Prof. Salil Vadhan, Computer Science, Cryptography, Separating Passive and Active Security, Attacks on Round-Reduced AES, Harvard, Exercises
Typology: Exercises
Assigned: Nov. 9, 2006 Due: FRI Nov. 17, 2006 (1:10 PM)
Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.
Problem 1. (Separating Passive and Active Security) In class, we saw that every encryption scheme that satisfies indistinguishability under chosen plaintext attack also satisfies multiple-message indistinguishability. In this problem, you'll see that the converse is false. Let $\{f_k : \{0,1\}^n \to \{0,1\}^n\}_{k \in \{0,1\}^n}$ be a family of pseudorandom functions (for security parameter $n$). Consider a probabilistic encryption scheme over message space $\{0,1\}^n$ where

$E_k(m) = (r,\ f_k(r) \oplus m,\ f_k(0^n))$ if $m \neq f_k(0^n)$,
$E_k(m) = (r,\ f_k(r) \oplus m,\ k)$ if $m = f_k(0^n)$,

where $r \leftarrow_R \{0,1\}^n$ is chosen randomly for each encryption. Prove that this encryption scheme satisfies multiple-message indistinguishability, but is insecure against chosen-plaintext attack.
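The scheme in Problem 1, as an added worked example (not part of the original assignment): the PRF family is instantiated here with HMAC-SHA256 truncated to n bytes, which is an assumption of the example, since the problem only assumes an abstract PRF. The code implements E_k exactly as defined, together with the two-query adaptive chosen-plaintext interaction that distinguishes the active setting from the passive one; the comments explain why a passive adversary who fixes its messages in advance cannot reach the special branch.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # security parameter n, measured in bytes here (constructed choice)


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for f_k(x): HMAC-SHA256 truncated to n bytes. This instantiation is an
    assumption of the example; the problem only assumes an abstract PRF family."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keygen() -> bytes:
    return secrets.token_bytes(N_BYTES)


def encrypt(k: bytes, m: bytes) -> tuple:
    """E_k(m) as defined in Problem 1. The third component normally carries f_k(0^n),
    a value that looks random to anyone without k; the single message m = f_k(0^n)
    is instead tagged with k itself."""
    if len(m) != N_BYTES:
        raise ValueError("message must be exactly n bytes")
    r = secrets.token_bytes(N_BYTES)        # r <-_R {0,1}^n, fresh for every encryption
    special = prf(k, bytes(N_BYTES))        # f_k(0^n)
    tag = k if m == special else special
    return (r, xor(prf(k, r), m), tag)


def decrypt(k: bytes, c: tuple) -> bytes:
    r, body, _tag = c
    return xor(prf(k, r), body)


def cpa_key_recovery(enc_oracle) -> bytes:
    """Chosen-plaintext adversary making two adaptive oracle queries.
    Query 1: any message reveals f_k(0^n) in the third component.
    Query 2: encrypting that value selects the m = f_k(0^n) branch, whose third
    component is k. Adaptivity is essential: a passive adversary who must fix
    its messages before seeing any ciphertext hits f_k(0^n) only with
    probability 2^-n per message, which is the intuition behind the
    multiple-message indistinguishability claim."""
    _, _, leaked = enc_oracle(bytes(N_BYTES))
    _, _, key = enc_oracle(leaked)
    return key
```

Running `cpa_key_recovery(lambda m: encrypt(k, m))` for a freshly generated `k` returns `k`, while `decrypt(k, encrypt(k, m))` returns `m`, so correctness and the chosen-plaintext weakness can both be checked side by side.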
Problem 2. (Secure Identification) Consider the setting where a user needs to log on to a server, and the user and server share a secret key $k \leftarrow_R \{0,1\}^n$ that was selected when the user's account was first created. To avoid having to remember $k$, the user stores it on a PDA or smartcard, which can also perform computations for the user. The traditional way for the user to identify herself to the server is by sending $k$ to the server, which can then verify that it received the correct key. However, an adversary listening in on the communication would learn $k$ and could later impersonate the user. Using pseudorandom functions, design a protocol for identification that does not have this difficulty. That is, even after watching the user identify herself many times, a polynomial-time adversary should not be able to successfully impersonate the user (except with negligible probability). Justify the security of your scheme using the definition of pseudorandom functions.
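The two protocols contrasted in Problem 2, as an added example that is not part of the original assignment: the traditional "send k" login, in which the long-term secret itself crosses the wire, next to a PRF-based challenge-response exchange in which the server sends a fresh random challenge r and the device answers with f_k(r). The PRF is again instantiated with truncated HMAC-SHA256 (an assumption of the example); the `Server` and `Device` classes, the transcript list and the replay check are all constructed here to show both sides' messages and what an eavesdropper is left with.

```python
import hashlib
import hmac
import secrets

N_BYTES = 16  # security parameter n, in bytes (constructed choice)


def prf(k: bytes, x: bytes) -> bytes:
    """PRF stand-in f_k(x): HMAC-SHA256 truncated to n bytes (an assumption of this example)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N_BYTES]


def naive_login(k_user: bytes, k_server: bytes) -> tuple:
    """The traditional protocol from the problem: the user sends k itself.
    Returns (accepted, what an eavesdropper on the wire learns)."""
    accepted = hmac.compare_digest(k_user, k_server)
    return accepted, k_user               # the long-term secret is the message


class Server:
    def __init__(self, k: bytes):
        self._k = k
        self._pending = None

    def challenge(self) -> bytes:
        # Server -> User: a fresh random r, never reused, so old transcripts do not help
        self._pending = secrets.token_bytes(N_BYTES)
        return self._pending

    def verify(self, response: bytes) -> bool:
        # User -> Server: f_k(r); accept iff it matches the server's own evaluation
        if self._pending is None:
            return False
        expected = prf(self._k, self._pending)
        self._pending = None               # one-shot: a challenge answers at most once
        return hmac.compare_digest(expected, response)


class Device:
    """PDA / smartcard holding k; it only ever evaluates f_k on server challenges."""
    def __init__(self, k: bytes):
        self._k = k

    def respond(self, challenge: bytes) -> bytes:
        return prf(self._k, challenge)


def run_session(server: Server, device: Device, transcript: list) -> bool:
    r = server.challenge()
    y = device.respond(r)
    transcript.append((r, y))              # everything a passive eavesdropper observes
    return server.verify(y)


def replay_impersonation(server: Server, transcript: list) -> bool:
    """Adversary without k who watched many sessions. Without the key, the transcript
    only helps if the new challenge repeats an old one, which happens with probability
    at most len(transcript) / 2^n; for an unseen r, PRF security says f_k(r) is
    indistinguishable from a fresh random string, so no better strategy exists."""
    r = server.challenge()
    seen = dict(transcript)
    guess = seen.get(r, bytes(N_BYTES))
    return server.verify(guess)
```

With the shared key, `run_session` succeeds every time while `replay_impersonation` fails even after many observed sessions; a device holding the wrong key is rejected by the same `verify` path, which is the check the identification definition asks for.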
Problem 3. (Modes of Operation) Recall that block ciphers (like AES or DES) are used for encryption via various modes of operation. Certain modes of operation are insecure regardless of the properties of the underlying block cipher.
Problem 4. (Attacks on Round-Reduced AES) In this problem, you will show that AES with a very small number of rounds is insecure. The high-level structure of AES as described in class should suffice for this problem; in particular, the solution does not require an understanding of arithmetic over finite fields. You may find it helpful to read the attacks on round-reduced substitution-permutation networks in KL §5.1. (Note that these attacks refer to the structure shown in Figure 5.1, not 5.2, and that AES does not exactly fit this structure.)