Homework 5: Introduction To Cryptography University of Michigan, Fall 2016 Instructor: Chris Peikert Student: SOLUTIONS
This homework is due by 10pm on October 25 via the course Canvas page. Start early!
Instructions. Solutions must be typed, preferably in LaTeX (a template for this homework is available on the
course web page). Your work will be graded on correctness, clarity, and concision. You should only submit
work that you believe to be correct; if you cannot solve a problem completely, you will get significantly more
partial credit if you clearly identify the gap(s) in your solution. It is good practice to start any long solution
with an informal (but accurate) “proof summary” that describes the main idea.
You may collaborate with others on this problem set and consult external sources, subject to the course
policies. However, you must write your own solutions and list your collaborators/sources for each problem.
Solution: (a) This $F'$ is a PRF. The main observation is that distinct inputs to $F'$ map to distinct
(non-repeating) inputs to $F_k$, so the two halves of the output each appear uniformly random and
independent of each other.
We prove this formally by a reduction. Let $D'$ be any efficient distinguisher against $F'$; recall that it
expects access to an oracle $O'(\cdot)$ that is either $F'_k(\cdot)$ for a random $k$, or a random function. Our goal
is to show that $D'$ must have negligible advantage. We do so by defining a distinguisher $D$ against
$F$, which has access to an oracle $O(\cdot)$ that is either $F_k(\cdot)$ for a random $k$, or a random function. $D$
internally runs $D'$. Whenever $D'$ queries its oracle on some $x_i \in \{0,1\}^{n-1}$, $D$ answers the query by
querying its own oracle $O(\cdot)$ on the inputs $0\|x_i$ and $1\|x_i$, and returning $O(0\|x_i)\|O(1\|x_i)$ to $D'$. Finally,
$D$ outputs whatever accept/reject decision $D'$ outputs.
We now analyze the two cases for $O(\cdot)$. When $O = F_k$, it is easy to see that $D$ perfectly simulates
$F'_k$ to $D'$. On the other hand, when $O = U\colon \{0,1\}^n \to \{0,1\}^n$ is a random function, we claim
that $D$ perfectly simulates a random function from $\{0,1\}^{n-1}$ to $\{0,1\}^{2n}$. This is because for distinct
queries $x_1, x_2, \ldots \in \{0,1\}^{n-1}$ by $D'$, all the resulting queries $0\|x_1, 1\|x_1, 0\|x_2, 1\|x_2, \ldots \in \{0,1\}^n$
to $U$ are distinct, so all the answers $U(0\|x_i)\|U(1\|x_i)$ given to $D'$ are uniform and independent.
From the above it follows that the advantages of $D$ and $D'$ are identical. Finally, because $F$ is a
pseudorandom function we know that the advantage of $D$ is negligible, hence so is the advantage of $D'$,
and $F'$ is a PRF, as desired.
(b) Here $F'$ is not a PRF; the core problem is that distinct inputs to $F'_k$ do not necessarily correspond
to distinct inputs to $F_k$, and this can be used in an attack.
A distinguisher works as follows: given an oracle $O(\cdot)$, which is either $F'_k$ (for a random key
$k \leftarrow \{0,1\}^n$) or a random function, do the following:
1. Query $O(\cdot)$ on the two distinct inputs $0^{n-1}$ and $0^{n-2}1$, receiving outputs $y_0$ and $y_1$ respectively.
2. Accept if the second half of $y_0$ equals the first half of $y_1$; otherwise reject.
Observe that when $O = F'_k$, the distinguisher always accepts, because $y_0 = F_k(0^n)\|F_k(0^{n-1}1)$
and $y_1 = F_k(0^{n-1}1)\|F_k(0^{n-2}11)$. But when $O = U$ is a random function, because the inputs
$0^{n-1}, 0^{n-2}1$ are different, the two outputs $y_0, y_1$ are uniform and independent, so the probability
that the distinguisher accepts is only $2^{-n}$. Therefore the distinguisher's advantage is $1 - 2^{-n}$, which
is non-negligible.
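As an added illustration (not part of the original solutions), the following Python runs the part (b) distinguisher against a concrete stand-in. Since the problem statement is not on this page, the construction $F'_k(x) = F_k(0\|x)\|F_k(x\|1)$ is reconstructed from the values of $y_0, y_1$ given above; HMAC-SHA256 truncated to $n$ bits stands in for the PRF $F$, and bitstrings are handled as integers.

```python
import hashlib
import hmac
import secrets

n = 32  # block length of the underlying PRF F (kept small; the attack works for any n)
MASK_N = (1 << n) - 1


def F(k: bytes, x: int) -> int:
    """Stand-in length-preserving PRF F_k on n-bit inputs: HMAC-SHA256 truncated to n bits."""
    assert 0 <= x <= MASK_N
    tag = hmac.new(k, x.to_bytes(n // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[: n // 8], "big")


def F_prime(k: bytes, x: int) -> int:
    """Assumed part (b) construction: F'_k(x) = F_k(0||x) || F_k(x||1) for x in {0,1}^(n-1).

    The 2n-bit output is packed as (first half << n) | second half.
    """
    assert 0 <= x < 1 << (n - 1)
    first = F(k, x)               # 0||x: prepending a 0 bit leaves the integer unchanged
    second = F(k, (x << 1) | 1)   # x||1: appending a 1 bit
    return (first << n) | second


def random_function():
    """Lazily sampled random function {0,1}^(n-1) -> {0,1}^(2n) (the ideal oracle)."""
    table = {}

    def U(x: int) -> int:
        if x not in table:
            table[x] = secrets.randbits(2 * n)
        return table[x]

    return U


def distinguisher(oracle) -> bool:
    """Part (b) attack: accept iff 2nd half of O(0^(n-1)) equals 1st half of O(0^(n-2)1)."""
    y0 = oracle(0)  # input 0^(n-1)
    y1 = oracle(1)  # input 0^(n-2)1
    return (y0 & MASK_N) == (y1 >> n)


if __name__ == "__main__":
    k = secrets.token_bytes(16)
    print("F'_k oracle accepted:", distinguisher(lambda x: F_prime(k, x)))  # always True
    print("random oracle accepted:", distinguisher(random_function()))      # True w.p. 2^-n
```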
2. In class there was a proposal to define a PRG $G$ with expansion $\ell(n) = (t+1)n$ using a length-preserving
PRF $F$ as follows: $G(s) = F_0(s)\|F_1(s)\|\cdots\|F_t(s)$, where the keys $0, 1, \ldots, t$ are represented as $|s|$-bit
strings.
Explain why $G$ is not necessarily a PRG. (Hint: the PRF security definition says that $F_k(\cdot)$ “looks like”
a random function when the key $k \in \{0,1\}^n$ is uniformly random.)
Solution: This is not necessarily a PRG; the main problem is that the keys $i = 0, 1, \ldots, t$ are known
to the attacker, not random and secret as required by the security definition for a PRF. We can use
this to attack $G$ for certain PRFs $F$.
Specifically, suppose that $F$ is a PRP, so each function $F_i(\cdot)$ is a permutation (bijection) and is
efficiently invertible when $i$ is known. A distinguisher for the case $t \geq 1$ then works as follows:
given a string $y = y_0\|y_1\|\cdots\|y_t$ where each $y_i \in \{0,1\}^n$ (and either $y = G(s)$ for random $s$, or $y$ is
uniform), it computes $x_0 = F_0^{-1}(y_0)$ and $x_1 = F_1^{-1}(y_1)$, and accepts if $x_0 = x_1$; otherwise it rejects.
It is easy to verify that this distinguisher always accepts when $y = G(s)$, since then $x_0 = x_1 = s$. On the other hand, when
$y_0, y_1$ are uniform and independent, the values $x_0, x_1$ are also uniform and independent because the
functions $F_0, F_1$ are bijections. So the distinguisher accepts only with probability $2^{-n}$ in this case.
Therefore, the distinguisher has advantage $1 - 2^{-n}$, which is certainly non-negligible.
Another way to solve this problem is to let $F$ be any PRF, but modified so that for the all-zeros key,
$F_{0^n}(x) = 0^n$ for all $x$. This is not in conflict with the security requirements of a PRF, because the
probability that a random key is all-zeros is only $2^{-n}$, which is negligible. But clearly for such an $F$,
the output $G(s)$ always begins with $0^n$ and hence is not pseudorandom.
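An added example (not from the original solutions) of the first attack, with a toy 4-round Feistel network built from SHA-256 standing in for the PRP $F$: because the keys $0, 1, \ldots, t$ are public, anyone can invert the first two blocks of $G(s)$ and check that they share a seed, which uniform blocks do only with probability $2^{-n}$.

```python
import hashlib
import secrets

n = 64                 # block length of the PRP, as two 32-bit halves
HALF = n // 2
MASK_HALF = (1 << HALF) - 1


def round_function(key: int, r: int, rnd: int) -> int:
    """Feistel round function: SHA-256 over (key, round index, right half), truncated to n/2 bits."""
    data = key.to_bytes(n // 8, "big") + bytes([rnd]) + r.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[: HALF // 8], "big")


def F(key: int, x: int, rounds: int = 4) -> int:
    """Toy n-bit PRP F_key (4-round Feistel); the keys 0, 1, ..., t are plain n-bit integers."""
    left, right = x >> HALF, x & MASK_HALF
    for i in range(rounds):
        left, right = right, left ^ round_function(key, right, i)
    return (left << HALF) | right


def F_inv(key: int, y: int, rounds: int = 4) -> int:
    """Inverse of F_key: undo the rounds in reverse order. Requires only the (public) key."""
    left, right = y >> HALF, y & MASK_HALF
    for i in reversed(range(rounds)):
        left, right = right ^ round_function(key, left, i), left
    return (left << HALF) | right


def G(s: int, t: int) -> list:
    """The proposed generator G(s) = F_0(s) || F_1(s) || ... || F_t(s), as a list of n-bit blocks."""
    return [F(i, s) for i in range(t + 1)]


def distinguisher(blocks: list) -> bool:
    """Invert y_0 and y_1 under the known keys 0 and 1; accept iff the preimages agree."""
    x0 = F_inv(0, blocks[0])
    x1 = F_inv(1, blocks[1])
    return x0 == x1


if __name__ == "__main__":
    s = secrets.randbits(n)
    print("G(s) accepted:", distinguisher(G(s, t=3)))                                   # always True
    print("uniform accepted:", distinguisher([secrets.randbits(n) for _ in range(4)]))  # True w.p. 2^-n
```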
Solution: We construct the following distinguisher for the left-or-right CPA game:
1. Query the LR oracle on $(0^n, 0^n)$, and receive a ciphertext $IV\|c_1$, where $c_1 = F_k(IV)$.
2. Next, query $(m_0 = IV \oplus (IV+1),\ m_1 = 0^n)$, and receive a ciphertext $(IV+1)\|c'_1$.
(Notice that we are using adaptivity here, since our second query depends on the result of the
first query.)
3. Accept if $c'_1 = c_1$; otherwise reject.
We now analyze the attack. In the “left” world, where the oracle encrypts $m_0$, notice that we have
$c'_1 = F_k(m_0 \oplus (IV+1)) = F_k(IV) = c_1$, so the distinguisher always accepts. In the “right” world,
where the oracle encrypts $m_1 = 0^n$, we have $c'_1 = F_k(IV+1) \neq c_1$ because $F_k$ is a permutation
and $IV+1 \neq IV$, so the distinguisher always rejects. Therefore, the distinguisher has advantage 1, and the system is
not CPA secure.
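An added example (not part of the original solutions) that runs this adaptive attack against a toy implementation. Since the problem statement is not on this page, the scheme is inferred from the solution: the ciphertext is $IV\|F_k(m \oplus IV)$ with $IV$ a counter incremented on every encryption; HMAC-SHA256 truncated to $n$ bits stands in for $F_k$ (a PRF rather than a permutation, so in the right world $c'_1 = c_1$ holds with probability $2^{-n}$ instead of never).

```python
import hashlib
import hmac
import secrets

n = 128                       # block length in bits
MASK = (1 << n) - 1


def F(k: bytes, x: int) -> int:
    """Stand-in length-preserving PRF F_k: HMAC-SHA256 truncated to n bits."""
    tag = hmac.new(k, x.to_bytes(n // 8, "big"), hashlib.sha256).digest()
    return int.from_bytes(tag[: n // 8], "big")


class CounterIVScheme:
    """Inferred scheme: Enc_k(m) = IV || F_k(m XOR IV), with IV a counter that increments per message."""

    def __init__(self, k: bytes):
        self.k = k
        self.next_iv = 0

    def encrypt(self, m: int) -> tuple:
        iv = self.next_iv
        self.next_iv = (iv + 1) & MASK      # predictable: the next message gets IV + 1
        return iv, F(self.k, m ^ iv)


def lr_oracle(scheme: CounterIVScheme, b: int):
    """Left-or-right oracle of the IND-CPA game: encrypts m_b and returns (IV, c_1)."""
    return lambda m0, m1: scheme.encrypt(m0 if b == 0 else m1)


def distinguisher(oracle) -> int:
    """The adaptive attack: guess 0 ('left') iff the second ciphertext block repeats the first."""
    iv, c1 = oracle(0, 0)                       # step 1: c_1 = F_k(0^n XOR IV) = F_k(IV)
    m0 = iv ^ ((iv + 1) & MASK)                 # step 2: chosen so that m_0 XOR (IV + 1) == IV
    _, c1_prime = oracle(m0, 0)
    return 0 if c1_prime == c1 else 1           # step 3


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    for b in (0, 1):
        print(f"b = {b}, guess = {distinguisher(lr_oracle(CounterIVScheme(key), b))}")
```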
4. A variant of counter (CTR) mode encryption using a length-preserving PRF $F$ works as follows:
$\mathrm{Enc}_k(m_1\|\cdots\|m_t)$, where each $m_i \in \{0,1\}^n$, does:
Suppose we use this mode with a PRF having block size (input length) n = 128, like AES. After about
how many encrypted messages is there a significant risk of losing IND-CPA security? Give a realistic
scenario where this would be a problem in practice.
Solution: This is an application of the “birthday paradox.” Observe that if an IV is ever repeated,
then we have a two-time pad situation and security is lost. Let $N$ be the number of encrypted
messages, each of which has a uniformly random 64-bit IV. There are $2^{64}$ possible IVs, so from the
formula in class we have
\[
\Pr[\text{repeated IV}] \approx \frac{N^2}{2 \cdot 2^{64}} .
\]
If the number of messages is $N \approx 2^{25}$, we have
\[
\Pr[\text{repeated IV}] = 2^{-15} = \frac{1}{32768} .
\]
This probability is not so small (and it will increase quickly with even more messages).
Notice that $N = 2^{25} \approx 32$ million messages is not very many for certain realistic applications. For
example, consider a high-frequency stock-trading application that submits hundreds of orders per
second, or a public email service like Gmail, where a single mail server might send thousands of
emails per second.