Final Exam on CMPT-404 Cryptography and Protocols Some Day, 2014 This is a sample! 1. Explain the symmetric encryption scheme based on pseudorandom functions and prove it is CPAsecure. 2. What is the largest set M of plaintexts you can find, for which the simple substitution cipher provides perfect security? (Note: M need not contain only valid English words.) 3. Let G be a pseudorandom generator, G: {0, 1}n → {0, 1}m(n) where m(n) > 2n. Define G0 : {0, 1}2n → {0, 1}m(n) to be G0 (s1 , . . . , s2n ) = G(s1 , . . . , sn ). Is G0 a pseudorandom generator? 4. Let F be a pseudorandom function. Show that the following message authentication code is insecure. (The shared key is a random k ∈ {0, 1}s .) To authenticate a message M = M1 || . . . ||M` , where Mi ∈ {0, 1}n , compute T = Fk (M1 ) ⊕ . . . ⊕ Fk (M` ). 5. The public exponent e in RSA can be chosen arbitrarily, subject to GCD(e, ϕ(n)) = 1. Popular choices of e include e = 3 and e = 216 + 1. Explain why such e are preferable to a random value of the same length. (Hint: Think of modular exponentiation.) 6. Give a definition of a trapdoor function. 7. Describe the Challenge-Response password authentication protocol. (Note: It does not involve any number theory.) 8. Explain what it means that an interactive proof is zero-knowledge. 9. Explain the difference between oblivious transfer and private information retrieval. 10. Consider the following protocol that involves two parties A and B, who want to generate a secret shared key Ks , and a trusted Key Distribution Center (KDC). Both parties know the public key P UKDC of the KDC, but don’t necessarily know the public keys of each other. The parties have their private keys P RA , P RB , and P RKDC , they also have ID’s: IDA and IDB . The protocol also uses random nonces NA , NB generated by A and B, respectively. 1. 2. 3. 4. 5. 6. 7. A → KDC KDC → A A→B B → KDC KDC → B B→A A→B IDA ||IDB EP RKDC (IDB ||P UB ) EP UB (NA ||IDA ) IDA ||IDB ||EP UKDC (NA ) EP RKDC (IDA ||P UA )||EP UB (EP RKDC (NA ||Ks ||IDB )) EP UA (EP RKDC (NA ||Ks ||IDB )||NB ) EKs (NB ) (a) Why do we encrypt with P RKDC in Steps 2 and 5? (b) Why do we need Step 7? (c) How does the protocol prevents the Man-in-the-Middle attack?