CS588: Cryptography, Spring 2005

Problem Set 1 Out: 20 January 2005
Due: 3 February 2005
(beginning of class)
Collaboration Policy
You may discuss these problems with anyone you want. You should not take any written artifacts out of those discussions, however. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and criticing possible solutions; it does not permit splitting up questions in a group.Problem set answers may be handwritten, but only if your hand writting is neat enough for us to read it. For full credit, answers must be clear, elegant and concise.You may consult any outside resources you wish including books, papers, web sites and people; the only resources you may not use without explicit permission are materials from previous offerings of this couse. If you use resources other than the class materials, indicate what you used along with your answer.
1. Security Principles
a. (5) Use two examples from the Feynman story, Safecracker Meets Safecracker to illustrate the tradeoff between security and convenience.b. (5) What (if anything) should the army have done differently?
c. (5) Describe a realistic scenario in which a protocol that is insecure under the DolevYao threat model could be securely used?
2. Critters in the Middle
There is a problem with this question. It is removed from PS1. Suppose Alice and Bob know each other's public keys, and want to agree on a shared symmetric encryption key. Slimey Sally suggests they use the following fourstep key agreement protocol (based very loosely on the NeedhamSchroeder shared key protocol):
After receiving the message from B in step 4, A decrypts the message received and checks that the value matches N_{B}. If it doesn't, B worries that the protocol was compromised and does not trust K. Otherwise, B assumes K is a valid, secret key shared with A.
1. A → B: E_{KUB}(A, N_{A})
2. B → A: E_{KUA}(N_{B}, B, k_{B})
3. A → B: E_{KUB}(A, k_{A})At this point, both A and B can compute K ≡ k_{A} XOR k_{B}.4. B → A: E_{K}(N_{B})
Notation N_{A} — Alice's nonce
N_{B} — Bob's nonce
KU_{A} — Alice's public key
KU_{B} — Bob's public key
k_{A} — partial symmetric key (generated randomly by A)
k_{B} — partial symmetric key (generated randomly by B)
K — K ≡ k_{A} XOR k_{B} (the final shared symmetric key)a. (10) Suppose Sally is an active attacker (with the characteristics of Malice in the DolevYao threat model). Explain clearly how Sally can trick Bob into estalishing a key Bob thinks is shared with Alice, but is actually shared with Sally.
b. (10) Suggest a change to step 4 in the protocol (and no other steps) that prevents the attack in part a. Argue convincingly that the modified protocol is secure against an active attacker.
3. Bad Beats
Alice and Bob are playing an apparently friendly (but highstakes) game of TexasHoldEm poker. In this game, each player is initially dealt two cards face down (called the "hole cards") from a 52card deck (4 suits, 13 ranks in each suit). Then after a round of betting, three community cards are dealt face up (this is called the "flop"). After another round of betting a fourth (the "turn") community card is dealt, followed by another round of betting and a final (the "river") community card. At the end of the hand, each player makes the best possible fivecard hand using their hole cards and the community cards (it is not required that a player use any of their hole cards; for example, both players could make the same best possible hand using the 5 community cards, and then the pot would be split).For purposes of this question, we only consider two kinds of hands:
A full house beats a flush.
 A flush — five cards of the same suit (hearts, diamonds, clubs or spades)
 A full house — 3 cards of one rank and 2 cards of another rank (e.g., KH, KS, KD, 8C, 8D).
a. (5) After both players hole cards are dealt but no other cards, Alice has the Ace of Hearts and 6 of Hearts. What is the probability Alice will make a flush on the flop (the next 3 cards revealed)?
b. (5) What is the probability Alice will make a flush by the end of the hand?
c. (5) Suppose the flop is KH 7C 7H and the turn is 3H. After the turn, Bob goes all in (bets all his chips) and Alice calls. Bob reveals at KD 3S (giving him 2 pair which would lose to Alice's flush). What is the probability Bob wins the hand (by making a full house) on the final card?
d. (10) During the course of many days of uninterrupted poker play, Alice and Bob get into the same situation 10 times where Alice has a flush after 4 cards and Bob has 2 pairs needing to make a full house. How many times should Alice expect her flush to be outdrawn?
4. Entropy
a. (5) (Based on Exercise 7.3 in the text.) Prove the entropy of source S_{P} corresponding to a plaintext message is the same as the entropy of the source S_{C} corresponding to the ciphertext resulting from a simple (monoalphabetic) substitution cipher.b. (10) How much information can be transmitted with perfect secrecy using symbols from the English alphabet (26 letters) with a transposition cipher with block size 8 and a permutation choosen randomly from all possible permutations?
5. TwoTime Pads
Begining in the 1940s, the Soviet Union communicated with KGB agents using a cryptosystem that involved first encoding the message using a codebook, and then encrypting the result using a onetime pad. This should have been perfectly secure, except they made mistakes in constructing the onetime pad key and reused segments of the key. The VENONA project of the Signal Intelligence Service (later the NSA) successfully decoded many of these messages.a. (10) Prove that a twotime pad is not a perfect cipher (that is, it is not informationtheoretically secure). Assume the key K is perfectly random. The key is used to encrypt two messages M1 and M2, giving the attacker C1 = M1 XOR K and C2 = M2 XOR K.
b. (20) Ben Bitdiddle has foolishly used the same onetime pad to encrypt two messages. You have intercepted these two ciphertexts:
Knowing Ben's fondness for obscure quotations, you suspect both the message are quotations in English. It would be safe to assume that the message was encoded using 7bit ASCII (A = 65 = 1000001, Z = 90 = 1011010, a = 97, z = 122, space = 32).
 C1: http://www.cs.virginia.edu/~evans/cs588/ps/ps1/c1.txt
 C2: http://www.cs.virginia.edu/~evans/cs588/ps/ps1/c2.txt.
You may find this program (which we used to create the encodings) helpful: http://www.cs.virginia.edu/cs588/ps/ps1/Pad.java.
What is the message corresponding to C1? (Explain your approach to decrypting the message and include any code you wrote in your answer. Even if you are not able to break the message, you will receive partial credit for describing a reasonable approach.)
6. Padding Cakes
Maury Bond, Secret Agent 000, wants to give the directions to the super ray gun to his colleagues Sly McCraken, Cript O'Hacker and Trey Tor. The message M is nbits long. He suspects one of them may be a double agent, so he divides the message as follows:a. (5) How can Sly, Cript and Trey determine M?
 Sly gets K_1 an nbit random sequence.
 Cript gets K_2 an nbit random sequence.
 Trey gets C = K_1 XOR K_2 XOR M.
b. (10) Is the scheme secure? Argue convincingly that either (1) it is secure  no two people can determine any bit of M with probability greater than 1/2; or (2) is it insecure  two peoople can conspire to determine a bit of M with probability greater than 1/2.
c. (10) Sly, Cript and Trey gather in Borneo to combine their messages and track down the super ray gun. Sly reveals K_1, Cript reveals K_2, and Trey reveals a nbit random sequence. They combine the keys to determine M, but a meaningless bit sequence results. Sly and Cript leave the island befuddled, while Trey uses K_1, K_2 and C (which he kept to himself) to construct M and locate the super ray gun for himself. What could be done to prevent this?
7. Feedback
Your answers to these questions are optional and will not effect your grade in any way, but may help the course staff improve future problem sets.a. How long did you spend on this problem set?
b. Did any problem seem unfairly hard?
c. Did any problem seem like too much tedious work?
University of Virginia Department of Computer Science CS 588: Cryptology  Principles and Applications 
cs588–staff@cs.virginia.edu 