_K(1^n) + F_K(1^n) = 0^n$$
and therefore $\Pr_K[D^{G_K} = 1] = 1$. On the other hand,
$$\Pr[D^R = 1] = \Pr[R(1^n, 1^n) = 0^n] = 2^{-n}$$
where $R$ is a random function from $\{0,1\}^{2n}$ to $\{0,1\}^n$. This gives
$$\Pr_K[D^{G_K} = 1] - \Pr_R[D^R = 1] = 1 - 2^{-n}.$$
(b) $G_{K,K'}$ is not a pseudorandom function. Consider the distinguisher $D^F$ which outputs 1 if
$$F(x, x) + F(x, y) + F(y, x) + F(y, y) = 0^n$$
and 0 otherwise. Here $x$ and $y$ can be any pair of distinct inputs, e.g. $x = 0^n$ and $y = 1^n$.
Then $D^?$ has size $O(n)$. Notice that $D^{G_{K,K'}}$ always outputs 1 because
$$G_{K,K'}(x, x) + G_{K,K'}(x, y) + G_{K,K'}(y, x) + G_{K,K'}(y, y)
= F_K(x) + F_{K'}(x) + F_K(x) + F_{K'}(y) + F_K(y) + F_{K'}(x) + F_K(y) + F_{K'}(y) = 0^n,$$
and therefore $\Pr_{K,K'}[D^{G_{K,K'}} = 1] = 1$. On the other hand, the four values $R(x,x), R(x,y), R(y,x), R(y,y)$ of a random function are independent and uniform, so their sum is uniform and $\Pr_R[D^R = 1] = 2^{-n}$.
Therefore,
$$\Pr_{K,K'}[D^{G_{K,K'}} = 1] - \Pr_R[D^R = 1] = 1 - 2^{-n}.$$
(c) $G_K$ may not be a pseudorandom function. Let $\{H_K\}$ be an $(s, \varepsilon)$ pseudorandom function
family. Let
$$F_K(x) = \begin{cases} H_K(x), & \text{if } x \ne K \\ 0^n, & \text{if } x = K. \end{cases}$$
We will show that $\{F_K\}$ is then $(O(s), 2\varepsilon + s2^{-n})$ pseudorandom, but $G_K(x) = F_K(x + K)$ is distinguished from a random function with advantage $1 - 2^{-n}$ by a circuit of size $O(n)$.
The second part is easy: the distinguisher $D^G$ outputs 1 if $G(0^n) = 0^n$ and 0 if not. By the
definition of $F_K$,
$$\Pr_K[D^{G_K} = 1] = \Pr_K[G_K(0^n) = 0^n] = \Pr_K[F_K(K) = 0^n] = 1,$$
while $\Pr_R[D^R = 1] = \Pr_R[R(0^n) = 0^n] = 2^{-n}$.
We now argue that $\{F_K\}$ is an $(O(s), 2\varepsilon + s2^{-n})$-pseudorandom function family. Suppose not,
and let $D^?$ be a distinguisher of size $s' = O(s)$ (small enough that the circuit $D'$ built below has size at most $s$) such that
$$\bigl|\Pr[D^{F_K} = 1] - \Pr[D^R = 1]\bigr| > 2\varepsilon + s2^{-n}.$$
Then, by the triangle inequality, one of the following must hold:
$$\bigl|\Pr[D^{F_K} = 1] - \Pr[D^{H_K} = 1]\bigr| > \varepsilon + s2^{-n} \qquad (1)$$
or
$$\bigl|\Pr[D^{H_K} = 1] - \Pr[D^R = 1]\bigr| > \varepsilon.$$
The second condition violates the assumption that $\{H_K\}$ is $(s, \varepsilon)$-pseudorandom, so let's
assume the first condition holds. Now the intuition is this: the only way $D^?$ can distinguish
$F_K$ from $H_K$ is if it makes a query on input $K$. But then $D^?$ "learns" the key $K$ and it can
use it to distinguish $H_K$ from a random function.
More formally, we consider the following oracle circuit $D'^F$: Simulate $D^F$ and remember all
the queries $x_1, \dots, x_q$ that it makes. Choose a random $Y \sim \{0,1\}^n$. If $F(Y) = H_{x_i}(Y)$ for
some $i$ accept, otherwise reject.
Since the random variables $D^{F_K}$ and $D^{H_K}$ are identically distributed conditioned on
the event "$D$ does not query $K$" (the two oracles agree on every other input), (1) implies (via conditioning) that
$$\Pr_K[D^{H_K} \text{ queries input } K] > \varepsilon + s2^{-n}.$$
Now assume $D^{H_K}$ queries $K$ and let $i$ be the index of the corresponding query in $D'^{H_K}$.
Then $H_{x_i}(Y) = H_K(Y)$, so $D'^{H_K}$ outputs 1. On the other hand, $D'^R$ outputs 1 only if
$H_{x_i}(Y) = R(Y)$ for some $i$. Since $Y$ is independent of the queries made by $D'$, $\Pr[H_{x_i}(Y) = R(Y)] = 2^{-n}$ for each $i$, and by a union bound over the at most $q \le s$ queries, $D'^R$ outputs 1 with probability at most
$s2^{-n}$. It follows that
$$\Pr[D'^{H_K} = 1] - \Pr[D'^R = 1] > (\varepsilon + s2^{-n}) - s2^{-n} \ge \varepsilon,$$
contradicting the assumption that $\{H_K\}$ is $(s, \varepsilon)$ pseudorandom.
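The three distinguishers of this problem, run against a concrete stand-in for the PRF. This is an added example, not part of the original solution; using HMAC-SHA256 as $F_K$ with $n = 256$, and a lazily sampled table as the random function, are assumptions made for the demonstration. Part (c) uses the contrived $F_K$ built from $H_K$ above and queries $G_K$ at $0^n$; all three attacks depend only on the algebraic structure of $G$, not on the choice of $F$.

```python
"""Added example (not part of the homework solution): the three
distinguishers of Problem 3 run against concrete stand-ins.

Assumptions made for the demo: the PRF is HMAC-SHA256 (n = k = 256 bits),
'+' is XOR on byte strings, and a "random function" is a lazily sampled
table.  The attacks only use the algebraic structure of each G, so the
choice of F is immaterial."""
import hashlib
import hmac
import os

N = 32                # n bits / 8 = 32 bytes; keys are also 32 bytes
ZERO = bytes(N)       # the string 0^n
ONE = b"\xff" * N     # the string 1^n


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def F(key: bytes, x: bytes) -> bytes:
    """Stand-in PRF F_K(x): HMAC-SHA256 (assumption for the demo)."""
    return hmac.new(key, x, hashlib.sha256).digest()


class RandomFunction:
    """Truly random function, sampled lazily and memoised per input."""

    def __init__(self):
        self.table = {}

    def __call__(self, *args: bytes) -> bytes:
        return self.table.setdefault(b"".join(args), os.urandom(N))


# (a) G_K(x, y) = F_K(x) + F_K(y)
def G_a(key: bytes):
    return lambda x, y: xor(F(key, x), F(key, y))


def D_a(oracle) -> int:
    """Accept iff oracle(1^n, 1^n) = 0^n; always true for G_a since F_K(1^n) cancels."""
    return int(oracle(ONE, ONE) == ZERO)


# (b) G_{K,K'}(x, y) = F_K(x) + F_{K'}(y)
def G_b(key: bytes, key2: bytes):
    return lambda x, y: xor(F(key, x), F(key2, y))


def D_b(oracle) -> int:
    """Accept iff the four values on {x,y}^2 XOR to 0^n; each F term appears twice in G_b."""
    x, y = ZERO, ONE
    acc = xor(xor(oracle(x, x), oracle(x, y)), xor(oracle(y, x), oracle(y, y)))
    return int(acc == ZERO)


# (c) the contrived F_K from the solution (H_K := HMAC) and G_K(x) = F_K(x + K)
def F_contrived(key: bytes, x: bytes) -> bytes:
    return ZERO if x == key else F(key, x)


def G_c(key: bytes):
    return lambda x: F_contrived(key, xor(x, key))


def D_c(oracle) -> int:
    """Accept iff oracle(0^n) = 0^n; G_c(0^n) = F_K(K) = 0^n for every key."""
    return int(oracle(ZERO) == ZERO)


def run_all(trials: int = 50) -> dict:
    """Per part: (acceptance rate on the construction, acceptance rate on a random function)."""
    out = {}
    for name, dist, build in (("a", D_a, lambda: G_a(os.urandom(N))),
                              ("b", D_b, lambda: G_b(os.urandom(N), os.urandom(N))),
                              ("c", D_c, lambda: G_c(os.urandom(N)))):
        on_g = sum(dist(build()) for _ in range(trials)) / trials
        on_r = sum(dist(RandomFunction()) for _ in range(trials)) / trials
        out[name] = (on_g, on_r)
    return out


if __name__ == "__main__":
    print(run_all())
```

Each distinguisher makes at most four oracle queries, so it is the $O(n)$-size circuit of the solution; on a random function its acceptance probability is $2^{-n}$, which is why the second coordinate in the output is 0.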
Problem 4
In our setup of private-key encryption we assumed that Alice and Bob share identical copies of the
random key $K \in \{0,1\}^k$. Now suppose that Alice's and Bob's copies of the key are not exactly
the same but they differ in one random bit (which Alice and Bob don't know). Formally, the pair
of keys $(K_A, K_B)$ is chosen from the following distribution on $\{0,1\}^k \times \{0,1\}^k$: First, choose $K_A$
uniformly at random from $\{0,1\}^k$, then choose $i \in \{1, \dots, k\}$ uniformly at random and flip the $i$-th
bit of $K_A$ to obtain $K_B$. Let's call this noisy key encryption.
(a) Give a definition of a message indistinguishable noisy key encryption scheme.
(b) Assuming the existence of pseudorandom generators, prove the existence of a message indistinguishable noisy key encryption scheme.
(c) (Optional) Can you do part (b) in case $K_A$ and $K_B$ differ in $0.1k$ positions? What about
$0.51k$?
Solution
(a) Let $\mathcal{D}$ be the aforementioned distribution on $\{0,1\}^k \times \{0,1\}^k$. A message indistinguishable
noisy key encryption scheme is a pair of randomized polynomial-time algorithms $(\mathrm{Enc}, \mathrm{Dec})$,
and a function $m(k)$, so that
• Functionality: For every $k$, every pair of keys $(K_A, K_B)$ in the support of $\mathcal{D}$ and every
message $M$ of length $m(k)$, we have
$$\mathrm{Dec}(K_B, \mathrm{Enc}(K_A, M)) = M,$$
and symmetrically with the roles of $K_A$ and $K_B$ exchanged.
• Security: For every polynomial $p$, every sufficiently large integer $k$, every (possibly
randomized) circuit $A$ of size $p(k)$, every $i \in \{A, B\}$ and every pair of messages $M$ and
$M'$ of length $m(k)$,
$$\bigl|\Pr_{(K_A, K_B) \sim \mathcal{D}}[A(\mathrm{Enc}(K_i, M)) = 1] - \Pr_{(K_A, K_B) \sim \mathcal{D}}[A(\mathrm{Enc}(K_i, M')) = 1]\bigr| \le 1/p(k).$$
(b) Assume $k$ is a multiple of 3. Let $G : \{0,1\}^{k/3} \to \{0,1\}^m$ be an $(s, \varepsilon)$ pseudorandom generator.
Write each key as $K_i = K_{i1} K_{i2} K_{i3}$ with each block of length $k/3$, and consider the following noisy key encryption scheme:
• $\mathrm{Enc}(K_i, M) = (M + G(K_{i1}),\, M + G(K_{i2}),\, M + G(K_{i3}))$
• $\mathrm{Dec}(K_i, C = (C_1, C_2, C_3)) = \mathrm{majority}(C_1 + G(K_{i1}),\, C_2 + G(K_{i2}),\, C_3 + G(K_{i3}))$,
where the majority is taken bitwise.
Since $K_A$ and $K_B$ differ in only one bit, the flipped bit lies in exactly one block, so $K_{Aj} = K_{Bj}$ for exactly two of the three indices $j$. For those two indices $C_j + G(K_{Bj}) = M$, so after taking the majority we have
$$\mathrm{Dec}(K_B, \mathrm{Enc}(K_A, M)) = M.$$
To show $(\mathrm{Enc}, \mathrm{Dec})$ is a message indistinguishable noisy key encryption scheme, we show
that if $G$ is a pseudorandom generator against size $s$ and bias $\varepsilon$, and is computable by a
circuit of size $t$, then $G' : \{0,1\}^k \to \{0,1\}^{3m}$ given by $G'(x_1, x_2, x_3) = (G(x_1), G(x_2), G(x_3))$ is
a pseudorandom generator against size $s - 2t$ and bias $3\varepsilon$.
Suppose not: then there exists a distinguishing circuit $D$ of size at most $s - 2t$ such that
$$\bigl|\Pr_{x \sim \{0,1\}^k}[D(G'(x)) = 1] - \Pr_{y \sim \{0,1\}^{3m}}[D(y) = 1]\bigr| > 3\varepsilon.$$
For $i \in \{0, 1, 2, 3\}$ let $H_i$ be the hybrid string $(R_1, \dots, R_i, G(x_{i+1}), \dots, G(x_3))$, where each $R_j \sim \{0,1\}^m$ is sampled
independently; thus $H_0 = G'(x)$ and $H_3$ is uniform on $\{0,1\}^{3m}$. By a hybrid argument (the triangle inequality over the three consecutive pairs), there exists an $i \in \{1, 2, 3\}$ such that
$$\bigl|\Pr[D(H_{i-1}) = 1] - \Pr[D(H_i) = 1]\bigr| > \varepsilon.$$
We use $D$ to construct a circuit $A$ that distinguishes $G(x_i)$ from a random string:
$A$: On input $z$, choose $R_1, \dots, R_{i-1} \sim \{0,1\}^m$ and $x_{i+1}, \dots, x_3 \sim \{0,1\}^{k/3}$, and simulate
$D$ on $(R_1, \dots, R_{i-1}, z, G(x_{i+1}), \dots, G(x_3))$.
By construction, $A$ evaluates $G$ at most twice, so it has size at most $s - 2t + 2t = s$. Note that $A(G(x_i))$ is distributed like $D(H_{i-1})$ and
$A(R)$ like $D(H_i)$, and therefore
$$\bigl|\Pr_x[A(G(x)) = 1] - \Pr_R[A(R) = 1]\bigr| > \varepsilon,$$
contradicting the pseudorandomness of $G$. Since $G'$ is a pseudorandom generator against size $s - 2t$
and bias $3\varepsilon$, and $\mathrm{Enc}(K_i, M) = M + G'(K_i)$ with $K_i$ uniform, the usual argument (each of $M + G'(K_i)$ and $M' + G'(K_i)$ is $3\varepsilon$-indistinguishable from a uniform string, and XORing a fixed $M$ costs no gates) shows that $(\mathrm{Enc}, \mathrm{Dec})$ is $(s - 2t, 6\varepsilon)$ message indistinguishable.
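The scheme of part (b), run for every possible position of the flipped key bit. This is an added example, not part of the original solution; $k = 384$ (three 128-bit seeds), $m = 256$ bits and SHAKE-256 as the PRG $G$ are assumptions made for the demonstration. The majority is computed bitwise, so two correct pads out of three always recover $M$, while an unrelated key, where all three pads are wrong, does not.

```python
"""Added example (not part of the homework solution): the three-block
majority scheme of Problem 4(b), run for every position of the flipped key bit.

Assumptions for the demo: k = 384 bits (three 128-bit seeds), messages are
m = 32 bytes, the PRG G: {0,1}^{k/3} -> {0,1}^m is SHAKE-256 used as an
extendable-output function (a stand-in, not a proven PRG), and '+' is XOR."""
import hashlib
import os

SEED_BYTES = 16             # k/3 bits
KEY_BYTES = 3 * SEED_BYTES  # k bits
MSG_BYTES = 32              # m bits


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def G(seed: bytes) -> bytes:
    """Stand-in PRG: stretch a k/3-bit seed to an m-bit pad (assumption)."""
    assert len(seed) == SEED_BYTES
    return hashlib.shake_256(seed).digest(MSG_BYTES)


def split_key(key: bytes) -> tuple[bytes, bytes, bytes]:
    """K = K1 K2 K3, each block of length k/3."""
    assert len(key) == KEY_BYTES
    return key[:SEED_BYTES], key[SEED_BYTES:2 * SEED_BYTES], key[2 * SEED_BYTES:]


def enc(key: bytes, msg: bytes) -> tuple[bytes, bytes, bytes]:
    """Enc(K, M) = (M + G(K1), M + G(K2), M + G(K3))."""
    assert len(msg) == MSG_BYTES
    return tuple(xor(msg, G(part)) for part in split_key(key))


def majority(a: bytes, b: bytes, c: bytes) -> bytes:
    """Bitwise majority; equals M whenever at least two of the inputs equal M."""
    return bytes((x & y) | (x & z) | (y & z) for x, y, z in zip(a, b, c))


def dec(key: bytes, ct: tuple[bytes, bytes, bytes]) -> bytes:
    """Dec(K, (C1, C2, C3)) = majority(C1 + G(K1), C2 + G(K2), C3 + G(K3))."""
    return majority(*(xor(c, G(part)) for c, part in zip(ct, split_key(key))))


def flip_bit(key: bytes, i: int) -> bytes:
    """K_B: K_A with bit i flipped (one sample of the noisy-key distribution)."""
    out = bytearray(key)
    out[i // 8] ^= 1 << (i % 8)
    return bytes(out)


def noisy_roundtrip_all_positions(key_a: bytes, msg: bytes) -> bool:
    """Dec(K_B, Enc(K_A, M)) = M and Dec(K_A, Enc(K_B, M)) = M for every bit position i.

    Whichever block the flip lands in, the other two pads are correct."""
    for i in range(8 * KEY_BYTES):
        key_b = flip_bit(key_a, i)
        if dec(key_b, enc(key_a, msg)) != msg or dec(key_a, enc(key_b, msg)) != msg:
            return False
    return True


def unrelated_key_recovers(key_a: bytes, msg: bytes) -> bool:
    """An independent key has all three pads wrong and should not decrypt."""
    return dec(os.urandom(KEY_BYTES), enc(key_a, msg)) == msg


if __name__ == "__main__":
    key_a = os.urandom(KEY_BYTES)
    msg = b"noisy-key one-time pad test msg!"
    print("all 384 flip positions decrypt:", noisy_roundtrip_all_positions(key_a, msg))
    print("unrelated key decrypts:", unrelated_key_recovers(key_a, msg))
```

The functionality check exercises both directions of the definition in (a). Note that the roundtrip test only covers a single flipped bit: once two blocks of the key differ, the majority no longer has two correct pads, which is why part (c) asks a genuinely different question.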