This preview shows page 1. Sign up to view the full content.
Unformatted text preview: = CBCEncryptE (m), let c∗ be
K
the last block, compute tag τ = EK (c∗ ). and use c, τ as an “authenticated encryption”
scheme. Prove that this scheme fails to provide chosenciphertext security.
(c) [Extra Credit: 10 points] In several encryption standards, ciphertexts may optionally be protected by a MAC. The entire ciphertext is accompanied by metadata specifying information
such as which keys and encryption algorithms to use; if a MAC is used the tag is computed
over this “associated data” as well. Suppose that a ciphertext is encrypted using an implementation that is vulnerable to chosen ciphertext attack (such as the CBC padding attack),
and a MAC is used to protect against this attack. (i) Show how the ciphertext can still be
attacked. (ii) Assuming that the unauthenticated encryption option must still be supported,
how would you design the authenticated encryption scheme to avoid this kind of attack?
Prove that your design is secure.
5. Hash cycles. [25 points] For a given hash function h, a hash chain starting from x is recursively
deﬁned as follows:
H0 = x
Hi = h...
View
Full
Document
This document was uploaded on 04/03/2014.
 Spring '14

Click to edit the document details