Midterm Exam — Solutions

University of Maryland
CMSC858K — Cryptography
Professor Jonathan Katz
1. This question concerned a new notion called bitwise security.
(a) Fix an encryption scheme $\Pi$ for messages of length $\ell(n)$ and an adversary $A$, and consider the following experiment $\mathrm{BW}_{A,\Pi}(n)$:
i. A random key $k \leftarrow \{0,1\}^n$ and message $m \leftarrow \{0,1\}^{\ell(n)}$ are chosen.
ii. $A$ is given the ciphertext $C \leftarrow \mathrm{Enc}_k(m)$.
iii. $A$ outputs a pair $(i, b)$, with $i \in \{1, \ldots, \ell(n)\}$ and $b \in \{0,1\}$. The output of the experiment is 1 iff $b = m_i$, where $m_i$ denotes the $i$th bit of $m$.
We say $\Pi$ is bitwise secure if for all ppt $A$ it holds that $\Pr[\mathrm{BW}_{A,\Pi}(n) = 1] \le 1/2 + \mathrm{negl}(n)$.
Note: There is a related definition in the book (cf. Claim 3.10). The definition in the book fixes the index $i$ for which the adversary is supposed to guess $m_i$, whereas in the definition here the adversary gets to choose $i$ based on the ciphertext (which makes the attack somewhat stronger). Also, the definition in the book is not well-specified when the length $\ell(n)$ of the messages being encrypted can depend on $n$.
(b) Say $\Pi$ has indistinguishable encryptions in the presence of an eavesdropper. We show that it is also bitwise secure. Let $A$ be any ppt adversary attacking $\Pi$ in the sense of bitwise security. Construct the following ppt adversary $A'$:
i. $A'$ chooses uniform, independent messages $m_0, m_1 \in \{0,1\}^{\ell(n)}$ and outputs them.
ii. $A'$ is given a challenge ciphertext $C$, which it gives to $A$. Then $A$ outputs $(i, b)$.
iii. If $m_{0,i} = m_{1,i}$ then $A'$ outputs a random guess. Otherwise, $A'$ outputs 0 if $b = m_{0,i}$, and outputs 1 if $b = m_{1,i}$.
We have
$$
\begin{aligned}
\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1]
&= \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1 \mid m_{0,i} = m_{1,i}] \cdot \Pr[m_{0,i} = m_{1,i}] \\
&\qquad + \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1 \mid m_{0,i} \ne m_{1,i}] \cdot \Pr[m_{0,i} \ne m_{1,i}] \\
&= \tfrac{1}{2} \cdot \Pr[m_{0,i} = m_{1,i}]
   + \Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1 \mid m_{0,i} \ne m_{1,i}] \cdot \Pr[m_{0,i} \ne m_{1,i}] \\
&= \tfrac{1}{4} + \tfrac{1}{2} \cdot \Pr[\mathrm{BW}_{A,\Pi}(n) = 1 \mid m_{0,i} \ne m_{1,i}],
\end{aligned}
$$
because $A'$ outputs a random guess if $m_{0,i} = m_{1,i}$, and the probability that $m_{0,i} = m_{1,i}$ is exactly $1/2$. (This latter point is not immediately obvious, but is true because $A$ sees an encryption of only one of $m_0$ or $m_1$, and has no information about the other message, which is chosen at random.) Moreover,
$$
\Pr[\mathrm{BW}_{A,\Pi}(n) = 1 \mid m_{0,i} \ne m_{1,i}] = \Pr[\mathrm{BW}_{A,\Pi}(n) = 1].
$$
(You should convince yourself that the event $m_{0,i} \ne m_{1,i}$ is independent of whether or not $A'$ succeeds in its attack.) Since
$$
\bigl|\Pr[\mathrm{PrivK}^{\mathrm{eav}}_{A',\Pi}(n) = 1] - 1/2\bigr|
$$
must be negligible, it follows that $\bigl|\Pr[\mathrm{BW}_{A,\Pi}(n) = 1] - 1/2\bigr|$ must be negligible as well.
(c) There are several possible solutions. Here is one I was thinking of: The key is a random string of length $n$, and messages are length $n$ as well. To encrypt the message $m$ using key $k$, output the ciphertext
$$
(m \oplus k) \,\|\, (m_1 \oplus m_2).
$$
Decryption is done in the natural way, using the first $n$ bits of the ciphertext. This is clearly not indistinguishable (since $m_1 \oplus m_2$ is leaked: an eavesdropper choosing $m_0 = 0^n$ and $m_1 = 10^{n-1}$ reads the challenge bit off the last ciphertext bit), but it is bitwise secure: the first $n$ bits form a one-time pad, and the extra bit $m_1 \oplus m_2$ is independent of every single bit $m_i$, so each $m_i$ remains uniform given the ciphertext.
(d) Using the same experiment as in part (a), perfect bitwise security requires that for all (even unbounded) $A$, it holds that $\Pr[\mathrm{BW}_{A,\Pi}(n) = 1] = 1/2$. Perfect security as defined can be achieved using a 1-bit key. To encrypt message $m = m_1 \cdots m_\ell$ using key $k$, output the ciphertext
$$
(m_1 \oplus k) \,\|\, \cdots \,\|\, (m_\ell \oplus k).
$$
We prove that this is perfectly bitwise secure. Fix any $n$, and any index $i \in \{1, \ldots, \ell(n)\}$. For any bit $b$ and any ciphertext $c$, we have (remember that upper-case letters are random variables, and lower-case letters are fixed values):
$$
\begin{aligned}
\Pr[M_i = b \mid C = c]
&= \frac{\Pr[M_i = b \wedge C = c]}{\Pr[C = c]} \\
&= \frac{\Pr[C = c \mid M_i = b] \cdot \Pr[M_i = b]}{\Pr[C = c]} \\
&= \frac{1/2 \cdot \Pr[C = c \mid M_i = b]}{2^{-\ell}},
\end{aligned}
$$
where the last equation follows since $M$ is chosen uniformly (so $\Pr[M_i = b] = 1/2$, and $C = M \oplus k^\ell$ is itself uniform over $\{0,1\}^\ell$ whatever the key is). Conditioned on $M_i = b$, we can have $C = c$ only if: (1) $K = c_i \oplus b$ and (2) for every $j \ne i$, it holds that $M_j = K \oplus c_j$. These are $\ell$ independent events, each having probability $1/2$. Thus,
$$
\Pr[M_i = b \mid C = c]
= \frac{2^{-1} \cdot \Pr[C = c \mid M_i = b]}{2^{-\ell}}
= \frac{2^{-1} \cdot 2^{-\ell}}{2^{-\ell}}
= 1/2,
$$
as required. Since this holds for every ciphertext $c$ and every index $i$, it holds in particular for the index $i$ that $A$ picks after seeing $c$, so $A$ guesses correctly with probability exactly $1/2$. (Note that this scheme, like the one in part (c), is nonetheless far from indistinguishable: with a 1-bit key, all ciphertext bits are equal iff all message bits are equal.)
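The following is an added example (it is not part of the original solutions) that implements the two constructions from parts (c) and (d) and checks both claims about them for small parameters: an eavesdropper distinguisher that wins with probability 1, and an exhaustive count, over all keys and messages, that $\Pr[M_i = b \mid C = c] = 1/2$ for every $c$, $i$ and $b$, mirroring the calculation in (d). Bit strings are modelled as tuples of 0/1 bits, and $n = \ell = 4$ is chosen here purely so that the enumeration is small.

```python
"""Added example: schemes 1(c) and 1(d), bitwise secure but not indistinguishable.
Bit strings are tuples of 0/1; n = l = 4 is an arbitrary small choice for enumeration."""
from collections import defaultdict
from fractions import Fraction
from itertools import product

ALL_4BIT = tuple(product((0, 1), repeat=4))   # {0,1}^4, used as key space and message space
HALF = Fraction(1, 2)


def enc_c(k, m):
    """1(c): key and message of length n; ciphertext (m xor k) || (m_1 xor m_2)."""
    assert len(k) == len(m) >= 2
    return tuple(mi ^ ki for mi, ki in zip(m, k)) + (m[0] ^ m[1],)


def enc_d(k, m):
    """1(d): one-bit key k; ciphertext (m_1 xor k) || ... || (m_l xor k)."""
    assert k in (0, 1)
    return tuple(mi ^ k for mi in m)


def distinguish_c(c):
    """Eavesdropper against 1(c) with m0 = 0...0, m1 = 10...0: last ciphertext bit is m_1 xor m_2."""
    return c[-1]


def distinguish_d(c):
    """Eavesdropper against 1(d) with m0 = 0...0, m1 = 10...0: with a one-bit key, all
    ciphertext bits are equal iff all message bits are equal."""
    return 0 if all(ci == c[0] for ci in c) else 1


def eav_success(enc, distinguish, keys, m0, m1):
    """Pr[PrivK^eav = 1], computed exactly over a uniform key and a uniform challenge bit."""
    wins = total = 0
    for k in keys:
        for b, m in ((0, m0), (1, m1)):
            wins += distinguish(enc(k, m)) == b
            total += 1
    return Fraction(wins, total)


def bitwise_posteriors(enc, keys, msgs):
    """Set of all values Pr[M_i = b | C = c] (over every c in the support, every i, every b),
    obtained by counting (k, m) pairs. Perfect bitwise security means the set is exactly {1/2}."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # counts[c][i][b]
    for k in keys:
        for m in msgs:
            c = enc(k, m)
            for i, mi in enumerate(m):
                counts[c][i][mi] += 1
    return {Fraction(n_b, n0 + n1)
            for per_index in counts.values()
            for (n0, n1) in per_index.values()
            for n_b in (n0, n1)}


def summary():
    """Both schemes: eavesdropper advantage 1, yet every message bit is a coin flip given C."""
    m0, m1 = (0, 0, 0, 0), (1, 0, 0, 0)
    return {
        "eav_c": eav_success(enc_c, distinguish_c, ALL_4BIT, m0, m1),
        "eav_d": eav_success(enc_d, distinguish_d, (0, 1), m0, m1),
        "posteriors_c": bitwise_posteriors(enc_c, ALL_4BIT, ALL_4BIT),
        "posteriors_d": bitwise_posteriors(enc_d, (0, 1), ALL_4BIT),
    }


if __name__ == "__main__":
    print(summary())
```

Running `summary()` gives eavesdropper success probability 1 for both schemes and the posterior set `{1/2}` for both, which is the separation between the two notions that parts (b) through (d) are about: bitwise security only constrains single-bit posteriors, not the joint distribution of bits.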
2. In this question, F is a pseudorandom function mapping n-bit keys and n-bit inputs to n-bit
outputs, and we need to decide if G is a pseudorandom generator.
(a) Here, $G(k) = F_k(0^{|k|}) \,\|\, F_k(1^{|k|})$. This is a pseudorandom generator. To see this, let $D$ be any ppt distinguishing algorithm. We need to show that
$$
\Bigl|\Pr_{k \leftarrow \{0,1\}^n}[D(G(k)) = 1] - \Pr_{r \leftarrow \{0,1\}^{2n}}[D(r) = 1]\Bigr| \le \mathrm{negl}(n). \qquad (1)
$$
Consider the following algorithm $A$ attacking the pseudorandom function $F$:
i. $A(1^n)$ has access to an oracle $\mathcal{O}$.
ii. It queries $r_1 = \mathcal{O}(0^n)$ and $r_2 = \mathcal{O}(1^n)$, runs $D(r_1 \| r_2)$, and outputs whatever $D$ does.
Clearly $A$ runs in polynomial time. When $\mathcal{O} = F_k$ for some $k$, then $r_1 \| r_2 = G(k)$. So,
$$
\Pr_{k \leftarrow \{0,1\}^n}[A^{F_k(\cdot)}(1^n) = 1] = \Pr_{k \leftarrow \{0,1\}^n}[D(G(k)) = 1].
$$
When $\mathcal{O}$ is a random function then $r_1 \| r_2$ is uniformly distributed (the two queries $0^n$ and $1^n$ are distinct, so the two answers are independent and uniform). Thus,
$$
\Pr_{f \leftarrow \mathrm{Func}_{n \to n}}[A^{f(\cdot)}(1^n) = 1] = \Pr_{r \leftarrow \{0,1\}^{2n}}[D(r) = 1].
$$
Since $F$ is a pseudorandom function, the following must be negligible:
$$
\Bigl|\Pr_{k \leftarrow \{0,1\}^n}[A^{F_k(\cdot)}(1^n) = 1] - \Pr_{f \leftarrow \mathrm{Func}_{n \to n}}[A^{f(\cdot)}(1^n) = 1]\Bigr|.
$$
This proves (1).
(b) Here, $G(k) = k \,\|\, F_k(0^{|k|})$. This is not a pseudorandom generator. Here is an attack $D$:
• Given $r$ of length $2n$, parse it as two $n$-bit strings $s \| t$. Output 1 iff $F_s(0^n) = t$.
This attack runs in polynomial time. It is easy to see that $\Pr_{k \leftarrow \{0,1\}^n}[D(G(k)) = 1] = 1$, since in that case $s = k$ and $t = F_k(0^n)$. On the other hand, if $r = s \| t$ is uniform then $t$ is uniform and independent of $s$, so the probability that $t$ is equal to $F_s(0^n)$ is exactly $2^{-n}$ and $\Pr_{r \leftarrow \{0,1\}^{2n}}[D(r) = 1] = 2^{-n}$. This attack distinguishes with the non-negligible advantage $1 - 2^{-n}$.
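As an added example (not from the original solutions), here are the two candidates from (a) and (b) and the distinguisher $D$ from (b) run against $G_b$. The exam leaves $F$ abstract; this code instantiates it with HMAC-SHA256 (an assumption made here, so $n$ is 32 bytes) and uses `os.urandom` for the uniform samples. The point is the one the proof makes: a generator that emits its own seed can be checked by anyone, while the uniform string passes the same check only with probability $2^{-n}$.

```python
"""Added example: the PRG candidates of 2(a) and 2(b) and the attack on 2(b).
F is assumed to be HMAC-SHA256 (the exam does not fix F); n = 32 bytes."""
import hashlib
import hmac
import os

N = 32  # block length in bytes: F maps 32-byte keys and 32-byte inputs to 32-byte outputs
ZERO = b"\x00" * N   # 0^n
ONE = b"\xff" * N    # 1^n


def F(k: bytes, x: bytes) -> bytes:
    """PRF stand-in F_k(x) = HMAC-SHA256(k, x). Assumed here, not specified by the exam."""
    assert len(k) == N and len(x) == N
    return hmac.new(k, x, hashlib.sha256).digest()


def G_a(k: bytes) -> bytes:
    """2(a): G(k) = F_k(0^n) || F_k(1^n). Pseudorandom whenever F is a PRF."""
    return F(k, ZERO) + F(k, ONE)


def G_b(k: bytes) -> bytes:
    """2(b): G(k) = k || F_k(0^n). The seed is part of the output."""
    return k + F(k, ZERO)


def D_b(r: bytes) -> int:
    """The distinguisher from 2(b): parse r as s || t and output 1 iff F_s(0^n) = t.
    Always 1 on G_b(k); 1 with probability 2^-n on a uniform 2n-byte string."""
    assert len(r) == 2 * N
    s, t = r[:N], r[N:]
    return int(hmac.compare_digest(F(s, ZERO), t))


def run_attack(trials: int = 64):
    """Empirical version of the two probabilities in the proof: fraction of G_b outputs
    accepted by D_b, and fraction of uniform 2n-byte strings accepted by D_b."""
    accepted_prg = accepted_uniform = 0
    for _ in range(trials):
        k = os.urandom(N)                  # k <- {0,1}^n
        r = os.urandom(2 * N)              # r <- {0,1}^{2n}
        accepted_prg += D_b(G_b(k))
        accepted_uniform += D_b(r)
    return accepted_prg / trials, accepted_uniform / trials


if __name__ == "__main__":
    print("Pr[D(G_b(k)) = 1], Pr[D(r) = 1] estimated as", run_attack())
```

The same distinguisher is useless against `G_a`, because nothing in `G_a(k)` reveals `k`; that is exactly what the reduction in (a) formalizes.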
(c) Define $F^{(1)}_k(x) = F_k(x)$, and $F^{(i)}_k(x) = F_k\bigl(F^{(i-1)}_k(x)\bigr)$ for $i > 1$. Here, for some fixed polynomial $p$, we have
$$
G(k, x) = F^{(1)}_k(x) \,\|\, \cdots \,\|\, F^{(p(|k|))}_k(x).
$$
This is a pseudorandom generator. To see this, let $D$ be any ppt distinguishing algorithm. Construct the following ppt algorithm $A$ attacking the pseudorandom function $F$:
i. $A(1^n)$ has access to an oracle $\mathcal{O}$.
ii. $A$ chooses $x \leftarrow \{0,1\}^n$ and queries $r_1 = \mathcal{O}(x)$, $r_2 = \mathcal{O}(r_1)$, $\ldots$, $r_p = \mathcal{O}(r_{p-1})$. It runs $D(r_1 \| \cdots \| r_p)$ and outputs whatever $D$ outputs.
When $\mathcal{O} = F_k$ for some $k$, then $r_1 \| \cdots \| r_p = G(k, x)$ and therefore
$$
\Pr_{k \leftarrow \{0,1\}^n}[A^{F_k(\cdot)}(1^n) = 1] = \Pr_{k, x \leftarrow \{0,1\}^n}[D(G(k, x)) = 1].
$$
When $\mathcal{O}$ is a random function, one might think that $r_1 \| \cdots \| r_p$ is random. This is not true! For example, if $r_1 = r_2$ then $r_3 = \cdots = r_p = r_2$ as well. It is also not correct to claim that $r_1 \| \cdots \| r_p$ is uniform conditioned on $r_i \ne r_j$ for all $i \ne j$: a uniform string might have $r_i = r_j$ for $i \ne j$, whereas the stated distribution (by definition) does not. What we can claim, however, is that the distribution over $r_1 \| \cdots \| r_p$ is statistically close to uniform.$^1$ This follows because each answer of the random function is a fresh uniform value until some query repeats an earlier one; the queries are $x, r_1, \ldots, r_{p-1}$, and the probability that two of them coincide is at most $p(n)^2/2^n$, which is negligible. So,
$$
\Bigl|\Pr_{f \leftarrow \mathrm{Func}_{n \to n}}[A^{f(\cdot)}(1^n) = 1] - \Pr_{r \leftarrow \{0,1\}^{pn}}[D(r) = 1]\Bigr| \le \mathrm{negl}(n).
$$
The assumption that $F$ is a pseudorandom function then implies that
$$
\Bigl|\Pr_{k, x \leftarrow \{0,1\}^n}[D(G(k, x)) = 1] - \Pr_{r \leftarrow \{0,1\}^{pn}}[D(r) = 1]\Bigr| \le \mathrm{negl}'(n).
$$
Since $D$ was arbitrary, this proves that $G$ is a pseudorandom generator.
$^1$ The statistical difference between two distributions $A$ and $B$ over the same set $U$ is defined as $\mathrm{SD}(A, B) = \frac{1}{2} \cdot \sum_{x \in U} \bigl|\Pr_A[x] - \Pr_B[x]\bigr|$. Two sequences of distributions $\{A_n\}_{n \in \mathbb{N}}$ and $\{B_n\}_{n \in \mathbb{N}}$ are statistically close if the function $\epsilon(n) = \mathrm{SD}(A_n, B_n)$ is negligible.
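The subtle step in (c) is the hybrid in which the PRF is replaced by a random function. The following added example (not from the original solutions) simulates that hybrid the way a reduction would, with a lazily sampled random function, and makes the two facts used in the proof concrete: once any oracle input repeats, the rest of the chain repeats with it, and the probability of such a repeat among the $p$ inputs $x, r_1, \ldots, r_{p-1}$ has the exact value $1 - \prod_{j=1}^{p-1}(2^n - j)/2^n$, which is below the cruder $p^2/2^n$ bound quoted above. The parameter values in the demonstration ($n = 4$, $p = 6$) are arbitrary small choices.

```python
"""Added example: the iterated chain r_1 = O(x), r_2 = O(r_1), ... of 2(c) with O a random
function, its periodicity after a repeated input, and the exact collision probability."""
import random
from fractions import Fraction


class LazyRandomFunction:
    """f <- Func_{n->n}, sampled on demand: each new input receives a fresh uniform n-bit output."""

    def __init__(self, n: int, rng: random.Random):
        self.n, self.rng, self.table = n, rng, {}

    def __call__(self, x: int) -> int:
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(self.n)
        return self.table[x]


def chain(oracle, x: int, p: int) -> list:
    """r_1 = O(x), r_2 = O(r_1), ..., r_p = O(r_{p-1}): what A feeds to D in the proof."""
    out, cur = [], x
    for _ in range(p):
        cur = oracle(cur)
        out.append(cur)
    return out


def first_repeat(x: int, rs: list):
    """(i, j) with i < j for the first repeated oracle *input* among x, r_1, ..., r_{p-1}
    (input 0 is x, input i >= 1 is r_i), or None if all p inputs are distinct."""
    inputs = [x] + rs[:-1]
    seen = {}
    for j, v in enumerate(inputs):
        if v in seen:
            return seen[v], j
        seen[v] = j
    return None


def tail_is_periodic(x: int, rs: list) -> bool:
    """If inputs i < j coincide then their outputs rs[i], rs[j] coincide, and so do all later
    ones: rs[i + t] == rs[j + t]. Without a repeat there is nothing to check."""
    rep = first_repeat(x, rs)
    if rep is None:
        return True
    i, j = rep
    return all(rs[i + t] == rs[j + t] for t in range(len(rs) - j))


def collision_probability(n: int, p: int) -> Fraction:
    """Exact Pr[some two of the p inputs x, r_1, ..., r_{p-1} coincide] for f <- Func_{n->n}
    and x <- {0,1}^n: until the first repeat every new input is uniform and independent of
    the earlier ones, so Pr[all distinct] = prod_{j=1}^{p-1} (2^n - j) / 2^n."""
    size = 2 ** n
    no_coll = Fraction(1)
    for j in range(1, min(p, size + 1)):
        no_coll *= Fraction(size - j, size)
    return 1 - no_coll


def proof_bound(n: int, p: int) -> Fraction:
    """The bound p^2 / 2^n used in the solution (always >= collision_probability(n, p))."""
    return Fraction(p * p, 2 ** n)


def simulate(n: int, p: int, trials: int, seed: int = 1) -> Fraction:
    """Monte Carlo estimate of the collision probability; every sampled chain is also checked
    for the periodicity property."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        f = LazyRandomFunction(n, rng)
        x = rng.getrandbits(n)
        rs = chain(f, x, p)
        assert tail_is_periodic(x, rs)
        hits += first_repeat(x, rs) is not None
    return Fraction(hits, trials)


if __name__ == "__main__":
    print("exact:", collision_probability(4, 6), "bound:", proof_bound(4, 6),
          "estimate:", simulate(4, 6, 2000))
```

With $n = 4$ and $p = 6$ about two thirds of the chains repeat, so the non-uniformity is visible by eye; with $n$ equal to the real block size the same code shows why the statistical distance is negligible. The same repeat-then-cycle behaviour is what bounds the usable output length of OFB-style keystream generators.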
3. Note that in the given definition of weak pseudorandom functions, when b = 1 the {yi } are
chosen independently and uniformly even if ri = rj for some i 6= j.
(a) $F'$ is clearly not a pseudorandom function. Here is a simple attack: given access to an oracle $\mathcal{O}$, choose odd $x$ and query $r_1 = \mathcal{O}(x)$ and $r_2 = \mathcal{O}(x + 1)$. Output 1 iff $r_1 = r_2$. This algorithm outputs 1 with probability 1 when $\mathcal{O} = F'_k$ for a random $k$, but outputs 1 with probability $2^{-n}$ when $\mathcal{O}$ is a random function (the two queries are distinct, so the two answers are independent uniform strings).
On the other hand, $F'$ is a weak pseudorandom function. We prove this by reduction to the security of $F$. Let $A$ be any ppt algorithm attacking $F'$ and let $p$ be any polynomial, and construct the following algorithm $B$ attacking $F$:
i. $B(1^n)$ has access to an oracle $\mathcal{O}$. Let $p = p(n)$.
ii. $B$ chooses independent, uniform $r_1, \ldots, r_p \leftarrow \{0,1\}^n$. For each $r_i$ do:
A. If $r_i$ is even, set $y_i = \mathcal{O}(r_i)$.
B. If $r_i$ is odd, set $y_i = \mathcal{O}(r_i + 1)$.
iii. $B$ runs $A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr)$ and outputs whatever $A$ outputs.
We first analyze what happens when $\mathcal{O} = F_k$ for some $k$. Then we have
$$
\Pr_{k \leftarrow \{0,1\}^n}\bigl[B^{F_k(\cdot)}(1^n) = 1\bigr]
= \Pr_{k \leftarrow \{0,1\}^n}\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; y_i = F'_k(r_i)\bigr]
= \Pr\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; b = 0\bigr],
$$
where the final probability refers to the weak pseudorandom function experiment using $F'$. On the other hand, when $\mathcal{O}$ is a random function, then the $\{y_i\}$ are independently and uniformly distributed as long as $B$ never makes the same query twice to $\mathcal{O}$. Define $\mathrm{Coll}$ to be the event that for some $i \ne j$ either $r_i = r_j$ or $r_i = r_j + 1$. Note that $\Pr[\mathrm{Coll}]$ is identical in the weak pseudorandom function experiment and when $A$ is run as a subroutine by $B$ (indeed, in both cases the $\{r_i\}$ are chosen uniformly and independently from $\{0,1\}^n$). We have
$$
\Pr_{f \leftarrow \mathrm{Func}_{n \to n}}\bigl[B^{f(\cdot)}(1^n) = 1 \;\big|\; \overline{\mathrm{Coll}}\bigr]
= \Pr\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; b = 1 \wedge \overline{\mathrm{Coll}}\bigr],
$$
and therefore (since $\Pr[\mathrm{Coll}] \le 3 \cdot p(n)^2/2^n$ is negligible)
$$
\Bigl|\Pr_{f \leftarrow \mathrm{Func}_{n \to n}}\bigl[B^{f(\cdot)}(1^n) = 1\bigr] - \Pr\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; b = 1\bigr]\Bigr|
\le \Pr[\mathrm{Coll}] \le \mathrm{negl}(n).
$$
$B$ runs in polynomial time and $F$ is a pseudorandom function, so this implies that
$$
\Bigl|\Pr\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; b = 0\bigr] - \Pr\bigl[A\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 1 \;\big|\; b = 1\bigr]\Bigr|
$$
is negligible. Since $A$ and $p$ were arbitrary, we conclude that $F'$ is weakly pseudorandom.
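The question's definition of $F'$ is not reproduced on this page; the reduction above queries $\mathcal{O}(r_i)$ for even $r_i$ and $\mathcal{O}(r_i + 1)$ for odd $r_i$, so the added example below (not from the original solutions) assumes $F'_k(x) = F_k(x)$ for even $x$ and $F'_k(x) = F_k(x + 1)$ for odd $x$, with $x$ read as an $n$-bit integer and $x + 1$ reduced mod $2^n$ (an assumption for the wrap-around case $x = 1^n$, which the page does not discuss). $F$ is again instantiated with HMAC-SHA256 (also an assumption). It shows the adaptive attack from the first paragraph of (a), which exploits the attacker's choice of inputs, and step ii of $B$, which turns an oracle for $F$ into exactly the pairs $(r_i, F'_k(r_i))$ that a weak-PRF attacker receives.

```python
"""Added example for 3(a): an assumed F' (F'_k(x) = F_k(x) for even x, F_k(x+1) for odd x),
the adaptive distinguisher that breaks it as a PRF, and B's simulation of weak-PRF samples.
F is assumed to be HMAC-SHA256 over 256-bit inputs."""
import hashlib
import hmac
import random

N_BITS = 256          # n: inputs are n-bit integers, keys and outputs are 32 bytes
MOD = 1 << N_BITS


def F(k: bytes, x: int) -> bytes:
    """PRF stand-in F_k(x) = HMAC-SHA256(k, x) with x encoded as an n-bit big-endian integer."""
    return hmac.new(k, (x % MOD).to_bytes(N_BITS // 8, "big"), hashlib.sha256).digest()


def F_prime(k: bytes, x: int) -> bytes:
    """Assumed F': even inputs are evaluated directly; odd inputs are mapped to their even
    successor, so F'_k(x) == F'_k(x + 1) for every odd x."""
    return F(k, x) if x % 2 == 0 else F(k, (x + 1) % MOD)


def adaptive_attack(oracle, seed: int = 0) -> int:
    """The PRF distinguisher from 3(a): pick an odd x, query x and x + 1, output 1 iff the two
    answers agree. Always 1 against F'_k; 1 with probability 2^-n against a random function."""
    rng = random.Random(seed)
    x = rng.getrandbits(N_BITS) | 1          # force x odd
    return int(oracle(x) == oracle((x + 1) % MOD))


def random_function(seed: int = 0):
    """f <- Func_{n->n}, sampled lazily on first query (the reduction's view of the b = 1 case)."""
    rng = random.Random(seed)
    table = {}

    def f(x: int) -> bytes:
        if x not in table:
            table[x] = rng.getrandbits(N_BITS).to_bytes(N_BITS // 8, "big")
        return table[x]
    return f


def simulate_weak_prf_samples(oracle, rs: list) -> list:
    """Step ii of B: from an oracle for F build the pairs (r_i, y_i) that A expects in the
    weak-PRF experiment for F'. Even r_i are queried directly, odd r_i as r_i + 1."""
    return [(r, oracle(r) if r % 2 == 0 else oracle((r + 1) % MOD)) for r in rs]


def samples_match_F_prime(k: bytes, rs: list) -> bool:
    """When O = F_k, B's pairs are exactly {(r_i, F'_k(r_i))}: the b = 0 case of the experiment."""
    return simulate_weak_prf_samples(lambda x: F(k, x), rs) == [(r, F_prime(k, r)) for r in rs]


if __name__ == "__main__":
    k = b"\x2a" * 32
    print("attack vs F':", adaptive_attack(lambda x: F_prime(k, x)))
    print("attack vs random function:", adaptive_attack(random_function()))
    print("B simulates F' samples correctly:", samples_match_F_prime(k, [0, 1, 2, MOD - 1]))
```

The weak-PRF attacker never gets to pick $x$ and $x + 1$ itself; it only sees uniformly chosen $r_i$, and two of them form such a pair only in the event $\mathrm{Coll}$ bounded above. That asymmetry between chosen and random inputs is the whole content of the weak-PRF notion.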
(b) When the weak pseudorandom function is instantiated as in part (a), an attack is
straightforward. This shows that the construction is not secure, in general, when a
weak pseudorandom function is used.
(c) This scheme is CPA-secure. To see this, fix some ppt adversary $A$ attacking the encryption scheme and construct the following algorithm $B$ attacking the weak pseudorandom function $F$. (Below, $b$ always denotes the bit of the weak pseudorandom function experiment; the challenge bit that $B$ picks on behalf of the CPA experiment is written $\beta$ to keep the two apart.)
i. Let $p(n)$ be a polynomial$^2$ upper bound on the total number of message blocks $A$ sees encrypted (this includes any CPA-queries made by $A$ as well as the challenge ciphertext that $A$ receives).
ii. $B$ receives $p = p(n)$ pairs $\{(r_i, y_i)\}_{i=1}^p$.
iii. To answer an encryption query $m_1, \ldots, m_\ell$ of $A$, algorithm $B$ takes the next (unused) pairs $(r_i, y_i), \ldots, (r_{i+\ell-1}, y_{i+\ell-1})$ and returns to $A$ the ciphertext
$$
\langle r_i,\; y_i \oplus m_1,\; \ldots,\; r_{i+\ell-1},\; y_{i+\ell-1} \oplus m_\ell \rangle.
$$
(By construction, $B$ never runs out of fresh pairs to use.)
iv. When $A$ outputs its messages $m_0, m_1$, then $B$ chooses a random bit $\beta$, encrypts $m_\beta$ as in the previous step, and gives the result to $A$.
v. Any additional encryption queries made by $A$ are answered as before. We stress that a fresh pair $(r_i, y_i)$ is used for encrypting every block.
vi. Eventually $A$ outputs a bit $\beta'$. If $\beta' = \beta$ then $B$ outputs 0; else it outputs 1.
The analysis here is fairly easy. When $\{(r_i, y_i)\}_{i=1}^p$ are generated by choosing the $\{r_i\}$ independently and uniformly at random and setting $y_i = F_k(r_i)$ for a random key $k$ (i.e., $b = 0$ in the weak pseudorandom function experiment), then the view of $A$ is identical to its view in the CPA-security experiment. Thus,
$$
\Pr\bigl[B\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 0 \;\big|\; b = 0\bigr] = \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1].
$$
On the other hand, when $\{(r_i, y_i)\}_{i=1}^p$ are generated by choosing the $\{r_i\}$ and the $\{y_i\}$ independently and uniformly at random (i.e., $b = 1$ in the weak pseudorandom function experiment), then every block is masked by a fresh uniform $y_i$ that is used nowhere else (a one-time pad), so $A$ has no information about what was encrypted and $\beta' = \beta$ with probability exactly half; i.e.,
$$
\Pr\bigl[B\bigl(\{(r_i, y_i)\}_{i=1}^p\bigr) = 0 \;\big|\; b = 1\bigr] = 1/2.
$$
Since $B$ runs in polynomial time and $F$ is a weak pseudorandom function, the difference between these two probabilities is negligible, and so we conclude that
$$
\bigl|\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] - 1/2\bigr|
$$
is negligible, as desired.
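The scheme analysed in (c), as an added example that is not part of the original solutions: each block is encrypted as $\langle r, F_k(r) \oplus m\rangle$ with a fresh uniform $r$, and the failure mode the proof's stress on fresh pairs guards against is shown alongside it. If the same $r$ is ever used for two blocks, the two ciphertext blocks XOR to $m_i \oplus m_j$, with no key involved. $F$ is instantiated with HMAC-SHA256 (an assumption; the exam treats $F$ as an abstract weak PRF), so blocks and $r$ values are 32 bytes.

```python
"""Added example for 3(c): <r_i, F_k(r_i) xor m_i> per block with fresh r_i, and the leak
when an r_i is reused. F is assumed to be HMAC-SHA256; blocks and r are 32 bytes."""
import hashlib
import hmac
import os

N = 32  # block length in bytes


def F(k: bytes, r: bytes) -> bytes:
    """Weak-PRF stand-in F_k(r) = HMAC-SHA256(k, r). Assumed here, not fixed by the exam."""
    return hmac.new(k, r, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(k: bytes, blocks: list, fresh=lambda: os.urandom(N)) -> list:
    """Returns [(r_1, F_k(r_1) xor m_1), ..., (r_l, F_k(r_l) xor m_l)].
    `fresh` samples each r_i; the default draws a new uniform value for every block, which
    is the property the CPA-security proof relies on."""
    out = []
    for m in blocks:
        assert len(m) == N
        r = fresh()
        out.append((r, xor(F(k, r), m)))
    return out


def decrypt(k: bytes, ct: list) -> list:
    """Recompute each mask F_k(r_i) from the transmitted r_i and strip it."""
    return [xor(F(k, r), c) for r, c in ct]


def roundtrip_ok(k: bytes, blocks: list) -> bool:
    return decrypt(k, encrypt(k, blocks)) == blocks


def leak_from_reused_r(ct: list) -> list:
    """Eavesdropper's computation, no key needed: for any two blocks sharing the same r the
    XOR of the ciphertext blocks equals m_i xor m_j, because both carry the mask F_k(r).
    Returns [(i, j, m_i xor m_j)]."""
    leaks = []
    for i in range(len(ct)):
        for j in range(i + 1, len(ct)):
            if ct[i][0] == ct[j][0]:
                leaks.append((i, j, xor(ct[i][1], ct[j][1])))
    return leaks


def reuse_demo(k: bytes, m1: bytes, m2: bytes) -> list:
    """Encrypt two blocks with a deliberately broken sampler that returns the same r twice,
    and return what the eavesdropper recovers: exactly [m1 xor m2]."""
    same_r = os.urandom(N)
    ct = encrypt(k, [m1, m2], fresh=lambda: same_r)
    return [leak for (_, _, leak) in leak_from_reused_r(ct)]


if __name__ == "__main__":
    k = os.urandom(N)
    print("round trip:", roundtrip_ok(k, [b"A" * N, b"B" * N]))
    print("leak under r reuse:", reuse_demo(k, b"A" * N, b"B" * N)[0].hex())
```

With fresh randomness the reduction in (c) goes through because a weak PRF only has to look random on inputs the attacker did not choose; with a reused $r$ the argument, and the scheme, collapse in the same way a reused one-time pad does.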
(d) When the weak pseudorandom function is instantiated as in part (a), an attack is
straightforward. This shows that the construction is not secure, in general, when a
weak pseudorandom function is used.
4. Fix some ppt algorithm $I$, and let $\epsilon(n)$ denote $I$'s probability of inverting $G$; i.e.,
$$
\epsilon(n) \stackrel{\mathrm{def}}{=} \Pr\bigl[x \leftarrow \{0,1\}^n;\; y := G(x);\; x' \leftarrow I(y) \;:\; G(x') = y\bigr].
$$
Consider the following ppt distinguishing algorithm $D$:
• Given $y \in \{0,1\}^{2n}$, run $I(y)$ to get $x'$. If $G(x') = y$ output 1; else output 0.
It is immediate that $\Pr_{x \leftarrow \{0,1\}^n}[D(G(x)) = 1] = \epsilon(n)$. On the other hand, when $y$ is chosen at random then $y$ is only in the range of $G$ with probability
$$
\frac{\bigl|\{G(x) : x \in \{0,1\}^n\}\bigr|}{2^{2n}} \le \frac{2^n}{2^{2n}} = 2^{-n}.
$$
Furthermore, $I$ cannot possibly invert $y$ (and so $D$ cannot possibly output 1) when $y$ is not in the range of $G$. So,
$$
\Pr_{y \leftarrow \{0,1\}^{2n}}[D(y) = 1] \le \Pr[y \text{ is in the range of } G] \le 2^{-n}.
$$
Since $G$ is pseudorandom, we must have
$$
\Bigl|\epsilon(n) - \Pr_{y \leftarrow \{0,1\}^{2n}}[D(y) = 1]\Bigr| \le \mathrm{negl}(n),
$$
and hence $\epsilon(n) \le 2^{-n} + \mathrm{negl}(n) \le \mathrm{negl}'(n)$. Since $I$ was arbitrary, this proves that $G$ is one-way.

$^2$ Since $A$ runs in polynomial time, we know that such a bound exists.