2024 CS783 Mid Term


CS783: Theoretical Foundations of Cryptography Fall 2024

Mid-Term Exam
September 19, 2024
Full marks: 40, Time: 2 hours
Instructor: Chethan Kamath

Roll Number: Name:

1. Please enter your roll number and name in the answer booklet.

2. There are eight problems. Answer problems 1-2 on the same page of the answer
booklet and use separate pages for the rest.

3. Problems 1-2 are all or nothing: you get the full marks only if your answer is the
exact subset. If you think the correct answers are 1 and 3, just write “1, 3”.

4. Answer using a pen. Pencils are not allowed.

Problem 1 (3 marks). Consider the following randomised encryption scheme Π =
(Enc, Dec) related to one-time pad:

• $\mathsf{Enc}(m, k; r) := (m \oplus k, k \oplus r)$, where $m, k, r \in \{0,1\}^n$ and $r$ denotes the random
coins used by Enc

• $\mathsf{Dec}(c =: (c_1, c_2), k) := c_1 \oplus k$

Select the true statement(s) about Π.


1. Π is not perfectly secure

2. Π is perfectly secure

3. Π is perfectly secure even when the eavesdropper is given the coins r used to encrypt

4. Π becomes insecure when the eavesdropper is given the coins r used to encrypt

Problem 2 (4 marks). Recall that for a collision-resistant hash function (CRHF)
$\{H : K \times \{0,1\}^* \to \{0,1\}^n\}$ with key generation algorithm Gen, the following is negligible
for every efficient F:

$$\Pr_{\substack{k \leftarrow \mathsf{Gen}(1^n) \\ (x_1, x_2) \leftarrow F(k)}}[H(k, x_1) = H(k, x_2)].$$

Given below are four hash functions $H'$ defined using H with $\mathsf{Gen}' := \mathsf{Gen}$. Select the
collision resistant one(s).

1. Hash-then-flip: $H'(k, x) := H(k, x) \oplus 1^n$



2. Hash-then-append: $H'(k, x) := H(k, x) \| 1^n$

3. Truncate-then-hash: $H'(k, x) := H(k, x_1 \| \cdots \| x_{\ell-1})$, where $x := x_1 \| \cdots \| x_{\ell-1} \| x_\ell$

4. Hash-then-truncate: $H'(k, x) := y_1 \| \cdots \| y_{n-1}$, where $y_1 \| \cdots \| y_{n-1} \| y_n := H(k, x)$

Problem 3 (4 marks). Consider the message authentication code (Gen, Tag, Ver) constructed
below using a pseudo-random function (PRF) $\{F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}$.

• $\mathsf{Gen}(1^n)$: Output $k_1, k_2 \leftarrow \{0,1\}^n$

• $\mathsf{Tag}(k_1 \| k_2, m_1 \| m_2) := F(k_1, m_1) \| F(k_2, m_2)$, where $|m_1| = |m_2| = n$

• $\mathsf{Ver}(k_1 \| k_2, t, m_1 \| m_2)$: accept if $F(k_1, m_1) \| F(k_2, m_2) = t$.

Note that the message space is $\{0,1\}^{2n}$. Describe an attack that shows the scheme is not
EU-CMA secure. (Hint: you need to query the tag oracle twice.)

Problem 4 (4 marks). Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}$ be any one-way permutation
(OWP). For $n := |x|$, consider the n-time self-composition of f

$$f'_n(x) := \underbrace{f_n(f_n(\cdots(f_n(f_n(x)))\cdots))}_{n}.$$

Is $f' = \{f'_n : \{0,1\}^n \to \{0,1\}^n\}$ always a OWP? Come up either with

• a counter-example f that is a OWP but such that $f'$ is not a OWP; or

• a brief security proof that $f'$ is a OWP (describe your reduction in full detail, and
then briefly analyse why it works).

Problem 5 (4 marks). Let $\{F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}$ be any PRF. Consider the
following construction of pseudo-random generator (PRG) G using F:

$$G(s) := F(1, s) \| F(2, s) \| \cdots \| F(|s| - 1, s) \| F(|s|, s),$$

i.e., evaluate the seed s on fixed keys $1, \ldots, |s|$. Note that G expands its seed s to $|s|^2$
bits. Is G always a PRG? Come up either with

• a counter-example F that is a PRF but such that G is not a PRG; or

• a brief security proof that G is a PRG (describe your reduction in full detail, and
then briefly analyse why it works).

Problem 6 (2+3=5 marks). You are given a public-key encryption scheme Σ = (Gen, Enc, Dec)
that is IND-CPA-secure. Using Σ, construct a two-message (i.e., one-round) key-exchange
protocol Π.



1. Describe your protocol Π: specify what Alice’s and Bob’s messages are.

2. Formally prove that if Σ is IND-CPA-secure then Π is secure against eavesdroppers.
Recall that in the security experiment for key-exchange protocol Π, the eavesdropper
Eve should not be able to distinguish the real key from a random key given the
transcript of the protocol Π.

Problem 7 (3+3=6 marks). You are given a one-time EU-CMA-secure digital signature
scheme Σ = (Gen, Sign, Ver) that can sign one-bit messages. Using Σ, construct a one-way
function f.

1. Describe your one-way function f.

2. Formally prove that if Σ is one-time EU-CMA-secure then f is one-way. Recall that
in the one-time EU-CMA security experiment for digital signature Σ on one-bit
messages, the forger Tam is given the public key, access to a signature of a bit b of
her choice and must forge signature on b̄.

Problem 8 (4+3+3=10 marks). Let $H : K \times \{0,1\}^{n+1} \to \{0,1\}^n$ be a collision-resistant
compression function. Recall the Merkle-Damgård transform, which uses H to construct
a compression function $H' : K \times \{0,1\}^{\ell(n)} \to \{0,1\}^n$ for any polynomial $\ell$, $\ell(n) > n + 1$
(and with the same key generation algorithm):

Construction 1. $H'(k, x)$

• Parse the input $x \in \{0,1\}^{\ell(n)}$ as $x_1 \| \cdots \| x_{\ell(n)}$, where each $x_i \in \{0,1\}$

• Set $y_1 := H(k, 0^n \| x_1)$

• For each $i \in [2, \ell(n)]$, set $y_i := H(k, y_{i-1} \| x_i)$

• Output $y_{\ell(n)}$

We proved in class that $H'$ is a collision-resistant compression function. Now answer the
following questions about Construction 1.

1. Design an H such that $H'$ is not collision-resistant when used with inputs over the
domain $\{0,1\}^{\le \ell(n)}$, i.e., strings of length at most $\ell(n)$. Write down your collision
(which must be of different length).

2. Describe a fix for Construction 1 so that it works for $\{0,1\}^*$. (Hint: you need to
pad your input appropriately.)

3. Prove security of the fixed construction.
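
The fixed-length statement recalled in Problem 8 (a collision in H′ on inputs of length exactly ℓ(n) yields a collision in H) can be run end to end on a toy instance. The following is an added example, not part of the exam paper. Assumptions: H is a stand-in built from SHA-256 truncated to n = 8 bits, keys are byte strings, ℓ(n) = 12, and all function names are hypothetical.

```python
import hashlib
from itertools import product

N = 8     # toy output length n in bits (assumption: tiny, so collisions are findable)
ELL = 12  # fixed input length l(n) > n + 1 (assumption)
IV = "0" * N

def H(k: bytes, block: str) -> str:
    """Toy stand-in for H: {0,1}^(n+1) -> {0,1}^n, SHA-256 truncated to N bits."""
    assert len(block) == N + 1
    digest = hashlib.sha256(k + block.encode()).digest()
    return format(digest[0], "08b")[:N]

def chain(k: bytes, x: str) -> list:
    """Construction 1 on a bit string of length exactly ELL: returns [y_1, ..., y_l]."""
    assert len(x) == ELL and set(x) <= {"0", "1"}
    ys, y = [], IV
    for bit in x:
        y = H(k, y + bit)
        ys.append(y)
    return ys

def H_prime(k: bytes, x: str) -> str:
    return chain(k, x)[-1]

def find_Hprime_collision(k: bytes):
    """Brute force: 2^ELL inputs into 2^N outputs must collide (pigeonhole)."""
    seen = {}
    for bits in product("01", repeat=ELL):
        x = "".join(bits)
        y = H_prime(k, x)
        if y in seen:
            return seen[y], x
        seen[y] = x

def extract_H_collision(k: bytes, x: str, xp: str):
    """Reduction: from x != x' with H'(k,x) = H'(k,x'), output a collision in H."""
    ys, yps = chain(k, x), chain(k, xp)
    assert x != xp and ys[-1] == yps[-1]
    for i in range(ELL - 1, -1, -1):       # walk back from the equal outputs
        a = (ys[i - 1] if i else IV) + x[i]
        b = (yps[i - 1] if i else IV) + xp[i]
        if a != b:                          # differing inputs, same output y_i
            return a, b
        # a == b: previous chaining values agree too, so keep walking back
    raise AssertionError("unreachable: x == x' would be required")

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    x, xp = find_Hprime_collision(key)
    print(x, xp, extract_H_collision(key, x, xp))
```

The extractor only ever compares chains of equal length, which is the assumption the fixed-length argument relies on.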
