HW2 Solution

This homework assignment covers cryptography and solutions to related problems. It includes solutions to problems about message authentication codes, authenticated encryption, hash functions, and Merkle trees. The solutions prove that the proposed MACs and hash functions are insecure and show how to construct collisions. It also proves that the given authenticated encryption scheme is CCA-secure and discusses how to find collisions in a Merkle tree if the tree height is not fixed.


ECE/CS407 Cryptography – Homework 2 Solutions

Professor Yupeng Zhang

Due: March 6, 11:59pm CT

Remember, you are free to collaborate with up to one classmate. See the course webpage for
more details. You are expected to write out and submit your own solutions! Your collaboration
is for discussing problems at a high level, not plagiarizing answers. Please acknowledge in writing
the name of every student that you collaborated with.
The homework should be typed or carefully handwritten. We provide a LATEX template for this
document, if you would like to use it as a starting point. If we cannot read your handwritten
answers, they will not receive credit.
Your typed solutions should be submitted through gradescope (see course webpage). Your
hand-written solutions should be scanned and turned in through gradescope.

Problem 1. Let F be a pseudorandom function. Show that each of the following MACs is insecure,
even if used to authenticate fixed-length messages of ℓ blocks. (In each case Gen outputs a uniform
k ∈ {0, 1}n ; we let ⟨i⟩ denote an n/2-bit encoding of the integer i.)

1. (3 points) To authenticate a message m = m1, m2, . . . , mℓ, where mi ∈ {0, 1}n, compute
t = Fk(m1) ⊕ Fk(m2) ⊕ · · · ⊕ Fk(mℓ).

2. (3 points) To authenticate a message m = m1, m2, . . . , mℓ, where mi ∈ {0, 1}n/2, compute
t = Fk(⟨1⟩||m1) ⊕ Fk(⟨2⟩||m2) ⊕ · · · ⊕ Fk(⟨ℓ⟩||mℓ), where “||” means concatenation.

3. (4 points) To authenticate a message m = m1, m2, . . . , mℓ, where mi ∈ {0, 1}n/2, choose
a uniformly random r ← {0, 1}n, compute t = Fk(r) ⊕ Fk(⟨1⟩||m1) ⊕ Fk(⟨2⟩||m2) ⊕ · · · ⊕ Fk(⟨ℓ⟩||mℓ),
and let the MAC be (r, t).

Solution 1. 1. Let m1, m2 ∈ {0, 1}n be distinct. Then the tag on the message m1, m2 is
identical to the tag on the message m2, m1. Thus A can ask for the tag on the message m1, m2
and output the message m2, m1 together with the tag it received.

2. Let m1, m′1, m2, m′2 ∈ {0, 1}n/2 with m1 ̸= m′1 and m2 ̸= m′2. Note that the tag t1 for m1, m2
is Fk(⟨1⟩||m1) ⊕ Fk(⟨2⟩||m2), the tag t2 for m′1, m2 is Fk(⟨1⟩||m′1) ⊕ Fk(⟨2⟩||m2), and the tag t3 for
m1, m′2 is Fk(⟨1⟩||m1) ⊕ Fk(⟨2⟩||m′2). The tag t4 for m′1, m′2 is Fk(⟨1⟩||m′1) ⊕ Fk(⟨2⟩||m′2) =
t1 ⊕ t2 ⊕ t3.
Therefore, the attacker obtains the tag t1 on the message m1, m2; the tag t2 on the message m′1, m2;
and the tag t3 on the message m1, m′2. One can then verify that t1 ⊕ t2 ⊕ t3 is a valid tag on
m′1, m′2, a message that was never queried.

3. Let m1 ∈ {0, 1}n/2 be arbitrary. The attacker can set r := ⟨1⟩∥m1 and output the forgery
⟨r, 0n ⟩ on the message m1 .
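The forgery of part 2, as an added example that is not part of the solution set: a Python simulation in which HMAC-SHA256 truncated to n = 128 bits stands in for the PRF Fk (an assumption made only so that the code runs with the standard library). The block index encoding ⟨i⟩ and the 8-byte message blocks are likewise assumptions.

```python
import hmac
import hashlib

N = 16          # block length n = 128 bits
HALF = N // 2   # <i> is an n/2-bit (8-byte) encoding of the block index i

def prf(k: bytes, x: bytes) -> bytes:
    """F_k(x): HMAC-SHA256 truncated to n bits stands in for the PRF (assumption)."""
    return hmac.new(k, x, hashlib.sha256).digest()[:N]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def enc_idx(i: int) -> bytes:
    """<i>: n/2-bit big-endian encoding of the integer i."""
    return i.to_bytes(HALF, "big")

def mac(k: bytes, blocks: list) -> bytes:
    """Problem 1.2: t = F_k(<1>||m_1) xor ... xor F_k(<l>||m_l), each m_i in {0,1}^(n/2)."""
    t = bytes(N)
    for i, m_i in enumerate(blocks, start=1):
        t = xor(t, prf(k, enc_idx(i) + m_i))
    return t

def verify(k: bytes, blocks: list, t: bytes) -> bool:
    return hmac.compare_digest(mac(k, blocks), t)

def forge(tag_oracle, m1: bytes, m1p: bytes, m2: bytes, m2p: bytes):
    """Solution 1.2: tags on (m1,m2), (m1',m2), (m1,m2') xor to the tag on (m1',m2'),
    because every F_k(<i>||.) term appears an even number of times except the two wanted."""
    t1 = tag_oracle([m1, m2])
    t2 = tag_oracle([m1p, m2])
    t3 = tag_oracle([m1, m2p])
    return [m1p, m2p], xor(xor(t1, t2), t3)

if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed demo key
    a, ap, b, bp = b"block-a0", b"block-a1", b"block-b0", b"block-b1"
    msg, tag = forge(lambda blocks: mac(key, blocks), a, ap, b, bp)
    print("forged tag verifies:", verify(key, msg, tag))     # True
```

The lambda plays the role of the tagging oracle; the forger never sees the key, only three tags.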

Problem 2 (Authenticated Encryption (10 points)). Let F be a strong pseudorandom permutation
(Slide 11 of Lecture 7), and define a fixed-length encryption (Enc, Dec) as follows: On
input m ∈ {0, 1}n/2 and key k ∈ {0, 1}n, algorithm Enc chooses a uniform string r ∈ {0, 1}n/2 and
computes c = Fk(r||m), where “||” means concatenation.
1. (2 points) Write down the decryption algorithm Dec of the scheme.
2. (6 points) Prove that this scheme is CCA-secure for messages of length n/2.
3. (2 points) Show that this scheme is not an authenticated encryption.
Solution 2. 1. To decrypt, compute m̂ := Fk−1(c) and then output the last n/2 bits of m̂ as
the message.
2. We build a distinguisher D with access to f(), f−1(), which is either a truly random permutation
or the pseudorandom permutation Fk(), Fk−1().
(a) When the adversary A queries the encryption oracle with message m, sample a uniform
string r ∈ {0, 1}n/2 and return c = f (r||m).
(b) When the adversary A queries the decryption oracle with ciphertext c, return the first
n/2 bits of m̂ = f −1 (c).
(c) Output 1 if $\mathsf{Priv}^{\mathrm{CCA}}_{A,\Pi}(n) = 1$, i.e. if A wins the CCA experiment.
If D is given Fk(), Fk−1(), then by construction
$$\Pr\big[D^{F_k(\cdot),F_k^{-1}(\cdot)}(n) = 1\big] = \Pr\big[\mathsf{Priv}^{\mathrm{CCA}}_{A,\Pi}(n) = 1\big].$$

If D is given a truly random permutation f(), f−1(), consider the CCA experiment on the
modified scheme (Enc′, Dec′) in which F is replaced with the random permutation f. Let E denote
the set of random n/2-bit strings used to answer the attacker’s encryption-oracle queries,
and let D denote the set of n/2-bit prefixes in the answers to the attacker’s decryption-oracle
queries. The elements of both E and D are uniform and independent. Let c∗ = f(r∗||mb) be
the challenge ciphertext. As long as the random string r∗ used when generating the challenge
ciphertext is not equal to any of the elements in E, the ciphertexts c returned in step (a) above are
uniform strings and the attacker learns nothing about which of its two messages was encrypted.
Similarly, if the random string r∗ is not equal to any of the elements in D, the attacker learns
nothing about which of its two messages was encrypted. (Here, if r∗ repeats, the attacker can
choose messages obtained from the decryption oracle as m0 and m1.) Therefore, by the union bound,
$$\Pr\big[D^{f(\cdot),f^{-1}(\cdot)}(n) = 1\big] \le \frac{1}{2} + \frac{q_e(n)}{2^{n/2}} + \frac{q_d(n)}{2^{n/2}},$$
where qe(n), qd(n) are the number of queries A made to the encryption and decryption oracles,
respectively.
Therefore, if there is an A such that $\Pr\big[\mathsf{Priv}^{\mathrm{CCA}}_{A,\Pi}(n) = 1\big] \ge \frac{1}{2} + \mathrm{negl}(n)$, then
$$\Pr\big[D^{f(\cdot),f^{-1}(\cdot)}(n) = 1\big] - \Pr\big[D^{F_k(\cdot),F_k^{-1}(\cdot)}(n) = 1\big]$$
is not negligible, which is a contradiction.
3. This scheme is clearly forgeable, since any n-bit string is a valid ciphertext. The adversary
can forge a ciphertext without any queries to the encryption oracle. Therefore, it is not an
authenticated encryption by its definition.

Problem 3 (Hash Function (10 points)). Let F : {0, 1}n × {0, 1}n → {0, 1}n be a pseudorandom
permutation (Slide 11 of Lecture 7). For each of the following constructions of a compression
function h : {0, 1}2n → {0, 1}n, show that it is not collision resistant by giving an attack:

1. (5 points) h(k, x) = Fk (x).

2. (5 points) h(k, x) = Fk (x) ⊕ k.

Solution 3. 1. There are two ways the attacker can learn the value of h on some input. If it
queries Fk(x) and gets response y, then it learns that h(k, x) = y. In this case y is (essentially)
uniform. The attacker can also query Fk−1(y) to get response x; then it learns that h(k, x) = y.
This suggests an attack: pick an arbitrary y and distinct k, k′. Compute x := Fk−1(y) and
x′ := Fk′−1(y). Note that h(k, x) = h(k′, x′) = y, and so (k, x) and (k′, x′) are a collision.

2. There are two ways the attacker can learn the value of h on some input. If it queries Fk(x)
and gets response y, then it learns that h(k, x) = y ⊕ k. In this case y is (essentially) uniform,
and so is h(k, x). The attacker can also query Fk−1(y) to get response x, in which case it learns
that h(k, x) = y ⊕ k. In fact, this suggests an attack: pick (distinct) k, k′, y, y′ such that
k ⊕ y = k′ ⊕ y′; then compute x := Fk−1(y) and x′ := Fk′−1(y′). Note that h(k, x) = h(k′, x′),
and so (k, x) and (k′, x′) are a collision.
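The two collision attacks above, together with the Enc/Dec of Problem 2 (which uses the same permutation and its inverse), as an added example that is not part of the solution set. Because the standard library has no AES, the strong PRP Fk is instantiated as a four-round Feistel network with an HMAC-SHA256 round function (a Luby-Rackoff construction); that choice and the 128-bit block size are assumptions.

```python
import hmac
import hashlib
N = 16          # block length n = 128 bits
HALF = N // 2   # each Feistel half (and r, m in Problem 2) is n/2 = 64 bits
ROUNDS = 4      # four rounds with a PRF round function give a strong PRP (Luby-Rackoff)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def round_fn(k: bytes, i: int, half: bytes) -> bytes:
    """Round function: HMAC-SHA256 under k, domain-separated by round index (assumption)."""
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:HALF]

def prp(k: bytes, x: bytes) -> bytes:
    """F_k(x): an n-bit keyed permutation built as a Feistel network."""
    l, r = x[:HALF], x[HALF:]
    for i in range(ROUNDS):
        l, r = r, xor(l, round_fn(k, i, r))
    return l + r

def prp_inv(k: bytes, y: bytes) -> bytes:
    """F_k^{-1}(y): undo the rounds in reverse order."""
    l, r = y[:HALF], y[HALF:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, round_fn(k, i, l)), l
    return l + r

# Problem 2: Enc(k, m) = F_k(r||m) for uniform r; Dec outputs the last n/2 bits of F_k^{-1}(c).
def enc(k: bytes, m: bytes, r: bytes) -> bytes:
    return prp(k, r + m)

def dec(k: bytes, c: bytes) -> bytes:
    return prp_inv(k, c)[HALF:]   # every n-bit c decrypts: no integrity check (Problem 2.3)

# Problem 3: compression functions h : {0,1}^2n -> {0,1}^n and the collisions of Solution 3.
def h1(k: bytes, x: bytes) -> bytes:
    return prp(k, x)
def h2(k: bytes, x: bytes) -> bytes:
    return xor(prp(k, x), k)

def collide_h1(k: bytes, kp: bytes, y: bytes):
    """Solution 3.1: x := F_k^{-1}(y), x' := F_{k'}^{-1}(y); both (k,x) and (k',x') hash to y."""
    return (k, prp_inv(k, y)), (kp, prp_inv(kp, y))

def collide_h2(k: bytes, kp: bytes, y: bytes):
    """Solution 3.2: choose y' with k xor y = k' xor y', then invert under each key."""
    yp = xor(xor(y, k), kp)
    return (k, prp_inv(k, y)), (kp, prp_inv(kp, yp))
```

Each collision costs two inverse queries, which is exactly the access the solution assumes the attacker has to Fk−1.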

Problem 4 (Merkle Tree (10 points)). Let H be a collision resistant hash function, MT t be the
Merkle hash tree construction.

1. (5 points) Prove that MT t is collision resistant for a fixed t.

2. (5 points) If t is not fixed, show how to find two sets of inputs with the same root hash.

Solution 4. 1. We show that a collision in MT t implies a collision in H. Consider two inputs
(x1, . . . , xt) ̸= (x′1, . . . , x′t) for which MT t(x1, . . . , xt) = h = MT t(x′1, . . . , x′t). We can
imagine a pair of binary trees with 1 + log t levels where h is at the 0-th level of both binary
trees and the inputs (x1, . . . , xt) in one case and (x′1, . . . , x′t) in the other case are at the
(log t)-th level of the trees. Starting from level 0, let hl, hr (h′l, h′r) be the two children of the root
in the first (second) Merkle tree. If either hl ̸= h′l or hr ̸= h′r, there is a collision in H as
h = H(hl, hr) = H(h′l, h′r), which breaks the assumption that H is collision resistant. Otherwise,
both hl = h′l and hr = h′r. Similarly for the i-th level, all the values must be the same,
otherwise there would be a collision in H at a previous level by the same argument. If there exists a node
with hl ̸= h′l or hr ̸= h′r, there is a collision in H as H(hl, hr) = H(h′l, h′r). Finally, in level
log t, all the values are the same, but (x1, . . . , xt) ̸= (x′1, . . . , x′t), so there must be a collision
in H at one or more nodes.
In short, let i denote the least integer for which the values at level i are equal in the two trees
but the values at level i + 1 are not. Then there must be a collision in H at that level.

2. We give a solution for t = 2 for concreteness. Let x′1 , x′2 , x′3 , x′4 be arbitrary. Set x1 =
H(x′1 , x′2 ) and x2 = H(x′3 , x′4 ). Then, notice that MT 2 (x1 , x2 ) = MT 4 (x′1 , . . . , x′4 ).
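Part 2 of this solution, as an added example that is not part of the solution set, generalized from t = 2 to any power-of-two t: folding the first level of a 2t-leaf tree into t leaves gives the same root. H is instantiated as SHA-256 over the concatenation of its two inputs, an assumption; `merkle_root_bound`, which commits to t inside the root, is an added mitigation in the spirit of part 1 and not from the page.

```python
import hashlib

def H(a: bytes, b: bytes) -> bytes:
    """Two-input compression H(a, b): SHA-256 of the concatenation (assumption)."""
    return hashlib.sha256(a + b).digest()

def merkle_root(leaves: list) -> bytes:
    """MT_t(x_1, ..., x_t): hash adjacent pairs level by level until one root remains."""
    level = list(leaves)
    if not level or len(level) & (len(level) - 1):
        raise ValueError("t must be a power of two")
    while len(level) > 1:
        level = [H(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def fold_one_level(xp: list) -> list:
    """Solution 4.2 generalized: from 2t arbitrary leaves x'_1..x'_2t build the t leaves
    x_i = H(x'_{2i-1}, x'_{2i}); then MT_t(x_1..x_t) == MT_2t(x'_1..x'_2t)."""
    return [H(xp[i], xp[i + 1]) for i in range(0, len(xp), 2)]

def merkle_root_bound(leaves: list) -> bytes:
    """Mitigation (added, not from the page): hash the leaf count t into the root, so that
    trees of different heights can no longer share a root value."""
    t = len(leaves).to_bytes(8, "big")
    return H(t, merkle_root(leaves))

if __name__ == "__main__":
    xp = [b"x1", b"x2", b"x3", b"x4"]        # constructed x'_1..x'_4
    x = fold_one_level(xp)                    # x_1 = H(x'_1, x'_2), x_2 = H(x'_3, x'_4)
    print("MT_2(x) == MT_4(x'):", merkle_root(x) == merkle_root(xp))          # True
    print("bound roots equal:", merkle_root_bound(x) == merkle_root_bound(xp))  # False
```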

Problem 5 (Programming assignment: OpenSSL (10 points)).

Solution 5. For 5.1 and 5.2, you should be able to get the answer following the instructions and
the commands. For 5.2, you should be able to see the boundary of the image after encryption under
the ECB mode, while the file consists of random noise under the CBC mode.
For 5.3, see a sample code in crack key.c.

Feedback: Feel free to leave feedback with respect to this homework and the course! Did you
find the homework too easy/too hard/just right? How is the pace of the course so far? Please add
any feedback that would help improve the course.
