629 字
3 分钟
数据安全与密码学基础 Cheatsheet & Homework
2024-10-16

Reference & Analysis#

Cheatsheet#

我最后尝试画一个知识树

Crypto fundation#

Secure Multi-Party Computation#

Shannon/Perfect Privacy#

One Time pad#

One-way function#

PRG#

PRFs#

PRP#

密码学作业#

第一次作业 One Time Pad & OWF & PRG#

Question 1: A Flawed One-Time Pad#

Description

Consider a variant of the one-time pad with message space {0,1}n\{0, 1\}^n, where nn is an odd integer, and the secret key space is restricted to all nn-bit strings with an even number of 1’s. Construct an efficient adversary that compromises perfect secrecy.

Answer:

Let the key set be denoted by KK: K=i=0n1(ni)=2n1|K|=\sum _{i=0}^{n-1}\binom{n}{i}=2^{n-1}

For any m1m_1 with an odd number of 1’s and any m2m_2 with an even number of 1’s, since nn is odd, we have

Prsk[m1sk=c]={12n1if pop_count(c)≢0mod20if pop_count(c)0mod2\Pr_{sk}[m_1 \oplus sk = c] = \begin{cases} \frac{1}{2^{n-1}} & \text{if } \text{pop\_count}(c) \not\equiv 0 \mod 2\\ 0 & \text{if } \text{pop\_count}(c) \equiv 0 \mod 2 \end{cases}

Similarly,

Prsk[m2sk=c]={12n1if pop_count(c)0mod20if pop_count(c)≢0mod2\Pr_{sk}[m_2 \oplus sk = c] = \begin{cases} \frac{1}{2^{n-1}} & \text{if } \text{pop\_count}(c) \equiv 0 \mod 2\\ 0 & \text{if } \text{pop\_count}(c) \not\equiv 0 \mod 2 \end{cases}

Thus, an adversary can determine the parity (odd or even) of the number of 1’s in the original message by examining the ciphertext cc. This additional information compromises perfect secrecy.

Idea:

The original One-Time Pad encryption and decryption processes are defined as follows:

M={0,1}n=KGen()sk,sk$KEnc(sk,m)=skmDec(sk,c)=skcM = \{0,1\}^n = K \\ \text{Gen}(\cdot) \to sk, sk \overset{\$}{\leftarrow} K\\ \text{Enc}(sk, m) = sk \oplus m \\ \text{Dec}(sk, c) = sk \oplus c

Under the condition that sksk is uniformly random, the probability of encrypting m1m_1 and m2m_2 to the same ciphertext cc is equal, i.e.,

Prsk[m1sk=c]=Prsk[m2sk=c]\Pr_{sk}[m_1 \oplus sk = c] = \Pr_{sk}[m_2 \oplus sk = c]

However, the modification to the definition of KK leads to the issue where

Prsk[m1sk=c]Prsk[m2sk=c] if pop_count(m1)≢pop_count(m2)mod2\Pr_{sk}[m_1 \oplus sk = c] \neq \Pr_{sk}[m_2 \oplus sk = c] \text{ if } \text{pop\_count}(m_1) \not\equiv \text{pop\_count}(m_2) \mod 2

Question 2: One Way Functions vs Pseudorandom Generators#

2.1#

Description

Let GG be a PRG that maps nn bits to 2n2n bits, prove that GG is a (strong) one-way function.

Solution:

The definition of a PRG is that for any algorithm AA, the probability that AA can distinguish between the output of G:{0,1}n{0,1}l(n)G:\{0,1\}^n\to \{0,1\}^{l(n)} (in this problem, l(n)=2nl(n)=2n) on a random input and a truly random string is negligible. Formally,

Prs{0,1}n,rG(s)[A(r)=1]PrrR{0,1}l(n)[A(r)=1]negl(n)|\Pr_{s \leftarrow \{0,1\}^n, r \leftarrow G(s)}[\mathcal A(r)=1]-\Pr_{r \xleftarrow{\mathbb{R}}\{0,1\}^{l(n)}}[\mathcal A(r)=1]| \leq \mathtt{negl}(n)

If GG is not a one-way function, there exists an efficient algorithm A\mathcal A that can invert GG.

Idea:

Assume GPRG[{0,1}n{0,1}2n]G \in \text{PRG}[\{0,1\}^n \to \{0,1\}^{2n}] is not a one-way function, then there exists A0\mathcal A_0 such that

Prx[f(A0(G(x))=G(x)]1poly(n)\Pr_{x}[f(\mathcal A_0(G(x))=G(x)] \geqslant \frac{1}{\text{poly}(n)}

(GG here is essentially the function ff in the definition).

In this scenario, consider

A:{0,1}2n{0,1}A(r)=[G(A0(r))=r]\mathcal A':\{0,1\}^{2n}\to \{0,1\} \mid \mathcal A'(r)=[G(\mathcal A_0(r))=r]

Then,

Prs{0,1}n,rG(s)[A(r)=1]=Prs{0,1}n[G(A0(G(s)))=G(s)]1poly(n)\Pr_{s \leftarrow \{0,1\}^n, r \leftarrow G(s)}[\mathcal A'(r)=1] = \Pr_{s\leftarrow \{0,1\}^n}[G(\mathcal A_0(G(s)))=G(s)] \geqslant \frac{1}{\text{poly}(n)}

and

PrrR{0,1}2n[A(r)=1]PrrR{0,1}2n[s{0,1}n,G(s)=r]=2n22n=12n\Pr_{r \xleftarrow{\mathbb{R}}\{0,1\}^{2n}}[\mathcal A'(r)=1] \leq \Pr_{r\xleftarrow{\mathbb R}\{0,1\}^{2n}}[\exists s\in \{0,1\}^n,G(s)=r] = \frac{2^n}{2^{2n}} = \frac{1}{2^n}

Thus,

Prs{0,1}n,rG(s)[A(r)=1]PrrR{0,1}2n[A(r)=1]1poly(n)12n1poly’(n)\left|\Pr_{s \leftarrow \{0,1\}^n, r \leftarrow G(s)}[\mathcal A'(r)=1]-\Pr_{r \xleftarrow{\mathbb{R}}\{0,1\}^{2n}}[\mathcal A'(r)=1]\right| \geq \left|\frac{1}{\text{poly}(n)}-\frac{1}{2^n}\right| \geq \frac{1}{\text{poly'}(n)}

Since 1poly’(n)negl(n)\frac{1}{\text{poly'}(n)} \neq \mathtt{negl}(n), this contradicts the initial assumption. Therefore, GG is a one-way function.

2.2#

Description

Given that FF is a one-way function, construct a function GG such that:

  • GG is a one-way function.
  • GG is not a pseudorandom generator (PRG).

Solution:

Directly provide the construction: Let

F:{0,1}n{0,1}l(n)F:\{0,1\}^n\to \{0,1\}^{l(n)}

Construct

G:{0,1}n{0,1}l(n)+1G(r)=concat(F(r),{1})G:\{0,1\}^n\to \{0,1\}^{l(n)+1} \mid G(r)=\text{concat}(F(r),\{\mathtt{1}\})

Here, concat\text{concat} denotes the sequential concatenation of two binary sequences. In other words, GG appends a 11 to the end of FF‘s output.

Proof for OWF:

Since FF satisfies

A:{0,1}l(n){0,1}n,PrxR{0,1}n[F(A(F(x)))=F(x)]negl(x)\forall \mathcal A:\{0,1\}^{l(n)}\to \{0,1\}^n, \Pr_{x \xleftarrow{\mathbb R}{} \{0,1\}^{n} }[F(\mathcal A(F(x)))=F(x)] \leqslant \mathtt{negl}(x)

If GG is not OWF, then there exists A0:{0,1}l(n)+1{0,1}n,poly()\mathcal A_0:\{0,1\}^{l(n)+1}\to \{0,1\}^n,\text{poly}(\cdot) such that

PrxR{0,1}n[G(A0(G(x)))=G(x)]1poly(n)\Pr_{x \xleftarrow{\mathbb R}{} \{0,1\}^n}[G(\mathcal A_0(G(x)))=G(x)] \geqslant \frac{1}{\text{poly}(n)}

Then we construct A0:0,1l(n)0,1nA0(r)=A0(concat(r,1))\mathcal A'_0:{0,1}^{l(n)}\to {0,1}^{n} \mid \mathcal {A}'_0(r)=\mathcal A_0(\text{concat}(r,{\mathtt{1}}))

A0\mathcal A_0' satisfies

PrxR{0,1}n[F(A0(F(x)))=F(x)]1poly(n)\Pr_{x \xleftarrow{\mathbb R}{} \{0,1\}^n}[F(\mathcal A_0'(F(x)))=F(x)] \geqslant \frac{1}{\text{poly}(n)}

This contradicts the fact that FF is an OWF.

Proof for not PRG:

Construct

A:{0,1}l(n)+1{0,1}{1rl(n)+1=10rl(n)+1=0\mathcal A'':\{0,1\}^{l(n)+1}\to \{0,1\} \mid \begin{cases}1 & r_{l(n)+1}=1\\ 0 & r_{l(n)+1}=0\end{cases}

Then

Prs{0,1}n,rG(s)[A(r)=1]PrrR{0,1}l(n)+1[A(r)=1]=112=12|\Pr_{s \leftarrow \{0,1\}^n, r \leftarrow G(s)}[\mathcal A(r)=1]-\Pr_{r \xleftarrow{\mathbb{R}}\{0,1\}^{l(n)+1}}[\mathcal A(r)=1]| = 1-\frac{1}{2} = \frac{1}{2}

Clearly, this contradicts the requirement for the PRG definition of being negligible.

In summary, the constructed GG is a One-Way Function but not a PRG.br

数据安全与密码学基础 Cheatsheet & Homework
https://zzw4257.cn/posts/is-pro/密码学/
作者
zzw4257
发布于
2024-10-16
许可协议
CC BY-NC-SA 4.0