Crypto - Quiz Flashcards

1
Q

Perfect secrecy

Q: Which assertion is correct? (Note: unconditional security = perfect secrecy)

A) If a cipher is unconditionally secure, then the secret key is at least as long as the plaintext.
B) A cipher is unconditionally secure as soon as the secret key is at least as long as the plaintext.
C) A cipher is unconditionally secure if and only if the secret key is at least as long as the plaintext.

A

The correct answer is A.

2
Q

Not-so-one-time pad

Q: What happens if the one-time pad is incorrectly used and two distinct plaintexts are encrypted with the same key?

A) The key is compromised.
B) The two plaintexts are revealed.
C) The difference between the two plaintexts is revealed.
D) The authenticity of the plaintext is compromised.

A

The correct answer is C.

3
Q

Computational security

Q: Assume an adversary performs an exhaustive key search on a huge network of 10⁹ computers, each capable of testing 10⁹ keys per second. After about how much time will a 128-bit key typically be found?

A) A few seconds.
B) A few days.
C) A few years.
D) A few centuries.
E) A few times the age of the universe.

A

The correct answer is E.

4
Q

Nonce

Q: What does “nonce” stand for?

A) Number used only once.
B) Non-committing encryption.
C) Network neutrality for confidentiality and encryption.

A

The correct answer is A.

5
Q

Semantic security / IND-CPA

Q: For a cipher to achieve semantic security (or equivalently, to be IND-CPA secure), which condition is necessary?

A) It must be randomized.
B) It must be randomized (if asymmetric) or the diversifier must be a nonce (if symmetric).
C) It must ensure that one cannot recognize whether two identical plaintexts were encrypted with the same key.
D) None of the above.

A

The correct answer is C.

6
Q

Authentication

Q: For an authentication scheme to be secure (EU-CMA), which condition is necessary?

A) It must be randomized.
B) It must be randomized (if asymmetric) or the diversifier must be a nonce (if symmetric).
C) It must ensure that one cannot tell whether two identical messages were signed/MAC’ed with the same key.
D) None of the above.

A

The correct answer is D.

7
Q

“Le Big-MAC”

Q: What happens if a MAC or a signature is too short? An attacker …

A) … can create a fraudulent message, randomly guess the tag and have some chance that it is valid.
B) … can modify a legitimate message, randomly guess the tag and have some chance that it is valid.
C) … can modify a legitimate message, keep the same tag and have some chance that it is valid.
D) … can recover the key too easily.
E) … can decrypt the message too easily.

A

The correct answer is A+B+C.

8
Q

Exhausted DES

Q: The DES has 56 bits of key. What is the complexity of exhaustive key search on it?

A) 2⁵⁶ operations.
B) 2⁵⁵ operations because it has (semi-)weak keys.
C) 2⁵⁵ operations because of the complementarity property.

A

The correct answer is C.

9
Q

Exhausted Double-DES

Q: To avoid exhaustive key search and have 112 bits of key, one can use DES_k₁ ∘ DES_k₂. What is the complexity of exhaustive key search on it?

A) 2¹¹² operations.
B) 2¹¹⁰ operations because of the complementarity property.
C) 2⁵⁷ operations and negligible memory.
D) 2⁵⁷ operations and 56 terabytes of memory.
E) 2⁵⁷ operations and 10⁸⁰ petabytes of memory.
F) None of the above.

A

The correct answer is E.

10
Q

Exhausted Triple-DES

Q: To avoid exhaustive key search and have 112 bits of key, one can use DES_k₁ ∘ DES_k₂ ∘ DES_k₁. What is the complexity of exhaustive key search on it?

A) 2¹¹² operations.
B) 2¹¹² operations, but it is susceptible to differential cryptanalysis.
C) 2¹¹² operations, but it is susceptible to linear cryptanalysis.
D) 2¹¹⁰ operations because of the complementarity property.
E) 2⁵⁷ operations and 10⁸⁰ petabytes of memory.
F) None of the above.

A

The correct answer is A.

11
Q

Rijndael

Q: In Rijndael, if we change one byte in the input block, how many bytes are guaranteed to change in the state after 2 rounds?

A) 1
B) 4
C) 8
D) 16

A

The correct answer is D.

12
Q

Mode of operation

Q: What is a mode of operation?

A) The formal security requirements in which an encryption or authentication scheme must operate.
B) An algorithm that implements any type of scheme or another primitive by using a primitive as a black box.

A

The correct answer is B.

13
Q

Primitive

Q: In this course, how is a symmetric crypto primitive defined?

A) It is an algorithm whose security cannot be proven but must be tested with third-party cryptanalysis.
B) It is the set of elementary operations that must be performed in an encryption or authentication scheme.
C) It is a painter in the Renaissance.

A

The correct answer is A.

14
Q

Is your attack generic enough?

Q: In symmetric crypto, consider a scheme that is made of a mode of operation on top of a primitive. A generic attack is …

A) … an attack on the primitive that works independently of the mode of operation.
B) … an attack on the mode of operation that works independently of the primitive.

A

The correct answer is B.

15
Q

Birthday paradox

Q: If we draw 12-digit numbers at random (e.g., 805916763814) with replacement, after how many draws is it likely to have two identical such numbers in the list (i.e., a collision)?

A) After 10³ draws.
B) After 10⁶ draws.
C) After 10⁹ draws.
D) After 10¹² draws.

A

The correct answer is B.

16
Q

Salvaging ECB

Q: Assume a user encrypts plaintext using AES-ECB, and the plaintext is highly compressed data. Is this encryption secure in a known plaintext setting?

A) No, it is totally insecure.
B) Yes, it is secure, but up to the birthday bound (2⁶⁴ blocks).
C) Yes, it is secure all the way up to 2¹²⁸ blocks.

A

The correct answer is B.

17
Q

Inverse-less block ciphers

Q: In which of these block cipher-based modes is the implementation of the inverse block cipher not needed?

A) ECB.
B) CBC.
C) CTR.
D) CBC-MAC.

A

The correct answer is C and D.

18
Q

Sponges

Q: The sponge construction is

A) a mode on top of a keystream generator.
B) a mode on top of a block cipher.
C) a mode on top of a permutation.
D) a factory that produces kitchen appliances.

A

The correct answer is C.

19
Q

Sponges vs keyed sponges

Q: The difference between a sponge function and a keyed sponge function is:

A) The keyed sponge has one more input, the secret key, that is concatenated to the input string before being absorbed.
B) The keyed sponge allows one to alternately absorb input blocks and request output blocks.

A

The correct answer is A.

20
Q

Hashing more

Q: SHA-256 is a well-known hash function with 256 bits of output. Let us build the n = 512-bit hash function SHA-256+256 this way:

SHA-256+256(x) = SHA-256(x||0) || SHA-256(x||1).

What is the collision resistance of SHA-256+256?

A) 64 bits.
B) 128 bits.
C) 192 bits.
D) 256 bits.
E) 384 bits.
F) 512 bits.

A

The correct answer is B.

21
Q

MD4, MD5, SHA-1

Q: What is the status of these hash functions w.r.t. collision resistance?

A) SHA-1 is theoretically broken, but not MD4 nor MD5.
B) MD5 and SHA-1 are theoretically broken, but not MD4.
C) MD4, MD5 and SHA-1 are theoretically broken.
D) MD4, MD5 and SHA-1 are practically broken.

A

The correct answer is D.

22
Q

Indifferentiability

Q: Which statement(s) is/are correct?

A) SHA-1 …
B) SHA-256 and SHA-512 …
C) The Merkle-Damgård construction …
D) SHA-3 …
E) The sponge construction …

is/are indifferentiable from a random oracle up to complexity 2^(n/2) (A-C) or 2^(c/2) (D-E).

A

The only correct statement is E.

23
Q

KECCAK inverse

Q: When inverting KECCAK, which step is the most costly one?

A) θ
B) ρ
C) π
D) χ
E) ι
F) None of the above.

A

The correct answer is F.

24
Q

Web of trust

Q: I have the following public keys:

PK_Xavier checked and signed by me

PK_Yves and Sign_{k_X}(Yves, PK_Yves)

PK_Zoë and Sign_{k_Y}(Yves, PK_Zoë)

Who do I have to trust so that I can trust Zoë’s public key?

A) Xavier only.
B) Yves only.
C) Both Xavier and Yves.

A

The correct answer is C.

25
Q

Hybrid encryption

Q: How does hybrid encryption work?

A) Alice sends a public key to Bob encrypted with her secret key, and she encrypts the plaintext with his public key.
B) Alice sends a secret key to Bob encrypted with his public key, and she encrypts the plaintext with the secret key.
C) Alice sends a public key to Bob encrypted with her private key, and she encrypts the plaintext with her public key.
D) Alice sends a private key to Bob encrypted with his public key, and she encrypts the plaintext with his public key.
E) Alice sends a secret key to Bob encrypted with her private key, and she encrypts the plaintext with the secret key.

A

The correct answer is B.

26
Q

RSA key generation

Q: In the scope of RSA, let n = pq be the product of two distinct large primes. How do the public and private exponents relate? (There can be more than one possible answer.)

A) ed ≡ 1 (mod n)
B) ed ≡ 1 (mod ϕ(n))
C) ed ≡ 1 (mod (p − 1)(q − 1))

A

The correct answers are B and C.

27
Q

RSA key length

Q: In the scope of RSA, let n = pq be the product of two distinct large primes. How large do the primes p and q need to be for a security level that matches the collision resistance of SHA-256?

A) p and q each have 64 bits.
B) p and q each have 128 bits.
C) p and q each have 256 bits.
D) p and q each have 1536 bits.
E) p and q each have 3072 bits.

A

The correct answer is D.

28
Q

RSA signature generation

Q: To sign a message m, I compute s and send (m, s). How should I compute s?

A) s = mᵈ mod n.
B) s = mᵉ mod n.
C) s = hash(m)ᵈ mod n.
D) s = hash(m)ᵉ mod n.

A

The correct answer is C.

29
Q

RSA signature verification

Q: To sign a message m, I compute s and send (m, s). How should someone verify my signature?

A) Accept m only if hash(s) = mᵈ mod n.
B) Accept m only if hash(s) = mᵉ mod n.
C) Accept m only if hash(m) = sᵈ mod n.
D) Accept m only if hash(m) = sᵉ mod n.
E) Accept m only if hash⁻¹(s) = mᵈ mod n.
F) Accept m only if hash⁻¹(s) = mᵉ mod n.

A

The correct answer is D.

30
Q

Discrete logarithm vs Diffie-Hellman problems

Q: What is the relationship between the discrete logarithm (DL) and the Diffie-Hellman (DH) problems?

A) An adversary who can solve the DL problem can also solve the DH problem, but not necessarily vice-versa.
B) An adversary who can solve the DH problem can also solve the DL problem, but not necessarily vice-versa.
C) Both problems are equivalent.

A

The correct answer is A.

31
Q

Generic security of the discrete logarithm problem

Q: Without knowing more about the group structure, which group can potentially yield a secure discrete logarithm problem? A group whose size is …

A) a prime number of the order of 2¹²⁸.
B) exactly 2¹²⁸.
C) a prime number of the order of 2²⁵⁶.
D) exactly 2²⁵⁶.
E) the product of two secret primes, each of the order of 2¹²⁸.

A

The correct answer is C.