
Foundations of Cryptography (CS60088)

Tutorial 5

Satrajit Ghosh

February 11, 2024

1. Let F be a length-preserving pseudorandom function. Prove or disprove (by showing an attack) whether the keyed function F′ is pseudorandom:
(a) F′_k(x) = F_k(x) || F_k(x̄), where F′ : {0, 1}^n × {0, 1}^n → {0, 1}^{2n}.
(b) F′_k(x) = F_k(0||x) || F_k(1||x), where F′ : {0, 1}^n × {0, 1}^{n−1} → {0, 1}^{2n}.
(c) F′_k(x||y) = F_k(x) ∧ F_k(y), where F′ : {0, 1}^n × {0, 1}^{2n} → {0, 1}^n.
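To make the three constructions concrete, the following is an added example (not part of the tutorial sheet): it implements F′ for (a), (b) and (c) on top of a stand-in keyed function F, together with the PRF distinguishing game in which pseudorandomness is measured. HMAC-SHA256 truncated to the block length stands in for the PRF F, blocks are N bytes rather than n bits, and the single prefix bit in (b) becomes a prefix byte; all of these are assumptions of the demo. The distinguisher shown tests the one relation that follows directly from the definition in (a): F′_k(x̄) is F′_k(x) with its halves swapped. Parts (b) and (c) are left for you to analyse with the same harness.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict

N = 16  # block length in bytes; the sheet works in n bits, bytes keep the code readable


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in length-preserving keyed function: HMAC-SHA256 truncated to len(x) bytes.
    Treating it as the PRF F is an assumption of this demo, not part of the exercise."""
    return hmac.new(k, x, hashlib.sha256).digest()[:len(x)]


def complement(x: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in x)


def and_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(p & q for p, q in zip(a, b))


def F_a(k: bytes, x: bytes) -> bytes:
    """(a) F'_k(x) = F_k(x) || F_k(x̄): N bytes in, 2N out."""
    return F(k, x) + F(k, complement(x))


def F_b(k: bytes, x: bytes) -> bytes:
    """(b) F'_k(x) = F_k(0||x) || F_k(1||x). The prefix bit is a prefix byte here,
    so x is N-1 bytes and every inner call to F sees a full N-byte block."""
    if len(x) != N - 1:
        raise ValueError(f"F_b expects {N - 1}-byte inputs")
    return F(k, b"\x00" + x) + F(k, b"\x01" + x)


def F_c(k: bytes, xy: bytes) -> bytes:
    """(c) F'_k(x||y) = F_k(x) AND F_k(y): 2N bytes in, N out."""
    if len(xy) != 2 * N:
        raise ValueError(f"F_c expects {2 * N}-byte inputs")
    return and_bytes(F(k, xy[:N]), F(k, xy[N:]))


class RandomFunction:
    """Lazily sampled truly random function with fixed output length (the ideal side of the game)."""

    def __init__(self, out_len: int):
        self._table: Dict[bytes, bytes] = {}
        self._out_len = out_len

    def __call__(self, x: bytes) -> bytes:
        if x not in self._table:
            self._table[x] = secrets.token_bytes(self._out_len)
        return self._table[x]


def prf_game(construction: Callable[[bytes, bytes], bytes], out_len: int,
             distinguisher: Callable[[Callable[[bytes], bytes]], int], b=None) -> bool:
    """One run of the PRF game: b=1 gives oracle access to the keyed construction under a
    fresh key, b=0 to a random function. Returns True when the distinguisher outputs b."""
    if b is None:
        b = secrets.randbelow(2)
    if b == 1:
        k = secrets.token_bytes(N)
        oracle = lambda x: construction(k, x)
    else:
        oracle = RandomFunction(out_len)
    return distinguisher(oracle) == b


def advantage(construction, out_len, distinguisher, trials: int = 200) -> float:
    """|2 Pr[distinguisher is right] - 1| estimated over independent runs."""
    wins = sum(prf_game(construction, out_len, distinguisher) for _ in range(trials))
    return abs(2 * wins / trials - 1)


def swap_relation_distinguisher(oracle: Callable[[bytes], bytes]) -> int:
    """Two queries, x and x̄. By the definition in (a), F_a(x̄) equals F_a(x) with its two
    halves swapped; a random function satisfies that with probability 2^-(8*2N).
    Output 1 ('keyed construction') when the relation holds, else 0 ('random function')."""
    x = secrets.token_bytes(N)
    left, right = oracle(x), oracle(complement(x))
    return 1 if right == left[N:] + left[:N] else 0


if __name__ == "__main__":
    print("advantage against (a):", advantage(F_a, 2 * N, swap_relation_distinguisher))
```

Swapping in a different `construction` and `distinguisher` reuses the same game; the harness only assumes the construction takes a key and one input block and returns `out_len` bytes.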
2. At PseudoTech Inc., a super employee built a super encryption scheme by encrypting each message twice, to make his company's security system more secure. He takes a symmetric encryption scheme Π = {Gen, Enc, Dec} and designs Π′ = {Gen, Enc′, Dec′}, where Enc′(k, m) = Enc(k, Enc(k, m)). Suppose PseudoTech Inc. has asked you to audit the encryption scheme. As an auditor you have the following jobs:
(a) Describe the decryption algorithm and the correctness of Π′. [1]
(b) Check whether Π′ is IND-CPA secure if Π is IND-CPA secure. If not, propose a solution to fix the issue. [5]
(c) Check whether Π′ is IND-EAV secure if Π is IND-EAV secure. If not, propose a solution to fix the issue. [4]
3. Consider two deterministic fixed-length MAC schemes Π1 = {MAC1, Vrfy1} and Π2 = {MAC2, Vrfy2}. Rumour is that Π1, which is the current standard for MAC, will not remain secure in a post-quantum world¹. Thus researchers at MacSafeChip Ltd. have decided to combine Π1 with a post-quantum secure MAC scheme Π2 by defining Π = {MAC, Vrfy}, where MAC((k1, k2), m) := MAC1(k1, m) ⊕ MAC2(k2, m). The hope is that even if one scheme breaks down in a post-quantum world, the other should still provide meaningful security. Show that Π is existentially unforgeable against chosen-message attack if either Π1 or Π2 is existentially unforgeable against chosen-message attack. [5]
4. Consider an IND-CCA secure symmetric-key encryption scheme Π = {Gen, Enc, Dec} and the following derived encryption scheme:

Enc1(k, m) := (Enc(k, m), Enc(k, m));
Dec1(k, (c1, c2)) := Dec(k, c1) if c1 = c2, and reject otherwise.

Discuss the IND-CCA security of Π1 = {Gen, Enc1, Dec1}: either provide a security proof via an explicit reduction or show an attack. [5]
¹ A world with quantum computers.
5. Consider the Left-or-Right security game (IND-LOR), where the adversary has access to either a left encryption oracle or a right encryption oracle. That is, each oracle query on a pair of messages {m0, m1} returns a ciphertext of m_b for a fixed b ∈ {0, 1}. The adversary, however, does not know whether it is dealing with the left oracle or the right oracle. At the end the adversary has to decide which of the two oracles it was given. Let q be the maximum number of queries allowed on chosen message pairs. The game in this case is called the IND-LOR-q game. The encryption scheme is called IND-LOR-q secure if no PPT adversary can win the IND-LOR-q game with non-negligible advantage.
Prove that an encryption scheme is IND-LOR-1 secure if and only if it is IND-EAV secure. [10]
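The IND-LOR-q game as runnable code, as an added example that is not part of the tutorial sheet. The oracle fixes a hidden bit b, answers each (m0, m1) query with Enc(k, m_b), and enforces the query budget q. Two constructed toy schemes are included so the game has something to run against: a deterministic one (c = k ⊕ m, key reused) and a randomized one (c = r || F_k(r) ⊕ m with fresh r per encryption); HMAC-SHA256 truncated to the block length stands in for the PRF F, which is an assumption of the demo. The sample adversary needs two queries and exploits determinism, which shows in running code why the query budget q matters: with q = 1 the oracle refuses its second query.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable

KEY_LEN = 16  # key, message and PRF block length in bytes for the toy schemes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF: HMAC-SHA256 truncated to KEY_LEN bytes (an assumption of this demo)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:KEY_LEN]


@dataclass
class Scheme:
    """A symmetric scheme (Gen, Enc, Dec) as plain callables."""
    gen: Callable[[], bytes]
    enc: Callable[[bytes, bytes], bytes]
    dec: Callable[[bytes, bytes], bytes]


# Toy scheme 1 (constructed): deterministic, c = k XOR m with the key reused for every message.
DETERMINISTIC = Scheme(
    gen=lambda: secrets.token_bytes(KEY_LEN),
    enc=lambda k, m: xor_bytes(k, m),
    dec=lambda k, c: xor_bytes(k, c),
)


# Toy scheme 2 (constructed): randomized, c = r || (F_k(r) XOR m) with a fresh r per encryption.
def _rnd_enc(k: bytes, m: bytes) -> bytes:
    r = secrets.token_bytes(KEY_LEN)
    return r + xor_bytes(prf(k, r), m)


def _rnd_dec(k: bytes, c: bytes) -> bytes:
    r, body = c[:KEY_LEN], c[KEY_LEN:]
    return xor_bytes(prf(k, r), body)


RANDOMIZED = Scheme(gen=lambda: secrets.token_bytes(KEY_LEN), enc=_rnd_enc, dec=_rnd_dec)


class QueryBudgetExceeded(Exception):
    """Raised when an adversary asks for more than the q queries IND-LOR-q allows."""


class LOROracle:
    """Left-or-right oracle: answers each (m0, m1) query with Enc(k, m_b) for a fixed hidden b."""

    def __init__(self, scheme: Scheme, k: bytes, b: int, q: int):
        self._scheme, self._k, self._b, self._q = scheme, k, b, q
        self.queries = 0

    def __call__(self, m0: bytes, m1: bytes) -> bytes:
        if len(m0) != len(m1):
            raise ValueError("both messages in a pair must have the same length")
        if self.queries >= self._q:
            raise QueryBudgetExceeded(f"IND-LOR-{self._q} allows only {self._q} queries")
        self.queries += 1
        return self._scheme.enc(self._k, m1 if self._b else m0)


def lor_game(scheme: Scheme, adversary: Callable[[LOROracle], int], q: int, b=None) -> bool:
    """One run of IND-LOR-q; returns True if the adversary's output equals the hidden bit b."""
    k = scheme.gen()
    if b is None:
        b = secrets.randbelow(2)
    return adversary(LOROracle(scheme, k, b, q)) == b


def estimate_advantage(scheme: Scheme, adversary, q: int, trials: int = 200) -> float:
    """|2 Pr[win] - 1| estimated over independent runs of the game."""
    wins = sum(lor_game(scheme, adversary, q) for _ in range(trials))
    return abs(2 * wins / trials - 1)


M0 = b"attack at dawn!!"  # constructed 16-byte sample messages
M1 = b"retreat at dusk!"


def repeat_query_adversary(oracle: LOROracle) -> int:
    """Needs q >= 2: ask for (m0, m1), then (m0, m0), and compare the two answers.
    Against a deterministic scheme they coincide exactly when b = 0."""
    c_b = oracle(M0, M1)
    c_left = oracle(M0, M0)
    return 0 if c_b == c_left else 1


if __name__ == "__main__":
    print("deterministic, q=2:", estimate_advantage(DETERMINISTIC, repeat_query_adversary, q=2))
    print("randomized,    q=2:", estimate_advantage(RANDOMIZED, repeat_query_adversary, q=2))
    try:
        lor_game(DETERMINISTIC, repeat_query_adversary, q=1)
    except QueryBudgetExceeded as e:
        print("q=1:", e)
```

An IND-EAV adversary fits the same `adversary(oracle)` interface with q = 1, since it makes exactly one (m0, m1) query and then guesses; that is the shape of adversary the proof in this question has to relate to IND-LOR-1.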
