Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:04 [2017/03/16 14:26] marios.choudary |
sasc:laboratoare:04 [2017/03/16 16:21] (current) marios.choudary |
||
|---|---|---|---|
| Line 36: | Line 36: | ||
| * c) Let $K_3 = \{0, 1\}^{n+1}$. Construct a new PRF $F_3 : K_3 \times X \to Y$ with the following property: the PRF $F_3$ is secure, however if the adversary learns the last bit of the key then the PRF is no longer secure. This shows that leaking even a single bit of the secret key can completely destroy the PRF security property. | * c) Let $K_3 = \{0, 1\}^{n+1}$. Construct a new PRF $F_3 : K_3 \times X \to Y$ with the following property: the PRF $F_3$ is secure, however if the adversary learns the last bit of the key then the PRF is no longer secure. This shows that leaking even a single bit of the secret key can completely destroy the PRF security property. | ||
| <note tip> | <note tip> | ||
| - | Hint: Let $k_3 = k \| b$ where $k \in \{0,1\}^{n}$ and $b \in \{0,1\}$. Set $F_3(k_3,x)$ to be the same as $F (k, x)$ for all $x \neq 0^{n}$. Define $F_3\left(k_3, 0^{n}\right)$ so that $F_3$ is a secure PRF, but becomes easily distinguishable from a random function if the last bit of the secret key $k_3$ is known to the adversary. Prove that your $F_3$ is a secure PRF by arguing the contra-positive, as in part (b). | + | Hint: Let $k_3 = k \| b$ where $k \in \{0,1\}^{n}$ and $b \in \{0,1\}$. Set $F_3(k_3,x)$ so that $F_3$ is a secure PRF, but becomes easily distinguishable from a random function if the last bit of the secret key $k_3$ is known to the adversary. Prove that your $F_3$ is a secure PRF by arguing the contra-positive, as in part (b). |
| </note> | </note> | ||
| - | * d) Construct a new PRF $F_4 : K_3 × X \to Y$ that remains secure if the attacker learns any single bit of the key. Your function $F_4$ may only call $F$ once. Briefly explain why your PRF remains secure if any single bit of the key is leaked. | ||
| ==== Exercise 3 (2p) ==== | ==== Exercise 3 (2p) ==== | ||
| Line 53: | Line 52: | ||
| We defined security of encryption scheme E against an eavesdropper in two ways: | We defined security of encryption scheme E against an eavesdropper in two ways: | ||
| - | * $Pr[A(c_b)=b] \le negl(n)$ | + | * $Pr[A(c_b)=b] \le \frac{1}{2} + negl(n)$ |
| - | * $|Pr[A(c_1)=1] - Pr[A(c_0)=1]| \le \frac{1}{2} + negl(n)$ | + | * $|Pr[A(c_1)=1] - Pr[A(c_0)=1]| \le negl(n)$ |
| where $A(c_i) = j$ means that when the adversary receives the encryption of message $i$ he returns the bit $b'=j$. | where $A(c_i) = j$ means that when the adversary receives the encryption of message $i$ he returns the bit $b'=j$. | ||
