Problem
Let F be a pseudorandom function. Show that the following MAC for messages of length 2n is insecure: Gen outputs a uniform kā{0,1}n. To authenticate a message m1āā£ā£m2ā with ā£m1āā£=ā£m2āā£=n, compute the tag Fkā(m1ā)ā£ā£Fkā(Fkā(m2ā)).
Solution
Query
m1=m1āāā£ā£m1āā, t1=t11āā£ā£t21ā=Fkā(m1āā)ā£ā£Fkā(Fkā(m1āā))
m2=m2āāā£ā£m2āā, t2=t12āā£ā£t22ā=Fkā(m2āā)ā£ā£Fkā(Fkā(m2āā))
Hence for mā=m1āāā£ā£m2āā, tā=t11āā£ā£t22ā