--------------------------- NP-Completeness: Background --------------------------- Problem 0. Find the smallest 3CNF formula phi such that phi is NOT (Nov 7) satisfiable. Prove that this is the smallest such formula. Problem 1. Suppose I give you black box that solves the (Nov 13) 3SAT decision problem. Give an algorithm (that uses this black box) to find a satisfying formula to an input formula phi. How many calls to the black box do you need? Problem 2. Specify a TM that, when started on a blank tape, visits (Nov 14) every single tape cell. (Assume a two-way infinite tape.) --------------------------- NP-Completeness: Reductions --------------------------- Problem 3. Show that the following problem is NP-complete: (Nov 21) SAT2 Instance: A Boolean formula phi Question: Does phi have at least two different satisfying assignments? Problem 4. Show that HC-undirected < HC-directed (Nov 21) (Hamiltonian cycle problem for undirected graphs, and Hamiltonian cycle problem for directed graphs) Problem 5. Show that HC-directed < HC-undirected. (Nov 21) Problem 6. Show that G3C < 3SAT. (Show this directly -- don't use (Nov 28) the Cook-Levin theorem.) Problem 7. Show that the following problem is NP-Complete using a (Nov 28) reduction from 3SAT. INTERSECT Instance: Numbers k,n,m and subsets A_1, ..., A_n, B_1, ..., B_m of the universe U = {1, 2, ..., k} Question: Is there a set T such that | T intersect A_i | >= 1 for all i=1,2,...,n, and | T intersect B_i | <= 1 for all i=1,2,...,m Problem 8. Show that the following problem is NP-complete: (Nov 28) SPLIT Instance: k,n and a subsets C_1, .., C_n of U = {1,...,k} Question: Can you color the points of U red-or-blue so that no C_i has all of its elements colored the same color? Problem 9. Refer to Problem 5. Several students gave reductions in (Nov 29) which each vertex x is split into vertices (x',x''), an edge {x,x'} is added, and then an edge {x'',y'} is added for each directed edge (x,y). Show that this reduction does NOT work. Problem 10. Show tha the following problem, PICTURE, is NP-Complete. (Dec 12) You may use the NP-Completeness of any problem that you know: 3SAT, HC, CLIQUE, SUBSET SUM, VC, TSP. Instance: A "picture" of made up of line segments, and a set of (wooden) matches, each match i having some length L_i. -- /\ - eg: | \ -------- | |------ -- | | | ------ ----------- ------ picture matches Question: Can you draw the picture using your matches? (Note: you may not lay one match on top of another; they can only touch at a single point. It is ok if you have unused matches. You may not break a match to make it shorter.) ------------ Cryptography ------------ Problem 11. Implement the Rijndael block cipher (forward direction only) (Jan 8) for a keysize of 128 and a blocksize of 128. Your code takes a 16-byte key and a 16-byte plaintext and returns a 16-byte ciphertext. Optimize your code to minimize the size of the executable image: in particular, your implementation may use no large tables (a 256-byte table for the S-box is is fine, as is a 11*16=176 byte table of subkeys). Implement by directly following the Rijndael spec. You are forbidden to make use in your code of any existing implementations of Rijndael that you find on the Web. Show me that your code works by having your code compute AES_K(M) where K=M=0x0123456789abcdef0123456789abcdef Problem 12. [Probability practice] Alice roles a fair die ({1,2,3,4,5,6} (Jan 15) are equally likely) and Bob rolls an "irregular" die: {1,3,4,5,6,7}. What is the probability that Alice rolls a bigger number? Problem 13. [Probability practice] Consider the following game: (Jan 15) flip a fair coin until you have gotten at least one head and at least one tail. Then stop. Let X be the number of coin flips you use in this game. Calculate: (a) The probability that X=3: Pr[X = 3] (b) The expected value of X: E[X] Problem 14. [Probability practice] An "irregular die" has arbitrary numbers (Jan 15) {a1, a2, a3, a4, a5, a6} on it. Say that irregular die A is greater than irregular die B (write A > B) if Pr[(a random element of A) > (a random element of B)] > 1/2. Design three die, A, B, C, such that A>B, B>C, C>A. Show your calculations. Problem 15. [Advantage] Consider the following block cipher on 2 bits: (Jan 18) key 1: 0 1 2 3 key 2: 3 0 1 2 key 3: 2 3 0 1 key 4: 1 2 3 0 key 5: 0 3 2 1 key 6: 1 0 3 2 key 7: 2 1 0 3 key 8: 3 2 1 0 Compute the maximal advantage an adversary can get: with 1 query (easy); with 4 queries (easy); and with 2 queries (harder). Problem 16. Design a block cipher E: {0,1}^128 x {0,1}^128 -> {0,1}^128 (Jan 18) which is provably secure (up to a large number of queries) against non-adaptive adversaries, but is completely insecure (even for two queries) against an adaptive adversary. (A non-adaptive adversary readies all her questions M_1, ..., M_q in advance, and gets back E_K(M_1), ..., E_K(M_q). An adaptive adversary is the sort we defined in class: each query may depend on prior answers.) Problem 17. There are four people in a room. Each was born on a random (Jan 23) day of the week. What is the probability that two (or more) of the people were born on the same day? Problem 18. Consider the following variant of our definition, suggested by (Feb 2) Ron Rivest: Let Pi=(K,E,D) be a (probabilistic, symmetric) encryption scheme, and let A be an adversary. Define rr2 Adv (A) = Pr [ k <- K; A^{E_K(.), E_K(.)} = 1] - Pi Pr [ k <- K; A^{E_K(.), E_K($^|.|)} = 1] Show that this notion is essentially equivalent to Adv_pi^rr; namely, given an adversary that does well in one of these sense, that adversary can be turned into an adversary that does well in another one of these sense. Problem 19. Let N = 419 * 449. For this group, what's the smallest (Feb 5) possible RSA encryption exponent e? Find its corresponding decryption exponent d. Problem 20. Compute 7^22 mod 23. Your method should be as efficient (Feb 5) as you can make it. Show your work. Problem 21. We showed that in RSA Digital Signatures produced according (Feb 10) to PCKS #1, fixed padding (FF...FF) is used. For encryption, random padding was used. Try to explain why, for digital signatures, fixed padding makes more sense than random padding. Problem 22. Let M be a message which is a positive number of n-bit blocks, (Feb 13) M= M[1]... M[m]. Consider authenticating M by applying the basic CBC MAC and then xoring an additional n-bit key, K'. Show how to break this MAC. Problem 23. Let M be a message which is a positive number of n-bit blocks, (Feb 13) M= M[1]... M[m]. Consider authenticating M by appending 0^n and then applying the basic CBC MAC. Show how to break this MAC. Problem 24. Fred encrypts and authenticates a message M using key (K,K') by (Feb 13) E_K(M) || MAC_K' (M) George encrypts and authenticates a message M using key (K,K') by E_K(M || MAC_K' (M)) Helen encrypts and authenticates a message M using key (K,K') by C=E_K(M) || MAC_K' (C)) Why is right and who is wrong? The goal is privacy+authenticity, assuming that the encryption scheme and MAC scheme meet our definitions of security. -------------------------------------------------------------------------------- :-) END OF PROBLEMS :-) --------------------------------------------------------------------------------