2006 Cryptography mid-term exam
This exam is closed book. There are five problems on this exam.
1.
Please explain following terms briefly and precisely. (20%)
(1) Kerckhoffs’ principle
(2) Product cryptosystem
(3) Idempotent cryptosystem
(4) Chosen ciphertext attack
Ans:
(1) The general assumption that is usually made is that the opponent, Oscar,
knows the cryptosystem being used.
(2) The product cryptosystem of S1 and S2, denoted by S1xS2, is defined to be
the cryptosystem (P, P, K1xK2, , D)
(3) A cryptosystem S is defined to be an idempotent cryptosystem if S2=S.
(4) The opponent has obtained temporary access to the decryption machinery.
Hence he can choose a ciphertext string, y, and construct the corresponding
plaintext string, x.
2.
Let plaintext P = {a, b} with Pr[a]=1/4, Pr[b]=3/4. Let K={K1, K2, K3} with
Pr[K1]=1/2, Pr[K2]=Pr[K3]=1/4. Let ciphertext ε = {1, 2, 3, 4}, and suppose the
encryption functions are defined to be eK1 (a)  1, eK1 (b)  2, eK 2 (a)  2, eK 2 (b)  3 ;
and eK3 (a )  3, eK3 (b)  4. This cryptosystem can be represented by the
following encryption matrix:
a
b
K1
1
2
K2
2
3
K3
3
4
Which the ciphertexts (y = 1 or 2 or 3 or 4) are satisfied the perfect secrecy
property? Why? (20%)
Ans:
The perfect secrecy property is satisfied for the ciphertext y=3.
Pr[1]=1/8, Pr[2]=3/8+1/16=7/16, Pr[3]=3/16+1/16=1/4, Pr[4]=3/16
Pr[a|1]=1, Pr[b|1]=0, Pr[a|2]=1/7, Pr[b|2]=6/7, Pr[a|3]=1/4, Pr[b|3]=3/4, Pr[a|4]=0,
Pr[b|4]=1.
A cryptosystem has perfect secrecy if Pr[x|y]=Pr[x] for all x plaintext,
yciphertext
3.
Suppose that l =m =Nr =4. Let Πs be defined as follows, where the input (i.e., z)
and the output (i.e., Πs(z)) are written in hexadecimal notation, (0 ↔(0,0,0,0),
1↔(0,0,0,1),…, F↔(1,1,1,1)):
(1) Compute the empty fields in the table of values NL for this S-box. (10%)
(2) Find a linear approximation using three active S-box, and use the piling-up
lemma to estimate the maximum bias of the random variable X 16  U 14  U 94 .
(10%)
Ans:
(1) (1,8)=4, (8,A)=4
(2) 1/16
4.
Prove the following theorem. (20%)
Suppose h : X  Y is a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|.
Suppose ORACLEPREIMAGE is a (1, q) algorithm for Preimage, for the fixed
hash function h. Then COLLISIONTOPREIMAGE is a (1/2, q+1) algorithm for
Collision, for the fixed hash function h.(20%)
Ans:
5.
Prove the following theorem. (20%)
Suppose (X, Z, M, G。H) is a nested MAC. Suppose there does not exist an (ε1,
q+1)-collision attack for a randomly chosen function gKG, when the key K is
secret. Further, suppose that there does not exist an (ε2, q)-forger for a randomly
chosen function hLH, where L is secret. Finally, suppose there exists an (ε,
q)-forger for the nested MAC, for a randomly chosen function (g。h)(K, L)  G。
H. Then ε ≤ ε1+ε2.
Ans: