Answers to the Exercises

2. Symmetric-Key Encryption
1. If all keys are equal, then C0 = 0 . . . 0 or C0 = 1 . . . 1.
We consider for example the bits at the positions
2,3,5,7,9,11,13,15,16,18,20,22,24,26,28,1 of C0 and denote this sequence
by b1 , b2 , . . . , b16 .
Bit bi appears as bit number 5 in ki , i = 1, . . . , 16. Thus we have b1 =
b2 = . . . = b16 , because all keys are equal. Additionally we consider the
positions 3,4,6,8,10,12,14,16,17,19,21,23,25,27,1,2 of C0 . The i-th bit in
this sequence is the 24th bit of ki . Thus all bits at these positions are
equal. Position 3 appears in both cases. Thus all bits of C0 are equal.
Similar arguments show that D0 = 0 . . . 0 or D0 = 1 . . . 1.
We obtain the four weak keys by combining the possible values of C0 and
D0 . If we apply P C1 to the four rows
01 01 01 01 01 01 01 01
FE FE FE FE FE FE FE FE
1F 1F 1F 1F 0E 0E 0E 0E
E0 E0 E0 E0 F 1 F 1 F 1 F 1
we see that the four rows are the weak keys of DES. Note that P C1 is a
permutation on 56 bits. The bits in the positions 8,16,24,32,40,48,56,64
are not used.
2. a. Note that k yields ki , if k yields ki and that E(x) = E(x). Thus
f (x, k) = P (S(E(x) ⊕ k)) = P (S(E(x) ⊕ k)) = f (x, k)
and
ϕi (x, y) = (x ⊕ fi (y), y)
= (x ⊕ f (y, k i ), y)
= (x ⊕ f (y, ki ), y)
= (x ⊕ fi (y), y)
= (x ⊕ fi (y), y)
= ϕi (x, y).
2 Answers to the Exercises

Hence we get
DESk (x) = IP −1 (ϕ16 (µ(ϕ15 (. . . µ(ϕ2 (µ(ϕ1 (IP (x))))) . . .))))
= IP −1 (ϕ16 (µ(ϕ15 (. . . µ(ϕ2 (µ(ϕ1 (IP (x))))) . . .))))
..
.
= IP −1 (ϕ16 (µ(ϕ15 (. . . µ(ϕ2 (µ(ϕ1 (IP (x))))) . . .))))
= DESk (x).
b. DES(k, x) = y implies
DES(k, x) = DES(k, x) = DES(k, x) = y.
Assume c = DESk (m) and c̃ = DESk (m̃) are known.
Choose k ′ and compute y = DES(k ′ , m).
i. If y = c̃, then the key is k ′ .
ii. If y = c, then the key is k ′ .
Thus, we can test the two keys k ′ and k ′ with one encryption.
3. Let f : {0, 1}n −→ {0, 1}n be a permutation, x1 an initial value and
x1 , x2 , . . . the sequence obtained by applying f . Then there exists an i
with f (xi+1 ) ∈ {x1 , . . . , xi }. Let j be the first i with this property. Since
f is a permutation f (xi ) = x1 . Otherwise an element would have two pre-
images. (x1 , . . . , xj ) is a cycle of f . The average period of the key stream
is the average length of a cycle of a randomly selected permutation.
Let S = {0, . . . , k} and
Cm = {c | c is an cycle of length m of a permutation on S}.
A fixed cycle of length m appears in (n − m)! permutations. The number
of different cycles (x1 , . . . , xm ) is k(k−1)...(k−m+1)
m . Thus
k!
|Cm | = .
m
Let Cm,l = {c ∈ Cm | c contains l}. Totally there appear k! elements in
cycles of length m. Each element l is equally likely to appear. Thus
k!
|Cm,l | =
k
(independent of m and l). The average number of cycles of length m
containing l over all permutations is k1 . We get as average over all cycle-
lengths
∑k
m k+1
= .
m=1
k 2
For n = 2k we get an average cycle-length of 2n−1 + 21 .

Introduction to Cryptography by H. Delfs and H. Knebl

 3. Public-Key Cryptography 3

3. Public-Key Cryptography

2. By the Chinese remainder theorem we have

Z∗n ∼
= Z∗p × Z∗q

and µ decomposes into

(µ1 , µ2 ) : Z∗p × Z∗q −→ Z∗p × Z∗q , (x1 , x2 ) 7−→ (xe1 , xe2 )

µ is an isomorphism if and only if µ1 , µ2 are isomorphisms. Now

µ1 : Z∗p −→ Z∗p , x 7−→ xe

and
µ2 : Z∗q −→ Z∗q , x 7−→ xe
are isomorphisms if and only if gcd(e, p − 1) = 1 and gcd(e, q − 1) = 1.
This implies the assertion.
3. Let g be a primitive root in Z∗p .

Exp : Zp−1 −→ Z∗p , α 7−→ g α

is an isomorphism of groups. Let k ∈ N, x ∈ Z∗p and xk = 1. Then x = g ν

and xk = g νk . Hence p − 1 divides νk. This implies

|{x ∈ Z∗p | xk = 1}| = |{ν ∈ Zp−1 | νk ≡ 0 mod (p − 1)}|

p−1
= |{ l | 1 ≤ l ≤ d}| = d,
d
where d = gcd(k, p − 1).
Now Z∗n ∼
= Z∗p × Z∗q and xe−1 = 1 if and only if (xe−1
1 , xe−2
2 ) = (1, 1),
where x1 = x mod p and x2 = x mod q. This implies

|{x ∈ Z∗n | RSAe (x) = x}| = gcd(e − 1, p − 1) gcd(e − 1, q − 1).

4. Compute λ = ed − 1, λ = 2t m, m odd. λ is a multiple of φ(n). Thus

[aλ ] = 1 for all [a] ∈ Z∗n . Let
{
Wn := [a] ∈ Z∗n am ≡ 1 mod n
i
}
or there is an i, 0 ≤ i ≤ t − 1, with a2 m ≡ −1 mod n .

i+1
Let [a] ∈/ Wn . Then there is an i, 0 ≤ i ≤ t − 1, with a2 m ≡ 1 mod n
i i
and a2 m ̸≡ ±1 mod n. Then [a2 m ] and [1] are square roots of [1], and the

⃝H.
c Delfs and H. Knebl
4 Answers to the Exercises

factors of n can be computed by the Euclidean algorithm (Lemma A.63).

Let Wn := Z∗n \ Wn be the complement of Wn . Then |Wn | ≥ φ(n) 2 (see
below). Hence, choosing a random [a] ∈ Z∗n we can compute the factors
of n in this way with probability ≥ 1/2, since [a] is not in Wn with a
probability ≥ 1/2. Repeating the random choice t-times, if necessary, we
can increase the probability of success to ≥ 1 − 2−t .
It remains to show that |Wn | ≥ φ(n)
2 .

Wni := {[a] ∈ Z∗n | a2

i
m
≡ −1 mod n}.

Wn0 is not empty, since [−1] ∈ Wn0 . Let r = max{i | Wni ̸= ∅} and

U := {a ∈ Z∗n | a2
r
m
≡ ±1 mod n}.

U is a subgroup of Z∗n and Wn ⊂ U.

Let [x] ∈ Wnr . By the Chinese Remainder Theorem A.29, there is a
[w] ∈ Z∗n with w ≡ x mod p and w ≡ 1 mod q. Then w2 m ≡ −1 mod p
r

r r
and w2 m ≡ +1 mod q, hence w2 m ̸≡ ±1 mod n. Thus, w ̸∈ U , and we
see that U is indeed a proper subgroup of Z∗n . Thus |Wn | ≤ φ(n)
2 .

6. a. Let Rp′ := {x ∈ Z∗p | p′ does not divide ord(x)}.

Note that
i. p′ does not divide ord(x), if and only if ord(x) divides a, and
that
ii. p′ divides ν, where ν is defined by a representation x = g ν of x
with a primitive root g.
Thus,
′
|Rp′ | = |{x ∈ Z∗p | ord(x) | a}| = |{g p l | 1 ≤ l ≤ a}| = a.

b. Let Rp′ q′ := {x ∈ Z∗n | p′ q ′ does not divide ord(x)}.

Note ord(x) is the least common multiple of ord(x mod p) and
ord(x mod q). p′ q ′ does not divide ord(x), if and only if
p′ does not divide ord(x mod p) or q ′ does not divide ord(x mod q).
By the Chinese Remainder Theorem, we have

Z∗p × Rq′ ∪ Rp′ × Z∗q = Rp′ q′ ,

Z∗p × Rq′ ∩ Rp′ × Z∗q = Rp′ × Rq′ .

This implies |Rp′ q′ | = (p − 1)b + a(q − 1) − ab and

|Rp′ q′ | (p − 1)b + a(q − 1) − ab 1 1 1

= ′ ′
= ′ + ′ − ′ ′.
φ(n) ap bq p q pq
l
7. a. RSAle (x) = xe = x if el ≡ 1 mod φ(n). The last condition is satisfied
for l = φ(φ(n)).

Introduction to Cryptography by H. Delfs and H. Knebl

 3. Public-Key Cryptography 5

b. xe = x is equivalent to xe −1 = 1. The last equation is equivalent to

i i

ei ≡ 1 mod ord(x).
To prevent the decryption-by-iterated-encryption attack, it is re-
quired that ord(e mod ord(x)) is large for x and e.
We show that the set of “exceptions”,

{(x, e) ∈ Z∗n × Z∗φ(n) | ord(e mod ord(x)) < p′′ q ′′ )},

is an exponentially small subset of Z∗n × Z∗φ(n) . The frequency of ele-

ments x ∈ Rp′ q′ (see Exercise 6) is exponentially small. Let x ∈ / Rp′ q′ .
Then n′ = p′ q ′ divides k, k := ord(x). Then ord(e mod n′ ) divides
ord(e mod k).
Thus, if p′′ q ′′ divides ord(e mod n′ ) then p′′ q ′′ divides ord(e mod k)
and ord(e mod k) is large.
Let Rp′′ q′′ := {e ∈ Z∗n′ | p′′ q ′′ does not divide ord(e)}.
Let f be the frequency of elements e ∈ Rp′′ q′′ .
By Exercise 6, f = p1′′ + q1′′ − p′′1q′′ is exponentially small. The discus-
sion shows that p′′ q ′′ is a lower bound for the number of iterations
of the repeat-until loop for all (x, e) outside an exponentially small
subset of Z∗n × Z∗φ(n) .
8. Elements (x, y) in the domain of f are bit-strings of length 2(|q − 1|).
Elements in the range Gq ⊂ Z∗p are encoded as bit strings of length |p|.
Since |q − 1| = |q| = |p| − 1, we may consider f as a compression function.
Assume (x1 , y1 ), (x2 , y2 ) is a collision of f . Then g x1 hy1 = g x2 hy2 . Thus
g x1 −x2 = hy2 −y1 . If y1 = y2 , then x1 = x2 and (x1 , y1 ) = (x2 , y2 ). This is
a contradiction, since (x1 , y1 ), (x2 , y2 ) cannot be equal, as a collision of
−x2
f . Thus y1 ̸= y2 . We get logg h = xy21 −y 1
.
9. Given a value v ∈ {0, 1}n , we randomly select messages m ∈ {0, 1}∗
and check, if h(m) = v. We don’t have to check, if we have selected a
message twice. The probability for this event is negligibly small (note
that the set of messages is infinite). The probability that h(m) = v is
1/2n . Lemma B.12 – with p = 1/2n – says that we expect to select 2n
messages m until h(m) = v. The expected number of steps does not
depend on v, and we conclude immediately tjat the expected number of
steps in the brute-force attack against the one-way property of h is 2n . To
attack second pre-image resistance, we consider a message m′ ∈ {0, 1}∗ .
Let v = h(m′ ). We randomly select messages m ∈ {0, 1}∗ , m ̸= m′ and
check, if h(m) = v. As before, the probability that h(m) = v is 1/2n , and
the expected number of steps is 2n .

11. a. We assume that it is possible to compute discrete logarithms in H

and y t ∈ H.
b. The verification condition in ElGamal’s signature scheme is g m =
y r rs .

⃝H.
c Delfs and H. Knebl
6 Answers to the Exercises

y r rs = y t rs = g tz rs
( )m−tz
= g tz t(p−3)(m−tz)/2 = g tz t(p−1)/2 t−1
( )m−tz
= g tz −t−1 = g tz g m−tz = g m .

Note that gt = p − 1 = −1 mod p implies t = −g −1 and g = −t−1

and that

t(p−1)/2 = (−g)−(p−1)/2 = (−1)−(p−1)/2 g −(p−1)/2 = 1 · (−1) = −1

(g −(p−1)/2 = −1, since g is a primitive root).

c. The above attack does not work in the DSA signature scheme.

Introduction to Cryptography by H. Delfs and H. Knebl

 4. Cryptographic Protocols 7

4. Cryptographic Protocols

1. With this protocol the simple man-in-the-middle attack does not work.
A more sophisticated attack is necessary. If adversary Eve selects e and
e
declares yA as her public key, a man-in-the-middle attack works:
a. Eve intercepts c and forwards it unchanged to Bob.
b. Eve intercepts d and forwards de to Alice.
Then Alice computes k = dexA yB a
= g bexA g axB . She believes that she
shares k with Bob. Whereas Bob believes that he shares k = cxB yE b
=
axB bexA
g g with Eve. Eve cannot compute the session key k. However, she
can masquerade as Alice.
2. Protocol 4.1.
OneOfTwoSquareRoots(x1 , x2 )
Case: Peggy knows a square root y1 of x1 (the other case follows
analogously):
1. Peggy chooses at random r1 , r2 ∈ Z∗n and e2 ∈ {0, 1} and
sets a = (a1 , a2 ) = (r12 , r22 xe22 ). Peggy sends a to Vic.
2. Vic chooses at random e ∈ {0, 1}. Vic sends e to Peggy.
3. Peggy computes

e1 = e ⊕ e2 ,
b = (b1 , b2 ) = (r1 y1e1 , r2 )

and sends b, e1 , e2 to Vic.

4. Vic accepts, if and only if

e = e1 ⊕ e2 ,
b21 = a1 xe11 , b22 = a2 xe22 .

The completeness, soundness and zero-knowledge properties are analo-

gously proven as in Protocol 4.5.
3. a. Let x ∈ QNR+1 n . a = r x ∈ QRn ⇐⇒ σ = 0. Thus σ = τ and Vic
2 σ

will accept.
b. Let x ∈ QRn . Then a = r2 xσ ∈ QRn , for σ ∈ {0, 1}, r ∈ Z∗n . Thus
τ is always 1 and prob(σ = τ ) = 1/2. Thus a dishonest Peggy can
convince Vic with probability 1/2 if x ∈ QRn .
c. Let V ∗ be a dishonest verifier defined by the following
Protocol 4.2.
P QRn
( )
1. V ∗ chooses at random r ∈ Z∗n with nx = 1 and sends
a = r to Peggy. {
0 if a ∈ QRn
2. Peggy computes τ := and sends τ to Vic.
1 if a ∈
/ QRn

⃝H.
c Delfs and H. Knebl
8 Answers to the Exercises

3. V ∗ outputs τ .
Note τ = 0 if r ∈ QRn and τ = 1 if r ∈ / QRn . Thus V ∗ can de-
cide after interaction with Peggy, whether a randomly chosen r is a
quadratic residue. Without Peggy’s help he cannot do this accord-
ing to the quadratic residuosity assumption (see Section 4.3.1 and
Definition 6.11).
d. Algorithm 4.3.
int S (int x)
1 select r ∈ Z∗n and σ ∈ {0, 1} uniformly at random
2 return (ã, τ̃ ) ← (r2 xσ , σ)
By construction, the random variables S(x) and (P, V )(x) are iden-
tically distributed for x ∈ QNRn .
e. Vic proofs to Peggy after step 1 that he knows a square root of a or
of a/x by using the protocol of Exercise 2. He can only succeed, if he
followed the protocol in step 1. Thus he is a honest verifier and d)
applies.
4. The idea is as in Exercise 3e). The verifier proves that he follows the
protocol in step 1, i.e., that he sends a message which he encrypted with
the public key. For this purpose, he shows that he knows the e-th root of
the message he transmitted.
To show that a prover Peggy knows the e-th root x of y, the following
protocol may be used.
Protocol 4.4.
e-th root(y)
1. Peggy chooses at random r ∈ Z∗n and sets a = re . Peggy
sends a to Vic.
2. Vic chooses at random σ ∈ {0, 1}. Vic sends σ to Peggy.
3. Peggy computes b = rxσ and sends b to Vic, i.e., Peggy sends
r, if e = 0, and rx, if σ = 1.
4. Vic accepts, if and only if be = ay σ .
The completeness, soundness and zero-knowledge properties are analo-
gously proven as in Protocol 4.5.
5. a. Alice commits to 0, if c ∈ QRn and to 1, if c ∈ / QRn .
Note: c ∈ QRn ⇐⇒ −c ∈ / QRn .
b. c1 c2 = r12 r22 (−1)b1 +b2 mod 2 = (r1 r2 )2 (−1)b1 ⊕b2 .
c. c1 and c2 commit to the same value, if c1 c2 ∈ QRn . They commit
to different values, if c1 c2 ∈ / QRn . Both cases can be proven by zero-
knowledge proofs (see Section 4.2.4 and Exercise 3).
6. The access structure can be realized, if P1 gets three shares, P2 two shares
and P3 , P4 , P5 and P6 each get one share in a (5, n)-Shamir threshold
scheme.

Introduction to Cryptography by H. Delfs and H. Knebl

 4. Cryptographic Protocols 9

7. Assume Pi has pi shares of a (t, n)-Shamir threshold scheme. Then p1 +

p2 ≥ t and p3 + p4 ≥ t. Thus p1 + p2 + p3 + p4 ≥ 2t. p1 + p3 < t implies
p2 + p4 ≥ t. Thus {P1 , P3 } or {P2 , P4 } are also able to reconstruct the
secret.
8. We use the notations of Section 4.4. The encryption scheme allows to
encrypt every message m = g v , 0 ≤ v ≤ q − 1. Thus, a voter could
encrypt up to (q − 1)/2 ”yes-” or ”no-votes”. If an authority posts wj g or
wj g −1 , the tally is decreased or increased by λi,J .
9. We write g1 , g2 instead of g, h (below, we denote by h a hash function).
Protocol 4.5.
OneOfTwoPairs(g1 , g2 , (y1 , z1 ), (y2 , z2 ))
Case: Peggy knows logg1 y1 = logg2 z1 = x (the other case follows
analogously):
1. Peggy chooses at random r1 , r2 and d2 ∈ {0, . . . , q − 1} and
sets a = (a1 , a2 , a3 , a4 ) = (g1r1 , g2r1 , g1r2 y2d2 , g2r2 z2d2 ). Peggy
sends a to Vic.
2. Vic chooses c ∈ {0, . . . , q−1} uniformly at random. Vic sends
c to Peggy.
3. Peggy computes
d1 = c − d2 mod q,
b = (b1 , b2 ) = (r1 − d1 x, r2 )
and sends (b1 , b2 , d1 , d2 ) to Vic.
4. Vic accepts, if and only if
c = d1 + d2 mod q,
a1 = g1b1 y1d1 ,
a2 = g2b1 z1d1 ,
a3 = g1b2 y2d2 ,
a4 = g2b2 z2d2 .
The prover Peggy can convert this interactive proof into a non-interactive
proof.
(d1 , d2 , b1 , b2 ) = OneOf T woP airsh (g1 , g2 , (y1 , z1 ), (y2 , z2 ))
She proceeds in step 1 as before. Then, she computes the challenge
c = h(g1 ||g2 ||y1 ||z1 ||y2 ||z2 ||a1 ||a2 ||a3 ||a4 ), by using a collision-resistant hash
function h.
The verification condition is
d1 + d2 = h(g1 ||g2 ||y1 ||z1 ||y2 ||z2 ||g1b1 y1d1 ||g2b1 z1d1 ||g1b2 y2d1 ||g2b2 z2d2 ).

⃝H.
c Delfs and H. Knebl
10 Answers to the Exercises

10. Voter Vj can duplicate the vote ci = (ci,1 , ci,2 ) of voter Vi . For this
purpose, he selects α and sets cj = (ci1 g α , ci2 hα ). He has to prove that
his vote is a correctly formed one, by the protocol OneOf T woP airs from
Exercise 9. We first discuss the case, where the interactive version of the
proof is applied.
a. Voter Vj can derive from voter Vi ’s proof
(a, d, b) = OneOf T woP airs(g, h, (y1 , z1 ), (y2 , z2 )),
where
y1 = ci,1 , z1 = ci,2 g, y2 = ci,1 , z2 = ci,2 g −1 ,
a = (a1 , a2 , a3 , a4 ),
d = (d1 , d2 ), b = (b1 , b2 ),
the proof
˜ b̃) = OneOf T woP airs(g, h, (ỹ1 , z̃1 ), (ỹ2 , z̃1 )),
(ã, d,
where
ỹ1 = y1 g α , z̃1 = z1 hα
ỹ2 = y2 g α , z̃2 = z2 hα
ã = a, d˜ = d,
b̃ = (b1 − d1 α, b2 − d2 α).
b. With the non-interactive proof, the attack does not work. Replac-
ing the argument (yi , zi , i = 1, 2) of the hash function will cause a
different output. Note, the hash function is assumed to be collision
resistant. To duplicate a vote, an identical copy of the ballot must
be used. However, it will be detected, if a ballot is posted twice.
11. Protocol 4.6.
BlindRSASig(m)
1. Vic randomly chooses r ∈ Z∗n , computes m = re m and sends
it to Peggy.
2. Peggy computes σ = md and sends it to Vic.
3. Vic computes σr−1 and gets the signature of m.
12. a. ry r g −s = mg k g xr g −(xr+k) = m.
b. Choose any r, s with 1 ≤ r ≤ p − 1 and 1 ≤ s < q − 1 and let
m := ry r g −s . Then (m, r, s) is a signed message. This kind of attack
is always possible, if the message can be recovered from the signature,
as in the basic Nyberg-Rueppel scheme.
c. Use a collision-resistant hash function h and hash before encrypting,
or, if you want to preserve the message recovery property, apply a
suitable bijective redundancy function R to the message to be signed
(see [MenOorVan96]).

Introduction to Cryptography by H. Delfs and H. Knebl

 4. Cryptographic Protocols 11

d. Let (m, r, s) be a valid signature. Without the first check, an attacker

may sign messages m̃ of his choice. He computes g k = rm−1 by the
extended Euclidean algorithm. Then, he uses the Chinese remainder
theorem to determine a r̃ ∈ Z with r̃ ≡ m̃g k mod p and r̃ ≡ r mod q.
Then (m̃, r̃, s) passes the verification, if 1 ≤ r̃ ≤ p − 1 is not checked.

13. a. (m, r, s) is a signed message:

ry r g −s = r̃αg rx g −(s̃α+β)
= mg k̃(α−1) g k̃ g β g rx g −(s̃α+β)
= mg αk̃ g β g rx g −(s̃α+β)
= mg α(k̃−s̃) g rx
= mg −αr̃x g rx
= m.

b. The protocol is blind: The transcript (ã, m̃, r̃, s̃) is transformed into
the signed message (m, r, s) by

m = m̃ã−(α−1) g −β α,
r = r̃α,
s = s̃α + β.

The message m is uniquely determined by r and s (m = ry r g −s ).

On the other hand, α and β are uniquely determined by r, s and
r̃, s̃. The transcript (ã, m̃, r̃, s̃) can be transformed to any (r, s) and
hence, to any signed message (m, r, s). Every signed message (m, r, s)
is equally likely to be the transformation of the transcript (ã, m̃, r̃, s̃),
if α and β are chosen at random. Thus the signature is really blind.
14. Protocol 4.7.
ProofRep(g1 , g2 , y)
1. Peggy randomly chooses r1 , r2 ∈ Zq , computes a = g r1 g r2
and sends it to Vic.
2. Vic chooses at random c ∈ Zq and sends it to Peggy.
3. Peggy computes bi = ri − cxi , i = 1, 2, and sends (b1 , b2 ) to
Vic.
4. Vic accepts the proof, if

a = g1b1 g2b2 y c ,

otherwise, he rejects it.

15. Protocol 4.8.
BlindRepSigh (m)

⃝H.
c Delfs and H. Knebl
12 Answers to the Exercises

1. Peggy randomly chooses r1 , r2 ∈ Zq , computes a = g1r1 g2r2

and sends it to Vic.
2. Vic chooses at random u ∈ Z∗q , v1 , v2 , w ∈ Zq and computes

a = au g1v1 g2v2 y w ,
c = h(m||a), c = (c − w)u−1 .

Vic sends c to Peggy.

3. Peggy computes b = (b1 , b2 ) = (r1 − cx1 , r2 − cx2 ) and sends
it to Vic.
4. Vic verifies whether

a = g1b1 g1b2 y c ,

computes b = (b1 , b2 ) = (ub1 + v1 , ub2 + v2 ) and gets the

signature σ(m) = (c, b) of m.

The verification condition for a signature (c, b) is c = h(m||g1b1 g2b2 y c ).

Introduction to Cryptography by H. Delfs and H. Knebl

 5. Probabilistic Algorithms 13

5. Probabilistic Algorithms
1. The desired Las Vegas algorithm works as follows:
Repeat
1. Compute y = A(x).
2. Check by D(x, y), whether y is a correct solution for input x.
3. If the check yields ’yes’, then return y and stop. Otherwise, go back
to 1.
The expected number of iterations is 1/prob(A(x) correct) (by Lemma
B.12) and hence ≤ P (|x|). The binary length of an output y is bounded by
R(|x|). Thus, the running time of D(x, y) is bounded by S(|x| + R(|x|)).
2. We define the algorithm à on input x as follows:
a. Let t(x) := P̃ (|x|)2 Q(|x|).
b. Compute A(x) t(x)-times, and obtain the results
b1 , . . . , bt(x) ∈ {0, 1}.
c. Let { ∑t(x)
i=1 bi ≥ a
1
+1 if t(x)
Ã(x) := 1
∑t(x)
0 if t(x) i=1 bi < a.
From Corollary B.17 applied to the t(x) independent computations of
A(x), we get for x ∈ L
 
1 ∑
t(x)
P (|x|)2 1
prob  bi < a < < ,
t(x) i=1 4t(x) Q(|x|)

and for x ̸∈ L
 
1 ∑
t(x)
P (|x|)2 1
prob  bi ≥ a < < .
t(x) i=1 4t(x) Q(|x|)

3. a. The probability that A(x) returns at least one 1 during t executions

of A(x) is 0 if x ∈/ L, and > 1 − (1 − 1/Q(|x|))t if x ∈ L. For t ≥
ln(2)Q(|x|), we have (1 − 1/Q(|x|))t ≤ 1/2 (see proof of Proposition
5.7).
b. Consider an N P-problem L and a deterministic polynomial algo-
rithm M (x, y) that answers the membership problem for L with cer-
tificates of length ≤ L(|x|). Selecting y ∈ {0, 1}L(|x|) by coin tosses
and calling M (x, y), we get a probabilistic polynomial algorithm A(x)
with deterministic extension M (x, y).
Conversely, a probabilistic polynomial algorithm A that decides the
membership in L yields a deterministic M .
These considerations show that a problem L is in N P if and only if
there is a probabilistic polynomial algorithm A with values in {0, 1},

⃝H.
c Delfs and H. Knebl
14 Answers to the Exercises

such that prob(A(x) = 1) > 0 if x ∈ L, and prob(A(x) = 1) = 0 if

x∈/ L.
Now, the inclusion RP ⊆ N P is obvious (to obtain this inclusion,
only the ’conversely’- direction of our considerations is necessary).
4. Let A(x) be a Las Vegas algorithm for the membership in a ZPP-problem
L, and let P (|x|) be a polynomial bound for the expected running time of
A. We define a Monte Carlo algorithm Ã(x) as follows. We call A(x). If
A(x) returns after less than P (|x|) steps, we set Ã(x) = A(x). Otherwise,
let Ã(x) = 0. Then à is an algorithm for the membership in L, as it is
required for RP-problems.
5. Proposition 5.6 can be improved, such that the probability of success of
the algorithm à is exponentially close to 1. More precisely:
By repeating the computation A(x) and by returning the most frequent
result, we get a probabilistic polynomial algorithm Ã, such that

prob(Ã(x) = f (x)) > 1 − 2−Q(|x|) for all x ∈ X.

The proof is completely analogous to the proof of Proposition 5.6. The

Chernoff bound is used instead of Proposition 5.6 (which is a consequence
of the weak law of large numbers B.16). The Chernoff bound implies that
 
∑t
t − t
prob  Sj >  ≥ 1 − 2e P (|x|)2 .
j=1
2

For t > ln(2)P (|x|)2 (Q(|x|) + 1), we get the desired result.

Introduction to Cryptography by H. Delfs and H. Knebl

 6. One-Way Functions and the Basic Assumptions 15

6. One-Way Functions and the Basic Assumptions

1. a. Let I˜k := {n ∈ N | n = pq, p, q distinct primes, |p| = |q| = k}. The

set of keys of security parameter k is Ik = {(n, e) | n ∈ I˜k , e ∈ Z∗φ(n) }.
Let pk be the uniform distribution on Ik and let qk be the distribution
i ← S(1k ), given by S. Then
1 1 1 1
pk (n, e) = · and qk (n, e) = · ,
|I˜k | aver(|Z∗φ(n) |) |I˜k | |Z∗φ(n) |

where aver(|Z∗φ(n) |) is the average value taken over n ∈ I˜k . As we

observed in the proof of Proposition 6.6 (referring to Appendix A.2),
x
φ(x) > 6 log(|x|) . Hence,

φ(n)
φ(n) > |Z∗φ(n) | = φ(φ(n)) >
c log(k)

(c a constant). This implies qk (n, e) ≤ c·log(k)·pk (n, e). In particular,

qk is polynomially bounded by pk .
b. Analogous to a).
k
2. The number of primes of length k is of order 2 /k (by the Prime Number
Theorem A.68). Thus, we expect to get a prime after O(k) iterations if
we randomly choose k-bit strings and apply a probabilistic primality test
(see Lemma B.12). A probabilistic primality test takes O(k 3 ) steps (step
= binary operation) and therefore, the expected running time to generate
a random prime of length k is O(k 4 ). To choose a random e ∈ Zφ(n) and
to check, whether it is a unit (by Euclid’s algorithm A.4), takes O(k 3 )
steps. The probability of getting a unit is φ(φ(n))/φ(n), with φ(n) = (p −
1)(q − 1). Let d := ⌈averagen∈Ik φ(n)/φ(φ(n))⌉. In the uniform sampling
algorithm of Proposition 6.8, we expect to get a key after generating d
moduli n = pq and d exponents. Applying the admissible key generator
from Exercise 1, we expect to get a key after generating one modulus
and d exponents. Thus, the expected running time of the uniform key
generator of Proposition 6.8 is about d-times the expected running time
of the admissible key generator from Exercise 1. We have d ≤ 6 log(2k)
(Appendix A.2).
3. f is certainly not a strong one-way function: Half of the elements of Xj
are even. For every (x, y) ∈ Dn , with x or y is even and xy < 2n−1 , a
pre-image (2, xy/2) of fn (x, y) is immediately computed.
Let D̃n := {(x, y) ∈ Dn | x, y are primes with |x| = |y| = ⌊n/2⌋}. We
have (by the Prime Number Theorem A.68)
( )2
2⌊n/2⌋−1 2n−3 2n−1 2n
|D̃n | ≈ ≥( )2 ≥ = 2.
⌊n/2⌋ − 1 (n − 1)/2 n 2 2n

⃝H.
c Delfs and H. Knebl
16 Answers to the Exercises

∑n−2
On the other hand, |Dn | = j=2 2j 2n−j < n2n and hence

|D̃n | 1
≥ 3.
|Dn | 2n
By the factoring assumption, the pre-image of xy cannot be efficiently
computed with a non-negligible probability for (x, y) ∈ D̃n . Thus, the
probability of success of an adversary algorithm is ≤ 1 − 1/2n3 .
4. Let A1 be the algorithm that calls A and then returns the difference
(a1 −a′1 , . . . , ar −a′r ) of A’s outputs. As we already observed in the∏proof of
r e
Proposition 4.21, A1 computes a non-trivial representation 1 = j=1 gj j
∏r aj
of 1 if and only if A computes two distinct representations j=1 gj =
∏r a′j
j=1 gj of the same element in Gq .
To compute the discrete logarithm of an element y ∈ Gq with respect
to g, we use the algorithm B (see the algorithm given in the proof of
Proposition 4.21):
Algorithm 6.1.
int B (int p, q, g, y)
1 if y = 1
2 then return 0
3 else select i ∈ {1, . . . , r} and
4 uj ∈ {1, . . . , q − 1}, 1 ≤ j ≤ r, uniformly at random
5 gi ← y ui
6 gj ← g uj , 1 ≤ j ̸= i ≤ r, is chosen at random
7 (a1 , . . . , ar ) ← A(g1 , . . . , gr )
8 if ai ̸= 0 mod q (∑ )
9 then return x ← −(ai ui )−1 j̸=i a j uj mod q
10 else return 0
If A1 returns a non-trivial representation and if ai ̸= 0 (modulo q), then
∏
y −ui ai = g aj uj ,
j̸=i

and B correctly returns logg (y) of y with respect to the base g.

If y ̸= 1, then y is a generator of Gq and y ui is an element which is
randomly and uniformly chosen from Gq \ {1}, and this random choice is
independent of the choice of i. If A1 returns a non-trivial representation
of 1, then at least one aj ̸= 0 mod q and therefore, the probability that
we get a position i with ai ̸= 0 mod q by the random choice of i, is
≥ 1/r ≥ 1/T (|p|). Thus,
prob(B(p, q, g, y) = logg (y))
∏
r
a
≥ prob(A(p, q, g1 , . . . , gr ) = (a1 , . . . , ar ) ̸= 0, 1= gj j :
j=1

Introduction to Cryptography by H. Delfs and H. Knebl

 6. One-Way Functions and the Basic Assumptions 17

u
gj ← Gq \ {1}, 1 ≤ j ≤ r)
1
·
T (|p|)
1 1
≥ · ,
P (|p|) T (|p|)

for every g ∈ Gq \ {1}, y ∈ Gq and (p, q) ∈ K. By repeating the com-

putation B(p, q, g, y) for a sufficiently large (but polynomial in |p|) num-
ber of times and each time checking whether the output is the desired
logarithm, we get a probabilistic polynomial algorithm Ã(p, q, g, y) with
prob(Ã(p, q, g, y) = logg (y)) ≥ 1 − 2−Q(|p|) (Proposition 5.7).
5. Let Ik := {(n, e) | n = pq, p, q distinct primes , |p| = |q| = k, e ∈ Z∗φ(n) }
be the set of public RSA keys with security parameter k. By Exer-
u
cise 1, the RSA assumption remains valid if we replace (n, e) ← Ik by
u u
n ← Jk , e ← Z∗φ(n) . In the following sequence of distributions, each dis-
tribution polynomially bounds its successor.
u u
a. n ← Jk , e ← Z∗φ(n)
u u
b. n ← Jk , e ← {f < 22k | f prime to φ(n)}
u u
c. n ← Jk , p̃ ← {f ∈ Primes≤2k | f does not divide φ(n)}
The example after Definition B.25, shows that a) bounds b) (consider
the map x 7→ x mod φ(n)). b) bounds c), since the number of primes
2k
of binary length ≤ 2k is about 2k2 (Theorem A.68). By Proposition
B.26, we conclude that the RSA assumption remains valid if we re-
u u u u
place (n ← Jk , e ← Z∗φ(n) ) by (n ← Jk , p̃ ← {f ∈ Primes≤2k |
f does not divide φ(n)}). By Lemma B.24, this distribution - we call
u u
it q - can be replaced by (n ← Jk , p̃ ← Primes≤2k ), since both distribu-
tions are polynomially close. Namely, we have for large k (up to some
constant)

|{f ∈ Primes≤2k | f does not divide φ(n)}| ≥ |Primes≤2k | − log2 (2k),

hence by Theorem A.68

1 1
q(p̃, n) − ·
|Jk | |Primes≤2k |
( )
1 1 |Primes≤2k |
≤ · · −1
|Jk | |Primes≤2k | |Primes≤2k | − log2 (2k)
( )
22k
1 1
≈ · · 22k −2k log (2k) − 1
2k
|Jk | |Primes≤2k | 2
2k

1 1 2k log2 (2k) k k 2k 2k log2 (2k) k5

≈ · · ≈ · · · ≤ .
|Jk | |Primes≤2k | 22k 2k 2k 22k 22k 26k

⃝H.
c Delfs and H. Knebl
18 Answers to the Exercises

4k
Since the number of tuples (p̃, n) is of order O( 2k4 ), the polynomial close-
ness follows.
Finally, by Theorem A.70, we have for a prime p̃ (up to some constant)
1 2k 2k
|{f ∈ Primesk | p̃ divides f − 1}| ≈ ≤ ,
p̃ − 1 k 2k
hence
22k 22k
|Jk,p̃ | ≥ 2
and then 4 · |Jk,p̃ | ≥ |Jk | ≈ 2 .
4k k
u u
We see that (n ← Jk , p̃ ← Primes≤2k ) polynomially bounds
u u
(p̃ ← Primes≤2k , n ← Jk,p̃ ). This finishes the proof.
6. Let b ∈ {0, 1}. Assume that there is a positive polynomial P , such that
u 1 1
prob(Bi (x) = b : i ← K(1k ), x ← Di ) − > ,
2 P (k)
for infinitely many k. Then the constant algorithm A(i, y) that always
returns b successfully computes the hard-core bit
u
prob(A(i, fi (x)) = Bi (x) : i ← K(1k ), x ← Di )
u 1 1
= prob(Bi (x) = b : i ← K(1k ), x ← Di ) ≥ + ,
2 P (k)
a contradiction.
7. Assume there is an algorithm A with
u
prob(A(i, fi (x), Bi (x)) = 1 : i ← K(1k ), x ← Di )
u u 1
− prob(A(i, fi (x), z) = 1 : i ← K(1k ), x ← Di , z ← {0, 1}) >
P (k)
for some positive polynomial P and for k in an infinite subset K of N
(Replacing A by 1 − A, if necessary, we may omit the absolute value).
Let à be the following algorithm with inputs i ∈ I, y ∈ Ri :
u
a. Randomly choose a bit b ← {0, 1}.
b. If A(i, y, b) = 1, then return b, else return 1 − b.
Applying Lemma B.13 we get
u
prob(Ã(i, fi (x)) = Bi (x) : i ← K(1k ), x ← Di )
1 u
= + prob(Ã(i, fi (x)) = b : i ← K(1k ), x ← Di | Bi (x) = b)
2
u
− prob(Ã(i, fi (x)) = b : i ← K(1k ), x ← Di )
1 u
= + prob(A(i, fi (x), Bi (x)) = 1 : i ← K(1k ), x ← Di )
2
u u
− prob(A(i, fi (x), b) = 1 : i ← K(1k ), x ← Di , b ← {0, 1})
1 1
> + .
2 P (k)

Introduction to Cryptography by H. Delfs and H. Knebl

 6. One-Way Functions and the Basic Assumptions 19

for the infinitely many k ∈ K. Hence, B is not a hard-core predicate.

Conversely, if Ã(i, y) is a probabilistic polynomial algorithm with

u 1 1
prob(Ã(i, fi (x)) = Bi (x) : i ← K(1k ), x ← Di ) > +
2 P (k)

for infinitely many k, then the algorithm A with

{
1 if z = Ã(i, y),
A(i, y, z) :=
0 else.

successfully distinguishes between the distributions.

8. The analogous proposition is:
The following statements are equivalent.
a. For every probabilistic polynomial algorithm A with inputs i ∈ I, x ∈
Xi and output in {0, 1} and every positive polynomial P , there is a
k0 ∈ N, such that for all k ≥ k0
pi
| prob(A(i, x) = 1 : i ← Ik , x ← Xi )
qi 1
− prob(A(i, x) = 1 : i ← Ik , x ← Xi ) | ≤ .
P (k)

b. For every probabilistic polynomial algorithm A with inputs i ∈ I, x ∈

Xi and output in {0, 1} and all positive polynomials Q, R there is a
k0 ∈ N, such that for all k ≥ k0
pi
prob({i ∈ Ik | | prob(A(i, x) = 1 : x ← Xi )
qi 1
− prob(A(i, x) = 1 : x ← Xi ) | > })
Q(k)
1
≤ .
R(k)

The proof now runs in the same way as the proof of Proposition 6.17. The
main difference is that we need an algorithm Sign(i) which computes the
sign of
pi qi
prob(A(i, x) = 1 : x ← Xi ) − prob(A(i, x) = 1 : x ← Xi )

with high probability if the absolute value of this difference is ≥ 1/T̃ (k)
(with T̃ a polynomial). This algorithm is constructed analogously. We use
the fact that the probabilities can be approximately computed with high
probability by a probabilistic polynomial algorithm (Proposition 6.18).
9. see [GolMic84].

⃝H.
c Delfs and H. Knebl
20 Answers to the Exercises

7. Bit Security of One-Way Functions

1.

17 ∈ QRp ,
/ QRp , 13 · 2−1 = 16
PSqrt(17) = 13 ∈
PSqrt(16) = 4 ∈ QRp
/ QRp , 2 · 2−1 = 1
PSqrt(4) = 2 ∈
PSqrt(1) = 1 ∈ QRp

Thus we have Logp,g (17) = 01010 (in binary encoding).

2. Algorithm 7.1.
int BinSearchLog(int p, g, y)
1 int : l, r, i
2 l ← 0; r ← p − 1
3 while l ≤ r do
4 i ← div (l + r)
5 if A1 (p, g, y) = 1
6 then l ← i
7 else r ← i + 1
8 y ← y2
9 return l
3. a. We compute the t least-significant bits as in the proof of Proposi-
tion 7.5. Let k = |p|, y = g xk−1 ...x0 , xi ∈ {0, 1}, i = 0, . . . , k − 1. The
bit x0 is 0, if and only if y ∈ QRp (Proposition A.49). This condition
can be tested with the criterion of Euler for quadratic residuosity
(Proposition A.52).
We replace y by yg −1 , if x0 = 1. Thus, we can assume x0 = 0. We
get the square roots y1 = g xk−1 ...x1 and y2 = g xk−1 ...x1 +(p−1)/2 of y.
Since p − 1 = 2t q, q odd, the t least-significant bits of p − 1 are 0.
log y1 and log y2 coincide in the t − 1 least-significant bits (t ≥ 1). If
t ≥ 2, we can continue with both square roots.

Algorithm 7.2.
int A(int p, g, x)
1 d←ε
2 for c ← 0 to t − 1 do
3 if x ∈ QRp
4 then d ← d||0
5 else d ← d||1
6 x ← xg −1
7 x ← Sqrt(p, g, x)
8 return d

Introduction to Cryptography by H. Delfs and H. Knebl

 7. Bit Security of One-Way Functions 21

b. Let {u, v} = Sqrt(y). Then Lsbt−1 (Logp,g (u)) ̸= Lsbt−1 (Logp,g (v))
(the logarithms differ by p−1 2 ). Observe that you can compute these
bits by a).
Algorithm 7.3.
int A(int p, g, y)
1 {u, v} ← Sqrt(y)
2 if A1 (p, g, y) = Lsbt−1 (Logp,g (u)
3 then return u
4 else return v
A computes the principal square root of y. The assertion now follows
by Proposition 7.5.

c. Let P be a positive polynomial and A1 be a probabilistic polynomial

algorithm, such that

u 1 1
prob(A1 (p, g, g x ) = Lsbt (x) : x ← Zp−1 ) ≥ + ,
2 P (k)

where p is an odd prime, p = 2t a, a odd, and g is a primitive root

modp. As in b) we get a probabilistic polynomial algorithm A, such
that
u 1 1
prob(A(p, g, y) = PSqrtp,g (y) : y ← QRn ) ≥ + .
2 P (k)

This contradicts the discrete logarithm assumption (see Theorem 7.7).

4. a. Let p − 1 = 2t q, q odd, y = g x . Compute the t least-significant bits of

x by the Algorithm of Exercise 7.2. Guess the next j − t bits from x
(note there are only polynomially many, namely O(k), alternatives).
Thus, we can assume that the j least-significant bits of x are known.

⃝H.
c Delfs and H. Knebl
22 Answers to the Exercises

Algorithm 7.4.
int A(int p, g, y)
1 Lj ← j least-significant bits of x
2 d ← Lj
3 for c ← j to k − 1 do
4 b ← A1 (p, g, y, Lj )
5 if Lsb(Lj ) = 1
6 then y ← yg −1
7 {u, v} ← Sqrt(p, g, y)
8 if Lsb(Logp,g (u)) = Lsb1 (Lj )
9 then y ← u
10 else y ← v
11 Lj ← b||Lsbj−1 (Lj ) . . . Lsb1 (Lj )
12 d ← b||d
13 return d

b. The probability of success of A1 can be increased as in Lemma 7.8.

Observe that you can compute Lsbj (x) from Lsbj (x + r), where r is
randomly chosen, if x + r ≤ p − 1. Use this, to compute Lsbj (x) with
probability almost 1 for small values of x. Then continue as in the
proof of Theorem 7.7 to prove statement b).
5. Assume there is a positive polynomial P ∈ Z[X] and an algorithm A1 ,
such that

prob(A1 (p, g, Lsbt (x), . . . , Lsbt+j−1 (x), g x )

u u 1 1
= Lsbt+j (x) : (p, g) ← Ik , x ← Zp−1 ) > + .
2 P (k)
for infinitely many k. By Proposition 6.17, there are polynomials Q, R,
such that
({
prob (p, g) ∈ Ik prob(A1 (p, g, Lsbt (x), . . . , Lsbt+j−1 (x), g x )
})
u 1 1 1
= Lsbt+j (x) : x ← Zp−1 ) > + > ,
2 Q(k) R(k)
for infinitely many k. From the preceding Exercise 4, we conclude that
there is an algorithm A2 and a positive polynomial S ∈ Z[X], such that
({
prob (p, g) ∈ Ik
})
u 1 1
prob(A2 (p, g, g ) = x : x ← Zp−1 ) ≥ 1 −
x
> ,
S(k) R(k)
for infinitely many k. By Proposition 6.3, there is a positive polynomial
T ∈ Z[X], such that

Introduction to Cryptography by H. Delfs and H. Knebl

 7. Bit Security of One-Way Functions 23

u u 1
prob(A2 (p, g, g x ) = x : (p, g) ← Ik , x ← Zp−1 ) > ,
T (k)
for infinitely many k, a contradiction to the discrete logarithm assump-
tion.
6.

t at ut at x Lsb(at x)
0 1 0 13 1
1 15 0.5 21 1
2 22 0.75 25 1
3 11 0.875 27 1
4 20 0.9375 28 0
5 10 0.46875 14 0
6 5 0.234375 7 1
15
Thus we have a = 5, u = 64 .
7.

t at ut returned bits
0 1 0 0
1 196 0 0
2 98 0 1
3 49 0.5 0
4 220 0.25 0
5 110 0.125 1
6 55 0.5625 1
7 223 0.78125 1
8 307 0.890625 1
9 349 0.9453125 0
10 370 0.47265625 1
⌊ 121 ⌋
We get a = 370, ax = 256 391 + 1 and x = a−1 ax = 196.
8. Observe that

Msb(x) = Lsb(2x) and

Lsb(x) = Msb(2−1 x).

Thus, an algorithm A(n, e, y) computing Lsb(x) can be used to compute

Msb(x) (Msb(x) = A(n, e, 2e y)) and vice versa.

⃝H.
c Delfs and H. Knebl
24 Answers to the Exercises

9. Follows immediately by Exercise 8.

10. Let y = xe . Observe that 2e y = (2x)e .
11. Algorithm 7.5.
int RSA−1 (int y)
1 for i ← 1 to k − 1 do
2 if LsbRSA−1 (y) = 0
3 then LSB[i] ← 0
4 y ← y2−e mod n
5 else LSB[i] ← 1
6 y ← (n − y)2−e mod n
7 t[k] ← LsbRSA−1 (y); t[1] = . . . = t[k − 1] = 0
8 for i ← k − 1 downto 1 do
9 t ← Shift(t)
10 if LSB[i] = 1
11 then t ← Delta(n, t, k − i + 1)
12 return t
Shif t(t) returns the bits of t, shifted one position to the left, filling the
emptied bit with 0. Delta(s, t, i) returns for t ≤ s the i least-significant
bits of s − t. The remaining bits are 0.

12. a. We define
Lj : Z∗n −→ {0, 1}j , x 7−→ x mod 2j .
We get the RSA-inversion by rational approximation by using the
equations

a0 = 1, u0 = 0,
−1 1
at = 2 at−1 , ut = 2 (ut−1 + Lsb(at−1 x)) .

We have
1
Lj−1 (at x) = Lj (at−1 x + Lsb (at−1 x) n) ,
2
and we compute Lj (at x) for t ≥ 0 by

Guess Lj (a0 x),

1
Lj (at x) = Lsbj (at x)2j−1 + Lj (at−1 x + Lsb(at−1 x)n).
2
and get

Introduction to Cryptography by H. Delfs and H. Knebl

 7. Bit Security of One-Way Functions 25

Algorithm 7.6.
int A2 (int n, e, y)
1 a ← 1, u ← 0
2 guess Lstj ← Lj (a0 x)
3 for t ← 1 to k do
4 u ← 21 (u + Lsb(Lstj ))
5 a ← 2−1 a mod n
6 Lstj ← A1 (n, e, ae y mod n)2j−1 + 12 (Lstj + Lsb(at−1 x)n)
7 return a−1 ⌊un + 1⌋ mod n
b. With the notations from the proof of Theorem 7.14 we have
At,i = at + iat−1 + b = (1 + 2i)at + b,
Wt,i = ⌊ut + iut−1 + v⌋.
and if Wt,i = q (see proof of proof of Theorem 7.14) we have
At,i x = at x + iat−1 x + bx − Wt,i n.
Thus, we get
Lj (At,i x) = Lj (at x) + Lj (iat−1 x) + Lj (bx) − Lj (Wt,i n) mod 2j
and
Lsbj (At,i x)2j−1 + Lj−1 (At,i x) =
Lsbj (at x)2j−1 + Lj−1 (at x) + Lj (iat−1 x) + Lj (bx) −
Lj (Wt,i n) mod 2j , hence
Lsbj (at x)2j−1 =
Lsbj (At,i x)2j−1 + Lj−1 (At,i x) − Lj−1 (at x + Lj (iat−1 x) − Lj (bx) +
Lj (Wt,i n) mod 2j .
We use the last equation to get Lsbj (at x) by a majority decision com-
puting Lsbj (At,i x) by algorithm A1 . Observe that the other terms of
the right side of the equation are known. Lj−1 (at x) and Lj−1 (At,i x)
can be recursively computed from Lj (at−1 x) and Lj (At−1,i x):
1
Lj−1 (at x) = (Lj (at−1 x + Lsb (at−1 x) n) ,
2
Lj−1 (At,i x) = (1 + 2i)Lj−1 (at x) + Lj−1 (bx) mod 2j−1 .
Initially we have to guess Lj (a0 x) and Lj (bx). This is polynomial in
k, because j ≤ ⌊log2 (2k)⌋.
We can modify the Algorithm from Lemma 7.15 to get an algorithm
which computes Lj (at x) with probability almost 1. From Lj (at x) we
can easily derive Lsb(at x), and we can use Lsb(at x) in Algorithm
7.17 and continue as in Section 7.2.

13. The proof is analogous to the proof of Exercise 5.

⃝H.
c Delfs and H. Knebl
26 Answers to the Exercises

8. One-Way Functions and Pseudorandomness

1. If Ã(i, z) is a probabilistic polynomial algorithm that distinguishes be-

tween the sequences generated by π ◦ G and true random sequences (see
Definition 8.2), then A(i, z) : (i, z) 7→ Ã(i, Π(i, z)) distinguishes the se-
quences generated by G from true random sequences.
2. Examples can be constructed by one-way permutations
f = (fi : Di −→ Di )i∈I with hard-core predicate B, like the RSA family.
Consider the pseudorandom generator G with Gi (x) := (fi (x), Bi (x)),
u
which generates from a randomly chosen seed x ← Di a pseudorandom
sequence of length |x| + 1. G is computationally perfect, by Exercise
7 in Chapter 6. Let π be the permutation πi (y, b) := (fi−1 (y), b) (y ∈
Di , b ∈ {0, 1}). Then πi (Gi (x)) = (x, B(x)), and we see that π ◦ G is not
computationally perfect (since B(x) is computable from x).
3. The proof is an immediate consequence of Exercise 1 (consider the per-
mutation (x1 , . . . , xl(k) ) 7→ (xl(k) , . . . , x1 ) and Yao’s Theorem 8.7.
4. Assume there is a probabilistic polynomial statistical test A(i, z) and a
positive polynomial R, such that
u
prob(A(i, Gli (x)) = 1 : i ← K(1k ), x ← {0, 1}Q(k) )
u 1
− prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}Q(k)+l ) > ,
R(k)

for k in an infinite subset K of N ( replacing A by 1 − A if necessary we

may drop the absolute value).
For k ∈ K and i ∈ Ik we consider the following sequence of distributions

di,0 , di,1 , . . . , di,l

on {0, 1}m , where m = m(k) := Q(k) + l.

u u
di,0 = {(b1 , . . . , bl , x) : (b1 , . . . , bl ) ← {0, 1}l , x ← {0, 1}Q(k) )}
u u
di,1 = {(b1 , . . . , bl−1 , G1i (x)) : (b1 , . . . , bl−1 ) ← {0, 1}l−1 , x ← {0, 1}Q(k) }
u u
di,2 = {(b1 , . . . , bl−2 , G2i (x)) : (b1 , . . . , bl−2 ) ← {0, 1}l−2 , x ← {0, 1}Q(k) }
..
.
u u
di,r = {(b1 , . . . , bl−r , Gri (x)) : (b1 , . . . , bl−r ) ← {0, 1}l−r , x ← {0, 1}Q(k) }
..
.
u
di,l = {Gli (x) : x ← {0, 1}Q(k) }.

di,0 is the uniform distribution, di,l is the distribution induced by Gli .

For k ∈ K, we have

Introduction to Cryptography by H. Delfs and H. Knebl

 8. One-Way Functions and Pseudorandomness 27

1 di,l
< prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )
R(k)
di,0
− prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )
∑
l−1
di,r+1
= (prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )
r=0
di,r
− prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )).

Define the algorithm à as follows:

a. Randomly choose r, with 0 ≤ r < l.
b. Choose random bits b1 , b2 , . . . , bl−r−1 .
c. For z = (z1 , . . . , zQ(k)+1 ) ∈ {0, 1}Q(k)+1 let

Ã(i, z) := A(i, b1 , . . . , bl−r−1 , z1 , Gri ((z2 , . . . , zQ(k)+1 ))).

We have
u
prob(Ã(i, Gi (x)) = 1 : i ← K(1k ), x ← {0, 1}Q(k) )
u
− prob(Ã(i, z) = 1 : i ← K(1k ), z ← {0, 1}Q(k)+1 )
∑
l−1
di,r+1
= prob(r) · (prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )
r=0
di,r
− prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )))
1∑
l−1
di,r+1
= (prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )
l r=0
di,r
− prob(A(i, z) = 1 : i ← K(1k ), z ← {0, 1}m )))
1
> ,
lR(k)
for the infinitely many k ∈ K. This contradicts the assumption that G is
computationally perfect.
5. The proof runs in the same way as the proof of Yao’s Theorem 8.7. An
additional input y ∈ Yi has to be added to the algorithms A and à and
the probabilities
u
prob(Ã(i, fi (x), z) = . . . : i ← K(1k ), x ← Xi , z ← . . .)
u
must also be taken over x ← Xi . The distributions pi,r are modified to

pi,r = {(fi (x), Gi,1 (x), Gi,2 (x), . . . , Gi,r (x), br+1 , . . . , bQ(k) :
u u
(br+1 , . . . , bQ(k) ) ← {0, 1}Q(k)−r , x ← Xi }.

⃝H.
c Delfs and H. Knebl
28 Answers to the Exercises

6. Assume there is a probabilistic polynomial algorithm A(i, y), such that

u
prob(A(i, fi (x)) = Ci (Bi,1 (x), . . . , Bi,l(k) (x)) : i ← K(1k ), x ← Di )
1 1
> + ,
2 P (k)
for k in an infinite subset K of N.
Define the algorithm Ã(i, y, z1 , . . . , zl ) as follows:
{
1 if A(i, y) = Ci (z1 , . . . , zl ),
Ã(i, y, z1 , . . . , zl ) :=
0 else
We have
u
prob(A(i, fi (x)) = Ci (z1 , . . . , zl ) : i ← K(1k ), x ← Di ,
u
(z1 , . . . , zl ) ← {0, 1}l )
u
= prob(A(i, fi (x)) = 0 : i ← K(1k ), x ← Di )
u
·prob(Ci (z1 , . . . , zl ) = 0 : (z1 , . . . , zl ) ← {0, 1}l )
u
+ prob(A(i, fi (x)) = 1 : i ← K(1k ), x ← Di )
u
·prob(Ci (z1 , . . . , zl ) = 1 : (z1 , . . . , zl ) ← {0, 1}l )
u 1
= prob(A(i, fi (x)) = 0 : i ← K(1k ), x ← Di ) ·
2
u 1
+ prob(A(i, fi (x)) = 1 : i ← K(1 ), x ← Di ) ·
k
2
1
= .
2
Hence
u u
| prob(Ã(i, fi (x), z1 , . . . , zl ) = 1 : i ← K(1k ), x ← Di , (z1 , . . . , zl ) ← {0, 1}l )
u
− prob(Ã(i, fi (x), Bi,1 (x), . . . , Bi,l (x)) = 1 : i ← K(1k ), x ← Di ) |
1 u
= − prob(A(i, fi (x)) = Ci (Bi,1 (x), . . . , Bi,l (x))) : i ← K(1k ), x ← Di )
2
1 1 1
> + −
2 P (k) 2
1
> ,
P (k)
for infinitely many k. This is a contradiction.
7. Assume that the bits Bi,1 , . . . , Bi,l are not simultaneously secure. From
the stronger version of Yao’s Theorem, Exercise 5, we conclude that there
is a probabilistic polynomial algorithm A, a positive polynomial P and
a jk , 1 ≤ jk ≤ l(k), such that

Introduction to Cryptography by H. Delfs and H. Knebl

 8. One-Way Functions and Pseudorandomness 29

u
prob(A(i, fi (x), Bi,1 (x) . . . Bi,jk −1 (x)) = Bi,jk (x) : i ← K(1k ), x ← Xi )
1 1
> + ,
2 P (k)
for infinitely many k. This is a contradiction.
8. The statement, which is analogous to Theorem 8.4, is almost identical to
the statement of Theorem 8.4:
For every probabilistic polynomial algorithm A with inputs i ∈ Ik , z ∈
{0, 1}l(k)Q(k) , y ∈ Di and output in {0, 1} and every positive polynomial
P ∈ Z[X], there is a k0 ∈ N, such that for all k ≥ k0
u u
| prob(A(i, z, y) = 1 : i ← K(1k ), z ← {0, 1}l(k)Q(k) , y ← Di )
Q(k) u 1
− prob(A(i, Gi (x), fi (x)) = 1 : i ← K(1k ), x ← Di ) | ≤ .
P (k)
The proof runs as the proof of Theorem 8.4. There are only the following
differences:
In the distributions pi,r , the elements bi have to be chosen from {0, 1}l(k) :
u
bi ← {0, 1}l(k) , and Xi has to be set as Xi := {0, 1}l(k)Q(k) × Di .
We define the algorithm à as follows:
On inputs i ∈ Ik , y ∈ Di , w ∈ {0, 1}l(k)
a. Randomly choose r, with 0 ≤ r < Q(k).
b. Randomly choose b1 , b2 , . . . , bQ(k)−r−1 in {0, 1}l(k) .
c. For y = fi (x) let Ã(i, y, w) :=
A(i, b1 , . . . , bQ(k)−r−1 , w, Bi (fi (x)), Bi (fi2 (x)), . . . , Bi (fir (x)), fir+1 (x)).
Then
u
| prob(Ã(i, fi (x), Bi (x)) = 1 : i ← K(1k ), x ← Di )
u u
− Ã(i, y, w) = 1 : i ← K(1k ), y ← Di , w ← {0, 1}l(k) ) |
∑
Q(k)−1
pi,r+1
= prob(r) · (prob(A(i, z, y) = 1 : i ← K(1k ), (z, y) ← Xi )
r=0
pi,r
− prob(A(i, z, y) = 1 : i ← K(1k ), (z, y) ← Xi ))
1 ∑
Q(k)−1
pi,r+1
= (prob(A(i, z, y) = 1 : i ← K(1k ), (z, y) ← Xi )
l(k) r=0
pi,r
− prob(A(i, z, y) = 1 : i ← K(1k ), (z, y) ← Xi ))
1
> ,
l(k)P (k)

for infinitely many k. This contradicts the fact that B is an l-bit hard-core
predicate.

⃝H.
c Delfs and H. Knebl
30 Answers to the Exercises

9. Provably Secure Encryption

1. The affine cipher is perfectly secret. Namely, let m ∈ Zn and c ∈ Zn . We

look for the number of keys (a, b), such that m is encrypted as c. a is a
unit modulo n, so we have φ(n) choices for a. Since b = c − a · m mod n,
the choice of a determines b. We conclude that there are φ(n) keys (a, b)
which transform m to c. If the keys are selected uniformly at random, as
assumed, this means that prob(c | m) = φ(n)/φ(n)n = 1/n. The probability
is independent of m, which implies that the affine cipher is perfectly secret
(Proposition 9.4).
2. Knowing the key and the ciphertext, the plaintext m can be derived.
Hence, H(M | KC) = 0. Therefore, we have

0 ≤ I(M ; K | C) = H(K | C) − H(K | M C)

= H(M |C) − H(M |KC) = H(M |C).

Hence, H(K |C) ≥ H(M | C), because H(K | M C) ≥ 0.
3. It is not computationally secret, as the following considerations show. Let
(p, g, y := g x ) be an ElGamal public key. We have Ep,g,y (m) = (g k , y k m)
for plaintexts m ∈ Z∗p . Applying Logp,g to both components of Ep,g,y (m),
we get (k, kx + Logp,g (m)) ∈ Z2p−1 . If p − 1 = 2t a, a odd, then the t
least-significant bits of Logp,g (z) can be easily computed for z ∈ Z∗p (see
Section 7.1, Exercise 3 in Chapter 7). In particular, we can compute the t
least-significant bits of k, x, Logp,g (y k m). Since (kx mod p − 1) mod 2t =
kx mod 2t , we can compute the t least-significant bits of kx mod (p − 1)
and hence also of Logp,g (m). Thus, we can distinguish between plain-
texts, whose Logp,g differ in their t least-significant bits.
If we consider only the least-significant bit, this means that we can dis-
tinguish between quadratic residues and non-residues.
4. Note that S(i) returns two distinct messages m0 ̸= m1 . We have for every
pair m0 ̸= m1
u
prob(A(i, m0 , m1 , c) = m : i ← K(1k ), m ← {m0 , m1 }, c ← E(m))
1 u
= · prob(A(n, e, m0 , m1 , c) = m0 : (n, e) ← Ik , c ← E(m0 ))
2
1 u
+ · prob(A(n, e, m0 , m1 , c) = m1 : (n, e) ← Ik , c ← E(m1 ))
2
1 1 u
= + · [prob(A(n, e, m0 , m1 , c) = m0 : (n, e) ← Ik , c ← E(m0 ))
2 2
u
− prob(A(n, e, m0 , m1 , c) = m0 : (n, e) ← Ik , c ← E(m1 )].

Introduction to Cryptography by H. Delfs and H. Knebl

 9. Provably Secure Encryption 31

5. For m ∈ {0, 1}r , we denote by m the padded m.

Assume that the encryption scheme is not computationally secret. Then,
by Exercise 4, there is a probabilistic polynomial algorithm A and a
positive polynomial P , such that for infinitely many k: For all (n, e) ∈ Ik
there are m0,n,e , m1,n,e ∈ {0, 1}r , m0,n,e ̸= m1,n,e , such that
u
prob(A(n, e, m0,n,e , m1,n,e , c) = m0,n,e : (n, e) ← Ik , c ← RSAn,e (m0,n,e ))
u
− prob(A(n, e, m0,n,e , m1,n,e , c) = m0,n,e : (n, e) ← Ik ,
c ← RSAn,e (m1,n,e ))
1
> .
P (k)

Here, observe that there are only polynomially many, namely < 4k 2 ,
message pairs {m0 , m1 }, so we can omit the sampling algorithm S (all
message pairs can be considered in polynomial time).
Let Q be a positive polynomial with deg(Q) > deg(P ) + 1. Replacing A
by a modification, if necessary, we may assume that the probability of
u u
those (n, e) ← Ik , m0 , m1 ← {0, 1}r , such that either

prob(A(n, e, m0 , m1 , c) = m0 : c ← RSAn,e (m0 ))

− prob(A(n, e, m0 , m1 , c) = m0 : c ← RSAn,e (m1 ))
≥ 0.

or the absolute value of the difference is ≤ 1/Q(k), is ≥ 1 − 1/Q(k). (The

sign of the difference may be computed by a probabilistic polynomial
algorithm with high probability, see Proposition 6.18 and, e.g., the proof
of Proposition 6.17. Replace the output by its complement, if the sign is
negative).
Then
u u
prob(A(n, e, m0 , m1 , c) = m0 : (n, e) ← Ik , m0 ← {0, 1}r ,
u
m1 ← {0, 1}r \ {m0 }, c ← RSAn,e (m0 ))
u u
− prob(A(n, e, m0 , m1 , c) = m0 : (n, e) ← Ik , m0 ← {0, 1}r ,
u
m1 ← {0, 1}r \ {m0 }, c ← RSAn,e (m1 ))
1 1 1
> ≥ 2 .
22r 2P (k) 8k P (k)

Let à be the following algorithm with inputs (n, e) ∈ I, y ∈ Zn , z ∈

{0, 1}r :
u
{ m1 ← {0, 1} , z ̸= m1 .
r
a. Randomly select
1 if A(n, e, z, m1 , y) = z,
b. Ã(n, e, y, z) :=
0 else .

⃝H.
c Delfs and H. Knebl
32 Answers to the Exercises

Then
u u
prob(Ã(n, e, RSAn,e (z), z) = 1 : (n, e) ← Ik , z ← {0, 1}r )
u u u
− prob(Ã(n, e, y, z) = 1 : (n, e) ← Ik , y ← Zn , z ← {0, 1}r )
u u
≈ prob(A(n, e, z, m1 , y) = z : (n, e) ← Ik , z ← {0, 1}r ,
u
m1 ← {0, 1}r \ {z}, y ← RSAn,e (z))
u u
− prob(A(n, e, z, m1 , y) = z : (n, e) ← Ik , z ← {0, 1}r ,
u
m1 ← {0, 1}r \ {z}, y ← RSAn,e (m1 ))
1 1 1
> ≥ 2 ,
22r 2P (k) 8k P (k)

for infinitely many k.

u u
To justify ≈, observe that y ← Zn is the same as m1 ← {0, 1}r , y ←
u
RSAn,e (m1 ) (RSAn,e is bijective !), hence polynomially close to m1 ←
{0, 1}r \ {z}, y ← RSAn,e (m1 ).
We obtained a contradiction to the fact that the r ≤ log2 (|n|) least sig-
nificant bits of RSA are simultaneously secure (see Exercise 7 in Chapter
u
8, there only units are considered as inputs to RSA, but y ← Zn is
u ∗
polynomially close to y ← Zn (Lemma B.23)).
6. In order to decrypt, the recipient of the encrypted message c1 . . . cn uses
his secret trapdoor information to compute the elements xj = fi−1 (cj ).
Then, he obtains m as Bi (x1 ) . . . Bi (xn ).
To prove security, assume that the scheme is not computationally secret.
Let S be a sampling algorithm and A be a distinguishing algorithm, such
that

prob(A(i, m0 , m1 , c) = m0 : i ← K(1k ), {m0 , m1 } ← S(i), c ← E(m0 ))

− prob(A(i, m0 , m1 , c) = m1 : i ← K(1k ), {m0 , m1 } ← S(i), c ← E(m0 ))
1
> ,
P (k)

for some positive polynomial P and infinitely many k (see Exercise 4).
For m0 , m1 ∈ {0, 1}n and 0 ≤ r ≤ n, we denote by sr (m0 , m1 ) the
concatenation of the first n − r bits of m0 with the last r bits of m1 .
Thus, s0 (m0 , m1 ) = m0 and sn (m0 , m1 ) = m1 . We denote by mj,l the
l-th bit of mj . Then sr (m0 , m1 ) = m0,1 m0,2 . . . m0,n−r m1,n−r+1 . . . m1,n .
For 0 ≤ r ≤ n, let
u
pr := prob(A(i, m0 , m1 , c) = m1 : i ← k(1k ),
{m0 , m1 } ← S(i), c ← E(i, sr (m0 , m1 ))).

and

Introduction to Cryptography by H. Delfs and H. Knebl

 9. Provably Secure Encryption 33

pr,m0,l =m1,l
:= prob(A(i, m0 , m1 , c) = m1 |m0,l = m1,l :
u
i ← k(1k ), {m0 , m1 } ← S(i), c ← E(i, sr (m0 , m1 ))).

be the conditional probability assuming that m0,l = m1,l . Analogously

for the condition m0,l ̸= m1,l . ∑n
With this notation, we have pn −p0 > P (k) 1
. Since pn −p0 = r=0 (pr+1 −
pr ), there is some r, 0 ≤ r ≤ n, with pr+1 −pr > nP1(k) (Recall n = Q(k)).
sr (m0 , m1 ) and sr+1 (m0 , m1 ) differ only in the l = n − r − 1-th bit.
Hence sr (m0 , m1 ) = sr+1 (m0 , m1 ), if m0,l = m1,l , and thus pr,m0,l =m1,l =
pr+1,m0,l =m1,l . Therefore, the inequality pr+1 − pr > nP1(k) also implies

1
prob(m0,l ̸= m1,l ) · (pr+1,m0,l ̸=m1,l − pr,m0,l ̸=m1,l ) > .
nP (k)
We can approximately compute the probabilities pr by a probabilistic
polynomial algorithm, with high probability (Proposition 6.18). We con-
clude that for a given positive polynomial T , there is a probabilistic
polynomial algorithm that on input 1k computes an r with pr+1 − pr >
1/nP (k), with probability ≥ 1 − 1/T (k).
Now, we give an algorithm Ã(i, y) which successfully computes the pred-
icate B. In a preprocessing phase, Ã computes an r with pr+1 − pr >
1/nP (k) (with probability ≥ 1 − 1/T (k)). Ã then uses this r for all in-
puts (i, y) with i ∈ Ik . Let l := n − r − 1. Note that sr (m0 , m1 ) and
sr+1 (m0 , m1 ) differ only in the l-th bit. On input (i, y), Ã works as fol-
lows:
a. Compute {m0 , m1 } ← S(i).
u
b. If m0,l = m1,l , then return a random b ← {0, 1} and stop.

c. Else, i.e., if m0,l ̸= m1,l ,

randomly (and uniformly) choose x1 , . . . , xn , such that Bi (xj ) equals
the j-th bit of sr (m0 , m1 ). Let yj := fi (xj ).
(Note that y1 ||y2 || . . . ||yn is an encryption of sr (m0 , m1 ).)
d. Let c := y1 || . . . ||yl−1 ||y||yl+1 || . . . ||yn .

e. If A(i, m0 , m1 , c) = m0 , then return Ã(i, y) = Bi (xl ) = m0,l . Else,

return Ã(i, y) = 1 − Bi (xl ) = 1 − m0,l = m1,l .
We want to prove that for some positive polynomial R and infinitely
many k,
1 1 u u
+ < prob(Ã(i, fi (x)) = Bi (x) : i ← k(1k ), x ← Di )
2 R(k)
= prob(m0,l = m1,l ) · prob(Ã(i, fi (x)) = Bi (x)|m0,l = m1,l )
+ prob(m0,l ̸= m1,l ) · prob(Ã(i, fi (x)) = Bi (x)| m0,l ̸= m1,l )

⃝H.
c Delfs and H. Knebl
34 Answers to the Exercises

1
= prob(m0,l = m1,l ) ·
2
+ prob(m0,l ̸ m1,l ) · prob(Ã(i, fi (x)) = Bi (x)| m0,l ̸= m1,l )
=
=: (1),
u u
where the probabilities are taken over i ← k(1k ), x ← Di and the coin
tosses. This will be the desired contradiction to the fact that B is a
hard-core predicate. The following probabilities are computed under the
assumption that m0,l ̸= m1,l (we omit the assumption in our notation).
prob(Ã(i, fi (x)) = Bi (x)))
= prob(Bi (x) = m0,l ) · prob(Ã(i, fi (x)) = m0,l |Bi (x) = m0,l ))
+ prob(Bi (x) = m1,l ) · prob(Ã(i, fi (x)) = m1,l |Bi (x) = m1,l ))
1 1
= q1 + · q2 + ε
2 2
=: (2)
with
u
q1 := prob(A(i, m0 , m1 , c) = m0 : i ← k(1k ),
{m0 , m1 } ← S(i), c ← E(i, sr (m0 , m1 )))
u
= 1 − prob(A(i, m0 , m1 , c) = m1 : i ← k(1k ),
{m0 , m1 } ← S(i), c ← E(i, sr (m0 , m1 )))
= 1 − pr,m0,l ̸=m1,l ,

u
q2 := prob(A(i, m0 , m1 , c) = m1 : i ← k(1k ),
{m0 , m1 } ← S(i), c ← E(i, sr+1 (m0 , m1 )))
= pr+1,m0,l ̸=m1,l
and a negligibly small ε, i.e., given a positive polynomial U , ε ≤ 1/U (k)
for sufficiently large k (see Exercise 7 in Chapter 6).
Thus
1
(2) = + pr+1,m0,l ̸=m1,l − pr,m0,l ̸=m1,l + ε.
2
We insert (2) in (1) and get
1
(1) = + prob(m0,l ̸= m1,l ) · (pr+1,m0,l ̸=m1,l − pr,m0,l ̸=m1,l + ε)
2
1 1 1
> + (1 − )· +ε
2 T (k) nP (k)
1 1 1 1
> + = + ,
2 2nP (k) 2 2Q(k)P (k)
for infinitely many k.
The proof is finished.

Introduction to Cryptography by H. Delfs and H. Knebl

 9. Provably Secure Encryption 35

7. To decrypt an encrypted message c1 . . . cn , Bob checks (by using the

factorization of n), whether cj is a quadratic residue or not.
The security proof is almost identical to the proof of Exercise 6. It leads
to a contradiction to statement 2 in Exercise 9 in Chapter 6, which is
equivalent to the quadratic residuosity assumption (see Exercise 9).
8. a) Let x0 , x1 ∈ F2l , x0 ̸= x1 . Multiplying in F2l by some element x ∈ F2l
is a linear map over F2 . Thus, a 7→ a · (x1 − x0 ) can be computed by an
l × l-matrix M over F2 . M is invertible, because x1 ̸= x0 . Let M ′ be the
first f rows of M . Then M ′ has rank f . Therefore

|{a ∈ F2l | M ′ · a = 0}| = 2l−f and hence

prob(msb(a · x0 ) = msb(a · x1 ) : a ← F2l ) = 2l−f · 2−l = 2−f .

u

b) Let x0 , x1 , z0 , z1 ∈ F2l , x0 =
̸ x1 and y0 , y1 ∈ F2f . The equation
( )( ) ( )
x0 1 a0 z0
=
x1 1 a1 z1

has exactly one solution, since x0 ̸= x1 and hence, the matrix is invertible.
Thus

|{(a0 , a1 ) | ha0 ,a1 (x0 ) = y0 , ha0 ,a1 (x1 ) = y1 }| = 2l−f 2l−f and

prob(ha0 ,a1 (x0 ) = y0 , ha0 ,a1 (x1 ) = y1 : a0 ← F2l , a1 ← F2l ) = 2−f · 2−f
u u

1
= .
|F2f |2

⃝H.
c Delfs and H. Knebl
36 Answers to the Exercises

10. Provably Secure Digital Signatures

1. We can use a pair of claw-free one-way permutations to construct a
collision-resistant compression function {0, 1}l(k) −→ {0, 1}g(k) , m 7→
fm,i (x) with some l(k) > g(k), as in Section 10.2. The collision resistance
can be proven as in the proof of Proposition 10.7. Here, the prefix-free
encoding is not necessary, since all strings in the domain have the same
binary length. Then, we can derive a provably collision-resistant family
of hash functions by applying Merkle’s meta method.
2. Let K be the key generator of H.
Let A(i, y) be a probabilistic algorithm with output in {0, 1}≤li which
successfully computes pre-images, i.e., there is a positive polynomial P ,
such that
1
prob(A(i, hi (x)) ∈ h−1 ≤li
u
i (hi (x)) : i ← K(1 ), x ← {0, 1} )≥
k
P (k)
for k in an infinite subset K ⊆ N.

By Dk we denote the subset {(i, x) | i ∈ Ik , x ∈ {0, 1}≤li , h−1

i (h(x)) =
{x}} of those (i, x) where x is the only pre-image of hi (x) and by Di be
the set of elements of Dk with key i. hi maps Di injectively to {0, 1}g(k) .
Thus Di contains at most 2g(k) elements. Moreover, we have li ≥ g(k)+k
by assumption, thus
∑ 2g(k) ∑ 1 1
prob(Dk ) ≤ prob(i) · ≤ prob(i) k = k .
−1
2li +1 2 2
i∈Ik i∈Ik

the computation, observe that the number of bit strings ≤ li is equal

In ∑
li
to j=1 2j = 2li +1 − 1.
Let Di := {0, 1}≤li \ Di be the complement of Di .
Lemma B.10 tells us that
1 1 1
prob(A(i, hi (x)) ∈ h−1
u
i (hi (x)) : i ← K(1 ), x ← Di ) ≥ − ≥
k
P (k) 2k 2P (k)

for k in an infinite subset K′ ⊆ N.

Now let Ã(i) be the following algorithm:
u
a. Randomly choose x ← {0, 1}≤li .
b. Return (x, A(i, hi (x)).
If x ̸= A(i, hi (x)) and A(i, hi (x)) ∈ h−1
i (hi (x)), then à returns a collision
of H. (In fact,the algorithm computes a second pre-image. Therefore, our
proof will even show that second-pre-image resistance implies the one-
way property.)
We compute the probability of this event.

Introduction to Cryptography by H. Delfs and H. Knebl

 10. Provably Secure Digital Signatures 37

prob(x ̸= A(i, hi (x)), A(i, hi (x)) ∈ h−1

i (hi (x)) :
i ← K(1k ), x ← {0, 1}≤li )
u

≥ prob(x ̸= A(i, hi (x)), A(i, hi (x)) ∈ h−1

i (hi (x)) :
u 1
i ← K(1k ), x ← Di ) − (Lemma B.10)
2k
= prob(A(i, hi (x)) ∈ h−1
u
i (hi (x)) : i ← K(1 ), x ← Di )
k

· prob(x ̸= A(i, hi (x)) |A(i, hi (x)) ∈ h−1

i (hi (x)) :
u 1
i ← K(1k ), x ← Di ) −
2k
1 1 1
≥ · −
2P (k) 2 2k
1
≥
5P (k)
for infinitely many k ∈ K′ . This is a contradiction, since H is assumed to
be collision-resistant. Note that for x ∈ Di the fibre h−1
i (hi (x)) contains
more than one element. So, for a randomly chosen x, the probability that
x ̸= A(i, hi (x)) is ≥ 1/2.
3. a) RSA:
The attacks discussed in Section 3.3.1 are key-only attacks against the
RSA one-way function which may result in the retrieval of secret keys.
Forging signed messages (me , m) (Section 3.3.2) is an existential forgery
by a key-only attack. The “homomorphism attacks” can be used for uni-
versal forgery by chosen-message attacks.
b) ElGamal:
The retrieval of secret keys is possible, if the random number k is figured
out by the adversary in a known-signatures attack (see Section 3.5.2).
Existential forgery by a key-only attack is possible (loc.cit.). If step 1 in
the verification procedure is omitted, then signatures can be universally
forged by a known-signature attack, as Bleichenbacher observed (loc.cit.).

4. a. Retrieving the secret key by a key-only attack means to determine the

private key x from y = −x−2 . Since x is chosen randomly, this means
that the adversary has a probabilistic algorithm A(n, z) that com-
putes square roots from randomly chosen elements z ∈ QRn , with
a non-negligible probability (the probability taken over the random
choice of n and x). Then, the adversary can also compute the prime
factors of n with a non-negligible probability (Proposition A.64).
b. Take any s1 , s2 and compute m := s21 + ys22 . Then, (s1 , s2 ) is a valid
signature for m.
c. For a given m, about n of the n2 pairs (s1 , s2 ) are solutions of m =
s21 + ys22 . Choosing a pair randomly (and uniformly), the probability
that it is a solution is about n−1 ≈ 2−|n| and hence negligible.

⃝H.
c Delfs and H. Knebl
38 Answers to the Exercises

d. The adversary has to own a probabilistic polynomial algorithm

A(n, y, m) which yields solutions of m = s21 + ys22 (modulo n) with a
non-negligible probability.
5. a. We have f[m],i (σ(i, x, m)) = x = f[m′ ],i (σ(i, x, m′ )). Let [m] =
m1 . . . mr and [m′ ] = m′1 . . . m′r′ . Let l be the smallest index u with
mu ̸= m′u . Such an index l exists, since neither [m] is a prefix of [m′ ]
nor vice versa. We have fml ...mr ,i (σ(i, x, m)) = fm′l ...m′r′ ,i (σ(i, x, m′ )),
since f0,i and f1,i are injective. Then fml+1 ...mr ,i (σ(i, x, m))
and fm′l+1 ...m′r′ ,i (σ(i, x, m′ )) are a claw of (f0 , f1 ).

b. A successful existential forgery by a key-only attack computes a valid

signature σ(i, x, m) from (i, x), for some message m. Let b be the first
−1
bit of [m], i.e., [m] = bm′ . Then fm′ ,i (σ(i, x, m) = fb,i (x). Thus, a
pre-image of x may be computed from (i, x), for f0,i or f1,i . We ob-
tain a contradiction to the one-way property of f0 and f1 .

c. Adaptively-chosen-message attack means in a one-time signature

scheme that the adversary knows the signature σ of one message m
of his choice and tries to forge the signature σ ′ for another message
m′ .
Assume that a successful forger F exists performing an adaptively-
chosen-message attack. Then, we can define an algorithm A which
computes claws of f0 , f1 with a non-negligible probability.
On input i ∈ Ik , A works as follows:
u
i. Randomly choose a message m̃ ← {0, 1}c⌊log2 (k)⌋ .
u
ii. Randomly choose x ← Di and compute z := f[m̃],i (x).
iii. Call F (i, z) with the key (i, z).
Note that z is also uniformly distributed in Di , since x was chosen
uniformly and f[m̃],i is bijective.
iv. F (i, z) requests the signature σ for a message m. If m = m̃ (which
happens with probability ≥ 1/kc ), then σ = x is supplied to F .
Otherwise, A returns with a failure.
v. If F (i, z) now returns a valid forged signature σ ′ for a message
m′ ̸= m, then A easily finds a claw of f0 , f1 , as shown in a).
A’s probability of success is greater than or equal to F ’s probability
of success multiplied by 1/kc , hence non-negligible. This is a contra-
diction.
d. We do not know how to simulate the legitimate signer and provide the
forger with the requested signature, with a non-negligible probability.
The approach of c), simply to guess the message in advance, does not
work, if there are exponentially many messages.
6. a) The verification procedure for a signature σ = (s, m̂) for m is:
1. Check whether m̂ is well-formed, i.e., m̂ = [m̂1 ]|| . . . ||[m̂r ] with mes-
sages mj ∈ {0, 1}∗ .

Introduction to Cryptography by H. Delfs and H. Knebl

 10. Provably Secure Digital Signatures 39

2. Check fm̂||[m],i (s) = x.

The first step cannot be omitted, in general. Take, e.g., the prefix-free
encoding given in Section 10.2, and assume that an adversary learns a
valid signed message (m, (s, m̂)), m̂ = [m1 ]|| . . . ||[mr ]. Let t be a proper
tail of m (i.e., m = ũ||t, t ̸= m), and let u be defined by [m] = u||[t]. Then
(s, m̂||u) is a valid signature for t, i.e., it passes step 2 of the verification
procedure.
b) Assume there is a probabilistic polynomial algorithm
F (i, x, m1 , σ1 , . . . , ml , σl ) that tries to forge a signature for m̃ ̸= m1 , . . . , ml ,
when supplied with i, x and all the signatures for messages m1 , . . . , ml
that were generated before by the user with key (i, x) (l = l(k) a polyno-
mial function). Recall that the messages of user (i, x) are generated by
the probabilistic polynomial algorithm M (i). Assume that F is success-
ful. This means that there is a positive polynomial, such that

prob(F (i, x, m1 , σ(i, x, m1 ), . . . , ml , σ(i, x, ml )) = (m̃, σ̃),

u u
V erif y(m̃, σ̃) = accept : i ← Ik , x ← Di , (m1 , . . . , ml ) ← M (i))
1
> ,
P (k)

for k in an infinite subset K ⊆ N.

We now define an algorithm à which, with non-negligible probability,
either finds a claw of f0 , f1 or inverts f0 resp. f1 . This will be the desired
contradiction. Ã works on input i, x as follows:
a. (m1 , . . . , ml ) := M (i). Let m := [m1 ]|| . . . ||[ml ].
b. Let z := fm,i (x) = f[m1 ],i (f[m2 ],i (. . . f[ml ],i (x) . . .)).
c. Generate the signatures

σ(i, z, m1 ) = (f[m2 ],i (. . . f[ml ],i (x), ε)

σ(i, z, m2 ) = (f[m3 ],i (. . . f[ml ],i (x), [m1 ])

...
σ(i, z, ml ) = (x, [m1 ]|| . . . ||[ml−1 ]).
Here, ε denotes the empty string.
d. (m̃, σ̃) := F (i, z, m1 , σ(i, z, m1 ), . . . , ml , σ(i, z, ml )).
We have σ̃ = (s, m̂) and m̃ ̸= mj , 1 ≤ j ≤ l. If (m̃, σ̃) does not
pass the verification procedure, we return some random element and
stop. Otherwise, if (m̃, σ̃) is a valid signature, i.e., fm̂||[m̃],i (s) = z,
we continue.
e. m̂||[m̃] is not a prefix of m, because otherwise m̃ would be equal to
one of the mj . Here, note that by step 1 in the verification procedure,
m̂ is well-formed with respect to the prefix-free encoding.
The algorithm now distinguishes two cases.

⃝H.
c Delfs and H. Knebl
40 Answers to the Exercises

f. Case 1: m is not a prefix of m̂||[m̃].

We have σ(i, z, ml ) = (x, . . .). Since fm,i (x) = z = fm̂||[m̃] (s), we
immediately find a claw of f0,i , f1,i , as in Exercise 6 a). We return
this claw.
g. Case 2: m is a prefix of m̂||[m̃].
Let m̂||[m̃] = m||u. Note that u ̸= ε, because m̃ ̸= ml . Let u =
−1
bu′ , b ∈ {0, 1}. Since fu,i (s) = fm,i (z) = x, we can immediately
−1
compute fb,i (x) = fu′ ,i (s). We return this pre-image.
We have
−1 −1
prob(A(i, x) is a claw or one of the pre-images f0,i (x), f1,i (x) :
u u
i ← Ik , x ← D i )
= prob(F (i, fm,i (x), m1 , σ(i, fm,i (x), m1 ), . . . , ml , σ(i, fm,i (x), ml ))
= (m̃, σ̃),
V erif y(m̃, σ̃) = accept :
u u
i ← Ik , (m1 , . . . , ml ) ← M (i), x ← Di )
= prob(F (i, z, m1 , σ(i, z, m1 ), . . . , ml , σ(i, z, ml )) = (m̃, σ̃),
u u
V erif y(m̃, σ̃) = accept : i ← Ik , (m1 , . . . , ml ) ← M (i), z ← Di )
1
> ,
P (k)

for infinitely many k, a contradiction to the claw-freeness and the one-

way property of f0 , f1 .
u
Note that fm,i is a permutation of Di and hence z = fm,i (x), x ← Di is
u
the uniform distribution z ← Di .

Introduction to Cryptography by H. Delfs and H. Knebl