Broken MACS, Hashes HW

E that there exist secure h and m such that fk is not

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: λ and computing H (MK (m1 ), . . . , MK (mλ )). Prove that this composition is not generically secure, i.e. that there exist secure H and M such that FK is not EUF-CMA secure. (c) [Extra credit: 10 points] Prove, however, that if the hash function H in part (c) is modelled as a random oracle, then the resulting MAC FK is EUF-CMA secure. 1 4. MACs and Encryption. [20 points] (a) [10 points] Let Enc be an IND-CPA secure encryption scheme and M be a EUF-CMA secure MAC. Define the composed encryption function EncM1 ,K2 (x) = EncK1 (x)||MK2 (x) (“encrypt K AND mac”). Prove that there exists an IND-CPA secure encryption scheme Enc and EUFCMA secure mac M such that EncM is not even IND-CPA secure. (b) [10 points] Since a block cipher in CBC mode can be used to build both an IND-CPA secure encryption scheme and a EUF-CMA secure block, a common mistake made in “roll-your-own” cryptosystems is to try to use the last ciphertext block to compute a MAC on the plaintext, e.g. to encrypt the message m, we compute the ciphertext c...
View Full Document

This document was uploaded on 04/03/2014.

Ask a homework question - tutors are online