CIS 5371 Cryptography
Home Assignment 4 – with answers
Due: At the beginning of the class on March 17, 2016
Exercises taken from the course textbook. J. Katz and Y. Lindell, Introduction to Modern Cryptography.
1. Consider the following fixed-length M AC for messages of length `(n) = 2n − 2 using a pseudorandom function F : On input a message m0 ||m1 (with |m0 | = |m1 | = n − 1) and key k ∈ {0, 1}n ,
algorithm Mack outputs t = Fk (0||m0 )||Fk (1||m1 ). Algorithm Vrfy is defined in the natural way. Is
(Gen, Mac, Vrfy) existentially unforgeable under a chosen-message attack? Prove your answer.
Answer. This scheme is not secure. Let A be an adversary that queries its oracle with two messages
m = m0 ||m1 and m0 = m00 ||m01 , where m0 6= m00 and m1 6= m01 . Let t = t0 ||t1 and t0 = t00 ||t01 be the
respective responses from its oracle. A then outputs the message m̄ = m0 ||m01 and tag t̄ = t0 ||t01 .
By the definition of Mac, it follows that t̄ is a correct tag for m̄ and thus Vrfyk (m̄, t̄) = 1 always.
Furthermore, since m0 6= m00 and m1 6= m01 we have that m̄ 6∈ Q. Thus A succeeds with probability
1 and the scheme is not secure.
2. Let F be a pseudorandom function. Show that the following M AC for messages of length 2n is
insecure: The shared key is a random k ∈ {0, 1}n . To authenticate a message m1 ||m2 with |m1 | =
|m2 | = n, compute the tag hFk (m1 ), Fk (Fk (m2 ))i.
Answer. The idea for this solution is exactly the same as for the previous exercise. Other attacks
are also possible.
3. Let F be a pseudorandom function. Show that each of the following message authentication codes is
insecure. (In each case the shared key is a random k ∈ {0, 1}n .)
(a) To authenticate a message m = m1 || · · · ||m` , where mi ∈ {0, 1}n , compute t := Fk (m1 ) ⊕ · · · ⊕
Fk (m` ).
(b) To authenticate a message m = m1 || · · · ||m` , where mi ∈ {0, 1}n , choose r ← {0, 1}n at random,
compute t := Fk (r) ⊕ Fk (m1 ) ⊕ · · · ⊕ Fk (m` ), and send hr, ti.
(c) To authenticate a message m = m1 || · · · ||m` , where mi ∈ {0, 1}n/2 , choose r ← {0, 1}n at
random, compute
t := Fk (r) ⊕ Fk (h1i||m1 ) ⊕ · · · ⊕ Fk (h`i||m` ),
(where hii is the n/2-bit encoding of the integer i), and send hr, ti.
Answer.
(a) Let m1 ||m2 be any message with m1 , m2 ∈ {0, 1}n . Then, the tag on m1 ||m2 is identical to the
tag on m2 ||m1 . Thus, an adversary A can ask for a tag on m1 ||m2 and output the message
m2 ||m1 together with the tag it received.
(b) As with the previous item, the tag hr, ti on m1 ||m2 is acceptable also for m2 ||m1 .
(c) There is an attack on this scheme that does not request any tags. Let m1 ∈ {0, 1}n/2 be
arbitrary, and set r := h1i||m1 . Then hr, 0n i is a valid tag on m1 .
4. Prove that the following modification of CBC-MAC does not yield a secure fixed-length MAC:
Modify CBC-MAC so that a random IV is used each time a tag is computed (and the IV is output
along with t` ). I.e., t0 ← {0, 1}n is chosen uniformly at random rather than being fixed to 0n , and
the tag is t0 , t` .
Answer. The scheme is not secure. In particular, let m be a one-block message and let (IV, t) be its
MAC-tag received from the oracle. Then, the tag (m, t) is a valid MAC for the message IV . (More
generally, for any m0 the tag (IV ⊕ m0 , t) is a valid MAC for the message m ⊕ m0 . This means that
it is possible to generate a forgery for any desired single-block message.)
Mike Burmester