2006 Cryptography mid-term exam This exam is closed book. There are five problems on this exam. 1. Please explain following terms briefly and precisely. (20%) (1) Kerckhoffs’ principle (2) Product cryptosystem (3) Idempotent cryptosystem (4) Chosen ciphertext attack Ans: (1) The general assumption that is usually made is that the opponent, Oscar, knows the cryptosystem being used. (2) The product cryptosystem of S1 and S2, denoted by S1xS2, is defined to be the cryptosystem (P, P, K1xK2, , D) (3) A cryptosystem S is defined to be an idempotent cryptosystem if S2=S. (4) The opponent has obtained temporary access to the decryption machinery. Hence he can choose a ciphertext string, y, and construct the corresponding plaintext string, x. 2. Let plaintext P = {a, b} with Pr[a]=1/4, Pr[b]=3/4. Let K={K1, K2, K3} with Pr[K1]=1/2, Pr[K2]=Pr[K3]=1/4. Let ciphertext ε = {1, 2, 3, 4}, and suppose the encryption functions are defined to be eK1 (a) 1, eK1 (b) 2, eK 2 (a) 2, eK 2 (b) 3 ; and eK3 (a ) 3, eK3 (b) 4. This cryptosystem can be represented by the following encryption matrix: a b K1 1 2 K2 2 3 K3 3 4 Which the ciphertexts (y = 1 or 2 or 3 or 4) are satisfied the perfect secrecy property? Why? (20%) Ans: The perfect secrecy property is satisfied for the ciphertext y=3. Pr[1]=1/8, Pr[2]=3/8+1/16=7/16, Pr[3]=3/16+1/16=1/4, Pr[4]=3/16 Pr[a|1]=1, Pr[b|1]=0, Pr[a|2]=1/7, Pr[b|2]=6/7, Pr[a|3]=1/4, Pr[b|3]=3/4, Pr[a|4]=0, Pr[b|4]=1. A cryptosystem has perfect secrecy if Pr[x|y]=Pr[x] for all x plaintext, yciphertext 3. Suppose that l =m =Nr =4. Let Πs be defined as follows, where the input (i.e., z) and the output (i.e., Πs(z)) are written in hexadecimal notation, (0 ↔(0,0,0,0), 1↔(0,0,0,1),…, F↔(1,1,1,1)): (1) Compute the empty fields in the table of values NL for this S-box. (10%) (2) Find a linear approximation using three active S-box, and use the piling-up lemma to estimate the maximum bias of the random variable X 16 U 14 U 94 . (10%) Ans: (1) (1,8)=4, (8,A)=4 (2) 1/16 4. Prove the following theorem. (20%) Suppose h : X Y is a hash function where |X| and |Y| are finite and |X| ≥ 2|Y|. Suppose ORACLEPREIMAGE is a (1, q) algorithm for Preimage, for the fixed hash function h. Then COLLISIONTOPREIMAGE is a (1/2, q+1) algorithm for Collision, for the fixed hash function h.(20%) Ans: 5. Prove the following theorem. (20%) Suppose (X, Z, M, G。H) is a nested MAC. Suppose there does not exist an (ε1, q+1)-collision attack for a randomly chosen function gKG, when the key K is secret. Further, suppose that there does not exist an (ε2, q)-forger for a randomly chosen function hLH, where L is secret. Finally, suppose there exists an (ε, q)-forger for the nested MAC, for a randomly chosen function (g。h)(K, L) G。 H. Then ε ≤ ε1+ε2. Ans: