Search for question
Question

(a) What security service is a Message Authentication Code (MAC) intended to provide? (b) A MAC scheme consists of a pair of algorithms (Tag, Vrf). Describe the function of each of these algorithms and explain what is meant by the correctness of a MACscheme.[4 marks] (c) The standard notion of security for a MAC scheme is existential unforgeability under chosen message attack, or EUF-CMA security for short. Give a description of this security notion. You may use a diagram to illustrate your answer.[6 marks] ==(d) Suppose (Tag, Vrf) is an EUF-CMA-secure MAC scheme. Consider the MAC scheme (Tag', Vrf') in which Tag (m) = Tag (m)||m, where || denotes concate-nation of strings, mo denotes the first bit of m, and in which Vrf' is defined in the obvious way. (i) Provide a brief argument to show that (Tag', Vrf') is also EUF-CMA-secure. (ii) What can you conclude about the confidentiality that is provided by an EUF-CMA-secure MAC scheme for its input messages m?[1 marks] (iii) Consider combining this MAC scheme with an IND-CPA-secure symmetric encryption scheme in an "Encrypt & MAC" construction to obtain an Authenticated Encryption (AE) scheme. Describe the ciphertexts in this scheme. What can you say about the security offered by this construction? What can you conclude about the generic security of the "Encrypt & MAC"approach to building AE?[3 marks] (e) Consider the following MAC scheme, based on an n-bit hash function H: let the key K also have n bits; define Tag (m) := +K; Vrf' is defined in the obviousway. (i) Show that this MAC algorithm is vulnerable to a key recovery attack. State the resources that your attack consumes, in terms of calls to the oracles in the EUF-CMA security definition.[3 marks] (ii) In general, how does a key recovery attack on a MAC scheme relate to its EUF-CMA security? (f) Recall the Merkle-Damgård construction of an n-bit hash function from a compression function h : {0,1}* × {0,1}" → {0,1}", a padding scheme pad(-) such that the bit-length of m' = pad(m) is a multiple of k, and an n-bit value IV: Compute m' = pad(m). • Break m' up into blocks m,...,m, each of bit-length k. Set ho = IV and compute h; | = h(m², h¡) for i = 0, … ..‚† — 1. Output h₁. (i) Draw a diagram to illustrate the hashing operation for this construction. [3 marks] (ii) Suppose that the padding scheme pad(-) adds a length field and additional padding bits to its input messages, so that pad(m) = m len(m)||padding. Show that the hash function is vulnerable to length extension attacks. That is, show that if H (m) is known for some (possibly unknown) bit-string m, then H(m||1en(m)||padding||s) can be computed, for any chosen bit-string 8. (iii) Now consider the following MAC scheme, based on such a hash function H:let the key K have k bits and define Tag, (m) H(Km); algorithm Vrfis defined in the obvious way. Show that this MAC scheme is vulnerable to a forgery attack, by exploiting the length extension weakness of H. What resources does your attack consume, in terms of calls to the oracles in the EUF-CMA security definition?[4 marks]

Fig: 1

Fig: 2

Fig: 3

Fig: 4

Fig: 5

Fig: 6

Fig: 7

Fig: 8

Fig: 9

Fig: 10

Fig: 11

Fig: 12

Fig: 13

Fig: 14

Fig: 15

Fig: 16

Fig: 17

Fig: 18

Fig: 19

Fig: 20

Fig: 21

Fig: 22

Fig: 23

Fig: 24

Fig: 25