Final 16

This document contains instructions for a final exam in a cryptography course. It consists of 6 problems testing knowledge of cryptographic protocols and properties like semantic security, collision resistance, authenticated key exchange, and digital signatures. Students are given 2 hours to complete the exam, which is open book and notes. They are bound by the school's honor code.

CS255: Cryptography and Computer Security Winter 2016

Final Exam

Instructions:
− Answer all six questions.
− The exam is open book and open notes. Laptops are allowed with the network card turned
off. Connecting to a network during the exam is a serious violation of the honor code.
− Students are bound by the Stanford honor code.
− You have two hours.

Problem 1. Questions from all over.

a. What is the difficulty with CRLs that is solved by the OCSP protocol?
b. Consider the following cipher (E, D) defined over (K, M, C) where C = M = {0, 1}^ℓ and K is
the set of all ℓ! permutations of the set {0, . . . , ℓ − 1}. For a key k ∈ K and message m ∈ M
define E(k, m) to be the result of permuting the bits of m using the permutation k, namely

E(k, m) := m[k(0)] . . . m[k(ℓ − 1)]

Show that this cipher is not semantically secure by showing an adversary that achieves
advantage 1.
c. Let G be a group of prime order q with generator g ∈ G. Let h be a random element in G.
In homework 3 you showed that the hash function H(x, y) := g^x h^y, from Zq × Zq to G, is
collision resistant, assuming the discrete-log problem in G is difficult. Show that H has a
trapdoor: someone who knows the discrete-log of h base g can easily find collisions for H.
d. Let (E, D) be a semantically secure cipher. Suppose the plaintext message is compressed
(using lossless compression) before encrypting it with E. Briefly explain why this
compress-then-encrypt method can break semantic security. Make sure to describe a semantic
security attacker.
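As an added illustration that is not part of the exam, here is the bit-permutation cipher of part (b) in Python. The key is a list k with k[i] = k(i); the decryption routine is my own addition (the exam only defines E), and it is simply E applied under the inverse permutation.

```python
import secrets

def keygen(ell: int) -> list:
    """Sample a key: a uniformly random permutation of {0, ..., ell-1} (K has ell! elements)."""
    k = list(range(ell))
    secrets.SystemRandom().shuffle(k)
    return k

def encrypt(k: list, m: str) -> str:
    """E(k, m) = m[k(0)] ... m[k(ell-1)]: bit i of the ciphertext is bit k(i) of m."""
    ell = len(k)
    if len(m) != ell or set(m) - {"0", "1"}:
        raise ValueError("m must be an ell-bit string")
    return "".join(m[k[i]] for i in range(ell))

def invert(k: list) -> list:
    """Inverse permutation: k_inv[k[i]] = i."""
    k_inv = [0] * len(k)
    for i, j in enumerate(k):
        k_inv[j] = i
    return k_inv

def decrypt(k: list, c: str) -> str:
    """D(k, c): since c[i] = m[k(i)], bit j of m is c[k_inv(j)]; that is, D(k, c) = E(k_inv, c)."""
    return encrypt(invert(k), c)

if __name__ == "__main__":
    k = keygen(8)
    m = "10110010"
    c = encrypt(k, m)
    print(k, m, c, decrypt(k, c) == m)
```

The ciphertext and plaintext are both strings over {0, 1} of the same length, so one can experiment with many messages under a single key and compare what E(k, m) reveals about m.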

Problem 2. Let π : X → X be a fixed public permutation (i.e., a one-to-one function) where
X := {0, 1}^n. When we say that π is public we mean that anyone can compute π(x) and π^−1(x)
for a given x in X. The Even-Mansour cipher (E, D) derived from π is defined as

E((k0, k1), m) := π(m ⊕ k0) ⊕ k1.

a. Explain how D((k0, k1), c) works.
b. Show that E1(k1, m) := π(m) ⊕ k1, with the corresponding D1, is not a secure PRP.
c. Show that E2(k0, m) := π(m ⊕ k0), with the corresponding D2, is not a secure PRP.

Problem 3. Let us show that the Davies-Meyer construction may not be collision resistant when
instantiated with a real-world block cipher. Let (E, D) be a block cipher defined over (K, X)
where K = X = {0, 1}^n. For y ∈ X let ȳ denote the bit-wise complement of y.

a. Suppose that E(k̄, x̄) is the bit-wise complement of E(k, x) for all keys k ∈ K and all x ∈ X.
The DES block cipher has precisely this property. Show that the Davies-Meyer construction,
h(k, x) := E(k, x) ⊕ x, is not collision resistant when instantiated with algorithm E.
b. Suppose (E, D) is an Even-Mansour cipher, E(k, x) := π(x ⊕ k) ⊕ k. Show that the
Davies-Meyer construction instantiated with algorithm E is not collision resistant. As in the
previous question, π : X → X is a fixed public permutation.
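An added example, not from the exam: a concrete Even-Mansour instance over 16-bit blocks with a constructed public permutation π (an affine map modulo 2^16 followed by a rotation; any fixed bijection would serve), its decryption D, and the Davies-Meyer compression function of Problem 3 applied to the single-key variant E(k, x) = π(x ⊕ k) ⊕ k from part (b). The constants, the block size and the helper names are my assumptions, not the exam's.

```python
# Block size: X = {0,1}^N with N = 16 bits, small enough to check π exhaustively.
N = 16
MASK = (1 << N) - 1
# Constants of the constructed public permutation π (affine map mod 2^N, then a rotation).
A, C, R = 0x9E37, 0x1234, 5
A_INV = pow(A, -1, 1 << N)   # A is odd, hence invertible modulo 2^N

def rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (N - r))) & MASK

def rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (N - r))) & MASK

def pi(x: int) -> int:
    """π(x): a keyless bijection on X that anyone can evaluate."""
    return rotl((x * A + C) & MASK, R)

def pi_inv(y: int) -> int:
    """π^{-1}(y): undo the rotation, then the affine map."""
    return ((rotr(y, R) - C) * A_INV) & MASK

def em_encrypt(k0: int, k1: int, m: int) -> int:
    """Even-Mansour E((k0, k1), m) = π(m ⊕ k0) ⊕ k1."""
    return pi(m ^ k0) ^ k1

def em_decrypt(k0: int, k1: int, c: int) -> int:
    """D((k0, k1), c) = π^{-1}(c ⊕ k1) ⊕ k0: strip k1, invert π, strip k0."""
    return pi_inv(c ^ k1) ^ k0

def em_single_key(k: int, x: int) -> int:
    """The Problem 3(b) cipher E(k, x) = π(x ⊕ k) ⊕ k, i.e. Even-Mansour with k0 = k1 = k."""
    return em_encrypt(k, k, x)

def davies_meyer(E, k: int, x: int) -> int:
    """Davies-Meyer compression h(k, x) = E(k, x) ⊕ x for any block cipher E."""
    return E(k, x) ^ x

def is_permutation() -> bool:
    """Exhaustive check that π is a bijection on X and that pi_inv really inverts it."""
    seen = {pi(x) for x in range(1 << N)}
    return len(seen) == (1 << N) and all(pi_inv(pi(x)) == x for x in range(1 << N))

if __name__ == "__main__":
    k0, k1, m = 0x1234, 0xABCD, 0x0F0F
    c = em_encrypt(k0, k1, m)
    print(hex(c), em_decrypt(k0, k1, c) == m, is_permutation())
    print(hex(davies_meyer(em_single_key, 0x1234, 0xABCD)))
```

Because π is public, everything except the XOR with the keys is computable by anyone; the two problems above ask what happens to PRP security and to collision resistance when one of those key layers is removed or tied to the other.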

Problem 4. Double encryption. Let (E, D) be a cipher and define the cipher (E2, D2) as
E2(k, m) = E(k, E(k, m)). One would expect that if encrypting a message once with E is secure then
encrypting it twice as in E2 should be no less secure.

a. Show that there is a (one-time) semantically secure cipher (E, D) such that (E2 , D2 ) is not
semantically secure.
b. Prove that for all CPA secure ciphers (E, D), the cipher (E2 , D2 ) is also CPA secure. That
is, show that for every CPA adversary A attacking (E2 , D2 ) there is a CPA adversary B
attacking (E, D) with about the same advantage and running time.

Problem 5. Let (Gen, S, V) be a secure signature scheme (existentially unforgeable under a
chosen message attack) with message space {0, 1}^*. Generate two signing/verification key pairs
(pk0, sk0) ← Gen and (pk1, sk1) ← Gen. Which of the following are secure signature schemes?
Show an attack or explain why the scheme is secure, that is, explain why an attack on the scheme
leads to an attack on (Gen, S, V).

a. Sign double:
   S1(sk0, m) := S(sk0, m ‖ m).    Verify: V1(pk0, m, σ) := V(pk0, m ‖ m, σ)

b. Accept one valid:
   S2((sk0, sk1), m) := ( S(sk0, m), S(sk1, m) ).    Verify:
   V2((pk0, pk1), m, (σ0, σ1)) = ‘accept’ ⇐⇒ V(pk0, m, σ0) = ‘accept’ or V(pk1, m, σ1) = ‘accept’

c. Sign halves:
   S3((sk0, sk1), (mL, mR)) := ( S(sk0, mL), S(sk1, mR) )
   V3((pk0, pk1), (mL, mR), (σ0, σ1)) = ‘accept’ ⇐⇒ V(pk0, mL, σ0) = V(pk1, mR, σ1) = ‘accept’

d. Sign with randomness: for m ∈ {0, 1}^n do
   S4(sk0, m) := choose random r ← {0, 1}^n, output ( r, S(sk0, m ⊕ r), S(sk0, r) ).
   V4(pk0, m, (r, σ0, σ1)) = ‘accept’ ⇐⇒ V(pk0, m ⊕ r, σ0) = V(pk0, r, σ1) = ‘accept’

e. Sign with appendage:
   S5(sk1, m) := S(sk1, m ‖ 1010) ;    V5(pk1, m, σ) := V(pk1, m ‖ 1010, σ)

Problem 6. Authenticated key exchange (AKE). In lecture we saw a one-sided AKE with forward-
secrecy and a two-sided AKE without forward-secrecy. Let’s try to construct the best of both
worlds: a two-sided AKE with forward-secrecy.
Consider the following two-sided AKE with forward-secrecy between Alice and Bank: They each
have a certificate for a signing key and we denote by S_alice(data) and S_bank(data) their
respective signatures on ‘data’. They fix a group G of order q and generator g ∈ G. Alice chooses
a random a and Bank chooses a random b, both in Zq. They exchange the following messages:

Flow 1.  Alice → Bank:  g^a
Flow 2.  Bank → Alice:  g^b, cert_bank, S_bank(g^a, g^b)                 [Alice checks sigs]
Flow 3.  Alice → Bank:  cert_alice, S_alice(g^a, g^b, cert_bank)          [Bank checks sigs]

Both sides compute the shared secret k ← g^ab ∈ G and each side deletes its secret a or b. If all
the certificates and signatures verify correctly then Alice thinks she is speaking with Bank and
Bank thinks it is speaking with Alice. The protocol provides forward-secrecy because a compromise
of the server or the client does not compromise past sessions.

a. Since the Diffie-Hellman messages in this protocol are signed by the participants, one might
expect that the protocol is secure against a man-in-the-middle attack. Unfortunately that is
incorrect: show that the protocol is vulnerable to an identity misbinding attack.
Hint: The attacker can cause the protocol to complete successfully with Alice thinking she
is speaking to Bank, but Bank thinks it is speaking to the attacker.
b. The protocol above can be repaired by sending cert_alice in the first flow and having the Bank
sign cert_alice in the second flow as follows:

Flow 1.  Alice → Bank:  g^a, cert_alice
Flow 2.  Bank → Alice:  g^b, cert_bank, S_bank(g^a, g^b, cert_alice)     [Alice checks sigs]
Flow 3.  Alice → Bank:  S_alice(g^a, g^b, cert_bank)                      [Bank checks sigs]

Both sides compute the shared secret k ← g^ab ∈ G and each side deletes its secret a or b. If
all the certificates and signatures verify correctly then Alice thinks she is speaking with Bank
and Bank thinks it is speaking with Alice. This prevents the attack above and is a secure
two-sided AKE with forward-secrecy.
Suppose the third flow in this protocol is replaced with the following message:

Flow 3′.  Alice → Bank:  S_alice(cert_bank)

Show that it is now possible to mount a key exposure attack: the attacker can establish a
session with Bank where the attacker knows the session-key, but Bank thinks it is talking to
Alice.
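The following added example is mine and not part of the exam. It instantiates the abstract (Gen, S, V) used in Problems 5 and 6 with a hash-then-sign Lamport one-time signature built from hashlib, uses it for the "sign halves" scheme S3/V3 of Problem 5(c), and then runs the three flows of the repaired AKE of Problem 6(b), including the signature checks each side performs on the transcript. Assumptions: a certificate is modelled as the bare public key, the group is a toy Z_P^* with P = 2^61 − 1 (far too small for real use), and each Lamport key signs exactly once, so fresh key pairs are generated for every session.

```python
import hashlib
import secrets

# Placeholder (Gen, S, V): Lamport one-time signatures over the SHA-256 digest of the message,
# so the message space is {0,1}^* as in the exam. Assumption: a secret key signs at most once.
NBITS = 256

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def Gen():
    """sk: 256 pairs of random 32-byte secrets; pk: the hashes of those secrets."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(NBITS)]
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return pk, sk

def _digest_bits(m: bytes):
    d = int.from_bytes(H(m), "big")
    return [(d >> (NBITS - 1 - i)) & 1 for i in range(NBITS)]

def S(sk, m: bytes):
    """For each digest bit, reveal the secret that corresponds to that bit."""
    return [sk[i][b] for i, b in enumerate(_digest_bits(m))]

def V(pk, m: bytes, sig) -> bool:
    return len(sig) == NBITS and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_digest_bits(m)))

# Problem 5(c), "sign halves": mL under sk0, mR under sk1; both signatures must verify.
def S3(sk_pair, mL: bytes, mR: bytes):
    sk0, sk1 = sk_pair
    return S(sk0, mL), S(sk1, mR)

def V3(pk_pair, mL: bytes, mR: bytes, sig) -> bool:
    pk0, pk1 = pk_pair
    s0, s1 = sig
    return V(pk0, mL, s0) and V(pk1, mR, s1)

# Problem 6(b), the repaired two-sided AKE. Toy group (constructed): Z_P^* with P = 2^61 - 1,
# generator 3. A "certificate" is modelled as the bare Lamport public key.
P, GEN = 2**61 - 1, 3

def cert_bytes(pk) -> bytes:
    return b"".join(h0 + h1 for h0, h1 in pk)

def enc(*parts: bytes) -> bytes:
    """Length-prefixed encoding of the signed tuple, so (g^a, g^b, cert) parses unambiguously."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def to_bytes(x: int) -> bytes:
    return x.to_bytes(8, "big")

def ake(alice_keys, bank_keys, flip_gb: bool = False):
    """Run flows 1-3. Returns (k_alice, k_bank) on success, or None if a signature check fails.
    flip_gb simulates a network attacker altering g^b in flow 2 on its way to Alice."""
    (cert_alice, sk_alice), (cert_bank, sk_bank) = alice_keys, bank_keys
    # Flow 1: Alice -> Bank: g^a, cert_alice
    a = secrets.randbelow(P - 2) + 1
    ga = pow(GEN, a, P)
    # Flow 2: Bank -> Alice: g^b, cert_bank, S_bank(g^a, g^b, cert_alice)
    b = secrets.randbelow(P - 2) + 1
    gb = pow(GEN, b, P)
    sig_bank = S(sk_bank, enc(to_bytes(ga), to_bytes(gb), cert_bytes(cert_alice)))
    gb_seen = gb ^ 1 if flip_gb else gb          # the value Alice actually receives
    # Alice checks sigs: Bank's signature must cover the g^b she received and her own cert
    if not V(cert_bank, enc(to_bytes(ga), to_bytes(gb_seen), cert_bytes(cert_alice)), sig_bank):
        return None
    # Flow 3: Alice -> Bank: S_alice(g^a, g^b, cert_bank)
    sig_alice = S(sk_alice, enc(to_bytes(ga), to_bytes(gb_seen), cert_bytes(cert_bank)))
    # Bank checks sigs
    if not V(cert_alice, enc(to_bytes(ga), to_bytes(gb), cert_bytes(cert_bank)), sig_alice):
        return None
    # Both sides compute k = g^ab and delete their ephemeral secrets
    k_alice, k_bank = pow(gb_seen, a, P), pow(ga, b, P)
    del a, b
    return k_alice, k_bank

if __name__ == "__main__":
    print(ake(Gen(), Gen()))                      # (k, k): both sides agree
    print(ake(Gen(), Gen(), flip_gb=True))       # None: Alice rejects the altered g^b
```

The transcript is encoded with length prefixes before signing so that the tuple (g^a, g^b, cert) cannot be re-parsed as a different tuple; the verification in each flow recomputes that encoding from what the verifier itself received, which is what ties the signature to this session's values rather than to whatever the peer claims to have sent.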
