Question: In this section, we design a PKE scheme for bit messages from the RSA assumption. Here is the scheme: - Gen(): Choose a modulus N=pq,
In this section, we design a PKE scheme for bit messages from the RSA assumption. Here is the scheme: - Gen(): Choose a modulus N=pq, and two exponents e,dZ(p1)(q1) such that ed=1mod (p1)(q1). Output (pk,sk)=(e,d). - Enc(msg, pk): Parse msg {0,1} and pk=e (we again use that every element of ZN can be parsed as a string in {0,1}log(N)). Draw xZN, and r{0,1}log(N), and output ct=(xe,r,x,rmsg), where x,r is the string inner product. - Dec(ct, sk): Parse ct =(xe,r,L) where xeZN,r{0,1}log(N) and L{0,1}; also parse sk =d. Output Lx,r{0,1}, where xZN is computed as x=(xe)d. Problem 6. Do both of the following. (a) Prove correctness. (b) Show how to use an adversary which breaks the semantic security of the above scheme to complete the following "inner product prediction" challenge for the RSA function with probability 1/2+ for non-negligible >0 : given (N,e,xe,r) return x,r. It can be shown (using the same argument that is used to prove the Lemma) that an adversary who completes this challenge with probability 1/2+ for non-negligible >0 can be used to design an adversary to break the RSA assumption (you do not have to prove this)
Step by Step Solution
There are 3 Steps involved in it
Get step-by-step solutions from verified subject matter experts
Study Help