Computer Science and Engineering, UCSD
Spring 11
CSE 207:
Modern Cryptography
Instructor:
Mihir Bellare
Problem Set 4 Solutions
May 4, 2011
Problem Set 4 Solutions
Problem 1. [30 points]
Let
E
:
{
0
,
1
}
k
×{
0
,
1
}
l
→{
0
,
1
}
l
be a block cipher. Let
D
be the set of
all strings whose length is a positive multiple of
l
.
1.
[10 points]
Define the hash function
H
1
:
{
0
,
1
}
k
×
D
→{
0
,
1
}
l
via the CBC construction, as
follows:
algorithm
H
1
(
K,M
)
M
[1]
M
[2]
...M
[
n
]
←
M
C
[0]
←
0
l
For
i
= 1
,...,n
do
C
[
i
]
←
E
(
K,C
[
i
−
1]
⊕
M
[
i
])
Return
C
[
n
]
Show that
H
1
is not collision-resistant.
Here is an adversary that easily finds collisions:
adversary
A
1
(
K
)
Let
M
1
[1]
,M
2
[1] be some distinct
l
bit strings
C
1
[1]
←
E
(
K,M
1
[1]) ;
C
2
[1]
←
E
(
K,M
2
[1])
M
1
←
M
1
[1]
C
2
[1] ;
M
2
←
M
2
[1]
C
1
[1]
Return
M
1
,M
2
Adversary
A
1
has advantage 1 because
H
1
(
K,M
1
) and
H
1
(
K,M
2
) both equal
E
(
K,C
1
[1]
⊕
C
2
[1]) even though
M
1
negationslash
=
M
2
.
The time-complexity of the adversary is about that of two
computations of
E
.
2.
[20 points]
Define the hash function
H
2
:
{
0
,
1
}
k
×
D
→{
0
,
1
}
l
as follows:
algorithm
H
2
(
K,M
)
M
[1]
M
[2]
...M
[
n
]
←
M
C
[0]
←
0
l
For
i
= 1
,...,n
do
B
[
i
]
←
E
(
K,C
[
i
−
1]
⊕
M
[
i
]) ;
C
[
i
]
←
E
(
K,B
[
i
]
⊕
M
[
i
])
Return
C
[
n
]
Is
H
2
collision-resistant? If you say NO, present an attack. If YES, explain your answer, or,
better yet, prove it.
This construct might look secure at first glance because it seems to prevent an attack of the
type we gave on
H
1
, but it turns out there is another attack. Here is an adversary that finds
collisions for
H
2
:
1