Exercise 4.15

Problem

Show that appending the message length to the end of the message before applying basic CBC-MAC does not result in a secure MAC for arbitrary-length messages.

Solution

Queries

The adversary makes three queries to the MAC oracle. Here $B_0, B_1, B_0^*, B_1^*, B_2, B_3$ are arbitrary single blocks, $\|$ is concatenation, and $\langle |m| \rangle$ is the length of $m$ encoded as one block:

  • $m_1 = B_0 \| B_1$, $t_1 = \mathrm{MAC}_k(m_1 \| \langle |m_1| \rangle)$

  • $m_1^* = B_0^* \| B_1^*$, $t_1^* = \mathrm{MAC}_k(m_1^* \| \langle |m_1^*| \rangle)$

    • $m_1^* \neq m_1$ and $|m_1^*| = |m_1|$, so $\langle |m_1^*| \rangle = \langle |m_1| \rangle$

  • $m_2 = m_1 \| \langle |m_1| \rangle \| B_2 \| B_3$, $t_2 = \mathrm{MAC}_k(m_2 \| \langle |m_2| \rangle)$

To be specific, computing $t_2$ runs the CBC chain (zero IV, tag = last chaining value) over the six blocks of $m_2 \| \langle |m_2| \rangle$. Because the third block of $m_2$ is exactly $\langle |m_1| \rangle$, the chaining value after that block is exactly $t_1$, the tag the oracle already returned for $m_1$:

  • $c_0 = F_k(B_0)$

  • $c_1 = F_k(c_0 \oplus B_1)$

  • $t_1 = F_k(c_1 \oplus \langle |m_1| \rangle)$

  • $c_3 = F_k(t_1 \oplus B_2)$

  • $c_4 = F_k(c_3 \oplus B_3)$

  • $t_2 = F_k(c_4 \oplus \langle |m_2| \rangle)$

Now replace the first two blocks $m_1$ by $m_1^*$. The chain for the first three blocks becomes

  • $c_0^* = F_k(B_0^*)$

  • $c_1^* = F_k(c_0^* \oplus B_1^*)$

  • $t_1^* = F_k(c_1^* \oplus \langle |m_1^*| \rangle)$

and again the chaining value after the third block is something the adversary knows: $t_1^*$, the oracle's answer to the second query.

For the final tag to stay the same, the input to the fourth $F_k$ evaluation must be unchanged, i.e. $t_1 \oplus B_2 = t_1^* \oplus B_2^*$. The adversary therefore chooses

$B_2^* = t_1 \oplus B_2 \oplus t_1^*$

which it can compute from the two oracle answers $t_1, t_1^*$ and its own choice of $B_2$, without any knowledge of $k$.

Therefore

  • $c_3^* = F_k(t_1^* \oplus B_2^*) = F_k(t_1^* \oplus t_1 \oplus B_2 \oplus t_1^*) = F_k(t_1 \oplus B_2) = c_3$

  • $c_4^* = F_k(c_3^* \oplus B_3) = F_k(c_3 \oplus B_3) = c_4$

  • $t_2^* = F_k(c_4^* \oplus \langle |m_2^*| \rangle) = F_k(c_4 \oplus \langle |m_2| \rangle) = t_2$

    • $|m_2^*| = |m_2|$ follows from $|m_1^*| = |m_1|$, since both messages append the same three further blocks, so $\langle |m_2^*| \rangle = \langle |m_2| \rangle$

Hence the adversary outputs the pair $\langle m^*, t^* \rangle$ with

$m^* := m_1^* \| \langle |m_1^*| \rangle \| (t_1 \oplus B_2 \oplus t_1^*) \| B_3, \qquad t^* := t_2$

$t^*$ is the valid tag on $m^*$, and $m^*$ was never queried: it is longer than $m_1$ and $m_1^*$, and it differs from $m_2$ in its first two blocks because $m_1^* \neq m_1$. Three queries thus give an existential forgery, so appending the length does not yield a secure MAC for arbitrary-length messages. The root cause is that the length block is absorbed as an ordinary intermediate chaining value; prepending the length instead (so it enters the chain first) is the standard fix.
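The forgery above carried out end to end, as an added example that is not part of the original solution. It assumes a 16-byte block and stands in HMAC-SHA256 truncated to one block for $F_k$ (the attack only needs $F_k$ to be a deterministic keyed function, so a PRF substitute behaves exactly like a block cipher here); the block values $B_0, \ldots, B_3$ are constructed sample data, and the `oracle` closure plays the MAC oracle of the security game.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size of F_k in bytes


def F(k: bytes, x: bytes) -> bytes:
    """Stand-in for the keyed block function F_k.

    Assumption: HMAC-SHA256 truncated to one block is used instead of a real
    block cipher. The forgery only relies on F_k being a deterministic keyed
    function, so any PRF (or a PRP such as AES) would behave the same way.
    """
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_len(m: bytes) -> bytes:
    """<|m|>: the bit length of m encoded as a single big-endian block."""
    return (8 * len(m)).to_bytes(BLOCK, "big")


def cbc_mac(k: bytes, m: bytes) -> bytes:
    """Basic CBC-MAC with a zero IV; the tag is the last chaining value."""
    assert m and len(m) % BLOCK == 0, "basic CBC-MAC needs a block-aligned message"
    c = bytes(BLOCK)
    for i in range(0, len(m), BLOCK):
        c = F(k, xor(c, m[i:i + BLOCK]))
    return c


def mac_len_append(k: bytes, m: bytes) -> bytes:
    """The scheme under attack: MAC_k(m) = CBC-MAC_k(m || <|m|>)."""
    return cbc_mac(k, m + encode_len(m))


def forge(oracle, B0, B1, B0s, B1s, B2, B3):
    """The three-query attack from the solution; returns (m*, t*).

    `oracle(m)` returns the tag on m under the unknown key. The adversary never
    sees k; it only XORs together values it chose and values the oracle returned.
    """
    m1 = B0 + B1
    m1s = B0s + B1s                          # |m1*| = |m1|, so <|m1*|> = <|m1|>
    t1 = oracle(m1)                          # query 1: t1 = F_k(c1 xor <|m1|>)
    t1s = oracle(m1s)                        # query 2: t1* = F_k(c1* xor <|m1*|>)
    m2 = m1 + encode_len(m1) + B2 + B3       # m1 || <|m1|> is a prefix, so the
    t2 = oracle(m2)                          # query 3: chain passes through t1
    B2s = xor(xor(t1, B2), t1s)              # B2* = t1 xor B2 xor t1*
    m_star = m1s + encode_len(m1s) + B2s + B3
    return m_star, t2                        # t* = t2, valid since |m*| = |m2|


def run_attack(key: bytes = bytes(range(BLOCK))) -> dict:
    """Runs the adversary against an oracle for `key` and reports the outcome."""
    queries = []

    def oracle(m: bytes) -> bytes:
        queries.append(m)
        return mac_len_append(key, m)

    # Constructed sample blocks; any distinct values work, only |m1*| = |m1| matters.
    B0, B1 = b"A" * BLOCK, b"B" * BLOCK
    B0s, B1s = b"C" * BLOCK, b"D" * BLOCK
    B2, B3 = b"E" * BLOCK, b"G" * BLOCK
    m_star, t_star = forge(oracle, B0, B1, B0s, B1s, B2, B3)
    return {
        "valid": mac_len_append(key, m_star) == t_star,  # tag verifies under key
        "fresh": m_star not in queries,                  # message was never queried
        "queries": len(queries),                         # exactly three oracle calls
    }


if __name__ == "__main__":
    print(run_attack(os.urandom(BLOCK)))  # {'valid': True, 'fresh': True, 'queries': 3}
```

`forge` only ever XORs oracle outputs with blocks it chose itself, which is the whole point: the chaining value after the block $\langle |m_1| \rangle$ is a tag the oracle handed out, so the adversary can cancel it against the corresponding value $t_1^*$ for a different prefix. Swapping `F` for a real block cipher changes nothing in the attack, since no step depends on inverting or analysing $F_k$.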
