Janvi Rakeshkumar Patel CS 608: Cryptography and Security jp2343
Assignment 2
Q1: Let G: {0,1}^n → {0,1}^n be a PRG. We define H_k(x) := G(k) ⊕ x.
Is H_k a PRF? If yes, explain why; if not, give an explicit attack (a
PPT adversary that violates the definition).
No. H_k is not a PRF. For a fixed key k the string G(k) is one fixed pad, so H_k is a one-time pad keyed by G(k): every output is the input XORed with the same unknown value. A PRF must be indistinguishable from a truly random function, and a random function has no such relation between its outputs. The pseudorandomness of G does not help here, because G(k) is reused for every input.
Explicit attack. The adversary A, given oracle access to a function O: {0,1}^n → {0,1}^n, does the following:
1. Query O on x0 = 0^n and obtain y0.
2. Query O on any x1 ≠ x0 (e.g. x1 = 1^n) and obtain y1.
3. Output "PRF" if y0 ⊕ y1 = x0 ⊕ x1, otherwise output "random".
If O = H_k then y0 ⊕ y1 = (G(k) ⊕ x0) ⊕ (G(k) ⊕ x1) = x0 ⊕ x1, so A outputs "PRF" with probability 1. If O is a truly random function, y0 and y1 are independent uniform n-bit strings and the check passes with probability 2^-n. A runs in polynomial time, makes two queries, and has advantage 1 - 2^-n, which is not negligible; hence H_k violates the PRF definition. (In fact the first query alone already reveals G(k) = y0, after which A can predict the answer to every further query.)
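The two-query distinguisher above, as an added example in Python (not part of the original answer). The PRG G is a stand-in built from truncated SHA-256 and the block length N is an assumption; the attack works against H_k for any PRG, because it only uses the fact that the pad G(k) cancels in the XOR of two outputs.

```python
import os
from hashlib import sha256

N = 16  # n = 128 bits; block length in bytes, an assumption for the example


def keygen() -> bytes:
    return os.urandom(N)


def G(k: bytes) -> bytes:
    """Stand-in PRG G: {0,1}^n -> {0,1}^n.
    Assumption: a truncated SHA-256 of the seed; the attack does not depend on which PRG is used."""
    if len(k) != N:
        raise ValueError("seed must be n bits")
    return sha256(b"PRG|" + k).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_H(k: bytes):
    """The candidate PRF from Q1: H_k(x) = G(k) xor x. G(k) is computed once and reused."""
    pad = G(k)
    return lambda x: xor(pad, x)


def make_random_function():
    """A truly random function {0,1}^n -> {0,1}^n, sampled lazily: the ideal a PRF must mimic."""
    table = {}

    def f(x: bytes) -> bytes:
        if x not in table:
            table[x] = os.urandom(N)
        return table[x]

    return f


def distinguish(oracle) -> bool:
    """The PPT adversary A. Two queries; returns True when it decides the oracle is H_k."""
    x0 = bytes(N)          # 0^n
    x1 = b"\xff" * N       # 1^n; any x1 != x0 would do
    y0, y1 = oracle(x0), oracle(x1)
    # Under H_k the pad cancels and y0 xor y1 == x0 xor x1 with probability 1;
    # under a random function the equality holds with probability 2^-n.
    return xor(y0, y1) == xor(x0, x1)


def recover_pad(oracle) -> bytes:
    """A single query already leaks G(k): H_k(0^n) = G(k) xor 0^n = G(k)."""
    return oracle(bytes(N))


if __name__ == "__main__":
    k = keygen()
    print("oracle = H_k             ->", distinguish(make_H(k)))                # True
    print("oracle = random function ->", distinguish(make_random_function()))  # False (w.o.p.)
    print("recovered G(k) correctly ->", recover_pad(make_H(k)) == G(k))        # True
```

Running the script shows the adversary answering "PRF" for every key and "random" for every random function; the false-positive rate against a random function is 2^-128 with these parameters.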
Q2: Given a PRF E: K × {0,1}^n → {0,1}^m, we construct
F: K × {0,1}^(n-1) → {0,1}^(2m) as follows:
F(K, x) := E(K, x||0) || E(K, x||1).
Is F(K, ·) still a PRF? If yes, give a brief proof; if not, give a brief
attack showing the violation of the PRF definition.
Yes. F(K, x) = E(K, x||0) || E(K, x||1) is still a PRF.
Proof sketch (reduction). The two inputs that F feeds to E, x||0 and x||1, differ in their last bit, and for x ≠ x' the four inputs x||0, x||1, x'||0, x'||1 are all distinct. So q distinct queries to F(K, ·) are answered with 2q distinct queries to E(K, ·); no input to E is ever reused.
Suppose a PPT distinguisher D breaks F with non-negligible advantage. Build D' against E as follows: D' is given an oracle O: {0,1}^n → {0,1}^m; whenever D queries x, D' queries O(x||0) and O(x||1) and returns their concatenation; finally D' outputs whatever D outputs.
- If O = E(K, ·), D' simulates F(K, ·) exactly.
- If O is a truly random function R, then because all 2q inputs are distinct, each answer R(x||0) || R(x||1) is a fresh uniform string in {0,1}^(2m), independent of every other answer; this is exactly the behaviour of a random function {0,1}^(n-1) → {0,1}^(2m).
Hence D' has the same advantage as D and runs in polynomial time (twice as many queries), so a non-negligible advantage against F contradicts E being a PRF. The domain-separation bit is essential: a variant such as E(K, x) || E(K, x) would not be a PRF, since a random function almost never outputs two identical halves.
Q3: Can we construct a PRG from a PRF (assuming the PRF
output length is larger than the key length or the input length)? If
yes, give the concrete construction and briefly explain; if not,
explain why.
Yes, a PRG can be constructed from a PRF.
Let F: {0,1}^n × {0,1}^l → {0,1}^m be a PRF with n-bit keys, l-bit inputs and m-bit outputs. Define G: {0,1}^n → {0,1}^(t·m) by
G(k) := F(k, 1) || F(k, 2) || ... || F(k, t),
where the counters 1, ..., t are encoded as distinct l-bit strings and t is chosen so that t·m > n (under the question's assumption m > n, even t = 1 already expands). Each block F(k, i) is the m-bit PRF output on a distinct input, so G stretches an n-bit seed to t·m > n bits.
Why G is a PRG: if a PPT distinguisher D tells G(k) (for uniform k) apart from a uniform t·m-bit string, build D' against F: D' queries its oracle on 1, ..., t, concatenates the answers and runs D on the result. With oracle F(k, ·) the input to D is exactly G(k); with a truly random function the t answers are independent uniform m-bit blocks because the t inputs are distinct, i.e. a uniform t·m-bit string. So D' has the same advantage as D, contradicting the PRF security of F. This is the counter-mode construction used in practice (e.g. a block cipher in CTR mode as a keystream generator); the only requirement is that the PRF inputs never repeat.
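The counter-mode construction G(k) = F(k,1) || ... || F(k,t) as an added Python example (not part of the original answer). HMAC-SHA256 stands in for the PRF F, and the seed, block and counter sizes are assumptions; the block also shows the failure mode the proof relies on avoiding, namely reusing a PRF input.

```python
import hmac
import os
from hashlib import sha256

SEED_BYTES = 16    # n = 128-bit PRF key / PRG seed (assumption for the example)
BLOCK_BYTES = 32   # m = 256-bit PRF output; m > n as the question assumes
CTR_BYTES = 8      # l = 64-bit PRF input holding the counter


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in PRF F: {0,1}^n x {0,1}^l -> {0,1}^m. Assumption: HMAC-SHA256 is a PRF."""
    return hmac.new(k, x, sha256).digest()


def encode_counter(i: int) -> bytes:
    """Distinct counters must map to distinct PRF inputs, hence a fixed-width encoding."""
    return i.to_bytes(CTR_BYTES, "big")


def prg(k: bytes, t: int) -> bytes:
    """G(k) = F(k,1) || F(k,2) || ... || F(k,t), the construction from Q3."""
    if len(k) != SEED_BYTES:
        raise ValueError("seed must be exactly n bits")
    if t < 1:
        raise ValueError("t must be at least 1")
    return b"".join(prf(k, encode_counter(i)) for i in range(1, t + 1))


def expansion_factor(t: int) -> float:
    """Output length over seed length; a PRG needs strictly more than 1 (here already at t = 1)."""
    return (t * BLOCK_BYTES) / SEED_BYTES


def blocks(out: bytes):
    return [out[i:i + BLOCK_BYTES] for i in range(0, len(out), BLOCK_BYTES)]


def prg_with_reused_input(k: bytes, t: int) -> bytes:
    """What goes wrong if the PRF inputs are NOT distinct: every block is identical, and a
    distinguisher only has to look for repeated blocks. Kept here to show the failure mode."""
    return b"".join(prf(k, encode_counter(1)) for _ in range(t))


def has_repeated_block(out: bytes) -> bool:
    bs = blocks(out)
    return len(set(bs)) != len(bs)


def keygen() -> bytes:
    return os.urandom(SEED_BYTES)


if __name__ == "__main__":
    k = keygen()
    out = prg(k, 4)
    print(len(k) * 8, "seed bits ->", len(out) * 8, "output bits")
    print("repeated blocks (distinct counters):", has_repeated_block(out))                       # False
    print("repeated blocks (reused counter):   ", has_repeated_block(prg_with_reused_input(k, 4)))  # True
```

The same seed always yields the same output (G is deterministic, as a PRG must be), and distinct seeds yield unrelated outputs; the repeated-block check is exactly the trivial distinguisher that succeeds against the broken variant.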
Q4: Enc1(k, m) is defined as follows:
- It runs Enc(k, m) and obtains c0;
- It runs Enc(k, m) again to obtain c1. The final ciphertext
will be (c0, c1).
Yes: if Enc is IND-CPA secure, Enc1 is still IND-CPA secure. Encrypting the same message a second time reveals nothing extra, because each run of Enc uses fresh randomness (an IND-CPA scheme must be randomized, otherwise two encryptions of the same message would be recognisable), so c1 is just another ciphertext that the adversary could have obtained from the encryption oracle anyway.
Reduction: suppose A breaks Enc1 with advantage ε. Build B against Enc. B answers each oracle query m of A by querying its own encryption oracle on m twice and returning the pair (c0, c1). For A's challenge pair (m0, m1), B uses a two-step hybrid: in the first hybrid only c0* is the challenge ciphertext (with c1* an honest encryption of m0), in the second both components encrypt the challenge message. Each hybrid step changes a single encryption from m0 to m1 and is bounded by the IND-CPA advantage against Enc, so ε ≤ 2·Adv(Enc), which is negligible. B makes twice as many queries as A and simulates Enc1's game perfectly.
Hence Enc1(k, m) → (c0, c1) is IND-CPA secure. Note that the argument says nothing about integrity: for example, swapping c0 and c1 yields a different valid ciphertext of the same message, which is irrelevant for IND-CPA but would matter for authenticated encryption (Q9).
Q5: Enc2(k, m) is defined as follows:
- It runs Enc(k, m) and obtains c0;
- It runs f on m to obtain c1, where f is a pseudorandom generator. The final
ciphertext will be (c0, c1).
The scheme Enc2(k, m) is not IND-CPA secure.
The second component c1 = f(m) is computed by a public, keyless and deterministic function: the PRG f has no secret input here, the message itself is its seed. Pseudorandomness of f is irrelevant, because a PRG's output only looks random when its seed is uniform and hidden, and here the adversary chooses the seed. Anyone, including the adversary, can recompute f(m) for any candidate m and compare.
Attack (CPA adversary A):
1. Pick two distinct messages m0, m1 with f(m0) ≠ f(m1) (f is public, so A computes both values locally and can pick any such pair).
2. Submit (m0, m1) as the challenge and receive (c0*, c1*) = (Enc(k, m_b), f(m_b)).
3. Output b' = 0 if c1* = f(m0), otherwise b' = 1.
A never looks at c0* and guesses b correctly with probability 1, so its advantage is 1/2, far from negligible. The scheme leaks the whole message up to the preimage of f; an eavesdropper who knows a short list of possible messages can simply try them all.
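The CPA adversary against Enc2, as an added Python example (not part of the original answer). The encryption Enc is a small stand-in (random nonce plus an HMAC-derived pad) and f is a hash-based PRG stand-in; both are assumptions, and the attack does not depend on them beyond f being public and deterministic.

```python
import hmac
import os
from hashlib import sha256

KEY_BYTES = 16


def enc(k: bytes, m: bytes) -> bytes:
    """Stand-in IND-CPA encryption: fresh random nonce, message XORed with a one-block pad derived
    from (k, nonce). Assumption for the example; messages are limited to 32 bytes to keep it short."""
    if len(m) > 32:
        raise ValueError("example cipher handles messages up to 32 bytes")
    nonce = os.urandom(16)
    pad = hmac.new(k, nonce, sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(m, pad))


def prg_f(seed: bytes) -> bytes:
    """Stand-in PRG f (assumption: hash-based stretch). Note what it lacks: a key.
    Its input here is the message, which the adversary chooses, so its output is recomputable."""
    return b"".join(sha256(seed + i.to_bytes(4, "big")).digest() for i in range(2))


def enc2(k: bytes, m: bytes):
    """Enc2 from Q5: (Enc(k, m), f(m))."""
    return enc(k, m), prg_f(m)


def challenger(k: bytes, m0: bytes, m1: bytes):
    """IND-CPA challenge oracle: flips b and encrypts m_b. Returns b only so the guess can be scored."""
    b = os.urandom(1)[0] & 1
    return b, enc2(k, (m0, m1)[b])


def adversary_guess(m0: bytes, m1: bytes, ciphertext) -> int:
    """The attack: recompute f(m0) locally and compare with c1. c0 is never examined."""
    _c0, c1 = ciphertext
    return 0 if c1 == prg_f(m0) else 1


def attack_success_rate(trials: int = 200) -> float:
    m0, m1 = b"transfer 10 EUR", b"transfer 99 EUR"   # constructed sample messages of equal length
    if prg_f(m0) == prg_f(m1):
        raise RuntimeError("pick messages with distinct f-values")
    wins = 0
    for _ in range(trials):
        k = os.urandom(KEY_BYTES)
        b, ct = challenger(k, m0, m1)
        wins += int(adversary_guess(m0, m1, ct) == b)
    return wins / trials


def enc_alone_is_randomized(k: bytes, m: bytes) -> bool:
    """Sanity check: the first component on its own never repeats, so the leak comes from c1 alone."""
    return enc(k, m) != enc(k, m)


if __name__ == "__main__":
    print("adversary wins with rate", attack_success_rate())   # 1.0
```

The success rate is exactly 1.0 over any number of trials and any key: the adversary's decision uses only the public function f and the challenge's second component.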
Q6: Π3 := (KeyGen3, Tag3, Verify3) is defined as follows:
KeyGen3 first runs KeyGen1 and obtains k1, then runs KeyGen2 and obtains k2; the
output key is (k1, k2).
Tag3[(k1, k2), (m1, m2)] first runs Tag1(k1, m1) and obtains σ1, then runs
Tag2(k2, m1 ⊕ m2) and obtains σ2, where the message m that Tag3 works on is a
pair of messages (m1, m2). The final tag is σ3 := σ1 || σ2. The verification is defined
accordingly.
Is Π3 a secure MAC? Briefly explain why.
No. Π3 is not a secure MAC, even when Π1 and Π2 are both secure. The tag σ3 = σ1 || σ2 authenticates two quantities separately: σ1 depends only on m1 and σ2 depends only on m1 ⊕ m2. Neither component ever covers the pair (m1, m2) as a whole, so components obtained for different pairs can be recombined (a mix-and-match forgery).
Attack (two tag queries, one forgery):
1. Query Tag3 on (m1, m2) for any m1, m2 and receive σ1 = Tag1(k1, m1) and σ2 = Tag2(k2, m1 ⊕ m2).
2. Query Tag3 on (m1', m2) for some m1' ≠ m1 and receive σ1' = Tag1(k1, m1') and σ2' = Tag2(k2, m1' ⊕ m2).
3. Output the message (m1, m2*) with m2* := m1 ⊕ m1' ⊕ m2 and the tag σ1 || σ2'.
Verification passes: the first half is Tag1(k1, m1) = σ1, and since m1 ⊕ m2* = m1' ⊕ m2 the second half is Tag2(k2, m1' ⊕ m2) = σ2'. The forged message is new because m2* ≠ m2 (they differ by m1 ⊕ m1' ≠ 0), so it was never queried. The adversary breaks neither Π1 nor Π2; it only reuses their honest outputs on inputs they have already authenticated. A secure construction would have to bind both tags to the whole pair, e.g. by tagging an unambiguous encoding of (m1, m2).
Q7: Π4 := (KeyGen4, Tag4, Verify4) is defined as follows:
KeyGen4 is identical to KeyGen1, and it outputs a key k.
Tag4[k, (m1, m2)] first runs Tag1(k, m1) and obtains σ1, then runs Tag2(k, m2) and
obtains σ2. The final tag is
σ := σ1 ⊕ σ2.
Is Π4 a secure MAC? Briefly explain why.
No, Π4 = (KeyGen4, Tag4, Verify4) is not a secure MAC (assuming, as the XOR requires, that Tag1 and Tag2 produce tags of the same length).
The tag σ = Tag1(k, m1) ⊕ Tag2(k, m2) is linear in the two component tags, and each component depends on only one half of the message. An adversary can therefore cancel components it does not know by XORing tags it has already seen, without any knowledge of k:
1. Query Tag4 on (m1, m2), (m1', m2) and (m1, m2'), with m1 ≠ m1' and m2 ≠ m2', and receive σa, σb, σc.
2. Output the message (m1', m2') with the tag σ* := σa ⊕ σb ⊕ σc.
Writing T1 = Tag1(k, ·) and T2 = Tag2(k, ·):
σa ⊕ σb ⊕ σc = [T1(m1) ⊕ T2(m2)] ⊕ [T1(m1') ⊕ T2(m2)] ⊕ [T1(m1) ⊕ T2(m2')] = T1(m1') ⊕ T2(m2') = Tag4(k, (m1', m2')).
The pair (m1', m2') was never queried, so this is a valid forgery after three queries, succeeding with probability 1. A second, independent problem is that the same key k is used in two different schemes, which the security proofs of Π1 and Π2 individually do not cover; in the extreme case Tag1 = Tag2, every message of the form (m, m) has the all-zero tag.
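The mix-and-match forgery against Π3 (Q6) and the XOR-cancellation forgery against Π4 (Q7), as one added Python example that is not part of the original answers. HMAC-SHA256 under two labels stands in for the secure MACs Π1 and Π2 (an assumption); the unforgeability game records every queried message so that the result counts only if the forged message is new.

```python
import hmac
import os
from hashlib import sha256

TAG_BYTES = 32


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Stand-in secure MACs Pi1 and Pi2 (assumption: HMAC-SHA256 is unforgeable). The labels make
# them two different schemes even when, as in Q7, they are run under the same key.
def tag1(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, b"Pi1|" + m, sha256).digest()


def tag2(k: bytes, m: bytes) -> bytes:
    return hmac.new(k, b"Pi2|" + m, sha256).digest()


# ---- Q6: Pi3, keys (k1, k2), tag = Tag1(k1, m1) || Tag2(k2, m1 xor m2) ----
def tag3(keys, msg) -> bytes:
    (k1, k2), (m1, m2) = keys, msg
    return tag1(k1, m1) + tag2(k2, xor(m1, m2))


def verify3(keys, msg, sigma) -> bool:
    return hmac.compare_digest(tag3(keys, msg), sigma)


def forge_pi3(oracle):
    """Mix-and-match: two queries, then recombine halves into a tag for an unqueried pair."""
    m1, m1p, m2 = b"A" * 16, b"B" * 16, b"C" * 16      # constructed sample messages
    sig_a = oracle((m1, m2))     # Tag1(m1)  || Tag2(m1 xor m2)
    sig_b = oracle((m1p, m2))    # Tag1(m1') || Tag2(m1' xor m2)
    m2_star = xor(xor(m1, m1p), m2)                     # so that m1 xor m2_star == m1' xor m2
    return (m1, m2_star), sig_a[:TAG_BYTES] + sig_b[TAG_BYTES:]


# ---- Q7: Pi4, single key k, tag = Tag1(k, m1) xor Tag2(k, m2) ----
def tag4(k, msg) -> bytes:
    m1, m2 = msg
    return xor(tag1(k, m1), tag2(k, m2))


def verify4(k, msg, sigma) -> bool:
    return hmac.compare_digest(tag4(k, msg), sigma)


def forge_pi4(oracle):
    """Linearity: three queries whose XOR cancels the shared components, leaving Tag4 of a 4th pair."""
    m1, m1p, m2, m2p = b"A" * 16, b"B" * 16, b"C" * 16, b"D" * 16
    sig_a = oracle((m1, m2))
    sig_b = oracle((m1p, m2))
    sig_c = oracle((m1, m2p))
    return (m1p, m2p), xor(xor(sig_a, sig_b), sig_c)


def run_forgery_game(forge, tag_fn, verify_fn, key):
    """Unforgeability game: record every queried message; the forgery counts only if it is new.
    Returns (forged message was never queried, forged tag verifies)."""
    queried = []

    def oracle(msg):
        queried.append(msg)
        return tag_fn(key, msg)

    msg_star, sigma_star = forge(oracle)
    return msg_star not in queried, verify_fn(key, msg_star, sigma_star)


if __name__ == "__main__":
    k1, k2, k = os.urandom(16), os.urandom(16), os.urandom(16)
    print("Pi3 forgery (new, valid):", run_forgery_game(forge_pi3, tag3, verify3, (k1, k2)))  # (True, True)
    print("Pi4 forgery (new, valid):", run_forgery_game(forge_pi4, tag4, verify4, k))         # (True, True)
```

Both forgeries return (True, True) for every key, and neither forger ever computes an HMAC itself; each only recombines tags the oracle produced for other messages.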
Q8: Given two constructions of message authentication codes
Π1 := (KeyGen1, Tag1, Verify1), Π2 := (KeyGen2, Tag2, Verify2), construct a
MAC scheme Π3 := (KeyGen3, Tag3, Verify3) which will be secure (unforgeable) as long as
one of Π1, Π2 is unforgeable (but you don't know which one), and briefly explain why.
To construct a MAC scheme Π3 = (KeyGen3, Tag3, Verify3) that remains unforgeable as long as
one of Π1 or Π2 is unforgeable, tag the message under both schemes with independent keys and
accept only if both tags verify:
Key Generation (KeyGen3):
Generate two independent keys k1 and k2 using KeyGen1 and KeyGen2 respectively. The
output key for Π3 is (k1, k2).
Tagging (Tag3):
Given a message m:
Compute σ1 := Tag1(k1, m).
Compute σ2 := Tag2(k2, m).
The final tag for m is σ := (σ1, σ2).
Verification (Verify3):
Given a message m and a tag σ = (σ1, σ2):
Run Verify1(k1, m, σ1) and Verify2(k2, m, σ2).
Accept iff both accept: Verify3((k1, k2), m, (σ1, σ2)) = Verify1(k1, m, σ1) AND Verify2(k2, m, σ2).
Why it is unforgeable if at least one of Π1, Π2 is: a forgery against Π3 is a new message m* with
a pair (σ1*, σ2*) that both verifiers accept, so σi* is in particular a valid tag of m* under Πi for
each i. Suppose Π1 is the unforgeable one (the other case is symmetric). Build an adversary B
against Π1: B samples k2 itself, answers each tag query m of the Π3-forger A with
(Tag1-oracle(m), Tag2(k2, m)), and when A outputs (m*, (σ1*, σ2*)), B outputs (m*, σ1*). B's
simulation is perfect and m* was never sent to the Tag1 oracle, so B's forgery is valid exactly
when A's is, contradicting the unforgeability of Π1. Since we do not know which scheme is secure,
the keys must be independent so that B can simulate the other scheme without the secure key.
The verification rule must be AND, not OR. If Verify3 accepted when either tag verifies, an
adversary able to forge the broken scheme (say Π1) would output (m*, (σ1*, garbage)) and be
accepted, so the combiner would be exactly as weak as its weakest component. The price is a tag
of length |σ1| + |σ2| and two verifications, both of which should always be run (constant-time
comparison, no early exit) before the result is returned.
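The combiner with AND-verification beside the OR-verification variant, as an added Python example (not part of the original answer). To play the role of the scheme that turns out to be weak, Π1 is a constructed, deliberately broken MAC (an unkeyed truncated hash anyone can compute); Π2 is HMAC-SHA256, assumed unforgeable. The adversary can forge Π1 but not Π2.

```python
import hmac
import os
from hashlib import sha256


# Pi1: a deliberately BROKEN stand-in MAC. Its tag is a truncated unkeyed hash, so anyone can
# compute it (constructed for the example to play the scheme that turns out to be weak).
def tag1(k1: bytes, m: bytes) -> bytes:
    return sha256(b"broken|" + m).digest()[:16]


def verify1(k1: bytes, m: bytes, s: bytes) -> bool:
    return hmac.compare_digest(tag1(k1, m), s)


# Pi2: a secure stand-in MAC (assumption: HMAC-SHA256 is unforgeable).
def tag2(k2: bytes, m: bytes) -> bytes:
    return hmac.new(k2, m, sha256).digest()


def verify2(k2: bytes, m: bytes, s: bytes) -> bool:
    return hmac.compare_digest(tag2(k2, m), s)


# ---- Pi3, the combiner from Q8 ----
def keygen3():
    return os.urandom(16), os.urandom(16)      # independent k1, k2


def tag3(keys, m: bytes):
    k1, k2 = keys
    return tag1(k1, m), tag2(k2, m)


def verify3_and(keys, m: bytes, sigma) -> bool:
    """Correct rule: both component tags must verify. Both checks always run (no short-circuit)."""
    k1, k2 = keys
    s1, s2 = sigma
    ok1 = verify1(k1, m, s1)
    ok2 = verify2(k2, m, s2)
    return ok1 and ok2


def verify3_or(keys, m: bytes, sigma) -> bool:
    """Accepting on either tag. Included only to demonstrate why this rule is wrong."""
    k1, k2 = keys
    s1, s2 = sigma
    return verify1(k1, m, s1) or verify2(k2, m, s2)


def forge(m_star: bytes):
    """Adversary who can break Pi1 but not Pi2: a real Pi1 tag, random garbage in the Pi2 slot."""
    return tag1(b"", m_star), os.urandom(32)


def combiner_results(keys, m_star: bytes):
    """Returns (accepted by OR-verify, accepted by AND-verify) for the forgery on m_star."""
    sigma_star = forge(m_star)
    return verify3_or(keys, m_star, sigma_star), verify3_and(keys, m_star, sigma_star)


if __name__ == "__main__":
    keys = keygen3()
    honest = tag3(keys, b"pay 10")
    print("honest tag accepted by AND:", verify3_and(keys, b"pay 10", honest))   # True
    print("forgery accepted (OR, AND):", combiner_results(keys, b"pay 1000000"))  # (True, False)
```

With OR-verification the forgery on a never-tagged message is accepted, because the broken Π1 alone decides; with AND-verification it is rejected, because the adversary would additionally need a valid HMAC under k2.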
Q9: Explain why the following paradigm does not provide secure authenticated
encryption, i.e. an encryption scheme that satisfies both IND-CPA security and
ciphertext integrity (where the adversary cannot create new ciphertexts without
knowing the key or asking the encryption oracle). The paradigm's encryption algorithm
initially executes an Enc algorithm on message m to obtain c, then runs a Tag algorithm
on message m and obtains σ. The final ciphertext will be (c, σ).
The described paradigm (encrypt-and-MAC) fails on both counts, confidentiality and integrity,
because σ = Tag(m) is computed over the plaintext and is independent of c.
1. It is not IND-CPA in general. A MAC's Tag algorithm may be deterministic (CBC-MAC, HMAC and
every standard MAC are), and then σ is a deterministic function of m. The CPA adversary queries
the encryption oracle on m0 and receives (c, σ0); it then submits the challenge (m0, m1), receives
(c*, σ*), and outputs 0 iff σ* = σ0. Equal messages give equal tags, and for a secure MAC the
adversary cannot find two messages with the same tag (that would itself be a forgery), so the guess
is correct with overwhelming probability. The tag reveals which ciphertexts carry the same message,
and an adversary with a short list of candidate messages can simply tag-compare them all. Even a
randomized MAC is only required to be unforgeable, not to hide m, so nothing in the MAC definition
prevents σ from leaking bits of m.
2. It does not provide ciphertext integrity. σ authenticates m, not c, so any other ciphertext c'
that decrypts to the same m carries a valid tag. IND-CPA security does not rule such c' out: given
any IND-CPA scheme Enc, the scheme Enc'(k, m) := Enc(k, m) || r with a random bit r that Dec'
ignores is still IND-CPA, and with it the adversary turns an honest (c||r, σ) obtained from the
encryption oracle into the new, accepted ciphertext (c||r̄, σ) without knowing any key. The
adversary never decrypts anything; it only changes bits that the tag does not cover.
Conclusion:
The paradigm does not bind the ciphertext c and the tag σ together, so an adversary can produce
a new ciphertext that still carries a valid tag, violating ciphertext integrity, and the tag itself
can leak information about m, violating IND-CPA. The standard fix is encrypt-then-MAC: compute
σ := Tag(k_m, c) over the ciphertext with a MAC key independent of the encryption key, and reject
before decrypting whenever σ does not verify; that composition is IND-CPA and has ciphertext
integrity, hence is an authenticated encryption scheme.
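Both failures of encrypt-and-MAC next to the encrypt-then-MAC fix, as an added Python example (not part of the original answer). The encryption is a stand-in (random nonce, HMAC keystream, plus a trailing random byte the decryptor ignores, which is the Enc' construction from point 2) and HMAC-SHA256 is the deterministic MAC; these are assumptions, and the attacks rely only on the tag covering m rather than c.

```python
import hmac
import os
from hashlib import sha256

NONCE = 16


def keystream(ke: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(ke, nonce + i.to_bytes(4, "big"), sha256).digest()
                    for i in range(length // 32 + 1))[:length]


def enc(ke: bytes, m: bytes) -> bytes:
    """Stand-in IND-CPA encryption (random nonce + HMAC keystream). Assumption for the example.
    A trailing random byte is appended that dec() ignores: still IND-CPA, and it makes the
    'ciphertext bits the tag does not cover' failure concrete."""
    nonce = os.urandom(NONCE)
    body = bytes(a ^ b for a, b in zip(m, keystream(ke, nonce, len(m))))
    return nonce + body + os.urandom(1)


def dec(ke: bytes, c: bytes) -> bytes:
    nonce, body = c[:NONCE], c[NONCE:-1]
    return bytes(a ^ b for a, b in zip(body, keystream(ke, nonce, len(body))))


def tag(km: bytes, data: bytes) -> bytes:
    return hmac.new(km, data, sha256).digest()      # deterministic, like every standard MAC


# ---- Encrypt-and-MAC, the paradigm from Q9: (Enc(m), Tag(m)) ----
def eam_enc(ke, km, m):
    return enc(ke, m), tag(km, m)


def eam_dec(ke, km, ct):
    c, sigma = ct
    m = dec(ke, c)
    return m if hmac.compare_digest(tag(km, m), sigma) else None


def eam_cpa_attack(ke, km, m0, m1) -> bool:
    """IND-CPA adversary: one oracle query on m0, then compares tags. Returns True if it guessed b."""
    _, sigma0 = eam_enc(ke, km, m0)          # encryption-oracle query
    b = os.urandom(1)[0] & 1                 # challenger's bit
    _, sigma_star = eam_enc(ke, km, (m0, m1)[b])
    guess = 0 if sigma_star == sigma0 else 1
    return guess == b


def eam_ctxt_forgery(ke, km, m) -> bool:
    """Ciphertext-integrity adversary: flips a bit the tag does not cover. True if the new
    ciphertext is accepted and decrypts to the same m."""
    c, sigma = eam_enc(ke, km, m)
    c_prime = c[:-1] + bytes([c[-1] ^ 0x01])
    return c_prime != c and eam_dec(ke, km, (c_prime, sigma)) == m


# ---- Encrypt-then-MAC for comparison: the tag covers c, so the same manipulation is rejected ----
def etm_enc(ke, km, m):
    c = enc(ke, m)
    return c, tag(km, c)


def etm_dec(ke, km, ct):
    c, sigma = ct
    if not hmac.compare_digest(tag(km, c), sigma):
        return None                             # reject before decrypting
    return dec(ke, c)


def etm_resists_forgery(ke, km, m) -> bool:
    c, sigma = etm_enc(ke, km, m)
    c_prime = c[:-1] + bytes([c[-1] ^ 0x01])
    return etm_dec(ke, km, (c_prime, sigma)) is None and etm_dec(ke, km, (c, sigma)) == m


if __name__ == "__main__":
    ke, km = os.urandom(16), os.urandom(16)
    print("E&M CPA attack always wins:     ", all(eam_cpa_attack(ke, km, b"yes", b"no!") for _ in range(100)))
    print("E&M ciphertext forgery accepted:", eam_ctxt_forgery(ke, km, b"pay 10"))
    print("EtM rejects the same forgery:   ", etm_resists_forgery(ke, km, b"pay 10"))
```

The CPA adversary wins every trial by tag comparison alone, the flipped ciphertext is accepted by encrypt-and-MAC because the tag never covered that byte, and encrypt-then-MAC rejects it before any decryption happens; the two MAC keys and the encryption key are kept separate throughout.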