University of Virginia, Department of Computer Science
CS588: Cryptography, Spring 2005


Out: Tuesday, 3 May 2005
Due: Saturday, 7 May 2005, 3:55pm

Turn in your exam to the folder outside my office, Olsson 236A. I am leaving for a conference on Sunday, 8 May. If I do not have your exam before 3:55pm Saturday, you will not receive a grade in CS588.


Work alone. Do not talk to anyone about this final or content related to this course between receiving this exam and 5:00pm Saturday.

You may use any non-human resources you want. Remember to cite any outside resources you use. You may use the course notes, readings and web. This is not meant to be a research project, you should be able to answer this question well based on what you already know from the class.

There is no time limit. But, it is unlikely to be helpful to spend inordinate amounts of time on this. I recommend reading the question right away and thinking about it, and not spending more than 4 hours on your responses.

Please staple your answers and make sure to mark your final answers clearly (e.g., draw a box around them). You may download this exam from

RSA Key Chains

1. With an RSA key chain, the next value in the hash chain is computed by encrypting the current value using the public key instead of using a cryptographic hash function. That is,
Ki + 1 = Kid mod n

a. (10) Explain how a client who knows K0 and the public key (e and n) can verify a newly received K1 is authentic.

b. (5) Identify one advantage of using an RSA key chain over a standard cryptographic hash chain.

c. (5) Identify one disadvantage of using an RSA key chain over a standard cryptographic hash chain.


There is no clear answer to that question. Younger and aggressive (or American) players tend to favour the Rock crushing Scissors view. More liberal-minded players take the view that scissors are dulled by the Rock. The World RPS Society created a task force in 1987 with a hope of eventually resolving the issue but it has been locked in debate and we no longer hold much hope of quick resolution.
World Rock Paper Scissors Society, Frequently Asked Questions answer to the question,
Does Rock crush Scissors or is Scissors dulled by Rock?

2. (20) Alice and Bob would like to play a high-stakes game of "Rock, Paper, Scissors" over the telephone. Describe a protocol they could use to play a fair game. Your protocol should not require a trusted third party.

To play "Rock, Paper, Scissors", each player selects a symbol from the set { "Rock", "Paper", "Scissors" }. The players simultaneously reveal their symbols. Rules determine the winner given the two symbols selected. For example, if Alice selects "Paper" and Bob selects "Scissors", then Bob wins becase scissors cut paper.

Ticket Tracking

3. (30) Apparently, FIFA decided broadcasting the purchasers name and passport number on their ticket RFID tags was a bad idea, and have decided to instead only transmit a non-identifiable number. Design a system that has these properties:
  1. Each ticket contains a read-only RFID tag that transmits a 128-bit value. This value should convey no information to an unauthorized reader (other than the presence of that ticket).
  2. A ticket taker at a stadium entrance can use an off-line reader to easily determine if a ticket is legitimate (or a copy of a legitimate ticket). The ticket taker's reader may contain a small amount of persistent memory, but does not interact with a network in checking a ticket.
  3. If FIFA learns that a ticket has been sold to a criminal, it can put a special alert on that ticket's RFID code and prevent its holder from entering the stadium. This must be done before people begin entering the stadium. The ticket takers' RFID readers can be physically connected to a network to download new data before each game.
  4. If a ticket taker is corrupt and sells a ticket reading machine to criminal who can extract every bit that is stored on the machine, the criminal should not be able to obtain enough information to forge a ticket.
Your design should be as simple as possible, while providing the necessary properties. Describe your design in a clear way and explain why it has the desired security properties.

Security Analysis

Answer either one of the following two questions. If you answer both questions, I will choose one of your answers to grade at random. You should submit an answer to either 4V or 4W but not both.

4V. (30) Whipple's Wisdom

Imagine you have been appointed by the House of Delegates to the Virginia as a citizen member with computer security expertise to the Joint Subcommittee on Voting Equipment Certification. Write a short essay for the legislators explaining the issues involved in using software-based systems and cryptography in conducting elections. Your essay should help legislators with no background in software, security or cryptography grasp the most important issues they need to consider in certifying a voting machine and process.

4W (30). Germany 1, USA 0

After the 1994 World Cup draw placed the host USA in a very difficult group, the USA coach, Bora Milutinovic, is reputed to have complained that the US organizing committee was so incompetent they couldn't even rig the draw properly. For purposes of this question, assume the DFB (German soccer federation) which is hosting the 2006 World Cup does not suffer from such incompetence.

The draw assigns each qualified team to a group (one of eight, A-H) and position (1-4). For example, in the 2002 draw the USA was assigned D3. The host country is placed into position A1.

The protocol for the draw for the 2006 World Cup finals has not been announced yet, but assume it will follow a protocol similar to this one which was used in 2002:

    Before the draw event:
  1. The name of each finalist (except the host country which is placed in position A1) is printed on a slip of paper which is placed in a white, spherical ball. The ball is made of two hemispheres that connect to each other, and can be separated to insert or remove the paper. The balls are placed into different bowls based on a partitioning determined by FIFA.
  2. The letter name to identify each group (A, B, C, D, E, F, G, H) is printed on a slip of paper and placed in a red, spherical ball. All the red balls are placed in a bowl.
  3. The position number (1, 2, 3, 4) is printed on a slip of paper and placed in a blue, spherical ball. There are eight bowls of the four numbers, one corresponding to each group A-H. (In the bowl for A, only three balls with numbers 2, 3 and 4 are used, since the host country was preassigned to position A1).

    At the draw event:

  4. A well-known celebrity picks a white ball from one of the country bowls and hands it to Sepp Blatter, the President of FIFA.
  5. Blatter unscrews the ball, extracts the slip of paper, reads the country name, and holds it up so everyone can see. After reading the slip, it is placed in a trash bin that is not examined after the draw.
  6. A different well-known celebrity picks a red ball from the group bowl and hand it to Blatter.
  7. Blatter unscrews the ball, extracts the slip of paper, reads the group name, and holds it up so everyone can see.
  8. A different well-known celebrity picks a blue ball from the positions bowl corresponding to the selected group and hand it to Blatter.
  9. Blatter unscrews the ball, extracts the slip of paper, reads the position number, and holds it up so everyone can see.
Note that at the end of the draw, all balls have been opened. It is a check on the protocol that all positions, groups and countries have been seen by the end. The actual slips of paper are destroyed (without examination) after the draw.

You should assume both the DFB who is hosting the draw, and Sepp Blatter, are both highly motivated to rig the results to ensure an easy path to the second round for the host country. Well-known celebrities are used to pick the balls to ensure a low likelihood that a selector can be corrupted. The pre-draw steps are done in secret by the DFB. The draw event itself is witnessed by thousands of people live and in person and approximately a billion people live on TV around the world (it is the world's most watched televised event that is not a soccer game).

Analyze the security of the World Cup draw procedure as described above. Either describe tactics the DFB could use to improve the likelihood that Germany get a favorable draw, or argue that the procedure is secure and there is no reasonable way of effecting the result. If you identify security weaknesses in the draw protocol, suggest modifications that would make it more secure.

For inspiration, you may want to read Bruce Schneier's Hacking the Papal Election analysis of the Papal election procedure.

(Note: this question should in no way be interpreted as questioning the integrity of FIFA or the DFB, especially if they are using RFID tags to track my tickets' whereabouts.)

5. (Optional, no credit) The goal of this course is to teach students to understand how and why cryptography works and how to use it to construct secure systems. The goal of this exam is to measure how well you have done that so I can fairly determine your final grade. If you feel your answers on this exam will not adequately demonstrate what you have learned, or that I should take other things into account in determining your final grade, explain why.

CS 655 University of Virginia
Department of Computer Science
CS 588: Cryptology - Principles and Applications