\documentclass[a4paper,12pt]{article}

\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage[margin=1in]{geometry}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{enumitem}
\usepackage{csquotes}
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}

\title{Applied Cryptography -- Assignment 2}
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
\date{March 16, 2022}

\begin{document}

\maketitle

\section*{Exercise 1}

Assume that we have a message $M = M_0\|M_1\|M_2\|M_3$. Passing this message through the modified Merkle-Damgård construction, we get the following:
\[ M_0\xrightarrow{M_1}\underbrace{F(M_0,M_1)}_{h_1}\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
Suppose we take the intermediate calculation of $h_1 = F(M_0,M_1)$ and prepend it to a second message $N = h_1\|M_2\|M_3$, resulting in the following:
\[ h_1\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
Both messages $M$ and $N$---although different---will output the same hash $h_3$.

\section*{Exercise 2}

Assuming that $\mathcal{H}$ is not collision resistant, then there exists a PPT adversary $\mathcal{A}$ who can find two distinct messages $M$ and $M'$ such that $\mathcal{H}(M)=\mathcal{H}(M')$. A second adversary $\mathcal{B}$ can break the collision resistance of $F$. $\mathcal{B}$ runs $\mathcal{A}$ as follows:
\begin{enumerate}
    \item $\mathcal{B}$ takes the collision found by $\mathcal{A}$ and defines $M_1,\dots,M_4$ as well as the intermediate hash values $h_1,h_2$ and the final hash value $h$. The same goes for message $M'$: $M'_1,\dots,M'_4$ and $h'_1,h'_2,h'$.
    
    \item $\mathcal{B}$ checks if $h = F(F(M_1,M_2),F(M_3,M_4))$ and $h' = F(F(M'_1,M'_2),F(M'_3,M'_4))$ is a collision. If it is a collision, $\mathcal{B}$ outputs it.
    
    \item Next, $\mathcal{B}$ checks if $h_2 = F(M_3,M_4)$ and $h'_2 = F(M'_3,M'_4)$ is a collision. If so, $\mathcal{B}$ outputs it.
    
    \item Finally, $\mathcal{B}$ checks if $h_1 = F(M_1,M_2)$ and $h'_1 = F(M'_1,M'_2)$ is a collision and outputs it if true.
\end{enumerate}
Since $\mathcal{A}$ can find a valid collision $M,M'$ in $\mathcal{H}$, $\mathcal{B}$ must necessarily also find a collision in $F$. However, $F$ is collision resistant and therefore adversary $\mathcal{B}$ cannot exist. This violates the original assumption and therefore $\mathcal{H}$ is collision resistant.\hfill$\blacksquare$


\section*{Exercise 3}

To cause a collision, the last permutation function before the squeezing phase should result in the same rate and capacity bits. By performing the algorithm locally using the same primitive, $P$, the attacker obtains the rate and capacity bits.\\\\
For this attack to work, the attacker must find a collision in the capacity bits. We assume that this is feasible because the adversary has access to $N \approx 2c/2$ evaluations of the permutation.\\
For each block in the message $M_1 || M_2 || M_3 || L(M_1 || M_2 || M_3)$, we execute the permutation function $P_1(r,c), P_2(r,c), P_3(r,c), P_4(r,c)$. We find a collision in the output $c$ of $P_2(r,c)$\\\\
We cannot change the input of $P_4(r,c)$ directly, since it is part of the padding.\\
When we have a collision in $c$, we also need to have the same $r$ for the collision attack to work. Let ($r_2, c_2$) and ($r'_2, c'_2$) be both the output of $P_2(r,c)$ in a collision.\\
$M_3$ = $r_2 \oplus r'_2$\\
$P_3(r_2 \oplus M_3, c_2) = P_3(r'_2 \oplus M_3, c'_2)$\\
Since length encoding produces the same output we have a collision.

\section*{Exercise 4}
\begin{enumerate}[label=(\alph*)]
    \item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
    It is given that $c = 256$ and $n = 256$, thus:\\
    $N^2/2^{257} + N/2^{256}$. When doing $N = 2^{128}$ evaluations, we get\\ $(2^{128})^2/2^{257} + 2^{128}/2^{256} = 2^{-1} + 2^{-128} \approx 0.5$, which is the average amount.
    
    \item The goal is to find a message $M'$ so that H($M'$) = $h$\\
    First, we make $N = 2^{128}$ evaluations. So that on average we have a inner collision for $c$ after these $N$ evaluations.\\
    We want a second preimage and not a collision attack. When we do $2^{128}$ evaluations for a short message, we only get a collision of two random messages. To get a probable collision in the inner state of $c$ when $M'$ is hashed we need to do $2^{128}$ evaluations with a message length close to $2^{c/2}$.\\
    When the collision is found using $M'$, the rest of the original message's intermediate values for $M'$ are appended in the sponge. Also, a value is XOR'ed to the rate bites to match the rate bits of the original message.\\
    This will produce $h$ thus a second preimage is created.
    
    \item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
    We know that $c = 256$ and $n = 88$, thus:\\
    $N^2/2^{257} + N/2^{88}$. When doing $N = 2^{87}$ evaluations, we get\\ $(2^{87})^2/2^{257} + 2^{87}/2^{88} = 2^{-83} + 2^{-1} \approx 0.5$, which is the average amount.\\
    Opposed to 4.a, the security is upper-bounded by $n$ instead of $c$.
    
    \item Since the security is upper-bounded by $n$, we can do the attack by evaluating the whole hash function $N = 2^{87}$ times. On average this will output a hash $h' = H(M)$ because it is a classical attack against $\mathcal{RO}$. Thus, $N^{-87}$
\end{enumerate}

\section*{Exercise 5}

\begin{enumerate}[label=(\alph*)]
    \item An attacker encrypts two messages $M$ and $M'$ with the same key and nonce. The first encryption query outputs ciphertext $C$ and the second query ciphertext $C'$. After XORing the two ciphertexts $C\oplus C'$, the result (the difference) can be XORed again with the plaintext message $M$. The result will be the plaintext message $M'$ and thus the attacker can distinguish.
    
    \item An attacker makes two queries. The first query contains associated data $A$ with $|A| < r$ and looks like the following: $(C, T) = E_K(N, A, M)$. The second query contains no associated data and a message $M' = A\|10^*\|M$: $(C', T') = E_K(N,\epsilon,M')$. The encryption of both messages will pass through the same sequence of internal values and output the same tag ($T=T'$). Additionally, the ciphertext $C'$ will have $C$ as its suffix.
    
    Using these properties an attacker can mount a forgery attack with one query as follows:
    \begin{enumerate}[label=\arabic*.]
        \item He constructs a message $M' = A\|10^{r-|A|-1}\|M$ where $|A| < r$.
        \item He makes the query $(C', T') = E_K(N,\epsilon,M')$.
        \item He sets $C$ to the last $|M|$ bits of $C'$ and the tag $T = T'$ and returns $C$ and $T$.
    \end{enumerate}
\end{enumerate}


\section*{Exercise 6}
\begin{enumerate}[label=(\alph*)]
    \item The attacker would require $\frac{2k}{\lambda} = n$ construction queries. It is assumed that secret state $S$ equals the capacity-bits.\\
    Thus, $P(S \oplus (M||0^c))$ will be evaluated $n$ times with $n$ distinct messages. After this, enough bits are leaked to recover the key.

    \item The first permutation is the same for both encryption calls because the input is only the key. So during the first permutation an attacker only learns $\lambda$ bits. Then the nonce is introduced in the second permutation which will leak $\lambda$ bits for every call since the nonce and thus the input is always different. In total we would leak $3\lambda$ bits of the secret state $S$ but only $\lambda$ bits of the key $K$.
    
    \item 
    
    \item The secret state is always different for every separate evaluation because the nonce is unique. Thus an attacker may only learn a constant number $\lambda$ of bits in the worst case and not gain additional information for every repeated evaluation.
\end{enumerate}

\end{document}