CIS 5371 Cryptography
Home Assignment 5
Due: At the beginning of the class on March 24, 2016 (March 29
if you have a presentation that day)
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to
Modern Cryptography.
1. Let (Gen1 , H1 ) and (Gen2 , H2 ) be two hash functions. Define (Gen, H) so that Gen
runs Gen1 and Gen2 to obtain keys s1 and s2 , respectively. Then define H s1 ,s2 (x) =
H1s1 (x)||H2s2 (x).
(a) Prove that if at least one of (Gen1 , H1 ) and (Gen2 , H2 ) is collision resistant, then
(Gen, H) is collision resistant.
(b) Determine whether an analogous claim holds for second pre-image resistance.
2. Before HMAC was invented, it was quite common to define a MAC by M ack (m) =
H s (k||m) where H is a collision-resistant hash function. Show that this is not a secure
MAC when H is constructed via the Merkle-Damgaard transform.
[Hint: Suppose that H is constructed via the Merkle-Damgaard transform, and that a
fixed-length collision-resistant hash function (Gen, h) with input length 2` and output
length ` is used. Let t = hs (k||m). Then,
M ack (m||m0 ) = H s (k||m||m0 ) = hs (hs (k||m)||m0 ) = hs (t||m0 ) = t0 .
Which message must the adversary A query for a MAC so that A can forge the MAC of
another message? (list both messages and explain!)]
3. Show that if any message authentication code having unique tags is used in the encryptand-authenticate approach, the resulting combination is not CPA-secure.
Mike Burmester