
I'm studying MACs, and the following are the definitions of a secure MAC.

(These are Def 4.2 and Def 4.3 of J. Katz and Y. Lindell, "Introduction to Modern Cryptography".)

enter image description here

I want to prove this statement:

"There exists a MAC that is secure (Def 4.2) but is not strongly secure (Def 4.3)."

Thank you.

jyj
  • Hint: Let $Q_w$ and $Q_s$ denote the "weak" and "strong" versions of $Q$. When would $m \in Q_w$ but $(m,t) \notin Q_s$? How could you arrange that? (Hint 2: You should probably assume the existence of a strongly secure MAC, since AFAIK that in itself is still an unproven conjecture unless our definition of a MAC is broad enough to admit something like Carter-Wegman + OTP. Then find a way to weaken that MAC.) – Ilmari Karonen Apr 11 '19 at 07:04
  • See https://crypto.stackexchange.com/questions/44535/secure-and-deterministic-macs-which-are-not-strongly-secure?rq=1 – hakoja Apr 11 '19 at 08:40
  • Or very similarly https://crypto.stackexchange.com/questions/43169/difference-between-int-ctxt-and-int-ptxt?noredirect=1&lq=1 (note that this question is talking about the integrity of ciphertexts of an encryption scheme, not of the security of MACs, but the reasoning/main idea given in the answer is the same in both cases) – hakoja Apr 11 '19 at 08:43

0 Answers
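Added example (not from the question, its comments, or Katz and Lindell): one way to follow the hints in the first comment is to take a MAC assumed to be strongly secure and append a tag byte that verification ignores, then play the forgery experiment while tracking $Q_w$ and $Q_s$. It assumes HMAC-SHA256 is the strongly secure starting MAC; `mac`, `vrfy` and `forgery_game` are illustrative names, and the key and message are constructed.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


def mac(key: bytes, msg: bytes) -> bytes:
    """Weakened MAC: HMAC-SHA256(key, msg) followed by one byte that vrfy never checks."""
    return hmac.new(key, msg, hashlib.sha256).digest() + b"\x00"


def vrfy(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Accept iff the first 32 bytes are the correct HMAC; the trailing byte is ignored."""
    if len(tag) != TAG_LEN + 1:
        return False
    expected = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(tag[:TAG_LEN], expected)


def forgery_game(key: bytes, msg: bytes) -> dict:
    """Run one oracle query, then output (msg, t') with only the ignored byte changed.

    The key is used here only to play the oracle and the final verification;
    the adversary's step (building `forged`) does not touch it.
    """
    q_w = set()  # Q_w: messages sent to the MAC oracle (Def 4.2 bookkeeping)
    q_s = set()  # Q_s: (message, tag) pairs returned by the oracle (Def 4.3 bookkeeping)

    tag = mac(key, msg)  # oracle query
    q_w.add(msg)
    q_s.add((msg, tag))

    forged = tag[:TAG_LEN] + b"\x01"  # adversary: flip the unchecked byte
    accepted = vrfy(key, msg, forged)
    return {
        "accepted": accepted,
        "weak_win": accepted and msg not in q_w,             # Def 4.2 success condition
        "strong_win": accepted and (msg, forged) not in q_s,  # Def 4.3 success condition
    }


if __name__ == "__main__":
    # Constructed key and message, for illustration only.
    print(forgery_game(b"\x11" * 32, b"transfer 10 to alice"))
```

Any forgery on a fresh message against this scheme yields an HMAC forgery by dropping the last byte, so Def 4.2 still holds under the stated assumption, while the pair `(m, t')` above verifies and was never returned by the oracle.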