

Prof. Salil Vadhan, Computer Science, Cryptography, Exercises, Harvard


Assigned: Sep. 28, 2006 Due: Oct. 4, 2006 (1:10 PM)
Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy in the CS 120 box in the basement of Maxwell Dworkin.
Problem 1. (Expectations)
Problem 2. (Arbitrary Random Choices from Coin Flips) Often we describe randomized algorithms as making random choices from arbitrary sets, but sometimes it will be convenient to assume that we only make use of fair coin tosses (i.e. random bits). Consider the following methods for generating a random number in the interval $\{0, \ldots, N-1\}$. In each, we let $n = \lceil \log_2 N \rceil$ be the bit-length of $N$ and let $b_{n-1} b_{n-2} \cdots b_0$ be the binary representation of $N$ (so $b_{n-1} = 1$).
Output $c_{n-1} c_{n-2} \cdots c_0$ (interpreted as a binary number).
For each of the above methods, (a) say whether its output is uniformly distributed in $\{0, \ldots, N-1\}$, and (b) compute the expected number of coin tosses used. Which method would you prefer if $N$ is a ‘typical’ 128-bit number?
Problem 3. (More examples of perfect secrecy)
Problem 4. (Encrypting Random Data) In class, it was asked if it is easier to achieve security if we know that we are encrypting ‘random data’ rather than English text. In this problem, you will see an example illustrating why we need to be very careful even in this setting.

Because of security concerns, the system administrator Sid Sysop of the Megaware Corporation suggested that certain confidential communications from the CEO to the employees be encrypted using the one-time pad encryption scheme $(G, E, D)$. The problem, of course, is that the one-time pad can only be used once. So the key for the one-time pad is replaced every hour. To do the key refreshing, the new key $k_t \stackrel{R}{\leftarrow} G$ at a given time $t$ is sent to each employee $e$ encrypted using a long-term key $k_e \stackrel{R}{\leftarrow} G$ held by the employee.$^1$

For example, on a given 8-hour workday, Sid generates independent one-time pads $k_1, \ldots, k_8 \stackrel{R}{\leftarrow} G$, and over the course of the day, sends employee Alice the ciphertexts $E_{k_A}(k_1), \ldots, E_{k_A}(k_8)$, where $E$ is the one-time pad encryption algorithm. Over the course of the day, the CEO might send up to 8 messages $m_1, \ldots, m_8$, encrypted as $E_{k_1}(m_1), \ldots, E_{k_8}(m_8)$. Given her key $k_A$, Alice can decrypt the ciphertexts from Sid to obtain the keys $k_1, \ldots, k_8$, which then enable her to decrypt the ciphertexts from the CEO and obtain the messages $m_1, \ldots, m_8$.

Notice that the key $k_A$ is used multiple times, contrary to the usual warnings about the one-time pad. But, reasons Sid Sysop, it is only used to encrypt messages $k_t$ that are chosen uniformly at random. The one-time pad has the property that $E_{k_A}(k_t) = k_t \oplus k_A = E_{k_t}(k_A)$, so by the perfect secrecy of the one-time pad, this ciphertext reveals no information about $k_A$ when $k_t$ is random. Thus, $k_A$ should remain a ‘good key’ and be safe to reuse for encrypting $k_{t+1}$.

Show that, despite Sid’s intuition, this system is actually insecure. Specifically, show how one can gain potentially useful information about the messages $m_1, \ldots, m_8$ from observing the ciphertexts $E_{k_A}(k_1), \ldots, E_{k_A}(k_8), E_{k_1}(m_1), \ldots, E_{k_8}(m_8)$ being sent.

$^1$ Each employee has a different key to ensure that they cannot continue to read the communications after they leave the company.
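A simulation of the key-refresh scheme in Problem 4, added here as an illustration and not part of the original problem set. The function names and the three sample messages are constructed for this example; it shows what can be computed from the transmitted ciphertexts alone when $k_A$ is reused across hours.

```python
import secrets
from itertools import combinations

# Constructed sample plaintexts (not from the problem set), all the same length.
MESSAGES = [b"MERGER ON FRIDAY", b"MERGER ON MONDAY", b"NO NEWS TODAY..."]

def xor(a, b):
    """One-time pad: E_k(m) = m XOR k; decryption is the same operation."""
    if len(a) != len(b):
        raise ValueError("pad and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def run_day(k_A, messages):
    """Sid's scheme: each hour t, Alice is sent E_kA(k_t) and the CEO sends E_kt(m_t)."""
    key_cts, msg_cts = [], []
    for m in messages:
        k_t = secrets.token_bytes(len(k_A))  # fresh, independent hourly pad
        key_cts.append(xor(k_t, k_A))        # E_kA(k_t): long-term key reused
        msg_cts.append(xor(m, k_t))          # E_kt(m_t)
    return key_cts, msg_cts

def alice_decrypt(k_A, key_cts, msg_cts):
    """Alice recovers k_t from E_kA(k_t), then m_t from E_kt(m_t)."""
    return [xor(c, xor(kc, k_A)) for kc, c in zip(key_cts, msg_cts)]

def observer_view(key_cts, msg_cts):
    """Computed from ciphertexts only, no keys.
    u_t = E_kA(k_t) XOR E_kt(m_t) = m_t XOR k_A, so every message is in effect
    padded with the same k_A, and u_s XOR u_t = m_s XOR m_t for any two hours."""
    u = [xor(kc, c) for kc, c in zip(key_cts, msg_cts)]
    return {(s, t): xor(u[s], u[t]) for s, t in combinations(range(len(u)), 2)}

if __name__ == "__main__":
    k_A = secrets.token_bytes(len(MESSAGES[0]))
    key_cts, msg_cts = run_day(k_A, MESSAGES)
    assert alice_decrypt(k_A, key_cts, msg_cts) == MESSAGES
    for (s, t), d in observer_view(key_cts, msg_cts).items():
        # Zero bytes mark positions where the two plaintexts agree.
        print(f"m_{s+1} XOR m_{t+1} = {d.hex()}")
```

Each $k_t$ is uniformly random and used once, yet the pairwise XORs of the plaintexts are exposed, so knowing or guessing one message reveals the others.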