\documentclass[11pt]{article}
\usepackage{amsfonts,amssymb,fullpage}
\newcommand{\Z}{\mathbb{Z}} % Rich man's blackboard font.
\newcommand{\F}{\mathbb{F}}
\setlength{\topmargin}{0in}
\setlength{\headheight}{0in}
\setlength{\headsep}{0in}
\setlength{\topskip}{0in}
\begin{document}
\newlength{\boxwidth}
\setlength{\boxwidth}{\textwidth}
\addtolength{\boxwidth}{-2cm}
\framebox[\textwidth]{
\begin{minipage}[t]{\boxwidth}
{\bfseries CS355: Topics in Cryptography \hfill Fall 1998} \\[-0.3cm]
\begin{center} {\huge Assignment \#2} \end{center}
Due: Wednesday, November 25th, 1998.
\end{minipage}}
\vspace{0.7cm}
\begin{description}
\item[1. Alternate proof of Goldreich--Levin:]
In this problem we study the first step in an alternate proof of
the Goldreich--Levin theorem. Suppose $\alpha \in \{0,1\}^n$ and
$f_{\alpha}:\{0,1\}^n \to \{0,1\}$ is an oracle satisfying
\[ \Pr_x[ f_{\alpha}(x) = \langle x, \alpha \rangle ] > \frac{3}{4} + \epsilon . \]
Show that $\alpha$ can be easily recovered from the oracle $f_{\alpha}$.
\noindent \textbf{Hint:}
Show that the first bit of $\alpha$ can be found by querying
$f_{\alpha}$ at many pairs of points
$(r_1r_2\ldots r_n, \; \bar{r}_1r_2\ldots r_n)$. Generalize to show that
all bits of $\alpha$ can be found.
\noindent Remark: This approach can be extended to reduce the
$\frac{3}{4} + \epsilon$ bound to $\frac{1}{2} + \epsilon$. The extension
is based on making the query points pairwise independent rather
than completely independent.
\item[2. Bad construction for a PRF:] Consider the following
construction for a Pseudo Random Function
$F_G:\{0,1\}^n\times\{0,1\}^s \to \{0,1\}^{n}$ based on a
Pseudo Random Number Generator $G:\{0,1\}^n \to \{0,1\}^{2n}$:
\[ F_G(x, k_1\ldots k_s) = G_{k_s}(G_{k_{s-1}}(\cdots (G_{k_1}(x)) \cdots ))
\]
where $G(x) = G_0(x) \parallel G_1(x)$ and $G_0(x)$ is the $n$ least
significant bits of $G(x)$ and $G_1(x)$ is the $n$ most significant bits
of $G(x)$.
\noindent Show that $F_G$ need not be a pseudo random function, no matter how
secure the PRNG $G$ is.
\noindent \textbf{Hint:} First show that a $(t, \epsilon)$ PRNG $G$ can be
converted into a generator $G'$ that is still pseudo random and for which $G'(0^n) = 0^{2n}$.
\item[3. Insecure SPRP:]
Show that the Luby--Rackoff construction for strong pseudo random
permutations is insecure if one uses only three PRFs rather
than four.
\item[4. SSPA of ElGamal encryption:]
Let $G$ be a group of prime order $q$. Recall that an ElGamal
public key consists of $(g, h)$ where $g,h \in G$ and $h = g^x$.
The private key is $x$. To encrypt a message $m \in G$ one
picks a random $r \in \Z_q$ and computes $C=(g^r, m\cdot h^r)$.
Prove that ElGamal encryption is $(t,\epsilon)$ secure against
a passive adversary assuming $(t,\epsilon)$-DDH. To do so you
must show how an algorithm $A$ able to mount a passive attack on
ElGamal encryption can be used to solve the DDH problem.
\end{description}
\noindent \textbf{Extra credit:}
\begin{enumerate}
\item Show how to construct a PRF out of a PRNG such that the PRF
can be evaluated in a logarithmic number of steps on a parallel computer.
(Currently the only such constructions are based on synthesizers rather
than PRNGs.)
\item Prove that the DDH assumption is equivalent to some other
standard complexity assumption or show that the DDH assumption is
false.
\end{enumerate}
\end{document}