Scribd Logo
Upload

Welcome to Scribd!

  • Coursera 2

    Uploaded by

    Vlad Doru
    2K views9 pages
    Cryptography

    Original Title

    coursera2

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Cryptography

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    2K views9 pages

    Coursera 2

    Uploaded by

    Vlad Doru
    Cryptography

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 9

    FeedbackWeek2ProblemSet

    Help

    YousubmittedthishomeworkonThu22May20145:07AMPDT.Yougotascore
    of6.83outof9.00.

    Question1
    Considerthefollowingfiveevents:
    1. Correctlyguessingarandom128bitAESkeyonthefirsttry.
    ).
    6

    ) 01/1(

    01/1

    3. Winningalotterywith1millioncontestants5timesinarow(theprobabilityis
    4. Winningalotterywith1millioncontestants6timesinarow.
    5. Winningalotterywith1millioncontestants7timesinarow.

    2. Winningalotterywith1millioncontestants(theprobabilityis

    ).

    Whatistheorderoftheseeventsfrommostlikelytoleastlikely?
    Your
    Answer
    2,3,
    4,1,5

    Score

    1.00

    2,3,
    1,4,5
    2,3,
    5,4,1
    2,4,
    3,1,5
    Total

    1.00/
    1.00

    Explanation

    Theprobabilityofevent(1)is1/2^128.
    Theprobabilityofevent(5)is1/(10^6)^7whichisabout1/2^{139}.
    Therefore,event(5)istheleastlikely.
    Theprobabilityofevent(4)is1/(10^6)^6whichisabout
    1/2^{119.5}whichismorelikelythanevent(1).
    Theremainingeventsareallmorelikelythanevent(4).

    Question2
    Supposethatusingcommodityhardwareitispossibletobuildacomputerforabout$200that
    canbruteforceabout1billionAESkeyspersecond.Supposeanorganizationwantstorunan
    exhaustivesearchforasingle128bitAESkeyandwaswillingtospend4trilliondollarstobuy
    thesemachines(thisismorethantheannualUSfederalbudget).Howlongwouldittakethe
    organizationtobruteforcethissingle128bitAESkeywiththesemachines?Ignoreadditional
    costssuchaspowerandmaintenance.
    YourAnswer

    Score

    Explanation

    1.00

    Theanswerisabout540billionyears.
    #machines=4*10^12/200=
    2*10^10

    Morethanayearbutlessthan100
    years
    9

    01

    Morethanabillion(

    )years

    #keysprocessedpersec=10^9
    *(2*10^10)=2*10^19
    #seconds=2^128/(2*10^19)=
    1.7*10^19
    Thismanysecondsisabout540
    billionyears.
    Morethanamillionyearsbutless
    thanabillion(
    )years
    9

    01

    Morethanamonthbutlessthana
    year
    Morethana100yearsbutlessthana
    millionyears
    Total

    Question3

    1.00/
    1.00

    }1 ,0{

    }1 ,0{

    }1 ,0{

    }1 ,0{ : F

    inputspace,andoutputspaceareall

    beasecurePRF(i.e.aPRFwherethekeyspace,
    )andsay

    .Whichofthefollowingisa

    821 = n

    Let

    securePRF(thereismorethanonecorrectanswer):
    Score
    0.17

    NotaPRF.Adistinguisherwill
    queryat
    and
    andoutputnotrandomifthexor
    n

    1 = x

    Explanation

    YourAnswer
    x k = )x ,k(

    0 = x

    oftheresponseis .Thisis
    unlikelytoholdforatruly
    randomfunction.
    n

    0.17

    Correct.Adistinguisherfor
    givesadistinguisherfor .

    0.17

    Correct.Adistinguisherfor
    givesadistinguisherfor .

    0.17

    NotaPRF.Adistinguisherwill
    outputnotrandomwhenever
    thelastbitof
    is .

    0.17

    Correct.Adistinguisherfor
    givesadistinguisherfor .

    0.00

    NotaPRF.Adistinguisherwill
    queryat
    and
    andoutputnotrandom
    wheneverthetworesponses

    1 x ,k( F = )x ,k(

    )x , 2k( F )x , 1k ( F = )x ,) 2k , 1k((

    )x ,k( F = )x ,k(

    0 ,k( F

    where
    reverse(y)reversesthestringysothatthe
    firstbitofyisthelastbitofreverse(y),the
    secondbitofyisthesecondtolastbitof

    denotesconcatenation)

    (here

    ))x ,k( F(esre ver = )x ,k(

    reverse(y),andsoon.

    1 = x

    0 = x

    1 x ,k( F )x ,k( F = )x ,k(

    Total

    Question4

    0.83/
    1.00

    areequal.Thisisunlikelyto
    happenforatrulyrandom
    function.

    RecallthattheLubyRackofftheoremdiscussedinLecture3.2statesthatapplyingathreeround
    FeistelnetworktoasecurePRFgivesasecureblockcipher.Let'sseewhatgoeswrongifwe

    46

    }1 ,0{

    istheleft32bits.

    usingarandomkey,whiletheotherthree
    46

    }1 ,0{

    46

    K :

    0L

    2F

    2F

    0R

    }1 ,0{ : f

    aretheoutputofatrulyrandompermutation

    }1 ,0{

    } 1 ,0{ K : F

    OneofthefollowinglinesistheoutputofthisPRP

    46

    23

    istheright32bitsofthe64bitinputand

    beasecurePRF.Recallthat

    }1 ,0{

    a2roundFeisteldefinesthefollowingPRP

    Here

    23

    onlyuseatworoundFeistel.Let

    .All64bitoutputsare

    encodedas16hexcharacters.CanyousaywhichistheoutputofthePRP?Notethatsince
    fromrandom,

    2F

    2F

    youareabletodistinguishtheoutputof

    isnotasecureblockcipher,which

    iswhatwewantedtoshow.

    23

    23

    1 ,( 2 F

    and

    46

    0 ,( 2 F

    Hint:Firstarguethatthereisadetectablepatterninthexorof
    Thentrytodetectthispatterninthegivenoutputs.

    YourAnswer
    46

    Oninput

    Score

    Explanation

    1.00

    ObservethatthetworoundFeistelhastheproperty

    the

    outputis"7c2822eb
    fdc48bfb".Oninput
    theoutputis
    23

    23

    "325032a9c5e2364b".
    46

    Oninput

    the

    outputis"2d1cfa42
    c0b1d266".Oninput
    theoutputis

    23

    23

    "eea6e3ddb2146dd0".

    23

    ,( F )

    46

    ,( F

    23

    the

    46

    Oninput

    23

    1 ,( F )

    46

    0 ,( F

    932330e4".Oninput
    theoutputis

    23

    thatthelefthalfof

    outputis"9f970f4e

    is

    .Thetwooutputsinthisansweraretheonly

    23

    oneswiththisproperty.

    23

    23

    "6068f0b1b645c008".
    46

    Oninput

    the

    outputis"7b50baab
    07640c3d".Oninput
    theoutputis
    23

    23

    "ac343a22cea46d60".
    Total

    1.00/
    1.00

    Question5
    NoncebasedCBC.Recallthatinlecture4.4wesaidthatifonewantstouseCBCencryptionwith
    anonrandomuniquenoncethenthenoncemustfirstbeencryptedwithanindependentPRP
    keyandtheresultthenusedastheCBCIV.Let'sseewhatgoeswrongifoneencryptsthenonce
    withthesamePRPkeyasthekeyusedforCBCencryption.

    )n ,k( F = V I

    }1 ,0{

    } 1 ,0{ K : F

    andthenusingthisIVin

    .Notethatthesamekey isusedforcomputingtheIVandfor
    k

    ) ,k( F

    CBCencryptionusing

    byfirstcomputing

    .Let beanonceand

    821 =

    supposeoneencryptsamessage

    beasecurePRPwith,say,

    Let

    CBCencryption.WeshowthattheresultingsystemisnotnoncebasedCPAsecure.

    0c

    = n

    c , 1c , 0c

    1c

    Score

    .Itreceivesbackaoneblockciphertext

    ?Notethatthisrelationletstheadversarywinthe

    1c

    0 = n

    0c

    1m

    noncebasedCPAgamewithadvantage1.
    YourAnswer

    .Observethatbydefinitionof

    .Next,theattackerasksfortheencryptionoftheoneblock

    withnonce

    Whatrelationholdsbetween

    with

    ) 0c ,k( F =

    message

    ) 1c , 0c(

    CBCweknowthat

    .Itreceivesbackatwoblockciphertext

    nonce

    ) 0 , 0( = m

    Theattackerbeginsbyaskingfortheencryptionofthetwoblockmessage

    Explanation

    0c

    c =

    1c

    0.00

    ThecorrectanswerfollowsfromthedefinitionofCBCwithan
    encryptednonceasdefinedinthequestion.Itmighthelpto

    reviewthedefinitionofCBC.

    0c

    1c

    1c

    0c

    Total

    0.00/
    1.00

    Question6
    ).Aliceencrypts

    001 =

    beamessageconsistingof AESblocks(say

    Let

    usingCBC

    modeandtransmitstheresultingciphertexttoBob.Duetoanetworkerror,ciphertextblock
    iscorruptedduringtransmission.Allotherciphertextblocksaretransmittedand

    2/

    number

    receivedcorrectly.OnceBobdecryptsthereceivedciphertext,howmanyplaintextblockswillbe
    corrupted?
    Your
    Answer
    2/

    Score

    Explanation

    0.00

    ItisbesttotakeacloserlookattheCBCdecryptioncircuitandask
    howmanyplaintextblocksareaffectedbyasingleciphertextblock.

    2/ + 1

    1
    3
    Total

    0.00/
    1.00

    Question7
    ).Aliceencrypts

    001 =

    beamessageconsistingof AESblocks(say

    Let

    using

    randomizedcountermodeandtransmitstheresultingciphertexttoBob.Duetoanetworkerror,
    iscorruptedduringtransmission.Allotherciphertextblocksare

    2/

    ciphertextblocknumber

    transmittedandreceivedcorrectly.OnceBobdecryptsthereceivedciphertext,howmany
    plaintextblockswillbecorrupted?
    Your

    Score

    Explanation

    1.00

    Takealookatthecountermodedecryptioncircuit.Eachciphertext

    Answer
    2/

    2/ + 1

    3
    1

    blockaffectsonlythecurrentplaintextblock.
    Total

    1.00/
    1.00

    Question8
    Recallthatencryptionsystemsdonotfullyhidethelengthoftransmittedmessages.Leakingthe
    lengthofwebrequestshasbeenusedtoeavesdroponencryptedHTTPStraffictoanumberof
    websites,suchastaxpreparationsites,Googlesearches,andhealthcaresites.Supposean
    attackerinterceptsapacketwhereheknowsthatthepacketpayloadisencryptedusingAESin
    CBCmodewitharandomIV.Theencryptedpacketpayloadis128bytes.Whichofthefollowing
    messagesisplausiblythedecryptionofthepayload:

    YourAnswer

    Score

    Explanation

    1.00

    Thelengthofthestringis106bytes,which

    'Themostdirectcomputation
    wouldbefortheenemytotry
    all2^rpossiblekeys,oneby
    one.'
    'Toconsidertheresistance
    ofanencipheringprocessto
    beingbrokenweshould
    assumethatatsametimesthe
    enemyknowseverythingbut
    thekeybeingusedandto
    breakitneedsonlydiscover
    thekeyfromthisinformation.'
    'Weseeimmediatelythat
    oneneedslittleinformationto
    begintobreakdownthe
    process.'
    'Anencipheringdeciphering

    machine(ingeneraloutline)of
    myinventionhasbeensentto

    afterpaddingbecomes112bytes,andafter
    prependingtheIVbecomes128bytes.

    yourorganization.'
    Total

    1.00/
    1.00

    Question9
    5

    R : F

    andconsiderthefollowingPRF

    R R

    }1 ,0{ =: R

    Let

    ]0[k = t

    od 4 ot 1=i ro f
    ]i[k t = t

    )1 == ]1 i[x( fi
    t tuptuo

    )]4[k ,]3[k ,]2[k ,]1[k ,]0[k( = k

    ]4[k ]2[k ]0[k = )1010 ,k( F

    isdefinedas

    in

    =: )x ,k( F

    Thatis,thekeyis

    definedasfollows:

    andthefunctionat,forexample,

    1010

    Forarandomkey unknowntoyou,youlearnthat
    k

    and

    0110 = )0111 ,k( F

    0101 = )1010 ,k( F

    1100 = )0110 ,k( F

    point,thisPRFisinsecure.
    Youentered:
    1111

    YourAnswer
    1111
    Total

    ?Notethatsinceyouareabletopredictthefunctionatanew

    )1011 ,k( F

    Whatisthevalueof

    and

    Score

    1.00
    1.00/1.00

    Explanation

    You might also like