Question 1 of 21
5.0 Points
Pseudo-random generators, pseudo-random functions and pseudo-random permutations are computationally indistinguishable, respectively, from
A. a function returning a pseudo-random string, a random function, a random permutation
B. a function returning a random string, a random function, a random permutation
C. a function returning a random string, a random permutation, a random function
D. All of the above
Question 2 of 21
5.0 Points
Which of these assumptions is sufficient to construct a pseudo-random generator, a pseudo-random function and a pseudo-random permutation?
A. The hardness of factoring integers that are product of two integers of the same length
B. The hardness of computing discrete logarithms modulo random integers of a given length
C. The hardness of inverting the RSA function
D. Any of the above
Question 3 of 21
5.0 Points
Assume |s1|=|s2|=n and consider the functions defined, for any s1 and s2, as:
(a) G1(s1,s2)=s1 xor s2, (b) G2(s1,s2)=(s1, s2, s1 xor s2).
We have that:
A. G1 and G2 are pseudo-random generators because their outputs are uniformly (and thus, pseudo-randomly) distributed if so are their input
B. G1 and G2 are not pseudo-random generators because either there exists an efficient algorithm that can compute their input from their output or their outputs are not longer than their inputs
C. G1 and G2 are not pseudo-random generators because either their outputs are not longer than their inputs or there exists a statistical test that distinguishes their outputs from a random string of the same length
D.
G1 and G2 can be proved to be pseudo-random generators using a proof by reduction using the properties of the xor function
Question 4 of 21
5.0 Points
Let us denote as "X ci Y" the fact that random variables X and Y are computationally indistinguishable.
For any random variables X,Y,Z, consider the statements:
(a) if X ci Y then Y ci X,
(b) if X ci Y and Y ci X then X = Y,
(c) if X ci Y and Y ci Z then X ci Z,
(d) if X = Y then X ci Y,
(e) if X ci Y then X = Y.
Which of them are true?
A. (a), (c) and (d)
B. (b), (c) and (d)
C. (b), (c) and (e)
D. (a), (d) and (e)
Question 5 of 21
5.0 Points
An oracle adversary is an adversary that makes queries to an oracle and obtains answers, before making a determination about the oracle. To prove that a permutation P is not a pseudo-random permutation, it suffices to show an efficient oracle adversary that can distinguish, with not negligible probability, the case in which its oracle is P from the case in which its oracle is a random permutation RP with the same input and output domains as P. To obtain an algorithm that makes this distinction, it suffices to find one or more distinguishing conditions among the adversary's query inputs and query outputs such that: (a) if the oracle is P, then the condition holds with high (e.g., 1) probability; (b) if the oracle is RP, ...
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
Question 1 of 215.0 PointsPseudo-random generators, pseudo.docx
1. Question 1 of 21
5.0 Points
Pseudo-random generators, pseudo-random functions and
pseudo-random permutations are computationally
indistinguishable, respectively, from
A. a function returning a pseudo-random string, a random
function, a random permutation
B. a function returning a random string, a random function, a
random permutation
C. a function returning a random string, a random permutation,
a random function
D. All of the above
Question 2 of 21
5.0 Points
Which of these assumptions is sufficient to construct a pseudo-
2. random generator, a pseudo-random function and a pseudo-
random permutation?
A. The hardness of factoring integers that are product of two
integers of the same length
B. The hardness of computing discrete logarithms modulo
random integers of a given length
C. The hardness of inverting the RSA function
D. Any of the above
Question 3 of 21
5.0 Points
Assume |s1|=|s2|=n and consider the functions defined, for any
s1 and s2, as:
(a) G1(s1,s2)=s1 xor s2, (b) G2(s1,s2)=(s1, s2, s1 xor s2).
We have that:
3. A. G1 and G2 are pseudo-random generators because their
outputs are uniformly (and thus, pseudo-randomly) distributed
if so are their input
B. G1 and G2 are not pseudo-random generators because either
there exists an efficient algorithm that can compute their input
from their output or their outputs are not longer than their
inputs
C. G1 and G2 are not pseudo-random generators because either
their outputs are not longer than their inputs or there exists a
statistical test that distinguishes their outputs from a random
string of the same length
D.
G1 and G2 can be proved to be pseudo-random generators using
a proof by reduction using the properties of the xor function
Question 4 of 21
5.0 Points
Let us denote as "X ci Y" the fact that random variables X and
Y are computationally indistinguishable.
For any random variables X,Y,Z, consider the statements:
(a) if X ci Y then Y ci X,
(b) if X ci Y and Y ci X then X = Y,
4. (c) if X ci Y and Y ci Z then X ci Z,
(d) if X = Y then X ci Y,
(e) if X ci Y then X = Y.
Which of them are true?
A. (a), (c) and (d)
B. (b), (c) and (d)
C. (b), (c) and (e)
D. (a), (d) and (e)
Question 5 of 21
5.0 Points
An oracle adversary is an adversary that makes queries to an
oracle and obtains answers, before making a determination
about the oracle. To prove that a permutation P is not a pseudo-
random permutation, it suffices to show an efficient oracle
adversary that can distinguish, with not negligible probability,
the case in which its oracle is P from the case in which its
oracle is a random permutation RP with the same input and
output domains as P. To obtain an algorithm that makes this
distinction, it suffices to find one or more distinguishing
conditions among the adversary's query inputs and query
5. outputs such that: (a) if the oracle is P, then the condition holds
with high (e.g., 1) probability; (b) if the oracle is RP, then the
condition holds with low (e.g., negligible) probability. Define
the "extended FT transform" as the permutation that maps
(L,M,R) to (R,f_k(R) xor M,f_k(M) xor L), where k is a random
key, f is a pseudo-random function, and L,M,R are n-bit strings,
for some large integer n. Which of the following conditions are
distinguishing conditions for the 1-round iteration and 2-round
iteration of the extended FT transform, respectively? Notation:
(L',M',R') and (L'',M'',R'') denote the 1-round and 2-round
outputs, respectively, of the extended FT transform on input
(L,M,R); when we run the transform on different inputs, we use
the notations (L0,M0,R0), (L1,M1,R1), .... for the
inputs, (L0',M0',R0'), (L1',M1',R1'), .... for the 1-round outputs
and (L0'',M0'',R0''), (L1'',M1'',R1''), .... for the 2-round outputs.
A. 1-round extended FT: (L'=R); 2-round extended FT: (L0 xor
L1 = L0'' xor L1'') and (R0=R1)
B. 1-round extended FT: (L'=M); 2-round extended FT: M0=M1,
L0=L1 and L0''=L1''
C. 1-round extended FT: L=M=R, and R'=M'; 2-round extended
FT: L=M=R, and L''=M''
D. None of the above
6. Rationale:
Question 6 of 21
5.0 Points
For modern symmetric encryption schemes, which among these
are the differences between these two notions:
indistinguishability in the presence of eavesdropping and the
indistinguishability in the presence of chosen message attacks?
A. In the "indistinguishability in the presence of eavesdropping"
notion, the adversary can additionally and repeatedly query the
E(k,.) algorithm as an oracle, and can later use these queries
and responses to generate the two challenge plaintexts m(0) and
m(1) and its guess for which message was encrypted as c
B. In the "indistinguishability in the presence of chosen
message attacks" notion, the adversary can additionally and
repeatedly query the E(k,.) algorithm as an oracle, and can later
use these queries and responses to generate the two challenge
plaintexts m(0) and m(1) and its guess for which message was
encrypted as c
C. In the "indistinguishability in the presence of chosen
message attacks" notion, the adversary can additionally and
repeatedly query the E(k,.) algorithm as an oracle, but cannot
later use these queries and responses to generate the two
challenge plaintexts m(0) and m(1) and its guess for which
message was encrypted as c
7. D. In the "indistinguishability in the presence of eavesdropping"
notion, the adversary can additionally and repeatedly query the
E(k,.) algorithm as an oracle, but cannot later use these queries
and responses to generate the two challenge plaintexts m(0) and
m(1) and its guess for which message was encrypted as c
Question 7 of 21
5.0 Points
Which among these are the differences between the
indistinguishability notion with chosen message attack and the
indistinguishability notion with adaptive chosen message
attack?
A. In the indistinguishability with chosen message attack
notion, the adversary can additionally and repeatedly query the
E(k,.) algorithm as an oracle even after seeing the ciphertext
and can later use these queries and responses to generate its
guess for which message was encrypted as c
B. In the indistinguishability with chosen message attack
notion, the adversary can additionally and repeatedly query the
E(k,.) algorithm as an oracle even after seeing the ciphertext but
cannot later use these queries and responses to generate its
guess for which message was encrypted as c
8. C. In the indistinguishability with adaptive chosen message
attack notion, the adversary can additionally and repeatedly
query the E(k,.) algorithm as an oracle even after seeing the
ciphertext and can later use these queries and responses to
generate its guess for which message was encrypted as c
D. In the indistinguishability with adaptive chosen message
attack notion, the adversary can additionally and repeatedly
query the E(k,.) algorithm as an oracle even after seeing the
ciphertext but cannot later use these queries and responses to
generate its guess for which message was encrypted as c
Question 8 of 21
5.0 Points
Let G:{0,1} n-->{0,1} 2n be a pseudo-random generator and
consider the following encryption scheme (KG,E,D), where KG
generates a random string k; E, on input key k and a message bit
b, returns c = G(k) xor 1 2n if b=1 or c = G(k) if b=0 and D is
naturally defined so to satisfy the decryption correctness
property.
Which of the following security notions is satisfied by
(KG,E,D)?
A. indistinguishability in the presence of eavesdroppers
B. indistinguishability in the presence of a chosen message
attack
9. C. indistinguishability in the presence of an adaptive chosen
message attack
D. none of the above
Question 9 of 21
5.0 Points
Let P:{0,1}^n-->{0,1}^{n} be a pseudo-random permutation
and consider the following encryption scheme (KG,E,D), where
KG generates a random string k; E, on input key k and an n-bit
string m, returns c =P(k,m) and D is naturally defined so to
satisfy the decryption correctness property.
Which of the following security notions is satisfied by
(KG,E,D)?
A. indistinguishability in the presence of eavesdropping
B. indistinguishability in the presence of a chosen message
attack
C. perfect secrecy
10. D. none of the above
Question 10 of 21
5.0 Points
Let F:{0,1}^n-->{0,1}^{n} be a pseudo-random function and
consider the following encryption scheme (KG,E,D), where KG
generates a random string k; E, on input key k and a string m,
returns c =F(k,0) xor m and D is naturally defined so to satisfy
the decryption correctness property.
Which of the following security notions is satisfied by
(KG,E,D)?
A. indistinguishability in the presence of eavesdroppers
B. indistinguishability in the presence of chosen message
attacks
C. perfect secrecy
D. none of the above
Rationale:
11. Question 11 of 21
5.0 Points
Q2 http://www.coursehero.com/tutors-problems/Computer-
Science/8505193-Crytography-homework-Question-1-When-
choosing-a-previously-des/
We want to design a new block cipher based on
substitution/permutation networks. Which of the following sets
of principles should we apply?
A. Set the key and block length equal to at least 64 bits, use S-
boxes to achieve confusion effect, use permutations and mixing
to achieve a diffusion effect, achieve the avalanche effect and
use at least 3 rounds.
B. Set the key and block length equal to at least 128 bits, use S-
boxes to achieve confusion
effect, use permutations and mixing to achieve a diffusion
effect, achieve the avalanche effect and use at least 3 rounds.
C. Set the key and block length equal to at least 128 bits, use
permutations and mixing to achieve confusion effect, use S-
boxes to achieve a diffusion effect, achieve the avalanche
effect and use a large number (say, at least 10) of rounds.
D. Set the key and block length equal to at least 128 bits, use S-
boxes to achieve confusion effect, use permutations and mixing
to achieve a diffusion effect, achieve the avalanche effect and
12. use a large number (say, at least 10) of rounds.
Question 12 of 21
5.0 Points
Which one among the following block cipher modes of
operation, on an input of the type (x,y,x), returns an output of
the type (z,w,z)? Here, x,y,z,w denote distinct and equal-length
message blocks.
A. ECB
B. Counter
C. OFB
D. CBC
Question 13 of 21
5.0 Points
Which block cipher mode of operation does not associate two
outputs of the type (y,x) and (z,x) to two inputs of the type (b,a)
13. and (c,a), respectively? (If the mode requires an IV or a
counter, use the same IV or counter for the two input pairs.)
A. CBC
B. Counter
C. ECB
D. OFB
Question 14 of 21
5.0 Points
Consider function tinyDES defined by applying the following
modifications to DES (abstracted here, for simplicity, as a 16-
round Feistel network):
(a) 8-bit message inputs instead of 64-bit message inputs
(b) 8-bit secret key
k(3,1),k(3,0),k(2,1),k(2,0),k(1,1),k(1,0),k(0,1),k(0,0) inputs
instead of 56-bit secret key inputs
(c) for n=1,..,15, the n-th round key is computed as 4 bits
k'(3),..,k'(0) selected from the 8-bit secret key, as follows: write
n in binary as (n(3),n(2),n(1),n(0)), and define k'(j)=k(j,n(j));
(d) for n=1,..,15, the n-th round application of function F
14. returns the bitwise xor between the current R input and the n-th
round key k'.
Assume the initial left input L is 0111, the initial right input R
is 0011, and the 8-bit key is 01101011.
Which of the following is the output of tinyDES?
A. a binary string between 00000000 and 00111111
B. a binary string between 01000000 and 01111111
C. a binary string between 10000000 and 10111111
D. a binary string between 11000000 and 11111111
Question 15 of 21
5.0 Points
When choosing a previously designed 128-bit block cipher for
some real-life application, we want to ensure that this cipher is
somewhat resistant to known attacks, including ciphertext-only,
known-plaintext, known-ciphertext, chosen-ciphertext,
15. differential and linear attacks. Which of the following is a
realistic goal for such a cipher?
A. The cipher should remain secure in the presence of all these
attacks from any algorithm running in polynomial time.
B. Even if the cipher can be broken in constant time, it
should appear to be secure in the presence of all these attacks
from any algorithm running in time at most equal to a large
constant (e.g., 2 56 block cipher calculations).
C. Even if the cipher can be broken in constant time, it
should appear to be secure in the presence of all these attacks
from any algorithm running in time at most equal to a large
constant (e.g., 2 100 block cipher calculations).
D. The cipher should be provably unbreakable against all these
attacks.
Rationale:
Question 16 of 21
5.0 Points
Consider function tinyMD5 defined by applying the following
modifications to MD5:
(a) 12 operations instead of 64
(b) each operation maps a 4-bit state (A,B,C,D) into a 4-bit
16. state (A,B,C,D)
(c) operations 1,5,9 (resp., 2,6,10) (resp., 3,7,11) (resp., 4,8,12)
use function F (resp., G) (resp., H) (resp., I)
(d) addition mod 32 is replaced by logical XOR
(e) the left bit rotation by s bits is replaced by logical NOT
(f) M(i) and K(i) are bits.
Assume the initial state is 1100, the message M(1),...,M(12) is
100110111010 and the constant K(1),..,K(12) is 010010111011.
Which of the following is the output of tinyMD5?
A. a binary string between 0000 and 0011
B. a binary string between 0100 and 0111
C. a binary string between 1000 and 1011
D. a binary string between 1100 and 1111
Question 17 of 21
5.0 Points
Q5 Assume students randomly choose their answers to a
homework similar to this one, with only 12 questions, of 4
possible answers each. Using the appropriate result in [KL,
appendix A], which among these numbers is the smallest
number of students so that with probability at least 0.5 at least
17. two students give the same answers to all 12 questions?
A. 23
B. 2000/2500
C. 5000/3000
D. 9000/10000
Question 18 of 21
5.0 Points
Let F be a pseudo-random function, and consider the following
proposed constructions
for a Tag algorithm in a MAC:
(1) Tag(k,(m1,m2)) = (F(k;m1),F(k;m2)); and
(2) Tag(k,(m1,m2)) = F(k;m1) xor F(k;m2).
Note that both constructions are forgeable under a chosen
message attack (i.e., for construction 1, an attack making a
query (m1,m2), can use the obtained output to forge a tag for a
query (m1,m1); for construction 1, an attack making a query
(m1,m2), can use the obtained output to forge a tag for a query
(m2,m1)). Now, consider the following proposed constructions
18. for a Tag algorithm in a MAC:
(3) Tag(k,(m1,m2)) = F(k;m2 xor F(k;m1));
(4) Tag(k,(m1,m2)) = (F(k;m1),F(k;m2 xor F(k;m1)));
(5) Tag(k,(m1,m2)) = F(k;r) xor F(k;m1) xor F(k;m2), for a
random r.
Which of these constructions are unforgeable under a chosen
message attack?
A. Construction 3
B. Construction 4
C. Construction 5
D. None of them
Question 19 of 21
5.0 Points
Consider the following symmetric encryption scheme (KG,E,D),
which uses a block cipher F, and a message authentication
scheme (Gen, Tg,Vrfy) with unique tags. The key generation
algorithm KG returns randomly chosen keys k1, k2. On input
keys k1,k2 (returned by KG) and a large message m, the
encryption algorithm E computes x=(Enc-Mode-F(k,m)) and
returns ciphertext c=(x,Tg(k2;x)), where Enc-Mode-F(k,m) is an
19. encryption of message m, using F as a block cipher and the
encryption algorithm of a block cipher mode of operation,
denoted as Enc-Mode. On input keys k1,k2 (returned by KG)
and ciphertext c, the decryption algorithm D writes c as (c1,c2),
verifies whether Vrf(k2;(c1,c2))=1; if yes, it returns the
decryption m' of x computed using F as a block cipher and the
decryption algorithm of a block cipher mode of operation,
denoted as Dec-Mode; if not, it returns an error message. For
which of the following block cipher modes of operation, does
this construction satisfy security in the sense of
indistinguishability in the presence of a chosen ciphertext
attack?
A. ECB, CBC, Counter
B. CBC, Counter, OFB
C. ECB, CBC, OFB
D. ECB, Counter, OFB
Question 20 of 21
5.0 Points
20. Consider the following symmetric encryption scheme (KG,E,D),
which uses a pseudo-random function F, and a message
authentication scheme (Gen, Tg,Vrfy) with unique tags. The key
generation algorithm KG returns randomly chosen keys k1,
k2. On input keys k1,k2 (returned by KG) and message m, the
encryption algorithm E randomly chooses r, computes
x=(r,F(k1;r) xor m) and returns ciphertext c=(x,Tg(k2;x)). On
input keys k1,k2 (returned by KG) and ciphertext c, the
decryption algorithm D writes c as (c1,c2), verifies whether
Vrf(k2;(c1,c2))=1; if yes, it writes x as (x1,x2) and returns
message m'=F(k1;x1) xor x2, otherwise it returns an error
message. Which is the strongest security notion satisfied by the
scheme (KG,E,D)?
A. indistinguishability in the presence of eavesdropping
B. indistinguishability in the presence of a chosen message
attack
C. indistinguishability in the presence of an adaptive chosen
message attack
D. indistinguishability in the presence of a chosen ciphertext
attack
21. Rationale:
Question 21 of 21
35.0 Points
Questions 5, 10, 15 and 20 require a rationale (i.e., a
justification of why you chose your submitted answer and did
not choose the remaining answers). In this space the instructor
will grade your submitted rationale for all 4 answers. (No need
for you to rewrite your rationale answers in this space, but do
make sure that you write all 4 of them either in this space or
before.)
1