
First Exam

This document is an exam paper for a Cryptography and Cryptanalysis course at Palestine Polytechnic University. It includes various problems related to message authentication codes (MACs), incremental PMAC, protocols for message integrity and confidentiality, and ElGamal digital signatures. The exam consists of multiple questions requiring theoretical explanations and practical demonstrations of cryptographic concepts.


PALESTINE POLYTECHNIC UNIVERSITY

COLLEGE OF INFORMATION TECHNOLOGY AND COMPUTER ENGINEERING


CRYPTOGRAPHY AND CRYPTANALYSIS
FIRST EXAM – FIRST SEMESTER 2021/2022
Student Name: _________________________ Name (Arabic): _________________________
Date: 21/03/2022 Student Number: _____________________
Time: 70 Minutes Instructor: Dr. Eng. Mousa Farajallah

Question no    Q1    Q2    Q3    Q4    Q4    Total Grade
               (20)  (20)  (10)  (30)  (30)  105
Grade

Problem 1) Let F be a PRF. Show that each of the following MACs is insecure, even if used to
authenticate fixed-length messages.

1- To authenticate a message $m = m_1, m_2, m_3, \ldots, m_l$, where $m_i \in \{0,1\}^n$, compute

$$t := F_k(m_1) \oplus \cdots \oplus F_k(m_l)$$

$$m_{12} = m_1, m_2$$

$$t_{12} = F_k(m_1) \oplus F_k(m_2)$$

$$m_{21} = m_2, m_1$$

$$t_{21} = F_k(m_2) \oplus F_k(m_1) = t_{12}$$

2- To authenticate a message $m = m_1, m_2, m_3, \ldots, m_l$, where $m_i \in \{0,1\}^l$, the tag is calculated as:

$$t := F_k(1 \| m_1) \oplus F_k(2 \| m_2) \oplus \cdots \oplus F_k(l \| m_l)$$

$$m_{12} = m_1, m_2$$

$$t_{12} = F_k(1 \| m_1) \oplus F_k(2 \| m_2)$$

$$m_{1x} = m_1, m_x$$

$$t_{1x} = F_k(1 \| m_1) \oplus F_k(2 \| m_x)$$

$$m_{x2} = m_x, m_2$$

$$t_{x2} = F_k(1 \| m_x) \oplus F_k(2 \| m_2)$$

$$t_{12} \oplus t_{1x} \oplus t_{x2} = F_k(1 \| m_1) \oplus F_k(2 \| m_2) \oplus F_k(1 \| m_1) \oplus F_k(2 \| m_x) \oplus F_k(1 \| m_x) \oplus F_k(2 \| m_2)$$
Quality_Assurance_Unit_Exam_Template_2008 1/4
$$t_{xx} = F_k(2 \| m_x) \oplus F_k(1 \| m_x)$$

$$m_{xx} = m_x, m_x$$
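
The two forgeries above can be checked mechanically. The following is an added example, not part of the exam: it assumes HMAC-SHA256 as a stand-in for the PRF F and one-byte block indices, and the function names and the `mac_whole` contrast are illustrative.

```python
import hashlib
import hmac
import os
from functools import reduce

KEY = os.urandom(32)  # secret key k; the forger only sees tags, never KEY

def F(data: bytes) -> bytes:
    """Stand-in PRF (assumption): HMAC-SHA256 under KEY."""
    return hmac.new(KEY, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def mac1(blocks):
    """Scheme 1: t = F_k(m_1) xor ... xor F_k(m_l)."""
    return reduce(xor, (F(b) for b in blocks))

def mac2(blocks):
    """Scheme 2: t = F_k(1||m_1) xor ... xor F_k(l||m_l)."""
    return reduce(xor, (F(bytes([i]) + b) for i, b in enumerate(blocks, 1)))

def mac_whole(blocks):
    """Contrast: one PRF call over the whole fixed-length message."""
    return F(b"".join(blocks))

def forge_scheme1(tag, m1, m2):
    """One query on (m1, m2) yields a valid tag for the unqueried (m2, m1)."""
    return [m2, m1], tag([m1, m2])

def forge_scheme2(tag, m1, m2, mx):
    """Three queries yield t_12 xor t_1x xor t_x2 = t_xx for the unqueried (mx, mx)."""
    t12, t1x, tx2 = tag([m1, m2]), tag([m1, mx]), tag([mx, m2])
    return [mx, mx], xor(xor(t12, t1x), tx2)

# Constructed sample blocks, all the same length.
M1, M2, MX = b"block-01", b"block-02", b"block-0x"
```

Both forged pairs verify under their scheme, while the same reordering does not carry over to `mac_whole`, where the tag depends on the message as a single PRF input.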

Problem 2) Show that PMAC is incremental.

Problem 3) Given are two protocols in which the sender’s party performs the following operation:

Where x is the message, H is a hash function such as SHA-1, e is a symmetric-key encryption algorithm, E is a public-key encryption algorithm, “||” denotes simple concatenation, and $k_1$, $k_2$ are secret keys which are only known to the sender and the receiver.

Where k is a shared secret key, $k_{pr}$ is a private key of the sender (not shared with the receiver) and $k_{pub}$ is a public key of the receiver.

a) Provide a step-by-step description of what the receiver does upon reception of y.

Protocol A receiver steps:
- Decrypt y using $k_1$ to obtain $x \| H(k_2 \| x)$
- Extract $x$ from the concatenated data
- Hash $x$ using $k_2$ and compare the result with $H(k_2 \| x)$

Protocol B receiver steps:
- Decrypt y using the private key of the receiver $k_{prr}$ to obtain $H(x)$
- Hash $x$ and compare the result with $H(x)$

b) State whether the following security services are achieved using each protocol:

Protocol A (Yes / No / Why?)

- Integrity: x | Why: Uses hashing based on a key shared between the sender and the receiver.
- Non-repudiation: x | Why: Anyone, including the sender and the receiver, can claim not to have received the message, or that the message was created by the other party.
- Confidentiality: x | Why: Uses encryption.

Protocol B (Yes / No / Why?)

- Integrity: x | Why: The adversary can change the message and recompute the new hash!
- Non-repudiation: x | Why: The adversary can change the message and recompute the new hash!
- Confidentiality: x | Why: The public key of the sender can be reached by all.

Problem 4) The Frozen ElGamal Digital Signature has the same key generation as the original
ElGamal Digital Signature, which means that the receiver generates the public key PKA and private
key SKA as follows:
1. Receiver generates a large prime p and an integer α satisfying $1 \le \alpha < (p - 1)$, where α must be
a primitive element.
2. Receiver then generates an integer a with $1 \le a < (p - 1)$, and computes
$\beta = \alpha^a \bmod p$.
3. Receiver public key is PKA = (p, α, β), and private key is SKA = a.

Receiver publishes PKA, and keeps SKA as a secret.


Sender generates his (public key, private key) pair, (PKK, SKK) in a similar fashion.

The Frozen ElGamal Digital Signature differs, however, in the signing and the verification phases.

A- Assume that the sender generates a random number k such that $1 \le k \le (p - 2)$ and $\gcd(k, p - 1) = 1$, and then computes:

$$r = \alpha^k \bmod p$$

$$s = a^{-1}(m - kr) \pmod{p - 1}$$

Show that the verification:

$$\alpha^m = (\alpha^a)^s \, r^r \bmod p$$

is a valid verification procedure.

B- Assume again that the sender generates a random number k such that $1 \le k \le (p - 2)$ and $\gcd(k, p - 1) = 1$, and then computes:

$$r = \alpha^k \bmod p$$

$$s = am + kr \pmod{p - 1}$$

Show that the verification:

$$\alpha^s = (\alpha^a)^m \, r^r \bmod p$$

is a valid verification procedure.
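
Both variants can be exercised numerically; the comments in the verifiers carry the exponent argument. This is an added example, not part of the exam: the toy parameters (p = 467, α = 2), the sample key, nonce and message, the function names, and the range check on r are assumptions made here.

```python
from math import gcd

# Toy parameters (constructed): 467 is prime and 2 is a primitive element mod 467.
P, ALPHA = 467, 2

def public_key(a):
    """beta = alpha^a mod p for private key a."""
    return pow(ALPHA, a, P)

def _commit(k):
    """r = alpha^k mod p, enforcing the exam's conditions on k."""
    if not (1 <= k <= P - 2 and gcd(k, P - 1) == 1):
        raise ValueError("need 1 <= k <= p-2 and gcd(k, p-1) = 1")
    return pow(ALPHA, k, P)

def sign_a(m, a, k):
    """Variant A: s = a^-1 (m - k r) mod (p-1)."""
    if gcd(a, P - 1) != 1:
        # Caveat: a^-1 mod (p-1) exists only for such a, which key generation does not guarantee.
        raise ValueError("variant A needs gcd(a, p-1) = 1")
    r = _commit(k)
    return r, pow(a, -1, P - 1) * (m - k * r) % (P - 1)

def verify_a(m, r, s, beta):
    # beta^s * r^r = alpha^(a*s + k*r) = alpha^((m - k*r) + k*r) = alpha^m (mod p),
    # because exponents of alpha are taken mod p-1.
    return 0 < r < P and pow(ALPHA, m, P) == pow(beta, s, P) * pow(r, r, P) % P

def sign_b(m, a, k):
    """Variant B: s = a m + k r mod (p-1)."""
    r = _commit(k)
    return r, (a * m + k * r) % (P - 1)

def verify_b(m, r, s, beta):
    # alpha^s = alpha^(a*m + k*r) = (alpha^a)^m * (alpha^k)^r = beta^m * r^r (mod p)
    return 0 < r < P and pow(ALPHA, s, P) == pow(beta, m, P) * pow(r, r, P) % P

# Constructed sample values: private key a, nonce k, message m.
A_PRIV, K, MSG = 127, 213, 100
BETA = public_key(A_PRIV)
```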

Using a padding oracle against CBC-mode encryption, and assuming that each block is 4 bytes of data,
show the complete cryptanalysis steps to find the values of m[0] = {2,5,2,1}.

$$m_{03} = x_{03} \oplus IV_3$$

Step 1:

$$\overline{IV_3} = IV_3 \oplus g_3 \oplus 1$$

$g_3 = 0$:
$$\overline{m_{03}} = x_{03} \oplus IV_3 \oplus g_3 \oplus 1 = m_{03} \oplus g_3 \oplus 1 = 1 \oplus 0 \oplus 1 = 0 \quad \text{(Reject)}$$

$g_3 = 1$:
$$\overline{m_{03}} = x_{03} \oplus IV_3 \oplus g_3 \oplus 1 = m_{03} \oplus g_3 \oplus 1 = 1 \oplus 1 \oplus 1 = 1 \quad \text{(Accept)}$$

Step 2:

$$\overline{IV_3} = IV_3 \oplus 1 \oplus 2$$
$$\overline{m_{03}} = x_{03} \oplus IV_3 \oplus 1 \oplus 2 = 1 \oplus 1 \oplus 2 = 2$$

$$\overline{IV_2} = IV_2 \oplus g_2 \oplus 2$$

$g_2 = 0$:
$$\overline{m_{02}} = x_{02} \oplus IV_2 \oplus g_2 \oplus 2 = m_{02} \oplus g_2 \oplus 2 = 2 \oplus 0 \oplus 2 = 0 \quad \text{(Reject)}$$

$g_2 = 1$:
$$\overline{m_{02}} = x_{02} \oplus IV_2 \oplus 1 \oplus 2 = m_{02} \oplus 1 \oplus 2 = 2 \oplus 1 \oplus 2 = 1 \quad \text{(Reject)}$$

$g_2 = 2$:
$$\overline{m_{02}} = x_{02} \oplus IV_2 \oplus 2 \oplus 2 = m_{02} \oplus 2 \oplus 2 = 2 \oplus 2 \oplus 2 = 2 \quad \text{(Accept)}$$

Step 3:

$$\overline{IV_3} = IV_3 \oplus 1 \oplus 3$$
$$\overline{m_{03}} = x_{03} \oplus IV_3 \oplus 1 \oplus 3 = 1 \oplus 1 \oplus 3 = 3$$

$$\overline{IV_2} = IV_2 \oplus 2 \oplus 3$$
$$\overline{m_{02}} = x_{02} \oplus IV_2 \oplus 2 \oplus 3 = m_{02} \oplus 2 \oplus 3 = 2 \oplus 2 \oplus 3 = 3$$

$$\overline{IV_1} = IV_1 \oplus g_1 \oplus 3$$

$g_1 = 0$:
$$\overline{m_{01}} = x_{01} \oplus IV_1 \oplus g_1 \oplus 3 = m_{01} \oplus g_1 \oplus 3 = 5 \oplus 0 \oplus 3 = 6 \quad \text{(Reject)}$$

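
The accept/reject trace above can be reproduced against an in-memory model of the oracle. This is an added example, not part of the exam: the IV bytes are constructed, $x_0$ stands for the block-cipher decryption of the first ciphertext block, and the function names and the extra probe that distinguishes a one-byte padding from a longer one are assumptions made here.

```python
BLOCK = 4
M0 = [2, 5, 2, 1]                      # the exam's plaintext block m[0]
IV = [0x3A, 0x91, 0x7C, 0x0E]          # constructed sample IV
X0 = [m ^ v for m, v in zip(M0, IV)]   # x0 = D_k(c[0]); held by the receiver only

def oracle(iv):
    """Receiver model: decrypt with the supplied IV, reveal only padding validity."""
    m = [x ^ v for x, v in zip(X0, iv)]
    n = m[-1]
    return 1 <= n <= BLOCK and m[-n:] == [n] * n

def recover_block(iv, query):
    """Run the exam's steps; returns (recovered bytes, rejected guesses per index)."""
    found = [0] * BLOCK
    rejected = {}
    for i in range(BLOCK - 1, -1, -1):
        n = BLOCK - i                        # padding value targeted in this step
        forged = list(iv)
        for j in range(i + 1, BLOCK):        # known bytes: IV_j-bar = IV_j xor m_j xor n
            forged[j] = iv[j] ^ found[j] ^ n
        rejected[i] = []
        for g in range(256):
            forged[i] = iv[i] ^ g ^ n        # IV_i-bar = IV_i xor g_i xor n
            ok = query(forged)
            if ok and n == 1:
                # An accept in step 1 may come from a longer padding such as {2,2};
                # changing the previous byte must not affect a genuine {1}.
                probe = list(forged)
                probe[i - 1] ^= 0xFF
                ok = query(probe)
            if ok:
                found[i] = g
                break
            rejected[i].append(g)
    return found, rejected
```

The only signal used is whether the receiver reports valid padding, so a receiver that verifies a MAC over the IV and ciphertext before decrypting never answers these modified-IV queries.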
