Cryptography, Winter Term 16/17: Sample Solution To Assignment 4

The document is a sample solution to an assignment on cryptography. It contains solutions to 4 exercises: 1) On CTR mode encryption and indistinguishability from a truly random function. 2) On different encryption schemes and whether they have indistinguishable encryptions and are CPA-secure. 3) The birthday paradox and calculating the probability of two people sharing a birthday in a group of people. 4) For a 365 day calendar, the smallest group size where the probability of shared birthdays exceeds 0.5 is 23 people.

Cryptography, winter term 16/17:
Sample solution to assignment 4

Cornelius Brand, Marc Roth

Exercise 4.1 (Be nice to your tutors and TAs, 1 Bonus Point) Write the name
and matriculation number of every author as well as the number, time slot and the name of
the tutor of your tutorial group on the first page of your solution. Furthermore, write in
English and staple all sheets of your solution.

Exercise 4.2 (CTR mode, 4 Points) Let Π = (Gen, Enc, Dec) be the CTR mode
encryption scheme and let $\tilde{\Pi} = (\widetilde{\mathrm{Gen}}, \widetilde{\mathrm{Enc}}, \widetilde{\mathrm{Dec}})$ be the encryption scheme obtained from
Π by using a truly random function f instead of a pseudorandom function $F_k$.¹ Show
that there is a negligible function negl, such that for any ppt adversary A, it holds that

$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] - \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] \le \mathrm{negl}(n).$$

Solution 4.2 (CTR mode, 4 Points) The proof goes by reduction (or in plain terms,
by contraposition), along the lines of the argument for the corresponding statement in
the proof of Theorem 3.31: Assume the statement from the exercise were false. That is,
for some ppt adversary A,

$$\Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1] - \Pr[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1] > t(n) \qquad (1)$$

for some non-negligible t(n). We want to show how to construct a ppt distinguisher
D contradicting the requirement from the definition of pseudorandom functions, i.e. it
should hold that

$$\Pr[D^{F_k(\cdot)}(1^n) = 1] - \Pr[D^{f(\cdot)}(1^n) = 1] > t(n). \qquad (2)$$

We define the working of the distinguisher D as follows, where D is given access to some
oracle $O : \{0,1\}^n \to \{0,1\}^n$ and receives an input $1^n$.

(1) Run $A(1^n)$, and when $A(1^n)$ queries its oracle to the encryption function for the i-th
time with a message made up from $\ell_i$ message blocks $m_1, \ldots, m_{\ell_i}$, do the following:
(a) Choose a uniform initial value $\mathrm{ctr}_i \in \{0,1\}^n$
(b) Query O for $j = 1, \ldots, \ell_i$ to obtain $y_j := O(\mathrm{ctr}_i + j)$
(c) Return the ciphertext blocks $\langle \mathrm{ctr}_i, c_1, \ldots, c_{\ell_i} \rangle := \langle \mathrm{ctr}_i, y_1 \oplus m_1, \ldots, y_{\ell_i} \oplus m_{\ell_i} \rangle$ to A

(2) Once A outputs the messages $m_0, m_1$ consisting of $\ell^*$ blocks $m_{0,1}, \ldots, m_{0,\ell^*}$ and $m_{1,1}, \ldots, m_{1,\ell^*}$,
respectively, choose a uniform bit $b \in \{0,1\}$ and do the following:
(a) Choose a uniform initial value $\mathrm{ctr}^* \in \{0,1\}^n$
(b) Query O for $j = 1, \ldots, \ell^*$ to obtain $y^*_j := O(\mathrm{ctr}^* + j)$
(c) Return the challenge ciphertext blocks $\langle \mathrm{ctr}^*, c^*_1, \ldots, c^*_{\ell^*} \rangle := \langle \mathrm{ctr}^*, y^*_1 \oplus m_{b,1}, \ldots, y^*_{\ell^*} \oplus m_{b,\ell^*} \rangle$ to A

(3) Answer queries to the encryption oracle as above, until A produces an output bit b'.
Then, output 1 if b = b', and 0 otherwise.

¹ That is to say that $\widetilde{\mathrm{Gen}}$ picks uniformly $f \in \mathrm{Func}_n$ where Gen picks uniformly $k \in \{0,1\}^n$, and $\widetilde{\mathrm{Enc}}$
uses f where Enc uses $F_k$.

We first argue that D is ppt: Each of the above steps clearly only incurs polynomial
overhead for each of the oracle calls from A, and as a ppt adversary, A may only pose
a polynomial number of queries to the encryption oracle and may itself only run in
polynomial time, hence D also runs in polynomial time.
As to why D is in fact a distinguisher, note that D is essentially just the experiment
$\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}$ or $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}$ (depending on which oracle D is given), implemented as an
algorithm, where the oracle queries of A are spelled out step-by-step, with the first step
of key generation in the experiment being simulated by uniformly choosing $k \in \{0,1\}^n$
or $f \in \mathrm{Func}_n$, respectively. This is equivalent since this is also how Gen and $\widetilde{\mathrm{Gen}}$ generate
the keys by definition of CTR. Therefore, by definition of Π and $\tilde{\Pi}$, we have that
$D^{F_k(\cdot)}(1^n)$ and $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n)$ are identically distributed, and $D^{f(\cdot)}(1^n)$ and $\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n)$
are identically distributed, for uniformly chosen f. In other words,

$$\Pr_{k \leftarrow \{0,1\}^n}\left[D^{F_k(\cdot)}(1^n) = 1\right] = \Pr\left[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\Pi}(n) = 1\right],$$
$$\Pr_{f \leftarrow \mathrm{Func}_n}\left[D^{f(\cdot)}(1^n) = 1\right] = \Pr\left[\mathrm{PrivK}^{\mathrm{cpa}}_{A,\tilde{\Pi}}(n) = 1\right].$$

Thus, (2) follows directly from (1).
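The reduction of Solution 4.2 written out as runnable code, as an added example that is not part of the original solution sheet. D is parameterised by the oracle O and by the adversary A; to make its behaviour visible it is run once with a truly random f (sampled lazily) and once with a deliberately non-pseudorandom toy "PRF" $F_k(x) = x \oplus k$ (a constructed assumption) against a key-recovering A, so that D answers 1 with probability 1 in the second case and about 1/2 in the first. The block length of 32 bits is a toy parameter.

```python
import random

N_BITS = 32                      # block length n (toy parameter, constructed for this example)
MASK = (1 << N_BITS) - 1

def make_random_function(rng):
    """A truly random f in Func_n, sampled lazily: each fresh input gets a fresh uniform output."""
    table = {}
    def f(x):
        if x not in table:
            table[x] = rng.getrandbits(N_BITS)
        return table[x]
    return f

def make_weak_prf(rng):
    """Constructed, deliberately NOT pseudorandom 'F_k(x) = x XOR k'; a fresh k per experiment."""
    k = rng.getrandbits(N_BITS)
    return lambda x: x ^ k

def ctr_encrypt(oracle, rng, blocks):
    """Steps (1)(a)-(c) and (2)(a)-(c) of D: CTR mode with the oracle O in place of F_k."""
    ctr = rng.getrandbits(N_BITS)
    return [ctr] + [oracle((ctr + j) & MASK) ^ m for j, m in enumerate(blocks, start=1)]

def key_recovering_adversary(encrypt):
    """A ppt adversary A against CTR mode: with the weak PRF, one query of the zero block
    leaks k, which then decrypts the challenge. Returns (m0, m1, guess function)."""
    ctr, c1 = encrypt([0])
    k_guess = c1 ^ ((ctr + 1) & MASK)        # c1 = F_k(ctr+1) XOR 0 = (ctr+1) XOR k
    m0, m1 = [0x11111111], [0x22222222]      # constructed one-block challenge messages
    def guess(challenge):
        ctr_star, c_star = challenge[0], challenge[1]
        dec = c_star ^ ((ctr_star + 1) & MASK) ^ k_guess
        return 0 if dec == m0[0] else 1
    return m0, m1, guess

def distinguisher(oracle, adversary, rng):
    """D from Solution 4.2: runs PrivK^cpa for A, answering A's encryption queries via O.
    Outputs 1 iff A's guess b' equals the challenge bit b."""
    encrypt = lambda blocks: ctr_encrypt(oracle, rng, blocks)
    m0, m1, guess = adversary(encrypt)
    b = rng.getrandbits(1)
    challenge = encrypt(m1 if b else m0)
    return 1 if guess(challenge) == b else 0

def success_rate(make_oracle, trials=200, seed=1):
    """Fraction of experiments in which D outputs 1, with a fresh oracle per experiment."""
    rng = random.Random(seed)
    return sum(distinguisher(make_oracle(rng), key_recovering_adversary, rng)
               for _ in range(trials)) / trials
```

The gap between the two rates is exactly the quantity on the left of (2): a PRF for which it is non-negligible is not pseudorandom, which is why Π with a genuine PRF inherits CPA-security from $\tilde{\Pi}$.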

Exercise 4.3 (Indistinguishability and CPA-security, 8 Points) Let F be a PRF
and G be a PRG with expansion factor n ↦ n + 1. For each of the following encryption
schemes, decide whether the scheme has indistinguishable encryptions in the presence of
an eavesdropper and whether it is CPA-secure. (In each case, the shared key is a uniform
$k \in \{0,1\}^n$.) Explain your answer.
(a) To encrypt $m \in \{0,1\}^n$, output the ciphertext $m \oplus F_k(0^n)$.
(b) The one-time pad.
(c) To encrypt $m \in \{0,1\}^{n+1}$, choose uniform $r \in \{0,1\}^n$ and output the ciphertext
$\langle r, G(r) \oplus m \rangle$.
(d) To encrypt $m \in \{0,1\}^{2n}$, parse m as $m_1 \| m_2$ with $|m_1| = |m_2| = n$, then choose
uniform $r \in \{0,1\}^n$ and output the ciphertext $\langle r, m_1 \oplus F_k(r), m_2 \oplus F_k(r + 1) \rangle$.

Solution 4.3 (Indistinguishability and CPA-security, 8 Points)

(a) This scheme has indistinguishable encryptions in the presence of an eavesdropper. To
see this, we observe that $F_k(0^n)$ is pseudorandom. The formal proof is similar to the
proof of Theorem 3.18. The scheme is not CPA-secure as encryption is deterministic.

(b) The one-time pad is perfectly indistinguishable, which immediately implies that it
also has indistinguishable encryptions in the presence of an eavesdropper. It is not
CPA-secure as encryption is deterministic.

(c) This scheme does not even have indistinguishable encryptions in the presence of an
eavesdropper, as decryption can be done in polynomial time without knowing the
key: On input $(r, G(r) \oplus m)$, we just compute G(r) and then output $G(r) \oplus (G(r) \oplus m) = m$.
Therefore, it cannot be CPA-secure either.

(d) This scheme is CPA-secure. The proof is similar to the CPA-security proof of CTR
mode with just two blocks. Therefore it has indistinguishable encryptions in the
presence of an eavesdropper as well.

Exercise 4.4 (Birthday paradox, 4 Points) Let k ≤ n. You are in a room with k
people, and everyone is born on one out of n possible dates, i.e., the typical terrestrial
case asks for n = 365 (ignoring leap years). What is, for arbitrary n and k, the probability
that at least two people have the same birthday, assuming that the dates of birth are
uniformly distributed and independent of each other?
Additionally, for n = 365, what is the smallest number of people k such that this
probability is at least 1/2?

Solution 4.4 (Birthday paradox, 4 Points) We consider the complementary event,
namely that each birthday is unique. Formally, we are dealing with a sample space Ω of
size $n^k$, where a single outcome f ∈ Ω is a mapping {1, …, k} → {1, …, n}, assigning
to each of the k individuals one out of the n birthdays. Let U be the set of such mappings
that are injective, so we want to calculate 1 − Pr[U]. Since the outcomes are assumed
to be uniformly distributed, this is just $1 - \frac{|U|}{|\Omega|} = 1 - \frac{|U|}{n^k}$. To compute |U|, notice that
each f ∈ U is uniquely determined by its image f([k]) ⊆ [n] and a permutation of [k]
(i.e., a bijection between f([k]) and [k]), and each such pair of a subset of [n] and a
permutation of [k] determines a unique f ∈ U. There are $\binom{n}{k}$ subsets and k! bijections,
making $|U| = \binom{n}{k} \cdot k! = \frac{n!}{(n-k)!}$, which yields

$$1 - \Pr[U] = 1 - \frac{n!}{n^k\,(n-k)!}.$$

As for the case of n = 365, a quick calculation shows that

$$1 - \frac{364}{365} \cdot \frac{363}{365} \cdots \frac{344}{365} < \frac{1}{2} < 1 - \frac{364}{365} \cdot \frac{363}{365} \cdots \frac{343}{365},$$

so the first k for which this happens is k = 23.
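The "quick calculation" of Solution 4.4 carried out exactly, as an added example that is not part of the original solution sheet. The collision probability is evaluated as the telescoping product $\prod_{i=0}^{k-1}\frac{n-i}{n}$ with exact rationals (the same value as $\frac{n!}{n^k (n-k)!}$ without the huge factorials), the smallest k reaching 1/2 is searched for, and the standard approximation $1 - e^{-k(k-1)/(2n)}$ is included for the large n that matter for hash digests; the latter is an addition beyond the exercise.

```python
from fractions import Fraction
import math

def no_collision_prob(n, k):
    """Pr[U] = n! / (n^k (n-k)!), computed exactly as (n/n)((n-1)/n)...((n-k+1)/n)."""
    if k > n:
        return Fraction(0)       # pigeonhole: more people than dates forces a shared birthday
    p = Fraction(1)
    for i in range(k):
        p *= Fraction(n - i, n)
    return p

def collision_prob(n, k):
    """1 - Pr[U]: probability that at least two of k people share one of n birthdays."""
    return 1 - no_collision_prob(n, k)

def smallest_k(n, threshold=Fraction(1, 2)):
    """Smallest k with collision_prob(n, k) >= threshold; the exercise asks this for n = 365."""
    k = 1
    while collision_prob(n, k) < threshold:
        k += 1
    return k

def collision_prob_approx(n, k):
    """Approximation 1 - exp(-k(k-1)/(2n)) (not in the exercise), usable when the exact
    product over k terms is too slow, e.g. n = 2^b for a b-bit digest."""
    return 1 - math.exp(-k * (k - 1) / (2 * n))

if __name__ == "__main__":
    for k in (22, 23):
        print(k, float(collision_prob(365, k)))
    print("smallest k for n=365:", smallest_k(365))
```

With n = 2^b the same functions give the collision probability among k random b-bit digests, which is why a birthday bound of roughly 2^(b/2) trials governs the required output length of a collision-resistant hash function.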
