

Prof. Salil Vadhan, Computer Science, Cryptography, Merkle Trees, Harvard, Exercises
Typology: Exercises


Assigned: Dec. 7, 2006 Due: FRI Dec. 15, 2006 (1:10 PM)
Justify all of your answers. See the syllabus for collaboration and lateness policies. You can submit by email to ciocan@eecs (please include source files) or by hardcopy to Carol Harlow in MD 343.
Problem 1. (Authentication + Encryption) Let $(G_E, E, D)$ be a private-key encryption scheme secure against chosen plaintext attack and let $(G_M, M, V)$ be a secure message authentication code (i.e. one that is existentially unforgeable under chosen message attack). Alice wants to send Bob a message $m$ in a private and authenticated way. They share a secret key $k = (k_1, k_2)$, where $k_1 \stackrel{R}{\leftarrow} G_E$ and $k_2 \stackrel{R}{\leftarrow} G_M$. Consider her sending each of the following as means to this end. For each, say whether you think it is secure or not, and briefly justify your answer.

In analyzing these, you should assume that the primitives have the properties guaranteed by their definitions, but no more. For an option to be good it must work for every choice of secure encryption scheme and secure authentication scheme. Thus, to show that one is not good, you should find a secure encryption scheme and authentication scheme which make the result insecure. For the cases which are good, you don’t need to give a formal proof, just intuition. Out of all the ones you deemed secure, which would you prefer in terms of performance?

Note that this question is considered in Katz–Lindell §4.7, except that they use security against chosen ciphertext attack as their notion of security for encryption (both for the initial encryption scheme $(G_E, E, D)$ and the combined scheme), which can result in different answers for identical constructions.
Extra credit: Suppose the adversary Eve could determine whether messages corrupted or injected by her are accepted or rejected by Bob. Which of the methods you deemed secure above are still secure?
Problem 2. (Off-line/On-line Signatures) Public-key signatures are quite expensive. The idea of designing off-line/on-line signatures is to split the signing process into two components. The off-line component will prepare some information $\sigma_1$ before the message to be signed is known. This component could be a little slow since it is done off-line. The on-line component is performed after the message $m$ arrives. It uses $\sigma_1$ together with $m$ and the signing key to produce the “final” signature $\sigma$. The on-line signature component should be “fast”.

Let $(G, S, V)$ be a standard secure signature scheme, and let $(G', S', V')$ be a secure one-time signature scheme. The signing and verification keys of the off-line/on-line signature scheme will just be a pair of keys $(sk, pk) \stackrel{R}{\leftarrow} G(1^n)$ for the standard signature scheme. In the off-line phase, we pick the random one-time keys $(sk', pk') \stackrel{R}{\leftarrow} G'(1^n)$ and sign $pk'$ using the standard signing key: $\sigma_1 = S_{sk}(pk')$. In the on-line phase, we use the one-time signature to produce $\sigma_2 \stackrel{R}{\leftarrow} S'_{sk'}(m)$. The overall signature is $\sigma = (\sigma_1, \sigma_2, pk')$.
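The off-line/on-line construction of Problem 2, as an added Python example that is not part of the problem set. Assumptions: Lamport signatures stand in for the one-time scheme $(G', S', V')$, textbook RSA over two fixed Mersenne primes is a toy, insecure stand-in for $(G, S, V)$, and the `verify` check is an assumed verification rule, since the page does not state one.

```python
import hashlib, secrets

def H(b): return hashlib.sha256(b).digest()

# Toy stand-in for the standard scheme (G, S, V): textbook RSA hash-and-sign
# over two fixed Mersenne primes. Assumption for illustration only, NOT secure.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # sk = D, pk = (N, E)

def S(data):                                 # the slow public-key operation
    return pow(int.from_bytes(H(data), "big") % N, D, N)

def V(data, sig):
    return pow(sig, E, N) == int.from_bytes(H(data), "big") % N

# Lamport one-time signatures, standing in for (G', S', V').
def bits(m):
    d = int.from_bytes(H(m), "big")
    return [(d >> i) & 1 for i in range(256)]

def G1():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = b"".join(H(a) + H(b) for a, b in sk)   # 256 pairs of 32-byte hashes
    return sk, pk

def S1(sk, m):                               # reveal one preimage per digest bit
    return [sk[i][b] for i, b in enumerate(bits(m))]

def V1(pk, m, sig):
    return len(sig) == 256 and all(
        H(s) == pk[64 * i + 32 * b: 64 * i + 32 * b + 32]
        for i, (b, s) in enumerate(zip(bits(m), sig)))

def offline():
    """Before m is known: fresh one-time keys and sigma_1 = S_sk(pk')."""
    sk1, pk1 = G1()
    return sk1, pk1, S(pk1)

def online(state, m):
    """After m arrives: hashing only. Each state must be used for one m."""
    sk1, pk1, sigma1 = state
    return sigma1, S1(sk1, m), pk1           # sigma = (sigma_1, sigma_2, pk')

def verify(m, sigma):
    """Assumed check: sigma_1 certifies pk' under pk, sigma_2 signs m under pk'."""
    sigma1, sigma2, pk1 = sigma
    return V(pk1, sigma1) and V1(pk1, m, sigma2)
```

The on-line phase performs no modular exponentiation, which is the performance point of the construction; reusing one off-line state for two messages would break the one-time scheme's guarantee.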
Problem 3. (Merkle Trees)