Consider that we train a regression model and run Best Subset selection to obtain a model

(a) What is the main difference between a block cipher and a stream cipher? (b) Give a formal definition of a block cipher. Your answer should make reference to the block size n and the key size k. (c) In the context of a block cipher, explain what is meant by the following terms: (i) known plain text attack; (ii) chosen plain text attack; known cipher text attack. (d) To what extent are the three different attack models above realistic? Illustrate your answer with an example for each model.[6 marks] (e) You are given the task of selecting a block cipher to be used in an app that will run on smart phones. The block cipher will be used to encrypt users' passwords as they are sent from the phone to a remote server. Which block cipher would you choose for this purpose, and why?[4 marks] (f) Explain why modes of operation are usually needed when using block ciphers. (g) Define Counter (CTR) mode encryption. (h) Explain what the principal security requirement for using CTR mode is. Describe two different methods by which this requirement can be met, commenting briefly on any issues that may arise with each method.[5 marks] (i) CTR mode is vulnerable to "bit flipping" attacks. Explain, in general terms, what is meant by this statement, and which security property the attack violates (beyond confidentiality).[2 marks]

(a) What is the main difference between a block cipher and a stream cipher? (b) Give a formal definition of a block cipher. Your answer should make reference to the block size n. and the key size k. (c) In the context of a block cipher, explain what is meant by the following terms: (i) known plain text attack; (ii) chosen plain text attack; (iii) known cipher text attack. (d) To what extent are the three different attack models above realistic? Illustrate your answer with an example for each model. (e) You are given the task of selecting a block cipher to be used in an app that will run on smart phones. The block cipher will be used to encrypt users' passwords as they are sent from the phone to a remote server. Which block cipher would you choose for this purpose, and why?[4 marks] (f) Explain why modes of operation are usually needed when using block ciphers. (g) Define Counter (CTR) mode encryption. (h) Explain what the principal security requirement for using CTR mode is. Describe two different methods by which this requirement can be met, commenting briefly on any issues that may arise with each method. (i) CTR mode is vulnerable to "bit flipping" attacks. Explain, in general terms, what is meant by this statement, and which security property the attack violates (beyond confidentiality).[2 marks]

Congratulations! You have just been appointed as the new head of cryptographic engineering at softoo.com, an online retailer specialising in soft toys. Since its foundation in Surrey, five years ago, the company has grown to have an annual revenue in the billions and more than 100 million regular customers. The company is very proud of its green credentials, specialising in reducing and recycling toy packaging. You set about conducting an internal review of the company's cryptographic infras-tructure. You find that the company authenticates its customers to the website using a standard username/password approach, with MD5 hashes of the passwords being stored alongside usernames in a back-end database. The entire softoo.com site is served over http instead of https because your predecessor was concerned about the costs of supporting encryption. After recovering from the shock of realising that your predecessor was likely to have very limited knowledge of cryptographic security best practices, you decide to writea briefing note for the Chief Information Security Officer (CISO) of softoo.com. This note will describe the problems you've found, along with their likely security impacts and possible consequences for the business. It will also recommend remediations for these problems, including rationale for these recommendations. Your note will include timelines for implementing the remediations and any costs that you anticipate. Your task in this question is to produce the first draft of this note. Keep in mind that the CISO is smart, but cryptographically rusty, so your note will need to provide an appropriate level of detail for any solutions you propose.

(a) An Authenticated Encryption (AE) scheme consists of a triple of algorithms,(KGen, Enc, Dec). Describe the function of each of these algorithms and explain what is meant by the correctness of an AE scheme.[4 marks] (b) Security for AE schemes is defined in terms of the combination of two security notions: indistinguish ability under chosen plain text attacks (IND-CPA security), and integrity of cipher texts (INT-CTXT security). Give informal descriptions of these two notions, using diagrams to illustrate your answer if you wish. For both notions, state what it means for an AE scheme to be[8 marks]secure. (c) AE schemes can be built using generic composition of symmetric encryption schemes and MAC schemes. There are three principal methods for doing so, known as EtM,MtE and E&M. Briefly describe each of these three methods, and comment on their AE security when instantiated using an IND-CPA secure encryption scheme and a strongly unforgeable MAC scheme. In each case, justify your answer.[12 marks] (d) In applications, we are often interested in simultaneously providing confidentiality and integrity for some data but only integrity for other, associated data. An Authenticated Encryption with Associated Data (AEAD) scheme meets this goal. Define the syntax of an AEAD scheme and show how to extend the generic EtM construction of an AE scheme to obtain an AEAD scheme. Use a diagram to illustrate the second part of your answer.[6 marks] (e) Nonce-based AEAD is a further extension of the AEAD paradigm. Explain what is meant by nonce-based AEAD and why it is a good primitive to offer to software developers.[4 marks]

You've been head of cryptographic engineering at Orinoco Web Services (OWS) fora year now. OWS is a cloud service provider that started out as an online retailer specialising in soft toys, but which came to realise there was more money to be made from the cloud than in selling goods online. Still the company is very proud of its roots in Wimbledon, south-west London, and of its green credentials, specialising in reducing and recycling toy packaging.In the existing file storage service offered by OWS, customers store files in a standard Unix file format on OWS servers. There is a strict access control policy in place for these files, based on user accounts. These accounts can only be accessed over SS Husing public key authentication methods (no username/password access is allowed).Files can also be uploaded and downloaded using the SSH File Transfer Protocol (essentially, FTP running over SSH), using the same authentication mechanism. However,in the existing service, there is no further security applied for the data at rest: files are stored "in the clear" on OWS servers. Users are responsible for providing enhanced security if they want it. OWS has recently decided to offer its customers a secure version of its data storage service. Because OWS customers are not very good at looking after cryptographic keys, nor using cryptographic algorithms correctly, the decision has already been made to manage the keys on behalf of customers, and to provide "cryptography as a service".This means that customers should be provided with a simple interface to, for example,encrypt and decrypt files, without having to worry about keys, algorithms, or anything else too technical. The authentication mechanisms that are already in place will be extended to provide access control for all of the cryptographic services. The project is code-named TOMSK (Total Orinoco Management of Secure Keys). Which security services the system will offer (and why). Which cryptographic primitive(s) will be used to support these services (and why). • What specific algorithms will be employed (and why). • How any randomness, nonces or state needed in the cryptographic algorithms will be managed. How the system will manage customers' keys. (You may consider the use of specialised hardware to help with secure key storage, but the hardware is expensive and needs to be used sparingly, so some kind of key derivation may be necessary.) • What the overall key lifecycle will look like. • Where any sensitive cryptographic operations will be carried out. • What kind of Application Programming Interface (API) will be offered by the service. . How any potential availability or performance issues will be handled. • How potential compromises of the service will be handled. Additional credit may be given for coverage of further topics that relate directly to thecryptographic and key management aspects of the service.[34 marks]

Task 4. Using Miller-Rabin prove that 149 is a prime number for witnesses a + 3 and b +4, where a is the 3rd digit of your student code, b is the 4th digit of your student code.

Question 5: Explain the difference between authentication and access control. What are the three authentication mechanisms used to confirm author's identity? Give two advantages of each these authentication mechanisms. Which way, according to you, is the most secure way of user authentication?

(a) The ephemeral Diffie-Hellman Key Exchange (DHKE) protocol allows two parties to agree on keying material in the presence of an adversary. The protocol assumes the two parties already agreed on two primes p, q such that q divides p - 1 and a value> 1 such that of 1 mod n From this starting point, describe the remainder of the protocol, recalling that the ephemeral version of the protocol involves the exchange of fresh Diffie-Hellman values.[6 marks] (b) Assuming that the adversary is passive (i.e. acts only as an eavesdropper), identify the computational problem underlying the security of this protocol. How does it relate to the Discrete Logarithm Problem (DLP) in the given setting? [4 marks] (c) How large should p and q be so that the ephemeral DHKE protocol in your answer to Question 4(a) is secure against an adversary willing to expend an effort of 280 basic operations? What if the adversary is willing to expend an effort of 2128 basic operations? Justify your answers with reference to algorithms for solving the DLPin the given setting.[6 marks] (d) Discuss the security weaknesses of ephemeral DHKE in the situation where the adversary is an active party. (e) Explain how you might modify the ephemeral DHKE protocol to avoid the weak-nesses identified in your answer to Question 4(d).[4 marks] (f) The ElGamal Public key encryption (PKE) scheme is derived from the Diffie-Hellman key exchange algorithm. Describe the El Gamal algorithm, and the relationship be-tween DHKE and the EI Gamal PKE.[4 marks] (g) Public key encryption can also be used to establish keying material in the presence of an adversary. (i) Describe a simple protocol for achieving this. (ii) Compare and contrast the approaches based on PKE and ephemeral DHKE[4 marks]in terms of security and efficiency.

Question 1 (total of 6 marks) Critique the following statement: We achieve security by obscurity: by keeping our algorithms secret we obtain the best guarantee of security. Your answer should cover roughly half a page of A4 paper. (6 marks) (ps: You are strongly encouraged to answer this question using a word processing / typesetting program, e.g., LaTex, Word. Please avoid submitting it handwritten.)