\section{Exam 1}

\subsection{Problem 1}

We construct an explicit chosen-plaintext attack that breaks the modified RSA scheme with probability 1.

The key observation is that, given the public key $(N, e_1, e_2)$ and a ciphertext $(c_1, c_2) = ((MR)^{e_1} \bmod N, R^{e_2} \bmod N)$, anyone can compute $M^{e_1 e_2} \bmod N$, a value that depends only on the plaintext $M$ and not on the randomness $R$:
$$
M^{e_1 e_2} \equiv \frac{(MR)^{e_1 e_2}}{R^{e_1 e_2}} = \frac{c_1^{e_2}}{c_2^{e_1}} \pmod N.
$$
This computation uses only public information, yet it reveals information about the encrypted message.

Therefore, the attack proceeds as follows:
\begin{enumerate}
    \item Choose challenge messages $m_0 = 1$ and $m_1 = -1$, both in $\mathbb{Z}_N^*$.
    \item Upon receiving the challenge ciphertext $(c_1, c_2)$, the adversary computes $\frac{c_1^{e_2}}{c_2^{e_1}} \bmod N$.
    \item If $\frac{c_1^{e_2}}{c_2^{e_1}} \equiv 1 \pmod N$, output $b' = 0$, guessing $m_0 = 1$; if $\frac{c_1^{e_2}}{c_2^{e_1}} \equiv -1 \pmod N$, output $b' = 1$, guessing $m_1 = -1$.
\end{enumerate}

Since $N = pq$ where $p, q$ are odd primes, we have $\phi(N) = (p-1)(q-1)$, which is even. Therefore, any $e_1, e_2 \in \mathbb{Z}_{\phi(N)}^*$ must be odd, making $e_1 e_2$ odd, and then $m_0^{e_1e_2} = 1^{e_1e_2} \equiv 1 \pmod N$ and $m_1^{e_1e_2} = (-1)^{e_1e_2} \equiv -1 \pmod N$. Thus the adversary perfectly distinguishes encryptions of $1$ from encryptions of $-1$, violating CPA security.

In conclusion, the modified RSA scheme is not CPA-secure.
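As an added illustration (not part of the original solution), the following Python simulates the CPA game above on toy parameters: \texttt{plaintext\_fingerprint} computes $c_1^{e_2} \cdot (c_2^{e_1})^{-1} \bmod N$ from the public key and ciphertext alone, and \texttt{cpa\_win\_rate} shows the adversary recovering $b$ every time. The small primes, the seeded randomness and the use of Python's \texttt{pow(x, -1, N)} for modular inversion are choices made here, not part of the problem.

```python
import random
from math import gcd

# Added example, not part of the original solution. Toy primes only: the point is
# the algebra (R cancels out of c1^e2 / c2^e1), not parameter sizes.

def keygen(p, q, rng):
    """Public key (N, e1, e2) with e1, e2 in Z_{phi(N)}^*; both are odd since phi(N) is even."""
    N, phi = p * q, (p - 1) * (q - 1)

    def pick_exponent():
        while True:
            e = rng.randrange(3, phi)
            if gcd(e, phi) == 1:
                return e

    return N, pick_exponent(), pick_exponent()


def encrypt(pk, m, rng):
    """Modified RSA: pick random R in Z_N^*, output ((m*R)^e1 mod N, R^e2 mod N)."""
    N, e1, e2 = pk
    while True:
        R = rng.randrange(2, N)
        if gcd(R, N) == 1:
            break
    return pow(m * R, e1, N), pow(R, e2, N)


def plaintext_fingerprint(pk, ct):
    """c1^e2 * (c2^e1)^-1 mod N equals M^(e1*e2) mod N; uses only public data."""
    N, e1, e2 = pk
    c1, c2 = ct
    return pow(c1, e2, N) * pow(pow(c2, e1, N), -1, N) % N


def guess_bit(pk, ct):
    """The CPA adversary's guess for b when m0 = 1 and m1 = -1 (i.e. N-1)."""
    N = pk[0]
    v = plaintext_fingerprint(pk, ct)
    if v == 1:
        return 0
    if v == N - 1:
        return 1
    return None  # cannot happen for these two challenge messages (e1*e2 is odd)


def fingerprint_matches_plaintext(p, q, m, seed=1):
    """Check that the fingerprint of a fresh encryption of m is m^(e1*e2) mod N."""
    rng = random.Random(seed)
    pk = keygen(p, q, rng)
    N, e1, e2 = pk
    return plaintext_fingerprint(pk, encrypt(pk, m, rng)) == pow(m, e1 * e2, N)


def cpa_win_rate(p, q, trials, seed=0):
    """Simulate the CPA game `trials` times; return the adversary's success rate."""
    rng = random.Random(seed)
    pk = keygen(p, q, rng)
    N = pk[0]
    wins = 0
    for _ in range(trials):
        b = rng.randrange(2)
        m = 1 if b == 0 else N - 1
        if guess_bit(pk, encrypt(pk, m, rng)) == b:
            wins += 1
    return wins / trials
```

Running \texttt{cpa\_win\_rate(61, 53, 200)} returns $1.0$: the fingerprint is $1$ or $N-1$ exactly according to the challenge bit, which is the perfect distinguishing advantage claimed above.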

\subsection{Problem 2}

Assume for contradiction that a universal hardcore bit function $h:\{0,1\}^n \rightarrow \{0,1\}$ exists.
Let $f_n' : \{0,1\}^n \rightarrow \{0,1\}^{q(n)}$ be any one-way function. We define a new function $f_n: \{0, 1\}^n \rightarrow \{0, 1\}^{q(n) + 1}$ by
$$
f_n(x) = f_n'(x) \| h(x),
$$
that is, we append the output of $h(x)$ to $f_n'(x)$. Observe that $f_n$ is efficiently computable because $f_n'$ and $h$ are both efficiently computable, and $h$ cannot be a hardcore bit for $f_n$ because $h(x)$ is trivially revealed in the output.

It remains to prove that $f_n$ is hard to invert, and hence is a one-way function. Assume that there exists a non-uniform probabilistic polynomial-time adversary $A$ that inverts $f_n$ with non-negligible probability $\delta(n)$, that is,
$$
\Pr_{x \leftarrow \{0,1\}^n}\left[ A(1^n, f_n(x)) \in f_n^{-1}(f_n(x)) \right] \geq \delta(n).
$$

The algorithm $A'$ that inverts $f_n'$ is constructed as follows: given $f_n'(x)$,
\begin{enumerate}
    \item For $r = 0, 1$, $A'$ guesses $h(x) = r$ and computes $x_r = A(1^n, f_n'(x)\| r)$.
    \item $A'$ checks whether $f_n'(x_r) = f_n'(x)$ for $r = 0, 1$; if either equation holds, it outputs the corresponding $x_r$.
\end{enumerate}

Since one of the two guesses $h(x) = r$ is correct, and $A$ succeeds with probability at least $\delta(n)$, we conclude that
\begin{align*}
    \Pr_{x \leftarrow \{0,1\}^n}\left[ A'(1^n, f_n'(x)) \in (f_n')^{-1}(f_n'(x)) \right] & \geq \Pr_{x \leftarrow \{0,1\}^n}\left[ A(1^n, f_n'(x) \| h(x)) \in (f_n')^{-1}(f_n'(x)) \right] \\
    & \geq \Pr_{x \leftarrow \{0,1\}^n}\left[ A(1^n, f_n'(x) \| h(x)) \in f_n^{-1}(f_n(x)) \right] \\
    & \geq \delta(n).
\end{align*}
(The second inequality holds because $f_n^{-1}(f_n(x)) \subseteq (f_n')^{-1}(f_n'(x))$.) Hence, we can invert $f_n'$ with non-negligible probability, contradicting that $f_n'$ is a one-way function.

In conclusion, no deterministic function $h$ can be a universal hardcore bit.

\subsection{Problem 3}

Let $G' := \{ G'_n : \{0,1\}^n \to \{0,1\}^{2n} \}_{n\in\mathbb{N}}$ be any secure PRG family, and $F := \{ F^n := \{ f^n_k : \{0,1\}^n \to \{0,1\}^n \}_{k\in K_n} \}_{n\in\mathbb{N}}$ be any secure PRF family. We define the function family $G := \{G_n : \{0,1\}^n \rightarrow \{0,1\}^{2n}\}_{n\in\mathbb{N}}$ by
$$G_n(x) = \begin{cases}
G'_n(x) & \text{if } x \neq 0^n \\
G'_n(1^n) & \text{if } x = 0^n
\end{cases}$$
We then prove that $G$ is also a PRG, while $H := \{ H^n := \{ h^n_k : \{0,1\}^n \to \{0,1\}^{2n} \}_{k\in K_{2n}} \}_{n\in\mathbb{N}}$ with $h^n_k(x) := f^{2n}_k(G_n(x))$ is not a PRF.

Firstly, the distributions $\{G_n(U_n)\}_n$ and $\{G'_n(U_n)\}_n$ differ only on the single input $x = 0^n$, so their statistical distance is at most $2^{-n}$. Since $G'$ is a PRG, we get
$$\{G_n(U_n)\}_n \approx_s \{G'_n(U_n)\}_n \approx_c \{U_{2n}\}_n.$$
This concludes the proof that $G$ is a PRG.

By the construction of $G$ and $H$, we have:
$$h_k^n(0^n) = f_k^{2n}(G_n(0^n)) = f_k^{2n}(G_n(1^n)) = h_k^n(1^n).$$
However, for a truly random function $R: \{0,1\}^n \rightarrow \{0,1\}^{2n}$:
$$\Pr[R(0^n) = R(1^n)] = 2^{-2n},$$
which is negligible. This gives us a distinguisher $D$ that queries the function oracle on inputs $0^n$ and $1^n$:
\begin{enumerate}
    \item If the outputs are equal, $D$ guesses the function is $H$;
    \item If the outputs are different, $D$ guesses the function is truly random.
\end{enumerate}
The distinguishing advantage is $1 - 2^{-2n}$, which is non-negligible, proving that $H$ is not a PRF family.
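The distinguisher $D$ above, as an added worked example that is not part of the original solution. The PRG $G'$ is played by a truncated SHA-256 and the PRF $f$ by truncated HMAC-SHA256 (both stand-ins assumed here for illustration), with $n = 16$ so that outputs are $2n = 32$ bits. \texttt{distinguisher} makes the two queries $0^n$ and $1^n$ and returns its verdict: against $h_k$ the two outputs always coincide, while against a lazily sampled random function they coincide only with probability $2^{-32}$.

```python
import hashlib
import hmac
import random

# Added example, not part of the original solution. Toy parameter n = 16 bits.
N_BITS = 16
IN_BYTES = N_BITS // 8          # |x| = n bits
OUT_BYTES = 2 * N_BITS // 8     # |G(x)| = |h_k(x)| = 2n bits
ZERO_N = bytes(IN_BYTES)        # 0^n
ONE_N = b"\xff" * IN_BYTES      # 1^n


def G_prime(x: bytes) -> bytes:
    """Stand-in for the PRG G'_n (assumption: truncated SHA-256, not the page's G')."""
    return hashlib.sha256(b"prg|" + x).digest()[:OUT_BYTES]


def G(x: bytes) -> bytes:
    """The modified PRG from the problem: G(0^n) := G'(1^n), otherwise G(x) = G'(x)."""
    return G_prime(ONE_N if x == ZERO_N else x)


def make_h(k: bytes):
    """h_k(x) = f_k^{2n}(G(x)); the PRF f is played by truncated HMAC-SHA256 (assumption)."""
    def h(x: bytes) -> bytes:
        return hmac.new(k, G(x), hashlib.sha256).digest()[:OUT_BYTES]
    return h


def make_random_function(seed: int):
    """A truly random function {0,1}^n -> {0,1}^{2n}, sampled lazily on each new query."""
    rng = random.Random(seed)
    table = {}

    def R(x: bytes) -> bytes:
        if x not in table:
            table[x] = rng.getrandbits(2 * N_BITS).to_bytes(OUT_BYTES, "big")
        return table[x]

    return R


def distinguisher(oracle) -> str:
    """D queries 0^n and 1^n: equal outputs => 'H', different outputs => 'random'."""
    return "H" if oracle(ZERO_N) == oracle(ONE_N) else "random"


def run(seed: int = 0):
    """Run D once against h_k (fresh key) and once against a random function."""
    rng = random.Random(seed)
    k = bytes(rng.getrandbits(8) for _ in range(16))
    return distinguisher(make_h(k)), distinguisher(make_random_function(seed))
```

\texttt{run()} returns \texttt{("H", "random")}: the collision $G(0^n) = G(1^n)$ is inherited by every $h_k$ regardless of the key, which is exactly why the reduction to the PRF security of $F$ gives no protection here.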

\subsection{Problem 4}

We prove that this SKE scheme is secure against chosen-plaintext attacks by a hybrid argument. Let $A$ be any p.p.t. adversary in the CPA game for the SKE scheme.

\paragraph{Hybrid 0.} Game $\mathsf{G}_0$ is the real CPA game for the SKE scheme. We aim to prove that
$$
\left|\Pr[A\text{ wins }\mathsf{G}_0] - \frac{1}{2}\right| \le \text{negl}(n).
$$

\paragraph{Hybrid 1.} Game $\mathsf{G}_1$ is identical to $\mathsf{G}_0$ except that, when the challenger computes the ciphertext, it replaces $h_k^n(r) = f_k^{2n}(G(r))$ by $R(G(r))$, where $R: \{0, 1\}^{2n}\to \{0, 1\}^{2n}$ is a truly random function.

We prove that
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_0] - \Pr[A\text{ wins }\mathsf{G}_1]\right| \le \text{negl}(n).
$$
We construct a distinguisher $B$ for the PRF family $F$ whose advantage equals the gap between $A$'s winning probabilities in the two games. Given oracle access to either $f_k^{2n}$ or a truly random function $R$,
\begin{enumerate}
    \item $B$ simulates the CPA game. Whenever $A$ submits its query $(m_0, m_1)$,
    \begin{enumerate}
        \item $B$ chooses random $r \in \{0,1\}^n$ and computes $G(r)$;
        \item $B$ queries the oracle to obtain either $y = f_k^{2n}(G(r))$ or $y = R(G(r))$;
        \item $B$ returns the ciphertext $(r, y\oplus m_b)$ to $A$.
    \end{enumerate}
    \item $B$ outputs 1 if and only if $A$ outputs the correct $b' = b$.
\end{enumerate}
Then
$$
\left|\Pr[A\text{ wins }\mathsf{G}_0] - \Pr[A\text{ wins }\mathsf{G}_1]\right| = \left|\Pr[B^{f_{k}^{2n}}(\cdot) = 1] - \Pr[B^{R}(\cdot) = 1]\right| \le \text{negl}(n).
$$

\paragraph{Hybrid 2.} Game $\mathsf{G}_2$ is identical to $\mathsf{G}_1$ except that, when the challenger computes the ciphertext, it replaces $R(G(r))$ by $u$, where $u\in \{0, 1\}^{2n}$ is truly random.
We prove that
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_1] - \Pr[A\text{ wins }\mathsf{G}_2]\right| \le \text{negl}(n).
$$

Assume that $A$ makes $q = \text{poly}(n)$ queries to the challenger, and let $r_1, r_2, \cdots, r_q$ be the random values chosen by the challenger. Since $R$ is a truly random function, the pads $\{R(G(r_i))\}_{i\in [q]}$ are $q$ independent uniformly random strings if and only if the values $\{G(r_i)\}_{i\in [q]}$ are pairwise distinct.

We then bound the probability that a collision occurs in $\{G(r_i)\}_{i\in [q]}$. Firstly, by a union bound, the probability that two of the $r_i$ collide is at most $\binom{q}{2}2^{-n}$, which is negligible. Secondly, given that all $r_i$'s are distinct, the probability that two of the $G(r_i)$ collide must also be negligible; otherwise a distinguisher for the PRG family $G$ could take $q$ samples and check for collisions, since $q$ uniformly random $2n$-bit strings collide with probability at most $\binom{q}{2}2^{-2n}$.

Therefore,
$$
\left|\Pr[A\text{ wins }\mathsf{G}_1] - \Pr[A\text{ wins }\mathsf{G}_2]\right| \le \Pr[\text{collision exists in }\{G(r_i)\}_{i\in [q]}] \le \text{negl}(n).
$$

Since in game $\mathsf{G}_2$ the adversary $A$ always receives ciphertexts consisting of two truly random strings, independent of $b$, we get that
$$
\Pr[A\text{ wins }\mathsf{G}_2] = \frac{1}{2}.
$$
Therefore, combining the three hybrids by the triangle inequality, the claim
$$
    \left|\Pr[A\text{ wins }\mathsf{G}_0] - \frac{1}{2}\right| \le \text{negl}(n)
$$
from Hybrid 0 holds.

\paragraph{Remark.} The attack from Problem 3 fails here because the adversary cannot control the input to $h_k^n$: the random value $r$ is chosen by the encryption algorithm, not by the adversary.

\subsection{Problem 5}

We prove that no such PRG exists by a case analysis over all possible types of Boolean functions $h$, showing that each type leads to a distinguishing attack.

\paragraph{Case 1: trivial functions.} If $h(x_1, x_2) = c$ for some constant $c \in \{0,1\}$, then every output bit of $f_{A,h}$ equals the constant $c$. The distinguisher checks whether all output bits are identical: this holds with probability 1 for $f_{A,h}$ but with probability $2^{-5n+1}$ for a truly random $5n$-bit string.

\paragraph{Case 2: degenerate functions.} If $h(x_1, x_2) = x_i \oplus c$ for $i \in \{1,2\}$ and $c \in \{0,1\}$, then each output bit depends linearly on exactly one bit from the first layer, so the overall function is also linear:
$$f_{A,h}(x) = A'x \oplus b$$
for some matrix $A' \in \{0,1\}^{5n \times n}$ and vector $b \in \{0,1\}^{5n}$.

We can construct a distinguisher that exploits this linearity. The matrix $A'$ has $5n$ rows but only $n$ columns, so its rank is at most $n < 5n$; therefore there exists a non-zero vector $v \in \{0,1\}^{5n}$ such that $v^T A' = 0$. The distinguisher computes $v^Ty$, where $y$ is the string to be tested:
\begin{itemize}
    \item For $y = f_{A,h}(x)$: it always equals $v^T b$, a constant.
    \item For a truly random $y$: it is uniformly random over $\{0,1\}$.
\end{itemize}
This gives a distinguisher with advantage $\frac{1}{2}$.

\paragraph{Case 3: $\land$-type functions.} If $h(x_1, x_2) = ((x_1 \oplus c_1) \wedge (x_2 \oplus c_2)) \oplus c_3$, then each output bit has the form:
$$((\langle a , x\rangle \oplus c_1) \wedge (\langle b, x \rangle \oplus c_2)) \oplus c_3$$
where $a, b$ are rows from matrix $A$. We then consider the following cases:
\begin{itemize}
    \item There exists an output bit with $a \neq b$ and both non-zero. Then $a$ and $b$ are linearly independent over $\mathbb{F}_2$, so over uniformly random $x\in \{0, 1\}^n$ the pair $(\langle a , x\rangle,\langle b , x\rangle)$ takes each of the values $(0,0), (0,1), (1,0), (1,1)$ with probability $\frac{1}{4}$. Therefore, this output bit equals $c_3$ with probability $\frac{3}{4}$ and $1 \oplus c_3$ with probability $\frac{1}{4}$, leading to a trivial distinguishing attack.
    \item All output bits satisfy $a = b$ or one of $a, b$ is zero. For the former case, the output bit becomes
    $$((\langle a , x\rangle \oplus c_1) \land (\langle a , x\rangle \oplus c_2)) \oplus c_3 = (c_1\oplus c_2\oplus1)\langle a , x\rangle \oplus (c_1 \wedge c_2) \oplus c_3,$$
    which is linear; for the latter case, assume $b = 0$, then the output bit becomes 
    $$(c_2\cdot (\langle a , x\rangle \oplus c_1)) \oplus c_3,$$
    which is also linear. Therefore, we can attack it as in Case 2.
\end{itemize}

\paragraph{Case 4: $\oplus$-type functions.}
If $h(x_1, x_2) = x_1 \oplus x_2 \oplus c$, then each output bit is
$$\langle a, x\rangle \oplus \langle b, x\rangle \oplus c = \langle a \oplus b, x\rangle \oplus c,$$
which is linear, and we can attack it as in Case 2.

In conclusion, we have constructed a distinguishing attack in every case, so no such PRG exists.
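The linear attack of Cases 2 and 4 and the bias of Case 3, as an added example that is not part of the original solution. It assumes a concrete shape for $f_{A,h}$, since the problem statement is not reproduced here: $A$ has $10n$ rows over $\mathbb{F}_2$ and output bit $i$ is $h(\langle a_{2i},x\rangle, \langle a_{2i+1},x\rangle)$, giving $5n$ output bits. Rather than deriving $A'$ and $b$ by hand, \texttt{linearize} recovers them by probing the public function at $0$ and at the unit vectors; \texttt{gf2\_left\_kernel\_vector} finds $v$ with $v^T A' = 0$ by row-reducing $[A' \mid I]$ over $\mathbb{F}_2$; and the resulting test $\langle v, y\rangle = \langle v, b\rangle$ accepts every real output but a random string only about half the time.

```python
import random

# Added example, not part of the original solution. Assumed structure of f_{A,h}:
# A has 10n rows over GF(2); output bit i = h(<a_{2i}, x>, <a_{2i+1}, x>), so |f(x)| = 5n.


def dot(a, x):
    """Inner product over GF(2) of two bit lists."""
    return sum(ai & xi for ai, xi in zip(a, x)) & 1


def make_generator(A, h):
    """Return f_{A,h}: {0,1}^n -> {0,1}^{5n} for the assumed two-layer structure."""
    def f(x):
        return [h(dot(A[2 * i], x), dot(A[2 * i + 1], x)) for i in range(len(A) // 2)]
    return f


def gf2_left_kernel_vector(M, ncols):
    """Nonzero v with v^T M = 0 over GF(2), or None if M (list of rows) has full row rank.
    Row-reduces [M | I]; when a row of M is reduced to zero, its I-part is the combination v."""
    m = len(M)
    aug = [(list(row), [int(i == j) for j in range(m)]) for i, row in enumerate(M)]
    pivot = 0
    for col in range(ncols):
        piv = next((i for i in range(pivot, m) if aug[i][0][col]), None)
        if piv is None:
            continue
        aug[pivot], aug[piv] = aug[piv], aug[pivot]
        for i in range(m):
            if i != pivot and aug[i][0][col]:
                aug[i] = ([p ^ q for p, q in zip(aug[i][0], aug[pivot][0])],
                          [p ^ q for p, q in zip(aug[i][1], aug[pivot][1])])
        pivot += 1
        if pivot == m:
            break
    for i in range(pivot, m):          # rows never used as pivots are now all-zero in M
        if not any(aug[i][0]):
            return aug[i][1]
    return None


def linearize(f, n):
    """Recover A', b with f(x) = A'x xor b by probing f at 0 and the unit vectors (f must be affine)."""
    b = f([0] * n)
    cols = []
    for j in range(n):
        e = [0] * n
        e[j] = 1
        cols.append([u ^ v for u, v in zip(f(e), b)])
    A_prime = [[cols[j][i] for j in range(n)] for i in range(len(b))]
    return A_prime, b


def linear_distinguisher(f, n):
    """Case 2/4 attack: pick v with v^T A' = 0 and accept y iff <v, y> == <v, b>."""
    A_prime, b = linearize(f, n)
    v = gf2_left_kernel_vector(A_prime, n)   # exists since rank(A') <= n < 5n
    target = dot(v, b)
    return lambda y: dot(v, y) == target


def acceptance_rate(D, ys):
    return sum(D(y) for y in ys) / len(ys)


def and_bit_zero_fraction(a, b, n, c1=0, c2=0, c3=0):
    """Case 3: fraction of all x for which ((<a,x>+c1) and (<b,x>+c2)) + c3 equals 0."""
    zeros = 0
    for val in range(2 ** n):
        x = [(val >> k) & 1 for k in range(n)]
        zeros += (((dot(a, x) ^ c1) & (dot(b, x) ^ c2)) ^ c3) == 0
    return zeros / 2 ** n


def demo(n=4, seed=1):
    """Build a random A and an xor-type h (Case 4); return acceptance rates on real and random strings."""
    rng = random.Random(seed)
    A = [[rng.randrange(2) for _ in range(n)] for _ in range(10 * n)]
    f = make_generator(A, lambda x1, x2: x1 ^ x2 ^ 1)
    D = linear_distinguisher(f, n)
    real = [f([(v >> k) & 1 for k in range(n)]) for v in range(2 ** n)]   # every output of f
    fake = [[rng.randrange(2) for _ in range(5 * n)] for _ in range(256)]  # constructed random strings
    return acceptance_rate(D, real), acceptance_rate(D, fake)
```

\texttt{demo()} returns an acceptance rate of $1.0$ on the $2^n$ genuine outputs and roughly $0.5$ on random strings, the advantage of $\frac12$ claimed in Case 2; \texttt{and\_bit\_zero\_fraction} with two independent rows returns $0.75$, the Case 3 bias.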

\subsection{Problem 6}

Let $H := \{h^n: \{0,1\}^n \rightarrow \{0,1\}^n\}_{n\in \mathbb{N}}$ be any family of one-way functions. Define function $f^n: \{0,1\}^n \rightarrow \{0,1\}^n$ as, for input $x \| y$ where $|x| = \lfloor n/2 \rfloor$ and $|y| = \lceil n/2 \rceil$:
$$f^n(x \| y) = \begin{cases}
h^{\lfloor n/2 \rfloor}(x) \| 0^{\lceil n/2 \rceil} & \text{if } y \neq 0^{\lceil n/2 \rceil} \\
x \| 0^{\lceil n/2 \rceil - 1} \| 1 & \text{if } y = 0^{\lceil n/2 \rceil}
\end{cases}.$$

We first show that $F = \{f^n\}_n$ is a family of one-way functions. Suppose, for contradiction, that there exist a PPT algorithm $A$ and a non-negligible function $\delta(n)$ such that
$$\Pr_{x\|y\sim \{0, 1\}^n}[f^n(A(f^n(x\|y))) = f^n(x\|y)] \geq \delta(n).$$
Note that the probability that a random input has $y = 0^{\lceil n/2 \rceil}$ is $2^{-\lceil n/2 \rceil}$, which is negligible. Therefore, $A$ must succeed on a non-negligible fraction of inputs $x\|y$ with $y\neq 0^{\lceil n/2 \rceil}$, for which $f^n(x\|y)$ has the form $h^{\lfloor n/2 \rfloor}(x) \| 0^{\lceil n/2 \rceil}$.

We can then construct an inverter for $h^{\lfloor n/2 \rfloor}$:
\begin{itemize}
    \item Given $z = h^{\lfloor n/2 \rfloor}(x)$, compute $A(z \| 0^{\lceil n/2 \rceil})$;
    \item If $A$ outputs $x' \| y'$ with $h^{\lfloor n/2 \rfloor}(x') = h^{\lfloor n/2 \rfloor}(x)$, return $x'$.
\end{itemize}
This inverter succeeds with probability at least $\delta(n) - 2^{-\lceil n/2 \rceil}$, which is non-negligible. This contradicts the one-wayness of $h^{\lfloor n/2 \rfloor}$, showing that $F$ is also one-way.

We then show that $G = \{g^n\}_n$ is not a family of one-way functions. By definition, $g^n(x)$ outputs the first $n-1$ bits of $f^n(x)$, that is, every output of $g^n$ has the form $z \| 0^{\lceil n/2 \rceil - 1}$ for some $z \in \{0,1\}^{\lfloor n/2 \rfloor}$.

Given any output $w = z \| 0^{\lceil n/2 \rceil - 1}$ of $g^n$, we can easily find a preimage $z \| 0^{\lceil n/2 \rceil}$. Note that
$$f^n(z \| 0^{\lceil n/2 \rceil}) = z \| 0^{\lceil n/2 \rceil - 1} \| 1.$$
Therefore,
$$g^n(z \| 0^{\lceil n/2 \rceil}) =  z \| 0^{\lceil n/2 \rceil - 1} = w.$$

So we can efficiently invert every possible output of $g^n$, showing that the family $G$ is not one-way.
