This is an old revision of the document!


Lab 04 - PRGs, PRFs and PRPs

In this lab we shall do some exercises related to PRFs, PRPs and DES. Please check the course, available here: http://cs.curs.pub.ro/2014/pluginfile.php/13095/mod_resource/content/1/sasc_curs4.pdf

Exercise 1 (4p)

Advantage. The purpose of this problem is to clarify the concept of advantage. Consider the following two experiments $\mathsf{EXP}(0)$ and $\mathsf{EXP}(1)$:

  • In $\mathsf{EXP}(0)$ the challenger flips a fair coin (probability $1/2$ for HEADS and $1/2$ for TAILS) and sends the result to the adversary $\mathsf{A}$.
  • In $\mathsf{EXP}(1)$ the challenger always sends TAILS to the adversary.

Let r = 0 for HEADS and r = 1 for TAILS. Then we have the experiment as shown below:

The adversary’s goal is to distinguish these two experiments: at the end of each experiment the adversary outputs a bit $0$ or $1$ for its guess for which experiment it is in. For $b = 0,1$ let $W_{b}$ be the event that in experiment $b$ the adversary output $1$. The adversary tries to maximize its distinguishing advantage, namely the quantity $\mathsf{Adv} = \left| \mathsf{Pr}\left[W_{0}\right] − \mathsf{Pr}\left[W_{1}\right] \right| \in \left[0, 1\right]$ .

The advantage $\mathsf{Adv}$ captures the adversary’s ability to distinguish the two experiments. If the advantage is $0$ then the adversary behaves exactly the same in both experiments and therefore does not distinguish between them. If the advantage is $1$ then the adversary can tell perfectly what experiment it is in. If the advantage is negligible for all efficient adversaries (as defined in class) then we say that the two experiments are indistinguishable.

a. Calculate the advantage of each of the following adversaries:

  • A1: Always output $1$.
  • A2: Ignore the result reported by the challenger, and randomly output $0$ or $1$ with even probability.
  • A3: Output $1$ if HEADS was received from the challenger, else output $0$.
  • A4: Output $0$ if HEADS was received from the challenger, else output $1$.
  • A5: If HEADS was received, output $1$. If TAILS was received, randomly output $0$ or $1$ with even probability.

b. What is the maximum advantage possible in distinguishing these two experiments? Explain why.

Exercise 2 (4p)

Let $F : K × X \to Y$ be a secure PRF with $K = X = Y = \{0, 1\}^{n}$.

  • a) Show that $F_1(k,x) = F(k,x) \| 0$ is not a secure PRF. (for strings $y$ and $z$ we use $y \| z$ to denote the concatenation of $y$ and $z$)
  • b) Prove that $F_2(k, x) = F \left(k, x \oplus 1^{n}\right)$ is a secure PRF. Here $x \oplus 1^{n}$ is the bit-wise complement of $x$. To prove security argue the contra-positive: a distinguisher $A$ that breaks $F_2$ implies a distinguisher $B$ that breaks $F$ and whose running time is about the same as $A$’s.
  • c) Let $K_3 = \{0, 1\}^{n+1}$. Construct a new PRF $F_3 : K_3 \times X \to Y$ with the following property: the PRF $F_3$ is secure, however if the adversary learns the last bit of the key then the PRF is no longer secure. This shows that leaking even a single bit of the secret key can completely destroy the PRF security property.

Hint: Let $k_3 = k \| b$ where $k \in \{0,1\}^{n}$ and $b \in \{0,1\}$. Set $F_3(k_3,x)$ to be the same as $F (k, x)$ for all $x \neq 0^{n}$. Define $F_3\left(k_3, 0^{n}\right)$ so that $F_3$ is a secure PRF, but becomes easily distinguishable from a random function if the last bit of the secret key $k_3$ is known to the adversary. Prove that your $F_3$ is a secure PRF by arguing the contra-positive, as in part (b).

  • d) Construct a new PRF $F_4 : K_2 × X \to Y$ that remains secure if the attacker learns any single bit of the key. Your function $F_2$ may only call $F$ once. Briefly explain why your PRF remains secure if any single bit of the key is leaked.
sasc/laboratoare/04.1489409248.txt.gz · Last modified: 2017/03/13 14:47 by dan.dragan
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0