282 lines
11 KiB
TeX
282 lines
11 KiB
TeX
\documentclass[a4paper]{article}
|
|
\usepackage[english]{babel}
|
|
\usepackage{amsmath,amssymb,amsthm}
|
|
\usepackage{color}
|
|
\usepackage{units}
|
|
|
|
\newcommand{\TODO}{\textcolor{red}{TO DO}}
|
|
|
|
\begin{document}
|
|
|
|
\begin{center}
|
|
\textbf{\Large NWI-IMC061 -- Applied Cryptography}\\[4pt]
|
|
|
|
\textbf{\large Final Exam, Academic Year 2021--2022}
|
|
\end{center}
|
|
|
|
\bigskip
|
|
\hrule
|
|
\bigskip
|
|
|
|
\noindent \textbf{Last Name:} Eidelpes
|
|
|
|
\medskip\noindent \textbf{First Name:} Tobias
|
|
|
|
\medskip\noindent \textbf{Student Number:} s1090746
|
|
|
|
\medskip\noindent \textbf{Personalized Appendix Sequence Number:} 30
|
|
|
|
\bigskip
|
|
\hrule
|
|
\bigskip
|
|
|
|
\begin{enumerate}
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - LITERATURE %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(18 points)}
|
|
\begin{enumerate}
|
|
|
|
\item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
|
|
the name implies, EWCDM is based on a Wegman-Carter construction which
|
|
takes the hash of a message $M$ and XORes it with the application of a
|
|
pseudorandom function (PRF) to a nonce $N$. This construction is very
|
|
efficient and also has a strong security bound. However, it is very
|
|
vulnerable to \emph{nonce-misuse}. To deal with that problem, the
|
|
Wegman-Carter construction is wrapped by another call to the PRF with a
|
|
different key. Another disadvantage is the fact that PRFs are hard to get
|
|
by and instead pseudorandom permutations are used. If a pseudorandom
|
|
permutation (i.e. block cipher) is used, the security bound of the
|
|
construction drops to the birthday bound ($2^{n/2}$). The authors replace
|
|
the inner call to the PRF with the \emph{Davies-Meyer} construction
|
|
\[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
|
|
and then encrypt that (with the hashed message) in another call to the
|
|
block cipher. The resulting EWCDM construction looks like this
|
|
\[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
|
|
and is secure \emph{beyond} the birthday bound against nonce-respecting
|
|
adversaries while still offering birthday bound security against
|
|
nonce-misusing adversaries.
|
|
|
|
\item The type of symmetric cryptographic scheme introduced is a Message
|
|
Authentication Code (MAC).
|
|
|
|
\item The size of the key(s) depends on the block cipher and the keyed hash
|
|
function. In total there likely need to be two distinct keys for the block
|
|
cipher calls and one key for the hash function.
|
|
|
|
\item Since EWCDM is based on a block cipher and a hash function and because
|
|
those usually operate on fixed-length inputs, the construction also
|
|
operates on fixed-length inputs. Messages come in variable-length sizes
|
|
and need to be padded by the block cipher to the specified block size.
|
|
|
|
\item Depending on the amount of input blocks, the construction will
|
|
generate multiples of the block size as outputs. The outputs are
|
|
variable-length.
|
|
|
|
\item EWCDM is based on a pseudorandom permutation (i.e. block cipher) and
|
|
an almost xor-universal (AXU) hash function (one-way function).
|
|
|
|
\item Yes, the authors delivered a security proof. The proof assumes that
|
|
the encryption function $E$ is a secure pseudorandom permutation for the
|
|
case of a nonce-misusing adversary. This requirement on the security of
|
|
$E$ is not present if the adversary is nonce-respecting. Additionally, the
|
|
distinguisher is computationally unbounded and never repeats a query.
|
|
|
|
\item The practical relevance is high, in my opinion. This is due to the
|
|
fact that the EWCDM construction is secure against nonce-misusing
|
|
adversaries up to the birthday bound. It has been shown that implementing
|
|
nonces securely is a difficult task. If a scheme is easily broken by wrong
|
|
handling of nonces, there is no \emph{fallback} security guarantee. The
|
|
EWCDM construction, however, provides such a \emph{fallback} security
|
|
guarantee and is of high practical relevance.
|
|
|
|
\item Poly1305 is also a message authentication code (MAC), which we
|
|
discussed in the lecture.
|
|
|
|
\item One advantage of EWCDM over Poly1305 is that the former is
|
|
nonce-misuse resistant up to the birthday bound while Poly1305 is not.
|
|
|
|
\item One disadvantage of EWCDM is that it requires two calls to the
|
|
underlying block cipher. This can have potentially serious performance
|
|
implications for small, low-resource embedded devices.
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - KEYED %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(16 points)}
|
|
\begin{enumerate}
|
|
|
|
\item $\mathsf{CrAp}_K^{-1}$ operates by taking the ciphertexts
|
|
$C_1,\cdots,C_l$ and passing them to the decryption function
|
|
$\widetilde{E}^{-1}(K,N,\cdot)$. The decryption function takes 128-bit
|
|
inputs and produces a 128-bit output. The output has to be stripped of the
|
|
counter (the last 26 bits) to obtain the 102-bit message block
|
|
$M_1,\cdots,M_l$. Finally, the padding (if any) has to be removed from
|
|
$M_1,\cdots,M_l$ to obtain the original message block (102 bits).
|
|
|
|
\item The length of the message $M$ is limited by the counter, which is at
|
|
most 26 bits long. Since the very first counter ($\langle 0\rangle_{26}$)
|
|
is reserved for the tag, $2^{26}-2$ message blocks remain. Every block
|
|
(without the counter) is at most 102 bits long which gives a maximum
|
|
message length of $102\cdot (2^{26}-2) = \unit[6845103924]{bits}$.
|
|
|
|
\item $\widetilde{E}$ should behave like a pseudorandom permutation in order
|
|
to be able to prove the security of $\mathsf{CrAp}$. If it does not, a
|
|
distinguisher is able to gain a significant advantage because the block
|
|
cipher does not actually generate \emph{random} outputs. Further, if the
|
|
security of the underlying primitive is broken, the whole scheme falls
|
|
apart.
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item The length of the random nonce $N$ is $\unit[96]{bits}$. The expected
|
|
number of evaluations an attacker has to make to obtain a repeated nonce
|
|
is $2^{96/2} = 2^{48}$.
|
|
|
|
\item After $2^b = 2^{62}$ forgery attempts, the attacker has exhausted the
|
|
keyspace of the tag because the tag $T$ is of size $\unit[62]{bits}$. The
|
|
distinguisher checks continuously if the current tag matches the
|
|
ciphertext. If it does not, the tag is incremented by one until $2^{62}$
|
|
queries have been made. Eventually, the distinguisher will get the valid
|
|
tag and is then able to identify if it is in the real world or in the
|
|
ideal world.
|
|
|
|
\item \TODO
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - UNKEYED %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(16 points)}
|
|
\begin{enumerate}
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% ASYMMETRIC - LITERATURE %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(17 points)}
|
|
\begin{enumerate}
|
|
|
|
\item LEDAcrypt is a post-quantum asymmetric suite of cryptosystems. It
|
|
contains a public-key encryption scheme and a key-encapsulation mechanism
|
|
(KEM). The underlying hard problem (arbitrary linear binary code decoding)
|
|
is currently believed to be secure against quantum adversaries.
|
|
|
|
\item The authors introduce a post-quantum public-key cryptosystem based on
|
|
linear codes.
|
|
|
|
\item IND-CCA2 is proven for both the KEM and the PKC. IND-CPA is proven for
|
|
the KEM.
|
|
|
|
\item LEDAcrypt is based on the hardness of the decoding problem for linear
|
|
codes. Given a parity-check matrix $H$ and a received codeword $y$, the
|
|
syndrome is $s=yH$. The best estimate for the received codeword is
|
|
$x=y+z_0$. Find a minimum-weight solution $z_0$ for the equation $s=zH$.
|
|
Finding a minimum-weight solution to $s=zH$ given $s$ and $H$ is
|
|
$\mathsf{NP}$-hard.
|
|
|
|
\item The private key in LEDAcrypt consists of two binary matrices $Q$ and
|
|
$H$. The public key is constructed from the matrix $L=Q\cdot H$. The
|
|
security of the scheme relies on the fact that obtaining the original
|
|
information from a perturbed codeword is hard unless the factorization of
|
|
the public key ($Q\cdot H$) is known. If the aforementioned problem of
|
|
decoding linear codes has a polynomial-time solution, an attacker will
|
|
also easily be able to obtain the factorization of the public key. If that
|
|
was possible, the scheme would be broken.
|
|
|
|
\item The strongest type of security the authors claim to achieve is
|
|
IND-CCA2. The authors use the Fujisaki-Okamoto transform to achieve
|
|
IND-CCA2 security.
|
|
|
|
\item The scheme can be used to exchange symmetric keys between parties
|
|
with the usage of the key encapsulation mechanism (KEM). In that scenario,
|
|
the sender encrypts a symmetric key with LEDAcrypt and shares the
|
|
encrypted key with the other party. The other party then decrypts the
|
|
message to obtain the symmetric key which can be used for further
|
|
communication.
|
|
|
|
\item The lowest security level treated by the authors is level 1 of the
|
|
NIST security levels corresponding to AES-128. The parameters depend on
|
|
whether the scheme is used for ephemeral or long-term keys and what kind
|
|
of code rate ($n_0$) is needed. For ephemeral keys with $n_0=2$ the
|
|
authors suggest values of: $p=14,939$, $t=136$, $d_v=11$ and $m=[4,3]$.
|
|
For long-term keys the authors suggest values of: $p=35,899$, $t=136$,
|
|
$d_v=9$, $m=[5,4]$, $\overline{t}=4$ and $b_0=44$. These parameters are
|
|
chosen with respect to an adversary using Information Set Decoding (ISD)
|
|
to find a solution to the underlying hard problem.
|
|
|
|
\item The size for ephemeral keys is $\unit[452]{bytes}$ (in memory) for the
|
|
private key and $\unit[1872]{bytes}$ for the public key. The size for
|
|
long-term keys is $\unit[468]{bytes}$ (in memory) for the private key and
|
|
$\unit[4488]{bytes}$ for the public key.
|
|
|
|
\item Kyber512 is also a KEM and achieves the same level of (classical)
|
|
security.
|
|
|
|
\item One advantage of LEDAcrypt is that the key sizes are relatively small
|
|
compared to Classic McEliece, for example. Small key sizes are important
|
|
for transmission of public keys so that they can fit in commonly used
|
|
packet sizes.
|
|
|
|
\item \TODO
|
|
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% ASYMMETRIC - SECURITY %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(33 points)}
|
|
\begin{enumerate}
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\item \TODO
|
|
|
|
\end{enumerate}
|
|
|
|
\end{enumerate}
|
|
|
|
\end{document}
|