Cryptography HW2

The document presents a homework assignment on cryptography, covering various problems related to pseudorandom permutations (PRP), pseudorandom generators (PRG), and distinguishing attacks. It includes proofs and analyses demonstrating the properties of specific cryptographic functions and their security implications. The assignment highlights the importance of computational indistinguishability in cryptographic constructions.

Uploaded by ck4057
Intro to Cryptography HW 1

Chaewoon Ki

Mar 19, 2025

Problem 1
Let $G$ be the two-round Feistel construction. Then by definition, with the key $k$,

$$G_k(L_0, R_0) = \big(f_1(R_0) \oplus L_0,\; R_0 \oplus f_2(f_1(R_0) \oplus L_0)\big)$$

For $G$ to be a PRP, $f_1, f_2$ must look random when $k$ is unknown, that is, the output of $G$ should be computationally indistinguishable from a truly random permutation when the key $k$ is unknown. However, there exists a correlation between the specific input pair $(0^{l/2}, 0^{l/2})$ and $(1^{l/2}, 0^{l/2})$, which allows $G$ to be distinguished from a truly random permutation. If we define the outputs as

$$(L_2, R_2) = G_k(0^{l/2}, 0^{l/2}), \qquad (L_2', R_2') = G_k(1^{l/2}, 0^{l/2}),$$

then the following holds regardless of the key:

$$L_2 \oplus L_2' = f_1(0^{l/2}) \oplus 0^{l/2} \oplus f_1(0^{l/2}) \oplus 1^{l/2} = 1^{l/2}$$

This holds for any key $k$, meaning the function exhibits a deterministic correlation between certain inputs and outputs, violating the conditions for being a pseudorandom permutation.
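The two-query distinguisher above, run against the two-round Feistel construction and against a truly random permutation, as an added example (not part of the homework). Assumptions that are mine, not the page's: a block length of $l = 16$ bits (8-bit halves), round functions $f_1, f_2$ derived from the key with HMAC-SHA256 as a stand-in for any keyed round function, and a seeded shuffled table as the random permutation. The relation $L_2 \oplus L_2' = 1^{l/2}$ never depends on what $f_1, f_2$ are, which is the point.

```python
"""Two-round Feistel G_k(L0, R0) = (f1(R0) ^ L0, R0 ^ f2(f1(R0) ^ L0)) and the
distinguisher that checks L2 ^ L2' == 1^{l/2} for inputs (0,0) and (1^{l/2},0).
Added illustration; block size and round functions are assumed, not from the page."""
import hashlib
import hmac
import random
import secrets

HALF_BITS = 8                    # l/2 (assumed: l = 16)
MASK = (1 << HALF_BITS) - 1
ALL_ONES = MASK                  # the string 1^{l/2}


def round_function(key: bytes, idx: int, r: int) -> int:
    """f_idx(r): keyed function {0,1}^{l/2} -> {0,1}^{l/2}; HMAC-SHA256 stand-in (assumption)."""
    msg = bytes([idx]) + r.to_bytes(HALF_BITS // 8, "big")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[: HALF_BITS // 8], "big")


def feistel2(key: bytes, left: int, right: int):
    """G_k(L0, R0) exactly as defined in the write-up."""
    l2 = round_function(key, 1, right) ^ left
    r2 = right ^ round_function(key, 2, l2)
    return l2, r2


def feistel2_inverse(key: bytes, l2: int, r2: int):
    """G_k is a permutation: undo round 2 then round 1 to recover (L0, R0)."""
    r0 = r2 ^ round_function(key, 2, l2)
    l0 = l2 ^ round_function(key, 1, r0)
    return l0, r0


def random_permutation(seed: int):
    """Truly random permutation on {0,1}^l as a seeded shuffled lookup table."""
    table = list(range(1 << (2 * HALF_BITS)))
    random.Random(seed).shuffle(table)

    def perm(left: int, right: int):
        out = table[(left << HALF_BITS) | right]
        return out >> HALF_BITS, out & MASK

    return perm


def distinguisher(oracle) -> int:
    """Outputs 1 iff L2 ^ L2' == 1^{l/2}: always for G_k, rarely for a random permutation."""
    l2, _ = oracle(0, 0)
    l2_prime, _ = oracle(ALL_ONES, 0)
    return 1 if (l2 ^ l2_prime) == ALL_ONES else 0


def feistel_hits(trials: int = 50) -> int:
    """How often D outputs 1 on G_k under fresh random keys (expected: every time)."""
    return sum(
        distinguisher(lambda L, R, k=secrets.token_bytes(16): feistel2(k, L, R))
        for _ in range(trials)
    )


def random_perm_hits(trials: int = 50) -> int:
    """How often D outputs 1 on random permutations (expected about trials / 2^{l/2})."""
    return sum(distinguisher(random_permutation(seed)) for seed in range(trials))


if __name__ == "__main__":
    print("Feistel hits:", feistel_hits(), "/ 50")
    print("random permutation hits:", random_perm_hits(), "/ 50")
```

The inverse function is included only to confirm that the construction really is a permutation, so the distinguisher is separating two permutations and not exploiting a non-bijective oracle. With 8-bit halves a random permutation satisfies the relation with probability about $1/256$ per trial, so the gap is visible with a handful of keys.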

Problem 2
Let $G : \{0,1\}^n \to \{0,1\}^{2n}$ be a PRG and let $m(n)$ be some polynomial in $n$.
Prove the following:

$$(G(X_1), \dots, G(X_{m(n)})) \approx U_{2n \cdot m(n)},$$

where $X_1, \dots, X_{m(n)}$ are each independently and uniformly distributed over $U_n$ (for all $n$). (What proof technique should you use?)

Let $G' = (G(X_1), \dots, G(X_{m(n)}))$. We want to show that when $G$ is a PRG, $G'$ is also a PRG. We use the hybrid argument to prove it. We have to show that $H_0 \approx H_{m(n)}$, where $H_0$ and $H_{m(n)}$ are defined as follows:

$$H_0 = (G(X_1), \dots, G(X_{m(n)})) = (b_1, b_2, b_3, \dots, b_{m(n)}), \quad X_i \leftarrow U_n$$

$$H_{m(n)} = U_{2n \cdot m(n)} = (\hat b_1, \hat b_2, \hat b_3, \dots, \hat b_{m(n)})$$

Each $b_i$ is a pseudorandom $2n$-bit string generated by $G$, and each $\hat b_i$ is a $2n$-bit string drawn from the uniform distribution. Let's define the intermediate hybrids

$$H_1 = (\hat b_1, b_2, b_3, \dots, b_{m(n)})$$

$$H_2 = (\hat b_1, \hat b_2, b_3, \dots, b_{m(n)})$$

$$H_i = (\hat b_1, \dots, \hat b_i, b_{i+1}, \dots, b_{m(n)})$$

If $H_i \approx H_{i+1}$ for every $i$, then $H_0 \approx H_{m(n)}$, because there are only polynomially many ($m(n)$) hybrids and the distinguishing advantages add up. $H_i$ and $H_{i+1}$ differ only in the $(i+1)$-th component, which is $b_{i+1}$ and $\hat b_{i+1}$ respectively. Since $G$ is a PRG, the distributions of $b_{i+1}$ and $\hat b_{i+1}$ are computationally indistinguishable: any distinguisher for $H_i$ versus $H_{i+1}$ can be turned into a distinguisher for $G$ by sampling the other $m(n) - 1$ components itself and placing its challenge string in position $i+1$.
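The hybrid bound carried through explicitly, as an added derivation that is not part of the original write-up. Let $D$ be any PPT distinguisher and write $p_i = \Pr[D(H_i) = 1]$. By the triangle inequality,

$$\left| p_0 - p_{m(n)} \right| = \left| \sum_{i=0}^{m(n)-1} \big(p_i - p_{i+1}\big) \right| \le \sum_{i=0}^{m(n)-1} \left| p_i - p_{i+1} \right|.$$

For each $i$, consider the reduction $D'$ that, on a challenge $z \in \{0,1\}^{2n}$, samples $\hat b_1, \dots, \hat b_i \leftarrow U_{2n}$ and $b_{i+2}, \dots, b_{m(n)} \leftarrow G(U_n)$ and runs $D(\hat b_1, \dots, \hat b_i, z, b_{i+2}, \dots, b_{m(n)})$. When $z \leftarrow G(U_n)$ the input to $D$ is distributed exactly as $H_i$, and when $z \leftarrow U_{2n}$ it is distributed exactly as $H_{i+1}$, so

$$\left| p_i - p_{i+1} \right| = \left| \Pr[D'(G(U_n)) = 1] - \Pr[D'(U_{2n}) = 1] \right| \le \varepsilon_G(n),$$

where $\varepsilon_G$ is the (negligible) advantage against the PRG $G$. Hence

$$\left| p_0 - p_{m(n)} \right| \le m(n)\, \varepsilon_G(n),$$

which is negligible because $m(n)$ is polynomial, and so $H_0 \approx H_{m(n)}$.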

Problem 3
I'll show that $f'_k$ is computationally distinguishable from a truly random function $F$. Let's define the distinguisher $D$ as follows:

1. First query: on any $x \in \{0,1\}^{n-1}$, let $y$ be the oracle's response.

2. Second query: $x' = x \| 0^n$; let $y'$ be the oracle's response.

3. Check: if $y' = G_0(y)$, $D$ outputs 1. Otherwise, it outputs 0.

Thus, we have:

$$\Pr[D^{F_k(\cdot)}(1^n) = 1] = 1, \qquad \Pr[D^{F(\cdot)}(1^n) = 1] = \frac{1}{2^n}.$$

This is because

$$F_k(x') = G_{x_n}(F_k(x)) = G_0(F_k(x))$$

(since the last bit of $x'$ is 0), whereas for a truly random $F$ the value $F(x')$ is independent of $F(x)$ and equals the fixed string $G_0(y)$ only with probability $2^{-n}$.
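The distinguisher from Problem 3 run against a GGM-style tree PRF and against a truly random function, as an added example that is not part of the homework. Assumptions that are mine: the PRG is modelled as $G(s) = \mathrm{SHA256}(0 \| s) \,\|\, \mathrm{SHA256}(1 \| s)$ with $G_0$, $G_1$ its left and right halves; $F_k$ is the tree construction $F_k(\varepsilon) = k$, $F_k(x \| b) = G_b(F_k(x))$, which is the relation $F_k(x') = G_{x_n}(F_k(x))$ the write-up relies on; and the second query appends a single 0 bit so that $F_k(x \| 0) = G_0(F_k(x))$ holds exactly (the write-up writes $0^n$; one bit is what makes the single-$G_0$ check line up). The random function is sampled lazily from a seeded RNG so the run is reproducible.

```python
"""GGM-style PRF F_k over bit strings and the two-query distinguisher
D: y = O(x); y' = O(x || 0); output 1 iff y' == G_0(y).
Added illustration; the PRG model and the one-bit extension are assumptions."""
import hashlib
import random
import secrets

N = 32  # byte length of G_0 / G_1 outputs (256 bits); assumed seed length


def G(s: bytes) -> bytes:
    """Length-doubling PRG stand-in: 32-byte seed -> 64-byte output (assumption)."""
    return hashlib.sha256(b"\x00" + s).digest() + hashlib.sha256(b"\x01" + s).digest()


def G0(s: bytes) -> bytes:
    return G(s)[:N]          # left half


def G1(s: bytes) -> bytes:
    return G(s)[N:]          # right half


def ggm_prf(k: bytes, x: str) -> bytes:
    """F_k(x): walk the tree one bit at a time, F_k(x || b) = G_b(F_k(x))."""
    v = k
    for bit in x:
        v = G0(v) if bit == "0" else G1(v)
    return v


class RandomFunction:
    """Truly random function {0,1}* -> {0,1}^256, sampled lazily (seeded)."""

    def __init__(self, seed: int):
        self.rng = random.Random(seed)
        self.table = {}

    def __call__(self, x: str) -> bytes:
        if x not in self.table:
            self.table[x] = self.rng.getrandbits(8 * N).to_bytes(N, "big")
        return self.table[x]


def distinguisher(oracle, x: str = "1011") -> int:
    """D with oracle access: 1 if the second answer is G_0 of the first (x is an arbitrary constructed query)."""
    y = oracle(x)
    y_prime = oracle(x + "0")
    return 1 if y_prime == G0(y) else 0


def run_experiment(trials: int = 50):
    """Return (hits on F_k under fresh keys, hits on random functions)."""
    prf_hits = sum(
        distinguisher(lambda x, k=secrets.token_bytes(N): ggm_prf(k, x))
        for _ in range(trials)
    )
    rf_hits = sum(distinguisher(RandomFunction(seed)) for seed in range(trials))
    return prf_hits, rf_hits


if __name__ == "__main__":
    print("(PRF hits, random-function hits):", run_experiment())
```

With 256-bit outputs the random-function side matches $G_0(y)$ with probability $2^{-256}$ per trial, so the experiment separates the two oracles perfectly; the check itself uses only public information (the PRG), never the key.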

Problem 4
We analyze whether the transformed function $F' = \{f'_k\}$ must be a PRF or not.

(a) Case: $\forall x \in \{0,1\}^n,\ y \in \{0,1\}^n,\ k \in \{0,1\}^n$, $f'_k(x \| y) := f_k(x) \| f_k(y)$.
Since $f_k(x)$ and $f_k(y)$ are outputs of a PRF, they are computationally indistinguishable from random functions. Concatenating two independent PRF outputs does not introduce any structure that an adversary can exploit. Thus, $f'_k(x \| y)$ retains the pseudorandomness property.
Conclusion: $F'$ must be a PRF.

(b) Case: $\forall x \in \{0,1\}^n$, $f'_k(x) := f_x(k)$.
Here, the input $x$ is being used as the key, and $k$ is being used as the input. If $k$ happens to be a "bad" key (e.g., all zeros), then $f'_k$ may be easily distinguishable. That is, there exists a specific PRF $f_k$ for which $f'_k$ does not behave as a PRF, since the security of $f'_k$ now depends on whether the key $x$ is chosen from a secure distribution.
Distinguishing attack: An adversary can choose $x = 0^n$, query $f'_k(0^n)$, and check whether its output follows a predictable pattern. If $f_k$ is distinguishable under specific key conditions, then $f'_k$ is also distinguishable.
Conclusion: $F'$ is not necessarily a PRF.

(c) Case: $\forall x \in \{0,1\}^n$, $f'_k(x) := f_k(x \| 0^n)$.
This transformation extends the input by appending $0^n$ before passing it to the PRF. If $f_k$ is a PRF, then for any input $x$, $f_k(x \| 0^n)$ remains indistinguishable from a random function, because appending a fixed string does not break the security properties of $f_k$.
Conclusion: $F'$ must be a PRF.

Problem 5
Let $P$ be a PRP, meaning that for a uniformly random key $k$, the function $P_k : \{0,1\}^n \to \{0,1\}^n$ is a permutation that is computationally indistinguishable from a truly random permutation when queried forward. In a strong PRP, this property should hold even when the adversary has access to an inversion oracle. However, we will construct a PRP $P'$ such that the inversion oracle leaks information about $k$, making it distinguishable.

Define $P'$ as follows:

$$P'_k(x) = \begin{cases} P_k(x), & \text{if } x \neq 0^n \\ k, & \text{if } x = 0^n \end{cases}$$

This modification ensures that when querying $x = 0^n$, the function directly returns the key $k$.

To confirm that $P'$ is still a PRP, note that:

• $P'$ remains a permutation because it is still bijective; given an output, we can uniquely determine the input.

• For any $x \neq 0^n$, $P'_k(x)$ follows the distribution of $P_k(x)$, maintaining computational indistinguishability.

However, $P'$ is not a strong PRP. A distinguisher $D$ can exploit the inversion oracle to recover $k$ as follows:

1. Query the inversion oracle on any $y$.

2. If $y = k$, the oracle will return $x = 0^n$, revealing $k$.

3. With knowledge of $k$, $D$ can now perfectly compute $P'^{-1}_k(y)$ for any $y$.

Since a strong PRP should be indistinguishable from a random permutation even with inversion queries, this attack breaks the security of $P'$.

Thus, $P'$ is a PRP but not a strong PRP, completing the proof.
