Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:04 [2017/03/13 14:46] dan.dragan |
sasc:laboratoare:04 [2017/03/16 16:21] (current) marios.choudary |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 04 - PRFs and PRPs ===== | + | ===== Lab 04 - PRGs, PRFs and PRPs ===== |
| Line 20: | Line 20: | ||
| The advantage $\mathsf{Adv}$ captures the adversary’s ability to distinguish the two experiments. If the advantage is $0$ then the adversary behaves exactly the same in both experiments and therefore does not distinguish between them. If the advantage is $1$ then the adversary can tell perfectly what experiment it is in. If the advantage is negligible for all efficient adversaries (as defined in class) then we say that the two experiments are indistinguishable. | The advantage $\mathsf{Adv}$ captures the adversary’s ability to distinguish the two experiments. If the advantage is $0$ then the adversary behaves exactly the same in both experiments and therefore does not distinguish between them. If the advantage is $1$ then the adversary can tell perfectly what experiment it is in. If the advantage is negligible for all efficient adversaries (as defined in class) then we say that the two experiments are indistinguishable. | ||
| - | a. Calculate the advantage of each of the following adversaries: | + | Calculate the advantage of each of the following adversaries: |
| * A1: Always output $1$. | * A1: Always output $1$. | ||
| * A2: Ignore the result reported by the challenger, and randomly output $0$ or $1$ with even probability. | * A2: Ignore the result reported by the challenger, and randomly output $0$ or $1$ with even probability. | ||
| Line 27: | Line 27: | ||
| * A5: If HEADS was received, output $1$. If TAILS was received, randomly output $0$ or $1$ with even probability. | * A5: If HEADS was received, output $1$. If TAILS was received, randomly output $0$ or $1$ with even probability. | ||
| - | b. What is the maximum advantage possible in distinguishing these two experiments? Explain why. | ||
| ==== Exercise 2 (4p) ==== | ==== Exercise 2 (4p) ==== | ||
| Line 37: | Line 36: | ||
| * c) Let $K_3 = \{0, 1\}^{n+1}$. Construct a new PRF $F_3 : K_3 \times X \to Y$ with the following property: the PRF $F_3$ is secure, however if the adversary learns the last bit of the key then the PRF is no longer secure. This shows that leaking even a single bit of the secret key can completely destroy the PRF security property. | * c) Let $K_3 = \{0, 1\}^{n+1}$. Construct a new PRF $F_3 : K_3 \times X \to Y$ with the following property: the PRF $F_3$ is secure, however if the adversary learns the last bit of the key then the PRF is no longer secure. This shows that leaking even a single bit of the secret key can completely destroy the PRF security property. | ||
| <note tip> | <note tip> | ||
| - | Hint: Let $k_3 = k \| b$ where $k \in \{0,1\}^{n}$ and $b \in \{0,1\}$. Set $F_3(k_3,x)$ to be the same as $F (k, x)$ for all $x \neq 0^{n}$. Define $F_3\left(k_3, 0^{n}\right)$ so that $F_3$ is a secure PRF, but becomes easily distinguishable from a random function if the last bit of the secret key $k_3$ is known to the adversary. Prove that your $F_3$ is a secure PRF by arguing the contra-positive, as in part (b). | + | Hint: Let $k_3 = k \| b$ where $k \in \{0,1\}^{n}$ and $b \in \{0,1\}$. Set $F_3(k_3,x)$ so that $F_3$ is a secure PRF, but becomes easily distinguishable from a random function if the last bit of the secret key $k_3$ is known to the adversary. Prove that your $F_3$ is a secure PRF by arguing the contra-positive, as in part (b). |
| </note> | </note> | ||
| - | * d) Construct a new PRF $F_4 : K_2 × X \to Y$ that remains secure if the attacker learns any single bit of the key. Your function $F_2$ may only call $F$ once. Briefly explain why your PRF remains secure if any single bit of the key is leaked. | ||
| + | ==== Exercise 3 (2p) ==== | ||
| + | |||
| + | Let $F : K × X \to Y$ be a secure PRF with $K = X = Y = \{0, 1\}^{n}$. | ||
| + | |||
| + | Give example of a secure PRG $G : K \to Z$ with $Z = \{0, 1\}^{nt}$. | ||
| + | |||
| + | ==== Exercise 4 (2p) ==== | ||
| + | |||
| + | In class we showed the indistinguishability game, which we used to determine the advantage of an adversary against an encryption scheme that wants to provide semantic security (i.e. against an eavesdropper that observes a single ciphertext). | ||
| + | In the game, the adversary sends two messages, $m_0$ and $m_1$ and gets to see the encryption $c_b = E(k, m_b)$ of one of them (depending on the random bit $b$). The adversary's task is to determine correctly which message was encrypted by returning a bit $b'$. | ||
| + | |||
| + | We defined security of encryption scheme E against an eavesdropper in two ways: | ||
| + | |||
| + | * $Pr[A(c_b)=b] \le \frac{1}{2} + negl(n)$ | ||
| + | * $|Pr[A(c_1)=1] - Pr[A(c_0)=1]| \le negl(n)$ | ||
| + | |||
| + | where $A(c_i) = j$ means that when the adversary receives the encryption of message $i$ he returns the bit $b'=j$. | ||
| + | |||
| + | Show that the two are equivalent. | ||
| + | |||
| + | <hidden> | ||
| + | Hint: start from the first form ($Pr[A(c_b)=b] \le negl(n)$) and develop the probability as | ||
| + | $\frac{1}{2}Pr[A(c_0)=0] + \frac{1}{2}Pr[A(c_1)=1]$. | ||
| + | Then replace $Pr[A(c_0)=0]$ by $1 - Pr[A(c_0)=1]$. | ||
| + | </hidden> | ||
