Prof. Martin Hofmann    Ludwig-Maximilians-Universität München
Dr. Ulrich Schöpp       Institut für Informatik
Summer 2017
Cryptography
Exercise Sheet 7
Exercise 7-1 Suppose F is a pseudo-random function.
Define a fixed-length message-authentication code (Gen, MAC) as follows: The key generation function Gen takes as argument the security parameter n and returns a random key of length n.
The function MAC takes as input the key of length n and a message m of length 2n−2. It splits the message m into two halves m_0 and m_1 and outputs F_k(0m_0) ‖ F_k(1m_1).
Is this scheme secure? Prove your answer.
Solution (Sketch):
Recall the definition of “secure” from the lecture notes.
The message authentication experiment Mac-forge_{A,Π}(n), where Π = (Gen, Mac) is a MAC, A an adversary and n the security parameter:
1. A random key k is generated with Gen(n).
2. The adversary is given n and oracle access to Mac_k(·), i.e. it can request arbitrary tags w.r.t. k. The adversary eventually outputs a pair (m, t).
3. The output of the experiment is defined to be 1 if (1) Mac_k(m) = t and (2) m has not previously been queried by A.
We define a MAC to be secure if for all adversaries the probability that Mac-forge yields 1 is negligible.
We can define an adversary A that succeeds in the experiment Mac-forge_{A,Π}(n) with non-negligible probability.
The attacker requests the MAC for the two messages 0^{n−1}1^{n−1} and 1^{n−1}0^{n−1}. It is therefore given F_k(0 0^{n−1}) ‖ F_k(1 1^{n−1}) and F_k(0 1^{n−1}) ‖ F_k(1 0^{n−1}).
This means, in particular, that the attacker has learned F_k(0 0^{n−1}) and F_k(1 0^{n−1}).
The attacker then outputs the pair (m, t) consisting of m = 0^{n−1}0^{n−1} and t = F_k(0 0^{n−1}) ‖ F_k(1 0^{n−1}).
The attacker thus wins with probability 1, since the message m has not been queried previously and t is the correct tag for m.
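The experiment and the adversary above, carried out in code. This is an added example, not part of the exercise sheet: HMAC-SHA256 stands in for the abstract PRF F, the security parameter n = 16 is a toy value, and the names mac, MacOracle, forge and mac_forge_experiment are this example's own. The oracle records every queried message so that step 3 of Mac-forge (the freshness check) can be evaluated.

```python
import hashlib
import hmac
import secrets

N = 16  # security parameter n (bits); toy size chosen for the demo, not from the sheet


def prf(key: bytes, x: str) -> bytes:
    """F_k(x) for a bit string x. HMAC-SHA256 stands in for the abstract PRF F."""
    return hmac.new(key, x.encode(), hashlib.sha256).digest()


def gen() -> bytes:
    """Gen(n): a uniformly random key of n bits."""
    return secrets.token_bytes(N // 8)


def mac(key: bytes, m: str) -> bytes:
    """The sheet's MAC: split m (2n-2 bits) into halves, tag each half under a domain bit."""
    assert len(m) == 2 * N - 2 and set(m) <= {"0", "1"}
    m0, m1 = m[: N - 1], m[N - 1 :]
    return prf(key, "0" + m0) + prf(key, "1" + m1)


class MacOracle:
    """Step 2 of Mac-forge: answers Mac_k queries and records every message asked."""

    def __init__(self, key: bytes):
        self._key = key
        self.queried = set()

    def tag(self, m: str) -> bytes:
        self.queried.add(m)
        return mac(self._key, m)


def forge(oracle: MacOracle):
    """The adversary from the solution: two queries, then a tag for an unqueried message."""
    half = N - 1
    t_a = oracle.tag("0" * half + "1" * half)  # F_k(0 0^{n-1}) || F_k(1 1^{n-1})
    t_b = oracle.tag("1" * half + "0" * half)  # F_k(0 1^{n-1}) || F_k(1 0^{n-1})
    cut = len(t_a) // 2
    m = "0" * half + "0" * half                # 0^{n-1} 0^{n-1}, never queried
    t = t_a[:cut] + t_b[cut:]                  # F_k(0 0^{n-1}) || F_k(1 0^{n-1})
    return m, t


def mac_forge_experiment(adversary) -> bool:
    """Mac-forge_{A,Pi}(n): True iff (m, t) verifies and m was never queried."""
    key = gen()
    oracle = MacOracle(key)
    m, t = adversary(oracle)
    fresh = m not in oracle.queried
    return fresh and hmac.compare_digest(mac(key, m), t)


if __name__ == "__main__":
    print("forgery accepted:", mac_forge_experiment(forge))
```

The point the code makes explicit is that the two halves of a tag are bound to a domain bit but not to each other, so halves taken from different answers recombine into a valid tag; any MAC whose tag is a concatenation of independently computed parts must be examined for exactly this mix-and-match.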
Exercise 7-2 Recall from the lecture that CBC-MAC computes a message-authentication code for a message consisting of L equal-sized blocks m = m_1 m_2 … m_L using a pseudo-random function F as follows:
t_0 = F_k(L)
t_{i+1} = F_k(t_i ⊕ m_{i+1}) for i = 0, …, L−1.
The message-authentication code for m is t_L.
Show that this scheme becomes insecure if the code is taken to be t_0 ‖ t_1 ‖ … ‖ t_L instead.
Solution (Sketch): Construct an attacker as follows.
Choose two words x and y of length n at random.
Request the CBC-MAC for xy from the oracle. This gives us t_0 = F_k(2), t_1 = F_k(t_0 ⊕ x), t_2 = F_k(t_1 ⊕ y).
Request the CBC-MAC for t_0 y from the oracle. This gives us t_0' = F_k(2), t_1' = F_k(t_0' ⊕ t_0) = F_k(0^n), t_2' = F_k(t_1' ⊕ y). Note: t_0 = t_0'.
We now know: the message t_0 t_1' will produce t_0'' = F_k(2), t_1'' = F_k(t_0'' ⊕ t_0) = F_k(0^n), t_2'' = F_k(t_1'' ⊕ t_1') = F_k(F_k(0^n) ⊕ F_k(0^n)) = F_k(0^n). Note: t_0 = t_0'' and t_1'' = t_1'.
Hence we output the message t_0 t_1' and the tag t_0 ‖ F_k(0^n) ‖ F_k(0^n).
This works if x ≠ t_0 and y ≠ t_1'. The probability of x being F_k(2) is 1/2^n, and the probability of y being F_k(0^n) is also 1/2^n. Since the adversary needs to win only with non-negligible probability, this is still more than enough.
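The attack sketched above, run against a toy implementation of the modified CBC-MAC. This is an added example and not code from the sheet: HMAC-SHA256 truncated to n bytes stands in for F_k, n = 16 bytes is a toy block size, and cbc_mac_all_tags, MacOracle and forge are this example's names. The comments track the t_i, t_i', t_i'' of the solution.

```python
import hashlib
import hmac
import secrets

N = 16  # block and tag length n, in bytes here (toy size; the sheet counts bits)


def prf(key: bytes, x: bytes) -> bytes:
    """F_k on n-byte inputs; HMAC-SHA256 truncated to n bytes stands in for the PRF."""
    return hmac.new(key, x, hashlib.sha256).digest()[:N]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))


def cbc_mac_all_tags(key: bytes, m: bytes) -> bytes:
    """The insecure variant from the exercise: t_0 || t_1 || ... || t_L instead of just t_L."""
    assert len(m) % N == 0 and len(m) > 0
    blocks = [m[i : i + N] for i in range(0, len(m), N)]
    t = prf(key, len(blocks).to_bytes(N, "big"))  # t_0 = F_k(L)
    tags = [t]
    for x in blocks:                              # t_{i+1} = F_k(t_i xor m_{i+1})
        t = prf(key, xor(t, x))
        tags.append(t)
    return b"".join(tags)


class MacOracle:
    """Tag oracle of Mac-forge; remembers which messages were queried."""

    def __init__(self, key: bytes):
        self._key = key
        self.queried = set()

    def tag(self, m: bytes) -> bytes:
        self.queried.add(m)
        return cbc_mac_all_tags(self._key, m)


def split_tags(t: bytes):
    return [t[i : i + N] for i in range(0, len(t), N)]


def forge(oracle: MacOracle):
    """Two queries on 2-block messages, then a valid tag for the unqueried message t_0 || t_1'."""
    x, y = secrets.token_bytes(N), secrets.token_bytes(N)
    t0, t1, t2 = split_tags(oracle.tag(x + y))      # t_0 = F_k(2), t_1 = F_k(t_0 xor x)
    t0p, t1p, t2p = split_tags(oracle.tag(t0 + y))  # t_0' = t_0, t_1' = F_k(t_0 xor t_0) = F_k(0^n)
    assert t0p == t0
    m = t0 + t1p
    # For m: t_0'' = F_k(2) = t_0, t_1'' = F_k(0^n) = t_1',
    #        t_2'' = F_k(t_1'' xor t_1') = F_k(0^n) = t_1'.
    return m, t0 + t1p + t1p


def mac_forge_experiment(adversary) -> bool:
    """True iff the adversary's (m, t) verifies and m was never queried."""
    key = secrets.token_bytes(N)
    oracle = MacOracle(key)
    m, t = adversary(oracle)
    return m not in oracle.queried and hmac.compare_digest(cbc_mac_all_tags(key, m), t)


if __name__ == "__main__":
    print("forgery accepted:", mac_forge_experiment(forge))
```

What the run shows is that exposing t_0 hands the adversary a chosen block that cancels the chaining value, after which F_k(0^n) becomes a known constant it can feed back in; the intermediate values of a CBC-MAC are secret state, not part of the tag.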
Exercise 7-3 Consider the following changes to the Merkle-Damgård construction. In which of these cases does the construction still produce a collision-resistant hash function?
a) The message length L is not appended in the last step, i.e. the output is z_B instead of h_s(z_B ‖ L).
Solution (Sketch): This is not collision-resistant in general.
Consider the message 1^k of length k < l(n) (where l(n) is the length of a single block).
In the construction, the last block is padded with zeros. In this case, x_1 = 1^k 0^{l(n)−k}. But the message 1^k 0^{l(n)−k} of length l(n) (this is a different message!) would have the same hash.
For messages that need not be padded, the scheme would be collision-resistant.
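The collision from a), reproduced on a toy Merkle-Damgård chain. This is an added example, not code from the sheet: SHA-256 over a fixed prefix stands in for h_s, the block length l(n) = 8 bits is a toy value, and md_without_length, md_with_length and padding_collision are this example's names. Messages are bit strings, the last block is zero-padded as in the construction, and z_0 = 0^n.

```python
import hashlib

BLOCK_BITS = 8  # l(n), the block length in bits; toy size, not from the sheet


def h_s(inp: bytes) -> bytes:
    """Toy compression function h_s; SHA-256 over a fixed prefix stands in for a keyed h_s."""
    return hashlib.sha256(b"s:" + inp).digest()


def padded_blocks(bits: str):
    """x_1 .. x_B: split into l(n)-bit blocks, the last block padded with zeros."""
    assert bits and set(bits) <= {"0", "1"}
    blocks = [bits[i : i + BLOCK_BITS] for i in range(0, len(bits), BLOCK_BITS)]
    blocks[-1] = blocks[-1].ljust(BLOCK_BITS, "0")
    return blocks


def md_core(bits: str) -> bytes:
    """z_B, computed from z_0 = 0^n by z_i = h_s(z_{i-1} || x_i)."""
    z = bytes(32)
    for x in padded_blocks(bits):
        z = h_s(z + x.encode())
    return z


def md_without_length(bits: str) -> bytes:
    """Variant a): the output is z_B, the length L is not appended."""
    return md_core(bits)


def md_with_length(bits: str) -> bytes:
    """Original construction: h_s(z_B || L), with L the bit length of the message."""
    return h_s(md_core(bits) + str(len(bits)).encode())


def padding_collision(k: int):
    """The pair from the solution: 1^k (k < l(n)) and 1^k 0^{l(n)-k}.
    They are different messages but identical after padding."""
    assert 0 < k < BLOCK_BITS
    return "1" * k, "1" * k + "0" * (BLOCK_BITS - k)


if __name__ == "__main__":
    m1, m2 = padding_collision(3)
    print(m1, m2, md_without_length(m1) == md_without_length(m2),
          md_with_length(m1) == md_with_length(m2))
```

Appending L separates the two inputs in the final compression step, which is precisely why the length block is part of the construction and not an optional detail.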
b) Instead of letting z_0 be a word of all zeros, one chooses some random word IV and sets z_0 := IV. Then one computes z_B as before, i.e. z_i = h_s(z_{i−1} ‖ x_i) for i = 1, …, B, and returns IV ‖ h_s(z_B ‖ L) as the final output.
Solution (Sketch): We show that a collision for H (the function defined in this exercise) leads to a collision for h_s. So if an attacker could find a collision for H, then he could also find one for h_s. If h_s is collision resistant, then the probability of this must be low. So the probability of finding a collision for H must also be low.
Suppose H(x) = H(x') with x ≠ x'. By definition, this means IV ‖ h_s(z_B ‖ L) = IV' ‖ h_s(z_B' ‖ L'). In particular, IV = IV' and h_s(z_B ‖ L) = h_s(z_B' ‖ L'). So we are essentially in the same situation as in the original definition of MD (only with IV instead of 0^n in the initial step).
We can now construct a collision just like in the lecture.
• If L ≠ L', then we have found a collision.
• Otherwise L = L'.
– If z_B ≠ z_B', then we have found a collision.
– If z_B = z_B', then we unfold the definitions z_B = h_s(z_{B−1} ‖ x_B) and z_B' = h_s(z_{B−1}' ‖ x_B') to get h_s(z_{B−1} ‖ x_B) = h_s(z_{B−1}' ‖ x_B'). Now, if x_B ≠ x_B' or z_{B−1} ≠ z_{B−1}', then we have found a collision. Otherwise z_{B−1} = z_{B−1}', and we repeat this last step again. Since x ≠ x', we will eventually arrive at a collision.
c) One completely omits the initial value z_0 and starts the computation with z_1 := x_1. This means that one computes z_i = h_s(z_{i−1} ‖ x_i) for i = 2, …, B, and then returns h_s(z_B ‖ L) as the output.
Solution (Sketch): This scheme is also collision-resistant.
Consider the proof from b). If the messages x and x' already produce a collision in the last step (L ≠ L' or z_B ≠ z_B'), we find it just like there. The remaining step in that proof amounts to showing that if z_i = z_i', then one either has a collision or z_{i−1} = z_{i−1}', first for i = B, then i = B−1, and so on until i = 1. Since in b) we have z_0 = z_0' = IV, we must find a collision at some i ≥ 1.
Here, we can proceed in exactly the same way, first for i = B, then i = B−1, and so on until i = 2. If we arrive at i = 2, then we must find a collision there, for otherwise we would have z_1 = z_1'. This is not possible: if we have not found a collision up to this point, then x_i = x_i' for all i = 2, …, B. But since x ≠ x', we must have x_1 ≠ x_1'. But we also have z_1 = x_1 and z_1' = x_1' by definition, so we cannot have z_1 = z_1'.
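The reductions of b) and c) as an executable procedure, covering both variants. This is an added example and not code from the sheet: h_s is a deliberately tiny toy compression function (one byte of SHA-256 under a constructed key s), so that an H collision can be found by enumeration and the walk-back of the proof can then be run on it; IV, BLOCK, chain, H, extract_hs_collision and find_H_collision are this example's names. Passing iv=None selects variant c), where z_0 is absent and z_1 := x_1, and the walk-back stops at i = 2 as the solution argues.

```python
import hashlib

S = b"toy-s"        # the public key s of h_s; constructed value
IV = bytes([0x2A])  # the random IV of variant b), fixed so the demo is deterministic
BLOCK = 1           # one message block x_i is one byte; chaining values z_i are one byte too


def h_s(inp: bytes) -> bytes:
    """Toy compression function h_s: 2 bytes (z_{i-1} || x_i, or z_B || L) -> 1 byte.
    The tiny output makes H collisions cheap to find; a real h_s would output 256 bits."""
    assert len(inp) == 2 * BLOCK
    return hashlib.sha256(S + inp).digest()[:BLOCK]


def blocks_of(msg: bytes):
    return [msg[i : i + BLOCK] for i in range(0, len(msg), BLOCK)]


def chain(blocks, iv):
    """Chaining values as a list with zs[i] = z_i.
    Variant b): iv given, z_0 = IV.  Variant c): iv is None, z_0 absent and z_1 = x_1."""
    if iv is None:
        zs, rest = [None, blocks[0]], blocks[1:]
    else:
        zs, rest = [iv], blocks
    for x in rest:
        zs.append(h_s(zs[-1] + x))
    return zs


def H(msg: bytes, iv=None) -> bytes:
    """Variant b) (iv given): IV || h_s(z_B || L).  Variant c) (iv None): h_s(z_B || L)."""
    bl = blocks_of(msg)
    tail = h_s(chain(bl, iv)[-1] + len(bl).to_bytes(BLOCK, "big"))
    return tail if iv is None else iv + tail


def extract_hs_collision(x: bytes, x2: bytes, iv=None):
    """The reduction: from H(x) == H(x2) with x != x2, produce u != u2 with h_s(u) == h_s(u2)."""
    assert x != x2 and H(x, iv) == H(x2, iv)
    bl, bl2 = blocks_of(x), blocks_of(x2)
    zs, zs2 = chain(bl, iv), chain(bl2, iv)
    u = zs[-1] + len(bl).to_bytes(BLOCK, "big")
    u2 = zs2[-1] + len(bl2).to_bytes(BLOCK, "big")
    if u != u2:                      # L != L' or z_B != z_B': the last step already collides
        return u, u2
    lowest = 1 if iv is None else 0  # walk back to i = 1 in b), but only to i = 2 in c)
    for i in range(len(bl), lowest, -1):   # here z_i == z_i'; unfold z_i = h_s(z_{i-1} || x_i)
        u, u2 = zs[i - 1] + bl[i - 1], zs2[i - 1] + bl2[i - 1]
        if u != u2:
            return u, u2
        # else z_{i-1} == z_{i-1}' and x_i == x_i': go one step further back
    raise AssertionError("unreachable: x != x2 guarantees that some step differs")


def find_H_collision(iv=None, msg_len=2):
    """Brute force: with a 1-byte h_s, 257 distinct messages must contain an H collision."""
    seen = {}
    for i in range(256 ** msg_len):
        m = i.to_bytes(msg_len, "big")
        d = H(m, iv)
        if d in seen:
            return seen[d], m
        seen[d] = m
    raise RuntimeError("no collision found")


if __name__ == "__main__":
    for variant, iv in (("b", IV), ("c", None)):
        x, x2 = find_H_collision(iv)
        u, u2 = extract_hs_collision(x, x2, iv)
        print(variant, x.hex(), x2.hex(), "->", u.hex(), u2.hex(), h_s(u) == h_s(u2))
```

The shrunken h_s is what makes the H collision findable; the extraction logic itself is exactly the case analysis of the proof and does not depend on the output size, which is the sense in which the reduction transfers collision resistance from h_s to H.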