Unformatted text preview: λ and computing
H (MK (m1 ), . . . , MK (mλ )). Prove that this composition is not generically secure, i.e. that
there exist secure H and M such that FK is not EUFCMA secure.
(c) [Extra credit: 10 points] Prove, however, that if the hash function H in part (c) is modelled
as a random oracle, then the resulting MAC FK is EUFCMA secure.
1 4. MACs and Encryption. [20 points]
(a) [10 points] Let Enc be an INDCPA secure encryption scheme and M be a EUFCMA secure
MAC. Deﬁne the composed encryption function EncM1 ,K2 (x) = EncK1 (x)MK2 (x) (“encrypt
K
AND mac”). Prove that there exists an INDCPA secure encryption scheme Enc and EUFCMA secure mac M such that EncM is not even INDCPA secure.
(b) [10 points] Since a block cipher in CBC mode can be used to build both an INDCPA secure
encryption scheme and a EUFCMA secure block, a common mistake made in “rollyourown”
cryptosystems is to try to use the last ciphertext block to compute a MAC on the plaintext,
e.g. to encrypt the message m, we compute the ciphertext c...
View
Full Document
 Spring '14
 Cryptography, hash function, Cryptographic hash function, Block cipher, tail length

Click to edit the document details