nadim/appliedcryptography
SHA256
1
Fork 0
Code Wiki Activity

Migrate back to Git LFS

Browse source
This commit is contained in:
Nadim Kobeissi 2025-06-26 12:19:00 +02:00
parent 6b34b62aa2
commit 4b6498ede3
Signed by: nadim
SSH key fingerprint: SHA256:o0JJHYcP8LVBoARMU+JjVbzJxL3HxW2F+C0yu/5zPgc
237 changed files with 36953 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
assignments/problem-sets/Makefile Normal file
View file

@ -0,0 +1,13 @@
all:
@make problem-set-1
@make problem-set-2
@make problem-set-3
problem-set-1:
@export SOURCE_DATE_EPOCH=1700000000 && tectonic -o ../../website/problem-sets "problem-set-1.tex"
problem-set-2:
@export SOURCE_DATE_EPOCH=1700000000 && tectonic -o ../../website/problem-sets "problem-set-2.tex"
problem-set-3:
@export SOURCE_DATE_EPOCH=1700000000 && tectonic -o ../../website/problem-sets "problem-set-3.tex"

28
assignments/problem-sets/NOTES.md Normal file
View file

@ -0,0 +1,28 @@
# Ideas for later problem sets
```latex
\item (5 points) \textbf{TLS Under Attack:}
An advanced persistent threat (APT) group has compromised several Certificate Authorities and can issue valid certificates for any domain.
\begin{enumerate}
\item Analyze exactly how this compromise allows attacks against TLS connections, even when users see the "secure" padlock icon.
\item Design countermeasures that could be deployed by browser vendors to detect and prevent these attacks. Consider both technical and usability constraints.
\item Evaluate certificate pinning as a solution: when does it work, when does it fail, and how should it be deployed?
\item Compare your solutions to Certificate Transparency. What attacks does CT prevent, and what attacks does it miss?
\end{enumerate}
\item (5 points) \textbf{Signal's Double Ratchet Design Challenge:}
You're designing the next version of Signal's messaging protocol and want to improve upon the current Double Ratchet algorithm.
\begin{enumerate}
\item Analyze the trade-off between security and performance in the current design: why does Signal perform a new DH exchange for each message direction rather than just once per conversation?
\item Design an optimization that reduces the number of DH operations while maintaining the same security properties. What compromises would you accept?
\item Consider a group messaging scenario with 100 participants. How would you adapt your design to provide forward secrecy and post-compromise security for group conversations?
\end{enumerate}
\item (5 points) \textbf{Quantum Timeline Decision Making:}
You're the CTO of a company building a secure messaging app expected to launch in 2028 and remain secure until 2040. Intelligence reports suggest large-scale quantum computers might exist by 2035, but with significant uncertainty (could be 2030 or 2045).
\begin{enumerate}
\item Design a migration strategy that balances current performance needs with future quantum threats. What algorithms do you deploy now, and when do you plan upgrades?
\item Analyze the "harvest now, decrypt later" threat: what data in your system needs protection beyond 2035, and how does this influence your cryptographic choices?
\item Evaluate the trade-offs between early adoption of post-quantum cryptography (larger keys, unproven security) versus delayed migration (quantum vulnerability risk).
\end{enumerate}
```

5
assignments/problem-sets/README.md Normal file
View file

@ -0,0 +1,5 @@
# Problem Sets
- Problem Set 1: Covering lectures 1-1, 1-2 and 1-3.
- Problem Set 2: Covering lectures 1-4, 1-5 and 1-6.
- Problem Set 2: Covering lectures 1-7 and 1-8.

342
assignments/problem-sets/problem-set-1.tex Normal file
View file

@ -0,0 +1,342 @@
\documentclass[10pt,a4paper,american]{article}
\newcommand{\aublogopath}{../../website/res/img/aub_black.png}
\usepackage{../../misc/macros/joc}
\usepackage{../../misc/fonts/fonts}
\usepackage{../../misc/macros/classhandout}
\begin{document}
\classhandoutheader
\section*{Problem Set 1: Provable Security Foundations}
\begin{tcolorbox}[colframe=OliveGreen!30!white,colback=OliveGreen!5!white]
\textbf{Instructions:} This problem set covers the foundations of provable security from parts 1.1\footnote{\url{https://appliedcryptography.page/slides/1-1.pdf}}, 1.2\footnote{\url{https://appliedcryptography.page/slides/1-2.pdf}} and 1.3\footnote{\url{https://appliedcryptography.page/slides/1-3.pdf}} of the course. Submit your solutions as a neatly formatted PDF. You are encouraged to collaborate with classmates in studying the material, but your submitted solutions must be your own work. For proofs, clearly state your assumptions, steps, and conclusions.
\end{tcolorbox}
\section{Cryptographic Foundations (20 points)}
\subsection{Basic Concepts (10 points)}
\begin{enumerate}
\item (3 points) Define the three primary security goals of cryptography in your own words and provide a real-world example for each that wasn't explicitly mentioned in the lectures.
\item (3 points) Explain Kerckhoff's principle and why it remains fundamental to modern cryptography. Provide an example of a security system that violates this principle and describe the potential consequences.
\item (4 points) Compare and contrast symmetric and asymmetric cryptography:
\begin{enumerate}
\item Explain the fundamental difference in their key management approach.
\item For each type, identify which mathematical or computational assumptions their security typically relies on.
\item Describe a scenario where one would be clearly preferable to the other.
\end{enumerate}
\end{enumerate}
\subsection{Perfect Secrecy (10 points)}
\begin{enumerate}
\item (3 points) Consider a modified one-time pad where we use the bitwise AND ($\land$) operation instead of XOR ($\oplus$):
$\textsf{Enc}(K, M) = K \land M$ and $\textsf{Dec}(K, C) = ?$
\begin{enumerate}
\item Is this scheme correct? If yes, specify the decryption function. If not, explain why.
\item Does this scheme provide perfect secrecy? Justify your answer.
\end{enumerate}
\item (4 points) Consider the following variant of a one-time pad operating on decimal digits (0-9):
$\textsf{Enc}(K, M) = (K + M) \bmod 10$ and $\textsf{Dec}(K, C) = (C - K) \bmod 10$
where $K, M, C \in \{0, 1, 2, \ldots, 9\}$.
\begin{enumerate}
\item Prove that this scheme is correct.
\item Prove that this scheme provides perfect secrecy, assuming $K$ is chosen uniformly at random.
\end{enumerate}
\item (3 points) Consider a one-time pad where the key length is half the message length:
$\textsf{Enc}(K, M) = (K \oplus M_1, K \oplus M_2)$ where $M = (M_1, M_2)$ and $|M_1| = |M_2| = |K|$.
Provide a specific attack that breaks the confidentiality of this scheme, showing clearly the information an attacker can extract from the ciphertext.
\end{enumerate}
\section{Provable Security (20 points)}
\subsection{Libraries and Interchangeability (10 points)}
\begin{enumerate}
\item (5 points) Consider the following libraries:
\begin{center}
\sslinked{
\sslibrary{}{1}{
\sslibrarysubroutine{init}{}{
$K \twoheadleftarrow \bits^n$
}{1}\\[1em]
\sslibrarysubroutine{query}{M}{
return $K \oplus M$
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{2}{
\sslibrarysubroutine{init}{}{
$R_1 \twoheadleftarrow \bits^n$ \\
$R_2 \twoheadleftarrow \bits^n$
}{1}\\[1em]
\sslibrarysubroutine{query}{M}{
if $M = R_1$ return $R_2$ \\
else return $M \oplus R_1 \oplus R_2$
}{1}
}{1}
}
\end{center}
Are these libraries interchangeable? Either prove they are interchangeable or provide a distinguisher program that can tell them apart with non-negligible probability.
\item (5 points) For each of the following pairs of libraries, state whether they are interchangeable and briefly justify your answer:
\begin{enumerate}
\item
\begin{center}
\sslinked{
\sslibrary{}{A}{
\sslibrarysubroutine{f}{x}{
$y \twoheadleftarrow \bits^n$ \\
return $y$
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{B}{
\sslibrarysubroutine{f}{x}{
$y \twoheadleftarrow \bits^n$ \\
$z \twoheadleftarrow \bits^n$ \\
return $y$
}{1}
}{1}
}
\end{center}
\item
\begin{center}
\sslinked{
\sslibrary{}{C}{
$K \twoheadleftarrow \bits^n$\\[1em]
\sslibrarysubroutine{enc}{M}{
$C \coloneq K \oplus M$ \\
return $C$
}{1}\\[1em]
\sslibrarysubroutine{dec}{C}{
$M \coloneq K \oplus C$ \\
return $M$
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{D}{
\sslibrarysubroutine{enc}{M}{
$C \twoheadleftarrow \bits^n$ \\
return $C$
}{1}\\[1em]
\sslibrarysubroutine{dec}{C}{
$M \twoheadleftarrow \bits^n$ \\
return $M$
}{1}
}{1}
}
\end{center}
\end{enumerate}
\end{enumerate}
\subsection{Security Proofs (10 points)}
\begin{enumerate}
\item (5 points) Let $\Sigma = (\textsf{KeyGen}, \textsf{Enc}, \textsf{Dec})$ be a secure encryption scheme for messages in $\bits^n$. Consider the following modified scheme $\Sigma' = (\textsf{KeyGen}', \textsf{Enc}', \textsf{Dec}')$:
\begin{align*}
\textsf{KeyGen}'() & = K \twoheadleftarrow \textsf{KeyGen}() \\
\textsf{Enc}'(K, M) & = (C_1, C_2) \text{ where } C_1 \twoheadleftarrow \textsf{Enc}(K, M) \text{ and } C_2 \twoheadleftarrow \textsf{Enc}(K, M \oplus 1^n) \\
\textsf{Dec}'(K, (C_1, C_2)) & = \textsf{Dec}(K, C_1)
\end{align*}
Determine whether $\Sigma'$ is a secure encryption scheme. If it is secure, provide a formal proof. If it is not secure, describe a concrete attack that breaks its confidentiality and explain why the attack works.
\item (5 points) Consider the following game between a challenger and an adversary $\mathcal{A}$:
\begin{enumerate}
\item The adversary selects two messages $M_0$ and $M_1$ of the same length.
\item The challenger selects a uniform random bit $b \twoheadleftarrow \bits$ and a uniform random key $K \twoheadleftarrow \bits^n$.
\item The challenger computes $C = K \oplus M_b$ and gives $C$ to the adversary.
\item The adversary outputs a bit $b'$ as its guess for $b$.
\end{enumerate}
Prove that for any adversary $\mathcal{A}$, the probability that $b' = b$ is exactly $1/2$. Explain what this result tells us about the security of the one-time pad.
\end{enumerate}
\section{Computational Cryptography (30 points)}
\subsection{Computational Security Concepts (15 points)}
\begin{enumerate}
\item (5 points) Explain why computational security is important in practice despite the existence of information-theoretic security. Discuss the limitations of both approaches.
\item (4 points) Consider a brute-force attack on AES-128:
\begin{enumerate}
\item Using the monetary cost table provided in the lecture, estimate how much it would cost to try all possible keys.
\item Discuss whether the computational approach to security makes sense in light of this cost.
\end{enumerate}
\item (3 points) Define a negligible function formally. Then determine which of the following functions are negligible (where $\lambda$ is the security parameter):
\begin{enumerate}
\item $f_1(\lambda) = 2^{-\lambda}$
\item $f_2(\lambda) = \lambda^{-\log \lambda}$
\item $f_3(\lambda) = 2^{-\sqrt{\lambda}}$
\item $f_4(\lambda) = \frac{1}{\lambda \cdot 2^{\lambda/2}}$
\end{enumerate}
\item (3 points) The ``birthday paradox'' is crucial for understanding many cryptographic attacks. If a hash function produces outputs of length $n$ bits:
\begin{enumerate}
\item Approximately how many random inputs would you need to hash before finding a collision with 50\% probability?
\item How many bits of output would a hash function need to be reasonably secure against birthday attacks for the next decade?
\end{enumerate}
\end{enumerate}
\subsection{Distinguishability and Bad Events (15 points)}
\begin{enumerate}
\item (6 points) Consider the following two libraries that implement a 256-bit hash function:
\begin{center}
\sslinked{
\sslibrary{}{real}{
\sslibrarysubroutine{hash}{X}{
return SHA-256(x)
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{rand}{
$L \coloneq$ [\ ]\\[1em]
\sslibrarysubroutine{hash}{X}{
if $L[X]$ undefined:\\
\quad $L[X] \twoheadleftarrow \bits^{256}$\\
return $L[X]$
}{1}
}{1}
}
\end{center}
\begin{enumerate}
\item Describe the ``bad event'' that would allow these libraries to be distinguished.
\item If an adversary is limited to $q$ queries, what is the probability of triggering this bad event?
\item Using the ``bad event'' proof technique, show that these libraries are computationally indistinguishable when $q$ is polynomial in the security parameter.
\end{enumerate}
\item (4 points) Consider the following two libraries:
\begin{center}
\sslinked{
\sslibrary{}{1}{
\sslibrarysubroutine{sample}{}{
$X \twoheadleftarrow \bits^n$ \\
$Y \coloneq X \oplus 1^n$ \\
return $(X, Y)$
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{2}{
\sslibrarysubroutine{sample}{}{
$Y \twoheadleftarrow \bits^n$ \\
$X \coloneq Y \oplus 1^n$ \\
return $(X, Y)$
}{1}
}{1}
}
\end{center}
Use the hybrid proof technique to show these libraries are interchangeable. Clearly describe each intermediate hybrid library.
\item (5 points) Consider a PRF $F: \bits^n \times \bits^n \rightarrow \bits^n$ and the following two libraries:
\begin{center}
\sslinked{
\sslibrary{}{{\text{PRF}}}{
$K \twoheadleftarrow \bits^n$\\[1em]
\sslibrarysubroutine{query}{x}{
return $F(K, X)$
}{1}
}{1}
}{\approxeq}{
\sslibrary{}{rand}{
$L \coloneq$ [\ ]\\[1em]
\sslibrarysubroutine{query}{x}{
if $L[X]$ undefined:\\
\quad $L[X] \twoheadleftarrow \bits^n$\\
return $L[X]$
}{1}
}{1}
}
\end{center}
Suppose we have a program $\mathcal{A}$ that can distinguish between these libraries with advantage $\varepsilon$. Construct a program $\mathcal{B}$ that uses $\mathcal{A}$ as a subroutine to distinguish a PRF from a truly random function with the same advantage $\varepsilon$.
\end{enumerate}
\section{Application of Cryptographic Principles (30 points)}
\begin{enumerate}
\item (10 points) \textbf{Block Cipher Mode Analysis}
The lecture demonstrated how ECB mode reveals patterns in the plaintext. For each of the following block cipher modes, explain:
\begin{enumerate}
\item How the encryption and decryption work.
\item What would happen if the same key and IV (when applicable) were reused for multiple messages.
\item A specific real-world situation where this mode would be most appropriate.
\end{enumerate}
Modes to analyze:
\begin{enumerate}
\item Cipher Block Chaining (CBC)
\item Counter Mode (CTR)
\end{enumerate}
\item (10 points) \textbf{One-Time Pad in the Real World}
A startup claims to have developed a ``quantum-resistant ultra-secure messaging system'' based on the one-time pad. They provide the following details:
\begin{itemize}
\item The system uses a hardware random number generator to produce one-time pads.
\item Each user receives a 1TB USB drive containing pre-generated pad data during account registration.
\item When sending a message, the app encrypts it with a portion of the pad, marks that portion as used, and sends the ciphertext.
\item When the user has used 80\% of their pad, the app automatically requests a new USB drive.
\end{itemize}
Provide a detailed critique of this system:
\begin{enumerate}
\item Identify at least three practical problems with this implementation.
\item Explain how each problem compromises security or usability.
\item Suggest improvements to address each issue while maintaining the theoretical security of OTP.
\end{enumerate}
\item (10 points) \textbf{Symmetric Encryption Protocol Analysis}
A software company is implementing a secure communication protocol for their instant messaging application. They propose the following scheme:
\begin{itemize}
\item Each user generates a random 128-bit key $K$ during account creation.
\item To send a message $M$, the sender computes $C = K \oplus M$ and transmits $C$.
\item When two users want to communicate, they first exchange their keys through a ``top secret channel'' established by the company's server.
\item The company claims their protocol is ``as secure as one-time pad'' because they use the XOR operation.
\end{itemize}
Address the following aspects of this system:
\begin{enumerate}
\item Using the provable security framework discussed in class, analyze whether this scheme provides the confidentiality properties claimed by the company.
\item Identify at least three major security vulnerabilities in the described approach.
\item The company is considering having users generate new keys daily instead of just once. Explain whether this modification would address the vulnerabilities you identified.
\item Propose a modified protocol that would significantly improve security while still using only symmetric cryptography concepts covered in class so far. Justify your choices using the security principles we've discussed.
\end{enumerate}
\end{enumerate}
\begin{tcolorbox}[colframe=EarthBrown!30!white,colback=EarthBrown!5!white]
\textbf{Bonus Challenge (20 extra points):} The discrete logarithm problem is fundamental to many cryptographic systems. Consider a cyclic group $G$ of prime order $p$ with generator $g$. The discrete logarithm problem is: given $h \in G$, find $x$ such that $g^x = h$.
Imagine a scenario where the discrete logarithm problem could be solved efficiently. Select one modern cryptographic protocol that relies on the hardness of this problem, and analyze:
\begin{enumerate}
\item The specific impact on the protocol's security.
\item How the protocol would need to be modified to remain secure.
\item Whether any alternative mathematical problems could serve as suitable replacements.
\end{enumerate}
Your answer should demonstrate deep understanding of both the protocol and the underlying mathematical principles.
\end{tcolorbox}
\end{document}

259
assignments/problem-sets/problem-set-2.tex Normal file
View file

@ -0,0 +1,259 @@
\documentclass[10pt,a4paper,american]{article}
\newcommand{\aublogopath}{../../website/res/img/aub_black.png}
\usepackage{../../misc/macros/joc}
\usepackage{../../misc/fonts/fonts}
\usepackage{../../misc/macros/classhandout}
\begin{document}
\classhandoutheader
\section*{Problem Set 2: Symmetric Cryptography}
\begin{tcolorbox}[colframe=OliveGreen!30!white,colback=OliveGreen!5!white]
\textbf{Instructions:} This problem set covers topics in provable security from parts 1.4\footnote{\url{https://appliedcryptography.page/slides/1-4.pdf}}, 1.5\footnote{\url{https://appliedcryptography.page/slides/1-5.pdf}} and 1.6\footnote{\url{https://appliedcryptography.page/slides/1-6.pdf}} of the course. Submit your solutions as a neatly formatted PDF. You are encouraged to collaborate with classmates in studying the material, but your submitted solutions must be your own work. For proofs, clearly state your assumptions, steps, and conclusions.
\end{tcolorbox}
\section{Pseudorandomness (20 points)}
\subsection{Pseudorandom Generators (10 points)}
\begin{enumerate}
\item (3 points) Explain the limitations of the one-time pad for practical encryption and why pseudorandom generators (PRGs) are needed in modern cryptographic systems.
\item (3 points) Analyze the security implications of the following PRG construction, where $G$ is a secure PRG:
\begin{align*}
H(S) = A \| B \| C \| D \text{ where } A \| B = G(S) \text{ and } C \| D = G(B)
\end{align*}
Determine whether $H$ is a secure PRG. If not, provide a distinguisher that can tell apart $H(S)$ from a truly random string with non-negligible advantage.
\item (4 points) Consider the stream cipher RC4:
\begin{enumerate}
\item Describe the key components of RC4's design and how it generates a pseudorandom keystream.
\item Explain two significant weaknesses that led to RC4 being considered cryptographically broken today.
\item What modern alternatives would you recommend as replacements for RC4, and why?
\end{enumerate}
\end{enumerate}
\subsection{Pseudorandom Functions and Permutations (10 points)}
\begin{enumerate}
\item (3 points) Consider the following PRF construction: $F(K, X) = G(K) \oplus X$, where $G$ is a secure PRG.
\begin{enumerate}
\item Is $F$ a secure PRF? If not, describe a distinguisher that can effectively tell $F$ apart from a random function.
\item Explain how this example illustrates the ``Golden Rule of PRFs.''
\end{enumerate}
\item (4 points) For Feistel ciphers:
\begin{enumerate}
\item Explain why a 2-round Feistel cipher cannot be a secure pseudorandom permutation (PRP).
\item Prove that Feistel ciphers are always permutations, regardless of the security of their round functions.
\end{enumerate}
\item (3 points) Compare and contrast PRFs and PRPs:
\begin{enumerate}
\item Explain the key differences in their definitions and properties.
\item Describe how PRPs can be ``downgraded'' to PRFs, but not necessarily vice versa.
\item Explain why collisions are inevitable for PRFs but not for PRPs.
\end{enumerate}
\end{enumerate}
\section{Chosen-Plaintext and Chosen-Ciphertext Attacks (20 points)}
\subsection{CPA Security (10 points)}
\begin{enumerate}
\item (5 points) Consider the CPA security definition:
\begin{center}
\sslinked{
\sslibrary{\Sigma}{cpa-real}{
$K \twoheadleftarrow \Sigma.\mathcal{K}$\\[1em]
\sslibrarysubroutine{cpa.enc}{M}{
$C \coloneq \Sigma.\texttt{Enc}(K, M)$\\
return $C$
}{1}
}{0.8}
}{\approxeq}{
\sslibrary{\Sigma}{cpa-rand}{
\sslibrarysubroutine{cpa.enc}{M}{
$C \twoheadleftarrow \Sigma.\mathcal{C}(|M|)$\\
return $C$
}{1}
}{0.8}
}
\end{center}
\begin{enumerate}
\item Explain why deterministic encryption schemes always fail CPA security.
\item Construct a simple distinguisher program that can break the CPA security of any deterministic encryption scheme.
\item Analyze what practical security vulnerabilities exist in systems that use non-CPA-secure encryption.
\end{enumerate}
\item (5 points) For each of the following encryption schemes, determine whether it achieves CPA security. If not, provide a specific attack:
\begin{enumerate}
\item $\textsf{Enc}(K, M) = (R, F(K, R) \oplus M)$ where $R \twoheadleftarrow \{0,1\}^{\lambda}$ and $F$ is a secure PRF.
\item $\textsf{Enc}(K, M) = (R, F(K, M) \oplus R)$ where $R \twoheadleftarrow \{0,1\}^{\lambda}$ and $F$ is a secure PRF.
\item AES in Electronic Codebook (ECB) mode.
\item AES in Counter (CTR) mode with a randomly chosen IV.
\end{enumerate}
\end{enumerate}
\subsection{CCA Security and Authenticated Encryption (10 points)}
\begin{enumerate}
\item (3 points) Format oracle attacks:
\begin{enumerate}
\item Explain how the null-oracle attack works against CTR mode encryption and why it's devastating despite CTR mode being CPA-secure.
\item Describe a real-world scenario where a format oracle might be inadvertently exposed in a cryptographic system.
\item Calculate the approximate number of oracle queries needed to recover a 1 KB file using the null-oracle attack, and explain why this is practical for an attacker.
\end{enumerate}
\item (4 points) For the following encryption scheme constructions, determine whether each provides CCA security and/or authenticated encryption (AE). Justify your answers with brief explanations:
\begin{enumerate}
\item Encrypt-then-MAC: $C = \textsf{Enc}(K_e, M)$, $T = \textsf{MAC}(K_m, C)$, output $(C, T)$
\item Encrypt-and-MAC: $C = \textsf{Enc}(K_e, M)$, $T = \textsf{MAC}(K_m, M)$, output $(C, T)$
\item MAC-then-encrypt: $T = \textsf{MAC}(K_m, M)$, $C = \textsf{Enc}(K_e, M\|T)$, output $C$
\item Explain a scenario where replay attacks could succeed even against a system using authenticated encryption, and how associated data (AD) addresses this vulnerability.
\end{enumerate}
\item (3 points) AES-GCM (Galois/Counter Mode):
\begin{enumerate}
\item Explain how AES-GCM combines CTR mode encryption with Galois field multiplication for authentication. What security advantages does this provide over using separate encryption and MAC algorithms?
\item Describe the critical security implications of nonce reuse in AES-GCM. What specific vulnerabilities arise when the same nonce is used for multiple messages?
\item AES-GCM is sometimes implemented with different tag lengths. Analyze the security tradeoffs when using 128-bit tags versus 64-bit or 32-bit tags.
\item Aside from nonce reuse, what is an unexpected vulnerability in AES-GCM that developers and engineers might not be aware of, but that might significantly impact the security of their software?
\end{enumerate}
\end{enumerate}
\section{Collision-Resistant Hash Functions (30 points)}
\subsection{Hash Function Properties (15 points)}
\begin{enumerate}
\item (5 points) Collision resistance:
\begin{enumerate}
\item Explain why collisions must exist in any hash function that maps arbitrary-length inputs to fixed-length outputs.
\item Using the birthday paradox, calculate approximately how many hashes must be computed to find a collision with 50\% probability in a 256-bit secure hash function.
\item Describe a practical attack scenario where finding hash collisions would compromise a security system.
\end{enumerate}
\item (5 points) Hash function construction:
\begin{enumerate}
\item Compare and contrast the Merkle-Damgård construction (used in SHA-2) and the Sponge construction (used in SHA-3).
\item Explain how length extension attacks work against Merkle-Damgård hash functions and why the Sponge construction is resistant to these attacks.
\item Describe the HMAC construction and explain how it protects against length extension attacks.
\end{enumerate}
\item (5 points) Hash function evolution:
\begin{enumerate}
\item Describe the successful attacks against MD5 and SHA-1 that led to their deprecation.
\item Explain the concept of chosen-prefix collisions and why they are particularly dangerous for certificate authorities.
\item Compare the security of SHA-2 and SHA-3 against known cryptanalytic techniques.
\end{enumerate}
\end{enumerate}
\subsection{Password Hashing (15 points)}
\begin{enumerate}
\item (5 points) For each of the following password storage approaches, analyze the security implications if a server database is compromised:
\begin{enumerate}
\item Storing passwords in plaintext.
\item Encrypting passwords with a key stored on the same server.
\item Storing unsalted SHA-256 hashes of passwords.
\item Storing salted SHA-256 hashes of passwords.
\item Using a specialized password hashing function like Scrypt.
\end{enumerate}
\item (5 points) Salting:
\begin{enumerate}
\item Explain how salt protects against precomputation attacks like rainbow tables.
\item Calculate the storage requirements for properly salted password hashes, assuming 10,000 users, 16-byte salts, and 32-byte hash outputs.
\item Describe best practices for generating and storing salts.
\end{enumerate}
\item (5 points) Specialized password hashing functions:
\begin{enumerate}
\item Explain why memory-hard functions like Scrypt provide better protection against specialized hardware attacks compared to PBKDF2.
\item Describe how each of Scrypt's parameters (N, r, p) affect its security and performance.
\item Compare the relative speeds of SHA-256, PBKDF2, and Scrypt for password hashing, and explain the security implications of these speed differences.
\end{enumerate}
\end{enumerate}
\section{Applied Cryptography Case Studies (30 points)}
\begin{enumerate}
\item (10 points) \textbf{Block Cipher Modes Analysis}
With reference to the block cipher modes covered in lectures 1-4, 1-5, and 1-6, analyze the following scenarios:
\begin{enumerate}
\item A secure file storage application needs to encrypt user files at rest. Compare CBC, CTR, and AES-GCM modes for this application, discussing:
\begin{itemize}
\item Performance implications for large files.
\item Error propagation if parts of the ciphertext are corrupted.
\item The security implications of IV/nonce reuse.
\item Data integrity guarantees and the advantages of authenticated encryption with AES-GCM.
\end{itemize}
\item A real-time messaging application needs to encrypt short messages with minimal latency. Compare CBC, CTR, and AES-GCM modes for this application, discussing:
\begin{itemize}
\item Parallelizability for encryption/decryption.
\item Suitability for streaming data.
\item Protection against chosen-ciphertext attacks.
\item How AES-GCM addresses authentication needs compared to unauthenticated modes.
\end{itemize}
\item For AES-GCM specifically:
\begin{itemize}
\item Explain the security impact of nonce reuse in AES-GCM compared to nonce reuse in CTR mode.
\item Discuss the performance tradeoffs of AES-GCM compared to using separate encryption (CTR mode) and authentication (HMAC).
\item Explain how AES-GCM's authenticated encryption properties protect against attacks that would succeed against CBC or CTR modes.
\end{itemize}
\end{enumerate}
\item (10 points) \textbf{Hash Function Security Analysis}
A software update system uses hash functions to verify the integrity of downloads. The system works as follows:
\begin{itemize}
\item The software vendor posts SHA-1 hashes of legitimate update files on their HTTPS website.
\item Users download the update file over HTTP (not HTTPS) for bandwidth efficiency.
\item The update client verifies the downloaded file by computing its SHA-1 hash and comparing it to the hash obtained from the HTTPS website.
\item If the hashes match, the update is installed automatically.
\end{itemize}
Analyze this system:
\begin{enumerate}
\item Identify at least three security vulnerabilities in this design.
\item For each vulnerability, describe a specific attack scenario.
\item Propose improvements to address each vulnerability while maintaining performance and usability.
\item Design a more secure alternative system using modern cryptographic primitives discussed in class.
\end{enumerate}
\item (10 points) \textbf{Password Management System Design}
You are designing a password management system for a new web application with the following requirements:
\begin{itemize}
\item Users must be able to securely recover their account if they forget their password.
\item The system must be resistant to offline dictionary attacks if the database is compromised.
\item The system must support high-performance authentication for a large user base.
\item The system should detect and prevent credential stuffing attacks.
\end{itemize}
Design and analyze a complete solution:
\begin{enumerate}
\item Specify which cryptographic primitives you would use for password storage and why.
\item Describe your password recovery mechanism and analyze its security properties.
\item Explain how your system balances security and performance requirements.
\item Analyze potential vulnerabilities in your design and how they are mitigated.
\end{enumerate}
\end{enumerate}
\begin{tcolorbox}[colframe=EarthBrown!30!white,colback=EarthBrown!5!white]
\textbf{Bonus Challenge (20 extra points):} The security of AES and other block ciphers depends on their resistance to various forms of cryptanalysis. Research and analyze one of the following advanced attacks:
\begin{enumerate}
\item \textbf{Side-channel attacks}: Explain how timing attacks, power analysis, or cache attacks can leak information about encryption keys in practical implementations of AES.
\item \textbf{Related-key attacks}: Describe how related-key attacks work against block ciphers and why they are significant even when normal usage involves only unrelated keys.
\item \textbf{Quantum attacks}: Analyze the impact of Grover's algorithm on the security of AES with different key sizes (128, 192, 256 bits) and discuss appropriate post-quantum key length recommendations.
\end{enumerate}
Your answer should include: a description of the attack, its practical feasibility, relevant examples of successful implementations against real systems, and appropriate countermeasures.
\end{tcolorbox}
\end{document}

225
assignments/problem-sets/problem-set-3.tex Normal file
View file

@ -0,0 +1,225 @@
\documentclass[10pt,a4paper,american]{article}
\newcommand{\aublogopath}{../../website/res/img/aub_black.png}
\usepackage{../../misc/macros/joc}
\usepackage{../../misc/fonts/fonts}
\usepackage{../../misc/macros/classhandout}
\begin{document}
\classhandoutheader
\section*{Problem Set 3: Asymmetric Cryptography}
\begin{tcolorbox}[colframe=OliveGreen!30!white,colback=OliveGreen!5!white]
\textbf{Instructions:} This problem set covers topics in provable security from parts 1.7\footnote{\url{https://appliedcryptography.page/slides/1-7.pdf}} and 1.8\footnote{\url{https://appliedcryptography.page/slides/1-8.pdf}} of the course. Submit your solutions as a neatly formatted PDF. You are encouraged to collaborate with classmates in studying the material, but your submitted solutions must be your own work. For proofs, clearly state your assumptions, steps, and conclusions.
\end{tcolorbox}
\section{Cryptographic Hardness and Real-World Implications (20 points)}
\subsection{Breaking Cryptography: Attack Scenarios (10 points)}
\begin{enumerate}
\item (5 points) \textbf{The Cryptographic Apocalypse Scenario:}
Imagine you wake up tomorrow to headlines: \textit{``Breakthrough Algorithm Solves P vs NP - Computer Scientists Prove P = NP!''}
\begin{enumerate}
\item As the Chief Security Officer of a major bank, write a crisis response memo outlining which systems fail immediately, which have grace periods, and what emergency measures you would implement.
\item Design an alternative security model for online banking that could work in a post-P=NP world. What assumptions would you rely on instead?
\item Analyze why NP-complete problems, despite being \textit{``hard,''} wouldn't save us in this scenario. What's the fundamental difference between NP-complete hardness and cryptographic hardness?
\end{enumerate}
\item (5 points) \textbf{The Weak DH Parameters Problem:}
A security researcher discovers that a popular cryptographic library has been generating Diffie-Hellman parameters where the prime $p$ satisfies $p-1$ having many small factors, making 75\% of generated groups vulnerable to Pohlig-Hellman attacks that reduce the discrete log problem to much smaller subgroups.
\begin{enumerate}
\item Evaluate whether this discovery completely breaks Diffie-Hellman or only partially weakens it. Consider both the mathematical impact and practical deployment consequences.
\item Design a strategy for systems using this library: should they immediately regenerate all parameters, implement parameter validation, or pursue a different approach?
\item Compare this scenario to a hypothetical breakthrough that reduces the discrete logarithm problem in prime-order groups by a factor of $2^{20}$ but still leaves it exponential. Which vulnerability would be more urgent to address and why?
\end{enumerate}
\end{enumerate}
\subsection{Discrete Logarithm Security Architecture (10 points)}
\begin{enumerate}
\item (5 points) \textbf{The Weak Parameter Disaster:}
Your security audit discovers that a legacy system has been using $p = 2047$ (which factors as $23 \times 89$) for Diffie-Hellman key exchange, and the generator $g = 2$.
\begin{enumerate}
\item Analyze exactly why this parameter choice is catastrophically weak. Estimate how long it would take an attacker with a modern laptop to break this system.
\item Design an emergency response plan: how do you migrate users to secure parameters while maintaining service availability?
\item Compare the security implications if the system had instead used a proper 2048-bit prime but with a generator that only generates a small subgroup.
\end{enumerate}
\item (5 points) \textbf{Elliptic Curve vs. Finite Field Trade-off Analysis:}
You're designing a cryptographic protocol for IoT devices with severe computational and bandwidth constraints.
\begin{enumerate}
\item Compare elliptic curve and finite field DLP for your use case: which offers better security per bit of key size, and which offers better computational performance?
\item Analyze why index calculus attacks work against finite fields but not elliptic curves. How does this fundamental difference affect your security margins?
\item Design a hybrid approach that uses both elliptic curves and finite fields strategically. When might this provide benefits over using just one?
\end{enumerate}
\end{enumerate}
\section{Diffie-Hellman in Hostile Environments (20 points)}
\subsection{Attack and Defense Scenarios (10 points)}
\begin{enumerate}
\item (5 points) \textbf{The Perfect Man-in-the-Middle:}
An attacker has complete control over the network between Alice and Bob, can modify any message, and can initiate connections that appear to come from either party.
\begin{enumerate}
\item Design the most effective man-in-the-middle attack against unauthenticated Diffie-Hellman. Your attack should be undetectable to Alice and Bob during the key exchange.
\item Alice and Bob have never met but each has the other's public key fingerprint written on a piece of paper. Design an authentication protocol that defeats your attack using only these fingerprints.
\item Compare your fingerprint-based solution to certificate authorities and web-of-trust models. What are the usability and security trade-offs?
\item The attacker now has quantum capabilities. How does this change your attack and defense strategies?
\end{enumerate}
\item (5 points) \textbf{The Paranoid Whistleblower Scenario:}
A whistleblower needs to securely communicate with a journalist. They assume the government monitors all internet traffic, has compromised most Certificate Authorities, and can perform man-in-the-middle attacks on any connection.
\begin{enumerate}
\item Design a key exchange protocol for this scenario using only methods available to ordinary civilians (no specialized hardware or pre-shared secrets).
\item Analyze what happens if the government can also compromise one of their devices after the key exchange. How can you provide forward secrecy?
\item Compare your solution to existing tools like Tor, Signal, and SecureDrop. What additional protection does your design provide?
\end{enumerate}
\end{enumerate}
\subsection{Protocol Design Challenge (10 points)}
\begin{enumerate}
\item (10 points) \textbf{SSH Trust-on-First-Use Analysis:}
Your organization wants to deploy SSH across 10,000 servers, but the current TOFU model creates security and usability problems at scale.
\begin{enumerate}
\item Analyze specific attack scenarios where the TOFU model fails in practice. When are users most vulnerable?
\item Design an improved authentication model that maintains SSH's simplicity while providing better security guarantees than pure TOFU.
\item Compare your solution to proposals like DNS-based SSH public key distribution (SSHFP records) and OAuth-based SSH certificates. What are the deployment challenges for each approach?
\end{enumerate}
\end{enumerate}
\clearpage
\section{Elliptic Curve Security Engineering (30 points)}
\subsection{Curve Selection Under Pressure (15 points)}
\begin{enumerate}
\item (5 points) \textbf{The Government Backdoor Controversy:}
You're the security architect for a new messaging app. Cryptographers are debating whether NIST P-256 contains a government backdoor, while Curve25519 offers better security properties but less widespread hardware support.
\begin{enumerate}
\item Analyze the specific concerns about NIST curves: what would a backdoor look like, and how could it be exploited without breaking the underlying mathematical problems?
\item Design a risk assessment framework for choosing between P-256 and Curve25519. What factors should influence your decision?
\item Your legal team reports that several countries require NIST-compliant cryptography for government sales. How does this constraint affect your technical decision?
\item Propose a solution that addresses both the backdoor concerns and the compliance requirements. What compromises would you make?
\end{enumerate}
\item (5 points) \textbf{The Invalid Curve Attack Scenario:}
A security researcher discovers that your ECDH implementation doesn't validate input points, making it vulnerable to invalid curve attacks.
\begin{enumerate}
\item Design a specific attack exploiting this vulnerability. What information can an attacker extract, and how long would the attack take?
\item Analyze why this attack works: what mathematical properties of elliptic curves does it exploit?
\item Develop a comprehensive input validation strategy that prevents this attack class. What performance impact does your solution have?
\item Compare this vulnerability to other implementation mistakes like reusing nonces in ECDSA. Which class of error is more dangerous in practice?
\end{enumerate}
\item (5 points) \textbf{Mobile Performance Optimization Challenge:}
Your mobile app needs to perform thousands of ECDH operations per minute on low-end smartphones, but battery life and performance are critical concerns.
\begin{enumerate}
\item Compare the performance characteristics of different elliptic curves for your use case. Consider both computational cost and memory usage.
\item Design an optimization strategy that balances security and performance. Would you use precomputed tables, special curve forms, or other techniques?
\item Analyze the security implications of your optimizations: what new attack surfaces do they create?
\item Evaluate whether quantum resistance should influence your current design decisions, given the mobile hardware lifecycle.
\end{enumerate}
\end{enumerate}
\subsection{Implementation Vulnerability Analysis (15 points)}
\begin{enumerate}
\item (5 points) \textbf{The PlayStation 3 Forensics Challenge:}
You're a digital forensics expert investigating cryptocurrency theft. You discover that the thief's wallet software reused nonces in ECDSA signatures, similar to the PlayStation 3 vulnerability.
\begin{enumerate}
\item Design a forensic analysis procedure to recover the private key from blockchain transaction signatures. What information do you need, and how would you process it?
\item Estimate how many transactions with reused nonces you would need to guarantee key recovery. How does this depend on the specific nonce reuse pattern?
\item Develop a tool to scan existing blockchains for this vulnerability. What would you look for, and how would you optimize the search?
\item Analyze the broader implications: if wallet software commonly had this bug, what percentage of cryptocurrency could be at risk?
\end{enumerate}
\item (5 points) \textbf{Side-Channel Attack Laboratory:}
You're tasked with testing an embedded device's ECDSA implementation for side-channel vulnerabilities.
\begin{enumerate}
\item Design a timing attack against variable-time scalar multiplication. What information would you measure, and how would you extract the private key?
\item Develop countermeasures that maintain performance while resisting your attack. What constant-time techniques would you implement?
\item Analyze power analysis attacks: how would an attacker use power consumption traces to recover cryptographic keys?
\item Evaluate the trade-offs between security and performance for different countermeasures. Which threats should you prioritize defending against?
\end{enumerate}
\item (5 points) \textbf{The Ed25519 Validation Crisis:}
You discover that two widely-used Ed25519 libraries accept different signatures as valid for the same message and public key, breaking interoperability.
\begin{enumerate}
\item Investigate what causes this inconsistency: what validation steps do different implementations handle differently?
\item Analyze the security implications: could an attacker exploit these differences to create practical attacks?
\item Design a test suite to identify which Ed25519 implementations are compatible with each other. What edge cases would you test?
\item Propose a strategy for the cryptographic community to resolve this issue without breaking existing deployments.
\end{enumerate}
\end{enumerate}
\section{Applied Cryptography Case Studies (30 points)}
\begin{enumerate}
\item (10 points) \textbf{Key Exchange Protocol Design}
You are designing a secure messaging application that needs to establish encrypted communication channels between users who have never communicated before. The application must work on mobile devices with limited computational resources and intermittent network connectivity.
\begin{enumerate}
\item Design a complete key exchange protocol using the cryptographic primitives from lectures 1.7 and 1.8. Your design should address:
\begin{itemize}
\item Initial key establishment between strangers
\item Authentication to prevent man-in-the-middle attacks
\item Forward secrecy for long-term security
\item Efficiency for mobile devices
\end{itemize}
\item Analyze the security properties of your protocol. What attacks does it defend against, and what are its limitations?
\item Discuss how your protocol would handle practical issues like key fingerprint verification and key rotation.
\end{enumerate}
\item (10 points) \textbf{Cryptocurrency Signature Scheme Analysis}
A new cryptocurrency project is choosing between ECDSA and Ed25519 for transaction signatures. The system requirements include:
\begin{itemize}
\item High transaction throughput (thousands of signatures per second)
\item Long-term security (system should remain secure for decades)
\item Compatibility with hardware wallets and mobile devices
\item Deterministic transaction signing for reproducibility
\end{itemize}
Analyze this decision:
\begin{enumerate}
\item Compare ECDSA and Ed25519 for each requirement above. Which algorithm better meets each criterion and why?
\item Discuss the implications of signature malleability. How does this affect each algorithm and why might it matter for cryptocurrency applications?
\item Analyze the quantum resistance of both options. What migration path would you recommend for long-term security?
\item Consider the ecosystem effects: existing wallet software, hardware support, and developer familiarity. How do these practical factors influence the decision?
\item Make a final recommendation with justification, considering both technical and practical factors.
\end{enumerate}
\item (10 points) \textbf{Secure Communication System Architecture}
You are architecting a secure communication system for a large organization (10,000+ employees) that needs to protect against both external attackers and potential insider threats. The system must support real-time messaging, file sharing, and voice calls.
Design and analyze a complete solution:
\begin{enumerate}
\item Specify your cryptographic algorithm choices for:
\begin{itemize}
\item Key exchange protocols
\item Digital signature schemes
\item Symmetric encryption algorithms
\item Hash functions and MACs
\end{itemize}
\item Describe your key management architecture. How do you bootstrap trust, distribute keys, and handle key rotation?
\item Analyze your system's security properties against various attack scenarios:
\begin{itemize}
\item Network eavesdropping
\item Server compromise
\item Endpoint compromise
\item Insider attacks
\end{itemize}
\item Discuss the performance implications of your design choices and how you would optimize for a large-scale deployment.
\item Evaluate your system's compliance with modern security standards and its readiness for post-quantum cryptography migration.
\end{enumerate}
\end{enumerate}
\begin{tcolorbox}[colframe=EarthBrown!30!white,colback=EarthBrown!5!white]
\textbf{Bonus Challenge (20 extra points):} The transition to post-quantum cryptography will require replacing current elliptic curve systems with quantum-resistant alternatives. Research and analyze one of the following aspects of this transition:
\begin{enumerate}
\item \textbf{NIST Post-Quantum Standards}: Analyze the recently standardized ML-KEM and ML-DSA algorithms. How do their key sizes, performance characteristics, and security assumptions compare to current ECC systems?
\item \textbf{Hybrid Classical/Post-Quantum Systems}: Describe approaches for combining classical and post-quantum algorithms during the transition period. What are the benefits and challenges of hybrid systems?
\item \textbf{Migration Timeline and Challenges}: Analyze the practical challenges of migrating existing systems (browsers, mobile apps, IoT devices) from ECC to post-quantum cryptography. What factors determine the migration timeline?
\end{enumerate}
Your answer should include: current standardization status, performance comparisons with existing systems, deployment challenges, and recommendations for practitioners preparing for the post-quantum transition. Check the Optional Readings under the topic listing for the Post-Quantum Cryptography on the course website for helpful references!
\end{tcolorbox}
\end{document}