Unformatted text preview: λ and computing
H (MK (m1 ), . . . , MK (mλ )). Prove that this composition is not generically secure, i.e. that
there exist secure H and M such that FK is not EUF-CMA secure.
(c) [Extra credit: 10 points] Prove, however, that if the hash function H in part (c) is modelled
as a random oracle, then the resulting MAC FK is EUF-CMA secure.
1 4. MACs and Encryption. [20 points]
(a) [10 points] Let Enc be an IND-CPA secure encryption scheme and M be a EUF-CMA secure
MAC. Deﬁne the composed encryption function EncM1 ,K2 (x) = EncK1 (x)||MK2 (x) (“encrypt
AND mac”). Prove that there exists an IND-CPA secure encryption scheme Enc and EUFCMA secure mac M such that EncM is not even IND-CPA secure.
(b) [10 points] Since a block cipher in CBC mode can be used to build both an IND-CPA secure
encryption scheme and a EUF-CMA secure block, a common mistake made in “roll-your-own”
cryptosystems is to try to use the last ciphertext block to compute a MAC on the plaintext,
e.g. to encrypt the message m, we compute the ciphertext c...
View Full Document
- Spring '14
- Cryptography, hash function, Cryptographic hash function, Block cipher, tail length