Homework 2: Advanced Cryptography University of Michigan, Winter 2016 Instructor: Chris Peikert Student: SOLUTIONS

This homework assignment involves solving cryptography problems related to pseudorandom functions and the differences between multi-message security and adaptive security for encryption schemes. The document provides instructions for submitting solutions, including formatting requirements and collaboration policies. It then presents four problems involving pseudorandom functions and the security definitions. Sample solutions are provided for parts of the problems.
Advanced Cryptography, University of Michigan, Winter 2016
Homework 2
Instructor: Chris Peikert
Student: SOLUTIONS

This homework is due by 7pm on January 29 via the course Canvas page. Start early!
Instructions. Solutions must be typed, preferably in LaTeX (a template for this homework is available on the
course web page). Your work will be graded on correctness, clarity, and concision. You should only submit
work that you believe to be correct; if you cannot solve a problem completely, you will get significantly more
partial credit if you clearly identify the gap(s) in your solution. It is good practice to start any long solution
with an informal (but accurate) “proof summary” that describes the main idea.
You may collaborate with others on this problem set and consult external sources. However, you must write
your own solutions and list your collaborators/sources for each problem.
1. (Pseudorandom functions.) Let $F$ be a pseudorandom function. For each of the following, state whether $F'$
is necessarily a pseudorandom function. If yes, prove it; if not, demonstrate a counterexample.
(a) $F'_k(x) = F_k(0\|x) \,\|\, F_k(1\|x)$

Solution: We claim that $F'$ is a pseudorandom function. To show this we use a hybrid argument.
We define hybrid experiments that each give oracle access to a function:

• $H_0$ is the real game: oracle access to $F'_k(x) = F_k(0\|x) \,\|\, F_k(1\|x)$ where $k \leftarrow K$ is
chosen uniformly at random from the keyspace.
• $H_1$ is oracle access to the function $f'(x) = f(0\|x) \,\|\, f(1\|x)$, where $f : X \to Y$ is a
uniformly random function.
• $H_2$ is the ideal experiment: oracle access to a uniformly random function $U : X \to Y \times Y$.

By definition, for any efficient adversary $A'$ we have
$$\mathrm{Adv}_{F'}(A') = \mathrm{Adv}_{H_0,H_1}(A') + \mathrm{Adv}_{H_1,H_2}(A').$$

Next we show that each of the two terms on the right is negligible, hence so is their sum, as
desired. In fact, we will show that $H_1$ and $H_2$ are identical, so $\mathrm{Adv}_{H_1,H_2}(A') = 0$.
$H_0$ and $H_1$ are indistinguishable. We use $A'$ to build an adversary $A$ against $F$ which has
oracle access to some $O$ and works as follows: $A$ runs $A'$; whenever $A'$ queries some $x$, $A$
queries its own oracle to get $y_0 = O(0\|x)$ and $y_1 = O(1\|x)$ and gives $y_0 \| y_1$ to $A'$. One
can verify that $A$ perfectly simulates $H_0$ and $H_1$ when $O = F_k$ and $O$ is a uniformly random
function, respectively. Therefore, the advantage of $A$ against $F$ is
$$\begin{aligned}
\mathrm{Adv}_F(A) &= \Pr_{k \leftarrow K}[A^{F_k(\cdot)} = 1] - \Pr_{f}[A^{f(\cdot)} = 1] \\
&= \Pr_{k \leftarrow K}[A'^{F'_k(\cdot)} = 1] - \Pr_{f}[A'^{f'(\cdot)} = 1] \\
&= \mathrm{Adv}_{H_0,H_1}(A').
\end{aligned}$$
Because $F$ is a PRF and $A$ is efficient, $\mathrm{Adv}_F(A)$ must be negligible, hence so is $\mathrm{Adv}_{H_0,H_1}(A')$.
$H_1$ and $H_2$ are identical. We show that $f'$ as defined in $H_1$ is a uniformly random function, and
thus $H_1$ and $H_2$ are actually identical experiments. To see this, observe that every new input $x$
to $f'$ corresponds to two new inputs $0\|x, 1\|x$ to $f$, which returns two uniformly random and
independent values in $Y$. Thus $f'$ is a uniformly random function from $X$ to $Y \times Y$.

(b) $F'_k(x) = F_k(0\|x) \,\|\, F_k(x\|1)$

Solution: $F'$ is never a PRF when $F$'s input length $\ell \ge 2$ (and its output length is at least
1). We describe an effective and efficient attacker $A$. The attacker first queries its oracle on
$x_1 = 0^{\ell-2}\|1$ and gets $y_1 \| y_2 = O(x_1)$, then it queries $x_2 = 0^{\ell-1}$ to get $y_3 \| y_4 = O(x_2)$.
Finally, it accepts if and only if $y_1 = y_4$, and rejects otherwise.
When $O = F'_k$ for some $k$, we have $y_1 = y_4 = F_k(0^{\ell-1}\|1)$, therefore $A$ always accepts. On
the other hand, when $O$ is a truly random function, then because $x_1 \ne x_2$, we know that $y_1$
and $y_4$ are uniformly random and independent, hence they are equal (making $A$ accept) with
probability $1/|Y| \le 1/2$. Thus $\mathrm{Adv}_{F'}(A) = 1 - 1/|Y| \ge 1/2$, which is non-negligible.

(c) $F'_k(x) = F_k(G(x))$ where $G$ is a pseudorandom generator.

Solution: $F'$ is not necessarily a pseudorandom function, as the following counterexample
shows. Let $G$ be the PRG defined as $G(s) = G'(\mathrm{trunc}(s))$, where $G'$ has expansion $\ell(n) \ge
n + 2$. In words, $G$ ignores the last bit of its input. We showed in the previous homework that
$G$ is a PRG.
Now notice that for any key $k$ and any $x$, we have $F'_k(x\|0) = F'_k(x\|1) = F_k(G'(x))$. Using
this observation we build an efficient distinguisher $A$ against $F'$ as follows: given access to an
oracle $O$, query $y_1 = O(0^{m-1}\|0)$ and $y_2 = O(0^{m-1}\|1)$, where $m$ is the input length. Accept
if and only if $y_1 = y_2$, and reject otherwise. Clearly,
$$\Pr_{k}[A^{F'_k(\cdot)} = 1] = 1.$$
On the other hand, for a uniformly random function $f$,
$$\Pr_{f}[A^{f(\cdot)} = 1] = 1/|Y| \le 1/2.$$
Therefore, $A$'s advantage against $F'$ is $\mathrm{Adv}_{F'}(A) = 1 - \frac{1}{|Y|} \ge 1/2$, which is non-negligible.
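The distinguishers from parts (b) and (c), run against a real and an ideal oracle, as an added example that is not part of the original solutions. The underlying PRF $F$ is instantiated with HMAC-SHA256 on 16-bit inputs with one-byte outputs, $G'$ with a SHA-256-based expander, and the random-function oracles are sampled lazily (all assumptions made for the demo); the advantage is estimated empirically.

```python
import hashlib, hmac, os, secrets

ELL = 16  # input length (bits) of the underlying PRF F; chosen for this demo (assumption)

def F(k: bytes, x: str) -> int:
    """PRF F_k on ELL-bit strings with Y = {0,1}^8, instantiated with HMAC-SHA256 (assumption)."""
    assert len(x) == ELL and set(x) <= {"0", "1"}
    return hmac.new(k, x.encode(), hashlib.sha256).digest()[0]

class RandomFunction:
    """Lazily sampled uniformly random function into Y (|Y| = 256): the ideal-world oracle."""
    def __init__(self):
        self.table = {}
    def __call__(self, x: str) -> int:
        if x not in self.table:
            self.table[x] = secrets.randbelow(256)
        return self.table[x]

# Part (b): F'_k(x) = F_k(0||x) || F_k(x||1) for x of length ELL-1.
def real_oracle_b():
    k = os.urandom(32)
    return lambda x: (F(k, "0" + x), F(k, x + "1"))

def ideal_oracle_b():
    u = RandomFunction()
    return lambda x: (u(x + "L"), u(x + "R"))   # two independent values per x

def attacker_b(oracle) -> bool:
    y1, _ = oracle("0" * (ELL - 2) + "1")   # x1 = 0^{l-2}||1, so 0||x1 = 0^{l-1}||1
    _, y4 = oracle("0" * (ELL - 1))         # x2 = 0^{l-1},    so x2||1 = 0^{l-1}||1
    return y1 == y4

# Part (c): F'_k(x) = F_k(G(x)) with G(s) = G'(trunc(s)), where trunc drops the last bit
# and G' is instantiated as a SHA-256-based expander truncated to ELL bits (assumption).
def G(s: str) -> str:
    bits = "".join(format(b, "08b") for b in hashlib.sha256(s[:-1].encode()).digest())
    return bits[:ELL]

def real_oracle_c():
    k = os.urandom(32)
    return lambda x: F(k, G(x))

def attacker_c(oracle) -> bool:
    x = "0" * (ELL - 1)
    return oracle(x + "0") == oracle(x + "1")   # inputs differ only in the bit G ignores

def estimate_advantage(real, ideal, attacker, trials=300):
    """Empirical Pr[A accepts | real] - Pr[A accepts | ideal]; expect about 1 - 1/|Y|."""
    real_rate = sum(attacker(real()) for _ in range(trials)) / trials
    ideal_rate = sum(attacker(ideal()) for _ in range(trials)) / trials
    return real_rate, ideal_rate, real_rate - ideal_rate
```

For part (c) the ideal oracle is simply `RandomFunction` itself, since the ideal world is a random function on the same input length.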

(d) (Optional challenge.) $F'_k(x) = G(F_k(x))$ where $G$ is a pseudorandom generator.

Solution: $F'$ is a PRF. We sketch the solution, leaving the details as an exercise. We first
consider a hybrid game where we give oracle access to $H(x) = G(U(x))$, where $U$ is a
uniformly random function. A straightforward reduction shows that this is indistinguishable
from the real game, using the fact that $F$ is a PRF.
Next, we consider a sequence of hybrid games for $i = 1, 2, \ldots, q$, where $q = \mathrm{poly}(n)$ is an
upper bound on the number of queries the adversary makes. In the $i$th of these hybrid games,
the first $i$ new queries are answered with uniformly random and independent answers, and the
remainder are answered as $G(U(\cdot))$. (Duplicate queries are always answered consistently.)
Clearly, the last of these hybrids is identical to the ideal game, i.e., a uniformly random function.
Moreover, a simple reduction shows that adjacent hybrids are indistinguishable, using the fact
that $G$ is a PRG. The reduction receives a string $y$ which is either $G(s)$ (for uniform $s$) or truly

random. It answers the first $i - 1$ new queries with random strings, answers the next new query
with $y$, and answers the remaining new queries by $G(U(\cdot))$, “lazily” constructing the random
function $U$ itself. One can verify that this reduction perfectly simulates the $(i-1)$st or $i$th
hybrid, depending on whether $y$ is $G(s)$ or truly random, respectively.

2. (Multi-message security vs. adaptive security.) Recall that (non-adaptive) multi-message security for a
symmetric-key encryption scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ says that for any $q = \mathrm{poly}(n)$ and any two tuples
$(m_1, \ldots, m_q), (m'_1, \ldots, m'_q) \in \mathcal{M}^q$ of messages, the following are computationally indistinguishable:
$$\langle k \leftarrow \mathrm{Gen} : (\mathrm{Enc}_k(m_1), \ldots, \mathrm{Enc}_k(m_q)) \rangle \overset{c}{\approx} \langle k \leftarrow \mathrm{Gen} : (\mathrm{Enc}_k(m'_1), \ldots, \mathrm{Enc}_k(m'_q)) \rangle.$$

By contrast, adaptive (or IND-CPA) security says that the following two oracles are indistinguishable:
$$\left\{ k \leftarrow \mathrm{Gen} : E^0_k(\cdot,\cdot) \right\} \overset{c}{\approx} \left\{ k \leftarrow \mathrm{Gen} : E^1_k(\cdot,\cdot) \right\},$$
where oracle $E^b_k(m_0, m_1)$ outputs $\mathrm{Enc}_k(m_b)$ (using fresh randomness for each call).
Give a separation between these two definitions: construct a (possibly contrived) scheme and prove it
secure according to the former definition (using some standard assumption), while showing that it is
insecure according to the latter definition.
(Hint: define an $\mathrm{Enc}_k(\cdot)$ that: 1. “acts insecurely” on a secret unpredictable message $m^*$, but “acts
securely” on all others; and 2. reveals $m^*$ via an adaptive attack.)

Solution: Let $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be a multi-message-secure scheme with message space $\mathcal{M} =
\{0,1\}^n$. We construct another scheme $\Pi' = (\mathrm{Gen}', \mathrm{Enc}', \mathrm{Dec}')$ as follows:

• $\mathrm{Gen}'$: choose $k \leftarrow \mathrm{Gen}$ and a uniform $k^* \leftarrow \mathcal{M}$, and output $k \| k^*$.
• $\mathrm{Enc}'_{k\|k^*}(m)$: if $m = k^*$, output $0$; otherwise output $\mathrm{Enc}_k(m) \| k^*$.
• $\mathrm{Dec}'_{k\|k^*}$: if the input is $c \| k^*$ for some $c$, output $\mathrm{Dec}_k(c)$; on input $0$, output $k^*$.

Notice that the $k^*$ component of the key isn't used in $\mathrm{Enc}'$, except as a “backdoor” to make it behave
insecurely on the special message $m^* = k^*$.
$\Pi'$ is not IND-CPA secure. We describe an efficient adaptive attacker $A$: given an oracle $O(\cdot,\cdot)$, it
first queries the oracle on $(m_0, m_0) \in \mathcal{M} \times \mathcal{M}$ for some arbitrary message $m_0$ and receives some
$c_0$. Observe that if $c_0 = 0$, then this means that $k^* = m_0$; otherwise, $c_0 = c \| k^*$, so in both cases $A$
learns $k^*$. Next, $A$ queries $O$ on $(k^*, m)$ where $m \ne k^*$ is an arbitrary message. Finally, $A$ accepts
if the second response is $0$, otherwise it rejects. Now clearly,
$$\Pr[A^{E^0_k(\cdot,\cdot)} = 1] = 1$$
and
$$\Pr[A^{E^1_k(\cdot,\cdot)} = 1] = 0,$$

therefore $\mathrm{Adv}^{\text{ind-cpa}}_{\Pi'}(A) = 1$, which is non-negligible.
$\Pi'$ is multi-message secure. The intuition is that because the sequences of messages are fixed ahead
of time, it is extremely unlikely that any of them will match the random choice of $k^* \leftarrow \mathcal{M}$ by $\mathrm{Gen}'$.
Therefore, the “backdoor” will not be triggered for any of them, so the multi-message security of $\Pi$
ensures the multi-message security of $\Pi'$. We now proceed formally.
We want to show that for any $q = \mathrm{poly}(n)$ and for any two tuples $(m_1, \ldots, m_q), (m'_1, \ldots, m'_q) \in
\mathcal{M}^q$ of messages:
$$\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}'_{k\|k^*}(m_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m_q)) \rangle \overset{c}{\approx}
\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}'_{k\|k^*}(m'_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m'_q)) \rangle.$$
We do this formally using a hybrid argument. Define the following hybrid experiments:

• $H_0$ is $\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}'_{k\|k^*}(m_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m_q)) \rangle$.
• $H_1$ is $\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}_k(m_1) \| k^*, \ldots, \mathrm{Enc}_k(m_q) \| k^*) \rangle$.
• $H_2$ is $\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}_k(m'_1) \| k^*, \ldots, \mathrm{Enc}_k(m'_q) \| k^*) \rangle$.
• $H_3$ is $\langle k \leftarrow \mathrm{Gen}, k^* \leftarrow \mathcal{M} : (\mathrm{Enc}'_{k\|k^*}(m'_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m'_q)) \rangle$.

By definition, for any efficient adversary $A'$ we have
$$\mathrm{Adv}_{H_0,H_3}(A') = \mathrm{Adv}_{H_0,H_1}(A') + \mathrm{Adv}_{H_1,H_2}(A') + \mathrm{Adv}_{H_2,H_3}(A').$$
Next we show that each of the terms on the right is negligible, hence so is their sum, as desired.
$H_0$ and $H_1$ are “essentially” identical. The probability that any one of $m_1, m_2, \ldots, m_q$ equals $k^*$
is at most $\frac{q}{|\mathcal{M}|}$. Therefore with probability at least $1 - \frac{q}{|\mathcal{M}|}$ over the choice of $k^*$:
$$(\mathrm{Enc}'_{k\|k^*}(m_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m_q)) = (\mathrm{Enc}_k(m_1) \| k^*, \ldots, \mathrm{Enc}_k(m_q) \| k^*).$$
Therefore,
$$\Pr_{k \leftarrow \mathrm{Gen},\, k^* \leftarrow \mathcal{M}}[A'(\mathrm{Enc}'_{k\|k^*}(m_1), \ldots, \mathrm{Enc}'_{k\|k^*}(m_q)) = 1] \le
\Pr_{k \leftarrow \mathrm{Gen},\, k^* \leftarrow \mathcal{M}}[A'(\mathrm{Enc}_k(m_1) \| k^*, \ldots, \mathrm{Enc}_k(m_q) \| k^*) = 1] + \frac{q}{|\mathcal{M}|}.$$
Thus $\mathrm{Adv}_{H_0,H_1}(A') \le \frac{q}{|\mathcal{M}|}$, which is negligible.
$H_1$ and $H_2$ are indistinguishable. Using $A'$ we build an efficient attacker $A$ for the multi-message
security of $\Pi$. Given a tuple of ciphertexts $(c_1, \ldots, c_q)$, $A$ chooses a uniformly random $k^* \leftarrow \mathcal{M}$
and outputs $A'(c_1 \| k^*, \ldots, c_q \| k^*)$. It is clear that $A$ perfectly simulates $H_1$ or $H_2$, respectively,
based on whether the tuple of ciphertexts encrypts $(m_1, \ldots, m_q)$ or $(m'_1, \ldots, m'_q)$. Therefore,
$\mathrm{Adv}_\Pi(A) = \mathrm{Adv}_{H_1,H_2}(A')$. Because $A$ is efficient and $\Pi$ is multi-message secure, the left-hand side
is negligible, so the right-hand side is as well.
$H_2$ and $H_3$ are indistinguishable. The proof is essentially identical to the one showing that $H_0$ and
$H_1$ are indistinguishable, so we won't repeat it.
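The scheme $\Pi'$ and the adaptive attacker $A$ from this solution, as an added example that is not the homework's own code. It assumes $\Pi$ is the PRF-based scheme $\mathrm{Enc}_k(m) = r \,\|\, (F_k(r) \oplus m)$ with HMAC-SHA256 as $F$ and 16-byte messages, and that the ciphertext "$0$" is encoded as the single byte `b"\x00"`, which has a length no ordinary $\Pi'$ ciphertext can have.

```python
import hashlib, hmac, os, secrets

N = 16  # message length in bytes, i.e. M = {0,1}^128 (assumption for this demo)

# Pi: the PRF-based scheme Enc_k(m) = r || (F_k(r) XOR m) with fresh random r, using
# HMAC-SHA256 as the PRF F (assumption). Pi is multi-message (indeed IND-CPA) secure.
def gen() -> bytes:
    return os.urandom(32)

def enc(k: bytes, m: bytes) -> bytes:
    r = os.urandom(N)
    pad = hmac.new(k, r, hashlib.sha256).digest()[:N]
    return r + bytes(a ^ b for a, b in zip(pad, m))

def dec(k: bytes, c: bytes) -> bytes:
    pad = hmac.new(k, c[:N], hashlib.sha256).digest()[:N]
    return bytes(a ^ b for a, b in zip(pad, c[N:]))

# Pi': key k||k* with k* uniform in M. The solution's ciphertext "0" is encoded as the one
# byte b"\x00", which no ordinary Pi' ciphertext (3N bytes long) can equal.
BACKDOOR = b"\x00"

def gen_prime():
    return gen(), secrets.token_bytes(N)

def enc_prime(key, m: bytes) -> bytes:
    k, kstar = key
    return BACKDOOR if m == kstar else enc(k, m) + kstar

def dec_prime(key, c: bytes) -> bytes:
    k, kstar = key
    return kstar if c == BACKDOOR else dec(k, c[:-N])

def lr_oracle(key, b: int):
    """E^b_k(m0, m1) = Enc'_k(m_b): the left-or-right oracle of the IND-CPA game."""
    return lambda m0, m1: enc_prime(key, (m0, m1)[b])

def adaptive_attacker(oracle) -> bool:
    """A from the solution: learn k* from any ciphertext, then ask for (k*, m) with m != k*."""
    m0 = bytes(N)
    c0 = oracle(m0, m0)
    kstar = m0 if c0 == BACKDOOR else c0[-N:]   # k* trails every ordinary ciphertext
    m = bytes([kstar[0] ^ 1]) + kstar[1:]       # any message different from k*
    return oracle(kstar, m) == BACKDOOR         # accept iff the oracle encrypted k*

def run_ind_cpa_game(b: int) -> bool:
    """A's output against E^b: always 1 in world 0 (left) and always 0 in world 1 (right)."""
    return adaptive_attacker(lr_oracle(gen_prime(), b))
```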

3. In a network where all data is sent via broadcast (e.g., WiFi), we might want communication to be
anonymous. Informally, this means that an eavesdropping adversary should not be able to learn,
given a ciphertext, anything about who the sender and intended recipient are.
(a) Give a formal definition of anonymity under adaptive chosen-plaintext attack for a symmetric-key
encryption scheme (Gen, Enc, Dec). Your definition should capture (only) the intuition that it is
hard to distinguish which one of two secret keys a ciphertext was encrypted under, even given other
ciphertexts encrypted under those keys.

Solution: We formally capture the following game: first, two secret keys $k_0$ and $k_1$ are
generated. The adversary is given access to three oracles: $\mathrm{Enc}_{k_0}(\cdot)$, $\mathrm{Enc}_{k_1}(\cdot)$, and $O(\cdot)$, where
$O$ is either $\mathrm{Enc}_{k_0}(\cdot)$ or $\mathrm{Enc}_{k_1}(\cdot)$. The adversary should not be able to tell whether $O$ is $\mathrm{Enc}_{k_0}(\cdot)$
or $\mathrm{Enc}_{k_1}(\cdot)$.
More formally, for every efficient $A$ we require:
$$\langle k_0 \leftarrow \mathrm{Gen}, k_1 \leftarrow \mathrm{Gen} : A^{\mathrm{Enc}_{k_0}(\cdot),\, \mathrm{Enc}_{k_1}(\cdot),\, \mathrm{Enc}_{k_0}(\cdot)} \rangle \overset{c}{\approx}
\langle k_0 \leftarrow \mathrm{Gen}, k_1 \leftarrow \mathrm{Gen} : A^{\mathrm{Enc}_{k_0}(\cdot),\, \mathrm{Enc}_{k_1}(\cdot),\, \mathrm{Enc}_{k_1}(\cdot)} \rangle.$$

(b) Does your definition of anonymity imply IND-CPA security (indistinguishability under adaptive
chosen-plaintext attack)? If so, prove it; otherwise, give the simplest counterexample you can find.
(In constructing your counterexample, you may rely on any reasonable assumption.)

Solution: Anonymity does not imply IND-CPA security. A simple counterexample is an
encryption scheme $(\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ where encryption doesn't conceal the plaintext at all, i.e.,
$\mathrm{Enc}_k(m) = m$. Clearly the view of the adversary in the two worlds is identical, but this scheme
is obviously not IND-CPA secure.

(c) Does the PRF-based encryption scheme from class satisfy your definition of anonymity? If so,
prove it; otherwise, describe a PRF family for which the encryption scheme is not anonymous. (As
usual, your counterexample may use any reasonable cryptographic assumption.)

Solution: This part was deferred.
