diff --git a/src/eplcommon.sty b/src/eplcommon.sty
index fda9247359d5c0c350018a25aa3d43f563a79b88..5306f713c80e301583b84405aac9ff2149171fba 100644
--- a/src/eplcommon.sty
+++ b/src/eplcommon.sty
@@ -34,8 +34,8 @@
 \newcommand{\imagj}{\mathrm{j}\mkern1mu} % Imaginary unit but with 100% more engineering
 
 % Norm & absolute value, because ||x|| is ugly
-\newcommand{\norm}[1]{\left\lVert#1\right\rVert}
-\newcommand{\abs}[1]{\left\lvert#1\right\lvert}
+\newcommand{\norm}[1]{{\left\lVert#1\right\rVert}}
+\newcommand{\abs}[1]{{\left\lvert#1\right\lvert}}
 
 % Floor and ceil
 \newcommand{\ceil}[1]{\left\lceil#1\right\rceil}
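Review bot: `\abs` still closes with `\right\lvert` on the new line 12, so the right-hand bar carries opening-delimiter spacing; it should be `\newcommand{\abs}[1]{{\left\lvert#1\right\rvert}}` to mirror `\norm`. The extra outer brace pair added to both macros has no comment saying what it is for, and a reader will be tempted to remove it as redundant; a one-liner such as `% outer group keeps the \left…\right construct as a single atom` (stated in whatever terms motivated the change) would prevent that. If this file has mathtools available, `\DeclarePairedDelimiter\abs{\lvert}{\rvert}` gives the same macros with optional sizing and no hand-written `\left`/`\right`.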
diff --git a/src/q7/crypto-MAT2450/eplcrypto.sty b/src/q7/crypto-MAT2450/eplcrypto.sty
new file mode 100644
index 0000000000000000000000000000000000000000..8f50f9ea7f995b61e5346281fab6810f2fe1874a
--- /dev/null
+++ b/src/q7/crypto-MAT2450/eplcrypto.sty
@@ -0,0 +1,53 @@
+\NeedsTeXFormat{LaTeX2e}[1994/06/01]
+\ProvidesPackage{eplcrypto}[2020/01/16 EPL crypto package for cryptography-related courses]
+
+\RequirePackage{mathtools}
+% Encryption
+\newcommand{\A}{\mathcal{A}}
+\newcommand{\Adv}{\ensuremath{\mathcal{A}}}
+\renewcommand{\K}{\mathcal{K}}
+\renewcommand{\C}{\mathcal{C}}
+\newcommand{\M}{\mathcal{M}}
+\newcommand{\D}{\mathcal{D}}
+\renewcommand{\O}{\mathcal{O}}
+\newcommand{\G}{\mathcal{G}}
+\DeclareMathOperator{\Gen}{\mathsf{Gen}}
+\DeclareMathOperator{\Enc}{\mathsf{Enc}}
+\DeclareMathOperator{\Dec}{\mathsf{Dec}}
+\DeclareMathOperator{\Mac}{\mathsf{Mac}}
+\DeclareMathOperator{\Vrfy}{\mathsf{Vrfy}}
+\DeclareMathOperator{\Com}{\mathsf{Com}}
+\DeclareMathOperator{\Open}{\mathsf{Open}}
+\DeclareMathOperator{\Sign}{\mathsf{Sign}}
+\DeclareMathOperator{\Sig}{\mathsf{Sig}}
+\DeclareMathOperator{\PRG}{\mathsf{PRG}}
+\DeclareMathOperator{\F}{\mathsf{F}}
+\DeclareMathOperator{\f}{\mathsf{f}}
+\DeclareMathOperator{\sprp}{\mathsf{sprp}}
+\DeclareMathOperator{\adv}{\mathsf{adv}}
+\DeclareMathOperator{\Gr}{\mathsf{Gr}}
+\DeclareMathOperator{\Ima}{\mathsf{Im}}
+
+
+% Experiments
+\newcommand{\PrivK}{\mathsf{PrivK}}
+\newcommand{\PrivKeav}[1][\A,\Pi]{\PrivK_{#1}^\mathsf{eav}}
+\newcommand{\PrivKmult}[1][\A,\Pi]{\PrivK_{#1}^\mathsf{mult}}
+\newcommand{\PrivKcpa}[1][\A,\Pi]{\PrivK_{#1}^\mathsf{cpa}}
+\newcommand{\PrivKcca}[1][\A,\Pi]{\PrivK_{#1}^\mathsf{cca}}
+\newcommand{\MacForge}{\mathsf{MacForge}}
+\newcommand{\EncForge}{\mathsf{EncForge}}
+\newcommand{\Sigforge}{\mathsf{Sig-forge}}
+
+% Functions
+\newcommand{\negl}{\ensuremath{\epsilon}}
+\newcommand{\define}{\coloneqq}
+\newcommand{\pick}{\ensuremath{\leftarrow}}
+\newcommand{\sample}{\ensuremath{\stackrel{\,{\scriptscriptstyle R}}}{\leftarrow}}
+\newcommand{\bset}{\{0, 1\}}
+
+\newcommand{\Invert}{\mathsf{Invert}}
+\newcommand{\DDH}{\mathsf{DDH}}
+\newcommand{\DLog}{\mathsf{DLog}}
+
+\endinput
\ No newline at end of file
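Review bot: `\sample` (line 67) is mis-braced: the `\ensuremath{…}` group closes right after `\stackrel`'s first argument, so `{\leftarrow}` ends up outside it and `\stackrel` takes the next token of `\ensuremath`'s expansion as its second argument; the intended form is `\newcommand{\sample}{\ensuremath{\stackrel{\,{\scriptscriptstyle R}}{\leftarrow}}}`. The `\renewcommand`s for `\K`, `\C` and `\O` (lines 29, 30, 33) make the package depend on the loading class having defined those names: `\O` is the kernel's Ø glyph and is silently overridden, while `\K` and `\C` will raise "undefined" if a document loads this package under a different class — a `\providecommand{\K}{}` before each `\renewcommand`, or a header comment stating that this package expects the epl classes, would make the dependency explicit. `\A` and `\Adv` both expand to `\mathcal{A}` and `\negl` expands to a bare `\epsilon`; a comment per group (the `% Encryption` label also covers adversary, spaces and oracles) saying which name is the canonical one would help the tp files stay consistent.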
diff --git a/src/q7/crypto-MAT2450/exercises/README.md b/src/q7/crypto-MAT2450/exercises/README.md
deleted file mode 100644
index 2356d39065ab4bbb94dbf085d9fa08bc2f1b89cf..0000000000000000000000000000000000000000
--- a/src/q7/crypto-MAT2450/exercises/README.md
+++ /dev/null
@@ -1,19 +0,0 @@
-Description
-===========
-
-Solutions for the exercises of LMAT2450 at EPL.
-The pdf are available at [EPL-Backup](https://www.dropbox.com/sh/5a1dfg8e17bbgkw/bgVWq1icjf)
-in `Q7/Crypto/APE`.
-
-You can also compile from source.
-In order to do that, clone the repo and run
-
-    make all
-`make release` requires
-[`smartcp`](https://github.com/blegat/smartcp)
-but is not mandatory.
-
-If you do not know Git,
-read the part *Utilisation linéaire de Git* of
-[this tutorial](http://sites.uclouvain.be/SystInfo/notes/Outils/html/git.html)
-written by Benoît Legat.
diff --git a/src/q7/crypto-MAT2450/exercises/biblio.bib b/src/q7/crypto-MAT2450/exercises/biblio.bib
index 77ff81111f674f6db08bdc0842d57e88dbe8de47..5be1e25f5f1e31946a6c5bd0b162a484afdedfe1 100644
--- a/src/q7/crypto-MAT2450/exercises/biblio.bib
+++ b/src/q7/crypto-MAT2450/exercises/biblio.bib
@@ -1,6 +1,7 @@
 @book{katz2007introduction,
   title={Introduction to modern cryptography: principles and protocols},
   author={Katz, Jonathan and Lindell, Yehuda},
-  year={2007},
-  publisher={CRC Press}
+  year={2014},
+  publisher={CRC Press},
+  edition={2}
 }
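Review bot: `edition={2}` will be printed as "2 edition" by the `plain` style the main document selects (`\bibliographystyle{plain}`), because plain.bst appends the word "edition" to the field verbatim; `edition={Second}` is the conventional value for that style. The key is still `katz2007introduction` although the entry now describes the 2014 second edition, so any pinpoint citation written against the first edition (the removed tp1 text had `\cite[p.~84]{katz2007introduction}` and `theorem~10.10`) may no longer point at the right page or theorem; I cannot see the remaining tp files, so those references should be checked.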
diff --git a/src/q7/crypto-MAT2450/exercises/boxes.tex b/src/q7/crypto-MAT2450/exercises/boxes.tex
deleted file mode 100644
index ec7cbf15ee7250b6ef5ddf8ca467d065095f81ff..0000000000000000000000000000000000000000
--- a/src/q7/crypto-MAT2450/exercises/boxes.tex
+++ /dev/null
@@ -1,26 +0,0 @@
-%http://tex.stackexchange.com/questions/107191/indented-box-that-split-in-multiple-pages
-\mdfdefinestyle{mysquare}{%
-  leftmargin=0pt,
-  rightmargin={\dimexpr4pt+2ex\relax},
-  innertopmargin=2\baselineskip,
-  skipabove={\dimexpr0.5\baselineskip+\topskip\relax},
-  skipbelow={\dimexpr0.5\baselineskip+\topskip\relax},
-  singleextra={% Single extra applies when it fits in a single page
-  \path let \p1=(P), \p2=(O)
-    in node[font=\bfseries] at ([yshift=-2ex]0.5*\x1-\x2,\y1) {Solution};
-  \fill[black] ([xshift=2pt,yshift=2pt]P) rectangle ++(1ex,1ex);
-  \fill[black] ([xshift=-2pt,yshift=-2pt]O) rectangle ++(-1ex,-1ex);
-  \fill[black] ([xshift=-2pt,yshift=2pt]O|-P) rectangle ++(-1ex,1ex);
-  \fill[black] ([xshift=2pt,yshift=-2pt]O-|P) rectangle ++(1ex,-1ex);
-  },
-  firstextra={% First extra applies on the first page when it doesn't fit in one page
-  \path let \p1=(P), \p2=(O)
-    in node[font=\bfseries] at ([yshift=-2ex]0.5*\x1-\x2,\y1) {Solution};
-  \fill[fill=black] ([xshift=2pt,yshift=2pt]P) rectangle ++(1ex,1ex);
-  \fill[black] ([xshift=-2pt,yshift=2pt]O|-P) rectangle ++(-1ex,1ex);
-  },
-  secondextra={% First extra applies on the last page when it doesn't fit in one page
-  \fill[fill=black] ([xshift=2pt,yshift=-2pt]O-|P) rectangle ++(1ex,-1ex);
-  \fill[black] ([xshift=-2pt,yshift=-2pt]O) rectangle ++(-1ex,-1ex);
-  }
-}
diff --git a/src/q7/crypto-MAT2450/exercises/crypto-MAT2450-exercises.tex b/src/q7/crypto-MAT2450/exercises/crypto-MAT2450-exercises.tex
index 52b6ae8f5c2ee9eccf226839a90f8c10919a030a..8b632ccee15871cd82ad93e4b2936d00c96b3413 100644
--- a/src/q7/crypto-MAT2450/exercises/crypto-MAT2450-exercises.tex
+++ b/src/q7/crypto-MAT2450/exercises/crypto-MAT2450-exercises.tex
@@ -1,5 +1,7 @@
 \PassOptionsToPackage{shortlabels}{enumitem}
 \documentclass[en,license=none]{../../../eplexercises}
+\usepackage{../eplcrypto}
+\usepackage{tikz}
 
 \usepackage{qtree}
 \usepackage[]{algorithm2e}
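Review bot: `\usepackage{../eplcrypto}` (line 154) will trigger the warning "You have requested package `../eplcrypto', but the package provides `eplcrypto'" on every build, since `\ProvidesPackage{eplcrypto}` does not match the requested name; the `\documentclass{../../../eplexercises}` line already follows the same convention, so this may be accepted project-wide, but it also fixes the working directory the document must be compiled from. A comment such as `% relative paths: compile from this directory (see Makefile)` next to these lines would make that constraint visible. The `\usetikzlibrary` calls a few lines below predate this commit, which suggests tikz was already loaded by the class; if so the new `\usepackage{tikz}` is redundant, though harmless.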
@@ -7,58 +9,20 @@
 \usetikzlibrary{patterns}
 \usetikzlibrary{shapes}
 
-% Encryption
-\renewcommand{\K}{\mathcal{K}}
-\renewcommand{\C}{\mathcal{C}}
-\newcommand{\M}{\mathcal{M}}
-\newcommand{\D}{\mathcal{D}}
-\renewcommand{\O}{\mathcal{O}}
-\newcommand{\G}{\mathcal{G}}
-\DeclareMathOperator{\Gen}{\mathsf{Gen}}
-\DeclareMathOperator{\Enc}{\mathsf{Enc}}
-\DeclareMathOperator{\Dec}{\mathsf{Dec}}
-\DeclareMathOperator{\Mac}{\mathsf{Mac}}
-\DeclareMathOperator{\Vrfy}{\mathsf{Vrfy}}
-\DeclareMathOperator{\Com}{\mathsf{Com}}
-\DeclareMathOperator{\Open}{\mathsf{Open}}
-\DeclareMathOperator{\Sign}{\mathsf{Sign}}
-\DeclareMathOperator{\Sig}{\mathsf{Sig}}
-\DeclareMathOperator{\PRG}{\mathsf{PRG}}
-\DeclareMathOperator{\F}{\mathsf{F}}
-\DeclareMathOperator{\f}{\mathsf{f}}
-\DeclareMathOperator{\sprp}{\mathsf{sprp}}
-\DeclareMathOperator{\adv}{\mathsf{adv}}
-\DeclareMathOperator{\Gr}{\mathsf{Gr}}
-\DeclareMathOperator{\Ima}{\mathsf{Im}}
-
-
-% Experiments
-\newcommand{\PrivKeav}{\mathsf{PrivK}_{\A, \Pi}^{\mathsf{eav}}}
-\newcommand{\PrivKmult}{\mathsf{PrivK}_{\A,\Pi}^\mathsf{mult}}
-\newcommand{\PrivKcpa}{\mathsf{PrivK}_{\A,\Pi}^\mathsf{cpa}}
-\newcommand{\PrivKcca}{\mathsf{PrivK}_{\A,\Pi}^\mathsf{cca}}
-
-% Functions
-\newcommand{\negl}{\ensuremath{\epsilon}}
-
-% Adversary
-\newcommand{\A}{\mathcal{A}}
-\newcommand{\Adv}{\ensuremath{\mathcal{A}}}
-
+\newcommand{\PrivKmultcpa}[1][\A,\Pi]{\PrivK_{#1}^\mathsf{multcpa}}
 % Arithmetic
 \newcommand{\modn}{\, (\text{mod } n)}
-
+\newcommand{\dset}[2]{\{#1,\dots, #2\}}
+\newcommand{\MAC}{\mathsf{MAC}}
+\DeclareMathOperator{\ord}{\mathsf{ord}}
+\newcommand{\PubK}{\mathsf{PubK}}
+\newcommand{\PubKcpa}[1][\A,\Pi]{\PubK^\mathsf{cpa}_{#1}}
+\newcommand{\ComHide}{\mathsf{Com}^\mathsf{hide}}
+\newcommand{\ComBind}{\mathsf{Com}^\mathsf{bind}}
+\newcommand{\HashColl}{\mathsf{HashColl}}
 
 \newcommand{\xor}{\oplus}
 \newcommand{\st}{\text{ s.t. }}
-\renewcommand{\Z}{\mathbb{Z}}
-\DeclareMathOperator{\PrivK}{PrivK}
-\DeclareMathOperator{\MacForge}{MacForge}
-\DeclareMathOperator{\Sigforge}{Sig-forge}
-\DeclareMathOperator{\Invert}{Invert}
-\DeclareMathOperator{\DDH}{DDH}
-\DeclareMathOperator{\DLog}{DLog}
-\newcommand{\PrivKmultcpa}{\PrivK^{\text{multcpa}}}
 \newcommand{\Sigforgeone}{\Sigforge^{\text{1-time}}}
 
 % New commands
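Review bot: `\PrivKmultcpa` (line 201) is defined exactly like the `\PrivKeav`…`\PrivKcca` family that this commit moved into eplcrypto.sty, and `\PubK`, `\PubKcpa`, `\ComHide`, `\ComBind`, `\HashColl` and `\ord` (lines 206–212) are equally generic course notation, so leaving them in this document's preamble undoes part of the centralisation; I would move them next to their siblings in the package. `\MAC` (line 206) also duplicates the package's `\Mac` operator with different typesetting (plain `\mathsf` vs. `\DeclareMathOperator`), which will give two spacings for the same symbol. The removed `\renewcommand{\Z}{\mathbb{Z}}` (line 216) is no longer re-established anywhere visible while the new tp1 text uses `\Z_n`; the old `\renewcommand` implies the class defines `\Z`, but that is worth confirming since a missing definition only surfaces as a compile error inside the tp files.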
@@ -79,13 +43,15 @@
 {\subsection}[hang]{\bfseries\Large}{\thesubsection: }{0.5ex}{}
 
 \hypertitle{Cryptography}{7}{MAT}{2450}
-{Benoît Legat \and Luis Tascon Gutierrez \and Guillaume Gheysen \and Olivier Leblanc}
+{Benoît Legat \and Guillaume Gheysen \and Olivier Leblanc \and Luis Tascon Gutierrez \and Jean-Martin Vlaeminck}
 {François Koeune and Olivier Pereira}
 \newpage
 Special thanks to the assistants Francesco Berti (francesco.berti@uclouvain.be) and Pierrick M\'eaux (pierrick.meaux@uclouvain.be) who gave us the \LaTeX\ code of the statements of the exercises.
 
 Note: I (Luis Tascon Gutierrez) had to merge the \LaTeX\ code of the solution we have written and the code the assistants sent to me and it means that there might still be some typo errors due to commands that were not the same between the two documents.
 
+Note: the distribution of the exercises changes from year to year. Here, the distribution of the year 2019--2020 is indicated.
+
 \input{tp/tp1.tex}
 \newpage
 \input{tp/tp2.tex}
@@ -99,8 +65,13 @@ Note: I (Luis Tascon Gutierrez) had to merge the \LaTeX\ code of the solution we
 \input{tp/tp6.tex}
 \newpage
 \input{tp/tp7.tex}
-
 \newpage
+\input{tp/tp8.tex}
+\newpage
+\input{tp/tp9.tex}
+\newpage
+\input{tp/tp10.tex}
+
 \bibliographystyle{plain}
 \bibliography{biblio}
 
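Review bot: `\input{tp/tp8.tex}` and `\input{tp/tp9.tex}` (lines 250, 252) reference files that do not appear in the part of this diff I can see, whereas tp10.tex is added below; if tp8.tex and tp9.tex are not part of this commit, the build fails with "File `tp/tp8.tex' not found" at this point. A short comment above the `\input` list, e.g. `% one session per file; keep in sync with the tp/ directory`, would also help the next person who renumbers sessions.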
diff --git a/src/q7/crypto-MAT2450/exercises/greyarrow.tex b/src/q7/crypto-MAT2450/exercises/greyarrow.tex
deleted file mode 100644
index 8327ae46bc5170a1ea0ecd8f296865d8d250b7ff..0000000000000000000000000000000000000000
--- a/src/q7/crypto-MAT2450/exercises/greyarrow.tex
+++ /dev/null
@@ -1,50 +0,0 @@
-%http://tex.stackexchange.com/questions/50877/excursus-environment-using-mdframed-issue-with-page-breaks
-\tikzset{
-   excursus arrow/.style={%
-    line width=2pt,
-    draw=gray!40,
-    rounded corners=2ex,
-   },
-   excursus head/.style={
-    fill=white,
-    font=\bfseries\sffamily,
-    text=gray!80,
-    anchor=base west,
-   },
-}
-
-\mdfdefinestyle{mysquare}{%
-  singleextra={%
-   \path let \p1=(P), \p2=(O) in (\x2,\y1) coordinate (Q);%
-   \path let \p1=(Q), \p2=(O) in (\x1,{(\y1-\y2)/2}) coordinate (M);%
-   \path [excursus arrow, round cap-to]%
-   ($(O)+(5em,0ex)$) -| (M) |- %
-   ($(Q)+(12em,0ex)$) .. controls +(0:16em) and +(185:6em) .. %
-   ++(23em,2ex);%
-   \node [excursus head] at ($(Q)+(2.5em,-0.75pt)$) {Solution to Exercise~\theExo};},
-  firstextra={%
-   \path let \p1=(P), \p2=(O) in (\x2,\y1) coordinate (Q);
-   \path [excursus arrow,-to]
-   (O) |- %
-   ($(Q)+(12em,0ex)$) .. controls +(0:16em) and +(185:6em) .. %
-    ++(23em,2ex);
-   \node [excursus head] at ($(Q)+(2.5em,-2pt)$) {Solution to Exercise~\theExo};
-  },
-  secondextra={%
-   \path let \p1=(P), \p2=(O) in (\x2,\y1) coordinate (Q);
-   \path [excursus arrow,round cap-]
-   ($(O)+(5em,0ex)$) -| (Q);
-  },
-  middleextra={%
-   \path let \p1=(P), \p2=(O) in (\x2,\y1) coordinate (Q);
-   \path [excursus arrow](O) -- (Q);
- },
- middlelinewidth=2.5em,middlelinecolor=white,
- hidealllines=true,topline=true,
- innertopmargin=0.5ex,
- innerbottommargin=2.5ex,
- innerrightmargin=2pt,
- innerleftmargin=2ex,
- skipabove=0.87\baselineskip,
- skipbelow=0.62\baselineskip,
-}
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp1.tex b/src/q7/crypto-MAT2450/exercises/tp/tp1.tex
index 8a6a019a3c40f58e50769411db7bc842d01eae68..469f0bb9c9ab5d4a052feec8bafd072d837cc163 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp1.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp1.tex
@@ -1,33 +1,73 @@
+
+
 \section{}
-\subsection{Exercise 1 (Perfect secrecy.)}
+
+\subsection{Exercise 1 (Vigenère)}
+
+You saw in the class the Vigenère encryption scheme.
+Write it formally as $\Pi=(\Gen, \Enc, \Dec)$, with a key of length $t$, with $4 \le t \le 20$.
+
+
+\begin{solution}
+	\begin{itemize}
+		\item $\Gen$: on input $1^t$, pick $t \pick \{4, \dots, 20\}$,
+		then pick $k \pick \dset{0}{25}^t$ and output it as the key.
+		Note that the usual $n$ is here written $t$, as it is the length of the key.
+
+		\item $\Enc$: on input a key $k\in \dset{0}{25}^t$ and a message $m\in \dset{0}{25}^*$ of length $|m|$, construct the ciphertext
+		\[ c = [(m_i + k_{i \mod t}) \mod 26]_{0 \le i \le |m|-1} \]
+		This array-like notation means that we build each character of the ciphertext $c_i$ by adding (modulo $26$) the corresponding character of the plaintext $m_i$ with the component $i \mod t$ of the key.
+		All sequences (the message, the key and the ciphertext) are zero-indexed.
+
+		A more ``mathematical'' approach:
+
+		For $i=1, \dots, \lceil \frac{|m|}{t} \rceil$ do:
+
+		\hspace{20pt}For $j=1, \dots, t$ do:
+
+		\hspace{20pt}\hspace{20pt}$c_{t(i-1)+j} = m_{t(i-1)+j} + k_j \mod 26$
+
+		Return $c_1 || c_2 || \dots || c_{|m|}$.
+
+		This time, the sequences are 1-indexed.
+
+		\item $\Dec$: do the inverse: on input key $k \in \dset{0}{25}^t$ and message $m\in\dset{0}{25}^*$, construct the message
+		\[ m = [(c_i - k_{i \mod t}) \mod 26]_{0 \le i \le |c|-1} \]
+	\end{itemize}
+\end{solution}
+
+
+
+\subsection{Exercise 2 (Perfect secrecy.)}
+
 We define the following encryption scheme for messages, keys and
-ciphertexts in $\mathbb{Z}_n$, where $\mathbb{Z}_n$ is essentially 
+ciphertexts in $\Z_n$, where $\Z_n$ is essentially
 the integers in the interval $[0,n[$ 
-(in fact $(\mathbb{Z}_n,+)$ forms a group):
-\smallskip
+(in fact $(\Z_n,+)$ forms a group):
 \begin{itemize}
   \item $\Gen$ outputs a key $k \in \K$ selected uniformly at random.
-  \item $\Enc_k(m) := k+m \mod n$
-  \item $\Dec_k(c) := c-k \mod n$
+  \item $\Enc_k(m) \define k+m \mod n$
+  \item $\Dec_k(c) \define c-k \mod n$
 \end{itemize}
-\smallskip
+
 Suppose messages are drawn from $\M$ according to the binomial
 distribution. More precisely $M\sim \mathrm{Bi}(n-1,p)$ for some probability $p$ 
 which means that $\forall m\in \M: \Pr[M=m]=\binom{n-1}{m}p^{m}(1-p)^{n-1-m}$.
-\smallskip
+
 \begin{enumerate}
   \item Show that the encryption scheme above is perfectly secret.
   \item Evaluate $\Pr[C=c]$ for every $c \in \C$.
-  \item Evaluate $\Pr[K=k|C=c]$ for every $k\in \K$ and $c\in \C$. 
+  \item Evaluate $\Pr[K=k|C=c]$ for every $k\in \K$ and $c\in \C$.
 \end{enumerate}
 
+
 \begin{solution}
   \begin{enumerate}
     \item
-      We have secret privacy if : $Pr[C = c | M = m_0] = Pr[C = c | M = m_1] $ for every $m_0, m_1 \in \M$ and $c \in \C$.
+      We have perfect secrecy if: $\Pr[C = c | M = m_0] = \Pr[C = c | M = m_1] $ for every $m_0, m_1 \in \M$ and $c \in \C$.
       
       Let $c \in \C$ and $m\in \M$.
-      We have :
+      We have:
       \begin{align*}
         \Pr[C = c | M = m]
         & = \Pr[M + K = c \pmod{n} | M = m]\\
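Review bot: The `\Dec` item (line 354) says it takes "a message $m\in\dset{0}{25}^*$" while the formula right below it decrypts $c$; it should read `on input a key $k \in \dset{0}{25}^t$ and a ciphertext $c\in\dset{0}{25}^*$, construct the message`. Similarly `\Gen` (line 333) is described as taking `$1^t$` and then picking `$t$` from $\{4,\dots,20\}$, so the value being chosen is the one already given as input; writing the input as `$1^n$` (and `$t \pick \dset{4}{20}$` to match line 334) would make the key-length choice well defined. In the subscripts on lines 338 and 355, `k_{i \mod t}` uses `\mod`, which inserts a wide operator space; `\bmod` is the binary form meant here. The `\hspace{20pt}` indentation of the pseudo-code (lines 346–348) could be replaced by the algorithm2e environments the document already loads. The `align*` opened at line 401 continues beyond this hunk.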
@@ -40,15 +80,16 @@ which means that $\forall m\in \M: \Pr[M=m]=\binom{n-1}{m}p^{m}(1-p)^{n-1-m}$.
       \[
         \Pr[C = c | M = m_1] = \Pr[C = c | M = m_2]
       \]
-      for every $c \in \C$ and $m_1,m_2 \in \M$. \\
+      for every $c \in \C$ and $m_1,m_2 \in \M$.
+
       Which means we have perfect secrecy.
     \item
-        Using the the result obtained at last exercice and the equivalent definitions about private secrecy, we can obtain :
+        Using the the result obtained at last exercice and the equivalent definitions about perfect secrecy, we can obtain:
       \begin{align*}
           \Pr[C = c]  & = \Pr[C = c | M = m] \text{ for every } m \in \M \\
           & = \frac{1}{n}
       \end{align*}
-      Other way to solve it (thanks to Benoît Legat) : 
+      Other way to solve it (thanks to Benoît Legat):
       \begin{align*}
         \Pr[C = c]
         & = \sum_{m \in \M} \Pr[\Enc_K(M) = c | M = m] \Pr[M = m]\\
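Review bot: Line 414 keeps the doubled article and the spelling "exercice" while only changing the punctuation: `Using the result obtained in the last exercise and the equivalent definitions of perfect secrecy, we can obtain:`.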
@@ -67,12 +108,16 @@ which means that $\forall m\in \M: \Pr[M=m]=\binom{n-1}{m}p^{m}(1-p)^{n-1-m}$.
 \end{solution}
 
 
-\subsection{Exercise 2 (Negligible functions.)}
+
+\subsection{Exercise 4 (Negligible functions.)}
+
 \begin{enumerate}
 \item Let $f$ be a negligible function in $n$. Show that $g: n \mapsto
   1000\cdot f(n)$ is negligible too.
 \item Show that the function $n \mapsto n^{-\log(n)}$ is negligible in $n$.
 \end{enumerate}
+
+
 \begin{solution}
   \begin{enumerate}
     \item Let $p$ be a polynomial,
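Review bot: The renumbering jumps from Exercise 2 (earlier hunk) to Exercise 4 here, so Exercise 3 is absent from this file; if it was moved to another session, as the "distribution changes from year to year" note in the main document suggests, a comment such as `% Exercise 3 of 2019--2020 is in tp<N>` before this heading would keep the gap from reading as a lost exercise.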
@@ -99,329 +144,59 @@ which means that $\forall m\in \M: \Pr[M=m]=\binom{n-1}{m}p^{m}(1-p)^{n-1-m}$.
       which is a second order polynomial in $\log(n)$.
       Let $r_1,r_2$ be its roots.
       We can take $N = \max(N_1,1,2^{r_1},2^{r_2})$.
-      
-      \textbf{There is an other way to show this}. We know that, f is negligible iff for all positive polynomial p, there exist an N such that for all n$\geq$ N : $ f(n) \leq \frac{1}{p(n)}$.
-      
-      In our case we have $f(n) = n^{-log(n)}$ and we represent any polynomial as $n^c$. Then : 
-          $$n^{-log(n)} \leq n^{-c}$$
-          $$log(n^{-log(n)}) \leq log(n^{-c})$$
-          $$log(n) \geq c $$
-      If we take N = exp(c), then our relation will be respected. As there exist an N where n$\leq$ N in wich the relation is respected, then the function is negligible. 
+
+      \textbf{There is another way to show this}. We know that, f is negligible iff for all positive polynomial p, there exist an N such that for all $n\geq N$: $ f(n) \leq \frac{1}{p(n)}$.
+
+      In our case we have $f(n) = n^{-log(n)}$ and we represent any polynomial as $n^c$. Then:
+      \begin{align*}
+          n^{-\log(n)} \leq n^{-c}
+          \log(n^{-\log(n)}) \leq \log(n^{-c})
+          \log(n) \geq c
+      \end{align*}
+      If we take $N = \exp(c)$, then our relation will be respected. As there exist an N where $n\leq N$ in wich the relation is respected, then the function is negligible.
   \end{enumerate}
 \end{solution}
 
 
-\subsection{Exercise 3 (Efficiency.)}
+
+\subsection{Exercise 5 (Efficiency.)}
+
 Explain why the function that maps $n$ on a sequence of ``$1$'' of length
 $\lfloor \sqrt{n}\rfloor$ cannot be evaluated by any efficient algorithm.
 
 An example of such algorithm is given in Algorithm~\ref{alg1}.
-\begin{algorithm}                        
+\begin{algorithm}
 \begin{algorithmic}
     \REQUIRE $n \geq 0$
     \ENSURE A sequence of $\sqrt{n}$ ``$1$''
     \FOR{$i=0$ to $\lfloor\sqrt{n}\rfloor$}
         \STATE Print `1'
     \ENDFOR
-\end{algorithmic}    
+\end{algorithmic}
 \caption{example of algorithm}
 \label{alg1}      
 \end{algorithm}
 
-Hint: see $n$ as a power of $2$.  
-\begin{solution}
-  An algorithm A is efficient if there exist a PPT p such that : 
-  $$ A(x) \leq p(|x|) $$
-  As we can see from the exercise : 
-  $$A(n) \ = \ \sqrt{n} $$
-  $$ |n| \ = \ log_2(n) \ \textbf{because n is encoded as a binary number} $$
-  But for all PPT p, 
-  \[ \sqrt{n}  >  p(\log_2(n)) \]
-  So the algorithm is not efficient. 
-  
-  \textbf{P.S.} : It would have been efficient if we write the input as $1^n$.
-  
-  \textbf{Other more intuitive approach : }
-  The input $n$ can be expressed under binary form as: $$n = 2^{|n|}$$ 
-  Let's say that $k = |n|$. We know that the algorithm has to do at least $\sqrt{n}$ steps.
-  $$\sqrt{n} = \sqrt{2^k} = 2^{\frac{k}{2}}$$
-  Which is not polynomial.
-\end{solution}
+Hint: see $n$ as a power of $2$.
 
 
-\subsection{Exercise 4 (Security model.)}
-Let $\negl$ denote a negligible function.
-Remember that $\Pi:=\langle \Gen, \Enc, \Dec \rangle$ has \emph{indistinguishable
-multiple encryption in the presence of eavesdroppers} if $\forall$
-PPT $\A$, $\exists$ $\negl$ :
-  $$\Pr[\PrivKmult(n)=1]\leq\frac12+\negl(n) \,,$$
-where $\PrivKmult(n)$ is defined as follows.
-%
-\smallskip
-\begin{enumerate}
-\item   $\A$ outputs $M_0=(m_0^1,\ldots,m_0^t),
-M_1=(m_1^1,\ldots,m_1^t)$
-\item Choose $k \leftarrow \G(1^n)$ and $b \leftarrow \{0,1\}$, and send
-  $(\Enc_k(m_b^1),\ldots,\Enc_k(m_b^t))$ to $\A$
-\item $\A$ outputs $b'$
-\item Define $\PrivKmult(n):=1$ iff $b=b'$
-\end{enumerate}
-%
-\smallskip
-Also remember that $\Pi:=\langle \Gen, \Enc, \Dec \rangle$ has \emph{indistinguishable
-encryption under a chosen-plaintext attack} if $\forall$ PPT $\A$,
-$\exists$ $\negl$ :
-  $$\Pr[\PrivKcpa(n)=1]\leq\frac12+\negl(n) \,,$$
-where $\PrivKcpa(n)$ is defined as follows.
-\smallskip
-\begin{enumerate}
-  \item Choose $k\leftarrow \Gen(1^n)$
-  \item \textbf{$\A$ is given oracle access to $\Enc_k(\cdot)$}
-  \item $\A$ outputs $m_0, m_1 \in \M$
-  \item Choose $b\leftarrow\{0,1\}$ and send $\Enc_k(m_b)$ to $\A$
-  \item \textbf{$\A$ is again given oracle access to $\Enc_k(\cdot)$}
-  \item $\A$ outputs $b'$
-  \item Define $\PrivKcpa(n):=1$ iff $b=b'$
-\end{enumerate}
-\smallskip
-
-Define the concept of indistinguishable \emph{multiple} encryption under a chosen-plaintext attack.
-
-\begin{solution}
-%Sending it once (in a vector) or with a loop is exactly the same, so I think only one definition is sufficient...
-  Two definition can be proposed.
-  The first one is the one given in the reference \cite[p.~84]{katz2007introduction}.
-
-  Both are equally good since it can be proven they are equivalent to the definition of indistinguishably of a \emph{single} encryption
-  under CPA.
-  Proving that if $\Pi$ has indistinguishable \emph{multiple} encryption under CPA then it also has indistinguishable \emph{single} encryption
-  is trivial.
-  The other way is quite tricky.
-  However in public key cryptosystems, CPA is the same than EAV since $\A$ has the public key and can therefore oracle access to $\Enc$.
-  There is therefore the same property in asymmetric crypto for EAV than for symmetric crypto with CPA.
-  This is stated by the \cite[theorem~10.10]{katz2007introduction} which is proven.
-  The proof is very similar to the proof we have to make to show the equivalence so if you are in doubt, just check it out.
-
-  \begin{enumerate}
-
-    \item
-      $\Pi := \langle\Gen, \Enc, \Dec\rangle$ has indistinguishable \emph{multiple} encryption under a chosen-plaintext attack
-      if $\forall$ PPT $\A$, $\exists \epsilon$:
-      \[ \Pr[\PrivKmultcpa_{\A,\Pi}(n) = 1] \leq \frac{1}{2} + \epsilon(n), \]
-      where $\PrivKmultcpa_{\A,\Pi}(n)$ is defined as follows.
-      \begin{enumerate}
-        \item Choose $k \leftarrow \Gen(1^n)$
-        \item $\A$ is given oracle access to $\Enc_k(\cdot)$
-        \item $\A$ outputs $M_0 = (m_0^1, \ldots, m_0^t)$, $M_1 = (m_1^1, \ldots, m_1^t)$
-        \item Choose $b \leftarrow \{0,1\}$, and send $(\Enc_k(m_b^1), \ldots, \Enc_k(m_b^t))$ to $\A$
-        \item $\A$ is again given oracle access to $\Enc_k(\cdot)$
-        \item $\A$ outputs $b'$
-        \item Define $\PrivKmultcpa_{\A,\Pi}(n) := 1$ iff $b = b'$
-      \end{enumerate}
-	
-
-    \item
-      $\Pi := \langle\Gen, \Enc, \Dec\rangle$ has indistinguishable \emph{multiple} encryption under a chosen-plaintext attack
-      if $\forall$ PPT $\A$, $\exists \epsilon$:
-      \[ \Pr[\PrivKmultcpa_{\A,\Pi}(n) = 1] \leq \frac{1}{2} + \epsilon(n), \]
-      where $\PrivKmultcpa_{\A,\Pi}(n)$ is defined as follows.
-      
-      \begin{enumerate}
-        \item Choose $k \leftarrow \Gen(1^n)$
-        \item $\A$ is given oracle access to $\Enc_k(\cdot)$
-        \item Choose $b \leftarrow \{0,1\}$
-        \item For $k' \in \{1, \ldots, t\}$
-          \begin{enumerate}
-            \item $\A$ outputs $(m_0^{k'}, m_1^{k'})$
-            \item Send $\Enc_k(m_b^{k'})$ to $\A$
-            \item $\A$ is again given oracle access to $\Enc_k(\cdot)$
-          \end{enumerate}
-        \item $\A$ outputs $b'$
-        \item Define $\PrivKmultcpa_{\A,\Pi}(n) := 1$ iff $b = b'$
-      \end{enumerate} 
-  \end{enumerate}
-\end{solution}
-
-
-\subsection{Exercise 5 (Pseudorandomness.)}
-Let $F: \{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}^*$ be a
-(length-preserving) pseudorandom function, that is, if $k$ is selected
-uniformly at random in $\{0,1\}^n$, then $F_k(\cdot)$ is
-computationnaly indistinguishable from a function $f$ selected randomly in the set of
-functions from $\{0,1\}^n$ to $\{0,1\}^n$. More formally, $\forall$ PPT $D$, $\exists$ negl. $\negl$:
-$$\left|\Pr[D^{F_k(\cdot)}(1^n)=1]-\Pr[D^{f(\cdot)}(1^n)=1]\right|\leq\negl(n)$$
-
-Show that F cannot seem random in front of an adversary who has an unbounded computational power, 
-in the sense that she can distinguish it from a random function.
-\begin{solution}
-  There are $|\{0,1\}^n|^{|\{0,1\}|^n} = {2^n}^{2^n}$ function from $\{0,1\}^n$ to $\{0,1\}^n$.
-  However, since there are only $2^n$ different $k$, $F_k$ can only be $2^n$ different functions.
-  If the distinguisher $D^g$ is unbounded, he can just check the output of $g$ for every possible input and for all $k \in \{0,1\}^n$, he can check if it has the same output of $g$.
-  If it has the same output of $F_k$ for at least one $k$, then $D^g(1^n) = 1$, else $D^g(1^n) = 0$.
-  More formally
-  \[
-    D^g(1^n) \overset{\Delta}{=} 
-    \left\{ \begin{array}{rl} 
-        1 & \mbox{if }\exists k \in \{0,1\}^n, \forall m \in \{0,1\}^n, F_k(m) = g(m)\\
-		0 & \mbox{otherwise.}\\
-    \end{array} \right.
-  \]
-  We can see that
-  \[ \Pr[D^{F_k}(1^n) = 1] = 1 \]
-  for all $k \in \{0,1\}^n$.
-  Since there could be $k_1,k_2$ such that $F_{k_1}(m) = F_{k_2}(m)$ for all $m \in \{0,1\}^n$,
-  \[ |\{f : \{0,1\}^n \to \{0,1\}^n | \exists k \in \{0,1\}^n, \forall m \in \{0,1\}^n f(m) = F_k(m) \}| \leq 2^n. \]
-  Therefore
-  \[ \Pr[D^{f}(1^n) = 1] \leq \frac{2^n}{{2^n}^{2^n}} = {2^n}^{(1-2^n)}. \]
-\end{solution}
-
-
-\subsection{Exercise 6 (Reduction.)}
-Let $\Pi=\langle \Gen,\Enc,\Dec\rangle$ be an encryption scheme having
-indistinguishable encryption under a chosen plaintext attack. Suppose we
-define a new scheme $\Pi':=\langle \Gen',\Enc',\Dec'\rangle$ as follows.
-\smallskip
-\begin{itemize}
-  \item $\Gen':=\Gen$
-  \item $\Enc_k'(m):=\Enc_k(m)||1$ (i.e. a `1' bit is appended to the ciphertext)
-  \item $\Dec_k'(c):=\Dec_k(c_1)$, where $c_1$ is obtained by discarding the last bit of $c$.
-\end{itemize}
-\smallskip
-Is $\Pi'$ also a CPA secure encryption scheme? Provide either an (efficient) attack/adversary
-or a (polynomial) reduction, depending on your claim.
-
 \begin{solution}
-  $\Pi$ is a secure encryption scheme under CPA. $\Pi$ is public, only the key is hidden from $\A$. Adding a 1 at the end will just give no information to $\A$.
+  An algorithm A is efficient if there exist a PPT p such that:
+  \[ A(x) \leq p(|x|) \]
+  As we can see from the exercise:
+  \[A(n) \ = \ \sqrt{n} \]
+  \[ |n| \ = \ \log_2(n) \textbf{ because n is encoded as a binary number} \]
+  (Here, the vertical bars don't represent the absolute value, but the ``length'' of the number.)
+  But for all PPT p,
+  \[ \sqrt{n}  >  p(\log_2(n)) \]
+  So the algorithm is not efficient.
 
-  %To prove it rigorously, we can prove that ``if $\Pi'$ is insecure then $\Pi$ is insecure'' since it is the contraposition of ``if $\Pi$ is secure then $\Pi'$ is secure''. % Perso je trouve la formulation rend confus
-  This proof methodology is called ``reduction''.
-  
-    %TODO define more clearly the interface with the adversary and with the oracle
-  Let $\C$ be the challenger trying to break $\Pi$ and an efficient adversary $\A$ that can break $\Pi'$ with a non-negligible probability. $\O$ is the oracle that gives the challenge to break the scheme $\Pi$.
-  \begin{enumerate}
-    \item $\O$ is given $1^n$ as input as $\C$ that will transmit it to $\A$.
-    \item First query phase:
-      \begin{itemize}
-        \item $\A$ outputs $m_i$ as message to $\C$.
-        \item $\C$ outputs $m_i$ as message to $\O$.
-        \item $\O$ outputs $c_i = Enc_k(m_i)$ as message to $\C$.
-        \item $\C$ sends back $c_i||1$ to $\A$.
-      \end{itemize}
-    \item Challenge phase:
-      \begin{itemize}
-        \item $\A$ outputs $m_0^\ast, m_1^\ast$ to $\C$.
-        \item $\C$ outputs $m_0^\ast, m_1^\ast$ as message to $\O$.
-        \item $\O$ choose randomly $b \leftarrow \{0,1\}$.
-        \item $\O$ outputs $c^\ast = Enc_k(m_b^\ast)$ to $\C$.
-        \item $\C$ sends back $c^\ast||1$ to $\A$.
-      \end{itemize}
-    \item Second query phase: same as the first one.
-    \item $\A$ outputs $b'$ to $\C$.
-    \item $\C$ outputs $b'$.
-  \end{enumerate}
-  We have:
-  $$Pr[b'=b] = Pr[\A \text{ wins over } \Pi']$$
-  If $\A$ has a non-negligible probability to win against the $\Pi'$ scheme then $\C$ has also a non negligible probability to win against the $\Pi$ scheme. We can conclude that $\Pi'$ is also a secure scheme.
-\end{solution}
-
-\subsection{Exercise 7 (Reduction and/or attacks.)}
-Let $\Pi_1=\langle \Gen^1,\Enc^1,\Dec^1\rangle$ and $\Pi^2=\langle \Gen^2,\Enc^2,\Dec^2\rangle$ be an encryption scheme with $\Enc^1:\mathcal{K}\times \mathcal{M}^1 \longmapsto \mathcal{C}^1$ and $\Enc^2:\mathcal{K}\times \mathcal{M}^2 \longmapsto \mathcal{C}^2$ 
-\begin{enumerate}
-\item[a] If $\mathcal{C}^1 = \mathcal{M}^2$, let $\Pi=\langle \Gen,\Enc,\Dec\rangle$ with
-\begin{itemize}
-  \item $\Gen:=(\Gen_1,\Gen_2)$ (that is, we obtain two different keys $(k_1,k_2)$
-  \item $\Enc_{(k_1,k_2)}(m):=\Enc_{k_2}^2(\Enc^1_{k_1}(m))$ 
-  \item $\Dec_{(k_1,k_2)}(c):=\Dec^1_{k_1}(\Dec^2_{k_2}(c))$ 
-\end{itemize}
-\smallskip
-\item If $\Pi^1$ is CPA secure, is it $\Pi$ CPA secure?
-\item If $\Pi^2$ is CPA secure, is it $\Pi$ CPA secure? 
-\item If $\Pi$ is CPA secure, is it $\Pi^1$ CPA secure?
-\item If $\Pi$ is CPA secure, is it $\Pi^2$ CPA secure?
-\item[b] If $\mathcal{M}^1 = \mathcal{M}^2$ and $\mathcal{C}^1 = \mathcal{C}^2$. let $\Pi'=\langle \Gen',\Enc',\Dec'\rangle$ with
-\begin{itemize}
-  \item $\Gen':=(\Gen^1,\Gen^2)$ (that is, we obtain two different keys $(k_1,k_2)$
-  \item $\Enc'_{(k_1,k_2)}(m):=(c_1,c_2)$ with $c_1=\Enc^1_{k_1}(m),~c_2=\Enc^2_{k_2}(m))$ 
-  \item $\Dec'_{(k_1,k_2)}(c):=\Dec_{k_1}(c_1)$ with $c=c_1\|c_2$ ($c_1$ is the first half of $c$)
-\end{itemize}
-\smallskip
-\item If $\Pi^1$ is CPA secure, is it $\Pi'$ CPA secure?
-\item If $\Pi^2$ is CPA secure, is it $\Pi'$ CPA secure? 
-\item If $\Pi'$ is CPA secure, is it $\Pi^1$ CPA secure?
-\item If $\Pi'$ is CPA secure, is it $\Pi^2$ CPA secure?
-\end{enumerate}
-\begin{solution}
-\begin{enumerate}
-	\item Let's assume $\Pi$ is not CPA secure: There exist an adversary A.\\
-	We build an adversary $A^1$ for $\Pi_1$
-	$$\begin{aligned}
-		Pr[b''=b;b''\leftarrow a^1] &= Pr[b'=b;b'\leftarrow a]\\
-		Pr[b''=b] &= Pr[b'=b] \le 1/2+\varepsilon
-	\end{aligned}$$
-	
-	\item \textbf{If $\Pi^2$ is CPA secure, is it $\Pi$ CPA secure?}\\
-	We ($D$) define an oracle ($O(\Pi^2)$) that can securely encode a message with $\Pi^2$ and instantiate an Attacker ($A$). As we have to challenge the $\Pi$ scheme knowing the $\Pi^2$ is CPA secure we will proceed as follow.
-	\begin{description}
-		\item[First learning phase:] We begin by encrypting the messages from the attacker with $\Pi^1$ to send them to the oracle. The oracle responds by encrypting the message received with $\Pi^2$ and we just pass this response to the attacker.
-		\item[Challenge phase:] The attacker choose two messages and we transmit the two messages with the first encryption. The oracle will choose witch message to encrypt and will respond with one of the two messages encrypted that we will send back to the attacker.
-		\item[Second learning phase:] Same as the first one.
-	\end{description}
-	\begin{center}
-		\begin{tikzpicture}[scale=0.8]
-			%structure
-			\draw[rounded corners=10pt,thick] (0,0) rectangle (5,10);
-			\draw[rounded corners=10pt,thick] (0.5,0.5) rectangle (2,8.5);
-			\draw[rounded corners=10pt,thick] (13,0) rectangle (17,10);
-			\node[above right] at (0,10) {$D$};
-			\node[above right] at (0.5,8.5) {$A$};
-			\node[above left] at (17,10) {$O(\Pi^2)$};
-			\node[below left] at (5,10) {$k_1 \leftarrow gen^1(1^n)$};
-			\node[below left] at (17,10) {$k_2 \leftarrow gen^2(1^n)$};
-			
-			%train phase
-			\flect (2,8) -- (4,8) \mess {$m_i$};
-			\flect (4,7) -- (2,7) \mess {$c_i$};
-			\flect (5,8) -- (13,8) \mess {$m_i':=Enc_{k_1}^1(m_i)$};
-			\flect (13,7) -- (5,7) \mess {$c_i:=Enc_{k_2}^2(m_i')$};
-			
-			%challenge phase
-			\flecc (2,5.5) -- (4,5.5) \mess {$m^{\ast}_0,m^{\ast}_1$};
-			\flecc (4,4.5) -- (2,4.5) \mess {$c^\ast$};
-			\flecc (5,5.5) -- (13,5.5) \mess {$m
-			_0^{\ast\prime}:=Enc_{k_1}^{1}(m_0^\ast),m_1^{\ast\prime}:=Enc_{k_1}^{1}(m_1^{\ast})$};
-			\flecc (13,4.5) -- (5,4.5) \mess {$c^\ast:=Enc_{k_2}^{2}(m_b^{\ast\prime})$};
-			\node[below right] at (13,5.5) {$b \leftarrow \{0,1\}$};
-			
-			%train phase
-			\flect (2,3) -- (4,3) \mess {$m_i$};
-			\flect (4,2) -- (2,2) \mess {$c_i$};
-			\flect (5,3) -- (13,3) \mess {$m_i':=Enc_{k_1}^1(m_i)$};
-			\flect (13,2) -- (5,2) \mess {$c_i:=Enc_{k_2}^2(m_i')$};
-			
-			% output
-			\flec (2,1) -- (3,1) node[pos=1,right] {$b'$};
-			\flec (5,1) -- (6,1) node[pos=1,right] {$b''=b'$};
-		\end{tikzpicture}
-	\end{center}
-	As we can see in every case, the distinguisher will have the same probability to find the message encrypted by the oracle than the attacker to break the scheme. As the attacker can only have a probability of $1/2 + \varepsilon$ to succeed the distinguisher will have the same probability. So, the scheme $\Pi$ is secure.
-	
-	\item As seen in the previous development, if $\Pi^2$ is CPA secure, $\Pi$ is CPA secure. There is no restriction on $\Pi^1$ in that case. Therefore $\Pi^1$ could be such that $Enc^1_{k_1}(m):=m$ which is obviously not CPA secure. So the proposition is false.
-	
-	\item Idem
-	
-	\item \textbf{If $\Pi^1$ is CPA secure, is it $\Pi'$ CPA secure?}\\
-	The $\Pi'$ scheme is CPA secure if and only if $\Pi^2$ is also CPA secure.
-	
-	For example, if $Enc_{k_2}^2(m) = m$ then the scheme $\Pi'$ is not CPA secure.
-	
-	TO DEVELOP. (solution of the teaching assistant?)
-	
-	\item TODO
-	
-	\item TODO
-	
-	\item TODO
-\end{enumerate}
+  \textbf{P.S.}: It would have been efficient if we write the input as $1^n$, because then the algorithm would have received an input of size $n$ as an $n$-bit number.
 
+  \textbf{Other more intuitive approach : }
+  The input $n$ can be expressed under binary form as: \[n = 2^{|n|}\]
+  Let's say that $k = |n|$. We know that the algorithm has to do at least $\sqrt{n}$ steps.
+  \[\sqrt{n} = \sqrt{2^k} = 2^{\frac{k}{2}}\]
+  Which is not polynomial.
 \end{solution}
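Review bot: The `align*` at lines 458–462 has no `\\` line breaks and no `&` alignment points, so the three relations are typeset as one run-on line; it should be `n^{-\log(n)} &\leq n^{-c} \\`, `\log(n^{-\log(n)}) &\leq \log(n^{-c}) \\`, `\log(n) &\geq c`, and the inline `$f(n) = n^{-log(n)}$` at line 457 still uses `log` (italic l·o·g) where the display uses `\log`. Line 463 inverts the quantifier, "As there exist an N where $n\leq N$", whereas the definition two lines above requires $n \geq N$; also "wich" → "which". Lines 655 and 661 say "there exist a PPT p" but the bound $A(x) \leq p(|x|)$ is over a polynomial, not a probabilistic polynomial-time algorithm: `there exists a polynomial $p$ such that`. Inside the display at line 659, `\textbf{ because n is encoded …}` would be better as `\text{ because $n$ is encoded as a binary number}` so the words are set in text font and $n$ in math. The enumerate and solution environments enclosing line 443 open before this hunk.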
 
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp10.tex b/src/q7/crypto-MAT2450/exercises/tp/tp10.tex
new file mode 100644
index 0000000000000000000000000000000000000000..874f99586172ce755abc738bbc888cb4b10c3fde
--- /dev/null
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp10.tex
@@ -0,0 +1,128 @@
+
+\section{}
+
+% From TP4
+\subsection{Exercise 1 (Authenticated encryption, or not; August Exam)}
+
+Let $\Pi \define \langle \Gen, \Enc, \Dec\rangle$ be an authenticated encryption
+scheme such that $\Enc$ encrypts messages of $n$ bits.
+%
+Do the following systems provide authenticated encryption?  For those
+that do, briefly explain why.  For those that do not, present an
+attack that breaks one of the security properties of an authenticated
+encryption scheme.
+
+\begin{enumerate}
+	\item $\Pi' \define \langle \Gen, \Enc', \Dec'\rangle$ with
+	$\Enc'_k(m) = (\Enc_k(m), \Enc_k(m \oplus (0^{n-1}\|1)))$ and
+	$\Dec'_k(c_1, c_2) = \Dec_k(c_1)$ if
+	$\Dec_k(c_1) \oplus \Dec_k(c_2) = 0^{n-1}\|1$ and $\bot$ otherwise.
+
+	\item $\Pi' \define \langle \Gen, \Enc', \Dec'\rangle$ with
+	$\Enc'_k(m) = (\Enc_k(m), \Mac_k(m))$ and $\Dec'_k(c_1, c_2) = \Dec_k(c_1)$
+
+	if $\Vrfy_k(\Dec_k(c_1), c_2)=1$ and $\bot$ otherwise. Here, $\Mac$
+	and $\Vrfy$ are deterministic algorithms that are part of a secure
+	MAC scheme that is compatible with $\Gen$.
+\end{enumerate}
+
+\begin{solution}
+	$\Pi \define \langle \text{Gen, Enc, Dec} \rangle$ is an authenticated encryption scheme (AE) if it is CCA-secure and unforgeable.
+	\begin{enumerate}
+		\item The system $\Pi'$ is not AE because it is \textbf{forgeable} and we can show it with this example. If the adversary A asks for the message $m$ ($m'$ corresponds to the message m with the last bit changed) to the oracle access, he will receive the cipher text $(c_1, c_2)$, where $c_1 = \Enc_k(m)$ and $c_2 = \Enc_k(m\xor 0^{n-1}||1) = \Enc_k(m')$.
+
+		If $\A$ outputs the pair (m',$(c_2, c_1)$), this is a forgery.
+
+		$\Dec_k'(c_2,c_1) = \Dec_k(c_2) = \Dec_k(\Enc_k(m')) = m' \neq \bot $ because $\Dec_k(c_2) \oplus \Dec_k(c_1) = m' \oplus m = m \oplus 0^{n-1}||1 \oplus m = 0^{n-1}||1 $.
+		And $m'$ has not been requested before.
+
+		Then we have EncForge$_{A, \Pi'}$(n) = 1  and Pr[EncForge$_{A, \Pi'}$(n)] = 1. $\Pi'$ is then forgeable and it is not an AE.
+
+		With the same technique, an adversary can break the CCA-security of this scheme by querying two different messages $m_1$ and $m_2$, obtaining their encryption, sending \newline
+		($m'_1,m'_2$) = ($m_1 \oplus 0^{n-1}||1, m_2 \oplus 0^{n-1}||1$) for the challenge, and compare the encryption of $m'_b$ with the two previously received ciphertexts.
+
+		Note that this doesn't break CPA-security; indeed, the scheme is still CPA-secure.
+
+		\item The sytem $\Pi'$ is not AE because it is not \textbf{CCA-secure} and we can show it because $Mac_k(m)$ does not assure any security (only authentication). So if We use as Mac:
+		\[ \Mac_k(m) = m||\Mac'_k(m) \]
+		It is a good mac but it is trivial to show that it is not CCA-Secure. $\Pi'$ is then not an AE.
+
+		\strong{Stronger argument}:
+
+		The adversary can send two different messages $m_0$ and $m_1$ to the encryption oracle to get $(\Enc_k(m_0), \Mac_k(m_0))$ and $(\Enc_k(m_1), \Mac_k(m_1))$.
+
+		We then output the same $m_0$ and $m_1$, and receive $(\Enc_k(m_b), \Mac_k(m_b))$.
+
+		As $\Pi$ is an athenticated encryption scheme, we know that $\Enc$ is probabilistic and secure.
+		However, $\MAC$ is said to be deterministic, and this causes $\Mac_k(m_b)$ to be the same as one of the $\Mac_k(m_0)$, $\Mac_k(m_1)$ received earlier.
+		We can thus just compare the tags, and output the corresponding $b'$.
+
+		The probability of success is $\Pr[b'=b] = \Pr[\Mac_k(m0) \neq \Mac_k(m_1)]=1-\negl(n)$ which is clearly well above what it should be.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 2 (Derandomizing signatures)}
+
+Let $S=(\Gen, \Sign, \Vrfy)$ be an EUF-CMA signature scheme defined over $(M, \Sigma)$, where the signing algorithm $\Sign$ is probabilistic.
+In particular, algorithm $\Sign$ uses randomness chosen from a space $R$.
+We let $\mathsf{S}(sk, m; r)$ denote the execution of algorithm $\mathsf{S}$ with randomness $r$.
+Let $F$ be a secure PRF defined over $(K, M, R)$.
+Show that the following signature scheme with deterministic signing $S'=(\Gen', \Sign', \Vrfy)$ is EUF-CMA:
+\[ \mathsf{G}'(1^n) \define \left\{ (pk, sk) \pick \G(1^n), \qquad k \pick K, \qquad sk' \define (sk, k), \qquad \text{output } (pk, sk') \right\}; \]
+\[ \Sign'((sk, k), m) \define \left\{ r \pick F_k(m), \qquad \sigma \pick \mathsf{S}(sk, m; r), \qquad \text{output } \sigma \right\}. \]
+
+\emph{(Hint: Define $S''$ which is like $S'$ byt uses a perfect random function. Make a reduction of the security of $S''$ to the security of $S$, then build a PRF distinguisher based on a adversary against the signature. Finally, compute the link of the advantages of three relevant games.)}
+
+
+\begin{solution}
+	We will prove this in two steps.
+	\begin{itemize}
+		\item The first step defines $S''$ so that the PRF is replaced by a true random function.
+		We will show that in this case, if $S$ is secure, then $S''$ is secure.
+		\item The second step proves by reduction that if $S''$ is secure and $F$ is a secure PRF, then $S'$ is secure.
+		The reduction proceeds by constructing an adversary $\A_{PRF}$ against the PRF, able to distinguish between the PRF and a random function, given an adversary $\A_{S'}$ against $S'$.
+	\end{itemize}
+
+	First, let's define $S''$.
+	The only change is that
+	\[ \Sign''((sk, k), m) \define \{ r \define f(m), \quad \sigma \define \mathsf{S}''(sk, m), \quad \text{output } \sigma \} \]
+	where $\mathsf{S}''(sk, m) = \mathsf{S}(sk, m; f(m))$.
+
+	If we have an adversary against $S''$, we can build an adversary against $S$, simply by relaying oracle calls to $\mathsf{S}_f''(sk, m)$ to our oracle $\mathsf{S}(sk, m; f(m))$.
+	As $f$ is a random function, $S$ sees the same randomness as with an $r$, so nothing changes.
+	The probabilities are exactly the same:
+	\[ \Pr[\Sigforge_{S''}=1] = \Pr[\Sigforge_{S}=1] = \negl(n) \]
+	for some $\negl$ negligible.
+
+	Now, let's do the reduction from $F$ to $S'$.
+	So, we have an adversary $\A_{S'}$ against $S'$, and we build an adversary against the PRF $\A_F$ as follows:
+	\begin{enumerate}
+		\item The oracle for the PRF problem $\O_F$ picks $k \pick \K$, kept secret.
+		\item $\O_F$ picks $b \pick \bset$, kept secret.
+		The oracle defines a challenge function $g=F_k$ if $b=1$, $g=f$ a random function if $b=0$.
+		\item $\A_F$ runs $\Gen'$ to create a public key $pk$ and a secret key $sk'=(sk, k)$.
+		It discards $k$ as it is not used by $\A_{S'}$ and is defined by $\O_F$.
+		It keeps $sk$ secret and sends $pk$ to $\A_{S'}$.
+		\item When $\A_{S'}$ asks for $\Sign'((sk, k), m)$, we ask the oracle for $w=g(m)$.
+		$w=F_k(m)$ if $b=1$, or $w=f(m)$ with $f$ a random function, if $b=0$.
+		We then run $\mathsf{S}(sk, m; r)$ and return the result to $\A_{S'}$.
+		\item When $\A_{S'}$ outputs $(m, \sigma)$, its forgery, we outputs $b'=1$ iff $(m, sigma)$ is a valid forgery (we can verify it using $\Vrfy_{pk}$), $b'=0$ otherwise.
+	\end{enumerate}
+	If $b=0$, we're playing against a true random function, and so we're actually running the scheme $S''$.
+	As $\A_{S'}$ is not designed to handle this scheme, its security is the same as the one of $S''$, which is the same as the one of $S$.
+
+	If $b=1$, we're playing the true game for $\A_{S'}$, and so its advantage $\negl'(n)$ is active.
+
+	Then, the difference in probabilities for the distinguishing is:
+	\[ |\Pr[\A_F^{F_k}(n)] - \Pr[\A_F^{f}(n)]| = |\negl'(n) - \frac12 \negl(n)| \ge \negl'(n)-\negl(n) \]
+	As this difference has to be negligible, as $F$ is a PRF, and $\negl$ is negligible, then $\negl'$ is negligible, and thus the scheme $S'$ is secure.
+\end{solution}
+
+
+
+\subsection{Exercise 3 (Jan 11 evaluation)}
+
+\copypaste{9}{1}
+
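Review bot: `\strong{Stronger argument}:` in the solution to Exercise 1 uses `\strong`, which is not a LaTeX kernel command and, unless a project package defines it, compiles to an undefined control sequence; the rest of the file uses `\textbf{...}` for this, so `\textbf{Stronger argument}:` would match. The same risk applies to `$\MAC$` in the deterministic-MAC paragraph, where the operator declared by eplcrypto is `\Mac`, and `$Mac_k(m)$` a few lines earlier should be `$\Mac_k(m)$` to match the surrounding notation. In the Exercise 2 reduction, step 4 obtains `w=g(m)` but then runs `$\mathsf{S}(sk, m; r)$` with an `r` that is never bound in that game (it should be `w`), step 5 has `$(m, sigma)$` for `$(m, \sigma)$`, and the final probability in Exercise 1 has `\Mac_k(m0)` for `\Mac_k(m_0)`. Since the stronger argument needs no decryption query, it shows the Encrypt-and-MAC construction is not even CPA-secure, which is worth stating explicitly because the item opens by claiming only the loss of CCA security.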
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp2.tex b/src/q7/crypto-MAT2450/exercises/tp/tp2.tex
index 2d8b3652385ef20e36a4b19c12f39c24fa48dff6..499b795d693d059430668db19774dc94dd29e500 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp2.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp2.tex
@@ -1,472 +1,322 @@
+
+
 \section{}
 
-\subsection{Exercise 0 (Reduction and/or attacks)}
-\copypaste{1}{7}
-
-\subsection{Exercise 1 (Variable-length MAC)}
-Considering a known hash function $h^s:\{0,1\}^{2l}\rightarrow\{0,1\}^{l}$,
-let's note by $H^s$ the corresponding Merkle-Damg{\aa}rd transform hash function, 
-\emph{i.e.} 
-
-\begin{center}
-\begin{tikzpicture}[scale=0.5]
-\tikzstyle{every node}=[text centered, inner sep = 2pt]
-
-    \trapeze{$h^s$}{\position}
-    \draw [->] \position +(-3,0) node [left] {$IV$} -- +(-1,0);
-    \draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
-    \draw \position + (1,0) -- +(2,0) node {};
-    \renewcommand{\position}{(4,0)}
-    \renewcommand{\mylabel}{$x_2$}
-    \trapeze{$h^s$}{\position}
-    \draw [->] \position +(-2,0) node [below] {} -- +(-1,0);
-    \draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
-    \draw [->]\position + (1,0) -- +(2,0) node [right] {$\ldots$};
-    \renewcommand{\position}{(9.5,0)}
-    \renewcommand{\mylabel}{$x_n$}
-    \trapeze{$h^s$}{\position}
-    \draw [->] \position +(-2.2,0) node [below] {} -- +(-1,0);
-    \draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
-    \draw \position + (1,0) -- +(2,0) node {};
-    \renewcommand{\position}{(13.5,0)}
-    \renewcommand{\mylabel}{$\left|x\right|$}
-    \trapeze{$h^s$}{\position}
-    \draw [->] \position +(-2,0) node [below] {} -- +(-1,0);
-    \draw [<-] \position + (-1,1) -| ++(-2,2.95) node [above] {\mylabel};
-    \draw [->] \position + (1,0) -- +(2,0) node [right] {$H^s(x)$};
-\end{tikzpicture}
-\end{center}
-%
-when $x=x_1||\cdots||x_n$ for some integer $n$ and when the $x_i$'s are 
-$l$-bit strings.
-
-Show why, with a private key $k$ of length $l$, the MAC scheme 
-$$t:=H^s(k||m),$$
-is \emph{not} existentially unforgeable under an adaptive chosen-message attack.
-
-
-\medskip
-\begin{solution}
-  If we have the tag of $p$, which is (let's consider that $k$ and $p$ are $l$ bits long for simplicity)
-  \[ t_p = H^s(k\|p) = h^s(h^s(h^s(IV \| k) \| p) \| 2l) \]
-  we can find the tag of $p\|2l\|w$ (where $w$ is $l$ bits long for simplicity)
-  without knowing $k$ since we know $h^s$.
-  It is
-  \begin{align*}
-    H^s(k\|p\|2l\|w)
-    & = h^s(h^s(h^s(h^s(h^s(IV \| k) \| p) \| 2l) \| w) \| 4l)\\
-    & = h^s(h^s(H^s(k \| p) \| w) \| 4l)\\
-    & = h^s(h^s(t_p \| w) \| 4l)
-  \end{align*}
-  Since $p\|2l\|w \neq p$, this gives us an existential forgery.
-\end{solution}
+\subsection{Exercise 1 (Security model.)}
 
-\subsection{Exercise 2 (Fixed-length MAC)}
-Consider the fixed-length MAC $\Pi:=\langle\Gen,\Mac,\Vrfy\rangle$
-defined as follows:
-\medskip
-\begin{itemize}
-  \item $\Gen$: choose random $k\leftarrow \{0,1\}^n$  \smallskip
-  \item $\Mac$: on input $m,k \in\{0,1\}^n$, output $t:=F_k(m)$  \smallskip
-  \item $\Vrfy$: on input $k, m, t \in \{0,1\}^n$ output 1 iff $t=F_k(m)$
-\end{itemize}
-\medskip
-%
-Prove that, if $F$ is a PRF, $\Pi$ is existentially unforgeable under
-an adaptive chosen-message attack. Hint:
-\medskip
-%
+Let $\negl$ denote a negligible function.
+Remember that $\Pi \define \langle \Gen, \Enc, \Dec \rangle$ has \emph{indistinguishable
+multiple encryption in the presence of eavesdroppers} if $\forall$
+PPT $\A$, $\exists$ $\negl$:
+  \[\Pr[\PrivKmult(n)=1]\leq\frac12+\negl(n) \,,\]
+where $\PrivKmult(n)$ is defined as follows.
 \begin{enumerate}
-  \item Consider the scheme $\Pi'$ defined as $\Pi$ except that a truly
-        random function is used instead of a pseudo-random one. Show that
-        $\Pi'$ is existentially unforgeable under an adaptive chosen-message
-        attack.  \smallskip
-  \item Consider a PPT adversary who can produce an adaptive forgery on
-        $\Pi$ with non negligible probability $\epsilon(n)$. Using this
-        adversary, show that $F$ cannot be a PRF.
+\item   $\A$ outputs $M_0=(m_0^1,\ldots,m_0^t),
+M_1=(m_1^1,\ldots,m_1^t)$
+\item Choose $k \leftarrow \G(1^n)$ and $b \leftarrow \{0,1\}$, and send
+  $(\Enc_k(m_b^1),\ldots,\Enc_k(m_b^t))$ to $\A$
+\item $\A$ outputs $b'$
+\item Define $\PrivKmult(n) \define 1$ iff $b=b'$
 \end{enumerate}
 
-% homework 2 of Dan Boneh, Winter 2011, Problem 2 
-\begin{solution}
-  \begin{itemize}
-    \item
-      Let $\tilde{\Pi} = \langle \tilde{\Gen}, \tilde{\Mac}, \tilde{\Vrfy} \rangle$, defined as:
-      \begin{itemize}
-        \item $\tilde{\Gen}$: chooses a random $f$.
-        \item $\tilde{\Mac}$: on input $m$, outputs $f(m)$.
-        \item $\tilde{\Vrfy}$: on input $(m,t)$, outputs $1$ iff $f(m) = t$.
-      \end{itemize}
+Also remember that $\Pi \define \langle \Gen, \Enc, \Dec \rangle$ has \emph{indistinguishable
+encryption under a chosen-plaintext attack} if $\forall$ PPT $\A$,
+$\exists$ $\negl$:
+  \[\Pr[\PrivKcpa(n)=1]\leq\frac12+\negl(n) \,,\]
+where $\PrivKcpa(n)$ is defined as follows.
 
-      Let's analyse the maximum value of $\Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]$ for an adversary $\mathcal{A}$.
-      If after $q$ different queries (it gains no info doing the same query twice),
-      $m_1, \ldots, m_q$, $\A$ outputs $(m, t)$, what are its chances of success ?
-      Let $f:\{0,1\}^n \to \{0,1\}^n$.
-      There are $(2^n)^{2^n}$ different $f$ and we pick a random one uniformly.
-      However, there are only $(2^n)^{2^n-q}$ experiments such that $\A$ have received $(m_i,t_i)$ for $i = 1, \ldots, q$ because
-      there are $(2^n)^{2^n-q}$ $f$ such that $f(m_i) = t_i$ for $i = 1, \ldots, q$.
-      We could be in any of them.
-      Among them, only $(2^n)^{2^n-(q+1)}$ are such that $f(m) = t$.
-      Since $f$ is selected uniformly, we have
-
-      \begin{align*}
-        \Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]
-        & = \Pr[f(m) = t | f(m_i) = t_i, \forall i = 1, \ldots, q]\\
-        & = \frac{\Pr[f(m) = t, f(m_i) = t_i, \forall i = 1, \ldots, q]}{\Pr[f(m_i) = t_i, \forall i = 1, \ldots, q]}\\
-        & = \frac{\frac{(2^n)^{2^n-(q+1)}}{(2^n)^{2^n}}}{\frac{(2^n)^{2^n-q}}{(2^n)^{2^n}}}\\
-        & = \frac{(2^n)^{2^n-(q+1)}}{(2^n)^{2^n-q}}\\
-        & = \frac{1}{2^n}.
-      \end{align*}
-      A shortcut would have been to argued that since, $f(m)$ is independent of the $f(m_i)$ so
-
-      \begin{align*}
-        \Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]
-        & = \Pr[f(m) = t | f(m_i) = t_i, \forall i = 1, \ldots, q]\\
-        & = \Pr[f(m) = t]\\
-        & = \frac{(2^n)^{2^n-1}}{(2^n)^{2^n}}\\
-        & = \frac{1}{2^n}.
-      \end{align*}
-
-      It is quite surprising that instead of a upper bound
-      on $\Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]$
-      depending on $\A$ (and reached for $\A$ super smart),
-      it is actually independent of $\A$.
-    \item
-      Let's now suppose that we have an adversary $\A$
-      that win with non-negligible probability against a PRF $F$
-      and show that under this assumption we can build
-      a distinguisher $\D$ for $F$.
-
-      $\D$ will simply take a function $g$ as input
-      and run $\A$ using $g$ to create the tags.
-      He has $g$ so he can see if $\A$ wins or lose.
-      If $\A$ wins, $\D$ outputs $1$, otherwise, it outputs $0$.
-
-      We know that if $g$ is a pseudo random function,
-      $\Pr[\MacForge_{\A, \Pi_g} = 1] = \frac{1}{2^n}$
-      and if $g$ is a PRF
-      $\Pr[\MacForge_{\A, \Pi_g} = 1] = \eta(n)$
-      where $\eta$ is non-negligible.
-      We have therefore
-      \[
-        |\Pr[\D^{F_k}(1^n) = 1] - \Pr[\D^{f}(1^n) = 1]|
-        = \left|\eta(n) - \frac{1}{2^n}\right|
-      \]
-      which is non-negligible.
-
-      % Not sure it works
-%    \item
-%      Another simpler solution is possible. Using the first Hint, we can say that if $F_k$ is a PRF, it has a maximum of $2^n$ possible outputs
-%      where a truly random function has exactly $2^n$ outputs. So if we suppose $\Pi$ secure with a PRF, then $\tilde{\Pi}$ is also secure because
-%      $\epsilon_{\tilde{\Pi}}  = \frac{1}{2^n} \geq \epsilon_{\Pi}$. We then can play the PRF game to prove the security of $\Pi$ with the second hint.
-  \end{itemize}
+\begin{enumerate}
+  \item Choose $k\leftarrow \Gen(1^n)$
+  \item \textbf{$\A$ is given oracle access to $\Enc_k(\cdot)$}
+  \item $\A$ outputs $m_0, m_1 \in \M$
+  \item Choose $b\pick \bset$ and send $\Enc_k(m_b)$ to $\A$
+  \item \textbf{$\A$ is again given oracle access to $\Enc_k(\cdot)$}
+  \item $\A$ outputs $b'$
+  \item Define $\PrivKcpa(n) \define 1$ iff $b=b'$
+\end{enumerate}
 
-\end{solution}
+Define the concept of indistinguishable \emph{multiple} encryption under a chosen-plaintext attack.
 
-\subsection{Exercise 3 (Hash functions from\ldots hash functions)}
-Let $H_2:\{0,1\}^{2l}\rightarrow\{0,1\}^{l}$ and $H_3:\{0,1\}^{3l}\rightarrow\{0,1\}^{l}$ be
-collision resistant hash functions. For $2l$-bit strings $x_i$'s, consider the following two constructions.
-\medskip
-\begin{itemize}
-	\item $H_4:\{0,1\}^{4l}\rightarrow\{0,1\}^{l}$ ; 
-	      $x=x_1||x_2\rightarrow H_2\left(H_2(x_1)||H_2(x_1\oplus x_2)\right)$
-	      \smallskip
-	\item $H_6:\{0,1\}^{6l}\rightarrow\{0,1\}^{l}$ ; 
-	      $x=x_1||x_2||x_3\rightarrow H_3\left(H_2(x_1\oplus x_2)||H_2(x_2\oplus x_3)||H_2(x_3\oplus x_1)\right)$
-\end{itemize}
-\medskip
-Determine whether these hash functions are still collision resistant or not.
 
 \begin{solution}
-  \begin{itemize}
-    \item
-      Let's show that from a collision of $H_4$, we generate a collision for $H_2$
-      which prove that $H_4$ is collision resistant since $H_2$ is so.
-      Let's suppose that we have $x_1\|x_2 \neq y_1\|y_2$ are such that $H_4(x_1\|x_2) = H_4(y_1\|y_2)$.
-      \begin{itemize}
-        \item
-          If $H_2(x_1) \| H_2(x_1 \xor x_2) \neq H_2(y_1) \| H_2(y_1 \xor y_2)$,
-          we have a collision for $H_2$ since their image by $H_2$ is identical.
-        \item
-          If $H_2(x_1) \| H_2(x_1 \xor x_2) = H_2(y_1) \| H_2(y_1 \xor y_2)$,
-          we have $H_2(x_1) = H_2(y_1)$ \emph{and} $H_2(x_1 \xor x_2) = H_2(y_1 \xor y_2)$.
-          \begin{itemize}
-            \item If $x_1 \neq y_1$, we have a collision for $x_2$ since $H_2(x_1) = H_2(y_1)$.
-            \item If $x_1 = y_1$, then $x_2 \neq y_2$ since $x_1\|x_2 \neq y_1\|y_2$.
-              Therefore $x_1 \xor x_2 \neq y_1 \xor y_2$ and we have collision on $H_2$.
-          \end{itemize}
-      \end{itemize}
-    \item
-      $H_6$ is not collision resistant since $H_6(x_1\|x_2\|x_3) = H_6((x_1 \xor w)\|(x_2 \xor w)\|(x_3 \xor w))$
-      for all $w$ (collision if $w\neq 0^{2l}$). 
-      Indeed, since $\xor$ is associative and commutative,
-      \begin{align*}
-        & = H_6((x_1 \xor w)\|(x_2 \xor w)\|(x_3 \xor w))\\
-        & = H_3(H_2((x_1 \xor w) \xor (x_2 \xor w))\|H_2((x_2 \xor w) \xor (x_3 \xor w))\|H_2((x_3 \xor w) \xor (x_1 \xor w)))\\
-        & = H_3(H_2(x_1 \xor (w \xor w) \xor x_2)\|H_2(x_2 \xor (w \xor w) \xor x_3)\|H_2(x_3 \xor (w \xor w) \xor x_1)))\\
-        & = H_3(H_2(x_1 \xor x_2)\|H_2(x_2 \xor x_3)\|H_2(x_3 \xor x_1)))\\
-        & = H_6(x_1\|x_2\|x_3).
-      \end{align*}
-  \end{itemize}
+%Sending it once (in a vector) or with a loop is exactly the same, so I think only one definition is sufficient...
+  Two definition can be proposed.
+  The first one is the one given in the reference \cite[p.~84]{katz2007introduction}.
+
+  $\Pi \define \langle\Gen, \Enc, \Dec\rangle$ has indistinguishable \emph{multiple} encryption under a chosen-plaintext attack
+  if $\forall$ PPT $\A$, $\exists$ negl. $\epsilon$:
+  \[ \Pr[\PrivKmultcpa(n) = 1] \leq \frac{1}{2} + \epsilon(n), \]
+  where $\PrivKmultcpa(n)$ is defined as follows. This is the challenger's viewpoint.
+  \begin{enumerate}
+    \item Choose $k \leftarrow \Gen(1^n)$
+    \item $\A$ is given oracle access to $\Enc_k(\cdot)$
+    \item $\A$ outputs $M_0 = (m_0^1, \ldots, m_0^t)$, $M_1 = (m_1^1, \ldots, m_1^t)$
+    \item Choose $b \leftarrow \{0,1\}$, and send $(\Enc_k(m_b^1), \ldots, \Enc_k(m_b^t))$ to $\A$
+    \item $\A$ is again given oracle access to $\Enc_k(\cdot)$
+    \item $\A$ outputs $b'$
+    \item Define $\PrivKmultcpa(n) \define 1$ iff $b = b'$
+  \end{enumerate}
+
+  An additional definition can be found in the reference book \cite[p.~75]{katz2007introduction}.
+  Both are equally good since it can be proven they are equivalent to the definition of indistinguishably of a \emph{single} encryption
+  under CPA.
+  Proving that, if $\Pi$ has indistinguishable \emph{multiple} encryption under CPA then it also has indistinguishable \emph{single} encryption,
+  is trivial.
+  The other way is quite tricky.
+  However in public key cryptosystems, CPA is the same as EAV since $\A$ has the public key and therefore oracle access to $\Enc_k$.
+  There is therefore the same property in asymmetric crypto for EAV than for symmetric crypto with CPA:
+  equivalence of single- and multiple-message security.
+  This is stated by \cite[theorem~11.6]{katz2007introduction} where it is proven.
+  The proof is very similar to the proof needed to show the equivalence of single-message CPA and multiple-message CPA so if you are in doubt, just check it out.
 \end{solution}
 
 
-\subsection{Exercise 4 (Hash-MAC)}
-Suppose $H_0$ and $H_1$ are compression functions but only one is beleived to be collision resistant.
-Besides, suppose $\textsc{Mac}_0$ and $\textsc{Mac}_1$ are message authentication codes but only one
-of the both schemes is known to be unforgeable. Is it possible to build a secure ''hash-MAC'' from these
-inputs? Justify your answer.
-%Homework 2 of Dan Boneh, Winter 2011, Problem 5 (DVD security)
-\begin{solution}
-  We build $H(m) = H_0(m)\|H_1(m)$.
-  If we have $m_1 \neq m_2$ such that $H(m_1) = H(m_2)$ then $H_0(m_1) = H_0(m_2)$ and
-  $H_1(m_1) = H_1(m_2)$ so the collision resistant hash function has a collision whichever it is.
-  However, $H$ is no more a compression function and we cannot use Merkle-Damg\aa{}rd.
 
-  The input of $H$ therefore cannot have arbitrary length but its output is twice the length of the output of $H_0$ and $H_1$ so it is twice the size of a tag.
+\subsection{Exercise 2 (Pseudorandomness.)}
+
+Let $F\colon \bset^* \times \bset^* \mapsto \bset^*$ be a
+(length-preserving) pseudorandom function, that is, if $k$ is selected
+uniformly at random in $\bset^n$, then $F_k(\cdot)$ is
+computationnaly indistinguishable from a function $f$ selected randomly in the set of
+functions from $\bset^n$ to $\bset^n$. More formally, $\forall$ PPT $\D$, $\exists$ negl. $\negl$:
+\[\left|\Pr[\D^{F_k(\cdot)}(1^n)=1]-\Pr[\D^{f(\cdot)}(1^n)=1]\right|\leq\negl(n)\]
 
-  The output of $\Mac_0$ and $\Mac_1$ are the size of a tag so we can use the tag
-  $H(\Mac_0(k,m)\|\Mac_1(k,m))$ for our Hash-MAC scheme.
-  If we are able to output an existential forgery $(m, t)$, since $H$ is collision resistant, that means that we have found $\Mac_0(k,m)\|\Mac_1(k,m)$ and therefore we have found an existential forgery for both $\Mac_0$ \emph{and} $\Mac_1$ which is absurd since one of them is believed to be unforgeable.
+Show that $F$ cannot seem random in front of an adversary who has an unbounded computational power,
+in the sense that she can distinguish it from a random function.
 
-  Our Hash-MAC scheme is therefore unforgeable.
+
+\begin{solution}
+  There are $|\bset^n|^{|\bset|^n} = {2^n}^{2^n}$ function from $\bset^n$ to $\bset^n$.
+  However, since there are only $2^n$ different $k$, $F_k$ can only be $2^n$ different functions.
+  If the distinguisher $D^g$ is unbounded, he can just check the output of $g$ for every possible input and for all $k \in \bset^n$, he can check if it has the same output of $g$.
+  If it has the same output of $F_k$ for at least one $k$, then $D^g(1^n) = 1$, else $D^g(1^n) = 0$.
+  More formally
+  \[
+    D^g(1^n) \overset{\Delta}{=}
+    \left\{ \begin{array}{rl}
+        1 & \mbox{if }\exists k \in \{0,1\}^n, \forall m \in \bset^n, F_k(m) = g(m)\\
+		0 & \mbox{otherwise.}\\
+    \end{array} \right.
+  \]
+  If $g$ is indeed a pseurorandom function, we can see that
+  \[ \Pr[D^{F_k}(1^n) = 1] = 1 \]
+  for all $k \in \bset^n$: we are guaranteed to detect it as we enumerate all possible $F_k$.
+
+  If $g$ is a true random function, then the only case where we may be wrong is if the random function ``mimics'' one of the pseudorandom function, that is $\exists k\colon \forall m \in \bset^n \colon f(m)=F_k(m)$. Let's evaluate the probability that it happens:
+  \[ |\{f \colon \{0,1\}^n \mapsto \{0,1\}^n \suchthat \exists k \in \bset^n, \forall m \in \bset^n f(m) = F_k(m) \}| \leq 2^n. \]
+  (the inequality is there to represent the fact that there could be $k_1,k_2$ such that $F_{k_1}(m) = F_{k_2}(m)$ for all $m \in \{0,1\}^n$.)
+  Therefore
+  \[ \Pr[D^{f}(1^n) = 1] \leq \frac{2^n}{{2^n}^{2^n}} = \frac{1}{2^{n(2^n-1)}}. \]
+  Then, the difference between the probabilities is
+  \[ \abs{\Pr[D^{F_k}(1^n)=1] - \Pr[D^f(1^n)=1]} = 1-\frac{1}{2^{n(2^n-1)}} \approx 1 \text{ for large values of } n \]
+  which is clearly non-negligible.
+
+  (Note that there is a slight chance that the distinguisher makes a mistake, but this probability decreases more than exponentially when $n$ increases.)
 \end{solution}
 
-\subsection{Exercise 5 (MAC length extension)}
-Let $\Pi':=\langle\Gen',\Mac',\Vrfy'\rangle$ be a secure fixed-length MAC. We define a variable-length MAC $\Pi:=\langle\Gen,\Mac,\Vrfy\rangle$ as follows:
 
+
+\subsection{Exercise 3 (Reduction.)}
+
+Let $\Pi \define \langle \Gen,\Enc,\Dec\rangle$ be an encryption scheme having
+indistinguishable encryption under a chosen plaintext attack. Suppose we
+define a new scheme $\Pi' \define \langle \Gen',\Enc',\Dec'\rangle$ as follows.
+\smallskip
 \begin{itemize}
-%
-\item $\Gen$: choose random $k\leftarrow \{0,1\}^n$
-\item $\Mac$: on input $k \in\{0,1\}^n$ and $m \in \{0,1\}^*$ of length $l<2^\frac n4$
-\begin{itemize}
-\item Parse $m$ into blocks $m_1,\ldots,m_d$ of length $\frac n4$ each (pad with 0's if necessary)
-\item Choose random $r\leftarrow \{0,1\}^\frac n4$
-\item Compute $t_i:=\Mac_k(r||l||i||m_i)$ for $1\leq i\leq d$, with $|r|=|l|=|i|=\frac n4$
-\item Output $t:=\langle r,t_1,\ldots,t_d\rangle$
-\end{itemize}
-\item $\Vrfy$: on input $k, m, t=\langle r,t_1,\ldots,t_{d'}\rangle$,
-\begin{itemize}
-\item Parse $m$ into blocks $m_1,\ldots,m_d$ of length $\frac n4$ each
-\item Output 1 iff $d=d'$ and, $\forall 1\leq i\leq d$, $\Vrfy'_k(r||l||i||m_i,t_i)=1$
+  \item $\Gen' \define \Gen$
+  \item $\Enc_k'(m) \define \Enc_k(m)||1$ (i.e. a `1' bit is appended to the ciphertext)
+  \item $\Dec_k'(c) \define \Dec_k(c_1)$, where $c_1$ is obtained by discarding the last bit of $c$.
 \end{itemize}
-%
-\end{itemize}
-
-The goal of this exercise is to prove by reduction that $\Pi$ is existentially unforgeable. Let $\A$ (resp. $\A'$) be an adversary attacking the unforgeability of $\Pi$ (resp. $\Pi'$) and let $\epsilon = \textsc{MacForge}_{\A,\Pi}(n)$ (resp. $\epsilon' = \textsc{MacForge}_{\A',\Pi'}(n)$) denotes its advantage.
+\smallskip
+Is $\Pi'$ also a CPA secure encryption scheme? Provide either an (efficient) attack/adversary
+or a (polynomial) reduction, depending on your claim.
 
-\begin{enumerate}
-  \item Make a quick draw sketching the proof.
-  \item Describe formally how $\A'$ should react to a query $\textsc{Mac}_k(m)$.
-  \item Define what is a mac forgery for the scheme $\Pi$. Does it necessarily implie a forgery on the scheme $\Pi'$ (justify your answer).
-  \item Express $\epsilon$ in function of $\epsilon'$ and conclude.
-\end{enumerate}
 
 \begin{solution}
-  (Interesting demonstration on the security of this scheme assuming F is a PRF : See reference book p117-118).
+  $\Pi$ is a secure encryption scheme under CPA. $\Pi$ is public, only the key is hidden from $\A$. Adding a 1 at the end will just give no information to $\A$.
+
+  %To prove it rigorously, we can prove that ``if $\Pi'$ is insecure then $\Pi$ is insecure'' since it is the contraposition of ``if $\Pi$ is secure then $\Pi'$ is secure''. % Perso je trouve la formulation rend confus
+  This proof methodology is called ``reduction''.
+
+    %TODO define more clearly the interface with the adversary and with the oracle
+  Let $\C$ be the adversary trying to break $\Pi$ and an efficient adversary $\A$ that can break $\Pi'$ with a non-negligible probability. $\O$ is the oracle that gives $\C$ the challenge to break the scheme $\Pi$.
   \begin{enumerate}
-    \item TODO
-    \item $\A'$ should pick a random $r\leftarrow \{0,1\}^{\frac{n}{4}}$, parse m into d blocks $m_1,...,m_d$ and send to its oracle $d$ queries $r\|l\|i\|m_i$ for $i = 1, \ldots, d$.
-      After the $d$ queries made to its oracle $O'$, $\A'$ computes $\langle r, t_1, \ldots, t_d \rangle$ where $t_i$ is the answer of the oracle to its $i$th query. He then sends it as an answer to $\A$s query.
-    \item For $\Pi$, a forgery is a pair $(m, \langle r, t_1, \ldots, t_d \rangle)$ where $m$ has not been queried before
-      and $t_i = \Mac'_k(r\|l\|i\|m_i)$ for $i = 1, \ldots, d$ where $l$ is the length of $m$ and $m = m_1\| \cdots \|m_d$.
+    \item $\O$ is given $1^n$ as input as $\C$ that will transmit it to $\A$.
+    \item First query phase:
+      \begin{itemize}
+        \item $\A$ outputs $m_i$ as message to $\C$.
+        \item $\C$ outputs $m_i$ as message to $\O$.
+        \item $\O$ outputs $c_i = Enc_k(m_i)$ as message to $\C$.
+        \item $\C$ sends back $c_i||1$ to $\A$.
+      \end{itemize}
+    \item Challenge phase:
       \begin{itemize}
-        \item
-          If none of its previous query has the same $r$ and $l$, $r\|l\|1\|m_1$ cannot be a query made by $\A'$ and
-          $(r\|l\|1\|m_1, t_1)$ is an existential forgery for $\Pi'$ that $\A'$ can output.
-        \item
-          If 2 previous queries have both $r$ and $l$, then we do not necessarily have an existential forgery.
-          However, since $r$ is picked at random ($\A'$ could cheat and make sure that the same $r$ is not picked twice)
-          the probability (birthday paradox) of this to happen (if all $m$ have the same $l$ which is the worst case) is approximately
-          $\frac{q(n)^2}{2 \cdot 2^n}$ where $q(n)$ is the number of queries made by $\A$.
-        \item
-          If one unique previous query $m^j$ has this $r$ and $l$, since $m$ is not one of the previous query, there must be $i$
-          such that $m_i \neq m_i^j$.
-          We know therefore that $r\|l\|j\|m_j$ has never been queried by $\A'$ so $(r\|l\|j\|m_j, t_j)$ is an existential forgery for $\Pi$.
+        \item $\A$ outputs $m_0^\ast, m_1^\ast$ to $\C$.
+        \item $\C$ outputs $m_0^\ast, m_1^\ast$ as message to $\O$.
+        \item $\O$ choose randomly $b \leftarrow \{0,1\}$.
+        \item $\O$ outputs $c^\ast = Enc_k(m_b^\ast)$ to $\C$.
+        \item $\C$ sends back $c^\ast||1$ to $\A$.
       \end{itemize}
-    \item In conclusion, we have
-      \begin{align*}
-        \Pr[\MacForge_{\A,\Pi}(n) = 1]
-        & \leq \Pr[\MacForge_{\A',\Pi'}(n) = 1] + \frac{q(n)}{2^{n+1}}\\
-        \epsilon(n)
-        & \leq \epsilon'(n) + \frac{q(n)}{2^{n+1}}
-      \end{align*}
-      so since $\epsilon'(n)$ and $\frac{q(n)}{2^{n+1}}$ are negligible,
-      $\epsilon(n)$ is negligible.
+    \item Second query phase: same as the first one.
+    \item $\A$ outputs $b'$ to $\C$.
+    \item $\C$ outputs $b'$.
   \end{enumerate}
+  We have:
+  \[\Pr[b'=b] = \Pr[\A \text{ wins over } \Pi']\]
+  If $\A$ has a non-negligible probability to win against the $\Pi'$ scheme then $\C$ has also a non negligible probability to win against the $\Pi$ scheme. We can conclude that $\Pi'$ is also a secure scheme.
 \end{solution}
 
-\subsection{Exercise 6 (Block-cipher based hash function)}
-Considering a block cipher
-$E:\mathcal{K}\times\mathcal{M}\rightarrow\mathcal{C}$; $(k,m)\rightarrow E(k,m)=Enc_k(m)$
-with $\mathcal{K}=\mathcal{M}=\mathcal{C}=\left\{0,1\right\}^l$, one may try to construct
-a collision resistant compression function from $\left\{0,1\right\}^{2l}$ to $\left\{0,1\right\}^{l}$.
-Show that the following methods do not work :
-$$ f_1(x,y)=E(y,x)\oplus y \quad\mbox{ and }\quad f_2(x,y)=E(x,x)\oplus y $$
-That is, show an efficient algorithm for constructing collisions for $f_1$ and $f_2$.
-Recall that the block cipher E and the corresponding decryption algorithm D are both
-known to you (and they are bijective functions).
-\begin{solution}
-  We will give 2 collisions for $f_1$ and $f_2$.
-
-  We know that $E(k, \cdot)$ is surjective because it must be injective and $\M = \C$.
-  Therefore the decryption exists for all $c \in \C$ ! We will use it for the second collision of $f_1$.
-
-  For $f_1$, we have the 2 following collisions
-
-  \begin{align*}
-    f_1(D(E(y,x),y), E(y,x))
-    & = E(E(y,x), D(E(y,x), y)) \xor E(y,x)\\
-    & = y \xor E(y,x)\\
-    & = E(y,x) \xor y\\
-    & = f_1(x, y)\\
-    f_1(D(0, E(y,x) \xor y), 0)
-    & = E(0, D(0, E(y, x) \xor y)) \xor 0\\
-    & = E(y, x) \xor y\\
-    & = f_1(x, y).
-  \end{align*}
-  and for $f_2$ we have
-
-  \begin{align*}
-    f_2(x, E(x,x)) & = E(x,x) \xor E(x,x)\\
-                   & = 0 & \forall x \in \{0,1\}^l\\
-    f_2(y, E(x,x)) & = E(y,y) \xor E(x,x)\\
-                   & = E(x,x) \xor E(y,y)\\
-                   & = f_2(x, E(y,y)).
-  \end{align*}
-  \\
-  \textbf{Other approach:}\\
-  For $f_1$ : Let's define $k_1$ and $k_2$ such that $k_2$ is equal to $k_1$ except for the last bit which is flipped. Let's now take an arbitrary $x_1$ for which we ask the encryption $T_{x_1} = E(k_1,x_1)$. Now let's flip the last bit of $T_{x_1}$ and call the result $T_{x_2}$. We can now ask for the decryption of $T_{x_2}$ given $k_2$ as input key, which we know exists since D is bijective and $\C = \{0,l\}^{l}$. We then obtain $x_2$. We can now observe that:
-  \begin{align*}
-    f_1(x_1, k_1) & = E(k_1,x_1) \xor k_1\\
-                   & = T_{x_1}  \xor k_1\\
-    f_1(x_2, k_2) & = E(k_2,x_2) \xor k_2\\
-                   & = T_{x_2} \xor k_2\\
-                   & = (T_{x_1} \xor 0^{l-1}||1 )\:\xor\: (k_1 \xor 0^{l-1}||1)\\
-                   & = T_{x_1}  \xor k_1\\
-  \end{align*}
-  For $f_2$ : We can ask for $T_x \:= \:E(x,x)$ and $T_y\: =\: E(y,y)$ for two arbitrary (but different) x and y.  We can see that:
-  \begin{align*}
-    f_2(y, T_x) & = E(y,y) \xor T_x\\
-                   & = T_y  \xor T_x\\
-    f_2(x, T_y) & = E(x,x) \xor T_y\\
-                   & = T_x \xor T_y\\
-  \end{align*}
-  Which are both equal with different input, this is a collision
-  
-\end{solution}
 
-\subsection{Exercise 7 (Blue-ray security)}
-The movie industry wants to protect digital content distributed on DVD's. We study
-one possible approach. Suppose there are at most a total of $n$ DVD players in the world (e.g.
-$n=2^{32}$). We view these n players as the leaves of a binary tree of height $\log_2 n$. 
-Each node $\nu_j$ in this binary tree contains an AES key $K_j$ such that 
-$\mathrm{Enc}_{K_j}:\{0,1\}^l\rightarrow\{0,1\}^l$ is assumed to be a \emph{secure} encryption. 
-These keys are kept secret from consumers and are fixed for all time. 
-At manufacturing time each DVD player is assigned a serial number $i\in\left[0,n-1\right]$.
-Consider the set $S_i$ of $\log_2(n+1)$ nodes along the path from the root to leaf number
-$i$ in the binary tree. The manufacturer of the DVD player embeds in player number $i$ the
-$\log_2(n+1)$ keys associated with the nodes in $S_i$. In this way each DVD player ships with 
-$\log_2(n+1)$ keys embedded in it (these keys are supposedly inaccessible to consumers).
 
-\begin{enumerate}
-	\item Since all DVD players have the key \emph{root} (noted $K_{root}$), 
-	      find a way to protect the content $M\in\{0,1\}^l$ of a DVD such that all players can decrypt 
-	      the movie (and then read it).
-	\item Now suppose that a hacker has been able to extract the key $K_{root}$ embedded in his 
-	      DVD player and has published it on the Internet. 
-	      Show how the movie industry can encrypt the contents of a new DVD $M\in\{0,1\}^l$ such that only 
-	      the owners of a DVD player can read it.
-	      Note that the movie indutry does not want to produce several encryptions of the
-	      same content $M$ \emph{i.e.} there will be a single manner to protect the DVD.
-	\item Suppose the $\log_2n$ keys embedded in DVD player number $r$ are exposed by hackers 
-	      and published on the Internet. Show that when the movie industry is about to 
-	      distribute a new DVD movie they can encrypt the contents of the DVD using a 
-	      ciphertext of size $l\!\cdot\!(1+\log_2n)$ so that all DVD players can decrypt the movie except
-	      for player number $r$. In effect, the movie industry disables player number $r$.
-	      \\
-	      \emph{Hint: the DVD will contain $\log_2n$ ciphertexts where each ciphertext is the 
-	      encryption of a unique K under certain $\log_2n$ keys from the binary tree.}
+\subsection{Exercise 4 (Reduction and/or attacks.)}
+
+Let $\Pi_1=\langle \Gen^1,\Enc^1,\Dec^1\rangle$ and $\Pi^2=\langle \Gen^2,\Enc^2,\Dec^2\rangle$ be an encryption scheme with $\Enc^1 \colon \K\times \M^1 \mapsto \C^1$ and $\Enc^2 \colon \K\times \M^2 \mapsto \C^2$
+\begin{enumerate}[label=\alph*.]
+\item If $\C^1 = \M^2$, let $\Pi=\langle \Gen,\Enc,\Dec\rangle$ with
+\begin{itemize}
+  \item $\Gen\define(\Gen_1,\Gen_2)$ (that is, we obtain two different keys $(k_1,k_2)$
+  \item $\Enc_{(k_1,k_2)}(m)\define\Enc_{k_2}^2(\Enc^1_{k_1}(m))$
+  \item $\Dec_{(k_1,k_2)}(c)\define\Dec^1_{k_1}(\Dec^2_{k_2}(c))$
+\end{itemize}
+
+\begin{enumerate}[label=\arabic*.]
+\item If $\Pi^1$ is CPA secure, is it $\Pi$ CPA secure?
+\item If $\Pi^2$ is CPA secure, is it $\Pi$ CPA secure?
+\item If $\Pi$ is CPA secure, is it $\Pi^1$ CPA secure?
+\item If $\Pi$ is CPA secure, is it $\Pi^2$ CPA secure?
 \end{enumerate}
+\item If $\M^1 = \M^2$ and $\C^1 = \C^2$. let $\Pi'=\langle \Gen',\Enc',\Dec'\rangle$ with
+\begin{itemize}
+  \item $\Gen' \define (\Gen^1,\Gen^2)$ (that is, we obtain two different keys $(k_1,k_2)$
+  \item $\Enc'_{(k_1,k_2)}(m) \define (c_1,c_2)$ with $c_1=\Enc^1_{k_1}(m),~c_2=\Enc^2_{k_2}(m))$
+  \item $\Dec'_{(k_1,k_2)}(c) \define \Dec_{k_1}(c_1)$ with $c=c_1\|c_2$ ($c_1$ is the first half of $c$)
+\end{itemize}
+
+\begin{enumerate}[resume*]
+\item If $\Pi^1$ is CPA secure, is it $\Pi'$ CPA secure?
+\item If $\Pi^2$ is CPA secure, is it $\Pi'$ CPA secure?
+\item If $\Pi'$ is CPA secure, is it $\Pi^1$ CPA secure?
+\item If $\Pi'$ is CPA secure, is it $\Pi^2$ CPA secure?
+\end{enumerate}
+\end{enumerate}
+
+
 \begin{solution}
-  \begin{enumerate}
-    \item Encrypt all the DVDs with $K_\text{root}$, i.e. build the ciphertext : $c_{root}=Enc_{K_{root}}(M)$
-    \item At the beginning of the DVD, encrypt a random key $K$ twice (using $K_2$ and then $K_3$): $Enc_{K_2}(K)$ and $Enc_{K_3}(K)$.
-
-      We then encrypt all the content $M$ of the DVD using $K$. (We suppose $K_1$ is $K_{\text{root}}$)
-      $K_2$ and $K_3$ are the keys associated to the 2 childs of the root. \\
-      \textbf{Other possibility}
-      \\
-      Simply encrypt the contents of the new DVD M as : $Enc_{K2}(M)||Enc_{K3}(M)$. This way, each DVD player is still able to decrypt the content, but nobody that only has $K_{root}$.
-    \item
-      For every node $i$ on the path from the root to $r$, we must add an encryption of $K$ with the key of its child that is not in the path.
-      For example, if $r = 10$ and $n = 16$, we must include the bold keys,
-      so we will include the encryption of $K_7$ in a DVD which is quite something.
-      \\
-      \textbf{Expressed differently}
-      \\
-      If we want to disable the DVD player 11 for example, we can create a new ciphertext as : $c_{disable} = Enc_{K_2}(M)||Enc_{K_7}(M)||Enc_{K_{12}}(M)||Enc_{K_{player10}}(M)$ 
-      
-      \begin{center}
-        \Tree [.{$K_{\text{root}} = K_1$}
-          [.{$\mathbf{K_2}$}
-            [.{$K_4$}
-              [.{$K_8$}
-                [.{0} ]
-                [.{1} ]
-              ]
-              [.{$K_9$}
-                [.{2} ]
-                [.{3} ]
-              ]
-            ]
-            [.{$K_5$}
-              [.{$K_{10}$}
-                [.{4} ]
-                [.{5} ]
-              ]
-              [.{$K_{11}$}
-                [.{6} ]
-                [.{7} ]
-              ]
-            ]
-          ]
-          [.{$K_3$}
-            [.{$K_6$}
-              [.{$\mathbf{K_{12}}$}
-                [.{8} ]
-                [.{9} ]
-              ]
-              [.{$K_{13}$}
-                [.{\textbf{10}} ]
-                [.{11} ]
-              ]
-            ]
-            [.{$\mathbf{K_7}$}
-              [.{$K_{14}$}
-                [.{12} ]
-                [.{13} ]
-              ]
-              [.{$K_{15}$}
-                [.{14} ]
-                [.{15} ]
-              ]
-            ]
-          ]
-        ]
-      \end{center}
-  \end{enumerate}
+\begin{enumerate}
+	\item Let's assume $\Pi$ is not CPA secure: There exist an adversary A.\\
+	We build an adversary $A^1$ for $\Pi_1$
+	\begin{align*}
+		\Pr[b''=b;b''\leftarrow a^1] &= \Pr[b'=b;b'\leftarrow a]\\
+		\Pr[b''=b] &= \Pr[b'=b] \le 1/2+\negl
+	\end{align*}
+	We will prove this by reduction.
+	Let's assume we have a PPT adversary $\A_\Pi$ against $\Pi$ with advantage $\negl$.
+	We build an adversary $\A^1 \define \A_{\Pi^1}$ against $\Pi'$, running $\A_\Pi$ inside.
+	$\A_{\Pi^1}$ has oracle access to $\O_{\Pi^1}$.
+	We then run the following experiment (viewpoint of the adversary $\A_{\Pi^1}$):
+	\begin{enumerate}[label=(\arabic*)]
+		\item The challenger-oracle chooses $k_1 \pick \K$.
+		\item We, the adversary $\A_{\Pi^1}$, choose $k_2 \pick \K$.
+		\item Query phase: for every request for encryption of message $m\in\M_1$ made by $\A_\Pi$ to an ``oracle'' $\O_\Pi$ (played by us), we redirect this request to our oracle $\O_{\Pi^1}$ and receive $c=\Enc^1_{k_1}(m)$. We then compute $c'=\Enc^2_{k_2}(c)=\Enc^2_{k_2}(\Enc^1_{k_1}(m))=\Enc_{(k_1,k_2)}(m)$ and forward it to the ``emulated'' adversary $\A_\Pi$.
+		\item Challenge phase: the adversary $\A_\Pi$ outputs two messages $m_0$ and $m_1 \in \M^1$, we output both to the challenger-oracle.
+		\item The challenger-oracle chooses $b \pick \{0,1\}$ and sends $c^*=\Enc^1_{k_1}(m_b)$ to us. We compute $c^{*'}=\Enc^2_{k_2}(c^*)=\Enc_{(k_1,k_2)}(m_b)$ and send it to $\A_\Pi$.
+		\item Second query phase, similar to the first one.
+		\item $\A_\Pi$ outputs its guess $b'$. We output $b'' \define b'$.
+	\end{enumerate}
+	From the point of view of $\A_\Pi$, it has discuted with an oracle and challenger for $\Pi$: it has thus executed in the correct conditions and so, its advantage is $\negl$. In addition, our constructed adversary $\A_{\Pi^1}$ has only executed PPT algorithms in addition to $\A_\Pi$, so the overall adversary is PPT.
+	We can then compute the probability of success of our adversary $\A_{\Pi^1}$:
+	\[ \Pr[\PrivKcpa[\A_{\Pi^1}, \Pi^1](n)=1] = \Pr[b''=b] = \Pr[b'=b] = \Pr[\PrivKcpa(n)=1] = \frac12 + \negl(n), \]
+	the same probability as $\A_\Pi$. As we know that $\Pi^1$ is CPA-secure, then it means that $\negl(n)$ is negligible, and so $\Pi$ is also CPA-secure.
+
+	\item The proof is similar to the above, but we send $m'=\Enc^1_{k_1}(m)$ to our oracle for $\O_{\Pi^2}$ and directly get $c=\Enc^2_{k_2}(\Enc^1_{k_1}(m))=\Enc_{(k_1,k_2)}(m)$.
+
+	\textbf{If $\Pi^2$ is CPA secure, is it $\Pi$ CPA secure?}
+
+	We ($\D$) define an oracle ($O(\Pi^2)$) that can securely encode a message with $\Pi^2$ and instantiate an Attacker ($\A$). As we have to challenge the $\Pi$ scheme knowing the $\Pi^2$ is CPA secure we will proceed as follow.
+	\begin{description}
+		\item[First learning phase:] We begin by encrypting the messages from the attacker with $\Pi^1$ to send them to the oracle. The oracle responds by encrypting the message received with $\Pi^2$ and we just pass this response to the attacker.
+		\item[Challenge phase:] The attacker choose two messages and we transmit the two messages with the first encryption. The oracle will choose witch message to encrypt and will respond with one of the two messages encrypted that we will send back to the attacker.
+		\item[Second learning phase:] Same as the first one.
+	\end{description}
+	\begin{center}
+		\begin{tikzpicture}[scale=0.8]
+			%structure
+			\draw[rounded corners=10pt,thick] (0,0) rectangle (5,10);
+			\draw[rounded corners=10pt,thick] (0.5,0.5) rectangle (2,8.5);
+			\draw[rounded corners=10pt,thick] (13,0) rectangle (17,10);
+			\node[above right] at (0,10) {$\D$};
+			\node[above right] at (0.5,8.5) {$\A$};
+			\node[above left] at (17,10) {$O(\Pi^2)$};
+			\node[below left] at (5,10) {$k_1 \pick \Gen^1(1^n)$};
+			\node[below left] at (17,10) {$k_2 \pick \Gen^2(1^n)$};
+
+			%train phase
+			\flect (2,8) -- (4,8) \mess {$m_i$};
+			\flect (4,7) -- (2,7) \mess {$c_i$};
+			\flect (5,8) -- (13,8) \mess {$m_i' \define \Enc_{k_1}^1(m_i)$};
+			\flect (13,7) -- (5,7) \mess {$c_i \define \Enc_{k_2}^2(m_i')$};
+
+			%challenge phase
+			\flecc (2,5.5) -- (4,5.5) \mess {$m^{\ast}_0,m^{\ast}_1$};
+			\flecc (4,4.5) -- (2,4.5) \mess {$c^\ast$};
+			\flecc (5,5.5) -- (13,5.5) \mess {$m
+			_0^{\ast\prime} \define \Enc_{k_1}^{1}(m_0^\ast), m_1^{\ast\prime} \define \Enc_{k_1}^{1}(m_1^{\ast})$};
+			\flecc (13,4.5) -- (5,4.5) \mess {$c^\ast \define \Enc_{k_2}^{2}(m_b^{\ast\prime})$};
+			\node[below right] at (13,5.5) {$b \pick \bset$};
+
+			%train phase
+			\flect (2,3) -- (4,3) \mess {$m_i$};
+			\flect (4,2) -- (2,2) \mess {$c_i$};
+			\flect (5,3) -- (13,3) \mess {$m_i' \define \Enc_{k_1}^1(m_i)$};
+			\flect (13,2) -- (5,2) \mess {$c_i \define \Enc_{k_2}^2(m_i')$};
+
+			% output
+			\flec (2,1) -- (3,1) node[pos=1,right] {$b'$};
+			\flec (5,1) -- (6,1) node[pos=1,right] {$b''=b'$};
+		\end{tikzpicture}
+	\end{center}
+	As we can see in every case, the distinguisher will have the same probability to find the message encrypted by the oracle than the attacker to break the scheme. As the attacker can only have a probability of $1/2 + \negl$ to succeed the distinguisher will have the same probability. So, the scheme $\Pi$ is secure.
+
+	\item As seen in the previous development, if $\Pi^2$ is CPA secure, $\Pi$ is CPA secure. There is no restriction on $\Pi^1$ in that case. Therefore $\Pi^1$ could be such that $\Enc^1_{k_1}(m)\define m$ which is obviously not CPA secure. So the proposition is false.
+
+	\item Idem
+
+	\item The $\Pi'$ scheme is CPA secure if and only if $\Pi^2$ is also CPA secure. For example, if $\Enc_{k_2}^2(m) = m$ then the scheme $\Pi'$ is obviously not CPA secure.
+
+	More formally: Let's define the following experiment (the viewpoint is that of the adversary $\A$):
+	\begin{enumerate}[label=(\arabic*)]
+		\item The challenger chooses $k_1, k_2 \pick \K \times \K$.
+		\item No query phase takes place
+		\item We output $m_0=0^\abs{\M_1}$ and $m_1=1^\abs{\M_2}$ to the challenger.
+		\item The challenger chooses $b \pick \bset$ and returns $c=(\Enc^1_{k_1}(m_b), m_b)$ (recall that $\Enc^2_{k_2}(\cdot)$ is the identity here).
+		\item We output $b'=$ last bit of $c$.
+	\end{enumerate}
+	Then it is clear that $\Pr[\PrivKcpa[\A, \Pi'](1^n)=1] = \Pr[b'=b] = 1$.
+
+	\item Similar to the previous one: assume $\Enc^1$ is the identity.
+
+	\item We will proof this by reduction. Again, let's suppose we have a PPT adversary $\A_{\Pi^1}$ for $\Pi^1$ with advantage $\negl$, and let's build another PPT adversary $\A_{\Pi'}$ against $\Pi'$. The adversary $\A_{\Pi'}$ has access to an oracle $\O_{\Pi'}$ for $\Pi'$, and runs the adversary $\A_{\Pi^1}$ inside. We then run the following experiment (viewpoint of $\A_{\Pi'}$):
+	\begin{enumerate}[label=(\arabic*)]
+		\item $\A_{\Pi^1}$ chooses the security parameter $n$, sends it to $\A_{\Pi'}$, which sends it to the oracle. \emph{(Note: I'm not entirely sure of this one.)}
+		\item The oracle chooses $k_1, k_2 \pick \K \times \K$.
+		\item First query phase: When $\A_{\Pi^1}$ sends a query for encryption of message $m$ to its ``oracle'' $\O_{\Pi^1}$ (played by us), we forward it to our oracle $\O_{\Pi'}$, which sends us back an encryption $c=\Enc'_{(k_1, k_2)}(m)=(c_1, c_2)=(\Enc^1_{k_1}(m), \Enc^2_{k_2}(m))$. We forward $c_1$ to $\A_{\Pi^1}$.
+		\item Challenge phase: $\A_{\Pi^1}$ outputs two messages $m_0, m_1 \in \M^1$. We output them to the challenger-oracle.
+		\item The challenger-oracle chooses $b \pick \{0, 1\}$ and returns $c^*=\Enc'_{(k_1, k_2)}(m_b)=(c^*_1, c^*_2)=(\Enc^1_{k_1}(m_b), \Enc^2_{k_2}(m_b))$ with $c_1$ and $c_2$ of equal length.
+		\item We return $c^*_1$ to $\A_{\Pi^1}$ as the challenge of the ``oracle'' $\O_{\Pi^1}$.
+		\item Second query phase, similar to the first one.
+		\item $\A_{\Pi^1}$ outputs its guess $b'$. We output $b'' \define b'$ to the challenger.
+	\end{enumerate}
+	From the point of view of $\A_{\Pi^1}$, it has communicated with an oracle for $\Pi^1$,
+	and so it has executed in the correct conditions and its advantage in guessing $b$ is $\negl$.
+	As our adversary $\A_{\Pi'}$ only executes PPT algorithms, it is PPT too.
+	We can compute the probability of success of $\A_{\Pi'}$:
+	\[ \Pr[\PrivKcpa[\A_{\Pi'}, \Pi'](n)=1] = \Pr[b''=b] = \Pr[b'=b] = \Pr[\PrivKcpa[\A_{\Pi^1}, \Pi^1](n)=1] = \frac12 + \negl \]
+	As we know that $\Pi'$ is CPA-secure, then $\negl$ must be negligible, and so $\Pi^1$ is also CPA-secure.
+
+	Intuition: $\Pi'$ effectively executes the two encryption schemes in parallel, with no communication between the two. If one of the two encryption scheme was not CPA-secure, then we could just focus on this scheme to break the whole $\Pi'$.
+
+	\item Similar to the previous one; the only difference is that we send $c_2$ instead of $c_1$.
+\end{enumerate}
+
 \end{solution}
 
-\subsection{Exercise 9 (Mode of operation)}
-Show formally that ECB-mode encryption does not have indistinguishable encryptions in the presence of an eavesdropper.
-\begin{solution}
-  Let say we have to split the message into $m$ messages of $n$ bits.
-  Choosing $m_0 = M_0 \| M_0 \| \cdots \| M_0$ and $m_1 = M_1 \| M_2 \| \cdots \| M_m$ with $M_i \neq M_j$ for $i \neq j$,
-  if $b = 0$, $\A$ will get $c = C_0 \| C_0 \| \cdots \| C_0$ for some $C_0 \in \C$. But if b=1, $\A$ will get $c = C_1 \| C_2 \| \cdots \| C_m$ for some $C_i \in \C$.
-
-  An adversary $\A$ can output $b = 0$ iff all the $C_i$s are equals.
-  We have
-  $$ \Pr[\PrivK^{\text{eav}}_{\A,\text{ECB}}(nm)] = \frac{1}{2} + \frac{1}{2} = 1 $$
-  since the $C_i$ cannot be equal if $b = 1$ since we use a PRP.
-  If two different $M_i$ were encrypted as same $C_i$, decryption wouldn't be possible.
-\end{solution}
\ No newline at end of file
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp3.tex b/src/q7/crypto-MAT2450/exercises/tp/tp3.tex
index 51c814f6b3a92d75fb9d3849c2cc3be326ad1fdf..29134f909556e7a4ab76a45ede8f56576aea50f2 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp3.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp3.tex
@@ -1,259 +1,637 @@
+
 \section{}
-\subsection{Exercise 1 (Blue-ray security)}
-\copypaste{2}{7}
 
-\subsection{Exercise 2 (Authenticated encryption)}
-Let $\Pi = \langle \Gen, \Enc, \Dec\rangle$ be an authenticated encryption
-scheme such that $\Enc$ encrypts messages of $n$ bits.
-%
-Do the following systems provide authenticated encryption?  For those
-that do, briefly explain why.  For those that do not, present an
-attack that breaks one of the security properties of an authenticated
-encryption scheme.
+% OK
+\subsection{Exercise 0 (Simple attacks)}
 
+Let $\MAC = (\Gen, \Mac, \Vrfy)$ be existentially unforgeable under an adaptive chosen-message attack and let $\Pi=(\Gen, \Enc, \Dec)$ be a CCA-secure scheme. Consider the following schemes $\MAC'=(\Gen', \Mac', \Vrfy')$ (resp. $\Pi'=(\Gen', \Enc', \Dec')$) based on $\Mac$ with $\Gen'=\Gen$ and $\Mac'$ (resp. $\Gen=\Gen'$ and $\Enc'$) defined as follow:
 \begin{enumerate}
-	\item $\Pi' = \langle \Gen, \Enc', \Dec'\rangle$ with
-	$\Enc'_k(m) = (\Enc_k(m), \Enc_k(m \oplus (0^{n-1}\|1)))$ and
-	$\Dec'_k(c_1, c_2) = \Dec_k(c_1)$ if
-	$\Dec_k(c_1) \oplus \Dec_k(c_2) = 0^{n-1}\|1$ and $\bot$ otherwise.
-
-	\item $\Pi' = \langle \Gen, \Enc', \Dec'\rangle$ with
-	$\Enc'_k(m) = (\Enc_k(m), \Mac_k(m))$ and $\Dec'_k(c_1, c_2) = \Dec_k(c_1)$
-	
-	if $\Vrfy_k(\Dec_k(c_1), c_2)=1$ and $\bot$ otherwise. Here, $\Mac$
-	and $\Vrfy$ are deterministic algorithms that are part of a secure
-	MAC scheme that is compatible with $\Gen$.
-
+	\item $\Mac'_k(m) \define (\Mac_k(m), \Mac_k(m\xor 0\dots01))$
+	\item $\Mac'_k(m) \define \Mac_k\left(\bigoplus_{i=1}^l m_i \right)$
+	\item $\Mac'_k(m) \define (\Mac_k(m_1), \dots, \Mac_k(m_l))$
+	\item $\Mac'_k(m) \define (\Mac_k(m_1), \Mac_k(m_1||m_2), \dots, \Mac_k(m_1||\dots||m_l))$
+	\item $\Enc'_k(m) \define \left(\Enc_k(m), \Enc_k\left(\bigoplus_{i=1}^l m_i\right)\right)$
+	\item $\Enc'_k(m) \define \left(\Enc_k(m), \bigoplus_{i=1}^l m_i\right) $
+	\item $\Enc'_k(m) \define (\Enc_k(m), \Enc_k(m \oplus 110\dots0))$
+	\item $\Enc'_k(m) \define (\Enc_k(m||0), \Enc_k(m))$
 \end{enumerate}
+Break all $\MAC'$ and $\Pi'$.
+
+(In some cases $m$ is parsed in $m_1,\dots,m_l$ with $|m_1|=\dots=|m_{l-1}|=n$, $|m_l| \le n$ and $m_1||\dots||m_l=m$ ($||$ is the concatenation) where $n$ is the security parameter.)
+
 
 \begin{solution}
-$\Pi := \langle \text{Gen, Enc, Dec} \rangle$ is an authenticated encryption scheme (AE) if it is CCA-secure and unforgeable.
-\begin{enumerate}
-    \item The system $\Pi'$ is not AE because it is \textbf{forgeable} and we can show it with this example. If the adversary A asks for the message $m$ ($m'$ corresponds to the message m with the last bit changed) to the oracle access, he will receive the cipher text $(c_1, c_2)$, where $c_1 = Enc_k(m)$ and $c_2 = Enc_k(m\xor 0^{n-1}||1) = Enc_k(m')$ . 
-    
-    If $\A$ outputs the pair (m',$(c_2, c_1)$), this is a forgery. 
-    
-    $Dec_k'(c_2,c_1) = Dec_k(c_2) = Dec_k(Enc_k(m')) = m' \neq \perp $ because $Dec_k(c_2) \oplus Dec_k(c_1) = m' \oplus m = m \oplus 0^{n-1}||1 \oplus m = 0^{n-1}||1 $. And $m'$ has not been requested before.
-    
-    Then we have EncForge$_{A, \Pi'}$(n) = 1  and Pr[EncForge$_{A, \Pi'}$(n)] = 1. $\Pi'$ is then forgeable and it is not an AE. 
-    \newline
-    With the same technique, an adversary can break the CCA-security of this scheme by querying two different messages $m_1$ and $m_2$, obtaining their encryption, sending \newline
-    ($m'_1,m'_2$) = ($m_1 \oplus 0^{n-1}||1, m_2 \oplus 0^{n-1}||1$) for the challenge, and compare the encryption of $m'_b$ with the two previously received ciphertexts.
-    \item The sytem $\Pi'$ is not AE because it is not \textbf{CCA-secure} and we can show it because $Mac_k(m)$ does not assure any security (only authentication). So if We use as Mac : 
-    $$ Mac_k(m) = m||Mac'_k(m) $$
-    It is a good mac but it is trivial to show that is does not hold $CCA-Secure$. $\Pi'$ is then not an AE.
-\end{enumerate}
+	The following are sketches of the attacks that need to be performed; a correct answer needs to define the setting of the attack, in a manner similar to the reduction proofs.
+	\begin{enumerate}
+		\item Let's build an adversary $\A$ that can break the $\MAC'$ scheme. Let's define the following experiment $\MacForge_{\A,\Pi'}(n)$ (in the viewpoint of the adversary):
+		\begin{enumerate}[label=(\arabic*)]
+			\item The oracle-challenger chooses $k \pick \K$.
+			\item We are given access to an oracle for $\Mac'_k(\cdot)$; this oracle records all requested messages in $Q$. With $m \define 0\dots0$, we ask for $t \define \Mac'_k(m)$ and receive $t=(t_1, t_2)$ with $t_1=\Mac_k(m)$ and $t_2=\Mac_k(m \oplus 0\dots01))$.
+			\item We output $m^*=0\dots01$ and $t^*=(t_2, t_1)$.
+			\item Define $\MacForge_{\A,\Pi'} \define 1$ iff $\Vrfy'_k(m^*, t^*) = 1$.
+		\end{enumerate}
+	Observe that
+	\begin{align*}
+	\Mac'_k(m^*) &= (\Mac_k(m^*), \Mac_k(m^* \oplus 0\dots01)) = (\Mac_k(0\dots01), \Mac_k(0\dots01 \oplus 0\dots01)) \\
+	&= (\Mac_k(0\dots01), \Mac_k(0\dots0)) = (t_2, t_1)
+	\end{align*}
+	and so, the pair $(m^*, t^*)$ is indeed a valid tag. In addition, the message $m^*$ is different from $m$ and so $m^*\not\in Q$.
+	Thus, $\Pr[\MacForge_{\A,\Pi'}=1] = 1$ which is clearly not negligible.
+
+	\item We ask $m=0\dots0||0\dots01$ to the oracle as a message consisting of two blocks of length $l$, and receive the tag $t=\Mac'_k(m)=\Mac_k(0\dots0 \oplus 0\dots01) = \Mac_k(0\dots01)$.
+
+	Then, we output $m^* \define 0\dots01||0\dots0$ and $t^* \define t$. Observe that $\Mac'_k(m^*)=\Mac_k(0\dots01 \oplus 0\dots0)=\Mac_k(0\dots01)=t=t^*$ and thus is a valid tag for a message not asked to the oracle.
+
+	\item We send to the oracle $m=0\dots0||0\dots01$ as a two-blocks message and receive $t=\Mac'_k(m)=(\Mac_k(0\dots0), \Mac_k(0\dots01))=(t_1, t_2)$. We output $m^*=0\dots01||0\dots0$ and $t^*=(t_2, t_1)$. Observe that $\Mac'_k(m^*)=(\Mac_k(0\dots01), \Mac_k(0\dots0))=(t_2, t_1)=t^*$, and $m^*$ was not asked to the oracle, so this is a valid pair.
+
+	\item We send $m=m_1||m_2$ for some message blocks $m_1, m_2 \pick \bset^n$ (they don't matter) and receive $t=\Mac'_k(m)=(\Mac_k(m_1), \Mac_k(m_1||m_2))=(t_1, t_2)$. We output $m^*=m_1$ and $t^*=(t_1)$. Note that this requires $\Mac_k(\cdot)$ and $\Mac'_k(\cdot)$ to accept arbitrary-length messages, and $\Mac'_k(\cdot)$ to output arbitrary-length tags.
+
+	\item We ask the oracle to encrypt $m=0\dots01 || 0\dots01$, a two-blocks message and receive $c=(c_1, c_2)=(\Enc_k(m), \Enc_k(0\dots01 \oplus 0\dots01))=(\Enc_k(m), \Enc_k(0\dots0))$.
+	We then output $m_0=0\dots0||0\dots0$ and $m_1=1\dots1||1\dots1$.
+	Observe that $\bigoplus_{i=1}^l m_{0,i} = \bigoplus_{i=1}^l m_{1,i} = \bigoplus_{i=1}^l m_{i}=0\dots0$.
+	We receive $c=(c^*_1, c^*_2)=(\Enc_k(m_b), \Enc_k(\bigoplus_{i=1}^l m_{b,i}))=(\Enc_k(m_b), \Enc_k(00\dots00))$.
+	We then ask to decrypt $c^*=(c^*_1, c_2)$ and will receive $m_b$.
+
+	This assumes that the two encryptions that take place in $\Enc'$ are independent (e.g., use different $r$) so that we can combine the two parts in arbitrary ways.
+	Also, there is a slight chance that $c_2=c^*_2$ (if both encryptions used the same random values) as they encrypt the same message. If $n$ is the number of bits of the random values used in the encryption (e.g., the number of bits of $r$), then this probability is $\frac{1}{2^n}$ which is negligible.
+
+	\item We output $m_0=0\dots0$ and $m_1=0\dots01$ with length $n$ (so that the messages are not split). Then, receiving $c=(\Enc_k(m_b), \bigoplus_{i=1}{l}m_b)=(\Enc_k(m_b), m_b)$, we answer $0$ if $m_b=m_0$ and $1$ otherwise.
+
+	\item We output $m_0=0\dots0$ and $m_1=1\dots1$, and receive $c=(\Enc_k(m_b), \Enc_k(m_b\oplus 110\dots0))=(c_1, c_2)$. We then ask the oracle to decrypt $c^*=(c_2, c_1)$ (this is not $c$) and receive $m^*=m_b\oplus 110\dots0$. We then just have to compute $m'=m^*\oplus 110\dots0$ and compare with $m_0$ and $m_1$ to identify it. For this attack to work, we need a decryption oracle, and so need to play the CCA security game.
+
+	\item We output $m_0=0\dots0$ and $m_1=1\dots1$ and receive $c=(\Enc_k(m_b||0), \Enc_k(m_b))=(c_1, c_2)$. We ask the oracle to decrypt $c^*=(c_2, c_1)$ and should receive $m_b||0$ or $m_b$.
+
+	Note: this attack looks wrong, as it requires $\Dec'$ to ignore the fact that, in theory, the first part of the ciphertext encrypts the same message as the second part, with a $0$ appended. In practice, decrypting such malformed messages should result in an error. But it was the ``official'' answer.
+	\end{enumerate}
 \end{solution}
 
-\subsection{Exercise 3 (Euclidean algorithm for gcd)}
-Let $a,b \in \mathbb{Z}$ , $b \neq 0$, consider the following algorithm, presented in Algorithm~\ref{algo:gcd}. ($r=a \% b$ means that $a=qb+r$ where $q$ is the quotient and $r$ is the remainder).
 
-Prove that $x$, the value returned by Algorithm~\ref{algo:gcd}, is $\mathsf{gcd} (a,b)$.
 
-Hint:
+% OK
+\subsection{Exercise 1 (Fixed-length MAC)}
+
+Consider the fixed-length MAC $\Pi \define \langle\Gen,\Mac,\Vrfy\rangle$
+defined as follows:
 \begin{itemize}
-\item Prove that $x$ divides  $ \mathsf{gcd} (a,b)$
-\item Prove that $ \mathsf{gcd} (a,b)$ divides $x$
+  \item $\Gen$: choose random $k\leftarrow \bset^n$
+  \item $\Mac$: on input $m,k \in\bset^n$, output $t \define F_k(m)$
+  \item $\Vrfy$: on input $k, m, t \in \bset^n$ output 1 iff $t=F_k(m)$
 \end{itemize}
 
-\begin{algorithm}
-	\KwIn{$a$, $b$}
-	\KwOut{$\mathsf{gcd}(a,b)$}
-	
-	\While{ $b\neq 0$}
-	{
-		$r \leftarrow a\%b$\;
-		
-		$a \leftarrow b$\;	
-		
-		$b \leftarrow r$\;	
-	}
-	\Return($a$)
-	
-\caption{The Euclidean $\mathsf{gcd}$ algorithm.}\label{algo:gcd}
-\end{algorithm}
-\begin{solution}
-According to the algorithm, we will have as successive value for the different remainder : 
-$$ (r_2 = r_0 \% r_1, r_3 = r_1 \% r_2, \ r_4 = r_2 \% r_3, \ ... \ , r_n =  r_{n-2} \% r_{n-1})$$
-Where $r_0 = a$, $r_1 = b$ and $r_n$ is the last non null remainder. Then we have the property that :
-$$ gcd(r_{i}, r_{i+1}) = gcd(r_{i+1}, r_{i+2}) \ \forall i : \ 0 \leq i \leq n - 2 $$
-Otherwise if it was not the case, $\exists i < n $ such that $r_i = 0$. But as $r_n$ is the last non null remainder, we prove by contradiction this property.
-
-As $gcd(r_{n-1}, r_n) = r_n $ because $r_n | r_{n-1}$ (since $r_{n+1} = r_{n-1} \% r_n = 0$), we can conclude that 
-$$ gcd(r_0, r_1) = gcd(a, b) = gcd(r_{n-2}, r_{n-1}) = r_n$$
-We have proved the value returned by the algorithm is the $gcd(a,b)$
-\end{solution}
+Prove that, if $F$ is a PRF, $\Pi$ is existentially unforgeable under
+an adaptive chosen-message attack. Hint:
 
-\subsection{Exercise 4}
-Consider the group $\mathbb{Z}^{\ast}_{17}$.
 \begin{enumerate}
-\item Compute $5^{-1}$.
-\item Compute $3^2$, $3^3$ and $3^4$.
-\item Does $3$ generate the group?
-\item Find $\log_{7}(11)$.
+  \item Consider the scheme $\Pi'$ defined as $\Pi$ except that a truly
+        random function is used instead of a pseudo-random one. Show that
+        $\Pi'$ is existentially unforgeable under an adaptive chosen-message
+        attack.
+  \item Consider a PPT adversary who can produce an adaptive forgery on
+        $\Pi$ with non negligible probability $\negl(n)$. Using this
+        adversary, show that $F$ cannot be a PRF.
 \end{enumerate}
+
+
+% homework 2 of Dan Boneh, Winter 2011, Problem 2
 \begin{solution}
-Here because p is not too big, it is possible to evaluate "quickly" and "intuitively" the solutions. If it is too hard, there is an algorithm in the slides. 
+  \begin{itemize}
+    \item
+      Let $\tilde{\Pi} = \langle \tilde{\Gen}, \tilde{\Mac}, \tilde{\Vrfy} \rangle$, defined as:
+      \begin{itemize}
+        \item $\tilde{\Gen}$: chooses a random $f$.
+        \item $\tilde{\Mac}$: on input $m$, outputs $f(m)$.
+        \item $\tilde{\Vrfy}$: on input $(m,t)$, outputs $1$ iff $f(m) = t$.
+      \end{itemize}
+
+      Let's analyse the maximum value of $\Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]$ for an adversary $\A$.
+      If after $q$ different queries (it gains no info doing the same query twice),
+      $m_1, \dots, m_q$, $\A$ outputs $(m, t)$, what are its chances of success ?
+      Let $f \colon \bset^n \mapsto \bset^n$.
+      There are $(2^n)^{2^n}$ different $f$ and we pick a random one uniformly.
+      However, there are only $(2^n)^{2^n-q}$ experiments such that $\A$ could have received $(m_i,t_i)$ for $i = 1, \ldots, q$ because
+      there are $(2^n)^{2^n-q}$ $f$ such that $f(m_i) = t_i$ for $i = 1, \ldots, q$.
+      We could be in any of them.
+      Among them, only $(2^n)^{2^n-(q+1)}$ are such that $f(m) = t$.
+      Since $f$ is selected uniformly, we have
+      \begin{align*}
+        \Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]
+        & = \Pr[f(m) = t | f(m_i) = t_i, \forall i = 1, \ldots, q]\\
+        & = \frac{\Pr[f(m) = t, f(m_i) = t_i, \forall i = 1, \ldots, q]}{\Pr[f(m_i) = t_i, \forall i = 1, \ldots, q]}\\
+        & = \frac{\frac{(2^n)^{2^n-(q+1)}}{(2^n)^{2^n}}}{\frac{(2^n)^{2^n-q}}{(2^n)^{2^n}}}
+          = \frac{(2^n)^{2^n-(q+1)}}{(2^n)^{2^n-q}}
+          = \frac{1}{2^n}.
+      \end{align*}
+      A shortcut would have been to say that, since $f(m)$ is independent of the $f(m_i)$, we have
+      \begin{align*}
+        \Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]
+        & = \Pr[f(m) = t | f(m_i) = t_i, \forall i = 1, \ldots, q]\\
+        & = \Pr[f(m) = t]
+          = \frac{(2^n)^{2^n-1}}{(2^n)^{2^n}}
+          = \frac{1}{2^n}.
+      \end{align*}
+      Another way of saying it: as $f$ is random, each $f(m_i)$ is random too and independent of each other and of $m$, so $\A$ doesn't get any information from the query phase. And, because $f$ is random, the correct tag $t^*$ for $m$ is random too, and so the adversary only has $\Pr[t=t^*]=\frac{1}{2^n}$ to find the correct one.
+
+      It is quite surprising that instead of a upper bound
+      on $\Pr[\MacForge_{\A, \tilde{\Pi}}(n) = 1]$
+      depending on $\A$ (and reached for $\A$ super smart),
+      it is actually independent of $\A$.
+    \item
+      Let's now suppose that we have an adversary $\A$
+      that win with non-negligible probability against the MAC $\Pi$
+      and show that under this assumption we can build
+      a distinguisher $\D$ for $F$.
+
+      $\D$ will simply take a function $g$ as input
+      and run $\A$ using $g$ to create the tags.
+      He has $g$ so he can see if $\A$ wins or lose.
+      If $\A$ wins, $\D$ outputs $1$, otherwise, it outputs $0$.
+
+      We know that if $g$ is a pseudo random function,
+      $\Pr[\MacForge_{\A, \Pi_g} = 1] = \frac{1}{2^n}$
+      (we prove that in the previous point)
+      and if $g$ is a PRF
+      $\Pr[\MacForge_{\A, \Pi_g} = 1] = \eta(n)$
+      where $\eta$ is non-negligible
+      ($\A$ is exactly in the correct conditions he expects to work correctly and to win with non-negligible probability).
+      We have therefore
+      \[
+        |\Pr[\D^{F_k}(1^n) = 1] - \Pr[\D^{f}(1^n) = 1]|
+        = \left|\eta(n) - \frac{1}{2^n}\right| \ge \eta(n) - \frac{1}{2^n}
+      \]
+      which is non-negligible due to $\eta(n)$. Conversely, as we assume that $F$ is a PRF, then it must be that the probability on the left-hand side is negligible, and so the probability on the right-hand side must be negligible too, which forces $\eta(n)$ to be negligible.
+
+      % Not sure it works
+%    \item
+%      Another simpler solution is possible. Using the first Hint, we can say that if $F_k$ is a PRF, it has a maximum of $2^n$ possible outputs
+%      where a truly random function has exactly $2^n$ outputs. So if we suppose $\Pi$ secure with a PRF, then $\tilde{\Pi}$ is also secure because
+%      $\epsilon_{\tilde{\Pi}}  = \frac{1}{2^n} \geq \epsilon_{\Pi}$. We then can play the PRF game to prove the security of $\Pi$ with the second hint.
+  \end{itemize}
+
+\end{solution}
+
+
+
+\subsection{Exercise 2 (MAC length extension)}
+
+Let $\Pi' \define \langle\Gen',\Mac',\Vrfy'\rangle$ be a secure fixed-length MAC. We define a variable-length MAC $\Pi \define \langle\Gen,\Mac,\Vrfy\rangle$ as follows:
+
+\begin{itemize}
+	%
+	\item $\Gen$: choose random $k \pick \bset^n$
+	\item $\Mac$: on input $k \in\bset^n$ and $m \in \bset^*$ of length $l<2^\frac n4$
+	\begin{itemize}
+		\item Parse $m$ into blocks $m_1,\dots,m_d$ of length $\frac n4$ each (pad with 0's if necessary)
+		\item Choose random $r \pick \bset^\frac n4$
+		\item Compute $t_i \define \Mac_k(r||l||i||m_i)$ for $1\leq i\leq d$, with $|r|=|l|=|i|=\frac n4$
+		\item Output $t \define \langle r,t_1,\dots,t_d\rangle$
+	\end{itemize}
+	\item $\Vrfy$: on input $k, m, t=\langle r,t_1,\ldots,t_{d'}\rangle$,
+	\begin{itemize}
+		\item Parse $m$ into blocks $m_1,\ldots,m_d$ of length $\frac n4$ each
+		\item Output 1 iff $d=d'$ and, $\forall 1\leq i\leq d$, $\Vrfy'_k(r||l||i||m_i,t_i)=1$
+	\end{itemize}
+	%
+\end{itemize}
+
+The goal of this exercise is to prove by reduction that $\Pi$ is existentially unforgeable. Let $\A$ (resp. $\A'$) be an adversary attacking the unforgeability of $\Pi$ (resp. $\Pi'$) and let $\epsilon = \textsc{MacForge}_{\A,\Pi}(n)$ (resp. $\epsilon' = \textsc{MacForge}_{\A',\Pi'}(n)$) denotes its advantage.
+
 \begin{enumerate}
-    \item Because 35 mod 17 = 1, and $5 \cdot 7 = 35$. \newline Then $5^{-1} = 7$.  ($5 \cdot 7 = 1 \text{ (mod 17)}$)
-    \item \begin{itemize}
-        \item $3^2 = 9 \text{ (mod 17)}$
-        \item $3^3 = 3^2 \cdot 3 = 27 \text{ (mod 17)} = 10 \text{ (mod 17)}$
-        \item $3^3 = 3^3 \cdot 3 = 30 \text{ (mod 17)} = 13 \text{ (mod 17)}$
-    \end{itemize}
-    \item According to \textit{Fermat's little theorem}, if ord(g) = i then if $i|m = |G|$, where G is the commutative group. To see if 3 generate the group, we have to check if $3^i \neq 1$ where $i$ are the divisor of $(p-1) = 16$ (except 16 of course !).
-    \begin{itemize}
-        \item $3^1$ = 3 mod 17 (trivial)
-        \item $3^2$ = 9 mod 17 (evaluated previously)
-        \item $3^4$ = 13 mod 17 (evaluated previously)
-        \item $3^8$ = $(3^4)^2$ = $(13)^2 \text{ (mod 17)}$ = $(-4)^2 \text{ (mod 17)}$ = 16 mod 17
-    \end{itemize}
-    We can see that 3 is a generator of the group. 
-    
-    \textbf{P.S.} : The trick here is to remember the property of the modulo operation here in a $Z^*_p$:
-    $$ x = -(p - x) \text{ (mod p)} $$  
-    It can make a lot of computing easier (it can become a real pain in the ass).
-    \item Here we have to find x such that : 
-    $$ 7^x = 11 \text{ (mod 17)} $$
-    After (boring) computations, we have here :
-    \begin{itemize}
-        \item $7^1$ = 7 mod 17
-        \item $7^2$ = 15 mod 17 = -2 mod 17
-        \item $7^3$ = -14 mod 17 = 3 mod 17
-        \item $7^4$ = 4 mod 17
-        \item $7^5$ = 11 mod 17 (Bingo)
-    \end{itemize}
-    Then $log_7(11)$ = 5
+	\item Make a quick draw sketching the proof.
+	\item Describe formally how $\A'$ should react to a query $\textsc{Mac}_k(m)$.
+	\item Define what is a mac forgery for the scheme $\Pi$. Does it necessarily implie a forgery on the scheme $\Pi'$ (justify your answer).
+	\item Express $\epsilon$ in function of $\epsilon'$ and conclude.
 \end{enumerate}
+
+
+\begin{solution}
+	(See~\cite[pp.~120--122]{katz2007introduction} for the ``official'' proof).
+	\begin{enumerate}
+		\item
+		\begin{tikzpicture}[x=1cm, y=0.8cm]
+		\draw[rounded corners=0.5cm] (-0.5, 0) rectangle (7, 3.5);
+		\draw[rounded corners=0.5cm] (0.5, 1) rectangle (3, 3);
+		\draw[dashed] (5.5, 2) ellipse (0.5 and 1);
+		\draw (10, 2) ellipse (0.8 and 1.3);
+		\draw[-stealth] (3, 2.5) to[bend left=10] node[midway, above] {$m$} (5, 2.5);
+		\draw[-stealth]
+			(7, 2.4) edge[bend left=10] (9.2, 2.4)
+			(7, 2.3) edge[bend left=10] (9.2, 2.3)
+			(7, 2.2) to[bend left=10] node[midway, below, draw, circle, inner sep=2pt] {1} (9.2, 2.2)
+		;
+		\draw[-stealth]
+			(1.5, 1) edge node[midway, right] {$(m^*, t^*)$} (1.5, 0.2)
+			(2, 0) -- node[midway, right] {$(m', t')$} (2, -0.8)
+		;
+		\draw
+			(1, 2.5) node {$\A_\Pi$}
+			(0, 3) node {$A_{\Pi'}$}
+			(5.5, 2.1) node[above] {$\O_\Pi$}
+			(5.5, 1.8) node[below] {$Q$}
+			(10, 2.5) node {$\O_{\Pi'}$}
+			(10, 2) node {$k$}
+			(10, 1.5) node {$Q'$}
+			(7.5, 0) node[draw, circle, inner sep=2pt] {1} ++(0.5, 0) node[right] {described in the text}
+		;
+		\end{tikzpicture}
+		\item $\A'$ should pick a random $r\leftarrow \{0,1\}^{\frac{n}{4}}$, parse m into d blocks $m_1,...,m_d$ and send to its oracle $d$ queries $r\|l\|i\|m_i$ for $i = 1, \ldots, d$.
+		After the $d$ queries made to its oracle $O'$, $\A'$ computes $\langle r, t_1, \ldots, t_d \rangle$ where $t_i$ is the answer of the oracle to its $i$th query. He then sends it as an answer to $\A$s query.
+		\item For $\Pi$, a forgery is a pair $(m, \langle r, t_1, \ldots, t_d \rangle)$ where $m$ has not been queried before
+		and $t_i = \Mac'_k(r\|l\|i\|m_i)$ for $i = 1, \ldots, d$ where $l$ is the length of $m$ and $m = m_1\| \cdots \|m_d$.
+		\begin{itemize}
+			\item
+			If none of its previous query has the same $r$ and $l$, $r\|l\|1\|m_1$ cannot be a query made by $\A'$ and
+			$(r\|l\|1\|m_1, t_1)$ is an existential forgery for $\Pi'$ that $\A'$ can output.
+			\item
+			If 2 previous queries have both $r$ and $l$, then we do not necessarily have an existential forgery.
+			However, since $r$ is picked at random ($\A'$ could cheat and make sure that the same $r$ is not picked twice)
+			the probability (birthday paradox) of this to happen (if all $m$ have the same $l$ which is the worst case) is approximately
+			$\frac{q(n)^2}{2 \cdot 2^n}$ where $q(n)$ is the number of queries made by $\A$.
+			\item
+			If one unique previous query $m^j$ has this $r$ and $l$, since $m$ is not one of the previous query, there must be $i$
+			such that $m_i \neq m_i^j$.
+			We know therefore that $r\|l\|j\|m_j$ has never been queried by $\A'$ so $(r\|l\|j\|m_j, t_j)$ is an existential forgery for $\Pi$.
+		\end{itemize}
+		\item In conclusion, we have
+		\begin{align*}
+			\Pr[\MacForge_{\A,\Pi}(n) = 1]
+			& \leq \Pr[\MacForge_{\A',\Pi'}(n) = 1] + \frac{q(n)}{2^{n+1}}\\
+			\epsilon(n)
+			& \leq \epsilon'(n) + \frac{q(n)}{2^{n+1}}
+		\end{align*}
+		so since $\epsilon'(n)$ and $\frac{q(n)}{2^{n+1}}$ are negligible,
+		$\epsilon(n)$ is negligible.
+	\end{enumerate}
+
+	Alternative answer:
+	\begin{enumerate}[start=2]
+		\item When $\A_\Pi$ asks for $\Mac_k(m)$, we ($\A_{\Pi'}$) should parse $m=m_1||m_2||\dots||m_d$ with $|m_i|=\frac{n}{4} \, \forall 1\le i \le d=\lceil \frac{l}{n/4}\rceil$ and with the message zero-padded.
+
+		Pick $r \pick \bset^{n/4}$.
+
+		Then, do $d$ requests to $\O_{\Pi'}$ to build $t_i \define \Mac'_k(r||l||i||m_i) \, \forall 1 \le i \le d$.
+
+		Finally, send $t=\langle r, t_1, \dots, t_d\rangle$ to $\A_\Pi$.
+
+		An important question to answer is whether this operation keeps $\A_{\Pi'}$ PPT, with so much requests. To prove this, observe that 1) the message $m$ is generated by a PPT adversary so 2) its length must be polynomial and 3) there is thus at most a polynomial number of blocks and thus 4) we only do a polynomial number of requests to $\O_{\Pi'}$ when $\A_\Pi$ does a request to $\O_\Pi$. So, we are still PPT.
+
+		\item When $\A_\Pi$ outputs $(m^*, t^*)$, we have $t^*=\langle r, t_1, \dots, t_d\rangle$ with $t_i=\Mac'_k(r||l||i|m_i^*)$.
+
+		By hypothesis, there is a chance of $\negl(n)$ that $(m^*, t^*)$ is valid and $m^*$ has never been requested to $\O_\Pi$, i.e., us. Now, we need to extract a valid $(m', t')$ for $\Pi'$. There are three cases:
+		\begin{itemize}
+			\item If the pair $(r, l)$ has never been used in any of our requests, then $r||l||i||m_i^*$ has never been queried to $\O_{\Pi'}$, and we have our forgery: take any of $(r||l||i||m_i^*, t_i)$.
+			\item If $(r, l)$ has been used before, then we need to distinguish between two cases. The first case is if $r$ has been used two or more times before: as $r$ is picked randomly, this event happens with probability $\frac{q(n)}{2^{n/4}}$. In that case, for correct $l$, $\A_\Pi$ could have just rearranged blocks from two previous messages $m^1$ and $m^2$ to build a new message $m^*$. For him, this is an existential forgery against $\Pi$. But for us, all those blocks $r||l||i||m_i^{1, 2}$ have been queried to our oracle before, and so none of them are fresh, and this is not a forgery against $\Pi'$.
+			\item If $(r, l)$ has been used before and $r$ has only been used once, then there is a past message $m^1$ whose tag used this $r$. Let's compare the two messages:
+			\begin{align*}
+			m^1 &\rightarrow m_1^1||m_2^1||\dots||m_d^1 \rightarrow \langle r, \Mac'_k(r||l||1||m_1^1), \dots\rangle \\
+			m^* &\rightarrow m_1^*||m_2^*||\dots||m_d^* \rightarrow \langle r, \Mac'_k(r||l||1||m_1^*), \dots\rangle
+			\end{align*}
+			As $m^*$ is a forgery against $\Pi$, $m^1 \neq m^*$, so $\exists j \suchthat m_j^1 \neq m_j^*$. For this $i$, the corresponding $(r||l||j||m_j^*, t_j)$ is a forgery against $\Pi'$.
+		\end{itemize}
+		If now we compute it,
+		\begin{align*}
+		\negl'(n) = \Pr[\MacForge_{\A_{\Pi'},\Pi'}(n)=1] &\ge \Pr[\MacForge_{\A_\Pi,\Pi}(n)=1 \\
+		&\quad \wedge \text{ We can build a forgery from it}] \\
+		&\ge \Pr[\MacForge_{\A_\Pi,\Pi}(n)=1] \cdot \left(1-\frac{q(n)}{2^{n/4}}\right) \\
+		&= \negl(n) \left(1-\frac{q(n)}{2^{n/4}}\right)
+		\end{align*}
+		As we know that $\Pi'$ is EUF-CMA, then $\negl'(n)$ must be negligible, so the whole right-hand side must be negligible too, and so $\negl(n)$ must be negligible.
+
+		Other said, if $\negl(n)$ is non-negligible, then the right-hand side is non-negligible (the term in parenthesis is negligibly close to $1$), and so $\negl'(n)$ must be non-negligible too.
+	\end{enumerate}
 \end{solution}
 
-\subsection{Exercise 5 (Group order)}
-In this exercise we consider the group $\mathbb{Z}_{59}^*$.
 
+
+\subsection{Exercise 3 (Authenticated encryption and sPRP)}
+
+\copypaste{4}{2}
+
+
+
+\subsection{Exercise 4 (Authenticated encryption)}
+
+Let $\Pi=(\Gen, \Enc, \Dec)$ be an authenticated encryption scheme where $0\not\in \C$ (that is, the string ``0'' is not a possible ciphertext for $\Pi$). Consider the following scheme $\Pi' \define (\Gen', \Enc', \Dec')$ with:
+\begin{itemize}
+	\item $\Gen'=\Gen$
+	\item $\Enc'=\Enc$
+	\item $\forall k: \Dec'(c) = \begin{cases} \Dec(c) \text{ if } c\neq 0, \\ 0 \text{ if } c=0. \end{cases}$
+\end{itemize}
 \begin{enumerate}
-	\item What is the order of $58$?
-	\item What are the possible orders of an element of this group?
-	\item Find an element of order more than $20$.
-	
+	\item Is $\Pi'$ unforgeable?
+	\item Is $\Pi'$ CCA secure?
 \end{enumerate}
+
+
 \begin{solution}
-The order of $g \in \mathbb{Z}^*_{59}$ is the smallest $i$ where $g^i = 1$ 
+	\begin{enumerate}
+		\item It is not unforgeable. To see this, simply build the following adversary $\A$:
+		\begin{enumerate}[label=(\arabic*)]
+			\item The oracle-challenger chooses $k \pick \K$.
+			\item We have no query to do to the oracle.
+			\item Output $c=0$.
+		\end{enumerate}
+		By definition, $\Dec'_k(0)=0 \, \forall k$, so it is a valid message. So $\Pr[\EncForge_{\A, \Pi'}(n)=1]=1$.
+		\item It is CCA-secure (sure at 95\%). To show this, let's do a reduction. If we have a PPT adversary $\A_{\Pi'}$ against $\Pi'$, we can build an adversary $\A_\Pi$ against $\Pi$ and run the following experiment (from the viewpoint of $\A_\Pi$):
+		\begin{enumerate}[label=(\arabic*)]
+			\item The oracle-challenger chooses $k \pick \K$.
+
+			\item First query phase:
+			\begin{itemize}
+				\item When $\A_{\Pi'}$ asks for $\Enc'_k(m)$ of a message $m$, we simply forward the request to $\O_\Pi$, receive $c=\Enc_k(m)$, and return it to $\A_{\Pi'}$
+				\item When $\A_{\Pi'}$ asks for $\Dec'_k(c)$ of a ciphertext $c$, if $c=0$, then we return $0$, and if $c\neq 0$, we forward the request to $\O_\Pi$, receive $m=\Dec_k(c)$ and return it to $\A_{\Pi'}$.
+			\end{itemize}
+
+			\item $\A_{\Pi'}$ outputs its messages $m_0, m_1$. We output them.
+
+			\item The challenger-oracle picks $b\pick \bset$, returns $c^*=\Enc_k(m_b)$, sends that to us, and we forward it to $\A_{\Pi'}$.
+
+			\item Second query phase, similar to the first one, with the exception that $\A_{\Pi'}$ cannot ask for $\Dec'_k(c^*)$.
+
+			\item $\A_{\Pi'}$ outputs its guess $b'$, and we output $b''=b'$.
+		\end{enumerate}
+		The adversary $\A_{\Pi'}$ is exactly in the correct conditions, our adversary $\A_\Pi$ is PPT, and we output the same value, so $\Pr[\PrivKcca[\A_\Pi, \Pi](n)=1]=\Pr[\PrivKcca[\A_{\Pi'}, \Pi'](n)=1]=\Pr[b'=b]=\Pr[b''=b]=\negl$
+		and, as we know that $\Pi$ is CCA-secure, then we have that $\Pi'$ is CCA-secure. This ``zero-filling'' has no impact on the CCA-security, only on the unforgeability.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 5}
+% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
+
+Let $F$ be a PRF. Below, we describe three \textit{insecure} \emph{variable-length} message authentication codes (\textit{a.k.a.} MACs), $\Pi_1$, $\Pi_2$ and $\Pi_3$, which all use the same key generation algorithm $\G$. The message space is \emph{any (non negative) number} of message blocks in $\{0,1\}^n$, where $n$ is the security parameter.
+%
+\begin{description}
+	\item[$\G(1^n)$] outputs a random key $k\gets\bset^n$.
+\end{description}
+%
+The scheme $\Pi_3$ is built from $\Pi_2$ which is itself built from $\Pi_1$ as an (unsuccessful) attempt to ``patch'' the previous scheme:
+%
+\begin{description}
+	\item[$\Pi_1=(\Gen,\Mac^1,\Vrfy^1)$:]
+	\emph{``Deterministic MAC -- Chaining PRFs''}
+
+	$\Mac^1_k(m_1,\ldots,m_\ell)$ computes $t_1=F_k(m_1)$ as well as
+	$t_i=F_k(m_i\oplus t_{i-1})$, for $i=2$ to $\ell$, and returns $t \define t_\ell$ (note that only the last block is returned).
+
+	$\Vrfy^1_k((m_1,\ldots,m_{\ell}),t)$ outputs $1$ if
+	$\Mac^1_k(m_1,\ldots,m_{\ell})=t$, and 0 otherwise.
+	\item[$\Pi_2=(\Gen,\Mac^2,\Vrfy^2)$:]
+	\emph{``Padding a random message block in the end''}
+
+	$\Mac^2_k(m_1,\ldots,m_\ell)$ first picks a random $r\gets\{0,1\}^n$ and
+	then runs $t=\Mac_k^1(m_1,\ldots,m_\ell,r)$ and outputs $(r,t)$.
+
+	$\Vrfy^2_k((m_1,\ldots,m_{\ell}),(r,t))$ outputs $1$ if
+	$\Mac^1_k(m_1,\ldots,m_{\ell},r)=t$, and 0 otherwise.
+
+	\item[$\Pi_3=(\Gen,\Mac^3,\Vrfy^3)$:]
+	\emph{``Padding a random message block in the beginning''}
+
+	$\Mac^3_k(m_1,\ldots,m_\ell)$ first picks a random $s\gets\{0,1\}^n$ and
+	then runs $(r,t)=\Mac_k^2(s,m_1,\ldots,m_\ell)$ and outputs $(r,s,t)$.
+
+	$\Vrfy^3_k((m_1,\ldots,m_{\ell}),(r,s,t))$ outputs $1$ if
+	$\Mac^1_k(s,m_1,\ldots,m_{\ell},r)=t$, and 0 otherwise.
+\end{description}
+
 \begin{enumerate}
-    \item ord(58) = 2 because :
-    \begin{itemize}
-        \item  $58^1$ = 58 mod 59 = -1 mod 59
-        \item  $58^2$ = -58 mod 59 = 1 mod 59
-    \end{itemize}
-    \item According to \textit{Fermat's little theorem}, the possible orders of a group $\mathbb{Z}^*_{p}$ are the divisor of p-1. Then, the possible orders are : 
-    \begin{itemize}
-        \item 1
-        \item 2
-        \item 29
-        \item 58
-    \end{itemize}
-    \item The best strategy here is to find a number g where 
-    $$ ord(g) > 2 $$
-    (To assure you this is correct, just look at the possible ordrers).  \newline
-    2 is a correct candidate. 
+	\item Describe $\Mac_k^3(m_1,\ldots,m_\ell)$ explicitly in term of computations
+	of $F_k$ (and $\oplus$ of course).
+	\item Show the correctness of $\Pi_3$.
+	\item Mount a forgery attack on these MACs.
 \end{enumerate}
+
+\begin{solution}
+	\begin{enumerate}
+		\item For random $r,s\leftarrow \{0,1\}^n$,
+		$\Mac^3_k(m_1,\ldots,m_\ell)$ computes $t_0=F_k(s)$, then $t_i=F_k(m_i \oplus t_{i-1})$ for $i=1$ to $\ell$, and finally
+		$t_{\ell+1}=F_k(r\oplus t_\ell)$.
+		It outputs $(r,s,t)$ where $t \define t_{\ell+1}$.
+
+		\item Using the description of $\Mac^1_k$, on inputs $(s,m_1,\ldots,m_\ell,r)$ it gives $t'_1=F_k(s)$, for $i=1$ to $\ell$, $t'_{i+1}=F_k(m_i \oplus t'_i)$, and $t'_{\ell+2}=F_k(r \oplus t'_{\ell+1})$. $t'_{\ell+2}$ is the output, or equivalently:
+		\begin{align*}
+		F_k(r \oplus t'_{\ell+1}) &= F_k \bigg(r \oplus F_k \Big(m_\ell \oplus F_k \big( m_{\ell-1} \oplus \dots F_k(m_1\oplus F_k(s)) \dots \big)\Big)\bigg)\\
+		&=t.
+		\end{align*}
+
+		\item These MACs are not even one-time secure:
+		\begin{description}
+			\item $\Pi_1$: (1) query $\Mac^1_k(m)$ on any $m\in\bset^n$ and get the tag $t=F_k(m)$;
+
+			(2) output $((m,m\oplus t),t)$.
+
+			$t_1=F_k(m)$, $t_2=F_k(m\oplus t \oplus t_1)= F_k(m \oplus 0)=t$.
+
+			\item $\Pi_2$: (1) query $\Mac^2_k(m)$ on any $m\in\{0,1\}^n$ and get the tag $(r,t)$, where $t=F_k(F_k(m)\oplus r)$;
+
+			(2) output $((m,r,m\oplus t),(r,t))$.
+
+			$t_1=F_k(m)$, $t_2=F_k(F_k(m)\oplus r)=t$, $t_3=F_k(t\oplus m \oplus t)=F_k(m)$, $t_4=F_k(F_k(m)\oplus r)=t$.
+
+			\item $\Pi_3$: (1) query $\Mac^3_k(m)$ on any $m\in\{0,1\}^n$ and get the tag $(r,s,t)$, where $t=F_k( F_k(F_k(s) \oplus m)  \oplus r)$
+
+			(2) output $((m,r,s\oplus t,m),(r,s,t))$.
+
+			$t_1=F_k(s)$, $t_2=F_k(F_k(s) \oplus m)$, $t_3=F_k(F_k(F_k(s) \oplus m) \oplus r)=t$, $t_4=F_k(t \oplus s \oplus t)= F_k(s)$, $t_5=F_k(F_k(s)\oplus m)$, $t_6=F_k( F_k(F_k(s) \oplus m)  \oplus r)=t$.
+		\end{description}
+	\end{enumerate}
 \end{solution}
 
-\subsection{Exercise 6 (Decisional Diffie-Hellman and \texorpdfstring{$\mathbb{Z}_p^\ast$}{Zp*})}
-\label{subsec:4.6}
-The goal of this exercise is to show that in some groups DDH and CDH assumptions are conjectured not equivalent, as DDH is easy whereas CDH is conjectured to be hard.
+
+
+\subsection{Exercise 6}
+% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
+
+Let $F$ be a pseudorandom function, $G$ be a pseudorandom permutation, $T$ be a public $n$-bit constant, $k$ be a $n$-bit secret key, $m$ be a $n$-bit message, $IV$ be a $n$-bit random value chosen by the party computing the encryption (resp.~MAC) before each operation. Among the following constructions, determine the ones that would be acceptable and justify your answer. (Your justifications can rely on results that have been presented during the class.)
 
 \begin{enumerate}
-	\item For all element $a$ of $\mathbb{Z}_{11}^*$, compute $a^2 \mod 11$.
-	
-	For a prime number $p$, we denote $QR_p$ the set $\{x \in \mathbb{Z}_{p}^* \; | \; \exists a\in \mathbb{Z}_{p}^*, a^2=x\}$, such $x$ are called quadratic residues modulo $p$. Show that if $p$ is odd then $|QR_p|=\frac{p-1}{2}$.
-	
-		\item For all element $a$ of $\mathbb{Z}_{11}^*$, compute $a^5 \mod 11$. Show that for any odd prime $p$, $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}}= 1 \mod p$, and that $x \not \in QR_p \Leftrightarrow x^{\frac{p-1}{2}}= -1 \mod p$.
-	
-	\item Show that $2$ is a generator of $\mathbb{Z}_{11}^*$. For the following pairs $(a,b)$, compute $g^a, g^b$ and $g^{ab}$ in $\mathbb{Z}_{11}^*$ where $g=2$:
-	\begin{itemize}
-		\item $(2,8)$,
-		\item $(1,4)$,
-		\item $(3,5)$.
-	\end{itemize}
-    Show that for $p$ an odd prime, $g^{ab} \not \in QR_p \Leftrightarrow g^a \not \in QR_p \text{ and } g^b \not \in QR_p$.
-	
-	\item Show that DDH does not hold in $\mathbb{Z}_{p}^*$ with $p$ an odd prime.
+	\item $\Enc_k(m) \define F_k(m \oplus T)$ as an encryption scheme secure against
+	eavesdropping.
+
+	\item $\Enc_k(m) \define G_k(m \oplus T)$ as an encryption scheme secure against eavesdropping.
+
+	\item $\Enc_k(m) \define G_k(m \oplus T)$ as an encryption scheme secure against a CPA-adversary.
+
+	\item $\Enc_k(m) \define (IV,G_k(m \oplus T \oplus IV))$ as an encryption scheme secure against a CPA-adversary.
+
+	\item $\Mac_k(m) \define F_k(m \oplus T)$ as a MAC scheme existentially unforgeable under an
+	adaptive chosen-message attack.
+
+	\item $\Mac_k(m) \define (IV,G_k(m\oplus IV \oplus T))$ as a MAC scheme
+	existentially unforgeable under an adaptive chosen-message attack.
 \end{enumerate}
+
+
 \begin{solution}
-For this exercise we will work with $\Z_{11}^* = \{1,2,3,4,5,6,7,8,9,10\}$
+	\begin{enumerate}
+		\item No, decryption does not work in general, as we do not
+		necessarily know how to invert a PRF.
+
+		\item 	Yes, it is secure.  The reduction to the PRP security can work as follows:
+		the reduction gets $m_0$ and $m_1$ from the eavesdropper
+		adversary, picks a random bit $b$, sends $m_b \oplus T$ to the
+		challenger and receives a value $c$ that it sends back to the eavesdropper
+		adversary. This adversary has a probability exactly $1/2$ to
+		guess $b$ if $c$ comes from a random permutation, and a
+		probability $1/2 + \negl$ to guess $b$ if $c$ comes from a
+		pseudorandom permutation. The reduction can therefore claim that
+		it sees a PRP every time the adversary makes a successful
+		guess. The difference between the two probabilities is $\negl$.
+		So, if $F$ is a PRP, $\epsilon$ must be negligible.
+
+		\item 	No: it is not probabilistic. CPA security is not achievable with deterministic encryption.
+
+		\item We first observe that the $\oplus T$ does not matter:
+		since $T$ is public, the adversary has the possibility to adapt
+		its choice of $m$ in order to cancel it.  Now, if we abstract
+		from $T$, this is exactly the CBC encryption mode, which we know
+		to be CPA-secure.
+
+		\item Again, we observe that the $\oplus T$ does not matter: since
+		$T$ is public, the adversary has the possibility to choose exactly
+		on which value $F_k$ will be applied. Now, if we abstract from $T$,
+		this is exactly the basic MAC scheme from the class, which is secure.
+
+		\item This is insecure. Given one tag $(IV, t)$ on a message
+		$m$, the adversary can produce a valid tag $(IV', t)$ on the
+		message $m' = m \oplus IV \oplus IV'$ for any $IV'$.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 7 (Blue-ray security)}
+
+The movie industry wants to protect digital content distributed on DVD's. We study
+one possible approach. Suppose there are at most a total of $n$ DVD players in the world (e.g.
+$n=2^{32}$). We view these n players as the leaves of a binary tree of height $\log_2 n$.
+Each node $\nu_j$ in this binary tree contains an AES key $K_j$ such that
+$\mathrm{Enc}_{K_j}:\{0,1\}^l\rightarrow\{0,1\}^l$ is assumed to be a \emph{secure} encryption.
+These keys are kept secret from consumers and are fixed for all time.
+At manufacturing time each DVD player is assigned a serial number $i\in\left[0,n-1\right]$.
+Consider the set $S_i$ of $\log_2(n+1)$ nodes along the path from the root to leaf number
+$i$ in the binary tree. The manufacturer of the DVD player embeds in player number $i$ the
+$\log_2(n+1)$ keys associated with the nodes in $S_i$. In this way each DVD player ships with
+$\log_2(n+1)$ keys embedded in it (these keys are supposedly inaccessible to consumers).
+
 \begin{enumerate}
-    \item 
-		For all element $a$ of $\Z_{11}^*$, I've calculated $a^2$ mod $11$.
-		$$1^2 = 1 \quad 2^2 = 4 \quad 3^2 = 9 \quad 4^2 = 5 \quad 5^2 = 3 \quad 6^2 = 3 \quad 7^2 = 5 \quad 8^2 = 9 \quad 9^2 = 4 \quad 10^2 = 1$$
-		We see that with $p$ odd, we have $\left|QR_p\right| = \frac{p-1}{2}$. We can show it with this development:
-		
-	\item
-		For all element $a$ of $\Z_{11}^*$, I've calculated $a^5$ mod $11$.
-		$$1^5 = 3^5 = 4^5 = 5^5 = 9^5 = 1 \qquad 2^5 = 6^5 = 7^5 = 8^5 = 10^5 = 10$$
-		We can see that for $p$ prime, we have $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p$ and  $x \notin QR_p \Leftrightarrow x^{\frac{p-1}{2}} = p-1 \mod p$.
-		\begin{itemize}
-			\item $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p$:\\
-			We know that $$x \in QR_p \Leftrightarrow \exists a \st x = a^2 \mod p$$
-			So we have now $$x = a^2 \mod p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p$$
-			If we replace $x$ by $a$ we obtain $a^{2^{(\frac{p-1}{2})}} = 1 \mod p$.\\ 
-			But also more simply $a^{p-1} = 1 \mod p$ which is true by the group theory.
-			\item $x \notin QR_p \Leftrightarrow x^{\frac{p-1}{2}} = p-1 \mod p$:\\
-			We know that $$x \notin QR_p \Leftrightarrow \exists a \st x = a^{1+2n} \mod p$$
-			So we have now $$x = a^{1+2n} \mod p \Leftrightarrow x^{\frac{p-1}{2}} = -1 \mod p$$
-			We replace $x$ by $a$ and we get $$a^{\frac{p-1}{2}} a^{n(p-1)} \mod p = -1 \mod p$$ 
-			We know that $ a^{n(p-1)} \mod p = 1$, thus we simplify the equation like $$a^{\frac{p-1}{2}} \mod p = -1 \mod p$$ 
-			We know that $g = a^{\frac{p-1}{2}} \mod p \ne 1 \mod p$ but $g^2 = a^{p-1} = 1 \mod p$. The only solution of these two equations is $g = -1 \mod p$ which is equivalent to $$x^{\frac{p-1}{2}} = p-1 \mod p$$
-		\end{itemize}
-	
-	\item
-		The number $2$ is a generator of $\Z_{11}^*$, because ord($2$) $= 10$. In fact, we have $2^1 = 2$, $2^2 = 4$, $2^5 = 10$ and $2^10 = 1$. (Fermat's little theorem)
-		We have $g = 2$ so:
-		\begin{itemize}
-			\item $(2,8):\quad g^2 = 4$, $g^8 = 3$ and $g^{16} = -2$ 
-			\item $(1,4):\quad g^1 = 2$, $g^4 = 5$ and $g^{4} = 5$
-			\item $(3,5):\quad g^3 = -3$, $g^5 = -1$ and $g^{15} = -1$ TODO
-		\end{itemize}
-		We have to show that $g^{ab} \notin QR_p \Leftrightarrow g^a \notin QR_p \text{ and } g^b \notin QR_p$.\\
-		We know by the definition of the $QR_p$ set that
-		$$g^n \notin QR_p \Leftrightarrow \exists m \st n = 2m+1$$
-		We can thus extract from $g^{ab} \notin QR_p$ that $\exists m \st ab = 2m+1$.
-	    
-	    % not necessary
-		%We can do a proof by contradiction:\newline 
-		%If $a = 2v$ then $ab = 2bv$ and can not be equal to $2m + 1$.\\
-		%If $b = 2v$ then $ab = 2av$ and can not be equal to $2m + 1$.\\
-		
-		So we are assured that $a$ and $b$ are not pairs, so we have the relation $g^a \notin QR_p \text{ and } g^b \notin QR_p$ if and only if $ab = 2m+1$ which is equivalent to $g^{ab} \notin QR_p$. That was what we had to proof.
-		
-	\item
-		We have to show that DDH does not hold in $\Z_p^*$ with p an odd prime number.
-		
-		We define an attacker that can see $p$, $g$, $g^a$, $g^b$ and receive $h_b = g^{ab}$ or $g^z$.\\ 
-		The attitude of the attacker will be this one:
-		\begin{itemize}
-			\item It receives $g^a \notin QR_p$ and $g^b \notin QR_p$:\\
-				It will answer in function of $h_b$:
-				\begin{itemize}
-					\item $h_b \notin QR_p$:\\
-						It answers $h_b = g^{ab}$
-					\item $h_b \in QR_p$:\\
-						It answers $h_b = g^z$
-				\end{itemize}
-			\item It receives $g^a \in QR_p$ or $g^b \in QR_p$:\\
-				It answers randomly.
-		\end{itemize}
-		We can identify four cases with their chances of success and appearance (we already know that $\left|QR_p\right|$ is of size $\frac{p-1}{2}$):
-		\begin{enumerate}[a)]
-			\item $g^a \in QR_p$ or $g^b \in QR_p$ appears $3/4$ of the time with success = $1/2$.
-			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^{ab}$  appears $1/8$ of the time with success = $1$.
-			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^z$ and $g^z \in QR_p$  appears $1/16$ of the time with success = $1$.
-			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^z$ and $g^z \notin QR_p$  appears $1/16$ of the time with success = $0$.
-		\end{enumerate}
-		We can now recalculate the expected value of success of our attacker:
-		$$\begin{array}{rcl}
-			\mathbb{E}(success) &=& \frac{3}{4}\cdot \frac{1}{2} +  \frac{1}{8}\cdot 1 + \frac{1}{16}\cdot 1 + \frac{1}{16}\cdot 0\\
-								&=& \frac{1}{2} + \frac{1}{16}
-		\end{array}$$
-		This attacker has one sixteenth of probability more than one half which is not a negligible function (in fact it is a constant function). It is not DDH secure.
+	\item Since all DVD players have the key \emph{root} (noted $K_{root}$),
+	      find a way to protect the content $M\in\{0,1\}^l$ of a DVD such that all players can decrypt
+	      the movie (and then read it).
+	\item Now suppose that a hacker has been able to extract the key $K_{root}$ embedded in his
+	      DVD player and has published it on the Internet.
+	      Show how the movie industry can encrypt the contents of a new DVD $M\in\{0,1\}^l$ such that only
+	      the owners of a DVD player can read it.
+	      Note that the movie indutry does not want to produce several encryptions of the
+	      same content $M$ \emph{i.e.} there will be a single manner to protect the DVD.
+	\item Suppose the $\log_2n$ keys embedded in DVD player number $r$ are exposed by hackers
+	      and published on the Internet. Show that when the movie industry is about to
+	      distribute a new DVD movie they can encrypt the contents of the DVD using a
+	      ciphertext of size $l\!\cdot\!(1+\log_2n)$ so that all DVD players can decrypt the movie except
+	      for player number $r$. In effect, the movie industry disables player number $r$.
+
+	      \emph{Hint: the DVD will contain $\log_2n$ ciphertexts where each ciphertext is the
+	      encryption of a unique K under certain $\log_2n$ keys from the binary tree.}
 \end{enumerate}
-\end{solution}
\ No newline at end of file
+
+
+\begin{solution}
+  \begin{enumerate}
+    \item Encrypt all the DVDs with $K_\text{root}$, i.e. build the ciphertext: $c_{root}=Enc_{K_{root}}(M)$
+    \item At the beginning of the DVD, encrypt a random key $K$ twice (using $K_2$ and then $K_3$): $Enc_{K_2}(K)$ and $Enc_{K_3}(K)$.
+
+      We then encrypt all the content $M$ of the DVD using $K$. (We suppose $K_1$ is $K_{\text{root}}$)
+      $K_2$ and $K_3$ are the keys associated to the 2 childs of the root.
+
+      \textbf{Other possibility}
+
+      Simply encrypt the contents of the new DVD M as: $Enc_{K2}(M)||Enc_{K3}(M)$. This way, each DVD player is still able to decrypt the content, but nobody that only has $K_{root}$.
+    \item
+      For every node $i$ on the path from the root to $r$, we must add an encryption of $K$ with the key of its child that is not in the path.
+      For example, if $r = 10$ and $n = 16$, we must include the bold keys,
+      so we will include the encryption of $K_7$ in a DVD which is quite something.
+
+      \textbf{Expressed differently}
+
+      If we want to disable the DVD player 11 for example, we can create a new ciphertext as: $c_{disable} = Enc_{K_2}(M)||Enc_{K_7}(M)||Enc_{K_{12}}(M)||Enc_{K_{player10}}(M)$
+
+      \begin{center}
+        \Tree [.{$K_{\text{root}} = K_1$}
+          [.{$\mathbf{K_2}$}
+            [.{$K_4$}
+              [.{$K_8$}
+                [.{0} ]
+                [.{1} ]
+              ]
+              [.{$K_9$}
+                [.{2} ]
+                [.{3} ]
+              ]
+            ]
+            [.{$K_5$}
+              [.{$K_{10}$}
+                [.{4} ]
+                [.{5} ]
+              ]
+              [.{$K_{11}$}
+                [.{6} ]
+                [.{7} ]
+              ]
+            ]
+          ]
+          [.{$K_3$}
+            [.{$K_6$}
+              [.{$\mathbf{K_{12}}$}
+                [.{8} ]
+                [.{9} ]
+              ]
+              [.{$K_{13}$}
+                [.{\textbf{10}} ]
+                [.{11} ]
+              ]
+            ]
+            [.{$\mathbf{K_7}$}
+              [.{$K_{14}$}
+                [.{12} ]
+                [.{13} ]
+              ]
+              [.{$K_{15}$}
+                [.{14} ]
+                [.{15} ]
+              ]
+            ]
+          ]
+        ]
+      \end{center}
+  \end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 8 (Authenticated encryption, or not)}
+
+\copypaste{10}{1}
+
+
+
+\subsection{Exercise 9 (Authenticated encryption)}
+
+\copypaste{4}{1}
+
+
+
+% TODO
+\subsection{Exercise X (Mode of operation)}
+Show formally that ECB-mode encryption does not have indistinguishable encryptions in the presence of an eavesdropper.
+\begin{solution}
+  Let say we have to split the message into $m$ messages of $n$ bits.
+  Choosing $m_0 = M_0 \| M_0 \| \cdots \| M_0$ and $m_1 = M_1 \| M_2 \| \cdots \| M_m$ with $M_i \neq M_j$ for $i \neq j$,
+  if $b = 0$, $\A$ will get $c = C_0 \| C_0 \| \cdots \| C_0$ for some $C_0 \in \C$. But if b=1, $\A$ will get $c = C_1 \| C_2 \| \cdots \| C_m$ for some $C_i \in \C$.
+
+  An adversary $\A$ can output $b = 0$ iff all the $C_i$s are equals.
+  We have
+  \[ \Pr[\PrivK^{\text{eav}}_{\A,\text{ECB}}(nm)] = \frac{1}{2} + \frac{1}{2} = 1 \]
+  since the $C_i$ cannot be equal if $b = 1$ since we use a PRP.
+  If two different $M_i$ were encrypted as same $C_i$, decryption wouldn't be possible.
+\end{solution}
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp4.tex b/src/q7/crypto-MAT2450/exercises/tp/tp4.tex
index 651f8d0fd78e550ecb651d8c606db992d4f63668..7d48e1ad4e41f214fafec049ea577fd706f638b5 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp4.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp4.tex
@@ -1,275 +1,411 @@
 \section{}
-\subsection{Exercise 0 (Group order)}
-\copypaste{3}{5}
+\subsection{Exercise 1 (Authenticated encryption, August 2019 exam)}
 
-\subsection{Exercise 1 (ElGamal Public Key Encryption and CCA Security)}
 \begin{enumerate}
-	\item Write the security definition of CCA security for a public key encryption scheme.
-	\item Let $(c_1,c_2)$ and $(c_1',c_2')$ be two ElGamal ciphertexts, of plaintext $m$ and $m'$ respectively. Can $(c_1 c_1',c_2 c_2')$ be a ciphertext relatively to this scheme? 
-	\item From $(c_1,c_2)$ a ciphertext of $m$, can you build another ciphertext valid for $m$ (remember that the public key is $(\mathbb{G},g,q,h=g^x)$)? If yes, what is its decryption? 
+	\item Let $F\colon \K \times \bset^n \mapsto \bset^n$ be a PRF. Consider the following Authenticated Encryption scheme $\Pi=(\Gen, \Enc, \Dec)$ as follow:
+	\begin{itemize}
+		\item $\Gen$: pick a key uniformly at random in $\K$;
+		\item $\Enc$: on input $m$ and $k$:
+		\begin{itemize}
+			\item Parse $m$ in $l$ blocks $m_1,\dots,m_l$ with $|m_1|=\dots=|m_l|=n$
+			\item Pick $r$ uniformly at random in $\bset^{\frac{n}{2}}$
+			\item For $i=1,\dots,l$:
 
-	\item Show that ElGamal Public Key Encryption is not CCA secure.
-\end{enumerate}
-\begin{solution}
-\begin{enumerate}
-    \item 
-    Given  $\Pi := \langle$ Gen, Enc, Dec$\rangle$, and adversary $A$, define the following experiment $\text{ PrivK}^{cca}_{A, \Pi}$ : 
-    \begin{enumerate}
-        \item Gen probabilistically selects ($pk$, $sk$) $\leftarrow$ Gen(1$^n$). $pk / sk$ are the public/private key.
-        \item $A$ is given oracle access to $Dec_{sk}(\cdot)$.
-        \item $A$ outputs $m_0, m_1$ of same length.
-        \item Choose $b \leftarrow$ \{0, 1\}, and send $c := Enc_{pk}(m_b)$ to $A$.
-        \item $A$ is again given access to $Dec_{sk}(\cdot)$ but he cannot ask $Dec_{sk}(c)$.
-        \item $A$ outputs $b'$.
-        \item Define $\text{PrivK}^{cca}_{A, \Pi}(n) := 1$ iff $b=b'$
-    \end{enumerate}
-    $\Pi := \langle$ Gen, Enc, Dec$\rangle$ is CCA-secure for a public key encryption scheme if $\forall$ PPT $A, \exists \epsilon$ :
-    $$ Pr[\text{ PrivK}^{cca}_{A, \Pi}(n)] \leq \frac{1}{2} + \epsilon(n) $$
-    
-    \item (c$_1$c$_1$', c$_2$c$_2$') is a valid ciphertext for the message : m $\cdot$ m'. \newline
-    We can prove this like : 
-    $$Dec_{sk}(c_1c_1',c_2c_2') = \frac{c_2c_2'}{c_1^xc_1'^x} = \frac{mh^{y_1}m'h^{y_2}}{g^{xy_1}g^{xy_2}} = m \cdot m'$$
-    
-    \item Yes, if we think about this property : $m \cdot 1 = m$ and we combine it with the property found last exercise : $Dec_{sk}(c_1c_1',c_2c_2') = m \cdot m'$, it is easy to produce a new valid ciphertext. \newline
-    If we compute $Enc_{pk}(1) := (c_1', c_2')$ (we can do it since we are in a \textbf{public key encryption scheme}), the ciphertext (c$_1$c$_1$', c$_2$c$_2$') will be a valid ciphertext and its decryption will give : m.
-    \newline
-    \textbf{Other possibility} \newline
-    We can also simply choose $y' \leftarrow \mathbb{Z}_q$ and build the ciphertext $(c_1.g^{y'},c_2.h^{y'})=(g^{y+y'},m.g^{x(y+y')})$. The decryption gives m.
-    
-    \item Now, we are able to see why ElGamal does not hold CCA-security with the 2 properties found. \newline
-    If the adversary $A$, after received $c := (c_1, c_2)$, compute $Enc_{pk}(1) := (c_1', c_2')$ and make the following oracle access $Dec_{sk}(c_1c_1',c_2c_2') := m_x$, he will now be able to (really) easily determine b from $m_x$. Then we can say that :
-    $$ Pr[\text{ PubK}^{cca}_{A, ElGamal}(n)] = 1$$
-    Which means ElGamal does not hold CCA-security with public key encryption.
-    \newline
-    \textbf{Other possibility} \newline
-    We build an attacker A as follows : 
-    \begin{enumerate}
-        \item A outputs $m_0$, $m_1$ $\in M$.
-        \item A receives $(c_1,c_2)=Enc_{pk}(m_b)=(g^y,m_b.g^{xy})$
-        \item A queries the decryption of the transformed ciphertext $(c_1.g^{y'},c_2.h^{y'})$ for some arbitrary chosen y' from $\mathbb{Z}_q$, and receives directly $m_b$ as a response from his oracle.
-    \end{enumerate}
-\end{enumerate}
-\end{solution}
+				\hspace{1cm} $c_i=F_k(r||i) \oplus m_i$
+			\item $c_{l+1}=F_k(r||l+1) \oplus \left(\oplus_{i=1}^l m_i\right)$
+			\item Return $(r, c)$ with $c=(c_1,\dots,c_l,c_{l+1})$.
+		\end{itemize}
+		\item $\Dec$ consequently.
+	\end{itemize}
+	[For simplicity we suppose that for every message all blocks are \emph{full}, that is, when parsed the last block has length $n$ (i.e., $|m_l|=n$).
 
-\subsection{Exercise 2 (ElGamal in \texorpdfstring{$QR_p$}{QRp})}
-Let $p=2q+1$ with $q$ prime, let $\mathbb{G}=QR_p$ the group of squares modulo $p$, and $g$ be a generator of $\mathbb{G}$. 
-We define ElGamal encryption scheme in this group: The private key is $(\mathbb{G},g,q,x)$, the public key is $(\mathbb{G},g,q,h=g^x)$
-where $x \in \mathbb{Z}_{q}^*$ is chosen uniformly. To encrypt a message $m$ $\in \mathbb{Z}_{q}$, choose a uniform $r \in \mathbb{Z}_{q}$, compute $c_1=g^r \mod p$ and $c_2=h^r+m \mod p$ and let the ciphertext be $(c_1,c_2)$.
+	When we write r||i we mean that the number $i$ is written in binary notation putting as many zeros on the left as necessary.]
 
-\begin{enumerate}
-	\item What is the order of $g$?
-	\item Is this scheme CPA-secure? 
+	\begin{enumerate}
+		\item Is $\Pi$ unforgeable? Prove or confute\footnote{*refute}.
+		\item Is $\Pi$ CCA-secure? Prove or confute with an attack. [Hint: the previous answer may be useful\dots]
+	\end{enumerate}
 
-	
+	\item Let $\Pi'=(\Gen', \Enc', \Dec')$ be an authenticated encryption scheme with binary messages of length $n$. For two binary vectors of length $n$ we denote $\oplus$ the coordinate-wise XOR. $1_n$ denotes the all-$1$ vector of length $n$. Consider the following schemes:
+	\begin{itemize}
+		\item $\Pi^1 \define (\Gen^1, \Enc^1, \Dec^1)$:
+		\begin{itemize}
+			\item $\Gen^1 \define \Gen'$,
+			\item $\Enc^1_k(m) \define (c_1, c_2) = (\Enc'_k(m), \Enc'_k(m\oplus 1_n))$,
+			\item $\Dec^1_k((c_1, c_2)) \define \Dec'_k(c_1)$ if $\Dec'_k(c_1)\oplus \Dec'_k(c_2)=1_n$, $\bot$ otherwise.
+		\end{itemize}
+		\item $\Pi^2 \define (\Gen^2, \Enc^2, \Dec^2)$:
+		\begin{itemize}
+			\item $\Gen^2 \define \Gen'$,
+			\item $\Enc^2_k(m) \define \Enc'_k(m \oplus 1_n)$,
+			\item $\Dec^2_k(c) \define 1_n$ if $\Dec'_k(c)=\bot$, $\Dec'_k(c)\oplus 1_n$ otherwise.
+		\end{itemize}
+	\end{itemize}
+	\begin{enumerate}
+		\item Is $\Pi^1$ an authenticated encryption scheme? If not, explain which property you can break and how.
+		\item Is $\Pi^2$ an authenticated encryption scheme? If not, explain which property you can break and how.
+	\end{enumerate}
 \end{enumerate}
+
+% TODO
 \begin{solution}
-\begin{enumerate}
-    \item As g is a generator of $\mathbb{G}$, then ord(g)=$|\mathbb{G}|$. According to \ref{subsec:4.6} and given the fact that $\mathbb{G}$ := $QR_p$, then $|\mathbb{G}| = \frac{p - 1}{2} = q =$  ord(g).
-    \item The scheme is CPA-Secure and we gonna prove it by assuming that $QR_p$ holds in DDH. \newline
-    Let's build a PPT adversary $\A$ which can solve $ElGamal$ in $QR_p$ with an advantage $\eta$. It works like this :
-    \begin{enumerate}
-        \item We send pk to $\A$ where pk = ($\mathbb{G}$, g, q, h = $g^x$).
-        \item $\A$ does q(n) queries to its oracle.
-        \item $\A$ is then doing the challenge : it outputs $m^*_0$, $m^*_1$ and send it to its $ElGamal$ oracle. 
-        \item The $ElGamal$ oracle picks a random $b \in \{0, 1\}$ and sends back $Enc_{pk}(m_b) = (c_1^b, c^b_2)$  to $\A$
-        \item $\A$ then outputs $b'$.
-    \end{enumerate}
-    We will use $\A$ to build a distinguisher $\D$ able to solve $DDH_{\D, \mathbb{G}}(n)$ : 
-    \begin{enumerate}
-        \item Run $\mathbb{G}$(n) to obtain ($\mathbb{G}$, q, g). 
-        \item We choose (x, y, z) $\xleftarrow{R} \mathbb{Z}^3_q$.
-        \item We set $h_1 = g^{x \cdot y}$, $h_0 = g^{z}$ and $b'' \leftarrow \{0, 1\}$. We forward then $((\mathbb{G}, q, g), (g^x, g^y, h_{b''}))$ to $\D$.
-        \item $\D$ will then build $pk  = (\mathbb{G}, q, g, g^x)$ and will forward $pk$ to $\A$.
-        \item $\A$ will then output its challenge queries $m^*_0$, $m^*_1$. $\D$ will pick $b \leftarrow \{0, 1\}$, and produce $c_b = (c_1^b, c^b_2) = (g^y, h_{b''} + m_b \text{ mod p})$. It will then forward $c_b$ to $\A$.
-        \item $\A$ will output $b'$.
-        \item $\D$ will output $ 1 \Leftrightarrow b = b'$.
-    \end{enumerate}
-    We analyse the chance of success to determine $Priv^{cpa}_{\A, ElGamal}$ : 
-    \begin{itemize}
-        \item if $b'' = 0$, then Pr[$\D$ outputs 1] = $\frac{1}{2}$.
-        \item if $b'' = 1$, then Pr[$\D$ outputs 1] = $\frac{1}{2}$ + $\eta(n)$.
-    \end{itemize}
-    It means that $\D$ will only has advantage $\eta(n)$ to solve DDH. But as it is assumed as hard, we can conclude that $\eta(n)$ is negligible. Therefore, $$Priv^{cpa}_{\A, ElGamal}(n) = \frac{1}{2} + negl(n) $$
-    By reduction, we just proved that this scheme is CPA-secure under DDH hardness assumption.
-\end{enumerate}
-\end{solution}
+	Note: in the following adversary descriptions, we skip the description of the unused phases of the security games.
+	\begin{enumerate}
+		\item Notice that there is a constraint on the size of $l+1$: $|l+1| \le \frac{n}{2} \implies l < 2^{n/2}-1$ and thus $|m|=n\cdot l < n\cdot (2^{n/2}-1)$.
+		This constraint doesn't play a role in the proofs however.
 
+		\begin{enumerate}
+			\item Obviously, for two messages of the same length $m$ and $m'$, we have that \[\forall 1 \le i \le l\colon c'_i = m'_i \oplus F_k(r||i) = (m_i\oplus m'_i) \oplus m_i \oplus F_k(r||i) = (m_i\oplus m'_i) \oplus c_i.\]
+			And,
+			\begin{align*}
+				c'_{l+1} &= F_k(r||l+1) \oplus (\oplus_{i=1}^l m'_i) = F_k(r||l+1) \oplus (\oplus_{i=1}^l m_i) \oplus \left((\oplus_{i=1}^l m_i) \oplus (\oplus_{i=1}^l m'_i)\right) \\
+				&= c_{l+1} \oplus \oplus_{i=1}^l (m_i\oplus m'_i).
+			\end{align*}
+			So, we can build a forgery as follows:
+			\begin{enumerate}
+				\item Ask to the oracle for the encryption of a message, say, $m=0_n$ ($n$ times the bit $0$) so that it consists of only one block, and receive the answer $(r, c)$.
+				\item Output $(r, c^*)$ with $c^* = c \oplus (0_n \oplus 1_n) = c \oplus 1_n = c \oplus m^*$, which is the encryption of message $m^*=1_n$.
+			\end{enumerate}
+			By construction, it is a forgery with probability 1. So, the scheme is not unforgeable.
 
-\subsection{Exercise 3 (A Variation of ElGamal in \texorpdfstring{$PKE$}{PKE})}
-\label{subsec:varia-elgamal-pke}
-Let consider ElGamal public encryption scheme with Encryption algorithm modified in the following way, where $\mathcal{M}=\{0,1\}$:
-\begin{itemize}
-	\item If $b=0$ then choose a uniform $y\in \mathbb{Z}_{q}$ set $c_1=g^y$, $c_2=h^y$, and the ciphertext is $(c_1,c_2)$.
-	\item If $b=1$ then choose independent uniform $y,z \in \mathbb{Z}_{q}$ set $c_1=g^y$, $c_2=g^z$, and the ciphertext is $(c_1,c_2)$.
-\end{itemize}
+			It is also possible to build a forgery by using a message such that $m_{l}=\oplus_{i=1}^{l-1} m_i$;
+			then, $c_{l+1}=F_k(r||l+1) \oplus 0^n$, while $c_l=F_k(r||(l-1)+1)\oplus \oplus_{i=1}^{l-1} m_i$,
+			and so we can send $(r, c^*)$ with $c^*=(c_1, c_2, \dots, c_{l})$: we drop the last $c_{l+1}$.
 
-\begin{enumerate}
-	\item How is it possible to decrypt correctly such ciphertexts with the private key?
-	\item Show that this scheme is CPA secure if DDH holds in $\mathbb{G}$. 
-\end{enumerate}
-\begin{solution}
-\begin{enumerate}
-    \item We can define $Dec_{x}(c_1, c_2)$ as : $\begin{cases}
-    1 \textsc{ if } c_2 \neq c_1^x \\
-    0 \textsc{ if } c_2 = c_1^x\\
-\end{cases}$ 
-
-    We observe that Pr[$Dec_{x}(c_1, c_2)$ = 0 $|$ $(c_1, c_2) \leftarrow Enc(0)$] = 1 because the decryption is always correct.
-    
-    On the other hand, we observe that Pr[$ Dec_{x}(c_1, c_2) \neq 1$ $|$ $(c_1, c_2) \leftarrow Enc(1)$] = Pr[$ z = xy $] = $\frac{1}{|\mathbb{G}|}$ is negligible, then we conclude that the decryption is correct
-    
-    \item Assuming the DDH problem is hard in $\mathbb{G}$. \newline
-    Assume it exists a PPT adversary $\mathcal{A}$ for $\Pi$, we build a distinguisher D able to break DDH with non negligible probability as follows :
-    \begin{enumerate}
-        \item Run $(\mathbb{G},g,q) \leftarrow \mathcal{G}(1^n)$\\
-        Define $n:=|q|$\\
-        Choose uniformly at random $(x,y,z) \leftarrow \mathbb{Z}^3_q$\\
-        Choose at random $b\leftarrow\{0,1\}$\\
-        Compute $h_1:=g^{xy}\;h_0:=g^z$ and send $(\mathbb{G},g,q,g^x,g^y,h_b)$ to $\mathcal{A}'$
-        
-        \item $D$ defines $pk = (\mathbb{G},g,q,g^x)$ and sends it to $\mathcal{A}$
-        \item $\mathcal{A}$ sends $(m_0,m_1) = (0,1)$ to $D$
-        \item $D$ sends $c=(g^y,h_b)$ to $\mathcal{A}$
-        \item \textcolor{red}{Olivier : Pas d'accord à partir de là. C'est la probabilité de l'output b' qui varie en fonction de $h_b$ autrement dit b", je mets ma proposition en dessous.} $\mathcal{A}$ outputs $b'$ 
-            \begin{itemize}
-                \item if $b'=0\Rightarrow h_b=g^{xy}$
-                \item if $b'=1\Rightarrow h_b=g^z$
-            \end{itemize}
-            $D$ outputs $b''=\Bar{b'}$
-        \item Define : $$\text{PubK}^\text{cpa}_{\mathcal{A},\Pi}(n) = 1 \Leftrightarrow b'\neq b$$ $$\text{DDH}_{\mathcal{A}',\mathcal{G}}(n) = 1 \Leftrightarrow b''=b$$
-    \end{enumerate}
-    If we run the experiment, we have :
-    \begin{align*}
-        \text{Pr}[\text{PubK}^\text{cpa}_{\mathcal{A},\Pi}(n) = 1] &= \frac{1}{2}+\epsilon(n)\\
-        &= \text{Pr}[b'\neq b]\\
-        &= \text{Pr}[b''=b]\\
-        &= \text{Pr}[\text{DDH}_{\mathcal{A}',\mathcal{G}}(n) = 1]
-    \end{align*}
-    If $\epsilon(n)$ is non negligible, $\mathcal{A}'$ is a PPT adversary that can break DDH with non negligible probability, which contradicts the assumption. Therefore $\mathcal{A}$ is CPA secure if DDH is hard in $\mathbb{G}$.
-\end{enumerate}
+			\item In a similar manner, we can build an adversary winning against the CCA game (adversary's viewpoint):
+			\begin{enumerate}
+				\item The challenger-oracle picks $k \define \Gen(1^n) \pick \bset^n$ uniformly at random.
+				\item Output the messages\footnote{We use the notation $m^0$ instead of $m_0$ to differenciate between a message and a message block.}
+				$m^0=0_n$ and $m^1=1_n$, and get the challenge ciphertext $(r, c)=\Enc_k(m_b)=(r, c_1, c_2)=(r, F_k(r||1)\oplus m_b, F_k(r||2)\oplus m_b)$.
+				\item Ask to the oracle the decryption of $(r, c^*)$ where $c^*=(c_1\oplus 0_{n-1}||1, c_2\oplus 0_{n-1}||1)$. We get its answer as $m^*$. This is of course not the same ciphertext as $c$.
+				\item If $m^*=0_{n-1}||1$, output $0$, else ($m^*=1_{n-1}||0$), output $1$.
+			\end{enumerate}
+			By construction, in building $c^*$ we have constructed the encryption of $m_b\oplus 0_{n-1}||1$, so we flipped the last bit of the encrypted message, allowing us to decrypt it.
+			So the probability $\Pr[\PrivKcca(n)=1]=1$, the adversary is PPT, and we have broken CCA security.
 
-\textcolor{red}{Solution} 
+			Could we also break CPA security? No (90\% sure), and we can proof it by reduction (distinguisher of $g$ between PRF $F_k$ and random function $f$, based on adversary $A_\Pi$ against $\Pi$).
+			Remark that, in the case that the ``PRF'' is a true random function, then each of the $g(r||i)$ are independent random values, and thus the $c_i$ are also independent random value, and so no relation can be found between them in a single message (the ciphertext is just purely random), and the only attack is to hope for a reused $r$.
 
-\begin{enumerate}
-    \item D outputs 1 $\Leftrightarrow b'=1$.
-    \item We observe : \newline
-    If $b=0 \Rightarrow Pr[D outputs 1]=\frac{1}{2}$ (as $g^z$ looks random in $\mathbb{G}$) \newline
-    If $b=1 \Rightarrow Pr[D outputs 1]=\frac{1}{2}+\eta(n)$.
-    \item We thus have D distinguishing between $g^z$ and $g^{xy}$ with advantage $\eta(n)$. As we assume that DDH holds in $\mathbb{G}$, $\eta(n)$ must be negligible and this scheme is CPA-secure.
-\end{enumerate}
+			Note that the fact that $c_{l+1}$ uses $F_k(r||l+1)$ and not $F_k(r||l)$ is important, because otherwise there would be a reuse of argument, and we can build an attack that even breaks eavesdropper security.
+		\end{enumerate}
+		\item \begin{enumerate}
+			\item $\Pi^1$ is not CCA-secure, and so is not an authenticated encryption scheme; our PPT adversary $\A$:
+			\begin{enumerate}
+				\item Key generation, as always.
+				\item Output $m_0=0_n$ and $m_1=1_n$.
+
+				Receive the challenge $c=(c_1, c_2)=(\Enc'_k(m_b), \Enc'_k(m_b\oplus 1_n))$.
+				\item Ask for the decryption of $c'=(c_2, c_1)\neq c$ and receive $m'$. Observe that
+				\begin{align*}
+					c' &= (\Enc'_k(m_b\oplus 1_n), \Enc'_k(m_b)) = (\Enc'_k(m_b\oplus 1_n), \Enc'_k((m_b\oplus 1_n)\oplus 1_n)) \\
+					&= \Enc^1_k(m_b\oplus 1_n) = \Enc^1_k(m_{1-b}).
+				\end{align*}
+				\item Output $0$ if $m'=m_1$, otherwise $1$ ($m'=m_0$).
+			\end{enumerate}
+			By construction, $\Pr[\PrivKcca[\A, \Pi^1](n)=1]=1$, which is a non-negligible advantage.
+
+			The scheme is also forgeable, in the same way: simply ask for encryption of $m_0$, receive $c$, then build $c'$ as above: this is a valid ciphertext.
+
+			\item $\Pi^2$ is forgeable, and so it not an authenticated encryption scheme; our PPT adversary $\A$:
+			\begin{enumerate}
+				\item Key generation, as usual.
+				\item Output a random ciphertext $c$.
+			\end{enumerate}
+			There are two cases:
+			\begin{itemize}
+				\item either $c$ is the encryption of some message $m$ by $\Enc'_k(\cdot)$, and so $\Dec^2_k(c)=m\oplus 1_n$, and thus it is a valid ciphertext;
+				\item or $c$ is not a valid ciphertext for $\Pi'$, in which case $\Dec'_k(c)=\bot$, and thus $\Dec_k(c)=1_n$, which means that $c$ is also a valid ciphertext for $\Pi^2$.
+			\end{itemize}
+			Thus, in both cases, this random $c$ is a valid ciphertext, and so $\Pr[\EncForge_{\A, \Pi^2}(n)=1]=1$: the scheme is forgeable.
 
+			The fact that, when $\Dec'_k(c)=\bot$, we return $1_n$ instead of a more correct $\bot$, allows us to break the unforgeability.
+
+			Is the scheme CCA-secure?
+			Other than this issue, $\Enc^2$ is the same as $\Enc$, and the only exploitable change in behaviour between $\Pi'$ and $\Pi^2$ is the fact that, on $\Pi'$ invalid encryptions, $\Pi^2$ returns $1_n$.
+			The only way an adversary could use this particularity would be if he asks for the decryption of an invalid ciphertext (generated at random by him, or by flipping a bit in a valid ciphertext), and he would always get the same $1_n$ answer, not very helpful.
+			So the scheme is CCA-secure, and we can further prove it by doing a proof by reduction.
+			% TODO do the proof by reduction; 95% sure it works
+		\end{enumerate}
+	\end{enumerate}
 \end{solution}
 
-\subsection{Exercise 4 (Authenticated Encryption)}
-Consider the following scheme $\Pi=(\Gen,\Enc,\Dec)$ based on the strong pseudorandom permutation $\F:\mathcal{K} \times \lbrace 0,1 \rbrace^n$, defined as follow:
+
+
+% OK
+% FIXME has been moved from TP5
+% Note : this is from TP5 2018-2019, but TP4 2019-2020.
+\subsection{Exercise 2 (Authenticated Encryption and sPRP)}
+
+Consider the following scheme $\Pi=(\Gen,\Enc,\Dec)$ based on the strong pseudorandom permutation $\F \colon \K \times \lbrace 0,1 \rbrace^n$, defined as follow:
 \begin{itemize}
-\item $\mathcal{M}=\lbrace 0,1\rbrace^{\frac{n}{2}}$ (the message space)
-\item $\Gen$ picks a random key $k \in \mathcal{K}$
-\item $\Enc_k(m)$ picks a random value $r \in \lbrace 0,1\rbrace^{\frac{n}{2}}$, and computes $c \leftarrow \F_k(m \| r)$
-\item $\Dec_k(c)$ computes $(m\|r)=\F^{-1}_k(c)$ and outputs $m$ (the first half).
+	\item $\M=\bset^{\frac{n}{2}}$ (the message space)
+	\item $\Gen$ picks a random key $k \in \K$
+	\item $\Enc_k(m)$ picks a random value $r \in \bset^{\frac{n}{2}}$, and computes $c \define \F_k(m \| r)$
+	\item $\Dec_k(c)$ computes $(m\|r)=\F^{-1}_k(c)$ and outputs $m$ (the first half).
 \end{itemize}
 Answers the following questions:
 \begin{itemize}
-\item is $\Pi$ unforgeable?
-\item is $\Pi$ CCA-secure? (\emph{To do at home})
-\item is $\Pi$ an authenticated encryption scheme? (\emph{To do at home})
+	\item is $\Pi$ unforgeable?
+	\item is $\Pi$ CCA-secure? (\emph{To do at home})
+	\item is $\Pi$ an authenticated encryption scheme? (\emph{To do at home})
 \end{itemize}
 
-
-
 \paragraph{Definition 1} \label{def: sprp} (\emph{Strong PseudoRandom Permutation})
 
-A function $\F:\mathcal{K} \times \mathcal{M} \longmapsto \mathcal{M}$ is a $(q,t,\varepsilon)$-\emph{ strong pseudorandom permutation} ($\sprp$) if for any $(q,t)$-bounded adversary, the advantage:
-$$ \mathsf{Adv}^{\sprp}_{\adv}:=
+A function $\F \colon \K \times \M \mapsto \M$ is a $(q,t,\negl)$-\emph{ strong pseudorandom permutation} ($\sprp$) if for any $(q,t)$-bounded adversary, the advantage:
+\[ \mathsf{Adv}^{\sprp}_{\adv}\define
 \left| \Pr\left[ \adv^{\F_k(\cdot),\F_k^{-1}(\cdot)}\Rightarrow 1 \right] -
-	\Pr\left[ \adv^{\f(\cdot,\cdot),\f^{-1}(\cdot,\cdot)}\Rightarrow 1 \right] \right| 
-\leq \varepsilon $$
-with $k$  and $\f$ picked uniformly at random from their domains, respectively $\mathcal{K}$ and the set of permutations $\mathcal{M} \rightarrow \mathcal{M}$.
+\Pr\left[ \adv^{\f(\cdot,\cdot),\f^{-1}(\cdot,\cdot)}\Rightarrow 1 \right] \right|
+\leq \negl \]
+with $k$  and $\f$ picked uniformly at random from their domains, respectively $\K$ and the set of permutations $\M \mapsto \M$.
+
+
 \begin{solution}
-\begin{enumerate}
-    \item It is not unforgeable because since $F_k$ is a PRP, it is bijective. 
-    \newline Then $\forall u \in \{0, 1\}, F_k^{-1}(u) = (u_1 || u_2)$ and $EncForge_{\A, \Pi} = 1$.
-    \item It is CCA-secure and we will prove it by assuming that the PRP F is strong. 
-    If we build the distinguisher $\D$ using the PPT adversary $\A$ capable of breaking the scheme $\Pi$ with advantage $\eta(n)$. At the start of the game, a random key k and a random bit b are picked by the oracle.
-    \begin{enumerate}
-        \item When $\A$ asks for the encryption of message $m_i$, $\D$ picks a random $r_i \leftarrow \{0, 1\}^{\frac{n}{2}}$ and queries its oracle on input ($m_i || r_i$) obtaining, if b=0 $c_i = f(m_i || r_i)$, else $c_i = F_k(m_i || r_i)$. 
-        $\D$ forwards $c_i$ to $\A$. This is repeated for each message $m_i$ issued for the first query phase.
-        \newline Also, when $\A$ asks for the decryption of ciphertext $c_i'$, $\D$ queries its oracle on input $c_i'$ obtaining, if b=0 $(m_i'||r_i') = f^{-1}(c_i')$, else $(m_i'||r_i') = F^{-1}_k(c_i')$, which $\D$ forwards to $\A$. This is repeated for each ciphertext $c_i'$ issued for the first query phase
-        \item When $\A$ does the challenge query on output $m^*_0$, $m^*_1$ with $|m^*_0| = |m^*_1|=\frac{n}{2}$ and $m^*_0 \neq m^*_1$,  $\D$ picks a random $r^* \leftarrow \{0, 1\}^{\frac{n}{2}}$ and a random $b'\leftarrow \{0, 1\}$. $\D$ queries then its oracle on input ($m^*_b || r^*$) obtaining, if b=0, $c^* = f(m^*_b || r^*)$, else $c^* = F_k(m^*_b || r^*)$.  $\D$ forwards $c^*$ to $\A$.
-        \item When $\A$ asks for the encryption of message $m_i$, $\D$ picks a random $r_i \leftarrow \{0, 1\}^{\frac{n}{2}}$ and queries its oracle on input ($m_i || r_i$) obtaining, if b=0 $c_i = f(m_i || r_i)$, else $c_i = F_k(m_i || r_i)$. 
-        $\D$ forwards $c_i$ to $\A$. This is repeated for each message $m_i$ issued for the second query phase.
-        \newline Also, when $\A$ asks for the decryption of ciphertext $c_i'$, $\D$ queries its oracle on input $c_i'$ obtaining, if b=0 $(m_i'||r_i') = f^{-1}(c_i')$, else $(m_i'||r_i') = F^{-1}_k(c_i')$, which $\D$ forwards to $\A$. This is repeated for each ciphertext $c_i' \neq c$ issued for the second query phase
-        \item At the end of the game, $\A$ outputs a bit b''. $\D$ outputs a bit $1 \Leftrightarrow b'' = b'$. 
-    \end{enumerate}
-    Now, Pr[$\D$] will depend on b : 
-    \begin{itemize}
-        \item if b = 0, Pr[$\D$ outputs 1] = $\frac{1}{2} + \frac{q(n)}{2^{\frac{n}{2}}}$ ($m||r$ found twice !)
-        \item if b = 1, Pr[$\D$ outputs 1] $\leq \frac{1}{2} + \eta(n)$
-    \end{itemize}
-    We can see that if $F_k(m)$ is replaced by a true random function $f(m)$, the scheme is CCA-secure (since $\frac{q(n)}{2^{\frac{n}{2}}}$ is negligible). 
-    
-    So now we check if the scheme is insecure, we can distinguish $F_k(m)$ from a true random function. $|Pr[\D^{F_k(\cdot),F_k^{-1}(\cdot)}(1^n)=1]-Pr[\D^{f(\cdot),f^{-1}(\cdot)}(1^n)=1]| \leq \eta(n) - \frac{q(n)}{2^{n/2}}$. Since $F_k(\cdot)$ is a strong PRP, then $\eta(n)$ is negligible and the scheme $\Pi$ is CCA-secure.
-    \item Since the scheme $\Pi$ is CCA-Secure but not unforgeable, then it is not an authenticated encryption
-\end{enumerate}
+	\begin{enumerate}
+		\item It is not unforgeable because since $F_k$ is a PRP, it is bijective (i.e., every image has a pre-image). Then
+		\[ \forall c \in \bset, \exists m, r \colon F_k^{-1}(c) = (m || r) \]
+		and $\Pr[\EncForge_{\A, \Pi}(n)=1] = 1$.
+
+		\item It is CCA-secure and we will prove it by reduction, assuming that the PRP $F$ is strong.
+		Thus, assume we have a PPT adversary $\A$ against the scheme $\Pi$ with advantage $\negl_\A(n)$. Then, we can build a PPT distinguisher $\D$ between a sPRP and a random function, which plays the sPRP game as follows:
+		\begin{enumerate}
+			\item The challenger-oracle picks $k \define \Gen(1^n) \in \K$, and $b \pick \bset$. If $b=0$, then the challenger uses a true random function $f$ for $g$, if $b=1$, the challenger uses the sPRP $F_k(\cdot)$ for $g$.
+			\item First query phase:
+
+			When $\A$ asks for the encryption of a message $m$, $\D$ picks $r \pick \bset^{\frac{n}{2}}$ uniformly at random and queries its oracle on input $m || r$ obtaining, $c = g(m || r)$. $\D$ then forwards $c$ to $\A$.
+
+			When $\A$ asks for the decryption of ciphertext $c$, $\D$ queries its oracle on input $c$ obtaining $m||r=g^{-1}(c)$, and $\D$ answers $m$ to $\A$.
+
+			\item When $\A$ does the challenge query and outputs $m^*_0$, $m^*_1$ with $|m^*_0| = |m^*_1|=\frac{n}{2}$ and $m^*_0 \neq m^*_1$,
+			$\D$ picks $r^* \pick \bset^{\frac{n}{2}}$ uniformly at random, and $b' \pick \bset$ uniformly at random too.
+			$\D$ queries then its oracle on input $m^*_{b'} || r^*$ obtaining $c^*=g(m^*_{b'}||r^*)$. $\D$ forwards $c^*$ to $\A$.
+
+			\item Second query phase, like the first one, except that $\A$ cannot ask for $\Dec_k(c^*)$.
+
+			\item At the end of the game, $\A$ outputs its guess $b''$. $\D$ outputs $1$ iff $b''=b'$, $0$ otherwise: did the adversary $\A$ guess our correct pick of $b'$?.
+		\end{enumerate}
+		Let's compute the probability of success for $\D$:
+		\begin{itemize}
+			\item If $b=0$, then $g=f$, a random function, and so, each ciphertext generated by $g$ and each decrypted message generated by $g^{-1}$ is a random number, independent of each other. In this condition, the best thing the adversary $\A$ can do is wait for a collision on $m||r$ and thus $\Pr[\D \text{ outputs } 1 | b=0]=\Pr[b''=b']=\Pr[\PrivKcca(n)=1]=\frac12 + \frac{q(n)}{2^{n/2}}$.
+			\item If $b=1$, then $g=F_k$, and $\A$ is in the right conditions (its interface is respected) to have the advantage $\negl_\A$: $\Pr[\D \text{ outputs } 1 | b=1]=\Pr[b''=b']=\Pr[\PrivKcca(n)=1]=\frac12 + \negl_\A$.
+		\end{itemize}
+		Thus, the difference between the probabilities is
+		\[ \negl_\D(n) = \abs{ \Pr[\D^{F_k(\cdot), F^{-1}_k(\cdot)}(1^n)=1] - \Pr[\D^{f(\cdot), f^{-1}(\cdot)}(1^n)=1] } = \abs{ \negl_\A(n) - \frac{q(n)}{2^{n/2}} } \]
+		As we assume that $\F$ is a strong PRP, that the whole construction above is PPT, then $\negl_\D(n)$ must be negligible, and thus the right-hand side must be negligible, and thus $\negl_\A$ must be negligible. The scheme is thus CCA-secure.
+
+		\item Since the scheme $\Pi$ is CCA-Secure but not unforgeable, it is not an authenticated encryption
+	\end{enumerate}
 \end{solution}
 
 
-\subsection{Exercise 5 (Authenticated Encryption)}
-Let $\Pi=(\Gen,\Enc,\Dec)$ be an authenticated encryption scheme where $ 0 \not \in \mathcal{C}$ (that is, the string $``0"$ is not a possible ciphertext for $\Pi$). Consider the following scheme $\Pi':=(\Gen',\Enc',\Dec')$ with:
 
+\subsection{Exercise 3 (Hash functions from\ldots hash functions)}
+
+Let $H_2\colon\bset^{2l}\mapsto\bset^{l}$ and $H_3\colon\bset^{3l}\mapsto\bset^{l}$ be
+collision resistant hash functions. For $2l$-bit strings $x_i$'s, consider the following two constructions.
 \begin{itemize}
-\item $\Gen'=\Gen$
-\item $\Enc'=\Enc$
-\item 	$ \forall k: \left\{ 	\begin{array}{l l}
-\Dec'(c)=\Dec(c) &\quad \text{ if } c \neq 0,\\
- 0 &\quad  \text{ if } c = 0. 
-\end{array} \right.   $ 
-%\item $\Dec'(c)=\Dec(c)$ if $c \neq 0$, if $c=0$ $c \neq 0 ~ \forall$ key $k$.
+	\item $H_4\colon\bset^{4l}\mapsto\bset^{l}$;
+	$x=x_1||x_2\rightarrow H_2\left(H_2(x_1)||H_2(x_1\oplus x_2)\right)$
+	\smallskip
+	\item $H_6\colon\bset^{6l}\mapsto\bset^{l}$;
+	$x=x_1||x_2||x_3\rightarrow H_3\left(H_2(x_1\oplus x_2)||H_2(x_2\oplus x_3)||H_2(x_3\oplus x_1)\right)$
 \end{itemize}
+Determine whether these hash functions are still collision resistant or not.
+
 
-\begin{enumerate}
-\item Is $\Pi'$ unforgeable?
-\item Is $\Pi'$ CCA secure?
-\end{enumerate}
 \begin{solution}
-    \begin{enumerate}
-        \item This is CCA-secure, since $\Pi$ is CCA-secure. (Insert proof here but it is 100\% sure it is CCA-secure).
-        \item This is not unforgeable. We can forge a new valid ciphertext if the PPT adversary $\A$ outputs 0, then this ciphertext will be considered as valid and Pr[EncForge$_{\A, \Pi'}$(n) = 1] = 1.
-    \end{enumerate}
+	\begin{itemize}
+		\item
+		Let's show that from a collision of $H_4$, we generate a collision for $H_2$
+		which prove that $H_4$ is collision resistant since $H_2$ is so.
+		Let's suppose that we have $x_1\|x_2 \neq y_1\|y_2$ are such that $H_4(x_1\|x_2) = H_4(y_1\|y_2)$.
+		\begin{itemize}
+			\item
+			If $H_2(x_1) \| H_2(x_1 \xor x_2) \neq H_2(y_1) \| H_2(y_1 \xor y_2)$,
+			we have a collision for $H_2$ since their image by $H_2$ is identical.
+			\item
+			If $H_2(x_1) \| H_2(x_1 \xor x_2) = H_2(y_1) \| H_2(y_1 \xor y_2)$,
+			we have $H_2(x_1) = H_2(y_1)$ \emph{and} $H_2(x_1 \xor x_2) = H_2(y_1 \xor y_2)$.
+			\begin{itemize}
+				\item If $x_1 \neq y_1$, we have a collision for $x_2$ since $H_2(x_1) = H_2(y_1)$.
+				\item If $x_1 = y_1$, then $x_2 \neq y_2$ since $x_1\|x_2 \neq y_1\|y_2$.
+				Therefore $x_1 \xor x_2 \neq y_1 \xor y_2$ and we have collision on $H_2$.
+			\end{itemize}
+		\end{itemize}
+		\item
+		$H_6$ is not collision resistant since $H_6(x_1\|x_2\|x_3) = H_6((x_1 \xor w)\|(x_2 \xor w)\|(x_3 \xor w))$
+		for all $w$ (collision if $w\neq 0^{2l}$).
+		Indeed, since $\xor$ is associative and commutative,
+		\begin{align*}
+		& = H_6((x_1 \xor w)\|(x_2 \xor w)\|(x_3 \xor w))\\
+		& = H_3(H_2((x_1 \xor w) \xor (x_2 \xor w))\|H_2((x_2 \xor w) \xor (x_3 \xor w))\|H_2((x_3 \xor w) \xor (x_1 \xor w)))\\
+		& = H_3(H_2(x_1 \xor (w \xor w) \xor x_2)\|H_2(x_2 \xor (w \xor w) \xor x_3)\|H_2(x_3 \xor (w \xor w) \xor x_1)))\\
+		& = H_3(H_2(x_1 \xor x_2)\|H_2(x_2 \xor x_3)\|H_2(x_3 \xor x_1)))\\
+		& = H_6(x_1\|x_2\|x_3).
+		\end{align*}
+	\end{itemize}
 \end{solution}
 
-\subsection{Exercise 6 (Commitment scheme)}
-\label{subsec:commit-scheme}
-Define the bit-commitment scheme $\langle \G, \Com, \Open \rangle$ with the following PPT 
-algorithms :
-\begin{itemize}
-\item $\Gen(1^n)$ sets $pk$ as $(\PRG,R)$, where
-  \begin{itemize}
-  \item $\PRG$ is a random generator $\lbrace 0,1 \rbrace^n \longmapsto \lbrace 0,1\rbrace^{3n}$
-  \item $R$ is a random $3n$-bit string
-  \end{itemize}
-\item $\Com_{pk}(b)$ with $b\in\{0,1\}$ provides $(c,d)$ where: 
-  \begin{itemize}
-  \item $Y$ is an $n$-bit string
-  \item  if $b=0$ $c=\PRG(Y)$
-  \item if $b=1$, $c=\PRG(Y) \oplus R$
-  \item $d=(b,Y)$
-  \end{itemize}
-\item $\Open_{pk}(c,d)$ outputs $b$ if it can recompute $c$ from $d$ and $pk$, or $\bot$ otherwise
-\end{itemize}
 
-\begin{enumerate}
-  \item Is this scheme perfectly hiding?
-	\item Is this scheme computationaly binding? 	
-	\item If the committer choose $R$ is the scheme secure?
-\end{enumerate}
+
+\subsection{Exercise 4 (Block-cipher based hash function)}
+
+Considering a block cipher
+$E\colon\K\times\M\mapsto\C$; $(k,m)\rightarrow E(k,m)=\Enc_k(m)$
+with $\K=\M=\C=\bset^l$, one may try to construct
+a collision resistant compression function from $\bset^{2l}$ to $\bset^{l}$.
+Show that the following methods do not work :
+\[ f_1(x,y)=E(y,x)\oplus y \quad\text{ and }\quad f_2(x,y)=E(x,x)\oplus y \]
+That is, show an efficient algorithm for constructing collisions for $f_1$ and $f_2$.
+Recall that the block cipher $E$ and the corresponding decryption algorithm $D$ are both
+known to you (and they are bijective functions).
+
 
 \begin{solution}
-\begin{enumerate}
-    \item To break the hiding property, an adversary would need to enumerate all possible outputs of G (requires $2^n$ steps) if $G(Y) \oplus R \notin \{x | \forall u : x = G(u)\}$. But this kind of event has a negligible chance of probability (Pr = $\frac{|G(Y)|}{|G(Y) \oplus R|} = \frac{2^n}{2^{3n}} = \frac{1}{2^{2n}} \in negl(n)$) so an adversary with an unbounded power of calculation can easily break the property of perfectly hiding.
-    \item It is computationally binding because : 
-    $$Pr[G(Y) = G(Y') \oplus R] = \frac{2^n\cdot2^n}{2^{3n}} = \frac{1}{2^n} \in negl(n)$$
-    Then we have Pr[Com$^{bind}_{\mathrm{A}, \Pi}$] $\leq \epsilon$, and the scheme is computationally secure. 
-    \item Not secure, because if $R = G(Y)$, then the opposite player can easily deduce the value of b. If c = 0, b = 1, else b = 0. 
-\end{enumerate}
-\end{solution}
\ No newline at end of file
+	We will give 2 collisions for $f_1$ and $f_2$.
+
+	We know that $E(k, \cdot)$ is surjective because it must be injective and $\M = \C$.
+	Therefore the decryption exists for all $c \in \C$! We will use it for the second collision of $f_1$.
+
+	For $f_1$, we have the 2 following collisions
+	\begin{align*}
+	f_1(D(E(y,x),y), E(y,x))
+	& = E(E(y,x), D(E(y,x), y)) \xor E(y,x)\\
+	& = y \xor E(y,x)\\
+	& = E(y,x) \xor y\\
+	& = f_1(x, y)\\
+	f_1(D(0, E(y,x) \xor y), 0)
+	& = E(0, D(0, E(y, x) \xor y)) \xor 0\\
+	& = E(y, x) \xor y\\
+	& = f_1(x, y).
+	\end{align*}
+	and for $f_2$ we have
+	\begin{align*}
+	f_2(x, E(x,x)) & = E(x,x) \xor E(x,x)\\
+	& = 0 & \forall x \in \{0,1\}^l\\
+	f_2(y, E(x,x)) & = E(y,y) \xor E(x,x)\\
+	& = E(x,x) \xor E(y,y)\\
+	& = f_2(x, E(y,y)).
+	\end{align*}
+
+	\textbf{Other approach:}
+
+	For $f_1$: Let's define $k_1$ and $k_2$ such that $k_2$ is equal to $k_1$ except for the last bit which is flipped. Let's now take an arbitrary $x_1$ for which we ask the encryption $T_{x_1} = E(k_1,x_1)$. Now let's flip the last bit of $T_{x_1}$ and call the result $T_{x_2}$. We can now ask for the decryption of $T_{x_2}$ given $k_2$ as input key, which we know exists since D is bijective and $\C = \bset^{l}$. We then obtain $x_2$. We can now observe that:
+	\begin{align*}
+	f_1(x_1, k_1) & = E(k_1,x_1) \xor k_1\\
+	& = T_{x_1}  \xor k_1\\
+	f_1(x_2, k_2) & = E(k_2,x_2) \xor k_2\\
+	& = T_{x_2} \xor k_2\\
+	& = (T_{x_1} \xor 0^{l-1}||1 )\:\xor\: (k_1 \xor 0^{l-1}||1)\\
+	& = T_{x_1}  \xor k_1
+	\end{align*}
+	For $f_2$: We can ask for $T_x = \:E(x,x)$ and $T_y = E(y,y)$ for two arbitrary (but different) $x$ and $y$.  We can see that:
+	\begin{align*}
+	f_2(y, T_x) & = E(y,y) \xor T_x\\
+	& = T_y  \xor T_x\\
+	f_2(x, T_y) & = E(x,x) \xor T_y\\
+	& = T_x \xor T_y
+	\end{align*}
+	Which are both equal with different input, this is a collision.
+\end{solution}
+
+
+
+% OK
+\subsection{Exercise 5 (Authenticated encryption, or not)}
+
+\copypaste{10}{1}
+
+
+
+\subsection{Exercise 6 (Variable-length MAC)}
+
+Considering a known hash function $h^s\colon\bset^{2l}\mapsto\bset^{l}$,
+let's note by $H^s$ the corresponding Merkle-Damg{\aa}rd transform hash function,
+\emph{i.e.}
+
+\begin{center}
+	\begin{tikzpicture}[scale=0.5]
+	\tikzstyle{every node}=[text centered, inner sep = 2pt]
+
+	\trapeze{$h^s$}{\position}
+	\draw [->] \position +(-3,0) node [left] {$IV$} -- +(-1,0);
+	\draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
+	\draw \position + (1,0) -- +(2,0) node {};
+	\renewcommand{\position}{(4,0)}
+	\renewcommand{\mylabel}{$x_2$}
+	\trapeze{$h^s$}{\position}
+	\draw [->] \position +(-2,0) node [below] {} -- +(-1,0);
+	\draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
+	\draw [->]\position + (1,0) -- +(2,0) node [right] {$\ldots$};
+	\renewcommand{\position}{(9.5,0)}
+	\renewcommand{\mylabel}{$x_n$}
+	\trapeze{$h^s$}{\position}
+	\draw [->] \position +(-2.2,0) node [below] {} -- +(-1,0);
+	\draw [<-] \position + (-1,1) -| ++(-2,3) node [above] {\mylabel};
+	\draw \position + (1,0) -- +(2,0) node {};
+	\renewcommand{\position}{(13.5,0)}
+	\renewcommand{\mylabel}{$\left|x\right|$}
+	\trapeze{$h^s$}{\position}
+	\draw [->] \position +(-2,0) node [below] {} -- +(-1,0);
+	\draw [<-] \position + (-1,1) -| ++(-2,2.95) node [above] {\mylabel};
+	\draw [->] \position + (1,0) -- +(2,0) node [right] {$H^s(x)$};
+	\end{tikzpicture}
+\end{center}
+%
+when $x=x_1||\cdots||x_n$ for some integer $n$ and when the $x_i$'s are
+$l$-bit strings.
+
+Show why, with a private key $k$ of length $l$, the MAC scheme
+\[t \define H^s(k||m),\]
+is \emph{not} existentially unforgeable under an adaptive chosen-message attack.
+
+
+\begin{solution}
+	If we have the tag of $p$, which is (let's consider that $k$ and $p$ are $l$ bits long for simplicity)
+	\[ t_p = H^s(k\|p) = h^s(h^s(h^s(IV \| k) \| p) \| 2l) \]
+	we can find the tag of $p\|2l\|w$ (where $w$ is $l$ bits long for simplicity)
+	without knowing $k$ since we know $h^s$ (it is public knowledge, only the secret $k$ is secret and requires an oracle).
+	It is
+	\begin{align*}
+		H^s(k\|p\|2l\|w)
+		& = h^s(h^s(h^s(h^s(h^s(IV \| k) \| p) \| 2l) \| w) \| 4l)\\
+		& = h^s(h^s(H^s(k \| p) \| w) \| 4l)\\
+		& = h^s(h^s(t_p \| w) \| 4l)
+	\end{align*}
+	Since $p\|2l\|w \neq p$, this gives us an existential forgery.
+\end{solution}
+
+
+
+% OK
+\subsection{Exercise 7 (Hash-MAC)}
+
+Suppose $H_0$ and $H_1$ are compression functions but only one is believed to be collision resistant.
+Besides, suppose $\textsc{Mac}_0$ and $\textsc{Mac}_1$ are message authentication codes but only one
+of the both schemes is known to be unforgeable. Is it possible to build a secure ''hash-MAC'' from these
+inputs? Justify your answer.
+
+%Homework 2 of Dan Boneh, Winter 2011, Problem 5 (DVD security)
+\begin{solution}
+	We build $H(m) = H_0(m)\|H_1(m)$.
+	If we have $m_1 \neq m_2$ such that $H(m_1) = H(m_2)$ then $H_0(m_1) = H_0(m_2)$ and
+	$H_1(m_1) = H_1(m_2)$ so the collision resistant hash function has a collision whichever it is.
+	However, $H$ is no more a compression function and we cannot use Merkle-Damg\aa{}rd.
+
+	The fact that we don't know the compressive factor also prevents us from building (simply) Merkle-Damg\aa{}rd or sponge constructions based on each of the functions.
+
+	The input of $H$ therefore cannot have arbitrary length but its output is twice the length of the output of $H_0$ and $H_1$ so it is twice the size of a tag.
+
+	The output of $\Mac_0$ and $\Mac_1$ are the size of a tag so we can use the tag
+	$H(\Mac_0(k,m)\|\Mac_1(k,m))$ for our Hash-MAC scheme.
+	If we are able to output an existential forgery $(m, t)$, since $H$ is collision resistant, that means that we have found $\Mac_0(k,m)\|\Mac_1(k,m)$ and therefore we have found an existential forgery for both $\Mac_0$ \emph{and} $\Mac_1$ which is absurd since one of them is believed to be unforgeable.
+
+	Our Hash-MAC scheme is therefore unforgeable.
+\end{solution}
+
+
+
+\subsection{Exercise 8 (Blue-ray security)}
+
+\copypaste{3}{7}
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp5.tex b/src/q7/crypto-MAT2450/exercises/tp/tp5.tex
index 9ca40fcc04333328737ea9727e5ccf00b9e58920..1d9bfa3ff7cdb5c7456feb138bf84519521a4af0 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp5.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp5.tex
@@ -1,229 +1,138 @@
-
 \section{}
-\subsection{Exercise 0 (A variation of ElGamal in \texorpdfstring{$PKE$}{PKE})}
-\copypaste{4}{4}
-
-\subsection{Exercise 1 (Commitment scheme)}
-\copypaste{4}{7}
-
-\subsection{Exercise 2}
-By design secure public-key encryption schemes are perfectly binding commitment schemes (which are also computationally hiding, why?). 
-Then, if perfect hiding property is not a concern, do commitment schemes really consist of a new usefull cryptographic building block? 
-This exercise aims to build a perfectly hiding commitment scheme which supports a \emph{batching} property that encryption schemes
-cannot achieve. \medskip \\
-Let $p$ be a prime and let $g \in QR(p)$ be an element of prime order $q>2^l$. 
-We let $G$ denote the group generated by $g$ and we let $I$ denote the set of integers $\{1,\dots, q\}$. 
-Fix $n$ random values $g_1,\dots, g_n \in G$ and define the commitment function $\Com : I^n \rightarrow G$ by 
-$$\Com(x_1,\dots, x_n\,; r) = g^r g_1^{x_1}g_2^{x_2}\cdots g_n^{x_n}$$
-\begin{enumerate}
-  \item Describe formally the commitment scheme. Discuss its efficiency and its correctness.
-	\item Show that the scheme is computationally binding assuming that DLog is intractable in $G$. 
-	      That is, show that an adversary computing two openings of a commitment $c$ for random 
-				$g,g_1,\dots, g_n \in G$ can be used to compute discrete-log in $G$.\\
-				\emph{Hint:} given a pair $g, h \in G$ your goal is to find an $\alpha \in \mathbb{Z}_q$ such that $g^\alpha = h \mod p$. 
-				             Choose $g_1,\dots, g_n \in G$ so that two valid openings will reveal $\alpha$.
-	\item Show that the scheme results in a perfectly hiding commitment on several messages. Compare the size of the construction
-	      with respect to an encryption (viewed as a commitment) of all these messages.
-\end{enumerate}
 
+The TP5 of 2019-2020 reviewed the basics of number theory and group theory for this course. As they are not really useful for the exam and are fairly trivial (once the basics are know, that is), they are skipped in this document.
 
-\begin{solution}
-  \begin{enumerate}
-    \item
-      We define $\langle \Gen, \Com, \Open \rangle$ as:
-      \begin{itemize}
-        \item $\Gen(1^n, 1^l)$ sets $pk$ as $(p,q,g)$ where $q > 2^l$ ang $g$ has order $q$ modulo $p$ (since $\phi(p)$ is even, that means that $g \in QR(p)$).
-        \item $\Com_{pk}(x_1, \ldots, x_n)$ provides $(c,d)$ where:
-          \begin{itemize}
-            \item $c := g^r g_1^{x_1} g_2^{x_2} \cdots g_n^{x_n}$ (for a random $r \in \mathrm{Z}_q$)
-            \item $d := r,x_1,...,x_n$
-          \end{itemize}
-        \item $\Open_{pk}(c,d)$ outputs $x_1, \ldots, x_n$ if it can recompute $c$ from $d$ and $pk$,
-          or $\perp$ otherwise.
-      \end{itemize}
-      We can see that there are different possible $x_1, \ldots, x_n$ that are valid.
-      If we fix $x_2, \ldots, x_n$,
-      there is an $x_1$ such that $g_1^{x_1} = c / (g^r g_2^{x_2} \cdots g_n^{x_n})$
-      so there is $q^n$ possible opening.
-      However, it is not easy to find for a PPT algorithm.
-
-      I should maybe have defined $d := (r, x_1, \ldots, x_n)$ because here it is weird because $\Open$ can have different outputs.
-    \item %\textcolor{red}{Olivier : pas trop d'accord avec ce qu'ils disent.}
-    
-      For a random $\alpha$, we need to find it from $g^\alpha$.
-
-      Pick a random $i^*$ and set $g_{i^*} = g^\alpha$ and for $i \neq i^*$, random $\alpha_i$ and $g_i = g^{\alpha_i}$.
-      From $g^rg_1^{x_1} \cdots g_n^{x_n} = g^{r'}g_1^{x_1'} \cdots g_n^{x_n'}$ we get
-      \[ r + \alpha_1 x_1 + \cdots + \alpha_n x_n \equiv r' + \alpha_1 x_1' + \cdots + \alpha_n x_n' \pmod{q} \]
-      so we get
-      \[ (x_{i^*} - x_{i^*}') \alpha \equiv r' - r + \sum_{i \neq i^*}^n (x_i' - x_i) \alpha_i \pmod{q} \]
-      We know that at least one $x_i \neq x_i'$ so we have at least one chance out of $q$ that $x_{i^*} \not\equiv x_{i^*}' \pmod{q}$.
-      If this is the case, we can find the inverse of $(x_{i^*} - x_{i^*}')$ and solve the $\DLog$ problem.
-    \item
-      As r is randomly selected in $\mathrm{Z}_q$ and g generates G, $g^rg_1^{x_1}...g_n^{x_n}$ could be any element of G, whatever the values of ($g_1,...,g_n$) and ($x_1,...,x_n$) so the commitment looks random and is thus perfectly hiding.
-
-      The size is $n$ times smaller.
-  \end{enumerate}
-\end{solution}
+Below are the exercises of last year pertaining to groups and number theory.
+
+
+
+\subsection{Exercise 0 (Group order)}
+
+\copypaste{3}{5}
 
-\subsection{Exercise 3 (Zero knowledge Petersen)}
-The Schnorr protocol, used to prove the knowledge of discrete
-logarithm, is (honest-verifier) zero-knowledge. However, the value
-$y=g^x \pmod{p}$ (for a safe prime $p=2q+1$) leaks some information
-about the discrete logarithm $x$ (since for a given generator $g$ of
-order $q$ there is exactly one such $x$ in $\mathbb{Z}_q$). On the
-other hand, the Pedersen commitment is perfectly hiding and thus does
-not reveal information about the committed value. The following
-protocol attempts to merge the both properties i.e., to prove the
-knowledge of a commited value under the Pedersen commitment scheme in
-a zero-knowledge manner.
-\\
-\indent \emph{The protocol.} The public inputs of the proof are the prime $p$,
-the Pedersen public key $(g, h)$, a security parameter $k$ and a
-(hypothetic) commitment $c\in QR(p)$. The prover's private intputs are
-$x$ and $r$ in $\mathbb{Z}_q$ s.t. $c=g^xh^r$ (mod $p$). The protocol executes as follows. 
+
+
+\subsection{Exercise 3 (Euclidean algorithm for gcd)}
+
+Let $a,b \in \mathbb{Z}$ , $b \neq 0$, consider the following algorithm, presented in Algorithm~\ref{algo:gcd}. ($r=a \% b$ means that $a=qb+r$ where $q$ is the quotient and $r$ is the remainder).
+
+Prove that $x$, the value returned by Algorithm~\ref{algo:gcd}, is $\mathsf{gcd} (a,b)$.
+
+Hint:
 \begin{itemize}
-	\item The prover randomly chooses $y,s \in_R \mathbb{Z}_q$ and sends $d=g^yh^s  \pmod{p}$ to the verifier.
-	\item The verifier randomly chooses $e\in_R \{0,1\}^k$ and sends it to the prover.
-	\item The prover computes $z=y-ex$ and  $t=s-er$ modulo $q$ and sends it to the verifier.
-	\item The verifier accepts the proof iff $d = c^e g^zh^t
-          \pmod{p}$.
+	\item Prove that $x$ divides  $ \mathsf{gcd} (a,b)$
+	\item Prove that $ \mathsf{gcd} (a,b)$ divides $x$
 \end{itemize}
-If the verifier accepts the proof, we say that the conversation $\langle d,e,(z,t) \rangle$ is valid.
-%
-\begin{enumerate}
-	\item Prove the correctness property of this construction.
-	\item Assume you are able to ``rewind'' an adversarial prover
-          who tries to build a valid conversation. How can you use
-          this faculty to extract an opening of $c$. Which property
-          did you break ? Briefly discuss the soundness property of
-          the protocol.
-
-          	\item Show how a valid conversation $\langle
-          d,e,(z,t) \rangle$ can be simulated from $c$, without the use of any
-          private inputs. (Assume that the valid conversation involves
-          honest parties.)
-	\item Generalize the process to prove the knowledge of an opening to 
-	        a multi-Pedersen commitment as in exercise 2.
-\end{enumerate}
+
+\begin{algorithm}
+	\KwIn{$a$, $b$}
+	\KwOut{$\mathsf{gcd}(a,b)$}
+
+	\While{ $b\neq 0$}
+	{
+		$r \leftarrow a\%b$\;
+
+		$a \leftarrow b$\;
+
+		$b \leftarrow r$\;
+	}
+	\Return($a$)
+
+	\caption{The Euclidean $\mathsf{gcd}$ algorithm.}\label{algo:gcd}
+\end{algorithm}
+
 
 \begin{solution}
-  \begin{enumerate}
-      \item The conversation is correct if Pr[$d \neq c^eg^zh^t$] $\leq \epsilon(n)$. Let's evaluate this probability : 
-      $$Pr[d \neq c^eg^zh^t] = Pr[g^yh^s \neq g^{xe+z}h^{re+t}]  = Pr[g^yh^s \neq g^{xe+z}h^{re+t}] = 0$$
-      Then our construction is correct.
-      \item When we get the conversation (d, e, (z,t)), we can "rewind" the conversation to submit another e' and get new z' and t'. Therefore we can obtain the private key (x,r) by doing those calculations :
-      $$\begin{cases} z = y - ex \\ z' = y - e'x \end{cases} \Rightarrow x = \frac{z-z'}{e'-e}
-      $$
-      $$\begin{cases} t = s - er \\ t' = s - e'r \end{cases} \Rightarrow r = \frac{t-t'}{e'-e}
-      $$
-      We broke the zero-knowledge property since the verifier can extract the private key using such power. \newline
-      According to the assistants, since it is not zero-knowledge, there is no point of discussing the soundness property.
-      \item It is easy to show, with honest parties, how we can simulate from $c$ a new valid conversation : 
-      \begin{enumerate}
-          \item We pick e 
-          \item We pick z and t
-          \item We evaluate d as : $d = c^ez^zh^t$
-      \end{enumerate}
-      \item To generalize the process, we have : 
-      \begin{itemize}
-          \item pk = $g^x_1$, ..., $g^x_n$, h
-          \item sk = $x_1$, ..., $x_n$, r
-          \item c = $g^x_1 \cdot ... \cdot g^x_n \cdot h^r$
-      \end{itemize}
-  \end{enumerate}
+	According to the algorithm, we will have as successive value for the different remainder:
+	\[(r_2 = r_0 \% r_1, r_3 = r_1 \% r_2, \ r_4 = r_2 \% r_3, \ ... \ , r_n =  r_{n-2} \% r_{n-1})\]
+	Where $r_0 = a$, $r_1 = b$ and $r_n$ is the last non null remainder. Then we have the property that :
+	\[ gcd(r_{i}, r_{i+1}) = gcd(r_{i+1}, r_{i+2}) \ \forall i : \ 0 \leq i \leq n - 2 \]
+	Otherwise if it was not the case, $\exists i < n $ such that $r_i = 0$. But as $r_n$ is the last non null remainder, we prove by contradiction this property.
+
+	As $gcd(r_{n-1}, r_n) = r_n $ because $r_n | r_{n-1}$ (since $r_{n+1} = r_{n-1} \% r_n = 0$), we can conclude that
+	\[ gcd(r_0, r_1) = gcd(a, b) = gcd(r_{n-2}, r_{n-1}) = r_n\]
+	We have proved the value returned by the algorithm is the $gcd(a,b)$
 \end{solution}
 
+
+
 \subsection{Exercise 4}
-\label{subsec:4b.4}
-Let $f$ be a one-way permutation on $\{0,\,1\}^\lambda$. 
-Consider the following signature scheme for messages in the set 
-$\{1,\ldots,\,n\}$, where $n\in\mathsf{poly}(\lambda)$: \vspace{3mm}
 
+Consider the group $\mathbb{Z}^{\ast}_{17}$.
 \begin{enumerate}
-	\item[\textbullet] To generate keys, choose $x\leftarrow \{0,\,1\}^\lambda$ at random
-	      and set $y:=f^n(x)$. The public key is $y$ and the private key is $x$.
-	\item[\textbullet] To sign message $i\in\{1,\ldots,\,n\}$, output $f^{n-i}(x)$
-	      (where $f^0(x)\stackrel{\mbox{\small def}}{=}x$).
-	\item[\textbullet] To verify signature $\sigma$ on message $i$ with respect to
-	      public key $y$, check whether $y\stackrel{?}{=}f^i(\sigma)$. 
+	\item Compute $5^{-1}$.
+	\item Compute $3^2$, $3^3$ and $3^4$.
+	\item Does $3$ generate the group?
+	\item Find $\log_{7}(11)$.
 \end{enumerate}
 
-\begin{enumerate}
-	\item Show that the above is not a one-time signature scheme. Given
-	      a signature on a message $i$, for what messages $j$ can an 
-	      adversary output a forgery?
-	\item Prove that no \texttt{PPT} adversary given a signature on $i$
-	      can output a forgery on any message $j>i$ except with negligible
-	      probability.
-	\item Suggest how to modify the scheme so as to obtain a one-time 
-	      signature scheme. \\
-	      \emph{Hint: include two values $y,\,y'$ in the public key.}
-\end{enumerate}
+
 \begin{solution}
-  \begin{enumerate}
-    \item
-      A has $(i, \sigma(i))$ with $\sigma (i) = f^{n-i} (x)$. We know (because $f$ is a permutation function) that:
-      $$f(\sigma(i)) = f^{n-i+1}(x) = f^{n-(i-1)}(x) = \sigma(i-1)$$
-      Then it's possible to compute a valid forgery for every $j < i$. The scheme is then not a one time-signature.
-    \item
-      Need schema drawn at TP !! It's a lot simpler with it...
-
-      $\Pr[Success (\A_\sigma)] = \epsilon(\lambda)$, $\Pr[Abort] = \frac{n-k}{n}$, $\Pr[Success] = \frac{n-k}{n-m-1}$ then:
-      $$ \Pr[Success(\A_{owf})] = \epsilon(\lambda) \frac{n-k}{n} \frac{n-k}{n-m-1}$$
-
-      If $\epsilon(\lambda)$ is not negligible, then the probability of success is not negligible.
-    \item
-      We have $s_k = (x, x')$, $p_k = (f^n(x), f^n(x'))$.
-      Then $m \rightarrow \sigma = (f^{n-m}(x), f^m(x'))$.
-
-  \end{enumerate}
+	Here because p is not too big, it is possible to evaluate "quickly" and "intuitively" the solutions. If it is too hard, there is an algorithm in the slides.
+	\begin{enumerate}
+		\item Because 35 mod 17 = 1, and $5 \cdot 7 = 35$. \newline Then $5^{-1} = 7$.  ($5 \cdot 7 = 1 \text{ (mod 17)}$)
+		\item \begin{itemize}
+			\item $3^2 = 9 \text{ (mod 17)}$
+			\item $3^3 = 3^2 \cdot 3 = 27 \text{ (mod 17)} = 10 \text{ (mod 17)}$
+			\item $3^3 = 3^3 \cdot 3 = 30 \text{ (mod 17)} = 13 \text{ (mod 17)}$
+		\end{itemize}
+		\item According to \textit{Fermat's little theorem}, if ord(g) = i then if $i|m = |G|$, where G is the commutative group. To see if 3 generate the group, we have to check if $3^i \neq 1$ where $i$ are the divisor of $(p-1) = 16$ (except 16 of course !).
+		\begin{itemize}
+			\item $3^1$ = 3 mod 17 (trivial)
+			\item $3^2$ = 9 mod 17 (evaluated previously)
+			\item $3^4$ = 13 mod 17 (evaluated previously)
+			\item $3^8$ = $(3^4)^2$ = $(13)^2 \text{ (mod 17)}$ = $(-4)^2 \text{ (mod 17)}$ = 16 mod 17
+		\end{itemize}
+		We can see that 3 is a generator of the group.
+
+		\textbf{P.S.} : The trick here is to remember the property of the modulo operation here in a $Z^*_p$:
+		\[ x = -(p - x) \text{ (mod p)} \]
+		It can make a lot of computing easier (it can become a real pain in the ass).
+		\item Here we have to find x such that:
+		\[ 7^x = 11 \text{ (mod 17)} \]
+		After (boring) computations, we have here :
+		\begin{itemize}
+			\item $7^1$ = 7 mod 17
+			\item $7^2$ = 15 mod 17 = -2 mod 17
+			\item $7^3$ = -14 mod 17 = 3 mod 17
+			\item $7^4$ = 4 mod 17
+			\item $7^5$ = 11 mod 17 (Bingo)
+		\end{itemize}
+		Then $log_7(11)$ = 5
+	\end{enumerate}
 \end{solution}
 
 
-\subsection{Exercise 5 (Jan 2011 evaluation)}
-\label{subsec:4b.5}
-Consider the following one-time signature scheme $\Pi:=\langle \Gen,
-\mathsf{Sign}, \Vrfy\rangle$, parameterized by a PPT function $f: \{0,1\}^*
-\rightarrow \{0,1\}^*$.
-\begin{itemize}
-\item $\Gen$: on input $1^n$, select $(x_0,x_1) \leftarrow
-  \{0,1\}^n\times \{0,1\}^n$ uniformly at random, compute $(y_0,y_1) :=
-  (f(x_0),f(x_1))$ and output the pair $(pk,sk):=
-  ((y_0,y_1),(x_0,x_1))$.
-\item $\mathsf{Sign}$: the signature $\sigma$ of the bit $m$ is $x_m$.
-\item $\Vrfy$: on input $(m,\sigma)$, output 1 iff $y_m = f(\sigma)$.
-\end{itemize}
 
-Show that if $\Pi$ is existentially unforgeable under a single-message
-attack, then $f$ is a one-way function.
+\subsection{Exercise 5 (Group order)}
+
+In this exercise we consider the group $\Z_{59}^*$.
+
+\begin{enumerate}
+	\item What is the order of $58$?
+	\item What are the possible orders of an element of this group?
+	\item Find an element of order more than $20$.
+\end{enumerate}
+
+
 \begin{solution}
-  Two solution have been proposed. (Actually they are the same but with a different explanation)
-  \begin{itemize}
-    \item
-      Let's show that if $f$ is not one way, then $\Pi$ is not existentially unforgeable.
-      Let $\A$ be the inverter of $f$, we will build $\A'$ that builds an existential forgery with non-negligible probability.
-
-      \begin{itemize}
-        \item $\A'$ receives $pk = (y_0, y_1)$
-        \item $\A'$ ask the signature of 0 and gets $\sigma$, he does not really care about it
-        \item $\A'$ gives $y_0$ (or $y_1$) to $\A$ which outputs $x_0$ (or $x_1$) with non-negligible probability.
-        \item $\A'$ outputs $(0,x_0)$ (or $(1, x_1)$)
-      \end{itemize}
-      Since $y_1$ is the image of a random $x_1$, we are exactly in the inverting experiment so $f(x_1') = y_1$
-      with probability $\Pr[\Invert_{\A,f}(n) = 1]$.
-
-      We know that
-      \[
-        \Pr[\Sigforgeone_{\A',\Pi}(n) = 1] = \Pr[\Invert_{\A,f}(n) = 1]
-      \]
-    \item
-      Let assume that $f$ is not one way function $y = f(x)$.
-      Then, we can recover $x$ with a non negligible probability $\epsilon_x (n)$.
-
-      So, $(y_0, y_1) \Rightarrow (x_0, x_1)$ with probabilities $(\epsilon_{x_0} (n), \epsilon_{x_1} (n))$.
-      We cannot compute a pre-image by asking the oracle. So I output $(0, x_0)$ and $(1, x_1)$ as a forgery.
-
-      The probability $\Pr[\Sigforge_{\A,\Pi}(n)=1]= \Pr[f^{-1}(\cdot)_{Inv,f(\cdot)}(n)=1] \leq \epsilon(n)$. As $\Pi$ is supposed to be existentially unforgeable under a single-message attack, then $\epsilon(n)$ is negligible and this implies that f is a one-way function.
-  \end{itemize}
-\end{solution}
\ No newline at end of file
+	The order of $g \in \Z^*_{59}$ is the smallest $i$ where $g^i = 1$
+	\begin{enumerate}
+		\item ord(58) = 2 because:
+		\begin{itemize}
+			\item  $58^1$ = 58 mod 59 = -1 mod 59
+			\item  $58^2$ = -58 mod 59 = 1 mod 59
+		\end{itemize}
+		\item According to \textit{Fermat's little theorem}, the possible orders of a group $\mathbb{Z}^*_{p}$ are the divisor of p-1. Then, the possible orders are:
+		\begin{itemize}
+			\item 1
+			\item 2
+			\item 29
+			\item 58
+		\end{itemize}
+		\item The best strategy here is to find a number g where
+		\[ ord(g) > 2 \]
+		(To assure you this is correct, just look at the possible ordrers).  \newline
+		2 is a correct candidate.
+	\end{enumerate}
+\end{solution}
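Review bot: The justification given for $\gcd(r_i, r_{i+1}) = \gcd(r_{i+1}, r_{i+2})$ in the new Exercise 3 solution does not prove the claim: the sentence `Otherwise if it was not the case, $\exists i < n $ such that $r_i = 0$` is a non sequitur, and the two-way divisibility argument the exercise's own hint asks for is missing. Since $r_{i+2} = r_i - q_i r_{i+1}$, every common divisor of $r_i$ and $r_{i+1}$ divides $r_{i+2}$ and every common divisor of $r_{i+1}$ and $r_{i+2}$ divides $r_i$, so I would replace that sentence with `This holds since $r_{i+2} = r_i - q_i r_{i+1}$: any common divisor of $r_i$ and $r_{i+1}$ divides $r_{i+2}$, and any common divisor of $r_{i+1}$ and $r_{i+2}$ divides $r_i$, so both pairs share the same common divisors.` The same solution should use the upright amsmath operator `\gcd` instead of italic `gcd` in math mode, and likewise `\log_7` at the end of Exercise 4 and `\operatorname{ord}` in Exercise 5. In the Exercise 4 list of powers of 3, the third bullet is labelled `$3^3 = 3^3 \cdot 3 = 30 \text{ (mod 17)} = 13 \text{ (mod 17)}$` but computes $3^4$, so its left-hand side should read `$3^4`. Exercises 4 and 5 both attribute the fact that an element's order divides $|G|$ to Fermat's little theorem; the statement for a general finite group is Lagrange's theorem, of which Fermat's little theorem is the corollary for $\mathbb{Z}_p^*$.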
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp6.tex b/src/q7/crypto-MAT2450/exercises/tp/tp6.tex
index 06666f5ac793a4b534943d862b9d8d05886769e5..91fd64582d8ab36bcd8d64a399f2d2f19c3cc072 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp6.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp6.tex
@@ -1,125 +1,324 @@
+
 \section{}
-\subsection{Exercise 0}
-Same as exercise \ref{subsec:4b.4}
-\copypaste{5}{4}
-
-\subsection{Exercise 1}
-Same as exercise \ref{subsec:4b.5}
-\copypaste{5}{5}
-
-\subsection{Exercise 2 (Jan 2011 evaluation)}
-The Digital Signature Standard (DSS, also often called DSA) is one of
-the most commonly used signature algorithms. Its three algorithms
-$\Gen$, $\mathsf{Sign}$ and $\Vrfy$ work as follows.
+
+\subsection{Exercise 1 (ElGamal Public Key Encryption and CCA Security)}
+
+\begin{enumerate}
+	\item Write the security definition of CCA security for a public key encryption scheme.
+	\item Let $(c_1,c_2)$ and $(c_1',c_2')$ be two ElGamal ciphertexts, of plaintext $m$ and $m'$ respectively. Can $(c_1 c_1',c_2 c_2')$ be a ciphertext relatively to this scheme?
+	\item From $(c_1,c_2)$ a ciphertext of $m$, can you build another ciphertext valid for $m$ (remember that the public key is $(\mathbb{G},g,q,h=g^x)$)? If yes, what is its decryption?
+	\item Show that ElGamal Public Key Encryption is not CCA secure.
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item
+		Given  $\Pi \define \langle \Gen, \Enc, \Dec\rangle$, and adversary $\A$, define the following experiment $\PubK^\mathsf{cca}_{\A, \Pi}$:
+		\begin{enumerate}
+			\item $\Gen$ probabilistically selects $(pk, sk) \pick \Gen(1^n)$. $pk$ / $sk$ are the public/private key.
+			\item $\A$ is given oracle access to $\Dec_{sk}(\cdot)$.
+			\item $\A$ outputs $m_0, m_1$ of same length.
+			\item Choose $b \pick \bset$, and send $c \define \Enc_{pk}(m_b)$ to $\A$.
+			\item $\A$ is again given access to $\Dec_{sk}(\cdot)$ but he cannot ask $\Dec_{sk}(c)$.
+			\item $\A$ outputs $b'$.
+			\item Define $\PubK^\mathsf{cca}_{\A, \Pi}(n) \define 1$ iff $b=b'$
+		\end{enumerate}
+		$\Pi \define \langle \Gen, \Enc, \Dec \rangle$ is CCA-secure for a public key encryption scheme if $\forall$ PPT $\A, \exists \negl$:
+		\[ \Pr[\PubK^\mathsf{cca}_{\A, \Pi}(n)=1] \leq \frac{1}{2} + \negl(n) \]
+
+		\item $(c_1c_1', c_2c_2')$ is a valid ciphertext for the message $m \cdot m'$.
+		Indeed, $\Enc_{pk}(m\cdot m')=(g^{y''}, m\cdot m' \cdot h^{y''})$. If we set $y''=y+y'$, then $=(g^y \cdot g^{y'}, m \cdot h^y \cdot m' \cdot h^{y'})=(c_1 c_1', c_2 c_2')$.
+		This is what we call an homomorphic encryption scheme: some operations on the ciphertexts have analogous operations on the encrypted plaintexts.
+
+		\item Yes. We have that $m = m \cdot 1$.
+		To encrypt message $1$, simply do $\Enc_{pk}(1)=(c_1', c_2')=(g^{y'}, 1\cdot h^{y'})$ for some $y'$ chosen randomly (do-able since this is a public encryption scheme), so that $c_1'\neq 1$ (simply don't take $0$ as exponent).
+		Then, by using the property proven before, we have that $(c_1^*, c_2^*)=(c_1c_1', c_2c_2')$ is a valid ciphertext for message $m$ too.
+
+		\item Now, we are able to see why ElGamal does not hold CCA-security with the 2 properties found.
+
+		If the adversary $A$, after received $c \define (c_1, c_2)$, compute $\Enc_{pk}(1) \define (c_1', c_2')$ and make the following oracle access $\Dec_{sk}(c_1c_1',c_2c_2') \define m_x$, he will now be able to (really) easily determine b from $m_x$. Then we can say that:
+		\[ \Pr[\PubK^\mathsf{cca}_{\A, \text{ElGamal}}(n)] = 1 \]
+		Which means ElGamal does not have CCA-security with public key encryption.
+
+		\textbf{Other solution:}
+		We build an attacker A as follows :
+		\begin{enumerate}
+			\item A outputs $m_0, m_1 \in M$.
+			\item A receives $(c_1,c_2)=\Enc_{pk}(m_b)=(g^y,m_b \cdot g^{xy})$
+			\item A queries the decryption of the transformed ciphertext $(c_1 \cdot g^{y'},c_2 \cdot h^{y'})$ for some arbitrary chosen y' from $\Z_q$, and receives directly $m_b$ as a response from his oracle.
+		\end{enumerate}
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 2 (A Variation of ElGamal in \texorpdfstring{$PKE$}{PKE})}
+
+Let consider ElGamal public encryption scheme with Encryption algorithm modified in the following way, where $\M=\bset$:
 \begin{itemize}
-	\item $\Gen$: on input $1^n$, select prime integers $p$ and $q$ such
-	that $|q|=n$, $q | (p-1)$ and $q^2 \not | \, (p-1)$, together with an
-	integer $g$ that generates the subgroup of $\mathbb{Z}_p^*$ of prime
-	order $q$. Also choose a hash function $H : \{0,1\}^* \rightarrow
-	\mathbb{Z}_q$. Then, select $x \leftarrow \mathbb{Z}_q$ uniformly at
-	random, and compute $y:= g^x \mod p$. The public key is $\langle H,
-	p, q, g, y\rangle$, and the private key is $\langle x\rangle$.
-	\item $\mathsf{Sign}$: in order to sign the message $m \in \{0,1\}^*$, choose
-	$k \leftarrow \mathbb{Z}_q^*$ uniformly at random and set $r:= [g^k
-	\mod p] \mod q$. Then, compute $s:= (H(m) + xr) \cdot k^{-1} \mod
-	q$, and output the signature $(r,s)$.
-	\item $\Vrfy$: compute $u_1 := H(m)\cdot s^{-1} \mod q$ and $u_2 := r
-	\cdot s^{-1} \mod q$, and output 1 if and only if $r = [g^{u_1} y^{u_2} \mod p] \mod q$. 
+	\item If $b=0$ then choose a uniform $y\in \Z_{q}$ set $c_1=g^y$, $c_2=h^y$, and the ciphertext is $(c_1,c_2)$.
+	\item If $b=1$ then choose independent uniform $y,z \in \Z_{q}$ set $c_1=g^y$, $c_2=g^z$, and the ciphertext is $(c_1,c_2)$.
 \end{itemize}
 
 \begin{enumerate}
-	\item Show the correctness of the DSS algorithm.
-	\item 
-	As randomness is an expensive resource, it is proposed to select
-	the random value $k$ once and for all, and to sign all messages
-	using that value of $k$. Is this variant of DSS secure? \\
-	\emph{(Hint: see what you can deduce from the signature of two
-		different messages.)}
+	\item How is it possible to decrypt correctly such ciphertexts with the private key?
+	\item Show that this scheme is CPA secure if $\DDH$ holds in $\mathbb{G}$.
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item We set:
+		\[ \Dec_{sk}(c_1, c_2)=\begin{cases} 0 \text{ if } c_2 = c_1^x \\ 1 \text{ if } c_2 \neq c_1^x \end{cases} \]
+		If $b=0$, then $(c_1, c_2)$ is simply the ElGamal encryption of the message $m=1$.
+		In that case, $c_1^x=c_2$, ElGamal decryption always succeeds, and so $\Pr[\Dec_{sk}(c_1, c_2)=0 | (c_1, c_2) \define \Enc_{pk}(0)] = 1$.
+
+		If $b=1$, then $(c_1, c_2)$ is the encryption of a message $\frac{c_2}{c_1^x}$.
+		We have that
+		\[ \Pr[\Dec_{sk}(c_1, c_2) = 0 | (c_1, c_2) = \Enc_{pk}(1)] = \Pr[c_2 = c_1^x | c_2 = g^z, c_1 = g^y] = \Pr[g^z=g^{xy}] = \frac{1}{|\mathbb{G}|=q} \]
+		and in contrast, $\Pr[\Dec_{sk}(c_1, c_2)=1 | (c_1, c_2) \define \Enc_{pk}(1)]=1-\frac{1}{q}$.
+		Overall, probability of correct decryption is
+		\[ \Pr[\Dec_{sk}(\Enc_{pk}(b))=b] = \frac{1}{2}\cdot 1 + \frac{1}{2}\cdot (1-\frac{1}{q}) = 1-\frac{1}{2q} \ge 1-\frac{1}{2^{n+1}}. \]
+		So, there is a negligible probability of failure to decrypt correctly.
+		This is allowed by the definition of a public-key encryption scheme, so decryption is OK.
+
+		\item We assume that $\DDH$ is difficult in $\mathbb{G}$.
+		We can prove that the scheme is CPA-secure by reduction.
+		We assume that we have a PPT adversary $\A$ against $\Pi$ with advantage $\negl$, and we build a distinguisher $\D$ as follows:
+		\begin{enumerate}[label=(\arabic*)]
+			\item Run $(\mathbb{G},g,q) \pick \mathcal{G}(1^n)$, such that $|q|=n$. \\
+			Choose uniformly at random $(x,y,z) \pick \Z_q^3$. \\
+			Choose at random $b\pick \bset$. \\
+			Set $h_0 \define g^z$, $h_1 \define g^{xy}$. \\
+			Send $(\mathbb{G}, q, g, (g^x, g^y, h_b))$ to $\D$.
+
+			\item $\D$ defines $pk = (\mathbb{G},g,q,g^x)$ and sends it to $\A$
+
+			\item $\A$ sends its challenge $m_0$, $m_1$ to $\D$. We assume w.l.o.g that $m_0=0$ and $m_1=1$.
+
+			\item $\D$ sends $c=(g^y,h_b)$ to $\A$
+
+			\item $\A$ outputs its guess $b'$. Then $\D$ outputs $b''=1-b'$.
+
+			\item Define $\DDH_{\A, \mathcal{G}}(n)=1$ iff $b=b''$, and $\PubKcpa(n)=1$ iff $b'$ is equal to the selected message.
+			%\item \textcolor{red}{Olivier : Pas d'accord à partir de là. C'est la probabilité de l'output b' qui varie en fonction de $h_b$ autrement dit b", je mets ma proposition en dessous.} $\mathcal{A}$ outputs $b'$
+			%\begin{itemize}
+			%	\item if $b'=0\Rightarrow h_b=g^{xy}$
+			%	\item if $b'=1\Rightarrow h_b=g^z$
+			%\end{itemize}
+			%$D$ outputs $b''=\Bar{b'}$
+			%\item Define : $$\text{PubK}^\text{cpa}_{\mathcal{A},\Pi}(n) = 1 \Leftrightarrow b'\neq b$$ $$\text{DDH}_{\mathcal{A}',\mathcal{G}}(n) = 1 \Leftrightarrow b''=b$$
+		\end{enumerate}
+		We can observe that if $b=0$, then message $m_1=1$ was sent to $\A$ as we sent $h_0=g^z$, and if $b=1$, then message $m_0=1$ was sent to $\A$, as we sent $h_1=g^{xy}$.
+
+		If we run the experiment, we have:
+		\begin{align*}
+			\Pr[\PubKcpa(n) = 1] &= \frac{1}{2}+\negl(n)\\
+			&= \Pr[b'\neq b]\\
+			&= \Pr[b''=b]\\
+			&= \Pr[\DDH_{\A',\mathcal{G}}(n) = 1]
+		\end{align*}
+		If $\negl(n)$ is non negligible, $\A'$ is a PPT adversary that can break $\DDH$ with non negligible probability, which contradicts the assumption. Therefore $\A$ is CPA secure if $\DDH$ is hard in $\mathbb{G}$.
+
+		\textbf{Note: there are a few problems in the computation of the probabilities; any fix / comment is welcome!}
+	\end{enumerate}
+
+	\textbf{Another solution}:
+
+	\begin{enumerate}
+		\item D outputs 1 $\Leftrightarrow b'=1$.
+		\item We observe:
+
+		If $b=0 \Rightarrow \Pr[D \text{ outputs } 1]=\frac{1}{2}$ (as $g^z$ looks random in $\mathbb{G}$)
+
+		If $b=1 \Rightarrow \Pr[D\text{ outputs }1]=\frac{1}{2}+\eta(n)$.
+		\item We thus have D distinguishing between $g^z$ and $g^{xy}$ with advantage $\eta(n)$. As we assume that $\DDH$ holds in $\mathbb{G}$, $\eta(n)$ must be negligible and this scheme is CPA-secure.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 3 (Decisional Diffie-Hellman, \texorpdfstring{$\Z^*_p$}{Zp}, and \texorpdfstring{$QR_p$}{QRp})}
+%\subsection{Exercise 3 (Decisional Diffie-Hellman, $\Z^*_p$, and $QR_p$)}
+
+\copypaste{7}{4}
+
+
+
+\subsection{Exercise 4 (A variation of ElGamal in \texorpdfstring{$QR_p$}{QRp})}
+
+Let $p=2q+1$ with $q$ prime, let $\mathbb{G}=QR_p$ the group of squares modulo $p$, and $g$ be a generator of $\mathbb{G}$.
+We define ElGamal encryption scheme in this group: The private key is $(\mathbb{G},g,q,x)$, the public key is $(\mathbb{G},g,q,h=g^x)$
+where $x \in \Z_{q}^*$ is chosen uniformly. To encrypt a message $m$ $\in \Z_{q}$, choose a uniform $r \in \Z_{q}$, compute $c_1=g^r \mod p$ and $c_2=h^r+m \mod p$ and let the ciphertext be $(c_1,c_2)$.
+
+\begin{enumerate}
+	\item What is the order of $g$?
+	\item Is this scheme CPA-secure?
 \end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item As $g$ is a generator of $\mathbb{G}$, then $\ord(g)=|\mathbb{G}|$.
+		According to the previous exercise and given the fact that $\mathbb{G} \define QR_p$, then $|\mathbb{G}| = \frac{p - 1}{2} = q =  \ord(g)$.
+
+		\item The scheme is CPA-Secure and we will prove it by assuming that $QR_p$ holds in $\DDH$.
+
+		Suppose that we have a PPT adversary $\A$ which can solve ElGamal in $QR_p$ with an advantage $\negl$. It works like this:
+		\begin{enumerate}
+			\item We send $pk$ to $\A$ where pk = $(\mathbb{G}, g, q, h = g^x)$.
+			\item $\A$ outputs $m_0$, $m_1$.
+			\item The ElGamal challenger-oracle picks a random $b \pick \bset$ and sends back $\Enc_{pk}(m_b) = (c_1, c_2)$  to $\A$.
+			\item $\A$ then outputs $b''$. He wins if $b=b''$.
+		\end{enumerate}
+		We will use $\A$ to build a distinguisher $\D$ able to solve $\DDH_{\D, \mathbb{G}}(n)$:
+		\begin{enumerate}
+			\item Run $\mathbb{G}(n)$ to obtain $(\mathbb{G}, q, g)$.
+			\item We choose $(x, y, z) \pick \mathbb{Z}^3_q$.
+			\item We set $h_1 = g^{xy}$, $h_0 = g^{z}$ and $b \pick \bset$.
+			We forward then $((\mathbb{G}, q, g), (g^x, g^y, h_{b}))$ to $\D$.
+			\item $\D$ will then build $pk  = (\mathbb{G}, q, g, h_x \define g^x)$ and will forward $pk$ to $\A$.
+			\item $\A$ will then output its challenge queries $m_0$, $m_1$.
+			$\D$ will pick $b' \pick \bset$, and produce $c = (c_1, c_2) = (g^y, h_{b} + m_b \pmod p$.
+			We use $r \define y$ and use $h_b$ as our value for $h_x^y=g^{xy}$.
+			$\D$ sends $c$ to $\A$.
+			\item $\A$ will output $b''$.
+			\item $\D$ will output $ b''' \define 1 \Leftrightarrow b'' = b'$. We define $\DDH_{\D, \mathbb{G}}(n)=1$ iff $b'''=b$.
+		\end{enumerate}
+		We analyse the chance of success to determine $\DDH_{\D, \mathbb{G}}(n)$:
+		\begin{itemize}
+			\item if $b = 0$, then $\Pr[\DDH_{\D, \mathbb{G}}(n)=1] = \frac{1}{2}$: $\A$ is faced with random values, so he is not in the correct conditions.
+			\item if $b = 1$, then $\Pr[\DDH_{\D, \mathbb{G}}(n)=1] = \frac{1}{2} + \negl(n)$: $\A$ operates correctly and its advantage is available.
+		\end{itemize}
+		Overall, we have
+		\[ \Pr[\DDH_{\D, \mathbb{G}}(n)=1] = \frac12 + \frac{\negl(n)}{2} \]
+		As we assume that $\DDH$ is hard in $QR_p$, then it means that this probability should have a negligible advantage, and so $\negl(n)$ should be negligible: thus, the scheme that was attacked by $\A$ is CPA-secure.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 5 (DDH PRG)}
+
+Let $\mathbb{G}$ be a cyclic group of prime order $q$ generated by $g \in \mathbb{G}$.
+Consider the following PRG defined over $(\Z^2-q, \mathbb{G}^3)$:
+$G(\alpha, \beta) \define (g^\alpha, g^\beta, g^{\alpha\beta})$.
+Define what it means for a PRG over $(\Z^2-q, \mathbb{G}^3)$ to be secure and show that $G$ is a secure PRG assuming $\DDH$ holds in $\mathbb{G}$.
+
+
 \begin{solution}
-  \begin{enumerate}
-    \item
-      $(r, s) = ([g^k \pmod{p}] \pmod{q}, [H(m) + xr]k^{-1} \pmod{q})$, then:
-      $u_1 = H(m)s^{-1} \pmod{q}$,  $u_2 = rs^{-1} \pmod{q}$, $r = [g^{u_1} g^{u_2} \pmod{p}] \pmod{q}$, $y = g^x$
-
-      $$\Rightarrow g^{u_1 + xu_2} = g^{s^{-1}(H(m) + rx)} = [g^k \pmod{p}] \pmod{q} = r$$
-    \item
-      $s = (H(m) + xr)k^{-1} \pmod{q}$, $s' = (H(m') + xr)k^{-1} \pmod{q}$ ($s \neq s'$ otherwise we have a collision).
-      $s - s' = (H(m) - H(m'))k^{-1} \pmod{q}$, $k = \frac{H(m) - H(m')}{s - s'}$.
-      $s = (H(m) + xr)k^{-1}$ so $\frac{sk - H(m)}{r} = x$ where x is the secret.
-  \end{enumerate}
+	Taking the definition, $G\colon \Q_q^2 \mapsto \mathbb{G}^3$ is a secure PRG over $\mathbb{G}$ if $\forall n$, $\forall$ PPT distinguisher $\D$, $\exists$ negl. $\negl$ such that:
+	\[ | \Pr[D(x, y, z)=1] - \Pr[D(G(\alpha, \beta))=1] | \le \negl(n) \]
+	where $(x, y, z) \pick \mathbb{G}^3$ and $(\alpha, \beta) \pick \Z_q^2$, all randomly and uniformly and independent picked.
+
+	The other property of expansion is trivially verified by the definition itself (as $|\Z_q|=|\mathbb{G}|=q$).
+
+	We will proof the proposition by reduction.
+
+	Assume that we have a PPT adversary $\D$ that can distinguish between the PRG $G$ as defined above and a random triplet of values with advantage $\negl$.
+	That is,
+	\[ | \Pr[\D(x, y, z)=1] - \Pr[\D(G(\alpha, \beta))=1] | \le \negl(n) \]
+	Without loss of generality, we will assume that $\D$ outputs $1$ when he identifies that he is in front of the PRG.
+	If that's not the case, simply reverse its output, and take $1-$ the probabilities above as the new probabilities of output, and the difference will be the same. Then, we can assume that
+	\[ \Pr[\D(x, y, z)=1] = \Pr[\D \text{ outputs } 1 | \text{ 3 random values}] = k \]
+	and
+	\[ \Pr[\D(G(\alpha, \beta))=1] = \Pr[\D \text{ outputs } 1 | \text{in front of PRG}] = k + \negl(n) \]
+	This is just a rewriting of the above condition. $k$ is some value between $0$ and $1$, and we don't care what it is: we're just interested in the difference between the probabilities.
+
+	Then, let's build our PPT adversary $\A$ against $\DDH$ in $\mathbb{G}$. He will play the experiment $\DDH_{\A, \mathcal{G}}(n)$:
+	\begin{enumerate}
+		\item Run $\mathcal{G}(1^n)$ to generate $(\mathbb{G}, q, g)$ with $g$ generator of $\mathbb{G}$ or order $q$ and $|q|=n$.
+
+		Choose $(x, y, z) \pick \Z_q^3$, $b \pick \bset$. Define $h_0=g^z$, $h_1=g^{xy}$.
+
+		Send $(\mathbb{G}, q, g, h_x \define g^x, h_y \define g^y, h_b)$ to $\A$.
+
+		\item Send to $\D(\mathbb{G}, q, g)$ the following ``challenge'': $w \define (h_x, h_y, h_b)$.
+
+		If $b=0$, this is $(g^x, g^y, g^z)$, a triplet of pure random numbers.
+
+		If $b=1$, this is $(g^x, g^y, g^{xy})$, the output of $G(x, y)$.
+
+		\item $\D$ outputs $b'$. Then, $\A$ outputs $b''=b'$. Define $\DDH_{\A, \mathcal{G}}(n)=1$ iff $b''=b$.
+	\end{enumerate}
+	Then, we just have to compute:
+	\begin{align*}
+	\Pr[\DDH_{\A, \mathcal{G}}(n)=1] &= \Pr[b''=b] \\
+	&= \Pr[b'=b] \\
+	&= \Pr[b'=1 | b=1] \cdot \Pr[b=1] + \Pr[b'=0 | b=0] \cdot \Pr[b=0] \\
+	&= (k + \negl(n)) \cdot \frac12 + (1-k) \cdot \frac12 \\
+	&= \frac12 + \frac12 \negl(n) \le \frac12 + \negl'(n).
+	\end{align*}
+	As we assume that $\DDH$ is hard in $\mathbb{G}$, we assume that $\negl'$ is negligible, and so $\negl$ must be negligible too.
+	This implies that $\D$ cannot distinguish between the PRG and random numbers efficiently, and thus that our PRG is secure.
 \end{solution}
 
-\subsection{Exercise 3 (RSA permutation with modulus 221)}
-Suppose we decide to use an RSA permutation with modulus $221$, we consider RSA encryption scheme, and RSA signature.
+
+
+% TODO move
+\subsection{Exercise X (A variant of ElGamal Encryption.)}
+% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
+
+Let us consider the following variant of ElGamal encryption.  Let
+\begin{itemize}
+	\item $\Gen$ output a pair
+	$\langle pk, sk \rangle \define \langle(\Gr, q, g, h), (\Gr, q, g, x)
+	\rangle$ as in traditional ElGamal encryption, except that $x$ is selected in $\Z_q - \{0\}$;
+	\item $\Enc_{pk}(m) \define \langle m\cdot g^y, h^y\rangle$ with $y \leftarrow \Z_q$ and $m \in \Gr$.
+\end{itemize}
+
 \begin{enumerate}
-	\item What is the smallest non trivial public exponent $e$ than can be
-	chosen?
-	\item Can we choose $e=11$? What is the corresponding private exponent $d$? Give the public and private key of the corresponding RSA encryption scheme.
-	\item Compute $c := 219^e \pmod{221}$.
-	\item Verify that $c^d = 219 \pmod{221}$ as expected.
-	\item How Alice (owning the private key) could sign a message $m$? Sign the message $m=3$ (hint: $22^7= 61 \pmod{221}$).
-	\item Is $160$ a valid signature for $m=218$?
-	% \emph{Hint: use the square and multiply algorithm.}
+	\item Define the corresponding decryption operation.
+	\item Why did we exclude ``0'' from the set in which $x$ is selected?
+	\item Prove that this variant of ElGamal is CPA-secure if the DDH
+	problem is hard with respect to the group key generation algorithm $\Gr$.
 \end{enumerate}
+
+
 \begin{solution}
-We suggest you to use a calculator to do this exercise, the assistants said we could (pour faire taire les rageux).
-  \begin{enumerate}
-      \item \textbf{What is the smallest non trivial public exponent $e$ that can be chosen ?} 
-      
-      First we have to find $\phi$(221). As 221 is not a prime, we must find $p$ and $q$ such that $221 = pq$. After a few try, we find $p = 13$ and $q = 17$. Wet get then $\phi(221) = (p-1)(q-1) = 192$. \newline 
-      The searched smallest $e$ should respect the condition $gcd(192, e) = 1$. Again, after a few try, we find $e = 5$.
-      \item \textbf{Could we choose $e = 11$ ?} 
-      
-      Yeah, since 11 is a prime, then $gcd(192, 11) = 1$. 
-      
-      \textbf{What is the corresponding private exponent d ?} 
-      $$ ed = 1 \text{ mod 192}$$ $$11d = 1 \text{ mod 192}$$ $$d = \frac{192k + 1}{11}$$
-      If we take k=2, we find $d = 35$.
-      
-      \textbf{Give the public and private key of the corresponding RSA encryption scheme} \newline
-      pk = $(221, 11)$ 
-      sk = $(221, 35)$
-      \item \textbf{Compute c := $219^e$}(boring calculations) 
-      \begin{itemize}
-          \item $219^{1} = -2 $
-          \item $219^{2} = 4  $
-          \item $219^{4} = 16 $
-          \item $219^{5} = -32$
-          \item $219^{10} = 140$
-          \item $219^{11} = 162$
-      \end{itemize}
-      \item \textbf{Verify that $c^d = 219$} 
-      \begin{itemize}
-          \item $162^{1} = -59 $
-          \item $162^{2} = -55 $
-          \item $162^{4} = -69 $
-          \item $162^{5} = 93 $
-          \item $162^{6} = 38 $
-          \item $162^{7} = -32 $
-          \item $162^{35} = -2 = 219 $
-      \end{itemize}
-      \item \textbf{How Alice could sign a messsage m ?} 
-      
-      According the scheme described in the slides, $Sign_{(N, d)}(m) := [m^d mod N]$ 
-      
-      \textbf{Sign the message m = 3} 
-      \begin{itemize}
-          \item $3^{1} = 3 $
-          \item $3^{2} = 9 $
-          \item $3^{4} = 81 $
-          \item $3^{5} = 22 $
-          \item $3^{35} = 61 $ (using the hint given)
-      \end{itemize}
-      \item \textbf{Is 160 a valid signature for m = 218}
-      Let's calculate (yipie) 
-      \begin{itemize}
-          \item $218^{1} = -3 $
-          \item $218^{2} = 9 $
-          \item $218^{4} = 81 $
-          \item $218^{5} = -22 $
-          \item $218^{35} = -61 = 160$
-      \end{itemize}
-      Yes it is a valid signature
-  \end{enumerate}
-\end{solution}
\ No newline at end of file
+	\begin{enumerate}
+		\item	$\D_{sk}(c_1, c_2) = \frac{c_1}{c_2^{1/x}}$, where $1/x$ is the inverse of $x \bmod q$.
+		\item We exclude ``0'' as  $0 \not \in \Z_q^*$, so it has no inverse mod $q$.
+		\item The reduction $A'$ proceeds as follows, using an attacker $A$ of
+		the modified ElGamal scheme:
+		\begin{enumerate}
+			\item $A'$ starts an instance of $A$ and gets
+			$\mathbb{G}, q, g, g^x, g^y, g^z$ from the DDH challenger (where $z$
+			is or is not $xy$)
+			\item $A'$ checks if $g^x = 1$ (that is, if $x=0$). If it is the
+			case, it claims that it received a DDH tuple if $g^y = g^z$ (by
+			returning 1) and a random tuple otherwise (by returning 0) and
+			stops. The claim will be always correct, but this event will only
+			happen with probability $1/q$.
+			\item $A'$ forwards $(\mathbb{G},q, g, g^x)$ as ElGamal public key
+			to $A'$.
+			\item When $A'$ outputs two messages $m_0, m_1$, $A'$ flips a coin
+			$b$ and returns $(m_b g^y, g^z)$.
+			\item When $A$ outputs its guess $b'$, $A'$ claims that it received
+			a DDH tuple if and only if $b = b'$, and returns ``1'' in this case.
+		\end{enumerate}
+		If $A$ runs in PPT, then so does $A'$ (its extra operations are
+		clearly PPT).
+		Let $X$ be the event that $A'$ outputs 1 when receiving a DDH tuple,
+		and $Y$ be the event that $A'$ outputs 1 when receiving a random
+		tuple.
+		%Since DDH is hard, we know that $|\Pr[X] - \Pr[Y]|$ is a negligible quantity.
+		Let us assume that $A$ wins the CPA
+		game with probability $\frac 1 2 + \negl(n)$.
+
+		We can see that
+		$\Pr[X] = \Pr[X \wedge (x=0)] + \Pr[X \wedge (x\neq 0)] = \frac 1 q +
+		\frac{q-1}{q}(\frac 1 2 + \negl(n))$.
+		Indeed, when $x \neq 0$, $A$ exactly sees inputs that are
+		distributed exactly as he expects them. Furthermore,
+		$\Pr[Y] = \Pr[Y \wedge (x=0)] + \Pr[Y \wedge (x\neq 0)] = 0 +
+		\frac{q-1}{q} \frac 1 2$.
+		Indeed, when $x \neq 0$, the inputs of $A$ are independent of $b$, and
+		therefore $A'$ wins with probability exactly $\frac 1 2$.
+
+		As a result,
+		$|\Pr[X] - \Pr[Y]| = \frac 1 q + \frac{q-1}{q}\negl(n) $. If $\negl(n)$ is non negligible (\textit{i.e.} this ElGamal variant is non CPA secure), then $|\Pr[X] - \Pr[Y]|$ is non negligible and DDH does not hold in $\Gr$. Reciprocally, if $\DDH$ holds in $\Gr$, this ElGamal variant is CPA secure.
+	\end{enumerate}
+
+\end{solution}
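Review bot: The CPA-security proof for Exercise 4 breaks at the case analysis `if $b = 0$, then ... $\A$ is faced with random values`, because in this scheme $c_2 = h^r + m \bmod p$ with $h^r \in QR_p$, so $c_2 - m_b$ is always a quadratic residue while $c_2 - m_{1-b}$ is one only about half the time; since quadratic residuosity modulo a prime is efficiently decidable, $\A$'s view still depends on $b$ after $h_0 = g^z$ is substituted and the claimed probability $\frac12$ does not follow. As far as I can tell the intended answer is that this additive variant is not CPA-secure, which is also why the other ElGamal exercises in this hunk multiply the message into $\mathbb{G}$; the solution should say so and replace the reduction with that observation rather than present it as a proof. Separately, `assuming that $QR_p$ holds in $\DDH$` reads backwards and should be `assuming that $\DDH$ holds in $QR_p$`. The ciphertext `(g^y, h_{b} + m_b \pmod p$` in the same reduction is missing its closing parenthesis, and the domain `(\Z^2-q, \mathbb{G}^3)` (twice in Exercise 5) together with `\Q_q^2` in its solution should all be `\Z_q^2`.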
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp7.tex b/src/q7/crypto-MAT2450/exercises/tp/tp7.tex
index 7c1b11f2a661de01cb1af42d31b18d64626da14e..cc883b82a8d25572e888194987aab99414bcc817 100644
--- a/src/q7/crypto-MAT2450/exercises/tp/tp7.tex
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp7.tex
@@ -1,226 +1,226 @@
-% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
 
 \section{}
-\subsection{Exercise 0}
-\copypaste{6}{2}
-\begin{solution}
-\begin{enumerate}
-	\item We show the correctness (if the signature is well formed, it is accepted).
-	\begin{align*}
- [g^{u_1} y^{u_2} \mod p] \mod q = &[g^{H(m)\cdot s^{-1}} (g^x)^{r
- 	\cdot s^{-1}} \mod p] \mod q,\\
-= &[g^{(H(m)+rx)	\cdot s^{-1}} \mod p] \mod q,\\
-= &[g^{k} \mod p] \mod q,\\
-= &r .\\
-	\end{align*}
-	
-	\item As the same $k$ was used for two signatures, we have the valid signatures $(r,s_1)$ where $s_1:=(H(m_1) + xr) \cdot k^{-1} \mod
-	q$ and $(r,s_2)$ where $s_1:=(H(m_2) + xr) \cdot k^{-1} \mod
-	q$. Now, we consider the quotient of $s_1$ divided by $s_2$ (the operations are modulo $q$), in order to cancel the part depending on $k$, note that we can do it with two signatures only because the same $k$ is reused:
-	\[\frac{s_1}{s_2}=\frac{(H(m_1) + xr) \cdot k^{-1}}{(H(m_2) + xr) \cdot k^{-1}}=\frac{H(m_1) + xr}{H(m_2) + xr} .\]
-	This is equivalent to: $s_1 (H(m_2) + xr)= s_2 (H(m_1) + xr)$, then: 
-	\[xr= \frac{s_1 H(m_2) - s_2 H(m_1)}{s_2-s_1}.\]
-	Finally, dividing by $r$ we get $x$ which is the secret key. As with non negligible probability (when the denominators are non null we can perform the operations described below) we can get $x$ and sign any other message, this variant of DSS is non secure.
-		
-\end{enumerate}
 
-\end{solution}
 
+\subsection{Exercise 1 (Commitment scheme)}
+\label{subsec:commit-scheme}
 
-\subsection{Exercise 1 (A variant of ElGamal Encryption.)}
-Let us consider the following variant of ElGamal encryption.  Let
+Define the bit-commitment scheme $\langle \G, \Com, \Open \rangle$ with the following PPT algorithms:
 \begin{itemize}
-	\item $\Gen$ output a pair
-	$\langle pk, sk \rangle := \langle(\Gr, q, g, h), (\Gr, q, g, x)
-	\rangle$ as in traditional ElGamal encryption, except that $x$ is selected in $\Z_q - \{0\}$; 
-	\item $\Enc_{pk}(m) := \langle m\cdot g^y, h^y\rangle$ with $y \leftarrow \Z_q$ and $m \in \Gr$. 
+	\item $\Gen(1^n)$ sets $pk$ as $(\PRG,R)$, where
+	\begin{itemize}
+		\item $\mathsf{G}$ is a random generator $\lbrace 0,1 \rbrace^n \longmapsto \lbrace 0,1\rbrace^{3n}$
+		\item $R$ is a random $3n$-bit string
+	\end{itemize}
+	\item $\Com_{pk}(b)$ with $b\in\{0,1\}$ provides $(c,d)$ where:
+	\begin{itemize}
+		\item $Y$ is an $n$-bit string
+		\item  if $b=0$ $c=\mathsf{G}(Y)$
+		\item if $b=1$, $c=\mathsf{G}(Y) \oplus R$
+		\item $d=(b,Y)$
+	\end{itemize}
+	\item $\Open_{pk}(c,d)$ outputs $b$ if it can recompute $c$ from $d$ and $pk$, or $\bot$ otherwise
 \end{itemize}
 
 \begin{enumerate}
-	\item Define the corresponding decryption operation. 	
-	\item Why did we exclude ``0'' from the set in which $x$ is selected? 	
-	\item Prove that this variant of ElGamal is CPA-secure if the DDH
-	problem is hard with respect to the group key generation algorithm $\Gr$. 
+	\item Is this scheme perfectly hiding?
+	\item Is this scheme computationaly binding?
+	\item If the committer choose $R$ is the scheme secure?
 \end{enumerate}
 
+
 \begin{solution}
-\begin{enumerate}
-	\item	$\D_{sk}(c_1, c_2) = \frac{c_1}{c_2^{1/x}}$, where $1/x$ is the inverse of $x \bmod q$. 
-	\item We exclude ``0'' as  $0 \not \in \Z_q^*$, so it has no inverse mod $q$. 
-	\item The reduction $A'$ proceeds as follows, using an attacker $A$ of
-	the modified ElGamal scheme:
 	\begin{enumerate}
-		\item $A'$ starts an instance of $A$ and gets
-		$\mathbb{G}, q, g, g^x, g^y, g^z$ from the DDH challenger (where $z$
-		is or is not $xy$)
-		\item $A'$ checks if $g^x = 1$ (that is, if $x=0$). If it is the
-		case, it claims that it received a DDH tuple if $g^y = g^z$ (by
-		returning 1) and a random tuple otherwise (by returning 0) and
-		stops. The claim will be always correct, but this event will only
-		happen with probability $1/q$.
-		\item $A'$ forwards $(\mathbb{G},q, g, g^x)$ as ElGamal public key
-		to $A'$.
-		\item When $A'$ outputs two messages $m_0, m_1$, $A'$ flips a coin
-		$b$ and returns $(m_b g^y, g^z)$. 
-		\item When $A$ outputs its guess $b'$, $A'$ claims that it received
-		a DDH tuple if and only if $b = b'$, and returns ''1'' in this case. 
-	\end{enumerate}
-	If $A$ runs in PPT, then so does $A'$ (its extra operations are
-	clearly PPT). 
-	Let $X$ be the event that $A'$ outputs 1 when receiving a DDH tuple,
-	and $Y$ be the event that $A'$ outputs 1 when receiving a random
-	tuple. 
-	%Since DDH is hard, we know that $|\Pr[X] - \Pr[Y]|$ is a negligible quantity. 
-	Let us assume that $A$ wins the CPA
-	game with probability $\frac 1 2 + \epsilon(n)$.
-	
-	We can see that
-	$\Pr[X] = \Pr[X \wedge (x=0)] + \Pr[X \wedge (x\neq 0)] = \frac 1 q +
-	\frac{q-1}{q}(\frac 1 2 + \epsilon(n))$.
-	Indeed, when $x \neq 0$, $A$ exactly sees inputs that are
-	distributed exactly as he expects them. Furthermore,
-	$\Pr[Y] = \Pr[Y \wedge (x=0)] + \Pr[Y \wedge (x\neq 0)] = 0 +
-	\frac{q-1}{q} \frac 1 2$.
-	Indeed, when $x \neq 0$, the inputs of $A$ are independent of $b$, and
-	therefore $A'$ wins with probability exactly $\frac 1 2$. 
-	
-	As a result,
-	$|\Pr[X] - \Pr[Y]| = \frac 1 q + \frac{q-1}{q}\epsilon(n) $. If $\epsilon(n)$ is non negligible (\textit{i.e.} this ElGamal variant is non CPA secure), then $|\Pr[X] - \Pr[Y]|$ is non negligible and DDH does not hold in $\Gr$. Reciprocally, if DDH holds in $\Gr$, this ElGamal variant is CPA secure.
-\end{enumerate}
+		\item For a scheme to be perfectly hiding, we need that $\forall \A$:
+		\[ \Pr[\ComHide_{\A,\Pi}=1]=\frac12 \Leftrightarrow \Pr[c|b=0] = \Pr[c|b=1] \]
+		If $b=0$, then $c$ has as much randomness as $\mathsf{G}$, which has as much randomness as $Y$, so $n$ bits of randomnes (=there are $2^n$ possible values for $c$).
+
+		If $b=1$, then $c$ has as much randomness as $\mathsf{G}$ and $R$, so basically $3n$ bits of randomness (=there are $2^{3n}$ possible values for $c$).
+
+		If we have unbounded computational power, then we could enumerate all possible outputs $\mathsf{G}(Y)$, and see if $c$ is in this set of values.
+		If $b=0$, we are sure they are in;
+		if $c=1$, there are $2^{2n}$ possible $R$ such that $\mathsf{G}(y) \oplus R$ cannot be distinguished from $\mathsf{G}(Y')$ (simply, $R=\mathsf{G}(Y)\oplus \mathsf{G}(Y')$), so there is a probability $\frac{2^{2n}}{2^{3n}}=\frac{1}{2^{n}}$ that $c \in \{\mathsf{G}(Y)\}$.
+		So the probability of success for an unbounded adversary is
+		\[ \frac{1}{2} \cdot 1 + \frac{1}{2} (1-\frac{1}{2^{n}}) = 1-\frac{1}{2^{n+1}} \]
+		So, an unbounded adversary has near-certainty of breaking the hiding property.
+
+		To break the hiding property, an adversary would need to enumerate all possible outputs of $\mathsf{G}$ (requires $2^n$ steps) if $G(Y) \oplus R \notin \{x | \forall u : x = G(u)\}$.
+
+		But this kind of event has a negligible chance of probability ($\Pr = \frac{|\mathsf{G}(Y)|}{|\mathsf{G}(Y) \oplus R|} = \frac{2^n}{2^{3n}} = \frac{1}{2^{2n}} = \negl(n)$) so an adversary with an unbounded power of calculation can easily break the property of perfectly hiding.
 
+		It is however simple to prove that the scheme is computationally hiding.
+
+		\item For the scheme to be computationally binding, it should be intractable to find $(c, d_0, d_1)$ such that $\Open_{pk}(c, d_0)=0$ and $\Open_{pk}(c, d_1)=1$.
+		If we replace, we find that it is equivalent to find $Y_0, Y_1$ such that
+		\[ c=\mathsf{G}(Y_0) = \mathsf{G}(Y_1) \oplus R \]
+		For this to be possible at all, we need to have $R=\mathsf{G}(Y_0) \oplus \mathsf{G}(Y_1)$ for some $Y_0, Y_1$.
+		But, we have that $|\{R\}|=2^{3n}$ while $|\{ \mathsf{G}(Y_0) \oplus \mathsf{G}(Y_1) \}| \le 2^{2n}$, so the probability of $R$ being correct for this to happen is at most $\frac{2^{2n}}{2^{3n}}=\frac{1}{2^n}$, which is negligible.
+		And so, \[ \Pr[\ComBind_{\A, \Pi}(n)=1] \le \frac{1}{2^n} \quad \forall \A. \]
+		So even if we have an adversary capable of finding $Y_0$ and $Y_1$ with near-certainty, the fact that $R$ can just be badly chosen for him causes its probability of success to be \emph{in all cases} negligible.
+		So, the scheme is computationally binding.
+
+		\item Not secure, because if the committer chooses $R = G(Y)$, then the opposite player can easily deduce the value of b. If $c = 0$, $b = 1$, else $b = 0$.
+	\end{enumerate}
 \end{solution}
 
-\subsection{Exercise 2}
-Let $F$ be a PRF. Below, we describe three \textit{insecure} \emph{variable-length} message authentication codes (\textit{a.k.a.} MACs), $\Pi_1$, $\Pi_2$ and $\Pi_3$, which all use the same key generation algorithm $\G$. The message space is \emph{any (non negative) number} of message blocks in $\{0,1\}^n$, where $n$ is the security parameter. 
-%
-\begin{description}
-	\item[$\G(1^n)$] outputs a random key $k\gets\{0,1\}^n$.
-\end{description}
-%
-The scheme $\Pi_3$ is built from $\Pi_2$ which is itself built from $\Pi_1$ as an (unsuccessful) attempt to ``patch'' the previous scheme:
-%
-\begin{description}
-	\item[$\Pi_1=(\Gen,\Mac^1,\Vrfy^1)$:]
-	\emph{``Deterministic MAC -- Chaining PRFs''}
-	
-	$\Mac^1_k(m_1,\ldots,m_\ell)$ computes $t_1=F_k(m_1)$ as well as
-	$t_i=F_k(m_i\oplus t_{i-1})$, for $i=2$ to $\ell$, and returns $t:=t_\ell$ (note that only the last block is returned).
-	
-	$\Vrfy^1_k((m_1,\ldots,m_{\ell}),t)$ outputs $1$ if
-	$\Mac^1_k(m_1,\ldots,m_{\ell})=t$, and 0 otherwise.
-	\item[$\Pi_2=(\Gen,\Mac^2,\Vrfy^2)$:]
-	\emph{``Padding a random message block in the end''}
-	
-	$\Mac^2_k(m_1,\ldots,m_\ell)$ first picks a random $r\gets\{0,1\}^n$ and
-	then runs $t=\Mac_k^1(m_1,\ldots,m_\ell,r)$ and outputs $(r,t)$.
-	
-	$\Vrfy^2_k((m_1,\ldots,m_{\ell}),(r,t))$ outputs $1$ if
-	$\Mac^1_k(m_1,\ldots,m_{\ell},r)=t$, and 0 otherwise.
-	
-	\item[$\Pi_3=(\Gen,\Mac^3,\Vrfy^3)$:]
-	\emph{``Padding a random message block in the beginning''}
-	
-	$\Mac^3_k(m_1,\ldots,m_\ell)$ first picks a random $s\gets\{0,1\}^n$ and
-	then runs $(r,t)=\Mac_k^2(s,m_1,\ldots,m_\ell)$ and outputs $(r,s,t)$.
-	
-	$\Vrfy^3_k((m_1,\ldots,m_{\ell}),(r,s,t))$ outputs $1$ if
-	$\Mac^1_k(s,m_1,\ldots,m_{\ell},r)=t$, and 0 otherwise.
-\end{description}
 
-\begin{enumerate}
-	\item Describe $\Mac_k^3(m_1,\ldots,m_\ell)$ explicitly in term of computations
-	of $F_k$ (and $\oplus$ of course).
-	\item Show the correctness of $\Pi_3$.
-	\item Mount a forgery attack on these MACs.
-\end{enumerate}
+
+\subsection{Exercise 2 (Commitment with DL)}
+
+Let $(\mathbb{G}, \cdot)$ be a group in which the discrete logarithm is difficult, with $|\mathbb{G}|=q$.
+Let $g$ be a generator of the group and $h$ be a random element of the group ($(g, h)$ may be seen as the key of the hash function).
+Define the following hash funtion $\mathsf{H}\colon \Z^*_q \times \Z^*_q \mapsto \mathsf{G}$:
+\[ \mathsf{H}_{g,h} (\alpha, \beta) \define g^\alpha h^\beta \]
+Prove that if the DL is difficult, then, the hash function is collision resistant.
+For simplicity we assume that $q$ is prime.
+
 
 \begin{solution}
-\begin{enumerate}
-		\item For random $r,s\leftarrow \{0,1\}^n$, 
-		$\Mac^3_k(m_1,\ldots,m_\ell)$ computes $t_0=F_k(s)$, then $t_i=F_k(m_i \oplus t_{i-1})$ for $i=1$ to $\ell$, and finally 
-		$t_{\ell+1}=F_k(r\oplus t_\ell)$. 
-		It outputs $(r,s,t)$ where $t:=t_{\ell+1}$.
-	
-		
-		\item Using the description of $\Mac^1_k$, on inputs $(s,m_1,\ldots,m_\ell,r)$ it gives $t'_1=F_k(s)$, for $i=1$ to $\ell$, $t'_{i+1}=F_k(m_i \oplus t'_i)$, and $t'_{\ell+2}=F_k(r \oplus t'_{\ell+1})$. $t'_{\ell+2}$ is the output, or equivalently:
+	I don't know, maybe a reduction might be useful? It's been such a long time!
+
+	For the reduction, let's assume that we have an adversary $\A$ that can break the collision resistance by finding a collision with advantage $\negl(2n)$.
+	We have $2n$ instead of $n$ because the seed of the hash function has $2n$ bits instead of $n$.
+	Then, we can build an adversary $\D$ that can solve the DL problem:
+	\begin{enumerate}
+		\item Run $\mathcal{G}(1^n)$ to obtain $(\mathbb{G}, q, g)$ where $g$ generates $\mathbb{G}$ of order $q$ with $|q|=n$.
+		\item Choose $h \pick \mathbb{G}$.
+		\item Send $(\mathbb{G}, q, g, h)$ to $\D$.
+		\item $\D$ uses $\A$: he sends $(g, h)$ as the seed.
+		Then, with probability $\negl(2n)$, $\A$ answers with $(\alpha, \beta)$ and $(\alpha', \beta')$ such that $\alpha\neq\alpha' \vee \beta\neq\beta'$ and
+		\[ g^\alpha h^\beta = g^{\alpha'} g^{\beta'} \]
+		From this, if we want to find $x$ such that $g^x=h$, then we just replace:
 		\begin{align*}
-		F_k(r \oplus t'_{\ell+1})&=F_k(r \oplus (F_k(m_\ell \oplus F_k( m_{\ell-1} \oplus( \cdots F_k(m_1\oplus F_k(s)) )^{\ldots}         )))),\\
-		&=t.
+		g^\alpha (g^x)^\beta &= g^{\alpha'} (g^x)^{\beta'} \\
+		\alpha + x \beta &= \alpha' + x \beta' \\
+		x &= \frac{\alpha'-\alpha}{\beta-\beta'}
 		\end{align*}
-		
-		
-		
-		\item These MACs are not even one-time secure:
-		\begin{description}
-			\item $\Pi_1$: (1) query $\Mac^1_k(m)$ on any $m\in\{0,1\}^n$ and get the tag $t=F_k(m)$; \\
-			(2) output $((m,m\oplus t),t)$. 
-			
-			$t_1=F_k(m)$, $t_2=F_k(m\oplus t \oplus t_1)= F_k(m \oplus 0)=t$.
-			
-			\item $\Pi_2$: (1) query $\Mac^2_k(m)$ on any $m\in\{0,1\}^n$ and get the tag $(r,t)$, where $t=F_k(F_k(m)\oplus r)$; \\
-			(2) output $((m,r,m\oplus t),(r,t))$.
-			
-			$t_1=F_k(m)$, $t_2=F_k(F_k(m)\oplus r)=t$, $t_3=F_k(t\oplus m \oplus t)=F_k(m)$, $t_4=F_k(F_k(m)\oplus r)=t$.
-			
-			\item $\Pi_3$: (1) query $\Mac^3_k(m)$ on any $m\in\{0,1\}^n$ and get the tag $(r,s,t)$, where $t=F_k( F_k(F_k(s) \oplus m)  \oplus r)$ \\
-			(2) output $((m,r,s\oplus t,m),(r,s,t))$.
-			
-			$t_1=F_k(s)$, $t_2=F_k(F_k(s) \oplus m)$, $t_3=F_k(F_k(F_k(s) \oplus m) \oplus r)=t$, $t_4=F_k(t \oplus s \oplus t)= F_k(s)$, $t_5=F_k(F_k(s)\oplus m)$, $t_6=F_k( F_k(F_k(s) \oplus m)  \oplus r)=t$.
-			
-		\end{description}
 	\end{enumerate}
+	We have
+	\[ \Pr[\DLog_{\D, \mathcal{G}}(n)=1] = \Pr[g^x=h] = \Pr[\HashColl_{\A, \mathsf{H}}(n)=1] = \negl(2n) \le \negl'(n)\]
+	And, as we know that the DL problem is hard is $\mathbb{G}$, then we know that these probabilities should be negligible, and so that finding a collision is also hard.
 \end{solution}
 
-\subsection{Exercise 3}
-Let $F$ be a pseudorandom function, $G$ be a pseudorandom permutation, $T$ be a public $n$-bit constant, $k$ be a $n$-bit secret key, $m$ be a $n$-bit message, $IV$ be a $n$-bit random value chosen by the party computing the encryption (resp.~MAC) before each operation. Among the following constructions, determine the ones that would be acceptable and justify your answer. (Your justifications can rely on results that have been presented during the class.)
+
+
+% OK
+\subsection{Exercise 3 (Commitment scheme and batching)}
+
+\copypaste{9}{0}
+
+
+
+\subsection{Exercise 4 (Decisional Diffie-Hellman and \texorpdfstring{$\mathbb{Z}_p^\ast$}{Zp*})}
+
+The goals of this exercise are to define $QR_p$, prove some of its properties, and to show that in some groups DDH and CDH assumptions are conjectured not equivalent, as DDH is easy whereas CDH is conjectured to be hard.
 
 \begin{enumerate}
-	\item $E_k(m):=F_k(m \oplus T)$ as an encryption scheme secure against
-	eavesdropping.
-
-	\item $E_k(m):=G_k(m \oplus T)$ as an encryption scheme secure against eavesdropping.
-	
-	\item $E_k(m):=G_k(m \oplus T)$ as an encryption scheme secure against a CPA-adversary.
-	
-	\item $E_k(m):=(IV,G_k(m \oplus T \oplus IV))$ as an encryption scheme secure against a CPA-adversary.
-
-	\item $\Mac_k(m):=F_k(m \oplus T)$ as a MAC scheme existentially unforgeable under an
-	adaptive chosen-message attack.
-	
-	\item $\Mac_k(m):=(IV,G_k(m\oplus IV \oplus T))$ as a MAC scheme
-	existentially unforgeable under an adaptive chosen-message attack.
-	
+	\item For all element $a$ of $\mathbb{Z}_{11}^*$, compute $a^2 \mod 11$.
+
+	For a prime number $p$, we denote $QR_p$ the set $\{x \in \mathbb{Z}_{p}^* \; | \; \exists a\in \mathbb{Z}_{p}^*, a^2=x\}$, such $x$ are called quadratic residues modulo $p$. Show that if $p$ is odd then $|QR_p|=\frac{p-1}{2}$.
+
+	\item Show that, if $p$ is odd, $QR_p$ is a cyclic group (therefore, $QR_p$ is a subgroup of $\Z^*_p$).
+
+	\item For all element $a$ of $\mathbb{Z}_{11}^*$, compute $a^5 \mod 11$. Show that for any odd prime $p$, $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}}= 1 \mod p$, and that $x \not \in QR_p \Leftrightarrow x^{\frac{p-1}{2}}= -1 \mod p$.
+
+	\item Show that $2$ is a generator of $\mathbb{Z}_{11}^*$. For the following pairs $(a,b)$, compute $g^a, g^b$ and $g^{ab}$ in $\mathbb{Z}_{11}^*$ where $g=2$:
+	\begin{itemize}
+		\item $(2,8)$,
+		\item $(1,4)$,
+		\item $(3,5)$.
+	\end{itemize}
+	Show that for $p$ an odd prime, $g^{ab} \not \in QR_p \Leftrightarrow g^a \not \in QR_p \text{ and } g^b \not \in QR_p$.
+
+	\item Show that DDH does not hold in $\mathbb{Z}_{p}^*$ with $p$ an odd prime.
 \end{enumerate}
+
+
+% TODO rewrite this to use the official proof
 \begin{solution}
-\begin{enumerate}
-\item No, decryption does not work in general, as we do not
-	necessarily know how to invert a PRF.
-	
-\item 	Yes, it is secure.  The reduction to the PRP security can work as follows:
-	the reduction gets $m_0$ and $m_1$ from the eavesdropper
-	adversary, picks a random bit $b$, sends $m_b \oplus T$ to the
-	PRP and receives a value $c$ that it sends back the eavesdropper
-	adversary. This adversary has a probability exactly $1/2$ to
-	guess $b$ if $c$ comes from a random permutation, and a
-	probability $1/2 + \epsilon$ to guess $b$ if $c$ comes from a
-	pseudorandom permutation. The reduction can therefore claim that
-	it sees a PRP every time the adversary makes a successful
-	guess. So, if $F$ is a PRP, $\epsilon$ must be negligible.
-
-\item 	No: it is not probabilistic. CPA security is not achievable with deterministic encryption. 
-
-\item We first observe that the $\oplus T$ does not matter:
-since $T$ is public, the adversary has the possibility to adapt
-its choice of $m$ in order to cancel it.  Now, if we abstract
-from $T$, this is exactly the CBC encryption mode, which we know
-to be CPA-secure.
-\item Again, we observe that the $\oplus T$ does not matter: since
-$T$ is public, the adversary has the possibility to choose exactly
-on which value $F_k$ will be applied. Now, if we abstract from $T$,
-this is exactly the basic MAC scheme from the class, which is secure.
-\item This is insecure. Given one tag $(IV, t)$ on a message
-$m$, the adversary can produce a valid tag $(IV', t)$ on the
-message $m' = m \oplus IV \oplus IV'$ for any $IV'$.
-	
-\end{enumerate}
+	An official solution was given in the exercise session.
+
+	For this exercise we will work with $\Z_{11}^* = \{1,2,3,4,5,6,7,8,9,10\}$
+	\begin{enumerate}
+		\item
+		For all element $a$ of $\Z_{11}^*$, I've calculated $a^2$ mod $11$.
+		\[1^2 = 1 \quad 2^2 = 4 \quad 3^2 = 9 \quad 4^2 = 5 \quad 5^2 = 3 \quad 6^2 = 3 \quad 7^2 = 5 \quad 8^2 = 9 \quad 9^2 = 4 \quad 10^2 = 1\]
+		We see that with $p$ odd, we have $\left|QR_p\right| = \frac{p-1}{2}$. We can show it with this development:
+
+		\item
+		\nosubsolution
+
+		\item
+		For all element $a$ of $\Z_{11}^*$, I've calculated $a^5$ mod $11$.
+		\[1^5 = 3^5 = 4^5 = 5^5 = 9^5 = 1 \qquad 2^5 = 6^5 = 7^5 = 8^5 = 10^5 = 10\]
+		We can see that for $p$ prime, we have $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p$ and  $x \notin QR_p \Leftrightarrow x^{\frac{p-1}{2}} = p-1 \mod p$.
+		\begin{itemize}
+			\item $x \in QR_p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p$:\\
+			We know that \[x \in QR_p \Leftrightarrow \exists a \st x = a^2 \mod p\]
+			So we have now \[x = a^2 \mod p \Leftrightarrow x^{\frac{p-1}{2}} = 1 \mod p\]
+			If we replace $x$ by $a$ we obtain $a^{2^{(\frac{p-1}{2})}} = 1 \mod p$.\\
+			But also more simply $a^{p-1} = 1 \mod p$ which is true by the group theory.
+			\item $x \notin QR_p \Leftrightarrow x^{\frac{p-1}{2}} = p-1 \mod p$:\\
+			We know that \[x \notin QR_p \Leftrightarrow \exists a \st x = a^{1+2n} \mod p\]
+			So we have now \[x = a^{1+2n} \mod p \Leftrightarrow x^{\frac{p-1}{2}} = -1 \mod p\]
+			We replace $x$ by $a$ and we get \[a^{\frac{p-1}{2}} a^{n(p-1)} \mod p = -1 \mod p\]
+			We know that $ a^{n(p-1)} \mod p = 1$, thus we simplify the equation like \[a^{\frac{p-1}{2}} \mod p = -1 \mod p\]
+			We know that $g = a^{\frac{p-1}{2}} \mod p \ne 1 \mod p$ but $g^2 = a^{p-1} = 1 \mod p$. The only solution of these two equations is $g = -1 \mod p$ which is equivalent to
+			\[x^{\frac{p-1}{2}} = p-1 \mod p\]
+		\end{itemize}
+
+		\item
+		The number $2$ is a generator of $\Z_{11}^*$, because ord($2$) $= 10$. In fact, we have $2^1 = 2$, $2^2 = 4$, $2^5 = 10$ and $2^10 = 1$. (Fermat's little theorem)
+		We have $g = 2$ so:
+		\begin{itemize}
+			\item $(2,8):\quad g^2 = 4$, $g^8 = 3$ and $g^{16} = -2$
+			\item $(1,4):\quad g^1 = 2$, $g^4 = 5$ and $g^{4} = 5$
+			\item $(3,5):\quad g^3 = -3$, $g^5 = -1$ and $g^{15} = -1$ TODO
+		\end{itemize}
+		We have to show that $g^{ab} \notin QR_p \Leftrightarrow g^a \notin QR_p \text{ and } g^b \notin QR_p$.\\
+		We know by the definition of the $QR_p$ set that
+		\[g^n \notin QR_p \Leftrightarrow \exists m \st n = 2m+1\]
+		We can thus extract from $g^{ab} \notin QR_p$ that $\exists m \st ab = 2m+1$.
+
+		% not necessary
+		%We can do a proof by contradiction:\newline
+		%If $a = 2v$ then $ab = 2bv$ and can not be equal to $2m + 1$.\\
+		%If $b = 2v$ then $ab = 2av$ and can not be equal to $2m + 1$.\\
+
+		So we are assured that $a$ and $b$ are not pairs, so we have the relation $g^a \notin QR_p \text{ and } g^b \notin QR_p$ if and only if $ab = 2m+1$ which is equivalent to $g^{ab} \notin QR_p$. That was what we had to proof.
+
+		\item
+		We have to show that DDH does not hold in $\Z_p^*$ with p an odd prime number.
+
+		We define an attacker that can see $p$, $g$, $g^a$, $g^b$ and receive $h_b = g^{ab}$ or $g^z$.
+		The behaviour of the attacker will be this one:
+		\begin{itemize}
+			\item It receives $g^a \notin QR_p$ and $g^b \notin QR_p$:\\
+			It will answer in function of $h_b$:
+			\begin{itemize}
+				\item $h_b \notin QR_p$:\\
+				It answers $h_b = g^{ab}$
+				\item $h_b \in QR_p$:\\
+				It answers $h_b = g^z$
+			\end{itemize}
+			\item It receives $g^a \in QR_p$ or $g^b \in QR_p$:\\
+			It answers randomly.
+		\end{itemize}
+		We can identify four cases with their chances of success and appearance (we already know that $\left|QR_p\right|$ is of size $\frac{p-1}{2}$):
+		\begin{enumerate}[a)]
+			\item $g^a \in QR_p$ or $g^b \in QR_p$ appears $3/4$ of the time with success = $1/2$.
+			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^{ab}$  appears $1/8$ of the time with success = $1$.
+			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^z$ and $g^z \in QR_p$  appears $1/16$ of the time with success = $1$.
+			\item $g^a \notin QR_p$ and $g^b \notin QR_p$ with $h_b = g^z$ and $g^z \notin QR_p$  appears $1/16$ of the time with success = $0$.
+		\end{enumerate}
+		We can now recalculate the expected value of success of our attacker:
+		\begin{align*}
+		\mathbb{E}(success) &= \frac{3}{4}\cdot \frac{1}{2} +  \frac{1}{8}\cdot 1 + \frac{1}{16}\cdot 1 + \frac{1}{16}\cdot 0\\
+		&= \frac{1}{2} + \frac{1}{16}
+		\end{align*}
+		This attacker has one sixteenth of probability more than one half which is not a negligible function (in fact it is a constant function). It is not DDH secure.
+	\end{enumerate}
 \end{solution}
+
+
+\subsection{Exercise 5}
+
+\copypaste{8}{1}
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp8.tex b/src/q7/crypto-MAT2450/exercises/tp/tp8.tex
new file mode 100644
index 0000000000000000000000000000000000000000..a4cb3055d80be14457ffc2947821b2fe3dba8e13
--- /dev/null
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp8.tex
@@ -0,0 +1,115 @@
+
+\section{}
+
+% OK
+\subsection{Exercise 1 (Zero knowledge Petersen)}
+
+We work in a group $\mathbb{G}$ of prime order $q$ with generator $g$.
+The Schnorr protocol, used to prove the knowledge of discrete
+logarithm, is (honest-verifier) zero-knowledge. However, the value
+$y=g^x \pmod{p}$ (for a safe prime $p=2q+1$) leaks some information
+about the discrete logarithm $x$ (since for a given generator $g$ of
+order $q$ there is exactly one such $x$ in $\Z_q$). On the
+other hand, the Pedersen commitment is perfectly hiding and thus does
+not reveal information about the committed value. The following
+protocol attempts to merge the both properties i.e., to prove the
+knowledge of a commited value under the Pedersen commitment scheme in
+a zero-knowledge manner.
+
+\emph{The protocol.} The public inputs of the proof are the prime $p$,
+the Pedersen public key $(g, h)$, a security parameter $k$ and a
+(hypothetic) commitment $c\in QR(p)$. The prover's private intputs are
+$x$ and $r$ in $\mathbb{Z}_q$ s.t. $c=g^xh^r$ (mod $p$). The protocol executes as follows.
+\begin{itemize}
+	\item The prover randomly chooses $y,s \in_R \Z_q$ and sends $d=g^yh^s  \pmod{p}$ to the verifier.
+	\item The verifier randomly chooses $e\in_R \bset^k$ and sends it to the prover.
+	\item The prover computes $z=y-ex$ and  $t=s-er$ modulo $q$ and sends it to the verifier.
+	\item The verifier accepts the proof iff $d = c^e g^zh^t
+	\pmod{p}$.
+\end{itemize}
+If the verifier accepts the proof, we say that the conversation $\langle d,e,(z,t) \rangle$ is valid.
+%
+\begin{enumerate}
+	\item Prove the correctness property of this construction.
+
+	\item Assume that an adversary is able to produce two valid responses for two distinct challenges, under the same commit.
+	How can you use this faculty to extract an opening of $c$?
+	Discuss the soundness property of the protocol.
+
+	\item Assume you are able to ``rewind'' an adversarial prover
+	who tries to build a valid conversation. How can you use
+	this faculty to extract an opening of $c$. Which property
+	did you break ? Briefly discuss the soundness property of
+	the protocol.
+
+	\item Show how a valid conversation $\langle
+	d,e,(z,t) \rangle$ can be simulated from $c$, without the use of any
+	private inputs. (Assume that the valid conversation involves
+	honest parties.)
+
+	\item Generalize the process to prove the knowledge of an opening to
+	a multi-Pedersen commitment as in exercise 3.
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item The construction is correct if $Pr[d \neq c^eg^zh^t] \leq \negl(n)$.
+		Let's evaluate this probability:
+		\[ \Pr[d \neq c^eg^zh^t] = \Pr[g^y h^s \neq (g^x h^r)^e g^{y-ex}h^{s-er}]  = Pr[g^yh^s \neq g^y h^r] = 0 \]
+		Then our construction is correct.
+
+		\item When using the same commitment $c=g^xh^r$, if we get two different conversations $(e, z, t)$ and $e', z', t')$, we can recover the private secret $(x, r)$ by doing the following:
+		\[ \begin{cases} z = y - ex \\ z' = y - e'x \end{cases} \Rightarrow x = \frac{z-z'}{e'-e} \]
+		\[ \begin{cases} t = s - er \\ t' = s - e'r \end{cases} \Rightarrow r = \frac{t-t'}{e'-e} \]
+		This means that the adversary $P^*$ should know $x$ and $r$, otherwise he could not build two valid responses for the same commit.
+
+		Does that break the zero-knowledge property?
+		In a sense, no, as in a practical scheme, the commit would be different each time due to a random $r$.
+
+		\item (This answer has not been verified, and looks wrong, but as the subquestion has not been asked this year, I can't verify it.)
+
+		When we get the conversation $(d, e, (z,t))$, we can ``rewind'' the conversation to submit another e' and get new z' and t'. Therefore we can obtain the private key (x,r) by doing those calculations:
+		\[ \begin{cases} z = y - ex \\ z' = y - e'x \end{cases} \Rightarrow x = \frac{z-z'}{e'-e} \]
+		\[ \begin{cases} t = s - er \\ t' = s - e'r \end{cases} \Rightarrow r = \frac{t-t'}{e'-e} \]
+		We broke the zero-knowledge property since the verifier can extract the private key using such power.
+
+		According to the assistants, since it is not zero-knowledge, there is no point of discussing the soundness property.
+
+		\item It is easy to show, with honest parties, how we can simulate from $c$ a new valid conversation:
+		\begin{enumerate}
+			\item We pick $e$, $z$ and $t$ randomly.
+			\item We evaluate $d \define c^e z^z h^t$.
+		\end{enumerate}
+
+		\item To generalize the process, we have:
+		\begin{itemize}
+			\item pk = $g^x_1$, ..., $g^x_n$, h
+			\item sk = $x_1$, ..., $x_n$, r
+			\item c = $g^x_1 \cdot ... \cdot g^x_n \cdot h^r$
+		\end{itemize}
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 2 (Schnorr ZKP with faulty PRG)}
+
+Let us study what happens when the prover of a Schnorr ZKP uses a faulty random generator. this generator is used to choose the secret $\alpha$ used to generate the commitment $c=g^\alpha$, where $g$ is a generator of the group. Assuming that the prover made two proofs, one with secret $\alpha_0$, and the other one with secret $\alpha_1=a \alpha_0 + b$, how can you reciver the secret witness, knowing the public values, the transcripts of the proofs, $a$ and $b$?
+
+
+\begin{solution}
+	We then have
+	\[ \begin{cases} g^r = g^{\alpha_0} \\ e \\ f = \alpha_0 + ex \pmod q \end{cases} \qquad \text{and} \qquad \begin{cases} g^{r'} = g^{\alpha_1}=g^{a\alpha_0+b} \\ e' \\ f' = a \alpha_0 + b + e'x \pmod q \end{cases} \]
+	Then, we can immediately infer
+	\[af-f' = aex - b - e'x\]
+	\[x=\frac{a\cdot f-f'+b}{a\cdot e-e'}.\]
+	And also, $\alpha_0=f-e\cdot x$.
+\end{solution}
+
+
+
+\subsection{Exercise 3 (Commitment scheme and batching)}
+
+\copypaste{9}{0}
+
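Review bot: The conclusion of item 3, `We broke the zero-knowledge property since the verifier can extract the private key using such power.` (and the follow-up `since it is not zero-knowledge, there is no point of discussing the soundness property`), inverts the two properties: recovering $(x,r)$ from two accepting transcripts that share the first message $d$ and have distinct challenges $e\neq e'$ is the knowledge extractor, so it establishes special soundness / proof of knowledge, and it does not break zero-knowledge because a real verifier cannot rewind the prover — only the extractor in the security argument can. I would replace that sentence with `Rewinding yields the knowledge extractor: a prover able to answer two distinct challenges on the same $d$ knows an opening $(x,r)$ of $c$, so the protocol is a proof of knowledge (special soundness); zero-knowledge is untouched, since an honest verifier cannot rewind.` The same argument silently divides by $e'-e$ in $\Z_q$, so it presumably also needs the challenges to differ modulo $q$ (e.g. $2^k\le q$), which is worth stating next to the extraction formulas. Two further slips in this solution: the simulator of item 4 reads `d \define c^e z^z h^t` but must be `d \define c^e g^z h^t` (this is exactly the verifier's check, so the tuple is accepted and, with $e$ uniform and $z,t$ uniform in $\Z_q$, is distributed like an honest transcript), and the correctness computation of item 1 ends in `Pr[g^yh^s \neq g^y h^r] = 0` where the right-hand exponent should be `h^s` for the equality to hold.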
diff --git a/src/q7/crypto-MAT2450/exercises/tp/tp9.tex b/src/q7/crypto-MAT2450/exercises/tp/tp9.tex
new file mode 100644
index 0000000000000000000000000000000000000000..74be44f26f7fdcf427e925920f8ca4ff6c5e11c7
--- /dev/null
+++ b/src/q7/crypto-MAT2450/exercises/tp/tp9.tex
@@ -0,0 +1,337 @@
+
+\section{}
+
+\subsection{Exercise 0 (Commitment scheme and batching)}
+% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
+
+By design secure public-key encryption schemes are perfectly binding commitment schemes (which are also computationally hiding, why?).
+Then, if perfect hiding property is not a concern, do commitment schemes really consist of a new usefull cryptographic building block?
+This exercise aims to build a perfectly hiding commitment scheme which supports a \emph{batching} property that encryption schemes
+cannot achieve.
+
+Let $p$ be a prime and let $g \in QR(p)$ be an element of prime order $q>2^l$.
+We let $G$ denote the group generated by $g$ and we let $I$ denote the set of integers $\{1,\dots, q\}$.
+Fix $n$ random values $g_1,\dots, g_n \in G$ and define the commitment function $\Com\colon I^n \mapsto G$ by
+\[\Com(x_1,\dots, x_n\,; r) = g^r g_1^{x_1}g_2^{x_2}\cdots g_n^{x_n}\]
+\begin{enumerate}
+	\item Describe formally the commitment scheme. Discuss its efficiency and its correctness.
+	\item Show that the scheme is computationally binding assuming that DLog is intractable in $G$.
+	That is, show that an adversary computing two openings of a commitment $c$ for random
+	$g,g_1,\dots, g_n \in G$ can be used to compute discrete-log in $G$.
+
+	\emph{Hint:} given a pair $g, h \in G$ your goal is to find an $\alpha \in \mathbb{Z}_q$ such that $g^\alpha = h \mod p$.
+	Choose $g_1,\dots, g_n \in G$ so that two valid openings will reveal $\alpha$.
+	\item Show that the scheme results in a perfectly hiding commitment on several messages. Compare the size of the construction
+	with respect to an encryption (viewed as a commitment) of all these messages.
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item
+		We define $\Pi\define\langle \Gen, \Com, \Open \rangle$ as:
+		\begin{itemize}
+			\item $\Gen(1^n, 1^l)$ sets $pk$ as $(p,q,g)$ where $q > 2^l$ ang $g$ has order $q$ modulo $p$ (since $\phi(p)$ is even, that means that $g \in QR(p)$).
+			\item $\Com_{pk}(x_1, \ldots, x_n)$ provides $(c,d)$ where:
+			\begin{itemize}
+				\item $c \define g^r g_1^{x_1} g_2^{x_2} \cdots g_n^{x_n}$ (for a random $r \in \Z_q$)
+				\item $d \define (r,x_1,\dots,x_n)$
+			\end{itemize}
+			\item $\Open_{pk}(c,d)$ outputs $(x_1, \dots, x_n)$ if it can recompute $c$ from $d$ and $pk$,
+			or $\bot$ otherwise.
+		\end{itemize}
+		We can see that there are different possible $x_1, \dots, x_n$ that are valid.
+		If we fix $x_2, \dots, x_n$,
+		there is an $x_1$ such that $g_1^{x_1} = c / (g^r g_2^{x_2} \cdots g_n^{x_n})$
+		so there is $q^n$ possible opening.
+		However, it is not easy to find for a PPT algorithm.
+
+		I should maybe have defined $d \define (r, x_1, \dots, x_n)$ because here it is weird because $\Open$ can have different outputs.
+		\item %\textcolor{red}{Olivier : pas trop d'accord avec ce qu'ils disent.}
+
+		For two random $g, h$, we need to find $x$ such that $g^x=h$.
+		For this task, we have access to an adversary $\A_\Pi$ against our scheme $\Pi$ that can find $(c, d_0, d_1)$ with different $(c, d_0)$ and $(c, d_1)$ that have valid openings.
+
+		Pick a random $j$ and set $g_{i} = h = g^x$ if $i=j$, or $g_i = g^{\alpha_i}$ for random $\alpha_i$ if $i\neq j$.
+		We need to pick a random $j$ so that $\A_\Pi$ has no idea where we've put the $h$ (the adversary may also be adversarious against us!).
+		From the point of view of $\A_\Pi$, everything looks like it should.
+		From $c = g^rg_1^{x_1} \cdots g_n^{x_n} = g^{r'}g_1^{x_1'} \cdots g_n^{x_n'}$, and $d_0=(r, x_1, \dots, x_n)$ and $d_1=(r', x'_1, \dots, '_n)$ generated by $\A_\Pi$, we get
+		\[ r + \alpha_1 x_1 + \dots + x x_j + \dots + \alpha_n x_n \equiv r' + \alpha_1 x_1' + \dots + x x_j' + \dots + \alpha_n x_n' \pmod{q} \]
+		so we get
+		\[ x \equiv \frac{ r' - r + \sum_{i=1\\i \neq j}^n (x_i' - x_i) \alpha_i}{x_j-x_j'} \pmod{q} \]
+		We know that for at least one $i^*$, $x_i \neq x_i'$ so we have $\frac{1}{n}$ chance that $i^*=j$ and $x_{j} \not\equiv x_{j}' \pmod{q}$.
+		If this is the case, we can find the inverse of $(x_{j} - x_{j}')$ and solve the $\DLog$ problem.
+
+		\item
+		As r is randomly selected in $\Z_q$ and g generates G, $g^rg_1^{x_1} \dots g_n^{x_n}$ could be any element of G, whatever the values of ($g_1,\dots,g_n$) and ($x_1,\dots,x_n$) so the commitment looks random and is thus perfectly hiding.
+
+		The size is $n$ times smaller.
+		However, there is a difference in the ``negligibility level'' of the two constructs.
+		We may thus need a bigger group for this scheme than for a standard encryption scheme in $QR_p$.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 1 (Jan 2011 evaluation)}
+% This practical session was entirely corrected by the teaching assistants so, there is no need to correct the solutions.
+
+The Digital Signature Standard (DSS, also often called DSA) is one of
+the most commonly used signature algorithms. Its three algorithms
+$\Gen$, $\mathsf{Sign}$ and $\Vrfy$ work as follows.
+\begin{itemize}
+	\item $\Gen$: on input $1^n$, select prime integers $p$ and $q$ such
+	that $|q|=n$, $q | (p-1)$ and $q^2 \not | \, (p-1)$, together with an
+	integer $g$ that generates the subgroup of $\Z_p^*$ of prime
+	order $q$. Also choose a hash function $H\colon \bset^* \mapsto
+	\Z_q$. Then, select $x \pick \Z_q$ uniformly at
+	random, and compute $y \define g^x \mod p$. The public key is $\langle H,
+	p, q, g, y\rangle$, and the private key is $\langle x\rangle$.
+	\item $\Sign$: in order to sign the message $m \in \{0,1\}^*$, choose
+	$k \pick \Z_q^*$ uniformly at random and set $r \define [g^k
+	\mod p] \mod q$. Then, compute $s \define (H(m) + xr) \cdot k^{-1} \mod
+	q$, and output the signature $(r,s)$.
+	\item $\Vrfy$: compute $u_1 \define H(m)\cdot s^{-1} \mod q$ and $u_2 \define r
+	\cdot s^{-1} \mod q$, and output 1 if and only if $r = [g^{u_1} y^{u_2} \mod p] \mod q$.
+\end{itemize}
+
+\begin{enumerate}
+	\item Show the correctness of the DSS algorithm.
+	\item
+	As randomness is an expensive resource, it is proposed to select
+	the random value $k$ once and for all, and to sign all messages
+	using that value of $k$. Is this variant of DSS secure?
+
+	\emph{(Hint: see what you can deduce from the signature of two
+		different messages.)}
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item We show the correctness (if the signature is well formed, it is accepted).
+		\begin{align*}
+			[g^{u_1} y^{u_2} \mod p] \mod q = &[g^{H(m)\cdot s^{-1}} (g^x)^{r
+				\cdot s^{-1}} \mod p] \mod q,\\
+			= &[g^{(H(m)+rx)	\cdot s^{-1}} \mod p] \mod q,\\
+			= &[g^{k} \mod p] \mod q,\\
+			= &r .
+		\end{align*}
+
+		\item As the same $k$ was used for two signatures, we have the valid signatures $(r,s_1)$ where $s_1 \define (H(m_1) + xr) \cdot k^{-1} \mod
+		q$ and $(r,s_2)$ where $s_1 \define (H(m_2) + xr) \cdot k^{-1} \mod
+		q$. Now, we consider the quotient of $s_1$ divided by $s_2$ (the operations are modulo $q$), in order to cancel the part depending on $k$, note that we can do it with two signatures only because the same $k$ is reused:
+		\[\frac{s_1}{s_2}=\frac{(H(m_1) + xr) \cdot k^{-1}}{(H(m_2) + xr) \cdot k^{-1}}=\frac{H(m_1) + xr}{H(m_2) + xr} .\]
+		This is equivalent to: $s_1 (H(m_2) + xr)= s_2 (H(m_1) + xr)$, then:
+		\[xr= \frac{s_1 H(m_2) - s_2 H(m_1)}{s_2-s_1}.\]
+		Finally, dividing by $r$ we get $x$ which is the secret key. As with non negligible probability (when the denominators are non null we can perform the operations described below) we can get $x$ and sign any other message, this variant of DSS is non secure.
+	\end{enumerate}
+
+	Alternative solution:
+
+	\begin{enumerate}
+		\item
+		$(r, s) = ([g^k \pmod{p}] \pmod{q}, [H(m) + xr]k^{-1} \pmod{q})$, then:
+		$u_1 = H(m)s^{-1} \pmod{q}$,  $u_2 = rs^{-1} \pmod{q}$, $r = [g^{u_1} g^{u_2} \pmod{p}] \pmod{q}$, $y = g^x$
+
+		\[\Rightarrow g^{u_1 + xu_2} = g^{s^{-1}(H(m) + rx)} = [g^k \pmod{p}] \pmod{q} = r\]
+
+		\item
+		$s = (H(m) + xr)k^{-1} \pmod{q}$, $s' = (H(m') + xr)k^{-1} \pmod{q}$ ($s \neq s'$ otherwise we have a collision).
+		$s - s' = (H(m) - H(m'))k^{-1} \pmod{q}$, $k = \frac{H(m) - H(m')}{s - s'}$.
+		$s = (H(m) + xr)k^{-1}$ so $\frac{sk - H(m)}{r} = x$ where x is the secret.
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise 2 (RSA permutation with modulus 221)}
+
+Suppose we decide to use an RSA permutation with modulus $221$, we consider RSA encryption scheme, and RSA signature.
+\begin{enumerate}
+	\item What is the smallest non trivial public exponent $e$ than can be
+	chosen?
+	\item Can we choose $e=11$? What is the corresponding private exponent $d$? Give the public and private key of the corresponding RSA encryption scheme.
+	\item Compute $c \define 219^e \pmod{221}$.
+	\item Verify that $c^d = 219 \pmod{221}$ as expected.
+	\item How Alice (owning the private key) could sign a message $m$? Sign the message $m=3$ (hint: $22^7= 61 \pmod{221}$).
+	\item Is $160$ a valid signature for $m=218$?
+	% \emph{Hint: use the square and multiply algorithm.}
+\end{enumerate}
+
+
+\begin{solution}
+	We suggest you to use a calculator to do this exercise, the assistants said we could (pour faire taire les rageux).
+	\begin{enumerate}
+		\item
+
+		First we have to find $\phi$(221). As 221 is not a prime, we must find $p$ and $q$ such that $221 = pq$. After a few try, we find $p = 13$ and $q = 17$. Wet get then $\phi(221) = (p-1)(q-1) = 192$.
+
+		The searched smallest $e$ should respect the condition $gcd(192, e) = 1$. Again, after a few try, we find $e = 5$.
+		\item \textbf{Could we choose $e = 11$ ?}
+
+		Yeah, since 11 is a prime, then $gcd(192, 11) = 1$.
+
+		\textbf{What is the corresponding private exponent d ?}
+		\[ ed = 1 \pmod{192}\] \[11d = 1 \pmod 192\] \[d = \frac{192k + 1}{11}\]
+		If we take k=2, we find $d = 35$.
+
+		\textbf{Give the public and private key of the corresponding RSA encryption scheme}
+
+		pk = $(221, 11)$
+		sk = $(221, 35)$
+		\item
+		\begin{itemize}
+			\item $219^{1} = -2 $
+			\item $219^{2} = 4  $
+			\item $219^{4} = 16 $
+			\item $219^{5} = -32$
+			\item $219^{10} = 140$
+			\item $219^{11} = 162$
+		\end{itemize}
+		\item
+		\begin{itemize}
+			\item $162^{1} = -59 $
+			\item $162^{2} = -55 $
+			\item $162^{4} = -69 $
+			\item $162^{5} = 93 $
+			\item $162^{6} = 38 $
+			\item $162^{7} = -32 $
+			\item $162^{35} = -2 = 219 $
+		\end{itemize}
+		\item
+
+		According the scheme described in the slides, $\Sign_{(N, d)}(m) \define [m^d mod N]$
+
+		\textbf{Sign the message m = 3}
+		\begin{itemize}
+			\item $3^{1} = 3 $
+			\item $3^{2} = 9 $
+			\item $3^{4} = 81 $
+			\item $3^{5} = 22 $
+			\item $3^{35} = 61 $ (using the hint given)
+		\end{itemize}
+		\item
+		Let's calculate (yipie)
+		\begin{itemize}
+			\item $218^{1} = -3 $
+			\item $218^{2} = 9 $
+			\item $218^{4} = 81 $
+			\item $218^{5} = -22 $
+			\item $218^{35} = -61 = 160$
+		\end{itemize}
+		Yes it is a valid signature
+	\end{enumerate}
+\end{solution}
+
+
+
+% OK
+\subsection{Exercise 3 (Derandomizing signatures)}
+
+\copypaste{10}{2}
+
+
+
+% OK
+\subsection{Exercise 4}
+
+Let $f$ be a one-way permutation on $\bset^\lambda$.
+Consider the following signature scheme for messages in the set
+$\{1,\dots,\,n\}$, where $n\in\mathsf{poly}(\lambda)$: \vspace{3mm}
+
+\begin{enumerate}
+	\item To generate keys, choose $x\pick \bset^\lambda$ at random
+	and set $y \define f^n(x)$. The public key is $y$ and the private key is $x$.
+	\item To sign message $i\in\{1,\dots,\,n\}$, output $f^{n-i}(x)$
+	(where $f^0(x)\stackrel{\mbox{\small def}}{=}x$).
+	\item To verify signature $\sigma$ on message $i$ with respect to
+	public key $y$, check whether $y\stackrel{?}{=}f^i(\sigma)$.
+\end{enumerate}
+
+\begin{enumerate}
+	\item Show that the above is not a one-time signature scheme. Given
+	a signature on a message $i$, for what messages $j$ can an
+	adversary output a forgery?
+	\item Prove that no PPT adversary given a signature on $i$
+	can output a forgery on any message $j>i$ except with negligible
+	probability.
+	\item Suggest how to modify the scheme so as to obtain a one-time
+	signature scheme.
+
+	\emph{Hint: include two values $y,\,y'$ in the public key.}
+\end{enumerate}
+
+
+\begin{solution}
+	\begin{enumerate}
+		\item
+		A has $(i, \sigma(i))$ with $\sigma (i) = f^{n-i} (x)$. We know (because $f$ is a permutation function) that:
+		\[f(\sigma(i)) = f^{n-i+1}(x) = f^{n-(i-1)}(x) = \sigma(i-1)\]
+		Then it's possible to compute a valid forgery for every $j < i$. The scheme is then not a one time-signature.
+		\item
+		Need schema drawn at TP !! It's a lot simpler with it\dots
+
+		$\Pr[\text{Success}_{\A_\sigma}] = \negl(\lambda)$, $\Pr[\text{Abort}] = \frac{n-k}{n}$, $\Pr[\text{Success}] = \frac{n-k}{n-m-1}$ then:
+		\[\Pr[\text{Success}_{\A_{owf}}] = \negl(\lambda) \frac{n-k}{n} \frac{n-k}{n-m-1}\]
+
+		If $\negl(\lambda)$ is not negligible, then the probability of success is not negligible.
+		\item
+		We have $s_k = (x, x')$, $p_k = (f^n(x), f^n(x'))$.
+		Then $m \rightarrow \sigma = (f^{n-m}(x), f^m(x'))$.
+
+	\end{enumerate}
+\end{solution}
+
+
+
+\subsection{Exercise X (Jan 2011 evaluation)}
+
+Consider the following one-time signature scheme $\Pi \define \langle \Gen,
+\Sign, \Vrfy\rangle$, parameterized by a PPT function $f\colon \bset^*
+\mapsto \bset^*$.
+\begin{itemize}
+	\item $\Gen$: on input $1^n$, select $(x_0,x_1) \leftarrow
+	\bset^n\times \bset^n$ uniformly at random, compute $(y_0,y_1) \define
+	(f(x_0),f(x_1))$ and output the pair $(pk,sk) \define
+	((y_0,y_1),(x_0,x_1))$.
+	\item $\Sign$: the signature $\sigma$ of the bit $m$ is $x_m$.
+	\item $\Vrfy$: on input $(m,\sigma)$, output 1 iff $y_m = f(\sigma)$.
+\end{itemize}
+
+Show that if $\Pi$ is existentially unforgeable under a single-message
+attack, then $f$ is a one-way function.
+
+
+\begin{solution}
+	Two solution have been proposed. (Actually they are the same but with a different explanation)
+	\begin{itemize}
+		\item
+		Let's show that if $f$ is not one way, then $\Pi$ is not existentially unforgeable.
+		Let $\A$ be the inverter of $f$, we will build $\A'$ that builds an existential forgery with non-negligible probability.
+
+		\begin{itemize}
+			\item $\A'$ receives $pk = (y_0, y_1)$
+			\item $\A'$ ask the signature of 0 and gets $\sigma$, he does not really care about it
+			\item $\A'$ gives $y_0$ (or $y_1$) to $\A$ which outputs $x_0$ (or $x_1$) with non-negligible probability.
+			\item $\A'$ outputs $(0,x_0)$ (or $(1, x_1)$)
+		\end{itemize}
+		Since $y_1$ is the image of a random $x_1$, we are exactly in the inverting experiment so $f(x_1') = y_1$
+		with probability $\Pr[\Invert_{\A,f}(n) = 1]$.
+
+		We know that
+		\[
+		\Pr[\Sigforgeone_{\A',\Pi}(n) = 1] = \Pr[\Invert_{\A,f}(n) = 1]
+		\]
+		\item
+		Let assume that $f$ is not one way function $y = f(x)$.
+		Then, we can recover $x$ with a non negligible probability $\epsilon_x (n)$.
+
+		So, $(y_0, y_1) \Rightarrow (x_0, x_1)$ with probabilities $(\epsilon_{x_0} (n), \epsilon_{x_1} (n))$.
+		We cannot compute a pre-image by asking the oracle. So I output $(0, x_0)$ and $(1, x_1)$ as a forgery.
+
+		The probability $\Pr[\Sigforge_{\A,\Pi}(n)=1]= \Pr[f^{-1}(\cdot)_{Inv,f(\cdot)}(n)=1] \leq \epsilon(n)$. As $\Pi$ is supposed to be existentially unforgeable under a single-message attack, then $\epsilon(n)$ is negligible and this implies that f is a one-way function.
+	\end{itemize}
+\end{solution}
+
+