Question for Practice
Principles Of Information Security - Spring 2024, IIIT Hyderabad
January 28, 2025
1. [10 points] Construct a PRNG assuming DLP is hard. What is a hardcore bit, and prove whether
the MSB/LSB of the DLP problem is a hardcore bit.
2. [6 points] Define a OWF. What assumptions can you relax if you want to have symmetric key cryptography,
but the adversary is a “Deterministic” Poly Time Turing Machine? [Medium]
3. [7 points] Define CPA security through a game. In CPA security, what happens if the adversary is
given the key to the encryption oracle instead of just oracle access? (Hint: Kerckhoffs' theorem)
4. [4 points] Define negligible functions. Is the following equivalent to the definition of a negligible
function? Explain why it's different, or prove it's the same.
f is negligible if
$$f(x) = \frac{1}{\mathrm{poly}(x) + g(x)} \qquad (1)$$
where $g(x) = c.e$, $c \in \mathbb{R}$
5. [10 points] Are the following functions negligible?
• $f(x) = \frac{1}{x!}$
• $f(x) = \frac{x}{2^x}$
• $f(x) = \frac{1}{(\log x)!}$
• $f(x) = \frac{1}{(\log \log x)!}$
• $f(x) = \frac{2^{-n}}{1000}$
6. [7 points] Using your experience in security definitions, provide a definition for perfect pseudorandom
generators $G : \{0,1\}^n \to \{0,1\}^{n+1}$. Furthermore, prove that such perfect PRGs do not exist.
7. [10 points] Assuming that DLP is hard in $\mathbb{Z}_{17}^*$ (of course, it isn’t really), using 4 bits to represent
each of its elements, design a corresponding PRG $G : \{0,1\}^4 \to \{0,1\}^*$, and output the first six bits
if the seed is set to be the last 4 bits of the last 2 digits of your roll number.
8. [6 points] Prove that the shift cipher is perfectly secret as long as only one character in [a, ..., z] is
encrypted.
9. [4 points] For each of the following encryption schemes, state whether the scheme is perfectly secret.
Justify your answer in each case.
(a) The message space is $M = \{0, \ldots, 4\}$. Algorithm Gen chooses a uniform key from the key space
$\{0, \ldots, 5\}$. $\mathsf{Enc}_k(m)$ returns $[k + m \bmod 5]$, and $\mathsf{Dec}_k(c) = [c - k \bmod 5]$.
(b) The message space is $M = \{m \in \{0,1\}^l \mid \text{the last bit of } m \text{ is } 0\}$. Gen chooses a uniform key
from $\{0,1\}^{l-1}$. $\mathsf{Enc}_k(m) = m \oplus (k \| 0)$, and $\mathsf{Dec}_k(c) = c \oplus (k \| 0)$.
10. [2 points] If (Gen, Enc, Dec) is a perfectly secret encryption scheme with message space M and
key space K, then prove that |K| ≥ |M|.
11. [10 points] Assume the adversary has the ability to obtain ciphertexts for arbitrary plaintexts, i.e.,
it can choose a message and receive an encryption of the message without knowing the secret key.
Attacks that leverage this information are known as chosen plaintext attacks.
(a) Using chosen plaintext attacks, show how to learn the secret key for the shift, substitution, and
Vigenère ciphers. Your attacks should each use only a single plaintext. What is the smallest
plaintext length that suffices for each attack?
(b) For the Vigenère cipher, please consider two cases: (a) when the period $t$ is known; (b) when the
period $t$ is unknown but an upper bound $t_{\max}$ on $t$ is known. For the latter case, an asymptotic
analysis of the required plaintext length suffices, i.e., an upper bound on the required plaintext
length.
12. [10 points] PRG or not? Let $G : \{0,1\}^{2n} \to \{0,1\}^{2n+1}$ be a pseudorandom generator (PRG). For
each part below, either prove or disprove that $G' : \{0,1\}^{2n} \to \{0,1\}^{2n+1}$ is necessarily a PRG no
matter which PRG $G$ is used.
(a) $G'(x) := G(\pi(x))$, where $\pi : \{0,1\}^{2n} \to \{0,1\}^{2n}$ is any poly(n)-time computable bijective
function. (You may not assume that $\pi^{-1}$ is poly(n)-time computable.)
(b) $G'(x \| y) := G(x \| x \oplus y)$, where $|x| = |y| = n$. (Note: Here, and throughout the course, $x \| y$ refers
to the concatenation of two strings $x$ and $y$.)
(c) $G'(x \| y) := G(x \| 0^n) \oplus G(0^n \| y)$, where $|x| = |y| = n$. (Note: Here, and throughout the course,
$0^n$ and $1^n$ denote the string of 0s and 1s, respectively, of length $n$.)
(d) $G'(x \| y) := G(x \| y) \oplus (x \| 0^{n+1})$, where $|x| = |y| = n$.
13. [6 points] Let $f : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n$ be a pseudorandom function (PRF). For the functions
$f'$ below, either prove that $f'$ is a PRF (for all choices of $f$), or prove that $f'$ is not a PRF.
(a) $f'_k(x) := f_k(0 \| x) \| f_k(1 \| x)$
(b) $f'_k(x) := f_k(0 \| x) \| f_k(x \| 1)$
14. [9 points] Give complete details of how to construct Y from X in each of the following cases:
(a) X = One-way permutation, Y = pseudorandom generator
(b) X = pseudorandom generator, Y = one-way function
(c) X = pseudorandom generator, Y = pseudorandom function
For each construction, provide:
• A detailed description of the construction
• A proof sketch demonstrating that Y satisfies the required security properties given that X
satisfies its security properties
15. [5 points] Let $F'$ be a secure pseudorandom function (PRF). Construct a PRF $F_a$ that satisfies both
of the following properties:
(i) $F_a$ is a secure PRF when the key is completely hidden
(ii) $F_a$ becomes insecure when the first bit of the key is leaked, i.e., there exists an efficient adversary
that can distinguish $F_a$ from a random function with non-negligible advantage when given access
to the first bit of the key
Your answer should include:
• A formal description of your construction of $F_a$ using $F'$
• A proof that $F_a$ is secure when the key is completely hidden
• A concrete attack demonstrating how $F_a$ can be distinguished from a random function when the
first bit of the key is known
16. [ points] Let $f$ be a negligible function. Consider the following definitions:
Definition 1 (Overwhelming Function) A function $f$ is overwhelming if $1 - f$ is negligible.
Definition 2 (Noticeable Function) A positive function $f$ is noticeable if there exist a positive
polynomial $p$ and a number $n_0$ such that $f(n) \ge \frac{1}{p(n)}$ for all $n \ge n_0$.
Now consider the function $Z : \mathbb{N} \to \mathbb{R}$ defined as:
$$Z(n) = \begin{cases} 1 & \text{if } n \text{ is even} \\ 2^{-n} & \text{if } n \text{ is odd} \end{cases}$$
Given these two definitions, determine the nature of the function $Z$.
Justify your answer.
17. [10 points] In block cipher operations, we analyzed four basic modes (ECB, CBC, OFB, and Counter)
with respect to how changing a single plaintext block affects ciphertext blocks. Now, let’s examine
the reverse scenario:
Consider a sequence of ciphertext blocks $c_1, c_2, \ldots, c_n$ where some ciphertext block $c_j$ is erroneous
($1 \le j < n$). For each mode of operation, analyze how this error affects the decryption of the
remaining blocks.
Specifically, determine which plaintext blocks among $x_j, x_{j+1}, x_{j+2}, \ldots, x_n$ are received correctly in
each mode.
For the special case where $c_1$ is incorrect, determine the blocks that are decrypted incorrectly.
Justify your answer by explaining the error propagation characteristics of ECB mode.
18. [10 points] Let $G : \{0,1\}^n \to \{0,1\}^{n+1}$ be a secure pseudorandom generator (PRG).
1. Construct a new PRG Ĝ with expansion factor poly(n) where poly(n) is a polynomial in n
2. Prove that your construction Ĝ is secure, assuming G is secure
3. Calculate the exact expansion factor of your construction
4. Show that your construction is efficient (runs in polynomial time)
Note: Your construction should be general enough to work for any polynomial poly(n). You may
use G as a building block multiple times in your construction.
Hint: Consider how you can iteratively apply G to achieve larger expansion factors while maintaining
security.
19. [10 points] Consider the following statement about encryption schemes:
Let (Enc, Dec) be a fixed-length private-key encryption scheme for messages of length $\ell$
that is EAV-secure. Let $A$ be a PPT algorithm, $D$ be a distribution over $\{0,1\}^\ell$, and
$f : \{0,1\}^\ell \to \{0,1\}$ be any function.
1. Prove or disprove that for any such A, there exists a PPT algorithm A′ and a negligible function
negl such that:
$$\Pr[A(1^n, \mathsf{Enc}_k(m)) = f(m)] - \Pr[A'(1^n) = f(m)] \le \mathsf{negl}(n)$$
where:
• The first probability is taken over:
– choice of m according to D
– uniform choice of $k \in \{0,1\}^n$
– the randomness of A and Enc
• The second probability is taken over:
– choice of m according to D
– the randomness of A′
2. If you proved the statement true, provide a construction for A′ . If you proved it false, provide
a counterexample.
3. Explain the significance of this result in terms of the security properties of EAV-secure encryption
schemes.
20. [3 points] Consider a stateful variant of CBC-mode encryption where the sender simply increments
the IV by 1 each time a message is encrypted (rather than choosing IV at random each time). Show
that the resulting scheme is not CPA-secure.
21. [1 point] Say CBC-mode encryption is used with a block cipher having a 256-bit key and 128-bit
block length to encrypt a 1024-bit message. What is the length of the resulting ciphertext?
22. [2 points] Let $\mathsf{negl}_1$ and $\mathsf{negl}_2$ be negligible functions. Then, prove
1. The function $\mathsf{negl}_3(n) = \mathsf{negl}_1(n) + \mathsf{negl}_2(n)$ is negligible.
2. For any polynomial $p$, the function $\mathsf{negl}_4(n) = p(n) \cdot \mathsf{negl}_1(n)$ is negligible.