1- Describe a padding-oracle attack on CTR-mode

encryption assuming PKCS #5 padding is used to pad

messages to a multiple of the block length
before encrypting.

The CTR-mode decryption works according to this

formula: Mi= Fk(ctr+1) xor Ci. According to PKCS
padding, the message ends with a number n between
0 and b, with b equal to the blocksize, L equal to
the message length and n equal to b- Lmodb, so that
L+n is a multiple of b, and n is repeated n
consecutive times. By flipping the first bits of Ci
we can have information on the padding. The moment
the oracle gives a padding error, it is known that
we arrived to the padding, so depending on the
distance from the end of the message it is easy to
tell which is n.
Known n, we can now go as for CBC mode and xor ci
with 00...0 followed by b times b, so that the
padding goes to 0, then xor it again with 0...0i
followed by b+1 repeated b times, so that it will end
with b+1 as padding and the byte in the left of the
padding will give a padding error till we find an i
that brings to a match.
Then we can continue like this recursively, requiring
at most 256 attemps.

2- Prove that the following modifications of basic

CBC-MAC do not yield a secure MAC (even for
fixed-length messages), below m1,...,ml denotes
the message to be authenticated.

a- Mac outputs all blocks t1,...,tl, rather

than just tl.

In this case it can be proved that CBC-MAC

modified this way does not yeld a secure
MAC by showing an attack that can be
performed using the information about the
intermediate states given by t1,...,tl in
the output. Let's have a message splitted
in two blocks m1 and m2. Trying to encrypt
them would result in t1, t2 as output.
The second step can be encrypting a message
in the form m1||t1, so that as output we
would have t1,Fk(0^n). Then it is possible
to try encrypting 0^n||m2 xor t1 xor Fk(0^n),
that would have Fk(0^n),t2 as output and
would authenticate a completely different
message from the original one.

b- Mac samples a random initial vector each

time a message is authenticated and XORs
 it to the first block. That is, choose a
uniform IV ←{0,1}n, and then run CBC-MAC
on the message m0 = IV ⊕m1,m2,...,ml,
and output the tag (IV,tl). Verification
is like for the CBC-MAC where one checks
if t` is a valid tag for m0.

An easy modification to show this wouldn't

be a secure MAC can be applying xor to IV
and m1 with the same constant, so that tl
would stay the same and a modified message
would be authenticated.

3- Recall that the basic CBC-MAC is a mode of

operation that uses a secure PRF
F : {0,1}n ×{0,1}n →{0,1}n to construct a
secure PRF {0,1}n ×{0,1}`·n →{0,1}n, that is,
a PRF for inputs of length ` · n for any fixed
` ∈ N (as a PRF is a MAC, this constitutes also
a MAC for messages of length `·n). Show that
this construction is not necessarily a secure
MAC if F is only a MAC
(for messages of fixed length n) and not a PRF.

Let's build an F like the description requires.

Starting from a PRF F0 which is a secure MAC as
well, we can still have a secure MAC which is
not a PRF such as Fk(mL||mR) = mR||F0(mL||mR).
The information about the message are already
known, so as discussed during the tutorial this
keeps being a secure MAC.
With a message splitted into two blocks, a query
containing a message ad 0^n||0^n would result into
t = Fk(Fk(m1)⊕m2) = Fk(Fk(0n)) =
Fk(0n/2||F0 k(0n)) = F0 k(0n) || F0 k(0n/2||F0 k(0n)
and knowing F0 k(0n), we can forge a tag for the
message m∗ = 0n || t∗, since Fk(Fk(0n)⊕t∗) =
Fk(Fk(0n)⊕Fk(0n)) = Fk(0n) = t