In this lab we shall do some exercises related to PRFs, PRPs and DES. Please check the course, available here: http://cs.curs.pub.ro/2014/pluginfile.php/13095/mod_resource/content/1/sasc_curs4.pdf
Advantage. The purpose of this problem is to clarify the concept of advantage. Consider the following two experiments $\mathsf{EXP}(0)$ and $\mathsf{EXP}(1)$:
Let r = 0 for HEADS and r = 1 for TAILS. Then we have the experiment as shown below:
The adversary’s goal is to distinguish these two experiments: at the end of each experiment the adversary outputs a bit $0$ or $1$ for its guess for which experiment it is in. For $b = 0,1$ let $W_{b}$ be the event that in experiment $b$ the adversary output $1$. The adversary tries to maximize its distinguishing advantage, namely the quantity $\mathsf{Adv} = \left| \mathsf{Pr}\left[W_{0}\right] − \mathsf{Pr}\left[W_{1}\right] \right| \in \left[0, 1\right]$ .
The advantage $\mathsf{Adv}$ captures the adversary’s ability to distinguish the two experiments. If the advantage is $0$ then the adversary behaves exactly the same in both experiments and therefore does not distinguish between them. If the advantage is $1$ then the adversary can tell perfectly what experiment it is in. If the advantage is negligible for all efficient adversaries (as defined in class) then we say that the two experiments are indistinguishable.
Calculate the advantage of each of the following adversaries:
Let $F : K × X \to Y$ be a secure PRF with $K = X = Y = \{0, 1\}^{n}$.
Let $F : K × X \to Y$ be a secure PRF with $K = X = Y = \{0, 1\}^{n}$.
Give example of a secure PRG $G : K \to Z$ with $Z = \{0, 1\}^{nt}$.
In class we showed the indistinguishability game, which we used to determine the advantage of an adversary against an encryption scheme that wants to provide semantic security (i.e. against an eavesdropper that observes a single ciphertext). In the game, the adversary sends two messages, $m_0$ and $m_1$ and gets to see the encryption $c_b = E(k, m_b)$ of one of them (depending on the random bit $b$). The adversary's task is to determine correctly which message was encrypted by returning a bit $b'$.
We defined security of encryption scheme E against an eavesdropper in two ways:
where $A(c_i) = j$ means that when the adversary receives the encryption of message $i$ he returns the bit $b'=j$.
Show that the two are equivalent.