首页
网站开发
桌面应用
管理软件
微信开发
App开发
嵌入式软件
工具软件
数据采集与分析
其他
首页
>
> 详细
Cryptography程序讲解、辅导Java,C++,CS编程语言 调试Matlab程序|讲解Processing
项目预算:
开发周期:
发布时间:
要求地区:
Introduction to Modern Cryptography
Problem Set 2
Tom Shrimpton
Due by 11:59pm on 2/23/2021. Also, please include the last name of at least one of your
group members in the .pdf filename. Thanks.
Problem 1. Let Π = (E, D) be an IV-based encryption scheme, with IV-space V and key-space
K, and with fixed ciphertext stretch s ≥ 0. (Thus |EV
K(M)| = |M| + s whenever EVK(M) 6= ⊥.)
Consider the following notion of security that we will call indistinguishability from random bits
under a chosen-plaintext attack (IND$-CPA). Let A be a nonce-respecting adversary that takes
one oracle, has time complexity t, asks q queries, these totalling µ bits in length. Then define the
Expind$-cpa
IND$-CPA advantage of A against Π to be Advind$-cpa
Π
(A) = 2 · Pr h
Expind$-cpa
Π
(A) = 1i
− 1.
(a) Prove the following statement: if Π is IND$-CPA secure, then Π is nonce-IND-CPA secure.
Summarize the result of your proof in a nice theorem statement.
(b) Prove that the converse of this statement is not true. That is, there exists a scheme Π that is
nonce-IND-CPA but not IND$-CPA. (Hint: you can turn any nonce-IND-CPA secure scheme into
a scheme that remains nonce-IND-CPA secure, but is clearly not IND$-CPA secure.)
(c) We’ve shown that CTR-mode achieves nonce-IND-CPA, and (a) and (b) together imply that
IND$-CPA is a strictly stronger security goal. Argue that CTR-mode actually achieves this stronger
goal, and give the advantage bound that you expect. (Hint: revisit the proof that CTR-mode is
nonce-IND-CPA.)
Problem 2. Consider the following instantation of CTR-mode encryption over a function family
E: {0, 1}
k × {0, 1}
n → {0, 1}
n
. To encrypt, E
V
K(M) is defined exactly as in CTR-mode, except that
the inputs to EK are not V k hii, but rather hV + ii where V is an n-bit integer and addition is
mod 2n
. So to encrypt message M = M1M2 · · · Mb (where |Mi
| = n for all i except perhaps i = b),
one returns the ciphertext blocks Ci ← Mi ⊕ EK(hV + ii). Decryption works in the obvious way.
(a) First, show that this version of CTR-mode is not nonce-IND-CPA secure. That is, give an
adversary that gains advantage close to one in the nonce-IND-CPA game, with small q, σ, t. For
your advantage analysis, assume that EK is replaced by a random function ρ (since a break in this
case implies a break in the “real” case).
(b) Second, argue that this version of CTR-mode is iv-IND-CPA secure. That is, it is secure when
the IV is randomly chosen each time CTR-mode is run.
(c) Finally, using parts (a) and (b), come up with a fix! (And no, changing the inputs back to V khii
is not a fix.) Assume that you are stuck with this implementation, i.e. you can only make a library
call to a function that on input (K, V, M) returns a ciphertext computed as above. Your job is to
wrap some crypto around this, so that the resulting scheme is nonce-IND-CPA, i.e., it is secure
when the IV is just a nonce. Prove that your new scheme is nonce-IND-CPA under the assumption
that E is a good PRF. (Hints: (1)Consider using two keys, using one of them for “preprocessing”
prior to calling this implementation of CTR-mode, and one of them for CTR-mode; (2) if you do
it correctly you can reuse (or just appeal to) the proof we did in class for the “good” version of
CTR-mode.)
Problem 3. Let’s talk about the security of CBC mode...
(a) Show that CBC-mode is not, in general, nonce-IND-CPA secure.
(b) Do you think that CBC-mode is iv-IND-CPA secure, i.e., secure when the IV chosen randomly
for each encryption? If so, estimate the advantage bound one would prove, i.e., a bound on the
iv-IND-CPA advantage of CBC-mode as a function of the PRF-advantage an adversary may gain
against the underlying blockcipher. If you think it is not secure, give an attack.
Problem 4. Let Π = (K, E, D) be an IV-based encryption scheme, with IV-space V, that
is a mode-of-operation over an underlying blockcipher E: {0, 1}k × {0, 1}n → {0, 1}n. On input
N ∈ V and M ∈ ({0, 1}n)+, ENK (M) operates as follows. It parses M into n-bit blocks M1, . . . , M`,
sets C0 ← N, and then for all i ∈ {1, 2, . . . , `} it sets Ci ← Ci−1 ⊕ EK(Mi). Finally, it returns
C1 k C2 k · · · k C` as the ciphertext. (Assume that E
N
K (M) = ⊥ for all M /∈ ({0, 1}
n
)
+.) Decryption
occurs in the obvious way.
You are to prove or disprove this claim: if E is a secure PRF, then Π is iv-IND-CPA secure. (That
is, secure when the IV N is randomly sampled prior to encrypting each message.) To disprove the
claim, give a carefully stated, nicely formatted attack on the iv-IND-CPA security of Π. To prove
the claim, give a convincing proof sketch (at least) that E PRF-secure ⇒ Π iv-IND-CPA secure.
2
软件开发、广告设计客服
QQ:99515681
邮箱:99515681@qq.com
工作时间:8:00-23:00
微信:codinghelp
热点项目
更多
代写dts207tc、sql编程语言代做
2024-12-25
cs209a代做、java程序设计代写
2024-12-25
cs305程序代做、代写python程序...
2024-12-25
代写csc1001、代做python设计程...
2024-12-24
代写practice test preparatio...
2024-12-24
代写bre2031 – environmental...
2024-12-24
代写ece5550: applied kalman ...
2024-12-24
代做conmgnt 7049 – measurem...
2024-12-24
代写ece3700j introduction to...
2024-12-24
代做adad9311 designing the e...
2024-12-24
代做comp5618 - applied cyber...
2024-12-24
代做ece5550: applied kalman ...
2024-12-24
代做cp1402 assignment - netw...
2024-12-24
热点标签
mktg2509
csci 2600
38170
lng302
csse3010
phas3226
77938
arch1162
engn4536/engn6536
acx5903
comp151101
phl245
cse12
comp9312
stat3016/6016
phas0038
comp2140
6qqmb312
xjco3011
rest0005
ematm0051
5qqmn219
lubs5062m
eee8155
cege0100
eap033
artd1109
mat246
etc3430
ecmm462
mis102
inft6800
ddes9903
comp6521
comp9517
comp3331/9331
comp4337
comp6008
comp9414
bu.231.790.81
man00150m
csb352h
math1041
eengm4100
isys1002
08
6057cem
mktg3504
mthm036
mtrx1701
mth3241
eeee3086
cmp-7038b
cmp-7000a
ints4010
econ2151
infs5710
fins5516
fin3309
fins5510
gsoe9340
math2007
math2036
soee5010
mark3088
infs3605
elec9714
comp2271
ma214
comp2211
infs3604
600426
sit254
acct3091
bbt405
msin0116
com107/com113
mark5826
sit120
comp9021
eco2101
eeen40700
cs253
ece3114
ecmm447
chns3000
math377
itd102
comp9444
comp(2041|9044)
econ0060
econ7230
mgt001371
ecs-323
cs6250
mgdi60012
mdia2012
comm221001
comm5000
ma1008
engl642
econ241
com333
math367
mis201
nbs-7041x
meek16104
econ2003
comm1190
mbas902
comp-1027
dpst1091
comp7315
eppd1033
m06
ee3025
msci231
bb113/bbs1063
fc709
comp3425
comp9417
econ42915
cb9101
math1102e
chme0017
fc307
mkt60104
5522usst
litr1-uc6201.200
ee1102
cosc2803
math39512
omp9727
int2067/int5051
bsb151
mgt253
fc021
babs2202
mis2002s
phya21
18-213
cege0012
mdia1002
math38032
mech5125
07
cisc102
mgx3110
cs240
11175
fin3020s
eco3420
ictten622
comp9727
cpt111
de114102d
mgm320h5s
bafi1019
math21112
efim20036
mn-3503
fins5568
110.807
bcpm000028
info6030
bma0092
bcpm0054
math20212
ce335
cs365
cenv6141
ftec5580
math2010
ec3450
comm1170
ecmt1010
csci-ua.0480-003
econ12-200
ib3960
ectb60h3f
cs247—assignment
tk3163
ics3u
ib3j80
comp20008
comp9334
eppd1063
acct2343
cct109
isys1055/3412
math350-real
math2014
eec180
stat141b
econ2101
msinm014/msing014/msing014b
fit2004
comp643
bu1002
cm2030
联系我们
- QQ: 9951568
© 2021
www.rj363.com
软件定制开发网!