Add solution for 1a

exam/ex.tex

@@ -35,7 +35,27 @@
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
   \item \textbf{(18 points)} 
   \begin{enumerate}
-    \item 
+
+    \item EWCDM stands for \emph{Encrypted Wegman-Carter with Davies-Meyer}. As
+      the name implies, EWCDM is based on a Wegman-Carter construction which
+      takes the hash of a message $M$ and XORes it with the application of a
+      pseudorandom function (PRF) to a nonce $N$. This construction is very
+      efficient and also has a strong security bound. However, it is very
+      vulnerable to \emph{nonce-misuse}. To deal with that problem, the
+      Wegman-Carter construction is wrapped by another call to the PRF with a
+      different key. Another disadvantage is the fact that PRFs are hard to get
+      by and instead pseudorandom permutations are used. If a pseudorandom
+      permutation (i.e. block cipher) is used, the security bound of the
+      construction drops to the birthday bound ($2^{n/2}$). The authors replace
+      the inner call to the PRF with the \emph{Davies-Meyer} construction
+      \[ \mathrm{DM}[E]_K(N) = E_K(N)\oplus N \]
+      and then encrypt that (with the hashed message) in another call to the
+      block cipher. The resulting EWCDM construction looks like this
+      \[ E_{K'}(E_K(N)\oplus N\oplus H_{K_h}(M)) \]
+      and is secure \emph{beyond} the birthday bound against nonce-respecting
+      adversaries while still offering birthday bound security against
+      nonce-misusing adversaries.
+
     \item The type of symmetric cryptographic scheme introduced is a Message
       Authentication Code (MAC).
     \item \TODO