170 lines
5.5 KiB
TeX
170 lines
5.5 KiB
TeX
\documentclass[a4paper]{article}
|
|
\usepackage[english]{babel}
|
|
\usepackage{amsmath,amssymb,amsthm}
|
|
\usepackage{color}
|
|
|
|
\newcommand{\TODO}{\textcolor{red}{TO DO}}
|
|
|
|
\begin{document}
|
|
|
|
\begin{center}
|
|
\textbf{\Large NWI-IMC061 -- Applied Cryptography}\\[4pt]
|
|
|
|
\textbf{\large Final Exam, Academic Year 2021--2022}
|
|
\end{center}
|
|
|
|
\bigskip
|
|
\hrule
|
|
\bigskip
|
|
|
|
\noindent \textbf{Last Name:} Eidelpes
|
|
|
|
\medskip\noindent \textbf{First Name:} Tobias
|
|
|
|
\medskip\noindent \textbf{Student Number:} s1090746
|
|
|
|
\medskip\noindent \textbf{Personalized Appendix Sequence Number:} 30
|
|
|
|
\bigskip
|
|
\hrule
|
|
\bigskip
|
|
|
|
\begin{enumerate}
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - LITERATURE %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(18 points)}
|
|
\begin{enumerate}
|
|
|
|
\item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
|
|
the name implies, EWCDM is based on a Wegman-Carter construction which
|
|
takes the hash of a message $M$ and XORes it with the application of a
|
|
pseudorandom function (PRF) to a nonce $N$. This construction is very
|
|
efficient and also has a strong security bound. However, it is very
|
|
vulnerable to \emph{nonce-misuse}. To deal with that problem, the
|
|
Wegman-Carter construction is wrapped by another call to the PRF with a
|
|
different key. Another disadvantage is the fact that PRFs are hard to get
|
|
by and instead pseudorandom permutations are used. If a pseudorandom
|
|
permutation (i.e. block cipher) is used, the security bound of the
|
|
construction drops to the birthday bound ($2^{n/2}$). The authors replace
|
|
the inner call to the PRF with the \emph{Davies-Meyer} construction
|
|
\[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
|
|
and then encrypt that (with the hashed message) in another call to the
|
|
block cipher. The resulting EWCDM construction looks like this
|
|
\[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
|
|
and is secure \emph{beyond} the birthday bound against nonce-respecting
|
|
adversaries while still offering birthday bound security against
|
|
nonce-misusing adversaries.
|
|
|
|
\item The type of symmetric cryptographic scheme introduced is a Message
|
|
Authentication Code (MAC).
|
|
|
|
\item The size of the key(s) depends on the block cipher and the keyed hash
|
|
function. In total there likely need to be two distinct keys for the block
|
|
cipher calls and one key for the hash function.
|
|
|
|
\item Since EWCDM is based on a block cipher and a hash function and because
|
|
those usually operate on fixed-length inputs, the construction also
|
|
operates on fixed-length inputs. Messages come in variable-length sizes
|
|
and need to be padded by the block cipher to the specified block size.
|
|
|
|
\item Depending on the amount of input blocks, the construction will
|
|
generate multiples of the block size as outputs. The outputs are
|
|
variable-length.
|
|
|
|
\item EWCDM is based on a pseudorandom permutation (i.e. block cipher) and
|
|
an almost xor-universal (AXU) hash function (one-way function).
|
|
|
|
\item Yes, the authors delivered a security proof. The proof assumes that
|
|
the encryption function $E$ is a secure pseudorandom permutation for the
|
|
case of a nonce-misusing adversary. This requirement on the security of
|
|
$E$ is not present if the adversary is nonce-respecting. Additionally, the
|
|
distinguisher is computationally unbounded and never repeats a query.
|
|
|
|
\item The practical relevance is high, in my opinion. This is due to the
|
|
fact that the EWCDM construction is secure against nonce-misusing
|
|
adversaries up to the birthday bound. It has been shown that implementing
|
|
nonces securely is a difficult task. If a scheme is easily broken by wrong
|
|
handling of nonces, there is no \emph{fallback} security guarantee. The
|
|
EWCDM construction, however, provides such a \emph{fallback} security
|
|
guarantee and is of high practical relevance.
|
|
|
|
\item Poly1305 is also a message authentication code (MAC), which we
|
|
discussed in the lecture.
|
|
|
|
\item \TODO
|
|
\item \TODO
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - KEYED %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(16 points)}
|
|
\begin{enumerate}
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% SYMMETRIC - UNKEYED %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(16 points)}
|
|
\begin{enumerate}
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% ASYMMETRIC - LITERATURE %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(17 points)}
|
|
\begin{enumerate}
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\end{enumerate}
|
|
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
%%%%%%%%%% ASYMMETRIC - SECURITY %%%%%%%%%%
|
|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
|
|
\item \textbf{(33 points)}
|
|
\begin{enumerate}
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\item \TODO
|
|
\end{enumerate}
|
|
|
|
\end{enumerate}
|
|
|
|
\end{document}
|