\documentclass[11pt]{article}
\input{headers05}

\usepackage{fancyhdr}   
\pagestyle{fancy}      
\lhead{CS 355, Fall 2025}               
\rhead{Name: Hemanta K. Maji} %%% <-- REPLACE Hemanta K. Maji WITH YOUR NAME HERE

\usepackage[strict]{changepage}  
\newcommand{\nextoddpage}{\checkoddpage\ifoddpage{\ \newpage\ \newpage}\else{\ \newpage}\fi}


\begin{document}

\title{Homework 5}

\date{}

\maketitle 

\thispagestyle{fancy}
\pagestyle{fancy}     

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%% PLEASE LIST COLLABORATORS BELOW  %%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
{\bfseries Collaborators:}
%%% List your collaborators and any online resources here.



\newpage
\centering
{\Huge{Practice Questions}}

These are practice questions.
They will \textbf{NOT} be graded.
We have also provided the final answers.
However, it is up to you to understand how or why the given solution is correct.

You do not need to submit these on Gradescope.
However, you may find it easier to just include them in the pdf.
In that case, please do not mark these questions on Gradescope.

\newpage

\begin{enumerate}
	\item {\bfseries Birthday Paradox. (00 points)}
	      Recall that the Birthday Paradox states that if we throw $m= c\sqrt{n}$ balls into $n$ bins, then the probability that there exists a collision (\ie, a bin with at least two balls) is $\geq 0.99$, where $c>0$ is an appropriate constant. \newline
	      An international university has 12 colleges. Moreover, the students of this university come from 121 different countries around the world. How many students (from the university) in a room will ensure with probability $\geq 0.99$ that there exists at
	      least one pair of students who are from the same country, belong to the same college, and celebrate their birthdays in the same month?
	      
	      {\bfseries Solution.}  \newline
	      $\ceil{132c}$
	      
	      \newpage

          \item {\bfseries Encryption using Random Functions. (00 points)}
    
	      Let $\cF$ be the set of all functions $\zo^{n} \to \zo^n$. 
	      Consider the following private-key encryption scheme. 
	      \begin{boxedalgo}
	      	\begin{itemize}
	      		\item $\gen()$: Return $\sk=F$ uniformly at random from the set $\cF$ 
	      		\item $\enc_\sk(m)$: Return $(c,r)$, where $r$ is chosen uniformly at random from $\zo^n$, $c = m\oplus F(r)$, and $\sk=F$.  
	      		\item $\dec_\sk(\widetilde c,\widetilde r)$: Return $\widetilde c \oplus F(\widetilde r)$.
	      	\end{itemize}
	      \end{boxedalgo}
	        
	      \begin{enumerate}
	      	\item {\bfseries (15 points)} Suppose we want to ensure that even if we make $10^{30}$ calls to the encryption algorithm, all the random strings $r$ that are chosen are distinct with probability at least $1-2^{- 401}$. 
	      	      What value of $n$ shall you choose? \newline 
	      	      {\bfseries Solution.}  \newline
	      	      We have proved in class that the probability that all $k$ 
	      	      samples chosen uniformly at random from a set $S$ are distinct is roughly equal to $\exp\left(-\frac{k^2}{2\vert S\vert}\right)$. In this question, $\vert S \vert=2^n$ and $k=10^{30}$. We need to have:
	      	      \begin{align}
	      	      	  & \exp\left(-\frac{10^{60}}{2^{n+1}}\right)\geq 1-2^{-401}\approx \exp\left(-2^{-401}\right) \\
	      	      	  & \iff \left(-\frac{10^{60}}{2^{n+1}}\right)\geq \left(-2^{-401}\right)                      \\
	      	      	  & \iff 10^{60}\leq 2^{n-400}                                                                 \\
	      	      	  & \iff 60\log_2(10)\leq n-400                                                                \\
	      	      	  & \iff n\geq 400+60\log_2(10)\approx 599.314                                                 \\
	      	      	  & \iff n\geq 600                                                                             
	      	      \end{align}  
	      	      \newpage
	      	      
	      	\item {\bfseries (10 points)} Conditioned on the fact that all randomness $r$ in the encryption schemes are distinct, prove that this scheme is secure. \newline 
	      	      {\bfseries Solution.}  \newline
	      	      We assume that $r_i\neq r_j$ for all $i\neq j$. Note that $F$ is chosen uniformly at random from the set of all functions that map a string of $n$ bits to a string of $n$ bits. Therefore, the values $F(r_1),\dots,F(r_q)$ are independent and uniformly distributed. This implies that $c_1=m_1\oplus F(r_1),\dots,c_q=m_q\oplus F(r_q)$ are all uniform and independent of each 
	      	      other. This means that the
	      	      encryptions of 
	      	      $m_1,m_2,\dots,m_{q-1}$ 
	      	      do not reveal any 
	      	      information about the 
	      	      encryption of $m_q$. The 
	      	      scheme therefore behaves like a one-time 
	      	      pad: it is equivalent to XORing
	      	      the sequence $m_1\dots m_q$ 
	      	      with the uniformly random sequence 
	      	      $F(r_1)\dots 
	      	      F(r_q)$ to get $c_1\dots c_q$.
	      	      The distinctness assumption is essential: if $r_i=r_j$ for some $i\neq j$, then the same pad $F(r_i)$ is used twice and $c_i\oplus c_j=m_i\oplus m_j$ is revealed.
	      	      \begin{align}
	      	      	  & \Pr[C_1=c_1,\dots,C_q=c_q \mid M_1=m_1,\dots,M_q=m_q] \\
	      	      	=& \Pr[m_1\oplus F(r_1)=c_1, m_2\oplus F(r_2)=c_2,\dots,m_q\oplus F(r_q)=c_q]\\
	      	      	=& \Pr[F(r_1)=m_1\oplus c_1, F(r_2)=m_2\oplus c_2,\dots,
	      	      	F(r_q)=m_q\oplus c_q]\\
	      	      	=&\Pr[F(r_1)=m_1\oplus c_1]\times\dots\times \Pr[F(r_q)=m_q\oplus c_q]=\left(\frac{1}{2^n}\right)^q
	      	      \end{align}
	      	      \newpage
	      	      
	      \end{enumerate}
\end{enumerate}




\newpage
\centering
{\Huge{Homework Questions}}

These are homework questions and will be graded.
Please make sure to clearly mark each problem on Gradescope.
\newpage

\begin{enumerate}
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	%%%%%%%%%%%% PROBLEM 1 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Stretching PRG Output. (10 points)}
	      Suppose we are given a length-doubling PRG $G$ such that 
	      $$G:\{0,1\}^B \rightarrow \{0,1\}^{2B}$$
	      Using $G$, construct a new PRG $G'$ such that 
	      $$G': \{0,1\}^B \rightarrow \{0,1\}^{2026B}$$
	      
	      ({\footnotesize Remark: We do not need a security proof. 
	      	You should only use the PRG $G$ to construct the new PRG $G'$. 
	      In particular, you should not use any other cryptographic primitive like one-way function etc.}%
	      )
	      
	      {\bfseries Solution.}  \newline
	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      
	      \newpage
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%% PROBLEM 2 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      
	\item {\bfseries New Pseudorandom Function Family. (7+8+10 points)}
	      Let $G$ be a length-doubling PRG $G\colon\zo^B\to\zo^{2B}$. 
	      Recall the basic  GGM PRF construction presented below. 
	      \begin{boxedalgo}
	      	\begin{itemize}
	      		\item  Define $G(x) = (G_0(x), G_1(x))$ where $G_0,G_1 : \{0,1\}^B \rightarrow \{0,1\}^B$
	      		\item  We define $g_{\pred{id}}(x_1,x_2,\ldots x_n)$ as $G_{x_n}(\ldots G_{x_2}(G_{x_1}(\pred{id})) \ldots )$ \\where $\pred{id} \xleftarrow[]{\$} \zo^B$.
	      	\end{itemize}
	      \end{boxedalgo}
	      Recall from class that $g_{\pred{id}}$ is a PRF family from $\zo^n$ to $\zo^B$ for a fixed value of $n$, when the key $\pred{id}$ is picked uniformly at random from the set $\zo^B$. 
	      
	      \begin{enumerate}
	      	\item {\bfseries (7 points)} Why is the above-mentioned GGM construction not a pseudorandom function family from the domain $\zo^*$ to the range $\zo^B$? (Note that $\{0,1\}^{*}$ means that the length of the input to the PRF is arbitrary) \newline 
	      	      {\bfseries Solution.}  \newline
	      	           
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	         
	      	      \newpage
	      	\item {\bfseries (8 points)} Given a length-doubling PRG $G\colon\zo^B\to\zo^{2B}$, construct a PRF family from the domain $\zo^n$ to the range $\zo^{2026B}$. \newline 
	      	      ({\footnotesize Remark: Again, in this problem, do not use any other cryptographic primitive like one-way function etc. You should only use the PRG $G$ in your proposed construction.}) \newline 
	      	      {\bfseries Solution.}  \newline
	      	        
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	         
	      	      \newpage
	      	\item {\bfseries (10 points)} Consider the following function family $\{h_1,\dotsc,h_\alpha\}$ from the domain $\zo^*$ to the range $\zo^B$. 
	      	      We define $h_{\pred{id}}(x) = g_{\pred{id}}(x , [\;\abs x\;]_2)$, for $\pred{id}\in\{1,2,\dotsc,\alpha\}$. 
	      	      Show that $\{h_1,\dotsc,h_\alpha\}$ is \ul{not} a secure PRF from $\zo^*$ to the range $\zo^B$. 
	      	          
	      	      ({\footnotesize {\em Note}: The expression $[\;\abs x\;]_2$ represents the length of $x$ written as an $n$-bit binary string, where $n$ denotes the length of $x$.}) \newline 
	      	      {\bfseries Solution.}  \newline
	      	            
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	          
	      	      \newpage
	      \end{enumerate} 
	        
	      
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%% PROBLEM 3 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      
	\item {\bfseries Variant of Pseudorandom Function Family. (15 points)}
	      Let $G$ be a length-doubling PRG $G\colon\zo^B\to\zo^{2B}$ and $G' : \{0,1\}^B \rightarrow \{0,1\}^T$ be a PRG where $T\geq B$. 
	      The following construction is suggested to construct a PRF family from $\{0,1\}^* \rightarrow \{0,1\}^T$. 
	      (Note that $\{0,1\}^{*}$ means that the length of the input to the PRF is arbitrary) 
	      \begin{boxedalgo}
	      	\begin{itemize}
	      		\item Define $G(x) = (G_0(x), G_1(x))$ where $G_0,G_1 : \{0,1\}^B \rightarrow \{0,1\}^B$
	      		\item Let $G' : \{0,1\}^B \rightarrow \{0,1\}^T$ be a PRG. 
	      		\item We define $g_{\pred{id}}(x_1,x_2,\ldots x_n)$ as $G'(G_{x_n}(\ldots G_{x_2}(G_{x_1}(\pred{id})) \ldots ))$ \\where $\pred{id} \xleftarrow[]{\$} \zo^B$.
	      	\end{itemize}
	      \end{boxedalgo}
	      
	      Prove that the above-mentioned PRF construction is \ul{not} secure when $G'=G$. (Note that when $G'=G$, then $T=2B$). 
	        
	      
	      {\bfseries Solution.}  \newline
	         
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	         
	      \newpage
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% PROBLEM 4 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries OWF. (10 points)}
	      Let $f:\{0,1\}^n \rightarrow \{0,1\}^n$ be a one-way function. Define
	      $g: \{0,1\}^{2n}\rightarrow \{0,1\}^{2n}$ as \[g(x_1,x_2)=f(x_1\oplus 1^n)\,\|\,(x_1\oplus x_2),\]
	      where $x_1 \in \{0,1\}^n$, $x_2 \in \{0,1\}^n$, $\|$ denotes concatenation, and $1^n$ denotes the string of $n$ ones. Show that $g$ is also a one-way function. \newline 
	      {\footnotesize Hint. Suppose there exists an efficient adversary $\cA$ that inverts the function $g$ . 
	      	You should now construct a new efficient adversary $\cA'$ that uses $\cA$ as a subroutine to invert the function $f$.} \newline 
	      {\bfseries Solution.}  \newline
	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      
	      \newpage
	      
	      
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% PROBLEM 5 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries Encryption using Random Functions. (15+10 points)}
	      Let $\cF$ be the set of all functions $\zo^{n} \to \zo^n$. 
	      Consider the following private-key encryption scheme. 
	      \begin{boxedalgo}
	      	\begin{itemize}
	      		\item $\gen()$: Return $\sk=F$ uniformly at random from the set $\cF$ 
	      		\item $\enc_\sk(m)$: Return $(c,r)$, where $r$ is chosen uniformly at random from $\zo^n$, $c = m\oplus F(r)$, and $\sk=F$.  
	      		\item $\dec_\sk(\widetilde c,\widetilde r)$: Return $\widetilde c \oplus F(\widetilde r)$.
	      	\end{itemize}
	      \end{boxedalgo}
	        
	      \begin{enumerate}
	      	\item {\bfseries (15 points)} Suppose we want to ensure that even if we make $10^{30}$ calls to the encryption algorithm, all the random strings $r$ that are chosen are distinct with probability at least $1-2^{- 401}$. 
	      	      What value of $n$ shall you choose? \newline 
	      	      {\bfseries Solution.}  \newline
	      	         
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	         
	      	      \newpage
	      	      
	      	\item {\bfseries (10 points)} Conditioned on the fact that all randomness $r$ in the encryption schemes are distinct, prove that this scheme is secure. \newline 
	      	      {\bfseries Solution.}  \newline
	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      \newpage
	      	      
	      \end{enumerate}
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% PROBLEM 6 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      
	\item {\bfseries PRF. (10 points)}
	      Suppose the set of functions $F_\id \colon \zo^n\to\zo^n$ forms a \ul{secure} PRF when $\id$ is chosen uniformly at random from the set $\zo^n$.
	      
	      We are now constructing a new PRF family $G_\id\colon\zo^{2n}\to\zo^{2n}$, where $\id\in\zo^n$. 
	      This new function is defined as follows.
	      $$ G_\id(x_1,x_2) \defeq \left( ~  x_2 \xor F_\id(x_1) ~, ~ F_\id(x_2) ~ \right)$$
	      Is this new PRF secure or not? 
	      
	      (If you think that it is secure, then prove that it is secure.
	      If you think that it is insecure, then prove why this construction is insecure. 
	      You get no points for just writing Yes/No.)
	      
	      {\bfseries Solution.}  \newline
	      
	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      
	      \newpage
	      
	      
	      
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%% PROBLEM 7 %%%%%%%%%%%%%%%%%%%%%%%%%%%%
	      %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
	\item {\bfseries One Way Function (12 points)} 
	      In this problem, we will show that a one-way function cannot have a small range.
	      
	      \begin{enumerate}
	      	\item {\bfseries (6 points)}
	      	      First, we need an inequality. 
	      	      Prove that
	      	      $$ p_1^2 + p_2^2 + \dotsi + p_k^2 \geq \frac1k,$$
	      	      where $p_1,\dotsc,p_k\geq0$ such that $p_1+\dotsi +p_k=1$.
	      	      
	      	      Hint: The Cauchy-Schwarz inequality says that for non-negative $x_i$ and $y_i$s, the following inequality holds. 
	      	      $$ \sum_{i=1}^k x_iy_i \leq \left(\sum_{i=1}^k x_i^2\right)^{1/2} \left(\sum_{i=1}^k y_i^2\right)^{1/2}$$
	      	      
	      	      {\bfseries Solution.}  \newline
	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	          
	      	      \newpage
	      	          
	      	\item {\bfseries (6 points)}
	      	      Let $f\colon \zo^n \to \zo^\ell$ be a function. 
	      	      The honest challenger samples $x\getsr\zo^n$ and sends the challenge $y=f(x)$ to us. 
	      	      We, on input $y$, run the following algorithm
	      	      \begin{boxedalgo}
	      	      	\begin{algorithmic}[1]
	      	      		\State Sample $r\getsr \zo^n$
	      	      		\State Compute $t = f(r)$
	      	      		\State If $y==t$: return $\widetilde x=r$
	      	      		\State Else: return $\widetilde x=0$. 
	      	      	\end{algorithmic}
	      	      \end{boxedalgo}
	      	          
	      	      Prove that the probability of our algorithm successfully inverting the function $f$ is $\geq \frac1{2^\ell}$ (over the random choice of $x\getsr\zo^n$ by the honest challenger and of $r\getsr\zo^n$ by our algorithm). 
	      	      Equivalently, prove that
	      	      $$ \mathop{\text{Pr}}_{x,r\getsr\zo^n}\left[f(\widetilde x) = f(x)\right] \geq \frac1{2^\ell}.$$
	      	          
	      	      {\footnotesize (Remark: The size of the preimage of $y\in\zo^\ell$ need not be the same as the size of the preimage of another $y'\in\zo^\ell$.)} 
	      	          
	      	      {\bfseries Solution.}  \newline
	      	      
	      	      \   %%% <-- ERASE THIS LINE AND WRITE YOUR SOLUTION HERE
	      	      
	      \end{enumerate}
\end{enumerate}


\end{document}
