\documentclass[a4paper]{article}
\usepackage[english]{babel}
\usepackage{amsmath,amssymb,amsthm}
\usepackage{color}
\usepackage{units}

\newcommand{\TODO}{\textcolor{red}{TO DO}}

\begin{document}

\begin{center}
  \textbf{\Large NWI-IMC061 -- Applied Cryptography}\\[4pt]
  
  \textbf{\large Final Exam, Academic Year 2021--2022}
\end{center}

\bigskip
\hrule
\bigskip

\noindent \textbf{Last Name:} Eidelpes

\medskip\noindent \textbf{First Name:} Tobias

\medskip\noindent \textbf{Student Number:} s1090746

\medskip\noindent \textbf{Personalized Appendix Sequence Number:} 30

\bigskip
\hrule
\bigskip

\begin{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \item \textbf{(18 points)} 
  \begin{enumerate}

    \item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
      the name implies, EWCDM is based on a Wegman-Carter construction which
      takes the hash of a message $M$ and XORes it with the application of a
      pseudorandom function (PRF) to a nonce $N$. This construction is very
      efficient and also has a strong security bound. However, it is very
      vulnerable to \emph{nonce-misuse}. To deal with that problem, the
      Wegman-Carter construction is wrapped by another call to the PRF with a
      different key. Another disadvantage is the fact that PRFs are hard to get
      by and instead pseudorandom permutations are used. If a pseudorandom
      permutation (i.e. block cipher) is used, the security bound of the
      construction drops to the birthday bound ($2^{n/2}$). The authors replace
      the inner call to the PRF with the \emph{Davies-Meyer} construction
      \[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
      and then encrypt that (with the hashed message) in another call to the
      block cipher. The resulting EWCDM construction looks like this
      \[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
      and is secure \emph{beyond} the birthday bound against nonce-respecting
      adversaries while still offering birthday bound security against
      nonce-misusing adversaries.

    \item The type of symmetric cryptographic scheme introduced is a Message
      Authentication Code (MAC).

    \item The size of the key(s) depends on the block cipher and the keyed hash
      function. In total there likely need to be two distinct keys for the block
      cipher calls and one key for the hash function.

    \item Since EWCDM is based on a block cipher and a hash function and because
      those usually operate on fixed-length inputs, the construction also
      operates on fixed-length inputs. Messages come in variable-length sizes
      and need to be padded by the block cipher to the specified block size.

    \item Depending on the amount of input blocks, the construction will
      generate multiples of the block size as outputs. The outputs are
      variable-length.

    \item EWCDM is based on a pseudorandom permutation (i.e. block cipher) and
      an almost xor-universal (AXU) hash function (one-way function).

    \item Yes, the authors delivered a security proof. The proof assumes that
      the encryption function $E$ is a secure pseudorandom permutation for the
      case of a nonce-misusing adversary. This requirement on the security of
      $E$ is not present if the adversary is nonce-respecting. Additionally, the
      distinguisher is computationally unbounded and never repeats a query.

    \item The practical relevance is high, in my opinion. This is due to the
      fact that the EWCDM construction is secure against nonce-misusing
      adversaries up to the birthday bound. It has been shown that implementing
      nonces securely is a difficult task. If a scheme is easily broken by wrong
      handling of nonces, there is no \emph{fallback} security guarantee. The
      EWCDM construction, however, provides such a \emph{fallback} security
      guarantee and is of high practical relevance.

    \item Poly1305 is also a message authentication code (MAC), which we
      discussed in the lecture.

    \item One advantage of EWCDM over Poly1305 is that the former is
      nonce-misuse resistant up to the birthday bound while Poly1305 is not.

    \item One disadvantage of EWCDM is that it requires two calls to the
      underlying block cipher. This can have potentially serious performance
      implications for small, low-resource embedded devices.

  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - KEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \item \textbf{(16 points)} 
  \begin{enumerate}

    \item $\mathsf{CrAp}_K^{-1}$ operates by taking the ciphertexts
      $C_1,\cdots,C_l$ and passing them to the decryption function
      $\widetilde{E}^{-1}(K,N,\cdot)$. The decryption function takes 128-bit
      inputs and produces a 128-bit output. The output has to be stripped of the
      counter (the last 26 bits) to obtain the 102-bit message block
      $M_1,\cdots,M_l$. Finally, the padding (if any) has to be removed from
      $M_1,\cdots,M_l$ to obtain the original message block (102 bits).

    \item The length of the message $M$ is limited by the counter, which is at
      most 26 bits long. Since the very first counter ($\langle 0\rangle_{26}$)
      is reserved for the tag, $2^{26}-2$ message blocks remain. Every block
      (without the counter) is at most 102 bits long which gives a maximum
      message length of $102\cdot (2^{26}-2) = \unit[6845103924]{bits}$.

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - UNKEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \item \textbf{(16 points)} 
  \begin{enumerate}

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \item \textbf{(17 points)} 
  \begin{enumerate}

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

  \end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - SECURITY %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  \item \textbf{(33 points)} 
  \begin{enumerate}

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

    \item \TODO

  \end{enumerate} 

\end{enumerate}

\end{document}