CIS 5371 – Cryptography – Spring 2015 – First Midterm

Instructions.
This is a closed-book examination. Maximum score 100 pts.
You have 70 minutes.
Question 1 (10) . . . . . . . . . . . .
Question 2 (10) . . . . . . . . . . . .
Question 3 (10) . . . . . . . . . . . .
Question 4 (10) . . . . . . . . . . . .
Question 5 (10) . . . . . . . . . . . .
Question 6 (10) . . . . . . . . . . . .
Question 7 (10) . . . . . . . . . . . .
Question 8 (10) . . . . . . . . . . . .
Question 9 (10) . . . . . . . . . . . .
Question 10 (10) . . . . . . . . . . . .
================
Total (100) . . . . . . . . . . . .
1. This question concerns the Vigenere cipher, Kerckhoffs' principle and perfectly secret encryption.
3+2+2+3=10 pts
(a) The key of a Vigenere (poly-alphabetic) cipher is cafe. Encrypt the message: killhim.
[English alphabet: a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y, z]
plaintext:   K I L L H I M
key:
ciphertext:
(b) State Kerckhoffs’ principle.
Answer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
......... ......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... ......... .........
(c) Bob says: “An encryption scheme is secure if no adversary can find the secret key given the
ciphertext”. Alice disagrees. Is she right and if so, why?
Answer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
......... ......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... ......... .........
(d) Prove or refute. For every encryption scheme that is perfectly secret it holds that for every
distribution over the message space M, every $m, m' \in M$, and every $c \in C$:
$\Pr[M = m \mid C = c] = \Pr[M = m' \mid C = c]$.
Answer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... .........
2. This question concerns symmetric key encryption and perfect secrecy.
4+3+3=10 pts
(a) In the experiment $\mathrm{PrivK}^{\mathrm{eav}}(A, \Pi)$ for the symmetric encryption scheme Π, the adversary A selects
two messages $m_0, m_1$ and is then given an encryption $c_b$ of one of these, randomly selected. A
must then identify the subscript b of the corresponding plaintext. For indistinguishability we
require that his rate of success is $\frac{1}{2}$ + negligible.
Suppose that Π is a deterministic symmetric encryption scheme. Show that there is an adversary A that will succeed in distinguishing the encryption of $m_b$ with certainty after one try
(describe his strategy, and the messages he chooses).
Answer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
......... ......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... ......... .........
(b) Semantic Security. Complete the following:
A fixed-length private-key encryption scheme (Enc, Dec) for messages of length $\ell$ has indistinguishable encryptions in the presence of an eavesdropper,
if for every PPT algorithm $A$ there exists . . . . . . . . . . . . . . . . . . . . . . . . such that for any
$S \subset \{0,1\}^\ell$ and any function $f : \{0,1\}^\ell \to \{0,1\}$ there is a negligible function negl such that:
$|\Pr[A(1^n, \mathrm{Enc}_k(m)) = f(m)] - \Pr[$ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $| \le 0.5 + \mathrm{negl}$,
where the first probability is over the choices of $k \in \{0,1\}^n$ and $m \in S$, the randomness of $A$
and Enc, and the second randomness is over uniform $m \in S$ and the randomness of $A'$.
(c) Prove or refute. Every encryption scheme for which the size of the key space equals the size of
the message space, and for which the key is chosen uniformly from the key space, is perfectly
secret.
Answer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
......... ......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... ......... .........
......... ......... ......... ......... ......... ......... ......... ......... .........
3. This question concerns private-key encryption.
2+5+3=10 pts
(a) Define perfect secrecy.
Answer.
............ ..........
......... ............ ......... ......... ......... .........
...... ......... ......... ......... ......... ......... ......... ......... .........
(b) Describe the four steps of the eavesdropping indistinguishability experiment $\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}$, for an
encryption scheme Π = (Gen, Enc, Dec) with adversary A.
1 The adversary A is given input $1^n$ and outputs . . . . . . . . . . . . . . . . . . . . . . . . . . .
2 A key k is generated running . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A ciphertext . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
.................................................................................
3 ..............................................................................
4 ..............................................................................
.................................................................................
.................................................................................
(c) Define “Semantic Security” for an eavesdropping adversary.
A private-key encryption scheme Π = (Gen, Enc, Dec) has indistinguishable encryptions in the
presence of an eavesdropper, if for all . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
..........................................................................................
..........................................................................................
..........................................................................................
4. This question concerns pseudorandom functions.
5+5=10 pts
(a) Let F be a pseudorandom function. Consider the private-key encryption scheme for which:
$\mathrm{Enc}_k(m) = \langle r, F_k(r) \oplus m \rangle$.
i. What are k, r, m:
....................................................................................
....................................................................................
ii. What is the decryption algorithm.
....................................................................................
iii. What is a CPA?
....................................................................................
iv. Is this encryption scheme secure against CPA? Answer. YES / NO.
v. What is a pseudorandom permutation?
....................................................................................
(b) Draw the flow diagram for the Output Feedback mode for encrypting arbitrary length messages
using a pseudorandom permutation $F_k$.
5. This question concerns pseudorandom functions.
8+2=10 pts
Let $F_k$ be a pseudorandom function. Show that the following MAC for messages of length 2n is
insecure. The shared key is a random key $k \in \{0,1\}^n$.
$\mathrm{Mac}_k(m_1 \| m_2) = \langle F_k(m_1), F_k(m_1 \oplus \overline{m_2}) \rangle$,
where $m_1, m_2$ are binary strings of length n and $\overline{m_2}$ is $m_2$ with all its bits inverted; so $\overline{010} = 101$.
What is the minimum number of queries that the adversary has to make to the MAC-oracle to forge
a MAC?
(a) Proof that this MAC is insecure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
....................................................................................
....................................................................................
....................................................................................
....................................................................................
....................................................................................
(b) Minimum number of queries to the MAC oracle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
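A worked illustration of the construction in Question 5, added here and not part of the original exam: it shows that both tag halves come from the same keyed function with no domain separation, so a tag obtained from a single oracle query is valid, with its halves swapped, for a different message. HMAC-SHA256 truncated to 16 bytes stands in for $F_k$, and the names `MacOracle`, `forge`, `prf`, `xor` and `invert` are assumptions of this sketch.

```python
import hashlib
import hmac
import os

N = 16  # block length n in bytes (assumed for this sketch)

def prf(key: bytes, x: bytes) -> bytes:
    # Stand-in for F_k (assumption): HMAC-SHA256 truncated to n bytes.
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def invert(x: bytes) -> bytes:
    return bytes(b ^ 0xFF for b in x)

def mac(key: bytes, m1: bytes, m2: bytes):
    # Mac_k(m1 || m2) = <F_k(m1), F_k(m1 xor not(m2))>, as in Question 5.
    return prf(key, m1), prf(key, xor(m1, invert(m2)))

class MacOracle:
    """Holds the secret key, records queries, and judges forgeries."""
    def __init__(self):
        self._key = os.urandom(N)
        self.queried = []

    def tag(self, m1: bytes, m2: bytes):
        self.queried.append((m1, m2))
        return mac(self._key, m1, m2)

    def accepts_forgery(self, m1: bytes, m2: bytes, tag) -> bool:
        t1, t2 = mac(self._key, m1, m2)
        valid = hmac.compare_digest(t1, tag[0]) and hmac.compare_digest(t2, tag[1])
        return valid and (m1, m2) not in self.queried

def forge(oracle: MacOracle, m1: bytes, m2: bytes):
    # One query: t1 = F_k(m1), t2 = F_k(a) with a = m1 xor not(m2).
    t1, t2 = oracle.tag(m1, m2)
    a = xor(m1, invert(m2))
    # For the message a || m2 the two PRF inputs are a and a xor not(m2) = m1,
    # so its tag is the queried tag with the halves swapped.
    # The message is new whenever m2 is not all ones (then a != m1).
    return a, m2, (t2, t1)
```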
6. This question concerns attacks on private key encryption schemes.
1+3+4+2=10 pts
(a) What does CCA stand for? Answer. ..........................................
(b) Show that the encryption scheme in Question 4a with $\mathrm{Enc}_k(m) = \langle r, F_k(r) \oplus m \rangle$, where r is a
random string, $F_k$ is a random function, m is the plaintext, and $|r| = |F_k(m)| = |m|$, is not
CCA-secure.
Answer.
..............................................................................
..........................................................................................
..........................................................................................
(c) In order to show that a variant of the CBC-mode of encryption for which the sender increments
IV by 1 each time a message is encrypted (the random IV is replaced by a counter) is not
CPA-secure we consider the following special case.
Let $\mathrm{Enc}_k(m_i) = \langle r_i, F_k(r_i \oplus m_i) \rangle$, where
• $r_i$ is the i-th counter value, $F_k$ a random function, $m_i$ the i-th plaintext, and $|r_i| = |F_k(m_i)| = |m_i|$,
• $r_0$ is a random string, and $r_i = r_{i-1} + 1$, $i = 1, 2, \ldots$.
Show that this encryption scheme is not CPA-secure.
Answer.
................................................................... .........
..........................................................................................
..........................................................................................
..........................................................................................
(d) Show that the encryption scheme discussed in Question 6c is not CCA-secure.
Answer.
................................................................... .........
..........................................................................................
..........................................................................................
..........................................................................................
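A worked illustration of the counter-IV special case in Question 6(c), added here and not part of the original exam: because the next $r_i$ is predictable, a chosen-plaintext adversary can pick a challenge message that cancels it and reproduces a PRF input it has already seen. HMAC-SHA256 truncated to 16 bytes stands in for $F_k$; `CounterIVOracle`, `adversary` and `success_rate` are names assumed for this sketch.

```python
import hashlib
import hmac
import os
import secrets

N = 16                   # block length in bytes (assumed for this sketch)
MOD = 1 << (8 * N)

def prf(key, x):
    # Stand-in for F_k (assumption): HMAC-SHA256 truncated to N bytes.
    return hmac.new(key, x, hashlib.sha256).digest()[:N]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

class CounterIVOracle:
    """Enc_k(m_i) = <r_i, F_k(r_i xor m_i)>, r_0 random, r_i = r_{i-1} + 1."""
    def __init__(self):
        self._key = os.urandom(N)
        self._r = int.from_bytes(os.urandom(N), "big")   # r_0
        self._b = None

    def encrypt(self, m):
        self._r = (self._r + 1) % MOD
        r = self._r.to_bytes(N, "big")
        return r, prf(self._key, xor(r, m))

    def challenge(self, m0, m1):
        self._b = secrets.randbelow(2)       # hidden bit b
        return self.encrypt((m0, m1)[self._b])

    def is_correct(self, guess):
        return guess == self._b

def adversary(oracle):
    m = bytes(N)
    r, y = oracle.encrypt(m)                 # y = F_k(r xor m)
    r_next = ((int.from_bytes(r, "big") + 1) % MOD).to_bytes(N, "big")
    m0 = xor(r_next, xor(r, m))              # r_next xor m0 == r xor m
    m1 = xor(m0, b"\x01" * N)                # any message other than m0
    _, c = oracle.challenge(m0, m1)
    return 0 if c == y else 1                # same PRF input gives same output

def success_rate(trials=200):
    wins = 0
    for _ in range(trials):
        oracle = CounterIVOracle()
        wins += oracle.is_correct(adversary(oracle))
    return wins / trials
```

With a fresh uniformly random r for every encryption the adversary cannot choose $m_0$ to cancel the next IV, which is why CBC-style modes need an unpredictable IV.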
7. This question concerns Message Authentication Codes.
3+3+3+1=10 pts
(a) “Encryption does not provide message authentication! ” Give an example of an encryption (with
a stream cipher or a block cipher) that shows the correctness of this statement.
.............................................................................................
.............................................................................................
.............................................................................................
(b) Define a message authentication code (MAC).
(Complete.) A message authentication code (MAC) is a tuple . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• ..........................................................................................
• ..........................................................................................
• ..........................................................................................
...........................................................................................
(c) Describe the authentication experiment $\mathrm{Mac\text{-}forge}_{A,\Pi}(n)$.
• ..........................................................................................
• ..........................................................................................
..........................................................................................
• ..........................................................................................
(d) Define security for message authentication codes.
(Complete.) A message authentication code Π = (· · · · · · · · · · · · · · · · · ·) is existentially unforgeable under adaptive chosen message attack, if:
.............................................................................................
.............................................................................................
8. This question concerns variable length Message Authentication Codes.
5+5=10 pts
(a) Describe the CBC-MAC construction that uses a pseudorandom function $F_{(\cdot)}(\cdot)$ (as in $F_k(\cdot)$) to
get a variable length MAC.
Answer.
Let F be a pseudorandom function. The CBC-MAC construction is as follows:
• ....................................................................................
• ....................................................................................
....................................................................................
• ....................................................................................
Note: This is a variable length MAC: so you must either prepend or append the length |m| of
the message. Make clear which one is used.
(b) Draw the flow diagram for a variable length CBC-MAC with pseudorandom function $F_k$ and
message $m = m_1 \| m_2 \| m_3$.
9. This question concerns collision resistant hash functions.
3+1+4+2=10 pts
(a) Define a hash function.
(Complete.) A hash function is a pair of polynomial-time algorithms (Gen, H) such that:
• ..........................................................................................
• ..........................................................................................
..........................................................................................
(b) Define a collision for a hash function H.
..........................................................................................
(c) Describe the collision finding experiment $\mathrm{Hash\text{-}col}_{A,\Pi}(n)$.
• .......................................................................................
• .......................................................................................
• .......................................................................................
.......................................................................................
(d) Define collision resistance for a hash function.
(Complete.) A hash function (Gen, H) is collision resistant, if for all :
................................................................................................
................................................................................................
10. This question concerns birthday attacks.
3+2+5=10 pts
(a) Define the Birthday Problem.
(Complete.) Let $H : \{0,1\}^* \to \{0,1\}^\ell$ be a hash function. Choose q arbitrary distinct inputs
$x_1, x_2, \ldots, x_q \in \{0,1\}^{2\ell}$
and compute the values $y_i = H(x_i)$. Assume that:
• the values $y_i$ are . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . in $\{0,1\}^\ell$,
• and . . . . . . . . . . . . . . . . . . . . . .
Then, when: . . . . . . . . . . . . . . . . . . . . . , the probability of a collision among the $y_i$ is > 1/2.
The memory required to find a collision is: . . . . . . . . . . . . . . . . . . .
(b) For the improved birthday attack on $H : \{0,1\}^* \to \{0,1\}^\ell$ what is the:
• Time complexity: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
• Space complexity: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
needed to get a collision with probability > 1/2.
(c) Draw the flow diagram for the Merkle-Damgaard transform that uses a fixed-length collision-resistant hash function (Gen, h) with inputs of length $2\ell(n) = 2\ell$ and outputs of length $\ell(n) = \ell$
to generate a variable-length hash function (Gen, H).
Mike Burmester