Cryptography 2, Exercises - Computer Science, Exercises of Cryptography and System Security

Prof. Salil Vadhan, Computer Science, Cryptography, NP-easy, Statistical Security, Exercises, Harvard

Typology: Exercises

2010/2011

Uploaded on 10/29/2011

thecoral
thecoral 🇺🇸

4.5

(30)

395 documents

1 / 2

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS 120/CSCI E-177: Introduction to Cryptography
Problem Set 2
Assigned: Oct. 5, 2006 Due: Oct. 11, 2006 (1:10 PM)
Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit
by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.
Problem 1. (Factorization is “NP-easy”)
1. Let L={(x, y)N×N:xhas a factor between 2 and y}. Show that the language Lis in
NP.
2. Show that if Lis in P, then there is a polynomial-time algorithm for integer factorization.
Thus, if P=NP, then factorization is easy.
Problem 2. (Reducing the error of randomized algorithms) Suppose we have randomized
algorithm for computing a function fwhich gives an incorrect answer with probability 1/3, and
we want to reduce its error by repeating it several times and taking a majority vote. Use the
Chernoff Bound to estimate how many repetitions suffice to reduce the error probability to 1/1000.
And to 2k?
Problem 3. (Statistical Security) Recall that (G, E, D) has statistically ε-indistinguishable
encryptions if for every two m1,m2 P and every T C,
|Pr [EK(m1)T]Pr [EK(m2)T]| ε,
where the probabilities are taken over KR
Gand the coin tosses of E.
1. Show that statistical 0-indistinguishability is equivalent to perfect indistinguishability.
For the remaining parts, suppose (G, E, D) has statistically ε-indistinguishable encryptions for
message space P. Below you will prove that the number of keys must be at least (1 ε)· |P|, so
statistical security doesn’t help much to overcome the limitations of perfect secrecy.
2. Call a ciphertext cdecryptable to m P if there is a key ksuch that Dk(c) = m. Prove that
for every two messages m,m0 P ,
Pr [EK(m) is decryptable to m0]1ε,
where the probability is taken over KR
Gand the coin tosses of E.
1
pf2

Partial preview of the text

Download Cryptography 2, Exercises - Computer Science and more Exercises Cryptography and System Security in PDF only on Docsity!

CS 120/CSCI E-177: Introduction to Cryptography

Problem Set 2

Assigned: Oct. 5, 2006 Due: Oct. 11, 2006 (1:10 PM)

Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.

Problem 1. (Factorization is “NP-easy”)

  1. Let L = {(x, y) ∈ N × N : x has a factor between 2 and y}. Show that the language L is in NP.
  2. Show that if L is in P, then there is a polynomial-time algorithm for integer factorization. Thus, if P = NP, then factorization is easy.

Problem 2. (Reducing the error of randomized algorithms) Suppose we have randomized algorithm for computing a function f which gives an incorrect answer with probability ≤ 1 /3, and we want to reduce its error by repeating it several times and taking a majority vote. Use the Chernoff Bound to estimate how many repetitions suffice to reduce the error probability to 1/1000. And to 2−k?

Problem 3. (Statistical Security) Recall that (G, E, D) has statistically ε-indistinguishable encryptions if for every two m 1 , m 2 ∈ P and every T ⊆ C,

|Pr [EK (m 1 ) ∈ T ] − Pr [EK (m 2 ) ∈ T ]| ≤ ε,

where the probabilities are taken over K ←R G and the coin tosses of E.

  1. Show that statistical 0-indistinguishability is equivalent to perfect indistinguishability.

For the remaining parts, suppose (G, E, D) has statistically ε-indistinguishable encryptions for message space P. Below you will prove that the number of keys must be at least (1 − ε) · |P|, so statistical security doesn’t help much to overcome the limitations of perfect secrecy.

  1. Call a ciphertext c decryptable to m ∈ P if there is a key k such that Dk(c) = m. Prove that for every two messages m, m′^ ∈ P,

Pr [EK (m) is decryptable to m′] ≥ 1 − ε,

where the probability is taken over K ←R G and the coin tosses of E.

  1. Show that for every message m ∈ P,

E

[

#{m′^ : EK (m) is decryptable to m′

]

≥ (1 − ε) · |P|,

where again the probability is taken over K and the coin tosses of E. (Hint: for each m′, define a random variable Xm′^ that equals 1 if EK (m) is decryptable to m′, and equals 0 otherwise.)

  1. Conclude that the number of keys must be at least (1 − ε) · |P|.
  2. Explain where this proof fails for computational security.