Crypto 2020 Solutions


UNIVERSITY OF BRISTOL

January 2020 Examination Period

FACULTY OF ENGINEERING

Third Year Examination for the Degrees of


Bachelor of Science and Master of Engineering

COMS-30002(J)
Cryptography A

TIME ALLOWED:
2 Hours

Answers to COMS-30002(J): Cryptography A

Intended Learning Outcomes:

• Explain and apply the principles of modern cryptology in the context of secure communication;

• Explain and demonstrate the functionality and desired security of standard cryptographic schemes used for confidentiality and authenticity;

• Link the design and operation of standard, state-of-the-art symmetric and asymmetric cryptographic schemes to their mathematical underpinnings;

• Use basic cryptanalytic techniques to evaluate the security level of simple cryptographic schemes.

Page 1 of 10
Q1. For each of the questions below, four possible answers are presented. Zero or more of
these answers are correct. Select all the answers that you believe apply, or write “none”
if you believe none apply. You do not need to justify your answer.
Each question carries 3 marks. You lose one mark for each incorrect classification, down
to a minimum of 0 marks per question. (For example, if the correct answer is “A and
B”, then answering “B”, or “none” leads to 2 points, whereas answering “B and C” only
leads to 1 point.) No marks will be awarded for questions to which you give no answer,
so do make sure to write “none” in case you believe none of the proposed answers apply.
(a) Which of these statements apply to the one-time pad?
A. The one-time pad provides perfect secrecy.
B. The one-time pad is not secure if keys are reused.
C. The one-time pad is always secure, however it is used.
D. The one-time pad is secure even when there are more messages than
possible keys.
[3 marks]
(b) Which of these statements apply to Encrypt-then-MAC?
A. Encrypt-then-MAC is a blockcipher construction.
B. One needs to be careful to include both the nonce and ciphertext in the
MAC computation.
C. If Encrypt is IND-secure and MAC is EUF-CMA-secure, then Encrypt-
then-MAC is AE secure.
D. If Encrypt is IND-secure and MAC is EUF-CMA-secure, then Encrypt-
then-MAC is IND-CCA secure.

Solution:
Marking note: Answer C could be valid or invalid depending on the definition of
AE-security used, as recognized by some students. Marks were never deducted
for ticking, or not ticking, it.

[3 marks]
(c) Which of the following statements most accurately reflect the threat quantum computers pose to modern cryptography?
A. Grover’s algorithm allows a quantum computer to factor or compute discrete logarithms in time polynomial in the bitsize of the input.
B. Grover’s quantum search algorithm speeds exhaustive search attacks on symmetric cryptography from $O(N)$ to $O(\sqrt{N})$.
C. Grover’s and Shor’s algorithms are known to be the only possible threats that would arise from a scalable quantum computer.
D. Shor’s period-finding algorithm allows a quantum computer to factor or compute discrete logarithms in time polynomial in the bitsize of the input.

[3 marks]


(d) For which of the following choices for $f(x) \in (\mathbb{Z}/3\mathbb{Z})[x]$ is $(\mathbb{Z}/3\mathbb{Z})[x]/(f(x))$ a field?
A. $f(x) = x^2 + 1$.
B. $f(x) = x^4 + 2x^2 + 1$.
C. $f(x) = x^2 - 1$.
D. $f(x) = x^3 + x + 1$.
[3 marks]
(e) If you are trying to solve a discrete logarithm problem in a large prime-order subgroup of a finite field $\mathbb{F}_p$, which of the following algorithms are likely to be most efficient (disregarding memory concerns)?
A. Index calculus
B. Pollard-rho
C. Baby-step-giant-step
D. Pohlig-Hellman
[3 marks]

Q2. In this question, we will consider a candidate authenticated encryption scheme, shown below, where $E_K$ is a blockcipher that we assume is IND-secure. We only define this scheme for messages whose length is exactly three times the block length $\ell$ of the underlying blockcipher.

Enc^N_K(M = M[1]∥M[2]∥M[3])
  C[0] ← N
  for i ∈ [1, . . . , 3]
    X[i] ← E_K(C[i − 1])
    C[i] ← M[i] ⊕ X[i]
  K′ ← E_K(N)
  T ← C[3] ⊕ K′
  return (C[1]∥C[2]∥C[3], T)
(a) Which mode of operation is the blockcipher being used in?
Solution: The blockcipher is being used in CFB mode.
Marking note: The original sample answer erroneously read “CBC”. Partial
marks were given to students who recognized that the mode was not quite CBC
but could not name it. Partial marks were given to students who identified the
Encrypt-then-MAC “feel” of the mode.

[2 marks]
(b) Describe, draw or define the decryption oracle, taking care to process as little
unverified data as possible.

Solution:
Dec^N_K(C = C[1]∥C[2]∥C[3], T)
  K′ ← E_K(N)
  T′ ← C[3] ⊕ K′
  if T ≠ T′
    return ⊥
  C[0] ← N
  for i ∈ [1, . . . , 3]
    X[i] ← E_K(C[i − 1])
    M[i] ← C[i] ⊕ X[i]
  return (M[1]∥M[2]∥M[3])
Marking note: 1 mark for verifying the tag before decryption, 1 mark for recomputing the tag properly, 1 mark for decrypting properly.

[3 marks]
(c) We would like to prove that our candidate scheme is a secure authenticated encryption scheme. This first requires us to prove that the scheme is a secure (nonce-based) encryption scheme. Define an adversary’s advantage in breaking a scheme’s indistinguishability. This must include a description (in words, diagram or code) of an experiment.

Solution: The advantage of an adversary A in distinguishing a scheme Enc from random is defined as

$$\mathrm{Adv}^{\text{(n)ind}}_{\mathrm{Enc}}(A) = \Pr\left[\mathrm{Exp}^{\text{(n)ind-real}}_{\mathrm{Enc}}(A) : \hat b = 1\right] - \Pr\left[\mathrm{Exp}^{\text{(n)ind-ideal}}_{\mathrm{Enc}}(A) : \hat b = 1\right]$$

where the real and ideal experiments are defined as follows.

Exp^{(n)ind-real}_{Enc}(A)
  K ←$ Kg
  b̂ ←$ A^{E(·,·)}
  oracle E(N, M)   (no repeat nonces)
    C ← Enc^N_K(M)
    return C

Exp^{(n)ind-ideal}_{Enc}(A)
  b̂ ←$ A^{E(·,·)}
  oracle E(N, M)   (no repeat nonces)
    C ←$ C(|M|)
    return C

Marking note: IND-CPA and IND-CCA were both accepted as valid answers.
1 mark for real/ideal idea, 1 mark for good oracles with appropriate restric-
tions, 1 mark for good advantage expression. Some students used Left-or-Right
definitions, which were accepted for full marks (as equivalent).

[3 marks]
(d) Our candidate scheme does not provide (nonce-based) indistinguishability. Name (or describe) a weaker indistinguishability notion that is likely to hold on our candidate scheme. Give a rough argument explaining why you believe this weaker notion applies to our scheme.
Solution: From the point of view of confidentiality, our scheme is simply the block-
cipher being used in CFB mode, which is not nonce-based indistinguishable from
random.
However, CFB mode is indeed indistinguishable from random if nonces are chosen
at random (this is the (IV)IND security notion), rather than controlled by the
adversary. Our scheme is likely to inherit this property since the tag computation
can easily be simulated with oracle access to the blockcipher and information that
is known to the (IV)IND adversary.


Marking note: The scheme is thoroughly insecure! The idea was to get students
to think about the hierarchy of security notions, and to briefly come up with
rationales for their thoughts. The sample answer is one of those I expected.
1 mark was given for identifying (and naming or defining) a security notion
that is truly weaker than the one given by the student in 2c; 1 mark for a rough
rationale for security; the final mark was given to any student who noted that the
scheme simply cannot meet any notion that requires indistinguishability (even
under passive attack) since the tag reveals the first block of plaintext.

[3 marks]
(e) Does the scheme provide ciphertext integrity? If yes, explain why informally and
explain the high-level reduction logic (without writing out the reduction or analyz-
ing it). If no, demonstrate an attack and identify what kind of attack it is.
Solution: The scheme does not provide ciphertext integrity. Given a single nonce-ciphertext-tag triple $(N, C, T)$ given by a known-message oracle, the adversary can easily forge a new valid triple as $(N, C \oplus Z, T \oplus Z)$ for any $Z \neq 0^{\ell}$.
Since it requires a nonce-ciphertext-tag triple but does not require the adversary
to control the plaintext (or indeed the ciphertext), the attack is a known-message
(or known-ciphertext) attack. Classifying it as a chosen-message attack would
yield partial marks.
Marking note: 1 mark for “No”; 1 mark for identifying the flaw; 1 mark for
demonstrably exploiting it; 1 mark for a name (CMA was, in the end, accepted
for full marks).

[4 marks]
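The Q2 candidate scheme, its tag-first decryption oracle from (b), the forgery from (e) and the plaintext leak noted in the (d) marking note, written out as an added Python example that is not part of the paper. Two assumptions of this example: the blockcipher $E_K$ is replaced by a truncated HMAC-SHA256 stand-in (only the forward direction is ever used), and the block length $\ell$ is fixed at 16 bytes.

```python
import hashlib, hmac, os
BLOCK = 16  # block length ℓ in bytes (an assumption for this example)

def E(K, X):
    # Stand-in for the blockcipher E_K: HMAC-SHA256 cut to one block. Only the
    # forward direction is ever needed (CFB and the tag), so a PRF suffices.
    return hmac.new(K, X, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(K, N, M):
    # Q2 candidate scheme: CFB over three blocks, then T = C[3] xor E_K(N).
    assert len(M) == 3 * BLOCK and len(N) == BLOCK
    C, prev = [], N
    for i in range(3):
        prev = xor(M[i * BLOCK:(i + 1) * BLOCK], E(K, prev))  # C[i] = M[i] xor E_K(C[i-1])
        C.append(prev)
    return b"".join(C), xor(C[2], E(K, N))

def dec(K, N, C, T):
    """Q2(b) oracle: recompute and check the tag before decrypting anything."""
    if len(C) != 3 * BLOCK or len(T) != BLOCK:
        return None
    if not hmac.compare_digest(T, xor(C[2 * BLOCK:], E(K, N))):
        return None
    M, prev = [], N
    for i in range(3):
        blk = C[i * BLOCK:(i + 1) * BLOCK]
        M.append(xor(blk, E(K, prev)))
        prev = blk
    return b"".join(M)

def forge(N, C, T, Z):
    # Q2(e): XOR a nonzero block Z into C[3] and into T. Dec then recomputes
    # (C[3] xor Z) xor E_K(N) = T xor Z, so the tag check passes.
    return N, C[:2 * BLOCK] + xor(C[2 * BLOCK:], Z), xor(T, Z)

def leak_first_block(C, T):
    # Q2(d) marking note: C[1] and T are both masked by E_K(N), so
    # T xor C[1] xor C[3] = M[1] without knowing the key.
    return xor(xor(T, C[:BLOCK]), C[2 * BLOCK:])

def demo():
    # Returns (honest decryption works, forgery verifies, tag leaks M[1]).
    K, N, M = os.urandom(BLOCK), os.urandom(BLOCK), bytes(range(3 * BLOCK))
    C, T = enc(K, N, M)
    N2, C2, T2 = forge(N, C, T, b"\x55" * BLOCK)
    return (dec(K, N, C, T) == M,
            C2 != C and dec(K, N2, C2, T2) is not None,
            leak_first_block(C, T) == M[:BLOCK])
```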



Q3. (a) If $p$ is a prime and $a \in \mathbb{Z}_{>0}$, state the conditions on $f(x) \in (\mathbb{Z}/p\mathbb{Z})[x]$ in order for $(\mathbb{Z}/p\mathbb{Z})[x]/(f(x))$ to be a field of size $p^a$.
Solution: f (x) must be a polynomial of degree a, and must be irreducible.
[1 mark]
(b) Given a polynomial $g(x) = \sum_{i=0}^{n} a_i x^i \in \mathbb{Z}[x]$ and $m \in \mathbb{Z}_{\geq 2}$, define $g(x) \bmod m$ to be

$$g(x) \bmod m := \sum_{i=0}^{n} (a_i \bmod m)\, x^i \in (\mathbb{Z}/m\mathbb{Z})[x].$$

Give a polynomial $g(x) \in \mathbb{Z}[x]$ such that $(\mathbb{Z}/2\mathbb{Z})[x]/(g(x) \bmod 2)$ is a finite field of size 4, but $(\mathbb{Z}/3\mathbb{Z})[x]/(g(x) \bmod 3)$ is not a field. Justify your answer.

Solution: To fulfill the first condition, we must have $g(x) \bmod 2 = x^2 + x + 1$. To avoid forming a field of characteristic 3, we must have that $g(x) \bmod 3$ is reducible in $(\mathbb{Z}/3\mathbb{Z})[x]$.
We can, for example, pick $x^2 + x + 1$ itself as this factors mod 3 as $(x - 1)^2$.
[4 marks]
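An added Python example (not from the paper) that checks the Q3(a) criterion and the Q3(b) answer mechanically: polynomials over $\mathbb{Z}/p\mathbb{Z}$ are coefficient lists (lowest degree first), and irreducibility is decided by trial division by every monic polynomial of degree at most half the degree of $f$. The function names are this example's own.

```python
from itertools import product

def poly_mod(num, den, p):
    """Remainder of num divided by den in (Z/pZ)[x]; coefficient lists, lowest degree first."""
    num = [c % p for c in num]
    den = [c % p for c in den]
    while len(den) > 1 and den[-1] == 0:
        den.pop()
    inv_lead = pow(den[-1], -1, p)
    for i in range(len(num) - len(den), -1, -1):
        q = num[i + len(den) - 1] * inv_lead % p
        if q:
            for j, d in enumerate(den):
                num[i + j] = (num[i + j] - q * d) % p
    rem = num[:len(den) - 1]
    while rem and rem[-1] == 0:
        rem.pop()
    return rem  # [] means den divides num exactly

def monic_polys(deg, p):
    """All monic polynomials of the given degree over Z/pZ."""
    for tail in product(range(p), repeat=deg):
        yield list(tail) + [1]

def smallest_factor(f, p):
    """Trial division: a proper monic factor of f of degree <= deg(f)/2, or None.
    Any proper factorisation has a factor of at most half the degree, so this suffices."""
    n = len(f) - 1
    for d in range(1, n // 2 + 1):
        for h in monic_polys(d, p):
            if not poly_mod(f, h, p):
                return h
    return None

def is_field(f, p):
    """Q3(a): (Z/pZ)[x]/(f(x)) is a field iff f is irreducible over Z/pZ."""
    return smallest_factor(f, p) is None

def q3b_check(g):
    """Q3(b) for a candidate g in Z[x]: field of size 4 mod 2, but no field mod 3?"""
    g2 = [c % 2 for c in g]
    while g2 and g2[-1] == 0:   # the leading coefficient may vanish mod 2
        g2.pop()
    return len(g2) == 3 and is_field(g2, 2) and not is_field(g, 3)
```

For $g(x) = x^2 + x + 1$ the factor found mod 3 is the list `[2, 1]`, i.e. $x + 2 = x - 1$, matching the solution above.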

Q4. In this question, we will play the part of an adversary and use index calculus to break the discrete logarithm problem to compute Alice’s private key and forge her digital signature. It is recommended that you use a calculator to help you. Suppose that Alice is using a service which requires ElGamal signatures. This service uses the finite field $\mathbb{F}_{107}$ and the generator $g = 17$ for the unit group of the finite field $\mathbb{F}_{107}^{*}$. (The generator 17 has order 106 so does indeed generate the whole group).
(a) Using the following equations:

$$17^{2} \equiv 3 \cdot 5^{2} \pmod{107}$$
$$17^{9} \equiv 2^{2} \cdot 5 \pmod{107}$$
$$17^{11} \equiv 2 \pmod{107},$$

compute $\log_{17}(2)$, $\log_{17}(3)$, and $\log_{17}(5) \bmod 106$.
Solution: The last equation immediately gives us

$$\log_{17}(2) \equiv 11 \pmod{106}$$

From the second equation, we get that $9 \equiv 2 \cdot \log_{17}(2) + \log_{17}(5) \pmod{106}$. We substitute and simplify, obtaining

$$\log_{17}(5) \equiv 93 \pmod{106}$$

Finally, from the first equation, we get $2 \equiv \log_{17}(3) + 2 \cdot \log_{17}(5) \pmod{106}$, and conclude after substitution and simplification that

$$\log_{17}(3) \equiv 28 \pmod{106}$$

[4 marks]
(b) Alice chooses a secret $a \in \mathbb{Z} \pmod{106}$ and publishes her public key $17^{a} \equiv 94 \pmod{107}$. Find Alice’s secret using index calculus with factor base $\{2, 3, 5\}$.
Solution: Observe that 94 does not factorise into only powers of elements in the factor base, so we try $17 \cdot 94$, which is $2^{2} \cdot 5^{2} \pmod{107}$. Therefore, we have $\log_{17}(94) \equiv 2 \cdot \log_{17}(2) + 2 \cdot \log_{17}(5) - 1 \pmod{106}$. Using the pre-computed values for $\log_{17}(2)$ and $\log_{17}(5)$, we conclude that

$$\log_{17}(94) \equiv 101 \pmod{106}$$

[3 marks]
(c) Give the steps of signing and verifying a message using ElGamal.

Solution:

Sign_sk(m)
  s ← 0
  while s = 0
    k ←$ (Z/pZ)^*
    r ← g^k (mod p)
    s ← (H(m) − r · sk) · k^{−1} (mod p − 1)
  return (r, s)

Verify_pk(m, (r, s))
  Check that 0 < r < p
  Check that 0 < s < p − 1
  return g^{H(m)} ≡ pk^r · r^s (mod p)

[4 marks]
(d) Using the nonce $k = 1$ and a message $m$ with hash $H(m) = 0$, compute an ElGamal signature as if you were Alice. (If you did not manage part (b), suppose for this question that Alice’s secret was $a = 102$. This is not the correct answer to (b).)

Solution: $r = g^{k} = 17^{1} = 17$, and with $a = \mathrm{sk} = 101$ as computed in part (b) we get

$$s = (0 - 17 \cdot 101) \cdot 1 \pmod{106} = 17 \cdot 5 \pmod{106} = 85 \pmod{106}.$$

The result using $a = 102$ is $(17, 68)$.


[2 marks]
(e) Suppose now that you observe Alice and Bob using the same parameters to compute a shared secret via a Diffie-Hellman key exchange. Bob’s public key is $17^{b} \equiv 54 \pmod{107}$. Compute their shared secret. (Hint: observe that $54 \equiv 2^{-1} \pmod{107}$.)
Solution: Their shared secret is

$$(17^{b})^{a} \pmod{107} \equiv 54^{101} \equiv 2^{-101} \equiv 2^{5} \equiv 32 \pmod{107}.$$

The result using $a = 102$ is 16.


[2 marks]
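The Q4 computations carried out in code, as an added Python example that is not part of the paper: it takes the factor-base logs from (a) as given (and checks them), generalises the (b) step to any target $h$ by searching for a $k$ with $h \cdot g^{k}$ smooth over the factor base, and implements the (c) signing and verification with the (d) and (e) numbers. The function names are this example's own.

```python
p, g = 107, 17                      # F_107 and its generator 17 of order 106 (from Q4)
FACTOR_BASE = (2, 3, 5)
BASE_LOGS = {2: 11, 3: 28, 5: 93}   # log_17 of the factor base, from Q4(a)

def check_base_logs():
    """Sanity check of the Q4(a) logs: g^log_g(q) must equal q in F_p."""
    return all(pow(g, l, p) == q for q, l in BASE_LOGS.items())

def smooth_exponents(n, base=FACTOR_BASE):
    """Exponent vector of n over the factor base, or None if n is not smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def dlog_index_calculus(h):
    """Q4(b) step, generalised: find k with h*g^k smooth over the base, then
    log_g(h) = sum(e_i * log_g(q_i)) - k  (mod p-1).  For h = 94 this is k = 1."""
    for k in range(p - 1):
        exps = smooth_exponents(h * pow(g, k, p) % p)
        if exps is not None:
            total = sum(e * BASE_LOGS[q] for e, q in zip(exps, FACTOR_BASE))
            return (total - k) % (p - 1)
    return None

def elgamal_sign(sk, hm, k):
    """ElGamal signature from Q4(c); k must be invertible mod p-1."""
    r = pow(g, k, p)
    s = (hm - r * sk) * pow(k, -1, p - 1) % (p - 1)
    return r, s

def elgamal_verify(pk, hm, r, s):
    """Verification from Q4(c): range checks, then g^H(m) == pk^r * r^s (mod p)."""
    if not (0 < r < p and 0 < s < p - 1):
        return False
    return pow(g, hm, p) == pow(pk, r, p) * pow(r, s, p) % p

def dh_shared(a, pk_other):
    """Q4(e): the recovered private key a turns Bob's public key into the shared secret."""
    return pow(pk_other, a, p)
```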

END OF PAPER
