Final 06
Final Exam
Instructions
− Answer four of the following five problems. Do not answer more than four.
− All questions are weighted equally.
− The exam is open book and open notes. A calculator is fine, but a laptop is not.
− You have two hours.
a. When combining encryption and compression would you encrypt and then compress or
compress and then encrypt? No need to justify your answer.
b. When combining encryption and error correction codes would you encrypt and then apply
the error correction code or vice versa? Encryption here refers to authenticated
encryption, namely encrypt then MAC. Briefly justify your answer.
c. When using counter-mode, explain what goes wrong if the same IV is used for all
encryptions with a given key. Why is the resulting system insecure?
d. Let $H : \{0,1\}^* \to \{0,1\}^n$ be a collision resistant hash function. Define
$H_1(M) = H(M) \,\|\, 0^{n-10}$. That is, $H_1$ appends $n - 10$ zeros to the output of $H$.
Clearly $H_1$ is also collision resistant. Now, let $H_2$ be the result of truncating the
output of $H_1$ to $n$ bits. Show that if truncation is done incorrectly then $H_2$ will
not be collision resistant. In other words, a truncated collision resistant function need
not be collision resistant.
e. Let $(S, V)$ be a secure MAC where $S$ outputs 256-bit tags. If we truncate the output
of $S$ to 128 bits, will the result necessarily be a secure MAC? If so explain why. If not,
give a counter-example along the lines of part (c).
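The construction in part (d) can be checked concretely. The following is an added illustration, not part of the exam: SHA-256 stands in for the collision resistant $H$ (so $n = 256$, an assumption), $H_1$ pads with $n - 10$ zero bits, and the two truncations of $H_1$ to $n$ bits are compared. Keeping the leading $n$ bits simply recovers $H$; keeping the trailing $n$ bits leaves only 10 bits of $H$'s output, so a collision is found by brute force among about a thousand messages. The same idea carries over to the truncated-MAC question in part (e).

```python
import hashlib

# Added illustration for part (d): SHA-256 stands in for the collision resistant H,
# so n = 256 (an assumption, not part of the exam text).
N = 256             # n: output length of H in bits
PAD = N - 10        # H1 appends n - 10 zero bits


def H(m: bytes) -> int:
    """The underlying hash H, returned as an n-bit integer."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big")


def H1(m: bytes) -> int:
    """H1(M) = H(M) || 0^(n-10), a (2n-10)-bit value; still collision resistant."""
    return H(m) << PAD


def H2_keep_leading(m: bytes) -> int:
    """Truncate H1 to its first n bits: drops the padding and recovers H(M)."""
    return H1(m) >> (N - 10)


def H2_keep_trailing(m: bytes) -> int:
    """Truncate H1 to its last n bits: only the low 10 bits of H(M) survive,
    so H2 takes at most 2^10 distinct values."""
    return H1(m) & ((1 << N) - 1)


def find_collision(fn, limit: int = 2000):
    """Search distinct messages for a pair with equal fn output (None if not found).
    For H2_keep_trailing the pigeonhole principle guarantees a hit within 1025 tries."""
    seen = {}
    for i in range(limit):
        m = b"message-%d" % i
        v = fn(m)
        if v in seen:
            return seen[v], m
        seen[v] = m
    return None


if __name__ == "__main__":
    print("bad truncation collides:", find_collision(H2_keep_trailing))
    print("correct truncation collides within 2000 tries:", find_collision(H2_keep_leading))
```

The point is that "truncate to $n$ bits" only preserves collision resistance when the bits kept are the ones carrying $H$'s output; the construction is contrived precisely so that the wrong choice of bits keeps almost nothing.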
a. Suppose you are given a secure PRF that takes a fixed size block as input. Explain how
to use the PRF for symmetric encryption of arbitrary size messages.
b. Explain how you would use a secure PRF for authenticated encryption, that is to provide
both encryption and integrity for arbitrary size inputs.
c. Suppose a user and a server have a secret key k that they both know. Briefly, explain how
to use a secure PRF for challenge-response mutual authentication.
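Parts (a) and (b) of this problem, together with Problem 1(c), describe one construction: counter mode built from a PRF, wrapped in encrypt-then-MAC. The block below is an added example, not exam material; it models the secure PRF $F(k, x)$ with HMAC-SHA256 (an assumption), derives the keystream as $F(k, \mathrm{IV} \,\|\, i)$ for as many blocks as the message needs, authenticates with a second PRF key over $\mathrm{IV} \,\|\, \text{ciphertext}$, and includes a check showing why reusing the IV under one key is fatal: the identical keystreams cancel, so the XOR of two ciphertexts equals the XOR of the two plaintexts.

```python
import hashlib
import hmac
import os

# Added illustration for Problem 2(a)/(b) and Problem 1(c). HMAC-SHA256 stands in
# for the secure PRF F(k, x) (an assumption); its 32-byte output is the block size.
IV_LEN = 16
TAG_LEN = 32


def F(k: bytes, x: bytes) -> bytes:
    """The PRF F(k, x) on a fixed-size input, modelled by HMAC-SHA256."""
    return hmac.new(k, x, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_keystream(k: bytes, iv: bytes, length: int) -> bytes:
    """Counter mode: block i of the keystream is F(k, IV || i); concatenate as
    many blocks as the message needs, so any message length is handled."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += F(k, iv + ctr.to_bytes(8, "big"))
        ctr += 1
    return out[:length]


def ctr_encrypt(k: bytes, iv: bytes, m: bytes) -> bytes:
    """CTR encryption; decryption is the same XOR with the same keystream."""
    return xor(m, ctr_keystream(k, iv, len(m)))


def ae_encrypt(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: fresh random IV, CTR ciphertext, PRF tag over IV || ciphertext."""
    iv = os.urandom(IV_LEN)
    c = ctr_encrypt(k_enc, iv, m)
    tag = F(k_mac, iv + c)
    return iv + c + tag


def ae_decrypt(k_enc: bytes, k_mac: bytes, ct: bytes):
    """Verify the tag in constant time first; return None on any modification."""
    if len(ct) < IV_LEN + TAG_LEN:
        return None
    iv, c, tag = ct[:IV_LEN], ct[IV_LEN:-TAG_LEN], ct[-TAG_LEN:]
    if not hmac.compare_digest(F(k_mac, iv + c), tag):
        return None
    return ctr_encrypt(k_enc, iv, c)


def keystream_cancels(k: bytes, iv1: bytes, iv2: bytes, m1: bytes, m2: bytes) -> bool:
    """Problem 1(c): with the same IV, c1 XOR c2 equals m1 XOR m2 because the
    identical keystream cancels; with distinct IVs it does not."""
    c1 = ctr_encrypt(k, iv1, m1)
    c2 = ctr_encrypt(k, iv2, m2)
    return xor(c1, c2) == xor(m1, m2)
```

Two design points worth noting: the encryption and MAC keys are separate (in practice both would be derived from one master key with the PRF), and the tag covers the IV as well as the ciphertext, so a receiver rejects any change to either before decrypting.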
Problem 3. Digital Signatures
a. Briefly explain what it means for a digital signature system to be existentially unforgeable
under a chosen message attack.
b. Consider the RSA Full Domain Hash signing method. Let $(N, e)$ be an RSA public key
and let $H$ be a hash function that outputs elements in $\mathbb{Z}_N^*$. Suppose an attacker
can find five messages $M_1, \ldots, M_5$ such that $\prod_{i=1}^{5} H(M_i) = 1 \pmod N$.
Explain how the attacker can use this 5-tuple to break security of RSA signatures for
this public key.
a. In class we described a number of methods for certificate revocation including the Online
Certificate Status Protocol (OCSP) and CRTs. How are CRTs better than OCSP?
b. Suppose a CRT uses a ternary tree instead of a binary tree. Explain how to prove that
a certificate is revoked using such a tree. Give an example. You may assume that the
number of revoked certificates in the tree is a power of 3.
c. How would you use the tree from part (b) to prove that a certificate is not revoked? Give
an example.
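Parts (b) and (c) ask for proofs over a ternary certificate revocation tree. The following is an added example, not part of the exam: it builds a ternary hash tree over the sorted serial numbers of revoked certificates (SHA-256, the `leaf:`/`node:` domain tags and 8-byte serials are constructed choices), produces a revocation proof as the leaf's position within its group of three plus the two sibling hashes at every level, and produces a non-revocation proof as the two adjacent revoked leaves that bracket the queried serial. The verifier derives leaf indices from the path positions rather than trusting them, which is what makes the adjacency check meaningful.

```python
import bisect
import hashlib
from typing import List, Tuple

# Added illustration for Problem 4(b)/(c): a certificate revocation tree built as a
# ternary hash tree over the sorted serial numbers of revoked certificates. The
# hashing, domain-separation tags and 8-byte serials are constructed assumptions.
Path = List[Tuple[int, List[bytes]]]   # per level: (own position 0..2, two sibling hashes)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(serial: int) -> bytes:
    return h(b"leaf:" + serial.to_bytes(8, "big"))


def node_hash(children: List[bytes]) -> bytes:
    return h(b"node:" + b"".join(children))


def build_tree(revoked: List[int]) -> List[List[bytes]]:
    """Return every level of the tree, leaves first; the last level is [root].
    The leaf count must be a power of 3, as the problem assumes."""
    serials = sorted(set(revoked))
    n = len(serials)
    while n % 3 == 0:
        n //= 3
    if n != 1:
        raise ValueError("number of revoked certificates must be a power of 3")
    levels = [[leaf_hash(s) for s in serials]]
    while len(levels[-1]) > 1:
        lvl = levels[-1]
        levels.append([node_hash(lvl[i:i + 3]) for i in range(0, len(lvl), 3)])
    return levels


def prove_leaf(levels: List[List[bytes]], index: int) -> Path:
    """Revocation proof for the leaf at `index`: at each level, the leaf's position
    within its group of three plus the two sibling hashes."""
    path = []
    for lvl in levels[:-1]:
        pos = index % 3
        base = index - pos
        path.append((pos, [lvl[base + j] for j in range(3) if j != pos]))
        index //= 3
    return path


def verify_leaf(root: bytes, serial: int, path: Path) -> bool:
    """Recompute the root from the leaf upward and compare."""
    cur = leaf_hash(serial)
    for pos, siblings in path:
        children = list(siblings)
        children.insert(pos, cur)
        cur = node_hash(children)
    return cur == root


def leaf_index(path: Path) -> int:
    """The leaf index is determined by the positions in the path (base-3 digits)."""
    return sum(pos * 3 ** k for k, (pos, _) in enumerate(path))


def prove_not_revoked(serials_sorted: List[int], levels, q: int):
    """Non-revocation proof: the neighbouring revoked serial(s) around q with their
    leaf proofs (one neighbour if q lies beyond either end of the sorted list)."""
    n = len(serials_sorted)
    lo = bisect.bisect_left(serials_sorted, q)
    if lo < n and serials_sorted[lo] == q:
        raise ValueError("certificate is revoked")
    neighbours = [i for i in (lo - 1, lo) if 0 <= i < n]
    return [(serials_sorted[i], prove_leaf(levels, i)) for i in neighbours]


def verify_not_revoked(root: bytes, q: int, proof) -> bool:
    """Accept only if every leaf proof verifies, the leaves are adjacent in the tree
    (indices derived from the paths, not trusted), and q falls strictly between them."""
    if not proof or not all(verify_leaf(root, s, p) for s, p in proof):
        return False
    n = 3 ** len(proof[0][1])
    idx = [leaf_index(p) for _, p in proof]
    vals = [s for s, _ in proof]
    if len(proof) == 2:
        return idx[1] == idx[0] + 1 and vals[0] < q < vals[1]
    return (idx[0] == 0 and q < vals[0]) or (idx[0] == n - 1 and q > vals[0])
```

A proof for a tree with $3^d$ leaves carries $2d$ hashes, against $d' $ hashes for a binary tree of depth $d' = d \log_2 3$; the ternary tree is shallower but each level costs two siblings instead of one. The non-revocation proof relies on the leaves being sorted, which the relying party must be able to trust from the signed root.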
Problem 5. Threshold ElGamal. Let $p$ be a prime and $g$ a generator of $\mathbb{Z}_p^*$. Let $x$ be
an ElGamal private decryption key. To protect $x$ one may wish to split $x$ into three
pieces and store each piece on a different server. An attacker who breaks into one of the
servers should learn no information about $x$. Consider the following scheme: pick three
random numbers $x_1, x_2, x_3$ in $[0, p-1]$ so that $x_1 + x_2 + x_3 = x \pmod{p-1}$.
Store $x_i$ on server $i$.
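The sharing scheme just described, carried through to decryption, as an added example that is not part of the exam. The group parameters are constructed for readability: $p = 2^{31} - 1$ is prime and $g = 7$ generates $\mathbb{Z}_p^*$ (the Park-Miller generator); shares are additive modulo $p - 1$, each server raises $c_1$ to its own share, and the product of the three partial results is $c_1^{x}$ because $g$ has order $p - 1$. The private key $x$ is never reassembled on any one machine.

```python
import secrets

# Added illustration for Problem 5. Constructed parameters: p = 2^31 - 1 is prime
# and g = 7 generates Z_p^* (the Park-Miller generator), chosen for readability;
# a real deployment uses a 2048-bit (or larger) group.
P = 2 ** 31 - 1
G = 7
Q = P - 1            # order of Z_p^*; private keys and shares live in Z_{p-1}


def keygen():
    """ElGamal key pair (x, h = g^x mod p)."""
    x = secrets.randbelow(Q)
    return x, pow(G, x, P)


def encrypt(h: int, m: int):
    """Ciphertext (c1, c2) = (g^r, m * h^r) for a message m in Z_p^*."""
    if not 1 <= m < P:
        raise ValueError("message must be in Z_p^*")
    r = secrets.randbelow(Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P


def split_key(x: int):
    """Additive 3-way sharing of x mod (p-1): x1, x2 uniform, x3 fixes the sum.
    Each share on its own (and any pair) is uniformly random in Z_{p-1}."""
    x1 = secrets.randbelow(Q)
    x2 = secrets.randbelow(Q)
    x3 = (x - x1 - x2) % Q
    return [x1, x2, x3]


def reconstruct(shares) -> int:
    """Only ever needed for checking; the servers never do this."""
    return sum(shares) % Q


def partial_decrypt(c1: int, xi: int) -> int:
    """Server i raises c1 to its own share; its share never leaves the server."""
    return pow(c1, xi, P)


def combine(c2: int, partials) -> int:
    """Product of the partials is c1^(x1+x2+x3) = c1^x, since g has order p-1;
    the message is c2 / c1^x."""
    c1_x = 1
    for s in partials:
        c1_x = c1_x * s % P
    return c2 * pow(c1_x, -1, P) % P


if __name__ == "__main__":
    x, h = keygen()
    shares = split_key(x)
    c1, c2 = encrypt(h, 123456789)
    print(combine(c2, [partial_decrypt(c1, s) for s in shares]))
```

Combining fewer than all three partial results yields $m \cdot c_1^{x_j}$ for the missing share $x_j$, which is as uninformative as the share itself; the scheme is 3-of-3, so availability (not just secrecy) depends on every server.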