Midterm Exam for Cryptography - Fall 2001 | CS 55500, Exams of Cryptography and System Security

Material Type: Exam; Class: Cryptography; Subject: CS-Computer Sciences; University: Purdue University - Main Campus; Term: Fall 2001;

Typology: Exams

Pre 2010

Uploaded on 07/30/2009

koofers-user-oi2
koofers-user-oi2 🇺🇸

10 documents

1 / 5

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
CS 555 Midterm Exam Fall ’01
Name (print please):
This exam is closed book, closed notes and is designed to take 2 hours.
Understanding a question is part of the exam, so please do not ask for additional
comments or hints for the purpose of understanding a question (unless you think the
question is ill-formulated, contains typos, inconsistent or ambiguous wording, etc).
For True / False questions, just write down your answers: there is no need to justify
them.
The questions are not listed in any particular order (they are not listed by increasing
order of difficulty).
Use the blank pages as a rough working area (they will not be graded, so make sure
you write each answer in the space provided immediately near the question).
Question 1. (12 points) Consider the following protocol, in which a symmetric (i.e., single-
key) cryptosystem is used by both parties for the generation of a session key known to both
of them for the purpose of exchanging messages MAand MB. Assume the cryptosystem
used is commutative.
1. Alice generates a random RAand sends it to Bob, and Bob generates a random RB
and sends it to Alice. Alice and Bob each compute Ras the bitwise XOR of RAand
RB, i.e., R=RARB.
2. Alice generates a random key KAand Bob generates a random key KB. Alice sends
Bob X=EKA(R), and Bob sends Alice Y=EKB(R).
3. Alice computes the session key as EKA(Y), Bob computes the session key as EKB(X).
Because of commutativity, these two quantities are equal to each other (call their
value K).
4. Alice sends Bob EK(MA) that Bob decrypts to get MA, and Bob sends Alice EK(MB)
that Alice decrypts to get MB.
Is the protocol safe from from Mallory? Justify your answer (i.e., if your answer is “yes”
then briefly explain why, and if it is “no” then describe an attack through which Mallory
manages to obtain MAand MB). [Write your answer in the space below.]
1
pf3
pf4
pf5

Partial preview of the text

Download Midterm Exam for Cryptography - Fall 2001 | CS 55500 and more Exams Cryptography and System Security in PDF only on Docsity!

CS 555 Midterm Exam Fall ’

Name (print please):

  • This exam is closed book, closed notes and is designed to take 2 hours.
  • Understanding a question is part of the exam, so please do not ask for additional comments or hints for the purpose of understanding a question (unless you think the question is ill-formulated, contains typos, inconsistent or ambiguous wording, etc).
  • For True / False questions, just write down your answers: there is no need to justify them.
  • The questions are not listed in any particular order (they are not listed by increasing order of difficulty).
  • Use the blank pages as a rough working area (they will not be graded, so make sure you write each answer in the space provided immediately near the question).

Question 1. (12 points) Consider the following protocol, in which a symmetric (i.e., single- key) cryptosystem is used by both parties for the generation of a session key known to both of them for the purpose of exchanging messages MA and MB. Assume the cryptosystem used is commutative.

  1. Alice generates a random RA and sends it to Bob, and Bob generates a random RB and sends it to Alice. Alice and Bob each compute R as the bitwise XOR of RA and RB , i.e., R = RA ⊕ RB.
  2. Alice generates a random key KA and Bob generates a random key KB. Alice sends Bob X = EKA (R), and Bob sends Alice Y = EKB (R).
  3. Alice computes the session key as EKA (Y ), Bob computes the session key as EKB (X). Because of commutativity, these two quantities are equal to each other (call their value K).
  4. Alice sends Bob EK (MA) that Bob decrypts to get MA, and Bob sends Alice EK (MB ) that Alice decrypts to get MB.

Is the protocol safe from from Mallory? Justify your answer (i.e., if your answer is “yes” then briefly explain why, and if it is “no” then describe an attack through which Mallory manages to obtain MA and MB ). [Write your answer in the space below.]

Question 2. (10 points) Bob wants to buy from Alice one of two possible movies M 1 , M 2. Bob is not supposed to be able to control which one of the two movies he gets, and Alice is not supposed to ever know which of the two movies Bob got. (How Bob pays Alice for the Mi he gets is of no concern to us here.) Alice and Bob could try to cheat if they can avoid detection of their cheating. Consider the following two protocols.

  • Protocol 1: Alice and Bob run the two-player version of the “mental poker” protocol with the Mi playing the role of “cards”, with Alice dealing the two “cards”. They run the protocol exactly as described in the book and in the lecture except that now there are two “cards” rather than 52 and Bob is the only one who gets a card (i.e., Bob does not choose a card for Alice).
  • Protocol 2: Alice and Bob run the oblivious transfer protocol explained in class (the version of it where Bob has no control over which of M 1 or M 2 he will get from Alice).
  • Is Protocol 1 correct? Briefly justify your answer.
  • Is Protocol 2 correct? Briefly justify your answer.

Question 3. (9 points) An independent set in an undirected graph G is a subset of the vertices such that there is no edge of G between vertices of that subset. The size of the independent set is the number of vertices in it. Suppose that an n-vertex graph G is known to both Peggy and to Victor. Peggy also knows an independent set of size k in the graph G. Peggy wants to convince Victor that she knows such an independent set, but without making it any easier for Victor to compute such an independent set (i.e., she wants to convince him in a zero-knowledge fashion). They run 100 times the following protocol, after which Peggy is considered to have succeeded in convincing Victor only if she succeeded in every one of those 100 rounds:

Question 5. (9 points) In class we gave a protocol that allows n persons (call them p 1 , p 2 ,... , pn) to compute their average salary without any of them revealing her salary (recall that the protocol starts and ends with p 1 , who then announces the result to the others). Mark as True or False each of the following statements about this protocol.

  1. Any person pi who is dishonest can prevent all the other n − 1 honest persons from learning the correct answer while pi herself learns the correct answer.
  2. A person pi (i > 1) who is dishonest can prevent all the other n − 1 honest persons from learning the correct answer, but then that person pi herself cannot know the correct answer.
  3. A person pi who is honest, and who knows that all the other n − 1 persons lied by increasing their true salary by 10%, can figure out the correct answer.

Question 6. (33 points) Mark as True or False each of the following statements.

  1. The simultaneous exchange of secrets protocol we covered in class could give a significant advantage (in terms of capability to cheat) to one of the two parties if that party had immensely more computing power than the other party.
  2. In a 3-key cryptographic system (= generalization to 3 keys of public-key crypto), an encryption of a message with one of the three keys can be successfully decrypted by using either one of the other two keys.
  3. In the voting protocol covered in class, the total number of encryption and decryption computations performed by each of the n participants is proportional to n.
  4. If someone cheats in any Step i of the voting protocol covered in class by replacing someone else’s vote, then at the end of that same Step i someone will immediately know that such cheating has occurred.
  5. In the digital cash protocol covered in class, two merchants can conspire against an innocent and honest customer who shops with both of them, in such a way as to trick the bank into thinking that the customer tried to illegally cash the same money order twice.
  6. In the digital cash protocol covered in class, suppose the customer by mistake emails to Alice his SBank(M ) (not yet spent by the customer). The customer is unaware that he made this mistake, and does not send Alice anything other than that SBank(M ). Then Alice can rush to a merchant and, if she does so before the customer spends his money order, she can successfully spend that money order, and the customer is later accused of cheating when he tries to spend that same money order.
  7. Suppose that, in the digital cash protocol covered in class, a particular merchant X has faulty software that causes him to always send the same “challenge” bitstring to the customer. If the customer notices this and is dishonest, he could conspire with another merchant Y to make it look (to the bank) like merchant X is trying to cash the same money order twice.
  1. The technique of using “salt” in conjunction with passwords in a Unix system makes it substantially more dificult for an enemy who has the file of encrypted pass- words (/etc/passwd) to perform a dictionary attack on a particular user’s password (e.g., Alice’s password).
  2. In the anonymous message broadcasting protocol, if exactly two of the 101 par- ticipants simultaneously try to broadcast a “1”, then each of the other 99 participants knows that at least one person is trying to perform such a broadcast of a “1”, but they have no idea how many participants are trying to simultaneously do so.
  3. The Wide-Mouth Frog protocol involves only two messages, each of which con- tains a time-stamp.
  4. In the Wide-Mouth Frog protocol, the session key is selected by Trent.

Question 7. (15 points) Complete each of the following.

  1. Write down Fermat’s Little Theorem:
  2. In an SKEY scheme, Alice has the 10 numbers x 1 ,... , x 10 and she uses these numbers in the order x 10 ,... , x 1. Write down the relationship between xi and xi+1:
  3. Euclid’s algorithm for the gcd is based on the fact that, if a ≥ b ≥ 0, then gcd(a, b) is equal to:
  4. To split a secret M between Alice and Bob and Carol, Trent generates two random R and R′^ that are each as long as M , and gives each of Alice and Bob and Carol one of the following three items:
  5. Of the following five protocols {Woo-Lam, Neuman-Stubblebine, Denning-Sacco, Needham- Schroeder, Wide-Mouth-Frog}, the protocol that was not found to have a major prob- lem or weakness is: