Answered step by step
Verified Expert Solution
Link Copied!

Question

1 Approved Answer

Q 1 : Let G: { 0 , 1 } ^ n - > { 0 , 1 } ^ n is a PRG .

Q1: Let G:{0,1}^n->{0,1}^n is a PRG. We define H_k (x)=G(k)x, is H_k a PRF? If yes, explain why; if not, give an explicit attack (a PPT adversary that violates the definition).(10 pts)
Q2: Given a PRF E:K\times {0,1}^n->{0,1}^m, we construct F:K\times {0,1}^(n-1)->{0,1}^2m as follows:
F(K,x):=E(K,x||0)||E(K,x||1).
Is F(K,) still a PRF? If yes, give a brief proof, if not, give a brief attack showing the violation of PRF definition. (10 pts)
Q3: Can we construct a PRG from a PRF (assuming the PRF output length is larger than the key length or the input length)? If yes, give the concrete construction and briefly explain; if not, explain why. (10 pts)
Symmetric key encryption: Suppose (KeyGen, Enc, Dec) is an IND-CPA secure symmetric key encryption. We define the following new encryption algorithms, are the new schemes still IND-CPA secure? Briefly explain why. If you believe it is insecure, provide an explicit attacker violating the IND-CPA definition.
Q4: Enc_1(k,m) is defined as follows:
-It runs Enc(k,m) and obtains c_0;
- It runs Enc(k,m) again to obtain c_1. The final ciphertext will be (c_0,c_1).(10 pts)
Q5: Enc_2(k,m) is defined as follows:
-It runs Enc(k,m) and obtains c_0;
-It runs f on m to obtain c_1, where f is a pseudorandom generator. The final ciphertext will be (c_0,c_1).(10 pts)
Message Authentication Codes.
Suppose \Pi _1:=(KeyGen_1,Tag_1,Verify_1) and \Pi _2:=(KeyGen_2,Tag_2,Verify_2) are two message authentication code schemes.
Q6: \Pi _3:=(KeyGen_3,Tag_3,Verify_3) is defined as follows:
KeyGen_3 first runs KeyGen_1 obtains k_1, and then runs KeyGen_2 obtains k_2, the output key is (k_1, k_2).
Tag_3[(k_1, k_2),(m_1, m_2)] first runs Tag_1(k_1, m_1) and obtains \sigma _1 and it runs Tag_2(k_2, m_1m_2) and obtains \sigma _2, where the message m that Tag_3 works on is a pair of messages m_1, m_2. The final tag is \sigma _3\sigma _1||\sigma _2. The verification can be defined accordingly.
Is \Pi _3 a secure MAC? Briefly explain why. (10 pts)
Q7: \Pi _4:=(KeyGen_4,Tag_4,Verify_4) is defined as follows:
KeyGen_4 is identical to KeyGen_1, and it outputs a key k.
Tag_4[k,(m_1, m_2)] first runs Tag_1(k, m_1) and obtains \sigma _1 and it runs Tag_2(k, m_2) and obtains \sigma _2. The final tag is
\sigma \sigma _1\sigma _2.
Is \Pi _4 a secure MAC? Briefly explain why. (10 pts)
Q8: Given two constructions of message authentication codes \Pi _1:=(KeyGen_1,Tag_1,Verify_1),\Pi _2:=(KeyGen_2,Tag_2,Verify_2). Construct a secure MAC scheme \Pi _3:=(KeyGen_3,Tag_3,Dec_3) which will be secure (unforgeable) as long as one of \Pi _1,\Pi _2 is unforgeable (but you dont know which one), and briefly explain why. (15 pts)
Q9: Explain why the following paradigm does not provide secure authenticated encryption, i.e. an encryption scheme that satisfies both IND-CPA security and ciphertext integrity (where the adversary cannot create new ciphertexts without knowing the key or asking the encryption oracle). The paradigms encryption algorithm initially executes an Enc algorithm on message m to obtain c, then runs a Tag algorithm on message m and obtains \sigma . The final ciphertext will be (c,\sigma ).(15 pts)

Step by Step Solution

There are 3 Steps involved in it

Step: 1

blur-text-image

Get Instant Access to Expert-Tailored Solutions

See step-by-step solutions with expert insights and AI powered tools for academic success

Step: 2

blur-text-image

Step: 3

blur-text-image

Ace Your Homework with AI

Get the answers you need in no time with our AI-driven, step-by-step assistance

Get Started

Students also viewed these Databases questions