Score:2

What would be an O(n) time adversary for this kind of scheme

et flag

Suppose we have a block cipher $$E:\{0,1\}^k \text{ x } \{0,1\}^{2k} \rightarrow \{0,1\}^{2n} \quad \text{ with } \quad k,n\geq128$$ K is the key generation algorithm that returns a random k-bit key. Let SE = (K,Enc,Dec) be the symmetric encryption scheme with encryption and decryption algorithms as described below in the code. The message input to Enc is an n-bit string, and the ciphertext input to Dec is a 4n-bit string.

def Enc(K,M):
    if len(M) != n_bytes : 
        return None
    
    A1 = random_string(n_bytes)
    A2 = xor_strings(M,A1)
    C = []
    C.append(E(K,( A1 + "\x00" * n_bytes )))
    C.append(E(K,( A2 + "\xFF" * n_bytes )))
    return join(C)


def Dec(K,C):
    if len(C) != 4 * n_bytes : 
        return None

    C = split(C,2 * n_bytes)
    X1 = E_I(K,C[0])              #X1 = A1 || P1 in the pseudocode
    X2 = E_I(K,C[1])              #X2 = A2 || P2 in the pseudocode
    X1 = split(X1,n_bytes)      #A1 is X1[0] ; P1 is X1[1]
    X2 = split(X2,n_bytes)      #A2 is X2[0] ; P2 is X2[1]

    if (X1[1] != "\x00" * n_bytes) or (X2[1] != "\xFF" * n_bytes) :
        return None
    
    M = xor_strings(X1[0],X2[0])
    return M

#THIS IS WHERE ADVERSARY CODE GOES ----- NEED TO FILL THIS UP
def A(enc):
    """
    :param enc: This is the oracle supplied by the game.
    return: a forged ciphertext
    """
    pass

#below is to test the code to see if correct adversary is given
if __name__ == '__main__':    
    k = 128
    n = 128
    k_bytes = k//8
    n_bytes = n//8
 
    EE = BlockCipher(k_bytes, 2*n_bytes)
    E = EE.encrypt
    E_I = EE.decrypt

    g = GameINTCTXT(2, Enc, Dec, k_bytes)
    s = CTXTSim(g, A2)

    print ("When k=128, n=128:")
    print ("The advantage of your adversary A2 is ~" + str(s.compute_advantage()))

    k = 256
    n = 128
    k_bytes = k//8
    n_bytes = n//8

    EE = BlockCipher(k_bytes, 2*n_bytes)
    E = EE.encrypt
    E_I = EE.decrypt

    g = GameINTCTXT(2, Enc, Dec, k_bytes)
    s = CTXTSim(g, A2)

    print ("When k=256, n=128:")
    print ("The advantage of your adversary A2 is ~" + str(s.compute_advantage()))

What O(n)-time Adversary can show that SE is not INT-CTXT secure, making at most 2 queries with Advantage = 1 - 2^(-n)

Here is a Latex version of the Encryption and Decryption scheme for ease of reading:

Encryption:

$\underline{ Alg E_K(M)}$

$\text{if } |M| \neq n \text{ then return } \perp$

$A[1] \leftarrow{$} \{0,1\}^n; A[2] \leftarrow M \oplus A[1]$

$C[1] \leftarrow E_K (A[1] || 0^n)$

$C[2] \leftarrow E_K (A[2] || 0^n)$

$\text{return } C$

Decryption:

$\underline{ Alg D_K(M)}$

$\text{if } |C| \neq 4n \text{ then return } \perp$

$C[1]C[2] \leftarrow C$

$A[1] || P[1] \leftarrow E^{-1}_K(C[1]) ; A[2] || P[2] \leftarrow E^{-1}_K(C[2])$

$\text{if }(P[1] \neq 0^n \text{ or } P[2] \neq 1^n) \text{ then return } \perp$

$M \leftarrow A[1] \oplus A[2]$

$\text{return } M$

Here's what I've tried so far:

def A(enc):

    half = n_bytes // 2
 
    C1 = enc(random_string(n_bytes))
    C2 = enc("\x00" * n_bytes)
    C_split1 = C1[:half]
    C_split2 = C2[half:]
       
    return  C_split1 + C_split2;

but get output:

When k=128, n=128:
The advantage of your adversary A2 is ~0.0
When k=256, n=128:
The advantage of your adversary A2 is ~0.0
```
Daniel S avatar
ru flag
HINT: The integrity of C[1]and C[2] are each checked by checking the padding of the decryption. This provides assurance that each was produced by someone with knowledge of the key. Does the integrity of both halves of the cipher text guarantee the integrity of the full ciphertext?
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.