Cryp Essay

1833 Words Mar 7th, 2014 8 Pages
Homework 5
4.2 Consider a "CCA-type" extension of the definition of secure message authentication codes where the adversary is provided with both a Mac and Vrfy oracle. (a) Provide a formal definition and explain why such a notion may make sense. (b) Show that when the Mac scheme is deterministic, your definition is equivalent to Definition 4.2. (c) Show that when the Mac scheme may be probabilistic, the definitions are not equivalent. (That is, show that there exists a probabilistic scheme that is secure by Definition 4.2 but not by your definition.) Consideration The message authentication experiment Mac-forge, Π(n):

1. A random key k ← {0, 1}n is chosen. 2. The adversary is given oracle access to Mack (·) and Vrfyk (·, ·) and outputs a
…show more content…
Note that in this case the Vrfy oracle behaves exactly the same to the actual Vrfy alogrithm, and the adversary cannot use the Vrfy oracle to increase its probability of success (see comparison below for further clarification). To rephrase this, an oracle access to Vrfy does not augment the adversary’s power. If the Mac scheme is probabilistic there exist muiltple tags that one message can possibly correspond to. Hence, in sharp contrast to the deterministic case, the adversary cannot be certain of exactly which tag corresponds the message. Now, with an oracle access to Vrfy, the adversary can simply query this oracle to eliminate some of the possible tags, therefore dramatically increase the probability of success (Roughly speaking, multiplied by the number of all possible corresponding tags. But this is limited to polynomial many). That being said, an adversary with oracle access to Vrfy is more powerful than one without such access. (The adversary can still output any message m previously queried to the oracle! The definition says nothing about this.) Therefore, This definition differs from Definition 4.2. 1

4.3 Prove that Construction 4.5 remains secure for each of the following modifications: (a) Instead of using a pseudorandom function, use any fixed-length MAC with the appropriate parameters. (b) Instead of including d in every block, set t i = Fk (r ||b ||i ||m i ) where b is a single bit such that b = 0 in all blocks but the last one, and b =

More about Cryp Essay