25 points merkle damgard keyed hash function consider the following mmac function built by keyin

Hello students, today we will discuss about this question. In this question we need to consider

Hello students in this question it is given as Hx is equal to x plus ax square plus b mod 2 rais

Let's do the solution of the given question. So, if level of difficulty is D, then likelihood of

Question

25 points Merkle-Damgard keyed hash function: Consider the following MAC function built by keying a hash function that is based on the Merkle-Damgard construction: MAC(m) = h(K||m) Let h: {0,1}* -> {0, 1}^128 be a hash function based on the unpadded Merkle-Damgard mode with compression function F: {0, 1}^128 x {0, 1}^128 -> {0,1}^128. Assume that the key K is of fixed length 128 bits. (a) Use the length-extension weakness of Merkle-Damgard to create a forgery, using one generation query for the message m1 of 128 bits. Show that it verifies correctly, i.e., the verification query of this forgery would yield the output T1. Explain why we cannot query F with (m',T') if |m'| > 128 and |T'| > 128. (b) Suppose that you now obtain multiple message-tag pairs (mi,Ti) of 128 bits for i = 1, 2, ..., n. Show that you can create a forgery for MAC using an arbitrary length message m = m1||m2||...||mn with n > 1 and |m| > 128 for all i âˆˆ {0, 1}. [You can make offline queries to the compression function F in the Merkle-Damgard construction. If you do, clearly state how many and which ones you need.] (c) Explain why it is not secure to use this MAC function as a key derivation function (see slide on hashing).

          25 points Merkle-Damgard keyed hash function: Consider the following MAC function built by keying a hash function that is based on the Merkle-Damgard construction:
    
    MAC(m) = h(K||m)
    
    Let h: {0,1}* -> {0, 1}^128 be a hash function based on the unpadded Merkle-Damgard mode with compression function F: {0, 1}^128 x {0, 1}^128 -> {0,1}^128. Assume that the key K is of fixed length 128 bits.
    
    (a) Use the length-extension weakness of Merkle-Damgard to create a forgery, using one generation query for the message m1 of 128 bits. Show that it verifies correctly, i.e., the verification query of this forgery would yield the output T1. Explain why we cannot query F with (m',T') if |m'| > 128 and |T'| > 128.
    
    (b) Suppose that you now obtain multiple message-tag pairs (mi,Ti) of 128 bits for i = 1, 2, ..., n. Show that you can create a forgery for MAC using an arbitrary length message m = m1||m2||...||mn with n > 1 and |m| > 128 for all i âˆˆ {0, 1}. [You can make offline queries to the compression function F in the Merkle-Damgard construction. If you do, clearly state how many and which ones you need.]
    
    (c) Explain why it is not secure to use this MAC function as a key derivation function (see slide on hashing).

25 points merkle damgard keyed hash function consider the following mmac function built by keying a hash function that is based on the merkle damgard constrnction mackm hkllm let h 01 4 0 11 22195

Added by Sherri F.

Question

Please give Ace some feedback