Wednesday, September 11, 2013

Cryptography I - Final Exam

Score of 11.00 out of 13.00.

Question 1

Let (E,D) be an authenticated encryption system built by combining a CPA-secure symmetric cipher and a MAC. The system is combined with an error-correction code to correct random transmission errors. In what order should encryption and error correction be applied?
Your Answer
Score Explanation
Encrypt and then apply the error correction code. Correct 1.00 That is correct. The error correction code will do its best to correct random errors after which the MAC in the ciphertext will be checked to ensure no other errors remains.
The order does not matter -- either one is fine.


The order does not matter -- neither one can correct errors.


Apply the error correction code and then encrypt the result.


Total
1.00 / 1.00

Question 2

Let X be a uniform random variable over the set {0,1}n. Let Y be an arbitrary random variable over the set {0,1}n (not necessarily uniform) that is independent of X. Define the random variable Z=XY. What is the probability that Z equals 0n?
Your Answer
Score Explanation
2/2n


0.5


1/n2


1/2n Correct 1.00 The probability is 1/2n. To see why, observe that whatever Y is, the probability that Z=XY=0n is the same as the probability that X=Y which is exactly 1/2n because X is uniform.
Total
1.00 / 1.00

Question 3

Suppose (E1,D1) is a symmetric cipher that uses 128 bit keys to encrypt 1024 bit messages. Suppose (E2,D2) is a symmetric cipher that uses 128 bit keys to encrypt 128 bit messages. The encryption algorithms E1 and E2 are deterministic and do not use nonces. Which of the following statements is true?
Your Answer
Score Explanation
(E1,D1) can be semantically secure under a chosen plaintext attack. Correct 0.25 The statement is incorrect: (E1,D1) is deterministic and uses no nonces
(E1,D1) can be one-time semantically secure, but cannot be perfectly secure. Correct 0.25 Yes, for example (E1,D1) can be a secure stream cipher.
(E2,D2) can be semantically secure under a chosen plaintext attack. Correct 0.25 The statement is incorrect: (E2,D2) is deterministic and uses no nonces.
(E1,D1) can be one-time semantically secure. Correct 0.25 Yes, for example (E1,D1) can be a secure stream cipher.
Total
1.00 / 1.00

Question 4

Which of the following statements regarding CBC and counter mode is correct?
Your Answer
Score Explanation
CBC mode encryption requires a block cipher (PRP), but counter mode encryption only needs a PRF. Correct 1.00 Yes, CBC needs to invert the PRP for decryption, while counter mode only needs to evaluate the PRF in the forward direction for both encryption and decryption. Therefore, a PRF is sufficient for counter mode.
Both counter mode and CBC mode can operate just using a PRF.


Both counter mode and CBC mode require a block cipher (PRP).


counter mode encryption requires a block cipher (PRP), but CBC mode encryption only needs a PRF.


Total
1.00 / 1.00

Question 5

Let G:XX2 be a secure PRG where X={0,1}256. We let G(k)[0] denote the left half of the output and G(k)[1] denote the right half. Which of the following statements is true?
Your Answer
Score Explanation
F(k,m)=G(k)[m] is a secure PRF with key space X and message space m{0,1}. Correct 1.00 Yes, since the output of G(k) is indistinguishable from random, the left and right halves are indistinguishable from random independent values.
F(k,m)=G(k)[0]m is a secure PRF with key space and message space X.


F(k,m)=G(m)[0]k is a secure PRF with key space and message space X.


F(k,m)=mk is a secure PRF with key space and message space X.


Total
1.00 / 1.00

Question 6

Let (E,D) be a nonce-based symmetric encryption system (i.e. algorithm E takes as input a key, a message, and a nonce, and similarly the decryption algorithm takes a nonce as one of its inputs). The system provides chosen plaintext security (CPA-security) as long as the nonce never repeats. Suppose a single encryption key is used to encrypt 232 messages and the nonces are generated independently at random for each encryption, how long should the nonce be to ensure that it never repeats with high probability?
Your Answer
Score Explanation
16 bits


64 bits


48 bits


128 bits Correct 1.00 Yes, the probability of repetition after 232 samples is negligible.
Total
1.00 / 1.00

Question 7

Same as question 6 except that now the nonce is generated using a counter. The counter resets to 0 when a new key is chosen and is incremented by 1 after every encryption. What is the shortest nonce possible to ensure that the nonce does not repeat when encrypting 232 messages using a single key?
Your Answer
Score Explanation
the nonce must be chosen at random, otherwise the system cannot be CPA secure.


16 bits


32 bits Correct 1.00 Yes, with 32 bits there are 232 nonces and each message will use a different nonce.
64 bits


Total
1.00 / 1.00

Question 8

Let (S,V) be a deterministic MAC system with message space M and key space K. Which of the following properties is implied by the standard MAC security definition?
Your Answer
Score Explanation
Given a key k in K it is difficult to find distinct messages m0 and m1 such that S(k,m0)=S(k,m1).


S(k,m) preserves semantic security of m. That is, the adversary learns nothing about m given S(k,m). Inorrect 0.00 no, S(k,m)=(m, HMAC(k,m)) is a secure MAC, but does nothing to hide m.
The function S(k,m) is a secure PRF.


Given m and S(k,m) it is difficult to compute k.


Total
0.00 / 1.00

Question 9

Let H:MT be a collision resistant hash function where |T| is smaller than |M|. Which of the following properties is implied by collision resistance?
Your Answer
Score Explanation
H(m) preserves semantic security of m (that is, given H(m) the attacker learns nothing about m). Inorrect 0.00 no, for example H(m)=m is collision resistance, but does not hide m.
it is difficult to find m0 and m1 such that H(m0)=H(m1)+1. (here we treat the outputs of H as integers)


For all m in M, H(m) must be shorter than m.


Given a tag tT it is difficult to construct mM such that H(m)=t.


Total
0.00 / 1.00

Question 10

Recall that when encrypting data you should typically use a symmetric encryption system that provides authenticated encryption. Let (E,D) be a symmetric encryption system providing authenticated encryption. Which of the following statements is implied by authenticated encryption?
Your Answer
Score Explanation
Given c=E(k,m) for some secret k,m, the attacker cannot find k,m such that c=E(k,m). Correct 0.25 The statement is incorrect: there are no guarantees about the hardness of finding keys k with special properties. For example, it is possible to build a GCM-like system where finding k and m is easy, despite the system providing authenticated encryption.
Given m and E(k,m) the attacker cannot create a valid encryption of m+1. (here we treat plaintexts as integers) Correct 0.25 yes, otherwise the system would not have ciphertext integrity.
Given m and E(k,m) it is difficult to find k. Correct 0.25 yes, otherwise the system would not even be chosen plaintext secure.
The attacker cannot create a ciphertext c such that D(k,c)=. Correct 0.25 The statement is incorrect: a random string in the ciphertext space will most likely result in so an attacker can just choose a random ciphertext.
Total
1.00 / 1.00

Question 11

Which of the following statements is true about the basic Diffie-Hellman key-exchange protocol.
Your Answer
Score Explanation
The protocol is based on the concept of a trapdoor function. Correct 0.25 The statement is incorrect: Diffie-Hellman does not use trapdoor functions. It is based on the exponentiation function f(x)=gx and the fact that (ga)b=(gb)a. The exponentiation function in Zp does not have a trapdoor (as far as we know).
The protocol can be converted to a public-key encryption system called the ElGamal public-key system. Correct 0.25 yes, that is correct.
The basic protocol enables key exchange secure against eavesdropping, but is insecure against active adversaries that can inject and modify messages. Correct 0.25 yes, Diffie-Hellman is secure against eavesdropping, but is insecure against man in the middle attacks.
The basic protocol provides key exchange secure against active adversaries that can inject and modify messages. Correct 0.25 The statement is incorrect: basic Diffie-Hellman is secure against eavesdropping, but is insecure against man in the middle attacks.
Total
1.00 / 1.00

Question 12

Suppose n+1 parties, call them B,A1,,An, wish to setup a shared group key. They want a protocol so that at the end of the protocol they all have a common secret key k, but an eavesdropper who sees the entire conversation cannot determine k. The parties agree on the following protocol that runs in a group G of prime order q with generator g:
  • for i=1,,n party Ai chooses a random ai in {1,,q} and sends to Party B the quantity Xigai.
  • Party B generates a random b in {1,,q} and for i=1,,n responds to Party Ai with the messages YiXib.
The final group key should be gb. Clearly Party B can compute this group key. How would each Party Ai compute this group key?
Your Answer
Score Explanation
Party Ai computes gb as Yi1/ai Correct 1.00 Yes, Yi1/ai=g(bai)/ai=gb.
Party Ai computes gb as Yiai


Party Ai computes gb as Yi1/ai


Party Ai computes gb as Yiai


Total
1.00 / 1.00

Question 13

Recall that the RSA trapdoor permutation is defined in the group ZN where N is a product of two large primes. The public key is (N,e) and the private key is (N,d) where d is the inverse of e in Zφ(N).

Suppose RSA was defined modulo a prime p instead of an RSA composite N. Show that in that case anyone can compute the private key (N,d) from the public key (N,e) by computing:
Your Answer
Score Explanation
de2 (modp).


de1 (modp2).


de1 (modp1). Correct 1.00 yes, that is correct.
de (modp).


Total