Lecture 5

Question 1

What are some key qualities of nonce-based CBC?

Answer 1

nonce is unique, and you use two keys (one to encrypt the nonce to create a unique IV and one to do the rest of the encryption)

Question 2

Why do you need extra encryption of nonce with independent key for nonce based cbc?

Answer 2

To prevent CPA attack..predictable IV will leak plaintext information

Question 3

When is CBC padding needed?

Answer 3

When the message doesn’t fit the multiple of the block cipher block length

Question 4

What is the problem with cbc padding?

Answer 4

You will need to pad an extra block after filling in the padding so that during decryption, message doesn’t get confused with padding (dummy block is major overhead)

Question 5

Randomized CTR mode

Answer 5

Requires passing IV to the PRF when generating the pseudorandom pad for increased randomization (also no padding needed since no fixed block length)

Question 6

Nonce CTR-mode

Answer 6

IV in this case is made up of nonce+counter. Tradeoff: constrained by how many counters

Question 7

CTR vs CBC

Answer 7

CTR allows for parallel processing and doesn’t need padding and the error term is smaller so we have to change the key less often

Question 8

Recap: examples of many-time key

Answer 8

Randomized cbc and Randomized ctr mode

Question 9

One-time key examples

Answer 9

stream ciphers and deterministic CTR-mode

Question 10

Message authentication code (MAC)

Answer 10

Has a signing and verification algorithm (create and verify the tag)
If you verify a tag with the same key you signed with, it should return true

Question 11

How is MAC secure against CPA?

Answer 11

If Eve can’t produce a valid tag for a new message or a new tag for the same message

Question 12

How can MAC be used for protecting system files?

Answer 12

If system gets hacked, you can recompute tags to make sure files are not modified. To make sure file order hasn’t been swapped, you can include filename in the tags.

Question 13

Examples of MAC stemming from prf vs MACs from compression functions

Answer 13

CBC-MAC, NMAC, PMAC VS HMAC

Question 14

What makes a MAC insecure?

Answer 14

If the tag is too short then Eve can guess it easily. Output of PRF needs to be large

Question 15

NMAC

Answer 15

a key + first block of message produces ciphertext and we feed that to the next step as a key

Question 16

Cascade NMAC

Answer 16

Insecure version of NMAC where extension attack can happen (you need to pad the last output and apply a diff key to for the finally tag encryption)

Question 17

Encrypted CBC Mac (ECBC)

Answer 17

XOR function chains

Question 18

NMAC vs ECBC MAC

Answer 18

NMAC is not used with AES or 3DES because key changes on EVERY block which means you have to recompute key expansion every time
ECBC-MAC commonly used as an AES-based MAC

Question 19

CMAC

Answer 19

uses a randomized padding function so you can avoid having to add a dummy block (XOR final step with k1 if you have padding and k2 if you don’t have padding)

Question 20

PMAC (parallel mac)

Answer 20

Parallel processing of message blocks to produce tag

Question 21

What are cryptographic hash functions?

Answer 21

One way functions with three properties: pre-image resistance (given h=H(x) it is difficult to determine x) , second pre-image resistance (given x can’t find y where H(x) = H(y)) , collision resistance (difficult to find two different messages x,y such that H(x) = H(y))

Question 22

MAC security for collision resistance

Answer 22

If small mac is secure, large mac will be secure

Question 23

What is the birthday paradox?

Answer 23

In a group of 23 people, 50% that two share a bday (OR if you sample a certain number of hashes, you’ll have a 50% chance of finding a collision)
(means that a generic algorithm to find a collision is O(2^n/2) and going through the algo twice can result in collision because of birthday paradox