1. (a) What is meant by the following properties of an encryption system?
• Confusion.
• Diffusion.
[4]
(b) Explain how a substitution-permutation network can be used to encrypt a block of
plaintext. [4]
(c) Describe how differential cryptanalysis may be used to attack a SPN-based
encryption system. Your answer should identify the goal of the attack and resources
required, and include explanation of the following terminology: propagation ratio,
differential trail, candidate key, right pair. [8]
(d) Why is electronic code book not considered a secure mode of operation for block
cipher encryption? Define an alternative, more secure mode of operation. [4]
2. (a) What is a cryptographic hash function? Give an example of a NIST-approved hash
function. [3]
(b) What is a collision for an unkeyed hash function? What does it mean for such
a function to be collision-resistant? Does collision resistance imply preimage
resistance (explain)? [5]
(c) What is meant by the following data security properties: integrity and message
authenticity? Explain precisely how Alice and Bob may use a message authentication
code to maintain these properties when sending and receiving unencrypted messages
over an unsecured channel. [5]
(d) Suppose Alice and Bob agree to define a message authentication code using an
unkeyed hash function h (derived using the Merkle-Damg̊ard construction) and a
shared secret key k, by defining hk(m) = (k‖m). Why is this not secure (explain
any attack)? How should Alice and Bob use h to define a MAC? [7]
Page 2 of 3 CM30173
3. (a) Using the product of the prime factors 17 and 13 as a modulus for RSA encryption,
and 5 as the public key exponent, calculate the private key exponent. [5]
(b) Why is a low value such as 3 a poor choice of public key exponent (explain any
attack). [5]
(c) Explain what is meant by semantic security of a public key encryption system. Is
basic RSA encryption semantically secure? [4]
(d) Show how knowledge of an RSA decryption exponent can be used to factor the
modulus of encryption. Does this entail that solving the RSA problem is as hard as
integer factorization? [6]
4. (a) Describe the El-Gamal digital signature scheme, including key generation, signature
generation and verification. [6]
(b) Prove that the signature generated by the signing algorithm is accepted according
to the verification procedure. [6]
(c) Give a necessary condition on the choice of parameters when:
• generating keys
• signing messages
if the scheme is to be secure in use. [2]
(c) Show how an attacker can create a key-only existential forgery in the basic scheme.
How is this prevented in practice? [6]
JDL/RJB Page 3 of 3 CM30173