# Exercises

- Page ID
- 7324

2.1: Consider the following encryption scheme:

(a) Fill in the details of the Dec algorithm so that the scheme satisfies correctness.

(b) Prove that the scheme satisfies one-time secrecy.

2.2: In abstract algebra, a (finite) **group** is a finite set ? of items together with an operator ⊗ satisfying the following axioms:

**Closure**: for all \(a, b \in ?\), we have \(a \oplus b \in ?\).**Identity**: there is a special*identity**element*\(e \in ?\) that satisfies \(e \oplus a= a\) for all \(a \in ?\). We typically write “1” rather than e for the identity element.**Associativity**: for all \(a, b, c \in ?\), we have \((a \oplus b) \oplus c = a \oplus (b \oplus c)\).**Inverses**: for all \(a \in ?\), there exists an inverse element \(b \in ?\) such that \(a \oplus b = b \oplus a\) is the identity element of ?. We typically write “\(a^{−1}\)” for the inverse of a.

Define the following encryption scheme in terms of an arbitrary group (\(?,\oplus\)):

(a) Prove that \(\{0,1\}^{\lambda}\) is a group with respect to the XOR operator. What is the identity element, and what is the inverse of a value \(x \in \{0,1\}^{\lambda}\)?

(b) Fill in the details of the Dec algorithm and prove (using the group axioms) that the scheme satisfies correctness.

(c) Prove that the scheme satisfies one-time secrecy.

2.3: Show that the following encryption scheme does **not** have one-time secrecy, by constructing a program that distinguishes the two relevant libraries from the one-time secrecy definition.

2.4: Prove that if an encryption scheme \(\Sigma\) has \(|\Sigma.?| < |\Sigma.?|\) then it cannot satisfy one-time secrecy. Show an explicit attack.

2.5: Let \(\Sigma\) denote an encryption scheme where \(\Sigma.? = \Sigma.?\), and define \(\Sigma^2\) to be the following **double-encryption** scheme:

Prove that if \(\Sigma\) satisfies one-time secrecy, then so does \(\Sigma^2\).

2.6: Let \(\Sigma\) denote an encryption scheme and define \(\Sigma^2\) to be the following encrypt-twice scheme:

Prove that if \(\Sigma\) satisfies one-time secrecy, then so does \(\Sigma^2\).

2.7: Formally define a variant of the one-time secrecy definition in which the calling program can obtain two ciphertexts (on chosen plaintexts) encrypted under the same key. Call it two-time secrecy.

(a) Suppose someone tries to prove that one-time secrecy implies two-time secrecy. Show where the proof appears to break down.

(b) Describe an attack demonstrating that one-time pad does not satisfy your definition of two-time secrecy.

2.8: Show that the following libraries are interchangable:

Note that \(x\) and \(y\) are swapped in the first two lines, but not in the return statement.

2.9: In this problem we consider modifying one-time pad so that the key is not chosen uniformly. Let \(?^{\lambda}\) denote the probability distribution over \([0,1]^{\lambda}\) where we choose the \(i\)th bit to be 0 with probability 0.4 and 1 with probability 0.6.

Let \(\Sigma\) denote one-time pad encryption scheme but with the key sampled from distribution \(?^{\lambda}\) rather than uniformly in \(\{0,1\}^{\lambda}\).

Consider the case of \(\lambda = 5\). A calling program ? for the \(\mathscr{L}^{\Sigma}_{ots-^{\ast}}\) libraries calls QUERY(01011,10001) and receives the result 01101. What is the probability that this happens, assuming that ? is linked to \(\mathscr{L}_{ots-L}\)? What about when ? is linked to \(\mathscr{L}_{ots-R}\)?

2.10: During Alice’s role-playing campaign, it becomes necessary to roll an 8-sided die. Unfortunately, she has misplaced hers! Her only source of randomness is a coin. Help her out by showing that the following two libraries are interchangeable: