465 Test 1


Why does a Feistel cipher require more rounds than one like AES, where all operations are reversible? - Because a Feistel cipher uses a smaller key size - Because a Feistel cipher only operates on half the bits in each round - Because a Feistel cipher is less secure - Because a Feistel cipher uses a smaller block size

Because a Feistel cipher only operates on half the bits in each round

Suppose you wanted to use multiple processors to speed up encryption of a large message, assigning blocks round robin among the processors. Which encryption mode would NOT work for this purpose? - ECB - Randomized ECB - CBC - CTR

CBC

Why does AES use more rounds when the key is longer? - Because there needs to be enough rounds to use all of the bits of the key in at least one round - Because the number of rounds is designed to match the security of brute force search of the key space - Because if people cared about performance, they'd use the smallest key size (128 bits) - The number of rounds has to be equal to the number of octets in the key

Because the number of rounds is designed to match the security of brute force search of the key space

If Alice creates a MAC on a message, using a key shared with Bob, which of the following statements is not true? - Bob can be assured the message came from Alice - Bob can be assured that the message hasn't been modified - Bob can prove to Carol that the message came from Alice

Bob can prove to Carol that the message came from Alice

If you have a good 128-bit hash function H (assume for this exercise it's a random oracle), and you need a 256-bit hash function, you can hash a message m with H, getting H(m) and then hash m concatenated with a constant, say 5, and calculate H(m | 5), and concatenate the two results (obtaining H(m) | H(m | 5)), and this will be as secure as a good 256-bit hash function. (In other words, there is no experiment involving less than 2^256 hashes that would let someone figure out whether it is a 256-bit random oracle or not.) - True - False

False

Why does the Davies-Meyer construction do an XOR operation after each block? - It prevents someone from doing an append attack - It prevents a meet-in-the-middle attack that lowers the security of the hash - It makes it less likely that two messages will accidentally hash to the same value - It ensures that all the bits of the message affect the hash

It prevents a meet-in-the-middle attack that lowers the security of the hash

What is the purpose of the IV in CBC mode? - It makes encryption more efficient - It prevents someone from knowing whether the first block of two different messages are equal - It serves as a cryptographic integrity check - It avoids infringing on the ECB patent

It prevents someone from knowing whether the first block of two different messages are equal

What does randomized ECB (as described in section 4.2.2.1) accomplish? - It allows a decryptor to notice lost blocks - It prevents someone who sees the ciphertext from knowing when two plaintext blocks were equal - It enables someone (who knows the cryptographic key) to detect modification of the ciphertext - It enables the ciphertext to be smaller than the plaintext

It prevents someone who sees the ciphertext from knowing when two plaintext blocks were equal

Why is elliptic curve cryptography important? - It avoids the RSA patent - It uses smaller key sizes than RSA for the same security strength - It is quantum resistant

It uses smaller key sizes than RSA for the same security strength

How does CBC accomplish what randomized ECB accomplishes? - It uses the previous ciphertext block as the random number for the next plaintext block - It uses two different encryption algorithms - It includes a cryptographic integrity check

It uses the previous ciphertext block as the random number for the next plaintext block

A block cipher - Must use the same size encryption key as the block size - Must use a key size that is bigger than the block size - Can be securely used with very small block sizes (e.g., 16 bits), provided the encryption key is large enough - Takes an input block of n bits and a key of size k, and outputs ciphertext of size n+k - Takes an input block of n bits and a key size of size k, and outputs ciphertext of size n

Takes an input block of n bits and a key size of size k, and outputs ciphertext of size n

What design feature of a Feistel cipher enables decryption, despite having some irreversible operations? - Decryption uses the same key as encryption - The (irreversible) mangler function never needs to be computed in the reverse direction - It uses both S-boxes and P-boxes - There is only a single key that would map a given plaintext block to a given ciphertext block

The (irreversible) mangler function never needs to be computed in the reverse direction

How do you know the S-boxes in DES are not reversible? - They have more input bits than output bits, so there are multiple inputs that map to the same output - Because DES uses a Feistel cipher - Because a cipher would not be secure if its S-boxes were reversible - Because DES's key size is too small

They have more input bits than output bits, so there are multiple inputs that map to the same output

Public key cryptography - Is not as secure as secret key cryptography, because the keys are not kept secret - Uses a single public key for all users, but each user has their own private key - Uses two mathematically related keys for each user; the public key, and the private key - Is usually faster than secret key cryptography - Is where encryption and decryption are done with the private key. Signatures and signature verification are done with the public key.

Uses two mathematically related keys for each user; the public key, and the private key

The usual effect of a DOS attack is that the attacker: - Steals sensitive data - Corrupts data - Uses up resources so that legitimate users cannot use the service - Impersonates a legitimate user and uses a service for free

Uses up resources so that legitimate users cannot use the service

Which of the following is not true of a MAC? - It is computed based on both a secret key and the plaintext - It can be computed on an unencrypted message - Someone that can verify the MAC can also forge a message - Without knowing the secret key, it is possible to modify a few blocks of a message without changing the MAC

Without knowing the secret key, it is possible to modify a few blocks of a message without changing the MAC

As described in Chapter 2.4.4 Efficient Digital Signatures, it is common, for performance reasons, to sign a hash of a message rather than the message itself. Why is it so important that it be difficult to find two messages with the same hash?

You can sign a hash of a message instead of the message itself since it is more efficient. It is important that it be difficult to find two messages with the same hash because if you are signing a hash which has two messages, you are signing both messages. Most likely you will not know the other message so this can be dangerous. Once Alice has signed a hash of a message, she has signed all messages that have that hash

A stream cipher - Can only encrypt fixed-sized messages - Can only encrypt audio or video - Deterministically calculates a stream of bits from a secret seed, and XOR's the result with the message to do encryption or decryption - Can only be used for short messages - Can be used by Alice to send Bob an encrypted message, even if Bob does not know the seed Alice used

Deterministically calculates a stream of bits from a secret seed, and XOR's the result with the message to do encryption or decryption

Suppose in a Feistel cipher, the mangler function mapped every 32-bit value to zero, regardless of the value of its input. What function would encryption compute if there was only one round? What function would encryption compute if there were eight rounds?

Each round would swap the left and right 32 bit values of the input. So after one round, the right and left parts would be swapped. If there were 8 rounds, the initial 64 bit value would be the result. Reversing left and right half. (after 1 round of Feistel) After 8 rounds, the identity

Why is it possible to decrypt, in parallel, blocks of ciphertext that were encrypted using CBC mode, but it is not possible to encrypt, in parallel, blocks of plaintext with CBC mode?

Encrypting each plaintext block requires knowing the ciphertext value in the previous block so it can't encrypt multiple blocks at once without the previous value. Decryption of ciphertext block n only depends on ciphertext blocks n and n-1, whereas encryption of plaintext block n depends on ciphertext block n-1, which can only be known after encrypting from the beginning.

How many square roots of 1 are there mod 77?

4

How many square roots of 1 are there mod 91?

4

What is the key size in DES? - 56 bits - 80 bits - 96 bits - 128 bits

56 bits

What is the block size in 3DES? - 56 bits - 64 bits - 128 bits - 168 bits

64 bits

What is the block size in DES? - 56 bits - 64 bits - 128 bits - Variable length, chosen by the implementation, and can be any size, between 56 bits and 256 bits

64 bits

Which of the following is not a legal key size in AES? - 64 bits - 128 bits - 192 bits - 256 bits

64 bits

Select all of the following pairs of numbers that are relatively prime - 15,21 - 8,21 - 15,49 - 9,15 - 11,21

- 8,21 - 15,49 - 11,21

What is Φ(21)? - 15 - 12 - 8 - 14

12

What block size does AES use when using 256 bit keys? - 64 bits - 128 bits - 192 bits - 256 bits

128 bits

How many messages of length 1000 bits are likely to have a given 256-bit hash? - 2^256 - 2^512 - 2^744 - 2^1000

2^744

If Alice and Bob are communicating with a secure session, good security practice recommends: - Alice and Bob should use the same cryptographic keys for encryption and integrity protection as they used the previous time they communicated - For each secure session, Alice and Bob should establish a new single secret that will be used for encryption (in both directions) and integrity protection (for both directions) - Traffic from Alice to Bob should not be cryptographically protected, but traffic from Bob to Alice should be encrypted and integrity protected - Alice and Bob might establish several cryptographic keys for each secure session, and use different encryption keys in each direction, and different integrity protection keys in each direction.

Alice and Bob might establish several cryptographic keys for each secure session, and use different encryption keys in each direction, and different integrity protection keys in each direction.

Which of these is a way for Alice and Bob to do a coin flip over the telephone in a way that neither can cheat? - Alice flips the coin, but doesn't tell Bob at first what the result is. Bob then calls "heads" or "tails", and Alice then tells Bob whether he won or not. - Alice flips the coin, Bob decides which he wants but doesn't tell Alice. Alice then informs Bob of which was chosen (let's say "heads"), and Bob then says whether that is what he chose - Alice sends a random number R, to Bob. Bob tells Alice "heads" or "tails", and Alice hashes R and sends it to Bob. If h(R) is even, the result is "heads". If h(R) is odd, the result was "tails". - Alice chooses a random number R, and sends h(R) to Bob. Bob then declares whether he chooses "heads" or "tails". Alice then sends R. If R is even, the result was heads, and if R is odd, the result is tails.

Alice chooses a random number R, and sends h(R) to Bob. Bob then declares whether he chooses "heads" or "tails". Alice then sends R. If R is even, the result was heads, and if R is odd, the result is tails.

An ACL (access control list) - Is associated with a resource, and lists who is allowed to access that resource - Can list not only who is allowed to access the resource, but what they can do (e.g., read/write/execute) - Can be made more scalable by including a group or role, which separately lists the individuals - All of the above

All of the above

What can cryptography provide for data - Reassurance of the identity of the sender - Reassurance that the data has not been modified in transit - Preventing an eavesdropper from reading the data - All of the above

All of the above

What properties must a good cryptographic hash function have? - It must be computationally infeasible to find two messages with the same hash - It must be computationally infeasible, given a value H, to find a message that hashes to H - Given a message M1 with hash h(M1), it must be computationally infeasible to find a different message M2 with h(M2) = h(M1). - All of the above

All of the above

A NAT box - Detects fraudulent packets and deletes them - Allows a portion of the Internet to use non-globally unique addresses - Reads the content of packets to detect viruses

Allows a portion of the Internet to use non-globally unique addresses

Why is it safe to sign a hash of a message rather than the actual message? - No two messages have the same hash, so it makes no difference which is signed - A valid signature must have both the message and the hash signed - Although there are many messages that have the same hash, it is extremely improbable to ever find another message with the same hash - The same signature works whether it is the actual message that was signed, or the hash

Although there are many messages that have the same hash, it is extremely improbable to ever find another message with the same hash

All the hash functions (MD4, MD5, SHA-1, and SHA2) have the same sort of construction, consisting of an intermediate state the size of the hash, and at each stage of the algorithm, feeding in the next block of the message and the intermediate state into a compression function, which yields the next intermediate state. A method of creating a MAC is a keyed hash, doing a hash of a secret concatenated with the message. (h(secret | m )) . What vulnerability is there in using this as a MAC (assuming an attacker sees the message and the MAC)? - An attacker will be able to compute the secret. - An attacker will be able to append extra data to the message, and be able to create a new MAC for the modified message, even though the attacker does not know the secret - An attacker will be able to create a 2nd message that has the same MAC as the first - An attacker will be able to verify the MAC even if the attacker does not know the secret.

An attacker will be able to append extra data to the message, and be able to create a new MAC for the modified message, even though the attacker does not know the secret

Why doesn't a secret key MAC provide non-repudiation? - A MAC can be forged by anyone - A message can be modified by anyone, with the MAC remaining valid - Anyone who can verify the MAC can forge the MAC, so they could have composed the message - A MAC does not depend on the contents of the message

Anyone who can verify the MAC can forge the MAC, so they could have composed the message

Suppose Carol acts as a MITM in a conversation between Alice and Bob - Alice and Bob must have given permission for Carol to do this, and Carol is helping Alice and Bob communicate - This is an example of Carol carrying out a passive attack - Carol can read all the messages that Alice sends to Bob (and that Bob sends to Alice), and forwards everything transmitted by Bob or Alice to the other side, without modifying the messages, or injecting extra messages - Carol impersonates Bob to Alice, and impersonates Alice to Bob. If encryption is used, a different key will be established between Alice and Carol than between Carol and Bob. - Alice and Bob can detect if there is a MITM by sending questions to each other that only the other side knows the answer to

Carol impersonates Bob to Alice, and impersonates Alice to Bob. If encryption is used, a different key will be established between Alice and Carol than between Carol and Bob.

It is common for banks to communicate with each other using a CBC-residue on messages as an integrity check. Banks A and B would share a secret key KAB. Messages do not need to be encrypted; just integrity protected, so A would send a message to B unencrypted, but with the CBC-residue of the message (computed with KAB) appended as an integrity check. There was an email standard where an unencrypted, integrity protected message from Alice to Bob consisted of Alice sending a secret key S for that message, encrypted with Bob's public key, and Alice would use her RSA private key to sign the CBC-residue. So the message from Alice to Bob consists of:
{S}Bob ; S encrypted with Bob's public key
Message (unencrypted)
[CBC-residue of message using S as the key]signed by Alice
This is insecure. Why is that?

If Trudy sees a message that Alice sent to Bob, she can then forge additional messages to Bob pretending to be Alice. She would do this by choosing her own secret S', encrypting it with Bob's public key. She would copy the CBC-residue signed by Alice from Alice's original message. Then she would construct a message with a matching CBC residue (which is possible if she can choose all of the message but one block and then compute what the block has to be computing the CBC forwards and backwards as in last week's homework). This assumes there is some comment or other field in the message that can be distorted without causing the overall message to be rejected

The primary difference between a DDOS attack and a DOS attack is - In a DDOS attack, there are many attackers, whereas a DOS attack is generally a single attacker - With a DDOS attack it is easier to catch the perpetrator - A DDOS attack can be defended against by ensuring that clients can receive at the IP address from which a request was sent - In a DDOS attack, it is easier to prosecute the owner of a machine from which a bogus request is made

In a DDOS attack, there are many attackers, whereas a DOS attack is generally a single attacker

Which numbers, mod n, have multiplicative inverses? - The integers less than n - All integers other than 0 - Integers that are relatively prime to n - Integers that are relatively prime to Φ(n)

Integers that are relatively prime to n

Which numbers, mod n, have exponentiative inverses? - All integers less than n - All integers other than 0 - Integers that are relatively prime to n - Integers that are relatively prime to Φ(n)

Integers that are relatively prime to Φ(n)

The work factor of a cryptographic algorithm - Is a measure of how difficult it is to implement the algorithm - Is a measure of how computationally expensive it is to perform encryption and decryption - Is a measure of how difficult it is to break the algorithm - Is a measure of how difficult it was to design the algorithm

Is a measure of how difficult it is to break the algorithm

A web cookie - Is a string created by a client, stored by the server on behalf of that client, and sent to that client when that client sends an HTTP request to the server - Is a string created by a server, sent to a client when that client connects to the server, and returned by the client each time the client sends an HTTP request to the server - Is a string that is understandable by both the server and the client - Has a syntax that is standardized, so that all servers use cookies the same way

Is a string created by a server, sent to a client when that client connects to the server, and returned by the client each time the client sends an HTTP request to the server

A cryptographic integrity check on data - Is usually done by storing the data in multiple places, and comparing them to see if they have been modified - Is only used for transmitting data across a network - Is extra data associated with the original data that is a function of the data and a secret - Cannot be used if the data is encrypted

Is extra data associated with the original data that is a function of the data and a secret

Why is modular arithmetic commonly used in cryptographic algorithms rather than integer arithmetic? - It is faster than integer arithmetic - It allows numbers to be expressed in a fixed number of bits - It is more expensive to break encryption if it uses modular arithmetic - It is less complicated to implement because there are no negative numbers

It allows numbers to be expressed in a fixed number of bits

Why does RSA use a non-prime modulus? - It is easy for anyone to calculate exponentiative inverses in a prime modulus - So that all elements have multiplicative inverses - To make it efficient to compute digital signatures - At that size of numbers, it would be too hard to find primes.

It is easy for anyone to calculate exponentiative inverses in a prime modulus

Why might an implementation that stores a database of hashed passwords choose to use a 128-bit hash function applied, say, 100 times? - h^100 adds 100 bits more security to the 128-bit hash function h. - It makes brute force search of the password database 100 times slower. - It makes brute force search of the password database 2^100 - It gives the security of a 256-bit hash function, but at higher performance.

It makes brute force search of the password database 100 times slower.

Assume a cryptographic algorithm in which the performance for the good guys (the ones that know the key) grows linearly with the length of the key, and for which the only way to break it is a brute-force attack of trying all possible keys. Suppose the performance at a certain key-size is adequate for the good guys (e.g., encryption and decryption can be done as fast as the bits can be transmitted over the wire). Then suppose advances in computer technology make computers twice as fast. Given that both the good guys and the bad guys get faster computers, does this advance in computer speed work to the advantage of the good guys, the bad guys, or does it not make any difference?

It works to the advantage of the good guys. After the advance in technology, the good guys can just double their key length which will take the same amount of time as before on the old computer. The bad guys would have to try way more than double the numbers than before, so they would be way slower, even with the increased speed with the new computer. It works to the advantage of the good guys, since the work to do encryption/decryption knowing the key should be linear in the length of the key, and brute force should be double the work with each extra bit of the key. So, for instance, going from a 100 to 200 bit key should be double the work for the good guys, and 2^100 times the work for the bad guys

A passive attack differs from an active attack because in a passive attack, the attacker - Has no hostile intent - Listens to messages but does not inject or modify messages - Cannot do any harm - Is hired by a company to test their own security

Listens to messages but does not inject or modify messages

How much bigger is the ciphertext in CBC than ECB? - It is the same size - About 10% bigger - One block bigger - Twice as big

One block bigger

In DNS, a root server - Knows all DNS names that have been assigned - Alerts an administrator if the same name is assigned within two different top level domains (e.g., bigbank.com, and bigbank.org) - Only stores information about servers for each top level domain - Maintains the largest database among all DNS servers

Only stores information about servers for each top level domain

What is the Chinese Remainder Theorem? - A way of calculating greatest common divisors - A way of finding large primes - Proof that any number 0 < x < n can be uniquely represented as x mod n, or as xp mod p and xq mod q (where n = p*q, and p & q are relatively prime) - A method of determining who in the dinner group should get the last egg roll

Proof that any number 0 < x < n can be uniquely represented as x mod n, or as xp mod p and xq mod q (where n = p*q, and p & q are relatively prime)

Suppose you want to replace block #n, in the middle of a CBC-encrypted file, with a new value for block #n. What do you need to do? - Encrypt the new block with the key, and overwrite that block in the correct place in the file - Read the entire file, including the IV, decrypt it, change the one plaintext block to the new block, and re-encrypt the entire file. - Read the IV, use the IV to CBC-encrypt the new block n, and write the newly-encrypted block into the ciphertext - Read the ciphertext starting with block n-1, decrypt starting at block n+1, use ciphertext block n-1 as the IV, and encrypt the new block n plaintext followed by the remaining blocks in the plaintext.

Read the ciphertext starting with block n-1, decrypt starting at block n+1, use ciphertext block n-1 as the IV, and encrypt the new block n plaintext followed by the remaining blocks in the plaintext.

Suppose one had a piece of hardware that did 3DES implemented using EDE. How could you use that hardware to implement DES?

Since 3DES is just DES run three times with 3 keys, to implement DES, you would just have to run it once with one key. Feed the single key into the hardware as K1, K2, and K3.

Why is it usual to sign a hash of a message instead of the actual large message? - So the message can be efficiently retrieved from a database using its hash - It wouldn't be legally binding unless the signature is on the hash - A signature on the actual message would divulge too much information about the message - Since hash algorithms are much faster than public key signatures, it is more efficient to sign a smaller thing

Since hash algorithms are much faster than public key signatures, it is more efficient to sign a smaller thing

Why is it important that an encryption algorithm be reversible? - So that an implementation can be reverse-engineered to prove it is following the specification - It will be more secure if it is reversible - To avoid infringing on patents - So that decryption is possible

So that decryption is possible

Random J. Protocol-Designer has been told to design a scheme to prevent messages from being modified by an intruder. Random J. decides to append to each message a hash of that message. Why doesn't this solve the problem?

Someone could just modify the message and the hash at the end. Anyone can modify the message and calculate the hash of the new message. The only way to make this sort of thing secure is to make the integrity check a function of a secret that an unauthorized guy won't know

Assume a cryptographic algorithm in which the performance for the good guys (the ones that know the key) grows linearly with the length of the key, and for which the only way to break it is a brute-force attack of trying all possible keys. Suppose computers get ten times as fast as before, and both the good guys and bad guys have access to faster computers, and the good guys make their keys ten times as long as before. What effect, if any, does this have on the security of cryptographic algorithms? - The cryptographic algorithm will be even more secure than before against brute force search - It will be easier for the bad guys to do a brute force search for keys - It doesn't matter how fast computers are, because good guys and bad guys will have access to the same types of computers

The cryptographic algorithm will be even more secure than before against brute force search

How many rounds should there be in a block cipher? - The number of rounds should equal the number of bits in the key - The number of rounds should equal the number of bits in a block - The number of rounds should be such that the easiest way to break the cipher is with brute force search of all the keys - It will always be more secure to add more rounds, so the number of rounds should be as much as performance issues will allow

The number of rounds should be such that the easiest way to break the cipher is with brute force search of all the keys

Suppose you use four polarizing filters, with each one 30° off from the previous one. What percentage of photons would pass through the four filters?

The probability of a random photon passing through the first filter is ½. The probability of the now polarized photon passing through the next filter is cos² 30° = ¾. So, the probability of a random photon passing through all four filters is ½ × (¾)^3 = 27/128 = 21.09375%, which is more than the 1/8 = 12.5% that passed through 3 filters.

A secret key algorithm is one in which - The design must be kept secret - The same key is used for encryption as decryption - Uses two keys; one to encrypt, and one to decrypt - It is only useful for encryption (and cannot be used for authentication or integrity protection)

The same key is used for encryption as decryption

Suppose Alice, Bob, and Carol want to use secret key technology to authenticate each other. If they all used the same secret Key K, then Bob could impersonate Carol to Alice (actually any of the three can impersonate the other to the third). Suppose instead that each had their own secret key, so Alice uses KA, Bob uses KB, and Carol uses KC. This means that each of Alice, Bob, and Carol, to prove his or her identity, responds to a challenge with a function of his or her secret key and the challenge. Is this more secure than having them all use the same secret key K? (Hint: What does Alice need to know in order to verify Carol's answer to Alice's challenge?)

This is not more secure because to verify Carol's answer, Alice would need to know her secret key. If they all know each other's secret keys it is the same as having the same secret key. In order to verify a response to a challenge, each of them needs to know the other side's secret, so all 3 would have to know the secrets of all 3. And any of them can impersonate the other 2. So no, it's not any more secure than having all 3 of them share a single secret.

Why do we need cryptographic modes? - To allow implementations of a block cipher to be optimized for different types of hardware - To allow encryption of messages larger than a block size - To make block ciphers more convenient for certain programming languages - To make brute force search of the key space more difficult

To allow encryption of messages larger than a block size

One defense against a DOS attack is for a server that is being swamped - To avoid keeping state about a connection until a requester can prove it can receive packets from the IP address which is the source address of a request - To report the attack to an administrator - For the server to reboot

To avoid keeping state about a connection until a requester can prove it can receive packets from the IP address which is the source address of a request

What is the purpose of the key expansion step in block ciphers? - To enable a different variation of the key to be used in each round, which avoids attacks where the same key is used in each round - To enable an implementation with an n-bit key to be as secure as an implementation with a much larger key - To enable a key to be encoded in a more convenient way for a person to type it in

To enable a different variation of the key to be used in each round, which avoids attacks where the same key is used in each round

Which is computationally easiest? - Given a value V, to find a message M such that h(M)=V - To find two messages M1 and M2, such that h(M1) = h(M2) - Given a message M1 where h(M1) = V, to find a 2nd message M2, such h(M2)=V

To find two messages M1 and M2, such that h(M1) = h(M2)

If you have a good 256-bit hash function, and you need a 128-bit hash function, you can use the 256-bit hash function, but only use the first 128 bits of the hash, and that will be a secure 128-bit hash function - True - False

True

How much bigger is the ciphertext in randomized ECB than in ECB? - It is the same size - About 10% bigger - One block bigger - Twice as big

Twice as big

Keeping in mind that a useful encryption algorithm requires the ability to decrypt, which of the following are possible? Write your thoughts on each item in the list.
a) An encryption algorithm for which there are two tuples, (key1,block1) and (key2,block2), that map to the same ciphertext block.
b) An encryption algorithm for which there are two tuples, (key1,block1) and (key1,block2), that map to the same ciphertext block.
c) An encryption algorithm that maps plaintext blocks of size k bits to ciphertext blocks of size j bits. Is this possible if k < j? How about if k > j?
d) An encryption algorithm that takes as input a triple (key, plaintext block of size k, random number R), and outputs (R, ciphertext block of size k) (where the ciphertext depends on all three inputs).

a) only one input value should map to any given output value otherwise decryption is impossible so this is not possible.
b) same as above, only one input to one output so this is not possible.
c) you can encrypt messages larger than the block size with modes of operation so k < j is possible
d) it is possible. use the key and plaintext to create the ciphertext, the random number stays the same
a. Yes, this is possible. In fact, for any ciphertext block, and any key, there will be a plaintext block that maps to it. Very rarely, but still possible, would be two keys that map the same plaintext block to the same ciphertext block
b. This is not possible, since if that did happen, attempting to decrypt would be ambiguous
c. We really should just expect the students to answer "yes" and "no". To elaborate (which we should do in class), an IV or integrity check can increase the size of the ciphertext. If it's an IV, then every ciphertext will decrypt. If it's an integrity check, then not all ciphertexts will decrypt
d. Yes

Suppose there is a file with 8 blocks that is represented by a hash (Merkle) tree. Suppose one block, say b6, is modified. What items in the hash tree need to be modified? (image 1 saved, hw4) - Root and b6 - b6, X1, X2, X3, X4, X5, X6 - b6, X5, X2, Root - b6, X6, X1, Root

b6, X5, X2, Root

