Introductionto Modern Cryptograph 第四章部分課後題答案（上）

Acknowledge
致敬Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. 推薦該書正版。

4.1 Say $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is a secure MAC, and for $k \in \{0, 1\}^n$ the tag-generation algorithm $\mathsf{Mac}_k$ always outputs tags of length $t(n)$. Prove that $t$ must be super-logarithmic or, equivalently, that if $t(n) = \mathcal{O}(\mathsf{log} ~ n)$ then $\Pi$ cannot be a secure MAC.

假設$t(n) = \mathcal{O}(\mathsf{log} ~ n)$，那麼存在常數$c$使得$t(n) = c \cdot \mathsf{log} ~ n$，即$\mathsf{Mac}$算法的輸出共有$2^{c \cdot log ~n} = n^c$種可能，敵手$\mathcal{A}$在挑戰遊戲中隨機挑選消息$m^*$，設置$t^* \gets \{0, 1\}^{t(n)}$，成功使得$\mathsf{Mac}_k(m^*) = t^*$的概率爲$1 / n^c$，而$1 / n^c > \mathsf{negl}(n)$，顯然方案$\Pi$不安全。

---

4.2 Consider the following fixed-length MAC for messages of length $\ell(n) = 2n-2$ using a pseudorandom function $F$: On input a message $m_0 || m_1$ (with $|m_0| = |m_1| = n-1$) and key $k \in \{0, 1\}^n$, algorithm $\mathsf{Mac}$ outputs $t = F_k(0 || m_0) || F_k(1 || m_1)$. Algorithm $\mathsf{Vrfy}$ is defined in the natural way. Is $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ existentially unforgeable under a chosen-message attack? Prove your answer.

方案$\Pi$依舊不安全，直覺上其安全性證明無法正確規約到相關困難問題假設上。接下來舉一個例子來具體說明爲何$\Pi$不安全：敵手$\mathcal{A}$挑選$m = m_0 || m_1$提交給諭言機得到$t = F_k(0 || m_0) || F_k(1 || m_1)$，接下來$\mathcal{A}$挑選$m' = m'_0 || m'_1$提交給諭言機得到$t' = F_k(0 || m'_0) || F_k(1 || m'_1)$，最後，$\mathcal{A}$提交$m^* = m_0 || m'_1$與$t^* = F_k(0 || m_0) || F_k(1 || m'_1)$作爲有效僞造。

---

4.3 Let $F$ be a pseudorandom function. Show that the following MAC for messages of length $2n$ is insecure: The shared key is a random $k \in \{0, 1\}^n$. To authenticate a message $m_1 || m_2$ with $|m_1| = |m_2| = n$, compute the tag $\big< F_k(m_1), F_k \big( F_k(m_2) \big) \big>$.

類似題目4.2，首先，$\mathcal{A}$提交$m = m_1 || m_2$得到$t = \big<t_1, t_2 \big>$，然後提交$m' = m'_1 || m'_2$得到$t' = \big< t'_1, t'_2 \big>$，最後提交$m^* = m_1 || m'_2$與$t^* = \big< t_1, t'_2 \big>$作爲有效僞造。

---

4.4 Let $F$ be a pseudorandom function. Show that each of the following message authentication codes is insecure. (In each case the shared key is a random $k \in \{0, 1\}^n$.)

• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^n$, compute $t := F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$.
• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^n$, choose $r \gets \{0, 1\}^n$ at random, compute $t := F_k(r) \oplus F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$, and send $\big< r, t \big>$.
• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^{n/2}$, choose $r \gets \{0, 1\}^n$ at random, compute
  $t:=F_k(r) \oplus F_k(\big<1\big>||m_1) \oplus \cdots \oplus F_k(\big<\ell\big> || m_\ell)$
  where $\big<i\big>$ is an $n/2$-bit encoding of the interger $i$, and send $\big<r, t\big>$.

注意MAC的輸入是任意長度的消息$m \in \{0, 1\}^*$。
第一種情形，$\mathcal{A}$向諭言機問詢$m=m_1||m_2$得到$t=F_k(m_1)\oplus F_k(m_2)$，隨後提交$m^* = m_2 || m_1$與$t^* = t$。
第二種情形，攻擊跟第一種情形類似。
第三種情形，加入了$\big<i\big>$防止$\mathcal{A}$打亂消息塊的順序，但仍然存在缺陷，注意消息$m$是任意長度，$\mathcal{A}$可以設置$m^* = m_1$，$t^* = \big< \big<1\big>||m_1, 0^n \big>$，直接輸出僞造。

---

4.5 Consider an extension of the definition of secure message authentication where the adversary is provided with both a $\mathsf{Mac}$ and a $\mathsf{Vrfy}$ oracle.

• Provide a formal definition of security in this case, and explain what real-world adversarial actions are modeled by providing the adversary with a $\mathsf{Vrfy}$ oracle.
• Show that if $\Pi$ has unique tags (c.f. Section 4.8), then $\Pi$ satisfies your definition if it satisfies Definition 4.2.
• Show that if $\Pi$ does not have unique tags, then $\Pi$ may satisfy Definition 4.2 but not your definition.

對Definition 4.2作出輕微修改，考慮如下實驗$\mathsf{Mac}\text{-}\mathsf{forge}_{\mathcal{A}, \Pi}(\lambda)$：

1. A random key $k$ is generated by running $\mathsf{Gen}(1^\lambda)$.
2. The adversary $\mathcal{A}$ is given input $1^\lambda$ and oracle access to $\mathsf{Mac}_k(\cdot)$ and $\mathsf{Vrfy}_k(\cdot)$. The adversary eventually outputs a pair $(m^*, t^*)$. Let $\mathcal{Q}$ denote the set of all queries that $\mathcal{A}$ asked to oracle $\mathsf{Mac}_k(\cdot)$.
   $\mathcal{O}_\mathsf{Mac}(m)$: given a message $m$, output a tag $t$ on $m$.
   $\mathcal{O}_\mathsf{Vrfy}(m, t)$: given a pair $(m, t)$, output a bit $b$.
3. The output of the experiment is defined to be $1$ if and only if (1) $\mathsf{Vrfy}_k(m^*, t^*) = 1$ and (2) $m^* \notin \mathcal{Q}$.

(Definition) Amessage authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathsf{negl}$ such that
$\mathrm{Pr} [ \mathsf{Mac}\text{-}\mathsf{forge}_{\mathcal{A}, \Pi}(\lambda) = 1 ] \leq \mathsf{negl}(\lambda).$

考慮側信道攻擊環境下的諭言機$\mathcal{O}_{\mathsf{Vrfy}}(\cdot)$，假設此時敵手不僅可以獲知$\mathsf{Vrfy}$的輸出$b$，並且可以獲知算法運行時間。接下來舉一個例子。當MAC採用確定性算法時，算法$\mathsf{Vrfy}(k, m, t)$工作如下：計算$\tilde{t} := \mathsf{Mac}(k, m)$，比較$\tilde{t} \overset{?}{=} t$，輸出布爾變量$b$，比較$(\tilde{t}, t)$時使用C語言函數strcmp。思考C語言對於布爾表達式False & True的判斷，strcmp算法對於不同的$t$會有不同的運行時間，敵手監聽運行MAC算法的智能家電用具，對消息$m$僞造$t = 0^\lambda$，跟着根據strcmp算法的運行時間，逐次修改特定比特位，此時僅需訪問$\lambda$次$\mathcal{O}_{\mathsf{Vrfy}}$。上述例子就是$\mathcal{O}_{\mathsf{Vrfy}}$的意義，同時可見本題所給定義仍然不夠strong（推薦反覆思考書中關於安全定義是否太過strong的原話，以進一步加深理解）。

當算法$\mathsf{Mac}$是確定性算法時（即對於一條密鑰$k$一個消息$m$僅有一個有效標籤$t$），上述定義中僅輸出$b$值的諭言機$\mathcal{O}_{\mathsf{Vrfy}}$對於敵手$\mathcal{A}$來說意義不大，$\mathcal{A}$完全不能從$\mathcal{O}_{\mathsf{Vrfy}}$中學到新的知識。

思考如下方案$\Pi' = (\mathsf{Gen}', \mathsf{Mac}', \mathsf{Vrfy}')$，它滿足安全定義Definition 4.2，但不滿足本題安全定義。

假設$\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$是滿足安全定義Definition 4.2的消息鑑別碼方案。

• $\mathsf{Gen}'(1^\lambda) \to k$：運行$k \gets \mathsf{Gen}(1^\lambda)$，設置$k' := k$並輸出。
• $\mathsf{Mac}'(k', m) \to t'$：運行$t := \mathsf{Mac}(k, m)$，設置$t' := t || \big<0\big>$並輸出（注意本算法符號$\gets$和符號$:=$的運用）。
• $\mathsf{Vrfy}'(k', m, t') \to b'$：解析$t' = t || \big<i\big>$，運行$b \gets \mathsf{Vrfy}(k, m, t)$，若$b = 1$且$i = 0$，設置$b' := b$並輸出；若$b = 1$且$i > 0$，設置$b' := k[i]$並輸出（其中$k[i]$表示密鑰$k$的第$i$個比特）；否則設置$b' := 0$並輸出。

算法正確性易分析，滿足定義4.2同樣易證明。

敵手有了驗證諭言機後，先訪問標籤生成諭言機得到$(m, t||\big<0\big>)$，再通過修改$\big<i\big>$訪問$\lambda - 1$次驗證諭言機可恢復出密鑰$k$。

---

4.7 Prove that Construction 4.5 is secure if it is changed as follows: Instead of including $\ell$ in every block, set $t_i := F_k(r \| b \| i \| m_i)$ where $b$ is a single bit such that $b = 0$ in all blocks but the last one, and $b=1$ in the last block. What is the advantage of this modification?

本題安全性證明與Construction 4.5大同小異，易證$\mathcal{A}$的$q(\lambda)$次諭言機訪問出現重複的$r$的概率可忽略，假設$\mathcal{A}$最終輸出有效僞造$(m^*, t^*)$，分爲3種情況：

（1）$r^*$與$q(\lambda)$次諭言機訪問中的$r$都不相同，那麼$(r^* \| 0 \| 1 \| m^*_1, t^*_1)$可作爲$\Pi'$的有效僞造；
（2）$r^*$與$q(\lambda)$次諭言機訪問中的某個$r$相同，而$|m^*|$與該$r$對應的$|m|$不相同，那麼$b$值爲$1$的$(r^* \| 1 \| i \| m_i, t^*_i)$可作爲$\Pi'$的有效僞造；
（3）$r^*$與$q(\lambda)$次諭言機訪問中的某個$r$相同，且$|m^*|$與該$r$對應的$|m|$相同，又$m^*$不等於$m$，必存在$i$使得$r \| b \| i \| m_i$不等於$r^*_i \| b \| i \| m^*_i$，則$(r^*_i \| b \| i \| m^*_i, t^*_i)$可作爲$\Pi'$的有效僞造。

無論上述哪一種情況，只要$\mathcal{A}$最終輸出針對$\Pi$的有效僞造，那麼必然可以找到針對$\Pi'$的有效僞造，這與前提$\Pi'$是安全的相矛盾，故該構造是安全的。

---

4.8 Show that the basic CBC-MAC construction is not secure when used to authenticate messages of different lengths.

回顧Construction 4.9，算法$\mathsf{Mac}$工作如下：

• Parse $m$ as $m = m_1, \dots, m_\ell$ where each $m_i$ is of length $n$, and set $t_0 := 0^\lambda$.
• For $i=1$ to $\ell$, set $t_i := F_k(t_{i-1} \oplus m_i)$.
• Output $t_\ell$ as the tag.

當消息長度$|m|$不定時，敵手$\mathcal{A}$可通過訪問兩次$\mathcal{O}_{\mathsf{Mac}}$諭言機完成攻擊：

• 第一次設置$m^{(1)} = m$得到$t^{(1)} = F_k(0^\lambda \oplus m)$；
• 第二次設置$m^{(2)} = t^{(1)}$得到$t^{(2)} = F_k(0^\lambda \oplus t^{(1)})$；
• 最終輸出僞造$(m^* = m \| 0^\lambda, t^* = t^{(2)})$。

---

附加題：Show that appending the message length to the end of the message before applying basic CBC-MAC does not result in a secure MAC for arbitrary-length messages.

敵手$\mathcal{A}$僅需訪問3次諭言機$\mathcal{O}_{\mathsf{Mac}}$即可完成攻擊：

• 第一次提交$m_1$，得到$t := F_k(F_k(m_1) \oplus 1)$；
• 第二次提交$m'_1$，得到$t' := F_k(F_k(m'_1) \oplus 1)$；
• 第三次提交$m_1 \| 1 \| m''_3$，得到$t'' :=F_k(F_k(F_k(F_k(m_1) \oplus 1) \oplus m''_3) \oplus 3)$。

從上述三個式子，有$t'' =F_k(F_k(t \oplus m''_3) \oplus 3)$，而$t \oplus m''_3 = t \oplus m''_3 \oplus t' \oplus t'$，設$m^*_3 = t \oplus m''_3 \oplus t'$，有$t'' = F_k(F_k(t' \oplus m^*_3) \oplus 3)$，即當$m^* := m'_1 \| 1 \| m^*_3$時，有$t^* := t''$。

---

4.9 Prove that the following modifications of CBC-MAC do not yield a secure fixed-length MAC:

• Modify CBC-MAC so that a random $IV$ is used each time a tag is computed (and the $IV$ is output along with $t_\ell$). I.e., $t_0 \gets \{0, 1\}^n$ is chosen uniformly at random rather than being fixed to $0^n$, and the tag is $t_0, t_\ell$.
• Modify CBC-MAC so that all blocks $t_1, \dots, t_\ell$ are output (rather than just $t_\ell$).

第一種情形，$\mathcal{A}$提交$m := 0^{\ell n}$得到$t = \big<t_0, t_\ell\big>$，此時$\mathcal{A}$可僞造$m^* := t_0 \| 0^{(\ell - 1)n}$，$t^* := \big<0^n, t_\ell\big>$。 留意，$F_k(m_1 \oplus t_0) = t_1 = F_k(m^*_1 \oplus t^*_0)$。

第二種情形，$\mathcal{A}$提交$m:=m_1 \| m_2 \| \dots \| m_\ell$，得到$t = \big< t_1, t_2, \dots, t_\ell\big>$，接着提交$m':=m'_1 \| m'_2 \| \dots \| m'_\ell$，得到$t' = \big< t'_1, t'_2, \dots, t'_\ell\big>$，最後僞造$m^* := m_1 \| (m'_2 \oplus t'_1 \oplus t_1) \| m'_3 \| \dots m'_\ell$，$t^* := \big<t_1, t'_2, t'_3, \dots, t'_\ell\big>$。

---

附加題（原書第2版題目）：Show that Construction 4.18 might not be CCA-secure if it is instantiated with a secure MAC that is not strongly secure.

回顧strongly secure MAC的定義，遊戲輸出1的條件改爲“$\mathsf{Vrfy}_k(m^*, t^*)=1$且$(m^*, t^*) \notin \mathcal{Q}$”，歷史記錄列表形式改爲$\mathcal{Q}=(m, t)$。

參考題目4.5第3小題的方案構造，它依舊不滿足strong secure MAC的定義，具體來說，$\mathcal{A}$提交$m^*$給$\mathcal{O}_{\mathsf{Mac}}$得到$t = t' \| \big<0\big>$，隨機挑選$i^* \gets [\lambda]$，$(m^*, t^*=t' \| \big<i^*\big>)$有效的概率爲$1/\lambda$。若Construction 4.18中的MAC方案採用該構造，那麼在CCA-secure安全遊戲中，$\mathcal{A}$易得到MAC的密鑰$k$，這樣$\mathcal{A}$就可以對挑戰密文做邏輯修改，並且有效訪問解密諭言機，與Construction 4.18的設計初衷相違背。

原書第2版題目4.23解題思路亦類似。