Introduction

Cipher text are provided for questions 1, 2 and 5

You are free to use any method you wish for cracking the ciphertexts. You can use the facilities of CrypTool, you can write your own code, you can do it by hand, or use any other method.

Submission

You should submit one pdf file that explains comprehensively what you have done for each question, i.e., if you have 5 sub-parts, you should explain what each subpart contains

Questions

1 Modes of Operation [20%]

You are given an encryption of the message below, encrypted with an AES key and an initialisation value (which you are not given) using CBC with PKCS7 padding. The plaintext is about a meeting

Please meet me at Guildford Station: 7:00 be prompt!

1. Give a ciphertext (encrypted under the same AES key by using the same IV value) which corresponds to the meeting held an hour and a half later. Please provide details on how you change the ciphertext and clearly mark your changed numbers in the new ciphertext in bold. [4%]

2. State what other parts of the plaintext will change as a result of the change in (1). [2%]

3. Explain why you cannot employ the approach used to solve part (1) to change the statement from “Please meet me” to “Our rendezvous”. [2%]

4. Explain why you cannot employ the approach used to solve part (1) to change the location word, e.g., from “Station:” to “Bus Stop” within the plaintext. [2%]

5. Discuss that if this application uses AES-CTR instead of AES-CBC, what will happen. Can you solve (1), (3) and (4)? Explain your answer. [5%]

6. Suggest an encryption mode in order to avoid your attack in 1) and explain why it works.

You cannot use ECB since this is not strong enough and you cannot suggest Encrypt-then- MAC either since this is not a mode of encryption operation. [5%]

[Hint: Do not try to invent a new mode]

2 Vigenere Cipher [15%]

Claude wants to encrypt some 10 letter words from the list at http://www.bestwordlist.com/

10letterwords.htm by using the Vigenere cipher. This file is also provided in the project file.

He chooses two 10 letter words: w1 and w2. He also chooses a random string k of 10 characters and use it as his keyword for the Vigenere cipher.

He encrypts each of these two words with the key to produce two ciphertexts c1 and c2. You are provided with these two ciphertexts.

The fact that he has used the key more than once means that there is an opportunity to crack the encryption. This question asks you to work out how this can be done.

1. Give the two plaintexts (w1, w2) and the original key k. [8%]

2. Explain your method for solving this problem. [7%]

3 Block Cipher [15%]

Consider a symmetric encryption scheme with its encryption operation written as

C = E(K, R||P ),

where E is an encryption algorithm, K is an encryption key, R is a random nonce, P is a plaintext, C is a ciphertext, and “||” denotes concatenation. To implement the encryption algorithm E, the scheme makes use of either TripleDES or AES:

• TripleDES has either a 112-bit or 168-bit key and a 64-bit block.

• AES has a 128-bit, 192-bit or 256-bit key and a 128-bit block.

Let the length of R (and P ) be a half of the block size, so R||P is exactly one block long. The value R is freshly generated and never reused.

1. Explain that given K and C, how one can compute P . [2%]

2. Assume that an adversary has the capability to choose arbitrary plaintexts and obtain the corresponding ciphertexts. This is done through an oracle, to which the adversary can submit a number of encryption queries. In each query, the adversary chooses a pair of plaintexts, P0 and P1, and sends them to the oracle. After receiving q such queries, the oracle will respond with the encryptions of the first plaintexts P0 for all pairs in the q queries, or the encryptions of the second plaintexts P1 for all the pairs in the q queries. The goal of the adversary is to discover which set of these two sets of plaintexts were encrypted, i.e, the adversary needs to say if the oracle chose the first or the second plaintexts (P0 or P1). Such an attack is called a chosen-plaintext attack (CPA).

How big should the value q be in order that an adversary is able to correctly guess the encrypted plaintext set with probability greater than 1/2? To answer this question, please consider both of these two different underlying block ciphers: TripleDES and AES.

(You may find useful the following fact (also known as the birthday paradox): the probability of a collision when throwing q balls into b buckets is approximately q2/2b) [10%]

3. Is the scheme CPA secure? Explain your answer.

(If the number q is sufficiently large so it is not computationally feasible for the adversary to correctly guess the plaintext set, we say that the scheme is CPA secure.) [3%]

4 Hash Function and Message Authentication Code [15%]

1. Consider the hash function defined by encrypting an n-block message m = (m1, m2, …, mn) in the CBC mode (such as AES-CBC), where the hash result is the last ciphertext block Cn. The initialisation value IV is an arbitrary one block long number, and the encryption key K is publicly available. Is this hash function collision resistant? Provide a proof of your answer. [8%]

2. Consider the previous hash function is used to implement a MAC (where the MAC key is not publicly known) and then further to implement an authenticated encryption scheme by following the Encrypt-then-MAC approach. Assume that both the encryption algorithm and MAC function make use of AES-CBC. Assume also that the same IV value will be used in both the encryption algorithm and the MAC function. Does this authenticated encryption scheme achieve data confidentiality and data integrity? Explain why. [7%]

5 RSA [13%]

You are given an RSA public key (exponent and modulus), and a plaintext encrypted using the

Javax implementation of RSA/ECB/NoPadding with that key.

There are two ways you can approach this problem:

• Factorise the modulus of the public key to obtain p and q, then compute (p − 1)(q − 1)

and work out the private key from that, to decrypt the ciphertext.

• Use a dictionary attack (the coursework website provides a dictionary: english.txt).

1. What is the computationally hard problem that security of the RSA encryption is based on? [2%]

2. Use one of these two methods to obtain the plaintext. [3%]

3. Explain how you applied your method to this problem. [2%]

4. Explain why the approach you use is better than the other one. [3%]

5. If using RSA with OAEP, does your method still work? Explain your answer. [3%]

6 Discrete Logarithm [22%]

Alice and Bob need to digitally sign a contract C. They agree to use the Schnorr signature scheme with public parameters (g – generator, p – modulus, q – group order, H – hash function). Alice’s private key is a and public key is A = ga mod p, and Bob’s private key is b and public key is B = gb mod p. Please consider the following two scenarios:

Scenario 1.

If Alice and Bob trust each other, they separately sign the contract and exchange their signatures.

• To create a Schnorr signature, Alice chooses a random value r, computes h = H(gr mod p || C) and s = r − h · a mod q, and outputs the signature σ = (h, s). Here “||” denotes concatenation.

• Bob would use the same procedure to create his own Schnorr signature.

1. Please explain how Alice’s Schnorr signature can be verified. [2%]

2. What is the computationally hard problem that security of the Schnorr signature scheme is based on? [2%]

Scenario 2.

If Alice and Bob do not fully trust each other and neither of them wants to send their signature to the other before they receive the other’s signature, they agree to run a protocol as follows:

• Alice chooses a random value r1, generates a commitment value f, computes h = H(gr1 · Bf mod p || C), h1 = h−f mod q, and s1 = r1 −h1 ·a mod q, and sends σ1 = (s1, h1, f) as a partial signature to Bob.

• After Bob receives σ1, he first verifies it and then chooses a random value r2, computes h0 = H(gr2 · Af mod p || C), h2 = h0 − f mod q, and s2 = r2 − h2 · b mod q, and sends σ2 = (s2, h2, f) as a partial signature to Alice.

• After Alice receives σ2, she first verifies it and then releases a piece of information, say D, that indicates how she computed the commitment value f. This information allows Alice’s and Bob’s signatures to be completed.

1. Given σ1, how can Bob verify it to find out whether this is a signature from Alice or not?

Explain your reasoning. [2%]

2. Given σ1, a third party, Chris, cannot find out whether Alice or Bob created this signature.

Why not? Why does this matter? [3%]

3. Given σ1 and σ2, can Chris now find who has created these two signatures? If so, how;

and if not, why not? [3%]

4. The information D allows Chris to verify σ1 was created by Alice and σ2 was created by Bob. (D, σ1) and (D, σ2) are Alice’s and Bob’s full signatures respectively. What is D and what is its relationship to f? Explain your answer. [4%]

5. Explain how (D, σ1) and (D, σ2) can be verified. [2%]

6. Should Alice and Bob be satisfied that this protocol is fair? [4%]

Order Now

Payment Methods

All online transactions are done using all major Credit Cards or Electronic Check through PayPal. These are safe, secure, and efficient online payment methods.

Our customer support team is here to answer your questions. Ask us anything!

👋 Hi, how can I help?