Serious Cryptography Flashcards

1
Q

How many letters does the Caesar cipher shift?

A

3

2
Q

How does the Vigenère cipher work?

A

Unlike Caesar, the shift is not fixed: the key is a word of N letters, and each key letter shifts the corresponding plaintext letter (the key repeats every N letters). With key DUH, CRYPTO encrypts to FLFSNV.

3
Q

What are the steps needed to break the Vigenère cipher?

A

1- Find the key length: look for repeated sequences in the ciphertext; the distances between repeats are multiples of the key length.
2- Recover each key letter by frequency analysis: every Nth letter of the ciphertext is a Caesar cipher, so match its letter frequencies against the most common letters of the alphabet (E, T, A in English).
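The two cards above, worked in code. This is an added example, not part of the original deck: it implements Vigenère with the deck's own test vector (CRYPTO, key DUH, gives FLFSNV), then breaks a ciphertext with the two steps listed, Kasiski's repeated-sequence test for the key length and a chi-squared frequency fit for each key letter. The English letter-frequency table is the standard one; the sample plaintext is constructed for the demonstration.

```python
from collections import Counter, defaultdict
from itertools import combinations

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Relative frequencies of letters in English text, in percent (standard table).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def letters_only(text):
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Shift each letter by the corresponding key letter; the key repeats."""
    text, key = letters_only(text), letters_only(key)
    out = []
    for i, c in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


def kasiski_key_length(ciphertext, max_len=12, ngram=3):
    """Step 1: a repeated n-gram in the ciphertext usually comes from the same
    plaintext n-gram encrypted at the same key position, so the distance between
    the repeats is a multiple of the key length. Vote for every divisor of every
    distance and keep the most popular one (smallest on a tie)."""
    positions = defaultdict(list)
    for i in range(len(ciphertext) - ngram + 1):
        positions[ciphertext[i:i + ngram]].append(i)
    votes = Counter()
    for pos in positions.values():
        for a, b in combinations(pos, 2):
            for f in range(2, max_len + 1):
                if (b - a) % f == 0:
                    votes[f] += 1
    if not votes:
        return 1
    return min(votes, key=lambda f: (-votes[f], f))


def chi_squared(column):
    """Distance between the letter counts of `column` and English; lower is closer."""
    n, counts = len(column), Counter(column)
    return sum((counts[l] - n * ENGLISH_FREQ[l] / 100) ** 2 / (n * ENGLISH_FREQ[l] / 100)
               for l in ALPHABET)


def best_shift(column):
    """Step 2: each column is a Caesar cipher; try all 26 shifts, keep the most English one."""
    return min(range(26), key=lambda s: chi_squared(
        "".join(ALPHABET[(ALPHABET.index(c) - s) % 26] for c in column)))


def break_vigenere(ciphertext, max_len=12):
    ciphertext = letters_only(ciphertext)
    klen = kasiski_key_length(ciphertext, max_len)
    key = "".join(ALPHABET[best_shift(ciphertext[i::klen])] for i in range(klen))
    return key, vigenere(ciphertext, key, decrypt=True)


# Constructed sample plaintext, long enough for the statistics to be reliable.
SAMPLE = (
    "CRYPTOGRAPHY IS THE PRACTICE OF PROTECTING INFORMATION BY TRANSFORMING IT INTO "
    "A FORM THAT ONLY THOSE WHO HOLD THE SECRET KEY CAN READ. THE CLASSICAL CIPHERS "
    "OF THE PAST WERE DESIGNED TO BE USED BY HAND WITH PEN AND PAPER, AND THIS "
    "LIMITED THE OPERATIONS THAT THEY COULD PERFORM ON THE MESSAGE. THE VIGENERE "
    "CIPHER WAS ONCE BELIEVED TO BE UNBREAKABLE BECAUSE THE SAME LETTER OF THE "
    "PLAINTEXT CAN BE ENCRYPTED INTO DIFFERENT LETTERS OF THE CIPHERTEXT DEPENDING "
    "ON ITS POSITION IN THE MESSAGE. HOWEVER THE KEY REPEATS EVERY FEW LETTERS, AND "
    "THIS REPETITION IS EXACTLY THE WEAKNESS THAT AN ATTACKER CAN EXPLOIT. BY FINDING "
    "REPEATED SEQUENCES IN THE CIPHERTEXT THE ATTACKER CAN GUESS THE LENGTH OF THE "
    "KEY AND THEN RECOVER EACH LETTER OF THE KEY ONE AT A TIME USING THE KNOWN "
    "FREQUENCIES OF LETTERS IN THE ENGLISH LANGUAGE."
)
```

Running `break_vigenere(vigenere(SAMPLE, "DUH"))` returns the key and the plaintext without the key ever being supplied; this is exactly why a repeating key is the cipher's weakness, and why the one-time pad below removes the repetition entirely.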

4
Q

Do classical ciphers operate on bits or on letters?

A

Letters

5
Q

In symmetric ciphers, what is a permutation?

A

A function that transforms an item (a letter or a block of bits) into another item such that every output has exactly one inverse: the transformation can always be undone.

6
Q

In symmetric ciphers, what is a mode of operation?

A

An algorithm that uses a permutation to process messages of arbitrary size. A good mode hides repeated plaintext blocks (identical plaintext blocks must not produce identical ciphertext blocks) by mixing everything together (confusion and diffusion).

7
Q

What is a substitution cipher?

A

Replaces each letter with another letter.

8
Q

When is a permutation secure?

A

When it satisfies three criteria:

1- The permutation should be determined by the key (in Caesar it is fixed: always a shift of 3).
2- Different keys should result in different permutations.
3- The permutation should look random: knowing that A encrypts to B should tell you nothing about how the other letters are encrypted.

9
Q

Why are classical ciphers insecure?

A

Because they are limited to operations that humans can perform in their head (or with pen and paper), so the permutations they implement are simple enough to be analyzed.

10
Q

Which cipher guarantees perfect secrecy?

A

The one-time pad.

11
Q

How long is the key of a one-time pad?

A

As long as the message.

12
Q

What can an attacker learn from a ciphertext computed with a one-time pad?

A

Only the length of the message.

13
Q

How many times can a single key be used with a one-time pad?

A

Just once.

14
Q

Why can't we encrypt two messages with the same one-time-pad key?

A

Because of the XOR property: C1 xor C2 = (P1 xor K) xor (P2 xor K) = P1 xor P2 xor K xor K = P1 xor P2. The key cancels out and the attacker learns the XOR of the two plaintexts, from which both can usually be recovered.

15
Q

Why isn't the one-time pad used in real life?

A

Because to encrypt a 1 TB file you need a 1 TB key that is truly random, shared in advance and never reused. It is not practical for long messages.

16
Q

Why is the one-time pad secure?

A

Shannon proved that if the key K is chosen uniformly at random and is as long as the message, an attacker learns nothing about the message, even by trying all possible keys: every possible plaintext of that length is produced by exactly one key, so all of them are equally plausible.
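The one-time pad cards in code. This is an added example, not from the deck: `key_that_explains` is Shannon's argument made concrete (for any candidate plaintext there is a key that produces the observed ciphertext, so the ciphertext cannot single one out), and `two_time_pad_leak` plus `crib_drag` show what the XOR cancellation on the previous card gives an attacker when a key is reused. The two messages and the crib are constructed for the demonstration.

```python
import os


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("one-time pad: key and message must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length):
    return os.urandom(length)            # must be truly random and never reused


def otp_encrypt(key, plaintext):
    return xor_bytes(key, plaintext)


otp_decrypt = otp_encrypt                 # XOR is its own inverse


def key_that_explains(ciphertext, candidate_plaintext):
    """Shannon's argument in code: for ANY candidate plaintext of the right length
    there is exactly one key under which the ciphertext decrypts to it, so the
    ciphertext alone cannot favour one plaintext over another."""
    return xor_bytes(ciphertext, candidate_plaintext)


def two_time_pad_leak(c1, c2):
    """Reuse the key and it cancels: C1 ^ C2 = P1 ^ P2, no key needed."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib, charset=b"ABCDEFGHIJKLMNOPQRSTUVWXYZ !"):
    """Slide a guessed fragment of one message over P1 ^ P2. Wherever the result
    looks like plausible text, the crib probably sits at that offset in one message
    and the result is the other message at the same offset. Expect false positives;
    a human (or a language model) filters the candidates."""
    hits = []
    for i in range(len(p1_xor_p2) - len(crib) + 1):
        guess = xor_bytes(p1_xor_p2[i:i + len(crib)], crib)
        if all(b in charset for b in guess):
            hits.append((i, guess.decode("ascii")))
    return hits


# Constructed messages of equal length; the key is reused on purpose to show the leak.
P1 = b"ATTACK AT DAWN TOMORROW!"
P2 = b"RETREAT TO THE RIVERBANK"
KEY = otp_keygen(len(P1))
C1, C2 = otp_encrypt(KEY, P1), otp_encrypt(KEY, P2)


def crib_drag_demo(crib=b"THE "):
    """Attacker's view: only C1, C2 and a guessed word of one of the messages."""
    return crib_drag(two_time_pad_leak(C1, C2), crib)
```

With the crib "THE " the hit at offset 11 reads "AWN ", the piece of P1 that lines up with "THE " in P2; extending the crib from there recovers both messages, which is why "just once" on the card above is not negotiable.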

17
Q

What is an attack model?

A

Assumptions about what an attacker can do when interacting with a cipher. It does not have to match reality exactly; it is an approximation.

18
Q

What is a security goal?

A

A description of what is considered a successful attack.

19
Q

What does Kerckhoffs's principle state?

A

The security of a cipher should rely only on the secrecy of the key, not on the secrecy of the cipher.

20
Q

What are the black-box attack models?

A

Models where the attacker only sees what goes into and comes out of the cipher, not its implementation.

21
Q

What is the ciphertext-only attack (COA) model?

A

A passive attack: the attacker cannot perform decryption or encryption queries and can only observe ciphertexts.

22
Q

What is the known-plaintext attack (KPA) model?

A

A passive attack: the attacker cannot perform decryption or encryption queries, but observes ciphertexts together with their associated plaintexts (plaintexts that the attacker did not choose).

23
Q

What is chosen-plaintext attack model?

A

An active attack: the attacker can request the encryption of plaintexts of their choice.

24
Q

What is chosen-ciphertext attack model?

A

An active attack: the attacker can request both encryptions and decryptions of values of their choice.

25
Q

What are the grey-box attack models?

A

Models where the attacker also has access to the cipher's implementation, not just its inputs and outputs.

26
Q

What is an example of grey-box attack model?

A

Side-channel attacks.

27
Q

What is a side-channel attack?

A

An attack that observes or measures analog characteristics of a cipher's implementation (timing, power, etc.) without altering the implementation itself (non-invasive).

28
Q

What are examples of side-channel attacks?

A

In software: timing, error messages and return values. In hardware: measurements of power consumption, electromagnetic emanations, etc.
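The software side channel above, worked as an added example (not from the deck): a comparison that returns as soon as it finds a differing byte leaks, through its running time, how long the matching prefix is. Here the leak is modelled as a count of bytes examined, which stands in for a timing measurement so the attack is deterministic; `recover_secret` turns that leak into a byte-by-byte recovery of a token, and the constant-time variant (the same idea as Python's `hmac.compare_digest`) defeats it. The secret token is constructed for the demonstration.

```python
import hmac


def naive_compare(expected, candidate):
    """Early-exit comparison. Returns (match, bytes_examined); the second value
    models the execution time an attacker could measure, since it grows with
    the length of the matching prefix."""
    ops = 0
    if len(expected) != len(candidate):
        return False, ops
    for x, y in zip(expected, candidate):
        ops += 1
        if x != y:
            return False, ops
    return True, ops


def constant_time_compare(expected, candidate):
    """Always examines every byte and accumulates the differences, so the work
    done does not depend on where the first difference is. Use hmac.compare_digest
    in real code; this version only exposes the operation count for the demo."""
    ops = 0
    diff = len(expected) ^ len(candidate)
    for x, y in zip(expected, candidate):
        ops += 1
        diff |= x ^ y
    return diff == 0, ops


def recover_secret(oracle, length):
    """Attack against a leaky comparison: for each position try all 256 byte
    values and keep the one that makes the oracle do the most work (a full match
    ranks above everything else). Needs only length * 256 queries, not 256**length."""
    guess = bytearray(length)
    for i in range(length):
        scores = {}
        for b in range(256):
            guess[i] = b
            scores[b] = oracle(bytes(guess))      # (match, ops) tuples sort match first
        guess[i] = max(scores, key=scores.get)
    return bytes(guess)


SECRET = b"s3cr3t-t0k3n"          # constructed secret held by the "server"


def leaky_oracle(candidate):
    return naive_compare(SECRET, candidate)


def safe_oracle(candidate):
    return constant_time_compare(SECRET, candidate)
```

Against `leaky_oracle` the attack recovers the full token; against `safe_oracle` every wrong guess costs the same, so the attacker gets nothing better than all-zero bytes. The same reasoning applies to MAC tags and password hashes compared with `==` in most languages.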

29
Q

What are the two main security goals?

A

Indistinguishability (IND): ciphertexts should be indistinguishable from random strings. For example, if an attacker picks two plaintexts and receives the ciphertext of one of them, they should not be able to tell which one was encrypted.
Non-malleability (NM): given a ciphertext C1, it should be impossible to create another ciphertext C2 whose corresponding plaintext P2 is related to P1 in a meaningful way.

30
Q

What is a security notion?

A

A combination of a security goal and an attack model, e.g. IND-CPA.

31
Q

What is semantic security?

A

The same as IND-CPA: ciphertexts should not leak any information about their plaintexts as long as the key is secret. In particular, since the attacker can run encryption queries (CPA), encrypting the same plaintext twice must give different ciphertexts, otherwise the attacker could recognise repeated messages.

32
Q

How can we achieve IND-CPA?

A

Using randomized encryption: E(K, P, R), where R is a fresh random value (an IV or nonce) that is sent along with the ciphertext and never repeated for the same key.

33
Q

If a cipher is IND-CCA, does that imply it is IND-CPA as well?

A

Yes

34
Q

If a cipher is NM-CCA, does that imply it is NM-CPA as well?

A

Yes

35
Q

If a cipher is IND-CPA, does that imply it is NM-CPA as well?

A

No
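Three of the cards above in one added example (not from the deck): the IND-CPA game of card 29, the randomized encryption of card 32, and the "No" of card 35. The cipher is a stream cipher whose keystream is HMAC-SHA256 in counter mode; with a fixed nonce it is deterministic and the IND-CPA adversary wins every round, with a fresh nonce it is IND-CPA-style secure, yet it is still malleable: anyone who knows the plaintext can rewrite the ciphertext into an encryption of a chosen related plaintext without the key. The key, messages and the round schedule are constructed for the demonstration.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key, nonce, length):
    """PRF in counter mode: concatenate HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key, plaintext):
    """Fixed nonce: same key and plaintext always give the same ciphertext (not IND-CPA)."""
    return xor(keystream(key, bytes(NONCE_LEN), len(plaintext)), plaintext)


def encrypt_randomized(key, plaintext):
    """Fresh random nonce per message, sent in clear in front of the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + xor(keystream(key, nonce, len(plaintext)), plaintext)


def decrypt_randomized(key, ciphertext):
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return xor(keystream(key, nonce, len(body)), body)


def ind_cpa_adversary_wins(encrypt, key, rounds=8):
    """The IND-CPA game: the adversary submits m0 and m1, the challenger returns
    the encryption of m_b, and the adversary, who may ask for encryptions of
    anything, must guess b. Strategy here: ask for E(m1) and compare. Returns
    True only if it guesses right in every round (b follows a fixed schedule so
    the outcome is deterministic)."""
    m0, m1 = b"attack at dawn!!", b"retreat at noon!"
    for b in [0, 1] * rounds:
        challenge = encrypt(key, m1 if b else m0)
        guess = 1 if encrypt(key, m1) == challenge else 0
        if guess != b:
            return False
    return True


def rewrite_ciphertext(ciphertext, known_plaintext, wanted_plaintext):
    """Malleability: XOR-based encryption lets anyone who knows (or guesses) the
    plaintext turn E(known) into E(wanted) without the key, so this IND-CPA
    scheme is not NM-CPA. Authenticated encryption (a tag over the ciphertext)
    is what stops this."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return nonce + xor(body, xor(known_plaintext, wanted_plaintext))


DEMO_KEY = b"\x11" * 32                     # constructed demo key


def roundtrip(plaintext):
    return decrypt_randomized(DEMO_KEY, encrypt_randomized(DEMO_KEY, plaintext))


def malleability_demo():
    """What the bank decrypts after an attacker rewrote the amount in transit."""
    ct = encrypt_randomized(DEMO_KEY, b"transfer 100 usd")
    forged = rewrite_ciphertext(ct, b"transfer 100 usd", b"transfer 999 usd")
    return decrypt_randomized(DEMO_KEY, forged)
```

Nonce reuse with the randomized variant is the two-time pad of card 14 again (same keystream for two messages), which is why the nonce must never repeat under one key.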

36
Q

If a cipher is NM-CPA, does that imply it is IND-CPA as well?

A

Yes

37
Q

What is the difference between symmetric and asymmetric encryption?

A

Symmetric: one key, shared between the two parties.
Asymmetric: a pair of keys, private and public.

38
Q

Can we derive a private key from a public key?

A

No, not with any feasible amount of computation; that is what the hardness assumption behind the public-key scheme guarantees.

39
Q

Can we derive a public key from a private key?

A

Yes

40
Q

What is it called when you encrypt with a public key?

A

Encryption, because only the holder of the private key can read it.

41
Q

What is it called when you encrypt with a private key?

A

Signing (in the textbook-RSA simplification): anyone with the public key can reverse it, so no confidentiality is gained, but it proves that the holder of the private key produced it.

42
Q

What is authenticated encryption?

A

A type of symmetric encryption that outputs a ciphertext and an authentication tag. On decryption, the cipher takes K, C and T (the tag) and returns the plaintext only if the tag is valid for that ciphertext; otherwise it aborts.

43
Q

What guarantees does authenticated encryption give?

A

1- Integrity: the message is only decrypted if the tag matches, so any modification of the ciphertext is detected.
2- Authentication: only someone who holds the key could have produced a valid tag, so the receiver knows the message came from a key holder.

44
Q

What is an effective way to avoid a replay attack?

A

Include a counter (or sequence number) in each message and authenticate it: an eavesdropper who replays an old message cannot forge a valid message with counter+1, so the replay is rejected.

45
Q

What is AEAD?

A

Authenticated encryption with associated data: an extension of authenticated encryption where part of the payload (the associated data, e.g. a packet header) stays unencrypted but is still covered by the tag, so it cannot be modified either.

46
Q

What is format preserving encryption?

A

A type of encryption whose ciphertexts have the same format as the plaintext, e.g. IP addresses encrypt to IP addresses, credit card numbers to credit card numbers.

47
Q

What is Fully homomorphic encryption (FHE)?

A

A type of encryption that lets a user compute on (update) a ciphertext without decrypting it. It is useful in cloud scenarios where you do not want the provider to know your key: you send encrypted data and the provider computes on it without ever seeing the plaintext or the key.

48
Q

What is Searchable encryption?

A

A type of encryption that lets you search for content without decrypting it.

49
Q

What is tweakable encryption?

A

A type of encryption that takes a key, a plaintext and a tweak. The tweak is a context-dependent value that ties the ciphertext to that context, so the same data is encrypted differently elsewhere. For example, in disk encryption the tweak is the sector number or block index.

50
Q

What is identity-based encryption?

A

Uses an identity such as an email address in place of a public key to encrypt a message. A central entity (the private key generator, PKG) holds a master key and derives each identity's private key from it, so that the recipient can read the messages sent to that identity.

51
Q

What is attribute based encryption?

A

Attribute-based encryption is one-to-many public-key encryption: only users whose attributes satisfy the access policy set by the encryptor can decrypt the ciphertext. The concept originates from identity-based encryption.

52
Q

What is an oblivious transfer protocol?

A

In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred. (https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec19.pdf)

53
Q

What is functional encryption?

A

In a functional encryption system, a decryption key allows a user to learn a function of the encrypted data.
As a concrete example, consider a cloud service storing encrypted images. Law enforcement may require the cloud to search for images containing a particular face. Thus, the cloud needs a restricted secret key that decrypts images that contain the target face but reveals nothing about other images. More generally, the secret key may only reveal a function of the plaintext image, for example an image that is blurred everywhere except for the target face.

54
Q

Why is padding important in block ciphers?

A

Because the length of the plaintext must be a multiple of the block length (in modes such as ECB and CBC). Padding fills the last block, and it must be unambiguous so that the decryptor can remove it.

55
Q

What are examples of padding schemes?

A

PKCS#5, PKCS#7, ANSI X9.23, W3C padding, etc.
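Two of the schemes on the card, as an added example that is not part of the deck: PKCS#7 (every padding byte holds the padding length) and ANSI X9.23 (zeros followed by the length). The unpadding functions check every byte they strip, because a decryptor that accepts malformed padding, or that reports why it rejected it, is the starting point of padding-oracle attacks on CBC.

```python
def pkcs7_pad(data, block_size=16):
    """Append n bytes of value n; n is always between 1 and block_size, so a
    plaintext that already fills the last block gets a whole extra block."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must fit in one byte")
    n = block_size - len(data) % block_size
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=16):
    """Strict check: length is a multiple of the block size, the last byte is
    1..block_size, and ALL padding bytes carry that value."""
    if not data or len(data) % block_size:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def x923_pad(data, block_size=16):
    """Zeros followed by one byte holding the padding length."""
    n = block_size - len(data) % block_size
    return data + bytes(n - 1) + bytes([n])


def x923_unpad(data, block_size=16):
    if not data or len(data) % block_size:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= block_size or any(data[-n:-1]):
        raise ValueError("bad padding")
    return data[:-n]


def padding_is_valid(data, block_size=16, scheme=pkcs7_unpad):
    """True if the padding checks pass. In a real decryptor this single bit of
    information must not be observable per ciphertext by an attacker."""
    try:
        scheme(data, block_size)
        return True
    except ValueError:
        return False
```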

56
Q

What is a uniform distribution?

A

Occurs when all probabilities in the distribution are equal, meaning that all outcomes are equally likely to occur.

57
Q

How is randomness linked to uniform distribution?

A

Perfectly random bits must come out with equal probability: the output follows a uniform distribution. Non-uniform outputs are still random but carry less entropy.

58
Q

What is entropy?

A

A measure of uncertainty, or a measure of information. Both are valid definitions.

59
Q

What is the entropy of a 128-bit key generated with a uniform distribution?

A

128 bits. Formula: each of the 2^128 keys has probability 2^-128, so H = -2^128 · 2^-128 · log2(2^-128) = 128.

60
Q

What is the entropy of a fair coin toss?

A

1 bit. Formula: -1/2 · log2(1/2) - 1/2 · log2(1/2) = 1.

61
Q

What is the entropy of a loaded coin with probability 1/4 of tails and 3/4 of heads?

A

About 0.81 bits. Formula: -1/4 · log2(1/4) - 3/4 · log2(3/4) ≈ 0.81.

62
Q

For which probability distribution is the entropy maximized?

A

For a uniform distribution.
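The entropy formula of the last four cards as an added example (not from the deck): a general Shannon entropy function, the closed form for a uniform distribution (so the 2^128-key case does not require enumerating 2^128 terms), and an empirical estimator for a byte sample, which is what you use to sanity-check a generator's output.

```python
from collections import Counter
from math import log2


def shannon_entropy(probabilities):
    """H = -sum(p_i * log2(p_i)) in bits; outcomes with p_i = 0 contribute nothing."""
    if abs(sum(probabilities) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -sum(p * log2(p) for p in probabilities if p > 0)


def uniform_entropy_bits(n_outcomes):
    """Uniform over n outcomes: every term is (1/n) * log2(n), so H = log2(n).
    For a 128-bit key n = 2**128 and H = 128 without touching 2**128 terms."""
    return log2(n_outcomes)


def empirical_entropy(sample):
    """Entropy per symbol estimated from the symbol counts of a byte string.
    An upper bound on the real entropy: a PRNG output scores close to 8 bits
    per byte even though its true entropy is just that of the seed."""
    counts = Counter(sample)
    total = len(sample)
    return shannon_entropy([c / total for c in counts.values()])
```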

63
Q

Where is true randomness generated?

A

It cannot be generated by a computer alone, because a computer is a deterministic machine. It comes from an RNG: software or hardware that measures unpredictable physical events.

64
Q

What does a hardware random number generator measure to produce random numbers?

A

Thermal noise, acoustic noise, electrical noise, quantum events, etc.

65
Q

What does a software random number generator measure to produce random numbers?

A

Events from attached sensors and devices: mouse movements, network packet timings, disk activity, key presses, etc.

66
Q

Why don't we use the RNG output directly?

A

Because the RNG's measurements are slow to collect and are usually not uniformly distributed, so the raw bits carry less than one bit of entropy each.

67
Q

What is a PRNG?

A

An algorithm that takes the RNG's output as input and produces random-looking bits in a deterministic way, by feeding it into a DRNG (deterministic random bit generator).

68
Q

How does a PRNG work?

A

It takes true random bits from an RNG and feeds them into a DRNG, which expands those bits into a much larger sequence.

69
Q

What are the 3 main parts of any pseudo random number generator?

A

1- init(): initializes the entropy pool and the PRNG's internal state (buffers, etc.).
2- refresh(seed): updates the entropy pool with a new seed (fresh entropy from the RNG).
3- next(n): runs the DRNG, returns n pseudorandom bits and updates the internal state so that the next call generates a different sequence.

70
Q

What properties must a CSPRNG have?

A

1- Produce bit sequences that are indistinguishable from a uniform distribution.
2- Backtracking resistance: an attacker who learns the current internal state cannot recover previously generated bits.
3- Prediction resistance: an attacker who learns the current internal state cannot predict future bits once the generator has been refreshed with new entropy.
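The init / refresh / next structure of card 69 and the properties of card 70, as an added example that is not from the deck: a simplified HMAC_DRBG following the structure of NIST SP 800-90A (not a certified implementation). The state is the pair (K, V); `next` derives output by chaining HMAC over V and then re-keys through a one-way update, which is what gives backtracking resistance, and `refresh` mixes in new entropy, which is what prediction resistance requires. The seeds in the helper are constructed for the demonstration.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Simplified HMAC_DRBG (SP 800-90A structure) with SHA-256."""

    def __init__(self, seed):
        # init(): fixed starting state, then absorb the seed from the RNG.
        self.key = b"\x00" * 32
        self.value = b"\x01" * 32
        self._update(seed)

    def _hmac(self, data):
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided_data=b""):
        """One-way state transition; the previous (K, V) cannot be recovered from the new one."""
        self.key = self._hmac(self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.value)
        if provided_data:
            self.key = self._hmac(self.value + b"\x01" + provided_data)
            self.value = self._hmac(self.value)

    def refresh(self, seed):
        """refresh(seed): mix fresh entropy into the state."""
        self._update(seed)

    def next(self, n):
        """next(n): n pseudorandom bytes, then re-key so old output stays unrecoverable."""
        out = b""
        while len(out) < n:
            self.value = self._hmac(self.value)
            out += self.value
        self._update()
        return out[:n]


def seed_from_os(n=32):
    """The RNG side: entropy collected by the operating system feeds the DRNG."""
    return os.urandom(n)


def sequence(seed, n_blocks=3, block=16, reseed=None):
    """Helper for the demo: n_blocks outputs from a generator seeded with `seed`,
    optionally refreshed with `reseed` just before the last block."""
    g = HmacDrbg(seed)
    outs = [g.next(block) for _ in range(n_blocks - 1)]
    if reseed is not None:
        g.refresh(reseed)
    outs.append(g.next(block))
    return outs
```

Same seed, same sequence (it is deterministic, which is the point of a DRNG); a refresh changes everything from that point on without affecting what came before.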

71
Q

What is a linear combination?

A

A combination of bits using only XOR (and shifts). It produces small linear equation systems that are easy to solve, which is why purely linear generators such as plain LFSRs are insecure for cryptography.

72
Q

What is a non-linear combination?

A

A combination that also uses AND (multiplication). It makes the equation systems grow exponentially in size, so they are practically unsolvable.

73
Q

What are statistical tests on PRNG?

A

Test suites that take samples from a specific PRNG and compute statistics on its output distribution. The goal is to compare that output with a uniform distribution; one example is counting the number of 0s and 1s in a stream.

74
Q

What is the difference between /dev/random and /dev/urandom?

A

/dev/random tries to estimate the entropy of the pool and, if the estimate is not sufficient, blocks the stream. /dev/urandom does not check this bound and returns output anyway. (On Linux 5.6 and later both behave the same once the pool has been initially seeded.)

75
Q

What is rdrand?

A

An Intel x86 processor instruction that returns random bits from the CPU's on-chip generator.

76
Q

How does rdrand work?

A

A small hardware circuit jumps between 1 and 0 depending on thermal noise fluctuations, sampled at roughly 800 MHz. Those raw bits are then conditioned and expanded by a deterministic generator before being returned by the instruction.

77
Q

From a performance point of view, is Base64 or hex the better binary-to-text encoding for comparing two digests?

A

Base64, because it needs fewer characters than hex to represent the same amount of information (4 characters per 3 bytes instead of 2 per byte), so the string comparisons are shorter.

78
Q

What are the drawbacks of using base64 to represent a digest?

A

Base64 uses characters like “+”, “/” or “=” that can break some contexts such as HTTP query strings (URL-safe Base64 exists for this reason).
Base64 is case-sensitive: if a developer lowercases both values before comparing them (harmless for hex), different digests can compare equal.

79
Q

What is perceptual hashing and piecewise hashing?

A

Two types of hash that give information about the similarity of two inputs, instead of changing completely on any change: perceptual hashes compare media content (images, audio), and piecewise hashes (e.g. ssdeep) hash a file in chunks so that partially similar files get partially similar hashes.

80
Q

What is the difference between informational security and computational security?

A

Informational security is about theoretical impossibility, whereas computational security is about practical impossibility.

81
Q

When is a cipher informationally secure?

A

When it cannot be broken even given unlimited time and resources.

82
Q

When is a cipher computationally secure?

A

When it cannot be broken with a reasonable amount of time and resources.

83
Q

What does it mean for a cipher to be t-bit secure?

A

That a successful attack needs about 2^t operations (not t). It is a statement about the best known attack: the cheapest known way to break the cipher costs about 2^t operations, so the real security is at most t bits and drops if a better attack is found.

84
Q

If we need 10000000 operations to break a cipher, what is the security level?

A

log2(10,000,000) ≈ 23.3, so about 23-bit security. (One million operations would be about 2^20, i.e. 20-bit security.)

85
Q

When is the security level lower than the key size?

A

1- When an attack can recover the key in fewer operations than brute force.

2- For public-key algorithms, whose keys are much larger than their security level (e.g. RSA).

86
Q

What is the bit security level of RSA 2048?

A

About 100 bits (the book's rough figure); NIST rates RSA-2048 at 112 bits. Either way it is far below the 2048-bit key size.

87
Q

Say we have two 128-bit secure ciphers, but one is much slower than the other. Does this mean the slower one is more secure, even though both are rated 128-bit?

A

In practice, yes: if an "operation" is one evaluation of the cipher, brute force against the slower cipher takes proportionally longer in real time (a cipher that is 8 times slower adds about 3 bits of effective security), even though both are rated 128-bit.

88
Q

What factors affect the cost of a successful attack other than the t-bit security?

A

1- Parallelism: if the attack can be spread over many cores or machines, it finishes sooner in wall-clock time even though the total number of operations is the same.
2- Memory: the time and the space the attack needs must both be taken into account; an attack that needs 2^80 bytes of memory is far harder to run than one that needs only 2^80 operations.
3- Pre-computation: security diminishes a lot if work done once can be reused in later attacks, e.g. time-memory trade-offs, or the meet-in-the-middle attack on 3DES.
4- Number of targets: finding one specific 128-bit key needs 2^128 operations, and recovering 100 keys one by one costs 100 × 2^128; but if you only need at least one key out of a set of 2^16 targets, every trial key can be checked against all targets at once, so about 2^(128-16) = 2^112 operations suffice.

89
Q

What does Moore's law state?

A

Computing efficiency doubles roughly every two years. We can think of it as losing about one bit of security every two years.

90
Q

What is provable Security?

A

An approach used to mathematically prove the security of an algorithm. The proof shows that breaking the algorithm is at least as hard as solving some other problem that is believed to be hard, so the scheme stays secure as long as that problem remains unsolved. This kind of argument is called a reduction.

91
Q

What approaches can we use to prove that an algorithm is secure?

A

1- Relative to a math problem: breaking the algorithm is as hard as solving a mathematical problem (e.g. factoring large numbers).
2- Relative to another crypto problem: compare with another cryptographic scheme, so that if you can break this one you can break that one too.

92
Q

Are these proofs of security absolute?

A

No, there are caveats.

1- Sometimes solving the math problem turns out to be easier than expected.
2- Although the proof is correct, the implementation could be wrong (or the model may not cover the real attacks).

93
Q

What is heuristic security?

A

Some algorithms cannot be proved secure mathematically. The only reason to trust them is that many skilled people have tried to break them and failed.

94
Q

What type of scheme is paillier cryptosystem?

A

An additively homomorphic public-key cryptosystem: multiplying two ciphertexts gives a ciphertext of the sum of the plaintexts.
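Paillier's additive homomorphism, as an added example that is not from the deck, and also the concrete form of the cloud scenario on the homomorphic-encryption card above (card 47): the server adds encrypted values without the key. This is the textbook variant with g = n + 1; the two primes are small demo primes (the 9999th and 10000th primes), far too small for real use.

```python
import secrets
from math import gcd


def lcm(a, b):
    return a * b // gcd(a, b)


def paillier_keygen(p, q):
    """Public key n = p*q; private key (n, lambda, mu) with g fixed to n + 1."""
    if p == q or gcd(p * q, (p - 1) * (q - 1)) != 1:
        raise ValueError("unsuitable primes")
    n = p * q
    lam = lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)                   # L(g^lambda mod n^2)^-1 simplifies to lambda^-1 for g = n+1
    return (n,), (n, lam, mu)


def paillier_encrypt(pub, m):
    """c = (1+n)^m * r^n mod n^2; (1+n)^m == 1 + m*n mod n^2. Randomized by r."""
    (n,) = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n2) % n2


def paillier_decrypt(priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, with L(x) = (x - 1) / n."""
    n, lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n
    return L * mu % n


def add_encrypted(pub, c1, c2):
    """Server-side: multiply ciphertexts, the plaintexts add (mod n). No key needed."""
    (n,) = pub
    return c1 * c2 % (n * n)


def mul_encrypted_by_constant(pub, c, k):
    """Server-side: raise to a public constant, the plaintext is multiplied by k (mod n)."""
    (n,) = pub
    return pow(c, k, n * n)


PUB, PRIV = paillier_keygen(104723, 104729)   # constructed demo primes


def encrypted_sum(values):
    """Client encrypts each value, the 'cloud' sums the ciphertexts, the client decrypts."""
    total = paillier_encrypt(PUB, 0)
    for v in values:
        total = add_encrypted(PUB, total, paillier_encrypt(PUB, v))
    return paillier_decrypt(PRIV, total)
```

Paillier is malleable by design (that is the feature), so it is never used where non-malleability matters without an extra integrity layer.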

95
Q

What are the three ways available to store a secret securely?

A

1- Key wrapping: encrypting a key with a second key.
2- On-the-fly generation from a password: there is no key to store, because the key is derived from a password that lives in our brain (e.g. the iPhone PIN that unlocks iOS).
3- Storing the key in a hardware token with anti-tampering properties.

96
Q

What does it mean for a block cipher to be secure?

A

It should be a pseudorandom permutation: as long as the key remains secret, an attacker cannot distinguish it from a random permutation, and in particular cannot compute the input that produced a given output (or the other way round).

97
Q

What are the two most important sizes on a block cipher?

A

The block size and the key size.

98
Q

What is the impact of huge blocks on block ciphers?

A

1- More ciphertext overhead (padding up to a full block).

2- Larger memory footprint.

99
Q

In block ciphers, does the block size affect performance?

A

Yes! 128-bit blocks can be faster than 64-bit ones depending on the CPU architecture: 128-bit registers and instructions (SSE/AVX, AES-NI) process a whole block at once.

100
Q

In block ciphers, is there a problem if blocks are very small?

A

Yes, they are vulnerable to codebook attacks!

101
Q

What are codebook attacks?

A

If blocks are very small, say 16 bits, you can build a lookup table with all 2^16 ciphertexts corresponding to every 16-bit plaintext (by querying encryptions; no key needed).

To decrypt you just look up the input that corresponds to the given output.

102
Q

Speaking of codebook attacks against small block sizes on block ciphers, how much memory do you need to build the lookup table on 16bit, 32bit and 64bit blocks?

A

16-bit: 2^16 entries × 16 bits = 2^20 bits = 128 KB
32-bit: 2^32 entries × 32 bits = 2^37 bits = 16 GB
64-bit: 2^64 entries × 64 bits = 2^70 bits = 128 EB (exabytes)
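The codebook attack of the last two cards, run for real against a toy 16-bit block cipher. This is an added example, not from the deck: the Feistel cipher is constructed for the demonstration and has no cryptographic value; what matters is that the attacker builds the full table from chosen-plaintext queries and then decrypts by lookup without ever learning the key. `codebook_size_bytes` reproduces the sizes on the card.

```python
def _rotl8(x, r):
    return ((x << r) | (x >> (8 - r))) & 0xFF


def _round_function(half, k):
    """Toy nonlinear round on an 8-bit half (constructed; not a real cipher)."""
    return _rotl8((half * 131 + k) & 0xFF, 5) ^ k


def toy_encrypt(block, key):
    """16-bit, 4-round Feistel network; key is 4 bytes, one per round.
    A Feistel network is a permutation whatever the round function is."""
    left, right = block >> 8, block & 0xFF
    for k in key:
        left, right = right, left ^ _round_function(right, k)
    return (left << 8) | right


def toy_decrypt(block, key):
    left, right = block >> 8, block & 0xFF
    for k in reversed(key):
        left, right = right ^ _round_function(left, k), left
    return (left << 8) | right


def build_codebook(encrypt_oracle, block_bits=16):
    """Chosen-plaintext attack: ask for every possible block once, then decrypt
    anything encrypted under that key by lookup. The key is never recovered."""
    return {encrypt_oracle(p): p for p in range(1 << block_bits)}


def codebook_size_bytes(block_bits):
    """2^b entries of b bits each: 128 KB, 16 GB and 128 EB for 16, 32 and 64 bits."""
    return (1 << block_bits) * block_bits // 8


VICTIM_KEY = bytes([0x3A, 0x7F, 0x11, 0xC4])      # the attacker never sees this
CODEBOOK = build_codebook(lambda p: toy_encrypt(p, VICTIM_KEY))


def decrypt_by_lookup(ciphertext_block):
    return CODEBOOK[ciphertext_block]
```

The same lookup works in ECB mode on every block of a long message, which is why modes matter even when the block cipher itself is fine; for 64-bit blocks the table is out of reach, but the related birthday-bound problem after about 2^32 blocks is not.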

103
Q

What are DIEHARD, crypt-x, or. NIST-STS?

A

Statistical tests for randomness!

104
Q

What is Multisig on a cryptocurrency space?

A

A scheme that requires more than one party to sign a transaction. This avoids putting the wallet at risk if a single private key leaks.

Generally multisig is integrated with the cryptocurrency's ledger (implemented on-chain), so it is not agnostic of the cryptocurrency.

Bitcoin uses ECDSA and, since Taproot, Schnorr signatures over secp256k1; Monero uses the edwards25519 curve.

105
Q

What is Shamir Secret Sharing?

A

Shamir's Secret Sharing is used to secure a secret in a distributed way, most often to protect other encryption keys. The secret is split into multiple parts, called shares, and a threshold number of shares is used to reconstruct the original secret.

Reconstruction requires the participants to SEND their shares to the party that recombines them into the final key.

The construction is based on the fact that 2 points are sufficient to define a line, 3 points to define a parabola, 4 points to define a cubic curve, and so forth: the secret is the value of a random polynomial at 0 and each share is a point on that polynomial.

106
Q

What is a threshold in SSS?

A

The minimum number of shares needed to reconstruct the secret. For example, you can generate 30 shares but need only 20 of them to recover the key.

107
Q

What are the variants VSSS and PSSS?

A

VSSS (verifiable secret sharing) lets participants verify that malicious or corrupted shares are not being used, and PSSS (proactive secret sharing) lets participants periodically refresh their shares without changing the secret.

108
Q

What is native multisignature?

A

Requires n participants to SIGN the same transaction and send the n signatures to the system, which must verify all of them.

109
Q

What is aggregated multisignature?

A

Requires n participants to SIGN the same transaction and send the n signatures to an aggregator, which compresses them into a single signature. THEN the aggregated signature is sent to the system.

110
Q

What is a sybil attack?

A

In a Sybil attack, an attacker can subvert a distributed system by creating a large number of identities that appear to be independent and using them to gain disproportionate influence, alter routing, or modify redundantly stored content.

111
Q

What are examples of sybil resistant protocols?

A

Proof of work and proof of stake.

112
Q

What is a threshold signature? And what is the difference with SSS?

A

Instead of sending the parts of the secret to a central entity that recombines them into the final key (so the key exists in one place at signing time), each participant signs with its own share and sends a partial signature; the combiner produces the final signature by adding the partial signatures, and the full private key is never reconstructed.

113
Q

Which scheme is more "thresholdizable", EdDSA or ECDSA? (Meaning: more friendly to the concept of dividing the secret key into many shares.)

A

EdDSA, or pure Schnorr signatures, which are relatively threshold-friendly thanks to the linearity of their s computation (s = r + c·x, so partial values can simply be added).
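Cards 105, 106, 112 and 113 together, as an added example that is not from the deck: Shamir sharing of a Schnorr private key over a prime-order group, Lagrange recombination at zero for the "SEND the shares" path, and a t-of-n threshold Schnorr signature for the "SIGN with the shares" path, which works precisely because s = r + c·x is linear. The group is a toy one (p = 1019, q = 509, generator 4), constructed so the arithmetic is readable; a real deployment would use a 256-bit curve such as edwards25519 and the same formulas. Two simplifications are deliberate and unsafe in production: a trusted dealer splits the key instead of a distributed key generation, and signers reveal their nonce contributions without commitments (protocols such as FROST and MuSig2 add those steps).

```python
import hashlib
import secrets

# Toy group: p = 2q + 1 is a safe prime and G generates the subgroup of order q.
P, Q, G = 1019, 509, 4


def shamir_split(secret, threshold, n):
    """Random polynomial of degree threshold-1 over Z_q with f(0) = secret;
    share i is the point (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(threshold - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}


def lagrange_at_zero(indices):
    """lambda_i such that sum(lambda_i * f(i)) = f(0) for any polynomial of low enough degree."""
    coeffs = {}
    for i in indices:
        num, den = 1, 1
        for j in indices:
            if j != i:
                num = num * j % Q
                den = den * (j - i) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs


def shamir_recover(subset):
    """SSS path: a central party receives the shares and rebuilds the secret."""
    lam = lagrange_at_zero(list(subset))
    return sum(lam[i] * s for i, s in subset.items()) % Q


def challenge(R, X, msg):
    h = hashlib.sha256(f"{R}|{X}|".encode() + msg).digest()
    return int.from_bytes(h, "big") % Q


def schnorr_verify(X, msg, sig):
    """Standard single-key check: G^s == R * X^c. The verifier cannot tell how many signers there were."""
    R, s = sig
    return pow(G, s, P) == R * pow(X, challenge(R, X, msg), P) % P


def threshold_sign(subset, msg):
    """Threshold path: each signer i holds share x_i and contributes R_i = G^r_i
    and s_i = r_i + c * lambda_i * x_i. The combiner multiplies the R_i and adds
    the s_i; the full key x = sum(lambda_i * x_i) never exists anywhere."""
    lam = lagrange_at_zero(list(subset))
    nonces = {i: secrets.randbelow(Q - 1) + 1 for i in subset}
    R = 1
    for r in nonces.values():
        R = R * pow(G, r, P) % P
    # public key from the signers' public share values, again without x
    X = 1
    for i, x_i in subset.items():
        X = X * pow(pow(G, x_i, P), lam[i], P) % P
    c = challenge(R, X, msg)
    s = sum(nonces[i] + c * lam[i] * x_i for i, x_i in subset.items()) % Q
    return X, (R, s)


def tampered(sig):
    R, s = sig
    return R, (s + 1) % Q


SECRET_KEY = 123                                   # x, dealt once by the (trusted) dealer
SHARES = shamir_split(SECRET_KEY, threshold=3, n=5)
PUBLIC_KEY = pow(G, SECRET_KEY, P)
```

Any three of the five shares reconstruct x, and any three signers produce a signature that verifies under the same public key as a single-party Schnorr signature would; the ECDSA s = k^-1(h + r·d) has the inverse in it, which is what makes the same trick hard there.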

114
Q

What is called sharding in distributed key management?

A

The concept of generating one single key, breaking it into multiple parts (using, for example, Shamir's Secret Sharing), and then storing the parts separately on different shards.

115
Q

What are hash levels?

A

Until now hash functions have generally been categorised as either cryptographic or non-cryptographic. However, there are several different hash function capabilities that are useful for different purposes.

116
Q

What means to be level 1 hash?

A

It means not collision resistant; level 1 hashes are useful only where there are absolutely no adversaries (e.g. hash tables, checksums).

117
Q

What means to be level 2 hash?

A

Level 2 hash functions usually receive a key as input, and an attacker must not be able to produce a c-way multicollision (c distinct inputs with the same output).

118
Q

What means multi-collision resistance?

A

A natural relaxation of full collision resistance. Roughly speaking, a shrinking hash function is multi-collision resistant if finding many (rather than two) inputs that hash to the same output is intractable.

The notion of multi-collision resistance provides a framework for proving formal security guarantees for standard keyless hash functions, for example SHA-2.

119
Q

Can a keyless hash function achieve fully collision resistance?

A

No. Full collision resistance cannot be satisfied by any single (fixed) function. Indeed, for any shrinking function, there exist algorithms that can efficiently find collisions, by simply having such collisions hardwired in their code. Accordingly, in the theoretical treatment of collision-resistance, we consider keyed families of hash functions, requiring that efficient algorithms cannot find collisions when the key is chosen at random

120
Q

What is full collision resistance?

A

A stronger claim than collision resistance.

Full collision resistance requires the intractability of finding collisions EVEN with fully adaptive access to a collision-finding oracle, meaning:

The adversary gets access to a collision-finding oracle, which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried and returned hash/message pairs (h, m) and (h, m′) in a list Q. The adversary wins if it comes up with a hash/message pair (h*, m*) colliding with (m′*, r′*), for the given public key, where (m′*, r′*) was never queried to or output from the collision-finding oracle.

121
Q

What is the SAS 70 standard?

A

An auditing standard (Statement on Auditing Standards No. 70, since superseded by SSAE 16 / SOC reports) for the controls of service organizations. Root key ceremonies are typically scripted, witnessed and recorded so that they pass this kind of audit.

122
Q

What is the difference between RSA-PSS and RSA-OAeP?

A

OAEP is the padding scheme for RSA encryption; PSS is the padding scheme for RSA signatures.

123
Q

What is zero knowledge proof?

A

In a zero-knowledge proof protocol, one party, the prover, proves to another party, the verifier, that a statement is true, while preserving confidentiality of information.

124
Q

What is a Polynonce attack?

A

An attack on ECDSA whose nonces are not independent. The classic case is a reused nonce (because of a bug or a bad PRNG): two signatures with the same nonce are enough to recover the private key. Polynonce generalizes this to nonces related by a polynomial recurrence, recovering the key from a small number of signatures. https://eprint.iacr.org/2023/305.pdf