CS255: Intro. to Cryptography, Winter 2022
Assignment #2
Due: Wednesday, Feb. 16, 2022, by Gradescope (each answer on a separate page).
Problem 1. RawCBC attacks. In class we discussed the ECBC (encrypted CBC) MAC for messages in $X^{\le L}$ where $X = \{0,1\}^n$. Recall that RawCBC is the same as ECBC, but without the very last encryption step. We showed that RawCBC is an insecure MAC for variable length messages. Here we show a more devastating attack on RawCBC. Let $m_1$ and $m_2$ be two multi-block messages. Show that by asking the signer for the MAC tag on $m_1$ and for the MAC tag on one additional multi-block message $m_2'$ of the same length as $m_2$, the attacker can obtain the MAC tag on $m = m_1 \| m_2$, the concatenation of $m_1$ and $m_2$.
Problem 2. Multicast MACs. Suppose user A wants to broadcast a message to n recipients $B_1, \dots, B_n$. Privacy is not important but integrity is. In other words, each of $B_1, \dots, B_n$ should be assured that the message he is receiving was sent by A. User A decides to use a MAC.
a. Suppose user A and $B_1, \dots, B_n$ all share a secret key k. User A computes the MAC tag for every message she sends using k. Every user $B_i$ verifies the tag using k. Using at most two sentences explain why this scheme is insecure, namely, show that user $B_1$ is not assured that messages he is receiving are from A.
b. Suppose user A has a set $S = \{k_1, \dots, k_\ell\}$ of $\ell$ secret keys. Each user $B_i$ has some subset $S_i \subseteq S$ of the keys. When A transmits a message she appends $\ell$ MAC tags to it by MACing the message with each of her $\ell$ keys. When user $B_i$ receives a message he accepts it as valid only if all tags corresponding to keys in $S_i$ are valid. Let us assume that the users $B_1, \dots, B_n$ do not collude with each other. What property should the sets $S_1, \dots, S_n$ satisfy so that the attack from part (a) does not apply?
c. Show that when n = 10 (i.e. ten recipients) it suffices to take $\ell = 5$ in part (b). Describe the sets $S_1, \dots, S_{10} \subseteq \{k_1, \dots, k_5\}$ you would use.
d. Show that the scheme from part (c) is completely insecure if two users are allowed to collude.
Problem 3. Parallel Merkle-Damgård. Recall that the Merkle-Damgård construction gives a sequential method for extending the domain of a CRHF. The tree construction in the figure below is a parallelizable approach: all the hash functions h within a single level can be computed in parallel. Prove that the resulting hash function defined over $(X^{\le L}, X)$ is collision resistant, assuming h is collision resistant. Here h is a compression function $h : X^2 \to X$, and we assume the message length can be encoded as an element of X.
[Figure: binary hash tree over the blocks $m_1, \dots, m_{11}$. Adjacent blocks are paired and hashed with h at each level; a node with a single child passes that child up unchanged; the root is finally hashed together with the message length (11) to give the output.]
More precisely, the hash function is defined as follows:
  input: $m_1 \dots m_s \in X^s$ for some $1 \le s \le L$
  output: $y \in X$
  let $t \in \mathbb{Z}$ be the smallest power of two such that $t \ge s$ (i.e., $t := 2^{\lceil \log_2 s \rceil}$)
  for $i = s+1$ to $t$: $m_i \leftarrow \bot$
  for $i = t+1$ to $2t-1$:
    $\ell \leftarrow 2(i-t)-1$, $r \leftarrow \ell+1$    // indices of left and right children
    if $m_\ell = \bot$ and $m_r = \bot$: $m_i \leftarrow \bot$    // if node has no children, set node to null
    else if $m_r = \bot$: $m_i \leftarrow m_\ell$    // if one child, propagate child as is
    else $m_i \leftarrow h(m_\ell, m_r)$    // if two children, hash with h
  output $y \leftarrow h(m_{2t-1}, s)$    // hash final output and message length
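The definition above, implemented as an added worked example (an editor's illustration, not part of the assignment). The problem leaves h and the length encoding abstract, so SHA-256 truncated to one 16-byte block stands in for h and a 16-byte big-endian integer encodes s; both are assumptions. The function follows the pseudocode line for line, with None playing the role of ⊥, and example_blocks() constructs sample input.

```python
import hashlib

BLOCK = 16  # one element of X = {0,1}^128, written as 16 bytes (assumption for this demo)


def h(left: bytes, right: bytes) -> bytes:
    """Compression function h : X^2 -> X.
    Stand-in: SHA-256 of the concatenated pair, truncated to one block (an assumption;
    the assignment only requires h to be collision resistant)."""
    assert len(left) == BLOCK and len(right) == BLOCK
    return hashlib.sha256(left + right).digest()[:BLOCK]


def encode_len(s: int) -> bytes:
    """Encode the message length s as an element of X (big-endian, one block)."""
    return s.to_bytes(BLOCK, "big")


def tree_hash(blocks: list) -> bytes:
    """The parallel Merkle-Damgard hash of Problem 3, following the pseudocode literally.
    blocks[0..s-1] are m_1..m_s; internally we use a 1-indexed array m[1..2t-1]."""
    s = len(blocks)
    assert s >= 1 and all(len(b) == BLOCK for b in blocks)
    t = 1
    while t < s:            # smallest power of two with t >= s
        t *= 2
    # m[0] unused; m[1..s] = message; m[s+1..t] = ⊥ padding; m[t+1..2t-1] = internal nodes
    m = [None] + list(blocks) + [None] * (t - s) + [None] * (t - 1)
    for i in range(t + 1, 2 * t):
        li = 2 * (i - t) - 1   # left child
        ri = li + 1            # right child
        if m[li] is None and m[ri] is None:
            m[i] = None        # no children: node is ⊥
        elif m[ri] is None:
            m[i] = m[li]       # one child: propagate it unchanged
        else:
            m[i] = h(m[li], m[ri])
    return h(m[2 * t - 1], encode_len(s))   # root, then length block


def example_blocks(s: int) -> list:
    """Constructed sample input: block i is the byte value i repeated."""
    return [bytes([i]) * BLOCK for i in range(1, s + 1)]


if __name__ == "__main__":
    print(tree_hash(example_blocks(11)).hex())
```

Nodes t+1 .. 2t-1 are laid out level by level, so every h call whose inputs sit in m[1..t] can run in parallel, then every call over the next level, and so on; the only sequential step is the final h with the length block.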
Problem 4. In the lecture we saw that Davies-Meyer is used to convert an ideal block cipher
into a collision resistant compression function. Let E(k, m) be a block cipher where the
message space is the same as the key space (e.g. 128-bit AES). Show that the following
methods do not work:
$f_1(x, y) = E(y, x) \oplus y$ and $f_2(x, y) = E(x, x \oplus y)$
That is, show an efficient algorithm for constructing collisions for f1 and f2 . Recall that
the block cipher E and the corresponding decryption algorithm D are both known to you.
Problem 5. Authenticated encryption. Let (E, D) be an encryption system that provides
authenticated encryption. Here E does not take a nonce as input and therefore must be a
randomized encryption algorithm. Which of the following systems provide authenticated
encryption? For those that do, give a short proof. For those that do not, present an attack
that either breaks CPA security or ciphertext integrity.
a. $E_1(k, m) = \{\, c \leftarrow E(k, m);\ \text{output } (c, c) \,\}$ and $D_1(k, (c_1, c_2)) = D(k, c_1)$
b. $E_2(k, m) = \{\, c \leftarrow E(k, m);\ \text{output } (c, c) \,\}$ and $D_2(k, (c_1, c_2)) = \begin{cases} D(k, c_1) & \text{if } c_1 = c_2 \\ \text{fail} & \text{otherwise} \end{cases}$
c. $E_3(k, m) = \big(E(k, m),\ E(k, m)\big)$ and $D_3(k, (c_1, c_2)) = \begin{cases} D(k, c_1) & \text{if } D(k, c_1) = D(k, c_2) \\ \text{fail} & \text{otherwise} \end{cases}$
To clarify: E(k, m) is randomized so that running it twice on the same input will result in different outputs with high probability.
d. $E_4(k, m) = \big(E(k, m),\ H(m)\big)$ and $D_4(k, (c_1, c_2)) = \begin{cases} D(k, c_1) & \text{if } H(D(k, c_1)) = c_2 \\ \text{fail} & \text{otherwise} \end{cases}$
where H is a collision resistant hash function.
Problem 6. Let F be a secure PRF defined over $(K, X, Y)$ where $Y := \{0,1\}^n$. Let $(E_{ctr}, D_{ctr})$ be the cipher derived from F using randomized counter mode. Let $H : Y^{\le L} \to Y$ be a collision resistant hash function. Consider the following attempt at building an AE-secure cipher defined over $(K, Y^{\le L}, Y^{\le L+2})$:
  $E'(k, m) := E_{ctr}\big(k, (H(m), m)\big)$;   $D'(k, c) := \{\, (t, m) \leftarrow D_{ctr}(k, c);\ \text{if } t = H(m) \text{ output } m, \text{ else reject} \,\}$
Note that when encrypting a single block message $m \in Y$, the output is three blocks: the random IV, a ciphertext block corresponding to H(m), and a ciphertext block corresponding to m. Show that $(E', D')$ is not AE-secure by showing that it does not have ciphertext integrity. Your attack should make a single encryption query.
At some point in the past, this type of construction was used to protect secret keys in the Android KeyStore. The attack you are asked to find resulted in a compromise of the key store.
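The construction $(E', D')$ and a one-query ciphertext forgery against it, as an added example written for this page (not code from the assignment or from the Android KeyStore). F is instantiated with HMAC-SHA256 truncated to one block and H with truncated SHA-256; both are assumptions, since the problem leaves them abstract. Counter mode is taken to use pad block F(k, IV + i) for the i-th plaintext block, i starting at 0; forge() is a hypothetical attacker that only ever sees an encryption oracle.

```python
import hashlib
import hmac
import os

BLOCK = 16  # one element of Y = {0,1}^128 as 16 bytes (assumption for this demo)


def F(k: bytes, x: bytes) -> bytes:
    """PRF F over (K, X, Y). Stand-in: HMAC-SHA256 truncated to one block (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:BLOCK]


def H(m: bytes) -> bytes:
    """Collision resistant H : Y^{<=L} -> Y. Stand-in: SHA-256 truncated to one block."""
    return hashlib.sha256(m).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter(iv: bytes, i: int) -> bytes:
    """IV + i mod 2^128: the PRF input for the i-th pad block (i starts at 0)."""
    return ((int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")


def E_ctr(k: bytes, m: bytes, iv=None) -> bytes:
    """Randomized counter mode: IV || m_0 xor F(k, IV) || m_1 xor F(k, IV+1) || ..."""
    assert len(m) % BLOCK == 0
    iv = os.urandom(BLOCK) if iv is None else iv
    blocks = [m[i:i + BLOCK] for i in range(0, len(m), BLOCK)]
    return iv + b"".join(xor(b, F(k, counter(iv, i))) for i, b in enumerate(blocks))


def D_ctr(k: bytes, c: bytes) -> bytes:
    iv, body = c[:BLOCK], c[BLOCK:]
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    return b"".join(xor(b, F(k, counter(iv, i))) for i, b in enumerate(blocks))


def E_prime(k: bytes, m: bytes) -> bytes:
    """E'(k, m) := E_ctr(k, (H(m), m)): the hash of m rides as the first plaintext block."""
    return E_ctr(k, H(m) + m)


def D_prime(k: bytes, c: bytes):
    """D'(k, c): decrypt, split off t, output m only if t = H(m); None means reject."""
    p = D_ctr(k, c)
    t, m = p[:BLOCK], p[BLOCK:]
    return m if hmac.compare_digest(t, H(m)) else None


def forge(encrypt_oracle, x: bytes) -> bytes:
    """Break ciphertext integrity with a single encryption query (hypothetical attacker).
    Query m = (H(x), x). The oracle encrypts (H(m), H(x), x) as IV | c0 | c1 | c2 with
    c1 = H(x) xor F(k, IV+1) and c2 = x xor F(k, IV+2). Drop c0 and advance the IV by one:
    D_ctr now derives pads F(k, IV+1), F(k, IV+2) for c1, c2, so the forged ciphertext
    decrypts to (H(x), x) and D' accepts it as the message x, which was never queried."""
    assert len(x) % BLOCK == 0
    c = encrypt_oracle(H(x) + x)
    iv, c1_onward = c[:BLOCK], c[2 * BLOCK:]
    return counter(iv, 1) + c1_onward


if __name__ == "__main__":
    k = os.urandom(BLOCK)
    forged = forge(lambda m: E_prime(k, m), b"attacker chosen!")
    print(D_prime(k, forged))
```

The forgery works because the integrity block is itself only XOR-masked key stream: counter mode lets the attacker re-align a ciphertext slice with a shifted IV, and nothing binds t to the IV or to the position of the blocks. Any real AE mode (e.g. encrypt-then-MAC over IV and ciphertext) closes exactly this gap.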
Problem 7. Exponentiation algorithms. Let G be a finite cyclic group of order p with generator g. In class we discussed the repeated squaring algorithm for computing $g^x \in G$ for $0 \le x < p$. The algorithm needed at most $2 \log_2 p$ multiplications in G.
In this question we develop a faster exponentiation algorithm. For some small constant w, called the window size, the algorithm begins by building a table T of size $2^w$ defined as follows:
  set $T[k] := g^k$ for $k = 0, \dots, 2^w - 1$.    (1)
a. Show that once the table T is computed, we can compute $g^x$ using only $(1 + 1/w)\log_2 p$ multiplications in G. Your algorithm shows that when the base of the exponentiation g is fixed forever, the table T can be pre-computed once and for all. Then exponentiation is faster than with repeated squaring.
Hint: Start by writing the exponent x base $2^w$ so that:
  $x = x_0 + x_1 2^w + x_2 (2^w)^2 + \dots + x_{d-1} (2^w)^{d-1}$ where $0 \le x_i < 2^w$ for all $i = 0, \dots, d-1$.
Here there are d digits in the representation of x base $2^w$. Start the exponentiation algorithm with $x_{d-1}$ and work your way down, squaring the accumulator w times at every iteration.
b. Suppose every exponentiation is done relative to a different base, so that a new table T must be re-computed for every exponentiation. What is the worst-case number of multiplications as a function of w and $\log_2 p$?
c. Continuing with Part (b), compute the optimal window size w when $\log_2 p = 256$, namely the w that minimizes the overall worst-case running time. What is the worst-case running time with this w? (counting only multiplications in G)
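Repeated squaring and the fixed-window method of this problem, each run against a group wrapper that counts every multiplication (squarings included), as an added example not taken from the assignment. The group is $\mathbb{Z}_p^*$ for the 256-bit prime $p = 2^{256} - 2^{32} - 977$, chosen only because it gives 256-bit exponents; the counts depend on the bit length of x alone, not on the group, and P, G_GEN, ModGroup and worst_case are names introduced here. worst_case(w) runs the windowed method on the all-ones exponent, where every base-$2^w$ digit is nonzero, and returns the table cost, the exponentiation cost, and their sum, which is what parts (b) and (c) ask about.

```python
P = (1 << 256) - (1 << 32) - 977   # 256-bit prime (secp256k1 field prime); any 256-bit group would do
G_GEN = 3                          # base of the exponentiation (assumption; need not generate Z_p^*)


class ModGroup:
    """Multiplication modulo a prime, counting every call to mul (squarings included)."""

    def __init__(self, p: int):
        self.p = p
        self.mults = 0

    def mul(self, a: int, b: int) -> int:
        self.mults += 1
        return a * b % self.p


def repeated_squaring(G: ModGroup, g: int, x: int) -> int:
    """Left-to-right binary method: one squaring per bit plus one multiply per 1-bit,
    at most 2*log2(x) multiplications."""
    if x == 0:
        return 1
    bits = bin(x)[2:]          # bits[0] is the top bit and is always 1
    acc = g % G.p
    for b in bits[1:]:
        acc = G.mul(acc, acc)
        if b == "1":
            acc = G.mul(acc, g)
    return acc


def build_table(G: ModGroup, g: int, w: int) -> list:
    """Equation (1): T[k] = g^k for k = 0..2^w - 1, built with 2^w - 2 multiplications."""
    T = [1, g % G.p]
    for _ in range(2, 1 << w):
        T.append(G.mul(T[-1], g))
    return T


def windowed_exp(G: ModGroup, T: list, x: int, w: int) -> int:
    """Fixed-window method from the hint: write x in base 2^w, start the accumulator at
    T[x_{d-1}], then for each lower digit square w times and multiply by T[digit] if nonzero.
    Cost: (d-1)*w squarings and at most d-1 multiplies, i.e. about (1 + 1/w) log2(x)."""
    if x == 0:
        return 1
    mask = (1 << w) - 1
    digits = []                # base-2^w digits, least significant first
    while x:
        digits.append(x & mask)
        x >>= w
    acc = T[digits[-1]]
    for dgt in reversed(digits[:-1]):
        for _ in range(w):
            acc = G.mul(acc, acc)
        if dgt:
            acc = G.mul(acc, T[dgt])
    return acc


def worst_case(w: int, nbits: int = 256) -> tuple:
    """Multiplication counts for x = 2^nbits - 1 (every digit maximal):
    (table construction, exponentiation given the table, total for a fresh base)."""
    G = ModGroup(P)
    T = build_table(G, G_GEN, w)
    table_cost = G.mults
    G.mults = 0
    windowed_exp(G, T, (1 << nbits) - 1, w)
    return table_cost, G.mults, table_cost + G.mults


if __name__ == "__main__":
    for w in range(1, 9):
        print(w, worst_case(w))
```

Part (a) corresponds to the middle number alone (the table is amortized over all exponentiations with the same base); parts (b) and (c) are the total, which trades the $2^w - 2$ table multiplications against the $1/w$ saving in the exponentiation loop.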