CS783: Theoretical Foundations of Cryptography Fall 2024
Mid-Term Exam
September 19, 2024
Full marks: 40, Time: 2 hours
Instructor: Chethan Kamath
Roll Number: Name:
1. Please enter your roll number and name in the answer booklet.
2. There are eight problems. Answer problems 1-2 in the same page of the answer
booklet and use separate pages for the rest.
3. Problems 1-2 are all or nothing: you get the full marks only if your answer is the
exact subset. If you think the correct answers are 1 and 3, just write “1, 3”.
4. Answer using a pen. Pencils are not allowed.
Problem 1 (3 marks). Consider the following randomised encryption scheme $\Pi = (\mathsf{Enc}, \mathsf{Dec})$ related to one-time pad:
$\mathsf{Enc}(m, k; r) := (m \oplus k, k \oplus r)$, where $m, k, r \in \{0,1\}^n$ and $r$ denotes the random coins used by $\mathsf{Enc}$
$\mathsf{Dec}(c =: (c_1, c_2), k) := c_1 \oplus k$
Select the true statement(s) about Π.
1. Π is not perfectly secure
2. Π is perfectly secure
3. Π is perfectly secure even when the eavesdropper is given the coins r used to encrypt
4. Π becomes insecure when the eavesdropper is given the coins r used to encrypt
Problem 2 (4 marks). Recall that for a collision-resistant hash function (CRHF) $\{H : K \times \{0,1\}^* \to \{0,1\}^n\}$ with key generation algorithm $\mathsf{Gen}$, the following is negligible for every efficient $\mathsf{F}$:
$$\Pr_{\substack{k \leftarrow \mathsf{Gen}(1^n) \\ (x_1, x_2) \leftarrow \mathsf{F}(k)}}[H(k, x_1) = H(k, x_2)].$$
Given below are four hash functions $H'$ defined using $H$ with $\mathsf{Gen}' := \mathsf{Gen}$. Select the collision resistant one(s).
1. Hash-then-flip: $H'(k, x) := H(k, x) \oplus 1^n$
CS783 Page 1 of 3 Mid-Term Exam
2. Hash-then-append: $H'(k, x) := H(k, x) \| 1^n$
3. Truncate-then-hash: $H'(k, x) := H(k, x_1 \| \cdots \| x_{\ell-1})$, where $x := x_1 \| \cdots \| x_{\ell-1} \| x_\ell$
4. Hash-then-truncate: $H'(k, x) := y_1 \| \cdots \| y_{n-1}$, where $y_1 \| \cdots \| y_{n-1} \| y_n := H(k, x)$
Problem 3 (4 marks). Consider the message authentication code $(\mathsf{Gen}, \mathsf{Tag}, \mathsf{Ver})$ constructed below using a pseudo-random function (PRF) $\{F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}$.
$\mathsf{Gen}(1^n)$: Output $k_1, k_2 \leftarrow \{0,1\}^n$
$\mathsf{Tag}(k_1 \| k_2, m_1 \| m_2) := F(k_1, m_1) \| F(k_2, m_2)$, where $|m_1| = |m_2| = n$
$\mathsf{Ver}(k_1 \| k_2, t, m_1 \| m_2)$: accept if $F(k_1, m_1) \| F(k_2, m_2) = t$.
Note that the message space is $\{0,1\}^{2n}$. Describe an attack that shows the scheme is not
EU-CMA secure. (Hint: you need to query the tag oracle twice.)
Problem 4 (4 marks). Let $f = \{f_n : \{0,1\}^n \to \{0,1\}^n\}$ be any one-way permutation
(OWP). For $n := |x|$, consider the $n$-time self-composition of $f$
$$f'_n(x) := \underbrace{f_n(f_n(\cdots(f_n(f_n(x)))\cdots))}_{n}.$$
Is $f' = \{f'_n : \{0,1\}^n \to \{0,1\}^n\}$ always a OWP? Come up either with
a counter-example f that is a OWP but such that f ′ is not a OWP; or
a brief security proof that f ′ is a OWP (describe your reduction in full detail, and
then briefly analyse why it works).
Problem 5 (4 marks). Let $\{F : \{0,1\}^n \times \{0,1\}^n \to \{0,1\}^n\}$ be any PRF. Consider the
following construction of pseudo-random generator (PRG) $G$ using $F$:
$$G(s) := F(1, s) \| F(2, s) \| \cdots \| F(|s|-1, s) \| F(|s|, s),$$
i.e., evaluate the seed $s$ on fixed keys $1, \ldots, |s|$. Note that $G$ expands its seed $s$ to $|s|^2$
bits. Is $G$ always a PRG? Come up either with
a counter-example F that is a PRF but such that G is not a PRG; or
a brief security proof that G is a PRG (describe your reduction in full detail, and
then briefly analyse why it works).
Problem 6 (2+3=5 marks). You are given a public-key encryption scheme Σ = (Gen, Enc, Dec)
that is IND-CPA-secure. Using Σ, construct a two-message (i.e., one-round) key-exchange
protocol Π.
1. Describe your protocol Π: specify what Alice’s and Bob’s messages are.
2. Formally prove that if Σ is IND-CPA-secure then Π is secure against eavesdroppers.
Recall that in the security experiment for key-exchange protocol Π, the eavesdropper
Eve should not be able to distinguish the real key from a random key given the
transcript of the protocol Π.
Problem 7 (3+3=6 marks). You are given a one-time EU-CMA-secure digital signature
scheme Σ = (Gen, Sign, Ver) that can sign one-bit messages. Using Σ, construct a one-way
function f.
1. Describe your one-way function f.
2. Formally prove that if Σ is one-time EU-CMA-secure then f is one-way. Recall that
in the one-time EU-CMA security experiment for digital signature Σ on one-bit
messages, the forger Tam is given the public key, access to a signature of a bit b of
her choice and must forge a signature on b̄.
Problem 8 (4+3+3=10 marks). Let $H : K \times \{0,1\}^{n+1} \to \{0,1\}^n$ be a collision-resistant
compression function. Recall the Merkle-Damgård transform, which uses $H$ to construct
a compression function $H' : K \times \{0,1\}^{\ell(n)} \to \{0,1\}^n$ for any polynomial $\ell$, $\ell(n) > n + 1$
(and with the same key generation algorithm):
Construction 1. $H'(k, x)$
Parse the input $x \in \{0,1\}^{\ell(n)}$ as $x_1 \| \cdots \| x_{\ell(n)}$, where each $x_i \in \{0,1\}$
Set $y_1 := H(k, 0^n \| x_1)$
For each $i \in [2, \ell(n)]$, set $y_i := H(k, y_{i-1} \| x_i)$
Output $y_{\ell(n)}$
We proved in class that H′ is a collision-resistant compression function. Now answer the
following questions about Construction 1.
1. Design an $H$ such that $H'$ is not collision-resistant when used with inputs over the
domain $\{0,1\}^{\le \ell(n)}$, i.e., strings of length at most $\ell(n)$. Write down your collision
(which must be of different length).
2. Describe a fix for Construction 1 so that it works for $\{0,1\}^*$. (Hint: you need to
pad your input appropriately.)
3. Prove security of the fixed construction.
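Added example, not part of the exam paper: Construction 1 on fixed-length inputs, together with the backward walk behind the statement that a collision in H′ between equal-length inputs yields a collision in H. The toy parameters n = 8 and ℓ(n) = 12, the use of truncated HMAC-SHA256 as a stand-in for H, and all function names are assumptions chosen so that a collision can be found by exhaustive search.

```python
import hashlib
import hmac

N = 8     # toy n in bits (assumption): small enough to find collisions by search
ELL = 12  # toy l(n) in bits (assumption), satisfies l(n) > n + 1

def H(k: bytes, block: str) -> str:
    """Stand-in compression {0,1}^(n+1) -> {0,1}^n: HMAC-SHA256 cut to n bits."""
    if len(block) != N + 1:
        raise ValueError("H takes exactly n + 1 bits")
    digest = hmac.new(k, block.encode(), hashlib.sha256).digest()
    return format(int.from_bytes(digest, "big") >> (256 - N), f"0{N}b")

def chain(k: bytes, x: str) -> list:
    """Chaining values y_1, ..., y_l(n) of Construction 1 for a bit string x."""
    if len(x) != ELL or set(x) - {"0", "1"}:
        raise ValueError("x must be exactly l(n) bits")
    ys = [H(k, "0" * N + x[0])]
    for bit in x[1:]:
        ys.append(H(k, ys[-1] + bit))
    return ys

def H_prime(k: bytes, x: str) -> str:
    return chain(k, x)[-1]

def find_collision(k: bytes):
    """Exhaustive search; succeeds by pigeonhole because 2^l(n) > 2^n."""
    seen = {}
    for v in range(2 ** ELL):
        x = format(v, f"0{ELL}b")
        y = H_prime(k, x)
        if y in seen:
            return seen[y], x
        seen[y] = x

def extract_H_collision(k: bytes, x: str, xp: str):
    """Turn H'(k,x) = H'(k,x'), x != x', into two distinct H inputs that collide."""
    ys, yps = chain(k, x), chain(k, xp)
    if x == xp or ys[-1] != yps[-1]:
        raise ValueError("need a collision in H' between distinct inputs")
    for i in range(ELL - 1, -1, -1):       # invariant: ys[i] == yps[i]
        a = (ys[i - 1] if i else "0" * N) + x[i]
        b = (yps[i - 1] if i else "0" * N) + xp[i]
        if a != b:                          # differing inputs, equal outputs
            return a, b

if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample key
    x, xp = find_collision(key)
    print(x, xp, extract_H_collision(key, x, xp))
```

The walk always terminates with a pair because equal H inputs at every position would force x = x′.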