%
% ps1.tex (ecs227 - Winter 00 - PR)
%
\documentclass[11pt]{article}
\setlength{\evensidemargin}{0in}
\setlength{\oddsidemargin}{0in}
\setlength{\textwidth}{6.5in}
\setlength{\textheight}{9in}
\setlength{\topmargin}{-0.4in}
\setlength{\footskip}{0.5in}
\renewcommand{\baselinestretch}{1}
\renewcommand{\arraystretch}{1}
\newcommand{\PK}{\mathrm{PK}}
\newcommand{\SK}{\mathrm{SK}}
\newcommand{\calE}{\mathcal{E}}
\newcommand{\calD}{\mathcal{D}}
\newcommand{\DES}{\mathrm{DES}}
\newcommand{\bits}{\{0,1\}}
\newcommand{\rvT}{\mathsf{T}}
\begin{document}
\hrule\smallskip
\begin{center}
{\Large\bfseries ECS 227 --- Modern Cryptography --- Winter~2000
\smallskip
Problems 1--2}
\end{center}
\smallskip\hrule
\begin{center}
{\large\itshape Phillip Rogaway}
Out: 6 January 2000.
Due: 13 January 2000.
\end{center}
\vspace{1in}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{itemize}
\item[\textbf{1.}] \textbf{A limitation on fixed-time fair-coin-flipping TMs.}
Consider the model of computation in which we augment a Turing machine so that it can
obtain the output of a random coin flip: by going into a distinguished state $Q_\$$, the
next state will be $Q_\mathrm{H}$ with probability $1/2$, and the next state will be $Q_\mathrm{T}$ with probability
$1/2$. Show that, in this model of computation, there is no constant-time algorithm to
perfectly deal out five cards to each of two players.
(A deck of cards consists of 52 cards, and a fair deal means that
all hands should be equally likely. Saying that the algorithm is constant-time means that there
is some number $T$ such that the algorithm is guaranteed to stop within $T$ steps.)
\end{itemize}
\begin{itemize}
\item[\textbf{2.}] \textbf{Encryption with a deck of cards.}
Alice shuffles a deck of cards and deals it all out to
herself and Bob (each of them gets half of the 52 cards).
Alice now wishes to send a secret message~$M$ to Bob by saying something aloud.
Eavesdropper Eve is listening in: she hears everything Alice says (but Eve can't
see the cards).
\textbf{Part A.}
Suppose Alice's message $M$ is a string of 48 bits.
Describe how
Alice can communicate~$M$ to Bob in such a way that Eve will have
\emph{no} information about what $M$ is.
\textbf{Part B.}
Now suppose Alice's message~$M$ is 49 bits.
Prove that there exists no protocol which allows
Alice to communicate~$M$ to Bob in such a way that Eve will have
no information about~$M$.
(What does it mean that Eve learns nothing about $M$?
That for all strings $\kappa$, the probability that Alice says
$\kappa$ is independent of $M$: for all messages $M_0, M_1$ we have that
\[
\Pr[\mbox{ Alice says } \kappa \mid M=M_0 ] =
\Pr[\mbox{ Alice says } \kappa \mid M=M_1 ]\;.
\]
The probability is over the random shuffle of the cards.)
\end{itemize}
%48
\iffalse
\item[\textbf{2.}] \textbf{Composition of EPT Algorithms.}
John designs an EPT (expected polynomial time) algorithm to solve some computational
problem $\Pi$---but he assumes
that he has in hand a black-box (i.e., a unit-time subroutine) which solves some
other computational problem, $\Pi'$.
Ted soon discovers an EPT algorithm to solve $\Pi'$.
True or false: putting these two pieces together, John and Ted now have an EPT
algorithm for $\Pi$.
Give a proof or counterexample.
(When we speak of the worst-case running time of machine $M$ we are looking at the function
$T(n)$ which gives, for each~$n$, the maximal time which~$M$ might spend on an input of size~$n$:
$T(n) = \max_{x, \; |x|=n}[\mbox{\#Steps}_M(x)]$.
When we speak of the expected running time of~$M$ we are instead looking at the function
$T(n)$ which gives, for each~$n$, the maximal value among inputs of
length~$n$ of the expected value of the running time of~$M$ on this input---that is,
$T(n) = \max_{x,\;|x|=n} \mathbf{E}[\mbox{\#Steps}_M(x)]$, where the expectation is over
the random choices made by $M$.)
\fi
\iffalse
\item[\textbf{3.}] \textbf{Bijectivity of the function $f$ used in RC6.}
Show that the map $x\mapsto x(2x+1) \bmod 2^w$ is one-to-one (and therefore surjective, too)
on $\{0,1,\ldots, 2^w-1\}$.
(In general, $x\mapsto x(rx+s) \bmod 2^w$ is one-to-one on this domain
whenever~$r$ is even and~$s$ is odd.
Show this more general statement, if you prefer.)
\end{itemize}
\begin{itemize}
\item[\textbf{4.}] \textbf{Alternative formulation of real-or-random security (rr2).}
When I presented our paper on different notions of symmetric encryption at MIT,
Ron~Rivest raised the following objection to our definition of real-or-random security:
\begin{quote}
In a chosen-plaintext attack the adversary $A$ should have the ability to obtain the encryptions
of messages of her choice. But in your real-or-random definition, the adversary cannot
do this: she obtains what are either valid encryptions or bogus encryptions --- and she can't get,
for comparison, what she knows to be valid encryptions. Consider giving
the adversary an additional oracle which \emph{always} correctly encrypts.
Would this strengthen your definition?
\end{quote}
Answer Rivest's question (being grateful that you have more than 60 seconds to consider this),
giving a careful proof. You should begin by introducing any notation you need.
\end{itemize}
\fi
\end{document}