Crypto - Quiz

Question 1

Perfect secrecy

Q: Which assertion is correct? (Note: unconditional security = perfect secrecy)

A) A cipher is unconditionally secure implies that the secret key is at least as long as the plaintext.
B) A cipher is unconditionally secure as soon as the secret key is at least as long as the plaintext.
C) A cipher is unconditionally secure if and only if the secret key is at least as long as the plaintext.

Answer 1

The correct answer is A.

Question 2

Not-so-one-time pad

Q: What happens if the one-time pad is incorrectly used and two distinct plaintexts are encrypted with the same key?

A) The key is compromised.
B) The two plaintexts are revealed.
C) The difference between the two plaintexts is revealed.
D) The authenticity of the plaintext is compromised.

Answer 2

The correct answer is C.

Question 3

Computational security

Q: Assume an adversary performs an exhaustive key search on a huge network of 10⁹ computers, each capable of testing 10⁹ keys per second. After about how much time will a 128-bit key typically be found?

A) A few seconds.
B) A few days.
C) A few years.
D) A few centuries.
E) A few times the age of the universe.

Answer 3

The correct answer is E.

Question 4

Nonce

Q: What does “nonce” stand for?

A) Number used only once.
B) Non-committing encryption.
C) Network neutrality for confidentiality and encryption.

Answer 4

The correct answer is A.

Question 5

Semantic security / IND-CPA

Q: For a cipher to achieve semantic security (or equivalently, to be IND-CPA secure), which condition is necessary?

A) It must be randomized.
B) It must be randomized (if asymmetric) or the diversifier must be a nonce (if symmetric).
C) It must ensure that one cannot recognize whether two identical plaintexts were encrypted with the same key.
D) None of the above.

Answer 5

The correct answer is C.

Question 6

Authentication

Q: For an authentication scheme to be secure (EU-CMA), which condition is necessary?

A) It must be randomized.
B) It must be randomized (if asymmetric) or the diversifier must be a nonce (if symmetric).
C) It must ensure that one cannot tell whether two identical messages were signed/MAC’ed with the same key.
D) None of the above.

Answer 6

The correct answer is D.

Question 7

“Le Big-MAC”

Q: What happens if a MAC or a signature is too short? An attacker …

A) … can create a fraudulent message, randomly guess the tag and have some chance that it is valid.
B) … can modify a legitimate message, randomly guess the tag and have some chance that it is valid.
C) … can modify a legitimate message, keep the same tag and have some chance that it is valid.
D) … can recover the key too easily.
E) … can decrypt the message too easily.

Answer 7

The correct answer is A+B+C.

Question 8

Exhausted DES

Q: The DES has 56 bits of key. What is the complexity of exhaustive key search on it?

A) 2⁵⁶ operations.
B) 2⁵⁵ operations because it has (semi-)weak keys.
C) 2⁵⁵ operations because of the complementarity property.

Answer 8

The correct answer is C.

Question 9

Exhausted Double-DES

Q: To avoid exhaustive key search and have 112 bits of key, one can use DESk₁ ◦ DESk₂. What is the complexity of exhaustive key search on it?

A) 2¹¹² operations.
B) 2¹¹⁰ operations because of the complementarity property.
C) 2⁵⁷ operations and negligible memory.
D) 2⁵⁷ operations and 56 terabytes of memory.
E) 2⁵⁷ operations and 10⁸⁰ petabytes of memory.
F) None of the above.

Answer 9

The correct answer is E.

Question 10

Exhausted Triple-DES

Q: To avoid exhaustive key search and have 112 bits of key, one can use DESk₁ ◦ DESk₂ ◦ DESk₁. What is the complexity of exhaustive key search on it?

A) 2¹¹² operations.
B) 2¹¹² operations, but it is susceptible to differential cryptanalysis.
C) 2¹¹² operations, but it is susceptible to linear cryptanalysis.
D) 2¹¹⁰ operations because of the complementarity property.
E) 2⁵⁷ operations and 10⁸⁰ petabytes of memory.
F) None of the above.

Answer 10

The correct answer is A.

Question 11

Rijndael

Q: In Rijndael, if we change one byte in the input block, how many bytes are guaranteed to change in the state after 2 rounds?

A) 1
B) 4
C) 8
D) 16

Answer 11

The correct answer is D.

Question 12

Mode of operation

Q: What is a mode of operation?

A) The formal security requirements in which an encryption or authentication scheme must operate.
B) An algorithm that implements any type of scheme or another primitive by using a primitive as a black box.

Answer 12

The correct answer is B.

Question 13

Primitive

Q: In this course, how is a symmetric crypto primitive defined?

A) It is an algorithm whose security cannot be proven but must be tested with third-party cryptanalysis.
B) It is the set of elementary operations that must be performed in an encryption or authentication scheme.
C) It is a painter in the Renaissance.

Answer 13

The correct answer is A.

Question 14

Is your attack generic enough?

Q: In symmetric crypto, consider a scheme that is made of a mode of operation on top of a primitive. A generic attack is …

A) … an attack on the primitive that works independently of the mode of operation.
B) … an attack on the mode of operation that works independently of the primitive.

Answer 14

The correct answer is B.

Question 15

Birthday paradox

Q: If we draw 12-digit numbers at random (e.g., 805916763814) with replacement, after how many draws is it likely to have two identical such numbers in the list (i.e., a collision)?

A) After 10³ draws.
B) After 10⁶ draws.
C) After 10⁹ draws.
D) After 10¹² draws.

Answer 15

The correct answer is B.

Question 16

Salvaging ECB

Q: Assume a user encrypts plaintext using AES-ECB, and the plaintext is highly compressed data. Is this encryption secure in a known plaintext setting?

A) No, it is totally insecure.
B) Yes, it is secure, but up to the birthday bound (2⁶⁴ blocks).
C) Yes, it is secure all the way up to 2¹²⁸ blocks.

Answer 16

The correct answer is B.

Question 17

Inverse-less block ciphers

Q: In which of these block cipher-based modes is the implementation of the inverse block cipher not needed?

A) ECB.
B) CBC.
C) CTR.
D) CBC-MAC.

Answer 17

The correct answer is C and D.

Question 18

Sponges

Q: The sponge construction is

A) a mode on top of a keystream generator.
B) a mode on top of a block cipher.
C) a mode on top of a permutation.
D) a factory that produces kitchen appliances.

Answer 18

The correct answer is C.

Question 19

Sponges vs keyed sponges

Q: The difference between a sponge function and a keyed sponge function is:

A) The keyed sponge has one more input, the secret key, that is concatenated to the input string before being absorbed.
B) The keyed sponge allows to alternatively absorb input blocks and request output blocks.

Answer 19

The correct answer is A.

Question 20

Hashing more

Q: SHA-256 is a well-known hash function with 256 bits of output. Let us build the n = 512-bit hash function SHA-256+256 this way:

SHA-256+256(x) = SHA-256(x||0) || SHA-256(x||1).

What is the collision resistance of SHA-256+256?

A) 64 bits.
B) 128 bits.
C) 192 bits.
D) 256 bits.
E) 384 bits.
F) 512 bits.

Answer 20

The correct answer is B.

Question 21

MD4, MD5, SHA-1

Q: What is the status of these hash functions w.r.t. collision resistance?

A) SHA-1 is theoretically broken, but not MD4 nor MD5.
B) MD5 and SHA-1 are theoretically broken, but not MD4.
C) MD4, MD5 and SHA-1 are theoretically broken.
D) MD4, MD5 and SHA-1 are practically broken.

Answer 21

The correct answer is D.

Question 22

Indifferentiability

Q: Which statement(s) is/are correct?

A) SHA-1 …
B) SHA-256 and SHA-512 …
C) The Merkle-Damgård construction …
D) SHA-3 …
E) The sponge construction …

is/are indifferentiable from a random oracle up to complexity 2ⁿ/2 (A-C) or 2ᶜ/2 (D-E).

Answer 22

The only correct statement is E.

Question 23

KECCAK inverse

Q: When inverting KECCAK, which step is the most costly one?

A) θ
B) ρ
C) π
D) χ
E) ι
F) None of the above.

Answer 23

The correct answer is F.

Question 24

Web of trust

Q: I have the following public keys:

PKXavier checked and signed by me

PKYves and Signᵏₓ(Yves,PKYves)

PKZoë and Signᵏʸ(Yves,PKZoë)

Who do I have to trust so that I can trust Zoë’s public key?

A) Xavier only.
B) Yves only.
C) Both Xavier and Yves.

Answer 24

The correct answer is C.

Question 25

Hybrid encryption

Q: How does hybrid encryption work?

A) Alice sends a public key to Bob encrypted with her secret key, and she encrypts the plaintext with his public key.
B) Alice sends a secret key to Bob encrypted with his public key, and she encrypts the plaintext with the secret key.
C) Alice sends a public key to Bob encrypted with her private key, and she encrypts the plaintext with her public key.
D) Alice sends a private key to Bob encrypted with his public key, and she encrypts the plaintext with his public key.
E) Alice sends a secret key to Bob encrypted with her private key, and she encrypts the plaintext with the secret key.

Answer 25

The correct answer is B.

Question 26

RSA key generation

Q: In the scope of RSA, let n = pq be the product of two distinct large primes. How do the public and private exponents relate? (There can be more than one possible answer.)

A) ed ≡ 1 (mod n)
B) ed ≡ 1 (mod ϕ(n))
C) ed ≡ 1 (mod (p− 1)(q− 1))

Answer 26

The correct answers are B and C.

Question 27

RSA key length

Q: In the scope of RSA, let n = pq be the product of two distinct large primes. How large do the primes p and q need to be for a security level that matches the collision resistance of SHA-256?

A) p and q each have 64 bits.
B) p and q each have 128 bits.
C) p and q each have 256 bits.
D) p and q each have 1536 bits.
E) p and q each have 3072 bits.

Answer 27

The correct answer is D.

Question 28

RSA signature generation

Q: To sign a message m, I compute s and send (m, s). How should I compute s?

A) s = mᵈ mod n.
B) s = mᵉ mod n.
C) s = hash(m)ᵈ mod n.
D) s = hash(m)ᵉ mod n.

Answer 28

The correct answer is C.

Question 29

RSA signature verification

Q: To sign a message m, I compute s and send (m, s). How should someone verify my signature?

A) Accept m only if hash(s) = mᵈ mod n.
B) Accept m only if hash(s) = mᵉ mod n.
C) Accept m only if hash(m) = sᵈ mod n.
D) Accept m only if hash(m) = sᵉ mod n.
E) Accept m only if hash⁻¹(s) = mᵈ mod n.
F) Accept m only if hash⁻¹(s) = mᵉ mod n.

Answer 29

The correct answer is D.

Question 30

Discrete logarithm vs Diffie-Hellman problems

Q: What is the relationship between the discrete logarithm (DL) and the Diffie-Hellman (DH) problems?

A) An adversary who can solve the DL problem can also solve the DH problem, but not necessarily vice-versa.
B) An adversary who can solve the DH problem can also solve the DL problem, but not necessarily vice-versa.
C) Both problems are equivalent.

Answer 30

The correct answer is A.

Question 31

Generic security of the discrete logarithm problem

Q: Without knowing more about the group structure, which group can potentially yield a secure discrete logarithm problem? A group whose size is …

A) a prime number of the order of 2¹²⁸.
B) exactly 2¹²⁸.
C) a prime number of the order of 2²⁵⁶.
D) exactly 2²⁵⁶.
E) the product of two secret primes, each of the order of 2¹²⁸.

Answer 31

The correct answer is C.