Consider that we train a regression model and run Best Subset selection to obtain a model
(a) What is the main difference between a block cipher and a stream cipher? (b) Give a formal definition of a block cipher. Your answer should make reference to the block size n and the key size k. (c) In the context of a block cipher, explain what is meant by the following terms: (i) known plaintext attack; (ii) chosen plaintext attack; (iii) known ciphertext attack. (d) To what extent are the three different attack models above realistic? Illustrate your answer with an example for each model. (e) You are given the task of selecting a block cipher to be used in an app that will run on smart phones. The block cipher will be used to encrypt users' passwords as they are sent from the phone to a remote server. Which block cipher would you choose for this purpose, and why? [4 marks] (f) Explain why modes of operation are usually needed when using block ciphers. (g) Define Counter (CTR) mode encryption. (h) Explain what the principal security requirement for using CTR mode is. Describe two different methods by which this requirement can be met, commenting briefly on any issues that may arise with each method. (i) CTR mode is vulnerable to "bit flipping" attacks. Explain, in general terms, what is meant by this statement, and which security property the attack violates (beyond confidentiality). [2 marks]
Congratulations! You have just been appointed as the new head of cryptographic engineering at softoo.com, an online retailer specialising in soft toys. Since its foundation in Surrey, five years ago, the company has grown to have an annual revenue in the billions and more than 100 million regular customers. The company is very proud of its green credentials, specialising in reducing and recycling toy packaging. You set about conducting an internal review of the company's cryptographic infrastructure. You find that the company authenticates its customers to the website using a standard username/password approach, with MD5 hashes of the passwords being stored alongside usernames in a back-end database. The entire softoo.com site is served over http instead of https because your predecessor was concerned about the costs of supporting encryption. After recovering from the shock of realising that your predecessor was likely to have very limited knowledge of cryptographic security best practices, you decide to write a briefing note for the Chief Information Security Officer (CISO) of softoo.com. This note will describe the problems you've found, along with their likely security impacts and possible consequences for the business. It will also recommend remediations for these problems, including rationale for these recommendations. Your note will include timelines for implementing the remediations and any costs that you anticipate. Your task in this question is to produce the first draft of this note. Keep in mind that the CISO is smart, but cryptographically rusty, so your note will need to provide an appropriate level of detail for any solutions you propose.
(a) An Authenticated Encryption (AE) scheme consists of a triple of algorithms, (KGen, Enc, Dec). Describe the function of each of these algorithms and explain what is meant by the correctness of an AE scheme. [4 marks] (b) Security for AE schemes is defined in terms of the combination of two security notions: indistinguishability under chosen plaintext attacks (IND-CPA security), and integrity of ciphertexts (INT-CTXT security). Give informal descriptions of these two notions, using diagrams to illustrate your answer if you wish. For both notions, state what it means for an AE scheme to be secure. [8 marks] (c) AE schemes can be built using generic composition of symmetric encryption schemes and MAC schemes. There are three principal methods for doing so, known as EtM, MtE and E&M. Briefly describe each of these three methods, and comment on their AE security when instantiated using an IND-CPA secure encryption scheme and a strongly unforgeable MAC scheme. In each case, justify your answer. [12 marks] (d) In applications, we are often interested in simultaneously providing confidentiality and integrity for some data but only integrity for other, associated data. An Authenticated Encryption with Associated Data (AEAD) scheme meets this goal. Define the syntax of an AEAD scheme and show how to extend the generic EtM construction of an AE scheme to obtain an AEAD scheme. Use a diagram to illustrate the second part of your answer. [6 marks] (e) Nonce-based AEAD is a further extension of the AEAD paradigm. Explain what is meant by nonce-based AEAD and why it is a good primitive to offer to software developers. [4 marks]
You've been head of cryptographic engineering at Orinoco Web Services (OWS) for a year now. OWS is a cloud service provider that started out as an online retailer specialising in soft toys, but which came to realise there was more money to be made from the cloud than in selling goods online. Still the company is very proud of its roots in Wimbledon, south-west London, and of its green credentials, specialising in reducing and recycling toy packaging. In the existing file storage service offered by OWS, customers store files in a standard Unix file format on OWS servers. There is a strict access control policy in place for these files, based on user accounts. These accounts can only be accessed over SSH using public key authentication methods (no username/password access is allowed). Files can also be uploaded and downloaded using the SSH File Transfer Protocol (essentially, FTP running over SSH), using the same authentication mechanism. However, in the existing service, there is no further security applied for the data at rest: files are stored "in the clear" on OWS servers. Users are responsible for providing enhanced security if they want it. OWS has recently decided to offer its customers a secure version of its data storage service. Because OWS customers are not very good at looking after cryptographic keys, nor using cryptographic algorithms correctly, the decision has already been made to manage the keys on behalf of customers, and to provide "cryptography as a service". This means that customers should be provided with a simple interface to, for example, encrypt and decrypt files, without having to worry about keys, algorithms, or anything else too technical. The authentication mechanisms that are already in place will be extended to provide access control for all of the cryptographic services. The project is code-named TOMSK (Total Orinoco Management of Secure Keys).
• Which security services the system will offer (and why).
• Which cryptographic primitive(s) will be used to support these services (and why).
• What specific algorithms will be employed (and why).
• How any randomness, nonces or state needed in the cryptographic algorithms will be managed.
• How the system will manage customers' keys. (You may consider the use of specialised hardware to help with secure key storage, but the hardware is expensive and needs to be used sparingly, so some kind of key derivation may be necessary.)
• What the overall key lifecycle will look like.
• Where any sensitive cryptographic operations will be carried out.
• What kind of Application Programming Interface (API) will be offered by the service.
• How any potential availability or performance issues will be handled.
• How potential compromises of the service will be handled.
Additional credit may be given for coverage of further topics that relate directly to the cryptographic and key management aspects of the service. [34 marks]
(a) A public key encryption (PKE) scheme consists of a triple of algorithms (KGen, Enc, Dec). Describe the function of each of these algorithms and explain what is meant by the correctness of a PKE scheme. [4 marks] (b) The standard notion of security for a PKE scheme is indistinguishability under chosen ciphertext attack, or IND-CCA for short. Give an informal description of this security notion and explain why it is important in practice that a PKE scheme should meet it. You may use a diagram to illustrate your answer. [6 marks] (c) The naïve RSA-based encryption scheme has ciphertexts C in which C = M^e mod N. Here M is a message interpreted as a number between 0 and N−1; (N, e) is the public encryption key; d is the private decryption key; and N = pq is an RSA modulus, that is, a product of two large primes p and q. (i) Describe the algorithm Dec for this scheme. (ii) Explain why, if an attacker can factorise N, he can then efficiently recover the private decryption key d. Illustrate your answer for N = 15 and e = 3. [4 marks] (iii) What bit-size should p, q, and N have in order to make the cost of factorisation on the order of 2^80 operations? Justify your answer. [3 marks] (d) The naïve RSA-based encryption scheme is usually replaced with one that uses randomised encoding before application of the RSA encryption operation. Explain why. [4 marks] (e) Consider the following RSA-based encryption algorithm for encrypting 256-bit messages m: suppose N has n > 257 bits. We place m as the least significant 256 bits of M, and fill up the next (n−1) − 256 bits of M with a random bit-string R. Thus, M has n − 1 bits and (thinking of M as a bit-string with most significant bits on the left), we have M = R||m. We then interpret M as an integer in the usual way and compute C = M^e mod N as in naïve RSA. (i) Describe a suitable decryption algorithm for this scheme.
(ii) Explain why the most significant bit of M is equal to 0 with probability 1/2. [1 mark] (iii) Suppose C* is a ciphertext encrypting some unknown 256-bit message m*. Using a decryption oracle, show how to recover 255 bits of m* with probability 1/2. You are not permitted to query C* itself to the decryption oracle. [4 marks] (f) Suppose the same RSA key-pair is used for both naïve RSA-based encryption and for creating Full-Domain Hash RSA signatures (in which = H (m) mod N). Suppose further that an attacker has a decryption oracle for the encryption scheme. What impact, if any, does this have on the security of the signature scheme? Justify your answer. [4 marks]
Task 4. Using Miller-Rabin, prove that 149 is a prime number for witnesses a + 3 and b + 4, where a is the 3rd digit of your student code and b is the 4th digit of your student code.
Question 5: Explain the difference between authentication and access control. What are the three authentication mechanisms used to confirm author's identity? Give two advantages of each of these authentication mechanisms. Which way, according to you, is the most secure way of user authentication?
Question 1 (total of 6 marks) Critique the following statement: "We achieve security by obscurity: by keeping our algorithms secret we obtain the best guarantee of security." Your answer should cover roughly half a page of A4 paper. (6 marks) (PS: You are strongly encouraged to answer this question using a word processing / typesetting program, e.g., LaTeX, Word. Please avoid submitting it handwritten.)