CS783: Theoretical Foundations of Cryptography Fall 2024

Assignment 3
September 9, 2024
Instructor: Chethan Kamath

Exercise 1 (MAC and verify oracle). Recall the definition of EU-CMA security for
MAC from Lecture 7 (Definition 2). Now, let’s consider a stronger definition, Definition
2′, where Tam is given access (in addition to the Tag(k, ·) oracle) to a “verify oracle”
Ver(k, ·, ·), which Tam can query on a tag and message of her choice. Come up with a
MAC that is secure with respect to Definition 2, but not Definition 2′.

Exercise 2 (One-way PKE). Recall the definition of IND-CPA for PKE from Lecture 8.
Now consider one-way (OW) CPA, an alternative notion of secrecy for PKEs defined as
follows for a PKE Π = (Gen, Enc, Dec):
• Eve is given pk, generated as $(pk, sk) \leftarrow \mathrm{Gen}(1^n)$.
• For $m \leftarrow M_n$, Eve is given $c \leftarrow \mathrm{Enc}(pk, m)$ as the challenge ciphertext.
• Eve outputs m′ and breaks if m′ = m.
A PKE Π is OW-CPA-secure if for all PPT eavesdroppers Eve, the probability with which
Eve breaks Π as above is negligible. Now answer the following questions about IND-CPA
and OW-CPA.
1. Show formally that IND-CPA implies OW-CPA. That is, any PKE that is
IND-CPA-secure is also OW-CPA-secure.
2. What about the opposite direction? Either
(a) show that OW-CPA implies IND-CPA; or
(b) come up with a counterexample, i.e., a PKE Π that is OW-CPA-secure but
not IND-CPA-secure.

Exercise 3 (Amplification via random self-reducibility (RSR)). In Lecture 8 we saw how
RSR can be exploited to beat the hybrid argument. In this exercise, we exploit RSR of DDH
(Lecture 8, Assumption 2) and QR (Lecture 9, Assumption 3) to amplify distinguishing
advantage.
1. Consider the following seemingly stronger variant of DDH, named Assumption 2′,
where we require the distinguishing advantage of every PPT adversary to be
exponentially close to 0: The DDH assumption holds in G w.r.to S if for all PPT
distinguishers D (and large enough n)

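$$
\Pr_{\substack{(G,\ell,g)\leftarrow S(1^n)\\ a,b\leftarrow \mathbb{Z}_\ell}}\left[D(g^a, g^b, g^{ab}) = 0\right] - \Pr_{\substack{(G,\ell,g)\leftarrow S(1^n)\\ a,b,r\leftarrow \mathbb{Z}_\ell}}\left[D(g^a, g^b, g^r) = 0\right] \le 1/2^n
$$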

Show that Assumption 2′ implies Assumption 2. (Hint: invoke the distinguisher for
standard DDH multiple times and use the Chernoff bound for the analysis.)

2. Define the corresponding Assumption 3′ for QR, and show that Assumption 3′
implies Assumption 3.

Exercise 4 (Gap Diffie-Hellman (DH) Groups). Recall the definition of DDH and CDH
from Lecture 8. A group G (w.r.to a sampler S) is said to be a gap DH group if DDH is
easy but CDH is hard in G. Note that DH key exchange is insecure in gap DH groups.
In the following two groups, CDH is believed to hold. Show that DDH is easy for both
groups and hence they constitute gap DH groups.
1. $\mathbb{Z}_p^\times$, the multiplicative group modulo prime p. (Hint: Analyse what happens to
“squareness” in the real world and random world.)
2. A (prime-order) group G equipped with a bilinear pairing, i.e., an efficiently computable
function $e : G \times G \to G_T$ for some “target group” $G_T$ such that:
(a) Bilinear: for every $g_1, g_2 \in G$ and $a, b \in \mathbb{Z}_p$, $e(g_1^a, g_2^b) = e(g_1, g_2)^{ab}$.
(b) Non-degenerate: If g is a generator for G then $e(g, g)$ is a generator for $G_T$.
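
The squareness hint in item 1, carried through as an added example (not part of the assignment sheet): a DDH distinguisher for $\mathbb{Z}_p^\times$ built on Euler's criterion, using the sheet's convention that D outputs 0 in the real world. The toy prime 1019, the generator 2 and all function names are assumptions chosen for illustration.

```python
import secrets

P = 1019   # toy safe prime, P = 2*509 + 1 (constructed parameter, not from the sheet)
G = 2      # generates all of Z_P^*: 2^2 != 1 and 2^509 != 1 (mod P)

def is_square(x, p=P):
    """Euler's criterion: x is a quadratic residue mod p iff x^((p-1)/2) == 1."""
    return pow(x, (p - 1) // 2, p) == 1

def ddh_distinguisher(A, B, C, p=P):
    """Output 0 ("real") iff C has the squareness that g^(ab) must have."""
    # g^a is a square iff a is even, so g^(ab) is a square iff A or B is a square.
    expected = is_square(A, p) or is_square(B, p)
    return 0 if is_square(C, p) == expected else 1

def sample(real, p=P, g=G):
    """Draw (g^a, g^b, g^ab) if real, else (g^a, g^b, g^r), exponents from Z_(p-1)."""
    a = secrets.randbelow(p - 1)
    b = secrets.randbelow(p - 1)
    c = (a * b) % (p - 1) if real else secrets.randbelow(p - 1)
    return pow(g, a, p), pow(g, b, p), pow(g, c, p)

def advantage(trials=4000):
    """Estimate Pr[D = 0] in the real world and in the random world."""
    real = sum(ddh_distinguisher(*sample(True)) == 0 for _ in range(trials))
    rand = sum(ddh_distinguisher(*sample(False)) == 0 for _ in range(trials))
    return real / trials, rand / trials

if __name__ == "__main__":
    real, rand = advantage()
    print(f"Pr[D=0 | real] = {real:.3f}, Pr[D=0 | random] = {rand:.3f}")
```

In the random world $g^r$ is a square with probability 1/2 independently of a and b, so the gap between the two estimates is about 1/2.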

Exercise 5 (Understanding LWE). In this exercise, we will try to develop a better
understanding of the LWE assumption.
1. Recall the definition of DLWE (Assumption 2) from Lecture 10. Now consider the
following “worst-case” version of the assumption, which we will denote Assumption
2′. The (n, m, p, E)-DLWE assumption holds with respect to worst-case secrets $\bar{s}$ if
for all QPT distinguishers D and all $\bar{s} \in \mathbb{Z}_p^n$ the following is negligible

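$$
\delta(n) := \Pr_{\substack{\bar{A}\leftarrow \mathbb{Z}_p^{n\times m}\\ \bar{e}\leftarrow E^m}}\left[D(\bar{A}, \bar{s}^\top \bar{A} + \bar{e}^\top) = 0\right] - \Pr_{\substack{\bar{A}\leftarrow \mathbb{Z}_p^{n\times m}\\ \bar{r}\leftarrow \mathbb{Z}_p^m}}\left[D(\bar{A}, \bar{r}^\top) = 0\right].
$$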

Show that Assumption 2′ implies Assumption 2. (Hint: exploit linearity)


2. Consider the short integer solution (SIS) problem:
• Input: $\bar{A} \leftarrow \mathbb{Z}_p^{n\times m}$, with $m \ge \lceil n \log(p) \rceil$
• Solution: non-zero vector $\bar{x} \in \{0, \pm 1\}^m$ in $\bar{A}$’s kernel, i.e., $\bar{A}\bar{x} = \bar{0} \bmod p$
Now answer the following questions:
(a) A solution is guaranteed to exist. Why?
(b) Show that LWE reduces to SIS.
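
A toy run of the SIS problem above, as an added example (not part of the assignment sheet): a pigeonhole collision search that finds a short kernel vector, and a DLWE distinguisher that uses it. The parameters n = 2, p = 257, m = 17, the base-2 logarithm, the noise distribution uniform on {-1, 0, 1} standing in for E, and all function names are assumptions chosen for illustration.

```python
import itertools
import secrets

N, P = 2, 257   # toy parameters (constructed); P is an odd prime
M = 17          # m = ceil(n * log2(p)) = ceil(16.01), so 2^m > p^n

def mat_vec(A, x):
    """A x mod p for an n-by-m matrix A given as a list of rows."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % P for row in A)

def sis_solve(A):
    """Pigeonhole: 2^m binary vectors map into p^n < 2^m values, so two collide;
    their difference is a non-zero vector in {0,+1,-1}^m with A x = 0 mod p."""
    seen = {}
    for x in itertools.product((0, 1), repeat=M):
        y = mat_vec(A, x)
        if y in seen:
            return [u - v for u, v in zip(x, seen[y])]
        seen[y] = x
    raise AssertionError("unreachable when 2^m > p^n")

def sample(lwe):
    """Return (A, b): b = s^T A + e^T with e in {-1,0,1}^m if lwe, else b uniform."""
    A = [[secrets.randbelow(P) for _ in range(M)] for _ in range(N)]
    if not lwe:
        return A, [secrets.randbelow(P) for _ in range(M)]
    s = [secrets.randbelow(P) for _ in range(N)]
    e = [secrets.randbelow(3) - 1 for _ in range(M)]   # assumed noise distribution
    b = [(sum(s[i] * A[i][j] for i in range(N)) + e[j]) % P for j in range(M)]
    return A, b

def distinguisher(A, b):
    """Output 0 ("LWE") iff b^T x is small; for LWE samples b^T x = e^T x mod p."""
    x = sis_solve(A)
    v = sum(bj * xj for bj, xj in zip(b, x)) % P
    v = v - P if v > P // 2 else v        # centre into (-p/2, p/2]
    return 0 if abs(v) <= M else 1        # |e^T x| <= m for noise in {-1,0,1}

if __name__ == "__main__":
    print("LWE sample     ->", distinguisher(*sample(True)))
    print("uniform sample ->", distinguisher(*sample(False)))
```

On uniform b the value $\bar{b}^\top \bar{x}$ is uniform mod p, so the distinguisher outputs 0 with probability only 35/257 there, against probability 1 on LWE samples.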

Exercise 6 (Strong signatures). As discussed in Lecture 11, a signature scheme Σ is
strongly EU-CMA-secure if we relax the requirement for forgery in EU-CMA (Definition
2) from “signature on fresh message” to “fresh signature on any message”.
1. Formally write down the security definition for strong EU-CMA.
2. Show that Lamport’s signature is not strongly one-time EU-CMA-secure. (Hint:
you need to come up with the right OWF.)
3. How can you make Lamport’s signature strongly one-time EU-CMA-secure? Give
a formal proof for your construction. (Hint: use a different primitive in place of
OWF.)
