PUMaC 2016 · 加试 · 第 5 题

Problem 5.3. (7 points) Prove that the one-time pad cipher (formalized in Problem 4.5) is secure. Problem 5.4. (6 points) (a) (4 points) Recall that x ◦ y denotes the concatenation of x and y (see Section 1). Consider the 8 n 8 following encryption scheme ( G, E, D ) with P = { 0 , 1 } . G generates a key k ∈ { 0 , 1 } n uniformly at random. E encrypts a message m ∈ P by breaking m into 8-bit chunks n m , m , . . . , m and outputting ( m ⊕ k ) ◦ ( m ⊕ k ) ◦ · · · ◦ ( m ⊕ k ). D decrypts a ciphertext c 1 2 n 1 2 n by breaking c into 8-bit chunks c , c , . . . , c and outputting ( c ⊕ k ) ◦ ( c ⊕ k ) ◦ · · · ◦ ( c ⊕ k ). 1 2 n 1 2 n Show that this encryption scheme is insecure. (b) (2 points) Explain why this means that the one-time pad is insecure if the same key is used 14 on multiple messages. 6 Pseudorandom Generators 6.1 What is a Pseudorandom Generator? We’ve discussed why the one-time pad isn’t used much in practice: it is unreasonable to exchange a key that is as long as the message itself (or, in the case of multiple messages, as long as all of the messages put together). In practice, we want our key to be much shorter than the message. So here’s the idea: the one-time pad works by performing a binary xor of the message with as many randomly chosen bits as are in the message. So let’s say our key is in fact a lot shorter than the message. We’re going to give our key as input to some complicated algorithm that will output a longer string than the key itself. But the algorithm is so complicated that the output cannot be realistically distinguished from random bits. If we can accomplish this, then we can simulate a one-time pad and produce a secure encryption scheme. 15 Such an algorithm is called a pseudorandom generator (PRG) and is crucial in creating a secure but feasible encryption scheme. We explore PRGs in this section. 13 It is best to think of this step as a separate algorithm run by A with inputs m , m , and E ( m ). 0 1 k b 14 We haven’t defined security on multiple messages, so your justification need not be rigorous. 15 “Pseudo” is a root word meaning “fake.” This makes sense, because a pseudorandom generator is deterministic, and so it produces an output that looks random but isn’t. PUMaC 2016 Power Round Page 14 ∗ ∗ Definition 6.1.1. H : { 0 , 1 } → { 0 , 1 } is a pseudorandom generator (PRG) if: 16 • H is a polynomial-time algorithm. • There exists a function ` : N → N , called the length extension function of H , such that ` ( n ) > n ∗ for all n and | H ( x ) | = ( | x | ) for all x ∈ { 0 , 1 } . That is, the output of H is longer than the 17 input, and all inputs of the same length have the same output length. • There exists a negligible function neg( n ) such that for all n , for every PPT algorithm D , ∣ [ ]∣ ∣ ∣ Pr [ D ( H ( U )) = 1] − Pr D ( U ) = 1 < neg( n ) , n ( n ) where U denotes a uniformly randomly chosen k -bit string. k Again, let’s try to make sense of this definition. The first idea is that H is an algorithm that takes an input of length n and efficiently and deterministically creates a longer output of length ( n ). But this is easy: H could, for instance, just add a 0 to the end of its input. The crucial component of the definition is thus the third component: there is no efficient way to distinguish the output of H on a random input of length n from a random string of length ( n ). No matter what PPT algorithm D you choose, the probability that it will return 1 given H ( x ) for a random x of length n will be very close to the probability that it will return 1 given a random bit string of length ` ( n ).