
Feedback — Week 4 - Problem Set

You submitted this homework on Tue 17 Feb 2015 1:51 PM CET. You got a
score of 8.50 out of 10.00. You can attempt again in 10 minutes.

Question 1
An attacker intercepts the following ciphertext (hex encoded):

   20814804c1767293b99f1d9cab3bc3e7 ac1e37bfb15599e5f40eef805488281d

He knows that the plaintext is the ASCII encoding of the message "Pay Bob 100$" (excluding the quotes). He also knows that the cipher used is CBC encryption with a random IV using AES as the underlying block cipher. Show that the attacker can change the ciphertext so that it will decrypt to "Pay Bob 500$". What is the resulting ciphertext (hex encoded)? This shows that CBC provides no integrity.

You entered:

20814804c1767293bd9f1d9cab3bc3e7
ac1e37bfb15599e5f40eef805488281d

Your Answer | Score | Explanation

20814804c1767293bd9f1d9cab3bc3e7 ac1e37bfb15599e5f40eef805488281d | 1.00 | You got it!

Total 1.00 / 1.00
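The mechanism behind this answer, as an added example that is not part of the quiz feedback: CBC decryption computes $P_1 = D(k, C_1) \oplus \mathrm{IV}$, so XORing the difference between the known and the wanted plaintext into the IV changes the recovered first block by exactly that difference, whatever the key. The code below reproduces the quiz's hex answer with that XOR alone, then runs the same modification through a full CBC round trip and, for the defender's side, shows that an encrypt-then-MAC tag rejects it. The 16-byte block cipher is a constructed SHA-256 Feistel permutation standing in for AES (so the file runs offline with the standard library), and the keys are constructed sample values.

```python
"""Added example (not from the quiz): CBC malleability and the encrypt-then-MAC
check that catches it. The block cipher is a constructed Feistel permutation
standing in for AES; the IV/ciphertext hex is the quiz's, keys are constructed."""
import hashlib
import hmac

BLOCK = 16
QUIZ_CT_HEX = ("20814804c1767293b99f1d9cab3bc3e7"
               "ac1e37bfb15599e5f40eef805488281d")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key: bytes, x: bytes) -> bytes:
    """4-round balanced Feistel network: a keyed permutation on 16 bytes."""
    l, r = x[:8], x[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r


def toy_decrypt_block(key: bytes, y: bytes) -> bytes:
    l, r = y[:8], y[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, l, i)), l
    return l + r


def pad(m: bytes) -> bytes:                      # PKCS#7
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m: bytes) -> bytes:
    n = m[-1]
    if not 1 <= n <= BLOCK or m[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return m[:-n]


def cbc_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """Returns the ciphertext blocks only; the caller prepends the IV."""
    out, prev, m = bytearray(), iv, pad(m)
    for i in range(0, len(m), BLOCK):
        prev = toy_encrypt_block(key, xor(m[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor(toy_decrypt_block(key, blk), prev)   # P_i = D(C_i) xor C_{i-1}
        prev = blk
    return unpad(bytes(out))


def flip_previous_block(ct_hex: str, known: bytes, wanted: bytes) -> str:
    """XOR (known xor wanted) into the block preceding the target block (here
    the IV). Reproduces the quiz answer without touching the cipher."""
    ct = bytearray.fromhex(ct_hex)
    for i, (a, b) in enumerate(zip(known, wanted)):
        ct[i] ^= a ^ b
    return ct.hex()


def demo_cbc_malleability() -> bytes:
    """Encrypt 'Pay Bob 100$' under the toy cipher, apply the flip, decrypt."""
    key = b"\x11" * 16                          # constructed sample key
    iv = bytes.fromhex(QUIZ_CT_HEX[:32])        # the quiz IV (any IV works)
    ct = iv + cbc_encrypt(key, iv, b"Pay Bob 100$")
    forged = bytes.fromhex(flip_previous_block(ct.hex(), b"Pay Bob 100$", b"Pay Bob 500$"))
    return cbc_decrypt(key, forged[:BLOCK], forged[BLOCK:])   # b'Pay Bob 500$'


def seal(k_enc: bytes, k_mac: bytes, iv: bytes, m: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers IV and ciphertext."""
    ct = iv + cbc_encrypt(k_enc, iv, m)
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()


def open_sealed(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, ct, hashlib.sha256).digest()):
        return None
    return cbc_decrypt(k_enc, ct[:BLOCK], ct[BLOCK:])


def demo_etm_detects_flip():
    """The same IV modification against an authenticated ciphertext is rejected."""
    k_enc, k_mac = b"\x11" * 16, b"\x22" * 32   # constructed sample keys
    iv = bytes.fromhex(QUIZ_CT_HEX[:32])
    blob = seal(k_enc, k_mac, iv, b"Pay Bob 100$")
    ct, tag = blob[:-32], blob[-32:]
    tampered = bytes.fromhex(flip_previous_block(ct.hex(), b"Pay Bob 100$", b"Pay Bob 500$")) + tag
    return open_sealed(k_enc, k_mac, tampered)  # None


if __name__ == "__main__":
    print(flip_previous_block(QUIZ_CT_HEX, b"Pay Bob 100$", b"Pay Bob 500$"))
    print(demo_cbc_malleability(), demo_etm_detects_flip())
```

The only byte that changes is the ninth byte of the IV (b9 becomes bd, the XOR of '1' and '5'), which is why the quiz's answer differs from the intercepted ciphertext in a single hex pair; the tag check in `open_sealed` is what turns the same edit into a rejected message.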

Question 2
Let $(E, D)$ be an encryption system with key space $K$, message space $\{0,1\}^n$ and ciphertext space $\{0,1\}^s$. Suppose $(E, D)$ provides authenticated encryption. Which of the following systems provide authenticated encryption: (as usual, we use $\|$ to denote string concatenation)

Your Answer | Score | Explanation

$E'(k, m) = (E(k, m), 0)$ and $D'(k, (c, b)) = \begin{cases} D(k, c) & \text{if } b = 0 \\ \bot & \text{otherwise} \end{cases}$ | 0.00 | $(E', D')$ provides authenticated encryption because an attack on $(E', D')$ directly gives an attack on $(E, D)$.

$E'(k, m) = (E(k, m), 0)$ and $D'(k, (c, b)) = D(k, c)$ | 0.25 | This system does not provide ciphertext integrity. The attacker queries for $E'(k, 0^n)$ to obtain $(c, 0)$. It then outputs $(c, 1)$ and wins the ciphertext integrity game.

$E'(k, m) = E(k, m) \oplus 1^s$ and $D'(k, c) = D(k, c \oplus 1^s)$ | 0.00 | $(E', D')$ provides authenticated encryption because an attack on $(E', D')$ directly gives an attack on $(E, D)$.

$E'(k, m) = (E(k, m), E(k, m))$ and $D'(k, (c_1, c_2)) = \begin{cases} D(k, c_1) & \text{if } D(k, c_1) = D(k, c_2) \\ \bot & \text{otherwise} \end{cases}$ | 0.25 | This system does not provide ciphertext integrity. To see why, recall that authenticated encryption (without a nonce) must be randomized to provide CPA security. Therefore, $E'(k, m) = (c_1, c_2)$ will likely output a distinct ciphertext pair $c_1 \ne c_2$. The attacker can then output the ciphertext $(c_1, c_1)$ and win the ciphertext integrity game.

Total 0.50 / 1.00
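The two explanations above can be checked mechanically. The following is an added example, not part of the quiz feedback: it builds a small authenticated encryption scheme $(E, D)$ from the standard library (a random 16-byte nonce, an HMAC-derived keystream, and an HMAC-SHA256 tag over nonce and ciphertext, i.e. encrypt-then-MAC), wraps it as the quiz's options 1, 2 and 4, and plays the ciphertext integrity game against each wrapper: a candidate ciphertext that differs from everything the wrapper produced yet still decrypts is a win. The base scheme and the keys are constructed stand-ins; any AE scheme would behave the same way under these wrappers.

```python
"""Added example (not from the quiz): the ciphertext-integrity game against the
wrappers of Question 2. (E, D) below is a constructed encrypt-then-MAC scheme
standing in for any authenticated encryption scheme; keys are constructed."""
import hashlib
import hmac
import os

KEY = (b"\x01" * 32, b"\x02" * 32)   # constructed sample (k_enc, k_mac)


def _keystream(k: bytes, r: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(k, r + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def E(k: tuple, m: bytes) -> bytes:
    """Randomized AE: nonce || (m xor keystream) || HMAC tag."""
    k_enc, k_mac = k
    r = os.urandom(16)
    body = r + bytes(a ^ b for a, b in zip(m, _keystream(k_enc, r, len(m))))
    return body + hmac.new(k_mac, body, hashlib.sha256).digest()


def D(k: tuple, c: bytes):
    """Returns the plaintext, or None (the quiz's bottom symbol) on a bad tag."""
    k_enc, k_mac = k
    body, tag = c[:-32], c[-32:]
    if len(body) < 16 or not hmac.compare_digest(
            tag, hmac.new(k_mac, body, hashlib.sha256).digest()):
        return None
    r, ct = body[:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(k_enc, r, len(ct))))


# Option 2: E'(k, m) = (E(k, m), 0), D'(k, (c, b)) = D(k, c); the flag b is ignored.
def E2(k, m):
    return (E(k, m), 0)


def D2(k, cb):
    return D(k, cb[0])


# Option 1: same E', but D' returns bottom unless b == 0.
def D1(k, cb):
    return D(k, cb[0]) if cb[1] == 0 else None


# Option 4: E'(k, m) = (E(k, m), E(k, m)); D' accepts iff both halves agree.
def E4(k, m):
    return (E(k, m), E(k, m))


def D4(k, c12):
    m1, m2 = D(k, c12[0]), D(k, c12[1])
    return m1 if m1 is not None and m1 == m2 else None


def ci_forgery_accepted(decrypt, legit, forged) -> bool:
    """Ciphertext-integrity game: the candidate wins if it differs from the
    ciphertext the adversary was given and still decrypts to something."""
    return forged != legit and decrypt(KEY, forged) is not None


def demo() -> dict:
    m = bytes(16)                    # the quiz's query 0^n
    c, b = E2(KEY, m)
    flag_flip = (c, 1)               # the (c, 1) candidate from the explanation
    c1, c2 = E4(KEY, m)
    dup = (c1, c1)                   # the (c1, c1) candidate from the explanation
    return {
        "option2_flag_ignored": ci_forgery_accepted(D2, (c, b), flag_flip),
        "option1_flag_checked": ci_forgery_accepted(D1, (c, b), flag_flip),
        "option4_pair_distinct": c1 != c2,
        "option4_duplicate_pair": ci_forgery_accepted(D4, (c1, c2), dup),
        "base_scheme_tag_bit_flip": ci_forgery_accepted(
            D, c, c[:-1] + bytes([c[-1] ^ 1])),
    }


if __name__ == "__main__":
    for name, won in demo().items():
        print(f"{name}: {'integrity broken' if won else 'rejected'}")
```

Option 2 and option 4 accept a ciphertext that $E'$ never produced, while option 1 and the base scheme reject them; option 3 (XOR with $1^s$) is a bijection on ciphertexts and is not shown because it inherits the base scheme's integrity unchanged.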

Question 3
If you need to build an application that needs to encrypt multiple messages using a single key, what encryption method should you use? (for now, we ignore the question of key generation and management)

Your Answer | Score | Explanation

implement MAC-then-Encrypt yourself | |

use a standard implementation of randomized counter mode. | |

use a standard implementation of CBC encryption with a random IV. | |

use a standard implementation of one of the authenticated encryption modes GCM, CCM, EAX or OCB. | 1.00 |

Total 1.00 / 1.00

Question 4
Let $(E, D)$ be a symmetric encryption system with message space $M$ (think of $M$ as only consisting of short messages, say 32 bytes). Define the following MAC $(S, V)$ for messages in $M$:

   $S(k, m) := E(k, m)$ ; $V(k, m, t) := \begin{cases} 1 & \text{if } D(k, t) = m \\ 0 & \text{otherwise} \end{cases}$

What is the property that the encryption system $(E, D)$ needs to satisfy for this MAC system to be secure?

Your Answer | Score | Explanation

authenticated encryption | 1.00 | Indeed, authenticated encryption implies ciphertext integrity which prevents existential forgery under a chosen message attack.

semantic security under a deterministic chosen plaintext attack | |

perfect secrecy | |

semantic security | |

Total 1.00 / 1.00

Question 5
In lecture 8.1 we discussed how to derive session keys from a shared secret. The problem is what to do when the shared secret is non-uniform. In this question we show that using a PRF with a non-uniform key may result in non-uniform values. This shows that session keys cannot be derived by directly using a non-uniform secret as a key in a PRF. Instead, one has to use a key derivation function like HKDF.

Suppose $k$ is a non-uniform secret key sampled from the key space $\{0,1\}^{256}$. In particular, $k$ is sampled uniformly from the set of all keys whose most significant 128 bits are all 0. In other words, $k$ is chosen uniformly from a small subset of the key space. More precisely,

   for all $c \in \{0,1\}^{256}$: $\Pr[k = c] = \begin{cases} 1/2^{128} & \text{if } \mathrm{MSB}_{128}(c) = 0^{128} \\ 0 & \text{otherwise} \end{cases}$

Let $F(k, x)$ be a secure PRF with input space $\{0,1\}^{256}$. Which of the following is a secure PRF when the key $k$ is uniform in the key space $\{0,1\}^{256}$, but is insecure when the key is sampled from the non-uniform distribution described above?

Your Answer | Score | Explanation

$F'(k, x) = \begin{cases} F(k, x) & \text{if } \mathrm{MSB}_{128}(k) = 0^{128} \\ 1^{256} & \text{otherwise} \end{cases}$ | |

$F'(k, x) = \begin{cases} F(k, x) & \text{if } \mathrm{MSB}_{128}(k) \ne 0^{128} \\ 1^{256} & \text{otherwise} \end{cases}$ | 1.00 | $F'(k, x)$ is a secure PRF because for a uniform key $k$ the probability that $\mathrm{MSB}_{128}(k) = 0^{128}$ is negligible. However, for the *non-uniform* key $k$ this PRF always outputs 1 and is therefore completely insecure. This PRF cannot be used as a key derivation function for the distribution of keys described in the problem.

$F'(k, x) = F(k, x)$ | |

$F'(k, x) = \begin{cases} F(k, x) & \text{if } \mathrm{MSB}_{128}(k) \ne 1^{128} \\ 0^{256} & \text{otherwise} \end{cases}$ | |

Total 1.00 / 1.00
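To make the scored explanation concrete, here is an added example that is not part of the quiz feedback. It implements the option-2 $F'$ with HMAC-SHA256 standing in for the secure PRF $F$, samples keys from the uniform and from the quiz's non-uniform distribution, and counts how often $F'$ collapses to the constant $1^{256}$. It then shows the repair the question points to: passing the non-uniform secret through HKDF-Extract (HMAC keyed with a salt, as in RFC 5869) before using the result as the PRF key. The salt, the PRF input label and the generator seeds are constructed values.

```python
"""Added example (not from the quiz): Question 5's F' under uniform and
non-uniform keys, and HKDF-Extract as the fix. HMAC-SHA256 stands in for the
secure PRF F; sampling is seeded so runs are repeatable."""
import hashlib
import hmac
import random

ALL_ONES = b"\xff" * 32          # the 1^256 output
LABEL = b"session-key/0"         # constructed PRF input


def F(k: bytes, x: bytes) -> bytes:
    return hmac.new(k, x, hashlib.sha256).digest()


def F_prime(k: bytes, x: bytes) -> bytes:
    """Quiz option 2: F(k, x) if MSB_128(k) != 0^128, else the constant 1^256."""
    if k[:16] == bytes(16):
        return ALL_ONES
    return F(k, x)


def sample_uniform_key(rng: random.Random) -> bytes:
    return rng.getrandbits(256).to_bytes(32, "big")


def sample_nonuniform_key(rng: random.Random) -> bytes:
    """The quiz distribution: top 128 bits fixed to 0, low 128 bits uniform."""
    return bytes(16) + rng.getrandbits(128).to_bytes(16, "big")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def derived_key_sampler(rng: random.Random) -> bytes:
    """Non-uniform secret passed through HKDF-Extract before use as a PRF key."""
    return hkdf_extract(b"constructed-salt", sample_nonuniform_key(rng))


def constant_output_rate(sampler, trials: int = 2000, seed: int = 7) -> float:
    """Fraction of sampled keys for which F' degenerates to the constant 1^256."""
    rng = random.Random(seed)
    hits = sum(F_prime(sampler(rng), LABEL) == ALL_ONES for _ in range(trials))
    return hits / trials


def distinct_outputs(sampler, n: int = 50, seed: int = 3) -> int:
    """How many different F' values n independently sampled keys give on LABEL."""
    rng = random.Random(seed)
    return len({F_prime(sampler(rng), LABEL) for _ in range(n)})


if __name__ == "__main__":
    for name, s in [("uniform", sample_uniform_key),
                    ("non-uniform", sample_nonuniform_key),
                    ("non-uniform + HKDF-Extract", derived_key_sampler)]:
        print(f"{name:28s} constant rate {constant_output_rate(s):.3f}, "
              f"distinct outputs {distinct_outputs(s)}")
```

Under the non-uniform distribution every sampled key triggers the constant branch, so $F'$ carries no key material at all; after HKDF-Extract the PRK has no structure a branch like this can latch onto, which is the reason the question recommends a KDF rather than using the raw secret as a PRF key.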

Question 6
In what settings is it acceptable to use deterministic authenticated encryption (DAE) like SIV?

Your Answer | Score | Explanation

when a fixed message is repeatedly encrypted using a single key. | |

to individually encrypt many packets in a voice conversation with a single key. | |

when messages are chosen at random from a large enough space so that messages are unlikely to repeat. | 1.00 | Deterministic encryption is safe to use when the message/key pair is never used more than once.

to encrypt many records in a database with a single key when the same record may repeat multiple times. | |

Total 1.00 / 1.00

Question 7
Let $E(k, x)$ be a secure block cipher. Consider the following tweakable block cipher:

   $E'((k_1, k_2), t, x) = E(k_1, x) \oplus E(k_2, t)$.

Is this tweakable block cipher secure?

Your Answer | Score | Explanation

no because for $t \ne t'$ we have $E'((k_1, k_2), t, 0) \oplus E'((k_1, k_2), t', 1) = E'((k_1, k_2), t', 1) \oplus E'((k_1, k_2), t \ldots$ | 0.00 | This relation doesn't hold for $E'$.

no because for $x \ne x'$ and $t \ne t'$ we have $E'((k_1, k_2), t, x) \oplus E'((k_1, k_2), t', x) = E'((k_1, k_2), t, x') \oplus E'((k_1, k_2), t \ldots$ | |

no because for $x \ne x'$ we have $E'((k_1, k_2), 0, x) \oplus E'((k_1, k_2), 1, x) = E'((k_1, k_2), 0, x') \oplus E'((k_1, k_2), 1, \ldots$ | |

no because for $x \ne x'$ we have $E'((k_1, k_2), 0, x) \oplus E'((k_1, k_2), 0, x) = E'((k_1, k_2), 0, x') \oplus E'((k_1, k_2), 0, \ldots$ | |

yes, it is secure assuming $E$ is a secure block cipher. | |

Total 0.00 / 1.00
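What the construction's XOR structure gives away can be checked directly. The following is an added example, not part of the quiz feedback: from the definition, $E'(t, x) \oplus E'(t', x) = E(k_2, t) \oplus E(k_2, t')$, a value that does not depend on $x$, so the same XOR of two tweaks is observed for every input block. A family of independent random permutations (what a secure tweakable block cipher is supposed to look like) has no such regularity, and the code measures both. The block cipher is a constructed 8-bit keyed permutation (a seeded shuffle) so that the check runs exhaustively and offline; the keys and seeds are constructed values.

```python
"""Added example (not from the quiz): the x-independent XOR relation of
E'((k1,k2), t, x) = E(k1, x) xor E(k2, t) from Question 7, compared with an
ideal family of independent permutations. The block cipher is a constructed
8-bit keyed permutation; keys and seeds are constructed sample values."""
import random
from itertools import product


def toy_block_cipher(key: int):
    """A permutation on {0..255} determined by the key (seeded shuffle)."""
    table = list(range(256))
    random.Random(key).shuffle(table)
    return table


def make_e_prime(k1: int, k2: int):
    """The quiz construction: E'(t, x) = E(k1, x) xor E(k2, t)."""
    e1, e2 = toy_block_cipher(k1), toy_block_cipher(k2)
    return lambda t, x: e1[x] ^ e2[t]


def make_ideal_tweakable(seed: int):
    """Ideal tweakable cipher: an independent random permutation per tweak."""
    cache = {}

    def e(t, x):
        if t not in cache:
            cache[t] = toy_block_cipher(seed * 1000 + t)
        return cache[t][x]
    return e


def relation_hold_rate(e, t1=0, t2=1, x1=0) -> float:
    """Fraction of x2 != x1 with E'(t1,x1)^E'(t2,x1) == E'(t1,x2)^E'(t2,x2)."""
    lhs = e(t1, x1) ^ e(t2, x1)
    hits = sum(1 for x2 in range(256) if x2 != x1 and e(t1, x2) ^ e(t2, x2) == lhs)
    return hits / 255


def relation_always_holds(e, tweaks=4, inputs=64) -> bool:
    """Exhaustive check over tweak pairs t1 != t2 and input pairs x1 != x2
    (restricted ranges keep the run short)."""
    return all(e(t1, x1) ^ e(t2, x1) == e(t1, x2) ^ e(t2, x2)
               for t1, t2, x1, x2 in product(range(tweaks), range(tweaks),
                                             range(inputs), range(inputs))
               if t1 != t2 and x1 != x2)


if __name__ == "__main__":
    print("quiz E' relation rate:", relation_hold_rate(make_e_prime(11, 22)))
    print("ideal family rate:    ", relation_hold_rate(make_ideal_tweakable(5)))
```

For the quiz construction the rate is exactly 1 for every choice of tweaks and inputs, while for independent permutations it sits near $1/256$ (the chance of an 8-bit coincidence); a distinguisher needs only four queries to tell the two apart.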

Question 8
In lecture 8.5 we discussed format preserving encryption which is a PRP on a domain $\{0, \ldots, s-1\}$ for some pre-specified value of $s$. Recall that the construction we presented worked in two steps, where the second step worked by iterating the PRP until the output fell into the set $\{0, \ldots, s-1\}$.

Suppose we try to build a format preserving credit card encryption system from AES using *only* the second step. That is, we start with a PRP with domain $\{0,1\}^{128}$ from which we want to build a PRP with domain $10^{16}$. If we only used step (2), how many iterations of AES would be needed in expectation for each evaluation of the PRP with domain $10^{16}$?

Your Answer | Score | Explanation

$2^{128}/10^{16} \approx 3.4 \times 10^{22}$ | 1.00 | On every iteration we have a probability of $10^{16}/2^{128}$ of falling into the set $\{0, \ldots, 10^{16}\}$ and therefore in expectation we will need $2^{128}/10^{16}$ iterations. This should explain why step (1) is needed.

16 | |

$10^{16}$ | |

$10^{16}/2^{128}$ | |

Total 1.00 / 1.00
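The $N/s$ estimate can be watched at a scale where the walk actually finishes. Here is an added example that is not part of the quiz feedback: it builds a constructed PRP on $\{0, \ldots, 2^{n}-1\}$ (a seeded random permutation standing in for AES), performs step (2), i.e. iterates the PRP until the output lands in $\{0, \ldots, s-1\}$, and averages the iteration count over every input. It also checks that the walk really defines a permutation of the small domain, and it reports the exact expectation for the quiz's parameters. Domain sizes and seeds are constructed values; the general behaviour is the same for any $N \ge s$.

```python
"""Added example (not from the quiz): cycle walking (step 2 of the
format-preserving construction) measured on a small constructed PRP.
The PRP is a seeded random permutation standing in for AES."""
import random


def make_prp(n_bits: int, seed: int = 1):
    """A permutation on {0 .. 2^n_bits - 1} standing in for the block cipher."""
    perm = list(range(1 << n_bits))
    random.Random(seed).shuffle(perm)
    return perm


def cycle_walk(perm, s: int, x: int):
    """Step (2): apply the PRP until the output lies in {0..s-1}.
    Returns (output, number of PRP evaluations used)."""
    y, iterations = x, 0
    while True:
        y = perm[y]
        iterations += 1
        if y < s:
            return y, iterations


def average_iterations(n_bits: int, s: int, seed: int = 1) -> float:
    """Mean PRP evaluations per encryption over every input in {0..s-1}."""
    perm = make_prp(n_bits, seed)
    return sum(cycle_walk(perm, s, x)[1] for x in range(s)) / s


def is_permutation_on_domain(n_bits: int, s: int, seed: int = 1) -> bool:
    """Cycle walking from a point of {0..s-1} always returns to the set and
    maps it bijectively onto itself."""
    perm = make_prp(n_bits, seed)
    outputs = {cycle_walk(perm, s, x)[0] for x in range(s)}
    return len(outputs) == s and max(outputs) < s


def expected_iterations(n_bits: int, s: int) -> float:
    """N / s: the geometric-trial expectation used in the quiz explanation."""
    return (1 << n_bits) / s


if __name__ == "__main__":
    print("N = 2^16, s = 10^4: measured", round(average_iterations(16, 10**4), 3),
          "expected", expected_iterations(16, 10**4))
    print("N = 2^14, s = 10^4: measured", round(average_iterations(14, 10**4), 3),
          "expected", expected_iterations(14, 10**4))
    print("N = 2^128, s = 10^16: expected %.2e" % expected_iterations(128, 10**16))
```

The second measurement is the point of step (1): once the PRP's domain has first been shrunk to something only slightly larger than $s$ (here $2^{14}$ against $10^4$), the walk costs under two evaluations on average instead of the $2^{128}/10^{16}$ that starting from the full AES domain would require.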

Question 9
Let $(E, D)$ be a secure tweakable block cipher. Define the following MAC $(S, V)$:

   $S(k, m) := E(k, m, 0)$ ; $V(k, m, \mathrm{tag}) := \begin{cases} 1 & \text{if } E(k, m, 0) = \mathrm{tag} \\ 0 & \text{otherwise} \end{cases}$

In other words, the message $m$ is used as the tweak and the plaintext given to $E$ is always set to $0$. Is this MAC secure?

Your Answer | Score | Explanation

it depends on the tweakable block cipher. | |

yes | 1.00 | A tweakable block cipher is indistinguishable from a collection of random permutations. The chosen message attack on the MAC gives the attacker the image of 0 under a number of the permutations in the family. But that tells the attacker nothing about the image of 0 under some other member of the family.

no | |

Total 1.00 / 1.00

Question 10
In Lecture 7.6 we discussed padding oracle attacks. These chosen-ciphertext attacks can break poor implementations of MAC-then-encrypt. Consider a system that implements MAC-then-encrypt where encryption is done using CBC with a random IV using AES as the block cipher. Suppose the system is vulnerable to a padding oracle attack. An attacker intercepts a 64-byte ciphertext $c$ (the first 16 bytes of $c$ are the IV and the remaining 48 bytes are the encrypted payload). How many chosen ciphertext queries would the attacker need in the worst case in order to decrypt the entire 48 byte payload? Recall that padding oracle attacks decrypt the payload one byte at a time.

Your Answer | Score | Explanation

12288 | 1.00 | Correct. Padding oracle attacks decrypt the payload one byte at a time. For each byte the attacker needs no more than 256 guesses in the worst case. Since there are 48 bytes total, the number of queries needed is $256 \times 48 = 12288$.

1024 | |

12240 | |

256 | |

Total 1.00 / 1.00
