encryption assuming PKCS #5 padding is used to pad
messages to a multiple of the block length before encrypting.
The CTR-mode decryption works according to this
formula: Mi= Fk(ctr+1) xor Ci. According to PKCS padding, the message ends with a number n between 0 and b, with b equal to the blocksize, L equal to the message length and n equal to b- Lmodb, so that L+n is a multiple of b, and n is repeated n consecutive times. By flipping the first bits of Ci we can have information on the padding. The moment the oracle gives a padding error, it is known that we arrived to the padding, so depending on the distance from the end of the message it is easy to tell which is n. Known n, we can now go as for CBC mode and xor ci with 00...0 followed by b times b, so that the padding goes to 0, then xor it again with 0...0i followed by b+1 repeated b times, so that it will end with b+1 as padding and the byte in the left of the padding will give a padding error till we find an i that brings to a match. Then we can continue like this recursively, requiring at most 256 attemps.
2- Prove that the following modifications of basic
CBC-MAC do not yield a secure MAC (even for fixed-length messages), below m1,...,ml denotes the message to be authenticated.
a- Mac outputs all blocks t1,...,tl, rather
than just tl.
In this case it can be proved that CBC-MAC
modified this way does not yeld a secure MAC by showing an attack that can be performed using the information about the intermediate states given by t1,...,tl in the output. Let's have a message splitted in two blocks m1 and m2. Trying to encrypt them would result in t1, t2 as output. The second step can be encrypting a message in the form m1||t1, so that as output we would have t1,Fk(0^n). Then it is possible to try encrypting 0^n||m2 xor t1 xor Fk(0^n), that would have Fk(0^n),t2 as output and would authenticate a completely different message from the original one.
b- Mac samples a random initial vector each
time a message is authenticated and XORs it to the first block. That is, choose a uniform IV ←{0,1}n, and then run CBC-MAC on the message m0 = IV ⊕m1,m2,...,ml, and output the tag (IV,tl). Verification is like for the CBC-MAC where one checks if t` is a valid tag for m0.
An easy modification to show this wouldn't
be a secure MAC can be applying xor to IV and m1 with the same constant, so that tl would stay the same and a modified message would be authenticated.
3- Recall that the basic CBC-MAC is a mode of
operation that uses a secure PRF F : {0,1}n ×{0,1}n →{0,1}n to construct a secure PRF {0,1}n ×{0,1}`·n →{0,1}n, that is, a PRF for inputs of length ` · n for any fixed ` ∈ N (as a PRF is a MAC, this constitutes also a MAC for messages of length `·n). Show that this construction is not necessarily a secure MAC if F is only a MAC (for messages of fixed length n) and not a PRF.
Let's build an F like the description requires.
Starting from a PRF F0 which is a secure MAC as well, we can still have a secure MAC which is not a PRF such as Fk(mL||mR) = mR||F0(mL||mR). The information about the message are already known, so as discussed during the tutorial this keeps being a secure MAC. With a message splitted into two blocks, a query containing a message ad 0^n||0^n would result into t = Fk(Fk(m1)⊕m2) = Fk(Fk(0n)) = Fk(0n/2||F0 k(0n)) = F0 k(0n) || F0 k(0n/2||F0 k(0n) and knowing F0 k(0n), we can forge a tag for the message m∗ = 0n || t∗, since Fk(Fk(0n)⊕t∗) = Fk(Fk(0n)⊕Fk(0n)) = Fk(0n) = t
New Classes of Public Key Cryptosystem K (XVI) SE (1) PKC Constructed Based On Reed-Solomon Code Over Extension Field of M 8 and K (XVI) SE (2) PKC, Based On Binary Cyclic Code