Cryptography Week 3 Quiz Answer

Cryptography Week 3 Quiz Answer

By University Of Maryland

Cryptography Quiz 3

Private-Key Encryption

Q1) Any private-key encryption scheme that is CPA-secure must also be computationally indistinguishable: 

• True

• False

Q2) Any private-key encryption scheme that is CCA-secure must also be perfectly secret: 

• True

• False

Q3) Any private-key encryption scheme that is CCA-secure must also be CPA-secure: 

• True

• False

Q4) Let F be a block cipher with 128-bit block length. Consider the following encryption scheme for 256-bit messages: to encrypt message M=m1∥m2 using key k (where |m1|=|m2|=128), choose random 128-bit r and compute the ciphertext r∥Fk(r)⊕m1∥Fk(m1)⊕m2. Which strategy would lead to a valid chosen-plaintext attack?

• Let m1 and m2 be arbitrary but distinct. Using the encryption oracle, obtain an encryption r∥c1∥c2 of m1∥m2. Output messages M0=m1∥m2 and M1=m2∥m1. Output 0 if the third block of the challenge ciphertext is c2.

• There is no attack; this scheme is randomized, so it is CPA-secure. 

• Let m; and m2 be arbitrary but distinct. Using the encryption oracle, obtain an encryption rc1 C2 of m2 m2. Output messages Mo = m m , and M = m m2. Output o if the third block of the challenge ciphertext is cz. = mm. 

• Choose random r and let m be arbitrary but not equal to r. Output messages Mo = rm and M Output 0 if the second block of the challenge ciphertext is all-Os.

Q5) Let F be a pseudorandom function with 128-bit key and 256-bit block length. The following functions G are pseudorandom generators:

• G(x)=Fx(0…0), where x is a 128-bit input.

• G(x)=Fx(0…0)∥Fx(1…1), where x is a 128-bit input.

• G(x) = Fo...0(2)||F11(2), where r is a 256-bit input.

• G(x) = F.0...0)||F:(1...1), where x is a 128-bit input.

Q6) Define the keyed function F as follows: Fk(x)=k⊕x. Which of the following distinguishers demonstrates that F is not a pseudorandom function?

• Given access to an oracle g, query y0=g(0…0) and y1=g(1…1). Then output 1 if and only if y0⊕y1=1…1.

• Given access to an oracle g. query g(0...0). Then output 1 because we now have the key.

• Given access to an oracle g. query y= g(0...0). Then output 1 if and only if the first bit of y is equal to 1.

• Given access to an oracle g. query y = g(0...0) and y' = g(0...0). Then output 1 if and only if y=y.

 

Q7) Say we use CBC-mode encryption based on a block cipher with 256-bit key length and 128-bit block length to encrypt a 512-bit message. How long is the resulting ciphertext?

• 640 bits

• 512 bits 

• 768 bits

• Not enough information to determine. 

Q8) Assume CTR-mode encryption with PKCS #5 padding and a block cipher with 8-byte block length. Say a 4-byte message is encrypted, resulting in ciphertext 0x00 01 02 03 04 05 06 07 00 01 02 03 04 05 06 07. Which of the following ciphertexts will NOT yield an error upon decryption?

• 0x00 01 02 03 04 05 06 07 00 01 02 04 04 05 06 07

• 0x00 01 02 03 04 05 06 07 00 01 02 03 04 05 07 07 

• 0x00 01 02 03 04 05 06 07 00 01 02 03 05 05 06 07 

• Ox00 01 02 03 04 05 06 07 00 01 02 03 04 05 06 F7

Q9) Assume an honest user wants to send an 8-bit integer to their bank indicating how much money should be transferred to the bank account of an attacker. The user uses CTR-mode encryption based on a block cipher F with 8-bit block length. (Yes, this is a made-up example.) The attacker knows that the amount of money the user wants to transfer is exactly $16, and has compromised a router between the user and the back. The attacker receives the ciphertext 10111100 01100001 (in binary) from the user. What ciphertext should the attacker forward to the bank to initiate a transfer of exactly $32? (Recall that CTR-mode decryption of a ciphertext c0,c1 using key k is done by outputting c1⊕Fk(c0+1).)

• 01100001 10111100

• 10001100 01100001 

• 1011100 00100000 

• 10111100 01010001

Q10) Let F be a block cipher with n-bit block length. Consider the following encryption scheme: to encrypt a message viewed as a sequence of n-bit blocks m1,m2,…,mt using a key k, choose a random n-bit value r and then output the ciphertext r,Fk(r+1+m1),Fk(r+2+m2),…,Fk(r+t+mt), where addition is done modulo 2n. Which of the following attackers demonstrates that this scheme is not computationally indistinguishable:

• Let m be an arbitrary n-bit block, and output M0=m,m and M1=m,m−1. Given challenge ciphertext r,c1,c2, output 1 if and only if c1=c2.

• Choose random n-bit blocks m and m', and output Mo = m,m and M T, C1, C2, output 1 if and only if c = 62.

• Choose random n-bit blocks mi, m2, m3, 74, and output Mo = m, m2 and M:=m3, m. Given challenge ciphertext r, C1, C2, output o ifr=0...0, and output 1 otherwise.

• Let m be an arbitrary n-bit block, and output Mo = m and M = m, m. Given a challenge ciphertext, output o if the challenge ciphertext contains 2 blocks, and output 1 otherwise.

--------------------------------------------------------------------------------------------------------------------------------------------------------------

Cryptography

• Cryptography Week 1 Quiz Answer

• Cryptography Week 2 Quiz Answer

• Cryptography Week 3 Quiz Answer

• Cryptography Week 4 Quiz Answer

• Cryptography Week 5 Quiz Answer

• Cryptography Week 6 Quiz Answer

• Cryptography Week 7 Quiz Answer

• Cryptography Final Quiz Answer Coursera

-----------------------------------------------------------------------------------------------------------------------------------------------------------