FC08 Assignment 2

From Theory
Jump to: navigation, search

Back to CS 8803FC - Foundations of Cryptography. Spring 2008.

Problem 1: One-way functions.

Let <math>f_{mult}:\{0,1\}^*\rightarrow\{0,1\}^*</math> be the function defined by <math>f_{mult}(x,y)= x\cdot y</math>.

(1) Prove that assuming the factoring assumption is true, <math>f_{mult}</math> is a weak one-way function. (Hint: Use Chevyshev's Theorem on density of primes).

(2) Use the weak one-way function <math>f_{mult}</math> to construct a strong one-way function. Prove that your construction satisfies the definition of strong one-wayness without referencing the general hardness amplification theorem.

Problem 2: Averaging argument.

Let <math>A</math> be a (possibly probabilistic) algorithm, and let <math>f:\{0,1\}^*\rightarrow\{0,1\}^*</math> be a function. Suppose that there exists <math>\alpha(\cdot)</math> such that for every <math>n\in N</math>,

<math>Pr[A(x)=f(x)]\geq \alpha(n)</math>, where the probability is over <math>x\in_R \{0,1\}^n</math> and over the random coin tosses of <math>A</math>.

For any <math>\epsilon(\cdot)</math> and for any <math>n \in N</math>, let <math>S_n=\{x\in\{0,1\}^n: Pr [A(x)=f(x)]\geq \alpha(n)-\epsilon(n)\}</math>, where the probability is over the random coin tosses of <math>A</math>.

Prove that <math>Pr[x\in S_n] \geq \epsilon(n)</math>, where the probability is over <math>x\in_R \{0,1\}^n</math>.

Problem 3: Number Theory.

(1) The Diffie-Hellman problem is as follows: Given input <math>(p,q,g,g^x,g^y)</math> where <math>p</math> is a safe prime, i.e. <math>p</math> is a prime of the form <math>2q+1</math> where <math>q</math> is prime, <math>g</math> is a generator of a subgroup of order <math>q</math> in <math>Z_p</math>, and <math>x,y \in Z_q</math> compute the element <math>g^{xy} \bmod p</math>.

The Square problem is as follows: Given input <math>(p,q,g,g^x)</math> where <math>p</math> is a safe prime , i.e. <math>p</math> is a prime of the form <math>2q+1</math> where <math>q</math> is prime, <math>g</math> is a generator of a subgroup of order <math>q</math> in <math>Z_p</math>, and <math>x \in Z_q</math>, compute the element <math>g^{x^2} \bmod p</math>.

Show that the Diffie-Hellman and the Square problem are polynomial-time equivalent. In other words, show that an algorithm that solves the Square problem can be used to solve the Diffie-Hellman problem (with at most a polynomial amount of extra work) and vice-versa.

(2) Suppose <math>p>2</math> is a prime and <math>g</math> and <math>h</math> are both generators of <math>Z_p^*</math>. Prove or disprove the following statements:

A: <math>\{g^x \bmod p\}_{x\leftarrow Z_p^*} = \{g^{xy} \bmod p\}_{x,y \leftarrow Z_p^*}</math>

B: <math>\{g^x \bmod p\}_{x\leftarrow Z_p^*} = \{h^x \bmod p\}_{x\leftarrow Z_p^*}</math>

C: <math>\{g^x \bmod p\}_{x\leftarrow Z_p^*} = \{x^g \bmod p\}_{x\leftarrow Z_p^*}</math>

D: <math>\{x^g \bmod p\}_{x\leftarrow Z_p^*} = \{x^{gh} \bmod p\}_{x\leftarrow Z_p^*}</math>

(Recall that <math>\{g^x \bmod p\}_{x\leftarrow Z_p^*}</math> is a probability distribution. To show that two distributions are identical prove that each of member of one distribution occurs with same probability in both the distribution. To show they are not identical, give a counter example, by finding a member in one distribution, which occurs with different probability in the two distributions.)

Problem 4: Computational and statistical indistinguishability.

Two distribution ensembles <math>\{X_n\}, \{Y_n\}</math> are statistically close if their statistical difference is negligible, where their statistical difference is defined as


(1) Prove that <math>\{X_n\}, \{Y_n\}</math> are statistically close if and only if for every set <math>S\subseteq \{0,1\}^*</math>,

<math>\delta_S(n)= |Pr[X_n\in S]-Pr[Y_n\in S]|</math>

is negligible in n.

(Hint: Prove that the statistical difference between <math>X_n, Y_n</math> equals <math>\max_S\{\delta_S(n)\})</math>.

(2) Prove that if two ensebmles are statistically close then they are computationally indistinguishable.

(3) Let <math>\{X_n\}, \{X_n'\}, \{Y_n\}, \{Y_n'\}</math> be four distribution ensembles such that <math>\{X_n\}\approx\{Y_n\}</math> and <math>\{X_n'\}\approx\{Y_n'\}</math>, where <math>\approx</math> denotes computational indistinguishability. Prove that <math>\{X_n\circ X_n'\}\approx\{Y_n\circ Y_n'\}</math>.

(Hint: use the triangle inequality, along with the fact that the adversary/distinguisher is a non-uniform machine, and thus can "hardwire" advice.)