
COS 433 — Cryptography — Homework 4.

Boaz Barak

Total of 130 points. Due March 3rd, 2010.


Exercise 1 (20+10 points). Recall that in class we gave a construction of a probabilistic CPA-secure encryption scheme (i.e., the function $E$ used extra randomness in computing the encryption). A deterministic encryption scheme is a pair $(E, D)$ such that $E$ is a function of the key and message only and uses no additional randomness. It must of course also satisfy $D_k(E_k(x)) = x$ for every key $k$ and message $x$.

1. Prove that a deterministic encryption scheme cannot be CPA secure.

2. Say that an encryption scheme $(E, D)$ is unique message CPA secure if it satisfies the following relaxed variant of CPA security: we make the same definition as CPA security, except that Eve cannot use for the two challenge messages $x_1, x_2$ of the challenge phase any of the messages she asked for encryptions of in the attack phase. Give a construction, based on the tools we learned in class (PRGs, PRFs, PRPs), of a unique message CPA secure deterministic encryption scheme.

3. Suppose a broker wants to encrypt his communication, and all of his messages are either “buy” or “sell”. He wants to ensure that an adversary monitoring the line, even if it found out by observing the market what the first $i$ messages were, will have no non-trivial advantage in predicting the next message given the ciphertext. Would you recommend that the broker use a CPA secure encryption scheme, or will a unique message CPA secure scheme suffice?
For 10 extra points, prove that given an encryption scheme with appropriate security, assuming that the broker chooses “sell” with probability $p$ and “buy” with probability $1 - p$, such an adversary will not be able to guess the right message with probability better than max{p, 1 − p} + (n) where  is a negligible function.

Exercise 2 (25 points). Let $\{p_k\}_{k \in \{0,1\}^*}$ be a pseudorandom permutation collection, where for $k \in \{0,1\}^n$, $p_k$ is a permutation over $\{0,1\}^m$.

1. Consider the following encryption scheme $(E, D)$: $E_k(x) = p_k(x)$, $D_k(y) = p_k^{-1}(y)$. Prove that this scheme is not a CPA-secure encryption.

2. Consider the following scheme $(E, D)$ that encrypts $m/2$-bit messages in the following way: on input $x \in \{0,1\}^{m/2}$, $E_k$ chooses $r \leftarrow_R \{0,1\}^{m/2}$ and outputs $p_k(x, r)$ (where comma denotes concatenation); on input $y \in \{0,1\}^{m/2}$, $D_k$ computes $(x, r) = p_k^{-1}(y)$ and outputs $x$. Prove that $(E, D)$ is a CPA-secure encryption scheme. See footnote for hint.¹

¹ Hint: Try proving first, for partial credit, that this scheme satisfies the weaker notion of multiple message security. That is, for every polynomial $p = p(n)$ and $x_1, \ldots, x_p, x'_1, \ldots, x'_p \in \{0,1\}^{m/2}$, the two sequences of random variables $\langle E_K(x_1), \ldots, E_K(x_p) \rangle$ and $\langle E_{K'}(x'_1), \ldots, E_{K'}(x'_p) \rangle$ are computationally indistinguishable (where $K$ and $K'$ are two independent random variables distributed uniformly over $\{0,1\}^n$).

Exercise 3 (25 points). The CBC construction is often used to get an encryption for larger message size. If $p : \{0,1\}^m \to \{0,1\}^m$ is a permutation, then $\mathrm{CBC}_\ell\langle p \rangle$ is a permutation from $\{0,1\}^{\ell \cdot m}$ to $\{0,1\}^{\ell \cdot m}$ defined in the following way: for $x_1, \ldots, x_\ell \in \{0,1\}^m$, let $y_0 = 0^n$ and define $y_i = p(y_{i-1} \oplus x_i)$. Then, $\mathrm{CBC}_\ell\langle p \rangle(x_1, \ldots, x_\ell) = (y_1, \ldots, y_\ell)$.² Note that the inverse of $\mathrm{CBC}_\ell\langle p \rangle$ can be computed in a similar way using the inverse of $p(\cdot)$.
Let $\{p_k\}$ be a pseudorandom permutation collection. Determine the CPA-security of the following two encryption schemes which are based on the CBC construction. That is, for each scheme either prove that it is CPA-secure or give an attack showing that it is not. For simplicity, we consider only the 3-block variant of the scheme (i.e. $\ell = 3$).

1. (Padding in the end) Given $p_k : \{0,1\}^m \to \{0,1\}^m$ and a message $x = x_1, x_2 \in \{0,1\}^{2m}$, $E_k$ chooses $r \leftarrow_R \{0,1\}^m$ and outputs $\mathrm{CBC}_3\langle p_k \rangle(x_1, x_2, r)$. Decryption is done in the obvious way.

2. (Padding in the start) Given $p_k : \{0,1\}^m \to \{0,1\}^m$ and a message $x = x_1, x_2 \in \{0,1\}^{2m}$, $E_k$ chooses $r \leftarrow_R \{0,1\}^m$ and outputs $\mathrm{CBC}_3\langle p_k \rangle(r, x_1, x_2)$. Decryption is done in the obvious way.
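
The CBC construction of Exercise 3 and its two padding variants, written out as an added example (not part of the original assignment); it only makes "decryption in the obvious way" concrete and says nothing about either scheme's security. The 8-bit block size, the function names and the table-shuffle permutation `make_perm` are assumptions chosen so the code runs; the shuffle is a toy stand-in, not a pseudorandom permutation.

```python
import random
import secrets

M = 8  # toy block size in bits (assumption; a real PRP would use e.g. 128)

def make_perm(key):
    """Toy keyed permutation on M-bit blocks and its inverse (NOT a secure PRP)."""
    table = list(range(2 ** M))
    random.Random(key).shuffle(table)
    inverse = [0] * len(table)
    for x, y in enumerate(table):
        inverse[y] = x
    return table.__getitem__, inverse.__getitem__

def cbc(p, blocks):
    """CBC<p>(x_1..x_l) = (y_1..y_l): y_0 is the all-zero block, y_i = p(y_{i-1} XOR x_i)."""
    y, out = 0, []
    for x in blocks:
        y = p(y ^ x)
        out.append(y)
    return out

def cbc_inv(p_inv, ys):
    """Inverse of cbc: x_i = p^{-1}(y_i) XOR y_{i-1}, with the same fixed y_0."""
    prev, out = 0, []
    for y in ys:
        out.append(p_inv(y) ^ prev)
        prev = y
    return out

def enc_pad_end(p, x1, x2):
    """Scheme 1: random block r appended after the message blocks."""
    return cbc(p, [x1, x2, secrets.randbelow(2 ** M)])

def dec_pad_end(p_inv, c):
    return tuple(cbc_inv(p_inv, c)[:2])  # drop the trailing r

def enc_pad_start(p, x1, x2):
    """Scheme 2: random block r placed before the message blocks."""
    return cbc(p, [secrets.randbelow(2 ** M), x1, x2])

def dec_pad_start(p_inv, c):
    return tuple(cbc_inv(p_inv, c)[1:])  # drop the leading r
```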

Exercise 4 (25 points). Prove that the following encryption scheme is CCA secure. Let $\{p_k\}$ be a collection of pseudorandom permutations mapping $\{0,1\}^{3n}$ to $\{0,1\}^{3n}$.

• To encrypt $x \in \{0,1\}^n$ with key $k$ do the following: choose $r \leftarrow_R \{0,1\}^n$, and send $p_k(x \| r \| 0^n)$ (where $\|$ denotes concatenation).

• To decrypt $y \in \{0,1\}^{3n}$, compute $x \| r \| w = p_k^{-1}(y)$. If $w \neq 0^n$ then output $\bot$. Otherwise, output $x$.

Exercise 5 (25 points). Let $(E, D)$ be a CPA secure scheme with key-size=message-size=$n$, and let $\{f_k\}$ be a collection of PRFs such that for every $k \in \{0,1\}^n$, $f_k : \{0,1\}^n \to \{0,1\}^n$. Consider the following scheme $(E', D')$:

Key $k, k'$ each chosen uniformly and independently from $\{0,1\}^n$.

Encrypt $E'_{k,k'}(x) = (y, t)$ where $y = E_k(x)$ and $t = f_{k'}(y)$.

Decrypt $D'_{k,k'}(y, t) = \bot$ if $f_{k'}(y) \neq t$ and $D_k(y)$ otherwise.

1. Prove that the scheme $(E', D')$ is CCA secure.

2. Let $(E'', D'')$ be the same scheme except that we reuse the key for the PRFs and encryption. That is, we set $k = k'$ to be the same string chosen at random in $\{0,1\}^n$. Prove that this scheme is not necessarily even CPA secure! That is, show that there exists a CPA secure $(E, D)$ and a PRF collection $\{f_k\}$ such that if we build $(E'', D'')$ using these components then the resulting scheme is not CPA secure. (For partial credit, show that it’s not CCA secure only.)
This example shows that “reusing” or “recycling” keys in cryptography is a very dangerous practice.
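
The scheme $(E', D')$ of Exercise 5 with independent keys $k, k'$, as an added example (not part of the original assignment) showing the tag check returning ⊥ for a modified ciphertext. HMAC-SHA256 truncated to 16 bytes stands in for the PRF $f$, and the PRF-based scheme $(r, f_k(r) \oplus x)$ stands in for the CPA-secure $(E, D)$; both choices, and all function names, are assumptions.

```python
import hashlib
import hmac
import secrets

N = 16  # key and message size in bytes (assumption for this example)

def f(key, data):
    """PRF stand-in: HMAC-SHA256 truncated to N bytes (accepts any input length)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def E(k, x):
    """Stand-in for the CPA-secure scheme: fresh random r, output r || (f_k(r) XOR x)."""
    assert len(x) == N
    r = secrets.token_bytes(N)
    return r + xor(f(k, r), x)

def D(k, y):
    r, body = y[:N], y[N:]
    return xor(f(k, r), body)

def keygen():
    """k and k' drawn uniformly and independently, as the scheme requires."""
    return secrets.token_bytes(N), secrets.token_bytes(N)

def E_prime(k, k2, x):
    """E'_{k,k'}(x) = (y, t) with y = E_k(x) and t = f_{k'}(y)."""
    y = E(k, x)
    return y, f(k2, y)

def D_prime(k, k2, y, t):
    """D'_{k,k'}(y, t): None plays the role of the page's ⊥ when the tag is wrong."""
    if not hmac.compare_digest(f(k2, y), t):
        return None
    return D(k, y)
```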

² The string $y_0$ is called the initialization vector or IV, and in practice is often chosen to be different than $0^m$. However, as long as it’s a fixed public value this doesn’t make any security difference. Note that the KL book considers a different variant of CBC where the IV is chosen independently at random for each encryption.
