Solutions

The document discusses cryptographic systems, focusing on decryption methods, encryption schemes, and the concept of perfect secrecy. It explains various encryption techniques such as shift ciphers, monoalphabetic substitution, and the Vigenère cipher, along with their security implications. Additionally, it addresses the relationship between perfect secrecy and adversarial indistinguishability in encryption schemes.

Uploaded by Amirthan Arul

Chapter 1

1.1. Key (plaintext letter → ciphertext letter): abcdefghijklmnopqrstuvwxyz → hcjkfeyvbuxzplomtgwqiasdrn


Decrypting the ciphertext provided gives:
CRYPTOGRAPHICSYSTEMSAREEXTREMELYDIFFICULTTOBUILDNEVERTHELESSFORSOMEREASONMANYNONEXPERTSINSISTONDESIGNINGNEWENCRYPTIONSCHEMESTHATSEEMTOTHEMTOBEMORESECURETHANANYOTHERSCHEMEONEARTHTHEUNFORTUNATETRUTHHOWEVERISTHATSUCHSCHEMESAREUSUALLYTRIVIALTOBREAK
1.2. Denoting {0, ..., 25} by $\mathbb{Z}_{26}$, we have:
• Gen: outputs a uniform key $k$ from the set of bijections $p : \mathbb{Z}_{26} \to \mathbb{Z}_{26}$, where we associate each letter of the English alphabet, in order, with the corresponding number in $\mathbb{Z}_{26}$.
• Enc: the encryption of the message $m = m_1 \cdots m_\ell$, where $m_i \in \mathbb{Z}_{26}$, with key $k$ is given by:

$$\mathrm{Enc}_k(m_1 \cdots m_\ell) = c_1 \cdots c_\ell$$

where $c_i = k(m_i)$, i.e. we apply the bijection $k$ to $m_i$.

• Dec: the decryption of the ciphertext $c = c_1 \cdots c_\ell$, where $c_i \in \mathbb{Z}_{26}$, with key $k$ is given by:

$$\mathrm{Dec}_k(c_1 \cdots c_\ell) = k^{-1}(c_1) \cdots k^{-1}(c_\ell) = m_1 \cdots m_\ell$$

where $k^{-1}$ is the inverse of the function $k$, which exists because $k$ is bijective.


1.3. TODO
1.4. TODO
1.5. Shift cipher: the encryption of a single character suffices, since $c = m + k \bmod 26$, so $k = c - m \bmod 26$.
Monoalphabetic substitution: if the alphabet contains n characters, at least n − 1 distinct characters are necessary to recover the key (the n-th character's image is determined once the other n − 1 are known). By choosing $m = m_1 \cdots m_{n-1}$ with $m_1, \ldots, m_{n-1}$ pairwise distinct, we have $c = c_1 \cdots c_{n-1} = k(m_1) \cdots k(m_{n-1})$, and we may find the bijection k.
Vigenère: given a key k of length n, n characters suffice to recover the key, as each part of it can be recovered as in the shift cipher.
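The substitution scheme of 1.2, instantiated with the key from 1.1, together with the chosen-plaintext key recovery of 1.5 (a plaintext with 25 distinct letters pins the 26th mapping down). This is an added example, not code from the solutions document; the key string is the one given in 1.1 with its extraction space removed.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase  # Z26: letters in order, a = 0 ... z = 25

# Key from exercise 1.1 (plaintext letter -> ciphertext letter).
KEY_1_1 = "hcjkfeyvbuxzplomtgwqiasdrn"


def gen() -> str:
    """Gen from 1.2: a uniform bijection on Z26, written as a 26-letter string."""
    letters = list(ALPHABET)
    # Fisher-Yates shuffle driven by a CSPRNG: every permutation is equally likely.
    for i in range(len(letters) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        letters[i], letters[j] = letters[j], letters[i]
    return "".join(letters)


def enc(key: str, m: str) -> str:
    """Enc from 1.2: c_i = k(m_i). Non-letters pass through unchanged."""
    return m.lower().translate(str.maketrans(ALPHABET, key))


def dec(key: str, c: str) -> str:
    """Dec from 1.2: apply k^{-1}, which exists because k is a bijection."""
    return c.lower().translate(str.maketrans(key, ALPHABET))


def recover_key(plaintext: str, ciphertext: str) -> str:
    """Chosen-plaintext key recovery from 1.5.

    25 distinct observed letters fix 25 entries of the bijection; the last
    entry is forced because exactly one ciphertext letter remains unused.
    Raises ValueError when fewer than 25 distinct letters were observed or
    the pairs are inconsistent with a substitution cipher.
    """
    mapping = {}
    for p, c in zip(plaintext.lower(), ciphertext.lower()):
        if p in ALPHABET and mapping.setdefault(p, c) != c:
            raise ValueError("inconsistent pair: not a substitution cipher")
    if len(mapping) < 25:
        raise ValueError(f"only {len(mapping)} distinct letters seen; need 25")
    if len(mapping) == 25:
        (missing_p,) = set(ALPHABET) - set(mapping)
        (missing_c,) = set(ALPHABET) - set(mapping.values())
        mapping[missing_p] = missing_c
    return "".join(mapping[p] for p in ALPHABET)


if __name__ == "__main__":
    msg = "cryptographicsystemsareextremelydifficulttobuild"
    ct = enc(KEY_1_1, msg)
    print(ct)
    print(dec(KEY_1_1, ct) == msg)
    print(recover_key(ALPHABET[:25], enc(KEY_1_1, ALPHABET[:25])) == KEY_1_1)
```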
1.6. Since every character is shifted by the same fixed distance, the attacker concludes that the password is abcd if the ciphertext consists of consecutive characters (e.g. mnop) and bedg otherwise.
1.7. It is not possible with period 2. With period 3:

letter value:   0  1  2  3  |  1  4  3  6
password:       a  b  c  d  |  b  e  d  g
key position:  k1 k2 k3 k4  | k1 k2 k3 k4

With period 3 the first and fourth characters are shifted by the same key character, so the difference between the fourth and first ciphertext characters is d − a = 3 for abcd but g − b = 5 for bedg, which tells the two apart.

As for Vigenère with period 4, |K| = |M|, hence we have perfect secrecy.
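Exercises 1.6 and 1.7 decided by computation, as an added example (not part of the solutions document): for each period the ciphertext sets of abcd and bedg are either disjoint (the attacker always tells them apart) or identical (never). The second function generalises the page's argument to any pair of equal-length passwords and any period, using only differences between positions that share a key character.

```python
from itertools import product

A = 26


def to_nums(pw: str) -> list:
    """Letters numbered a=0 .. z=25."""
    return [ord(ch) - ord("a") for ch in pw]


def vigenere(pw: str, key: tuple) -> tuple:
    """Vigenère with period len(key): position i is shifted by key[i mod period]."""
    return tuple((v + key[i % len(key)]) % A for i, v in enumerate(to_nums(pw)))


def ciphertext_set(pw: str, period: int) -> set:
    """Brute force: every ciphertext of pw under all 26^period keys."""
    return {vigenere(pw, key) for key in product(range(A), repeat=period)}


def verdict_bruteforce(pw0: str, pw1: str, period: int) -> str:
    """'always' if no ciphertext can arise from both passwords, 'never' if the
    two ciphertext sets coincide (a uniform key then yields identical
    distributions), 'sometimes' otherwise."""
    s0, s1 = ciphertext_set(pw0, period), ciphertext_set(pw1, period)
    if s0.isdisjoint(s1):
        return "always"
    return "never" if s0 == s1 else "sometimes"


def verdict_by_differences(pw0: str, pw1: str, period: int) -> str:
    """Same verdict without enumeration (added generalisation of 1.6/1.7).

    Positions with equal index modulo the period share a key character, so
    the key cancels in differences between such positions.  If every class
    of positions shows the same difference pattern for both passwords, the
    ciphertext sets coincide; otherwise they are disjoint."""
    n0, n1 = to_nums(pw0), to_nums(pw1)
    assert len(n0) == len(n1), "passwords must have equal length"
    for r in range(period):
        d0 = [(n0[i] - n0[r]) % A for i in range(r, len(n0), period)]
        d1 = [(n1[i] - n1[r]) % A for i in range(r, len(n1), period)]
        if d0 != d1:
            return "always"
    return "never"


if __name__ == "__main__":
    for period in (1, 2, 3, 4):
        print(f"period {period}: attacker can tell abcd from bedg: "
              f"{verdict_by_differences('abcd', 'bedg', period)}")
```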
1.8. TODO

Chapter 2
2.1. TODO
2.2. Enc takes a message $m \in M$ and a key $k \in K$, and is randomised (it also reads a number of bits from a random tape that it uses as input). Instead of implicitly getting the random bits, we make them explicit by passing them as input, redefining the key space to $K \times R$ (where R is the set of all possible random tapes of the maximal length we could need). Thus, Enc becomes deterministic, as it has all the randomness it needs in the new-style key.

2.3. Consider a scheme with 1 bit of plaintext, 3 bits of key, and 2 bits of ciphertext. The two bits of ciphertext, $c_0$ and $c_1$, are obtained as follows:

$$c_0 = m_0 \oplus k_0$$
$$c_1 = (k_2 \wedge k_1) \oplus m_0 \oplus k_0$$

The possible ciphertexts (rows: key $(k_0, k_1, k_2)$; columns: message $m_0$) can be seen in the following table:

key (k0, k1, k2) | m0 = 0 | m0 = 1
(0, 0, 0)        | (0, 0) | (1, 1)
(0, 0, 1)        | (0, 0) | (1, 1)
(0, 1, 0)        | (0, 0) | (1, 1)
(0, 1, 1)        | (0, 1) | (1, 0)
(1, 0, 0)        | (1, 1) | (0, 0)
(1, 0, 1)        | (1, 1) | (0, 0)
(1, 1, 0)        | (1, 1) | (0, 0)
(1, 1, 1)        | (1, 0) | (0, 1)

The scheme is perfectly secret:

$$P[M=0 \mid C=(0,0)] = \frac{P[M=0]\cdot\left(P[K=(0,0,0)] + P[K=(0,0,1)] + P[K=(0,1,0)]\right)}{P[C=(0,0)]} = \frac{P[M=0]\cdot\frac{3}{8}}{\frac{6}{16}} = P[M=0]$$

$$P[M=0 \mid C=(0,1)] = \frac{P[M=0]\cdot P[K=(0,1,1)]}{P[C=(0,1)]} = \frac{P[M=0]\cdot\frac{1}{8}}{\frac{2}{16}} = P[M=0]$$

etc., but $\frac{3}{8} = P[C=(0,0)] \neq P[C=(0,1)] = \frac{1}{8}$.
2.4. Assume that the encryption scheme is perfectly secret, and fix messages $m_0, m_1 \in M$ and a ciphertext $c \in C$. By Lemma 2.2 of the 1st edition of the book, we have:

$$P[C=c \mid M=m_0] = P[C=c] = P[C=c \mid M=m_1]$$

completing the proof of the "only if" (⇒) direction.

Note that $P[\mathrm{Enc}_k(m) = c] = P[C=c \mid M=m]$, as explained on page 30. It is also worth pointing out that Lemma 2.2 is an equivalent formulation of perfect secrecy, stating:
An encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret iff for every probability distribution over M, every message $m \in M$, and every ciphertext $c \in C$:

$$P[C=c \mid M=m] = P[C=c]$$
2.5. We need to prove that an encryption scheme Π is perfectly secret iff it is perfectly indistinguishable.

(⇒): In what follows, we make the assumption that the adversary is deterministic. Suppose Π is perfectly secret. We need to show that $P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = \frac{1}{2}$.

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = P[b' = b] = P[b'=0 \mid M=m_0]\cdot P[M=m_0] + P[b'=1 \mid M=m_1]\cdot P[M=m_1] = \tfrac{1}{2}\left(P[b'=0 \mid M=m_0] + P[b'=1 \mid M=m_1]\right)$$

Note that in the last step we used that $P[M=m_0] = P[M=m_1] = \frac{1}{2}$. Essentially what the adversary does is try to partition the ciphertext space C into two subsets $C_0, C_1$ such that $C = C_0 \cup C_1$ and $C_0 \cap C_1 = \emptyset$. If the attacker gets $c \in C_0$ it outputs 0, else if $c \in C_1$, it outputs 1. We thus proceed:

$$\tfrac{1}{2}\left(P[b'=0 \mid M=m_0] + P[b'=1 \mid M=m_1]\right) = \tfrac{1}{2}\left(\sum_{c \in C_0} P[C=c \mid M=m_0] + \sum_{c \in C_1} P[C=c \mid M=m_1]\right) = \tfrac{1}{2}\left(\sum_{c \in C_0} P[C=c] + \sum_{c \in C_1} P[C=c]\right) = \tfrac{1}{2}\left(P[c \in C_0] + P[c \in C_1]\right) = \tfrac{1}{2}$$

Note that the second and third expressions are equal by an equivalent formulation of perfect secrecy, and the last equality holds since $P[c \in C_0] + P[c \in C_1] = 1$, because $C_0$ and $C_1$ are mutually exclusive and exhaustive.

(⇐): We prove the contrapositive, i.e. ¬(perfect secrecy) ⇒ ¬(adversarial indistinguishability). Suppose Π is not perfectly secret; then $\exists\, m'_0, m'_1 \in M$ and $c' \in C$ such that:

$$P[C=c' \mid M=m'_0] \neq P[C=c' \mid M=m'_1]$$

(using an equivalent formulation of perfect secrecy). Let A be an adversary that chooses $m'_0$ and $m'_1$. If it receives $c'$, A outputs $b' = 0$; otherwise $b' \leftarrow \{0,1\}$ (the randomness is to ensure we can separate out the case when $C = c'$).

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = P[b = b'] = P[b=b' \mid M=m'_0]\,P[M=m'_0] + P[b=b' \mid M=m'_1]\,P[M=m'_1] = \tfrac{1}{2}\left(P[b=b' \mid M=m'_0] + P[b=b' \mid M=m'_1]\right)$$

$$P[b=b' \mid M=m'_0] = P[C=c' \mid M=m'_0]\cdot P[b=b' \mid M=m'_0, C=c'] + P[C \neq c' \mid M=m'_0]\cdot P[b=b' \mid M=m'_0, C \neq c'] = P[C=c' \mid M=m'_0]\cdot 1 + P[C \neq c' \mid M=m'_0]\cdot\tfrac{1}{2}$$

$$P[b=b' \mid M=m'_1] = P[C=c' \mid M=m'_1]\cdot P[b=b' \mid M=m'_1, C=c'] + P[C \neq c' \mid M=m'_1]\cdot P[b=b' \mid M=m'_1, C \neq c'] = P[C=c' \mid M=m'_1]\cdot 0 + P[C \neq c' \mid M=m'_1]\cdot\tfrac{1}{2} = P[C \neq c' \mid M=m'_1]\cdot\tfrac{1}{2}$$

Substituting back:

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = \tfrac{1}{2}\left(P[C=c' \mid M=m'_0] + \tfrac{1}{2}P[C \neq c' \mid M=m'_0] + \tfrac{1}{2}P[C \neq c' \mid M=m'_1]\right)$$
$$= \tfrac{1}{2}P[C=c' \mid M=m'_0] + \tfrac{1}{4}\left(1 - P[C=c' \mid M=m'_0]\right) + \tfrac{1}{4}P[C \neq c' \mid M=m'_1]$$
$$= \tfrac{1}{4} + \tfrac{1}{4}\left(P[C=c' \mid M=m'_0] + P[C \neq c' \mid M=m'_1]\right)$$
$$\neq \tfrac{1}{4} + \tfrac{1}{4}\left(P[C=c' \mid M=m'_1] + P[C \neq c' \mid M=m'_1]\right) = \tfrac{1}{2}$$

The inequality comes from supposing that there is no perfect secrecy. Therefore:

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] \neq \tfrac{1}{2}$$

Hence Π does not have adversarial indistinguishability.
2.6.
a. Take m = 0 and c = 0 as a counterexample. Then we have:

$$P[C=c \mid M=m] = P[\mathrm{Enc}_k(m) = c] = P[m + K \equiv c \pmod 5] = P[K \equiv c - m \pmod 5] = \frac{2}{6} = \frac{1}{3}$$

The table of ciphertexts $(m + k) \bmod 5$ (rows: key k; columns: message m):

k \ m | 0 | 1 | 2 | 3 | 4
0     | 0 | 1 | 2 | 3 | 4
1     | 1 | 2 | 3 | 4 | 0
2     | 2 | 3 | 4 | 0 | 1
3     | 3 | 4 | 0 | 1 | 2
4     | 4 | 0 | 1 | 2 | 3
5     | 0 | 1 | 2 | 3 | 4

But $P[C=c] = \frac{6}{36} = \frac{1}{6}$. Thus, we found a pair $m \in M$ and $c \in C$ for which $P[C=c \mid M=m] \neq P[C=c]$, so the scheme is not perfectly secret.
b. TODO
b. TODO
2.7. By the contrapositive of theorem 2.10, if |K| < |M| then the encryption scheme is not perfectly secret. Alternatively, we can see that for any $m \in M$ and $c \in C$ such that $m = c$, $P[C=c \mid M=m] = 0$ (since we are missing precisely the key that makes $c = m \oplus k = m$). However, $P[C=c] \neq 0$. The intuition for why the key $0^\ell$ is no different from other keys is that $c = 0^\ell \oplus m = m$ is equivalent to $c = k' \oplus m'$ for any $k' = c \oplus m'$, and there is no reason why an adversary should assume that the key is $0^\ell$ instead of $k'$.
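A brute-force checker for the Lemma 2.2 / exercise 2.4 formulation of perfect secrecy, applied to the schemes of 2.3 (perfectly secret, yet with a non-uniform ciphertext distribution), 2.6 (not perfectly secret) and 2.7 (one-time pad with the all-zero key removed). This is an added example, not code from the solutions document; the schemes are encoded exactly as the exercises state them, and Gen is assumed to pick a uniform key.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product


def conditional_dists(enc, keys, messages):
    """P[C = c | M = m] for each message m, with Gen choosing a uniform key."""
    dists = {}
    for m in messages:
        counts = defaultdict(int)
        for k in keys:
            counts[enc(k, m)] += 1
        dists[m] = {c: Fraction(n, len(keys)) for c, n in counts.items()}
    return dists


def is_perfectly_secret(enc, keys, messages) -> bool:
    """Exercise 2.4's formulation: P[C=c|M=m0] = P[C=c|M=m1] for all m0, m1, c.
    A ciphertext missing from a dict has probability 0, so dict equality is
    exactly equality of the two conditional distributions."""
    dists = conditional_dists(enc, keys, messages)
    first = dists[messages[0]]
    return all(dists[m] == first for m in messages)


def ciphertext_marginal(enc, keys, messages) -> dict:
    """P[C = c] when M is uniform over `messages`."""
    marginal = defaultdict(Fraction)
    for dist in conditional_dists(enc, keys, messages).values():
        for c, p in dist.items():
            marginal[c] += p / len(messages)
    return dict(marginal)


# Exercise 2.3: key (k0, k1, k2), one-bit message, two-bit ciphertext.
KEYS_2_3 = list(product((0, 1), repeat=3))
MSGS_2_3 = [0, 1]


def enc_2_3(k, m):
    k0, k1, k2 = k
    return (m ^ k0, (k2 & k1) ^ m ^ k0)


# Exercise 2.6: K = {0,...,5}, M = {0,...,4}, Enc_k(m) = (k + m) mod 5.
KEYS_2_6, MSGS_2_6 = list(range(6)), list(range(5))


def enc_2_6(k, m):
    return (k + m) % 5


# Exercise 2.7: 2-bit one-time pad with the all-zero key removed.
MSGS_2_7 = list(range(4))
KEYS_2_7 = [k for k in range(4) if k != 0]


def enc_2_7(k, m):
    return k ^ m


if __name__ == "__main__":
    print("2.3 perfectly secret:", is_perfectly_secret(enc_2_3, KEYS_2_3, MSGS_2_3))
    print("2.3 P[C = c]:", ciphertext_marginal(enc_2_3, KEYS_2_3, MSGS_2_3))
    print("2.6 perfectly secret:", is_perfectly_secret(enc_2_6, KEYS_2_6, MSGS_2_6))
    print("2.7 perfectly secret:", is_perfectly_secret(enc_2_7, KEYS_2_7, MSGS_2_7))
```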
2.8.
a.

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = P[b = b'] = P[b=0]\cdot P[A \text{ outputs } 0 \mid b=0] + P[b=1]\cdot P[A \text{ outputs } 1 \mid b=1] = \tfrac{1}{2}\left(P[A \text{ outputs } 0 \mid b=0] + P[A \text{ outputs } 1 \mid b=1]\right)$$

Then, we have:

$$P[A \text{ outputs } 0 \mid b=0] = \underbrace{\tfrac{1}{3}\cdot\tfrac{26}{26}}_{(a)} + \underbrace{\tfrac{1}{3}\cdot\tfrac{26}{26^2}}_{(b)} + \underbrace{\tfrac{1}{3}\cdot\tfrac{26^2}{26^3}}_{(c)} = \tfrac{14}{39}$$

where:
a. when |k| = 1, A always wins.
b. when |k| = 2, A wins when both symbols of the key equal each other ($k_1 = k_2$). This happens for 26 of the $26^2$ keys.
c. when |k| = 3, A wins when the first two symbols of the key equal each other ($k_1 = k_2$). This happens for $26^2$ of the $26^3$ keys.

Also:

$$P[A \text{ outputs } 1 \mid b=1] = \underbrace{\tfrac{1}{3}\cdot\tfrac{26}{26}}_{(a)} + \underbrace{\tfrac{1}{3}\cdot\tfrac{26 \cdot 25}{26^2}}_{(b)} + \underbrace{\tfrac{1}{3}\cdot\tfrac{26^2 \cdot 25}{26^3}}_{(c)} = \tfrac{38}{39}$$

where:
a. when |k| = 1, A always wins.
b. when |k| = 2, A loses when $k_1 = k_2 + 1$ (since $\mathrm{Enc}_k(\mathrm{abb}) = c_1 c_1 c_3$). This happens in 26 cases, so we care about the remaining $26^2 - 26 = 26 \cdot 25$ of the $26^2$ cases.
c. when |k| = 3, A loses once more when the first two symbols of k are consecutive, leading to $26^3 - 26^2 = 26^2 \cdot 25$ of the $26^3$ cases.

Thus, substituting in our derivation:

$$\tfrac{1}{2}\left(\tfrac{14}{39} + \tfrac{38}{39}\right) = \tfrac{2}{3}$$

b. TODO
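The probabilities in 2.8(a) computed exactly by enumerating every key, as an added example (not from the solutions document). It assumes the experiment as the derivation above uses it: the key length is uniform in {1, 2, 3}, the key is uniform among the $26^L$ strings of that length, the adversary submits aab and abb, and it outputs 0 exactly when the first two ciphertext characters coincide.

```python
from fractions import Fraction
from itertools import product

A = 26
M0, M1 = "aab", "abb"   # the adversary's chosen plaintexts in exercise 2.8


def vigenere(m: str, key: tuple) -> tuple:
    """Shift character i of m by key[i mod |key|] (a=0 .. z=25)."""
    return tuple((ord(ch) - ord("a") + key[i % len(key)]) % A
                 for i, ch in enumerate(m))


def adversary(c: tuple) -> int:
    """Output 0 ("aab was encrypted") iff the first two ciphertext characters coincide."""
    return 0 if c[0] == c[1] else 1


def prob_output(m: str, wanted: int, max_len: int = 3) -> Fraction:
    """P[A outputs `wanted` | m was encrypted]: key length uniform in 1..max_len,
    key uniform among the 26^L strings of that length."""
    total = Fraction(0)
    for L in range(1, max_len + 1):
        hits = sum(1 for key in product(range(A), repeat=L)
                   if adversary(vigenere(m, key)) == wanted)
        total += Fraction(1, max_len) * Fraction(hits, A ** L)
    return total


def success_probability() -> Fraction:
    """P[PrivK^eav = 1] = 1/2 (P[A outputs 0 | b=0] + P[A outputs 1 | b=1])."""
    return Fraction(1, 2) * (prob_output(M0, 0) + prob_output(M1, 1))


if __name__ == "__main__":
    print("P[A outputs 0 | b=0] =", prob_output(M0, 0))   # 14/39
    print("P[A outputs 1 | b=1] =", prob_output(M1, 1))   # 38/39
    print("P[PrivK = 1]         =", success_probability())  # 2/3
```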
2.9.
a. The easiest proof is by Shannon's theorem: we have |C| = |M| = |K| = 26, each key in $\mathbb{Z}_{26}$ is chosen with equal probability ($\frac{1}{26}$), and for every $m \in \mathbb{Z}_{26}$ and $c \in \mathbb{Z}_{26}$ there is a unique key k such that $\mathrm{Enc}_k(m) = c$, namely $k = c - m \pmod{26}$. Alternatively, we can show that for each m, c:

$$P[C=c \mid M=m] = P[\mathrm{Enc}_k(m) = c] = P[K = c - m \pmod{26}] = \frac{1}{26}$$

Thus $\forall m_0, m_1 \in M$ and $\forall c \in C$, $P[C=c \mid M=m_0] = P[C=c \mid M=m_1]$, and we have perfect secrecy.
b. By the limitation of perfect secrecy, $|M| \le |K| = n!$, where n is the number of symbols in the alphabet (n = 26 for English); the factorial is because that's the number of permutations on an n-element set (in particular, $\mathbb{Z}_{26}$). So we have an upper bound for |M|. Now take the set M of all strings of 26 characters without repeating any. Clearly |M| = 26!. Once more, we use Shannon's theorem:
1. |K| = |M|, but also |M| = |C| since any permutation on characters will map a string of 26 nonrepeated letters to another.
2. Every key is chosen with equal probability, namely $\frac{1}{26!}$.
3. For every $m \in M$ and $c \in C$, $\exists!\, k \in K$ such that $\mathrm{Enc}_k(m) = c$, since m and c define a unique permutation on all the letters of the alphabet.
Therefore, the largest message space M for which the monoalphabetic cipher provides perfect secrecy has size n!, for an n-element alphabet.
c. For an n-element alphabet, the Vigenère cipher using (fixed) period t has $|K| = n^t$. If we encrypt messages of length t, then $|M| = n^t$ too. Clearly, we also have $|C| = n^t$. Again, by Shannon's theorem we see that every key is chosen with equal probability ($\frac{1}{n^t}$), and for each pair of plaintext and ciphertext there is a unique key such that $\mathrm{Enc}_k(m) = c$.
2.10. A simple way is the following: let Π be a scheme satisfying definition 2.5. Then by Lemma 2.6 Π is perfectly secret, so by theorem 2.10, $|K| \ge |M|$. As for an A for which $P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] > \frac{1}{2}$, let Π be an arbitrary encryption scheme with |K| < |M|.
TODO finish
2.11. Let $M = \{0,1\}^n$ and $K = \{0,1\}^{n-t}$, with $\mathrm{Enc}_k(m) = [m]_{1,\ldots,n-t} \oplus k$, i.e. xor the first (n − t) bits of m with the key k. $\mathrm{Dec}_k(c) = (c \| 0^t) \oplus (k \| r)$, where r is a random pad of t bits. Since there is a $\frac{1}{2^t}$ chance that r is precisely the missing part of the message, $P[\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m] = \frac{1}{2^t}$, so $P[\mathrm{Dec}_k(\mathrm{Enc}_k(m)) = m] \ge \frac{1}{2^t}$. The perfect secrecy of this scheme follows from the proof of the one-time pad (this is exactly a one-time pad on the first (n − t) bits of the message). Lower bound: $2^{n-t} = |M| \cdot 2^{-t} \le |K|$.

Chapter 3
3.1.
1. Let p be a positive polynomial. Since 2p is also a positive polynomial and $\mathrm{negl}_1$ and $\mathrm{negl}_2$ are negligible:

$$\exists N_1, N_2 \;\; \left(\forall n > N_1 \;\; \mathrm{negl}_1(n) < \tfrac{1}{2p(n)}\right) \wedge \left(\forall n > N_2 \;\; \mathrm{negl}_2(n) < \tfrac{1}{2p(n)}\right)$$

Choose $N_3 = \max(N_1, N_2)$; then $\forall n > N_3$ we have:

$$\mathrm{negl}_3(n) = \mathrm{negl}_1(n) + \mathrm{negl}_2(n) < \tfrac{1}{2p(n)} + \tfrac{1}{2p(n)} = \tfrac{1}{p(n)}$$

2. Let p, q be two positive polynomials. Since $p \cdot q$ is also a positive polynomial and $\mathrm{negl}_1$ is negligible:

$$\exists N_1 \;\; \forall n > N_1 \;\; \mathrm{negl}_1(n) < \tfrac{1}{q(n)\,p(n)}$$

Then $\forall n > N_1$, $\mathrm{negl}_4(n) = p(n) \cdot \mathrm{negl}_1(n) < \tfrac{1}{q(n)}$.

3.2. Let q(n) be a polynomial such that for any $k \leftarrow \mathrm{Gen}(1^n)$, $|\mathrm{Enc}_k(0)| \le q(n)$. Such a polynomial exists because the encryption algorithm must run in an amount of time polynomial in n. Since the maximum encrypted length of 0 is bounded by q(n), we would like our adversary to choose $m_0 = 0$, and $m_1$ so that $m_1$ will always encrypt to a string of length greater than q(n). If the adversary can do this, it becomes trivial to determine which message was encrypted, i.e. $P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi} = 1] = 1$, thus the definition cannot be satisfied. Consider all strings of length q(n) + 2. Since there are $2^{q(n)+2}$ such strings, and fewer than $2^{q(n)+1}$ strings of length $\le q(n)$, there must be some string $s \in \{0,1\}^{q(n)+2}$ that can only encrypt to strings of length > q(n). If the adversary chooses $m_1 = s$, then it can always win the indistinguishability experiment, so Π cannot satisfy the definition, as desired.
3.3. Let Π = (Gen, Enc, Dec) be a scheme that is secure with respect to the original definition 3.8 (for messages of equal length). Construct a scheme $\Pi' = (\mathrm{Gen}, \mathrm{Enc}', \mathrm{Dec}')$ such that:

• Given m, with $|m| \le \ell(n)$:

$$\mathrm{Enc}'(m) = \begin{cases} \mathrm{Enc}(0^{\ell - |m| - 1}1 \,\|\, m), & \text{if } |m| < \ell(n) \\ \mathrm{Enc}(m), & \text{if } |m| = \ell(n) \end{cases}$$

• $\mathrm{Dec}'$ applies Dec to the ciphertext, and parses the result as $0^t 1 \,\|\, m$ for $t \ge 0$. It outputs m.

A complete answer to this exercise requires a proof showing that the existence of an adversary breaking $\Pi'$ with respect to the modified definition implies the existence of an adversary breaking Π with respect to definition 3.8.
Informally: given an adversary $A'$ who breaks $\Pi'$, we construct an adversary A who takes the pair of plaintexts $m_0, m_1$ output by $A'$ and pads them in the same way as $\mathrm{Enc}'$ would. Then it outputs the padded messages to be encrypted. Observe that A outputs equal-length messages, as required. Furthermore, if $A'$ can correctly guess b with probability greater than $\frac{1}{2}$, then this guess will also be correct for A with the same probability.
3.4. Assume the scheme has indistinguishable encryption in the presence of an eavesdropper (def. 3.8), i.e.:

$$P[\mathrm{PrivK}^{\mathrm{eav}}_{A,\Pi}(n) = 1] \le \tfrac{1}{2} + \mathrm{negl}(n)$$

TODO finish

Chapter 4
4.1. TODO finish
4.2. TODO finish
4.3. TODO finish

4.4. TODO finish


4.5. TODO finish
4.6. TODO finish

4.7. Let F be a pseudorandom function. Show that each of the following MACs is insecure, even if used to authenticate fixed-length messages. In each case Gen outputs a uniform $k \in \{0,1\}^n$. Let $\langle i \rangle$ denote an n/2-bit encoding of the integer i.

1. To authenticate a message $m = m_1, \ldots, m_l$ where $m_i \in \{0,1\}^n$, compute $t := F_k(m_1) \oplus \cdots \oplus F_k(m_l)$.
2. To authenticate a message $m = m_1, \ldots, m_l$ where $m_i \in \{0,1\}^{n/2}$, compute $t := F_k(\langle 1 \rangle \| m_1) \oplus \cdots \oplus F_k(\langle l \rangle \| m_l)$.
3. To authenticate a message $m = m_1, \ldots, m_l$ where $m_i \in \{0,1\}^{n/2}$, choose uniform $r \leftarrow \{0,1\}^n$, compute $t := F_k(r) \oplus F_k(\langle 1 \rangle \| m_1) \oplus \cdots \oplus F_k(\langle l \rangle \| m_l)$, and let the tag be $\langle r, t \rangle$.
4.8. (The statement repeats that of 4.7 above.)
Answer:
* Part 1: Reorder the blocks of m and the tag doesn't change.
* Part 2: Query the three two-block messages
  * $m_1 \| m_2$, with tag $t_1 = F_k(\langle 1 \rangle \| m_1) \oplus F_k(\langle 2 \rangle \| m_2)$
  * $m_3 \| m_2$, with tag $t_2 = F_k(\langle 1 \rangle \| m_3) \oplus F_k(\langle 2 \rangle \| m_2)$
  * $m_3 \| m_4$, with tag $t_3 = F_k(\langle 1 \rangle \| m_3) \oplus F_k(\langle 2 \rangle \| m_4)$
  Thus the (never queried) message $m^* = m_1 \| m_4$ has tag $t = t_1 \oplus t_2 \oplus t_3 = F_k(\langle 1 \rangle \| m_1) \oplus F_k(\langle 2 \rangle \| m_4)$.
* Part 3: Let $m \in \{0,1\}^{n/2}$. When choosing $r = \langle 1 \rangle \| m$, $t = F_k(r) \oplus F_k(\langle 1 \rangle \| m) = 0^n$. Thus $\langle \langle 1 \rangle \| m,\; 0^n \rangle$ will be a valid tag for m.
4.9. Let F be a pseudorandom function. Show that the following MAC for messages of length 2n is insecure: Gen outputs a uniform $k \in \{0,1\}^n$. To authenticate a message $m_1 \| m_2$ with $|m_1| = |m_2| = n$, compute the tag $F_k(m_1) \| F_k(F_k(m_2))$.
Answer:
Query
* $m^*_1 \| m^*_1$, obtaining $t_{11} \| t_{12} = F_k(m^*_1) \| F_k(F_k(m^*_1))$
* $m^*_2 \| m^*_2$, obtaining $t_{21} \| t_{22} = F_k(m^*_2) \| F_k(F_k(m^*_2))$
Hence for $m^* = m^*_1 \| m^*_2$, $t^* = t_{11} \| t_{22}$ is a valid tag.
4.10. TODO finish
4.11. TODO finish
4.12. TODO finish
4.13. TODO finish
4.14. Prove that the following modifications of basic CBC-MAC do not yield a secure MAC (even for fixed-length messages):
1. Mac outputs all blocks $t_1, \ldots, t_l$ rather than just $t_l$. (Verification only checks whether $t_l$ is correct.)
2. A random initial block is used each time a message is authenticated. That is, choose uniform $t_0 \in \{0,1\}^n$, run basic CBC-MAC over the "message" $t_0, m_1, \ldots, m_l$, and output the tag $\langle t_0, t_l \rangle$. Verification is done in the natural way.
The Answer:
* Part 1: Query
  * $B_0 \| B_1$, obtaining the tag $t_0 \| t_1$
  * $B_2 \| B_3$, obtaining the tag $t_2 \| t_3$
  We know $F_k(B_0) = t_0$ and $F_k(B_2) = t_2$. Hence

  $$\mathrm{MAC}_k(B_0 \| B^*_2) = F_k(B_0) \| F_k(F_k(B_0) \oplus B^*_2) = t_0 \| F_k(t_0 \oplus B^*_2)$$

  Let $t_0 \oplus B^*_2 = B_2$, i.e., $B^*_2 = t_0 \oplus B_2$. Then

  $$\mathrm{MAC}_k(B_0 \| (t_0 \oplus B_2)) = t_0 \| F_k(t_0 \oplus t_0 \oplus B_2) = t_0 \| F_k(B_2) = t_0 \| t_2$$

  Therefore $\langle B_0 \| (t_0 \oplus B_2),\; t_0 \| t_2 \rangle$ is a valid pair of message and tag.
* Part 2: Query
  * $B_0 \| B_1$, obtaining the tag $\langle r_1, t_1 \rangle$
  * $B_2 \| B_3$, obtaining the tag $\langle r_2, t_2 \rangle$
  Hence for $m^* = B_0 \| B_1 \| (t_2 \oplus r_2) \| B_2 \| B_3$, $t^* = \langle r, t_2 \rangle$ should be a valid tag.
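Part 1 of 4.14 carried out on a toy implementation, as an added example (not code from the solutions document). The PRF $F_k$ is assumed to be HMAC-SHA256 truncated to one 16-byte block, and the two queried messages are constructed samples; the point for a verifier is that basic CBC-MAC, which releases only $t_l$, never exposes the intermediate $t_0$ this construction relies on.

```python
import hashlib
import hmac
import os

BLOCK = 16


def prf(k: bytes, x: bytes) -> bytes:
    """Stand-in for the PRF F_k: HMAC-SHA256 truncated to one block (assumption)."""
    assert len(x) == BLOCK
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac_chain(k: bytes, msg: bytes) -> list:
    """Basic CBC-MAC: t_1 = F_k(m_1), t_i = F_k(t_{i-1} xor m_i); returns every t_i."""
    assert msg and len(msg) % BLOCK == 0, "whole blocks only (fixed-length MAC)"
    t, chain = bytes(BLOCK), []
    for i in range(0, len(msg), BLOCK):
        t = prf(k, xor(t, msg[i:i + BLOCK]))
        chain.append(t)
    return chain


def mac_basic(k: bytes, msg: bytes) -> bytes:
    """Basic CBC-MAC outputs only the last block t_l."""
    return cbc_mac_chain(k, msg)[-1]


def mac_all_blocks(k: bytes, msg: bytes) -> bytes:
    """Variant 4.14(1): every intermediate block becomes part of the tag."""
    return b"".join(cbc_mac_chain(k, msg))


def vrfy_all_blocks(k: bytes, msg: bytes, tag: bytes) -> bool:
    """As stated in the exercise, verification checks only the last block."""
    return hmac.compare_digest(tag[-BLOCK:], mac_basic(k, msg))


def forgery_from_two_tags(m1: bytes, tag1: bytes, m2: bytes, tag2: bytes):
    """The page's argument: with t_0 = F_k(B_0) and t_2 = F_k(B_2) exposed,
    the message B_0 || (t_0 xor B_2) carries the tag t_0 || t_2."""
    b0, b2 = m1[:BLOCK], m2[:BLOCK]
    t0, t2 = tag1[:BLOCK], tag2[:BLOCK]
    return b0 + xor(t0, b2), t0 + t2


def demo(k: bytes = None) -> bool:
    """True iff a never-queried message verifies under the leaky variant."""
    k = k or os.urandom(BLOCK)
    m1 = b"A" * BLOCK + b"B" * BLOCK      # B_0 || B_1 (constructed sample)
    m2 = b"C" * BLOCK + b"D" * BLOCK      # B_2 || B_3 (constructed sample)
    forged_m, forged_t = forgery_from_two_tags(
        m1, mac_all_blocks(k, m1), m2, mac_all_blocks(k, m2))
    return forged_m not in (m1, m2) and vrfy_all_blocks(k, forged_m, forged_t)


if __name__ == "__main__":
    print("forged pair accepted by the all-blocks variant:", demo())
```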
4.15. Show that appending the message length to the end of the message before applying basic CBC-MAC does not result in a secure MAC for arbitrary-length messages.
The Answer:
Query
* $m_1 = B_0 \| B_1$, with tag $t_1 = \mathrm{MAC}_k(m_1 \| \langle |m_1| \rangle)$
* $m^*_1 = B^*_0 \| B^*_1$, with tag $t^*_1 = \mathrm{MAC}_k(m^*_1 \| \langle |m^*_1| \rangle)$, where $|m^*_1| = |m_1|$
* $m_2 = m_1 \| \langle |m_1| \rangle \| B_2 \| B_3$, with tag $t_2 = \mathrm{MAC}_k(m_2 \| \langle |m_2| \rangle)$
To be specific, the process of computing $t_2$ for message $m_2$ is listed below:
* $c_0 = F_k(B_0)$
* $c_1 = F_k(c_0 \oplus B_1)$
* $t_1 = F_k(c_1 \oplus \langle |m_1| \rangle)$
* $c_3 = F_k(t_1 \oplus B_2)$
* $c_4 = F_k(c_3 \oplus B_3)$
* $t = F_k(c_4 \oplus \langle |m_2| \rangle)$
Hence, if we change $m_1$ to $m^*_1$:
* $c^*_0 = F_k(B^*_0)$
* $c^*_1 = F_k(c^*_0 \oplus B^*_1)$
* $t^*_1 = F_k(c^*_1 \oplus \langle |m^*_1| \rangle)$
In order to keep the result of the MAC, it must hold that

$$t_1 \oplus B_2 = t^*_1 \oplus B^*_2$$

Thus

$$B^*_2 = t_1 \oplus B_2 \oplus t^*_1$$

Therefore
* $c^*_3 = F_k(t^*_1 \oplus B^*_2) = F_k(t^*_1 \oplus t_1 \oplus B_2 \oplus t^*_1) = F_k(t_1 \oplus B_2) = c_3$
* $c^*_4 = F_k(c^*_3 \oplus B_3) = F_k(c_3 \oplus B_3) = c_4$
* $t^* = F_k(c^*_4 \oplus \langle |m^*_2| \rangle) = F_k(c_4 \oplus \langle |m_2| \rangle) = t$
* $|m^*_2| = |m_2|$ follows directly from $|m^*_1| = |m_1|$
Hence we get a message and its valid tag $\langle m^*, t^* \rangle$ where

$$m^* := m^*_1 \| \langle |m^*_1| \rangle \| (t_1 \oplus B_2 \oplus t^*_1) \| B_3, \qquad t^* = t$$


4.16. Show two types of forgery attacks for the authenticated encryption scheme CBC-XOR.
Given a pseudorandom permutation F:
Gen: $k \leftarrow \{0,1\}^n$
Enc: On input a message $m = B_0 \| B_1 \| \ldots \| B_l$ and a key k, uniformly generate an $IV \leftarrow \{0,1\}^n$:
1. Compute $B_{l+1} = B_0 \oplus B_1 \oplus \cdots \oplus B_l$
2. Do CBC encryption on $m \| B_{l+1}$ using k and IV
Output the ciphertext $c := IV \| c_0 \| c_1 \| \ldots \| c_l \| c_{l+1}$
Dec: On input a ciphertext $c = IV \| c_0 \| c_1 \| \ldots \| c_l \| c_{l+1}$ and a key k:
1. Do CBC decryption on $c_0 \| c_1 \| \ldots \| c_l \| c_{l+1}$ using k and IV
2. Check if $B_{l+1} = B_0 \oplus B_1 \oplus \cdots \oplus B_l$. If true, output the plaintext $B_0 \| B_1 \| \ldots \| B_l$; if false, output error.
Answers:
Method 1 - Truncation
Query $m = B_0 \| B_1 \| (B_0 \oplus B_1)$ and obtain the ciphertext $c = IV \| c_0 \| c_1 \| c_2 \| c_3$. Thus $c^* = IV \| c_0 \| c_1 \| c_2$ should be a valid ciphertext for $m^* = B_0 \| B_1$.
Method 2 - Swap
Query $m = B_0 \| B_1 \| B_2$ and obtain the ciphertext $c = IV \| c_0 \| c_1 \| c_2 \| c_3$. Thus
* $F_k(IV \oplus B_0) = c_0$
* $F_k(c_0 \oplus B_1) = c_1$
* $F_k(c_1 \oplus B_2) = c_2$
* $F_k(c_2 \oplus B_0 \oplus B_1 \oplus B_2) = c_3$
Hence $c^* = IV \| c_1 \| c_0 \| c_2 \| c_3$ should be a valid ciphertext for $m^* = B^*_0 \| B^*_1 \| B^*_2$, where
* $B^*_0 = c_0 \oplus B_1 \oplus IV$
* $B^*_1 = IV \oplus B_0 \oplus c_1$
* $B^*_2 = c_1 \oplus B_2 \oplus c_0$
* $B^*_0 \oplus B^*_1 \oplus B^*_2 = c_0 \oplus B_1 \oplus IV \oplus IV \oplus B_0 \oplus c_1 \oplus c_1 \oplus B_2 \oplus c_0 = B_0 \oplus B_1 \oplus B_2$
4.17. TODO finish
Chapter 5
5.1. TODO
5.2. TODO

5.3. TODO
5.4. TODO
5.5. Problem
Let (Gen, H) be a collision-resistant hash function. Is (Gen, Ĥ), defined by

$$\hat{H}^s(x) \stackrel{\mathrm{def}}{=} H^s(H^s(x))$$

necessarily collision resistant?

* Solution
Assume that Ĥ is not collision-resistant, i.e.

$$\exists\, x \neq y,\; \hat{H}^s(x) = \hat{H}^s(y)$$

Thus $H^s(H^s(x)) = H^s(H^s(y))$.
* If $H^s(x) = H^s(y)$, then (x, y) is a collision for H.
* If $H^s(x) \neq H^s(y)$, let $x' = H^s(x)$ and $y' = H^s(y)$. Since $H^s(x') = H^s(H^s(x)) = H^s(H^s(y)) = H^s(y')$, $(x', y')$ is a collision for H.
Therefore, Ĥ not collision-resistant implies H not collision-resistant; equivalently, H collision-resistant implies Ĥ collision-resistant.
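The reduction in the 5.5 solution written as code, as an added example (not from the solutions document). $H^s$ is assumed to be a constructed toy hash with a 16-bit output so that a collision for Ĥ can be found by a birthday search, after which the two cases of the argument produce a collision for H.

```python
import hashlib
import itertools


def h(s: bytes, x: bytes) -> bytes:
    """Toy keyed hash H^s with a 16-bit output, so collisions are cheap to
    find for the demonstration (constructed; not a real CRHF)."""
    return hashlib.sha256(s + x).digest()[:2]


def h_hat(s: bytes, x: bytes) -> bytes:
    """Ĥ^s(x) = H^s(H^s(x)) from exercise 5.5."""
    return h(s, h(s, x))


def find_collision(fn, s: bytes):
    """Birthday search over 4-byte inputs: (x, y), x != y, fn(s, x) == fn(s, y)."""
    seen = {}
    for i in itertools.count():
        x = i.to_bytes(4, "big")
        d = fn(s, x)
        if d in seen:
            return seen[d], x
        seen[d] = x


def reduce_to_h_collision(s: bytes, x: bytes, y: bytes):
    """The reduction of the 5.5 solution.
    Case 1: H^s(x) == H^s(y): (x, y) already collides for H.
    Case 2: otherwise x' = H^s(x) and y' = H^s(y) are distinct inputs with
            H^s(x') == H^s(y'), so (x', y') collides for H."""
    assert x != y and h_hat(s, x) == h_hat(s, y), "input is not an Ĥ collision"
    hx, hy = h(s, x), h(s, y)
    return (x, y) if hx == hy else (hx, hy)


def is_h_collision(s: bytes, a: bytes, b: bytes) -> bool:
    return a != b and h(s, a) == h(s, b)


if __name__ == "__main__":
    s = b"constructed-seed"
    x, y = find_collision(h_hat, s)
    a, b = reduce_to_h_collision(s, x, y)
    print("H collision recovered from the Ĥ collision:", is_h_collision(s, a, b))
```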

5.6. TODO
5.7. TODO
