šŸ”“
Cryptography
  • What's this
  • Chapter 1 - Introduction
    • Exercise 1.1
  • Chapter 3 - Private-Key Encryption
    • Exercise 3.1
  • Chapter 4 - Message Authentication Codes
    • Exercise 4.7
    • Exercise 4.8
    • Exercise 4.14
    • Exercise 4.15
    • Extra: Authenticated Encryption CBC-XOR
  • Chapter 5 - Hash Functions and Applications
    • Exercise 5.3
  • Chapter 8 - Number Theory and Cryptographic Hardness Assumptions
    • (Unresolved) Exercise 8.15
Powered by GitBook
On this page
  • Problem
  • Solution

Was this helpful?

  1. Chapter 4 - Message Authentication Codes

Exercise 4.8

Last updated 5 years ago

Was this helpful?

Problem

Let FFF be a pseudorandom function. Show that the following MAC for messages of length 2n2n2n is insecure: Gen outputs a uniform kāˆˆ{0,1}nk \in \{0, 1\}^nkāˆˆ{0,1}n. To authenticate a message m1āˆ£āˆ£m2m_1 || m_2m1ā€‹āˆ£āˆ£m2ā€‹ with āˆ£m1āˆ£=āˆ£m2āˆ£=n|m_1| = |m_2| = nāˆ£m1ā€‹āˆ£=āˆ£m2ā€‹āˆ£=n, compute the tag Fk(m1)āˆ£āˆ£Fk(Fk(m2))F_k(m_1) || F_k(F_k(m_2))Fkā€‹(m1ā€‹)āˆ£āˆ£Fkā€‹(Fkā€‹(m2ā€‹)).

Solution

Query

  • m1=m1āˆ—āˆ£āˆ£m1āˆ—m^1=m^*_1||m^*_1m1=m1āˆ—ā€‹āˆ£āˆ£m1āˆ—ā€‹, t1=t11āˆ£āˆ£t21=Fk(m1āˆ—)āˆ£āˆ£Fk(Fk(m1āˆ—))t^1= t^1_1||t^1_2 = F_k(m^*_1) || F_k(F_k(m^*_1)) t1=t11ā€‹āˆ£āˆ£t21ā€‹=Fkā€‹(m1āˆ—ā€‹)āˆ£āˆ£Fkā€‹(Fkā€‹(m1āˆ—ā€‹))

  • m2=m2āˆ—āˆ£āˆ£m2āˆ—m^2=m^*_2||m^*_2m2=m2āˆ—ā€‹āˆ£āˆ£m2āˆ—ā€‹, t2=t12āˆ£āˆ£t22=Fk(m2āˆ—)āˆ£āˆ£Fk(Fk(m2āˆ—))t^2= t^2_1 || t^2_2 = F_k(m^*_2) || F_k(F_k(m^*_2)) t2=t12ā€‹āˆ£āˆ£t22ā€‹=Fkā€‹(m2āˆ—ā€‹)āˆ£āˆ£Fkā€‹(Fkā€‹(m2āˆ—ā€‹))

Hence for māˆ—=m1āˆ—āˆ£āˆ£m2āˆ—m^*=m^*_1||m^*_2māˆ—=m1āˆ—ā€‹āˆ£āˆ£m2āˆ—ā€‹, tāˆ—=t11āˆ£āˆ£t22t^* = t^1_1||t^2_2tāˆ—=t11ā€‹āˆ£āˆ£t22ā€‹