This is a sample! Final Exam on CMPT-404 Cryptography and Protocols

Some Day, 2014
1. Explain the symmetric encryption scheme based on pseudorandom functions and prove it is CPA-secure.
2. What is the largest set M of plaintexts you can find, for which the simple substitution cipher provides
perfect security?
(Note: M need not contain only valid English words.)
3. Let $G$ be a pseudorandom generator, $G: \{0,1\}^n \to \{0,1\}^{m(n)}$ where $m(n) > 2n$. Define $G': \{0,1\}^{2n} \to \{0,1\}^{m(n)}$ to be $G'(s_1, \dots, s_{2n}) = G(s_1, \dots, s_n)$. Is $G'$ a pseudorandom generator?
4. Let $F$ be a pseudorandom function. Show that the following message authentication code is insecure.
(The shared key is a random $k \in \{0,1\}^s$.)
To authenticate a message $M = M_1 \| \dots \| M_\ell$, where $M_i \in \{0,1\}^n$, compute $T = F_k(M_1) \oplus \dots \oplus F_k(M_\ell)$.
5. The public exponent $e$ in RSA can be chosen arbitrarily, subject to $\gcd(e, \varphi(n)) = 1$. Popular
choices of $e$ include $e = 3$ and $e = 2^{16} + 1$. Explain why such $e$ are preferable to a random value of
the same length.
(Hint: Think of modular exponentiation.)
6. Give a definition of a trapdoor function.
7. Describe the Challenge-Response password authentication protocol. (Note: It does not involve any
number theory.)
8. Explain what it means that an interactive proof is zero-knowledge.
9. Explain the difference between oblivious transfer and private information retrieval.
10. Consider the following protocol that involves two parties A and B, who want to generate a secret
shared key $K_s$, and a trusted Key Distribution Center (KDC). Both parties know the public key
$PU_{KDC}$ of the KDC, but don't necessarily know the public keys of each other. The parties have
their private keys $PR_A$, $PR_B$, and $PR_{KDC}$; they also have IDs: $ID_A$ and $ID_B$. The protocol also
uses random nonces $N_A$, $N_B$ generated by A and B, respectively.
    1. A → KDC: $ID_A \| ID_B$
    2. KDC → A: $E_{PR_{KDC}}(ID_B \| PU_B)$
    3. A → B: $E_{PU_B}(N_A \| ID_A)$
    4. B → KDC: $ID_A \| ID_B \| E_{PU_{KDC}}(N_A)$
    5. KDC → B: $E_{PR_{KDC}}(ID_A \| PU_A) \| E_{PU_B}(E_{PR_{KDC}}(N_A \| K_s \| ID_B))$
    6. B → A: $E_{PU_A}(E_{PR_{KDC}}(N_A \| K_s \| ID_B) \| N_B)$
    7. A → B: $E_{K_s}(N_B)$
(a) Why do we encrypt with P RKDC in Steps 2 and 5?
(b) Why do we need Step 7?
(c) How does the protocol prevent the Man-in-the-Middle attack?
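
An added illustration for Question 4 (not part of the original exam): the XOR-of-PRF-outputs tag does not depend on block order or on blocks that occur an even number of times, so distinct messages share a tag, while a MAC computed over the whole message does not have this property. HMAC-SHA256 truncated to 16 bytes stands in for $F_k$; the function names, block size and sample message are assumptions constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 16  # n = 128 bits; block size chosen for this example

def F(k: bytes, block: bytes) -> bytes:
    # Stand-in for the PRF F_k (assumption): HMAC-SHA256 truncated to n bits.
    return hmac.new(k, block, hashlib.sha256).digest()[:BLOCK]

def split_blocks(msg: bytes) -> list:
    if not msg or len(msg) % BLOCK:
        raise ValueError("message must be a non-empty multiple of BLOCK bytes")
    return [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)]

def xor_mac(k: bytes, msg: bytes) -> bytes:
    # T = F_k(M_1) xor ... xor F_k(M_l), exactly as in Question 4.
    tag = bytes(BLOCK)
    for block in split_blocks(msg):
        tag = bytes(a ^ b for a, b in zip(tag, F(k, block)))
    return tag

def whole_message_mac(k: bytes, msg: bytes) -> bytes:
    # Contrast: one HMAC over the entire message binds block order and count.
    return hmac.new(k, msg, hashlib.sha256).digest()

def reorder(msg: bytes) -> bytes:
    # XOR is commutative, so reversing the blocks leaves T unchanged.
    return b"".join(reversed(split_blocks(msg)))

def append_pair(msg: bytes, extra: bytes) -> bytes:
    # A block appended twice contributes F_k(extra) xor F_k(extra) = 0.
    return msg + extra + extra

def demo() -> dict:
    k = os.urandom(32)
    msg = b"PAY 0000100 USD " + b"TO ACCOUNT 12345"  # constructed sample, 2 blocks
    tag, good = xor_mac(k, msg), whole_message_mac(k, msg)
    variants = {"reordered": reorder(msg), "padded": append_pair(msg, b"X" * BLOCK)}
    return {
        name: {
            "xor_mac_accepts": hmac.compare_digest(xor_mac(k, m), tag),
            "hmac_accepts": hmac.compare_digest(whole_message_mac(k, m), good),
        }
        for name, m in variants.items()
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```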