Chapter 2 Quiz: Cryptographic Foundations

Chapter 2 Quiz: Cryptographic Foundations

Multiple Choice Questions

1. What is the output size of SHA-256 regardless of the input size?

a) 128 bits b) 256 bits c) 512 bits d) Proportional to the input size

Answer: b) 256 bits. SHA-256 always produces a 256-bit (32-byte) output, displayed as 64 hexadecimal characters. This fixed output size is a defining property of the function — whether you hash a single character or a 10 GB file, the result is always exactly 256 bits.

2. Which property of a cryptographic hash function ensures that given a hash output, you cannot find the original input?

a) Collision resistance b) Determinism c) Preimage resistance d) Avalanche effect

Answer: c) Preimage resistance. This is the "one-way" property: given h = hash(m), it is computationally infeasible to find m. This property is what makes proof-of-work possible — miners cannot reverse the hash to find the needed nonce; they must guess and check.

3. The avalanche effect in SHA-256 means that:

a) Each input bit always changes exactly one output bit b) Changing one input bit changes approximately 50% of the output bits c) Larger inputs produce larger changes in the output d) The hash computation takes exponentially longer for longer inputs

Answer: b) Changing one input bit changes approximately 50% of the output bits. The avalanche effect is a design goal of SHA-256: every output bit depends on every input bit, so changing even a single bit in the input produces a hash that appears completely unrelated, with roughly half the bits flipped.

4. The birthday paradox tells us that finding a collision in SHA-256 requires approximately:

a) 2^256 operations b) 2^128 operations c) 2^64 operations d) 2^32 operations

Answer: b) 2^128 operations. The birthday paradox reduces the collision search from 2^n to approximately 2^(n/2). For SHA-256 (n = 256), this gives approximately 2^128 operations. While this is a significant reduction from 2^256, 2^128 is still astronomically large and considered computationally infeasible.

5. In public-key cryptography, which key is used to create a digital signature?

a) The public key b) The private key c) A shared symmetric key d) The hash of the message

Answer: b) The private key. Digital signatures are created using the private key and verified using the public key. This is opposite to encryption, where the public key encrypts and the private key decrypts. The critical point: only the holder of the private key can create a valid signature.

6. Why do blockchains use Elliptic Curve Cryptography (ECC) rather than RSA?

a) ECC is more mathematically elegant b) RSA has been broken by quantum computers c) ECC achieves equivalent security with much smaller key sizes d) ECC was invented specifically for blockchain

Answer: c) ECC achieves equivalent security with much smaller key sizes. A 256-bit ECC key provides approximately the same security as a 3072-bit RSA key. Since blockchain transactions include public keys and signatures, and millions of transactions are stored permanently, the size reduction (roughly 12x) has significant practical implications.

7. The secp256k1 curve used by Bitcoin is defined by the equation:

a) y^2 = x^3 + x b) y^2 = x^3 + 7 c) y^2 = x^3 - x + 1 d) y^2 = x^2 + 7

Answer: b) y^2 = x^3 + 7. The secp256k1 curve has parameters a = 0 and b = 7 in the general elliptic curve equation y^2 = x^3 + ax + b, computed over a specific 256-bit prime finite field. The "sec" stands for Standards for Efficient Cryptography, "p" for prime field, "256" for 256-bit, and "k1" for Koblitz curve variant 1.

8. What catastrophic vulnerability results from reusing an ECDSA nonce?

a) The signature becomes invalid b) The message can be decrypted c) The private key can be extracted from two signatures d) The public key changes

Answer: c) The private key can be extracted from two signatures. When the same nonce k is used for two different signatures, the system of equations becomes solvable. An attacker can compute k from the two signature values, and then compute the private key from k and any one of the signatures. This is not theoretical — it was exploited in the 2013 Android Bitcoin wallet vulnerability.

9. In a Merkle tree with 1024 transactions, how many hashes are needed in a Merkle proof?

a) 1 b) 10 c) 512 d) 1024

Answer: b) 10. A Merkle proof requires one hash per level of the tree. For 1024 leaves, the tree has log2(1024) = 10 levels above the leaves. The proof contains one sibling hash from each level — a total of 10 hashes (320 bytes) instead of all 1024 transaction hashes.

10. In Bitcoin's block structure, the Merkle root is stored in:

a) Each transaction b) The block body c) The block header d) The UTXO set

Answer: c) The block header. The Merkle root is included in the 80-byte block header, along with the previous block hash, timestamp, difficulty target, and nonce. This allows the compact header to commit to all transactions in the block without including them directly.

11. A trapdoor function is:

a) A function that is slow to compute in both directions b) A function that is easy to compute forward but infeasible to reverse without a secret c) A function that only works for prime numbers d) A function with exactly one collision

Answer: b) A function that is easy to compute forward but infeasible to reverse without a secret. Trapdoor functions are the mathematical foundation of public-key cryptography. For ECDSA: point multiplication (forward) is fast; finding the scalar given the result point (reverse) is the ECDLP, which is computationally infeasible without the private key.

12. When Bitcoin hashes transaction data, it uses:

a) Single SHA-256 b) Double SHA-256 (SHA-256 applied twice) c) SHA-512 d) RIPEMD-160

Answer: b) Double SHA-256. Bitcoin applies SHA-256 twice for most hashing operations: SHA-256(SHA-256(data)). This provides defense-in-depth against potential weaknesses in the compression function and protects against length-extension attacks.

13. What happens when a Merkle tree has an odd number of leaves?

a) The tree cannot be constructed b) The last leaf is duplicated and paired with itself c) The last leaf is discarded d) An empty node is added

Answer: b) The last leaf is duplicated and paired with itself. Bitcoin's Merkle tree implementation duplicates the last hash when there is an odd number at any level. This ensures every node has a pair for hashing. Other implementations (like Ethereum's Merkle Patricia Trie) use different approaches.

14. Grover's quantum algorithm would reduce SHA-256's security level to approximately:

a) 0 bits (completely broken) b) 64 bits c) 128 bits d) 192 bits

Answer: c) 128 bits. Grover's algorithm provides a quadratic speedup for brute-force search, effectively halving the security level of hash functions. SHA-256's preimage resistance would go from 2^256 to 2^128 operations. This is still considered sufficient security, which is one reason SHA-256 was chosen.

15. Which of the following is NOT a use of hash functions in blockchain?

a) Linking blocks together in a chain b) Encrypting transaction data for privacy c) Proof-of-work mining d) Creating transaction identifiers

Answer: b) Encrypting transaction data for privacy. Hash functions are one-way and cannot be used for encryption (you cannot recover the input from the output). Blockchain transactions are not encrypted — they are publicly visible. Hash functions in blockchain serve for linking, mining, identification, and Merkle trees, but never for encryption.

True/False Questions

16. A hash function's output is always shorter than its input.

False. A hash function produces a fixed-size output (256 bits for SHA-256) regardless of input size. If the input is shorter than 256 bits (e.g., hashing a single character), the output is actually longer than the input. The "compression" property only applies statistically — most real-world inputs are longer than 256 bits.

17. If two SHA-256 hashes are similar (e.g., differ by only a few characters), the original inputs must be similar.

False. Due to the avalanche effect, there is no correlation between the similarity of inputs and the similarity of their hashes. Two nearly identical inputs produce hashes that look completely unrelated. Conversely, two completely different inputs could, by chance, produce similar-looking hashes. The hash reveals nothing about the input.

18. A digital signature can only be verified by the person who created it.

False. A digital signature is created using the private key but verified using the public key. Since the public key is, by definition, public, anyone can verify the signature. This is exactly the point — the entire network verifies transaction signatures without needing access to the signer's private key.

19. The Merkle root changes if any single transaction in the block is modified.

True. Changing any leaf (transaction) changes its hash, which changes its parent node, which propagates upward through the tree until the root changes. This is the tamper-evidence property: the Merkle root is a compact commitment to the exact contents of every transaction.

20. Post-quantum cryptography would make SHA-256 obsolete for blockchain use.

False. Quantum computers primarily threaten public-key cryptographic schemes (RSA, ECDSA) via Shor's algorithm. Hash functions are more resistant to quantum attacks. Grover's algorithm provides only a quadratic speedup against hash functions, reducing SHA-256 from 256-bit to 128-bit security — still considered adequate. The main post-quantum concern for blockchain is replacing ECDSA signatures, not SHA-256 hashing.

Code-Reading Questions

21. What does this code output?

import hashlib

a = hashlib.sha256(b"hello").hexdigest()
b = hashlib.sha256(b"hello").hexdigest()
c = hashlib.sha256(b"Hello").hexdigest()

print(a == b)
print(a == c)
print(len(a))

Answer:

True
False
64

Explanation: The first comparison is True because hash functions are deterministic — the same input always produces the same output. The second is False because "hello" and "Hello" differ (the capital H), and the avalanche effect ensures the hashes are completely different. The length is 64 because SHA-256 produces 256 bits = 32 bytes = 64 hexadecimal characters.

22. What does this code demonstrate, and what is the expected output?

from ecdsa import SECP256k1, SigningKey, BadSignatureError
import hashlib

key = SigningKey.generate(curve=SECP256k1)
pub = key.get_verifying_key()

msg1 = b"Send 5 BTC to Bob"
sig1 = key.sign(msg1, hashfunc=hashlib.sha256)

msg2 = b"Send 5 BTC to Bob"
sig2 = key.sign(msg2, hashfunc=hashlib.sha256)

print(sig1.hex() == sig2.hex())

msg3 = b"Send 50 BTC to Bob"
try:
    pub.verify(sig1, msg3, hashfunc=hashlib.sha256)
    print("VALID")
except BadSignatureError:
    print("INVALID")

Answer:

True
INVALID

Explanation: The first output is True because the ecdsa library uses RFC 6979 deterministic nonces — the same private key and message always produce the same signature. This eliminates the risk of nonce reuse. The second output is INVALID because the signature for "Send 5 BTC to Bob" does not verify against the tampered message "Send 50 BTC to Bob" — this demonstrates the integrity property of digital signatures.

23. There is a bug in this Merkle proof verification code. Identify it and explain the consequence.

def verify_proof_buggy(data, proof, root):
    current_hash = hashlib.sha256(data.encode()).hexdigest()
    for sibling_hash, direction in proof:
        # Bug is here
        combined = current_hash + sibling_hash
        current_hash = hashlib.sha256(combined.encode()).hexdigest()
    return current_hash == root

Answer: The bug is that the code ignores the direction parameter and always places current_hash on the left. In a correct implementation, when direction == 'left', the sibling should be on the left: combined = sibling_hash + current_hash. When direction == 'right', the sibling should be on the right: combined = current_hash + sibling_hash.

Consequence: This buggy function would produce incorrect Merkle roots for any proof where a sibling is on the left side. It would reject valid proofs and potentially accept invalid ones. In a blockchain context, this could cause a light client to incorrectly reject legitimate transactions or, worse, accept fraudulent ones. The ordering of children in hash concatenation is not commutative — SHA-256(A + B) != SHA-256(B + A) — so getting the direction wrong produces an entirely different hash.