CSC 422 Fall 2013


Tutorial 8: Privacy of Session Protocols

04 Nov 2013

In tutorial we briefly reviewed the definition of privacy for session protocols and discussed a number of session protocols,

\begin{align}
e_i &= r_i,\; F_k(r_i) \oplus m_i && \text{where $F_k$ is a PRFG} \label{eq:SP1} \\
e_i &= P_k(m_i \oplus e_{i-1}) && \text{where $P_k$ is a PRPG} \label{eq:SP2} \\
e_i &= P_k(m_i) \oplus e_{i-1} && \text{where $P_k$ is a PRPG} \label{eq:SP2v2}
\end{align}

I stated, but did not prove, that \eqref{eq:SP1} is a private session protocol. We worked out an attack on \eqref{eq:SP2}. I stated that the third protocol, \eqref{eq:SP2v2}, is private, but this is incorrect: can you find an attack? The variant of \eqref{eq:SP2} that is private is the following:

\begin{equation} \label{eq:SP2v3} e_i = m_i \oplus P_k(e_{i-1}) \end{equation}

Can you work out a proof? All of these cryptosystems appear in notes 5 (\eqref{eq:SP1} is Cryptosystem III, \eqref{eq:SP2} is Cryptosystem VI, \eqref{eq:SP2v3} is Cryptosystem VI').
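As an added worked example (not part of the tutorial notes or the course's own code), the following Python implements all four session protocols above as stateful encryptors and runs two observer tests against the chained ones. The first test sends the same message twice and checks whether e_i ⊕ e_{i-1} repeats; under \eqref{eq:SP2v2} that difference is exactly P_k(m_i), a deterministic function of the message. The second test is the adaptive attack on \eqref{eq:SP2}: after seeing e_1 the sender picks m_2 = m_1 ⊕ e_0 ⊕ e_1, so that m_2 ⊕ e_1 equals m_1 ⊕ e_0 and e_2 = e_1 for every key. The private protocols \eqref{eq:SP1} and \eqref{eq:SP2v3} pass both tests. The block size (8 bytes), the realisation of F_k as truncated HMAC-SHA256 and of P_k as a four-round Feistel network built from F_k, and all function and class names are assumptions made for this illustration, not notation from the notes.

```python
import hashlib
import hmac
import os

BLOCK = 8  # toy block length in bytes (constructed; real ciphers use 16)


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def F(k: bytes, x: bytes) -> bytes:
    """F_k (PRFG), realised here as HMAC-SHA256 truncated to one block."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def P(k: bytes, x: bytes) -> bytes:
    """P_k (PRPG), realised as a 4-round Feistel network over two half-blocks
    whose round function is F under a per-round derived key (Luby-Rackoff style)."""
    h = BLOCK // 2
    left, right = x[:h], x[h:]
    for rnd in range(4):
        left, right = right, xor(left, F(k + bytes([rnd]), right)[:h])
    return left + right


class SP1:
    """e_i = (r_i, F_k(r_i) xor m_i): fresh randomness r_i for every message."""
    def __init__(self, k: bytes, rand=os.urandom):
        self.k, self.rand = k, rand

    def encrypt(self, m: bytes) -> bytes:
        r = self.rand(BLOCK)
        return r + xor(F(self.k, r), m)


class SP2:
    """e_i = P_k(m_i xor e_{i-1}): CBC-style chaining with public e_0."""
    def __init__(self, k: bytes, e0: bytes):
        self.k, self.prev = k, e0

    def encrypt(self, m: bytes) -> bytes:
        self.prev = P(self.k, xor(m, self.prev))
        return self.prev


class SP2v2:
    """e_i = P_k(m_i) xor e_{i-1}: chaining value applied after P_k."""
    def __init__(self, k: bytes, e0: bytes):
        self.k, self.prev = k, e0

    def encrypt(self, m: bytes) -> bytes:
        self.prev = xor(P(self.k, m), self.prev)
        return self.prev


class SP2v3:
    """e_i = m_i xor P_k(e_{i-1}): the previous ciphertext is the PRP input."""
    def __init__(self, k: bytes, e0: bytes):
        self.k, self.prev = k, e0

    def encrypt(self, m: bytes) -> bytes:
        self.prev = xor(m, P(self.k, self.prev))
        return self.prev


def repeat_leak(enc, e0: bytes, m: bytes) -> bool:
    """Send m twice; True if e_1 xor e_0 == e_2 xor e_1, i.e. the observer can
    tell that the two messages were equal."""
    e1 = enc.encrypt(m)
    e2 = enc.encrypt(m)
    return xor(e1, e0) == xor(e2, e1)


def adaptive_leak(enc, e0: bytes, m1: bytes) -> bool:
    """After seeing e_1, choose m_2 = m_1 xor e_0 xor e_1; True if the two
    ciphertexts collide (always the case for SP2, whatever the key)."""
    e1 = enc.encrypt(m1)
    m2 = xor(xor(m1, e0), e1)
    e2 = enc.encrypt(m2)
    return e1 == e2


def sp1_repeats_differ(k: bytes, m: bytes) -> bool:
    """SP1 encrypts the same message differently each time (fresh r_i)."""
    enc = SP1(k)
    return enc.encrypt(m) != enc.encrypt(m)


def run_all(k: bytes, e0: bytes, m: bytes) -> dict:
    """(repetition visible, adaptive collision) for each chained protocol."""
    return {
        "SP2": (repeat_leak(SP2(k, e0), e0, m), adaptive_leak(SP2(k, e0), e0, m)),
        "SP2v2": (repeat_leak(SP2v2(k, e0), e0, m), adaptive_leak(SP2v2(k, e0), e0, m)),
        "SP2v3": (repeat_leak(SP2v3(k, e0), e0, m), adaptive_leak(SP2v3(k, e0), e0, m)),
    }


if __name__ == "__main__":
    key, e0, msg = os.urandom(16), os.urandom(BLOCK), b"ATTACK!!"  # constructed inputs
    print("SP1 repeats differ:", sp1_repeats_differ(key, msg))
    for name, (rep, adp) in run_all(key, e0, msg).items():
        print(f"{name:6} repetition-visible={rep} adaptive-collision={adp}")
```

Both tests are key-independent: the adversary only uses the public chaining value e_{i-1} and the ciphertexts it has already seen, which is exactly the information available in the privacy game for session protocols. For \eqref{eq:SP2v3} the PRP is applied to e_{i-1}, a value the sender cannot steer to a repeat without already predicting P_k, so neither test fires; turning that observation into a reduction to the PRPG assumption is the proof asked for above.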