A printable PDF is available.

1. In this problem, we revisit the DAA MAC scheme from the previous homework: if the input message is D₁,...,D_N, and E(K,M) is the encryption function for any block cipher, such as DES or AES, we first compute

   O₁ = E(K, D₁)
   O₂ = E(K, D₂ XOR O₁)
      ...
   O_N = E(K, D_N XOR O_N-1)
   
   

   The final MAC is O_N. If we know that the MAC of a single block message D₁ is T, it is possible to figure out what the MAC of the two block message D₁, T XOR D₁ is, even if you don't know the key. What is it? Justify your answer (show your work).

2. There are two main authenticated encryption techniques described in the book, CCM and GCM. Describe at least two advantages of GCM over CCM.

3. Both MACs and digital signature schemes are designed with the goal of being resistant to "existential forgery." Describe what this means and why this is an important property.