A printable PDF is available.

# Homework 11 – Due Tuesday, April 18

- In this problem, we revisit the DAA MAC scheme from the previous
homework: if the input message is
*D*, and_{1},...,D_{N}*E(K,M)*is the encryption function for any block cipher, such as DES or AES, we first compute*O*= E(K,_{1}*D*)_{1}

*O*= E(K,_{2}*D*XOR_{2}*O*)_{1}

...

*O*= E(K,_{N}*D*XOR_{N}*O*)_{N-1}

*O*. If we know that the MAC of a single block message_{N}*D*is_{1}*T*, it is possible to figure out what the MAC of the two block message*D*is, even if you don't know the key. What is it? Justify your answer (show your work)._{1}, T XOR D_{1} - There are two main authenticated encryption techniques described in the book, CCM and GCM. Describe at least two advantages of GCM over CCM.
- Both MACs and digital signature schemes are designed with the goal of being resistant to "existential forgery." Describe what this means and why this is an important property.