Professional Documents
Culture Documents
This homework is due by 7pm on February 26 via the course Canvas page. Start early!
Instructions. Solutions must be typed, preferably in LATEX (a template for this homework is available on the
course web page). Your work will be graded on correctness, clarity, and concision. You should only submit
work that you believe to be correct; if you cannot solve a problem completely, you will get significantly more
partial credit if you clearly identify the gap(s) in your solution. It is good practice to start any long solution
with an informal (but accurate) “proof summary” that describes the main idea.
You may collaborate with others on this problem set and consult external sources. However, you must write
your own solutions and list your collaborators/sources for each problem.
1. Let F be a pseudorandom function mapping n-bit inputs to n-bit outputs. Show that each of the following
MAC candidates is forgeable under chosen-message attack, even if only used to authenticate fixed-length
messages (so all queries and the forgery messages should be the same length of your choice):
(a) On message m = m1 k · · · km` where each mi ∈ {0, 1}n/2 , output tag
t := Fk (h1ikm1 ) ⊕ · · · ⊕ Fk (h`ikm` ),
where hii ∈ {0, 1}n/2 is the binary encoding of integer i.
The attacker then forges the tag for m4 km3 by outputting (m4 km3 , t1 ⊕ t2 ⊕ t3 ). Observe that:
Also notice that none of the three queries to the tag oracle is equal to m4 km3 , therefore
Advuf-cma (F) = 1, which is non-negligible.
(b) On message m = m1 k · · · km` where each mi ∈ {0, 1}n , choose a uniformly random r ← {0, 1}n
and output tag rkt, where
t := Fk (r) ⊕ Fk (m1 ) ⊕ Fk (Fk (m2 )) ⊕ · · · ⊕ Fk` (m` ).
Solution: We describe an efficient forger F. The attacker first chooses an arbitrary m ∈ {0, 1}n
and queries the tag oracle on m. The oracle responds with rkt. Then F forges for message
m0 = r by outputting tag mkt. Observe that
Fk (m) ⊕ Fk (m0 ) = Fk (m) ⊕ Fk (r) = t.
Furthermore, m0 = m if and only if r = m, which happens with probability 1
2n . Therefore,
Advuf-cma (F) ≥ 1 − 21n , which is non-negligible.
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE
2. In this problem you will prove that the following modification of CBC-MAC is unforgeable under
chosen-message attack, even for messages of varying lengths. (For simplicity, throughout this problem
we assume that all messages are a positive multiple of the block length.)
To tag a message m, first compute k` = Fk (h`i), where ` is the number of blocks in m. Then compute
and output the standard CBC-MAC tag on message m using key k` .
(a) First consider a hybrid UF-CMA attack game in which the Tag oracle instead computes k` = U (h`i)
for a uniformly random function U . Prove formally (via reduction) that the advantage of any
efficient forger F in this game is only negligibly different from its advantage in the real game.
Solution: Let H0 be the real game and H1 be the modified game which uses a uniformly
random function U instead of Fk . Using F we build a distinguisher A against the pseudoran-
domness of F . Formally, given an oracle O, A runs F and when F queries its tag oracle on
a message m, A computes k` = O(h`i) and then returns the basic CBC-MAC tag using k` .
Finally, A accepts if F outputs a valid forgery (m∗ , t∗ ), which A can test (by querying O if
necessary); otherwise it rejects. We have:
Therefore, AdvF (A) = Advuf-cma (F) − AdvH1 (F). Since F is a pseudorandom function,
AdvF (A) = negl(n), which proves the claim.
(b) Consider an efficient forger F that runs in time p(n) = poly(n). In particular, the message m∗ in
its attempted forgery is at most p(n) blocks long. Prove that there exists some i ∈ {1, . . . , p(n)}
such that the probability that F successfully forges on a message m∗ of length exactly i blocks is at
least Advuf-cma (F)/p(n).
Solution: For i ∈ {1, . . . , p(n)} define qi to be the probability that F successfully forges and
its forged message m∗ has length exactly i blocks. Because these events are mutually disjoint,
p(n)
X
uf-cma
Adv (F) = qi
i=1
≤ p(n) · max qi .
i
(c) Using the previous parts, complete the proof of the claim. (You can rely on the fact that CBC-MAC
itself is unforgeable for messages of any fixed length.)
Solution: Let F be an efficient forger running in time p(n) = poly(n). By the previous
parts, there is some i ∈ {1, . . . , p(n)} such that with probability at least (Advuf-cma (F) −
negl(n))/p(n), F successfully forges in game H1 and its forged message m∗ has length
exactly i blocks.
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE
We use F to construct an efficient forger F 0 that plays the UF-CMA attack game against CBC-
MAC for messages of length exactly i blocks. It works as follows: F has an tag oracle Tagk (·)
for CBC-MAC (for some random key k), and runs F (which expects to play experiment H1 ).
When F queries a message m of length ` blocks, if ` = i then F 0 queries t ← Tagk (m) and
returns t to F; otherwise, F 0 lets k` = U (h`i) for a uniformly random function U that it (lazily)
chooses itself, and returns to F the CBC-MAC of m under key k` . Finally, when F 0 outputs a
(potential) forgery (m∗ , t∗ ), F outputs the same as its attempted forgery.
One can verify that because U is a uniformly random function, and the CBC-MAC key k in
F’s game is also uniformly random, F 0 perfectly simulates game H1 to F. Moreover, F 0 wins
its forgery game with exactly the same probability that F forges in game H1 and its forged
message m∗ has length exactly i blocks. Therefore,
0
Advuf-cma
CBC-MAC (F ) ≥ (Adv
uf-cma
(F) − negl(n))/p(n).
Because CBC-MAC is UF-CMA secure for messages of any fixed length (by hypothesis),
the left-hand side is negligible. Rearranging terms tells yields Advuf-cma (F) = negl(n), as
desired.
3. In this problem you will show a separation between authenticated and IND-CCA-secure encryption, i.e.,
a scheme that satisfies the latter but not the former. (Recall that the former implies the latter.)
Let F be a strong pseudorandom permutation on n-bit inputs.1 Define the following encryption scheme
for n/2-bit messages: to encrypt a message m ∈ {0, 1}n/2 , choose a uniformly random r ∈ {0, 1}n/2
and output ciphertext c := Fk (mkr). Decryption works in the expected way.
(a) Show that the above is not a secure authenticated encryption scheme.
Solution: We describe an efficient forger F, which just outputs an arbitrary string c ∈ {0, 1}n
without making any queries. Let Fk−1 (c) = m0 km1 . It is easy to check that the decrypting c
outputs m0 6= ⊥, so c counts as a valid forgery.
(b) Prove (by hybrid argument and reduction) that the above scheme is IND-CCA secure, assuming
that F is a strong PRP.
Solution: Let Enck and Deck denote the encryption and decryption algorithms in this scheme.
Define EncP and DecP −1 to be the same as Enck and Deck except that instead of using Fk and
Fk−1 they use a permutation P and its inverse P −1 . Define the following hybrid games:
• H0 is the IND-CCA game in which the encryption, decryption and challenge oracles are:
hEnck (·), Deck (·), Ek0 (·, ·)i where k ← K is chosen uniformly at random. (This is the
“left” game in the IND-CCA definition.)
• H1 is the game in which the encryption, decryption and challenge oracles are:
hEncP (·), DecP −1 (·), EP0 (·, ·)i where P is a uniformly random permutation.
1
Recall that for a strong PRP, oracle access to Fk (·) and Fk−1 (·) for random key k is indistinguishable from oracle access to P (·)
and P −1 (·) for a uniformly random permutation P .
Advanced Cryptography Instructor: Chris Peikert
University of Michigan, Winter 2016 Homework 4 Student: YOUR NAME HERE
• H2 is the game in which the encryption, decryption and challenge oracles are:
hEncP (·), DecP −1 (·), EP1 (·, ·)i where P is a uniformly random permutation.
• H3 is the game in which the encryption, decryption and challenge oracles are:
hEnck (·), Deck (·), Ek1 (·, ·)i where k ← K is chosen uniformly at random. (This is the
“right” game in the IND-CCA definition.)
AdvH0 ,H4 (A) = AdvH0 ,H1 (A) + AdvH1 ,H2 (A) + AdvH2 ,H3 (A) + AdvH3 ,H4 (A).