Problem
Let F be a pseudorandom function. Show that the following MAC for messages of length 2n is insecure: Gen outputs a uniform k∈{0,1}n. To authenticate a message m1​∣∣m2​ with ∣m1​∣=∣m2​∣=n, compute the tag Fk​(m1​)∣∣Fk​(Fk​(m2​)).
Solution
Query
m1=m1∗​∣∣m1∗​, t1=t11​∣∣t21​=Fk​(m1∗​)∣∣Fk​(Fk​(m1∗​))
m2=m2∗​∣∣m2∗​, t2=t12​∣∣t22​=Fk​(m2∗​)∣∣Fk​(Fk​(m2∗​))
Hence for m∗=m1∗​∣∣m2∗​, t∗=t11​∣∣t22​