This document contains the instructions for Homework 4 of the CSL759: Cryptography and Network Security course. It includes 4 problems related to digital signatures, pseudorandom functions, and collision-resistant hash functions. The homework is due on November 9th and must be submitted to the instructor, Shweta Agrawal. Problem 1 extends Lamport's one-time digital signature to a two-time signature and asks students to analyze the security properties. Problem 2 proves that secure digital signature schemes imply the existence of one-way functions. Problem 3 constructs a pseudorandom function from a message authentication code. Problem 4 analyzes the collision resistance of a hash function based on the RSA assumption.
This document contains the instructions for Homework 4 of the CSL759: Cryptography and Network Security course. It includes 4 problems related to digital signatures, pseudorandom functions, and collision-resistant hash functions. The homework is due on November 9th and must be submitted to the instructor, Shweta Agrawal. Problem 1 extends Lamport's one-time digital signature to a two-time signature and asks students to analyze the security properties. Problem 2 proves that secure digital signature schemes imply the existence of one-way functions. Problem 3 constructs a pseudorandom function from a message authentication code. Problem 4 analyzes the collision resistance of a hash function based on the RSA assumption.
This document contains the instructions for Homework 4 of the CSL759: Cryptography and Network Security course. It includes 4 problems related to digital signatures, pseudorandom functions, and collision-resistant hash functions. The homework is due on November 9th and must be submitted to the instructor, Shweta Agrawal. Problem 1 extends Lamport's one-time digital signature to a two-time signature and asks students to analyze the security properties. Problem 2 proves that secure digital signature schemes imply the existence of one-way functions. Problem 3 constructs a pseudorandom function from a message authentication code. Problem 4 analyzes the collision resistance of a hash function based on the RSA assumption.
In class, we saw Lamports construction of a one time signature. In this problem, we will extend it to build a two-time signature. Let f : X Y . Assume that the messages to be signed are ` bits long. Let L = 2` and interpret m as a number in {1, . . . , L}. Let n = {1, . . . , n} and let S1 , . . . , SL n be subsets of n . The sets S1 , . . . , SL are fixed and known to everyone. Consider the following signature scheme. Algorithm KeyGen picks random
x1 , . . . , xn X and outputs PK = f (x1 ), . . . , f (xn ) and SK = x1 , . . . , xn . We define = Sign(m, SK) = {all xi where i Sm } a. Explain how Verify(m, , PK) works. What is the worst case length of the resulting signature? b. We say that the sets S1 , . . . , SL are cover free if for all 1 i 6= j L we have Si Sj . Briefly explain why if S1 , . . . , SL are cover free then the signature scheme is a secure one time signature scheme. c. Let us assume that ` is a power of 2 and let n = ` + 1 + log `. For a message m {0, 1}` let c be the number of 0s in m. Let m = m||c {0, 1}n and let m 1, . . . , m n {0, 1} be the n bits of m. Define the set Sm as: Sm = {1 i n where m i = 1} n Prove that the sets (S1 , . . . , SL ) are cover free. What is the length of the resulting signatures as a function of `? d. We say that the sets (S1 , . . . , SL ) are 2-cover free if for all 1 i, j, k L where i 6= j, k we have that Si Sj Sk . Briefly explain why if (S1 , . . . , SL ) are 2-cover free the the signature scheme is a two time secure signature scheme (i.e. it remains secure as long as SK is not used to sign more than two messages). e. (extra credit) Construct L sets (S1 , . . . , SL ) n that are 2 cover free where n = O(`2 ). Note that n = O(`) is possible.
Problem 2: More on Digital Signatures
Prove that the existence of secure digital signature schemes implies the existence of one-way functions.
HW 4-1
Problem 3: PRF from MAC
Recall that a PRF is a MAC. In this problem, we will construct a PRF from a MAC. a. Recall that we can compute a hardcore bit of a one-way function f (x) using hx, ri where r is a Pk k random string and: hy, ri = i=1 yi ri mod 2. Suppose g is a secure MAC for {0, 1} n m 0 k n 0 {0, 1} {0, 1} . Let f : {0, 1} {0, 1} {0, 1} and f (s, x) = hg(s, x), ri where r {0, 1}m . Give a contrived example to show that f 0 is not a PRF. b. We fix the above function by keeping r secret as follows h(s, r, x) = hg(s, x), ri. Prove that h is a PRF. Hint 1: How can an adversary A that distinguishes between h and a truly random function be used to learn a value of h on an input without explicitly querying for it? Hint 2: Recall that given a value r and a good prediction for hz, ri one can learn a value of z. Hint 3: Use the above to break security of g(s, x). c. The output of h is a single bit. Propose a construction based on h that outputs more than one bit. Argue that your construction is a PRF.
Problem 4: Collision-resistant hash functions
Consider the following hash function family for hashing integers: Gen(1k ): generate 2 k-bit primes p, q. Let n = pq. Choose random y QRn and output n, y. H(n,y) (x) = y x mod n a. What is the definition of a collision-resistant hash function? b. Recall that the RSA assumption says that, given an RSA public key (n, e) GRSA (1k ) and a random y Zn , it is hard to find x Zn such that xe = y. In experiment notation: for all probabilistic polynomial-time adversaries A, there exists a negligible function () such that Pr[(n, e) GRSA (1k ); y Zn ; x A(n, e, y) : y = xe ] = (k). Prove that if the RSA assumption holds, then the hash function described above is collisionresistant (as usual, use a reduction). Hint: Recall that if we can break RSA for y QRn , we can break RSA for y Zn . Also recall that if k is the order of y Zn , then k divides (n).
Hacking: A Beginners Guide To Your First Computer Hack; Learn To Crack A Wireless Network, Basic Security Penetration Made Easy and Step By Step Kali Linux
Evaluation of Some Websites that Offer Virtual Phone Numbers for SMS Reception and Websites to Obtain Virtual Debit/Credit Cards for Online Accounts Verifications
Palo Alto Networks: The Ultimate Guide To Quickly Pass All The Exams And Getting Certified. Real Practice Test With Detailed Screenshots, Answers And Explanations
Cybersecurity: A Simple Beginner’s Guide to Cybersecurity, Computer Networks and Protecting Oneself from Hacking in the Form of Phishing, Malware, Ransomware, and Social Engineering
Computer Networking: The Complete Beginner's Guide to Learning the Basics of Network Security, Computer Architecture, Wireless Technology and Communications Systems (Including Cisco, CCENT, and CCNA)