104 lines
7.7 KiB
TeX
104 lines
7.7 KiB
TeX
\documentclass[a4paper,12pt]{article}
|
|
|
|
\usepackage[utf8]{inputenc}
|
|
\usepackage[T1]{fontenc}
|
|
\usepackage[margin=1in]{geometry}
|
|
\usepackage{amssymb}
|
|
\usepackage{amsmath}
|
|
\usepackage{enumitem}
|
|
\usepackage{csquotes}
|
|
\usepackage[colorlinks=true, citecolor=black, filecolor=black, linkcolor=black, urlcolor=black]{hyperref}
|
|
|
|
\title{Applied Cryptography -- Assignment 2}
|
|
\author{Dennis Gabeler (s1085830)\\Tobias Eidelpes (s1090746)}
|
|
\date{March 16, 2022}
|
|
|
|
\begin{document}
|
|
|
|
\maketitle
|
|
|
|
\section*{Exercise 1}
|
|
|
|
Assume that we have a message $M = M_0\|M_1\|M_2\|M_3$. Passing this message through the modified Merkle-Damgård construction, we get the following:
|
|
\[ M_0\xrightarrow{M_1}\underbrace{F(M_0,M_1)}_{h_1}\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
|
|
Suppose we take the intermediate calculation of $h_1 = F(M_0,M_1)$ and prepend it to a second message $N = h_1\|M_2\|M_3$, resulting in the following:
|
|
\[ h_1\xrightarrow{M_2}\underbrace{F(h_1,M_2)}_{h_2}\xrightarrow{M_3}\underbrace{F(h_2,M_3)}_{h_3} \]
|
|
Both messages $M$ and $N$---although different---will output the same hash $h_3$.
|
|
|
|
\section*{Exercise 2}
|
|
|
|
Assuming that $\mathcal{H}$ is not collision resistant, then there exists a PPT adversary $\mathcal{A}$ who can find two distinct messages $M$ and $M'$ such that $\mathcal{H}(M)=\mathcal{H}(M')$. A second adversary $\mathcal{B}$ can break the collision resistance of $F$. $\mathcal{B}$ runs $\mathcal{A}$ as follows:
|
|
\begin{enumerate}
|
|
\item $\mathcal{B}$ takes the collision found by $\mathcal{A}$ and defines $M_1,\dots,M_4$ as well as the intermediate hash values $h_1,h_2$ and the final hash value $h$. The same goes for message $M'$: $M'_1,\dots,M'_4$ and $h'_1,h'_2,h'$.
|
|
|
|
\item $\mathcal{B}$ checks if $h = F(F(M_1,M_2),F(M_3,M_4))$ and $h' = F(F(M'_1,M'_2),F(M'_3,M'_4))$ is a collision. If it is a collision, $\mathcal{B}$ outputs it.
|
|
|
|
\item Next, $\mathcal{B}$ checks if $h_2 = F(M_3,M_4)$ and $h'_2 = F(M'_3,M'_4)$ is a collision. If so, $\mathcal{B}$ outputs it.
|
|
|
|
\item Finally, $\mathcal{B}$ checks if $h_1 = F(M_1,M_2)$ and $h'_1 = F(M'_1,M'_2)$ is a collision and outputs it if true.
|
|
\end{enumerate}
|
|
Since $\mathcal{A}$ can find a valid collision $M,M'$ in $\mathcal{H}$, $\mathcal{B}$ must necessarily also find a collision in $F$. However, $F$ is collision resistant and therefore adversary $\mathcal{B}$ cannot exist. This violates the original assumption and therefore $\mathcal{H}$ is collision resistant.\hfill$\blacksquare$
|
|
|
|
|
|
\section*{Exercise 3}
|
|
|
|
To cause a collision, the last permutation function before the squeezing phase should result in the same rate and capacity bits. By performing the algorithm locally using the same primitive, $P$, the attacker obtains the rate and capacity bits.\\\\
|
|
For this attack to work, the attacker must find a collision in the capacity bits. We assume that this is feasible because the adversary has access to $N \approx 2c/2$ evaluations of the permutation.\\
|
|
For each block in the message $M_1 || M_2 || M_3 || L(M_1 || M_2 || M_3)$, we execute the permutation function $P_1(r,c), P_2(r,c), P_3(r,c), P_4(r,c)$. We find a collision in the output $c$ of $P_2(r,c)$\\\\
|
|
We cannot change the input of $P_4(r,c)$ directly, since it is part of the padding.\\
|
|
When we have a collision in $c$, we also need to have the same $r$ for the collision attack to work. Let ($r_2, c_2$) and ($r'_2, c'_2$) be both the output of $P_2(r,c)$ in a collision.\\
|
|
$M_3$ = $r_2 \oplus r'_2$\\
|
|
$P_3(r_2 \oplus M_3, c_2) = P_3(r'_2 \oplus M_3, c'_2)$\\
|
|
Since length encoding produces the same output we have a collision.
|
|
|
|
\section*{Exercise 4}
|
|
\begin{enumerate}[label=(\alph*)]
|
|
\item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
|
|
It is given that $c = 256$ and $n = 256$, thus:\\
|
|
$N^2/2^{257} + N/2^{256}$. When doing $N = 2^{128}$ evaluations, we get\\ $(2^{128})^2/2^{257} + 2^{128}/2^{256} = 2^{-1} + 2^{-128} \approx 0.5$, which is the average amount.
|
|
|
|
\item The goal is to find a message $M'$ so that H($M'$) = $h$\\
|
|
First, we make $N = 2^{128}$ evaluations. So that on average we have a inner collision for $c$ after these $N$ evaluations.\\
|
|
We want a second preimage and not a collision attack. When we do $2^{128}$ evaluations for a short message, we only get a collision of two random messages. To get a probable collision in the inner state of $c$ when $M'$ is hashed we need to do $2^{128}$ evaluations with a message length close to $2^{c/2}$.\\
|
|
When the collision is found using $M'$, the rest of the original message's intermediate values for $M'$ are appended in the sponge. Also, a value is XOR'ed to the rate bites to match the rate bits of the original message.\\
|
|
This will produce $h$ thus a second preimage is created.
|
|
|
|
\item Second preimage resistance is defined as: $N^2/2^{c+1} + N/2^n$\\
|
|
We know that $c = 256$ and $n = 88$, thus:\\
|
|
$N^2/2^{257} + N/2^{88}$. When doing $N = 2^{87}$ evaluations, we get\\ $(2^{87})^2/2^{257} + 2^{87}/2^{88} = 2^{-83} + 2^{-1} \approx 0.5$, which is the average amount.\\
|
|
Opposed to 4.a, the security is upper-bounded by $n$ instead of $c$.
|
|
|
|
\item Since the security is upper-bounded by $n$, we can do the attack by evaluating the whole hash function $N = 2^{87}$ times. On average this will output a hash $h' = H(M)$ because it is a classical attack against $\mathcal{RO}$. Thus, $N^{-87}$
|
|
\end{enumerate}
|
|
|
|
\section*{Exercise 5}
|
|
|
|
\begin{enumerate}[label=(\alph*)]
|
|
\item An attacker encrypts two messages $M$ and $M'$ with the same key and nonce. The first encryption query outputs ciphertext $C$ and the second query ciphertext $C'$. After XORing the two ciphertexts $C\oplus C'$, the result (the difference) can be XORed again with the plaintext message $M$. The result will be the plaintext message $M'$ and thus the attacker can distinguish.
|
|
|
|
\item An attacker makes two queries. The first query contains associated data $A$ with $|A| < r$ and looks like the following: $(C, T) = E_K(N, A, M)$. The second query contains no associated data and a message $M' = A\|10^*\|M$: $(C', T') = E_K(N,\epsilon,M')$. The encryption of both messages will pass through the same sequence of internal values and output the same tag ($T=T'$). Additionally, the ciphertext $C'$ will have $C$ as its suffix.
|
|
|
|
Using these properties an attacker can mount a forgery attack with one query as follows:
|
|
\begin{enumerate}[label=\arabic*.]
|
|
\item He constructs a message $M' = A\|10^{r-|A|-1}\|M$ where $|A| < r$.
|
|
\item He makes the query $(C', T') = E_K(N,\epsilon,M')$.
|
|
\item He sets $C$ to the last $|M|$ bits of $C'$ and the tag $T = T'$ and returns $C$ and $T$.
|
|
\end{enumerate}
|
|
\end{enumerate}
|
|
|
|
|
|
\section*{Exercise 6}
|
|
\begin{enumerate}[label=(\alph*)]
|
|
\item The attacker would require $\frac{2k}{\lambda} = n$ construction queries. It is assumed that secret state $S$ equals the capacity-bits.\\
|
|
Thus, $P(S \oplus (M||0^c))$ will be evaluated $n$ times with $n$ distinct messages. After this, enough bits are leaked to recover the key.
|
|
|
|
\item The first permutation is the same for both encryption calls because the input is only the key. So during the first permutation an attacker only learns $\lambda$ bits. Then the nonce is introduced in the second permutation which will leak $\lambda$ bits for every call since the nonce and thus the input is always different. In total we would leak $3\lambda$ bits of the secret state $S$ but only $\lambda$ bits of the key $K$.
|
|
|
|
\item
|
|
|
|
\item The secret state is always different for every separate evaluation because the nonce is unique. Thus an attacker may only learn a constant number $\lambda$ of bits in the worst case and not gain additional information for every repeated evaluation.
|
|
\end{enumerate}
|
|
|
|
\end{document}
|
|
|