Homework 5
4.2 Consider a "CCA-type" extension of the definition of secure message authentication codes where the adversary is provided with both a Mac and Vrfy oracle. (a) Provide a formal definition and explain why such a notion may make sense. (b) Show that when the Mac scheme is deterministic, your definition is equivalent to Definition 4.2. (c) Show that when the Mac scheme may be probabilistic, the definitions are not equivalent. (That is, show that there exists a probabilistic scheme that is secure by Definition 4.2 but not by your definition.) Consideration The message authentication experiment Mac-forge, Π(n):

1. A random key k ← {0, 1}n is chosen. 2. The adversary is given oracle access to Mack (·) and Vrfyk (·, ·) and outputs a pair (m , t ). Formally, (m , t ) ← Mack (·), Vrfyk (·,·) (1n ). Let Q denote the queries asked by during the execution. 3. The output of the experiment is defined to be 1 iff m ∈ Q and Vrfyk (m , t ) = 1. A message authentication code Π = (Gen, Mac, Vrfy) is existentially unforgeable under an adaptive chosen-message attack, or just secure, if for all probablistic polynomial-time adversaries , there exists a negligible function negl such that: Pr Mac-forge
,Π (n) = 1

≤ negl (n)

Access to Vrfyk (·, ·) may not be beneficial to the adversary . Let’s say the adversary somehow manages to generate a pair (m , t ) and attempts to query its Vrfy oracle to check its validity. This seems completely plausible but the adversary has to take wild guesses in exponentially many tag candidates, of which the probability of success is negligible. Also, the Vrfy oracle returns merely a single bit, so the adversary is unable to obtain any practical information on the scheme by querying its Vrfy oracle. Say, the Mac scheme is deterministic. There exists one unique tag corresponding to any specific message. Once the adversary obtains sufficient…...

