of the padding algorithm, padding is not injective in this case. However, because of
CMAC's security reduction, it looks as if it were injective to an adversary, which is
unable to compute such a 'collision' except with negligible probability. Therefore,
the situation is very different from the one considered in Exercise 5.5, where such
collisions were easy to find without knowledge of the key.
Example 5.6 The method outlined in Exercise 5.8 lets us easily find, with the help
of Maple, different messages with the same CMAC tag assuming, of course, that the
key is known. For example, consider the key k128 defined in Example 5.4. Then the
empty string and the string "8c337a285f9355aa858e2191965bf9e5" have
the same CMAC tag:
> CMAC(k128, "", hex);
"bb1d6929e95937287fa37d129b756746"
> CMAC(k128, "8c337a285f9355aa858e2191965bf9e5", hex);
"bb1d6929e95937287fa37d129b756746"
Similarly, the hexadecimal string consisting of 30 consecutive zeros and the string
"0c337a285f9355aa858e2191965bf965" have the same CMAC tag:
> CMAC(k128, "000000000000000000000000000000", hex);
"ee26a41b40b8904aa6b8fcaa41b7a8a3"
> CMAC(k128, "0c337a285f9355aa858e2191965bf965", hex);
"ee26a41b40b8904aa6b8fcaa41b7a8a3"
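The collisions of Example 5.6, as an added Python example that is not the book's Maple code: it rebuilds them from the CMAC subkeys alone, assuming k128 is the AES-128 key of the NIST SP 800-38B examples (the empty-message tag above is the one that document lists), with L = AES_k128(0^128) taken from there. Since the construction needs K1 and K2, and hence the key, it is precisely the kind of collision the text says an adversary cannot produce.

```python
# Added example (not the book's Maple code). Assumes k128 is the AES-128 key of the
# NIST SP 800-38B examples; the empty-message tag quoted above is that document's.
from typing import Callable, Tuple

BLOCK = 16
RB = 0x87  # reduction constant of the GF(2^128) doubling used for CMAC subkeys

def _double(block: bytes) -> bytes:
    """Multiply a 128-bit block by x in GF(2^128) (one CMAC subkey step)."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")

def cmac_subkeys(L: bytes) -> Tuple[bytes, bytes]:
    """K1 = 2L and K2 = 4L in GF(2^128), where L = AES_k(0^128)."""
    k1 = _double(L)
    return k1, _double(k1)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pad(msg: bytes) -> bytes:
    """CMAC's 10* padding of a final block shorter than 16 bytes."""
    return msg + b"\x80" + b"\x00" * (BLOCK - 1 - len(msg))

def same_tag_full_block(short_msg: bytes, k1: bytes, k2: bytes) -> bytes:
    """Message of exactly one block with the same tag as a shorter message m: CMAC
    masks a full last block with K1 but a padded one with K2, so pad(m)^K2^K1 works."""
    assert len(short_msg) < BLOCK
    return _xor(_xor(pad(short_msg), k2), k1)

def cmac(msg: bytes, aes_block: Callable[[bytes], bytes]) -> bytes:
    """Textbook CMAC over a single-block AES encryption function, to check tags."""
    k1, k2 = cmac_subkeys(aes_block(bytes(BLOCK)))
    blocks = [msg[i:i + BLOCK] for i in range(0, len(msg), BLOCK)] or [b""]
    last = blocks[-1]
    last = _xor(last, k1) if len(last) == BLOCK else _xor(pad(last), k2)
    x = bytes(BLOCK)
    for b in blocks[:-1]:
        x = aes_block(_xor(x, b))
    return aes_block(_xor(x, last))

# L = AES_k(0^128) for the NIST SP 800-38B AES-128 example key (assumed to be k128).
K1, K2 = cmac_subkeys(bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f"))
if __name__ == "__main__":  # optional check of the tags with a real AES ('cryptography')
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # NIST example key
    enc = lambda b: Cipher(algorithms.AES(key), modes.ECB()).encryptor().update(b)
    print(cmac(b"", enc).hex(), cmac(same_tag_full_block(b"", K1, K2), enc).hex())
```

Running the script prints the tag "bb1d6929e95937287fa37d129b756746" twice when the `cryptography` package is installed; the subkey and collision computations themselves need nothing beyond the standard library.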
Exercise 5.9 Find a 16-byte string with the same CMAC tag as the string "0123456789abcdef" under the key k192 of Example 5.4.
5.4 CCA Security and Authenticated Encryption
In Sect. 3.5.2 we defined CCA security and mentioned that we would use authentication in order to obtain this kind of security. In this section we will see that CPA secure encryption schemes together with MACs allow the construction of CCA secure symmetric encryption schemes and of schemes that guarantee both confidentiality and authenticity.
5.4.1 A CCA Secure Encryption Scheme
The intuitive idea behind the construction of a CCA secure encryption scheme is the following. The sender and the receiver agree on a CPA secure private-key encryption scheme E and a UF-CMA secure MAC I and share two secret keys, one for each of these schemes. In fact, we will assume that the MAC has a stronger security property called strong unforgeability (or SUF-CMA) which, in addition to being UF-CMA, requires that if (m, t) is an authenticated message, the adversary A is not able (as