Prof. Martin Hofmann Ludwig-Maximilians-Universit¨ at M¨ unchen

(1)

Prof. Martin Hofmann Ludwig-Maximilians-Universit¨ at M¨ unchen

Dr. Ulrich Sch¨ opp Institut f¨ ur Informatik

Summer 2017

Cryptography

Exercise Sheet 7

Exercise 7-1 Suppose F is a pseudo-random function.

Define a fixed-length message-authentication code (Gen, MAC) as follows: The key generation function Gen takes as argument the security parameter n and returns a random key of length n.

The function MAC takes as input the key of length n and a message m of length 2n − 2. It splits the message m into two halves m

₀

and m

₁

and outputs F

_k

(0m

₀

) k F

_k

(1m

₁

).

Is this scheme secure? Prove your answer.

Exercise 7-2 Recall from the lecture that CBC-MAC computes a message-authentication code from a message consisting of L equal-sized blocks m = m

₁

m

₂

. . . m

_L

using a pseudo- random function F as follows:

t

0

= F

k

(L)

t

_i+1

= F

_k

(t

_i

⊕ m

_i

) for i = 0, . . . , L − 1.

The message-authentication code for m is t

_L

.

Show that this scheme becomes insecure if the code is taken to be t

₀

k t

₁

k . . . k t

_L

instead.

Exercise 7-3 Consider the following changes to the Merkle-Damg˚ ard construction. In which of these cases does the construction still produce a collision-resistant hash function?

a) The message length L is not appended in the last step, i.e. the output is z

B

instead of h

_s

(z

_B

k L).

b) Instead of letting z

0

be a word of all zeros, one chooses some random word IV and sets z

₀

:= IV . Then one computes z

_B

as before, i.e. z

_i

= h

_s

(z

i−1

k x

_i

) for i = 1 . . . , B, and returns IV k h

s

(z

B

k L) as the final output.

c) One completeley omits the inital value z

₀

and starts computation with z

₁

:= x

₁

. This

means that one computes z

i

= h

s

(z

i−1

k x

i

) for i = 2 . . . , B, and then returns h

s

(z

B

Prof. Martin Hofmann Ludwig-Maximilians-Universit¨ at M¨ unchen

Prof. Martin Hofmann Ludwig-Maximilians-Universit¨ at M¨ unchen

Dr. Ulrich Sch¨ opp Institut f¨ ur Informatik

Summer 2017

Cryptography

Exercise Sheet 7

Exercise 7-1 Suppose F is a pseudo-random function.

Define a fixed-length message-authentication code (Gen, MAC) as follows: The key generation function Gen takes as argument the security parameter n and returns a random key of length n.

The function MAC takes as input the key of length n and a message m of length 2n − 2. It splits the message m into two halves m

and m

and outputs F

(0m

) k F

(1m

).

Is this scheme secure? Prove your answer.

Exercise 7-2 Recall from the lecture that CBC-MAC computes a message-authentication code from a message consisting of L equal-sized blocks m = m

m

. . . m

using a pseudo- random function F as follows:

t

= F

(L)

t

= F

(t

⊕ m

) for i = 0, . . . , L − 1.

The message-authentication code for m is t

.

Show that this scheme becomes insecure if the code is taken to be t

k t

k . . . k t

instead.

Exercise 7-3 Consider the following changes to the Merkle-Damg˚ ard construction. In which of these cases does the construction still produce a collision-resistant hash function?

a) The message length L is not appended in the last step, i.e. the output is z

instead of h

(z

k L).

b) Instead of letting z

be a word of all zeros, one chooses some random word IV and sets z

:= IV . Then one computes z

as before, i.e. z

= h

(z

k x

) for i = 1 . . . , B, and returns IV k h

(z

k L) as the final output.

c) One completeley omits the inital value z

and starts computation with z

:= x

. This

means that one computes z

= h

(z

k x

) for i = 2 . . . , B, and then returns h

(z

k L)

as the output.