Consider the following simple protocol intended to allow an RFID reader to authenticate an RFID tag. The protocol assumes that the tag can store a 32-bit secret key 's', shared with the reader, perform XOR operations, and receive and transmit 32-bit values. The reader generates a random 32-bit challenge 'x' and transmits y-xs to the tag. The tag com putes z-ys and sends it to the reader. The reader authenticates the tag ifzx. Q3.1 Show that a passive eavesdropper that observes a single execution of the protocol can recover key s and impersonate the tag. Demonstrate this by recovering the key s from y 0x3344ffac and z 0x11 00ddod. Now consider the following variation of the protocol. The reader and the tag share two different secret keys: sand $2. The reader sends to the tag a challenge y-xs, and the tag responds with z = xs2 after recovering x-ysi. 3.2 Can a passive eavesdropper learn the secret keys from observing a single execution of the protocol? Q3.3 Does the answer change if the attacker can observe multiple executions of the protocol? Briefly justify all your answers. Note:"B" denotes a bitwise XOR of two binary numbers. For two bits bi and ba we have XOR(b -0 if b,-b, and XOR(bab.) = 1 ifb, # b2. Consider the following simple protocol intended to allow an RFID reader to authenticate an RFID tag. The protocol assumes that the tag can store a 32-bit secret key 's', shared with the reader, perform XOR operations, and receive and transmit 32-bit values. The reader generates a random 32-bit challenge 'x' and transmits y-xs to the tag. The tag com putes z-ys and sends it to the reader. The reader authenticates the tag ifzx. Q3.1 Show that a passive eavesdropper that observes a single execution of the protocol can recover key s and impersonate the tag. Demonstrate this by recovering the key s from y 0x3344ffac and z 0x11 00ddod. Now consider the following variation of the protocol. The reader and the tag share two different secret keys: sand $2. The reader sends to the tag a challenge y-xs, and the tag responds with z = xs2 after recovering x-ysi. 3.2 Can a passive eavesdropper learn the secret keys from observing a single execution of the protocol? Q3.3 Does the answer change if the attacker can observe multiple executions of the protocol? Briefly justify all your answers. Note:"B" denotes a bitwise XOR of two binary numbers. For two bits bi and ba we have XOR(b -0 if b,-b, and XOR(bab.) = 1 ifb, # b2