2 views

Uploaded by Åshish

- Security 3rd Gen Pub Key V11
- Cryptography
- Cracking Method
- Sap PLM Ehs Dms Config
- Contribute Implementación CS5
- 4th UNIT NS-415
- cyber law
- The Fatass and the Jackass
- Crypt
- V4I1-0299
- w2v2-manual
- ETABS_Install_Instructions
- 5-OptiX iManager T2000 V2R7C01 FAQ-20081208-A.ppt
- hidden data in PE file secret messages.pdf
- Download 2
- skein1.1
- Internationl Mining July 2011 LR
- whm.txt
- System Programing Project
- FortiClient Android 5.6 User Guide

You are on page 1of 10

You submitted this homework on Wed 12 Feb 2014 11:14 AM PST. You got a score

of 6.55 out of 10.00. You can attempt again in 10 minutes.

Question 1

Suppose a MAC system (S, V ) is used to protect files in a file system by appending a MAC tag to

each file. The MAC signing algorithm S is applied to the file contents and nothing else. What

contents.

contents.

of one file with the tag and contents

of a file from another computer

protected by the same MAC system,

but a different key.

Changing the last modification 1.00 The MAC signing algorithm is only applied

time of a file. to the file contents and does not protect

the file meta data.

Total 1.00 /

1.00

Question 2

n

Let (S, V ) be a secure MAC defined over (K, M , T ) where M = {0, 1} and

128 n

T = {0, 1} (i.e. the key space is K , message space is {0, 1} , and tag space is

128

{0, 1} ). Which of the following is a secure MAC: (as usual, we use ∥

∥ to denote string

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 1/10

8/26/2014 Homework Feedback | Coursera

concatenation)

′ ′

′ (S , V )

S (k, m) = S(k, m)[0, … , 126] and

gives a forger

′

V (k, m, t) = [V (k, m, t∥

∥ 0) or V (k, m, t∥

∥1) ] for (S, V ).

′

(i.e., V (k, m, t) outputs ``1'' if either t∥

∥0 or t∥

∥1 is a valid tag for m)

′

S (k, m) = S(k, m ⊕ m) and 0.00 This

′

V (k, m, t) = V (k, m ⊕ m, t) construction is

insecure

because an

adversary can

request the

tag for

n

m = 0 and

thereby obtain

a tag for any

message.

This follows

from the fact

that

m ⊕ m = 0.

′ ′

′ (S , V )

S (k, m) = [t ← S(k, m), output (t, t) ) and

gives a forger

V (k, m, t1 ) if t1 = t2

V

′

(k, m, (t1 , t2 )) = {

for (S, V ).

"0" otherwise

′

(i.e., V (k, m, (t1 , t2 )) only outputs "1" if t1 and t2 are equal and

valid)

′

S (k, m) = S(k, m) and 0.17 This

′ V (k, m, t) if m ≠ 0

n

construction is

V (k, m, t) = {

``1'' otherwise insecure

because the

adversary can

simply output

n s

(0 , 0 ) as

an existential

forgery.

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 2/10

8/26/2014 Homework Feedback | Coursera

′ ′

′ (S , V )

S (( k1 , k2 ), m) = (S(k1 , m), S(k2 , m)) and

gives a forger

′

V ((k1 , k2 ), m, ( t1 , t2 )) = [V (k1 , m, t1 ) and V (k2 , m, t2 )] for (S, V ).

′

(i.e., V ((k1 , k2 ), m, (t1 , t2 )) outputs ``1'' if both t1 and t2 are valid

tags)

′

S (k, m) = S(k, m[0, … , n − 2]∥

∥ 0) and 0.17 This

V

′

(k, m, t) = V (k, m[0, … , n − 2]∥

∥ 0, t) construction is

insecure

because the

tags on

n

m = 0 and

n−1

m = 0 1

Consequently,

the attacker

can request

the tag on

n

m = 0 and

output an

existential

forgery for

1.

n−1

m = 0

Total 0.83 /

1.00

Question 3

Recall that the ECBC-MAC uses a fixed IV (in the lecture we simply set the IV to 0). Suppose

instead we chose a random IV for every message being signed and include the IV in the tag. In

other words, S(k, m) := (r, ECBCr (k, m)) where ECBCr (k, m) refers to the ECBC

function using r as the IV. The verification algorithm V given key k, message m, and tag (r, t)

The resulting MAC system is insecure. An attacker can query for the tag of the 1-block message

m and obtain the tag (r, t). He can then generate the following existential forgery: (we assume

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 3/10

8/26/2014 Homework Feedback | Coursera

The tag (r ⊕ t, m) is a valid tag for 0.00 The right half of the tag, m, is not

the 1-block message 0n . likely to be the result of the CBC MAC.

n

The tag (r ⊕ 1 , t) is a valid tag for

the 1-block message m ⊕ 1n .

n

the 1-block message 0 .

n

the 1-block message 0 .

Total 0.00 /

1.00

Question 4

Suppose Alice is broadcasting packets to 6 recipients B1 , … , B6 . Privacy is not important but

integrity is. In other words, each of B1 , … , B6 should be assured that the packets he is

Alice decides to use a MAC. Suppose Alice and B1 , … , B6 all share a secret key k. Alice

computes a tag for every packet she sends using key k. Each user Bi verifies the tag when

receiving the packet and drops the packet if the tag is invalid. Alice notices that this scheme is

insecure because user B1 can use the key k to send packets with a valid tag to users

B2 , … , B6 and they will all be fooled into thinking that these packets are from Alice.

Instead, Alice sets up a set of 4 secret keys S = { k1 , … , k4 } . She gives each user Bi some

subset Si ⊆ S of the keys. When Alice transmits a packet she appends 4 tags to it by computing

the tag with each of her 4 keys. When user Bi receives a packet he accepts it as valid only if all

tags corresponding to his keys in Si are valid. For example, if user B1 is given keys {k1 , k2 } he

will accept an incoming packet only if the first and second tags are valid. Note that B1 cannot

validate the 3rd and 4th tags because he does not have k3 or k4 .

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 4/10

8/26/2014 Homework Feedback | Coursera

How should Alice assign keys to the 6 users so that no single user can forge packets on behalf of

S1 = {k2 , k4 }, S2 = {k2 , k3 }, S 3 = {k3 , k4 }, S4 = { k1 , k3 }, S can only

generate

tags with the

two keys he

has. Since

no set Si is

contained in

another set

Sj , no user

ican fool a

user j into

accepting a

message

sent by i.

Total 1.00 /

1.00

Question 5

Consider the encrypted CBC MAC built from AES. Suppose we compute the tag for a long

′

message m comprising of n AES blocks. Let m be the n-block message obtained from m by

′

flipping the last bit of m (i.e. if the last bit of m is b then the last bit of m is b ⊕ 1). How many

′

calls to AES would it take to compute the tag for m from the tag for m and the MAC key? (in this

question please ignore message padding and simply assume that the message length is always a

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 5/10

8/26/2014 Homework Feedback | Coursera

Answer

4 1.00 You would decrypt the final CBC MAC encryption step done using k2 ,

the decrypt the last CBC MAC encryption step done using k1 , flip the

last bit of the result, and re-apply the two encryptions.

Total 1.00 /

1.00

Question 6

Let H : M → T be a collision resistant hash function. Which of the following is collision

′

H (m) = H (m)[0, … , 31] 0.14 This construction is not collision

(i.e. output the first 32 bits of the hash) resistant because an attacker can find

a collision in time 2

16

using the

birthday paradox.

′

H (m) = H (m) ⊕ H (m) 0.00 This construction is not collision

resistant because H (0) = H (1) .

′ ′

H (m) = H (H (H (m))) 0.14 a collision finder for H gives a

collision finder for H.

′ ′

H (m) = H (m ∥

∥0) 0.14 a collision finder for H gives a

collision finder for H.

′ ′

H (m) = H (H (m)) 0.00 a collision finder for H gives a

collision finder for H .

′

H (m) = H (|m|) (i.e. hash 0.14 This construction is not collision

the length of m) resistant because

H (000) = H (111) .

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 6/10

8/26/2014 Homework Feedback | Coursera

′

H (m) = H (m) ⨁ H (m ⊕ 1

|m|

) resistant because

(where m ⊕ 1

|m|

is the complement H (000) = H (111) .

of m)

Total 0.71 /

1.00

Question 7

Suppose H1 and H2 are collision resistant hash functions mapping inputs in a set M to

256

{0, 1} . Our goal is to show that the function H 2 (H 1 (m)) is also collision resistant. We

prove the contra-positive: suppose H 2 (H 1 (⋅)) is not collision resistant, that is, we are given

x ≠ y such that H 2 (H 1 (x)) = H2 (H 1 (y)) . We build a collision for either H1 or for H2 .

This will prove that if H 1 and H2 are collision resistant then so is H 2 (H 1 (⋅)). Which of the

a collision for H 1 (x) = H 1 (y) and x ≠ y, thereby giving us a

H1 or collision on H1 . Or H 1 (x) ≠ H 1 (y) but

H1 (x), H 1 (y) H 2 (H 1 (x)) = H2 (H 1 (y)) giving us a collision on H2 .

H2 .

Either

x, H 1 (y) are a

collision for H2

or H2 (x), y

H1 .

Either x, y are

a collision for

H1 or x, y

H2 .

Either

H 2 (x), H 2 (y)

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269

H1 7/10

8/26/2014 Homework Feedback | Coursera

H1 or x, y

H2 .

Total 1.00 /

1.00

Question 8

In this question and the next, you are asked to find collisions on two compression functions:

f 1 (x, y) = AES(y, x) ⨁ y , and

f 2 (x, y) = AES(x, x) ⨁ y ,

We provide an AES function for you to play with. The function takes as input a key k and an x

value and outputs AES(k, x) once you press the "encrypt" button. It takes as input a key k and

−1

a y value and outputs AES (k, y) once you press the "decrypt" button. All three values

k, x, y are assumed to be hex values (i.e. using only characters 0-9 and a-f) and the function

Your goal is to find four distinct pairs (x1 , y 1 ), ( x2 , y 2 ), (x3 , y 3 ), (x4 , y 4 ) such that

f 1 (x1 , y 1 ) = f 1 (x2 , y 2 ) and f 2 (x3 , y 3 ) = f 2 (x4 , y 4 ). In other words, the first two pairs

are a collision for f1 and the last two pairs are a collision for f2 . Once you find all four pairs,

please enter them below and check your answer using the "check" button.

Note for those using the NoScript browser extension: for the buttons to function correctly

please allow Javascript from class.coursera.org and cloudfront.net to run in your browser.

Note also that the "save answers" button does not function for this question and the next.

You entered:

00000000000000000000000000000000 x2 = enter distinct pairs !

00000000000000000000000000000000 y2 =

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 8/10

8/26/2014 Homework Feedback | Coursera

00000000000000000000000000000000

Total 0.00 /

1.00

Question 9

You entered:

00000000000000000000000000000000 x4 =

00000000000000000000000000000000 y4 =

00000000000000000000000000000000

Total 0.00 /

1.00

Question 10

Let H : M → T be a random hash function where |M | ≫ |T | (i.e. the size of M is much

larger than the size of T ). In lecture we showed that finding a collision on H can be done with

1/2

O(|T | ) random samples of H . How many random samples would it take until we obtain a

three way collision, namely distinct strings x, y, z in M such that H (x) = H (y) = H (z) ?

Answer

1/4

O(|T | )

O(|T |

2/3

) random samples. The number of triples among the n samples is n

choose 3 which is O(n3 ) . For a particular triple x, y, z to be a 3-

way collision we need H (x) = H (y) and H (x) = H (z) . Since

each one of these two events happens with probability 1/|T |

(assuming H behaves like a random function) the probability that

a particular triple is a 3-way collision is O(1/|T |2 ). Using the

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 9/10

8/26/2014 Homework Feedback | Coursera

O(n /|T | ) and since we want this probability to be close to 1,

3 2

3/4

O(|T | )

1/3

O(|T | )

Total 1.00 /

1.00

https://class.coursera.org/crypto-009/quiz/feedback?submission_id=459269 10/10

- Security 3rd Gen Pub Key V11Uploaded by123vidya
- CryptographyUploaded byRanjan Banerjee
- Cracking MethodUploaded byMajid Butt
- Sap PLM Ehs Dms ConfigUploaded bychandu.sap
- 4th UNIT NS-415Uploaded byझम्पकराव पाटील बुलेटवाले
- Contribute Implementación CS5Uploaded byNegozialari
- cyber lawUploaded bysantaukura2
- The Fatass and the JackassUploaded byBen Dahl
- CryptUploaded byPisarenco Grigore
- V4I1-0299Uploaded byGanesan Nk
- w2v2-manualUploaded byMihalcea Emanuel
- ETABS_Install_InstructionsUploaded byAri Handoko
- 5-OptiX iManager T2000 V2R7C01 FAQ-20081208-A.pptUploaded byHoang Nguyen
- hidden data in PE file secret messages.pdfUploaded byElsa Cristina David
- Download 2Uploaded byapi-3834671
- skein1.1Uploaded byMax Power
- Internationl Mining July 2011 LRUploaded byKenny Casilla
- whm.txtUploaded byAnonymous p3EuNhS3C
- System Programing ProjectUploaded byDon Baraka Daniel
- FortiClient Android 5.6 User GuideUploaded bymid_cyclone
- An Improved Histogram-Based Image Hashing Scheme Using K-Means SegmentationUploaded bySughit_Nice_154
- 25 ExportUploaded byKiran Kumar Peteru
- Computer Application LAB L ShemeUploaded byVijay Kumar
- ReadmeUploaded byautistic.fork
- Read_me.txtUploaded byjoildo junior
- The MD5 MessageUploaded byReal Gunner
- 21441687 File ionUploaded byAlisha Ray
- 461.9 PK CryptographyUploaded byCris Olipas
- MudUploaded byapletonprince
- Platinum Users Manual ENG[1]Uploaded byEbe Gümeci

- homework-week-2-_-coursera.pdfUploaded byÅshish
- Mapreduce k MeansUploaded byvrkatevarapu
- Homework Feedback Coursera12Uploaded byVishal Abhishek
- homework-week-5_-coursera.pdfUploaded byÅshish
- homework-week-6-_-coursera.pdfUploaded byÅshish
- parallelkmeansmapreduce_zhao.pdfUploaded byÅshish
- homework-week-4_-coursera.pdfUploaded byÅshish
- 16BIT0138 (DA-1)Uploaded byÅshish
- Opearating system LAb filesUploaded byÅshish
- DBMS_week_6Uploaded byÅshish
- Experiment 1(Os)Uploaded byÅshish
- Ite2002(Unix Report).PDFUploaded byÅshish
- Print the PyramidUploaded byÅshish
- Ite2002(Unix Report)Uploaded byÅshish
- Tesla CoilUploaded byÅshish
- CorruptionUploaded byÅshish

- DG43NB_TechProdSpec.pdfUploaded bytml3nr
- DSC NEO ProgrammingUploaded byJaime Hernandez Hernandez
- cyber crime and punishmentsUploaded byAnand_Bhushan28
- Install_guide-CentOS7.2-PBSPro-1.2.1-x86_64Uploaded byPlínio Silveira
- BenQ Network Projector Operation GuideUploaded byjmsmallix
- Workstation Player 12 Windows User GuideUploaded bylax
- 07_chapter2.pdfUploaded bydgm st
- Security Probe ManualUploaded bymoestbg
- PCshop PricelistUploaded byaa
- api_use_r12Uploaded byPartha Katari
- simatic_ipc547e_en_web.pdfUploaded byEmir Delic
- 3 DataCompression&CodingUploaded byAbdullah Salem
- 51581360-Web-Application-BasicsUploaded byKeerthi Kumar
- JAMES A. HALL - Accounting Information System Chapter 16Uploaded byJoe VaTa
- Schematic Diagram Blackberry Gemini 8520 by; Www.rajaponsel.comUploaded bylachiondo
- list-fullUploaded byasfalt9339
- Chapter 20 slides.pptUploaded byMuhammad Farooq
- [TUTORIAL] Interrupt Driven TWI Interface for AVR (Part 1_ MT_MR) _ ChrisHerringUploaded bymuthukumar_eee3659
- EST3 Installation and Service Manual.pdfUploaded byDaniel Garrido
- Tap Coin Wifi BrochureUploaded byJulie Joy Lacificar
- Wireless Telephony ApplicationsUploaded byudhayarose
- amikoUploaded byAlexander Wiese
- Deploying a Two-Tier Certificatio Authority InfrastructureUploaded byAfghanTechGuru
- manSLVD_GBUploaded byahmedwww
- What is RTWPUploaded byZia Ul Haq Ali
- E.shdsL Dual 2-Wire Repeater 239 SRUUploaded byasdf
- 8.1.2.7 Lab - Using the Windows Calculator With Network AddressesUploaded byRayhan Daffa R
- Joining Systems New 960-283eUploaded byNenad Ilic
- 9 Keys to Mobile Retail Success - Webinar SlidesUploaded byArtin Youssefian
- Logical Correlation Analysis on Victim and Aggressor Pairs With the Same SenseUploaded bySumanth Varma