The following guidance apply to all questions. Specific guidance to each question are given
within the question.
• In all questions, marks are awarded for the quality of your discussion and justification of
your assumptions, choices, and conclusions.
• In some questions, you are expected to research your answers and to cite appropriate
external sources if required; it is not sufficient to use only the module notes. References
must be listed at the end of the document and do not count towards page limits.
• You may need to make assumptions about a business scenario or design in order to
propose solutions; this is acceptable provided any such assumptions are explicitly and
clearly stated, the assumptions are required for your analysis, and there is no evidence
contradicting the assumptions in the given material.
• Appropriate use of visual aids, e.g., figures and tables, is encouraged. Any such aids must
be closely relevant to the text and act as complementary material to make your writing
more reader-friendly. They must be of good quality and made by the student, i.e., not
digitally copied, e.g., screen captured, from other sources. They do not count towards
• The IEEE style of citation and referencing must be used to cite papers or other sources
• As standard in modern cryptography, all algorithms are of public knowledge.
• The provided arguments should be succinct and logical.
Page 2 of 8
Question 1: Hash & MAC Security (30 Marks)
In a certain network protocol, each datagram consists of a 256-bit header and a 256-bit payload.
An organisation decides to store hashed datagrams for analytic purposes. These hash values
need to be calculated on resource-limited devices that can only process data in 256-bit chunks.
Thankfully, the devices have hardware implementations of the following cryptographic algorithms:
• SHACAL, a block cipher with 256-bit keys, 256-bit input blocks, and 256-bit outputs, and
• H, a secure internal hash function with 256-bit inputs and 128-bit outputs.
Since the internal hash function H cannot process entire datagrams, it is necessary to design a
hashing method that can compute datagram hashes based on the internally implemented
algorithms. The engineers come up with the following designs for hashing datagrams:
Design A: Hash separately, then XOR, i.e.,
Hash(datagram) := H(header)⊕H(payload) .
Design B: Hash separately, then hash the concatenated results, i.e.,
Hash(datagram) := H( H(header) ‖ H(payload) ) .
Design C: Apply SHACAL to the payload (as input block) using the header as key, then XOR
the result with the header, i.e.,
Hash(datagram) := SHACALheader(payload)⊕ header .
In these deigns, ⊕ denotes the bit-wise exclusive-or operation and ‖ denotes string
concatenation. The designed datagram-hashing method is called Hash to distinguish it from the
internal hash function H.
(i) [5 Marks] The organisation needs to develop a program that looks at the stored datagram
hash values and for any two hashed datagrams reliably distinguishes if the original
datagrams were identical or not. Identify the security requirement on datagram hashing in
this case, and briefly justify your answer.
(ii) [12 Marks] Consider the three candidate designs A, B, and C above. For each design,
discuss whether or not it satisfies the security requirement identified in part (i). In each
case, provide a convincing argument or an attack to support your answer.
Page 3 of 8
Now assume that beside calculating datagram hash values, the devices are to transmit the
datagrams to a central monitoring platform over a public network. The devices apply a
message-authentication code MAC to hashed datagrams and send the following information to
the monitoring platform.
datagram, MACK( Hash(datagram) )
Assume that MAC is secure and the MAC key K is securely pre-shared between a device and
the monitoring platform. Since datagrams are not required to remain confidential, no encryption
is used, and the above information is sent in the clear over the network. Hence, the network
communication might be observed, blocked, or modified by third parties. The monitoring platform
performs MAC verification upon receiving any communication and only accepts the incoming
communication if MAC verification succeeds.
(iii) [5 Marks] The authenticity and integrity of the received communication are important to
the monitoring platform. In other words, the platform needs to make sure any
communication it accepts is indeed from the device and that the information has not been
tampered with in transit. Identify the security requirement on the MAC component for the
above protocol to provide authenticity and integrity guarantees. Briefly justify your answer.
(iv) [8 Marks] Consider Designs B and C only. For each design when used in the protocol
above, discuss if the required goals of authenticity and integrity are met. In each case,
provide a convincing argument or an attack to support your answer.
Your answer to this question must not exceed 2 sides of A4 in total.
Page 4 of 8
Question 2: Encryption at YorCrypt (30 Marks)
You were recently hired as a Cryptography Engineer at YorCrypt, a local start-up company who
are specialising in building solutions to secure IoT devices. You are interested in securing the
communication between two small, resource-constrained IoT devices. Your goal is to secure the
communication between two parties who have already shared a private key, for example via a
(i) [4 Marks] What cryptographic primitive should you implement to secure the communication
channel between the devices? What notion of security should this primitive achieve?
(ii) [8 Marks] A former colleague had recommended using AES-CBC (i.e., CBC with AES as
the underlying block cipher), and incrementing the IV by a constant value ∆ at each
invocation. The latter choice was made in order to save on random-number generation.
Thus in this construction initially a random IV is chosen; subsequently at each new
invocation, the IV is updated via IV← IV+ ∆ and then used in AES-CBC to encrypt data.
Show that this is not a sound design by presenting a chosen-plaintext attack. (The
encryption scheme keeps IV as an internal state so that it can increment it by ∆ at each
(iii) [5 Marks] After long discussions, the implementers at YorCrypt finally agreed to use fresh
random IVs at each invocation. Does AES-CBC with fresh random IVs provide an
adequate level of security? Briefly justify your answer.
(iv) [5 Marks] Since the implementers at YorCrypt have developed their own in-house
implementation of AES-CBC, they are reluctant to switch to another mode of operation.
How can you transform AES-CBC (without modifying its internals) to a scheme that
provides the levels of security required in practice, and as identified in part (i)?
(v) [8 Marks] Had YorCrypt originally hired you for the Cryptography Engineer position, which
off-the-shelf solution would you have recommended YorCrypt to use? Justify your answer
by discussing various parameters that need to be considered when choosing a
cryptographic solution for this setting. (Consider security, efficiency and other aspects in
comparison to modified AES-CBC in part (iv).)
Your answer to this question must not exceed 3 sides of A4 in total.
Page 5 of 8
Question 3: Digital Documents (20 Marks)
Consider the following scenario. Two law firms used to manually exchange signed contracts.
Now they are deciding to “go digital.” Their requirement is that any document sent from one firm
(say, firm A) to the other (say, firm B) needs to be legally binding; that is, in case of a dispute,
firm B should be able to prove to a court that a document has been sent to them from firm A in
its exact form. In other words, if firm A sends a document to firm B, then firm A should not be
able to later deny sending the document.
The firms are looking to adopt a cryptographic solution to satisfy their requirement. They were
advised to choose a (nationally or internationally) standardised solution. Due to the nature of the
documents, the firms require that the solution they adopt is secure for up to 5 years. The firms
are based in the United States and the European Union; hence they were advised to follow NIST
2020 and ECRYPT-CSA 2018 recommendations for security levels and key sizes.
(i) [4 Marks] Identify the security property required by the firms and the cryptographic
primitive (algorithm) that would provide this property.
(ii) [4 Marks] Propose a standardised scheme to be adopted by the firms, citing the specific
standard recommending the algorithm.
(iii) [8 Marks] Considering the duration requirement of the firms, recommend a level of security
for the firms that satisfies both the NIST 2020 and ECRYPT-CSA 2018 recommendations,
and briefly justify your answer. Determine the recommended key sizes and hash digest
lengths for the algorithm proposed in part (ii).
(iv) [4 Marks] Considering the proposed solution, explain what preparations need to be made
in terms of generating and sharing cryptographic information between the two firms before
the proposed algorithm can be used for exchanging documents.
Your answer to this question must not exceed 2 sides of A4 in total. This does not include code
and any further supplementary information presented in appendices.
NIST stands for National Institute of Standards and Technology, and ECRYPT-CSA stands for
European Network of Excellence for Cryptology – Coordination & Support Action.
Page 6 of 8
NIST 2020 recommendations refer to: Recommendation for Key Management, Special
Publication 800-57, Part 1, Revision 5, NIST, May 2020.
ECRYPT-CSA 2018 recommendations refer to: Algorithms, Key Size and Protocols Report
(2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, February 2018.
Page 7 of 8
Question 4: Weak Keys in the Wild (20 Marks)
Read the following papers and write a summary of your understanding.
• “Ron was wrong, Whit is right” by Lenstra et al. presented at Crypto 2012.
Available at: https://eprint.iacr.org/2012/064.pdf
• “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” by
Heninger et al. presented at USENIX Security 2012.
Available at: https://factorable.net/weakkeys12.extended.pdf
Your summary must cover at least the following topics: some of the main vulnerabilities
discussed in these papers, the original cause(s) of these vulnerabilities, the security
consequences of these vulnerabilities, some of the main findings of the above papers in their
surveys of keys in the wild, some of the main lessons from these works for you as a future
Your answer to this question must not exceed 2 sides of A4 in total.
Good marks will be given to well-structured summaries that provide reasonable coverage and
demonstrate a good overall understanding of the vulnerabilities, their causes and consequences,
and practical lessons learned. You do not need to understand all the technical details such as
the mathematics of the more sophisticated attacks.
End of examination paper