Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Similar documents
Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

ECS 189A Final Cryptography Spring 2011

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Solution of Exercise Sheet 7

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Exam Security January 19, :30 11:30

Introduction to Cybersecurity Cryptography (Part 4)

1 Number Theory Basics

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 28: Public-key Cryptography. Public-key Cryptography

Question: Total Points: Score:

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Introduction to Cryptography. Susan Hohenberger

ASYMMETRIC ENCRYPTION

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

Great Theoretical Ideas in Computer Science

5199/IOC5063 Theory of Cryptology, 2014 Fall

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

Introduction to Cryptography. Lecture 8

Introduction to Elliptic Curve Cryptography

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Block Ciphers/Pseudorandom Permutations

Cryptography CS 555. Topic 22: Number Theory/Public Key-Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Digital Signatures. Adam O Neill based on

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Lecture Note 3 Date:

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

MATH 158 FINAL EXAM 20 DECEMBER 2016

Lecture 17: Constructions of Public-Key Encryption

Lecture 7: Boneh-Boyen Proof & Waters IBE System

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Cryptography and Security Final Exam

Lecture 6. Winter 2018 CS 485/585 Introduction to Cryptography. Constructing CPA-secure ciphers

Quantum-secure symmetric-key cryptography based on Hidden Shifts

A survey on quantum-secure cryptographic systems

Pr[C = c M = m] = Pr[C = c] Pr[M = m] Pr[M = m C = c] = Pr[M = m]

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

Public Key Cryptography

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017

10 Concrete candidates for public key crypto

Notes for Lecture 17

CPA-Security. Definition: A private-key encryption scheme

5.4 ElGamal - definition

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Security II: Cryptography exercises

Provable security. Michel Abdalla

El Gamal A DDH based encryption scheme. Table of contents

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Public Key Cryptography

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

2 Message authentication codes (MACs)

Asymmetric Encryption

Instructor: Daniele Venturi. Master Degree in Data Science Sapienza University of Rome Academic Year

Introduction to Cybersecurity Cryptography (Part 5)

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Digital Signatures. p1.

Chapter 8 Public-key Cryptography and Digital Signatures

DATA PRIVACY AND SECURITY

Lecture 1: Introduction to Public key cryptography

Introduction to Elliptic Curve Cryptography. Anupam Datta

Cryptography and Security Midterm Exam

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Notes for Lecture 9. 1 Combining Encryption and Authentication

Cryptography IV: Asymmetric Ciphers

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

Katz, Lindell Introduction to Modern Cryptrography

CRYPTANALYSIS OF COMPACT-LWE

BEYOND POST QUANTUM CRYPTOGRAPHY

Authentication. Chapter Message Authentication

Short Exponent Diffie-Hellman Problems

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

March 19: Zero-Knowledge (cont.) and Signatures

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

CS 355: Topics in Cryptography Spring Problem Set 5.

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Some Security Comparisons of GOST R and ECDSA Signature Schemes

G Advanced Cryptography April 10th, Lecture 11

Lossy Trapdoor Functions and Their Applications

CPSC 467: Cryptography and Computer Security

Fundamentals of Modern Cryptography

Transcription:

Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total of points is 90. You will have 100 minutes. Be strategic and allocate your time wisely. You may use two double-sided letter size (8.5-by-11) study sheet. Calculator is allowed. Any other resources and electrical devices (e.g. laptops, phones) are NOT permitted. You may refer to facts and theorems proved in class and textbook without proving them. But you need to write the statements clearly. Your work will be graded on correctness and clarity. Please write legibly. Don t forget to write your name on top! Grade Table (for instructor use only) Question Points Score 1 30 2 18 3 15 4 13 5 14 Total: 90

CS 485/585 Crypto Practice Final Exam - Page 2 of 7 March 14, 2017 1. Short answers. (a) (4 points) A research team at Letni recently built a special-purpose machine that can crack a 56-bit DES key in 6 hours, by exhaustive search. Using similar hardware, what is the time to break a block cipher with i. a 96-bit key? ii. a 128-bit key? (You may assume that the time needed to evaluate the block cipher is the same in all three cases.) (b) (5 points) Assume that there is a pseudorandom generator (PRG) that expands by 1 bit G : {0, 1} n {0, 1} n+1, does exists a PRG that expands n 2 bits? Answer (Yes, No, or Unknown) and justify your answer. (c) (6 points) Let P k : {0, 1} n {0, 1} n be a pseudorandom permutation. Under CBC mode, how to encrypt and authenticate a message m = m 0 m 1, m i {0, 1} n? CBC-ENC: CBC-MAC: (d) (5 points) Consider the DDH (Decisional Diffie-Hellman) and Discrete Logarithm (DL) assumptions relative to some group sampling algorithm G. If the DDH assumption is false, is the DL assumption necessarily false? Answer (yes, no, or unknown) and justify your answer. (e) (5 points) Use Euclidean algorithm to find 52 1 mod 225. (f) (5 points) If P = NP, is public-key encryption possible? If so, what definition covered in class can be achieved? Justify your answer briefly.

CS 485/585 Crypto Practice Final Exam - Page 3 of 7 March 14, 2017 2. Private-key primitives. (a) (6 points) G(1 n ): pick random k {0, 1} n. E k (m {0, 1} 3n ): choose random r {0, 1} n and output ciphertext c = (r, (G(r) k) m), where G is a PRG with stretch l(n) = 2n. What s the strongest security definition that this encryption scheme meets? Justify your answer. (b) (6 points) G(1 n ): pick random k {0, 1} n. E k (m {0, 1} n ): let p k = G(k) for p, k {0, 1} n where G is a PRG with stretch l(n) = 2n, output ciphertext c = m p, and replaces k with k for the next call (so E is stateful). Is it CPA-secure? Justify your answer. (c) (6 points) Let (G, S, V ) be a secure MAC for messages M. Construct Π = (G = G, S, V ) that signs messages in M l, for l > 1, by signing each component independently, using the same signing key for each component. That is, for l = 3, we have S k (m 0, m 1, m 2 ) = S k (m 0 ) S k (m 1 ) S k (m 2 ). Show that Π NOT a secure MAC. Your attack should make use of a single message query.

CS 485/585 Crypto Practice Final Exam - Page 4 of 7 March 14, 2017 3. Public-key cryptography. (a) (5 points) Consider encryption scheme E pk (m) = r e (m r), where pk = (N, e) is generated by the standard RSA key generator on input 1 n, r Z N and the message space is ZN. Is it CPA-secure? Justify your answer. (b) (10 points) Let (G, S, V ) be a secure signature scheme (existentially unforgeable under chosen-message-attacks) with message space {0, 1}. Generate two signing/verification key pairs (pk 0, sk 0 ) G(1 n ) and (pk 1, sk 1 ) G(1 n ). Which of the following are secure signature schemes? Show an attack or explain why the scheme is secure, that is, explain why an attack on the scheme leads to an attack on (G, S, V ). i. Accept one valid: S (1) sk 0,sk 1 (m) := S sk0 (m) S sk1 (m). Verify: V (1) pk 0,pk 1 (m, (σ 0, σ 1 )) = accept iff. V pk0 (m, σ 0 ) = accept OR or V pk1 (m, σ 1 ) = accept. ii. Sign with appendage: S (2) sk 1 (m) := S sk1 (m 1010); V (2) pk 1 (m, σ) := V pk1 (m 1010, σ).

CS 485/585 Crypto Practice Final Exam - Page 5 of 7 March 14, 2017 4. Collision resistant hash from Discrete logarithm. Let G be group sampling algorithm that on input 1 n generates a group G of prime order q with generator g G. Let h be a random element in G. (a) (8 points) Show that the hash function H(x, y) := g x h y from Z q Z q G is collision resistant, assuming the discrete-log problem in G is difficult. (b) (5 points) Show that one who knows the discrete-log of h base g can easily find collisions for H.

CS 485/585 Crypto Practice Final Exam - Page 6 of 7 March 14, 2017 5. Double encryption. Let E = (G, E, D) be an encryption scheme. Construct a double encryption scheme E = (G = G, E, D ), where E k (m) = E k(e k (m)). (a) (6 points) Show that there is a computationally secret E such that E is not computationally secret. (b) (8 points) Prove that for every CPA-secure E, E is also CPA-secure. That is, show that for every CPA adversary A attacking E there is a CPA adversary B attacking E with about the same success probability advantage and running time.

CS 485/585 Crypto Practice Final Exam - Page 7 of 7 March 14, 2017 Scrap paper no exam questions here.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback