( 30 points) A student was bothered by one aspect of the EAV-game. She finds it unnatural that the adversary produces two messages m0,m1, only one of which is encrypted. She thinks it would be more natural if the adversary were to produce just a single message m, and then be unable to distinguish between an encryption of m and ancryption of a fixed "junk" message. She argues that this means encrypting a message m (of the attacker's choice) completely hides m, because it looks like an encrypted "junk" message that obviously has nothing to do with m. To reflect this intuition, the student defines the ZERO game between an adversary A and a cryptosystem =( Gen, Enc, Dec), which proceeds as follows: 1 1. A is given the security parameter 1n, then produces a message m{0,1} (of arbitrary length). 2. The game generates kGen(1n) and a ciphertext cEnck(m^), where in the "real world", m^ is defined to be m^=m, and in the "ideal world" m^=0m, that is, the all-zeros (junk) message of the same length as m. 3. A is given the ciphertext c and ultimately either accepts (indicating that it thinks it is in the real world) or rejects (indicating that it thinks it is in the ideal world). The advantage of A in the ZERO game against is defined as AdvZERO(A)=Pr[Ain"realworld"accepts]Pr[Ain"idealworld"accepts]. Finally, we say that is ZERO-secure if any p.p.t. (Probabilistic Polynomial Time) adversary A has only negligible advantage in the ZERO game against . Prove that ZEROsecurity is equivalent to EAV-security