Question 1
Let be an authenticated encryption system built by combining
a CPA-secure symmetric cipher and a MAC. The system is combined
with an error-correction code to correct random transmission errors.
In what order should encryption and error correction be applied?
Your Answer | Score | Explanation | |
---|---|---|---|
Encrypt and then apply the error correction code. | Correct | 1.00 | That is correct. The error correction code will do its best to correct random errors after which the MAC in the ciphertext will be checked to ensure no other errors remains. |
The order does not matter -- either one is fine. | |||
The order does not matter -- neither one can correct errors. | |||
Apply the error correction code and then encrypt the result. | |||
Total | 1.00 / 1.00 |
Question 2
Let be a uniform random variable over the set .
Let be an arbitrary random variable over the set (not
necessarily uniform) that is independent of .
Define the random variable . What is the probability
that equals ?
Your Answer | Score | Explanation | |
---|---|---|---|
Correct | 1.00 | The probability is . To see why, observe that whatever is, the probability that is the same as the probability that which is exactly because is uniform. | |
Total | 1.00 / 1.00 |
Question 3
Suppose is a symmetric cipher that uses 128 bit keys to
encrypt 1024 bit messages. Suppose is a symmetric
cipher that uses 128 bit keys to encrypt 128 bit messages.
The encryption algorithms and are deterministic and
do not use nonces. Which of the following statements is true?
Your Answer | Score | Explanation | |
---|---|---|---|
can be semantically secure under a chosen plaintext attack. | Correct | 0.25 | The statement is incorrect: is deterministic and uses no nonces |
can be one-time semantically secure, but cannot be perfectly secure. | Correct | 0.25 | Yes, for example can be a secure stream cipher. |
can be semantically secure under a chosen plaintext attack. | Correct | 0.25 | The statement is incorrect: is deterministic and uses no nonces. |
can be one-time semantically secure. | Correct | 0.25 | Yes, for example can be a secure stream cipher. |
Total | 1.00 / 1.00 |
Question 4
Which of the following statements regarding CBC and counter mode is correct?
Your Answer | Score | Explanation | |
---|---|---|---|
CBC mode encryption requires a block cipher (PRP), but counter mode encryption only needs a PRF. | Correct | 1.00 | Yes, CBC needs to invert the PRP for decryption, while counter mode only needs to evaluate the PRF in the forward direction for both encryption and decryption. Therefore, a PRF is sufficient for counter mode. |
Both counter mode and CBC mode can operate just using a PRF. | |||
Both counter mode and CBC mode require a block cipher (PRP). | |||
counter mode encryption requires a block cipher (PRP), but CBC mode encryption only needs a PRF. | |||
Total | 1.00 / 1.00 |
Question 5
Let be a secure PRG where .
We let denote
the left half of the output and denote the right half.
Which of the following statements is true?
Your Answer | Score | Explanation | |
---|---|---|---|
is a secure PRF with key space and message space . | Correct | 1.00 | Yes, since the output of is indistinguishable from random, the left and right halves are indistinguishable from random independent values. |
is a secure PRF with key space and message space . | |||
is a secure PRF with key space and message space . | |||
is a secure PRF with key space and message space . | |||
Total | 1.00 / 1.00 |
Question 6
Let be a nonce-based symmetric encryption system (i.e. algorithm
takes as input a key, a message, and a nonce, and similarly the
decryption algorithm takes a nonce as one of its inputs). The system
provides chosen plaintext security (CPA-security) as long as the nonce
never repeats. Suppose a single encryption key is used to encrypt
messages and the nonces are generated independently at random for each
encryption, how long should the nonce be to ensure that it never repeats
with high probability?
Your Answer | Score | Explanation | |
---|---|---|---|
16 bits | |||
64 bits | |||
48 bits | |||
128 bits | Correct | 1.00 | Yes, the probability of repetition after samples is negligible. |
Total | 1.00 / 1.00 |
Question 7
Same as question 6 except that
now the nonce is generated using a counter. The counter resets to 0
when a new key is chosen and is incremented by 1 after every encryption.
What is the shortest nonce possible to ensure that the nonce does not
repeat when encrypting messages using a single key?
Your Answer | Score | Explanation | |
---|---|---|---|
the nonce must be chosen at random, otherwise the system cannot be CPA secure. | |||
16 bits | |||
32 bits | Correct | 1.00 | Yes, with 32 bits there are nonces and each message will use a different nonce. |
64 bits | |||
Total | 1.00 / 1.00 |
Question 8
Let be a deterministic MAC system with message space and key
space . Which of the following properties is implied by the
standard MAC security definition?
Your Answer | Score | Explanation | |
---|---|---|---|
Given a key in it is difficult to find distinct messages and such that . | |||
preserves semantic security of . That is, the adversary learns nothing about given . | Inorrect | 0.00 | no, is a secure MAC, but does nothing to hide . |
The function is a secure PRF. | |||
Given and it is difficult to compute . | |||
Total | 0.00 / 1.00 |
Question 9
Let be a collision resistant hash function where is smaller than .
Which of the following properties is implied by collision resistance?
Your Answer | Score | Explanation | |
---|---|---|---|
preserves semantic security of (that is, given the attacker learns nothing about ). | Inorrect | 0.00 | no, for example is collision resistance, but does not hide . |
it is difficult to find and such that . (here we treat the outputs of as integers) | |||
For all in , must be shorter than . | |||
Given a tag it is difficult to construct such that . | |||
Total | 0.00 / 1.00 |
Question 10
Recall that when encrypting data you should typically use
a symmetric encryption system that provides authenticated encryption.
Let be a symmetric encryption system providing authenticated
encryption. Which of the following statements is implied by
authenticated encryption?
Your Answer | Score | Explanation | |
---|---|---|---|
Given for some secret , the attacker cannot find such that . | Correct | 0.25 | The statement is incorrect: there are no guarantees about the hardness of finding keys with special properties. For example, it is possible to build a GCM-like system where finding and is easy, despite the system providing authenticated encryption. |
Given and the attacker cannot create a valid encryption of . (here we treat plaintexts as integers) | Correct | 0.25 | yes, otherwise the system would not have ciphertext integrity. |
Given and it is difficult to find . | Correct | 0.25 | yes, otherwise the system would not even be chosen plaintext secure. |
The attacker cannot create a ciphertext such that . | Correct | 0.25 | The statement is incorrect: a random string in the ciphertext space will most likely result in so an attacker can just choose a random ciphertext. |
Total | 1.00 / 1.00 |
Question 11
Which of the following statements is true about the basic Diffie-Hellman
key-exchange protocol.
Your Answer | Score | Explanation | |
---|---|---|---|
The protocol is based on the concept of a trapdoor function. | Correct | 0.25 | The statement is incorrect: Diffie-Hellman does not use trapdoor functions. It is based on the exponentiation function and the fact that . The exponentiation function in does not have a trapdoor (as far as we know). |
The protocol can be converted to a public-key encryption system called the ElGamal public-key system. | Correct | 0.25 | yes, that is correct. |
The basic protocol enables key exchange secure against eavesdropping, but is insecure against active adversaries that can inject and modify messages. | Correct | 0.25 | yes, Diffie-Hellman is secure against eavesdropping, but is insecure against man in the middle attacks. |
The basic protocol provides key exchange secure against active adversaries that can inject and modify messages. | Correct | 0.25 | The statement is incorrect: basic Diffie-Hellman is secure against eavesdropping, but is insecure against man in the middle attacks. |
Total | 1.00 / 1.00 |
Question 12
Suppose parties, call them , wish to setup
a shared group key. They want a protocol so that at the end
of the protocol they all have a common secret key , but an eavesdropper
who sees the entire conversation cannot determine . The parties
agree on the following protocol that runs in a group of prime order
with generator :
- for party chooses a random in and sends to Party the quantity .
- Party generates a random in and for responds to Party with the messages .
Your Answer | Score | Explanation | |
---|---|---|---|
Party computes as | Correct | 1.00 | Yes, . |
Party computes as | |||
Party computes as | |||
Party computes as | |||
Total | 1.00 / 1.00 |
Question 13
Recall that the RSA trapdoor permutation is defined in the group
where is a product of two large
primes. The public key is and the private key is
where is the inverse of in .
Suppose RSA was defined modulo a prime instead of an RSA composite . Show that in that case anyone can compute the private key from the public key by computing:
Suppose RSA was defined modulo a prime instead of an RSA composite . Show that in that case anyone can compute the private key from the public key by computing:
Your Answer | Score | Explanation | |
---|---|---|---|
. | |||
. | |||
. | Correct | 1.00 | yes, that is correct. |
. | |||
Total |