0

Imagine you have a string of plaintext (a), IV (ai) and the MAC (am) for the plaintext (a).

How can you generate a MAC (bm) for a different string of plaintext (b) - using an IV (ib) of your choice, using the same key - which you don't know and can't retrieve.

You can also assume both plaintexts are the same length.

Edit: I have found this question which I think provides a clue: CBC-MAC insecure with random IV

But I'm not sure if I understand correctly. You can also assume your plaintexts are one-block plaintexts.

This should prove that cbc-mac with random IV is insecure.

Thank you.

  • CBC-MAC doesn't actually have an IV. (An alternative way to look at it is that the IV is set to the constant 0.) This means you are working with some (purposefully broken) variant of CBC-MAC. It would be best if you specified this variant. – Maeher Apr 25 '18 at 13:42
  • @Maeher yes, I've read this online as well, that IV for MAC should be 0. But the problem posed to me implies that you would choose an IV for your second message and that ai was used for am. –  Apr 25 '18 at 13:46
  • @Maeher I remember this question from one of the crypto courses. – Maarten Bodewes Apr 25 '18 at 19:51
  • 1
    @MaartenBodewes Yes, this question is a standard exercise to understand why CBC-MAC uses no/constant IV after you just taught them how important an unpredictable IV is for CBC mode. But the question would be much improved for future readers if it specified the modifications to the scheme. – Maeher Apr 25 '18 at 20:13

1 Answers1

1

You're saying we're looking at messages of length one block and a variant of CBC-MAC that uses a random IV. (I'm assuming we're looking at CBC-MAC for fixed length messages, i.e. we can ignore padding issues.) Then we have $$am:=(ai,E(k,a\oplus ai))$$ To forge a MAC for message $b$ we can reuse the second part of the tag if we choose $bi$ such that $$b \oplus bi = a \oplus ai$$$$ \implies bi = a\oplus ai \oplus b$$

I.e., given $a$ and $am=(ai,t)$ simply output $bm=(a\oplus ai \oplus b,t)$.

Maeher
  • 6,818
  • 1
  • 33
  • 44
  • thank you. I had to go to work so I took a break from studying. anyway - so you're essentially saying that I should attempt to use a value for bi such that the same MAC t for a is true for b as well? I was approaching the question wrong then. I was thinking we would have to present a different value for t (basically having at and bt) and bi. –  Apr 25 '18 at 20:46
  • You don't need to "attempt" to find that $bi$. $bi$ is simply $a\oplus ai \oplus b$. But yes, the important insight is that you can simply reuse $t$ and adapt the IV. – Maeher Apr 25 '18 at 21:21
  • perfect, thank you so much. feel like I was banging my head against the wall and it turned out rather simple. showcases why you should definitely not allow a variable IV with CBC-MAC! –  Apr 25 '18 at 23:11