MACs

Question 1

How is a tag produced?

Answer 1

Hashing a message with a secret key

Question 2

What does it mean if a MAC is secure against existential forgery?

Answer 2

If an attacker without the key can not produce a valid message-tag pair they haven’t seen before.

Question 3

What is a length extension attack?

Answer 3

Where H(m1) can be fed into the state of a hash function. The hash function will continue from where it left off, then the attacker can feed in their own message, where the total message length is the same as m1, and it will produce a valid hash.

Question 4

When is a MAC vulnerable to a length extension attack?

Answer 4

When the hash function used is

Question 5

Is Encrypt-then-MAC secure?

Answer 5

Yes

Question 6

Is MAC-then-Encrypt secure?

Answer 6

Not in general, but works in specific
instances (e.g., if encryption is CBC or CTR mode with
random IV).

Question 7

Is Encrypt and MAC secure?

Answer 7

Not in general, but is in some instances

Question 8

What is the authenticated encryption game?

Answer 8

Challenger picks random encryption key
Attacker does computations, may send messages
Challenger responds with ciphertexts
Attacker does more computations, submits different ciphertext c to challenger
Attacker has won if they forged a valid ciphertext c (where MAC is correct)

Question 9

What conditions must a secure authenticated encryption scheme satisfy?

Answer 9

It satisfies IND-CPA
An attacker wins the authenticated encryption game with only negligible probability

Question 10

What does it mean when an encryption scheme is IND-CPA secure?

Answer 10

It is indistinguishable under a chosen plaintext attack. If an attacker sends 2 plaintexts and the challenger returns 1 of them encrypted. The attacker has no better than a 50% chance of determining which plaintext was encrypted.