Security Models

Academic year: 2022

2020/2021 P. Lafourcade and L. Robert

Session 1

Exercise 1 (Negligible functions)

Let f and g be two negligible functions. Prove that:

1. f·g is negligible.

2. For any k > 0, $f^k$ is negligible.

3. For any λ, µ ∈ R, λ, µ > 0, λ·f + µ·g is negligible.

Exercise 2 (DL, CDH, DDH assumptions)

Recall DL, CDH, and DDH assumptions and prove that:

1. Solving DL ⇒ Solving CDH.

2. Solving CDH ⇒ Solving DDH.

Exercise 3 (Deterministic Asymmetric Encryption Scheme)

Let Π = (G, E, D) be a deterministic asymmetric encryption scheme. Prove that Π is not IND-CPA.

Exercise 4 (Indistinguishability security)

Let E be an encryption that is IND-CPA and H be a public hash function. We define the following encryption E as follows: E(x) = E(x) || H(x), where || denotes the concatenation of bit-strings.

Show that the encryption E is not IND-CPA secure.

Exercise 5 (One-way security)

Let f be a one-way function. We construct the encryption E as follows:

• Pick a random value x in the domain of f.

• The encryption of m is ⟨f(x), x ⊕ m⟩.

Prove that: if f is a one-way function, then E is a OW-CPA encryption scheme.

Exercise 6 (Prime order groups)

Usually, cyclic groups are considered for which discrete logarithm and DH problems are believed to be hard. There are several reasons we prefer prime order groups over composite ones. A first reason is that discrete logarithm is harder in prime order groups (but it is still hard in non-prime order groups).

A second reason is that finding a generator is trivial (why?). A final reason applies when DDH should be hard. A necessary condition for the DDH to be hard is that $g^{x_1 x_2}$ should be indistinguishable from a random group element.

The goal of this exercise is to show that this is (almost) true.

Let G be a group of prime order q with generator g.

1. If $x_1, x_2$ are chosen uniformly at random from $\mathbb{Z}_q$, show that:

$$\Pr[g^{x_1 x_2} = 1] = \frac{2}{q} - \frac{1}{q^2}$$

2. For any $y \in G$, $y \neq 1$, show that:

$$\Pr[g^{x_1 x_2} = y] = \frac{1}{q} - \frac{1}{q^2}$$

3. Conclude by comparing the previous results with the uniform distribution over G when ||q|| = n.

Note that using a prime order group is neither necessary nor sufficient for the DDH problem to be hard.
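An exhaustive check of the two probabilities stated in questions 1 and 2 on a toy group, together with the distance from uniform that question 3 asks about. This is an added example, not part of the original exercise sheet; the parameters p = 23, q = 11 and all function names are assumptions chosen for illustration, and the numerical check does not replace the proofs.

```python
from collections import Counter
from fractions import Fraction


def subgroup_generator(p, q, h=2):
    """Return a generator of the order-q subgroup of Z_p^*, with q prime and q | p-1."""
    if (p - 1) % q != 0:
        raise ValueError("q must divide p - 1")
    while True:
        g = pow(h, (p - 1) // q, p)
        if g != 1:  # any non-identity element of a prime-order group generates it
            return g
        h += 1


def dh_product_distribution(p, q, g):
    """Exact distribution of g^(x1*x2) for x1, x2 uniform and independent in Z_q."""
    counts = Counter()
    for x1 in range(q):
        for x2 in range(q):
            counts[pow(g, (x1 * x2) % q, p)] += 1
    return {y: Fraction(c, q * q) for y, c in counts.items()}


def distance_from_uniform(dist, q):
    """Statistical distance between dist and the uniform distribution on the group."""
    uniform = Fraction(1, q)
    missing = q - len(dist)  # group elements that never occur have probability 0
    return (sum(abs(pr - uniform) for pr in dist.values()) + missing * uniform) / 2


if __name__ == "__main__":
    p, q = 23, 11  # toy parameters (constructed): 23 = 2 * 11 + 1
    g = subgroup_generator(p, q)
    dist = dh_product_distribution(p, q, g)
    print("generator g =", g)
    print("Pr[g^(x1 x2) = 1] =", dist[1],
          " formula 2/q - 1/q^2 =", Fraction(2, q) - Fraction(1, q * q))
    others = {pr for y, pr in dist.items() if y != 1}
    print("Pr[g^(x1 x2) = y], y != 1:", others,
          " formula 1/q - 1/q^2 =", Fraction(1, q) - Fraction(1, q * q))
    print("distance from uniform =", distance_from_uniform(dist, q))
```

On this toy group the distance from uniform comes out as (q − 1)/q², which is the quantity to compare with 1/q when q has n bits.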
