Thank you for using our service. We are a team of language professionals and we are happy to help. However, your request is beyond the scope of what we can provide in this format. If you would like, we can help with specific questions or examples.
Added by Cristina J.
Step 1: Determine the specific question or example that the user needs help with.
Recommended Videos
Let Α = (KeyGen, Enc, Dec) be an encryption scheme having both IND-CPA and IND$-CPA security. From Α define a new encryption scheme Α′ = (KeyGen, Enc′, Dec′), where the key generation algorithm is the same, but where the encryption algorithm Enc′ is defined as Enc′_K(M) = 00 ∥ Enc_K(M), and where Dec′ simply throws away the first two bits of the ciphertext and then calls Dec.

a) Does Α′ have IND-CPA security? If yes, give a justification; if no, describe an adversary and calculate its IND-CPA advantage.

b) Does Α′ have IND$-CPA security? If yes, give a justification; if no, describe an adversary and calculate its IND$-CPA advantage.

c) (Optional): Show that IND$-CPA security implies IND-CPA security.

Hint: Show the contrapositive: IND-CPA insecurity implies IND$-CPA insecurity. Specifically, let A be an adversary that is able to break Α in the IND-CPA sense, then use this to construct an adversary B that is able to break Α in the IND$-CPA sense. The main question is how B should answer A’s E(·) oracle queries using its own access to an E$(·) oracle.

Hint: Let B draw a random bit b_sim. When b_sim = 0, B simply forwards A’s encryption queries to its own E$(·) oracle. What should B do when b_sim = 1?

Hint: The solution to Exercise 9b) in Problem Set 3 might give you some inspiration.
Rachel G.
RC4 is a stream cipher that was widely used for more than thirty years (including TLS). Recently, it was proved that there is some bias in the output, and it is not recommended anymore. However, it has a very simple description and has good properties. It can be interpreted as a (vulnerable) pseudorandom function. We see it next.

It is convenient to describe it in terms of integers. The algorithm has an initial state S = (S_0, …, S_255) ∈ {0, …, 255}^256 that is secret, and evolves during the execution. The initial state is private (it can be seen as the input of the random function) and has the property that S_i ≠ S_j for i ≠ j. That is, S represents a permutation of {0, …, 255}. There is an initial preprocessing of the state (omitted here) with the initialisation i = 0 and j = 0. The output is generated by iterating the following algorithm, obtaining one bit b for each iteration:

i ← (i + 1) mod 256, j ← (j + S_i) mod 256, swap(S_i, S_j), t ← (S_i + S_j) mod 256, b ← S_t.

Consider now the functions F that are variants of RC4 with S = (S_0, …, S_{n−1}) ∈ {0, …, n − 1}^n for some n, defined as follows:

(a) Let F be the function generated by the following algorithm: i ← (i + 1) mod n, b ← S_i. Prove that F is not pseudorandom.

(b) Let F be the function generated by the following algorithm: i ← (i + 1) mod n, j ← (j + S_i) mod n, swap(S_i, S_j), t ← (S_i · S_j) mod n, b ← S_t. Assuming that S_i and S_j are uniformly distributed, prove that F is not pseudorandom. (Hint: Study the distribution of the output of S_i · S_j mod n. Analyze the multiplication table of Z_{2^l}.)
Akash M.
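The hint in part (b) of the RC4 exercise above, carried out numerically as an added example (not part of the original exercise or of any posted solution): it computes the exact distribution of the index t over Z_256 for the additive RC4 rule and for the multiplicative variant, then runs the exercise's loop on a constructed state. The function names and the seeded sample state are assumptions of this example, and it shows only the bias of the internal index t, not the full proof.

```python
import operator
import random
from collections import Counter
from fractions import Fraction

def index_distribution(n, combine):
    """Exact law of t = combine(x, y) mod n for independent uniform x, y in Z_n."""
    counts = Counter(combine(x, y) % n for x in range(n) for y in range(n))
    return {t: Fraction(counts[t], n * n) for t in range(n)}

def distance_from_uniform(dist):
    """Total variation distance between dist and the uniform law on Z_n."""
    n = len(dist)
    return sum(abs(p - Fraction(1, n)) for p in dist.values()) / 2

def prob_even(dist):
    """Probability that the index t is even."""
    return sum(p for t, p in dist.items() if t % 2 == 0)

def even_index_rate(state, rounds, combine):
    """Run the exercise's loop with t = combine(S_i, S_j) mod n; return the share of even t."""
    s, n, i, j, even = list(state), len(state), 0, 0, 0
    for _ in range(rounds):
        i = (i + 1) % n
        j = (j + s[i]) % n
        s[i], s[j] = s[j], s[i]
        t = combine(s[i], s[j]) % n
        even += (t % 2 == 0)
    return even / rounds

N = 256  # n = 2^l with l = 8, the RC4 state size
ADD = index_distribution(N, operator.add)  # index rule of the original RC4 loop
MUL = index_distribution(N, operator.mul)  # index rule of variant (b)
# Constructed sample state: a seeded random permutation, not the output of a key schedule.
SAMPLE_STATE = random.Random(2024).sample(range(N), N)

if __name__ == "__main__":
    print("P[t even]  add:", prob_even(ADD), " mul:", prob_even(MUL))
    print("P[t = 0]   add:", ADD[0], " mul:", MUL[0])
    print("TV distance from uniform  add:", distance_from_uniform(ADD),
          " mul:", distance_from_uniform(MUL))
    print("simulated even-t rate  add:",
          even_index_rate(SAMPLE_STATE, 20000, operator.add),
          " mul:", even_index_rate(SAMPLE_STATE, 20000, operator.mul))
```

A product in Z_{2^l} is odd only when both factors are odd, which is why the multiplicative index lands on an even position three times out of four while the additive index stays uniform.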