Acknowledgement
A tribute to Katz J, Lindell Y. Introduction to Modern Cryptography. Chapman and Hall/CRC, 2014. The legitimate edition of this book is recommended.
4.1 Say $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is a secure MAC, and for $k \in \{0,1\}^n$ the tag-generation algorithm $\mathsf{Mac}_k$ always outputs tags of length $t(n)$. Prove that $t$ must be super-logarithmic or, equivalently, that if $t(n) = O(\log n)$ then $\Pi$ cannot be a secure MAC.
4.2 Consider the following fixed-length MAC for messages of length $\ell(n) = 2n - 2$ using a pseudorandom function $F$: On input a message $m_0 \| m_1$ (with $|m_0| = |m_1| = n - 1$) and key $k \in \{0,1\}^n$, algorithm $\mathsf{Mac}$ outputs $t = F_k(0 \| m_0) \| F_k(1 \| m_1)$. Algorithm $\mathsf{Vrfy}$ is defined in the natural way. Is $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ existentially unforgeable under a chosen-message attack? Prove your answer.
4.3 Let $F$ be a pseudorandom function. Show that the following MAC for messages of length $2n$ is insecure: The shared key is a random $k \in \{0,1\}^n$. To authenticate a message $m_1 \| m_2$ with $|m_1| = |m_2| = n$, compute the tag $\langle F_k(m_1), F_k(F_k(m_2)) \rangle$.
4.4 Let $F$ be a pseudorandom function. Show that each of the following message authentication codes is insecure. (In each case the shared key is a random $k \in \{0,1\}^n$.)
To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^n$, compute $t := F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$.
To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^n$, choose $r \leftarrow \{0,1\}^n$ at random, compute $t := F_k(r) \oplus F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$, and send $\langle r, t \rangle$.
To authenticate a message $m = m_1 \| \cdots \| m_\ell$, where $m_i \in \{0,1\}^{n/2}$, choose $r \leftarrow \{0,1\}^n$ at random, compute $t := F_k(r) \oplus F_k(\langle 1 \rangle \| m_1) \oplus \cdots \oplus F_k(\langle \ell \rangle \| m_\ell)$, where $\langle i \rangle$ is an $n/2$-bit encoding of the integer $i$, and send $\langle r, t \rangle$.
4.5 Consider an extension of the definition of secure message authentication where the adversary is provided with both a Mac and a Vrfy oracle.
Provide a formal definition of security in this case, and explain what real-world adversarial actions are modeled by providing the adversary with a Vrfy oracle.
Show that if $\Pi$ has unique tags (cf. Section 4.8), then $\Pi$ satisfies your definition if it satisfies Definition 4.2.
Show that if $\Pi$ does not have unique tags, then $\Pi$ may satisfy Definition 4.2 but not your definition.
Make a slight modification to Definition 4.2 and consider the following experiment $\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(\lambda)$:
A random key $k$ is generated by running $\mathsf{Gen}(1^\lambda)$.
The adversary $\mathcal{A}$ is given input $1^\lambda$ and oracle access to $\mathsf{Mac}_k(\cdot)$ and $\mathsf{Vrfy}_k(\cdot)$, where $\mathcal{O}_{\mathsf{Mac}}(m)$, given a message $m$, outputs a tag $t$ on $m$, and $\mathcal{O}_{\mathsf{Vrfy}}(m, t)$, given a pair $(m, t)$, outputs a bit $b$. The adversary eventually outputs a pair $(m^*, t^*)$. Let $Q$ denote the set of all queries that $\mathcal{A}$ asked to the oracle $\mathsf{Mac}_k(\cdot)$.
The output of the experiment is defined to be 1 if and only if (1) $\mathsf{Vrfy}_k(m^*, t^*) = 1$ and (2) $m^* \notin Q$.
(Definition) A message authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$ there exists a negligible function $\mathsf{negl}$ such that $\Pr[\mathsf{Mac\text{-}forge}_{\mathcal{A},\Pi}(\lambda) = 1] \le \mathsf{negl}(\lambda)$.
4.7 Prove that Construction 4.5 is secure if it is changed as follows: Instead of including $\ell$ in every block, set $t_i := F_k(r \| b \| i \| m_i)$ where $b$ is a single bit such that $b = 0$ in all blocks but the last one, and $b = 1$ in the last block. What is the advantage of this modification?
4.8 Show that the basic CBC-MAC construction is not secure when used to authenticate messages of different lengths.
Recall Construction 4.9, in which algorithm $\mathsf{Mac}$ works as follows:
Parse $m$ as $m = m_1, \ldots, m_\ell$ where each $m_i$ is of length $n$, and set $t_0 := 0^\lambda$.
For $i = 1$ to $\ell$, set $t_i := F_k(t_{i-1} \oplus m_i)$.
Output $t_\ell$ as the tag.
When the message length $|m|$ is not fixed, the adversary $\mathcal{A}$ can complete the attack with two queries to the $\mathcal{O}_{\mathsf{Mac}}$ oracle:
First, set $m^{(1)} = m$ and obtain $t^{(1)} = F_k(0^\lambda \oplus m)$;
Second, set $m^{(2)} = t^{(1)}$ and obtain $t^{(2)} = F_k(0^\lambda \oplus t^{(1)})$;
Finally, output the forgery $(m^* = m \| 0^\lambda,\ t^* = t^{(2)})$.
Additional question: Show that appending the message length to the end of the message before applying basic CBC-MAC does not result in a secure MAC for arbitrary-length messages.
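As an added example that is not part of these notes or the textbook, the two-query forgery above is run in Python against a toy basic CBC-MAC, with $F_k$ instantiated as truncated HMAC-SHA256 (an assumption; the exercise leaves $F$ abstract), next to a length-prepending variant (the block count goes in as the first block, rather than being appended as in the additional question) under which the same forgery is rejected.

```python
import hmac
BLOCK = 16  # block length n, in bytes

def prf(k: bytes, x: bytes) -> bytes:
    # F_k(x) on one n-byte block: HMAC-SHA256 truncated to n bytes (an
    # assumption standing in for the block cipher a real CBC-MAC would use).
    assert len(x) == BLOCK
    return hmac.new(k, x, "sha256").digest()[:BLOCK]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def split_blocks(m: bytes) -> list:
    assert m and len(m) % BLOCK == 0, "message must be a nonzero multiple of n"
    return [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]

def cbc_chain(k: bytes, blocks: list) -> bytes:
    # t_0 = 0^n, t_i = F_k(t_{i-1} xor m_i); returns t_l.
    t = bytes(BLOCK)
    for mi in blocks:
        t = prf(k, xor(t, mi))
    return t

def basic_cbc_mac(k: bytes, m: bytes) -> bytes:
    # Construction 4.9 applied to messages of any number of blocks.
    return cbc_chain(k, split_blocks(m))

def prefixed_cbc_mac(k: bytes, m: bytes) -> bytes:
    # Length-prepending variant: the block count is fed in as an extra first
    # block, so chains for messages of different lengths diverge at once.
    blocks = split_blocks(m)
    return cbc_chain(k, [len(blocks).to_bytes(BLOCK, "big")] + blocks)

def vrfy(mac, k: bytes, m: bytes, t: bytes) -> bool:
    return hmac.compare_digest(mac(k, m), t)

def two_query_forgery(mac_oracle, m: bytes):
    # The attack from the text: t1 = Mac(m), t2 = Mac(t1); then (m || 0^n, t2)
    # verifies under basic CBC-MAC although m || 0^n was never queried.
    t1 = mac_oracle(m)
    t2 = mac_oracle(t1)
    return m + bytes(BLOCK), t2

def forgery_verifies(mac) -> bool:
    # True iff the two-query forgery passes Vrfy under `mac`; the key and
    # message are constructed sample values.
    k = b"constructed-sample-key-32-bytes!"
    m = b"one block of msg"  # exactly one n-byte block
    m_star, t_star = two_query_forgery(lambda x: mac(k, x), m)
    return vrfy(mac, k, m_star, t_star)
```

`forgery_verifies(basic_cbc_mac)` returns True and `forgery_verifies(prefixed_cbc_mac)` returns False, which is the whole point of fixing the chain's starting state to the message length.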
4.9 Prove that the following modifications of CBC-MAC do not yield a secure fixed-length MAC:
Modify CBC-MAC so that a random IV is used each time a tag is computed (and the IV is output along with $t_\ell$). I.e., $t_0 \leftarrow \{0,1\}^n$ is chosen uniformly at random rather than being fixed to $0^n$, and the tag is $t_0, t_\ell$.
Modify CBC-MAC so that all blocks $t_1, \ldots, t_\ell$ are output (rather than just $t_\ell$).