\documentclass[a4paper]{article}
\usepackage[english]{babel}
\usepackage{amsmath,amssymb,amsthm}
\usepackage{color}
\newcommand{\TODO}{\textcolor{red}{TO DO}}

\begin{document}

\begin{center}
\textbf{\Large NWI-IMC061 -- Applied Cryptography}\\[4pt]
\textbf{\large Final Exam, Academic Year 2021--2022}
\end{center}

\bigskip
\hrule
\bigskip

\noindent
\textbf{Last Name:} Eidelpes

\medskip\noindent
\textbf{First Name:} Tobias

\medskip\noindent
\textbf{Student Number:} s1090746

\medskip\noindent
\textbf{Personalized Appendix Sequence Number:} 30

\bigskip
\hrule
\bigskip

\begin{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(18 points)}
  \begin{enumerate}
  \item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
    the name implies, EWCDM is based on a Wegman-Carter construction, which
    takes the hash of a message $M$ and XORs it with the output of a
    pseudorandom function (PRF) applied to a nonce $N$. This construction is
    very efficient and also has a strong security bound. However, it is very
    vulnerable to \emph{nonce-misuse}. To deal with that problem, the
    Wegman-Carter construction is wrapped by another call to the PRF with a
    different key. Another disadvantage is that PRFs are hard to come by, so
    pseudorandom permutations are used instead. If a pseudorandom permutation
    (i.e., a block cipher) is used, the security bound of the construction
    drops to the birthday bound ($2^{n/2}$). The authors replace the inner
    call to the PRF with the \emph{Davies-Meyer} construction
    \[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
    and then encrypt that (with the hashed message) in another call to the
    block cipher.
    The resulting EWCDM construction looks like this
    \[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
    and is secure \emph{beyond} the birthday bound against nonce-respecting
    adversaries while still offering birthday bound security against
    nonce-misusing adversaries.
  \item The type of symmetric cryptographic scheme introduced is a Message
    Authentication Code (MAC).
  \item The size of the key(s) depends on the block cipher and the keyed hash
    function. In total there likely need to be two distinct keys for the block
    cipher calls and one key for the hash function.
  \item Since EWCDM is based on a block cipher and a hash function and because
    those usually operate on fixed-length inputs, the construction also
    operates on fixed-length inputs. Messages come in variable lengths and
    need to be padded by the block cipher to the specified block size.
  \item Depending on the number of input blocks, the construction will
    generate multiples of the block size as outputs. The outputs are
    variable-length.
  \item EWCDM is based on a pseudorandom permutation (i.e., a block cipher)
    and an almost XOR-universal (AXU) hash function (one-way function).
  \item Yes, the authors delivered a security proof. The proof assumes that
    the encryption function $E$ is a secure pseudorandom permutation for the
    case of a nonce-misusing adversary. This requirement on the security of
    $E$ is not present if the adversary is nonce-respecting. Additionally, the
    distinguisher is computationally unbounded and never repeats a query.
  \item The practical relevance is high, in my opinion. This is due to the
    fact that the EWCDM construction is secure against nonce-misusing
    adversaries up to the birthday bound. It has been shown that implementing
    nonces securely is a difficult task. If a scheme is easily broken by wrong
    handling of nonces, there is no \emph{fallback} security guarantee. The
    EWCDM construction, however, provides such a \emph{fallback} security
    guarantee and is of high practical relevance.
  \item Poly1305 is also a message authentication code (MAC), which we
    discussed in the lecture.
  \item \TODO
  \item \TODO
  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - KEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(16 points)}
  \begin{enumerate}
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - UNKEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(16 points)}
  \begin{enumerate}
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(17 points)}
  \begin{enumerate}
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - SECURITY %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(33 points)}
  \begin{enumerate}
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \item \TODO
  \end{enumerate}

\end{enumerate}

\end{document}
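
Added example, not part of the original exam answers: the EWCDM tag formula from item 1(a) in Python, compared under a repeated nonce with the inner Wegman-Carter/Davies-Meyer layer alone. The Feistel `prp` stands in for the block cipher $E$ and the polynomial `axu_hash` for $H$; both choices, and all keys, nonces and messages, are assumptions of this example.

```python
import hashlib, hmac

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def prp(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher E: 4-round Feistel, HMAC-SHA256 rounds."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= (1 << 128) | 0x87
    return r

def axu_hash(kh: bytes, msg: bytes) -> bytes:
    """Assumed AXU hash H: monic polynomial in kh over 10*-padded blocks."""
    padded = msg + b"\x80" + b"\x00" * (-(len(msg) + 1) % 16)
    k, acc = int.from_bytes(kh, "big"), 1
    for i in range(0, len(padded), 16):
        acc = gf_mul(acc, k) ^ int.from_bytes(padded[i:i + 16], "big")
    return gf_mul(acc, k).to_bytes(16, "big")

def wc_dm(k, kh, nonce, msg):
    """Inner layer only: DM[E]_K(N) xor H_{K_h}(M), no outer encryption."""
    return xor(xor(prp(k, nonce), nonce), axu_hash(kh, msg))

def ewcdm(k, k2, kh, nonce, msg):
    """E_{K'}(E_K(N) xor N xor H_{K_h}(M)), the formula from answer (a)."""
    return prp(k2, wc_dm(k, kh, nonce, msg))

def verify(k, k2, kh, nonce, msg, tag):
    return hmac.compare_digest(ewcdm(k, k2, kh, nonce, msg), tag)

# Constructed sample keys, nonce and messages (not from the exam).
K, K2, KH = (hashlib.sha256(s).digest()[:16] for s in (b"K", b"K'", b"Kh"))
N, M1, M2 = (1).to_bytes(16, "big"), b"pay 10 EUR to A", b"pay 99 EUR to B"
HASH_DIFF = xor(axu_hash(KH, M1), axu_hash(KH, M2))
# Same nonce twice: the inner layer leaks H(M1) xor H(M2), EWCDM's tags do not.
WC_LEAK = xor(wc_dm(K, KH, N, M1), wc_dm(K, KH, N, M2)) == HASH_DIFF
EWCDM_LEAK = xor(ewcdm(K, K2, KH, N, M1), ewcdm(K, K2, KH, N, M2)) == HASH_DIFF
```

`WC_LEAK` evaluates to true because the nonce-dependent mask cancels when two inner-layer tags are XORed, while `EWCDM_LEAK` is false because the outer call to $E_{K'}$ hides that relation.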