Homework Week 3 - Coursera PDF
Homework Week 3 - Coursera PDF
Homework Week 3 - Coursera PDF
You submitted this homework on Wed 12 Feb 2014 11:14 AM PST. You got a score
of 6.55 out of 10.00. You can attempt again in 10 minutes.
Question 1
Suppose a MAC system (S, V ) is used to protect files in a file system by appending a MAC tag to
each file. The MAC signing algorithm S is applied to the file contents and nothing else. What
Changing the last modification 1.00 The MAC signing algorithm is only applied
time of a file. to the file contents and does not protect
the file meta data.
Total 1.00 /
1.00
Question 2
n
Let (S, V ) be a secure MAC defined over (K, M , T ) where M = {0, 1} and
128 n
T = {0, 1} (i.e. the key space is K , message space is {0, 1} , and tag space is
128
{0, 1} ). Which of the following is a secure MAC: (as usual, we use ∥
∥ to denote string
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 1/10
8/26/2014 Homework Feedback | Coursera
concatenation)
′
S (k, m) = S(k, m ⊕ m) and 0.00 This
′
V (k, m, t) = V (k, m ⊕ m, t) construction is
insecure
because an
adversary can
request the
tag for
n
m = 0 and
thereby obtain
a tag for any
message.
This follows
from the fact
that
m ⊕ m = 0.
′
(i.e., V (k, m, (t1 , t2 )) only outputs "1" if t1 and t2 are equal and
valid)
′
S (k, m) = S(k, m) and 0.17 This
′ V (k, m, t) if m ≠ 0
n
construction is
V (k, m, t) = {
``1'' otherwise insecure
because the
adversary can
simply output
n s
(0 , 0 ) as
an existential
forgery.
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 2/10
8/26/2014 Homework Feedback | Coursera
tags)
′
S (k, m) = S(k, m[0, … , n − 2]∥
∥ 0) and 0.17 This
V
′
(k, m, t) = V (k, m[0, … , n − 2]∥
∥ 0, t) construction is
insecure
because the
tags on
n
m = 0 and
n−1
m = 0 1
Total 0.83 /
1.00
Question 3
Recall that the ECBC-MAC uses a fixed IV (in the lecture we simply set the IV to 0). Suppose
instead we chose a random IV for every message being signed and include the IV in the tag. In
other words, S(k, m) := (r, ECBCr (k, m)) where ECBCr (k, m) refers to the ECBC
function using r as the IV. The verification algorithm V given key k, message m, and tag (r, t)
The resulting MAC system is insecure. An attacker can query for the tag of the 1-block message
m and obtain the tag (r, t). He can then generate the following existential forgery: (we assume
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 3/10
8/26/2014 Homework Feedback | Coursera
The tag (r ⊕ t, m) is a valid tag for 0.00 The right half of the tag, m, is not
the 1-block message 0n . likely to be the result of the CBC MAC.
n
The tag (r ⊕ 1 , t) is a valid tag for
the 1-block message m ⊕ 1n .
Total 0.00 /
1.00
Question 4
Suppose Alice is broadcasting packets to 6 recipients B1 , … , B6 . Privacy is not important but
integrity is. In other words, each of B1 , … , B6 should be assured that the packets he is
Alice decides to use a MAC. Suppose Alice and B1 , … , B6 all share a secret key k. Alice
computes a tag for every packet she sends using key k. Each user Bi verifies the tag when
receiving the packet and drops the packet if the tag is invalid. Alice notices that this scheme is
insecure because user B1 can use the key k to send packets with a valid tag to users
B2 , … , B6 and they will all be fooled into thinking that these packets are from Alice.
Instead, Alice sets up a set of 4 secret keys S = { k1 , … , k4 } . She gives each user Bi some
subset Si ⊆ S of the keys. When Alice transmits a packet she appends 4 tags to it by computing
the tag with each of her 4 keys. When user Bi receives a packet he accepts it as valid only if all
tags corresponding to his keys in Si are valid. For example, if user B1 is given keys {k1 , k2 } he
will accept an incoming packet only if the first and second tags are valid. Note that B1 cannot
validate the 3rd and 4th tags because he does not have k3 or k4 .
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 4/10
8/26/2014 Homework Feedback | Coursera
How should Alice assign keys to the 6 users so that no single user can forge packets on behalf of
ican fool a
user j into
accepting a
message
sent by i.
Total 1.00 /
1.00
Question 5
Consider the encrypted CBC MAC built from AES. Suppose we compute the tag for a long
′
message m comprising of n AES blocks. Let m be the n-block message obtained from m by
′
flipping the last bit of m (i.e. if the last bit of m is b then the last bit of m is b ⊕ 1). How many
′
calls to AES would it take to compute the tag for m from the tag for m and the MAC key? (in this
question please ignore message padding and simply assume that the message length is always a
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 5/10
8/26/2014 Homework Feedback | Coursera
4 1.00 You would decrypt the final CBC MAC encryption step done using k2 ,
the decrypt the last CBC MAC encryption step done using k1 , flip the
last bit of the result, and re-apply the two encryptions.
Total 1.00 /
1.00
Question 6
Let H : M → T be a collision resistant hash function. Which of the following is collision
′
H (m) = H (m)[0, … , 31] 0.14 This construction is not collision
(i.e. output the first 32 bits of the hash) resistant because an attacker can find
a collision in time 2
16
using the
birthday paradox.
′
H (m) = H (m) ⊕ H (m) 0.00 This construction is not collision
resistant because H (0) = H (1) .
′ ′
H (m) = H (H (H (m))) 0.14 a collision finder for H gives a
collision finder for H.
′ ′
H (m) = H (m ∥
∥0) 0.14 a collision finder for H gives a
collision finder for H.
′ ′
H (m) = H (H (m)) 0.00 a collision finder for H gives a
collision finder for H .
′
H (m) = H (|m|) (i.e. hash 0.14 This construction is not collision
the length of m) resistant because
H (000) = H (111) .
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 6/10
8/26/2014 Homework Feedback | Coursera
of m)
Total 0.71 /
1.00
Question 7
Suppose H1 and H2 are collision resistant hash functions mapping inputs in a set M to
256
{0, 1} . Our goal is to show that the function H 2 (H 1 (m)) is also collision resistant. We
prove the contra-positive: suppose H 2 (H 1 (⋅)) is not collision resistant, that is, we are given
x ≠ y such that H 2 (H 1 (x)) = H2 (H 1 (y)) . We build a collision for either H1 or for H2 .
This will prove that if H 1 and H2 are collision resistant then so is H 2 (H 1 (⋅)). Which of the
Either
x, H 1 (y) are a
collision for H2
or H2 (x), y
Either x, y are
a collision for
H1 or x, y
Either
H 2 (x), H 2 (y)
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269
H1 7/10
8/26/2014 Homework Feedback | Coursera
H1 or x, y
Total 1.00 /
1.00
Question 8
In this question and the next, you are asked to find collisions on two compression functions:
f 1 (x, y) = AES(y, x) ⨁ y , and
f 2 (x, y) = AES(x, x) ⨁ y ,
We provide an AES function for you to play with. The function takes as input a key k and an x
value and outputs AES(k, x) once you press the "encrypt" button. It takes as input a key k and
−1
a y value and outputs AES (k, y) once you press the "decrypt" button. All three values
k, x, y are assumed to be hex values (i.e. using only characters 0-9 and a-f) and the function
Your goal is to find four distinct pairs (x1 , y 1 ), ( x2 , y 2 ), (x3 , y 3 ), (x4 , y 4 ) such that
f 1 (x1 , y 1 ) = f 1 (x2 , y 2 ) and f 2 (x3 , y 3 ) = f 2 (x4 , y 4 ). In other words, the first two pairs
are a collision for f1 and the last two pairs are a collision for f2 . Once you find all four pairs,
please enter them below and check your answer using the "check" button.
Note for those using the NoScript browser extension: for the buttons to function correctly
please allow Javascript from class.coursera.org and cloudfront.net to run in your browser.
Note also that the "save answers" button does not function for this question and the next.
You entered:
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 8/10
8/26/2014 Homework Feedback | Coursera
00000000000000000000000000000000
Total 0.00 /
1.00
Question 9
You entered:
Total 0.00 /
1.00
Question 10
Let H : M → T be a random hash function where |M | ≫ |T | (i.e. the size of M is much
larger than the size of T ). In lecture we showed that finding a collision on H can be done with
1/2
O(|T | ) random samples of H . How many random samples would it take until we obtain a
three way collision, namely distinct strings x, y, z in M such that H (x) = H (y) = H (z) ?
1/4
O(|T | )
3/4
O(|T | )
1/3
O(|T | )
Total 1.00 /
1.00
https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 10/10