Problem 2.4, 10 points. Assume a public-key encryption scheme for single-bit messages (i.e. the message space is \{0, 1\}). Show that, given a public key $pk$ and a ciphertext $c$ computed by encrypting a random message $m$ under $pk$, it is possible for an unbounded adversary to determine $m$ with probability 1. (That shows that perfectly-secret public-key encryption is impossible.)
Problem 2.5, 10 points. A company suggests the following hash function. Let $p \ge 3$ be a large prime with respect to which the discrete logarithm problem is intractable in $\mathbb{Z}_p^*$. Let $g_1, g_2 \in \mathbb{Z}_p^*$ be two distinct generators of $\mathbb{Z}_p^*$. Define $H: \mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1} \to \mathbb{Z}_p$ as $H(x_1, x_2) = g_1^{x_1} \cdot g_2^{x_2} \mod p$.
The company claims that this hash function is collision-resistant. Show that they are wrong. Namely, present an algorithm $C$ that given any $p, g_1, g_2$ that satisfy the above conditions, very easily (formally, in time polynomial in $|p|$) outputs $(x_1, x_2), (x_1', x_2')$ such that $(x_1, x_2) \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1}$, $(x_1', x_2') \in \mathbb{Z}_{p-1} \times \mathbb{Z}_{p-1}$ and $H(x_1, x_2) = H(x_1', x_2')$, but $(x_1, x_2) \ne (x_1', x_2')$. Briefly justify your answer.
