CM30173 MOCK
University of Bath
DEPARTMENT OF COMPUTER SCIENCE
EXAMINATION
CM30173: Cryptography
MOCK
Full marks will be given for correct answers to THREE questions. If you opt to answer more
than the specified number of questions, you should clearly identify which of your answers you
wish to have marked. In cases where you have failed to identify the correct number of
answers the marker is only obliged to consider the answers in the order they appear up to the
number of answers required.
CM30173 MOCK
CM30173 MOCK 2.
1. The University of Wessex is concerned about the security of exam papers and demands
that they must all be encrypted. With only weeks before the first exams must be written
the lecturers need a plan.
(a) Two lecturers, Ann and Bob, need to work on an exam paper together, they’ve
sorted out the storage but then Bob finds out he has to spend a month in the Arctic
circle on an important research project. Its pretty cold out and no one has arrived
to install phones in the buildings there, in addition, Bob knows that the shared
computer on site is old and slow with only a satellite link. Bob is leaving in a few
hours so Ann and he meet up to arrange matters. Ann is concerned that Bob will
be working on a shared computer — how can she be certain that she is speaking to
him?
What options do Ann and Bob have for securing their discussion about exam
questions? Explain the advantages and disadvantages of each method and which
technologies you would use. [10]
(b) The exam papers are finished but they need to be checked by the external examiners.
Professor White needs to send his finished exam to the external. Since the external
lives in Australia Professor White can’t pass the paper to him by hand and the
University refuses to pay the fee for a secure courier.
Professor White hasn’t met the external but has his phone number and work address
and phones him, the external suggests sending the paper by secure e-mail but says
that he needs a way to verify that the paper which arrives is from Professor White.
Professor White needs to satisfy himself that he sending the paper to the right
person and that no one can read the exam paper in transit. Explain precisely how
you would solve their problems and what technologies you would use. [10]
CM30173 MOCK continued
CM30173 MOCK continued 3.
2.
(a) Describe the AES encryption algorithm, explaining how it is made up from S-boxes,
permutations, linear transformations and boolean operations. [7]
(b) Before AES was developed it was suggested that the security of DES could be increased
by using DES twice with two different keys:
eDESk2 (e
DES
k1
(x))
What would be the cost of finding the keys by exhaustive key search? Describe a faster
known plaintext attack that would recover both the keys.
Explain how to use DES multiple times to increase security. [8]
(c) An additional mode of operation called counter mode was approved for use with AES. To
encrypt a message x = x1x2 . . . of blocks of length m we choose a counter ctr which is a
bitstring of length m. Construct a sequence of bitstrings of length m:
Ti = ctr + i− 1 (mod 2m) i ≥ 1.
Encrypt blocks:
yi = xi ⊕ ek(Ti) i ≥ 1
Explain the advantages of this mode of operation. [5]
3.
(a) Define the term message authentication code (MAC). Describe how a block cipher such
as DES can be used to produce CBC-MAC. [7]
(b) Describe how an unkeyed hash function can be formed by iteration of a compression
function. What is Merkle-Damg̊ard strengthening? [6]
(c) Alice needs to design a MAC, she has an unkeyed iterated hash function h and she
proposes to use MACk(x) = h(k‖x). Assuming that h includes no preprocessing step,
what do you think of this idea? What if h does include a preprocessing step? [7]
CM30173 MOCK continued
CM30173 MOCK continued 4.
4.
(a) Describe ElGamal including parameter generation, encryption and decryption. [7]
(b) Prove that decryption returns the input plaintext in ElGamal. [2]
(c) Alice decides that generating a new random number for each message she encrypts with
ElGamal takes too long and that instead she will change the number every so often. What
do you think of this idea? [4]
(d) Describe PGP. In what ways does it fail to meet the definition of a public key
infrastructure? [7]
5.
(a) Describe the basic RSA signature scheme. [6]
(b) Define the terms existential forgery and selective forgery. [2]
(c) What is the multiplicative property of RSA? Using the multiplicative property show that
you can produce existential forgeries of RSA signatures. What mechanisms could be used
to protect against this? [6]
(d) Prove that, to split n it suffices to find x, y ∈ Z such that
x2 ≡ y2 (mod n)
x 6≡ ±y (mod n)
[6]
EHC CM30173 MOCK