search

Exercise 4.8

hashtag
Problem

Let FF be a pseudorandom function. Show that the following MAC for messages of length 2n2n is insecure: Gen outputs a uniform k∈{0,1}nk \in \{0, 1\}^n. To authenticate a message m1∣∣m2m_1 || m_2 with ∣m1∣=∣m2∣=n|m_1| = |m_2| = n, compute the tag Fk(m1)∣∣Fk(Fk(m2))F_k(m_1) || F_k(F_k(m_2)).

hashtag
Solution

Query

  • m1=m1∗∣∣m1∗m^1=m^*_1||m^*_1, t1=t11∣∣t21=Fk(m1∗)∣∣Fk(Fk(m1∗))t^1= t^1_1||t^1_2 = F_k(m^*_1) || F_k(F_k(m^*_1))

  • m2=m2∗∣∣m2∗m^2=m^*_2||m^*_2, t2=t12∣∣t22=Fk(m2∗)∣∣Fk(Fk(m2∗))t^2= t^2_1 || t^2_2 = F_k(m^*_2) || F_k(F_k(m^*_2))

Hence for m∗=m1∗∣∣m2∗m^*=m^*_1||m^*_2, t∗=t11∣∣t22t^* = t^1_1||t^2_2

Last updated