Tutorial 5 Sol

The document discusses public key cryptography, focusing on mathematical one-way functions such as the factorization and discrete logarithm problems. It also explains the properties of cryptographic hash functions, including one-way, second pre-image resistance, and collision resistance. Additionally, it covers the construction of MACs using block ciphers in CBC mode and demonstrates how to create new messages with valid MACs without knowing the secret key.

Uploaded by

cweqing

CS5285

Tutorial 5

Question 1
Solution (1)
Question 2
What is public key crypto based on?
• Public key crypto is based on mathematical one way functions
– Easy to compute output given the inputs
– Difficult to compute input given the output

• Factorisation problem
– Multiplying two prime numbers
– Given primes x and y it is easy to compute x·y = z
– Given z it is not easy to compute x and y

• Discrete logarithm problem
– Exponentiation of a number
– Given a, b and prime n it is easy to calculate z = a^b mod n
– Given z, a and n it is not easy to compute b

• ‘Not easy’ means it is currently not computationally feasible…

Question 2a
Question 2b
Hash Function
• A cryptographic hash function h(x) should provide
– Two functional properties
• Compression – arbitrary length input to output of small, fixed length
• Easy to compute – expected to run fast
– Three security properties
• One-way – given a hash value y it is infeasible to find an x such that h(x) = y
(also called pre-image resistance)
• Second pre-image resistance – given y and h(y), cannot find x where h(x)=h(y)
• Collision resistance – infeasible to find x and y, with x ≠ y, such that h(x) = h(y)

• Note: As h is a compression algorithm, there should theoretically be collisions. Collision resistance requires that it is hard to find any collision

Question 2c

• One-way function – given hash y it is infeasible to find an x such that h(x) = y?
• Second pre-image resistance – given y and h(y), cannot find x where h(x)=h(y)?
• Collision resistance – infeasible to find x and y, with x ≠ y, such that h(x) = h(y)?
Question 3
Question 3a
• Is it possible to make any other messages that will be the same as:
TheMessage padded with 000000
• Remember it can be any message…it does not need to make sense…

• All these messages pad to TheMessage000000! So the hash results are equal

Question 3b
• How could we change the padding to prevent this issue?
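
The ambiguity in Question 3a and one well-known way to remove it, as an added example that is not part of the original tutorial. It assumes a 16-byte block and padding with ASCII '0' characters; the marker padding (a 0x80 byte followed by zero bytes) is a standard unambiguous scheme chosen here for illustration, not the tutorial's own answer.

```python
import hashlib

BLOCK = 16  # assumed block size in bytes: "TheMessage" (10) + "000000" (6)

def pad_zeros(msg: bytes) -> bytes:
    # Scheme from the question: fill the last block with '0' characters.
    return msg + b"0" * (-len(msg) % BLOCK)

def pad_marker(msg: bytes) -> bytes:
    # Unambiguous alternative: always append a 0x80 marker, then zero bytes.
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)

def unpad_marker(padded: bytes) -> bytes:
    # Only zero bytes follow the marker, so the last 0x80 is where the message ended.
    return padded[: padded.rindex(b"\x80")]

def distinct_digests(pad, messages) -> int:
    # Number of different SHA-256 values produced after padding each message.
    return len({hashlib.sha256(pad(m)).hexdigest() for m in messages})

# Constructed inputs: "TheMessage" followed by 0 to 6 trailing '0' characters.
MESSAGES = [b"TheMessage" + b"0" * n for n in range(7)]

if __name__ == "__main__":
    print("distinct hashes, zero padding:  ", distinct_digests(pad_zeros, MESSAGES))
    print("distinct hashes, marker padding:", distinct_digests(pad_marker, MESSAGES))
```

Because the marker padding can be reversed to exactly one message, two different messages can never pad to the same block string.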

Question 3c

• What should we be thinking about here?
• What probability ‘problem’ did we discuss related to collision resistance?

Question 4
Suppose you are using a MAC based on a block cipher in CBC
mode (Ci = E(K; Pi XOR Ci-1), IV=0 for C0), and you know the
following two messages:
M’= M0 M1
M’’ = M2 M3 M4
together with their corresponding MAC tags T’ and T’’.

(a) Show that you can create a new message M’’’ = M0||M1||X||M3||M4 and the correct MAC tag T’’’ without knowing the key K. You can choose any value for X to make this work. For the purposes of calculating the MAC, the IV is always 0.
A MAC Algorithm
• MAC can be constructed from a block cipher
operated in CBC mode (with IV=0).
• Suppose a plaintext has 4 plaintext blocks P=P0,
P1, P2, P3
• Suppose K is the secret key shared between sender
and receiver.
C0 = E(K, P0),
C1 = E(K, C0 XOR P1),
C2 = E(K, C1 XOR P2),…
CN−1 = E(K, CN−2 XOR PN−1) = MAC tag

Question 4
A CBC MAC is calculated exactly the same way as when we are encrypting a message. We just discard all the ciphertext except for the final ciphertext block, which is our MAC value.
First we explicitly write down the MAC tags for both M’ and M’’:
T’ = C’1 = EK(C’0 XOR M1) = EK(EK(IV XOR M0) XOR M1) = EK(EK(M0) XOR M1)

T’’ = C’’2 = EK(C’’1 XOR M4) = EK(EK(C’’0 XOR M3) XOR M4) = EK(EK(EK(M2) XOR M3) XOR M4)

Remember that for MACs based on a block cipher, the IV is always set to zero. So we can essentially leave out the IV (given that anything XORed with 0 stays the same).
Question 4
We can now create a new message by setting:
M’’’ = M0, M1, M2 XOR T’, M3, M4

Calculating the MAC tag for M’’’ we get:
C0 = EK(M0 XOR IV) = EK(M0)
C1 = EK(M1 XOR EK(M0)) = T’
C2 = EK(C1 XOR M2 XOR T’) = EK(M2)
C3 = EK(EK(M2) XOR M3)
T’’’ = C4 = EK(EK(EK(M2) XOR M3) XOR M4) = T’’
We can thus create a new message with the linking block X = M2 XOR T’ out of two messages M’ and M’’ (and the corresponding tags T’ and T’’), and the MAC tag for M’’’ will be T’’’ = T’’.
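
The derivation above, carried through in code as an added example that is not part of the original tutorial. The block cipher E is a toy Feistel permutation used only so the script runs with the standard library, the key and blocks are constructed, and `cbc_mac_len` (prepending the block count) is a common hardening included to show the same splice being rejected.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def E(key, block):
    # Toy 4-round Feistel permutation standing in for E(K, .); not a vetted cipher.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_mac(key, blocks):
    # C_i = E(K, P_i XOR C_{i-1}) with IV = 0; the tag is the final C_i.
    c = bytes(BLOCK)
    for p in blocks:
        c = E(key, xor(p, c))
    return c

def cbc_mac_len(key, blocks):
    # Hardened variant: the block count is MACed first, so tags no longer chain.
    return cbc_mac(key, [len(blocks).to_bytes(BLOCK, "big")] + blocks)

def splice(m1, t1, m2):
    # M''' = M0 || M1 || (M2 XOR T') || M3 || M4, built from public values only.
    return m1 + [xor(m2[0], t1)] + m2[1:]

def demo(mac):
    key = b"constructed-demo-key"  # constructed; used only by the MAC oracle
    m = [bytes([i + 1]) * BLOCK for i in range(5)]  # constructed blocks M0..M4
    m1, m2 = m[:2], m[2:]
    t1, t2 = mac(key, m1), mac(key, m2)
    forged = splice(m1, t1, m2)  # no key involved in this step
    return mac(key, forged) == t2  # does T'' verify for M'''?

if __name__ == "__main__":
    print("plain CBC-MAC accepts the spliced message:", demo(cbc_mac))
    print("length-prepended CBC-MAC accepts it:      ", demo(cbc_mac_len))
```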
The end!

?
Any questions…
