Advanced Cryptography Instructor: Chris Peikert

University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE

This homework is due by 7pm on February 26 via the course Canvas page. Start early!
Instructions. Solutions must be typed, preferably in LATEX (a template for this homework is available on the
course web page). Your work will be graded on correctness, clarity, and concision. You should only submit
work that you believe to be correct; if you cannot solve a problem completely, you will get significantly more
partial credit if you clearly identify the gap(s) in your solution. It is good practice to start any long solution
with an informal (but accurate) “proof summary” that describes the main idea.
You may collaborate with others on this problem set and consult external sources. However, you must write
your own solutions and list your collaborators/sources for each problem.
1. Let F be a pseudorandom function mapping n-bit inputs to n-bit outputs. Show that each of the following
MAC candidates is forgeable under chosen-message attack, even if only used to authenticate fixed-length
messages (so all queries and the forgery messages should be the same length of your choice):
(a) On message m = m1 k · · · km` where each mi ∈ {0, 1}n/2 , output tag
t := Fk (h1ikm1 ) ⊕ · · · ⊕ Fk (h`ikm` ),
where hii ∈ {0, 1}n/2 is the binary encoding of integer i.

Solution: We describe an efficient forger F. The forger first chooses m1 , m2 , m3 , m4 ∈

{0, 1}n/2 such that m1 6= m4 and m2 6= m3 and queries the tag oracle on m1 km2 , m1 km3 ,
and m4 km2 . The oracle responds with corresponding tags:

t1 = Tagk (m1 km2 ) = Fk (h1ikm1 ) ⊕ Fk (h2ikm2 )

t2 = Tagk (m1 km3 ) = Fk (h1ikm1 ) ⊕ Fk (h2ikm3 )
t3 = Tagk (m4 km2 ) = Fk (h1ikm4 ) ⊕ Fk (h2ikm2 ).

The attacker then forges the tag for m4 km3 by outputting (m4 km3 , t1 ⊕ t2 ⊕ t3 ). Observe that:

t1 ⊕ t2 ⊕ t3 = Fk (h1ikm4 ) ⊕ Fk (h2ikm3 ) = Tagk (m4 km3 ).

Also notice that none of the three queries to the tag oracle is equal to m4 km3 , therefore
Advuf-cma (F) = 1, which is non-negligible.

(b) On message m = m1 k · · · km` where each mi ∈ {0, 1}n , choose a uniformly random r ← {0, 1}n
and output tag rkt, where
t := Fk (r) ⊕ Fk (m1 ) ⊕ Fk (Fk (m2 )) ⊕ · · · ⊕ Fk` (m` ).

Solution: We describe an efficient forger F. The attacker first chooses an arbitrary m ∈ {0, 1}n
and queries the tag oracle on m. The oracle responds with rkt. Then F forges for message
m0 = r by outputting tag mkt. Observe that
Fk (m) ⊕ Fk (m0 ) = Fk (m) ⊕ Fk (r) = t.
Furthermore, m0 = m if and only if r = m, which happens with probability 1
2n . Therefore,
Advuf-cma (F) ≥ 1 − 21n , which is non-negligible.
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE

2. In this problem you will prove that the following modification of CBC-MAC is unforgeable under
chosen-message attack, even for messages of varying lengths. (For simplicity, throughout this problem
we assume that all messages are a positive multiple of the block length.)
To tag a message m, first compute k` = Fk (h`i), where ` is the number of blocks in m. Then compute
and output the standard CBC-MAC tag on message m using key k` .
(a) First consider a hybrid UF-CMA attack game in which the Tag oracle instead computes k` = U (h`i)
for a uniformly random function U . Prove formally (via reduction) that the advantage of any
efficient forger F in this game is only negligibly different from its advantage in the real game.

Solution: Let H0 be the real game and H1 be the modified game which uses a uniformly
random function U instead of Fk . Using F we build a distinguisher A against the pseudoran-
domness of F . Formally, given an oracle O, A runs F and when F queries its tag oracle on
a message m, A computes k` = O(h`i) and then returns the basic CBC-MAC tag using k` .
Finally, A accepts if F outputs a valid forgery (m∗ , t∗ ), which A can test (by querying O if
necessary); otherwise it rejects. We have:

Pr[AFk = 1] = AdvH0 (F) = Advuf-cma (F)

k
Pr[AU = 1] = AdvH1 (F).
U

Therefore, AdvF (A) = Advuf-cma (F) − AdvH1 (F). Since F is a pseudorandom function,
AdvF (A) = negl(n), which proves the claim.

(b) Consider an efficient forger F that runs in time p(n) = poly(n). In particular, the message m∗ in
its attempted forgery is at most p(n) blocks long. Prove that there exists some i ∈ {1, . . . , p(n)}
such that the probability that F successfully forges on a message m∗ of length exactly i blocks is at
least Advuf-cma (F)/p(n).

Solution: For i ∈ {1, . . . , p(n)} define qi to be the probability that F successfully forges and
its forged message m∗ has length exactly i blocks. Because these events are mutually disjoint,
p(n)
X
uf-cma
Adv (F) = qi
i=1
≤ p(n) · max qi .
i

Therefore maxi qi ≥ Advuf-cma (F)/p(n).

(c) Using the previous parts, complete the proof of the claim. (You can rely on the fact that CBC-MAC
itself is unforgeable for messages of any fixed length.)

Solution: Let F be an efficient forger running in time p(n) = poly(n). By the previous
parts, there is some i ∈ {1, . . . , p(n)} such that with probability at least (Advuf-cma (F) −
negl(n))/p(n), F successfully forges in game H1 and its forged message m∗ has length
exactly i blocks.
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE

We use F to construct an efficient forger F 0 that plays the UF-CMA attack game against CBC-
MAC for messages of length exactly i blocks. It works as follows: F has an tag oracle Tagk (·)
for CBC-MAC (for some random key k), and runs F (which expects to play experiment H1 ).
When F queries a message m of length ` blocks, if ` = i then F 0 queries t ← Tagk (m) and
returns t to F; otherwise, F 0 lets k` = U (h`i) for a uniformly random function U that it (lazily)
chooses itself, and returns to F the CBC-MAC of m under key k` . Finally, when F 0 outputs a
(potential) forgery (m∗ , t∗ ), F outputs the same as its attempted forgery.
One can verify that because U is a uniformly random function, and the CBC-MAC key k in
F’s game is also uniformly random, F 0 perfectly simulates game H1 to F. Moreover, F 0 wins
its forgery game with exactly the same probability that F forges in game H1 and its forged
message m∗ has length exactly i blocks. Therefore,
0
Advuf-cma
CBC-MAC (F ) ≥ (Adv
uf-cma
(F) − negl(n))/p(n).

Because CBC-MAC is UF-CMA secure for messages of any fixed length (by hypothesis),
the left-hand side is negligible. Rearranging terms tells yields Advuf-cma (F) = negl(n), as
desired.

3. In this problem you will show a separation between authenticated and IND-CCA-secure encryption, i.e.,
a scheme that satisfies the latter but not the former. (Recall that the former implies the latter.)
Let F be a strong pseudorandom permutation on n-bit inputs.1 Define the following encryption scheme
for n/2-bit messages: to encrypt a message m ∈ {0, 1}n/2 , choose a uniformly random r ∈ {0, 1}n/2
and output ciphertext c := Fk (mkr). Decryption works in the expected way.
(a) Show that the above is not a secure authenticated encryption scheme.

Solution: We describe an efficient forger F, which just outputs an arbitrary string c ∈ {0, 1}n
without making any queries. Let Fk−1 (c) = m0 km1 . It is easy to check that the decrypting c
outputs m0 6= ⊥, so c counts as a valid forgery.

(b) Prove (by hybrid argument and reduction) that the above scheme is IND-CCA secure, assuming
that F is a strong PRP.

Solution: Let Enck and Deck denote the encryption and decryption algorithms in this scheme.
Define EncP and DecP −1 to be the same as Enck and Deck except that instead of using Fk and
Fk−1 they use a permutation P and its inverse P −1 . Define the following hybrid games:

• H0 is the IND-CCA game in which the encryption, decryption and challenge oracles are:
hEnck (·), Deck (·), Ek0 (·, ·)i where k ← K is chosen uniformly at random. (This is the
“left” game in the IND-CCA definition.)

• H1 is the game in which the encryption, decryption and challenge oracles are:
hEncP (·), DecP −1 (·), EP0 (·, ·)i where P is a uniformly random permutation.

1
Recall that for a strong PRP, oracle access to Fk (·) and Fk−1 (·) for random key k is indistinguishable from oracle access to P (·)
and P −1 (·) for a uniformly random permutation P .
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE

• H2 is the game in which the encryption, decryption and challenge oracles are:
hEncP (·), DecP −1 (·), EP1 (·, ·)i where P is a uniformly random permutation.

• H3 is the game in which the encryption, decryption and challenge oracles are:
hEnck (·), Deck (·), Ek1 (·, ·)i where k ← K is chosen uniformly at random. (This is the
“right” game in the IND-CCA definition.)

By definition, for any adversary A we have

AdvH0 ,H4 (A) = AdvH0 ,H1 (A) + AdvH1 ,H2 (A) + AdvH2 ,H3 (A) + AdvH3 ,H4 (A).

We show that each term on the right-hand side is negligible.

H0 and H1 are computationally indistinguishable. Since F is a strong pseudorandom permuta-
tion this follows by a straightforward reduction: given access to two oracles O, O−1 which are
either Fk , Fk−1 or P, P −1 for a uniformly random permutation P , the reduction can simulate
either H0 or H1 (respectively) by running EncO , DecO−1 to answer queries to its oracles.
H1 and H2 are statistically indistinguishable. We claim that H1 and H2 are identical, as long
as certain “bad” events, i.e., queries to P and P −1 , do not occur. Specifically, let r ∈ {0, 1}n/2
be the randomness chosen by the EP0 oracle on challenge messages m0 , m1 . The “bad” events
are that a query to EncP results in querying P on rkm0 or rkm1 ; and a query to DecP −1 results
in querying P −1 on y0 = P (rkm0 ) or y1 = P (rkm1 ).
The games are identical subject to these “bad” events not occurring, because we can swap y0 , y1
as the respective outputs of P (rkm0 ) and P (rkm1 ), thus switching from game H1 to H2 , yet
all the adversary’s queries are answered in exactly the same way. (Note that this would not be
true if one of the “bad” queries occurred.)
Now we bound the probability that a “bad” query occurs, even for an adversary that may try
to make it happen. By the union bound, the probability that EncP ever chooses the same r
that EP0 chose is poly(n)/2n/2 = negl(n). By definition of the CCA attack, the adversary
may not query DecP −1 on y0 . Finally, the probability that the adversary queries DecP −1
on y1 = P (rkm1 ) is negligible, because it must guess y1 to do so, and y1 is a uniformly
random string that is different from all other outputs of EncP and EP0 that the adversary sees.
Therefore, the probability that a “bad” event occurs is negligible, and the claim follows.
H2 and H3 are computationally indistinguishable. This follows by repeating the arguments
made above. This completes the proof.