Exercises on cryptography

We can say that for sure c1 is the encryption of alpha and c2 of bravo because the last digits of the two ciphertext are different, they would have been the same with the encryptions of gamma and delta (since both end with an a).

We can find the key as alpha $\oplus$ c1 = bravo $\oplus$ c2 = 1001100000010101101111000111111111100111.

We recall that for every $m \in \lbrace 0, 1 \rbrace^\lambda$ the function EAVESDROP(m) is the uniform distribution on $\lbrace 0, 1 \rbrace^\lambda$. Hence, for all $m, m' \in \lbrace 0, 1 \rbrace^\lambda$ the distributions EAVESDROP(m) and EAVESDROP(m') are identical.

EAVESDROP'(m) returns also the key $k$ which can be used to decrypt the ciphertext in less than polynomial time.

False. The size of the key cannot be used as a direct comparison criterion because RSA is asymmetric, whereas AES is symmetric.

False. The one-time pad is invulnerable because each ciphertext decrypts to every possible plaintext.

False. Generally, a cryptosystem is broken if there is any attack faster than brute force to obtain either the key or the plaintext.

The two libraries are not interchangeable because they return the key k that we can use to decrypt the ciphertext and find which message was decrypted.

This is the definition of a one time pad perfect cipher. If we take a look at the definition of the VERNAM cipher we extract the key randomply (either $G_1$ or $G_2$ is PRG) and then we xor it with the message (either $G_1$ or $G_2$, the one which is not the PRG) to obtain a ciphertext, which will be a PRG.

Lets imagine a string splitted only in $x_1$ and $x_2$. The xor of the chain is between a controllable variable $x_2$ and the output of the hash function on $x_1$: $H^*(x_1,x_2) = H(x_2 \oplus H(x_1))$.

To find a collision $H(x_1)=H(x_2)$ we need to find $x_2$ s.t. $x_2 \oplus H(x_1) = x_1$, then $x_2 = x_1 \oplus H(x_1)$.

This is feasible because $x_1$ is controllable and we can first calculate $H^*(x_1)=H(x_1)$ then $x_2 = x_1 \oplus H(x_1)$ is a collision because $H^*(x_1)=H^*(x_2)$.

For example if $x_1=aaaa$ and $H(x_1)=cccc$, to find a collision we must find $x_2$ s.t. $x_2 \oplus cccc = aaaa$ which means that $x_2 = cccc \oplus aaaa$.

We can iterate this procedure for a sting of arbitrary length.

We can see that $m^* = m_1 \oplus m_2 \oplus ... \oplus m_l$ because it is initialized to all zeros and then xored to all $m_i$.

We can show that two different input can have the same MAC, for example $MAC(k, 0000 0000)$ and $MAC(k, 1111 1111)$ both will have the same MAC $F(k, 0000)$.

This is mecause for $0000 0000$, $m^* = 0000 \oplus 0000 \oplus 0000$ and for $1111 1111$, $m^* = 0000 \oplus 1111 \oplus 1111$.