Documente Academic
Documente Profesional
Documente Cultură
1/1
point
1.
Suppose a MAC system (S, V ) is used to protect les in a le system
Correct
The MAC signing algorithm is only applied to the le contents and
on the le system.
Replacing the tag and contents of one le with the tag and contents of a le
from another computer protected by the same MAC system, but a di erent key.
1/1
point
2.
Let (S, V ) be a secure MAC de ned over (K, M , T ) where M = {0, 1}n and T = {0, 1}128 . That is, the key space is K , message space is {0, 1}n , and
tag space is {0, 1}128 .
Un-selected is correct
Un-selected is correct
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 1/9
11/28/2018 Cryptography I - Home | Coursera
Correct
a forger for (S ′ , V ′ ) gives a forger for (S, V ).
(i.e., V ′ ((k1 , k2 ), m, (t1 , t2 )) outputs ``1'' if both t1 and t2 are valid tags)
Correct
a forger for (S ′ , V ′ ) gives a forger for (S, V ).
V ′ (k, m, t) = {
V (k, m, t) if m ≠ 0n
“1” otherwise
Un-selected is correct
V ′ (k, m, (t1 , t2 )) = {
V (k, m, t1 ) if t1 = t2
"0" otherwise
Correct
a forger for (S ′ , V ′ ) gives a forger for (S, V ).
1/1
point
3.
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 2/9
11/28/2018 Cryptography I - Home | Coursera
Recall that the ECBC-MAC uses a xed IV (in the lecture we simply set the IV to 0).
``0'' otherwise.
and obtain the tag (r, t). He can then generate the following
Correct
The CBC chain initiated with the IV r ⊕ m and applied
1/1
point
4.
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 3/9
11/28/2018 Cryptography I - Home | Coursera
Suppose Alice is broadcasting packets to 6 recipients
share a secret key k . Alice computes a tag for every packet she
receiving the packet and drops the packet if the tag is invalid.
by computing the tag with each of her 4 keys. When user Bi receives
to his keys in Si are valid. For example, if user B1 is given keys {k1 , k2 } he will accept an incoming packet only if the rst and second tags are valid. Note
that B1 cannot validate the 3rd and 4th tags because he does not have k3 or k4 .
How should Alice assign keys to the 6 users so that no single user
can forge packets on behalf of Alice and fool some other user?
S1 = {k1 , k2 }, S2 = {k2 , k3 }, S3 = {k3 , k4 }, S4 = {k1 , k3 }, S5 = {k1 , k2 }, S6 = {k1 , k4 }
Un-selected is correct
S1 = {k1 , k2 }, S2 = {k1 }, S3 = {k1 , k4 }, §4 = {k2 , k3 }, S5 = {k2 , k4 }, S6 = {k3 , k4 }
Un-selected is correct
S1 = {k1 , k2 }, S2 = {k1 , k3 }, S3 = {k1 , k4 }, §4 = {k2 , k3 }, S5 = {k2 , k4 }, S6 = {k4 }
Un-selected is correct
S1 = {k2 , k4 }, S2 = {k2 , k3 }, S3 = {k3 , k4 }, S4 = {k1 , k3 }, S5 = {k1 , k2 }, S6 = {k1 , k4 }
Correct
Every user can only generate tags with the two keys he has.
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 4/9
11/28/2018 Cryptography I - Home | Coursera
1/1
point Week 3 - Problem Set
Quiz, 10 questions
5.
Consider the encrypted CBC MAC built from AES. Suppose we
last bit of m (i.e. if the last bit of m is b then the last bit
to compute the tag for m′ from the tag for m and the MAC key? (in this question please ignore message padding and simply assume that the message
length is always a multiple of the AES block size)
Correct
You would decrypt the nal CBC MAC encryption step done using k2 ,
the decrypt the last CBC MAC encryption step done using k1 ,
ip the last bit of the result, and re-apply the two encryptions.
n+1
0/1
point
6.
Let H : M → T be a collision resistant hash function.
H ′ (m) = H(m∥
∥ m)
H ′ (m) = H(m)∥
∥ H(m)
Correct
a collision nder for H ′ gives a collision nder for H .
Un-selected is correct
H ′ (m) = H(m∥
∥ 0)
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 5/9
11/28/2018 Cryptography I - Home | Coursera
Correct
nder Week 3 - Problem Set
′
a collision Quiz,for
10H gives a collision nder for H .
questions
Un-selected is correct
H ′ (m) = H(0)
Un-selected is correct
Un-selected is correct
1/1
point
7.
Suppose H1 and H2 are collision resistant
Correct
If H2 (H1 (x)) = H2 (H1 (y)) then
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 6/9
11/28/2018 Cryptography I - Home | Coursera
1/1
point
8.
In this question you are asked to nd a collision for the compression function:
f1 (x, y) = AES(y, x) ⨁ y ,
Your goal is to nd two distinct pairs (x1 , y1 ) and (x2 , y2 ) such that f1 (x1 , y1 ) = f1 (x2 , y2 ).
Which of the following methods nds the required (x1 , y1 ) and (x2 , y2 )?
Correct
You got it !
1/1
point
9.
Repeat the previous question, but now to nd a collision for the compression function f2 (x, y) = AES(x, x) ⨁ y .
Which of the following methods nds the required (x1 , y1 ) and (x2 , y2 )?
y2 = y1 ⊕ AES(x1 , x1 ) ⊕ AES(x2 , x2 )
Correct
Awesome!
y2 = y1 ⊕ AES(x1 , x1 )
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 7/9
11/28/2018 Cryptography I - Home | Coursera
Choose Week
x1 , x2 , y13arbitrarily
- Problem (with x1Set
≠ x2 ) and set
Quiz, 10 questions
y2 = y1 ⊕ x1 ⊕ AES(x2 , x2 )
y2 = AES(x1 , x1 ) ⊕ AES(x2 , x2 )
1/1
point
10.
Let H : M → T be a random hash function where ∣M ∣ ≫ ∣T ∣ (i.e. the size of M is much larger than the size of T ).
In lecture we showed
O(∣T ∣2/3 )
Correct
An informal argument for this is as follows: suppose we
and H(x) = H(z). Since each one of these two events happens
follows.
O(∣T ∣3/4 )
O(∣T ∣)
O(∣T ∣1/4 )
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 8/9
11/28/2018 Cryptography I - Home | Coursera
https://www.coursera.org/learn/crypto/exam/ECqUF/week-3-problem-set 9/9