
Applied Cryptography

Georgia Tech, Fall 2012

Instructor: Chris Peikert


Student: SOLUTIONS

Homework 1

These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 section of Georgia Tech CS 6260). Deviating from this policy will be
considered a violation of the GT Honor Code.
0. Collaboration. Read and abide by the collaboration policy in the course syllabus. (Short version: try the
questions yourself first; write your solutions from scratch; list all your collaborators; do not consult any
external sources except those explicitly allowed.)
1. Is perfect secrecy really perfect? Your friend Vernam is skeptical that perfect secrecy protects an
encrypted message from a (hypothetical) attacker who has unlimited time and computational resources.
He argues that such an attacker could just try to decrypt the ciphertext with every possible key, until it
eventually finds the message. Clearly explain the flaw in Vernam's argument.
Solution: The essential flaw is that many of the keys may yield valid-looking messages, and there
is no intrinsic way to confirm which key (and corresponding message) is the right one. Take for
example the one-time pad, which is perfectly secret. For any given ciphertext $c \in \{0,1\}^n$, decrypting
it under every possible key $k \in \{0,1\}^n$ will yield every possible message $m \in \{0,1\}^n$ (because
message $m$ will result from decrypting under key $k = m \oplus c$). So under Vernam's attack, every
possible message $m$ will arise, with no way of determining which is the correct one. (In fact, by
the definition of Shannon/perfect secrecy, the attacker will not even gain any additional information
about which of the plaintexts are more or less likely to be correct.)
2. The two-time pad. (For this question, you may use as references the ASCII table and any programming
resources you may need.)
For some time now, Eve has been eavesdropping on the conversations between her friends Alice and
Bob. Unfortunately for Eve, they appear to be using a one-time pad to keep their messages secret. Eve
suspects that the plaintexts are English sentences encoded in the standard ASCII character set, and that
the ciphertexts are generated using bitwise exclusive-or (XOR) with the pad. For example, in ASCII the
character a has hexadecimal value 61 (or 01100001 in binary), which when bitwise-XORed with
the hexadecimal pad value 83 (10000011 in binary) yields the hexadecimal ciphertext e2 (11100010
in binary).
Knowing that the one-time pad is hard to use properly, Eve has been storing every ciphertext that Alice
and Bob send to each other, and XORing pairs of them to look for anomalies. One day she notices that a
pair of ciphertexts XOR to a value (shown below in hexadecimal) that appears strange. She suspects
that Alice and Bob may have reused part of their pad, and asks you to recover the plaintexts for her.
03 03 0b 4f 45 5b 48 09 0b 54 54 1b 4f 1d 0d 12 45 57 0c 54 48 00
02 45 4e 2a 19 0b 09 53 00 3a 55 1f 19 15 01 07 45 48 11 17 17 54
0b 5a 55 53 28 05 4b 0a 55 01 55 02 04 44 58 4f 42 00 07 45 49 1b
52 01 00 1f 1c 0a 4f 15 0b 01 1c 00 1e 0e 44 42 1a 08 00 17 0d 04
4c 44 42 48 53 2b 51 11 00 11 06 00 43 54 4f 10 02 45 13 42 01 1a
00 49 0a 11 00

(a) Why has Eve been XORing pairs of ciphertexts? What is strange about the XORed value she has
found, and why might it indicate that Alice and Bob have reused part of their pad?

Solution: Eve is using the property that if two messages $m_1, m_2$ are encrypted with OTP
under the same key $k$, then the XOR of the ciphertexts $c_1 = m_1 \oplus k$ and $c_2 = m_2 \oplus k$ will be
$c_1 \oplus c_2 = m_1 \oplus m_2$. Because the messages are structured (English text in ASCII), the XOR of
two messages will tend to look very non-random. For example, because the characters a–z
and A–Z occupy a small section of the ASCII code, the XOR of any two such characters
will have zeros in two or more of the most-significant bits. By contrast, if two messages are
properly encrypted under independent pads $k_1, k_2$, then the XOR of their ciphertexts will be
uniformly random.
In the XORed value Eve found, at least two of the most-significant bits of each 8-bit byte are
zero, and bits in other positions are much more likely to be 0 than 1. This would be extremely
unlikely if the OTP were used properly, and indicates that a portion of the pad was probably
reused.
Incidentally, this phenomenon is of significant historical importance. The US National Security
Agency's now-declassified project VENONA collected OTP-encrypted messages from the
Soviet Union during World War 2, and via statistical analysis like the one above, found that
pads were often reused (as much as 49% of the time in some years!). This allowed the messages
to be decrypted, which revealed strategically important facts such as the presence and identities
of Soviet spies in the US. See the Wikipedia page on VENONA for more details and references.
(b) Formulate and describe your approach for recovering the messages. They may be time-sensitive, so
your attack should work as efficiently and quickly as possible. (Hint: use the structure of the ASCII
character set as much as you can.)
Solution: The main observation is that once a character of one message is known with high
confidence, the character in the same position of the other message is also known: it is just
the XOR of the known character with the corresponding byte from Eve's string. This lets one
unravel the messages by making educated guesses about unknown characters (using context
and other simple tricks) in one message after the other.
For example, one might guess that the messages begin with salutations, such as "Hi" or "Alice".
Or, having determined part of a word, one might guess its completion, and confirm the guess
by checking whether the corresponding characters in the other message make sense. Another
trick to get started is to find likely locations of spaces and punctuation marks in the messages,
by looking for bytes in which more-significant bits are 1. (For example, the 4th, 5th, and 6th
positions in the above data.) This works because in ASCII, spaces and punctuation marks have
very different bit patterns than alphabetic letters.
Using a simple computer program, one can accelerate the guess-and-check process to discover
the messages quite easily.
(c) Give as much of the plaintexts as you can.
Solution: The full plaintexts are:
Bob, when should we have Eve's surprise party? Make sure to
use our one-time pad so she doesn't find out about it.

Alice, let's have it at noon. I might have reused our pad,
but it's probably no big deal -- Eve won't ever notice.
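The statistical check from part (a) and the guess-and-check of part (b), applied to the XOR value Eve found, as an added example that is not part of the original solutions. The hex bytes are copied from the problem statement above; the cribs are constructed guesses of the kind the solution describes.

```python
# Added example (not part of the original solutions): the analysis in parts
# (a) and (b) run over the XOR of the two ciphertexts, copied from the problem.
# The cribs below are constructed guesses of the kind described in part (b).

XOR = bytes.fromhex(
    "03 03 0b 4f 45 5b 48 09 0b 54 54 1b 4f 1d 0d 12 45 57 0c 54 48 00 "
    "02 45 4e 2a 19 0b 09 53 00 3a 55 1f 19 15 01 07 45 48 11 17 17 54 "
    "0b 5a 55 53 28 05 4b 0a 55 01 55 02 04 44 58 4f 42 00 07 45 49 1b "
    "52 01 00 1f 1c 0a 4f 15 0b 01 1c 00 1e 0e 44 42 1a 08 00 17 0d 04 "
    "4c 44 42 48 53 2b 51 11 00 11 06 00 43 54 4f 10 02 45 13 42 01 1a "
    "00 49 0a 11 00"
)


def top_bits_zero_fraction(x: bytes) -> float:
    """Fraction of bytes below 0x60, i.e. with at least two of the three
    most-significant bits clear.  Uniform random bytes pass with probability
    96/256 = 0.375; the XOR of two ASCII English texts passes nearly always,
    since only an uppercase letter XOR a space reaches 0x60 (part (a))."""
    return sum(1 for b in x if b < 0x60) / len(x)


def space_candidates(x: bytes) -> list:
    """Positions (0-indexed) where a space or punctuation mark is likely.
    letter XOR letter stays below 0x40 (the cases differ only in bit 5),
    while letter XOR space/punctuation sets bit 6, so bit 6 flags them."""
    return [i for i, b in enumerate(x) if b & 0x40]


def crib_drag(x: bytes, crib: bytes, pos: int) -> bytes:
    """If `crib` is one message's text at offset `pos`, return the other
    message's bytes there: m2[i] = (m1 XOR m2)[i] XOR m1[i]."""
    return bytes(x[pos + i] ^ c for i, c in enumerate(crib))


if __name__ == "__main__":
    print(f"{top_bits_zero_fraction(XOR):.3f} of bytes are below 0x60")
    print("space/punctuation candidates:", space_candidates(XOR)[:8])
    # A guessed salutation on one side reveals the other side's salutation.
    print(crib_drag(XOR, b"Bob, ", 0))  # b'Alice'
    # Extending a confirmed fragment keeps unravelling both messages.
    print(crib_drag(XOR, b"Alice, let's have it at noon.", 0))
```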
3. Let $F : \{0,1\}^\ell \times \{0,1\}^m \to \{0,1\}^n$ be a secure PRF. For each of the following function families $F'$,
state whether it is always a secure PRF, never a secure PRF, or might not be a secure PRF.
If always, provide a proof via reduction.
If never, describe the simplest attack you can against $F'$ (that works for any secure $F$), and
analyze it, i.e., give its running time, number of queries, and distinguishing advantage.
If might not be, describe a property that $F$ might have, which would not violate its own PRF
security, but which would make $F'$ insecure, and describe and analyze an attack on $F'$.
In all of the following, $\|$ denotes concatenation of bit strings, $\oplus$ denotes bitwise XOR, and $\bar{x}$ denotes the
bitwise complement of $x$.
(a) $F' : \{0,1\}^\ell \times \{0,1\}^{2m} \to \{0,1\}^n$, defined as $F'_k(x_1 \| x_2) = F_k(x_1 \oplus x_2)$, where $x_1, x_2$ are both
of length $m$.
Solution: $F'$ is never a secure PRF. Consider an adversary $A^O$ that queries its oracle on $0^{2m}$
and then on $x \| x$ for some nonzero $x \in \{0,1\}^m$, and accepts if the two $n$-bit answers are the
same (otherwise it rejects). Clearly $A$ runs in very little time and makes only two queries.
Now in the real world, when $O = F'_k$ for some random key $k$, the adversary always accepts,
because both queries have $x_1 \oplus x_2 = 0^m$ and so both answers equal $F_k(0^m)$.
By contrast, in the ideal world, when $O$ is a uniformly random function, the oracle's two
answers are uniformly random and independent, and hence equal only with probability $2^{-n}$, so
$A$ accepts with that probability. So $A$ has advantage $\mathrm{Adv}^{\mathrm{prf}}_{F'}(A) = 1 - 2^{-n} \geq 1/2$, which is
too large for $F'$ to be considered secure.
(b) $F' : \{0,1\}^\ell \times \{0,1\}^{m-1} \to \{0,1\}^{2n}$, defined as $F'_k(x) = F_k(x \| 0) \| F_k(x \| 1)$.
Solution: $F'$ is always a secure PRF, which we prove by reduction. To prove that $F'$ is
secure, we need to show that every $(t', q')$-bounded adversary $A'$ against $F'$ (for reasonable
$t'$ and $q'$) has small advantage. Letting $A'$ be any such adversary, below we will construct a
$(t \approx t', q = 2q')$-bounded adversary $A$ which uses $A'$ as a subroutine, and will prove that
$$\mathrm{Adv}^{\mathrm{prf}}_{F}(A) = \mathrm{Adv}^{\mathrm{prf}}_{F'}(A').$$
Because $F$ is (assumed to be) a secure PRF, the advantage of $A$ against $F$ must be bounded by
some small $\epsilon$, and therefore so is the advantage of $A'$ against $F'$, as desired.
Recall that $A'$ expects oracle access to a function ($F'_k$ or $U'$) from $\{0,1\}^{m-1}$ to $\{0,1\}^{2n}$, but
that $A$'s oracle $O$ is a function ($F_k$ or $U$) from $\{0,1\}^m$ to $\{0,1\}^n$. The adversary $A^O$ works as
follows:
$A$ runs $A'$ internally, and uses its own oracle $O$ to answer the oracle queries of $A'$ as
follows: whenever $A'$ queries an input $x_i \in \{0,1\}^{m-1}$, $A$ queries $O$ on the two inputs
$x_i \| 0, x_i \| 1 \in \{0,1\}^m$ to get $y_i, y'_i \in \{0,1\}^n$ respectively, and returns $y_i \| y'_i \in \{0,1\}^{2n}$
to $A'$ (as the answer to its query $x_i$).

When $A'$ finally accepts or rejects, $A$ does the same.
We now analyze $\mathrm{Adv}^{\mathrm{prf}}_{F}(A)$. First, if $A$'s oracle $O = F_k$ for a random key $k$ (i.e., the real-world
experiment), then it is easy to see that $A$'s method of answering the queries of $A'$
perfectly simulates oracle access to $F'_k$, and therefore
$$\Pr_k[A^{F_k} \text{ accepts}] = \Pr_k[A'^{F'_k} \text{ accepts}].$$
Whereas if $O$ is a uniformly random function $U : \{0,1\}^m \to \{0,1\}^n$ (i.e., the ideal-world
experiment), then we claim that $A$ simulates oracle access to a uniformly random function
$U' : \{0,1\}^{m-1} \to \{0,1\}^{2n}$ for $A'$. This is because for distinct queries $x_i \in \{0,1\}^{m-1}$, the
queries $x_i \| 0, x_i \| 1$ are all distinct as well, and so $U(x_i \| 0), U(x_i \| 1) \in \{0,1\}^n$ are uniformly
random and independent from all other oracle answers. Hence their concatenation (a $2n$-bit
string) is uniformly random and independent for each distinct query $x_i$. Therefore
$$\Pr_U[A^{U} \text{ accepts}] = \Pr_{U'}[A'^{U'} \text{ accepts}],$$
and so $A$ and $A'$ have the same advantage, as claimed.


(c) $F' : \{0,1\}^\ell \times \{0,1\}^m \to \{0,1\}^n$, defined as $F'_k(x) = \overline{F_k(\bar{x})}$.
Solution: $F'$ is always a secure PRF. As in the previous part, let $A'$ be an arbitrary $(t', q')$-bounded
adversary against $F'$. We will construct a $(t \approx t', q = q')$-bounded adversary $A$ against $F$
for which $\mathrm{Adv}^{\mathrm{prf}}_{F}(A) = \mathrm{Adv}^{\mathrm{prf}}_{F'}(A')$, which will prove the claim.
The adversary $A^O$ works as follows: it internally runs $A'$ and uses its own oracle $O$ to simulate
the oracle that $A'$ expects. When $A'$ queries its oracle on an input $x_i \in \{0,1\}^m$, $A$ queries
$y_i = O(\bar{x}_i)$ and returns $\bar{y}_i$ to $A'$. When $A'$ finally accepts or rejects, $A$ does the same.
We now analyze $\mathrm{Adv}^{\mathrm{prf}}_{F}(A)$. First, if $O = F_k$ for random key $k$, then it is clear that $A$ simulates
oracle access to $F'_k$ for $A'$. Whereas if $O$ is a uniformly random function $U$, then $A$ simulates
oracle access to the function $U'(x) = \overline{U(\bar{x})}$. It is easy to see that $U'$ is also a uniformly random
function, because for distinct queries $x_i$ to $U'$, the queries $\bar{x}_i$ to $U$ are also distinct, so the values
$y_i = U(\bar{x}_i)$ are uniformly random and independent, and hence so are their complements $\bar{y}_i$.
Therefore $A$ and $A'$ have the same advantage, as claimed.
(d) Assume $\ell = m$, and let $F' : \{0,1\}^\ell \times \{0,1\}^m \to \{0,1\}^n$ be defined as $F'_k(x) = F_x(k)$.
Solution: $F'$ might not be a secure PRF. This is because $F$ might have weak key(s), i.e.,
some very rare key(s) for which $F_k$ behaves very non-randomly (i.e., in a way that is easily
distinguishable from truly random). For example, it could be the case that $F_{0^\ell}(x) = 0^n$ for
all $x \in \{0,1\}^m$, but that $F_k$ behaves randomly for other keys $k$. This would not necessarily
violate the assumption that $F$ is a secure PRF, because the probability of choosing the all-0s key
in the real-world game is only $2^{-\ell}$, so an attacker in the PRF distinguishing game would have
only an exponentially small $2^{-\ell}$ chance of being able to exploit the weakness of the all-0s key.

(Formally, one can prove the following, via an easy reduction: if $F$ is a secure PRF, and $\tilde{F}$ is
defined so that $\tilde{F}_{0^\ell}(x) = 0^n$ for all $x$ and $\tilde{F}_k(x) = F_k(x)$ otherwise, then $\tilde{F}$ is also a secure
PRF (which clearly has a weak key as described above). The advantage in distinguishing $\tilde{F}$
from random is only $2^{-\ell}$ larger than the advantage in distinguishing $F$ from random. This can
be formally proved by defining a "bad" event in the real-world experiment, as the event that the
random key $k$ happens to equal $0^\ell$. This proves that it is possible to have a weak key and still
be a PRF.)
If $F$ does indeed exhibit the above behavior ($F_{0^\ell}(x) = 0^n$ for all $x$), then there is a very easy
attack $A$ against $F'$: the attacker $A$ just queries its oracle at $0^\ell$ and accepts if the result is $0^n$;
otherwise it rejects.
Let us analyze the attack: in the real-world game, $O = F'_k$ for some random key $k \in \{0,1\}^\ell$,
and so $O(0^\ell) = F'_k(0^\ell) = F_{0^\ell}(k) = 0^n$. Therefore, the attack always accepts, i.e.,
$$\Pr_{k \in \{0,1\}^\ell}[A^{F'_k} \text{ accepts}] = \Pr_k[F'_k(0^\ell) = 0^n] = 1.$$
By contrast, in the ideal-world game, $O = U$ is a uniformly random function, and so
$$\Pr_U[A^{U} \text{ accepts}] = \Pr_U[U(0^\ell) = 0^n] = 2^{-n}.$$
The attack therefore takes only 1 query, a very small amount of time, and has advantage
$1 - 2^{-n} \geq 1/2$.
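The distinguishers of parts (a) and (d), carried out against a concrete stand-in for the secure PRF $F$, as an added example that is not part of the original solutions. It assumes $F$ is HMAC-SHA256 truncated to $n = 8$ bytes, inputs of $m = 8$ bytes, key length $\ell = m$ for part (d), and a lazily sampled table as the ideal-world random function $U$.

```python
# Added example (not part of the original solutions): the distinguishers of
# parts (a) and (d) run against a concrete stand-in for the secure PRF F.
# Assumed: F = HMAC-SHA256 truncated to n = 8 bytes, m = 8-byte inputs, ell = m.
import hashlib, hmac, os

N, M = 8, 8   # output length n and input/key length m = ell, in bytes

def F(k: bytes, x: bytes) -> bytes:
    """The assumed secure PRF F_k(x)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def F_prime_a(k: bytes, x1x2: bytes) -> bytes:
    """Part (a): F'_k(x1 || x2) = F_k(x1 XOR x2), with |x1| = |x2| = m."""
    x1, x2 = x1x2[:M], x1x2[M:]
    return F(k, bytes(a ^ b for a, b in zip(x1, x2)))

def attack_a(oracle) -> bool:
    """Query 0^{2m} and x || x (x nonzero); accept iff the answers agree."""
    x = b"\x01" * M
    return oracle(bytes(2 * M)) == oracle(x + x)

def F_weak(k: bytes, x: bytes) -> bytes:
    """Part (d): a PRF with one weak key, F~_{0^ell}(x) = 0^n, else F_k(x)."""
    return bytes(N) if k == bytes(M) else F(k, x)

def F_prime_d(k: bytes, x: bytes) -> bytes:
    """Part (d): F'_k(x) = F~_x(k), so the query selects the key."""
    return F_weak(x, k)

def attack_d(oracle) -> bool:
    """Query 0^ell once; accept iff the answer is 0^n."""
    return oracle(bytes(M)) == bytes(N)

def real_oracle(f_prime):
    """Real world: F'_k for a fresh uniformly random key k."""
    k = os.urandom(M)
    return lambda x: f_prime(k, x)

def random_oracle():
    """Ideal world: a lazily sampled uniformly random function U."""
    table = {}
    return lambda x: table.setdefault(x, os.urandom(N))

def advantage(attack, f_prime, trials: int = 100) -> float:
    """Estimate Pr[accept | real] - Pr[accept | ideal] over fresh instances."""
    real = sum(attack(real_oracle(f_prime)) for _ in range(trials))
    ideal = sum(attack(random_oracle()) for _ in range(trials))
    return (real - ideal) / trials
```

With $n = 64$ bits the ideal-world acceptance probability $2^{-n}$ is far too small to observe, so both estimated advantages come out as 1.0.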
