Score:1

How to show the PRF in 4.8(b) is not secure?

es flag

Let F be a PRF defined over $F:\{0, 1\}^n \times \{0, 1\}^n \to Y$.

  1. We say that $F$ is XOR-malleable if $F(k, x \oplus c) = F(k, x) \oplus c$ for all $k, x, c \in \{0, 1\}^n$.

  2. We say that $F$ is key XOR-malleable if $F(k \oplus c, x) = F(k, x) \oplus c$ for all $k, x, c \in \{0, 1\}^n$.

Clearly an XOR-malleable PRF cannot be secure: malleability lets an attacker distinguish the PRF from a random function.Show that the same holds for a key XOR-malleable PRF.

Remark: In contrast, we note that there are secure PRFs where $F(k_1\oplus k_2, x) = F(k_1, x)\oplus F(k_2, x)$.

I don't know how to construct an attacker to determine that this is an insecure PRF. My confusion is that this topic has changed the key, but for the attacker, the key is not assignable, so I am very confused. I have discussed with others for a long time without results, so I come here for advice. Thank you very much!

Manish Adhikari avatar
us flag
Hint! The attacker cannot control the challengers key, yes, but can calculate $F(k',x)$ for any key $k'$ of her choice. Advisable to keep it simple like $0^n$
es flag
I'm very sorry. I haven't been in contact with cryptography for a long time, so I don't understand many problems. For 4.8 (a), I let x = C = 1n, get a property of F, and then construct two experiments. The attacker can distinguish the two experiments with an indistinguishable advantage, so this is an unsafe PRF. But I don't know what is the connection between (a) and (b)?
es flag
Do you mean that an attacker can calculate F(k ', x)? Does 0n mean K 'or x?
Manish Adhikari avatar
us flag
The attack is not on $k'$ but it can be used to recover the key used $k$ in b). Try editing the question by showing your work and then maybe it will be open for answering. Of course we won't do your homework for you.
es flag
Thank you very much. I think I may have some ideas now. If I can do it or have any confusion, I will come here again for advice! Because this is the first time I use this website, there are many things I can't do well. Thank you for your understanding and tolerance!
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.