Score:2

Is the following derived MAC where the output is XOR'ed with the key secure?

vn flag

Hey I'm wondering if the following scheme is secure or not , I tried reductions and some tries to prove that it not must be secure but I feel completely stuck .

More details:
It's just any reduction that came to my mind (up to my knowledge) required knowing $k$ . I tried to use the 'classic' technique of trying to simulate somehow the original Mac and get into a contradiction of it being insecure itself (which is known to be secure in this question)

$\forall k\in\{0,1\}^{n},m\in\mathbb{M}$ $Mac_{k}^{'}(m)$ is defined as follows: $Mac_{k}^{'}(m)=Mac_{k}(m) \oplus k$ it's known that $Mac_{k}$ is secure note: $\mathbb{M}$ is the message space and it's assumed that the key $k$ is generated by some $\operatorname{Gen}$ algorithm in a random manner. It is asked to prove or disprove that $Mac_{k}^{'}(m)$ is necessarily secure.

Maarten Bodewes avatar
in flag
"it is asked" and "not homework" are at odds to each other, Doron. The initial question even had a copy of the assignment. I removed the latter statement that it is not homework. The way it is asked the community should at least treat it as such.
SEJPM avatar
us flag
Hint: Can you imagine a MAC which is by itself secure (though perhaps a bit "artificial") that would leak the key when used in this construction?
Doron Bruder avatar
vn flag
@SEJPM Iv'e tried for all day long with no success . Are u sure such construction exist ?
SEJPM avatar
us flag
@DoronBruder the example you described in a previous edit + comment did work. I'm not sure why you think otherwise now?
Doron Bruder avatar
vn flag
@SEJPM it does not work as this way I could only reveal half of the key which alone does not finish the proof . I got really stuck there
SEJPM avatar
us flag
@DoronBruder Hint: if you want to leak the entire key, can you somehow exploit the abilitiy to make multiple queries?
Doron Bruder avatar
vn flag
@SEJPM nope , not really , at least not with the construction I tried before . As adding 0^n/2 instead of half of the output or anything to one of the half sides will only discover half of the key ... note that both functions are from {0,1}^n to {0,1}^n
SEJPM avatar
us flag
Well, can you perhaps move the zeroes around based on the queries?
Doron Bruder avatar
vn flag
I think I can! add zeros in either sides based on the m (inputs), when it's enough to add zero the one of the sides only for specific m and otherwise add zero the second side
Maarten Bodewes avatar
in flag
You just beat me by a few seconds :) I think that's enough hints? Note that you could also switch based on the resulting MAC value although that's slightly more tricky. Also note that revealing even part of the key means that the algorithm is not as secure as it is supposed to be - leaking half of the key is enough to consider it broken.
fgrieu avatar
ng flag
Side but related remark: if $P$ is a random-like public permutation of $\{0,1\}^n$, efficiently computable in both directions, what can you say about $k\in\{0,1\}^n$ given $P(k)\oplus k$?
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.