Cryptography and Security Final Exam

Similar documents
Cryptography and Security Final Exam

Cryptography and Security Final Exam

Cryptography and Security Midterm Exam

Security Protocols and Application Final Exam

Cryptography and Security Midterm Exam

THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY

Lecture 1: Introduction to Public key cryptography

Lecture 22: RSA Encryption. RSA Encryption

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Solutions for week 1, Cryptography Course - TDA 352/DIT 250

Lecture 11: Key Agreement

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

CPSC 467b: Cryptography and Computer Security

1 Number Theory Basics

U.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6

MATH UN Midterm 2 November 10, 2016 (75 minutes)

CPSC 467: Cryptography and Computer Security

Lecture 11: Hash Functions, Merkle-Damgaard, Random Oracle

ECS 189A Final Cryptography Spring 2011

Authentication. Chapter Message Authentication

CPSC 467b: Cryptography and Computer Security

Lecture 24: MAC for Arbitrary Length Messages. MAC Long Messages

Lecture 14: Cryptographic Hash Functions

Exam Security January 19, :30 11:30

Security Implications of Quantum Technologies

Cryptographical Security in the Quantum Random Oracle Model

Lecture Notes, Week 10

PERFECT SECRECY AND ADVERSARIAL INDISTINGUISHABILITY

CS/Ph120 Homework 8 Solutions

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Attacks on hash functions. Birthday attacks and Multicollisions

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Exercise Sheet Cryptography 1, 2011

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

On the Big Gap Between p and q in DSA

Advanced Cryptography Quantum Algorithms Christophe Petit

PERFECTLY secure key agreement has been studied recently

CS120, Quantum Cryptography, Fall 2016

MATH 158 FINAL EXAM 20 DECEMBER 2016

Question: Total Points: Score:

RSA RSA public key cryptosystem

1 Cryptographic hash functions

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

10 Concrete candidates for public key crypto

Homework 7 Solutions

14 Diffie-Hellman Key Agreement

A new message authentication code based on the non-associativity of quasigroups. Kristen Ann Meyer. A dissertation submitted to the graduate faculty

Computer Science A Cryptography and Data Security. Claude Crépeau

Cryptographic Protocols Notes 2

COS Cryptography - Final Take Home Exam

Lecture 10 - MAC s continued, hash & MAC

CPSC 467: Cryptography and Computer Security

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Midterm 2. Your Exam Room: Name of Person Sitting on Your Left: Name of Person Sitting on Your Right: Name of Person Sitting in Front of You:

CPSC 467: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Lecture 15 - Zero Knowledge Proofs

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Solving LPN Using Covering Codes

On the query complexity of counterfeiting quantum money

An Introduction. Dr Nick Papanikolaou. Seminar on The Future of Cryptography The British Computer Society 17 September 2009

Leftovers from Lecture 3

Lectures One Way Permutations, Goldreich Levin Theorem, Commitments

Lattice Cryptography

CS 355: Topics in Cryptography Spring Problem Set 5.

Collapsing sponges: Post-quantum security of the sponge construction

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Introduction to Cryptography Lecture 13

Error Reconciliation in QKD. Distribution

Lecture 38: Secure Multi-party Computation MPC

1 Cryptographic hash functions

Multiparty Computation

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Other Topics in Quantum Information

Public-Key Cryptosystems CHAPTER 4

Block Ciphers/Pseudorandom Permutations

Solution of Exercise Sheet 7

Lecture 3,4: Multiparty Computation

CPSC 467: Cryptography and Computer Security

Public Key Encryption

Question 1. The Chinese University of Hong Kong, Spring 2018

Solution to Midterm Examination

Lecture Notes 20: Zero-Knowledge Proofs

1 Secure two-party computation

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10

Public-Key Encryption: ElGamal, RSA, Rabin

CPSC 467b: Cryptography and Computer Security

Stream ciphers I. Thomas Johansson. May 16, Dept. of EIT, Lund University, P.O. Box 118, Lund, Sweden

On Perfect and Adaptive Security in Exposure-Resilient Cryptography. Yevgeniy Dodis, New York University Amit Sahai, Princeton Adam Smith, MIT

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

LECTURE NOTES ON Quantum Cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

SECURE IDENTITY-BASED ENCRYPTION IN THE QUANTUM RANDOM ORACLE MODEL. Mark Zhandry Stanford University

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

Zero-Knowledge Proofs and Protocols

Problem Set 4 Solutions

Theory of Computation Chapter 12: Cryptography

Transcription:

Cryptography and Security Final Exam Serge Vaudenay 29.1.2018 duration: 3h no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices are not allowed the exam invigilators will not answer any technical question during the exam readability and style of writing will be part of the grade

1 Collision on Sponge-Based Hash Functions The sponge is a construction for cryptographic hashing. It uses a cryptographic permutation f : {0, 1} b {0, 1} b. To instantiate the sponge with f, we have to pick the parameters r (called the rate ) and c (called the capacity ), such that r + c = b. The sponge also allows to set an arbitrary length h of the output. We fix f, c and h and set H = Sponge[f, c, h](m) defined as follows. We first define pad(a) = 10 r (a+2 mod r) 1 for an integer a (i.e. the bitstring consisting of one bit 1 followed with r (a + 2 mod r) bits 0, then one bit 1: this is not a power of 10). Here, m denotes the length of the bitstring m. We use the notation for the concatenation of bitstrings. To compute the hash H(m) of a message m (specified as a bitstring), we use the following pseudocode: Input: m 1: M m pad( m ) {pad( m ) = 10 r ( m +2 mod r) 1} 2: l M /r 3: split M = M 1 M 2 M l {split M into l blocks of r bits M 1,..., M l } 4: S 0 b 5: for i = 1 to l do 6: S S (M i 0 c ) 7: S f(s) 8: end for 9: Z empty string 10: while Z < h do 11: Z Z left r (S) 12: S f(s) 13: end while 14: return left h (Z) where left r (Z) returns the r leftmost bits of a binary string Z. (We similarly define right c (Z) so that Z = left r (Z) right c (Z) whenever Z is of b bits.) We see that the rate impacts performance, the bigger it is, the less times we need to call f to hash a message. Now we investigate how the capacity influences the security of a sponge-based hash function. Q.1 Say why it is called a sponge and in which well-known algorithm is this construction used. 2

Q.2 Briefly describe a generic collision-search attack on the hash function H. What is its time and memory complexity? (It is convenient to measure the time complexity in computations which are equivalent to one call of f.) Q.3 Prove that given two randomly chosen strings x x such that x = x = b, the probability that right c (f(x)) = right c (f(x )) is about 2 c. (To make this estimation, you can assume that f is a random permutation.) 3

Q.4 Describe an algorithm that will find two x x such that x = x = b and right c (f(x)) = right c (f(x )). What is its time and memory complexity? Q.5 Assume that h > c. Describe a collision-search attack on the hash function H = Sponge[f, c, h](m) that is more efficient than the generic collision search from Q.2. What is its time and memory complexity? HINT: You can assume that after processing c/2r randomly chosen message blocks, the state S behaves as f(x) with a random input x. 4

2 LPN with Extreme Noise Parameters We consider a set of parameters consisting of an integer k and a probability τ. We assume that a secret vector s {0, 1} k is initially selected with a uniform distribution. We define a source S which generates some random pairs (v, b) as follows: first, the source picks a random vector v {0, 1} k with a uniform distribution and (independently) a random bit e such that Pr[e = 1] = τ. Then, the source produces b = v, s e where we use the notation.,. for the dot product in Z k 2 defined by v, s = (v 1 s 1 + + v k s k ) mod 2 and we use the notation for the addition in Z 2. The components of v and s are the v i and s i for i = 1,..., k, respectively. The output (v, b) of the source S is called a sample. Upon a query to S, the source produces a sample. By making a query, we get only the freshly generated sample (v, b) but we see neither the secret s nor the noise bit e. The Learning Parity with Noise problem (LPN) consists of designing an algorithm A S (k, τ) which recovers the secret vector s by only querying the source S and knowing the parameters k and τ, with a large enough probability of success (e.g. at least 50%): Pr[A S (k, τ) s] 1 2 We assume that τ is a function of k and we measure the complexity of A with a time complexity and a query complexity. Both are asymptotic in terms of k. The time complexity is the asymptotic expected complexity in number of binary operations. The query complexity is the number of queries to the source. The LPN problem is often used in cryptography with τ between cte k and 1 2 cte k, for a constant cte, as it is believed to be hard (even with the help of quantum computers!). In this exercise, we investigate values of τ which are not in this range. Q.1 For τ = 0, prove that the LPN problem is easy to solve: there exists a polynomially bounded (in terms of k) algorithm to solve it. Briefly describe this algorithm and its complexity (time and query). 5

Q.2 For τ = 1 2, prove that the LPN problem is impossible to solve. HINT: first show that the source is uniform whatever s. Q.3 For τ = O( 1 k ), we show in the next questions that the LPN problem is still easy to solve. Q.3a Prove that we can easily get k samples (v i, b i ), i = 1,..., k such that all v i are linearly independent. Briefly describe this algorithm with a pseudocode and its complexity (time and query). 6

Q.3b We denote b i = v i, s e i. Prove that the number X of i {1,..., k} such that e i = 1 is a random variable which has an expected value equal to kτ and a variance of kτ(1 τ). 7

Q.3c By using the previous questions, prove that for τ = O( 1 k ) we can recover s from the obtained samples. Briefly describe an algorithm with a pseudocode and its complexity (time and query). HINT: there may be an exhaustive search on a tiny space. HINT 2 : Pr[X > kτ] 37%. 8

3 Cross-Authentication based on Short Authenticated Strings Let r and k be two integers. We consider a commitment scheme commit with which we commit to (m A, K) (where m A is a message and K is a hash key) by picking some coins ρ and producing c = commit(m A, K; ρ) and we open the commitment by releasing (m A, K, ρ). We also consider a strongly universal hash function family h K from the set of all finite bitstrings to {0, 1} r, defined by a key K {0, 1} k. This is such that for any fixed m, m such that m m, the pair (h K (m), h K (m )) is uniformly distributed in ({0, 1} r ) 2 when K {0, 1} k is uniformly distributed. We define the following SAS-based message cross-authentication protocol: if Alice wants to send the message m A and Bob wants to send the message m B, they run the following protocol. Communications with the authenticate tags are authenticated (i.e. sent through a special authenticated channel) in the sense that an adversary cannot create or modify the message. Other communications are done through an insecure channel which may be corrupted by an adversary. For this reason, we put a hat on notations to designate received values. For instance, if Alice sends K to Bob through an insecure channel, Bob receives ˆK which is equal to K only if the adversary lets the message unchanged. Alice input: m A Bob input: m B pick K U {0, 1} k pick ρ m c commit(m A, K; ρ) A,c compute SAS ˆR h K ( ˆm B ) verify SAS = ˆR h K ( ˆm B ) m B,R pick R U {0, 1} r K,ρ check ĉ = commit( ˆm A, ˆK; ˆρ) authenticate(sas) verify SAS = R h ˆK(m B ) authenticate(sas) compute SAS R h ˆK(m B ) output: ˆm B output: ˆm A In the considered attacks in this exercise, we have a (wo)man-in-the-middle (let s call her Eve) who controls the (unauthenticated) channels and substitutes all variables by some variants with a hat that she computes. She wants that for any m A, m B, ˆm A, ˆm B, there exists an efficient way to make Alice and Bob succeed (i.e., both verifications succeed), with input/output m A / ˆm B and m B / ˆm A, respectively. If not specified otherwise, the attack is supposed to succeed with probability 100%. We assume that h and commit are easily computable. We assume that r is small so that a loop with 2 r iterations is considered as efficient. Eve can use m A, m B, ˆm A, ˆm B as input before the attack starts. 9

Q.1 Explain what this protocol could be used for and a typical use case. Q.2 (Case of a non-hiding commitment.) If there exists an efficiently implementable function reveal such that for all m, K, ρ, we have prove that there is an attack. reveal(m, commit(m, K; ρ)) = K 10

Q.3 (Case of a modified protocol.) If we modify the protocol by removing the commitment (as shown below), prove that there is an attack using a loop of 2 r iterations. pick K U {0, 1} k SAS = ˆR h K ( ˆm B ) m A pick R U {0, 1} r m B,R K authenticate(sas) SAS = R h ˆK(m B ) Q.4 (Case of a non-binding commitment.) If there exists an efficiently implementable function equivocate returning random coins ρ such that for all c, ˆm, ˆK, we have commit( ˆm, ˆK; equivocate(c, ˆm, ˆK)) = c prove that there is an attack using a loop of 2 r iterations. 11

Q.5 (General case: attack with success probability 2 r.) Prove that there is an attack which succeeds with probability 2 r. 12

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback