\documentclass[a4paper]{article}
\usepackage[english]{babel}
\usepackage{amsmath,amssymb,amsthm}
\usepackage{color}
\usepackage{units}

\newcommand{\TODO}{\textcolor{red}{TO DO}}

\begin{document}

\begin{center}
\textbf{\Large NWI-IMC061 -- Applied Cryptography}\\[4pt]
\textbf{\large Final Exam, Academic Year 2021--2022}
\end{center}

\bigskip
\hrule
\bigskip

\noindent \textbf{Last Name:} Eidelpes

\medskip\noindent \textbf{First Name:} Tobias

\medskip\noindent \textbf{Student Number:} s1090746

\medskip\noindent \textbf{Personalized Appendix Sequence Number:} 30

\bigskip
\hrule
\bigskip

\begin{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(18 points)}
\begin{enumerate}

\item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
the name implies, EWCDM is based on a Wegman-Carter construction, which
takes the hash of a message $M$ and XORs it with the output of a
pseudorandom function (PRF) applied to a nonce $N$. This construction is
very efficient and has a strong security bound; however, it is very
vulnerable to \emph{nonce misuse}. To deal with that problem, the
Wegman-Carter construction is wrapped in another call to the PRF under a
different key. A further disadvantage is that PRFs are hard to come by, so
pseudorandom permutations are used instead. If a pseudorandom permutation
(i.e. a block cipher) is used, the security bound of the construction drops
to the birthday bound ($2^{n/2}$). The authors replace the inner call to
the PRF with the \emph{Davies-Meyer} construction
\[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
and then encrypt the result (XORed with the hashed message) in another call
to the block cipher. The resulting EWCDM construction is
\[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
and is secure \emph{beyond} the birthday bound against nonce-respecting
adversaries while still offering birthday-bound security against
nonce-misusing adversaries.
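The EWCDM tag computation $E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M))$ above, as an added example that is not code from the exam answer or from the EWCDM paper: AES-128 stands in for the block cipher $E$, a polynomial hash over $\mathrm{GF}(2^{128})$ stands in for the AXU hash $H_{K_h}$, and the function names (gfMul, polyHash, ewcdmTag), the 16-byte nonce and the key handling are this example's own assumptions.

```go
package main

import "crypto/aes"
import "encoding/binary"

type fe [2]uint64 // element of GF(2^128): fe[0] holds x^127..x^64, fe[1] holds x^63..x^0

// gfMul is shift-and-add multiplication in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1.
func gfMul(a, b fe) fe {
	var z fe
	for i := 127; i >= 0; i-- { // Horner over the bits of b, high bit first
		top := z[0] >> 63
		z = fe{z[0]<<1 | z[1]>>63, z[1]<<1 ^ top*0x87} // z = z * x, reduced
		if b[1-i/64]>>uint(i%64)&1 == 1 {
			z[0], z[1] = z[0]^a[0], z[1]^a[1] // z += a * b_i
		}
	}
	return z
}

// polyHash is the AXU hash H_{Kh}(M): Horner evaluation of the zero-padded 16-byte
// blocks of M followed by a length block, each step multiplied by the hash key Kh.
func polyHash(kh fe, m []byte) fe {
	var acc fe
	for i := 0; i < len(m); i += 16 {
		var blk [16]byte
		copy(blk[:], m[i:]) // the last block is zero-padded
		acc = gfMul(fe{acc[0] ^ binary.BigEndian.Uint64(blk[:8]), acc[1] ^ binary.BigEndian.Uint64(blk[8:])}, kh)
	}
	acc[1] ^= uint64(len(m)) // length block separates messages of different lengths
	return gfMul(acc, kh)
}

// ewcdmTag computes E_{K'}(E_K(N) xor N xor H_{Kh}(M)) with AES-128 as E (assumed here).
func ewcdmTag(k, kPrime []byte, kh fe, nonce, m []byte) []byte {
	e1, err1 := aes.NewCipher(k)
	e2, err2 := aes.NewCipher(kPrime)
	if err1 != nil || err2 != nil || len(nonce) != 16 {
		panic("EWCDM needs two valid AES keys and a 16-byte nonce")
	}
	x := make([]byte, 16)
	e1.Encrypt(x, nonce) // inner call E_K(N)
	h := polyHash(kh, m)
	for w := 0; w < 2; w++ { // x = E_K(N) xor N xor H_{Kh}(M), one 64-bit word at a time
		v := binary.BigEndian.Uint64(x[8*w:]) ^ binary.BigEndian.Uint64(nonce[8*w:]) ^ h[w]
		binary.BigEndian.PutUint64(x[8*w:], v)
	}
	e2.Encrypt(x, x) // outer call under the independent key K'
	return x
}
```

A verifier recomputes the tag with the same inputs and compares it using subtle.ConstantTimeCompare; the two AES keys and the hash key must be chosen independently.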
\item The type of symmetric cryptographic scheme introduced is a Message
Authentication Code (MAC).

\item The size of the key(s) depends on the block cipher and the keyed hash
function. In total, there likely need to be two distinct keys for the block
cipher calls and one key for the hash function.

\item Since EWCDM is based on a block cipher and a hash function, and because
those usually operate on fixed-length inputs, the construction also
operates on fixed-length inputs. Messages come in variable lengths and
need to be padded by the block cipher to the specified block size.

\item Depending on the number of input blocks, the construction will
generate multiples of the block size as outputs. The outputs are
variable-length.

\item EWCDM is based on a pseudorandom permutation (i.e. a block cipher) and
an almost xor-universal (AXU) hash function (one-way function).

\item Yes, the authors provide a security proof. The proof assumes that
the encryption function $E$ is a secure pseudorandom permutation for the
case of a nonce-misusing adversary. This requirement on the security of
$E$ is not present if the adversary is nonce-respecting. Additionally, the
distinguisher is computationally unbounded and never repeats a query.

\item The practical relevance is high, in my opinion, because the EWCDM
construction is secure against nonce-misusing adversaries up to the
birthday bound. It has been shown that implementing nonces securely is a
difficult task. If a scheme is easily broken by wrong handling of nonces,
there is no \emph{fallback} security guarantee. The EWCDM construction,
however, provides such a \emph{fallback} security guarantee and is
therefore of high practical relevance.

\item Poly1305 is also a message authentication code (MAC), which we
discussed in the lecture.

\item One advantage of EWCDM over Poly1305 is that the former is
nonce-misuse resistant up to the birthday bound while Poly1305 is not.

\item One disadvantage of EWCDM is that it requires two calls to the
underlying block cipher. This can have potentially serious performance
implications for small, low-resource embedded devices.

\end{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - KEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(16 points)}
\begin{enumerate}

\item $\mathsf{CrAp}_K^{-1}$ operates by taking the ciphertexts
$C_1,\dots,C_l$ and passing them to the decryption function
$\widetilde{E}^{-1}(K,N,\cdot)$. The decryption function takes 128-bit
inputs and produces 128-bit outputs. Each output has to be stripped of the
counter (the last 26 bits) to obtain the 102-bit message blocks
$M_1,\dots,M_l$. Finally, the padding (if any) has to be removed from
$M_1,\dots,M_l$ to obtain the original message blocks (102 bits).

\item The length of the message $M$ is limited by the counter, which is at
most 26 bits long. Since the very first counter value ($\langle 0\rangle_{26}$)
is reserved for the tag, $2^{26}-2$ message blocks remain. Every block
(without the counter) is at most 102 bits long, which gives a maximum
message length of $102\cdot (2^{26}-2) = \unit[6845103924]{bits}$.

\item $\widetilde{E}$ should behave like a pseudorandom permutation in order
to be able to prove the security of $\mathsf{CrAp}$. If it does not, a
distinguisher is able to gain a significant advantage because the block
cipher does not actually generate \emph{random} outputs. Furthermore, if the
security of the underlying primitive is broken, the whole scheme falls
apart.

\item \TODO

\item \TODO

\item The length of the random nonce $N$ is $\unit[96]{bits}$. The expected
number of evaluations an attacker has to make to obtain a repeated nonce
is $2^{96/2} = 2^{48}$.

\item After $2^b = 2^{62}$ forgery attempts, the attacker has exhausted the
keyspace of the tag because the tag $T$ is $\unit[62]{bits}$ long. The
distinguisher repeatedly checks whether the current tag matches the
ciphertext. If it does not, the tag is incremented by one until $2^{62}$
queries have been made. Eventually, the distinguisher will obtain the valid
tag and is then able to tell whether it is in the real world or in the
ideal world.

\item \TODO

\end{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% SYMMETRIC - UNKEYED %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(16 points)}
\begin{enumerate}

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\end{enumerate}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - LITERATURE %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(17 points)}
\begin{enumerate}

\item LEDAcrypt is a post-quantum asymmetric suite of cryptosystems. It
contains a public-key encryption scheme and a key-encapsulation mechanism
(KEM). The underlying hard problem (decoding an arbitrary binary linear
code) is currently believed to be secure against quantum adversaries.

\item The authors introduce a post-quantum public-key cryptosystem based on
linear codes.

\item IND-CCA2 is proven for both the KEM and the PKC. IND-CPA is proven for
the KEM.

\item LEDAcrypt is based on the hardness of the decoding problem for linear
codes. Given a parity-check matrix $H$ and a received word $y$, the
syndrome is $s=yH$. Find a minimum-weight solution $z_0$ of the equation
$s=zH$. The best estimate for the codeword is $x=y+z_0$. Finding
a minimum-weight solution to $s=zH$ given $s$ and $H$ is
$\mathsf{NP}$-hard.
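The syndrome-decoding problem above, worked as an added example that is not from the exam or from LEDAcrypt, for a toy $[7,4]$ Hamming code: it keeps the answer's row-vector convention ($s = yH$ with $H$ stored as $n$ rows of $r$ bits), and the exhaustive search over all $2^n$ error patterns, the encoder and the function names are this example's own choices, feasible only for tiny $n$.

```go
package main

import "math/bits"

// Row-vector convention as in the answer above: the code has length n, H is
// stored as n rows of r bits, and the syndrome of y is s = yH, i.e. the XOR of
// the rows of H selected by the 1 bits of y (bit i of y selects row i).
func syndrome(y uint, h []uint) uint {
	var s uint
	for i, row := range h {
		if y>>uint(i)&1 == 1 {
			s ^= row
		}
	}
	return s
}

// minWeightSolution returns a lowest-weight z with zH = s and its weight, by
// trying all 2^n error patterns. This exhaustive search is exponential in n,
// which is what the hardness of decoding a general linear code rests on; it is
// only feasible for toy lengths like the one below.
func minWeightSolution(s uint, h []uint) (uint, int) {
	n := len(h)
	best, bestW := uint(0), n+1 // weight n+1 means "no solution found"
	for z := uint(0); z < 1<<uint(n); z++ {
		if w := bits.OnesCount(z); w < bestW && syndrome(z, h) == s {
			best, bestW = z, w
		}
	}
	return best, bestW
}

// decode returns the best estimate x = y + z0 of the sent codeword.
func decode(y uint, h []uint) uint {
	z0, _ := minWeightSolution(syndrome(y, h), h)
	return y ^ z0
}

// hamming7 is the [7,4] Hamming code in this row form: row i is the 3-bit
// binary value i+1, so every single-bit error has a distinct nonzero syndrome.
var hamming7 = []uint{1, 2, 3, 4, 5, 6, 7}

// encode7 is a constructed encoder for hamming7: the 4 data bits go to indices
// 2, 4, 5, 6 and the parity indices 0, 1, 3 (whose rows 1, 2, 4 are unit
// vectors) are set to the syndrome of the data part, which makes xH = 0.
func encode7(data uint) uint {
	x := (data&1)<<2 | (data>>1&1)<<4 | (data>>2&1)<<5 | (data>>3&1)<<6
	s := syndrome(x, hamming7)
	return x | (s & 1) | (s>>1&1)<<1 | (s>>2&1)<<3
}
```

With two bit errors the nearest codeword is a different one, so decoding returns a valid but wrong codeword; the Hamming code corrects only one error.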

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\end{enumerate}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%% ASYMMETRIC - SECURITY %%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\item \textbf{(33 points)}
\begin{enumerate}

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\item \TODO

\end{enumerate}

\end{enumerate}

\end{document}