Cryptography - Key Encription

1. Any private-key encryption scheme that is CPA-secure must also be computationally indistinguishable: True
2. Any private-key encryption scheme that is CCA-secure must also be perfectly secret: False
3. Any private-key encryption scheme that is CCA-secure must also be CPA-secure: True
4. Let F be a block cipher with 128-bit block length. Consider the following encryption scheme for 256-bit messages: to encrypt message M=m1∥m2 using key k (where |m1|=|m2|=128), choose random 128-bit r and compute the ciphertext r∥Fk(r)⊕m1∥Fk(m1)⊕m2. Which strategy would lead to a valid chosen-plaintext attack?

• Let m1 and m2 be arbitrary but distinct. Using the encryption oracle, obtain an encryption r∥c1∥c2 of m1∥m2. Output messages M0=m1∥m2 and M1=m2∥m1. Output 0 if the third block of the challenge ciphertext is c2.

5. Let F be a pseudorandom function with 128-bit key and 256-bit block length. The following functions G are pseudorandom generators:

• G(x)=Fx(0…0)∥Fx(1…1), where x is a 128-bit input.
• G(x)=Fx(0…0), where x is a 128-bit input.

6. Define the keyed function F as follows: Fk(x)=k⊕x. Which of the following distinguishers demonstrates that F is not a pseudorandom function?

• Given access to an oracle g, query y0=g(0…0) and y1=g(1…1). Then output 1 if and only if y0⊕y1=1…1.

 
7. Say we use CBC-mode encryption based on a block cipher with 256-bit key length and 128-bit block length to encrypt a 512-bit message. How long is the resulting ciphertext?

• 640 bits

 
8. Assume CTR-mode encryption with PKCS #5 padding and a block cipher with 8-byte block length. Say a 4-byte message is encrypted, resulting in ciphertext 0x00 01 02 03 04 05 06 07 00 01 02 03 04 05 06 07. Which of the following ciphertexts will NOT yield an error upon decryption?

• 0x00 01 02 03 04 05 06 07 00 01 02 04 04 05 06 07

9. Assume an honest user wants to send an 8-bit integer to their bank indicating how much money should be transferred to the bank account of an attacker. The user uses CTR-mode encryption based on a block cipher F with 8-bit block length. (Yes, this is a made-up example.) The attacker knows that the amount of money the user wants to transfer is exactly $16, and has compromised a router between the user and the back. The attacker receives the ciphertext 10111100 01100001 (in binary) from the user. What ciphertext should the attacker forward to the bank to initiate a transfer of exactly $32? (Recall that CTR-mode decryption of a ciphertext c0,c1 using key k is done by outputting c1⊕Fk(c0+1).)

• 01100001 10111100

 10. Let F be a block cipher with n-bit block length. Consider the following encryption scheme: to encrypt a message viewed as a sequence of n-bit blocks m1,m2,…,mt using a key k, choose a random n-bit value r and then output the ciphertext r,Fk(r+1+m1),Fk(r+2+m2),…,Fk(r+t+mt), where addition is done modulo 2n. Which of the following attackers demonstrates that this scheme is not computationally indistinguishable:

• Let m be an arbitrary n-bit block, and output M0=m,m and M1=m,m−1. Given challenge ciphertext r,c1,c2, output 1 if and only if c1=c2.