⌘Ctrlk

Exercise 4.14

Problem

Prove that the following modifications of basic CBC-MAC do not yield a secure MAC (even for fixed-length messages):

Mac outputs all blocks $t_1, \ldots , t_l$ rather than just $t_l$ . (Verification only checks whether $t_l$ is correct.)
A random initial block is used each time a message is authenticated. That is, choose uniform $t \in \{0, 1\}^n$ , run basic CBC-MAC over the “message” $t_0,m_1, \ldots ,m_l$ , and output the tag $\langle t_0, t_l \rangle$ . Verification is done in the natural way.

Solution

Part 1

Query

$m^1 = B_0 || B_1$ , $t^1 = t_0 || t_1$
$m^2 = B_2 || B_3$ , $t^2 = t_2||t_3$

We know $F_k(B_0) = t_0$ and $F_k(B_2) = t_2$ . Hence

MAC_k(B_0 || B^*_2) = F_k(B_0) || F_k(F_k(B_0) \oplus B^*_2) = t_0 || F_k(t_0 \oplus B^*_2)

Let $t_0 \oplus B^*_2 = B_2$ , i.e., $B^*_2 = t_0 \oplus B_2$ . Then

MAC_k(B_0 || t_0 \oplus B_2) = t_0 || F_k(t_0 \oplus t_0 \oplus B_2) = t_0 || F_k(B_2) = t_0 || t_2

Therefore, $\langle B_0 || t_0 \oplus B_2, t_0 || t_2 \rangle$ is a valid pair of message and tag.

Part 2

Query

$m^1 = B_0 || B_1$ , $t^1 = \langle r_1, t_1 \rangle$
$m^2 = B_2 || B_3$ , $t^2 = \langle r_2, t_2 \rangle$

Hence for $m^* = B_0 || B_1 || t_2 \oplus r_2 || B_2 || B_3$ , $t^* = \langle r, t_2 \rangle$ should be a valid tag.

Last updated 6 years ago