Score of 7.00 out of 9.00.
Question 1
Consider the following five events:
- Correctly guessing a random 128-bit AES key on the first try.
- Winning a lottery with 1 million contestants (the probability is ).
- Winning a lottery with 1 million contestants 5 times in a row (the probability is ).
- Winning a lottery with 1 million contestants 6 times in a row.
- Winning a lottery with 1 million contestants 7 times in a row.
Your Answer | Score | Explanation | |
---|---|---|---|
3, 2, 5, 4, 1 | |||
2, 4, 3, 1, 5 | |||
2, 3, 4, 5, 1 | |||
2, 3, 4, 1, 5 | Correct | 1.00 |
|
Total | 1.00 / 1.00 |
Question 2
Suppose that using commodity hardware it is possible to build a computer
for about $200 that can brute force about 1 billion AES keys per second.
Suppose an organization wants to run an exhaustive search for a single
128-bit AES key and was willing to spend 4 trillion dollars to buy these
machines (this is more than the annual US federal budget). How long would
it take the organization to brute force this single 128-bit AES key with
these machines? Ignore additional costs such as power and maintenance.
Your Answer | Score | Explanation | |
---|---|---|---|
More than an hour but less than a day | |||
More than a billion () years | Correct | 1.00 | The answer is about 540 billion years.
|
More than a month but less than a year | |||
More than a day but less than a week | |||
More than a million years but less than a billion () years | |||
Total | 1.00 / 1.00 |
Question 3
Let be a secure PRF
(i.e. a PRF where the key space, input space, and output space are all ) and say .
Which of the following is a secure PRF (there is more than one correct answer):
Your Answer | Score | Explanation | |
---|---|---|---|
Correct | 0.17 | Not a PRF. A distinguisher will query at and output not random if the response is . This is unlikely to hold for a truly random function. | |
Correct | 0.17 | Not a PRF. A distinguisher will query at and and output not random if the xor of the response is . This is unlikely to hold for a truly random function. | |
(i.e., drops the last bit of ) | Correct | 0.17 | Correct. A distinguisher for gives a distinguisher for . |
where reverse(y) reverses the string y so that the first bit of y is the last bit of reverse(y), the second bit of y is the second to last bit of reverse(y), and so on. | Correct | 0.17 | Correct. A distinguisher for gives a distinguisher for . |
(here denotes concatenation) | Correct | 0.17 | Correct. A distinguisher for gives a distinguisher for . |
Correct | 0.17 | Not a PRF. A distinguisher will query at and and output not random whenever the two responses are equal. This is unlikely to happen for a truly random function. | |
Total | 1.00 / 1.00 |
Question 4
Recall that the Luby-Rackoff theorem that applying a three round Feistel network to a secure PRF gives a secure block cipher. Let's see what
goes wrong if we only use a two round Feistel.
Let be a secure PRF.
Recall that a 2-round Feistel defines the following PRP
:
Here is the right 32 bits of the 64-bit input and is the left 32 bits.
One of the following lines is the output of this PRP using a random key, while the other three are the output of a truly random permutation . All 64-bit outputs are encoded as 16 hex characters. Can you say which is the output of the PRP? Note that since you are able to distinguish the output of from random, is not a secure block cipher, which is what we wanted to show.
Hint: First argue that there is a detectable pattern in the xor of and . Then try to detect this pattern in the given outputs.
Here is the right 32 bits of the 64-bit input and is the left 32 bits.
One of the following lines is the output of this PRP using a random key, while the other three are the output of a truly random permutation . All 64-bit outputs are encoded as 16 hex characters. Can you say which is the output of the PRP? Note that since you are able to distinguish the output of from random, is not a secure block cipher, which is what we wanted to show.
Hint: First argue that there is a detectable pattern in the xor of and . Then try to detect this pattern in the given outputs.
Your Answer | Score | Explanation | |
---|---|---|---|
On input the output is "9f970f4e 932330e4". On input the output is "6068f0b1 b645c008". | Correct | 1.00 | Observe that the two round Feistel has the property that the left half of is . The two outputs in this answer are the only ones with this property. |
On input the output is "7c2822eb fdc48bfb". On input the output is "325032a9 c5e2364b". | |||
On input the output is "9d1a4f78 cb28d863". On input the output is "75e5e3ea 773ec3e6". | |||
On input the output is "5f67abaf 5210722b". On input the output is "bbe033c0 0bc9330e". | |||
Total | 1.00 / 1.00 |
Question 5
Nonce-based CBC. Recall that and if one wants to use CBC encryption with a
non-random unique nonce then the nonce must first be encrypted with an
independent PRP key and the result then used as the CBC IV.
Let's see what goes wrong if one encrypts the nonce with the
same PRP key as the key used for CBC encryption.
Let be a secure PRP with, say, . Let be a nonce and suppose one encrypts a message by first computing and then using this IV in CBC encryption using . Note that the same key is used for computing the IV and for CBC encryption. We show that the resulting system is not nonce-based CPA secure.
The attacker begins by asking for the encryption of the two block message with nonce . It receives back a two block ciphertext . Observe that by definition of CBC we know that . Next, the attacker asks for the encryption of the one block message with nonce . It receives back a one block ciphertext .
What relation holds between ? Note that this relation lets the adversary win the nonce-based CPA game with advantage 1.
Let be a secure PRP with, say, . Let be a nonce and suppose one encrypts a message by first computing and then using this IV in CBC encryption using . Note that the same key is used for computing the IV and for CBC encryption. We show that the resulting system is not nonce-based CPA secure.
The attacker begins by asking for the encryption of the two block message with nonce . It receives back a two block ciphertext . Observe that by definition of CBC we know that . Next, the attacker asks for the encryption of the one block message with nonce . It receives back a one block ciphertext .
What relation holds between ? Note that this relation lets the adversary win the nonce-based CPA game with advantage 1.
Your Answer | Score | Explanation | |
---|---|---|---|
Inorrect | 0.00 | The correct answer follows from the definition of CBC with an encrypted nonce as defined in the question. It might help to review the definition of CBC. | |
Total | 0.00 / 1.00 |
Question 6
Let be a message consisting of AES blocks
(say ). Alice encrypts using CBC mode and transmits
the resulting ciphertext to Bob. Due to a network error,
ciphertext block number is corrupted during transmission.
All other ciphertext blocks are transmitted and received correctly.
Once Bob decrypts the received ciphertext, how many plaintext blocks
will be corrupted?
Your Answer | Score | Explanation | |
---|---|---|---|
3 | |||
2 | Correct | 1.00 | Take a look at the CBC decryption circuit. Each ciphertext blocks affects only the current plaintext block and the next. |
0 | |||
Total | 1.00 / 1.00 |
Question 7
Let be a message consisting of AES blocks (say ). Alice encrypts using randomized counter mode and
transmits the resulting ciphertext to Bob. Due to a network error,
ciphertext block number is corrupted during transmission.
All other ciphertext blocks are transmitted and received correctly.
Once Bob decrypts the received ciphertext, how many plaintext blocks
will be corrupted?
Your Answer | Score | Explanation | |
---|---|---|---|
3 | |||
1 | Correct | 1.00 | Take a look at the counter mode decryption circuit. Each ciphertext block affects only the current plaintext block. |
0 | |||
Total | 1.00 / 1.00 |
Question 8
Recall that encryption systems do not fully hide the length of
transmitted messages. Leaking the length of web requests has
been used to eavesdrop on encrypted HTTPS traffic to a number of
web sites, such as tax preparation sites, Google searches, and
healthcare sites.
Suppose an attacker intercepts a packet where he knows that the
packet payload is encrypted using AES in CBC mode with a random IV. The
encrypted packet payload is 128 bytes. Which of the following
messages is plausibly the decryption of the payload:
Your Answer | Score | Explanation | |
---|---|---|---|
'If qualified opinions incline to believe in the exponential conjecture, then I think we cannot afford not to make use of it.' | |||
'The significance of this general conjecture, assuming its truth, is easy to see. It means that it may be feasible to design ciphers that are effectively unbreakable.' | |||
'We see immediately that one needs little information to begin to break down the process.' | Inorrect | 0.00 | The length of the string is 87 bytes, which after padding becomes 96 bytes, and after prepending the IV would become 112 bytes. |
'In this letter I make some remarks on a general principle relevant to enciphering in general and my machine.' | |||
Total | 0.00 / 1.00 |
Question 9
Let and consider the following
PRF defined as follows:
That is, the key is in and the function at, for example, is defined as .
For a random key unknown to you, you learn that
and and .
What is the value of ? Note that since you are able to predict the function at a new point, this PRF is insecure.
That is, the key is in and the function at, for example, is defined as .
For a random key unknown to you, you learn that
and and .
What is the value of ? Note that since you are able to predict the function at a new point, this PRF is insecure.
You entered:
Your Answer | Score | Explanation | |
---|---|---|---|
1111 | Correct | 1.00 | |
Total | 1.00 / 1.00 |