Serious Cryptography Flashcards
1
Q
How many letters does cesar cypher shift?
A
3
2
Q
How do vigenere cipher works?
A
The key is not fixed like cesar, is defines a key using a word of N letters. This word is used to rotate every letter individually: CRYPTO encrypts to FLFSNV using DUH key.
3
Q
What are the steps needed to break vigenere cipher?
A
1- find the key length: find for repeated sequences of letters in the ciphertext.
2- determine the key using frecuence análisis: Most common letters of abecedary.
4
Q
Does classic ciphers operates with bits or letters?
A
Letters
5
Q
In symmetric ciphers, what is a permutation?
A
A function that transform an item (letter or set of bits ) such that item has a unique inverse.
6
Q
In symmetric ciphers, what is a mode of operation?
A
An algorithm that uses a permutation to process messages of arbitrary size. Mitigates exposure of duplicate letters in the plaintext by “scrumbling” all. (Confussion and difussion)
7
Q
What is a substitution cipher?
A
Replace letters with other letters
8
Q
When a permutation is secure?
A
When it satisfy 3 criteria:
1- The permutation should be determined by the key. ( in caesar is fixed and is 3)
2- Different keys should result in different permutations.
3- The permutation should look random. Knowing that A encrypts to B should not give you any other information.
9
Q
Why classical ciphers are insecure?
A
Because their are limited to operations that humans can perform with their head.
10
Q
Which cipher guaranties perfect secrecy?
A
One Time Pad
11
Q
What is the length of a one time pad cipher
A
as long as the message
12
Q
What an attacker can learn from a ciphertext computed with a one time pad?
A
The length of the message
13
Q
How many times can use a single key on one time pad?
A
Just once
14
Q
Why can´t we encrypt 2 message with the same key on one time pad?
A
Because of the XOR property. C1-xor-C2=(P1-xor-K)xor(P2-xor-K)=P1-xor-P2-xor-K-xor-K=P1-xor-P2
15
Q
Why One time pad is not used on real life?
A
Because to encrypt a 1 tera file you will need a 1 tera key. Is not applicable for long messages.
16
Q
Why is one time pad secure?
A
Shannon proof that if the key K is chosen randomly and that key is as long as the message, an attacker, even if he can proof all the possible keys, will now know nothing about the message, because it will have tons of valid messages.
17
Q
What is an attack model?
A
Assumptions about what an attacker can do to interact with a cipher. Does not have to reality exactly, is an approximation.
18
Q
What is a security goal?
A
Descriptions of what is considered a successful attack.
19
Q
What kerchoffs principle states?
A
The security of a cipher should rely only on the secrecy of the key and not on the secrecy of the cipher.
20
Q
What are the black box attack models ?
A
Models where the atacker only see what goes in and out the cipher.
21
Q
What is Ciphertext-only attack model?
A
Passive attack, can´t perform decrypt and encrypt queries. JUST OBSERVE CIPHERTEXTS.
22
Q
what is Known-plaintext attack model?
A
Passive attack, can´t perform decrypt or encrypt queries. OBSERVE CIPHERTEXTS AND THEIR ASOCIATED PLAINTEXTS. (the plaintexts are randomly chosen)
23
Q
What is chosen-plaintext attack model?
A
Active attack. Can perform encryption queries of plaintext of their choise.
24
Q
What is chosen-ciphertext attack model?
A
Active attack. Can perform encryption and decryption queries.
25
What are the grey-box attack models?
Models where an attacker also know the ciphers implementation.
26
What is an example of grey-box attack model?
Side channel attacks.
27
What is a side-channel attack?
Observe or measure analog characteristics of a ciphers implementation but do not alter the implementation. (non-invasive)
28
What are examples of side-channel attacks?
On software error messages, return values and on hardware measure of power consumption, electromagnetic emanations, etc.
29
What are the two main security goals?
Indistiguishability: Ciphertexts should be indistinguishalbe from random strings. Ej. If an attacker picks two plaintexts and the recieves a ciphertext of one of them, he should not know from which plaintext is.
Non-malleability: Given a ciphertext C1 it should be imposible to create another ciphertext C2 whose corresponding plaintext (P2) is related to (P1) in a meaningfull way.
30
What is a security notion?
Is a combination of a security goal and an attack model.
31
What is semantic security?
Is the same as IND-CPA. Ciphertexts should not leak any information about their plaintexts as long the key is secret. So, if an attacker can execute queries of encryption (CPA) two plaintexts that are equal should have different ciphertexts.
32
How can we achieve IND-CPA?
Using randomized encryption. Basically E(K,P,R) where R are random bits (IV,Tag).
33
If a cipher is IND-CCA implies that is IND-CPA as well?
Yes
34
If a cipher is NM-CCA implies that is NM-CPA as well?
Yes
35
If a cipher is IND-CPA implies that is NM-CPA as well?
No
36
If a cipher is NM-CPA implies that is IND-CPA as well?
Yes
37
What is the difference between symmetric and assymetric encryption?
Symmetric: One key that is shared between two parties.
Asymmetric: We have a pair of keys, priv and pub.
38
Can we derive a private key from a public key?
No
39
Can we derive a public key from a private key?
Yes
40
What is called encrypting with a public key?
Encryption, because only the holder of the private key can read it.
41
What is called encrypting with a private key?
Signature, because all with access to the public key, can read the message, so no confidentiality is gained.
42
What is authenticated encryption?
Is a type of symmetric encryption that outputs a ciphertext and a Tag. On the decryption process, the cipher takes K, C and T (the tag) and only returns a plaintext if the Tag matches the plaintext, if not, aborts.
43
What guaranties does authenticated encryption gives?
1- Integrity: The message is only decrypted if the Tag matches the plaintext.
2- Authentication: The person or process that sends the encrypted text, key and Tag gives more information about the authenticity.
44
What is an effective way to avoid a replay attack?
Set a counter, the evesdropper will not be able to forge the counter+1 message, so the reply will fail.
45
What is AEAD?
Authenticated encryption with adicional data is an extension of authenticated encryption where some part of the payload must be unencrypted.
46
What is format preserving encryption?
A type of encryption that creates ciphertexts that have the same format as the plaintext. Ej. Encrypt IP's to IP's, etc.
47
What is Fully homomorphic encryption (FHE)?
A type of encryption that let a user to update a ciphertext without decrypting it. It is useful on cloud scenarios, where you do not want you provider to know your encryption key, so you can send encrypted data and update other encrypted data without a key.
48
What is Searchable encryption?
Is a type of encryption that let you search for content without decrypting that content.
49
What is tweakable encryption?
Is a type of encryption that takes a key, a plaintext and a tweak. The tweak is a type of value that depends on the context, to avoid other contexts to decrypt that data. For example, on disk encryption, the tweak is set as the sector number or the block index.
50
What is identity-based-encryption?
Basically use email addresses in replace of public keys to encrypt a message. There is a central entity that handles the encryption keys and based on the identities generates privates keys to read the messages being sent (Generally using a PKG)
51
What is attribute based encryption?
Attribute-based encryption is a one-to-many public key encryption. Only the user, whose attributes satisfy the access policy set by the encryptor, can decrypt the ciphertext. This concept originates from identity-based encryption
52
What is oblivious transfer protocol?
In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred. (https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec19.pdf)
53
What is functional encryption?
In a functional encryption system, a decryption key allows a user to learn a function of the encrypted data.
For example: As a concrete example, consider a cloud service storing encrypted images. Law enforcement may require the cloud to search for images containing a particular
face. Thus, the cloud needs a restricted secret key that decrypts images that contain the target face, but reveals nothing about other images. More generally, the secret key may only reveal a function of the plaintext
image, for example an image that is blurred everywhere except for the target face
54
Why padding is important on block ciphers?
Because the length of the plaintext should be a multiple of the block length. Padding is used to fill that gap.
55
What are padding examples?
Pkcs5, pkcs7, ansi x923, w3c padding, etc.
56
What is a uniform distribution?
Occurs when all probabilities in the distribution are equal, meaning that all outcomes are equaly likely to ocurre.
57
How is randomness linked to uniform distribution?
Any random process must produce outputs with the same probability of outcome: a uniform distribution.
58
What is entropy?
A measure of uncertainty, or a measure of information. Both are valid definitions.
59
What is the entropy of a 128 bits key generated with a uniform distribution function?
128 bits. Formula: 2^128 * (-2^128*log(2^-128))
60
What is the entropy of a fair toss coin?
1 bit. Formula: -1/2 * log(1/2) - (1/2) * log (1/2)
61
What is the entropy of a loaded coin with 1/4 prob of tails and 3/4 prob of heads?
0.81 bit. Formula: -1/4 * log (1/4) - 3/4 * log(3/4)
62
In which probability distribution, the entropy is maximized?
In a uniform distrubution.
63
Where true randomness is generated?
Can´t be generated in a computer because is a deterministic machine. It comes from RNG that usually are software or hardware that measure physical events.
64
What a hardware random number generator measure to produce random numbers?
Temperature, acustic noise, electrical static, quantum events.
65
What a software random number generator measure to produce random numbers?
Use attached sensors to measure events, I/O from mouse, packets from the network, disk activity, key pressing, etc.
66
Why we do not use RNG directly?
Because RNG measurements are slow and because they do not have a uniform distribution, meaning low entropy.
67
What are PRNG?
PRNG are algorithms that take RNGs inputs and produce random-looking bits in a deterministic way. (Using drng)
68
How PRNG works?
They take true random bits from a RNG, feed them into a DRNG that expands those bits into a much larger sequence.
69
What are the 3 main parts of any pseudo random number generator?
1- init() Initialize the entropy pool and the prng internal state (buffers, etc)
2- refresh(seed) updates the entropy pool using a specific seed.
3- next(n) runs the DRNG and return n pseudorandom bits and updates the entropy pool to make sure the next call will generate different sequences.
70
What properties must have a CSPRNG?
1- produce bits sequences with a uniform distribution.
2- backtracking resistance: if an attacker knows one bit sequence, he can’t deduce previous bits.
3- prediction resistance: If an attacker reads part of the stream, he can’t know without a seed, the next bits.
71
What is linear combination?
Xor combination of bits. This produce short equations and is why is not secure for cryptography in general.
72
What is non-linear combinations?
Adds AND combinations. This rise equations to exponential sizes, practically unsolvable.
73
What are statistical tests on PRNG?
Tests suites that produce samples of any specific PRNG and compute some statistics on its output distribution. The goal is compare this output with a uniform distribution. One example is amount of 0 and 1 on a stream.
74
What is the difference between /dev/random and /dev/urandom?
Random tries to estimate the entropy of the pool, and if is not sufficient it blocks the stream. Urandom do not check this bound, and sends the stream anyway.
75
What is rdrand?
Is an intel processor assembly instruction that generates pseudorandom bits.
76
How rdrand works?
It has a small hardware circuit that jumps between 1 and 0 depending on thermal noise flactuations, usually 800MHz.
77
From a performance view, is base64 or hexa a better encoding binary-to-text encoding to compare 2 digests?
Base64 because it provides less amount of characters than hexa to represent the same amount of information. This is why the text comparisons are more efficient.
78
What are the drawbacks of using base64 to represent a digest?
Base64 has characters like "+" or "=" that can break some contexts such as http query strings.
Base64 has min and mayus, this means that if a developer could make an error of passing to minus all before comparing, this could lead to problems.
79
What is perceptual hashing and piecewise hashing?
There are two types of hashes that gives information about the similarity of two inputs.
80
What is the difference between informational security and computational security?
Informational security is about theoretical impossibility whereas computational security is about practical impossibility.
81
When a cipher is informationally secure?
When even given unlimited time and resources it can not be broken.
82
When a cipher is computationally secure?
When it can not be broken with a reasonable amount of time and resources,
83
What means that a cipher is t-bit-secure?
Means that a successful attack needs at least t operations. 2^t operations are needed for a successful attack. It is an upper bound, the worst case scenario.
84
If we need 10000000 operations to break a cipher, what is the security level?
is log2(10000000) = 2^20 -> 20 bits security.
85
When a security level is lower than the key size?
1- When an attack could recover the key in less operations.
| 2- When speaking about public key algoritms.
86
What is the bit security level of RSA 2048?
100 bit security.
87
Say we have two 128 bits secure ciphers, but one is way slower than the other. Does this means that the slower one is more secure even if both are 128bits secure?
Yes
88
What factors affect the cost of a successful attack other than the t-bit security?
1- Parallelism: If the attack could be carried out in different cores, the security is lower, because the attack is faster.
2- Memory: The time and space that the algorithm takes to process must be taken into account.
3- Pre-computation: The security of a cipher diminish a lot if you can harvest pre work and use it on posterior attacks. Ej. Meet in the middle de 3DES.
4- Number of targets: If you have 1 128bit key target, you will need 2^128 operations, but if you are searching 100 128 bit keys, the cost is 100*2^128. If you are looking at least one key on a set of 2^16 128 bit keys, you will take 2^128-16 = 2^112 operations.
89
What Moore´s law state?
Computing efficiency doubles roughly every to years. We can think this as we loose 1 bit security every year.
90
What is provable Security?
An approach used to mathematically proof the security of an algorithm. Proofs that breaking the algorithm is at least as hard as solving another problem hard to solve. This means the crypto remains safe until that problem is solved, this is called reduction.
91
What approaches can we use to proof an algorithm is secure?
1- Relative to a math problem: Break an algorithm is as hard as resolve a math problem. (Prime number factorization)
2- Proofs relative to another crypto Problem: Compare with another crypto scheme, so if you can break that you can break this.
92
Are this proofs of security absoult?
No, there are cavets.
1- Some times resolve math problemas are easier than expected.
2- Although the proof is good, the implementation could be wrong.
93
What is heuristic security?
There are algorithms than can not be proved in a mathematical way. The only reason to trust this algorithms is because many skilled people tried to break it and failed.
94
What type of scheme is paillier cryptosystem?
Additive homomorphic cryptosystem
95
What are the 3 ways available to store a secret secure?
1-key wrapping: encrypting a key with a second key.
2- on the fly generation from a password: there is not key to store, because the key is derived from a password that lives on our brain. (ios pin iphone unlock)
3- storing a key on a hardware token with anti-tampering properties.
96
What means a block cipher to be secure?
It should be a pseudorandom permutation. This means that as long as the key remains secret, there is no way to get the input that produced some output.
97
What are the two most important sizes on a block cipher?
The block size and the key size.
98
What is the impact of huge blocks on block ciphers?
1- More ciphertext overhead.
| 2- more memory footpirnt.
99
In block cyphers, do block size affect performance?
Yes! 128 bit blocks are faster than 64bits depending on cpu arquitecture. There are native instructions like avx that made faster 128bits operations.
100
In block cipher, if blocks are very small, is there a problem?
Yes, they are vulnerable to codebook attacks!
101
What are codebook attacks?
If blocks are very small, say 16 bits, you can build a lookup table with all the 2^16 ciphertexts corresponding to every 16bit plaintext.
To decrypt you just find the corresponding input for the given output.
102
Speaking of codebook attacks against small block sizes on block ciphers, how much memory do you need to build the lookup table on 16bit, 32bit and 64bit blocks?
16bit: 2^16*16 = 2^20 = 128KB
32bit: 16 gigas
64: 128 hexabytes
103
What are DIEHARD, crypt-x, or. NIST-STS?
Statistical tests for randomness!
104
What is Multisig on a cryptocurrency space?
Is a protocol that requires more than 1 party to sign a transaction. This avoids that if a single priv key is leaked, the wallet is at risk.
Generally speaking, multisig is integrated with the cryptocurrency ledger, meaning that is not an agnostic of the cryptocurrency.
Bitcoin uses Schnorr signatures and Monero uses edwards25519.
105
What is Shamir Secret Sharing?
Shamir's Secret Sharing is used to secure a secret in a distributed way, most often to secure other encryption keys. The secret is split into multiple parts, called shares. These shares are used to reconstruct the original secret.
Require n participants to SEND the shares of the final key to the system.
The construction is based on that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth.
106
What is a threshold in SSS?
A threshold is used to denote the minimum number of shares needed to unlock the secret. For example, you can generate 30 shares but need 20 to unlock the final key.
107
What are the variants VSSS and PSSS?
VSSS allows participants to verify that malicious shares are not being used, and PSSS allows participants to proactively rotate their shares.
108
What is native multisignature?
Require n participants to SIGN the same transaction and send the n signatures to the system. The system must verify all.
109
What is aggregated multisignature?
Require n participants to SIGN the same transaction and send the n signatures to an aggregator. The aggregator allow you to compress the n signatures in a single signature. THEN you send the signature to the system.
110
What is a sybil attack?
En un ataque Sybil, un atacante puede contaminar un sistema distribuido creando un gran número de identidades que aparenten ser independientes y usarlas para obtener una influencia desproporcionada, alterar rutas o modificar contenido almacenado de forma redundante.
111
What are examples of sybil resistant protocols?
Poof of work and proof of stake.
112
What is threshold secret signature? And what is the difference with the SSS?
Instead of sending the part of the secrets for a centralized entity transform them into the final key, you send signatures directly to this central entity and this entity will generate a new final signature based on the sum of the other signatures.
113
Which scheme is more “thresholdizing”, EdDSA or ECDSA? (Meaning that is more friendly with the concepto of devide the secret key in lots of shares)
EdDSA or pure Schnorr signatures, which
are relatively threshold-friendly thanks to the linearity of
their s computation.
114
What is called sharding in distributed key management?
Is the concept of generating one single key, brake it in multiple part, using for example, shamir secret sharing, and then store then separately on different shards.
115
What are hash levels?
Until now hash functions have generally been categorised as either cryptographic or non-cryptographic. However, there are several different hash function capabilities that are useful for different purposes.
116
What means to be level 1 hash?
It means non collision resistant and are useful for cases where there are absolutely no adversaries.
117
What means to be level 2 hash?
Level 2 hash functions usually receive a key as an input and can not produce a c-way multicollision.
118
What means multi-collision resistance?
Is a natural relaxation of fully collision resistance. Roughly speaking, a shrinking hash function is multi-collision-resistant if finding many (rather than two) inputs that hash to the same output is intractable.
The notion of multi-collision resistance provides a
framework for proving formal security guarantees for standard keyless hash functions, for example SHA-2
119
Can a keyless hash function achieve fully collision resistance?
No. Full collision resistance cannot be satisfied by any single (fixed) function. Indeed, for any shrinking function, there exist algorithms that can efficiently find collisions, by simply having such collisions hardwired in their code. Accordingly, in the theoretical treatment of collision-resistance, we consider keyed families of hash functions, requiring that efficient algorithms cannot find collisions when the key is chosen at random
120
What is fully collision resistance?
Is a stronger claim than collision resistance.
Full collision-resistance requires the intractability of finding collisions, EVEN with full-adaptive access to a collision-finding oracle, meaning:
Here, the adversary gets access to a collision-finding oracle, which outputs a collision for the adversarially chosen hash, but also keeps track of each of the queried and returned hash/message pairs (h, m) and (h, m0 ), using the list Q. The adversary wins, if it comes up with a hash/message pair (h∗ , m∗ ) colliding with (m0∗, r0∗), for the given public key, where (m0∗, r0∗) was never queried to or output from the collision-finding oracle.
121
What is the SAS 70 standard?
Is a set of best practices for root key ceremonies.
122
What is the difference between RSA-PSS and RSA-OAeP?
OAEP = Encryption , PSS signature!
123
What is zero knowledge proof?
In a zero-knowledge proof protocol, one party, the prover, proves to another party, the verifier, that a statement is true, while preserving confidentiality of information.
124
what is a Polynonce attack?
When using ECDSA, reusing a nonce for multiple signatures (because a bug or a bad PRNG) lead an attacker to obtain the private key just using a little number of signatures. https://eprint.iacr.org/2023/305.pdf
