Add to collection(s) Add to saved
  1. No category

CIS 5371 Cryptography

advertisement 
CIS 5371 Cryptography
Home Assignment 5 – with answers
Due: At the beginning of the class on March 24, 2016 (March 29
if you have a presentation that day)
Exercises taken from the course textbook. Jonathan Katz and Yehuda Lindell, Introduction to
Modern Cryptography.
1. Let (Gen1 , H1 ) and (Gen2 , H2 ) be two hash functions. Define (Gen, H) so that Gen
runs Gen1 and Gen2 to obtain keys s1 and s2 , respectively. Then define H s1 ,s2 (x) =
H1s1 (x)||H2s2 (x).
(a) Prove that if at least one of (Gen1 , H1 ) and (Gen2 , H2 ) is collision resistant, then
(Gen, H) is collision resistant.
Answer: Let A be an adversary that with probability ε(n) outputs a pair x, x0 such
that H s1 ,s2 (x) = H s1 ,s2 (x0 ). In such a case, by the definition of H, we have that
H s1 (x) = H s1 (x0 ) and H s2 (x) = H s2 (x0 ). Thus, A finnds a collision in both H1 and
H2 with probability ε.
(b) Determine whether an analogous claim holds for second pre-image resistance.
Answer: An analogous claim does hold for second pre-image resistance. Informally,
this is again because a collision in H yields a collision in both H1 and H2 . A formal
proof is straightforward.
2. Before HMAC was invented, it was quite common to define a MAC by M ack (m) =
H s (k||m) where H is a collision-resistant hash function. Show that this is not a secure
MAC when H is constructed via the Merkle-Damgaard transform.
[Hint: Suppose that H is constructed via the Merkle-Damgaard transform, and that a
fixed-length collision-resistant hash function (Gen, h) with input length 2` and output
length ` is used. Let t = hs (k||m). Then,
M ack (m||m0 ) = H s (k||m||m0 ) = hs (hs (k||m)||m0 ) = hs (t||m0 ) = t0 .
Which message must the adversary A query for a MAC so that A can forge the MAC of
another message? (list both messages and explain!)]
Answer. Say H is constructed via the Merkle-Damgard transform, starting from a fixedlength collision-resistant hash function (Gen, h) that has input length 2` and output length
` (this is just for simplicity).
Then, an adversary AA can ask for a MAC of any message m of length 2` − |k|; denote the
resulting tag by t. Given t, A can compute t0 = hs (t||m0 ) for any m0 of length `. Finally,
A outputs message m||m0 and tag t0 . Observe that
M ack (m||m0 ) = H s (k||m||m0 ) = hs (hs (k||m)||m0 ) = hs (t||m0 ) = t0
and thus the tag is valid.
3. Show that if any message authentication code having unique tags is used in the encryptand-authenticate approach, the resulting combination is not CPA-secure.
Answer. If the MAC has unique tags then two encryptions of the same message will have
the same tag. Thus, a CPA adversary A can output any pair of messages m0 , m1 and then
ask for an encryption of m0 . If the tag portion of the ciphertext of the encryption of m0
is the same as in the challenge ciphertext, then A outputs b0 = 0; otherwise it outputs
b0 = 1. A succeeds in this game with probability 1.
Mike Burmester
Related documents
CIS 5371 Cryptography
CIS 5371 Cryptography
CIS 5371 Cryptography QUIZ 10 (5 minutes only) –with answwers
CIS 5371 Cryptography QUIZ 10 (5 minutes only) –with answwers
CIS 5371 Cryptography QUIZ 11 (5 minutes only)
CIS 5371 Cryptography QUIZ 11 (5 minutes only)
CIS 5371 Cryptography 4b. Collision Resistant Hash Functions B
CIS 5371 Cryptography 4b. Collision Resistant Hash Functions B
CIS 5371 Cryptography QUIZ 4 (5 minutes only)
CIS 5371 Cryptography QUIZ 4 (5 minutes only)
CIS 5371 Cryptography QUIZ 11 (5 minutes only) –with answers
CIS 5371 Cryptography QUIZ 11 (5 minutes only) –with answers
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz
Final Exam Review
Final Exam Review
Download
advertisement