Foundations of Cybersecurity (Winter 16/17) saarland
university
Prof. Dr. Michael Backes
CISPA / Saarland University computer science
Solution of Exercise Sheet 6
1 Perfect Secrecy
Answer the following questions. Provide arguments for why your answers are correct!
(3 points) (a) Consider a symmetric encryption scheme with E(k, m) = 1 for every message
m and every key k. Does this scheme provide perfect secrecy?
Solution:
Yes, it does! Given two different messages m and m0 , the encryption scheme
E satisfies the condition for perfect secrecy:
P r[c = 0|k ← K, c ← E(k, m)] = 1 = P r[c = 0|k ← K, c ← E(k, m0 )]
(2 points) (b) Does DES with key-length k satisfy perfect secrecy for messages with length
larger than k?
Solution:
In the proof of optimality of the OTP, we have seen that the keyspace needs
to be at least as big as the message space in order to guarantee perfect
secrecy. This implies that messages of length k + 1 cannot be encrypted by
a k-bit key in a way that perfect secrecy is achieved.
(2 points) (c) Alice uses the same key k to encrypt two messages m1 and m2 to get ciphertexts
ci = E(k, mi ) = k ⊕ mi . Eve later manages to learn the message m2 in addition
to both ciphertexts c1 and c2 . Show how Eve can reconstruct m1 with the
available information.
Solution:
Since Eve knows m2 , she can reconstruct the key by xor-ing c2 with m2 , i.e.
c2 ⊕ m2 = k ⊕ m2 ⊕ m2 = k.
She can the retrieve the message m1 with
c1 ⊕ k = k ⊕ m1 ⊕ k = m1 .
(2 points) (d) Suppose you have a randomly chosen key k of length n to encrypt your messages.
Unfortunately, you do not have enough to communicate and your message m
1/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
only has length n − 2. You decide to pad your message with some additional
bits. Does the resulting encryption scheme E1 with
E1 (k, m) = k ⊕ (01 || m), m ∈ {0, 1}n−2 , k ∈ {0, 1}n
provide perfect secrecy?
(Note: x || y is the concatenation operator that combines the two strings
x and y to one string.)
Solution:
E1 does indeed provide perfect secrecy. Intuitively, as the key is chosen
randomly, the last bit of E1 is always random. The rest of E1 is an OTP,
which already provides perfect secrecy.
(3 points) (e) Suppose you have a message m of length n, but you can only generate random
keys of length k and l with k + l = n − 1. You decide to generate two random
keys and combine them with an additioanl bit. Does the resulting encryption
scheme E2 with
E2 (k1 , k2 , m) = (k1 || 0 || k2 ) ⊕ m, m ∈ {0, 1}n , k1 ∈ {0, 1}k , k2 ∈ {0, 1}l
provide perfect secrecy?
Solution:
E2 corresponds to an OTP where an intermediate bit of the key is fixed.
Thus, the corresponding bit of the ciphertext only depends on the chosen
message. For two messages m0 and m1 that differ in this intermediate bit
the probability that some c ∈ C is the output of E2 (k, m0 ) is not equal to
the probability that c is the output of E2 (k, m1 ). More specifically, c can
only be the output of the encryption of a message where the last bit of c
and the message are the same.
A suitable counterexample for E2 could be: m0 = 000, m1 = 111. For
every key combined k = k1 || 0 || k2 , the second bit of E2 (k, m0 ) is 0
and the second bit of E2 (k, m1 ) is 1. Given a ciphertext c, e.g., c = 110,
Pr [c = c0 : k ← K, c0 = E2 (k, m1 )] = 0, while Pr [c = c0 : k ← K, c0 = E2 (k, m1 )] =
1
2 > 0.
2 Encryption Schemes and Perfect Secrecy
Consider the following encryption scheme. Let M := {0, 1} and C := {1, 2, 3} denote
the set of plaintexts and ciphertexts, respectively. The key generation algorithm K
randomly selects a key from {1, 2, 3}. Let the encryption algorithm E be defined by
the following table:
2/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
m E(1, m) E(2, m) E(3, m)
0 3 2 1
1 2 1 3
(5 points) (a) Give a decryption function D such that (K, E, D) constitutes a correct encryption
scheme with message space M and ciphertext space C.
Solution:
One possible decryption function is the following:
c D(1, c) D(2, c) D(3, c)
1 ⊥ (∗) 1 0
2 1 0 ⊥ (∗)
3 0 ⊥ (∗) 1
Notice that the entries marked with a star (∗) are not fixed by the correctness
property of encryption. However, decryption is defined as a function from
C to M ∪ {⊥}, so one needs to specify these values to get a function.
The distinguished error symbol ⊥ is the typical choice here, however this
is not enforced by the definition of a symmetric encryption scheme (see
Definition 1.1 in the lecture notes), so any other value in M is also fine.
(8 points) (b) Does your scheme have perfect secrecy? Explain why or give a counterexample.
Solution:
To prove that this scheme provides perfect secrecy, one simply checks that,
for any c ∈ C, m ∈ M, the following holds:
h
R
i 1 1
Pr c = c0 ; K ← K, c0 ← E(K, m) = = .
|K| 3
Since this value does not depend on m, we have that for all m0 , m1 ∈ M
and for all c ∈ C
h i h i
R R
Pr c = c0 ; K ← K, c0 ← E(K, m0 ) = Pr c = c0 ; K ← K, c0 ← E(K, m1 ) .
As desired, this is the definition of perfect secrecy.
3 Imperfect Randomness
Consider a random source that outputs bits b1 , b2 , . . . that are uncorrelated but
biased, i.e., for all i = 1, 2, . . ., Pr [bi = 0] = 1 − Pr [bi = 1] = p for some 0 < p < 1.
We now use the following method to obtain unbiased bits: First, take two bits from
the source. If they are identical, throw them away and take the next two bits from
the source. Continue until the bits you obtain are (0, 1) or (1, 0). Output 0 in the
first case and 1 in the second case. Repeat the whole process by taking two bits
3/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
again from the source.
(3 points) (a) What is the probability that you throw away your two bits?
Solution:
We add the probabilities that both bits have the same value. Since Pr [b = 0] =
p, we get a probability of p2 for getting 00, and a probability of (1 − p)2 for
11.
(7 points) (b) Prove that the output c1 , c2 , . . . of the above method are unbiased coins, i.e.,
Pr [ci = 1] = Pr [ci = 0] = 1/2 for all i = 1, 2, . . ..
(Hint: Consider the conditional probabilities Pr [c = 0 | method outputs a bit]
and Pr [c = 1 | method outputs a bit], where c is the output of the method above.
You can find a refresher on conditional probabilities here:
http://www.stat.yale.edu/Courses/1997-98/101/condprob.htm)
Solution:
We calculate the probability that the algorithm, on input b1 , b2 , outputs a
specific bit c. More formally,
Pr [c = 0 | outputs a bit ] = Pr [c = 0 | b1 6= b2 ]
Pr [c = 0 ∧ b1 6= b2 ]
=
Pr [b1 6= b2 ]
Pr [b1 = 0 ∧ b2 = 1]
=
Pr [b1 6= b2 ]
p(1 − p)
=
p(1 − p) + (1 − p)p
1
= .
2
This also implies that Pr [c = 1 | outputs a bit ] = 12 , thus the output of
the above method is unbiased.
4 Perfect Secrecy for Two-time Key Use
In the lecture notes we have given the definition of perfect secrecy for the case that
the adversary sees the encryption of a single message: namely, for all m0 , m1 ∈ M
and for all c ∈ C, we have
Pr c = c0 ; k ← K, c0 ← E(k, m0 ) = Pr c = c0 ; k ← K, c0 ← E(k, m1 ) .
(8 points) (a) Formulate a definition of perfect secrecy for the case that the adversary sees the
encryption of two messages (using the same key k).
(Hint: You should have messages m0 , m1 , m00 , m01 in your definition.)
4/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
Solution:
This is probably the toughest exercise on the sheet, so let’s step through
this slowly. Recall the intuition behind the definition of perfect secrecy
above: For any ciphertext c that the adversary sees, the probability that
this ciphertext c is the encryption of some message m0 with a random key is
equal to the probability that it is the encryption of some message m1 with
a random key (i.e., c contains any plaintext with equal likelihood.)
So, to define perfect secrecy in the case the adversary sees two ciphertexts
c0 and c1 , encrypted using the same key, we would like to say this: the
probability that c0 is the encryption of some message m0 and that c1 is
the encryption of some message m1 , with the same random key, is equal to
the probability that c0 is the encryption of some message m00 and c1 is the
encryption of some message m01 , with the same random key (which may be
different from the random key used to encrypt m0 and m1 .)
Hence, the most natural solution is the following: A cipher (E, D) provides
perfect secrecy for two-time key use iff for all m0 , m1 , m00 , m01 ∈ M and for
all c0 , c1 ∈ C the following holds:
h i
R
P c0 = c00 ∧ c1 = c01 ; k ← K, c00 ← E(k, m0 ), c01 ← E(k, m1 )
h i
R
= P c0 = c00 ∧ c1 = c01 ; k ← K, c00 ← E(k, m00 ), c01 ← E(k, m01 )
Intuitively, this means that no adversary can tell which two plaintexts have
been encrypted, seeing the two ciphertexts.
(7 points) (b) Assume your encryption scheme is deterministic, i.e. for a given message m and
key k it always produces the same ciphertext c. Show that such a deterministic
encryption scheme cannot satisfy your definition in part (a).
(Hint: Consider the case that some messages of m0 , m1 , m00 , m01 are equal.)
Solution:
Since our above definition of perfect secrecy for two-time key use must hold
for all messages m0 , m1 , m00 , m01 and all ciphertexts c0 , c1 , we only need
to find one instantiation of these messages and ciphertexts for which the
above definition cannot hold, in order to prove that the definition cannot be
fulfilled by any encryption scheme.
So, let us choose any m0 = m00 = m1 6= m01 . Additionally, let us fix some
key k 0 and choose c0 = c1 = E(k 0 , m0 ).
5/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
Then, if encryption is deterministic, we will show that the following holds:
h
R
i 1
P c0 = c00 ∧ c1 = c01 ; k ← K, c00 ← E(k, m0 ), c01 ← E(k, m1 ) ≥ > 0,
|K|
(1)
but
h i
R
P c0 = c00 ∧ c1 = c01 ; k ← K, c00 ← E(k, m00 ), c01 ← E(k, m01 ) = 0. (2)
This violates the definition given in (a), and so no deterministic encryption
scheme can fulfill our definition of perfect secrecy for two-time key use.
Intuitively, what this means, and what we will show below, is that if the
adversary sees a ciphertext c0 = c1 , the probability that it is the encryption
of a message m0 and also the encryption of an identical message m1 is
non-zero, but the probability that it is the encryption of a message m00 and
at the same time the encryption of a different message m01 is 0.
First, consider equation (1). We know that c0 = c1 = E(k 0 , m0 ). Since
m0 = m1 , we also have that c00 = c01 = E(k, m0 ) for a randomly chosen k.
Clearly, if encryption is deterministic and k = k 0 , we get that c0 = c00 ∧c1 = c01 .
The event that k = k 0 happens with probability 1/|K|, which is why we
know that the probability given in equation (1) is at least 1/|K| (which is
strictly greater than 0). For example, if E was the one-time pad, then the
probability would be exactly 1/|K|. However, in general, we can only say that
it is greater or equal than 1/|K|, because there are encryption schemes that
produce the same ciphertext with different keys. (For example, imagine an
encryption scheme where the key is one bit longer than the message, and
encryption/decryption simply ignore the last bit of the key and otherwise
operate like the one-time pad; this may be useless, but it shows that there
exist encryption schemes where different keys map to the same ciphertext.
For this particular encryption scheme, the probability given in equation (1)
would be 2/|K|.)
Next, consider equation (2). Recall once more that c0 = c1 = E(k 0 , m0 ).
We also have that c00 = E(k, m00 ) and c01 = E(k, m01 ), where m00 6= m01 , for
a randomly chosen k. By the correctness of the encryption scheme, we
thus know that c00 6= c01 , because they encrypt different messages with the
same key (i.e., if encryption mapped two different messages with the same
key to the same ciphertext, then decryption, which is necessarily always
determinisic, could not be unambiguously defined, contradicting correctness.)
We consider two cases: this case distinction is exhaustive, i.e., one of these
cases always holds true.
• c0 = c00 : In this case, then since we also know that c0 = c1 and that
c00 6= c01 , we get that c1 6= c01 . Hence, in this case the probability of the
event c0 = c00 ∧ c1 = c01 in equation (2) is 0.
6/7
Foundations of Cybersecurity (Winter 16/17) Solution for Exercise Sheet 6
• c0 6= c00 : Actually, in this case we are already done since the probability
of the event c0 = c00 ∧ c1 = c01 is obviously 0.
Thus, we find that the probability given in equation (2) is 0.
Finally, we see that the probabilities given in equations (1) and (2) are
different, which concludes the proof.
7/7