# Cryptography I Coursera Quiz Answers – Networking Funda

## All Weeks Cryptography I Coursera Quiz Answers

Cryptography is an indispensable tool for protecting information in computer systems. In this course, you will learn the inner workings of cryptographic systems and how to correctly use them in real-world applications.

The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two parties generate a shared secret key.

Throughout the course, participants will be exposed to many exciting open problems in the field and work on fun (optional) programming projects. In a second course (Crypto II) we will cover more advanced cryptographic tasks such as zero-knowledge, privacy mechanisms, and other forms of encryption.

## Cryptography I Coursera Quiz Answers

### Week 1 – Problem Set

Q1. Data compression is often used in data storage and transmission. Suppose you want to use data compression in conjunction with encryption. Does it make more sense to:

• The order does not matter — either one is fine.
• The order does not matter — neither one will compress the data.
• Encrypt then compress.
• Compress then encrypt.

Q2. Let G:\{0,1\}^s \to \{0,1\}^nG:{0,1}s→{0,1}n be a secure PRG. Which of the following is a secure PRG (there is more than one correct answer):

• G'(k)=G(k⊕1^s) (here 1^s means 1s)
• G'(k1,k2)=G(k1)||G(k2) (here || denotes concatenation)
• G'(k)=reverse(G(k)), where reverse(x) reverses the string x so that the first bit of x is the last bit of reverse(x), the second bit of x is the second to last bit of reverse(x), and so on.

Q3. Let G:K \to \{0,1\}^nG:K→{0,1}n be a secure PRG.

Define G'(k_1,k_2) = G(k_1) \;\bigwedge\; G(k_2)G′(k1​,k2​)=G(k1​)⋀G(k2​) where \bigwedge⋀ is the bit-wise AND function. Consider the following statistical test AA on \{0,1\}^n{0,1}n:

A(x)A(x) outputs \text{LSB}(x)LSB(x), the least significant bit of xx.

You may assume that \text{LSB}(G(k))LSB(G(k)) is 0 for exactly half the seeds kk in KK.

Note: Please enter the advantage as a decimal between 0 and 1 with a leading 0. If the advantage is 3/4, you should enter it as 0.75.

Q4. Let (E,D)(E,D) be a (one-time) semantically secure cipher with keyspace K = \{0,1\}^\ellK={0,1}ℓ. A bank wishes to split a decryption key k \in \{0,1\}^\ellk∈{0,1}ℓ into two pieces p_1p1​ and p_2p2​ so that both are needed for decryption. The piece p_1p1​ can be given to one executive and p_2p2​ to another so that both must contribute their pieces for decryption to proceed.

The bank generates random k_1k1​ in \{0,1\}^\ell{0,1}ℓ and sets k_1′ \gets k \oplus k_1k1′​←kk1​. Note that k_1 \oplus k_1′ = kk1​⊕k1′​=k. The bank can give k_1k1​ to one executive and k_1′k1′​ to another. Both must be present for decryption to proceed since, by itself, each piece contains no information about the secret key kk (note that each piece is one-time pad encryption of kk).

Now, suppose the bank wants to split kk into three pieces p_1,p_2,p_3p1​,p2​,p3​ so that any two of the pieces enable decryption using kk. This ensures that even if one executive is out sick, decryption can still succeed. To do so the bank generates two random pairs (k_1,k_1′)(k1​,k1′​) and (k_2,k_2′)(k2​,k2′​) as in the previous paragraph so that k_1 \oplus k_1′ = k_2 \oplus k_2′ = kk1​⊕k1′​=k2​⊕k2′​=k.

How should the bank assign pieces so that any two pieces enable decryption using kk, but no single piece can decrypt?

• p1=(k1,k2), p2=(k1,k2), p3=(k2′)
• p1=(k1,k2), p2=(k1′,k2′), p3=(k2′)
• p1=(k1,k2), p2=(k1′,k2), p3=(k2′)
• p1=(k1,k2), p2=(k2,k2′), p3=(k2′)
• p1=(k1,k2), p2=(k1′), p3=(k2′)

Q5. Let M=C=K=\{0,1,2,\ldots,255\}M=C=K={0,1,2,…,255}

and consider the following cipher defined over (K,M,C)(K,M,C):

E(k,m) = m+k \pmod{256} \qquad;\qquad D(k,c) = c-k \pmod{256} \ .E(k,m)=m+k(mod256);D(k,c)=ck(mod256) .

Does this cipher have perfect secrecy?

• No, only the One Time Pad has perfect secrecy.
• No, there is a simple attack on this cipher.
• Yes.

Q6. Let (E,D)(E,D) be a (one-time) semantically secure cipher where the message and ciphertext space is \{0,1\}^n{0,1}n. Which of the following

encryption schemes are (one-time) semantically secure?

• E'(k, m)=E(0n, m)
• E'((k,k’), m)=E(k,m)||E(k’, m)
• E'(k,m)=E(k,m)||LSB(m)
• E'(k,m)=0||E(k,m) (i.e. prepend 0 to the ciphertext)
• E'(k,m)=E(k,m)||k
• E'(k,m)=reverse(E(k,m))

Q7. Suppose you are told that the one-time pad encryption of the message “attack at dawn” is 6c73d5240a948c86981bc294814d

(the plaintext letters are encoded as 8-bit ASCII and the given ciphertext is written in hex). What would be the one-time pad encryption of the message “attack at dusk” under the same OTP key?

• Ans: 6c73d5240a948c86981bc2808548L

Q8. The movie industry wants to protect digital content distributed on

DVDs. We develop a variant of a method used to protect Blu-ray disks called AACS.

Suppose there are at most a total of nn DVD players in the

world (e.g. n = 2^{32}n=232). We view these nn players as the leaves

of a binary tree of height \log_2{n}log2​n. Each node in this binary

tree contains an AES key k_iki​. These keys are kept secret from

consumers and are fixed for all time. At manufacturing time each DVD

player is assigned a serial number i \in [0, n − 1]i∈[0,n−1]. Consider the

set of nodes S_iSi​ along the path from the root to leaf number ii

in the binary tree. The manufacturer of the DVD player embeds in

player number ii the keys associated with the nodes in the

set S_iSi​. A DVD movie mm is encrypted as

E(k_{\text{root}},k) \big\| E(k,m)E(kroot​,k)∥∥∥​E(k,m)

where kk is a random AES key called a content-key and

k_{\text{root}}kroot​ is the key

associated with the root of the tree. Since all DVD players have the

key k_{\text{root}}kroot​ all players can decrypt the movie mm. We

refer to E(k_{\text{root}},k)E(kroot​,k) as the header and E(k,m)E(k,m) as the

body. In what follows the DVD header may contain multiple ciphertexts

where each ciphertext is the encryption of the content-key kk under

some key k_iki​ in the binary tree.

Suppose the keys embedded in DVD player number rr are exposed

by hackers and published on the Internet. In this problem we show that when the movie industry distributes a new

DVD movie, they can encrypt the contents of the DVD using a slightly

larger header (containing about \log_2 nlog2​n keys) so that all DVD

players, except for player number rr, can decrypt the movie. In

effect, the movie industry disables player number rr without

affecting other players.

As shown below, consider a tree with n=16n=16 leaves. Suppose the leaf node labeled 25 corresponds to an exposed DVD player key. Check the set of keys below under which to encrypt the key kk so that every player other

than player 25 can decrypt the DVD. Only four keys are needed.

• 26
• 1
• 11
• 23
• 17
• 6
• 16
• 0

Q9. Continuing with the previous question, if there are nn DVD players, what is the number of keys under which the content key kk must be encrypted if exactly one DVD player’s key needs to be revoked?

• n – 1
•  √n
•  n/2
•  2
•  log2n

10. Continuing with question 8, suppose the leaf nodes labeled 16, 18, and 25 correspond to exposed DVD player keys. Check the smallest set of keys under which to encrypt the key k so that every player other than players 16,18,25 can decrypt the DVD. Only six keys are needed.

• 26
• 17
• 29
• 0
• 11
• 4
• 15
• 6
• 1

### Week 2 – Problem Set

Q1. Consider the following five events:

1. Correctly guessing a random 128-bit AES key on the first try.
2. Winning a lottery with 1 million contestants (the probability is 1/10^6\ 1/106 ).
3. Winning a lottery with 1 million contestants 5 times in a row (the probability is (1/10^6)^5\ (1/106)5 ).
4. Winning a lottery with 1 million contestants 6 times in a row.
5. Winning a lottery with 1 million contestants 7 times in a row.

What is the order of these events from most likely to least likely?

• 2, 3, 4, 1, 5
• 2, 3, 1, 5, 4
• 3, 2, 5, 4, 1
• 2, 3, 5, 4, 1

Q2. Suppose that using commodity hardware it is possible to build a computer for about $200 that can brute force about 1 billion AES keys per second. Suppose an organization wants to run an exhaustive search for a single 128-bit AES key and was willing to spend 4 trillion dollars to buy these machines (this is more than the annual US federal budget). How long would it take the organization to brute force this single 128-bit AES key with these machines? Ignore additional costs such as power and maintenance.1 point • More than a week but less than a month • More than a month but less than a year • More than an hour but less than a day • More than a million years but less than a billion (10^9109) years • More than a billion (10^9109) years Q3. Let F:{0,1}n×{0,1}n→{0,1}n be a secure PRF (i.e. a PRF where the keyspace, input space, and output space are all {0,1}n) and say n=128. Which of the following is a secure PRF (there is more than one correct answer): • F′(k, x)={F(k,x) when x≠0n ; 0n otherwise • F′(k,x)=F(k,x)[0,…,n−2] (i.e., F′(k,x) drops the last bit of F(k,x)) • F′((k1,k2), x)=F(k1,x)||F(k2,x) (here || denotes concatenation) • F′(k, x)=k⨁x • F′(k,x)=F(k, x)⨁F(k, x⊕1n) • F′(k,x)=F(k, x⨁1n) Q4. Recall that the Luby-Rackoff theorem discussed in The Data Encryption Standard lecture states that applying a three-round Feistel network to a secure PRF gives a secure block cipher. Let’s see what goes wrong if we only use a two-round Feistel. Let F:K×{0,1}32)→{0,1}32) be a secure PRF Recall that a 2-round Feistel defines the following PRP F2:K2×{0,1}64)→{0,1}64): • On input 064 the output is “7b50baab 07640c3d”. On input 132032 the output is “ac343a22 cea46d60”. • On input 064 the output is “4af53267 1351e2e1”. On input 132032 the output is “87a40cfa 8dd39154”. • On input 064 the output is “5f67abaf 5210722b”. On input 132032 the output is “bbe033c0 0bc9330e”. • On input 064 the output is “9f970f4e 932330e4”. On input 132032 the output is “6068f0b1 b645c008”. ### Week 3 – Problem Set Q1. Any private-key encryption scheme that is CPA-secure must also be computationally indistinguishable: • True • False Q2. Any private-key encryption scheme that is CCA-secure must also be perfectly secret: • True • False Q3. Any private-key encryption scheme that is CCA-secure must also be CPA-secure: • True • False Q4. Let F be a block cipher with 128-bit block length. Consider the following encryption scheme for 256-bit messages: to encrypt message M=m1∥m2 using key k (where |m1|=|m2|=128), choose random 128-bit r and compute the ciphertext r∥Fk(r)⊕m1∥Fk(m1)⊕m2. Which strategy would lead to a valid chosen-plaintext attack? • Let m1 and m2 be arbitrary but distinct. Using the encryption oracle, obtain an encryption r∥c1∥c2 of m1∥m2. Output messages M0=m1∥m2 and M1=m2∥m1. Output 0 if the third block of the challenge ciphertext is c2. • There is no attack; this scheme is randomized, so it is CPA-secure. • Let m; and m2 be arbitrary but distinct. Using the encryption oracle, obtain an encryption rc1 C2 of m2 m2. Output messages Mo = m m , and M = m m2. Output o if the third block of the challenge ciphertext is cz. = mm. • Choose random r and let m be arbitrary but not equal to r. Output messages Mo = rm and M Output 0 if the second block of the challenge ciphertext is all-Os. Q5. Let F be a pseudorandom function with 128-bit key and 256-bit block length. The following functions G are pseudorandom generators: • G(x)=Fx(0…0), where x is a 128-bit input. • G(x)=Fx(0…0)∥Fx(1…1), where x is a 128-bit input. • G(x) = Fo…0(2)||F11(2), where r is a 256-bit input. • G(x) = F.0…0)||F:(1…1), where x is a 128-bit input. Q6) Define the keyed function F as follows: Fk(x)=k⊕x. Which of the following distinguishers demonstrates that F is not a pseudorandom function? • Given access to an oracle g, query y0=g(0…0) and y1=g(1…1). Then output 1 if and only if y0⊕y1=1…1. • Given access to an oracle g. query g(0…0). Then output 1 because we now have the key. • Given access to an oracle g. query y= g(0…0). Then output 1 if and only if the first bit of y is equal to 1. • Given access to an oracle g. query y = g(0…0) and y’ = g(0…0). Then output 1 if and only if y=y. Q7. Say we use CBC-mode encryption based on a block cipher with 256-bit key length and 128-bit block length to encrypt a 512-bit message. How long is the resulting ciphertext? • 640 bits • 512 bits • 768 bits • Not enough information to determine. Q8. Assume CTR-mode encryption with PKCS #5 padding and a block cipher with 8-byte block length. Say a 4-byte message is encrypted, resulting in ciphertext 0x00 01 02 03 04 05 06 07 00 01 02 03 04 05 06 07. Which of the following ciphertexts will NOT yield an error upon decryption? • 0x00 01 02 03 04 05 06 07 00 01 02 04 04 05 06 07 • 0x00 01 02 03 04 05 06 07 00 01 02 03 04 05 07 07 • 0x00 01 02 03 04 05 06 07 00 01 02 03 05 05 06 07 • Ox00 01 02 03 04 05 06 07 00 01 02 03 04 05 06 F7 Q9. Assume an honest user wants to send an 8-bit integer to their bank indicating how much money should be transferred to the bank account of an attacker. The user uses CTR-mode encryption based on a block cipher F with 8-bit block length. (Yes, this is a made-up example.) The attacker knows that the amount of money the user wants to transfer is exactly$16, and has compromised a router between the user and the back. The attacker receives the ciphertext 10111100 01100001 (in binary) from the user. What ciphertext should the attacker forward to the bank to initiate a transfer of exactly \$32? (Recall that CTR-mode decryption of a ciphertext c0,c1 using key k is done by outputting c1⊕Fk(c0+1).)

• 01100001 10111100
• 10001100 01100001
• 1011100 00100000
• 10111100 01010001

Q10. Let F be a block cipher with n-bit block length. Consider the following encryption scheme: to encrypt a message viewed as a sequence of n-bit blocks m1,m2,…,mt using a key k, choose a random n-bit value r and then output the ciphertext r,Fk(r+1+m1),Fk(r+2+m2),…,Fk(r+t+mt), where addition is done modulo 2n. Which of the following attackers demonstrates that this scheme is not computationally indistinguishable:

• Let m be an arbitrary n-bit block, and output M0=m,m and M1=m,m−1. Given challenge ciphertext r,c1,c2, output 1 if and only if c1=c2.
•  Choose random n-bit blocks m and m’, and output Mo = m,m and M T, C1, C2, output 1 if and only if c = 62.
•  Choose random n-bit blocks mi, m2, m3, 74, and output Mo = m, m2 and M:=m3, m. Given challenge ciphertext r, C1, C2, output o ifr=0…0, and output 1 otherwise.
•  Let m be an arbitrary n-bit block, and output Mo = m and M = m, m. Given a challenge ciphertext, output o if the challenge ciphertext contains 2 blocks, and output 1 otherwise.
##### Cryptography I Coursera Course Review:

In our experience, we suggest you enroll in the Cryptography I courses and gain some new skills from Professionals completely free and we assure you will be worth it.

Cryptography I course is available on Coursera for free, if you are stuck anywhere between quiz or graded assessment quiz, just visit Networking Funda to get cryptography I Coursera Quiz Answers.

##### Conclusion:

I hope this Cryptography I Quiz Answers would be useful for you to learn something new from this Course. If it helped you then don’t forget to bookmark our site for more Coursera Quiz Answers.

This course is intended for audiences of all experiences who are interested in learning about new skills in a business context; there are no prerequisite courses.

Keep Learning!

Find more quiz answers

All Coursera Quiz Answers

error: Content is protected !!