This preview shows page 1. Sign up to view the full content.
Unformatted text preview: λ and computing
H (MK (m1 ), . . . , MK (mλ )). Prove that this composition is not generically secure, i.e. that
there exist secure H and M such that FK is not EUFCMA secure.
(c) [Extra credit: 10 points] Prove, however, that if the hash function H in part (c) is modelled
as a random oracle, then the resulting MAC FK is EUFCMA secure.
1 4. MACs and Encryption. [20 points]
(a) [10 points] Let Enc be an INDCPA secure encryption scheme and M be a EUFCMA secure
MAC. Deﬁne the composed encryption function EncM1 ,K2 (x) = EncK1 (x)MK2 (x) (“encrypt
K
AND mac”). Prove that there exists an INDCPA secure encryption scheme Enc and EUFCMA secure mac M such that EncM is not even INDCPA secure.
(b) [10 points] Since a block cipher in CBC mode can be used to build both an INDCPA secure
encryption scheme and a EUFCMA secure block, a common mistake made in “rollyourown”
cryptosystems is to try to use the last ciphertext block to compute a MAC on the plaintext,
e.g. to encrypt the message m, we compute the ciphertext c...
View
Full
Document
This document was uploaded on 04/03/2014.
 Spring '14

Click to edit the document details