Join Log in
Score:2
Doron Bruder avatar Crypto

Is the following derived MAC where the output is XOR'ed with the key secure?

vn flag
Doron Bruder

Hey I'm wondering if the following scheme is secure or not , I tried reductions and some tries to prove that it not must be secure but I feel completely stuck .

More details:
It's just any reduction that came to my mind (up to my knowledge) required knowing $k$ . I tried to use the 'classic' technique of trying to simulate somehow the original Mac and get into a contradiction of it being insecure itself (which is known to be secure in this question)

$\forall k\in\{0,1\}^{n},m\in\mathbb{M}$ $Mac_{k}^{'}(m)$ is defined as follows: $Mac_{k}^{'}(m)=Mac_{k}(m) \oplus k$ it's known that $Mac_{k}$ is secure note: $\mathbb{M}$ is the message space and it's assumed that the key $k$ is generated by some $\operatorname{Gen}$ algorithm in a random manner. It is asked to prove or disprove that $Mac_{k}^{'}(m)$ is necessarily secure.

137
0 + 11
mac
Maarten Bodewes avatar
in flag
Maarten Bodewes
"it is asked" and "not homework" are at odds to each other, Doron. The initial question even had a copy of the assignment. I removed the latter statement that it is not homework. The way it is asked the community should at least treat it as such.
3
Reply
SEJPM avatar
us flag
SEJPM
Hint: Can you imagine a MAC which is by itself secure (though perhaps a bit "artificial") that would leak the key when used in this construction?
3
Reply
Doron Bruder avatar
vn flag
Doron Bruder
@SEJPM Iv'e tried for all day long with no success . Are u sure such construction exist ?
0
Reply
SEJPM avatar
us flag
SEJPM
@DoronBruder the example you described in a previous edit + comment did work. I'm not sure why you think otherwise now?
0
Reply
Doron Bruder avatar
vn flag
Doron Bruder
@SEJPM it does not work as this way I could only reveal half of the key which alone does not finish the proof . I got really stuck there
0
Reply
SEJPM avatar
us flag
SEJPM
@DoronBruder Hint: if you want to leak the entire key, can you somehow exploit the abilitiy to make multiple queries?
1
Reply
Doron Bruder avatar
vn flag
Doron Bruder
@SEJPM nope , not really , at least not with the construction I tried before . As adding 0^n/2 instead of half of the output or anything to one of the half sides will only discover half of the key ... note that both functions are from {0,1}^n to {0,1}^n
0
Reply
SEJPM avatar
us flag
SEJPM
Well, can you perhaps move the zeroes around based on the queries?
1
Reply
Doron Bruder avatar
vn flag
Doron Bruder
I think I can! add zeros in either sides based on the m (inputs), when it's enough to add zero the one of the sides only for specific m and otherwise add zero the second side
1
Reply
Maarten Bodewes avatar
in flag
Maarten Bodewes
You just beat me by a few seconds :) I think that's enough hints? Note that you could also switch based on the resulting MAC value although that's slightly more tricky. Also note that revealing even part of the key means that the algorithm is not as secure as it is supposed to be - leaking half of the key is enough to consider it broken.
2
Reply
fgrieu avatar
ng flag
fgrieu
Side but related remark: if $P$ is a random-like public permutation of $\{0,1\}^n$, efficiently computable in both directions, what can you say about $k\in\{0,1\}^n$ given $P(k)\oplus k$?
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.