
Cryptography Foundations Check

Covers: one-way-functions, symmetric-encryption, hash-functions, macs, public-key-crypto, digital-signatures, tls-handshake

You design a system where users commit to a bid by publishing f(bid). Later they reveal the bid and everyone verifies f(bid) matches. An attacker wants to find the bid from f(bid) before the reveal. Which property of f makes this scheme secure?
The commitment scheme relies on the one-way property: given f(bid), an attacker cannot feasibly recover bid. A trapdoor function would weaken the scheme, since whoever holds the trapdoor can invert it. Symmetric encryption would require key management the scheme does not describe. Bijectivity alone says nothing about computational difficulty. One caveat matters in practice: one-wayness only protects inputs with enough entropy, and bids are usually small numbers, so an attacker can compute f(b) for every plausible b and compare against the published value. Real commitment schemes hash the bid together with a long random nonce that is revealed alongside the bid (hiding), and they also need collision resistance so the bidder cannot later open the commitment to a different bid (binding).
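The following is an added example, not code from the original page: a hash-based commit/reveal/verify round in Go using SHA-256, with a constructed sealed-bid scenario. It also shows the weakness the caveat above describes, by brute-forcing a nonce-less commitment over a small bid range. The nonce length, the `nonce || bid` encoding and the bid range are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// nonceLen is the size of the random value mixed into each commitment.
// 32 bytes makes guessing the nonce infeasible, so an attacker cannot
// brute-force small bids by trying every (bid, nonce) pair.
const nonceLen = 32

// commitWith computes C = SHA-256(nonce || bid). With nonce == nil it is the
// bare f(bid) construction from the question, kept here to show its weakness.
func commitWith(bid uint64, nonce []byte) [32]byte {
	var bidBytes [8]byte
	binary.BigEndian.PutUint64(bidBytes[:], bid)
	h := sha256.New()
	h.Write(nonce)
	h.Write(bidBytes[:])
	var c [32]byte
	copy(c[:], h.Sum(nil))
	return c
}

// commit is what the bidder publishes. The nonce stays secret until the reveal.
func commit(bid uint64) (commitment [32]byte, nonce []byte, err error) {
	nonce = make([]byte, nonceLen)
	if _, err = rand.Read(nonce); err != nil {
		return commitment, nil, err
	}
	return commitWith(bid, nonce), nonce, nil
}

// verify is what everyone runs at reveal time: recompute and compare.
// Binding (the bidder cannot open C to a different bid) rests on SHA-256
// being collision resistant; hiding rests on one-wayness plus the nonce.
func verify(commitment [32]byte, bid uint64, nonce []byte) bool {
	got := commitWith(bid, nonce)
	return subtle.ConstantTimeCompare(got[:], commitment[:]) == 1
}

// bruteForceUnsalted attacks a nonce-less commitment by trying every bid up
// to maxBid. One-wayness does not help when the input space is this small.
func bruteForceUnsalted(commitment [32]byte, maxBid uint64) (uint64, bool) {
	for b := uint64(0); b <= maxBid; b++ {
		if commitWith(b, nil) == commitment {
			return b, true
		}
	}
	return 0, false
}

func main() {
	// Constructed sample: a sealed-bid auction with bids below 10,000.
	const secretBid = 4200
	c, nonce, err := commit(secretBid)
	if err != nil {
		panic(err)
	}
	fmt.Printf("published commitment: %x\n", c)
	fmt.Println("reveal verifies:", verify(c, secretBid, nonce))
	fmt.Println("wrong bid rejected:", !verify(c, secretBid+1, nonce))

	// The same bid committed without a nonce falls to a trivial search.
	bare := commitWith(secretBid, nil)
	found, ok := bruteForceUnsalted(bare, 10000)
	fmt.Printf("unsalted commitment recovered: %v (bid=%d)\n", ok, found)
}
```

The nonce must be generated with a cryptographic RNG and kept private until the reveal; publishing it early, or deriving it from the bid, collapses the scheme back to the brute-forceable f(bid).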
A developer encrypts user profile images with AES in ECB mode. Each 16-byte block is encrypted independently. Why is this a problem?
ECB encrypts each block independently under the same key, so identical plaintext blocks yield identical ciphertext blocks. For structured data such as images this preserves visual patterns, the classic "ECB penguin" problem. The other common objections do not apply: ECB parallelizes well, uses no nonce or IV, and handles any binary data. The fix is a mode such as CBC or CTR that chains blocks or varies the keystream per block, with a fresh unpredictable IV (CBC) or a never-reused nonce (CTR) for every message; in practice an AEAD mode such as AES-GCM, which also authenticates the data, is the better default.
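As an added example, not part of the original page, the Go program below encrypts a constructed stand-in for a bitmap (rows of all-black or all-white pixels) under ECB and under CBC and counts the distinct ciphertext blocks. Go's standard library deliberately offers no ECB mode, so the ECB loop is written by hand; the sample "image", the key and the absence of padding are this example's simplifications.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt applies the raw block cipher to each 16-byte block on its own.
// This loop is exactly what ECB is. pt must be a whole number of blocks
// (padding is out of scope for this example).
func ecbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return out
}

// cbcEncrypt chains blocks: each plaintext block is XORed with the previous
// ciphertext block before encryption, so repeated rows no longer line up.
func cbcEncrypt(key, iv, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, pt)
	return out
}

// distinctBlocks counts how many different 16-byte ciphertext blocks appear.
// Under ECB this equals the number of distinct plaintext blocks: the pattern leaks.
func distinctBlocks(ct []byte) int {
	seen := make(map[[aes.BlockSize]byte]struct{})
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:i+aes.BlockSize])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// sampleImage builds a constructed stand-in for a bitmap: eight rows of 16
// pixels, alternating all black (0x00) and all white (0xFF).
func sampleImage() []byte {
	rows := []byte{0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF, 0x00, 0xFF}
	img := make([]byte, 0, len(rows)*aes.BlockSize)
	for _, v := range rows {
		for j := 0; j < aes.BlockSize; j++ {
			img = append(img, v)
		}
	}
	return img
}

func main() {
	key := make([]byte, 16)
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	img := sampleImage()
	fmt.Println("plaintext blocks:", len(img)/aes.BlockSize, "distinct:", distinctBlocks(img))
	fmt.Println("ECB distinct ciphertext blocks:", distinctBlocks(ecbEncrypt(key, img)))
	fmt.Println("CBC distinct ciphertext blocks:", distinctBlocks(cbcEncrypt(key, iv, img)))
}
```

ECB yields only two distinct ciphertext blocks for this input, one per pixel colour, so the stripe pattern is visible without the key; CBC yields eight. ECB is also deterministic across messages, which is the same leak at the level of whole files.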
A system stores password hashes. An attacker finds two different passwords that produce the same hash. Which hash function property has been broken?
Finding any two distinct inputs that hash to the same value is a collision attack, so collision resistance is the property that has been broken. Preimage resistance means recovering some input from a given hash. Second preimage resistance means that, given a specific input, the attacker finds a different input with the same hash; that is a harder task than a free collision because one of the two inputs is fixed. The scenario describes a free collision: the attacker chose both inputs. Note that for password storage a collision is rarely useful in practice, since the attacker does not get to choose the victim's password; what protects stored passwords is preimage resistance together with a slow, salted password hash such as bcrypt, scrypt or Argon2.
An IoT device encrypts sensor readings with AES-CTR and sends them to a server. An attacker intercepts a ciphertext, flips specific bits, and forwards the modified ciphertext. The server decrypts it without error but gets wrong data. What is missing?
AES-CTR provides confidentiality but no integrity protection. CTR turns AES into a stream cipher: the ciphertext is plaintext XOR keystream, so flipping a ciphertext bit flips exactly the corresponding plaintext bit. An attacker who knows or can guess the plaintext at a given offset can therefore rewrite it to a chosen value without knowing the key. Adding a MAC over the nonce and ciphertext (encrypt-then-MAC, verified before decryption) or using an AEAD mode such as AES-GCM lets the receiver reject tampered messages before acting on the decrypted data.
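The attack and the fix, as an added example in Go rather than code from the original page. It encrypts a constructed sensor reading under AES-CTR, forges the ciphertext so that `temp=21` decrypts as `temp=99` without touching the key, then shows an encrypt-then-MAC receiver (HMAC-SHA256 over nonce and ciphertext) rejecting the forgery. The message format, keys and offsets are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ctrXor runs AES-CTR; the same call encrypts and decrypts because CTR is
// just plaintext XOR keystream. nonce must be 16 bytes and never reused
// with the same key.
func ctrXor(key, nonce, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, nonce).XORKeyStream(out, in)
	return out
}

// tamper is the attacker's move: knowing (or guessing) that plaintext bytes
// `known` sit at `offset`, XOR in known^want so they decrypt to `want`.
// No key is needed, because ct ^ known ^ want = keystream ^ want.
func tamper(ct []byte, offset int, known, want []byte) []byte {
	forged := append([]byte(nil), ct...)
	for i := range known {
		forged[offset+i] ^= known[i] ^ want[i]
	}
	return forged
}

// tag computes HMAC-SHA256 over nonce || ciphertext (encrypt-then-MAC).
// Covering the nonce stops an attacker from swapping it for another one.
func tag(macKey, nonce, ct []byte) []byte {
	h := hmac.New(sha256.New, macKey)
	h.Write(nonce)
	h.Write(ct)
	return h.Sum(nil)
}

// openAuthenticated is the fixed receiver: verify the tag in constant time
// and only then decrypt. Anything tampered is rejected before use.
func openAuthenticated(encKey, macKey, nonce, ct, expected []byte) ([]byte, bool) {
	if !hmac.Equal(tag(macKey, nonce, ct), expected) {
		return nil, false
	}
	return ctrXor(encKey, nonce, ct), true
}

func main() {
	encKey := make([]byte, 16)
	macKey := make([]byte, 32)
	nonce := make([]byte, aes.BlockSize)
	for _, b := range [][]byte{encKey, macKey, nonce} {
		if _, err := rand.Read(b); err != nil {
			panic(err)
		}
	}

	// Constructed sensor message; the attacker knows its fixed format.
	reading := []byte("temp=21C,valve=closed")
	ct := ctrXor(encKey, nonce, reading)

	// Naive receiver: decrypts the forged ciphertext without complaint.
	forged := tamper(ct, 5, []byte("21"), []byte("99"))
	fmt.Printf("naive receiver got: %q\n", ctrXor(encKey, nonce, forged))

	// Authenticated receiver: the forgery fails the MAC, the original passes.
	mac := tag(macKey, nonce, ct)
	_, ok := openAuthenticated(encKey, macKey, nonce, forged, mac)
	fmt.Println("forgery accepted:", ok)
	pt, ok := openAuthenticated(encKey, macKey, nonce, ct, mac)
	fmt.Printf("genuine accepted: %v, plaintext %q\n", ok, pt)
}
```

Two details matter in the receiver: the MAC is checked with `hmac.Equal` (constant time) to avoid leaking tag bytes through timing, and the MAC key is separate from the encryption key. AES-GCM packages the same guarantees into one primitive and is the simpler choice for new designs.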
During a TLS 1.3 handshake, the client and server perform an ephemeral Diffie-Hellman key exchange even though the server has a long-lived RSA key pair. Why use ephemeral keys instead of just encrypting a session key with the server's RSA public key?
Forward secrecy means that compromising a long-lived key does not expose past session keys. With ephemeral Diffie-Hellman each session generates a fresh key pair that is discarded after use; the long-lived key is used only to sign the handshake, so the client knows which server it is talking to. Even if the server's RSA key is later stolen, an attacker who recorded the traffic cannot decrypt it, because the ephemeral private keys no longer exist. With RSA key transport, by contrast, the session key is encrypted under the server's public key, so a stolen private key decrypts every recorded session. This is why TLS 1.3 mandates (EC)DHE key exchange and removed static RSA key transport entirely.
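To make the split between the long-lived key and the per-session keys concrete, here is an added example in Go (not code from the original page, and not a TLS implementation): an ephemeral X25519 exchange where the server's long-lived Ed25519 key only signs the transcript of both key shares. It assumes Go 1.20 or newer for `crypto/ecdh`, uses a plain SHA-256 hash in place of TLS's HKDF key schedule, and uses Ed25519 rather than the RSA identity key from the question; the transcript label is this example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// serverIdentity is the server's long-lived key pair. It only ever signs;
// it never encrypts session keys, so stealing it later reveals nothing
// about sessions that already happened.
type serverIdentity struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newServerIdentity() (serverIdentity, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return serverIdentity{pub, priv}, err
}

// transcript binds both key shares together so a signature cannot be
// replayed against a different client share.
func transcript(clientShare, serverShare []byte) []byte {
	return append(append([]byte("ecdhe-demo:"), clientShare...), serverShare...)
}

// signShare is the only thing the long-lived key does in the handshake.
func signShare(id serverIdentity, tr []byte) []byte {
	return ed25519.Sign(id.priv, tr)
}

// clientCheckServerShare is the client's gate: trust the ephemeral share only
// if the long-lived identity key signed the full transcript.
func clientCheckServerShare(serverPub ed25519.PublicKey, tr, sig []byte) bool {
	return ed25519.Verify(serverPub, tr, sig)
}

// deriveSessionKey stands in for TLS's HKDF-based key schedule (simplified).
func deriveSessionKey(shared, tr []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(tr)
	return h.Sum(nil)
}

// handshake runs one ephemeral X25519 exchange authenticated by the server's
// long-lived signature and returns the session key each side derived.
func handshake(id serverIdentity) (clientKey, serverKey []byte, err error) {
	curve := ecdh.X25519()

	// ClientHello: a brand-new key share for this session only.
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// ServerHello: its own fresh share, plus a signature under the identity key.
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tr := transcript(clientEph.PublicKey().Bytes(), serverEph.PublicKey().Bytes())
	sig := signShare(id, tr)

	// The client authenticates the server before using its share.
	if !clientCheckServerShare(id.pub, tr, sig) {
		return nil, nil, fmt.Errorf("server signature invalid")
	}

	// Both sides reach the same shared secret from their own private share.
	clientShared, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	serverShared, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, err
	}
	clientKey = deriveSessionKey(clientShared, tr)
	serverKey = deriveSessionKey(serverShared, tr)

	// clientEph and serverEph go out of scope here and are never stored.
	// id.priv on its own cannot reproduce clientShared or serverShared.
	return clientKey, serverKey, nil
}

func main() {
	id, err := newServerIdentity()
	if err != nil {
		panic(err)
	}
	k1c, k1s, err := handshake(id)
	if err != nil {
		panic(err)
	}
	k2c, _, err := handshake(id)
	if err != nil {
		panic(err)
	}
	fmt.Println("client and server agree:", bytes.Equal(k1c, k1s))
	fmt.Println("second session has a different key:", !bytes.Equal(k1c, k2c))
}
```

Notice what the identity key touches: only the transcript, never the shared secret. An attacker holding a packet capture and, later, `id.priv` can forge future handshakes but has nothing to decrypt the recorded ones with, which is exactly the forward-secrecy property. The signature over both shares is also what stops an in-path attacker from substituting their own ephemeral share.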