Exam 1
CS 6260, Fall 2012
These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 section of Georgia Tech CS 6260). Deviating from this policy will be
considered a vio
Applied Cryptography
Georgia Tech, Fall 2012
Homework 2
Instructor: Chris Peikert
Student: SOLUTIONS
These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 section of
CS 6260: Applied Cryptography
August 29, 2013
Homework 1
Lecturer: Sasha Boldyreva
Due: September 5, 2013
The skills practiced: understanding the perfect secrecy and its limitations, understanding weaknesses of particular schemes, good technical/mathemati
CS 6260: Applied Cryptography
September 19, 2013
Homework 3
Lecturer: Sasha Boldyreva
Due: September 26, 2013
Skills tested: writing proofs by reduction, understanding the IND-CPA and INDCCA denitions, breaking insecure schemes.
The notation used in diere
CS 6260: Applied Cryptography
September 10, 2013
Homework 2
Lecturer: Sasha Boldyreva
Due: September 19, 2013
The goal of this homework is to practice understanding of the PRF and IND-CPA
security denitions and the ability to write attacks under these den
Applied Cryptography
Georgia Tech, Fall 2012
Homework 4
Instructor: Chris Peikert
Student: YOUR NAME HERE
These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 secti
Applied Cryptography
Georgia Tech, Fall 2012
Instructor: Chris Peikert
Student: SOLUTIONS
Homework 3
These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 section of
CS 6260: Applied Cryptography
November 14, 2013
Homework 6
Lecturer: Sasha Boldyreva Due: Nov.21 for in-class submissions, Nov.22 is you want to submit online.
The skills practiced:
Problem 6.1, 15 points. Assume there exists a polynomial-time algorithm A
Applied Cryptography
Georgia Tech, Fall 2012
Instructor: Chris Peikert
Student: SOLUTIONS
Homework 1
These solutions are being provided for your personal use only. They are not to be shared with, or used
by, anyone outside this class (Fall 2012 section of
CS 6260: Applied Cryptography
October 8, 2013
Homework 4
Lecturer: Sasha Boldyreva
Due: October 22, 2013
The skills practiced: understanding the security notion for MACs, security of authenticated encryption schemes, good technical/mathematical writing.
P
Plain RSA encryption scheme
AlgorithmK
$
(N , e), (N , p, q, d ) K $
rsa
Return (N , e), (N , d )
Algorithm E(N ,e)(M )
C M e mod N
Return C
Algorithm D(N ,d )(C)
M Cd mod N
Return M
Plain RSA is not secure
Under the RSA assumption it is hard to recover a
Signature schemes variations
Multisignatures: several signers create a signature on a single
message, that is shorter and faster to verify than when a
standard signature scheme is used in a straightforward way.
Aggregate signatures: similar to multisignat
The RSA system. The basics.
Def. Let N,f 1 be integers. The RSA function associated to
N,f is the function RSAN,f : Z Z defined by
N
N
RSAN,f (w) = wf mod N for all w ZN.
Claim. Let N 2 and e,d Z(N) be integers such that ed 1
(mod (N). Then the RSA functi
CS 6260
Number-theoretic primitives
As no encryption scheme besides the
OneTimePad is unconditionally secure, we need
to find some building blocks - hard problems
(assumptions) to base security of our new
encryption schemes on.
Block ciphers and their PRF
Chapter 3
Pseudorandom Functions
Pseudorandom functions (PRFs) and their cousins, pseudorandom permutations (PRPs), gure as
central tools in the design of protocols, especially those for shared-key cryptography. At one level,
PRFs and PRPs can be used to
Chapter 4
Symmetric Encryption
The symmetric setting considers two parties who share a key and will use this key to imbue communicated data with various security attributes. The main security goals are privacy and authenticity
of the communicated data. Th
CS 6260
Applied Cryptography
Message Authentication Codes (MACs).
New cryptographic goals
Data privacy is not the only important
cryptographic goal
It is also important that a receiver is assured
that the data it receives has come from the
sender and has
We studied several definitions of security of asymmetric
encryption schemes (IND-CPA, IND-CCA).
Recall that the definitions consider a single user (a person
with a public key).
This single-user setting is different from practice
Real world is more comple
Digital signature schemes
Let's study the problem of data authentication and integrity in the asymmetric (public-key) setting. A sender needs to be assured that a message came from the legitimate sender and was not modified on the way. MACs solved this
Hybrid encryption
Asymmetric encryption uses number-theoretic operations and
is slower than symmetric encryption that often uses block
ciphers.
Also we often want to encrypt long messages.
In practice one usually
1. encrypts a randomly chosen symmetric ke
CS 6260: Applied Cryptography
September 15, 2016
Solutions to Homework 3
Lecturer: Sasha Boldyreva
Problem 3.1, 10 points.
Let H be a hash function constructed via the Merkle-Damgard transform. We define
a MAC M ACK (M ) = H(KkM ), where K is a random 160
CIS 5371 Cryptography
Home Assignment 2 wt Answers
Due: At the beginning of the class on February 18, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to Modern
Cryptography.
Prove or refute: Every encryption
CIS 5371 Cryptography
Home Assignment 4 with answers
Due: At the beginning of the class on March 17, 2016
Exercises taken from the course textbook. J. Katz and Y. Lindell, Introduction to Modern Cryptography.
1. Consider the following fixed-length M AC fo
CIS 5371 Cryptography
Home Assignment 3 with answers
Due: At the beginning of the class on February 25, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to Modern Cryptography.
1. Let G be a pseudorandom genera
U.C. Berkeley CS276: Cryptography
Luca Trevisan
Handout N9
February 17, 2009
Notes for Lecture 9
Notes scribed by Joel Weinberger, posted March 1, 2009
Summary
Last time, we showed that combining a CPA-secure encryption with a secure MAC
gives a CCA-secur
U.C. Berkeley CS276: Cryptography
Luca Trevisan
Handout N7
February 10, 2009
Notes for Lecture 7
Scribed by Mark Landry, posted February 15, 2009
Summary
Today we start to talk about message authentication codes (MACs). The goal of a
MAC is to guarantee t
U.C. Berkeley CS276: Cryptography
Luca Trevisan
Handout N8
February 12, 2009
Notes for Lecture 8
Scribed by James Cook, posted February 18, 2009
Summary
Last time we described a secure MAC (message authentication code) based on pseudorandom functions. Its
CIS 5371 Cryptography
Home Assignment 1 wt Answers
Due: At the beginning of the class on Feb 11, 2016
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to
Modern Cryptography.
1.3 Consider an improved version of the
CS 6260: Applied Cryptography
September 15, 2016
Solutions to Homework 2
Lecturer: Sasha Boldyreva
The skills practiced: understanding PRF and IND-CPA definitions, proving schemes
insecure.
Problem 2.1, 20 points. Let F : cfw_0, 1k cfw_0, 1m cfw_0, 1n be