
NERDOLOGY! - Block Ciphers (Week - 2) - Cryptography I

The document discusses block ciphers and cryptography. It contains 3 multiple choice questions: 1) Ranks events from most to least likely, such as correctly guessing an AES key vs. winning the lottery multiple times. 2) Calculates how long it would take to brute force a 128-bit AES key, even with an unrealistic budget of $4 trillion for computers. 3) Identifies which alternatives could represent a secure pseudorandom function based on a given 128-bit block cipher.

Uploaded by

ludipova
3/1/2021 NERDOLOGY!: Block Ciphers (Week - 2) - Cryptography I

NERDOLOGY!
Tuesday, September 3, 2013

Block Ciphers (Week - 2) - Cryptography I


Score of 7.00 out of 9.00.
Question 1
Consider the following five events:

1. Correctly guessing a random 128-bit AES key on the first try.


2. Winning a lottery with 1 million contestants (the probability is 1/10^6).
3. Winning a lottery with 1 million contestants 5 times in a row (the probability is (1/10^6)^5).
4. Winning a lottery with 1 million contestants 6 times in a row.
5. Winning a lottery with 1 million contestants 7 times in a row.

What is the order of these events from most likely to least likely?
Answer choices:
3, 2, 5, 4, 1
2, 4, 3, 1, 5
2, 3, 4, 5, 1
2, 3, 4, 1, 5 (selected; Correct, score 1.00)

Explanation: The probability of event (1) is 1/2^128. The probability of event (5) is 1/(10^6)^7 which is about 1/2^{139}. Therefore, event (5) is the least likely. The probability of event (4) is 1/(10^6)^6 which is about 1/2^{119.5} which is more likely than event (1). The remaining events are all more likely than event (4).

Total: 1.00 / 1.00
Question 2
Suppose that using commodity hardware it is possible to build a computer for about $200
that can brute force about 1 billion AES keys per second. Suppose an organization wants to
run an exhaustive search for a single 128-bit AES key and was willing to spend 4 trillion
dollars to buy these machines (this is more than the annual US federal budget). How long
would it take the organization to brute force this single 128-bit AES key with these machines?
Ignore additional costs such as power and maintenance.
Answer choices:
More than an hour but less than a day
More than a billion (10^9) years (selected; Correct, score 1.00)
More than a month but less than a year
More than a day but less than a week
More than a million years but less than a billion (10^9) years

Explanation: The answer is about 540 billion years.
# machines = 4*10^12/200 = 2*10^10
# keys processed per sec = 10^9 * (2*10^10) = 2*10^19
# seconds = 2^128 / (2*10^19) = 1.7*10^19
This many seconds is about 540 billion years.

Total: 1.00 / 1.00
Question 3
Let F:{0,1}^n×{0,1}^n→{0,1}^n be a secure PRF (i.e. a PRF where the key space, input space, and output space are all {0,1}^n) and say n=128. Which of the following is a secure PRF (there is more than one correct answer):

Answer choices (each row lists the choice, its score, and the explanation):

F′(k,x) = F(k,x) when x≠0^n, and 0^n otherwise
Score: Correct, 0.17
Explanation: Not a PRF. A distinguisher will query at x=0^n and output not random if the response is 0^n. This is unlikely to hold for a truly random function.

F′(k,x) = k⨁x
Score: Correct, 0.17
Explanation: Not a PRF. A distinguisher will query at x=0^n and x=1^n and output not random if the xor of the response is 1^n. This is unlikely to hold for a truly random function.

F′(k,x) = F(k,x)[0,…,n−2] (i.e., F′(k,x) drops the last bit of F(k,x))
Score: Correct, 0.17
Explanation: Correct. A distinguisher for F′ gives a distinguisher for F.

F′(k,x) = reverse(F(k,x)) where reverse(y) reverses the string y so that the first bit of y is the last bit of reverse(y), the second bit of y is the second to last bit of reverse(y), and so on.
Score: Correct, 0.17
Explanation: Correct. A distinguisher for F′ gives a distinguisher for F.

F′((k1,k2),x) = F(k1,x) ∥ F(k2,x) (here ∥ denotes concatenation)
Score: Correct, 0.17
Explanation: Correct. A distinguisher for F′ gives a distinguisher for F.

F′(k,x) = F(k,x)⨁F(k,x⊕1^n)
Score: Correct, 0.17
Explanation: Not a PRF. A distinguisher will query at x=0^n and x=1^n and output not random whenever the two responses are equal. This is unlikely to happen for a truly random function.

Total: 1.00 / 1.00
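The three distinguishers from the Question 3 explanations, run against the constructions they break and against a lazily sampled random function. This is an added example, not part of the original post; HMAC-SHA256 truncated to 128 bits stands in for the secure PRF F, and all function names are assumptions.

```python
import hashlib
import hmac
import os

N = 128
ONES = (1 << N) - 1                      # the all-ones input 1^n

def F(k, x):
    """Stand-in for the secure PRF F (assumption): HMAC-SHA256 truncated to 128 bits."""
    mac = hmac.new(k, x.to_bytes(16, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:16], "big")

# The three constructions the explanations call "Not a PRF".
def f_zero(k, x):
    return F(k, x) if x != 0 else 0

def f_xor(k, x):
    return int.from_bytes(k, "big") ^ x

def f_pair(k, x):
    return F(k, x) ^ F(k, x ^ ONES)

# One construction the explanations accept: drop the last bit of F(k, x).
def f_trunc(k, x):
    return F(k, x) >> 1

# Distinguishers get oracle access only and return True for "not random".
def d_zero(oracle):
    return oracle(0) == 0

def d_xor(oracle):
    return (oracle(0) ^ oracle(ONES)) == ONES

def d_pair(oracle):
    return oracle(0) == oracle(ONES)

def random_function():
    """Truly random function {0,1}^128 -> {0,1}^128, sampled on first use."""
    table = {}
    return lambda x: table.setdefault(x, int.from_bytes(os.urandom(16), "big"))

def advantage(construction, distinguisher, trials=100):
    """Estimate |Pr[D says not-random | F'] - Pr[D says not-random | random f]|."""
    real = sum(distinguisher(lambda x, k=os.urandom(16): construction(k, x))
               for _ in range(trials))
    ideal = sum(distinguisher(random_function()) for _ in range(trials))
    return abs(real - ideal) / trials
```

Each broken construction is caught on every trial, while the same tests never fire on the truncated PRF or on the random function.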
Question 4
Recall that the Luby-Rackoff theorem states that applying a three round Feistel network to a secure PRF gives a secure block cipher. Let's see what goes wrong if we only use a two round Feistel. Let F:K×{0,1}^32→{0,1}^32 be a secure PRF. Recall that a 2-round Feistel defines the following PRP F2:K^2×{0,1}^64→{0,1}^64:

Here R0 is the right 32 bits of the 64-bit input and L0 is the left 32 bits.

One of the following lines is the output of this PRP F2 using a random key, while the other three are the output of a truly random permutation f:{0,1}^64→{0,1}^64. All 64-bit outputs are encoded as 16 hex characters. Can you say which is the output of the PRP? Note that since you are able to distinguish the output of F2 from random, F2 is not a secure block cipher, which is what we wanted to show.

Hint: First argue that there is a detectable pattern in the xor of F2(⋅,0^64) and F2(⋅,1^32 0^32). Then try to detect this pattern in the given outputs.

Answer choices:
On input 0^64 the output is "9f970f4e 932330e4". On input 1^32 0^32 the output is "6068f0b1 b645c008". (selected; Correct, score 1.00)
On input 0^64 the output is "7c2822eb fdc48bfb". On input 1^32 0^32 the output is "325032a9 c5e2364b".
On input 0^64 the output is "9d1a4f78 cb28d863". On input 1^32 0^32 the output is "75e5e3ea 773ec3e6".
On input 0^64 the output is "5f67abaf 5210722b". On input 1^32 0^32 the output is "bbe033c0 0bc9330e".

Explanation: Observe that the two round Feistel has the property that the left half of F(⋅,0^64)⨁F(⋅,1^32 0^32) is 1^32. The two outputs in this answer are the only ones with this property.

Total: 1.00 / 1.00
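The hint's pattern checked in code, as an added example that is not part of the original post: it applies the left-half test to the four answer choices, then runs it against a Feistel network with two and with three rounds. The round structure (L, R) -> (R, L xor F(k, R)) is the standard Feistel round, assumed here because the post's figure is missing; HMAC-SHA256 truncated to 32 bits stands in for F, and the function names are assumptions.

```python
import hashlib
import hmac
import os

def prf(key, x):
    """Stand-in for the secure PRF F (assumption): HMAC-SHA256 truncated to 32 bits."""
    mac = hmac.new(key, x.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def feistel(keys, block):
    """One Feistel round per key on a 64-bit block: (L, R) -> (R, L xor F(k, R))."""
    left, right = block >> 32, block & 0xFFFFFFFF
    for k in keys:
        left, right = right, left ^ prf(k, right)
    return left << 32 | right

def looks_like_feistel2(out_zero, out_ones_zero):
    """True if the left halves of the outputs on 0^64 and 1^32 0^32 XOR to 1^32."""
    return (out_zero ^ out_ones_zero) >> 32 == 0xFFFFFFFF

# The four answer choices: (output on 0^64, output on 1^32 0^32).
CANDIDATES = [
    ("9f970f4e932330e4", "6068f0b1b645c008"),
    ("7c2822ebfdc48bfb", "325032a9c5e2364b"),
    ("9d1a4f78cb28d863", "75e5e3ea773ec3e6"),
    ("5f67abaf5210722b", "bbe033c00bc9330e"),
]

def flagged_candidates():
    """Indices of the answer choices that show the 2-round pattern."""
    return [i for i, (a, b) in enumerate(CANDIDATES)
            if looks_like_feistel2(int(a, 16), int(b, 16))]

def distinguisher_hits(rounds, trials=200):
    """Fraction of fresh random keys for which the pattern appears."""
    hits = 0
    for _ in range(trials):
        keys = [os.urandom(16) for _ in range(rounds)]
        hits += looks_like_feistel2(feistel(keys, 0),
                                    feistel(keys, 0xFFFFFFFF << 32))
    return hits / trials
```

With two rounds the left output half is L0 xor F(k1, R0), so flipping every bit of L0 flips every bit of that half regardless of the key; a third round removes the pattern.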
Question 5
Nonce-based CBC. Recall that if one wants to use CBC encryption with a non-random unique nonce then the nonce must first be encrypted with an independent PRP key and the result then used as the CBC IV. Let's see what goes wrong if one encrypts the nonce with the same PRP key as the key used for CBC encryption.

Let F:K×{0,1}^ℓ→{0,1}^ℓ be a secure PRP with, say, ℓ=128. Let n be a nonce and suppose one encrypts a message m by first computing IV=F(k,n) and then using this IV in CBC encryption using F(k,⋅). Note that the same key k is used for computing the IV and for CBC encryption. We show that the resulting system is not nonce-based CPA secure.

The attacker begins by asking for the encryption of the two block message m=(0^ℓ,0^ℓ) with nonce n=0^ℓ. It receives back a two block ciphertext (c0,c1). Observe that by definition of CBC we know that c1=F(k,c0). Next, the attacker asks for the encryption of the one block message m1=c0⨁c1 with nonce n=c0. It receives back a one block ciphertext c0′.

What relation holds between c0,c1,c0′? Note that this relation lets the adversary win the nonce-based CPA game with advantage 1.

Answer choices:
c1=0^ℓ
c0′=c0⨁1^ℓ (selected; Incorrect, score 0.00)
c1=c0
c1=c0′

Explanation: The correct answer follows from the definition of CBC with an encrypted nonce as defined in the question. It might help to review the definition of CBC.
Total: 0.00 / 1.00

This blog 'Nerdology!' by Jay is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License.

Question 6
Let m be a message consisting of ℓ AES blocks (say ℓ=100). Alice encrypts m using CBC
mode and transmits the resulting ciphertext to Bob. Due to a network error, ciphertext block
number ℓ/2 is corrupted during transmission. All other ciphertext blocks are transmitted and
received correctly. Once Bob decrypts the received ciphertext, how many plaintext blocks will
be corrupted?
Answer choices:
3
1+ℓ/2
2 (selected; Correct, score 1.00)
0

Explanation: Take a look at the CBC decryption circuit. Each ciphertext block affects only the current plaintext block and the next.

Total: 1.00 / 1.00
Question 7
Let m be a message consisting of ℓ AES blocks (say ℓ=100 ). Alice encrypts m using
randomized counter mode and transmits the resulting ciphertext to Bob. Due to a network
error, ciphertext block number ℓ/2 is corrupted during transmission. All other ciphertext
blocks are transmitted and received correctly. Once Bob decrypts the received ciphertext,
how many plaintext blocks will be corrupted?
Answer choices:
3
1+ℓ/2
1 (selected; Correct, score 1.00)
0

Explanation: Take a look at the counter mode decryption circuit. Each ciphertext block affects only the current plaintext block.

Total: 1.00 / 1.00
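Questions 5, 6 and 7 all follow from the CBC and counter mode definitions, so one added example (not part of the original post) covers them: it replays the two queries of Question 5 and counts the plaintext blocks damaged by one corrupted ciphertext block in each mode. A seeded random permutation on 16-bit blocks stands in for AES, ciphertexts are returned without the IV, and all names are assumptions.

```python
import random

BITS = 16                       # toy block size (assumption); the quiz uses 128-bit blocks
ONES = (1 << BITS) - 1

def make_prp(seed):
    """Random permutation of {0,1}^BITS and its inverse, standing in for F(k, .)."""
    fwd = list(range(1 << BITS))
    random.Random(seed).shuffle(fwd)
    inv = [0] * len(fwd)
    for x, y in enumerate(fwd):
        inv[y] = x
    return fwd, inv

def cbc_encrypt(fwd, iv, msg):
    out, prev = [], iv
    for m in msg:
        prev = fwd[prev ^ m]    # c[i] = F(k, c[i-1] xor m[i]), with c[-1] = IV
        out.append(prev)
    return out

def cbc_decrypt(inv, iv, ct):
    return [inv[c] ^ p for c, p in zip(ct, [iv] + ct[:-1])]

def ctr_crypt(fwd, iv, blocks):
    """Counter mode; the same operation encrypts and decrypts."""
    return [b ^ fwd[(iv + i) & ONES] for i, b in enumerate(blocks)]

def nonce_cbc_same_key(fwd, nonce, msg):
    """Question 5's flawed scheme: IV = F(k, nonce) under the CBC key itself."""
    return cbc_encrypt(fwd, fwd[nonce], msg)

def question5_relation(seed):
    fwd, _ = make_prp(seed)
    c0, c1 = nonce_cbc_same_key(fwd, 0, [0, 0])
    # Second query: IV' = F(k, c0) = c1, so c0' = F(k, c1 ^ c0 ^ c1) = F(k, c0).
    (c0_prime,) = nonce_cbc_same_key(fwd, c0, [c0 ^ c1])
    return c0, c1, c0_prime

def corrupted_plaintext_blocks(mode, seed, n_blocks=100):
    fwd, inv = make_prp(seed)
    rng = random.Random(seed + 1)
    msg = [rng.randrange(1 << BITS) for _ in range(n_blocks)]
    iv = rng.randrange(1 << BITS)
    ct = cbc_encrypt(fwd, iv, msg) if mode == "cbc" else ctr_crypt(fwd, iv, msg)
    ct[n_blocks // 2] ^= 1      # network error in ciphertext block l/2
    pt = cbc_decrypt(inv, iv, ct) if mode == "cbc" else ctr_crypt(fwd, iv, ct)
    return sum(a != b for a, b in zip(msg, pt))
```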
Question 8
Recall that encryption systems do not fully hide the length of transmitted messages. Leaking
the length of web requests has been used to eavesdrop on encrypted HTTPS traffic to a
number of web sites, such as tax preparation sites, Google searches, and healthcare sites.
Suppose an attacker intercepts a packet where he knows that the packet payload is
encrypted using AES in CBC mode with a random IV. The encrypted packet payload is 128
bytes. Which of the following messages is plausibly the decryption of the payload:
Answer choices:
'If qualified opinions incline to believe in the exponential conjecture, then I think we cannot afford not to make use of it.'
'The significance of this general conjecture, assuming its truth, is easy to see. It means that it may be feasible to design ciphers that are effectively unbreakable.'
'We see immediately that one needs little information to begin to break down the process.' (selected; Incorrect, score 0.00)
'In this letter I make some remarks on a general principle relevant to enciphering in general and my machine.'

Explanation: The length of the string is 87 bytes, which after padding becomes 96 bytes, and after prepending the IV would become 112 bytes.

Total: 0.00 / 1.00
Question 9
Let R:={0,1}^4 and consider the following PRF F:R^5×R→R defined as follows:

F(k,x):=
  t = k[0]
  for i=1 to 4 do
    if (x[i−1]==1) t = t⊕k[i]
  output t

That is, the key is k=(k[0],k[1],k[2],k[3],k[4]) in R^5 and the function at, for example, 0101 is defined as F(k,0101)=k[0]⊕k[2]⊕k[4].

For a random key k unknown to you, you learn that


F(k,0110)=0011 and F(k,0101)=1010 and F(k,1110)=0110 .
What is the value of F(k,1101) ? Note that since you are able to predict the function at a
new point, this PRF is insecure.
You entered:
1111

Your Answer Score Explanation


1111 Correct 1.00
Total 1.00 / 1.00
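Why the value can be predicted, as an added example that is not part of the original post: F(k,x) is linear over GF(2) in the 5-bit vector (1, x), so any input whose vector is an XOR of already-queried vectors has a known output. The code generalizes the quiz's single case to any set of known pairs using a small XOR basis; the function names are assumptions.

```python
def F(k, x):
    """The quiz's PRF: k is a list of five 4-bit ints, x a 4-bit string such as '0101'."""
    t = k[0]
    for i in range(1, 5):
        if x[i - 1] == "1":
            t ^= k[i]
    return t

def predict(known, target):
    """Predict F(k, target) from known {x: F(k, x)} pairs, without the key.

    Each input x is encoded as the 5-bit vector (1, x); the leading 1 accounts
    for k[0], which is always included. If (1, target) is an XOR of known
    vectors, the same XOR of the known outputs equals F(k, target).
    Returns None when the target is not in the span of the known inputs.
    """
    basis = {}                            # pivot bit -> (vector, output)

    def reduce(v, y):
        for bit in range(4, -1, -1):
            if (v >> bit) & 1 and bit in basis:
                bv, by = basis[bit]
                v, y = v ^ bv, y ^ by
        return v, y

    for x, out in known.items():
        v, y = reduce(0b10000 | int(x, 2), out)
        if v:                             # linearly independent: extend the basis
            basis[v.bit_length() - 1] = (v, y)

    v, y = reduce(0b10000 | int(target, 2), 0)
    return y if v == 0 else None

# The three values given in the question.
QUIZ_KNOWN = {"0110": 0b0011, "0101": 0b1010, "1110": 0b0110}
```

Calling `predict(QUIZ_KNOWN, "1101")` combines the three known outputs, since (1,0110) xor (1,0101) xor (1,1110) = (1,1101).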

Posted by Jay at Tuesday, September 03, 2013

Labels: Coursera, Cryptography I, Stanford
