Introductionto Modern Cryptograph 第四章部分课后题答案（上）

Acknowledge
致敬Katz J, Lindell Y. Introduction to modern cryptography[M]. Chapman and Hall/CRC, 2014. 推荐该书正版。

4.1 Say $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is a secure MAC, and for $k \in \{0, 1\}^n$ the tag-generation algorithm $\mathsf{Mac}_k$ always outputs tags of length $t(n)$. Prove that $t$ must be super-logarithmic or, equivalently, that if $t(n) = \mathcal{O}(\mathsf{log} ~ n)$ then $\Pi$ cannot be a secure MAC.

假设$t(n) = \mathcal{O}(\mathsf{log} ~ n)$，那么存在常数$c$使得$t(n) = c \cdot \mathsf{log} ~ n$，即$\mathsf{Mac}$算法的输出共有$2^{c \cdot log ~n} = n^c$种可能，敌手$\mathcal{A}$在挑战游戏中随机挑选消息$m^*$，设置$t^* \gets \{0, 1\}^{t(n)}$，成功使得$\mathsf{Mac}_k(m^*) = t^*$的概率为$1 / n^c$，而$1 / n^c > \mathsf{negl}(n)$，显然方案$\Pi$不安全。

---

4.2 Consider the following fixed-length MAC for messages of length $\ell(n) = 2n-2$ using a pseudorandom function $F$: On input a message $m_0 || m_1$ (with $|m_0| = |m_1| = n-1$) and key $k \in \{0, 1\}^n$, algorithm $\mathsf{Mac}$ outputs $t = F_k(0 || m_0) || F_k(1 || m_1)$. Algorithm $\mathsf{Vrfy}$ is defined in the natural way. Is $(\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ existentially unforgeable under a chosen-message attack? Prove your answer.

方案$\Pi$依旧不安全，直觉上其安全性证明无法正确规约到相关困难问题假设上。接下来举一个例子来具体说明为何$\Pi$不安全：敌手$\mathcal{A}$挑选$m = m_0 || m_1$提交给谕言机得到$t = F_k(0 || m_0) || F_k(1 || m_1)$，接下来$\mathcal{A}$挑选$m' = m'_0 || m'_1$提交给谕言机得到$t' = F_k(0 || m'_0) || F_k(1 || m'_1)$，最后，$\mathcal{A}$提交$m^* = m_0 || m'_1$与$t^* = F_k(0 || m_0) || F_k(1 || m'_1)$作为有效伪造。

---

4.3 Let $F$ be a pseudorandom function. Show that the following MAC for messages of length $2n$ is insecure: The shared key is a random $k \in \{0, 1\}^n$. To authenticate a message $m_1 || m_2$ with $|m_1| = |m_2| = n$, compute the tag $\big< F_k(m_1), F_k \big( F_k(m_2) \big) \big>$.

类似题目4.2，首先，$\mathcal{A}$提交$m = m_1 || m_2$得到$t = \big<t_1, t_2 \big>$，然后提交$m' = m'_1 || m'_2$得到$t' = \big< t'_1, t'_2 \big>$，最后提交$m^* = m_1 || m'_2$与$t^* = \big< t_1, t'_2 \big>$作为有效伪造。

---

4.4 Let $F$ be a pseudorandom function. Show that each of the following message authentication codes is insecure. (In each case the shared key is a random $k \in \{0, 1\}^n$.)

• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^n$, compute $t := F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$.
• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^n$, choose $r \gets \{0, 1\}^n$ at random, compute $t := F_k(r) \oplus F_k(m_1) \oplus \cdots \oplus F_k(m_\ell)$, and send $\big< r, t \big>$.
• To authenticate a message $m = m_1 || \cdots || m_\ell$, where $m_i \in \{0, 1\}^{n/2}$, choose $r \gets \{0, 1\}^n$ at random, compute
  $t:=F_k(r) \oplus F_k(\big<1\big>||m_1) \oplus \cdots \oplus F_k(\big<\ell\big> || m_\ell)$
  where $\big<i\big>$ is an $n/2$-bit encoding of the interger $i$, and send $\big<r, t\big>$.

注意MAC的输入是任意长度的消息$m \in \{0, 1\}^*$。
第一种情形，$\mathcal{A}$向谕言机问询$m=m_1||m_2$得到$t=F_k(m_1)\oplus F_k(m_2)$，随后提交$m^* = m_2 || m_1$与$t^* = t$。
第二种情形，攻击跟第一种情形类似。
第三种情形，加入了$\big<i\big>$防止$\mathcal{A}$打乱消息块的顺序，但仍然存在缺陷，注意消息$m$是任意长度，$\mathcal{A}$可以设置$m^* = m_1$，$t^* = \big< \big<1\big>||m_1, 0^n \big>$，直接输出伪造。

---

4.5 Consider an extension of the definition of secure message authentication where the adversary is provided with both a $\mathsf{Mac}$ and a $\mathsf{Vrfy}$ oracle.

• Provide a formal definition of security in this case, and explain what real-world adversarial actions are modeled by providing the adversary with a $\mathsf{Vrfy}$ oracle.
• Show that if $\Pi$ has unique tags (c.f. Section 4.8), then $\Pi$ satisfies your definition if it satisfies Definition 4.2.
• Show that if $\Pi$ does not have unique tags, then $\Pi$ may satisfy Definition 4.2 but not your definition.

对Definition 4.2作出轻微修改，考虑如下实验$\mathsf{Mac}\text{-}\mathsf{forge}_{\mathcal{A}, \Pi}(\lambda)$：

1. A random key $k$ is generated by running $\mathsf{Gen}(1^\lambda)$.
2. The adversary $\mathcal{A}$ is given input $1^\lambda$ and oracle access to $\mathsf{Mac}_k(\cdot)$ and $\mathsf{Vrfy}_k(\cdot)$. The adversary eventually outputs a pair $(m^*, t^*)$. Let $\mathcal{Q}$ denote the set of all queries that $\mathcal{A}$ asked to oracle $\mathsf{Mac}_k(\cdot)$.
   $\mathcal{O}_\mathsf{Mac}(m)$: given a message $m$, output a tag $t$ on $m$.
   $\mathcal{O}_\mathsf{Vrfy}(m, t)$: given a pair $(m, t)$, output a bit $b$.
3. The output of the experiment is defined to be $1$ if and only if (1) $\mathsf{Vrfy}_k(m^*, t^*) = 1$ and (2) $m^* \notin \mathcal{Q}$.

(Definition) Amessage authentication code $\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$ is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probabilistic polynomial-time adversaries $\mathcal{A}$, there exists a negligible function $\mathsf{negl}$ such that
$\mathrm{Pr} [ \mathsf{Mac}\text{-}\mathsf{forge}_{\mathcal{A}, \Pi}(\lambda) = 1 ] \leq \mathsf{negl}(\lambda).$

考虑侧信道攻击环境下的谕言机$\mathcal{O}_{\mathsf{Vrfy}}(\cdot)$，假设此时敌手不仅可以获知$\mathsf{Vrfy}$的输出$b$，并且可以获知算法运行时间。接下来举一个例子。当MAC采用确定性算法时，算法$\mathsf{Vrfy}(k, m, t)$工作如下：计算$\tilde{t} := \mathsf{Mac}(k, m)$，比较$\tilde{t} \overset{?}{=} t$，输出布尔变量$b$，比较$(\tilde{t}, t)$时使用C语言函数strcmp。思考C语言对于布尔表达式False & True的判断，strcmp算法对于不同的$t$会有不同的运行时间，敌手监听运行MAC算法的智能家电用具，对消息$m$伪造$t = 0^\lambda$，跟着根据strcmp算法的运行时间，逐次修改特定比特位，此时仅需访问$\lambda$次$\mathcal{O}_{\mathsf{Vrfy}}$。上述例子就是$\mathcal{O}_{\mathsf{Vrfy}}$的意义，同时可见本题所给定义仍然不够strong（推荐反复思考书中关于安全定义是否太过strong的原话，以进一步加深理解）。

当算法$\mathsf{Mac}$是确定性算法时（即对于一条密钥$k$一个消息$m$仅有一个有效标签$t$），上述定义中仅输出$b$值的谕言机$\mathcal{O}_{\mathsf{Vrfy}}$对于敌手$\mathcal{A}$来说意义不大，$\mathcal{A}$完全不能从$\mathcal{O}_{\mathsf{Vrfy}}$中学到新的知识。

思考如下方案$\Pi' = (\mathsf{Gen}', \mathsf{Mac}', \mathsf{Vrfy}')$，它满足安全定义Definition 4.2，但不满足本题安全定义。

假设$\Pi = (\mathsf{Gen}, \mathsf{Mac}, \mathsf{Vrfy})$是满足安全定义Definition 4.2的消息鉴别码方案。

• $\mathsf{Gen}'(1^\lambda) \to k$：运行$k \gets \mathsf{Gen}(1^\lambda)$，设置$k' := k$并输出。
• $\mathsf{Mac}'(k', m) \to t'$：运行$t := \mathsf{Mac}(k, m)$，设置$t' := t || \big<0\big>$并输出（注意本算法符号$\gets$和符号$:=$的运用）。
• $\mathsf{Vrfy}'(k', m, t') \to b'$：解析$t' = t || \big<i\big>$，运行$b \gets \mathsf{Vrfy}(k, m, t)$，若$b = 1$且$i = 0$，设置$b' := b$并输出；若$b = 1$且$i > 0$，设置$b' := k[i]$并输出（其中$k[i]$表示密钥$k$的第$i$个比特）；否则设置$b' := 0$并输出。

算法正确性易分析，满足定义4.2同样易证明。

敌手有了验证谕言机后，先访问标签生成谕言机得到$(m, t||\big<0\big>)$，再通过修改$\big<i\big>$访问$\lambda - 1$次验证谕言机可恢复出密钥$k$。

---

4.7 Prove that Construction 4.5 is secure if it is changed as follows: Instead of including $\ell$ in every block, set $t_i := F_k(r \| b \| i \| m_i)$ where $b$ is a single bit such that $b = 0$ in all blocks but the last one, and $b=1$ in the last block. What is the advantage of this modification?

本题安全性证明与Construction 4.5大同小异，易证$\mathcal{A}$的$q(\lambda)$次谕言机访问出现重复的$r$的概率可忽略，假设$\mathcal{A}$最终输出有效伪造$(m^*, t^*)$，分为3种情况：

（1）$r^*$与$q(\lambda)$次谕言机访问中的$r$都不相同，那么$(r^* \| 0 \| 1 \| m^*_1, t^*_1)$可作为$\Pi'$的有效伪造；
（2）$r^*$与$q(\lambda)$次谕言机访问中的某个$r$相同，而$|m^*|$与该$r$对应的$|m|$不相同，那么$b$值为$1$的$(r^* \| 1 \| i \| m_i, t^*_i)$可作为$\Pi'$的有效伪造；
（3）$r^*$与$q(\lambda)$次谕言机访问中的某个$r$相同，且$|m^*|$与该$r$对应的$|m|$相同，又$m^*$不等于$m$，必存在$i$使得$r \| b \| i \| m_i$不等于$r^*_i \| b \| i \| m^*_i$，则$(r^*_i \| b \| i \| m^*_i, t^*_i)$可作为$\Pi'$的有效伪造。

无论上述哪一种情况，只要$\mathcal{A}$最终输出针对$\Pi$的有效伪造，那么必然可以找到针对$\Pi'$的有效伪造，这与前提$\Pi'$是安全的相矛盾，故该构造是安全的。

---

4.8 Show that the basic CBC-MAC construction is not secure when used to authenticate messages of different lengths.

回顾Construction 4.9，算法$\mathsf{Mac}$工作如下：

• Parse $m$ as $m = m_1, \dots, m_\ell$ where each $m_i$ is of length $n$, and set $t_0 := 0^\lambda$.
• For $i=1$ to $\ell$, set $t_i := F_k(t_{i-1} \oplus m_i)$.
• Output $t_\ell$ as the tag.

当消息长度$|m|$不定时，敌手$\mathcal{A}$可通过访问两次$\mathcal{O}_{\mathsf{Mac}}$谕言机完成攻击：

• 第一次设置$m^{(1)} = m$得到$t^{(1)} = F_k(0^\lambda \oplus m)$；
• 第二次设置$m^{(2)} = t^{(1)}$得到$t^{(2)} = F_k(0^\lambda \oplus t^{(1)})$；
• 最终输出伪造$(m^* = m \| 0^\lambda, t^* = t^{(2)})$。

---

附加题：Show that appending the message length to the end of the message before applying basic CBC-MAC does not result in a secure MAC for arbitrary-length messages.

敌手$\mathcal{A}$仅需访问3次谕言机$\mathcal{O}_{\mathsf{Mac}}$即可完成攻击：

• 第一次提交$m_1$，得到$t := F_k(F_k(m_1) \oplus 1)$；
• 第二次提交$m'_1$，得到$t' := F_k(F_k(m'_1) \oplus 1)$；
• 第三次提交$m_1 \| 1 \| m''_3$，得到$t'' :=F_k(F_k(F_k(F_k(m_1) \oplus 1) \oplus m''_3) \oplus 3)$。

从上述三个式子，有$t'' =F_k(F_k(t \oplus m''_3) \oplus 3)$，而$t \oplus m''_3 = t \oplus m''_3 \oplus t' \oplus t'$，设$m^*_3 = t \oplus m''_3 \oplus t'$，有$t'' = F_k(F_k(t' \oplus m^*_3) \oplus 3)$，即当$m^* := m'_1 \| 1 \| m^*_3$时，有$t^* := t''$。

---

4.9 Prove that the following modifications of CBC-MAC do not yield a secure fixed-length MAC:

• Modify CBC-MAC so that a random $IV$ is used each time a tag is computed (and the $IV$ is output along with $t_\ell$). I.e., $t_0 \gets \{0, 1\}^n$ is chosen uniformly at random rather than being fixed to $0^n$, and the tag is $t_0, t_\ell$.
• Modify CBC-MAC so that all blocks $t_1, \dots, t_\ell$ are output (rather than just $t_\ell$).

第一种情形，$\mathcal{A}$提交$m := 0^{\ell n}$得到$t = \big<t_0, t_\ell\big>$，此时$\mathcal{A}$可伪造$m^* := t_0 \| 0^{(\ell - 1)n}$，$t^* := \big<0^n, t_\ell\big>$。 留意，$F_k(m_1 \oplus t_0) = t_1 = F_k(m^*_1 \oplus t^*_0)$。

第二种情形，$\mathcal{A}$提交$m:=m_1 \| m_2 \| \dots \| m_\ell$，得到$t = \big< t_1, t_2, \dots, t_\ell\big>$，接着提交$m':=m'_1 \| m'_2 \| \dots \| m'_\ell$，得到$t' = \big< t'_1, t'_2, \dots, t'_\ell\big>$，最后伪造$m^* := m_1 \| (m'_2 \oplus t'_1 \oplus t_1) \| m'_3 \| \dots m'_\ell$，$t^* := \big<t_1, t'_2, t'_3, \dots, t'_\ell\big>$。

---

附加题（原书第2版题目）：Show that Construction 4.18 might not be CCA-secure if it is instantiated with a secure MAC that is not strongly secure.

回顾strongly secure MAC的定义，游戏输出1的条件改为“$\mathsf{Vrfy}_k(m^*, t^*)=1$且$(m^*, t^*) \notin \mathcal{Q}$”，历史记录列表形式改为$\mathcal{Q}=(m, t)$。

参考题目4.5第3小题的方案构造，它依旧不满足strong secure MAC的定义，具体来说，$\mathcal{A}$提交$m^*$给$\mathcal{O}_{\mathsf{Mac}}$得到$t = t' \| \big<0\big>$，随机挑选$i^* \gets [\lambda]$，$(m^*, t^*=t' \| \big<i^*\big>)$有效的概率为$1/\lambda$。若Construction 4.18中的MAC方案采用该构造，那么在CCA-secure安全游戏中，$\mathcal{A}$易得到MAC的密钥$k$，这样$\mathcal{A}$就可以对挑战密文做逻辑修改，并且有效访问解密谕言机，与Construction 4.18的设计初衷相违背。

原书第2版题目4.23解题思路亦类似。