Assignment1

The document outlines Problem Set 1 for the COL759 Cryptography course, detailing instructions for group submissions, typesetting requirements, and the structure of the assignment divided into theoretical and coding questions. It includes specific problems related to perfect two-time security, pseudorandom generators, related-key attacks, and constructing pseudorandom functions. The assignment is due on August 28, 2023, and encourages students interested in theoretical cryptography to attempt specific questions.

Uploaded by

Anant Chhajwani
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
10 views12 pages

Assignment1

The document outlines Problem Set 1 for the COL759 Cryptography course, detailing instructions for group submissions, typesetting requirements, and the structure of the assignment divided into theoretical and coding questions. It includes specific problems related to perfect two-time security, pseudorandom generators, related-key attacks, and constructing pseudorandom functions. The assignment is due on August 28, 2023, and encourages students interested in theoretical cryptography to attempt specific questions.

Uploaded by

Anant Chhajwani
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 12

COL759 Cryptography Semester 1, 2023-24

Problem Set 1
Instructor: Venkata K Due Date: 28 August 2023

Instructions:

• Assignment must be done in groups of size at most 2. Each group must submit one
pdf on Gradescope, and mention the partner’s name (if any).

• The questions are divided into two parts. The first section (Part A.) consists of four
theoretical questions (32 marks). In the second part, you can either attempt the
coding questions (in Part B.1.) or the theoretical question (in Part B.2.). In case
both sections are attempted, we will consider the higher score.

• All solutions must be typeset in LaTeX. For the coding questions, provide a brief
explanation of your approach and upload the relevant files on Gradescope.

• Students who are interested in a BTP/MTP in theoretical cryptography are strongly encouraged to attempt the theoretical question (Part B.2.).

• (Optional) Discuss how much time was spent on each problem. This will not be used
for evaluation. We will use this for calibrating future assignments.

Notations:

• $\{0,1\}^{\le \ell}$ denotes the set of all strings of length at most $\ell$. For any string $x \in \{0,1\}^{\ell}$ and $i \in \{1, \ldots, \ell\}$, $x[i]$ denotes the $i$th bit of $x$.

• x || y denotes the concatenation of x and y.

1-1
Part A. (32 marks)
1. Perfect Two-time Security (7 marks)
In class, we saw that Shannon’s one-time pad satisfies perfect one-time security. We also briefly discussed in class that no encryption scheme with deterministic encryption can satisfy perfect two-time security (even with key space much larger than the message space). In this problem, we will see how to use randomness to achieve almost-perfect two-time security.

First, let us define $\varepsilon$-perfect two-time security. A symmetric-key encryption scheme $\mathcal{E} = (\mathsf{Enc}, \mathsf{Dec})$ with message space $\mathcal{M}$, key space $\mathcal{K}$ and ciphertext space $\mathcal{C}$ satisfies $\varepsilon$-perfect two-time security if any adversary $\mathcal{A}$ has winning probability at most $1/2 + \varepsilon$ in the following security game:

• The adversary $\mathcal{A}$ sends two pairs of messages $(m_{0,0}, m_{0,1})$ and $(m_{1,0}, m_{1,1}) \in \mathcal{M}^2$.
• The challenger chooses a uniformly random key $k \leftarrow \mathcal{K}$ and a bit $b \leftarrow \{0,1\}$. It computes $ct_0 \leftarrow \mathsf{Enc}(k, m_{b,0})$ and $ct_1 \leftarrow \mathsf{Enc}(k, m_{b,1})$ and sends $(ct_0, ct_1)$.
• The adversary sends a guess $b'$ and wins if $b = b'$.

We say that the scheme satisfies perfect two-time security if any adversary $\mathcal{A}$ has winning probability equal to $1/2$.

(a) Prove that no symmetric-key encryption scheme can satisfy the perfect two-time security definition (even if the encryption algorithm is allowed to be randomized). You must describe your adversary $\mathcal{A}$ in detail, and compute its winning probability in the above security game. You can assume the message space is $\{0,1\}^{\ell_1}$, the key space is $\{0,1\}^{\ell_2}$ and the randomness used for encryption is drawn from $\{0,1\}^{\ell_3}$.

Interestingly, we can construct encryption schemes that are $\varepsilon$-perfect two-time secure, for any $\varepsilon > 0$! For simplicity, we will fix $\mathcal{M} = \{0,1\}^{\ell}$, and we would like to achieve $O(2^{-\ell})$-perfect two-time security. In order to construct such an encryption scheme, we will use pairwise independent hash functions.

Definition 1 (Pairwise Independent Hash Function) A pairwise independent hash function family $\mathcal{H}$ is a set of keyed functions $\{h_k : \mathcal{X} \to \mathcal{Y}\}_{k \in \mathcal{K}}$ that satisfies the following property: for any distinct $x_0, x_1 \in \mathcal{X}$ and any $y_0, y_1 \in \mathcal{Y}$,
$$\Pr_k\left[h_k(x_0) = y_0 \wedge h_k(x_1) = y_1\right] = \frac{1}{|\mathcal{Y}|^2}.$$

We will see how to construct such hash functions later in the course.

(b) Let $\mathcal{H}$ be a pairwise independent hash function family with key space $\mathcal{K}$, input space $\{0,1\}^{\ell}$ and output space $\{0,1\}^{\ell}$. Use $\mathcal{H}$ to construct an encryption scheme with message space $\{0,1\}^{\ell}$ such that the scheme satisfies $O(2^{-\ell})$-perfect two-time security. (Note: your encryption scheme must be stateless.) You must provide a detailed proof of security, including appropriate hybrid experiments.

2. Secure/Insecure PRGs and PRFs (8 marks)
(a) Let $\mathcal{G} = \{G_n : \{0,1\}^n \to \{0,1\}^{3n}\}_{n \in \mathbb{N}}$ be a secure pseudorandom generator family. Consider the following function families derived from $\mathcal{G}$. For each of them, either prove that the function family is a secure PRG, or disprove by showing a polynomial time attacker. For proving security, it suffices to provide an informal argument (no need to give a reduction).

i. $\mathcal{G}' = \{G'_n : \{0,1\}^{2n} \to \{0,1\}^{3n}\}_{n \in \mathbb{N}}$, where

$G'_n(s_1 \,\|\, s_2) = G_n(s_1) \wedge G_n(s_2).$

Here $\wedge$ denotes the bitwise AND operation.

ii. $\mathcal{G}' = \{G'_n : \{0,1\}^{2n} \to \{0,1\}^{3n}\}_{n \in \mathbb{N}}$, where

$G'_n(s_1 \,\|\, s_2) = G_n(s_1) \oplus G_n(s_2).$

Here $\oplus$ denotes the bitwise XOR operation.

(b) Let $\mathcal{F} = \{F_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ be a family of secure pseudorandom functions. Consider the following keyed function families derived from $\mathcal{F}$. For each of them, either prove that the function family is a secure PRF, or disprove by showing a polynomial time attacker. For proving security, it suffices to provide an informal argument (no need to give a reduction).

i. $\mathcal{F}' = \{F'_n : \{0,1\}^n \times \{0,1\}^{2n} \to \{0,1\}^n\}_{n \in \mathbb{N}}$ where

$F'_n(k, (x_1, x_2)) = F_n(k, x_1) \oplus F_n(k, x_2).$

ii. $\mathcal{F}' = \{F'_n : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}_{n \in \mathbb{N}}$ where

$F'_n(k, x) = F_n(k, x) \oplus x.$

3. PRG Security does not imply Related-Key-PRG Security (7 marks)
Whenever a PRG is used, the seed must be chosen afresh. However, sometimes, the seed is re-used with minor modifications, and this could lead to security attacks. Such attacks have been implemented in practice (against the RC4 stream cipher). First, let us formally define security with respect to related-key attacks (we will look at a special form of related-key attacks, although the security game can be modified to capture other related-key attacks).

Let $\mathcal{G} = \{G_n : \{0,1\}^n \to \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ be a family of deterministic length-expanding functions. We will define PRG security against related-key attacks via the following security game between a challenger and an adversary:

PRG security w.r.t. Related Key Attacks

• Challenger picks a uniformly random bit $b \leftarrow \{0,1\}$ and a seed $s \leftarrow \{0,1\}^n$.
• The adversary makes polynomially many queries to the challenger. For each query, the challenger does the following:
  – if $b = 1$, it picks a uniformly random string $y \leftarrow \{0,1\}^{\ell(n)}$ and sends it to $\mathcal{A}$. If $b = 0$, it first computes $y = G_n(s)$ and sends $y$ to the adversary.
  – it updates $s$ as follows: interpret $s$ as a number in $\{0, 1, \ldots, 2^n - 1\}$, set $s = s + 1 \bmod 2^n$.
• After polynomially many queries, the adversary sends its guess $b'$ and wins if $b = b'$.

Figure 1: Security game for capturing related-key attacks against PRGs

We say that $\mathcal{G}$ is secure against related-key attacks if, for any p.p.t. adversary $\mathcal{A}$, there exists a negligible function $\mu$ such that for all $n$,
$$\Pr\left[\mathcal{A} \text{ wins the above game against } \mathcal{G}\right] \le \frac{1}{2} + \mu(n).$$

Let $\mathcal{G} = \{G_n : \{0,1\}^n \to \{0,1\}^{3n}\}_{n \in \mathbb{N}}$ be a secure pseudorandom generator. Use $\mathcal{G}$ to construct a new length-expanding function $\mathcal{G}'$ (with appropriate input and output space) such that $\mathcal{G}' = \{G'_n\}_{n \in \mathbb{N}}$ is a secure PRG, but not secure against related-key attacks.

(a) Describe $\mathcal{G}'$ in terms of $\mathcal{G}$. You can choose appropriate input and output space for $G'_n$; the function must be length-expanding.
(b) Describe the related-key attack against $\mathcal{G}'$, and analyze the adversary’s winning probability.
(c) Show that if there exists a p.p.t. adversary $\mathcal{A}$ that breaks the PRG security of $\mathcal{G}'$, then there exists a p.p.t. reduction algorithm $\mathcal{B}$ that breaks the PRG security of $\mathcal{G}$.

4. Constructing PRFs from PRGs (10 marks)
In class, we saw that pseudorandom functions can be used to build pseudorandom generators. The converse also holds, and we will explore this direction below. Let $\mathcal{G} = \{G_n : \{0,1\}^n \to \{0,1\}^{2n}\}_{n \in \mathbb{N}}$ be a length-doubling secure pseudorandom generator family. We will use $\mathcal{G}$ to construct a pseudorandom function family
$$\mathcal{F} = \{F_n : \{0,1\}^n \times \{0,1\}^{\log n} \to \{0,1\}^n\}_{n \in \mathbb{N}}$$
as follows:

PRG → PRF
The PRF evaluation using key $k \in \{0,1\}^n$, on input $x \in \{0,1\}^{\log n}$ is defined as follows:
1. Let $s = k$. For $i = 1$ to $\log n$, do the following:
   a. Compute $(s_0, s_1) = G_n(s)$, where $s_0$ and $s_1$ are both $n$-bit strings.
   b. Set $s = s_{x[i]}$.
2. Output $s$.

Figure 2: Constructing PRF using PRG
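The Figure 2 tree walk in code, as an added example that is not part of the problem set: the PRG $G_n$ is a SHA-256-based stand-in assumed here for illustration only, and the input length is left as a parameter so the same function covers the $\log n$-bit inputs of Figure 2 and the $n$-bit inputs of Part 4(b).

```python
import hashlib

N_BYTES = 16  # n = 128 bits: key, PRG seed and PRF output are all n bits


def prg(seed: bytes) -> tuple:
    """Stand-in for the length-doubling PRG G_n (n bits -> 2n bits).
    Assumed here for illustration: two SHA-256 calls with distinct labels,
    truncated to n bits each, returned as the halves (s0, s1)."""
    if len(seed) != N_BYTES:
        raise ValueError("seed must be n bits")
    s0 = hashlib.sha256(b"G-left|" + seed).digest()[:N_BYTES]
    s1 = hashlib.sha256(b"G-right|" + seed).digest()[:N_BYTES]
    return s0, s1


def ggm_prf(key: bytes, x: str) -> bytes:
    """Figure 2 evaluation F_n(k, x): descend the binary tree rooted at k,
    taking child x[i] at level i.  |x| = log n gives Figure 2 exactly;
    |x| = n gives the extension mentioned in Part 4(b).  Each evaluation
    costs |x| PRG calls even though the tree has 2^|x| leaves."""
    if len(key) != N_BYTES or any(c not in "01" for c in x):
        raise ValueError("key must be n bits and x a bit string")
    s = key                           # step 1: s = k
    for bit in x:                     # for i = 1 .. |x|
        s0, s1 = prg(s)               # 1a: (s0, s1) = G_n(s)
        s = s1 if bit == "1" else s0  # 1b: s = s_{x[i]}
    return s                          # step 2: output s


if __name__ == "__main__":
    k = bytes(range(N_BYTES))         # constructed sample key
    for x in ("000", "001", "111"):
        print(x, ggm_prf(k, x).hex())
```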

(a) Prove that $\mathcal{F}$ is a secure pseudorandom function, assuming $\mathcal{G}$ is a secure pseudorandom generator. First, carefully define the hybrid experiments for your proof. Then, show that the consecutive hybrids are computationally indistinguishable, assuming security of $\mathcal{G}$.
(b) The above construction can be easily extended to support input space $\{0,1\}^n$. This construction is also secure, but would your proof from Part 4a work for this construction?
(c) The above construction can also be easily modified to support input space $\{0,1\}^*$. For completeness, we provide this modified construction in Figure 3 below.

PRG → PRF: variable length inputs
The PRF evaluation using key $k \in \{0,1\}^n$, on input $x \in \{0,1\}^*$ is defined as follows:
1. Let $s = k$, and let $\ell$ denote the length of $x$. For $i = 1$ to $\ell$, do the following:
   a. Compute $(s_0, s_1) = G_n(s)$, where $s_0$ and $s_1$ are both $n$-bit strings.
   b. Set $s = s_{x[i]}$.
2. Output $s$.

Figure 3: A candidate PRF construction for handling variable length inputs

This construction is not secure. Present a polynomial time adversary that breaks the above PRF construction, and calculate the winning probability of your adversary.
(d) Modify the construction in Figure 3 so that the resulting scheme has input domain $\{0,1\}^*$, key space $\{0,1\}^n$, output space $\{0,1\}^n$, and it satisfies PRF security. You can assume the existence of a secure PRG family $\mathcal{G} = \{G_n : \{0,1\}^n \to \{0,1\}^{\ell(n)}\}_{n \in \mathbb{N}}$ where $\ell$ is a suitably chosen polynomial. Informally explain briefly why your construction is plausibly secure. You don’t need to provide a formal proof here (although there exist constructions with provable security; see Question Part B.2.).

Part B. Coding/Theoretical Problems (8 marks)
Part B.1. Coding Problems
1. CRIME Attack (4 marks)
The CRIME attack is a notable example of how seemingly unrelated elements, like
compression and encryption, can interact to create vulnerabilities that attackers can
exploit.

Context: The HTTP protocol is one of the most widely used protocols over the Internet. This protocol is stateless, and therefore if a server and client must interact over multiple messages in one session, the client stores the state in the form of cookies, and includes this as part of the client message. Quite often, these cookies contain sensitive information, and therefore, the server and client’s messages must be encrypted. This is achieved via the HTTPS protocol, which is an extension of the HTTP protocol. At a very high level, the server and the client share a secret key k.[1] Whenever the client wants to send a message cmsg, it first appends the current cookie, then encrypts “cookie || cmsg” using k. The server decrypts this ciphertext using k, then computes its response and then sends the encrypted response. The client receives this ciphertext, decrypts it, and then updates its cookie, and computes the next message. For simplicity, let us assume the client’s cookie is not updated throughout the interaction.

Certain protocols came up with the following optimization. Instead of sending an encryption of “cookie || cmsg”, they instead suggested the use of a (lossless) compression algorithm to first compress “cookie || cmsg”, and then encrypt the resulting compressed string. The server then first decrypts the ciphertext, then runs the decompression algorithm. While this does result in noticeably shorter ciphertexts (and hence lower communication cost), it opens up a serious vulnerability, which was called the CRIME (Compression Ratio Info-leak Made Easy) attack.

The adversary’s goal, and the adversary’s power: The adversary’s goal is to learn the ‘cookie’. It cannot break the encryption. However, the adversary has the power to influence what cmsg is sent. We will not discuss how the adversary manages to influence cmsg.[2]
To simplify the setup, we will assume the adversary can get an encryption of the compressed string compress(cookie || cmsg) for any cmsg of its choice. The important thing to note here is that, depending on the cmsg, the size of the compressed string may vary, and as a result, the size of the ciphertext will vary! This leaks information about the cookie. In particular, if cmsg contains a substring of the cookie, then the compressed string is shorter. Using this, the adversary can query for sufficiently many cmsg strings, and based on the size of the compressed string, learn the entire cookie.

[1] We will discuss later in the course how the server and client arrive at a common shared key.
[2] This is beyond the scope of this course; however, you are encouraged to read about the CRIME attack.

Problem Description: You need to implement the CRIME attack to find the
‘cookie’. The length of the ‘cookie’ is fixed to be 24 bytes for this assignment. The
attack is based on the properties of the compressor being used.

Files Given: You are given the following python files on Teams (COL759 A1 Coding1.zip):

• encrypt.py:
– This file has a 24-byte secret ‘cookie’ and a 16-bit key for the AES scheme hard-coded into it.
– It has a function called encrypt(m), which takes a string m containing only [a-z] and returns the encrypted bytes using the key and the secret ‘cookie’.
– This script can be used to generate ciphertexts with the given key and the secret ‘cookie’. You can use it to check the correctness of your code.
• attack.py:
– You are required to implement the attack function in this file.
– It is supposed to return the ‘cookie’ which is used during the encryption (as a string).
– You are allowed to make calls to the encrypt(m) function of encrypt.py.

Instructions:

• You would need to install the python3 and pycryptodome python packages to
run the given files. Installation instructions can be found on this link.
• You are only required to submit attack.py on Gradescope in the Assignment1
Coding1 assignment, with your implementation of attack(). You don’t need to
submit any other files. All test cases are public; you should be able to find the
number of test cases that your code passes on Gradescope.
• Provide a high-level description of your approach in the pdf submission.

Hint: You are expected to try various configurations for your attack in order to find
some heuristic which works for all test cases - in reality cryptanalysis requires a lot of
manual effort as well!
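The length side channel described above, as an added example that is not the assignment’s encrypt.py or attack.py: zlib (DEFLATE) stands in for the lossless compressor, the cookie is a constructed sample value, and the last function shows the mitigating arrangement in which secret and attacker-influenced data never share one compression context.

```python
import zlib

COOKIE = b"abcdefghijklmnopqrstuvwx"   # constructed 24-byte sample secret


def compressed_len(cookie: bytes, cmsg: bytes) -> int:
    """Length of compress(cookie || cmsg).  Encryption adds only a fixed or
    block-rounded overhead, so the ciphertext length tracks this number and
    that is exactly what an observer of the ciphertexts learns."""
    return len(zlib.compress(cookie + cmsg))


def length_gap(cookie: bytes, matching: bytes, unrelated: bytes) -> int:
    """Bytes saved when cmsg repeats a cookie substring: DEFLATE replaces the
    repeat with a short back-reference instead of emitting the literals.
    A 3-byte overlap saves only about 12 bits and may round away in the byte
    count, which is why the assignment's hint speaks of heuristics."""
    return compressed_len(cookie, unrelated) - compressed_len(cookie, matching)


def separate_contexts_len(cookie: bytes, cmsg: bytes) -> int:
    """Mitigation: compress the secret and the attacker-influenced part in
    separate contexts (or not at all), so the total size no longer depends
    on whether cmsg overlaps the cookie."""
    return len(zlib.compress(cookie)) + len(zlib.compress(cmsg))


if __name__ == "__main__":
    good = COOKIE[:12]            # cmsg that repeats a 12-byte cookie prefix
    bad = b"xwvutsrqponm"         # same length, shares no 3-byte substring
    print("bytes leaked by shared context:", length_gap(COOKIE, good, bad))
    print("separate contexts:", separate_contexts_len(COOKIE, good),
          separate_contexts_len(COOKIE, bad))
```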

2. Attack on 2DES encryption (4 marks)

Data Encryption Standard (DES) is a symmetric-key encryption scheme that was developed by IBM in the 1970s. Over the years, its susceptibility to numerous attacks, particularly brute-force attacks, has been revealed. Consider the following variant of the DES scheme used in our problem:

• DES.Enc(m, k): This is the encryption function. In our case, the key k is restricted to be of n = 20 bits. DES can only handle messages whose length is a multiple of 64 bits.
• DES.Dec(ct, k): This is the decryption function. The key k is restricted to be of n = 20 bits. The input ciphertext ct must have a length that is a multiple of 64 bits.

A variant of the DES scheme known as 2DES attempts to enhance security by applying
2 rounds of DES Encryption sequentially. In this problem, our attack will be on the
2DES scheme defined below:

• 2DES.Enc(k = (k1 , k2 ), m) = DES.Enc(k2 , DES.Enc(k1 , m))


• 2DES.Dec(k = (k1 , k2 ), ct) = DES.Dec(k1 , DES.Dec(k2 , ct))

Unfortunately, as discussed in class, the above 2DES scheme does not provide any extra security over the original DES protocol due to the “meet in the middle” attack on 2DES. You are required to implement this attack.
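The meet-in-the-middle idea in code, as an added example that does not use the assignment’s des.py: a constructed 16-bit toy cipher with 12-bit keys replaces DES so the whole search finishes in a fraction of a second, and the double encryption follows the 2DES definition above.

```python
KEY_BITS = 12            # toy key size n; the assignment's 2DES uses n = 20
BLOCK_MASK = 0xFFFF      # 16-bit blocks (DES uses 64-bit blocks)
ROUNDS = 4


def _subkey(key: int, r: int) -> int:
    # 0x9E37 is odd, so key * 0x9E37 mod 2^16 differs for every key
    return ((key * 0x9E37) >> (r * 3)) & BLOCK_MASK


def toy_encrypt(key: int, block: int) -> int:
    """Constructed 16-bit add-rotate-xor toy cipher; NOT DES, just invertible."""
    x = block & BLOCK_MASK
    for r in range(ROUNDS):
        x = (x + _subkey(key, r)) & BLOCK_MASK
        x = ((x << 5) | (x >> 11)) & BLOCK_MASK       # rotate left by 5
        x ^= (key ^ (r * 0x1357)) & BLOCK_MASK
    return x


def toy_decrypt(key: int, block: int) -> int:
    x = block & BLOCK_MASK
    for r in reversed(range(ROUNDS)):
        x ^= (key ^ (r * 0x1357)) & BLOCK_MASK
        x = ((x >> 5) | (x << 11)) & BLOCK_MASK       # rotate right by 5
        x = (x - _subkey(key, r)) & BLOCK_MASK
    return x


def double_encrypt(k1: int, k2: int, m: int) -> int:
    """2DES.Enc((k1, k2), m) = Enc(k2, Enc(k1, m)), with the toy cipher."""
    return toy_encrypt(k2, toy_encrypt(k1, m))


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the given (m, c) pairs using
    2 * 2^n cipher calls and a 2^n-entry table, instead of 2^(2n) trials."""
    m0, c0 = pairs[0]
    # Forward half: tabulate Enc(k1, m0) for every k1.
    forward = {}
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, m0), []).append(k1)
    # Backward half: Dec(k2, c0) must equal some tabulated middle value.
    found = []
    for k2 in range(1 << KEY_BITS):
        for k1 in forward.get(toy_decrypt(k2, c0), ()):
            # One 16-bit block leaves ~2^(2n-16) false matches; the remaining
            # pairs filter them, as extra (m, c) pairs would for real 2DES.
            if all(double_encrypt(k1, k2, m) == c for m, c in pairs[1:]):
                found.append((k1, k2))
    return found


if __name__ == "__main__":
    k1, k2 = 0x123, 0xABC                           # constructed sample keys
    pairs = [(m, double_encrypt(k1, k2, m)) for m in (0x0001, 0x1234, 0xBEEF)]
    print(meet_in_the_middle(pairs))                # contains (0x123, 0xABC)
```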
Files Given: You are given the following python files on Teams COL759 A1 Coding2.zip:

• des.py:
– It has three functions. The first one is key_gen(index), which takes an index and returns the corresponding key. For example, if n (the number of bits of the key) = 2 then there would be 4 keys, so you can access these 4 keys by giving indices from 0 to 3.
– The second function is encrypt(key, message), which takes a key and a string message and returns the encrypted message using a single DES.
– The third function is decrypt(key, message), which takes a key and a ciphertext and returns the message corresponding to this ciphertext using decryption of single DES.
– You can use these functions to implement the attack.
• attack.py:
– You are required to implement the attack(message, ciphertext) function in this file, which takes a message and the corresponding ciphertext generated using 2DES.
– It is supposed to return the two keys which are used during the encryption (as a tuple). So for example, if the keys are key1, key2 (key1 is used first and then key2) then you have to output (key1, key2) and not (key2, key1) or anything else.

– You are allowed to make calls to encrypt(key, message) and decrypt(key, CT)
functions of des.py.

Instructions:

• You would need to install the python3 and pycryptodome python packages to run the given files. Installation instructions can be found on this link.
• You are only required to submit attack.py, with your implementation of attack(message, ciphertext). You don’t need to submit any other files.
• Submit the attack.py file on Gradescope in the Assignment1 Coding2 assignment.
• Your submission will be checked on multiple key pairs and on multiple messages. All test cases will be public.

Part B.2. Theoretical Problem (8 marks)
Provide a detailed security proof for your PRF construction in Question 4d. As a first
step, understand the security proof for the construction in Question 4b (you can refer to
Theorem 4.10 in the textbook for this). Next, use a similar argument and show that your
construction in Question 4d is secure, assuming G is a secure PRG.

